gifExeExtract.go - Opengist

Änderung 6daad0fd600b0139c0b3b220aff0d75bc0eadad2

gifExeExtract.go · 2.4 KiB · Go Originalformat

package main import ( "bufio" "bytes" "container/ring" "encoding/hex" "flag" "fmt" "io/ioutil" "log" "os" ) var inFile string func init() { flag.StringVar(&inFile, "in", "", "path to input file") } func check(err error) { if err != nil { log.Fatal(err) } } func main() { // parse flags flag.Parse() // check if inputFile is given if inFile == "" { err := fmt.Errorf("no input file given") check(err) } // determine fileSize of inputFile var fileSize int64 file, err := os.Open(inFile) check(err) fi, err := file.Stat() check(err) fileSize = fi.Size() var offset int64 var bytesRead int // extract XOR key keyBuf := make([]byte, 256) offset, err = file.Seek(10, 0) check(err) bytesRead, err = file.Read(keyBuf) check(err) log.Printf("read %d at offset %d into keyBuf\n", bytesRead, offset) log.Println("Key extracted is:") d := hex.Dumper(os.Stdout) defer d.Close() d.Write(keyBuf) err = ioutil.WriteFile("key", keyBuf, 0755) check(err) log.Printf("key was written to the file 'key'\n") // extract encrypted EXE from inFile encBlockSize := fileSize - 10 - 256 - 266 encBlockBuf := make([]byte, encBlockSize) offset, err = file.Seek(266, 0) check(err) bytesRead, err = file.Read(encBlockBuf) check(err) log.Printf("read %d at offset %d into encBlockBuf\n", bytesRead, offset) // extract last block from inFile lastBlockBuf := make([]byte, 266) offset, err = file.Seek(-532, 2) check(err) bytesRead, err = file.Read(lastBlockBuf) check(err) log.Printf("read %d at offset %d into lastBlock\n", bytesRead, offset) // xor encBlockBuf with XOR key decBlock := XOR(encBlockBuf, keyBuf) // decBlock = append(decBlock, lastBlockBuf) var exeBuf bytes.Buffer w := bufio.NewWriter(&exeBuf) w.Write(decBlock) w.Write(lastBlockBuf) w.Flush() // write exe file out err = ioutil.WriteFile("exe", exeBuf.Bytes(), 0755) check(err) log.Printf("wrote output to file 'exe'\n") } // XOR implements a rolling xor where the key size is allowed not to be the same size as the data func XOR(data, key []byte) []byte { // setup ring buffer with key data r := ring.New(len(key)) for i := 0; i < r.Len(); i++ { r.Value = key[i] r = r.Next() } // do the actual xor operation for i := 0; i < len(data); i++ { // foreach byte of data data[i] = r.Value.(byte) ^ data[i] // xor data byte with current ring element r = r.Next() // move ring forward } return data }

1	package main
2
3	import (
4	"bufio"
5	"bytes"
6	"container/ring"
7	"encoding/hex"
8	"flag"
9	"fmt"
10	"io/ioutil"
11	"log"
12	"os"
13	)
14
15	var inFile string
16
17	func init() {
18	flag.StringVar(&inFile, "in", "", "path to input file")
19	}
20
21	func check(err error) {
22	if err != nil {
23	log.Fatal(err)
24	}
25	}
26
27	func main() {
28	// parse flags
29	flag.Parse()
30	// check if inputFile is given
31	if inFile == "" {
32	err := fmt.Errorf("no input file given")
33	check(err)
34	}
35	// determine fileSize of inputFile
36	var fileSize int64
37	file, err := os.Open(inFile)
38	check(err)
39	fi, err := file.Stat()
40	check(err)
41	fileSize = fi.Size()
42
43	var offset int64
44	var bytesRead int
45
46	// extract XOR key
47	keyBuf := make([]byte, 256)
48	offset, err = file.Seek(10, 0)
49	check(err)
50	bytesRead, err = file.Read(keyBuf)
51	check(err)
52	log.Printf("read %d at offset %d into keyBuf\n", bytesRead, offset)
53	log.Println("Key extracted is:")
54	d := hex.Dumper(os.Stdout)
55	defer d.Close()
56	d.Write(keyBuf)
57	err = ioutil.WriteFile("key", keyBuf, 0755)
58	check(err)
59	log.Printf("key was written to the file 'key'\n")
60
61	// extract encrypted EXE from inFile
62	encBlockSize := fileSize - 10 - 256 - 266
63	encBlockBuf := make([]byte, encBlockSize)
64	offset, err = file.Seek(266, 0)
65	check(err)
66	bytesRead, err = file.Read(encBlockBuf)
67	check(err)
68	log.Printf("read %d at offset %d into encBlockBuf\n", bytesRead, offset)
69
70	// extract last block from inFile
71	lastBlockBuf := make([]byte, 266)
72	offset, err = file.Seek(-532, 2)
73	check(err)
74	bytesRead, err = file.Read(lastBlockBuf)
75	check(err)
76	log.Printf("read %d at offset %d into lastBlock\n", bytesRead, offset)
77	// xor encBlockBuf with XOR key
78	decBlock := XOR(encBlockBuf, keyBuf)
79	// decBlock = append(decBlock, lastBlockBuf)
80	var exeBuf bytes.Buffer
81	w := bufio.NewWriter(&exeBuf)
82	w.Write(decBlock)
83	w.Write(lastBlockBuf)
84	w.Flush()
85	// write exe file out
86	err = ioutil.WriteFile("exe", exeBuf.Bytes(), 0755)
87	check(err)
88	log.Printf("wrote output to file 'exe'\n")
89	}
90
91	// XOR implements a rolling xor where the key size is allowed not to be the same size as the data
92	func XOR(data, key []byte) []byte {
93	// setup ring buffer with key data
94	r := ring.New(len(key))
95	for i := 0; i < r.Len(); i++ {
96	r.Value = key[i]
97	r = r.Next()
98	}
99	// do the actual xor operation
100	for i := 0; i < len(data); i++ { // foreach byte of data
101	data[i] = r.Value.(byte) ^ data[i] // xor data byte with current ring element
102	r = r.Next() // move ring forward
103	}
104	return data
105	}
106