EvilZone
d4rkcat, December 12, 2014, 04:07:18 AM
-
https://github.com/wallproxy/pytoy/blob/master/zipcode.py
So this is pretty cool, I found it while researching various obfuscation methods for python code.
At first glance I thought this was just making a self extracting script using zlib as per https://github.com/d4rkcat/pycompressor.
Upon further inspection however, I have come to the conclusion that I have no idea wtf is going on.
To test it I ran my cryptdoor.py script through it and got back this:
# -*- coding: latin-1 -*-
code = 'xÚRÛNÃ0\x0c}ÏW”\x07ˆÏ\x06cÝ4\x01í²Oà\x07ª¨ÚÚl\x14ÊŠ:\x1e\x10â㱓v\x17\x18\x12‘*7Žs.ŽK·ŽŠ¦t”çF"\x12\x15ñ¿_0´©›Õ²Þ–®¦ýI¦¥X[¨¨ZÓ!?Ú¸wÒy^6Ežk Ú\x11=6[\x07\x08° 3èëò\rDM[âZ\x12\x19M§\x0fH,Rêy³±\x1d¬Úm!èÀb`@wÀ-Ý3\\êI=Â>p™!\x1aó.|¬.Z7m\x00¨¶!Š\x0e/š7sŠ\'\x0c–¬Z·|9äE‚‘ûÉ\t‰€û]ì‘#WïœGë;ÆVB´†BS0Ÿww¿|\x02WÌÈ\x1e\x16\x0bb+7Ý\x198=™ÍÐw\x00CÃ\x1céyòN ïÇ¥o…úåçÄÊE°Ò\x0bÅYm\x1cþÐ¤ÎøK¬ÉB7’>üä:š•£;\x02å>\\A¤õ蹑\x07\t£P<µý\x0b\nó¨t~$õg]xˆº§ëŽ;·ÿ\x1a¹£yí\x0b¬ÑZyx¨o\x1eÇF¼¶ÝÓÓ¥ïÚä¥Óü¾Ð¦ÉÉé€ÁÚ–±ûŽùÃáÄà±ðò»¸¹’ÄŠ˜´Û€ôº¿ó÷Þ¬¤ˆÚ®ÉÏ羦óÉ’ÆÕ»ëë«·µ§—Æï³ç̹ü¦Ôñ££¤Û‹ñîæ¢±øÌ½‰²¾òòÔîϜڟ¾© µ¸á¥™ª¾ šˆš†ÁËù½£ó»´Ö楡ŠÍ¨¼£ÄÎ…ÐÒȹ©€Âý‰Ÿÿ’ÅýÃÀƒ’Õº™ÓùÄÕ™ü–§¨´ˆûðÓŽØÛž¶Ð¬ôøÚ´Ðñ¦ñ«ÀÉÚø§ßú¢„ÁƒͲõ®–âÓèÜ¥Õ’àÄ™øæíѦöª×ã‡óˆº±ÙâçÊ®šÍ°õĪö¸ö㙊ïÔÐÔ‰ŒøÎêЛ˹£ÂБ ‰ãÅͨœ¸ð± ·¨áˆºÈÑ˜à–®µ¦Ã”“„ª ±Òйù“¡‰„¶¤àø÷£äÀ¨¬Í¶ØË¤ÄÜŒõ¾èЗÍÚÉÙñêûòêÈͪàÖ™ôବ´ãÖŒ¤ÖÔ颩˜Ç£ÄéŒÙ€œÇ’Òµ¶ÈôšËÚÌä”öÝý½í†Éßࣗ°ÎÀôäÀêâÓ»Òª¸ÌÝÈ‹ÃúЯ¾§Ã÷·æÈ…•¶ëÚÖø Ͳ€µ°áãðâ¢ÇÛ“ÕºªßÚÍÔ·½ÑžúÑßõãß‚äå Ô…¨ßÔü³Ø’곞Úë®ç³êúÒÑìë¼Öš©üýÐìΩ±‘’à˜œÄÄÓ›ÔŠÔ¹ìш«Š¶»ÜШóÈïªÂÍàþª·¶Ä“°Ô’ÁâèÔæ„‹ˆÛ³Ô™Á©Æº·Ãֻ؄¾…½ÂÏ–°¸öãÄøÖ˪€»™Ùºøêœ³Ô¢ŠÌŠ‘ïÔ÷ò«èÝõ©•ñ˜ýÙê½È“Á»öæÕ‘Ŧ„úªæ“º“ÀÒ‘È…£ÔÚÑøéêá£Ç¾¢¬Ò¹•ªüޝâ»ýñóÛÿÿ×à¿¿ÿÈòß÷òžï×ÿóÜÌûú×É«²ÚãÅ¿ôåâ–Ìö½ã ÓÔÕ©…ö¢üÕÒôÜÍ•…¸«©â€Ç¯È½’èÔà¾Î´“Ô‰çÜÀÄÄ‘—úцÍòËÖ§ËÎ騺À½¨ñôÚ˶¿ÙÉ¢æûÿºòÇÉÃÃîô—¦À†‚Ô‘¨è¬ÅËà„—”ß¼þƒîáñ™Úê´€éªëÀ°Ð”Íþà¡Ï¶Í†Ú–¦•¤°ò¨õÔéèË¥¿â‰š˜¦¹ÜˆÑò–³Û•´²øˆçñœðéࡘ¤²Æìª‚ლ€þ§¿½Û’öÔÛ‡¼É¥žÐš¢íφхÜБæ€ÍØ‘ÆÂ”œÒ˰ÿÀ𤡶¹·¦ñ©ò¾ˆ¢–øØÈ±¨“’ŒÀð„å§óÅêìÔÍÜÚü¾¾™Á«ƒÐ‡€Þ÷†ëŸýâä’ŒÏìÖ¹õ¶ƒ’ö¿”ŒÇ ØåÕýÚͧÃöŒ‰Ü¯„íùÁ»ŒÓÌÀÙª®ÍÊø¥ù‹¡ˆ®¸ÔØ™˜³¡«—ñ†ˆÜé·Šù« ¦ßßÓ܌ȘÁÓè—ÎÚîè‚í™™ˆã©…µÖ£‰Ùˆ‰âÍ‘† ì”®¥ÎÞ‰é÷‚¼üõ©£—˜°·‡†¤÷ØáŽØ’óæ’œ†öÀαóˆÑùÍŠ™‘ˆ˜¨É±¬Á¼£†ƒÉŠ–¾ƒ›•ªØ¨ÎÙñ…öÅ›ÃÎç¢Î•„¤çÜ©ÑíÛLjΉۈ”—ì©Åïóƒ¶úةע󘬡€þõ¨£Øí°ÐÎ¥áࡸˆ¸¥í¨ÈÁÒ“¯ûÅÚ“Àý¯”˜ÀêÊէͼ´¦ä§›ÕÀ¢‹ÁÄÓ½Þ‚Ù„šÆô‰€Ðºà´ûÎà¶ðÎý¢Â´À„‘¤ë¯ò‰ƒÚ¤‚·â—ûƒÕ€ÓáìÀ¼”ò©œâ‘Ö𒈶֣…ÕÉÁœ¡è󎈌Ðòߨމ¤˜µõ¡ØÈÂý›œ’¶Ø“ÀÀ›ƒ¡§è„Ĭ§Žµ¬öÅà·÷÷ÌÜÓ”ç³ü…Žðׯ¾¨ìÎòÌÜՌɟ€ýÁî¢Ù¹¦º–团¹á¦³ÔÜ“—÷¢àžñÌÛîšý¾ŽŒ¡…ˆµ 
•£ä¯Í«Àëõíþ…¤‘ýˆÓ˜äï½â¶‚¸ì—‡ó°ÚÜ䄛𩛅œÒËø¸¥ÉÇ‹Á›“˜¨¡¾žïâõÙ›ûÍ•ˆðŒ¢žçí¢à•›•¡ÆÔ¦ÆŠ©ÀÆðþ¼Ì†‘ÌŸ‘ªÜ¯ÙŽìϦ£æÖÅå¶óéé‚×ïçß—¢õþ¥ßªŒ¯ç‘ž©¼€Ýúÿ‰€¢ô¬žà“ÏÔ‚²Ÿß™ÖÁӖ°ºõŠ÷”‚—ÑÊ͇âÞõ²º¾Ò»˜’í€õÛ–Ö°™“²÷üÏÆí¡‰œÍㄌ‚â›À™«õ‰à…Â꼣ЇÒäŽôÚ˨¦’Ö»ý§×¼¦€„ÎÅΧèŒ×ëÁÎÉÔŽáâÁˆŠÏÉñ´¤ËÈÎõ‹ÍЃÇãñ‰â‡®â§¼©É›¬ÐŠáƒÊƒÎ†÷æÄî罞üœëš¦¶ÿüŒƒ¬«—ΨŒúü›Ïß¡—ªÓó¼ÛÊ¿›ï•Ψ³âÉô¦‘µ×·±¶ÅÒÐõ¶îÖ›ÿ·¼Êïûêÿ«×»Àãî—çÍôíÍÏñÁ©û½ÞëŠÔ¼ø«¼§’â¶®ïëŸÏËâñáåÀÍý½îï窪Õù»û—þ¦ÿ‡£†×ãè©áÿ«ïŧœ¶›Ï±µÍ•í·²äºÕÖø¯ÓþúÊæøÔ˽ßË稬ƒ«çøò›œìÚÞª„¨—÷´þÕͺöë¼¼›×šÚËç婟å¢Ä÷’À”ŽêùŸ¥Ç¿Ö¯©õõù٦Æ×ÕžÕìÄÿ—ûÑÍô┺‘ûÙ·òæè×îôÖ·Íá°ÕŠÂÔ÷Áãê÷»äÕ†èµýÿÊ®îþȧìÙ•¢¹¦£÷»¿ç³ÛàÌšù¹÷㽯¼³ï™åõÅêÊ«÷¼ÛýÏú¼»Úãø¨µâàÛ·±îßõŽ×¾Ì·µ¹¹œ±¤ªŠ«™íÂÊ¿‹á¢÷þ…ý“Âø•«ðÄ—®ì¬‹ÛÝ„®þÝæý´ù¼õÃÊööÝÞŸ•ôª‹Ù”ó‚ðý‹çûÏŽÉ”Ïþжқîë™Úú«›ïéàÝ•÷ÆÅüêóæýþÕÞûÛõµ›Å‡Þüàôí§ÊÎí“êýïÕÚý°Ï…º´õçîØ¶õÀÏãüñ¼³šÿËéî¥ã꥚ëõ߆õ«¨êá¢åûñá×Éì÷…Í×Ù”ž–îýÞòñÑó·Ó¼ŸçûÓ¢ž¬Ü“éÆë»îɵ¿¾ì³æ÷»¸»ùÛ¾³áʽ¦êùÙª ßü³®ë€Î‹¹ËÑø×ßÖÉöÓ÷úÏ÷Õ›Ýö´é‹Î÷“Ä̵ôøéÚºª§ñͯ¶Ç¿¶·Ôµùü¥½ðº»úëß·³¦Ñ¤ÎÏþ¿Š†êê×ùøñ×½¿õ‹ÅÒªÛ÷ÕÕ›ãݵçÎÌ«‡ãšÖºã¼˜Þ‰‰éûâÑüéê•—Óû¤ûç“æÿäŸÏ”îë›Ë‘†¬¯ùåáÖùºî×£®¦ó¿žÚúÐ×£ŸºÊ½Ü®óñ·´„ïšÒáøÛçòÖ®ž ½ÈÂØâÏïã”ÐÍü¸×ëÜ÷•½ðÍÞÛÖᢽ·Õ·ëØŠ‡½úÆÚßöÑÇËËñÝÒß׿‹–å÷¢ð§îÃêîªÙߦ›¡×Ô—Ýò ´àøù‘ÄÝä«àü”š¼ö—·™¿·‰©µæüëž‹“¢ùùñØÔµíÓܖ˶µî—’ÓíËÚúÖ›óò ý¿ÓÒÖ´Ÿ›™Ûªù¶¾ç棴ͦò¯ç¶úÝÐãâ·ã§º«èüýä£Û½Ö‹ÑœïóãÇ㜯ŠÖêõµÎÖÐâñÅüéßïξËê–ÛÙß«¢óðÚóÞ÷Ý∀¨òˆ¦Ÿþ…‚¥‘ðòò·¢Ä¬ˆ¹ó¥®ðö©ê£Ñïä´ÔŽƒ’Ȱ’ðƒÒò¼øÃ¦„çÆÃ›ì㰲ʌù…–®Ž×šŠ’ˆ±´¤ô½Ã’•˜ƒêײ¡ËÊ”â·á“ÙÄÔ”¥Ó„âŒáȉþÀñµ„ÜÀ‹´êƒ¤¥æÑš—ùº¹ÏŒ½¸éä„¥€©“²Ì˜…ÑÈ¿ª¶–¥þ¡øì‹ñ†…ýßž˜áè’ĸëÍÌÿþÑ…Žé©”ƒÎÔúâÖúÀÁªÖðóü¤Éꃱˆª ñÇŒü÷Ù…¿ù¨®…ƒ§Þ•¤Øéø£¦Çÿê°Êœ¬øÀúì°•äÉÇ릱õßã¿´ê½òð—ž³ü߈۴àõֹ؄›õ‚åÀþøÇ†óÝ‚ªÊ¹«Ö¡²Ãöωº¬ì¬Ãþ·±¨š…–®é›Ë«ßƒÉ¼À û¸¶ŠóÌý¼‡ž„˲å–íõȿ۪ À¯ëäîÁ°ð³ÖºÙŠÔ÷ŶÊà°óíø€õ°ÓÀ–“²ƒ’Ä×¾ñþùàœŠòûÆàº€®ôî Ϭ¹ß‰‡”õæˆÛ‰ã€ˆ²©øò܉°ÈØÕ…Í¡’¥ê¾ÍޏËâÝóÄÞ”Û穜¸ûÊÐù䆼¡ÃŸõ¢‰ëæÖ”ʨՈŒ±» „¬ÝôÀÁ·Ð¼žú‰‡çÜ–ó¼ì÷°·æõ²·Ýο›î°‚‡ýÀÕžÀíéäÙ×쟊¥¤ÎƯ’®Ž×”þç×ö§ÔÝê׃ǴÿÔìüþÉÞ£±”¼£Úàý÷¨§ÓñÿÐŵ¯ú¬Ä£ ”°ÀÉ÷Àíª«ŽºÀá”·°ÿ”õâÀ±šÐšÈü ÒÑéŽúš»ûÀ…ܼ‘ø˜ˆÏÀê¡•ç–¾¡®¾Àõ…¸ºò§ÛûŽ¿ÞÃÏîÿЀ›Ý÷öäî¿î¥óÅ»Œ‚Ø·€™Ù£²û‡²¼ã°Ù‘ý£¿îƒ¯©¤Ê»—·Óé͋ń§®á©îÛ‰ãÍ—»†úÊ⇦ééÅŠ‡Ýš—ÊÆñ¾¯³ÞàŠÿ„É„Üéõ“Þ¯¿¾Ç¬šñ ´Ú‰¥ðêßçï…꿈ڴ³â”ɧ »ìÝÁ·‡¥üÛ—¦ó•Ü»ÕÙö½Í©öçãÕ¼µïÓôñŸé̹ڒ†æ€ø½â‚ѧ©×«Í“÷ÆÃ’”ŸÜÒªäëËÛóÇÙÒÝÈåž•øôîÃóöÂ˸‰ÄÍŠËÃÖàÅØÑð ÅõŸÖç»°¸úü 
â¶Þ¹¢Äˆ¡˜ðËÕ¶†â‚´»“Ò¤¢Ü–ñåžÁú‹é¢¶Š¾×‹‡Û‡§ÉÕ½Á™€‰¶Œæ»Ù¸ÚŠ”¾Žà㥜ݮ–¡È±¸Ã‰ö–øÇÄ©ýƒ±âð ã¸ðéØˆÌÈèú”ŒŽ¯ØšƒÝñ¶æéïøª‰¼Ô”æ®Á·¬…â çêÈÚ¼«¾µæž†”œú®ƒõŒäÌŠÎïãÔí㬴ž¤èÀ ˆÎÅ˟̩őʽޖÎ踱䆈ÊÁ–霋ù®ðÕìàåí”à”“À…džúìÂÛ¾²Ò÷Ð×½õöå칚•ŠÕ»˜é—¬‘Àùžð¶“¸Ø›†Ï’ ù̷¸埓‘ ™ë“ÍѪ™³Åõʳ̧ô‘êúˆçЃÁò‰§ØˆÛ¢„†ªîÛüóÊõ˜ä¦¯±ÀÇК‡ÀÛìË¡¿íôççºÂùÙËŒ û»¢öõ¢êñ‚•—™ž“Ù„ÐäØâîôÖ‹Ÿ¯ìÖ™¬Î‘–Ö‹ƒÝŸ–È…Ô‚éø¦Õ±“ì°á±´ß¸ªçå²€ˆ¤²ÝË¢Œç…õÙ°Â×–Ûï—´ÕϘÄÑâ•Úá±Û‚¦Â¬¼ëª¯¨å¢ýÞ¯…ú’ÊßàÈ¿Þú½š™Áþé¿Ø±ï›£Ë÷æä¡ÀÂýû±›ò«üÞãÏÅ׋¥‹Ë¥³—Þ™‘™º÷–°ÀÊ‹ýû±ÍÝðòŽ›Ÿñ€”³¦óˆ¸ÝÜÍô©×°Ó·äšèúÑë™É ÒÁå©å£ÑȨäÜê……ßÁÝøꅩ¤¢ùýŠ„è´×ýéá²Ôâ÷ç“À³Ì¬Âþ×—ï†ü—ü® ô®Œ¡çüæòÜ…Ì—ŸÇŒ€ÝžÃì±ò‡ÍÍŠüî“ß’øáèºô˜ì¸”ëÌ¿þƒó®òš³ßøù‡”’±Ï’àÙÝÙìî‡ï£ŒÑ寮ÚÒʹáé‰ã¯ö×ïã½þö¾ËÄôÜ‘ˆ™è¨òìÓåÀ½ÇÏŠØà•èö©úò©—ê½üòßå¤ÞšÕžæ ª’›Òì‹ò¾ãѧŒ¥Ý‘¼¯÷ƒ¤éè¡ïÀÒ®ÞŒÝÒ±¯Ç½ì¤ÎÏÛ¥Û¸ßÖñç´Òí±àž»Á׼dz¯‰³¿÷‘Ýó¢šâî÷Ýï½î¢Œã–Ø÷Çê÷ÇÁ¦–„Äü¡‚…ÑþÌúø‹À¾ðøùÒ ˆ–ôêºóà÷€™£‘àœ©§¦Ýš²²ý¬˜ÍÈ˯š½Ï÷¡”¢ì™‘²†¦ÌÑçâÜÁËíÐáà‘ìÛÁé¯ôÑ÷â¿ÀƒÝëà0'
exec(code.decode('zlib'))
After running the 'code' string through zlib.decompress() I expected to see my original cryptdoor code, but instead got this:
def code(__=code):
    (_______)=(globals)();del((_______)['code'])
    if(((_______).get('__doc__'))is((None))):
        (__)=(map)((ord),(__)[(339):]);(______)=[0]*(((((len)((__))+(1))*(7))/(8)));((___),(____),(_____))=((0),(0),(0))
        for((__))in((__)):
            if((__)<(128)):break
            if((____)==(0)):((___),(____))=((__),(1))
            else:
                (______)[(_____)]=((((___)<<(____))|(((__)&(127))>>((7)-(____))))&(255));(_____)+=(1);((___),(____))=((__),(((____)+(1))%(8)))
        if((__)<(128)):
            if((____)!=(0)):
                (__)=((((___)<<(____))|((__)>>((7)-(____))))&(255))
                (______)[(_____):]=[((__))]
        elif((____)!=(0)):del((______)[(_____):])
        exec((''.join((map)((chr),(______))).decode('zlib')))in((_______))
    if(((_______).get('__doc__'))is((None))):(_______)['__doc__']=''
code()
And the weirdest thing of all, the script still works perfectly.
Please someone explain this shit to me! :o
-
Well, without digging too deep yet, it appears to me that it's using some obfuscated code to build another text block to be decompressed by zlib. 'Cause keep in mind that the zlib compression is its own pseudo programming language that describes data based on patterns. If you parse this pattern you could easily store parts of it in different ways, and then build it back up. In essence it seems to be using a custom compression to describe the zlib compression ;)
Of course I haven't really verified it yet as I'm busy with some other stuff. If no one figures it out for sure later I might check to see if I'm right.
-
Yeah, I sort of got that far on my own,
I'm looking for a detailed explanation but thanks anyway.
-
Mkay, so I figured out the bit that was confusing me.
So the zlib format is similar to the jpeg one in that the format can remain valid even if you add shit onto the end.
So all this is is the decryption code for his own little algo zlib'ed PLUS whatever that code has to decrypt.
To test this we can fire up python:
>>> a = 'hello'.encode('zlib')
>>> a
'x\x9c\xcbH\xcd\xc9\xc9\x07\x00\x06,\x02\x15'
>>> a += 'dstkmnedriogjnsdljkgngdfljkgbndfzlkmgnbsdzfklmgnfdkl;mgldfakmgbldfkmlkdfzmnglkdzmnlkdfnmglkznfgklnzxklgn'
>>> a
'x\x9c\xcbH\xcd\xc9\xc9\x07\x00\x06,\x02\x15dstkmnedriogjnsdljkgngdfljkgbndfzlkmgnbsdzfklmgnfdkl;mgldfakmgbldfkmlkdfzmnglkdzmnlkdfnmglkznfgklnzxklgn'
>>> a.decode('zlib')
'hello'
So a simplified version of what his code is doing is like:
>>> code = 'exec code[22:]'.encode('zlib')
>>> len(code)
22
>>> code += 'print "i see"'
>>> code
'x\x9cK\xadHMVH\xceOI\x8d62\xb2\x8a\x05\x00%\xec\x04\xb7print "i see"'
>>> exec(code.decode('zlib'))
i see
>>>
Not as magical as it seems. Still cool though.
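
The trailing-data behaviour from the last post, seen from the analysis side, as an added example (Python 3, not code from the thread or from zipcode.py): `zlib.decompressobj` exposes whatever follows the end of the stream as `unused_data`, so the stub and the appended bytes can be separated without executing anything, and `unpack7` is a readable rewrite of the stub's loop from the first post. The sample blob and the names `split_zlib`, `unpack7` and `analyze` are constructed for illustration.

```python
import zlib

def split_zlib(blob: bytes):
    """Return (decompressed stub, length of the zlib stream, trailing bytes)."""
    d = zlib.decompressobj()
    stub = d.decompress(blob)
    if not d.eof:
        raise ValueError("zlib stream is truncated")
    # Everything after the stream's end marker lands in unused_data untouched.
    return stub, len(blob) - len(d.unused_data), d.unused_data

def unpack7(data: bytes) -> bytes:
    """Readable rewrite of the stub's loop: each byte >= 128 carries 7 payload
    bits; the first byte < 128 is a terminator holding the leftover bits."""
    out = bytearray()
    prev, shift = 0, 0
    for b in data:
        if b < 128:                      # terminator
            if shift:
                out.append(((prev << shift) | (b >> (7 - shift))) & 255)
            break
        if shift:                        # combine tail of prev with head of b
            out.append(((prev << shift) | ((b & 127) >> (7 - shift))) & 255)
        prev, shift = b, (shift + 1) % 8
    return bytes(out)

# Constructed sample: a one-line stub like the simplified one in the thread,
# followed by b"hi" packed by hand into 7-bit groups (0xB4 0x9A) + terminator.
STUB = b"exec code[22:]"
PACKED = bytes([0xB4, 0x9A, 0x20])
SAMPLE = zlib.compress(STUB) + PACKED

def analyze(blob: bytes) -> dict:
    """Static triage: nothing in the blob is ever executed."""
    stub, offset, trailing = split_zlib(blob)
    return {"stub": stub, "payload_offset": offset,
            "trailing_len": len(trailing), "unpacked": unpack7(trailing)}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value!r}")
```

In the file from the first post the unpacked bytes are themselves zlib data (the stub calls `.decode('zlib')` on them), and the payload offset is the hard-coded 339 rather than one recovered from `unused_data`.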