Module refinery.units.misc.autoxor
Expand source code Browse git
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
from refinery.units.misc.xkey import xkey
from refinery.lib.mime import FileMagicInfo as magic
from refinery.lib.loader import get_entry_point
class autoxor(xkey, extend_docs=True):
"""
Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte
with successive bytes from a key or by subtracting the respective key byte value from each
input byte. It uses the `refinery.xkey` unit to attack the cipher and attempts to recover the
plaintext automatically.
"""
def process(self, data: bytearray):
for result in self._attack(data):
key = result.key
names = []
if result.xor is not False:
names.append('xor')
if result.xor is not True:
names.append('sub')
break
else:
self.log_warn('No key was found; returning original data.')
return data
fallback = None
for name in names:
unit = get_entry_point(name)
bin, = data | unit(key)
space = B'\0' | unit(0x20) | bytes
if not (m := magic(bin)).blob:
self.log_info(F'method {name} resulted in {m.mime} data; returning buffer')
return self.labelled(bin, key=key, method=name)
if fallback is None:
fallback = name, key, bin, m.blob
if not any(bin):
continue
as_text = bin | unit(space) | bytearray
try:
decoded = as_text.decode('utf8')
except UnicodeDecodeError:
is_text = False
else:
is_text = bool(re.fullmatch(r'[\s\w!-~]+', decoded))
if is_text:
self.log_info('detected likely text input; automatically shifting towards space character')
key = (b'\x20' * len(key)) | unit(key) | bytes
return self.labelled(as_text, key=key, method=name)
if fallback:
name, key, bin, is_blob = fallback
if is_blob:
self.log_warn('unrecognized format and no confirmed crib; the output is likely junk')
return self.labelled(bin, key=key)Classes
class autoxor (range=slice(1, 32, None), plaintext=None, searchpos=slice(0, None, None), alph=False, crib=False, freq=False)-
Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte with successive bytes from a key or by subtracting the respective key byte value from each input byte. It uses the
xkeyunit to attack the cipher and attempts to recover the plaintext automatically.The unit expects encrypted input which was encrypted byte-wise with a polyalphabetic key. For both bit-wise and byte-wise addition, it can attempt do determine this key by three methods:
- Known plaintext cribs: The unit contains a library of file signatures that are expected to occur at specific offsets. It uses these to attempt a known-plaintext attack against the input. If a key is found that is at most half the size of such a crib, it is returned.
- Known alphabets: For each given key length, the input is split into slices that would have been encrypted with a single byte for keys of that length. Each such slice undergoes a character frequency analysis. If the histogram indicates that an alphabet of a small size was used (i.e. base64), then the unit attempts to determine the key based on this.
- Known high frequency glyph: Works if the plaintext contains one letter that occurs with very high frequency, i.e. zero padding in PE or ELF files, and the space character in text. Based on this assumption, the unit computes the most likely key. This method will work best on uncompressed files that were encrypted with a short key.
When no option is set, the unit uses all the above methods by default. When at least one of the methods is selected, it will attempt only selected methods. When a custom plaintext is given, the other methods are disabled by default.
Expand source code Browse git
class autoxor(xkey, extend_docs=True): """ Assumes input that was encrypted with a polyalphabetic block cipher, like XOR-ing each byte with successive bytes from a key or by subtracting the respective key byte value from each input byte. It uses the `refinery.xkey` unit to attack the cipher and attempts to recover the plaintext automatically. """ def process(self, data: bytearray): for result in self._attack(data): key = result.key names = [] if result.xor is not False: names.append('xor') if result.xor is not True: names.append('sub') break else: self.log_warn('No key was found; returning original data.') return data fallback = None for name in names: unit = get_entry_point(name) bin, = data | unit(key) space = B'\0' | unit(0x20) | bytes if not (m := magic(bin)).blob: self.log_info(F'method {name} resulted in {m.mime} data; returning buffer') return self.labelled(bin, key=key, method=name) if fallback is None: fallback = name, key, bin, m.blob if not any(bin): continue as_text = bin | unit(space) | bytearray try: decoded = as_text.decode('utf8') except UnicodeDecodeError: is_text = False else: is_text = bool(re.fullmatch(r'[\s\w!-~]+', decoded)) if is_text: self.log_info('detected likely text input; automatically shifting towards space character') key = (b'\x20' * len(key)) | unit(key) | bytes return self.labelled(as_text, key=key, method=name) if fallback: name, key, bin, is_blob = fallback if is_blob: self.log_warn('unrecognized format and no confirmed crib; the output is likely junk') return self.labelled(bin, key=key)Ancestors
Inherited members