Module refinery.units.misc.autoxor
Expand source code Browse git
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from __future__ import annotations
from refinery.units.misc.xkey import xkey
from refinery.lib.mime import FileMagicInfo as magic
from refinery.lib.loader import get_entry_point
class autoxor(xkey, docs='{0}{p}{1}'):
"""
Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte
with successive bytes from a key or by subtracting the respective key byte value from each
input byte. It uses the `refinery.xkey` unit to attack the cipher and attempts to recover the
plaintext automatically.
"""
def process(self, data: bytearray):
fallback: tuple[str, bytes, bytearray, bool] | None = None
try:
result = next(self._attack(data))
except StopIteration:
pass
else:
key = result.key
names = []
if result.xor is not False:
names.append('xor')
if result.xor is not True:
names.append('sub')
for name in names:
unit = get_entry_point(name)
bin = data | unit(key) | bytearray
space = B'\0' | unit(0x20) | bytes
for k in range(4):
b = bin[k:k + 0x1000]
m = magic(b)
if not m.blob:
self.log_info(F'method {name} resulted in non-blob data ({m.mime}) at offset {k}; returning buffer')
return self.labelled(bin, key=key, method=name)
if fallback is None:
fallback = name, key, bin, m.blob
if not any(bin):
continue
as_text = bin | unit(space) | bytearray
try:
decoded = as_text.decode('utf8')
except UnicodeDecodeError:
is_text = False
else:
import re
is_text = bool(re.fullmatch(r'[\s\w!-~]+', decoded))
if is_text:
self.log_info('detected likely text input; automatically shifting towards space character')
key = (b'\x20' * len(key)) | unit(key) | bytes
return self.labelled(as_text, key=key, method=name)
if fallback is None:
self.log_warn('No key was found; returning original data.')
return data
else:
name, key, bin, is_blob = fallback
if is_blob and result.how == self._rt.freq:
self.log_warn('unrecognized format and no confirmed crib; the output is likely junk')
return self.labelled(bin, key=key)
Classes
class autoxor (range=slice(1, 32, None), plaintext=None, searchpos=slice(0, None, None), alph=False, crib=False, freq=False)
-
Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte with successive bytes from a key or by subtracting the respective key byte value from each input byte. It uses the
xkey
unit to attack the cipher and attempts to recover the plaintext automatically.The unit expects encrypted input which was encrypted byte-wise with a polyalphabetic key. For both bit-wise and byte-wise addition, it can attempt do determine this key by three methods:
- Known plaintext cribs: The unit contains a library of file signatures that are expected to occur at specific offsets. It uses these to attempt a known-plaintext attack against the input. If a key is found that is at most half the size of such a crib, it is returned.
- Known alphabets: For each given key length, the input is split into slices that would have been encrypted with a single byte for keys of that length. Each such slice undergoes a character frequency analysis. If the histogram indicates that an alphabet of a small size was used (i.e. base64), then the unit attempts to determine the key based on this.
- Known high frequency glyph: Works if the plaintext contains one letter that occurs with very high frequency, i.e. zero padding in PE or ELF files, and the space character in text. Based on this assumption, the unit computes the most likely key. This method will work best on uncompressed files that were encrypted with a short key.
When no option is set, the unit uses all the above methods by default. When at least one of the methods is selected, it will attempt only selected methods. When a custom plaintext is given, the other methods are disabled by default.
Expand source code Browse git
class autoxor(xkey, docs='{0}{p}{1}'): """ Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte with successive bytes from a key or by subtracting the respective key byte value from each input byte. It uses the `refinery.xkey` unit to attack the cipher and attempts to recover the plaintext automatically. """ def process(self, data: bytearray): fallback: tuple[str, bytes, bytearray, bool] | None = None try: result = next(self._attack(data)) except StopIteration: pass else: key = result.key names = [] if result.xor is not False: names.append('xor') if result.xor is not True: names.append('sub') for name in names: unit = get_entry_point(name) bin = data | unit(key) | bytearray space = B'\0' | unit(0x20) | bytes for k in range(4): b = bin[k:k + 0x1000] m = magic(b) if not m.blob: self.log_info(F'method {name} resulted in non-blob data ({m.mime}) at offset {k}; returning buffer') return self.labelled(bin, key=key, method=name) if fallback is None: fallback = name, key, bin, m.blob if not any(bin): continue as_text = bin | unit(space) | bytearray try: decoded = as_text.decode('utf8') except UnicodeDecodeError: is_text = False else: import re is_text = bool(re.fullmatch(r'[\s\w!-~]+', decoded)) if is_text: self.log_info('detected likely text input; automatically shifting towards space character') key = (b'\x20' * len(key)) | unit(key) | bytes return self.labelled(as_text, key=key, method=name) if fallback is None: self.log_warn('No key was found; returning original data.') return data else: name, key, bin, is_blob = fallback if is_blob and result.how == self._rt.freq: self.log_warn('unrecognized format and no confirmed crib; the output is likely junk') return self.labelled(bin, key=key)
Ancestors
Class variables
var reverse
Inherited members