rex-encoder 0.1.0

data/lib/rex/encoding/xor/byte.rb

@@ -0,0 +1,15 @@
+# -*- coding: binary -*-
+
+require 'rex/encoding/xor/generic'
+
+module Rex
+module Encoding
+module Xor
+
+class Byte < Generic
+
+  def Byte.keysize
+    1
+  end
+
+end end end end # Byte/Xor/Encoding/Rex

data/lib/rex/encoding/xor/dword.rb

@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+
+require 'rex/encoding/xor/generic'
+
+#
+# Routine for xor encoding a buffer by a 2-byte (intel word) key.  The perl
+# version used to pad this buffer out to a 2-byte boundary, but I can't think
+# of a good reason to do that anymore, so this doesn't.
+#
+
+module Rex
+module Encoding
+module Xor
+
+class Dword < Generic
+
+  def Dword.keysize
+    4
+  end
+
+end end end end # Dword/Xor/Encoding/Rex

data/lib/rex/encoding/xor/dword_additive.rb

@@ -0,0 +1,92 @@
+# -*- coding: binary -*-
+
+require 'rex/encoding/xor/exceptions'
+require 'rex/encoding/xor/generic'
+
+#
+# Routine for xor encoding a buffer by a 2-byte (intel word) key.  The perl
+# version used to pad this buffer out to a 2-byte boundary, but I can't think
+# of a good reason to do that anymore, so this doesn't.
+#
+
+module Rex
+module Encoding
+module Xor
+
+class DwordAdditive < Generic
+
+  def DwordAdditive.keysize
+    4
+  end
+
+  def DwordAdditive._packspec
+    'V'
+  end
+
+  def DwordAdditive.pack_key(key)
+    return [ key ].pack(_packspec)
+  end
+  def DwordAdditive.unpack_key(key)
+    return key.unpack(_packspec)[0]
+  end
+
+  # hook in the key mutation routine of encode for the additive feedback
+  def DwordAdditive._encode_mutate_key(buf, key, pos, len)
+    if (pos + 1) % len == 0
+      # add the last len bytes (in this case 4) with the key,
+      # dropping off any overflow
+      key = pack_key(
+        unpack_key(key) + unpack_key(buf[pos - (len - 1), len]) &
+          (1 << (len << 3)) - 1
+      )
+    end
+
+    return key
+  end
+
+  #
+  # I realize this algorithm is broken.  We invalidate some keys
+  # in _find_bad_keys that could actually be perfectly fine.  However,
+  # it seems to work ok for now, and this is all just a lame adhoc method.
+  # Maybe someday we can revisit this and make it a bit less ghetto...
+  #
+
+  def DwordAdditive._find_good_key(data, badkeys, badchars)
+
+    ksize  = keysize
+    kstart = ""
+    ksize.times { kstart << rand(256) } # random key starting place
+
+    key = kstart.dup
+
+    #
+    # now for the ghettoness of an algorithm:
+    #  try the random key we picked
+    #  if the key failed, figure out which key byte corresponds
+    #  increment that key byte
+    #  if we wrapped a byte all the way around, fail :(
+    #
+
+    loop do
+      # ok, try to encode it, any bad chars present?
+      pos = _check(data, key, badchars)
+
+      # yay, no problems, we found a key!
+      break if !pos
+
+      strip = pos % ksize
+
+      # increment the offending key byte
+      key[strip] = key[strip] + 1 & 0xff
+
+      # We wrapped around!
+      if key[strip] == kstart[strip]
+        raise KeySearchError, "Key space exhausted on strip #{strip}!", caller
+      end
+    end
+
+    return key
+  end
+
+end end end end # DwordAdditive/Xor/Encoding/Rex
+

data/lib/rex/encoding/xor/exceptions.rb

@@ -0,0 +1,17 @@
+# -*- coding: binary -*-
+
+module Rex
+module Encoding
+module Xor
+
+module Exception
+
+end
+
+class KeySearchError < ::Exception
+  include Exception
+  MSG = "Error finding a key."
+end
+
+end end end
+

data/lib/rex/encoding/xor/generic.rb

@@ -0,0 +1,146 @@
+# -*- coding: binary -*-
+
+require 'rex/encoding/xor/exceptions'
+require 'rex/text'
+
+module Rex
+module Encoding
+module Xor
+
+class Generic
+
+  def Generic.keysize
+    # special case:
+    # 0 means we encode based on the length of the key
+    # we don't enforce any perticular key length
+    return 0
+  end
+
+  #
+  # Now for some internal check methods
+  #
+
+  # hook stylies!
+  # return index of offending byte or nil
+  def Generic._check(data, key, badchars)
+    return _check_key(key, badchars) || _check_encode(data, key, badchars)
+  end
+  def Generic._check_key(key, badchars)
+    return Rex::Text.badchar_index(key, badchars)
+  end
+  def Generic._check_encode(data, key, badchars)
+    return Rex::Text.badchar_index(encode(data, key), badchars)
+  end
+
+  def Generic.find_key(data, badchars)
+    return _find_good_key(data, _find_bad_keys(data, badchars), badchars)
+  end
+
+  # !!! xxx MAKE THESE PRIVATE
+
+  #
+  # Find a list of bytes that can't be valid xor keys, from the data and badchars.
+  # This returns a Array of hashes, length keysize
+  #
+  def Generic._find_bad_keys(data, badchars)
+
+    ksize = keysize
+
+    # array of hashes for the bad characters based
+    # on their position in the data
+    badkeys = [ ]
+    ksize.times { badkeys << { } }
+
+    badchars.each_byte { |badchar|
+      pos = 0
+      data.each_byte { |char|
+        badkeys[pos % ksize][char ^ badchar] = true
+        pos += 1
+      }
+    }
+
+    return badkeys
+  end
+
+  #
+  # (Hopefully) find a good key, from badkeys and badchars
+  #
+  def Generic._find_good_key(data, badkeys, badchars)
+
+    ksize = keysize
+    strip = 0
+    key   = ""
+
+    while strip < keysize
+
+      kbyte = rand(256)
+
+      catch(:found_kbyte) do
+        256.times {
+
+          if !badkeys[strip][kbyte] && !badchars[kbyte.chr]
+            throw :found_kbyte
+          end
+
+          kbyte = (kbyte + 1) & 0xff
+        }
+
+        raise KeySearchError, "Exhausted byte space for strip #{strip}!", caller
+      end
+
+      key << kbyte
+      strip += 1
+    end
+
+    # ok, we should have a good key now, lets double check...
+    if _check(data, key, badchars)
+      raise KeySearchError, "Key found, but bad character check failed!", caller
+    end
+
+    return key
+  end
+
+  def Generic.encode(buf, key)
+
+    if !key.kind_of?(String)
+      raise ::ArgumentError, "Key must be a string!", caller
+    end
+
+    len = key.length
+
+    if len == 0
+      raise ::ArgumentError, "Zero key length!", caller
+    end
+
+    if keysize != 0 && keysize != len
+      raise ::ArgumentError, "Key length #{len}, expected #{keysize}", caller
+    end
+
+    encoded = ""
+    pos     = 0
+
+    while pos < buf.length
+      encoded += (buf[pos,1].unpack("C*")[0] ^ key[pos % len, 1].unpack("C*")[0]).chr
+      key = _encode_mutate_key(buf, key, pos, len)
+      pos += 1
+    end
+
+    return [ encoded, key ]
+
+  end
+
+  # kind of ghetto, but very convenient for mutating keys
+  # by default, do no key mutations
+  def Generic._encode_mutate_key(buf, key, pos, len)
+    return key
+  end
+
+  # maybe a bit a smaller of method name?
+  def Generic.find_key_and_encode(data, badchars)
+    key        = find_key(data, badchars)
+    enc, fkey  = encode(data, key)
+    return [ enc, key, fkey ]
+  end
+
+
+end end end end # Generic/Xor/Encoding/Rex

data/lib/rex/encoding/xor/qword.rb

@@ -0,0 +1,15 @@
+# -*- coding: binary -*-
+
+require 'rex/encoding/xor/generic'
+
+module Rex
+module Encoding
+module Xor
+
+class Qword < Generic
+
+  def Qword.keysize
+    8
+  end
+
+end end end end

data/lib/rex/encoding/xor/word.rb

@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+
+require 'rex/encoding/xor/generic'
+
+#
+# Routine for xor encoding a buffer by a 2-byte (intel word) key.  The perl
+# version used to pad this buffer out to a 2-byte boundary, but I can't think
+# of a good reason to do that anymore, so this doesn't.
+#
+
+module Rex
+module Encoding
+module Xor
+
+class Word < Generic
+
+  def Word.keysize
+    2
+  end
+
+end end end end # Word/Xor/Encoding/Rex

data/lib/rex/poly.rb

@@ -0,0 +1,134 @@
+# -*- coding: binary -*-
+module Rex
+module Poly
+
+require 'rex/poly/register'
+require 'rex/poly/block'
+require 'rex/poly/machine'
+
+###
+#
+# This class encapsulates the state of a single polymorphic block set
+# generation.  It tracks the current set of consumed registers, the linear
+# list of blocks generated, the end-result buffer, and the phase of
+# generation.  The fields exposed by the State class are intended for use only
+# by the polymorphic generation subsystem and should not be modified directly.
+#
+###
+class State
+
+  #
+  # Initializes the polymorphic generation state.
+  #
+  def initialize
+    @block_list = nil
+    reset
+  end
+
+  #
+  # Resets the generation state to have a plain start by clearing all
+  # consumed registers, resetting the polymorphic buffer back to its
+  # beginning and destroying any block generation state.
+  #
+  def reset
+    # Reset the generation flag on any blocks in the block list
+    @block_list.each { |block|
+      block[0].generated = false
+    } if (@block_list)
+
+    @regnums     = Hash.new
+    @buffer      = ''
+    @block_list  = []
+    @curr_offset = 0
+    @first_phase = true
+    @badchars    = nil
+  end
+
+  #
+  # Returns true if the supplied register number is already consumed.
+  #
+  def consumed_regnum?(regnum)
+    @regnums[regnum]
+  end
+
+  #
+  # Consumes a register number, thus removing it from the pool that can be
+  # assigned.  The consumed register number is returned to the caller.
+  #
+  def consume_regnum(regnum)
+    raise RuntimeError, "Register #{regnum} is already consumed." if (consumed_regnum?(regnum))
+
+    @regnums[regnum] = true
+
+    regnum
+  end
+
+  #
+  # Acquires a register number that has not already been consumed from the
+  # supplied register number set and consumes it, returning the selected
+  # register number to the caller.  The register number is selected from the
+  # set at random.
+  #
+  def consume_regnum_from_set(regnum_set)
+    # Pick a random starting point within the supplied set.
+    idx = rand(regnum_set.length)
+
+    # Try each index in the set.
+    regnum_set.length.times { |x|
+      regnum = regnum_set[(idx + x) % regnum_set.length]
+
+      next if (consumed_regnum?(regnum))
+
+      return consume_regnum(regnum)
+    }
+
+    # If we get through the entire iteration without finding a register,
+    # then we are out of registers to assign.
+    raise RuntimeError, "No registers are available to consume from the set"
+  end
+
+  #
+  # Eliminates a register number from the consumed pool so that it can be
+  # used in the future.  This happens after a block indicates that a register
+  # has been clobbered.
+  #
+  def defecate_regnum(regnum)
+    @regnums.delete(regnum)
+  end
+
+  #
+  # The buffer state for the current polymorphic generation.  This stores the
+  # end-result of a call to generate on a LogicalBlock.
+  #
+  attr_accessor :buffer
+
+  #
+  # The linear list of blocks that is generated by calling the generate
+  # method on a LogicalBlock.
+  #
+  attr_accessor :block_list
+
+  #
+  # The current offset into the polymorphic buffer that is being generated.
+  # This is updated as blocks are appended to the block_list.
+  #
+  attr_accessor :curr_offset
+
+  #
+  # A boolean field that is used by the LogicalBlock class to track whether
+  # or not it is in the first phase (generating the block list), or in the
+  # second phase (generating the polymorphic buffer).  This phases are used
+  # to indicate whether or not the offset_of and regnum_of methods will
+  # return actual results.
+  #
+  attr_accessor :first_phase
+
+  #
+  # Characters to avoid when selecting permutations, if any.
+  #
+  attr_accessor :badchars
+
+end
+
+end
+end