Overclock.net banner

1 - 3 of 3 Posts

·
Terrible at everything
Joined
·
1,136 Posts
Discussion Starter · #1 ·
One of my classes requires that I write a command and control server for a piece of malware that accepts commands that are Base64 encoded with a non-standard alphabet. It's not anything special really.

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
This is the standard Base64 alphabet.

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/
This is the non-standard alphabet.

I know that Python has a built-in library that handles Base64 conversion, but I can't seem to make it use the non-standard library. Any ideas?

UPDATE: Would replacing the characters after the Base64 coversion is run work? In theory, each character represents a specific numerical value 0-63. If I were to replace the character with the corresponding character, would that work?

Yeahh... that idea won't work...
 

·
Registered
Joined
·
115 Posts
Quote:
Originally Posted by Terrere View Post

One of my classes requires that I write a command and control server for a piece of malware that accepts commands that are Base64 encoded with a non-standard alphabet. It's not anything special really.

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
This is the standard Base64 alphabet.

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/
This is the non-standard alphabet.

I know that Python has a built-in library that handles Base64 conversion, but I can't seem to make it use the non-standard library. Any ideas?

UPDATE: Would replacing the characters after the Base64 coversion is run work? In theory, each character represents a specific numerical value 0-63. If I were to replace the character with the corresponding character, would that work?

Yeahh... that idea won't work...
Your idea of replacing the characters should work. Use string.maketrans to create a translation table, and then use str.translate to use it.

Code:

Code:
import string
import base64

STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
CUSTOM_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/'
ENCODE_TRANS = string.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
DECODE_TRANS = string.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)

def encode(input):
  return base64.b64encode(input).translate(ENCODE_TRANS)

def decode(input):
  return base64.b64decode(input.translate(DECODE_TRANS))
 

·
Terrible at everything
Joined
·
1,136 Posts
Discussion Starter · #3 ·
Quote:
Originally Posted by jvolkman View Post

Your idea of replacing the characters should work. Use string.maketrans to create a translation table, and then use str.translate to use it.

Code:

Code:
import string
import base64

STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
CUSTOM_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/'
ENCODE_TRANS = string.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
DECODE_TRANS = string.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)

def encode(input):
  return base64.b64encode(input).translate(ENCODE_TRANS)

def decode(input):
  return base64.b64decode(input.translate(DECODE_TRANS))
Wow, thanks for the reply. I figured out last night that I could create a for loop to do the translations. When I was doing the conversions, I was using documentation from a report on the malware to compare my conversions. The tail end of the command was correct, but the conversion of the 6 "#" symbols didn't convert well. Your version is actually cleaner and more efficient than my loop.

Code:

Code:
import base64
import string

custom = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/"
Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
s = ""
encode = "######pslist"
result = base64.b64encode(encode);
for ch in result:
    if (ch in custom):
        s = s+custom[string.find(Base64,str(ch))]
    elif (ch == '='):
            s += "="
The loop also handles all of the padding. I came up with the base loop, but on checking for algorithms I had forgotten the presence of "=" paddings in Base64 and had to steal the idea from someone else.

Thanks again for affirming my thought of substitution.
 
1 - 3 of 3 Posts
Top