Skip to content

Instantly share code, notes, and snippets.

@rxwx
Created September 7, 2023 17:54
Show Gist options
  • Save rxwx/47cab53bb867e4b631685af62db335e8 to your computer and use it in GitHub Desktop.
Save rxwx/47cab53bb867e4b631685af62db335e8 to your computer and use it in GitHub Desktop.
Decode "Obscured" Check Point Trac.config files
import io
import sys
import string
KEY_STR = 'ModifiedFwPropertySheetWithOKTheSheetIDS_LDAP_AU_PROPERTIESNULL0FW_WP_OBJECTS'
def get_byte(x):
c = ord(chr(x).lower())
if ((c - 0x30) & 255) < 10:
retval = c - 0x30
elif ((c + 0x9f) & 255) < 6:
retval = c - 0x57
else:
retval = 0xff
return retval & 0xff
def inner_decode(data):
pair = [0, 0]
dec = 0
i = 0
while i < 2:
if data[i] == 0 or \
chr(data[i]) not in string.hexdigits:
break
c = get_byte(data[i])
pair[i] = c
i += 1
if i == 0:
i = -1
if i == 2:
dec = pair[0] * 0x10 + pair[1]
if i == 1:
dec = pair[0]
return i, dec
def decode(data):
data = data.lstrip(b'11TRAC')
if len(data) % 2:
print ('Unable to decode odd-length string')
return None
inbuf = io.BytesIO(data)
outbuf = b''
while inbuf.tell() != len(data):
ret, dec = inner_decode(inbuf.read(2))
if ret < 0:
return None
outbuf += bytes([dec])
return outbuf[::-1]
def decrypt(enc):
dec = ''
for i, x in enumerate(enc):
k = ord(KEY_STR[i % len(KEY_STR)])
dec += chr(x ^ (k - 0x20))
return dec.encode()
if __name__ == '__main__':
if len(sys.argv) != 2:
print (' Usage: python3 %s /path/to/Trac.config' % sys.argv[0])
sys.exit(1)
with open(sys.argv[1], 'rb') as f:
inbuf = f.read()
# 11TRAC397b067b627b09061c701d030b077076686c0b1f0606710573030c0f0806077327
if inbuf[0:6] != b'11TRAC':
print ('Data not obfuscated')
sys.exit(1)
decoded = decode(inbuf)
if decoded is not None:
decrypted = decrypt(decoded)
print (decrypted.decode())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment