8.9. BREAKING SIMPLE EXECUTABLE CRYPTOR

#!/usr/bin/env python
import sys, hexdump, array

def xor_strings(s,t):

https://en.wikipedia.org/wiki/XOR_cipher#Example_implementation

"""xor two strings together"""
return "".join(chr(ord(a)^ord(b)) for a,b in zip(s,t))

IV=array.array('B', [147, 94, 252, 218, 38, 192, 199, 213, 225, 112, 143, 108, 10, 3, 128,⤦
Ç232]).tostring()

def chunks(l, n):
n = max(1, n)
return [l[i:i + n] for i in range(0, len(l), n)]

def read_file(fname):
file=open(fname, mode='rb')
content=file.read()
file.close()
return content

def decrypt_byte(i, k):
return chr ((ord(i)-k) % 256)

def decrypt(buf):
return "".join(decrypt_byte(buf[i], i) for i in range(16))

fout=open(sys.argv[2], mode='wb')

prev=IV
content=read_file(sys.argv[1])
tmp=chunks(content, 16)
for c in tmp:
new_c=decrypt(c)
p=xor_strings (new_c, prev)
prev=xor_strings(c, p)
fout.write(p)
fout.close()

(Source code can downloadedhere.)

Let’s check resulting file:

$ objdump -b binary -m i386 -D decrypted.bin

...

5: 8b ff mov %edi,%edi

7: 55 push %ebp

8: 8b ec mov %esp,%ebp

a: 51 push %ecx

b: 53 push %ebx

c: 33 db xor %ebx,%ebx

e: 43 inc %ebx

f: 84 1d a0 e2 05 01 test %bl,0x105e2a0

15: 75 09 jne 0x20

17: ff 75 08 pushl 0x8(%ebp)

1a: ff 15 b0 13 00 01 call *0x10013b0

20: 6a 6c push $0x6c

22: ff 35 54 d0 01 01 pushl 0x101d054

28: ff 15 b4 13 00 01 call *0x10013b4

2e: 89 45 fc mov %eax,-0x4(%ebp)

31: 85 c0 test %eax,%eax

33: 0f 84 d9 00 00 00 je 0x112

39: 56 push %esi

3a: 57 push %edi

3b: 6a 00 push $0x0

3d: 50 push %eax

3e: ff 15 b8 13 00 01 call *0x10013b8

44: 8b 35 bc 13 00 01 mov 0x10013bc,%esi