#! /usr/bin/python
# Script to parse a PCAP and XOR data based on a byte offset
# Requires Scapy
# 0.1 - 07172012
# Default is two bytes, change at line 35
# Stephen Reese and Chris Gragsone
#
# todo: add two more args, offset length and static offset option
from scapy.all import *
import sys
# The capture to decode is the first command-line argument. The output
# path is not configurable: process_packets() always writes "dump.pcap".
try:
    # Module-level name read later by process_packets().
    infile = sys.argv[1]
except IndexError:
    # No argument supplied: print the usage line and exit with status 1.
    print("Usage: decodexorpayload.py <input pcap file>")
    sys.exit(1)
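def many_byte_xor(buf, key):
    """XOR every byte of *buf* with a repeating *key* and return the result.

    XOR is its own inverse, so calling this twice with the same key returns
    the original data.

    Args:
        buf: Bytes-like data to transform. It is copied into a bytearray, so
            the caller's object is not modified.
        key: Bytes-like XOR key, repeated cyclically across *buf*.

    Returns:
        A byte string with the same length as *buf*.

    Raises:
        ZeroDivisionError: If *key* is empty while *buf* is not, because the
            key index is computed modulo the key length.
    """
    buf = bytearray(buf)
    key = bytearray(key)
    key_len = len(key)
    for i, bufbyte in enumerate(buf):
        buf[i] = bufbyte ^ key[i % key_len]
    # bytes() instead of str(): identical on Python 2 (bytes is str there),
    # while on Python 3 str(bytearray) would return the text
    # "bytearray(b'...')" rather than the XORed bytes.
    return bytes(buf)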
def process_packets():
    """XOR-decode the packets of the input capture and write "dump.pcap".

    Reads the module-level ``infile`` with rdpcap(). For each packet, the
    layer at ``payload.payload`` is rendered with str(); when that string is
    non-empty, its first three bytes are used as a repeating XOR key over the
    whole string (the file header mentions two bytes; the slice below takes
    three). The key bytes are part of the data being XORed, so they decode
    to zero bytes. The layer is then replaced by the decoded string and the
    packet is kept. Packets whose rendered layer is empty are left out of
    the output, which is written with wrpcap() to the relative path
    "dump.pcap".

    NOTE(review): no length or checksum field is touched here; confirm the
    written packets still parse the way the analysis expects.
    NOTE(review): str() on a packet layer is assumed to yield the raw bytes,
    i.e. Python 2 semantics; confirm before running on another interpreter.
    """
    decoded = []
    for pkt in rdpcap(infile):
        # You may have to adjust the payload depth here,
        # i.e. pkt.payload.payload.payload
        raw = str(pkt.payload.payload)
        xor_key = raw[:3]
        if not (raw and xor_key):
            # Nothing to decode at this depth; the packet is not written out.
            continue
        # You may have to adjust the payload depth here as well.
        pkt.payload.payload = many_byte_xor(raw, xor_key)
        decoded.append(pkt)
    wrpcap("dump.pcap", decoded)
# Decode the capture named on the command line. There is no __main__ guard,
# so this call also runs whenever the module is imported.
process_packets()