/usr/lib/python3/dist-packages/binwalk/plugins/arcadyan.py is in python3-binwalk 2.1.1-16.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
import os
import binwalk.core.common
import binwalk.core.plugin
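class ArcadyanDeobfuscator(binwalk.core.plugin.Plugin):
    '''
    Deobfuscator for known Arcadyan firmware obfuscation(s).

    The scheme reversed here touches only two 32-byte blocks near the start
    of the image: the blocks at BLOCK1_OFFSET and BLOCK2_OFFSET are swapped,
    then every byte now sitting in block 1 has its nibbles swapped, and
    finally each adjacent byte pair in block 1 is swapped. Everything else in
    the file is copied through unchanged.
    '''
    MODULES = ['Signature']

    OBFUSCATION_MAGIC_SIZE = 4
    # NOTE(review): MAX_IMAGE_SIZE is not referenced anywhere in this class,
    # so the size of the input read by extractor() is not bounded by it.
    MAX_IMAGE_SIZE = 0x1B0000
    BLOCK_SIZE = 32
    BLOCK1_OFFSET = 4
    BLOCK2_OFFSET = 0x68
    # Smallest input on which every slice below is guaranteed to be full.
    MIN_FILE_SIZE = (OBFUSCATION_MAGIC_SIZE + BLOCK2_OFFSET + BLOCK_SIZE)

    BLOCK1_START = BLOCK1_OFFSET
    BLOCK1_END = BLOCK1_START + BLOCK_SIZE

    BLOCK2_START = BLOCK2_OFFSET
    BLOCK2_END = BLOCK2_OFFSET + BLOCK_SIZE

    # P1/P2/P3 are the untouched regions before, between and after the blocks.
    P1_START = 0
    P1_END = BLOCK1_OFFSET

    P2_START = BLOCK1_END
    P2_END = BLOCK2_START

    P3_START = BLOCK2_END

    def init(self):
        '''
        Register extractor() as the handler for results whose description
        starts with "obfuscated arcadyan firmware", if extraction is enabled.
        '''
        if self.module.extractor.enabled:
            self.module.extractor.add_rule(regex="^obfuscated arcadyan firmware",
                                           extension="obfuscated",
                                           cmd=self.extractor)

    def extractor(self, fname):
        '''
        Deobfuscate the file at fname and write the result beside it.

        The output path is fname with its extension replaced by
        ".deobfuscated". Returns True if an output file was written, False if
        the input is shorter than MIN_FILE_SIZE.

        The input is carved firmware data and should be treated as untrusted:
        the length check is the only validation performed, and the whole file
        is read into memory at once.
        '''
        fname = os.path.abspath(fname)

        # Close the handle even if the read raises.
        infile = binwalk.core.common.BlockFile(fname, "rb")
        try:
            obfuscated = infile.read()
        finally:
            infile.close()

        # Too short to contain both blocks: nothing to deobfuscate.
        if len(obfuscated) < self.MIN_FILE_SIZE:
            return False

        p1 = obfuscated[self.P1_START:self.P1_END]
        b1 = obfuscated[self.BLOCK1_START:self.BLOCK1_END]
        p2 = obfuscated[self.P2_START:self.P2_END]
        b2 = obfuscated[self.BLOCK2_START:self.BLOCK2_END]
        p3 = obfuscated[self.P3_START:]

        # After the block swap, block 1 holds what was block 2; the remaining
        # two steps apply to that data only.
        # NOTE(review): ord()/chr() and str joins assume BlockFile.read()
        # yields a text string with one character per byte - confirm.

        # Nibble-swap each byte in block 1
        block1 = ''.join(chr(((ord(c) & 0x0F) << 4) + ((ord(c) & 0xF0) >> 4))
                         for c in b2)

        # Byte-swap each byte pair in block 1 (BLOCK_SIZE is even)
        block1 = ''.join(block1[i + 1] + block1[i]
                         for i in range(0, self.BLOCK_SIZE, 2))

        deobfuscated = p1 + block1 + p2 + b1 + p3

        # NOTE(review): opened with "wb", so an existing file at this path is
        # presumably overwritten without warning - confirm.
        out = binwalk.core.common.BlockFile((os.path.splitext(fname)[0] + '.deobfuscated'), "wb")
        try:
            out.write(deobfuscated)
        finally:
            out.close()
        return True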