-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathwinscp-deobfuscator.py
92 lines (72 loc) · 2.71 KB
/
winscp-deobfuscator.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
import argparse
class Decrypter:
SIMPLE_STRING = "0123456789ABCDEF"
SIMPLE_MAGIC = 0xA3
def __init__(self, password):
self.data = password
def next(self):
a = self.SIMPLE_STRING.index(self.data[0])
b = self.SIMPLE_STRING.index(self.data[1])
result = ~(((a << 4) + b) ^ self.SIMPLE_MAGIC) % 256
self.discard(2)
return result
def discard(self, n=2):
self.data = self.data[n:]
def decrypt(hostname, username, password):
FLAG_SIMPLE = 0xFF
decrypter = Decrypter(password)
flag = decrypter.next()
if flag == FLAG_SIMPLE:
decrypter.discard(2)
length = decrypter.next()
else:
length = flag
offset = decrypter.next()
decrypter.discard(offset*2)
result = "".join([chr(decrypter.next()) for i in range(length)])
key = username + hostname
if flag == FLAG_SIMPLE and result.startswith(key):
return result[len(key):]
return result
def load_from_registry():
import winreg
results = []
with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Martin Prikryl\WinSCP 2\Sessions") as key:
count = winreg.QueryInfoKey(key)[0]
for i in range(count):
try:
session = winreg.EnumKey(key, i)
with winreg.OpenKey(key, session) as subkey:
hostname = winreg.QueryValueEx(subkey, "HostName")[0]
username = winreg.QueryValueEx(subkey, "UserName")[0]
obfuscated = winreg.QueryValueEx(subkey, "Password")[0]
password = decrypt(hostname, username, obfuscated)
results.append((hostname, username, password))
except FileNotFoundError:
pass
return results
def print_results(results, title=""):
width = 50
print("="*width)
print(("WinSCP deobfuscation" + title).center(width))
print("="*width)
for hostname, username, password in results:
print(" Host:", hostname)
print(" User:", username)
print(" Password:", password)
print("-"*width)
if __name__=="__main__":
#load_from_registry()
parser = argparse.ArgumentParser(description='Deobfuscate WinSCP password, using info either from registry (if no arguments are given) or from the command line.')
parser.add_argument('--hostname', type=str, help='HostName', required=False)
parser.add_argument('--username', type=str, help='UserName', required=False)
parser.add_argument('--hash', type=str, help='Password', required=False)
args = parser.parse_args()
if not (args.hostname or args.username or args.hash):
results = load_from_registry()
print_results(results, title=" from registry")
elif args.hostname and args.username and args.hash:
password = decrypt(args.hostname, args.username, args.hash)
print_results([(args.hostname, args.username, password)], title=" from command line")
else:
parser.error("When using external values, please provide hostname, username and hash.")