
@glassdfir
Created August 19, 2018 15:24
# Interactive Python 2.7 session: download a Chrome extension package (.crx)
# and inspect its first 32 bytes.
GlassMacBookPro:~ glass$ python
Python 2.7.10 (default, Oct 6 2017, 22:29:07)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
# NOTE(review): the sample is pulled live over plain HTTP, so the bytes are
# whatever the host served at that moment. The session shows no digest of the
# complete download; recording one (e.g. SHA-256 of r.content) before carving
# would tie the later findings to one specific sample.
>>> r = requests.get('http://d2bqtxf7nlm89w.cloudfront.net/3089eeed.crx')
>>> len(r.content)
448845
>>> rawdata = r.content
# The star import brings the hexdump() helper into the session namespace.
>>> from hexdump import *
# In the dump below, bytes 0-3 are ASCII "Cr24". At offset 0x10 the data starts
# with 30 82 01 22, a DER SEQUENCE with a 0x0122-byte body (294 bytes including
# the 4-byte tag/length), followed by 2A 86 48 86 F7 0D 01 01, the start of the
# PKCS #1 OID arc -- an RSA public-key structure begins right after the 16-byte
# header.
>>> hexdump(rawdata[:32])
00000000: 43 72 32 34 02 00 00 00 26 01 00 00 00 01 00 00 Cr24....&.......
00000010: 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0.."0...*.H.....
# Parse the fixed 16-byte header and locate the ZIP archive embedded after it.
# CRX version 2 layout: 4-byte magic, then three little-endian uint32 fields
# (format version, public-key length, signature length), then the key, the
# signature and finally the ZIP data.
>>> import struct
>>> struct.unpack('<I', rawdata[4:8])
(2,)
>>> struct.unpack('<I', rawdata[8:12])
(294,)
>>>
>>> struct.unpack('<I', rawdata[12:16])
(256,)
>>> struct.unpack('<II', rawdata[4:12])
(2, 294)
>>> struct.unpack('<III', rawdata[4:16])
(2, 294, 256)
# NOTE(review): the names are swapped relative to the CRX2 field order: the
# value at offset 8 (294) is the public-key length and the value at offset 12
# (256) is the signature length. 294 also matches the size of the DER structure
# that starts at offset 16 in the first hexdump of this session. Only the sum
# of the two is used below, so the computed offset is unaffected.
>>> ver, siglen, keylen = struct.unpack('<III', rawdata[4:16])
>>> start_of_file = 0
# NOTE(review): both lengths are read from the file itself. The version field
# was read as 2 above, which is what makes this layout applicable (CRX3 uses a
# different header). A script built from these steps should test the version
# and confirm the offset lies inside rawdata before slicing. The signature is
# not verified anywhere in this session, so its presence says nothing about
# the package's integrity or origin.
>>> offset = start_of_file + 16 + siglen + keylen
>>> offset
566
# 50 4B 03 04 ("PK\x03\x04") is the ZIP local-file-header signature; the first
# member name, background.html, is readable in the dump.
>>> hexdump(rawdata[offset:offset+64])
00000000: 50 4B 03 04 14 00 00 08 08 00 B3 95 B4 4C 36 D1 PK...........L6.
00000010: 8A 4D 9B 00 00 00 0F 01 00 00 0F 00 00 00 62 61 .M............ba
00000020: 63 6B 67 72 6F 75 6E 64 2E 68 74 6D 6C A5 8F 3B ckground.html..;
00000030: 0F C2 30 0C 84 77 7E 45 C8 5E B2 32 24 19 78 74 ..0..w~E.^.2$.xt
# Open the carved ZIP from memory and list its members.
>>> import io
>>> import zipfile
# Wrapping the slice in BytesIO lets zipfile parse it without writing the
# sample to disk; zf.read() below likewise returns member bytes in memory, so
# nothing from the archive is extracted to the filesystem or executed here.
>>> zf = zipfile.ZipFile(io.BytesIO(rawdata[offset:]), 'r')
# NOTE(review): `file` shadows the Python 2 builtin of the same name for the
# rest of the session. Member names and sizes come from the untrusted archive;
# ZipInfo.file_size can be checked before reading if the sample is unknown.
>>> for file in zf.infolist():
... file.filename
...
u'background.html'
u'background.js'
u'config.json'
u'images/'
u'manifest.json'
u'test.js'
u'tr.js'
u'images/chromium.svg'
u'images/shadow.png'
# The background page has an empty body and only loads two scripts,
# background.js and tr.js, which makes them the next files to review.
>>> zf.read('background.html')
'<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Background</title><script data-source="internal" type="text/javascript" src="background.js"></script>\n<script data-source="internal" type="text/javascript" src="tr.js"></script>\n</head><body></body></html>'
# Print an MD5 digest for every archive member (Python 2 print statement).
>>> import hashlib
# NOTE(review): MD5 works as a lookup key but is not collision-resistant;
# recording SHA-256 alongside it gives indicators that are safer to share and
# match on. These digests cover the individual members only, not the .crx file
# as downloaded.
>>> for file in zf.infolist():
... print file.filename, hashlib.md5(zf.read(file.filename)).hexdigest()
...
background.html 4e5370ddcdff03169ee66920495772b5
background.js 5f04dbedacf427ba140354370f140bb2
config.json 48f2e086145ecbaa3ad6fe66c4fc040e
# `images/` is a directory entry with no data: d41d8cd9...427e is the MD5 of
# empty input, so this line is not a usable indicator.
images/ d41d8cd98f00b204e9800998ecf8427e
manifest.json cfdd61965155646d4ca1e19140427dbd
test.js 55956b89977b257a461602c810d6090e
tr.js b70672aa81350f9bab74db676b3817ea
images/chromium.svg 129885b674ba18766e5d50fe292d1a37
images/shadow.png 04fd8aac163c7d0ef54b55ed32c8af14
# Pull http/https URLs out of the extension's config.json.
>>> import re
>>> configfile = zf.read('config.json')
# NOTE(review): the character class accepts only word characters, '-', '.',
# '/' and %XX escapes, so a match stops at '?', '=', '&', ':' or '#'. Any URL
# in the config that carries a port, query string or fragment is returned as a
# truncated prefix; compare against the raw JSON before treating the list as
# complete. The pattern is also a plain (non-raw) string literal; r'...' is the
# safer way to write regex escapes.
>>> urls = re.findall('https?://(?:[-\w.\/]|(?:%[\da-fA-F]{2}))+', configfile)
# NOTE(review): the result mixes hosts: trends.google.com is a Google service
# and bit.ly is a URL shortener whose destination is not resolved in this
# session, so each entry needs triage before it is used as a block or
# detection indicator.
>>> urls
['http://geo.sastts.com/details', 'http://bit.ly/2IdsQrO', 'http://guqalu.com', 'http://cabarula.com', 'https://trends.google.com/trends/hottrends/hotItems']
>>>