import os, sys, struct, zlib, hashlib | |
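def unpack(data):
    """Parse a package blob and return its members plus a tamper hint.

    The container is read back-to-front.  A 9-byte trailer (package
    version, compression level, file count) sits at the very end; in front
    of it is one 16-byte entry per member (unpacked size, packed size,
    offset of the member's first chunk, filename length), each entry
    immediately preceded by its filename bytes.  Member payloads live
    earlier in the blob as a run of ``<u32 chunk_len><zlib stream>`` chunks
    whose ``chunk_len`` values add up to ``packed_size``.

    Args:
        data: the whole package as ``bytes``.

    Returns:
        ``(files, tampered)``.  ``files`` is a list of
        ``(filename_bytes, contents_bytes)`` in table order.  ``tampered``
        is True when an entry's chunk offset is lower than the previous
        entry's, i.e. payloads are not laid out in table order; the caller
        reports that as possible tampering.

    Raises:
        ValueError: the trailer, an entry or a chunk points outside
            ``data``; the chunk lengths do not add up to ``packed_size``;
            a zlib stream is incomplete; or the inflated size differs from
            the recorded ``unpacked_size``.
        zlib.error: a chunk is not a valid zlib stream.
    """
    total = len(data)
    if total < 9:
        raise ValueError("package too short to hold a trailer")
    pkg_ver, compress_level, num_files = struct.unpack("<BII", data[-9:])
    # pkg_ver / compress_level are decoded but not needed for extraction.

    files = []
    tampered = False
    prev_file_start = None
    index = total - 9
    for _ in range(num_files):
        # A negative slice start would silently wrap to the end of the
        # buffer, so bound the table walk explicitly.
        if index < 16:
            raise ValueError("file table runs past the start of the package")
        unpacked_size, packed_size, file_start, filename_len = struct.unpack(
            "<IIII", data[index - 16:index]
        )
        filename_end = index - 16
        index = filename_end - filename_len
        if index < 0:
            raise ValueError("filename runs past the start of the package")
        filename = data[index:filename_end]

        filedata = bytearray()
        offset = file_start
        remaining = packed_size
        while remaining > 0:
            if offset + 4 > total:
                raise ValueError("chunk header lies outside the package")
            clen = struct.unpack_from("<I", data, offset)[0]
            chunk_start = offset + 4
            chunk_end = chunk_start + clen
            if chunk_end > total:
                raise ValueError("chunk data lies outside the package")
            # Cap the inflate at the size the table promised (+1 so an
            # oversize stream is still caught below) instead of letting an
            # untrusted stream expand without limit.
            inflater = zlib.decompressobj()
            filedata += inflater.decompress(
                data[chunk_start:chunk_end], unpacked_size - len(filedata) + 1
            )
            if len(filedata) > unpacked_size:
                raise ValueError("decompressed data exceeds unpacked_size")
            if not inflater.eof:
                raise ValueError("incomplete zlib stream in chunk")
            remaining -= clen
            offset = chunk_end
        if remaining != 0:
            raise ValueError("chunk lengths do not add up to packed_size")
        if len(filedata) != unpacked_size:
            raise ValueError("decompressed size does not match unpacked_size")
        files.append((filename, bytes(filedata)))

        # Payloads normally sit in ascending offset order; a backwards jump
        # is what the caller reports as "reverse file order".
        if prev_file_start is not None and file_start < prev_file_start:
            tampered = True
        prev_file_start = file_start
    return files, tampered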
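root = sys.argv[1]

# Indicators of a tampered package, checked in this order against every
# unpacked member; the first hit is reported and the scan of that package
# stops.  Each entry is (where, needle, message): ``where`` is "name" to
# match against the member's filename, "data" to match its contents.
_INDICATORS = (
    ("data", b"86724794f8a0fcb0c129b979e7af2e1e", "standard 2048 bit neuter RSA key"),
    ("data", b"bf973e24beb372c12bea4494450afaee", "standard 1024 bit neuter RSA key"),
    ("data", b"invalidxx.example.com", "invalidxx domain"),
    ("data", b"invalid00.example.com", "invalid00 domain"),
    ("data", b"10.0.0.100", "ip address 10.0.0.100"),
    ("data", b"127.0.0.1:27030", "ip address 127.0.0.1:27030"),
    ("name", b"d4cac", "cracked cacdll"),
    ("data", b"d4cas.ath.cx", "d4cas.ath.cx domain"),
)

for filename in os.listdir(root):
    # Skip the updater binary and detached signature files next to the packages.
    if "LinuxHldsUpdateTool" in filename or "_rsa_signature" in filename:
        continue
    fullname = os.path.join(root, filename)
    if os.path.isdir(fullname):
        continue
    with open(fullname, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()

    # A package that will not parse is worth reporting rather than letting
    # it abort the scan of the remaining files; unpack() signals malformed
    # input with a plain Exception, so the boundary has to be this broad.
    try:
        files, tampered = unpack(data)
    except Exception as exc:  # noqa: BLE001 - per-file boundary in a CLI scanner
        print("could not unpack package", filename, digest, repr(exc))
        print()
        continue

    if tampered:
        print("reverse file order, maybe tampered")
    for member_name, member_data in files:
        hit = next(
            (
                message
                for where, needle, message in _INDICATORS
                if needle in (member_name if where == "name" else member_data)
            ),
            None,
        )
        if hit is not None:
            print(hit)
            tampered = True
            break

    if tampered:
        print("package shows signs of tampering", filename, digest)
    else:
        print("------ might be clean", filename)
    print()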