Topic: [Python] WTF is this script doing? And how?


Offline d4rkcat

[Python] WTF is this script doing? And how?
« on: December 12, 2014, 04:07:18 am »
https://github.com/wallproxy/pytoy/blob/master/zipcode.py

So this is pretty cool; I found it while researching various obfuscation methods for Python code.
At first glance I thought this was just making a self-extracting script using zlib as per https://github.com/d4rkcat/pycompressor.
Upon further inspection however, I have come to the conclusion that I have no idea wtf is going on.
To test it I ran my cryptdoor.py script through it and got back this:

Code: (Python)
# -*- coding: latin-1 -*-
code = '...'  # the zlib-compressed blob: thousands of non-printable bytes, omitted here
exec(code.decode('zlib'))

After running the 'code' string through zlib.decompress() I expected to see my original cryptdoor code, but instead got this:

Code: (Python)
def code(__=code):
 (_______)=(globals)();del((_______)['code'])
 if(((_______).get('__doc__'))is((None))):
  (__)=(map)((ord),(__)[(339):]);(______)=[0]*(((((len)((__))+(1))*(7))/(8)));((___),(____),(_____))=((0),(0),(0))
  for((__))in((__)):
   if((__)<(128)):break
   if((____)==(0)):((___),(____))=((__),(1))
   else:
    (______)[(_____)]=((((___)<<(____))|(((__)&(127))>>((7)-(____))))&(255));(_____)+=(1);((___),(____))=((__),(((____)+(1))%(8)))
  if((__)<(128)):
   if((____)!=(0)):
    (__)=((((___)<<(____))|((__)>>((7)-(____))))&(255))
   (______)[(_____):]=[((__))]
  elif((____)!=(0)):del((______)[(_____):])
  exec((''.join((map)((chr),(______))).decode('zlib')))in((_______))
  if(((_______).get('__doc__'))is((None))):(_______)['__doc__']=''
code()

And the weirdest thing of all, the script still works perfectly.
Please someone explain this shit to me!  :o
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline madf0x

Re: [Python] WTF is this script doing? And how?
« Reply #1 on: December 12, 2014, 05:09:43 am »
Well, without digging too deep yet, it appears to me that it's using some obfuscated code to build another text block to be decompressed by zlib. 'Cause keep in mind that the zlib compression is its own pseudo programming language that describes data based on patterns. If you parse this pattern you could easily store parts of it in different ways, and then build it back up. In essence it seems to be using a custom compression to describe the zlib compression ;)

Of course I haven't really verified it yet as I'm busy with some other stuff. If no one figures it out for sure later I might check to see if I'm right.

Offline d4rkcat

Re: [Python] WTF is this script doing? And how?
« Reply #2 on: December 12, 2014, 05:19:44 am »
Yeah, I sort of got that far on my own.
I'm looking for a detailed explanation but thanks anyway.


Offline d4rkcat

Re: [Python] WTF is this script doing? And how?
« Reply #3 on: December 13, 2014, 12:59:56 pm »
Mkay, so I figured out the bit that was confusing me.
So the zlib format is similar to the JPEG one in that the format can remain valid even if you add shit onto the end.
So all this is is the decryption code for his own little algo, zlib'ed, PLUS whatever that code has to decrypt.
To test this we can fire up python:
Code:
>>> a = 'hello'.encode('zlib')
>>> a
'x\x9c\xcbH\xcd\xc9\xc9\x07\x00\x06,\x02\x15'
>>> a += 'dstkmnedriogjnsdljkgngdfljkgbndfzlkmgnbsdzfklmgnfdkl;mgldfakmgbldfkmlkdfzmnglkdzmnlkdfnmglkznfgklnzxklgn'
>>> a
'x\x9c\xcbH\xcd\xc9\xc9\x07\x00\x06,\x02\x15dstkmnedriogjnsdljkgngdfljkgbndfzlkmgnbsdzfklmgnfdkl;mgldfakmgbldfkmlkdfzmnglkdzmnlkdfnmglkznfgklnzxklgn'
>>> a.decode('zlib')
'hello'

So a simplified version of what his code is doing is like:

Code:
>>> code = 'exec code[22:]'.encode('zlib')
>>> len(code)
22
>>> code += 'print "i see"'
>>> code
'x\x9cK\xadHMVH\xceOI\x8d62\xb2\x8a\x05\x00%\xec\x04\xb7print "i see"'
>>> exec(code.decode('zlib'))
i see
>>>

Not as magical as it seems. Still cool though.
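As an added example (not code from the thread or from pytoy), here is a readable Python 3 rewrite of the two pieces d4rkcat traced above: a zlib stream followed by trailing data that zlib.decompress ignores, and the stub's repacking of that trailing data from 7-bit high-byte form back into the second zlib stream. All function names and the sample strings are my own; unlike the real stub, which hard-codes offset 339, this version asks zlib where the first stream ends.

```python
import zlib

def pack7(data: bytes) -> bytes:
    """Encode `data` as the stub expects: 7 payload bits per byte with the high
    bit set (safe inside a latin-1 string literal: no quote, backslash or
    newline), then one terminator byte < 128 holding the last 1..7 bits."""
    bits, total = int.from_bytes(data, "big"), 8 * len(data)
    ngroups = (total - 1) // 7            # full 7-bit groups (data non-empty)
    tail = total - 7 * ngroups            # 1..7 bits left for the terminator
    out = bytearray(0x80 | ((bits >> (total - 7 * (i + 1))) & 0x7F)
                    for i in range(ngroups))
    out.append((bits & ((1 << tail) - 1)) << (7 - tail))   # terminator, < 0x80
    return bytes(out)

def unpack7(enc: bytes) -> bytes:
    """Readable transliteration of the stub's loop (prev/shift are its ___/____):
    eight high-bit bytes yield seven output bytes; a byte < 128 ends the data."""
    out, prev, shift = bytearray(), 0, 0
    for cur in enc:
        if cur < 0x80:                                   # terminator reached
            if shift:                                    # flush the leftover bits
                out.append(((prev << shift) | (cur >> (7 - shift))) & 0xFF)
            else:                                        # stub keeps it verbatim
                out.append(cur)
            break
        if shift == 0:                                   # first byte of a group
            prev, shift = cur, 1
        else:
            out.append(((prev << shift) | ((cur & 0x7F) >> (7 - shift))) & 0xFF)
            prev, shift = cur, (shift + 1) % 8
    return bytes(out)

def build_blob(stub_src: bytes, payload_src: bytes) -> bytes:
    """Constructed analogue of the posted file: zlib(stub) + pack7(zlib(payload))."""
    return zlib.compress(stub_src) + pack7(zlib.compress(payload_src))

def recover(blob: bytes):
    """Return (naive, stub_src, payload_src). `naive` is what the OP saw: zlib
    stops at the first stream end and ignores the rest. decompressobj's
    unused_data exposes that boundary, so the stub's hard-coded 339 is not needed."""
    naive = zlib.decompress(blob)
    d = zlib.decompressobj()
    stub_src = d.decompress(blob) + d.flush()
    payload_src = zlib.decompress(unpack7(d.unused_data))
    return naive, stub_src, payload_src

if __name__ == "__main__":                       # constructed sample strings
    naive, stub, payload = recover(build_blob(b"exec code[22:]", b'print("i see")'))
    print(naive == stub, stub, payload)
```

recover() hands back the second-stage source instead of exec'ing it the way the stub does, which is what you want when pulling apart someone else's packed script.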