Gzip decryption now supports 2 libraries and threshold search.

Gzip decryption now stop decrypting at the position of plaintext searched by threshold
2025-05-08 07:21:02 -04:00 · 2017-10-21 07:51:03 +01:00 · 2017-10-21 07:51:03 +01:00 · fde87fd95c
commit fde87fd95c
parent 5b9665e8b9
3 changed files with 70 additions and 19 deletions
--- a/src/core/config/OperationConfig.js
+++ b/src/core/config/OperationConfig.js
@ -1759,10 +1759,21 @@ const OperationConfig = {
    },
    "HTTP gzip Decrypt": {
        module: "Compression",
-        description: "Decrypts Gzip payload from a request or response and returning plaintext of the header and decrypted payload.",
+        description: "Decrypts Gzip payload from a request or response and returning plaintext of the header and decrypted payload.<br><br>Arguments:<br>Library: The  library used for decoding GZIP data.<br>Threshold: The threshold value for searching non-GZIP data. It has to be at least 8.",
        inputType: "byteArray",
        outputType: "byteArray",
-        args: []
+        args: [
+            {
+                name: "Library",
+                type: "option",
+                value: Compress.HTTP_GZIP_OPTION
+            },
+            {
+                name: "Threshold",
+                type: "number",
+                value: Compress.HTTP_GZIP_THRESHOLD
+            },
+        ]
    },
    "Parse User Agent": {
        module: "HTTP",
@ -3879,7 +3890,7 @@ const OperationConfig = {
    },
    "Strip TCP Headers": {
        module: "Packets",
-        description: "Remove selected TCP headers from hexstream",
+        description: "Remove selected TCP headers from hexstream using Regular Expressions.<br /><br />Ethernet Header: <code>/^(([0-9a-f]{4} ){6,8}0800 )/igm</code><br />IP Header: <code>/^((45[0-9a-f]{2} ([0-9a-f]{4} ){9}))/igm</code><br />TCP Header: <code>/^([0-9a-f]{4} ){6}((80[0-9a-f]{2} ([0-9a-f]{4} ?){9})|(50[0-9a-f]{2} ([0-9a-f]{4} ?){3}))/igm</code>",
        inputType: "string",
        outputType: "string",
        args: [
--- a/src/core/config/modules/Compression.js
+++ b/src/core/config/modules/Compression.js
@ -26,7 +26,7 @@ OpModules.Compression = {
    "Bzip2 Decompress":     Compress.runBzip2Decompress,
    "Tar":                  Compress.runTar,
    "Untar":                Compress.runUntar,
-    "HTTP gzip Decrypt":Compress.runHttpGzip,
+    "HTTP gzip Decrypt":    Compress.runHttpGzip,

 };

--- a/src/core/operations/Compress.js
+++ b/src/core/operations/Compress.js
@ -255,6 +255,17 @@ const Compress = {
    },


+    /**
+     * @constant
+     * @default
+     */
+    HTTP_GZIP_OPTION: ["pako.js", "zlib.js"],
+    /**
+     * @constant
+     * @default
+     */
+    HTTP_GZIP_THRESHOLD: 8,
+
    /**
     * HTTP Gzip operation.
     *
@ -263,18 +274,47 @@ const Compress = {
     * @returns {byteArray}
     */
    runHttpGzip: function(input, args) {
+        const library = Compress.HTTP_GZIP_OPTION.indexOf(args[0]);
+        let threshold = Compress.HTTP_GZIP_THRESHOLD;
+        if (args[1] > 8) {
+            threshold = args[1];
+        }
        input = Utils.byteArrayToHexNoSpace(input);
+        let output = input;

        let regexStr = /1f8b080[0-8][0-9a-f]{12}/;
        let gzipPos = input.search(regexStr);
        if (gzipPos === -1) {
            return Utils.hexToByteArray(input);
        }
-        let plainData = input.substr(0, gzipPos);
-        let gzipData = input.substr(gzipPos);

+        while (gzipPos !== -1) {
+            output = input;
+
+            let plainData = output.substr(0, gzipPos);
+            let gzipData = output.substr(gzipPos);
+            let httpDataAfter = "";
+
+            let httpDataPosRegex = new RegExp("/((3[0-9])|(6[0-9a-f])|(7[0-9a])|(4[0-9a-f])|(5[0-9a])|(2[e-f])|(2b)|(20)){" + threshold + "}/");
+            let httpDataPos = gzipData.search(httpDataPosRegex);
+            if (httpDataPos !== -1) {
+                httpDataAfter = gzipData.substr(httpDataPos);
+                gzipData = gzipData.substr(0, httpDataPos);
+            }
+
+            console.log(httpDataPos);
            gzipData = Utils.hexToByteArray(gzipData);
-        return Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(pako.ungzip(gzipData)));
+            if (library === 0) {
+                output = Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(pako.inflate(gzipData))).concat(Utils.hexToByteArray(httpDataAfter));
+            } else if (library === 1) {
+                let gzipDataRaw = new Zlib.Gunzip(gzipData);
+                output = Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(gzipDataRaw.decompress())).concat(Utils.hexToByteArray("0d0a 0d0a")).concat(Utils.hexToByteArray(httpDataAfter));
+            }
+
+            input = Utils.byteArrayToHexNoSpace(output);
+            gzipPos = input.search(regexStr);
+        }
+        return output;
    },