-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvault_decrypt.py
executable file
·218 lines (171 loc) · 7.74 KB
/
vault_decrypt.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
#!/usr/bin/python3
"""
AUTHOR: P SURYA TEJA
LAST MODIFIED(DD-MM-YYYY): 07-08-2018
This program decrypts image, audio, video, pdf files encrypted by vault by bruteforcing the key and replacing the
encrypted contents of the file with original contents.
HOW DOES THE PROGRAM DECRYPTS:
this program reads the binary file encrypted by vault and finds which key is used to encrypt(ROFL) it by bruteforcing all 256 possible keys.
then it replaces the encrypted content with original content by XOR ing the first 256 characters(128 hex digits)
of the binary content of the encrypted file with key and saves it with the file's original extension.
GUIDELINES:
1) Run the script
2) put all the encrypted files(.bin files) in a folder and enter its path when prompted
3) give a valid separate folder to store decrypted files
4) uncomment code at line 223 if you want to delete encrypted files after successful decryption
"""
from binascii import hexlify, unhexlify
import os
def extractName(file_name):
"""this function takes a filename with extension and
returns the filename after removing the extension.
For example it takes 'earth.jpg' and returns 'earth'"""
return file_name.rsplit('.', maxsplit=1)[0]
def isBinary(filename):
"""this function takes a filename and checks whether it is a file
and ends with '.bin' and returns True if both conditions pass.
"""
return True if (os.path.isfile(filename) and
filename.endswith('.bin')) else False
def main():
# THESE STRINGS WILL BE APPENDED TO THE RESPECTIVE DECRYPTED FILES
image_type = 'image_'
video_type = 'video_'
audio_type = 'audio_'
pdf_type = 'pdf_'
while True:
source_dir = input("enter the folder path where encrypted files are stored: ")
if os.path.exists(source_dir):
break
else:
print("Error: Invalid path or Permission denied.\n")
# CHANGING THE PATH TO THE source_dir DIRECTORY
os.chdir(source_dir)
# AFTER DECRYPTING, FILES ARE STORED IN 'destination_dir'
destination_dir = input("enter directory path to store decrypted files: ")
# IF THE 'destination_dir' DOESN'T EXIST, THE PROGRAM CREATES IT.
if not os.path.exists(destination_dir):
os.makedirs(destination_dir)
# ALL FILE NAMES IN THE 'encrypted' DIRECTORY ARE STORED IN 'all_files'
all_files = os.listdir()
no_of_files = len(all_files)
print("TRAVERSING ALL FILES IN THE FOLDER....\n")
# IF THERE ARE NO FILES IN THE 'encrypted' DIRECTORY, THE PROGRAM EXITS
if os.listdir() == []:
print("NO FILES IN THE 'ENCRYPTED' FOLDER. \nEXITING THE PROGRAM....")
exit()
# THE FILETYPE IS DETERMINED IN THE FOLLOWING 'for' LOOP
for i in range(no_of_files):
# IF THE FILE IS NOT A BINARY FILE, WE NEED NOT DECRYPT IT
if not isBinary(all_files[i]):
continue
file = open(all_files[i], 'rb')
# READING THE CONTENT OF THE BINARY FILE
bin_content = file.read()
file.close()
# CONVERTING THE BINARY CONTENT TO 'str'
str_content = hexlify(bin_content).decode('utf-8')
# 'one, two AND three' ARE FIRST THREE HEXADECIMAL BITS OF THE FILE TO DETERMINE THE FILE TYPE AND KEY
one = int(str_content[0:2], 16)
two = int(str_content[2:4], 16)
three = int(str_content[4:6], 16)
four = int(str_content[6:8], 16)
nine = int(str_content[16:18], 16)
ten = int(str_content[18:20], 16)
eleven = int(str_content[20:22], 16)
twelve = int(str_content[22:24], 16)
print('BRUTEFORCING BEGINS....: {}'.format(all_files[i]))
key = 0
# 'file_type' IS THE TYPE OF THE FILE.(.JPG, .PNG, .MP4, etc.,)
file_type = ''
while key <= 255:
# COMBINATION OF FIRST 3 HEX DIGITS WHICH INDICATE THE IMAGE TYPE
first_three = (hex(one ^ key)[2:] +
hex(two ^ key)[2:] +
hex(three ^ key)[2:])
# 9, 10 AND 11 HEX DIGITS ARE REQUIRED TO DETERMINE MP4 AND 3GP
nine_ten_eleven = (hex(nine ^ key)[2:] +
hex(ten ^ key)[2:] +
hex(eleven ^ key)[2:]).upper()
# IF IT IS '.jpg'
if first_three == "ffd8ff":
file_type = '.jpg'
break
# IF IT IS '.png'
elif first_three == '89504e':
file_type = '.png'
break
# IF IT IS '.gif'
elif first_three == '474946':
file_type = '.gif'
break
# IF IT IS '.tif'
elif first_three in ['49492A', '4D4D0']:
file_type = '.tif'
break
# IF IT IS '.webp' IMAGE
# 57454250 IN HEX REPRESENTS WEBP IN ASCII
elif nine_ten_eleven + hex(twelve ^ key)[2:].upper() == '57454250':
file_type = '.webp'
break
# IF IT IS MP4
elif nine_ten_eleven in ['6D7034', '69736F']:
file_type = '.mp4'
break
# IF IT IS 3GP
elif nine_ten_eleven == '336770':
file_type = '.3gp'
break
# THE BELOW CODE IS COMMENTED BECAUSE VAULT APP DOESN'T OFFER TO HIDE MP3 AND PDF FILES
# IF IT IS '.mp3'
# elif first_three == '494433':
# file_type = '.mp3'
# break
# IF IT IS '.pdf' AS FIRST FOUR CHARACTERS ARE '%PDF'
# elif first_three + hex(four ^ key)[2:] = '25504446':
# file_type = '.pdf'
# break
# IF NO FORMAT MATCHES MAY BE KEY IS WRONG, SO WE INCREMENT THE KEY
else:
key += 1
# INITIALLY file_type IS EMPTY. IF IT IS NOT EMPTY NOW,
# IT MEANS IT MATCHED SOME FORMAT.
if file_type is not '':
print('KEY FOUND: {}'.format(key))
# IF NO FORMAT HAS MATCHED, THEN THE FILE TYPE MAY BE
# SOME OTHER FORMAT WE HAVEN'T ADDED.
else:
print('FAILURE for {}.\n'.format(all_files[i]))
continue
print("DECRYPTION BEGINS....")
# REPLACING THE FIRST 256 CHARACTERS(128 HEXADECIMAL BITS) OF THE FILE WITH ORIGINAL FILE CONTENTS
# AS THE REMAINING LINES ARE UNCHANGED BY THE VAULT APP
# 'replacement' is the content to be replaced at the
replacement = []
# 'first' CONTAINS THE ENCRYPTED CONTENT THAT NEED TO BE DECRYPTED.
first = str_content[:256]
# 'last' CONTAINS THE UNENCRYPTED CONTENT THAT HAVE TO BE COPIES AS IS.
last = str_content[256:]
j = 0
# THE BELOW 'while' LOOP DECRYPTS THE CONTENT AND APPENDS IT TO THE 'replacement' LIST.
# WE ARE PERFORMING THE DECODING ON FIRST 256 BITS ONLY AS THE REMAINING ARE UNCHANGED
# BY THE VAULT APP.
while j < 256:
data = hex(int(first[j : j + 2], 16) ^ key)[2:4]
# IF THE data IS SINGLE DIGIT LIKE 0 OR 2 OR 5 OR A OR C
# WE HAVE TO APPEND IT IN THE FILE AS 00 OR 02 OR 0A etc.,
if len(data) == 1:
data = '0'+ data
replacement.append(data)
j += 2
# ORIGINAL CONTENT IS FORMED
original_content = ''.join(replacement) + last
print('WRITING THE ORIGINAL CONTENT TO THE FILE')
new_file_name = extractName(all_files[i]) + file_type
with open(os.path.join(destination_dir, new_file_name), 'wb') as file:
file.write(unhexlify(original_content.encode('utf-8')))
# DELETING THE ENCRYPTED FILE AFTER SUCCESSFUL DECRYPTION
# os.remove(all_files[i])
print("FILE {} DECRYPTED\n".format(all_files[i]))
if __name__ == '__main__':
main()