Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"

Xor decode from pcap file

by mabossert (Scribe)
on Jun 18, 2011 at 17:50 UTC ( #910345=perlquestion: print w/replies, xml ) Need Help??
mabossert has asked for the wisdom of the Perl Monks concerning the following question:

Please be gentle, this is the first time I have posted a question.

I have done several searches, but cannot seem to get any of the examples to work...I am OK with extracting the payload from each packet in the pcap...What I am falling short on is the Xor operation. Ideally, I would like to decode each payload and put it back into the packet so that I can open the file back up in wireshark and analyze the decoded packets:

Any help would be greatly appreciated! As a side note, I have considered writing a wireshark protocol dissector, but unfortunately, I cannot compile on this computer, nor can I do it at home and bring the compiled dissector in...

I have a payload which contains the following:
03 76 2c ef a7 ff e5
The second two bytes are used as a key to decode the rest of the payload such that they are Xor'd against the remaining data like the example below:

03 76 2c ef a7 ff e5
              76 2c76 2c
             99 8b 89 c9

I have tried different approaches to this, here is my current code and a big empty where I am stuck:

#!C:/Perl/bin/Perl.exe -w use strict; use warnings; use Carp qw (cluck confess croak); use Net::Pcap; use NetPacket; use NetPacket::Ethernet qw(:strip); use NetPacket::IP; use NetPacket::UDP; use NetPacket::TCP; use List::Util qw( sum ); my $err; my $pcap = Net::Pcap::pcap_open_offline('FILE LOCATION', \$err) or con +fess; Net::Pcap::pcap_loop($pcap,-1,\&process_packet,undef); sub process_packet { my ($user_data, $header, $packet) = @_; my $rec = parse_packet($packet); } sub parse_packet { my $packet = shift; my $ip_obj=NetPacket::IP->decode(eth_strip($packet)); my $udp_obj=NetPacket::UDP->decode($ip_obj->{data}); my $hexString=unpack("H$udp_obj->{len}",$udp_obj->{data}); if(substr($hexString,0,2) eq '03' && $udp_obj->{len} > 3) { # print "UDP OBJ LEN: $udp_obj->{len} : ".substr($hexString,0,$ +udp_obj->{len})."\n"; my $xorKey=substr($hexString,2,4); my $encryptedData=substr($hexString,6,$udp_obj->{len}); my $decryptedData=sum(map(hex,unpack '(a4)*',$encryptedData)) +& map(hex,unpack '(a4)*',$xorKey); print $decryptedData."\n"; # my @inBytes=unpack("(A2)*",$hexString); # my $xorKey="$inBytes[1]$inBytes[2]"; # print $xorKey ^ (sum(map (hex,unpack '(a4)*',substr($hexStrin +g,2,$udp_obj->{len})))); } }

Replies are listed 'Best First'.
Re: Xor decode from pcap file
by AnomalousMonk (Chancellor) on Jun 18, 2011 at 18:34 UTC

    Maybe something like this:

    >perl -wMstrict -le "my $binary = pack 'H*', '03762cefa7ffe5'; printf '%02x ', $_ for unpack 'C*', $binary; print ''; ;; my ($p, $q) = unpack 'xCC', $binary; my $pairs = (length($binary) - 3) / 2; my $k = pack 'C*', 0, 0, 0, ($p, $q) x $pairs; printf '%02x ', $_ for unpack 'C*', $k; print ''; ;; my $decode = $binary ^ $k; printf '%02x ', $_ for unpack 'C*', $decode; " 03 76 2c ef a7 ff e5 00 00 00 76 2c 76 2c 03 76 2c 99 8b 89 c9
      Sweet! That seems to have done the trick...Thank you so much. I have a huge headache from banging my head on the wall trying to figure out how to accomplish this. Now all I have to do is figure out what the heck the decoded data means...Thanks again!!!!
        Would you mind posting the completed code?

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://910345]
Approved by moritz
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (7)
As of 2018-05-21 10:03 GMT
Find Nodes?
    Voting Booth?