Magic 010 Editor Template Recognizes Pseudo-Encryption

When it comes to pseudo-encryption, "Geek Compression" can be used to ignore the pseudo-encryption and open the archive directly, and there are plenty of places to download it, but the antivirus flagged it as a virus right away and talked me out of it.

Later I saw an analysis of this software on the Internet by a Baidu expert, "Bamboo Bug: a backdoor hidden in common tool software". The software has 121 functional APIs, such as downloading any program and executing it silently, killing processes, modifying any registry key, installing APKs to connected mobile phones, modifying home pages, local claims and so on, which is powerful and shocking. It is worth noting that the Lua scripts can be upgraded and updated at any time, so one cannot rule out behind-the-scenes hackers using this powerful backdoor for privacy theft and other malicious acts; the security risk is very high.

For the security and reliability of your local environment, it is a better idea to use a 010 Editor template to analyze whether an archive is pseudo-encrypted.

First, what is pseudo-encryption?

If, as in the figure above, the general-purpose bit flag in the compressed file's data area (the local file header) is 0000 while the general-purpose bit flag in the central directory entry for the same file is 0900, the archive can be judged to be pseudo-encrypted. This is also how programs implement the check.

The stock ZIP template, when run, only determines whether the ZIP file parses completely, i.e. whether it is corrupted or not.

The modified template also determines whether the archive is pseudo-encrypted, and prints a hint when the criterion above is met.

I originally wanted the template to automatically patch the bytes in the file as soon as pseudo-encryption was detected, but it reported a function error and several functions could not be called. Next, I need to learn how to use scripts to modify the data of the open file.

Function 'WriteBytes' cannot write to the current file in a template. Use a script instead.

Today I will post the template that identifies pseudo-encryption. Thanks to Wei Shen for guidance on my C-language structs.

Welcome to follow the WeChat official account "Chicken Skills Limited".

//------------------------------------------------
//--- 010 Editor v2.0 Binary Template
//
//      File: ZIP.bt
//    Author: SweetScape Software
//   Version: 2.3
//   Purpose: Parse ZIP archive files.
//  Category: Archive
// File Mask: *.zip
//  ID Bytes: 50 4B //PK
//   History:  
//   2.3   2015-07-18  SweetScape: Updated header for repository submission.
//   2.2   S.Gibson:   Fix for entry comment field, 
//                     Fix for parsing data descriptors
//   2.1   SweetScape: Added write function for ZIPFILERECORD structure
//   2.0   SweetScape: Added read functions
//   1.0   SweetScape: Initial release
//
// More information available at:
//  https://en.wikipedia.org/wiki/Zip_%28file_format%29
//------------------------------------------------

// Define structures used in ZIP files

//enum used for compression format
typedef enum <short> { 
    COMP_STORED    = 0,
    COMP_SHRUNK    = 1,
    COMP_REDUCED1  = 2,
    COMP_REDUCED2  = 3,
    COMP_REDUCED3  = 4,
    COMP_REDUCED4  = 5,
    COMP_IMPLODED  = 6,
    COMP_TOKEN     = 7,
    COMP_DEFLATE   = 8,
    COMP_DEFLATE64 = 9    
} COMPTYPE;
 
// Defines a file record
typedef struct {
    // Header for the file
    char     frSignature[4];    //0x04034b50
    ushort   frVersion;
    ushort   frFlags;
    COMPTYPE frCompression;
    DOSTIME  frFileTime;
    DOSDATE  frFileDate;
    uint     frCrc     <format=hex>;
    uint     frCompressedSize;
    uint     frUncompressedSize;
    ushort   frFileNameLength;
    ushort   frExtraFieldLength;
    if( frFileNameLength > 0 )
        char     frFileName[ frFileNameLength ];
    if( frExtraFieldLength > 0 )
        uchar    frExtraField[ frExtraFieldLength ];

    // Compressed data
    SetBackColor( cNone );
    if( frCompressedSize > 0 )
        uchar    frData[ frCompressedSize ];

} ZIPFILERECORD <read=ReadZIPFILERECORD, write=WriteZIPFILERECORD>;

// Defines an entry in the directory table
typedef struct {
    char     deSignature[4];     //0x02014b50
    ushort   deVersionMadeBy;
    ushort   deVersionToExtract;
    ushort   deFlags;
    COMPTYPE deCompression;
    DOSTIME  deFileTime;
    DOSDATE  deFileDate;
    uint     deCrc     <format=hex>;
    uint     deCompressedSize;
    uint     deUncompressedSize;
    ushort   deFileNameLength;
    ushort   deExtraFieldLength;
    ushort   deFileCommentLength;
    ushort   deDiskNumberStart;
    ushort   deInternalAttributes;
    uint     deExternalAttributes;
    uint     deHeaderOffset;
    if( deFileNameLength > 0 )
        char     deFileName[ deFileNameLength ];
    if( deExtraFieldLength > 0 )
        uchar    deExtraField[ deExtraFieldLength ];
    if( deFileCommentLength > 0 )
        uchar    deFileComment[ deFileCommentLength ];
} ZIPDIRENTRY <read=ReadZIPDIRENTRY>;

// Defines the digital signature
typedef struct {
    char     dsSignature[4];    //0x05054b50
    ushort   dsDataLength;
    if( dsDataLength > 0 )
        uchar    dsData[ dsDataLength ];
} ZIPDIGITALSIG;
        
// Defines the Data descriptor
typedef struct {
    char ddSignature[4]; //0x08074b50
    uint ddCRC <format=hex>;
    uint ddCompressedSize;
    uint ddUncompressedSize;
} ZIPDATADESCR;

// Defines the end of central directory locator
typedef struct {
    char     elSignature[4];    //0x06054b50
    ushort   elDiskNumber;
    ushort   elStartDiskNumber;
    ushort   elEntriesOnDisk;
    ushort   elEntriesInDirectory;
    uint     elDirectorySize;
    uint     elDirectoryOffset;
    ushort   elCommentLength;
    if( elCommentLength > 0 )
        char    elComment[ elCommentLength ];
} ZIPENDLOCATOR;

//--------------------------------------------

// Custom read functions that allow the name
//  of the file to appear in the Template Results.

string ReadZIPFILERECORD( ZIPFILERECORD &file )
{
    if( exists( file.frFileName ) )
        return file.frFileName;
    else
        return "";
}

string ReadZIPDIRENTRY( ZIPDIRENTRY &entry )
{
    if( exists( entry.deFileName ) )
        return entry.deFileName;
    else
        return "";
}

// Custom write function that allows changing
//  the name of the file - note that the file
//  name size cannot be increased

void WriteZIPFILERECORD( ZIPFILERECORD &file, string s )
{
    local int len = Strlen( s );
    if( exists( file.frFileName ) )
    {
        Strncpy( file.frFileName, s, file.frFileNameLength );
        if( len < file.frFileNameLength )
            file.frFileName[len] = 0; //null terminate        
    }
}

//--------------------------------------------

// Define the file
local uint tag;
LittleEndian(); 
local ushort localFlags;   // flag word read from the local file header a directory entry points to
while( !FEof() )
{
    // Read a tag
    tag = ReadUInt( FTell() );

    // Read data depending upon tag - should start with 'PK'.
    // Note that when duplicate variables are defined, they
    // are made into an array (see 'Using Templates and Structs'
    // in the help file).
    if( tag == 0x04034b50 )
    {
        SetBackColor( cLtGray );
        ZIPFILERECORD record;
    }
    else if( tag == 0x08074b50 )
    {
        SetBackColor( cLtGreen );
        ZIPDATADESCR dataDescr;
    }
    else if( tag == 0x02014b50 )
    {   
        SetBackColor( cLtPurple );
        ZIPDIRENTRY dirEntry;

        // Pseudo-encryption check: the central directory entry has the
        // encryption bit (bit 0 of the general-purpose flag, e.g. 0x0009)
        // set, but the local file header it points to does not (0x0000).
        // The flag word sits 6 bytes into the local header (4-byte
        // signature + 2-byte version), so read it at deHeaderOffset + 6
        // rather than relying on whichever local record was parsed last.
        localFlags = ReadUShort( dirEntry.deHeaderOffset + 6 );
        if( (dirEntry.deFlags & 1) && !(localFlags & 1) )
        {
            Printf( "what fake zip! central flags 0x%04X, local flags 0x%04X at offset %u\n",
                    dirEntry.deFlags, localFlags, dirEntry.deHeaderOffset );
        }
    }
    else if( tag == 0x05054b50 )
    {
        SetBackColor( cLtBlue );
        ZIPDIGITALSIG digitalSig;
    }
    else if( tag == 0x06054b50 )
    {
        SetBackColor( cLtYellow );
        ZIPENDLOCATOR endLocator;
    }
    else
    {
        Warning( "Unknown ZIP tag encountered. Template stopped." );
        return -1;
    }
}
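The same check the template performs, plus the byte patch the post says a template cannot do, as an added Python example that is not part of the original post or of the 010 Editor template. It walks the central directory, compares each entry's flag word with the one in the local file header it points to, and clears only the bogus encryption bit; the sample archive is constructed in memory and its central-directory flag word is patched to 0x0009 to mimic the figure.

```python
import io, struct, zipfile
LOCAL_SIG, CENTRAL_SIG, END_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ENC_BIT = 0x0001  # bit 0 of the general-purpose flag word means "encrypted"

def central_entries(data):
    """Yield (flag_word_offset, flags, local_header_offset, name) for each central directory entry."""
    end = data.rfind(END_SIG)
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    count, pos = struct.unpack_from("<H", data, end + 10)[0], struct.unpack_from("<I", data, end + 16)[0]
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        header_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos + 8, flags, header_off, name
        pos += 46 + name_len + extra_len + comment_len

def local_flags(data, header_off):
    """Flag word of the local file header: 6 bytes in (4-byte signature + 2-byte version)."""
    if data[header_off:header_off + 4] != LOCAL_SIG:
        raise ValueError("offset %d is not a local file header" % header_off)
    return struct.unpack_from("<H", data, header_off + 6)[0]

def find_pseudo_encryption(data):
    """Names whose central entry claims encryption while the local header does not (0x0009 vs 0x0000)."""
    return [name for _, cd_flags, hdr, name in central_entries(data)
            if cd_flags & ENC_BIT and not local_flags(data, hdr) & ENC_BIT]

def clear_pseudo_encryption(data):
    """Copy of the archive with the bogus encryption bit cleared in the central directory only."""
    buf = bytearray(data)
    for flag_off, cd_flags, hdr, _ in central_entries(data):
        if cd_flags & ENC_BIT and not local_flags(data, hdr) & ENC_BIT:
            struct.pack_into("<H", buf, flag_off, cd_flags & ~ENC_BIT)
    return bytes(buf)

def read_member(data, name):  # stdlib view: a pseudo-encrypted member makes zipfile demand a password
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def make_pseudo_encrypted_sample():  # constructed sample: plain archive, central flag word patched to 0x0009
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "hello from a constructed sample\n")
    buf = bytearray(mem.getvalue())
    struct.pack_into("<H", buf, next(central_entries(bytes(buf)))[0], 0x0009)
    return bytes(buf)
```

Genuinely encrypted archives set the bit in both headers, so the comparison, not the bit alone, is what distinguishes pseudo-encryption.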

Tags: CTF Information Security

Posted on Thu, 09 Sep 2021 13:16:03 -0400 by Stevis2002