For Re102 Lab 3's, the only Python I saw on the VM was Python 3 ( C:\Users\IEUser\AppData\Local\Programs\Python\Python37\python.exe ) -- the script provided looks like it's Python 2. :) I had to remove some ords, convert ranges to lists, and do a little conversion during the write-stage. No big trouble, but might be a hiccup if folks aren't familiar with the 2->3 discrepancies! Also may as well mention that CFF Explorer is referenced again on Lab 4 (Convert the Shellcode into an EXE).
In case it's helpful: full source of the tweaked Python I used below. Thanks again for the fantastic workshop material!
```python
import os
import sys


def key_schedule(key):
    # RC4 key-scheduling algorithm; returns the permutation and the final j
    keylength = len(key)
    S = list(range(256))
    j = 0
    for i in list(range(256)):
        k = key[i % keylength]  # indexing bytes already yields an int in Python 3
        j = (j + S[i] + k) % 256
        S[i], S[j] = S[j], S[i]  # swap
    return S, j


# Usage: python <script> <key file> <encrypted shellcode file>
with open(sys.argv[1], 'rb') as key_file, open(sys.argv[2], 'rb') as encrypted, open("decrypted_shellcode.bin", 'wb') as out:
    key_size = os.path.getsize(sys.argv[1])  # 0x20
    key = key_file.read(key_size)
    S, j = key_schedule(key)
    """
    A normal RC4 stream algorithm
    resets j before a second use.
    """
    # j = 0
    i = 0
    shellcode_size = os.path.getsize(sys.argv[2])  # 0x65E4
    while (shellcode_size > 0):
        char = encrypted.read(1)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        # swap
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        shellcode_size -= 1
        outbyte = ord(char) ^ k  # ord() accepts a length-1 bytes object
        out.write(bytes([outbyte]))  # write a single byte
# The with statement closes all three files on exit.
```
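Added example, not part of the original comment or the workshop's script: the same cipher over in-memory bytes, with the carried-over `j` made explicit, to show that a stock RC4 routine only agrees with this variant when the key schedule happens to end with `j == 0`. The function names, the sample key and the sample plaintext are constructed for illustration.

```python
# Added example: RC4 with and without resetting j after the key schedule.
# Names, the sample key and the sample plaintext are constructed.

def ksa(key: bytes):
    """RC4 key schedule. Returns the permutation S and the final j."""
    if not key:
        raise ValueError("key must not be empty")
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j

def prga_xor(S, j, data: bytes) -> bytes:
    """XOR data with the RC4 keystream, starting from state (S, i=0, j)."""
    S, i, out = list(S), 0, bytearray()  # copy S so the caller's list is untouched
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4_standard(key: bytes, data: bytes) -> bytes:
    S, _ = ksa(key)
    return prga_xor(S, 0, data)        # textbook RC4: j restarts at 0

def rc4_carry_j(key: bytes, data: bytes) -> bytes:
    S, j = ksa(key)
    return prga_xor(S, j, data)        # variant: j carried over from the KSA

def variants_agree(key: bytes, length: int = 256) -> bool:
    """True if both variants produce the same keystream for this key."""
    zeros = bytes(length)              # XOR with zeros exposes the raw keystream
    return rc4_standard(key, zeros) == rc4_carry_j(key, zeros)

SAMPLE_KEY = bytes(range(0x20))                  # constructed 0x20-byte key
SAMPLE_PLAIN = b"constructed sample payload"     # constructed plaintext

if __name__ == "__main__":
    blob = rc4_carry_j(SAMPLE_KEY, SAMPLE_PLAIN)
    print("carry-j decrypt :", rc4_carry_j(SAMPLE_KEY, blob))
    print("standard decrypt:", rc4_standard(SAMPLE_KEY, blob))
    print("KSA final j     :", ksa(SAMPLE_KEY)[1])
```

If a library RC4 call returns garbage for a blob like this, comparing `ksa(key)[1]` against 0 is a quick way to tell whether a carried-over `j` is the cause.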