
Xor decode from pcap file

by mabossert (Scribe)
on Jun 18, 2011 at 17:50 UTC (#910345=perlquestion)
mabossert has asked for the wisdom of the Perl Monks concerning the following question:

Please be gentle, this is the first time I have posted a question.

I have done several searches, but cannot seem to get any of the examples to work. I am OK with extracting the payload from each packet in the pcap; what I am falling short on is the XOR operation. Ideally, I would like to decode each payload and put it back into the packet so that I can open the file back up in Wireshark and analyze the decoded packets:

Any help would be greatly appreciated! As a side note, I have considered writing a Wireshark protocol dissector, but unfortunately, I cannot compile on this computer, nor can I do it at home and bring the compiled dissector in...

I have a payload which contains the following:

03 76 2c ef a7 ff e5

The second and third bytes are used as a key to decode the rest of the payload: they are XOR'd against the remaining data, repeating the key, like the example below:

03 76 2c ef a7 ff e5
         76 2c 76 2c
         99 8b 89 c9

I have tried different approaches to this; here is my current code, with a big empty spot where I am stuck:

#!C:/Perl/bin/Perl.exe -w
use strict;
use warnings;
use Carp qw(cluck confess croak);
use Net::Pcap;
use NetPacket;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP qw(:protos);
use NetPacket::UDP;
use NetPacket::TCP;

my $err;
my $pcap = Net::Pcap::pcap_open_offline('FILE LOCATION', \$err)
    or confess "pcap_open_offline failed: $err";
Net::Pcap::pcap_loop($pcap, -1, \&process_packet, undef);
Net::Pcap::pcap_close($pcap);

sub process_packet {
    my ($user_data, $header, $packet) = @_;
    my $rec = parse_packet($packet);
    print unpack('H*', $rec), "\n" if defined $rec;
}

sub parse_packet {
    my $packet = shift;
    my $ip_obj = NetPacket::IP->decode(eth_strip($packet));
    # Only UDP carries this payload; do not feed TCP/ICMP data to the UDP decoder.
    return unless $ip_obj->{proto} == IP_PROTO_UDP;
    my $udp_obj = NetPacket::UDP->decode($ip_obj->{data});
    # Work on the raw payload bytes. Note that $udp_obj->{len} includes the
    # 8-byte UDP header and that "H<n>" counts hex digits, not bytes, so
    # unpack("H$udp_obj->{len}", ...) only ever returned half the payload.
    my $data = $udp_obj->{data};
    # Need the 0x03 type byte, the 2-byte key and at least one byte to decode.
    return unless length($data) > 3 && ord($data) == 0x03;
    my $xorKey        = substr($data, 1, 2);
    my $encryptedData = substr($data, 3);
    # Repeat the 2-byte key to the payload length and XOR the two strings;
    # Perl's ^ on two byte strings XORs them byte for byte.
    my $keyStream = substr($xorKey x (int(length($encryptedData) / 2) + 1),
                           0, length $encryptedData);
    my $decryptedData = $encryptedData ^ $keyStream;
    return $decryptedData;
}

Replies are listed 'Best First'.
Re: Xor decode from pcap file
by AnomalousMonk (Canon) on Jun 18, 2011 at 18:34 UTC

    Maybe something like this:

    >perl -wMstrict -le
    "my $binary = pack 'H*', '03762cefa7ffe5';
    printf '%02x ', $_ for unpack 'C*', $binary; print '';
    ;;
    my ($p, $q) = unpack 'xCC', $binary;
    my $pairs = (length($binary) - 3) / 2;
    my $k = pack 'C*', 0, 0, 0, ($p, $q) x $pairs;
    printf '%02x ', $_ for unpack 'C*', $k; print '';
    ;;
    my $decode = $binary ^ $k;
    printf '%02x ', $_ for unpack 'C*', $decode;
    "
    03 76 2c ef a7 ff e5
    00 00 00 76 2c 76 2c
    03 76 2c 99 8b 89 c9
      Sweet! That seems to have done the trick...Thank you so much. I have a huge headache from banging my head on the wall trying to figure out how to accomplish this. Now all I have to do is figure out what the heck the decoded data means...Thanks again!!!!
        Would you mind posting the completed code?
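Since the completed code was never posted, here is an added example (not code from the original question or from AnomalousMonk's reply) that does what the question asks for: it applies the same 2-byte repeating-key XOR as the one-liner above, but to every 0x03 UDP payload in a pcap, and writes the decoded packets back out so the file opens in Wireshark. It is pure pack/unpack with no CPAN modules, so it can be checked offline. Assumptions: a classic little-endian pcap (not pcapng), Ethernet/IPv4/UDP frames, the 0x03 marker and key layout exactly as described in the question; the sample capture, addresses and ports are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread: decode 0x03-type UDP
# payloads (byte 0 = marker, bytes 1-2 = XOR key, rest XORed with the key
# repeated, as described in the question) and write the decoded packets to
# a new pcap that Wireshark can open. Pure pack/unpack, no CPAN modules.
# Assumptions: classic little-endian pcap (not pcapng), Ethernet/IPv4/UDP.
use strict;
use warnings;

# XOR-decode one payload. Returns undef for payloads that are not 0x03
# records or are too short. The marker and key bytes are kept in place so
# the packet length and framing stay the same; an odd-length body gets the
# first key byte for its last byte (the question's example is even-length).
sub xor_decode {
    my ($payload) = @_;
    return undef unless length($payload) > 3 && ord($payload) == 0x03;
    my $key  = substr($payload, 1, 2);
    my $body = substr($payload, 3);
    my $mask = substr($key x (int(length($body) / 2) + 1), 0, length $body);
    return substr($payload, 0, 3) . ($body ^ $mask);
}

# RFC 1071 one's-complement checksum over a byte string (IPv4 header here).
sub ip_checksum {
    my ($bytes) = @_;
    $bytes .= "\0" if length($bytes) % 2;
    my $sum = 0;
    $sum += $_ for unpack 'n*', $bytes;
    $sum = ($sum >> 16) + ($sum & 0xffff) while $sum >> 16;
    return ~$sum & 0xffff;
}

# Rewrite one captured frame. Anything that is not Ethernet/IPv4/UDP with a
# 0x03 payload is returned untouched so the output pcap stays complete.
sub decode_frame {
    my ($frame) = @_;
    return $frame if length($frame) < 14 + 20 + 8;
    return $frame unless unpack('n', substr($frame, 12, 2)) == 0x0800;  # IPv4
    my $ihl = (ord(substr($frame, 14, 1)) & 0x0f) * 4;
    return $frame unless ord(substr($frame, 14 + 9, 1)) == 17;          # UDP
    my $udp = 14 + $ihl;
    my $udp_len = unpack 'n', substr($frame, $udp + 4, 2);
    return $frame if $udp_len < 8 || $udp + $udp_len > length $frame;
    my $payload = substr($frame, $udp + 8, $udp_len - 8);
    my $decoded = xor_decode($payload);
    return $frame unless defined $decoded;
    # The old UDP checksum no longer matches the rewritten bytes; zero means
    # "no checksum" over IPv4, so Wireshark will not flag the packet as bad.
    substr($frame, $udp + 6, 2) = "\0\0";
    substr($frame, $udp + 8, length $payload) = $decoded;
    return $frame;
}

# Walk a pcap byte string and return a copy with matching payloads decoded.
sub rewrite_pcap {
    my ($in) = @_;
    die "not a little-endian classic pcap\n"
        unless length($in) >= 24 && unpack('V', $in) == 0xa1b2c3d4;
    my $out = substr($in, 0, 24);          # global header is copied as-is
    my $pos = 24;
    while ($pos + 16 <= length $in) {
        my ($sec, $usec, $caplen, $len) = unpack 'V4', substr($in, $pos, 16);
        my $frame = substr($in, $pos + 16, $caplen);
        last if length($frame) < $caplen;  # truncated capture: stop cleanly
        $out .= pack('V4', $sec, $usec, $caplen, $len) . decode_frame($frame);
        $pos += 16 + $caplen;
    }
    return $out;
}

# Constructed sample capture: one UDP datagram carrying the question's
# payload 03 76 2c ef a7 ff e5 (addresses and ports are made up).
sub build_sample_pcap {
    my $payload = pack 'H*', '03762cefa7ffe5';
    my $udp = pack('nnnn', 40000, 5555, 8 + length $payload, 0) . $payload;
    my $ip  = pack('CCnnnCCnNN', 0x45, 0, 20 + length $udp, 1, 0, 64, 17, 0,
                   0x0a000001, 0x0a000002);
    substr($ip, 10, 2) = pack 'n', ip_checksum($ip);
    my $frame = ("\xaa" x 6) . ("\xbb" x 6) . pack('n', 0x0800) . $ip . $udp;
    return pack('VvvVVVV', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
         . pack('V4', 1308419400, 0, length $frame, length $frame) . $frame;
}

# Usage: perl xor_pcap.pl [in.pcap [out.pcap]]; with no arguments it runs
# on the constructed sample and prints the last 7 bytes before and after.
my $in = build_sample_pcap();
if (@ARGV) {
    open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!";
    local $/; $in = <$fh>;
}
my $out = rewrite_pcap($in);
if (@ARGV > 1) {
    open my $fh, '>:raw', $ARGV[1] or die "$ARGV[1]: $!";
    print $fh $out;
}
printf "before: %s\nafter:  %s\n",
    unpack('H*', substr($in, -7)), unpack('H*', substr($out, -7));
```

On the constructed sample this prints 03762cefa7ffe5 before and 03762c998b89c9 after, matching the question's worked example. Two points worth knowing before running it on a real capture: the marker and key bytes are deliberately left in the packet so lengths and offsets do not shift, and the UDP checksum is zeroed rather than recomputed, which is valid for IPv4 but would not be for IPv6, where the checksum is mandatory. Perl's string `^` pads the shorter operand with zero bytes, so if you build the key stream too short (as a key repeated `(length - 3) / 2` times does for an odd-length payload) the trailing byte silently comes through undecoded; the repeat-then-truncate in `xor_decode` avoids that.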

Node Type: perlquestion [id://910345]
Approved by moritz