#!/usr/bin/env python # # iheartxor is a tool for bruteforcing encoded strings # within a boundary defined by a regular expression. It # will bruteforce the key value range of 0x1 through 0x255 # # Version 0.01 - still need to test passing regular expressions # # Created by Alexander.Hanel@gmail.com # # Usage: brutexor.py [options] <file> # # Options: # -h, --help show this help message and exit # -k KEY, --key=KEY Static XOR key to use # -f, --full XOR full file # -r PATTERN, --re=PATTERN # Regular Expression Pattern to search for import string import re import sys from optparse import OptionParser def valid_ascii(char): if char in string.printable[:-3]: return True else: return None def xor(data, key): decode = '' if isinstance(key, basestring): key = int(key,16) for d in data: decode = decode + chr(ord(d) ^ key) return decode def main(argv): parser = OptionParser() usage = 'usage: iheartxor.py [options] <file>' parser = OptionParser(usage=usage) parser.add_option('-k', '--key', action='store', dest='key', type='string', help='Static XOR key to use') parser.add_option('-f', '--full', action='store_true', dest='full', help='XOR full file') parser.add_option('-r', '--re', action='store', dest='pattern', type='string', help='Regular Expression Pattern to search for') (options, args) = parser.parse_args() # Test for Args if len(sys.argv) < 2: parser.print_help() return try: f = open(sys.argv[len(sys.argv)-1],'rb+') except Exception: print '[ERROR] FILE CAN NOT BE OPENED OR READ!' return # Test that the full option contains a XOR Key if options.full != None and options.key == None: print '[ERROR] --FULL OPTION MUST INCLUDE XOR KEY' return # XOR the full file with key if options.full != None and options.key != None: sys.stdout.write(xor(f.read(), options.key)) return # Parse file for regular expressions if options.pattern == None: regex = re.compile(r'\x00(?!\x00).+?\x00') else: try: regex = re.compile(pattern) except Exception: print "ERROR: INVALID REGULAR EXPRESSION PATTERN" sys.exit(1) buff = '' # for each regex pattern found for match in regex.finditer(f.read()): if len(match.group()) < 8: continue if options.key == None: # for XOR key in range of 0x0 to 0xff for key in range(1,0x100): # for each byte in match of regex pattern for byte in match.group(): if byte == '\x00': buff = buff + '\x00' continue else: tmp = xor(byte,key) if valid_ascii(tmp) == None: buff = '' break else: buff = buff + tmp if buff != '': sys.stdout.write(hex(match.start()) + ' ' + 'key ' + hex(key) + ' ' + buff + '\n') buff = '' else: # same as above but for static key key = int(options.key,16) for byte in match.group(): if byte == '\x00': buff = buff + '\x00' continue else: tmp = xor(byte,key) if valid_ascii(tmp) == None: buff = '' break else: buff = buff + tmp if buff != '': sys.stdout.write(hex(match.start()) + ' ' + 'key ' + hex(key) + ' ' + buff + '\n') return if __name__== '__main__': main(sys.argv[1:])
iheartxor
This is a static page that contains the most updated version of iheartxor.py. Current version is 0.01.The tool can be used to bruteforce xor encoded strings within a user defined regular expression pattern (-r). The default search pattern is a regular expression of that searches for data between null bytes ('\x00'). The tool can also be used to do a straight xor on a file with -f file.name -k value. The value must between 0x0-0x255. Codepad Link
Subscribe to:
Posts (Atom)
http://hooked-on-mnemonics.blogspot.com
ReplyDelete