mirror of
https://github.com/gchq/CyberChef
synced 2026-01-06 18:43:23 +00:00
Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
68e8a221ff | ||
|
|
cce84c3782 | ||
|
|
d3473a7462 | ||
|
|
6bfe4ee238 | ||
|
|
e61b7d598e | ||
|
|
eb81b9217e | ||
|
|
4d9bfcad20 | ||
|
|
2387452a56 | ||
|
|
a4772941a7 | ||
|
|
6318f78e29 | ||
|
|
5e6f3cc5b4 | ||
|
|
04f1fa06ad | ||
|
|
8d660e53b2 | ||
|
|
f3864b00fe | ||
|
|
51cc94bf2a | ||
|
|
f63d1354ba | ||
|
|
80362cfa84 | ||
|
|
447a6d7524 | ||
|
|
f022440b4a | ||
|
|
4f5e0c007d | ||
|
|
b83f6591bb | ||
|
|
77a9481cf9 |
2
package-lock.json
generated
2
package-lock.json
generated
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "cyberchef",
|
||||
"version": "9.11.0",
|
||||
"version": "9.11.3",
|
||||
"lockfileVersion": 1,
|
||||
"requires": true,
|
||||
"dependencies": {
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "cyberchef",
|
||||
"version": "9.11.0",
|
||||
"version": "9.11.3",
|
||||
"description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
|
||||
"author": "n1474335 <n1474335@gmail.com>",
|
||||
"homepage": "https://gchq.github.io/CyberChef",
|
||||
|
||||
@@ -40,7 +40,7 @@ export const FILE_SIGNATURES = {
|
||||
4: [0x37, 0x39], // 7|9
|
||||
5: 0x61 // a
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractGIF
|
||||
},
|
||||
{
|
||||
name: "Portable Network Graphics image",
|
||||
@@ -736,7 +736,7 @@ export const FILE_SIGNATURES = {
|
||||
10: 0x56,
|
||||
11: 0x45
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractWAV
|
||||
},
|
||||
{
|
||||
name: "OGG audio",
|
||||
@@ -1444,7 +1444,7 @@ export const FILE_SIGNATURES = {
|
||||
1: 0x5a,
|
||||
2: 0x68
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractBZIP2
|
||||
},
|
||||
{
|
||||
name: "7zip",
|
||||
@@ -1485,7 +1485,7 @@ export const FILE_SIGNATURES = {
|
||||
4: 0x5a,
|
||||
5: 0x0
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractXZ
|
||||
},
|
||||
{
|
||||
name: "Tarball",
|
||||
@@ -1870,7 +1870,7 @@ export const FILE_SIGNATURES = {
|
||||
2: 0x4c,
|
||||
3: 0x69
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractSQLITE
|
||||
},
|
||||
{
|
||||
name: "BitTorrent link",
|
||||
@@ -1993,7 +1993,7 @@ export const FILE_SIGNATURES = {
|
||||
6: 0x4c,
|
||||
7: 0x65
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractEVT
|
||||
},
|
||||
{
|
||||
name: "Windows Event Log",
|
||||
@@ -2009,7 +2009,7 @@ export const FILE_SIGNATURES = {
|
||||
5: 0x6c,
|
||||
6: 0x65
|
||||
},
|
||||
extractor: null
|
||||
extractor: extractEVTX
|
||||
},
|
||||
{
|
||||
name: "Windows Pagedump",
|
||||
@@ -2331,6 +2331,133 @@ export const FILE_SIGNATURES = {
|
||||
19: 0x46
|
||||
},
|
||||
extractor: null
|
||||
},
|
||||
{
|
||||
name: "Bash",
|
||||
extension: "bash",
|
||||
mime: "application/bash",
|
||||
description: "",
|
||||
signature: {
|
||||
0: 0x23, // #!/bin/bash
|
||||
1: 0x21,
|
||||
2: 0x2f,
|
||||
3: 0x62,
|
||||
4: 0x69,
|
||||
5: 0x6e,
|
||||
6: 0x2f,
|
||||
7: 0x62,
|
||||
8: 0x61,
|
||||
9: 0x73,
|
||||
10: 0x68,
|
||||
},
|
||||
extractor: null
|
||||
},
|
||||
{
|
||||
name: "Shell",
|
||||
extension: "sh",
|
||||
mime: "application/sh",
|
||||
description: "",
|
||||
signature: {
|
||||
0: 0x23, // #!/bin/sh
|
||||
1: 0x21,
|
||||
2: 0x2f,
|
||||
3: 0x62,
|
||||
4: 0x69,
|
||||
5: 0x6e,
|
||||
6: 0x2f,
|
||||
7: 0x73,
|
||||
8: 0x68,
|
||||
},
|
||||
extractor: null
|
||||
},
|
||||
{
|
||||
name: "Python",
|
||||
extension: "py,pyc,pyd,pyo,pyw,pyz",
|
||||
mime: "application/python",
|
||||
description: "",
|
||||
signature: {
|
||||
0: 0x23, // #!/usr/bin/python(2|3)
|
||||
1: 0x21,
|
||||
2: 0x2f,
|
||||
3: 0x75,
|
||||
4: 0x73,
|
||||
5: 0x72,
|
||||
6: 0x2f,
|
||||
7: 0x62,
|
||||
8: 0x69,
|
||||
9: 0x6e,
|
||||
10: 0x2f,
|
||||
11: 0x70,
|
||||
12: 0x79,
|
||||
13: 0x74,
|
||||
14: 0x68,
|
||||
15: 0x6f,
|
||||
16: 0x6e,
|
||||
17: [0x32, 0x33, 0xa, 0xd],
|
||||
},
|
||||
extractor: null
|
||||
},
|
||||
{
|
||||
name: "Ruby",
|
||||
extension: "rb",
|
||||
mime: "application/ruby",
|
||||
description: "",
|
||||
signature: {
|
||||
0: 0x23, // #!/usr/bin/ruby
|
||||
1: 0x21,
|
||||
2: 0x2f,
|
||||
3: 0x75,
|
||||
4: 0x73,
|
||||
5: 0x72,
|
||||
6: 0x2f,
|
||||
7: 0x62,
|
||||
8: 0x69,
|
||||
9: 0x6e,
|
||||
10: 0x2f,
|
||||
11: 0x72,
|
||||
12: 0x75,
|
||||
13: 0x62,
|
||||
14: 0x79,
|
||||
},
|
||||
extractor: null
|
||||
},
|
||||
{
|
||||
name: "perl",
|
||||
extension: "pl,pm,t,pod",
|
||||
mime: "application/perl",
|
||||
description: "",
|
||||
signature: {
|
||||
0: 0x23, // #!/usr/bin/perl
|
||||
1: 0x21,
|
||||
2: 0x2f,
|
||||
3: 0x75,
|
||||
4: 0x73,
|
||||
5: 0x72,
|
||||
6: 0x2f,
|
||||
7: 0x62,
|
||||
8: 0x69,
|
||||
9: 0x6e,
|
||||
10: 0x2f,
|
||||
11: 0x70,
|
||||
12: 0x65,
|
||||
13: 0x72,
|
||||
14: 0x6c,
|
||||
},
|
||||
extractor: null
|
||||
},
|
||||
{
|
||||
name: "php",
|
||||
extension: "php,phtml,php3,php4,php5,php7,phps,php-s,pht,phar",
|
||||
mime: "application/php",
|
||||
description: "",
|
||||
signature: {
|
||||
0: 0x3c, // <?php
|
||||
1: 0x3f,
|
||||
2: 0x70,
|
||||
3: 0x68,
|
||||
4: 0x70,
|
||||
},
|
||||
extractor: null
|
||||
}
|
||||
]
|
||||
};
|
||||
@@ -2440,6 +2567,49 @@ export function extractJPEG(bytes, offset) {
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* GIF extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {Number} offset
|
||||
* @returns {Uint8Array}
|
||||
*/
|
||||
export function extractGIF(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// Move to application extension block.
|
||||
stream.continueUntil([0x21, 0xff]);
|
||||
|
||||
// Move to Graphic Control Extension for frame #1.
|
||||
stream.continueUntil([0x21, 0xf9]);
|
||||
stream.moveForwardsBy(2);
|
||||
|
||||
while (stream.hasMore()) {
|
||||
// Move to Image descriptor.
|
||||
stream.moveForwardsBy(stream.readInt(1) + 1);
|
||||
|
||||
// Move past Image descriptor to the image data.
|
||||
stream.moveForwardsBy(11);
|
||||
|
||||
// Loop until next Graphic Control Extension.
|
||||
while (stream.getBytes(2) !== [0x21, 0xf9]) {
|
||||
stream.moveBackwardsBy(2);
|
||||
stream.moveForwardsBy(stream.readInt(1));
|
||||
if (!stream.readInt(1))
|
||||
break;
|
||||
stream.moveBackwardsBy(1);
|
||||
}
|
||||
|
||||
// When the end of the file is [0x00, 0x3b], end.
|
||||
if (stream.readInt(1) === 0x3b)
|
||||
break;
|
||||
|
||||
stream.moveForwardsBy(1);
|
||||
}
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Portable executable extractor.
|
||||
* Assumes that the offset refers to an MZ header.
|
||||
@@ -2602,6 +2772,26 @@ export function extractBMP(bytes, offset) {
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* WAV extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {Number} offset
|
||||
* @returns {Uint8Array}
|
||||
*/
|
||||
export function extractWAV(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// Move to file size field.
|
||||
stream.moveTo(4);
|
||||
|
||||
// Move to file size.
|
||||
stream.moveTo(stream.readInt(4, "le") - 4);
|
||||
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* FLV extractor.
|
||||
*
|
||||
@@ -2689,6 +2879,31 @@ export function extractRTF(bytes, offset) {
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* SQLITE extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {number} offset
|
||||
* @returns {Uint8Array}
|
||||
*/
|
||||
export function extractSQLITE(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// Extract the size of the page.
|
||||
stream.moveTo(16);
|
||||
const pageSize = stream.readInt(2);
|
||||
|
||||
// Extract the number of pages.
|
||||
stream.moveTo(28);
|
||||
const numPages = stream.readInt(4);
|
||||
|
||||
// Move to the end of all the pages.
|
||||
stream.moveTo(pageSize*numPages);
|
||||
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* PList (XML) extractor.
|
||||
*
|
||||
@@ -2777,6 +2992,43 @@ export function extractGZIP(bytes, offset) {
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* BZIP2 extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {Number} offset
|
||||
* @returns {Uint8Array}
|
||||
*/
|
||||
export function extractBZIP2(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// The EOFs shifted between all possible combinations.
|
||||
const lookingfor = [
|
||||
[0x77, 0x24, 0x53, 0x85, 0x09],
|
||||
[0xee, 0x48, 0xa7, 0x0a, 0x12],
|
||||
[0xdc, 0x91, 0x4e, 0x14, 0x24],
|
||||
[0xb9, 0x22, 0x9c, 0x28, 0x48],
|
||||
[0x72, 0x45, 0x38, 0x50, 0x90],
|
||||
[0xbb, 0x92, 0x29, 0xc2, 0x84],
|
||||
[0x5d, 0xc9, 0x14, 0xe1, 0x42],
|
||||
[0x2e, 0xe4, 0x8a, 0x70, 0xa1],
|
||||
[0x17, 0x72, 0x45, 0x38, 0x50]
|
||||
];
|
||||
|
||||
for (let i = 0; i < lookingfor.length; i++) {
|
||||
// Continue until an EOF.
|
||||
stream.continueUntil(lookingfor[i]);
|
||||
if (stream.getBytes(5).join("") === lookingfor[i].join(""))
|
||||
break;
|
||||
|
||||
// Jump back to the start if invalid EOF.
|
||||
stream.moveTo(0);
|
||||
}
|
||||
stream.moveForwardsBy(4);
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Zlib extractor.
|
||||
*
|
||||
@@ -2808,6 +3060,26 @@ export function extractZlib(bytes, offset) {
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* XZ extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {Number} offset
|
||||
* @returns {string}
|
||||
*/
|
||||
export function extractXZ(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// Move forward to EOF marker
|
||||
stream.continueUntil([0x00, 0x00, 0x00, 0x00, 0x04, 0x59, 0x5a]);
|
||||
|
||||
// Move over EOF marker
|
||||
stream.moveForwardsBy(7);
|
||||
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* ELF extractor.
|
||||
*
|
||||
@@ -3059,3 +3331,54 @@ function readHuffmanCode(stream, table) {
|
||||
|
||||
return codeWithLength & 0xffff;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* EVTX extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {Number} offset
|
||||
* @returns {Uint8Array}
|
||||
*/
|
||||
export function extractEVTX(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// Move to first ELFCHNK.
|
||||
stream.moveTo(0x28);
|
||||
const total = stream.readInt(4, "le") - 0x2c;
|
||||
stream.moveForwardsBy(total);
|
||||
|
||||
while (stream.hasMore()) {
|
||||
// Loop through ELFCHNKs.
|
||||
if (stream.getBytes(7).join("") === "\x45\x6c\x66\x43\x68\x6e\x6b")
|
||||
stream.moveForwardsBy(0xfff9);
|
||||
else
|
||||
break;
|
||||
}
|
||||
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* EVT extractor.
|
||||
*
|
||||
* @param {Uint8Array} bytes
|
||||
* @param {Number} offset
|
||||
* @returns {Uint8Array}
|
||||
*/
|
||||
export function extractEVT(bytes, offset) {
|
||||
const stream = new Stream(bytes.slice(offset));
|
||||
|
||||
// Extract offset of EOF.
|
||||
stream.moveTo(0x14);
|
||||
const eofOffset = stream.readInt(4, "le");
|
||||
stream.moveTo(eofOffset);
|
||||
|
||||
// Extract the size of the EOF.
|
||||
const eofSize = stream.readInt(4, "le");
|
||||
|
||||
// Move past EOF.
|
||||
stream.moveForwardsBy(eofSize-4);
|
||||
return stream.carve();
|
||||
}
|
||||
|
||||
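Review bot: In `extractGIF`, the inner loop condition `stream.getBytes(2) !== [0x21, 0xf9]` compares against a fresh array literal by reference, so it is always true and the loop can only end through the `break` on a zero-length sub-block. A content comparison in the style `extractBZIP2` uses later in this file, e.g. `while (stream.getBytes(2).join(",") !== "33,249") {`, would make the Graphic Control Extension check effective; the reads after the loop should be re-checked once that exit can actually be taken. More generally, the skip lengths here and the size/offset fields in `extractWAV`, `extractSQLITE`, `extractEVTX` and `extractEVT` come straight from the data being carved, and nothing visible bounds them against the stream length before `moveTo`/`moveForwardsBy`; whether `Stream` clamps them is not shown in this diff, so a truncated or crafted file deserves a test. The JSDoc on `extractXZ` should say `@returns {Uint8Array}` rather than `{string}`, matching the other extractors that return `stream.carve()`.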
@@ -42,15 +42,22 @@ class FromBase62 extends Operation {
|
||||
*/
|
||||
run(input, args) {
|
||||
if (input.length < 1) return [];
|
||||
const ALPHABET = Utils.expandAlphRange(args[0]).join("");
|
||||
const BN = BigNumber.clone({ ALPHABET });
|
||||
const alphabet = Utils.expandAlphRange(args[0]).join("");
|
||||
const BN62 = BigNumber.clone({ ALPHABET: alphabet });
|
||||
|
||||
const re = new RegExp("[^" + ALPHABET.replace(/[[\]\\\-^$]/g, "\\$&") + "]", "g");
|
||||
const re = new RegExp("[^" + alphabet.replace(/[[\]\\\-^$]/g, "\\$&") + "]", "g");
|
||||
input = input.replace(re, "");
|
||||
|
||||
const number = new BN(input, 62);
|
||||
// Read number in using Base62 alphabet
|
||||
const number = new BN62(input, 62);
|
||||
// Copy to new BigNumber object that uses the default alphabet
|
||||
const normalized = new BigNumber(number);
|
||||
|
||||
return Utils.convertToByteArray(number.toString(16), "Hex");
|
||||
// Convert to hex and add leading 0 if required
|
||||
let hex = normalized.toString(16);
|
||||
if (hex.length % 2 !== 0) hex = "0" + hex;
|
||||
|
||||
return Utils.convertToByteArray(hex, "Hex");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
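Review bot: The empty-input guard `if (input.length < 1) return [];` runs before the non-alphabet characters are stripped, so an input made up only of characters outside the alphabet reaches `new BN62(input, 62)` as an empty string. As far as I can tell bignumber.js returns NaN for that, and the new padding line would then turn the text `NaN` into `0NaN` before it is handed to `Utils.convertToByteArray`. Repeating the guard after `input = input.replace(re, "");`, i.e. `if (input.length < 1) return [];`, keeps the result well defined for such input. The enclosing class starts outside this hunk.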
@@ -44,12 +44,15 @@ class ToBase62 extends Operation {
|
||||
input = new Uint8Array(input);
|
||||
if (input.length < 1) return "";
|
||||
|
||||
const ALPHABET = Utils.expandAlphRange(args[0]).join("");
|
||||
const BN = BigNumber.clone({ ALPHABET });
|
||||
const alphabet = Utils.expandAlphRange(args[0]).join("");
|
||||
const BN62 = BigNumber.clone({ ALPHABET: alphabet });
|
||||
|
||||
input = toHexFast(input).toUpperCase();
|
||||
|
||||
const number = new BN(input, 16);
|
||||
// Read number in as hex using normal alphabet
|
||||
const normalized = new BigNumber(input, 16);
|
||||
// Copy to BigNumber clone that uses the specified Base62 alphabet
|
||||
const number = new BN62(normalized);
|
||||
|
||||
return number.toString(62);
|
||||
}
|
||||
|
||||
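Review bot: Missing documentation on a lossy case: the bytes are read as one integer by `new BigNumber(input, 16)`, so leading 0x00 bytes in the input are not represented in the Base62 output and cannot come back through From Base62. A comment next to that line such as `// Note: leading zero bytes are dropped because the input is treated as a single integer` would save analysts from assuming a byte-exact round trip. The `run` method starts above this hunk, so any handling earlier in the method is not visible here.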