Skip to content

Instantly share code, notes, and snippets.

@nemec
Last active July 9, 2021 13:52
Show Gist options
  • Save nemec/ea6b21bcd027b81ac1e3fbcfeb01db3e to your computer and use it in GitHub Desktop.
Save nemec/ea6b21bcd027b81ac1e3fbcfeb01db3e to your computer and use it in GitHub Desktop.
Decrypt the payload of ebay clear.png data exfiltration
#!/usr/bin/env python3
import itertools
import urllib.parse
import sys
def encrypt(message, key):
alpha = "0123456789abcdef"
concat = str(len(message)) + '&' + message
encrypted = []
for char, keychar in zip(concat, itertools.cycle(key)):
crypt = ord(char) ^ ord(keychar) & 10
encrypted.append(alpha[(crypt >> 4) & 15])
encrypted.append(alpha[crypt & 15])
return ''.join(encrypted)
def cycle_twice(iterable):
# cycle('ABCD') --> A B C D A B C D A B C D ...
saved = []
for element in iterable:
yield element
yield element
saved.append(element)
while saved:
for element in saved:
yield element
yield element
def decrypt(encr, key):
alpha = "0123456789abcdef"
message = []
last = None
for idx, (char, keychar) in enumerate(zip(encr, cycle_twice(key))):
if idx % 2 == 0:
last = char
continue
crypt = alpha.index(last) << 4 | alpha.index(char)
message.append(chr(crypt ^ ord(keychar) & 10))
concat = ''.join(message)
length, sep, msg = concat.partition('&')
if len(length) == 0:
return concat
if len(msg) != int(length):
raise ValueError("Error decoding message")
return msg
def parse_clear_png_url(url):
query = urllib.parse.urlparse(url).query
parsed = urllib.parse.parse_qs(query)
if not 'session_id' in parsed:
raise ValueError('unable to find session_id query parameter')
encr = None
for key, value in parsed.items():
if key[0] == 'j':
encr = value[0]
if encr is None:
raise ValueError('unable to find encrypted message query parameter')
return decrypt(encr, parsed['session_id'][0])
if __name__ == '__main__':
if len(sys.argv) < 2:
print('First argument must be "https://src.ebay-us.com/fp/clear.png" URL')
print('USAGE: python3 decrypt_ebay.py "https://src.ebay-us.com/fp/clear.png?org_id=usllpic0&session_id=46ab9c371710a4e926a88ae2fffe6d35&nonce=4b4aa5f76ec76448&jac=1&je=983468573629384792837493287429847293847..."')
sys.exit(1)
print(parse_clear_png_url(sys.argv[1]))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment