-
-
Save reanimat0r/9c9f7ab5f1489f610aae4e544ccc78de to your computer and use it in GitHub Desktop.
SmokLoader dissector for wireshark
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| do | |
| local smk_req_proto = Proto("smk_req", "SmokeLoader Request"); | |
| local smk_resp_proto = Proto("smk_resp", "SmokeLoader Response"); | |
| function split(str, pat) | |
| local t = {} -- NOTE: use {n = 0} in Lua-5.0 | |
| local fpat = "(.-)" .. pat | |
| local last_end = 1 | |
| local s, e, cap = str:find(fpat, 1) | |
| while s do | |
| if s ~= 1 or cap ~= "" then | |
| table.insert(t,cap) | |
| end | |
| last_end = e+1 | |
| s, e, cap = str:find(fpat, last_end) | |
| end | |
| if last_end <= #str then | |
| cap = str:sub(last_end) | |
| table.insert(t, cap) | |
| end | |
| return t | |
| end | |
| function smk_xor(t,buf,s) | |
| r = "" | |
| xor={} | |
| for i=0,4 do | |
| xor[i] = buf(i,1):uint() | |
| end | |
| for i=0,s-1 do | |
| local v = bit32.bxor(buf(4+i,1):uint(),xor[i%4]) | |
| v = bit32.bxor(v,(255-(i%255))) | |
| r = r .. string.char(v) | |
| end | |
| return r | |
| end | |
| local media_type_table = DissectorTable.get("media_type") | |
| local frm_old_dissector = media_type_table:get_dissector("application/x-www-form-urlencoded") | |
| local htm_old_dissector = media_type_table:get_dissector("text/html") | |
| function smk_req_proto.dissector(tvb, pinfo, tree) | |
| frm_old_dissector:call(tvb, pinfo, tree) | |
| local subtree = tree:add(smk_req_proto, tvb()) | |
| local size = tvb(0,4):le_uint() | |
| -- d(tree,'Size: ' .. size) | |
| if size == tvb():len() then | |
| local s = smk_xor(tree,tvb:range(4),size-8) | |
| for k, v in pairs(split(s,'&')) do | |
| local pp = split(v,'=') | |
| if pp[1] == "r" then | |
| break | |
| end | |
| subtree:add(tvb(),v) | |
| end | |
| subtree:add(tvb_range,s) | |
| end | |
| end | |
| function smk_resp_proto.dissector(tvb,pinfo,tree) | |
| -- skip non numeric shit... | |
| htm_old_dissector:call(tvb,pinfo,tree) | |
| if tonumber(tvb(0,1):string()) == nil then | |
| return | |
| end | |
| local s = "" | |
| for i=0,tvb():len() do | |
| if tvb(i,1):int() == 0 then | |
| break | |
| end | |
| s = tvb(0,i+1) | |
| end | |
| -- d(tree,s:string()) | |
| local xor = tonumber(s(0,3):string()) | |
| local r = "" | |
| for i=3,s:len()-3,3 do | |
| local v = bit32.bxor(xor,tonumber(s(i,3):string()) ) | |
| r = r .. string.char(v) | |
| end | |
| local subtree = tree:add(smk_resp_proto, s()) | |
| subtree:add(s(),r) | |
| end | |
| media_type_table:add("text/html", smk_resp_proto) | |
| media_type_table:add("application/x-www-form-urlencoded", smk_req_proto) | |
| end | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment