Decrypt the payload of ebay clear.png data exfiltration

## decrypt_ebay.py
#!/usr/bin/env python3

import itertools
import urllib.parse

import sys


def encrypt(message, key):
    alpha = "0123456789abcdef"
    concat = str(len(message)) + '&' + message

    encrypted = []
    for char, keychar in zip(concat, itertools.cycle(key)):
        crypt = ord(char) ^ ord(keychar) & 10
        encrypted.append(alpha[(crypt >> 4) & 15])
        encrypted.append(alpha[crypt & 15])
    return ''.join(encrypted)


def cycle_twice(iterable):
    # cycle('ABCD') --> A B C D A B C D A B C D ...
    saved = []
    for element in iterable:
        yield element
        yield element
        saved.append(element)
    while saved:
        for element in saved:
              yield element
              yield element


def decrypt(encr, key):
    alpha = "0123456789abcdef"

    message = []
    last = None
    for idx, (char, keychar) in enumerate(zip(encr, cycle_twice(key))):
        if idx % 2 == 0:
            last = char
            continue
        crypt = alpha.index(last) << 4 | alpha.index(char)
        message.append(chr(crypt ^ ord(keychar) & 10))
    concat = ''.join(message)
    length, sep, msg = concat.partition('&')
    if len(length) == 0:
        return concat
    if len(msg) != int(length):
        raise ValueError("Error decoding message")
    return msg


def parse_clear_png_url(url):
    query = urllib.parse.urlparse(url).query
    parsed = urllib.parse.parse_qs(query)

    if not 'session_id' in parsed:
        raise ValueError('unable to find session_id query parameter')
    encr = None
    for key, value in parsed.items():
        if key[0] == 'j':
            encr = value[0]
    if encr is None:
        raise ValueError('unable to find encrypted message query parameter')
    return decrypt(encr, parsed['session_id'][0])


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('First argument must be "https://src.ebay-us.com/fp/clear.png" URL')
        print('USAGE: python3 decrypt_ebay.py "https://src.ebay-us.com/fp/clear.png?org_id=usllpic0&session_id=46ab9c371710a4e926a88ae2fffe6d35&nonce=4b4aa5f76ec76448&jac=1&je=983468573629384792837493287429847293847..."')
        sys.exit(1)
    print(parse_clear_png_url(sys.argv[1]))
	#!/usr/bin/env python3

	import itertools
	import urllib.parse

	import sys


	def encrypt(message, key):
	alpha = "0123456789abcdef"
	concat = str(len(message)) + '&' + message

	encrypted = []
	for char, keychar in zip(concat, itertools.cycle(key)):
	crypt = ord(char) ^ ord(keychar) & 10
	encrypted.append(alpha[(crypt >> 4) & 15])
	encrypted.append(alpha[crypt & 15])
	return ''.join(encrypted)


	def cycle_twice(iterable):
	# cycle('ABCD') --> A B C D A B C D A B C D ...
	saved = []
	for element in iterable:
	yield element
	yield element
	saved.append(element)
	while saved:
	for element in saved:
	yield element
	yield element


	def decrypt(encr, key):
	alpha = "0123456789abcdef"

	message = []
	last = None
	for idx, (char, keychar) in enumerate(zip(encr, cycle_twice(key))):
	if idx % 2 == 0:
	last = char
	continue
	crypt = alpha.index(last) << 4 \| alpha.index(char)
	message.append(chr(crypt ^ ord(keychar) & 10))
	concat = ''.join(message)
	length, sep, msg = concat.partition('&')
	if len(length) == 0:
	return concat
	if len(msg) != int(length):
	raise ValueError("Error decoding message")
	return msg


	def parse_clear_png_url(url):
	query = urllib.parse.urlparse(url).query
	parsed = urllib.parse.parse_qs(query)

	if not 'session_id' in parsed:
	raise ValueError('unable to find session_id query parameter')
	encr = None
	for key, value in parsed.items():
	if key[0] == 'j':
	encr = value[0]
	if encr is None:
	raise ValueError('unable to find encrypted message query parameter')
	return decrypt(encr, parsed['session_id'][0])



	if __name__ == '__main__':
	if len(sys.argv) < 2:
	print('First argument must be "https://src.ebay-us.com/fp/clear.png" URL')
	print('USAGE: python3 decrypt_ebay.py "https://src.ebay-us.com/fp/clear.png?org_id=usllpic0&session_id=46ab9c371710a4e926a88ae2fffe6d35&nonce=4b4aa5f76ec76448&jac=1&je=983468573629384792837493287429847293847..."')
	sys.exit(1)
	print(parse_clear_png_url(sys.argv[1]))