import structimport hashlib_SERIALIZED_CREDS_BUFFER_LEN = 22def decrypt_en

1. import struct
2. import hashlib
3.  
4.  
5. _SERIALIZED_CREDS_BUFFER_LEN = 22
6.  
7. def decrypt_envelop(xored):
8. dwKey = struct.unpack("<I", xored[:4])[0]
9. print "dwKey: %08x" % dwKey
10.  
11. data = map(ord, xored[4:])
12. for i in range(len(data)):
13. #print "%02x^%02x=%02x"%(data[i], dwKey, data[i] ^ (dwKey & 0xFF))
14. data[i] ^= (dwKey & 0xFF)
15. dwKey = (dwKey >> 5) | (dwKey << (32 - 5));
16. dwKey &= 0xFFFFFFFF
17.  
18. decData = ''.join("%c"%x for x in data)
19. print "hash: "+decData[:20].encode('hex')
20. print "id: "+decData[20].encode('hex')
21. print "Data: "+decData[21:].encode('hex')
22.  
23. temp = "\0"*20+decData[20:]
24. calcedHash = hashlib.sha1(temp).hexdigest()
25. print "Calced Hash: "+calcedHash
26. if(calcedHash == decData[:20].encode('hex')):
27. print "Success"
28. else:
29. print "Fail"
30. return decData[21:]
31.  
32. def decrypt_mailslot(xored):
33. dwKey = xored[4:8] + xored[:4]
34. print "dwKey: %s" % dwKey.encode('hex')
35. data = xored[8:]
36.  
37. dwKey = dwKey * (len(data)/len(dwKey) + 1)
38. dwKey = dwKey[:len(data)]
39.  
40. decData = [ord(a) ^ ord(b) for a,b in zip(dwKey,data)]
41. if _SERIALIZED_CREDS_BUFFER_LEN + decData[10] + decData[11] + decData[12] + decData[13] == len(xored):
42. print "Mailslot decode Good"
43. else:
44. print "Mailslot decode BAD"
45. decData = ''.join("%c"%x for x in decData)
46. print decData.encode('hex')
47. return decData
48.  
49. def decrypt_strings(mailslot):
50. def decrypt_packed_string(xored):
51. dwKey1 = struct.unpack("<I", xored[:4])[0]
52. dwKey2 = struct.unpack("<I", xored[4:8])[0]
53. #print "dwKey1: %08x" % dwKey1
54. #print "dwKey2: %08x" % dwKey2
55.  
56. data = map(ord, xored[8:])
57. for i in range(len(data)):
58. #print "*pOut = %02x ^ %02x ^ %02x"%(data[i], dwKey1 & 0xFF, dwKey2 & 0xFF)
59. data[i] ^= (dwKey1 & 0xFF) ^ (dwKey2 & 0xFF)
60. dwKey1 = (dwKey1 >> 3) | (dwKey1 << (32 - 3))
61. dwKey2 = (dwKey2 >> 2)
62. dwKey1 &= 0xFFFFFFFF
63. dwKey2 &= 0xFFFFFFFF
64. return ''.join(map(chr, data))
65.  
66. computer_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 0])
67. domain_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 1])
68. username_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 2])
69. password_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 3])
70.  
71. index = _SERIALIZED_CREDS_BUFFER_LEN - 8
72. computer_name_xored = mailslot[index: index + computer_name_len]
73. index += computer_name_len
74. domain_name_xored = mailslot[index: index + domain_name_len]
75. index += domain_name_len
76. username_xored = mailslot[index: index + username_len]
77. index += username_len
78. password_xored = mailslot[index: index + password_len]
79.  
80. computer_name = decrypt_packed_string(computer_name_xored)
81. domain_name = decrypt_packed_string(domain_name_xored)
82. username = decrypt_packed_string(username_xored)
83. password = decrypt_packed_string(password_xored)
84. print "Computer name:\t%s\nDomain:\t\t%s\nUsername:\t%s\nPassword:\t%s" % (computer_name, domain_name, username, password)
85.  
86.  
87. data = open('cipher.txt', 'rb').read()
88. data2 = decrypt_envelop(data)
89. data3 = decrypt_mailslot(data2)
90. data4 = decrypt_strings(data3)