arj exploit

a guest
Nov 11th, 2014
74
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.75 KB | None | 0 0
  1. import sys
  2. import struct
  3. import itertools
  4. from collections import defaultdict
  5. import pprint
  6. import pickle
  7. import math
  8. import numpy as np
  9.  
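def cosine_similarity(a, b):
    """Return the cosine similarity of two 1-D vectors: (a . b) / (||a|| * ||b||).

    Accepts any array-like (list, tuple, ndarray); the original required
    ndarrays because it called ``b.T``.  The result is a float in [-1, 1]
    for non-zero inputs.  A zero-norm input divides by zero and yields nan
    (numpy warns instead of raising), so callers ranking scores should not
    feed it empty or all-zero histograms.
    """
    a = np.asarray(a, dtype=float)
    b = np.asarray(b, dtype=float)
    # Divide by each norm in turn, exactly as the original did, so scores
    # stay bit-for-bit comparable with previously recorded results.
    return np.dot(a, b) / np.linalg.norm(a) / np.linalg.norm(b)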
  14.  
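pp = pprint.PrettyPrinter(indent=4)  # unused on the main path; kept for ad-hoc debugging


def _read_exact(fh, n):
    """Read exactly *n* bytes from *fh* or raise ValueError.

    The archive is untrusted input: a truncated or malformed file must fail
    with a clear message instead of the original ``ord('')`` TypeError, and
    must never silently mis-align every field that follows a short read.
    """
    data = fh.read(n)
    if len(data) != n:
        raise ValueError('truncated archive: wanted {} bytes, got {}'.format(n, len(data)))
    return data


def _read_u8(fh):
    """Read one unsigned byte (same code on Python 2 str and Python 3 bytes)."""
    return struct.unpack('<B', _read_exact(fh, 1))[0]


def _read_u16(fh):
    """Read a little-endian unsigned 16-bit integer."""
    return struct.unpack('<H', _read_exact(fh, 2))[0]


def _read_u32(fh):
    """Read a little-endian unsigned 32-bit integer."""
    return struct.unpack('<L', _read_exact(fh, 4))[0]


def _read_cstring(fh, limit=0xFFFF):
    """Read a NUL-terminated byte string and return it without the NUL.

    Bounded by *limit*: a basic ARJ header is sized by a 16-bit field, so no
    legitimate string inside it can be longer.  The bound stops a header
    with a missing terminator from dragging the parser through the rest of
    the file one byte at a time before it fails.
    """
    out = bytearray()
    while True:
        b = _read_u8(fh)
        if b == 0:
            return out
        out.append(b)
        if len(out) > limit:
            raise ValueError('unterminated string in ARJ header')


f = open(sys.argv[1], 'rb')

# ----- main archive header -------------------------------------------------
# Fixed-layout read.  NOTE(review): header_size and first_header_size are
# printed but never used to bound or position the parse, so an archive whose
# fixed part has a different size would be misread from that point on.
header_id = _read_u16(f)
print('header id: {}'.format(header_id))

header_size = _read_u16(f)
print('header size: {}'.format(header_size))

first_header_size = _read_u8(f)
print('first header size: {}'.format(first_header_size))

version_num = _read_u8(f)
print('version: {}'.format(version_num))

min_req_version = _read_u8(f)
print('required version: {}'.format(min_req_version))

host_os = _read_u8(f)
print('host os: {}'.format(host_os))

# Main-header flag bits:
#   0x01 NOT USED
#   0x02 RESERVED
#   0x04 VOLUME_FLAG  - a succeeding volume exists
#   0x08 NOT USED
#   0x10 PATHSYM_FLAG - archive name translated ("\" changed to "/")
#   0x20 BACKUP_FLAG  - backup type archive
flags = _read_u8(f)
print('flags: {0:b}'.format(flags))

res1 = _read_u8(f)  # reserved
print('res1: {}'.format(res1))

file_type = _read_u8(f)  # 2 = comment header
print('filetype: {}'.format(file_type))

res2 = _read_u8(f)  # reserved
print('res2: {}'.format(res2))

created_date = _read_u32(f)
print('created_date: {}'.format(created_date))

res3 = bytearray(_read_exact(f, 4 * 3))  # reserved: three further 32-bit fields, not decoded here
print('res3: {}'.format(repr(res3)))

filespec_pos_in_filename = _read_exact(f, 2)

_read_exact(f, 8)  # unused

orig_filename = _read_cstring(f)
print('orig filename: {}'.format(repr(bytes(orig_filename))))

comment = _read_cstring(f)
print('comment: {}'.format(repr(bytes(comment))))

crc = _read_exact(f, 4)  # basic header CRC.  NOTE(review): read but never verified.

ext_header_size = _read_u16(f)  # extended header, should be 0
print('ext header size: {}'.format(ext_header_size))

print('')
print('#####FILE INFO#####')

# ----- first local file header ---------------------------------------------
# Same fixed-layout caveat as above.  Only the first file entry is parsed.
header_id = _read_u16(f)
print('header id: {}'.format(header_id))

header_size = _read_u16(f)
print('header size: {}'.format(header_size))

first_header_size = _read_u8(f)
print('first header size: {}'.format(first_header_size))

version_num = _read_u8(f)
print('version: {}'.format(version_num))

min_req_version = _read_u8(f)
print('required version: {}'.format(min_req_version))

host_os = _read_u8(f)
print('host os: {}'.format(host_os))

# Per-file flag bits (this value replaces the main-header flags above; the
# cracking loop tests bit 0x01 of it):
#   0x01 GARBLED      - password protected
#   0x02 RESERVED
#   0x04 VOLUME_FLAG  - a succeeding volume exists
#   0x08 EXTFILE_FLAG
#   0x10 PATHSYM_FLAG - archive name translated ("\" changed to "/")
#   0x20 BACKUP_FLAG  - file marked as backup
flags = _read_u8(f)
print('flags: {0:b}'.format(flags))

method = _read_u8(f)  # compression method; the cracking loop only handles 1..3
print('method: {}'.format(method))
ftype = _read_u8(f)
print('filetype: {}'.format(ftype))
xor_val = _read_u8(f)  # added to every keystream byte (mod 256) before the XOR
print('xor val: {}'.format(xor_val))

modified_date = _read_u32(f)
print('modified date: {}'.format(modified_date))

compressed_size = _read_u32(f)
print('compressed size: {}'.format(compressed_size))

orig_crc = _read_u32(f)
print('file crc: {}'.format(orig_crc))

filespec_pos_in_filename = _read_exact(f, 2)
file_access_mode = _read_exact(f, 2)
host_data = _read_exact(f, 2)

extra = bytearray(_read_exact(f, 16))  # extra data?  NOTE(review): layout assumed, not derived from first_header_size
print("\"extra\" data: {}".format(repr(extra)))

ext_file_start_pos = _read_exact(f, 4)

filename = _read_cstring(f)
print('filename: {}'.format(repr(bytes(filename))))

comment = _read_cstring(f)
print('comment: {}'.format(repr(bytes(comment))))

file_header_crc = _read_exact(f, 4)  # NOTE(review): read but never verified

ext_header_size = _read_u16(f)  # usually not used.
print('ext header size: {}'.format(ext_header_size))

# The payload.  compressed_size is attacker-controlled (up to 4 GiB) and is
# read whole into memory; _read_exact makes a truncated file fail loudly
# instead of yielding a buffer shorter than the header claims.
compressed_file = np.frombuffer(_read_exact(f, compressed_size), dtype=np.uint8)

print(len(compressed_file))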
  163.  
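# Reference byte-frequency baselines: each .pkl is expected to hold the
# normalised 256-bin byte histogram of a correctly decrypted payload, pickled
# by an earlier run.  The three are averaged into one reference vector.
# NOTE(security): pickle.load executes arbitrary code embedded in the file.
# Only load baselines you generated yourself; never a .pkl obtained from
# elsewhere or from a writable shared directory.
# Opened in binary mode: pickle data is bytes, and text mode corrupts it on
# Windows and fails outright on Python 3.
known_good = []
for i in range(1, 4):
    with open('norm_freqs{}.pkl'.format(i), 'rb') as pkl:
        known_good.append(pickle.load(pkl))

# Element-wise mean over the baselines (same as sum(t)/len(t) per bin).
avg_known_good = np.mean(np.array(known_good), axis=0)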
  172.  
  173. #print(avg_known_good)
  174.  
  175.  
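# ----- password recovery ------------------------------------------------------
# The payload byte i is XORed with (key[i % len(key)] + xor_val) % 256.  Because
# the key is repeated cyclically, key position p only touches every len(key)-th
# payload byte, so the key can be recovered one position at a time: try every
# candidate byte in position p (earlier positions fixed, later ones padded with
# PAD_BYTE), score the resulting plaintext's byte histogram against the
# averaged known-good histogram with cosine similarity, and keep the best.
# The first key byte is seeded as "z" and never searched (inherited from the
# original script; presumably known from a previous run -- verify).
PW_LENGTHS = range(18, 36, 6)  # key lengths to try: 18, 24, 30
PW_CHARSET = range(32, 128)    # candidate bytes per position: ASCII 0x20..0x7F
PAD_BYTE = 255                 # filler for not-yet-recovered key positions

if not (flags & 0x01):
    # GARBLED bit clear: nothing to recover.  The original printed this once
    # per candidate and then died with a NameError on the undefined plaintext.
    print("NOT ENCRYPTED.")
    f.close()
    sys.exit(0)

if method == 0:
    # Stored (uncompressed) payload: the compressed-data baseline does not
    # apply, so just dump the bytes, once, as the original did per candidate.
    print(list(compressed_file))
    print(compressed_file)
    f.close()
    sys.exit(0)

if not (1 <= method <= 3):
    # The original collected no scores here and crashed on attempts[0].
    print('unsupported method {}: no frequency baseline for it'.format(method))
    f.close()
    sys.exit(1)


def _decrypt(key_bytes, modifier, payload):
    """Undo the ARJ garble: payload ^ ((cycled key + modifier) % 256)."""
    keystream = np.resize(np.array(key_bytes, dtype=np.int32), len(payload))
    return ((keystream + modifier) % 256) ^ payload


def _score(plaintext, baseline):
    """Cosine similarity of plaintext's normalised byte histogram to baseline.

    NOTE(review): the 256 bins span the data's own min..max rather than a
    fixed range=(0, 256), so a candidate plaintext that does not use the full
    byte range is binned differently from the baseline.  Left as-is because
    the pickled baselines were produced the same way; fixing it means
    regenerating them with range=(0, 256).
    """
    norm_freqs, _ = np.histogram(plaintext, 256, density=True)  # 'normed' was removed from numpy
    return cosine_similarity(norm_freqs, baseline)


for pw_len in PW_LENGTHS:
    print("Trying length {}".format(pw_len))
    pw_guess = "z"
    while len(pw_guess) < pw_len:
        prefix = [ord(c) for c in pw_guess]
        attempts = []
        for pw_try in PW_CHARSET:
            candidate = prefix + [pw_try] + [PAD_BYTE] * (pw_len - len(prefix) - 1)
            plaintext = _decrypt(candidate, xor_val, compressed_file)
            attempts.append((_score(plaintext, avg_known_good), pw_try))
        # Highest similarity wins; ties go to the larger byte value, matching
        # the original ascending sort followed by reverse().
        attempts.sort()
        attempts.reverse()
        best_score, best_byte = attempts[0]
        pw_guess += chr(best_byte)
        print(pw_guess)
    print(pw_guess)
f.close()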