Overclock.net banner

1 - 3 of 3 Posts

·
Terrible at everything
Joined
·
1,136 Posts
Discussion Starter #1
One of my classes requires that I write a command and control server for a piece of malware that accepts commands that are Base64 encoded with a non-standard alphabet. It's not anything special really.<br><br>
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/<br>
This is the standard Base64 alphabet.<br><br>
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/<br>
This is the non-standard alphabet.<br><br>
I know that Python has a built-in library that handles Base64 conversion, but I can't seem to make it use the non-standard library. Any ideas?<br><br>
UPDATE: <span style="text-decoration:line-through;">Would replacing the characters after the Base64 coversion is run work? In theory, each character represents a specific numerical value 0-63. If I were to replace the character with the corresponding character, would that work?</span><br><br>
Yeahh... that idea won't work...
 

·
Registered
Joined
·
115 Posts
<div class="quote-container" data-huddler-embed="/t/1475505/python-base64-encoding-with-a-non-standard-alphabet#post_21976037" data-huddler-embed-placeholder="false"><span>Quote:</span>
<div class="quote-block">Originally Posted by <strong>Terrere</strong> <a href="/t/1475505/python-base64-encoding-with-a-non-standard-alphabet#post_21976037"><img alt="View Post" class="inlineimg" src="/img/forum/go_quote.gif"></a><br><br>
One of my classes requires that I write a command and control server for a piece of malware that accepts commands that are Base64 encoded with a non-standard alphabet. It's not anything special really.<br><br>
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/<br>
This is the standard Base64 alphabet.<br><br>
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/<br>
This is the non-standard alphabet.<br><br>
I know that Python has a built-in library that handles Base64 conversion, but I can't seem to make it use the non-standard library. Any ideas?<br><br>
UPDATE: <span style="text-decoration:line-through;">Would replacing the characters after the Base64 coversion is run work? In theory, each character represents a specific numerical value 0-63. If I were to replace the character with the corresponding character, would that work?</span><br><br>
Yeahh... that idea won't work...</div>
</div>
<br>
Your idea of replacing the characters should work. Use string.maketrans to create a translation table, and then use str.translate to use it.<br><div class="bbcode_code">
<div class="bbcode_code_head">Code:</div>
<pre>
<code>import string
import base64

STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
CUSTOM_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/'
ENCODE_TRANS = string.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
DECODE_TRANS = string.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)

def encode(input):
return base64.b64encode(input).translate(ENCODE_TRANS)

def decode(input):
return base64.b64decode(input.translate(DECODE_TRANS))</code>
</pre></div>
 
  • Rep+
Reactions: Terrere

·
Terrible at everything
Joined
·
1,136 Posts
Discussion Starter #3
<div class="quote-container" data-huddler-embed="/t/1475505/python-base64-encoding-with-a-non-standard-alphabet/0_30#post_21976685" data-huddler-embed-placeholder="false"><span>Quote:</span>
<div class="quote-block">Originally Posted by <strong>jvolkman</strong> <a href="/t/1475505/python-base64-encoding-with-a-non-standard-alphabet/0_30#post_21976685"><img alt="View Post" class="inlineimg" src="/img/forum/go_quote.gif"></a><br><br>
Your idea of replacing the characters should work. Use string.maketrans to create a translation table, and then use str.translate to use it.<br><div class="bbcode_code">
<div class="bbcode_code_head">Code:</div>
<pre>
<code>import string
import base64

STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
CUSTOM_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/'
ENCODE_TRANS = string.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
DECODE_TRANS = string.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)

def encode(input):
return base64.b64encode(input).translate(ENCODE_TRANS)

def decode(input):
return base64.b64decode(input.translate(DECODE_TRANS))</code>
</pre></div>
</div>
</div>
<br>
Wow, thanks for the reply. I figured out last night that I could create a for loop to do the translations. When I was doing the conversions, I was using documentation from a report on the malware to compare my conversions. The tail end of the command was correct, but the conversion of the 6 "#" symbols didn't convert well. Your version is actually cleaner and more efficient than my loop.<br><div class="bbcode_code">
<div class="bbcode_code_head">Code:</div>
<pre>
<code>import base64
import string

custom = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/"
Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
s = ""
encode = "######pslist"
result = base64.b64encode(encode);
for ch in result:
if (ch in custom):
s = s+custom[string.find(Base64,str(ch))]
elif (ch == '='):
s += "="</code>
</pre></div>
<br>
The loop also handles all of the padding. I came up with the base loop, but on checking for algorithms I had forgotten the presence of "=" paddings in Base64 and had to steal the idea from someone else.<br><br>
Thanks again for affirming my thought of substitution.
 
1 - 3 of 3 Posts
Top