Module refinery.units.misc.autoxor

Expand source code Browse git
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from __future__ import annotations

from refinery.units.misc.xkey import xkey
from refinery.lib.mime import FileMagicInfo as magic
from refinery.lib.loader import get_entry_point


class autoxor(xkey, docs='{0}{p}{1}'):
    """
    Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte
    with successive bytes from a key or by subtracting the respective key byte value from each
    input byte. It uses the `refinery.xkey` unit to attack the cipher and attempts to recover the
    plaintext automatically.
    """
    def process(self, data: bytearray):
        fallback: tuple[str, bytes, bytearray, bool] | None = None

        try:
            result = next(self._attack(data))
        except StopIteration:
            pass
        else:
            key = result.key
            names = []

            if result.xor is not False:
                names.append('xor')
            if result.xor is not True:
                names.append('sub')

            for name in names:

                unit = get_entry_point(name)
                bin = data | unit(key) | bytearray
                space = B'\0' | unit(0x20) | bytes

                for k in range(4):
                    b = bin[k:k + 0x1000]
                    m = magic(b)
                    if not m.blob:
                        self.log_info(F'method {name} resulted in non-blob data ({m.mime}) at offset {k}; returning buffer')
                        return self.labelled(bin, key=key, method=name)

                if fallback is None:
                    fallback = name, key, bin, m.blob

                if not any(bin):
                    continue

                as_text = bin | unit(space) | bytearray

                try:
                    decoded = as_text.decode('utf8')
                except UnicodeDecodeError:
                    is_text = False
                else:
                    import re
                    is_text = bool(re.fullmatch(r'[\s\w!-~]+', decoded))

                if is_text:
                    self.log_info('detected likely text input; automatically shifting towards space character')
                    key = (b'\x20' * len(key)) | unit(key) | bytes
                    return self.labelled(as_text, key=key, method=name)

        if fallback is None:
            self.log_warn('No key was found; returning original data.')
            return data
        else:
            name, key, bin, is_blob = fallback
            if is_blob and result.how == self._rt.freq:
                self.log_warn('unrecognized format and no confirmed crib; the output is likely junk')
            return self.labelled(bin, key=key)

Classes

class autoxor (range=slice(1, 32, None), plaintext=None, searchpos=slice(0, None, None), alph=False, crib=False, freq=False)

Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte with successive bytes from a key or by subtracting the respective key byte value from each input byte. It uses the xkey unit to attack the cipher and attempts to recover the plaintext automatically.

The unit expects encrypted input which was encrypted byte-wise with a polyalphabetic key. For both bit-wise and byte-wise addition, it can attempt do determine this key by three methods:

  1. Known plaintext cribs: The unit contains a library of file signatures that are expected to occur at specific offsets. It uses these to attempt a known-plaintext attack against the input. If a key is found that is at most half the size of such a crib, it is returned.
  2. Known alphabets: For each given key length, the input is split into slices that would have been encrypted with a single byte for keys of that length. Each such slice undergoes a character frequency analysis. If the histogram indicates that an alphabet of a small size was used (i.e. base64), then the unit attempts to determine the key based on this.
  3. Known high frequency glyph: Works if the plaintext contains one letter that occurs with very high frequency, i.e. zero padding in PE or ELF files, and the space character in text. Based on this assumption, the unit computes the most likely key. This method will work best on uncompressed files that were encrypted with a short key.

When no option is set, the unit uses all the above methods by default. When at least one of the methods is selected, it will attempt only selected methods. When a custom plaintext is given, the other methods are disabled by default.

Expand source code Browse git
class autoxor(xkey, docs='{0}{p}{1}'):
    """
    Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte
    with successive bytes from a key or by subtracting the respective key byte value from each
    input byte. It uses the `refinery.xkey` unit to attack the cipher and attempts to recover the
    plaintext automatically.
    """
    def process(self, data: bytearray):
        fallback: tuple[str, bytes, bytearray, bool] | None = None

        try:
            result = next(self._attack(data))
        except StopIteration:
            pass
        else:
            key = result.key
            names = []

            if result.xor is not False:
                names.append('xor')
            if result.xor is not True:
                names.append('sub')

            for name in names:

                unit = get_entry_point(name)
                bin = data | unit(key) | bytearray
                space = B'\0' | unit(0x20) | bytes

                for k in range(4):
                    b = bin[k:k + 0x1000]
                    m = magic(b)
                    if not m.blob:
                        self.log_info(F'method {name} resulted in non-blob data ({m.mime}) at offset {k}; returning buffer')
                        return self.labelled(bin, key=key, method=name)

                if fallback is None:
                    fallback = name, key, bin, m.blob

                if not any(bin):
                    continue

                as_text = bin | unit(space) | bytearray

                try:
                    decoded = as_text.decode('utf8')
                except UnicodeDecodeError:
                    is_text = False
                else:
                    import re
                    is_text = bool(re.fullmatch(r'[\s\w!-~]+', decoded))

                if is_text:
                    self.log_info('detected likely text input; automatically shifting towards space character')
                    key = (b'\x20' * len(key)) | unit(key) | bytes
                    return self.labelled(as_text, key=key, method=name)

        if fallback is None:
            self.log_warn('No key was found; returning original data.')
            return data
        else:
            name, key, bin, is_blob = fallback
            if is_blob and result.how == self._rt.freq:
                self.log_warn('unrecognized format and no confirmed crib; the output is likely junk')
            return self.labelled(bin, key=key)

Ancestors

Class variables

var reverse

Inherited members