Created
January 2, 2012 23:23
-
-
Save ksose/1552594 to your computer and use it in GitHub Desktop.
decode/unzip Shylock webinjects file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // k`sOSe | |
| // decode/unzip Shylock configuration files, tested on Shylock 1.2.1.3160 | |
| // | |
| // Usage: | |
| // gcc -o unpack unpack.c -lz | |
| // wget --no-check-certificate https://paragua-analyst.cc/files/injects.jpg | |
| // ./unpack injects.jpg injects.plain | |
| // | |
| // to extract webinjects from an infected machine: https://gist.github.com/1552587 | |
| #include <stdio.h> | |
| #include "zlib.h" | |
| #include <string.h> | |
| #include <stdlib.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #define CHECK_ERR(err, msg) { \ | |
| if (err != Z_OK) { \ | |
| fprintf(stderr, "%s error: %d\n", msg, err); \ | |
| exit(1); \ | |
| } \ | |
| } | |
| void unzip(char *in, unsigned long in_len, char *out, unsigned long out_len); | |
| #define HEADER_LEN 0x1a | |
| #define OFF_MAGIC 0xe | |
| // not sure if MUL/ADD change or what :) | |
| #define MUL 845 | |
| #define ADD 577 | |
| int main(int argc, char *argv[]) | |
| { | |
| FILE *fp; | |
| struct stat st; | |
| char *header, *data , *out; | |
| short magic, i = 0; | |
| if(argc != 3) | |
| exit(printf("Usage: %s <injects_file> <output_file>\n", argv[0])); | |
| stat(argv[1], &st); | |
| header = malloc(st.st_size); | |
| fp = fopen(argv[1], "rb"); | |
| fread(header, 1, st.st_size, fp); | |
| fclose(fp); | |
| if(*(unsigned int *)header != 0x11223344) | |
| printf("Input does not seem to be a webinjects file: %08x\n", *(unsigned int *)header); | |
| magic = *(unsigned short *)&header[OFF_MAGIC]; | |
| data = header + HEADER_LEN; | |
| do | |
| { | |
| data[i++] ^= (unsigned char)magic; | |
| magic = (MUL * magic + ADD) % 0xffffffff; | |
| } | |
| while((st.st_size-HEADER_LEN) >= i); | |
| out = malloc(0x24620*5); | |
| memset(out, 0x0, 0x24620*5); | |
| unzip(data, st.st_size-HEADER_LEN, out, 0x24620*5); | |
| fp = fopen(argv[2], "wb"); | |
| fwrite(out, 1, 0x24620*5, fp); | |
| fclose(fp); | |
| } | |
| void unzip(char *in, unsigned long in_len, char *out, unsigned long out_len) | |
| { | |
| int err; | |
| z_stream d_stream; | |
| d_stream.zalloc = (alloc_func)0; | |
| d_stream.zfree = (free_func)0; | |
| d_stream.opaque = (voidpf)0; | |
| d_stream.next_in = in; | |
| d_stream.avail_in = in_len; | |
| d_stream.next_out = out; | |
| d_stream.avail_out = out_len; | |
| err = inflateInit2_(&d_stream, 0x2f, "1.2.3", sizeof(z_stream)); | |
| CHECK_ERR(err, "issnflateInit2_"); | |
| inflate(&d_stream, Z_NO_FLUSH); | |
| err = inflateEnd(&d_stream); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment