Remove irrelevant packets

Signed-off-by: Still Hsu <[email protected]>

Author: Still34

xor-encode-malware/MalwareC2TrafficPoC/Solution/ctf-rewrite-flag.py

@@ -17,14 +17,16 @@
                     type=str, nargs='?')
 args = parser.parse_args()
 if not re.search(flag_re, args.flag):
-    raise ValueError(f'Unexpected flag format. Flag must match the regular expression {flag_re}.')
+    raise ValueError(
+        f'Unexpected flag format. Flag must match the regular expression {flag_re}.')
 
 packets = rdpcap(args.input)
 new_packets = []
 for packet in packets:
     ip_packet = packet.getlayer('IP')
-    if ip_packet and ip_packet.dport == 433:
-        raw_payload = ip_packet.getlayer('TCP').payload
+    if ip_packet and ip_packet.src == "10.152.152.150" and ip_packet.dport == 433:
+        tcp_packet = ip_packet.getlayer('TCP')
+        raw_payload = tcp_packet.payload
         if not raw_payload:
             new_packets.append(packet)
             continue
@@ -36,14 +38,15 @@
         length = int.from_bytes(raw_length, 'big')
 
         base_length = len(key) + len(raw_length)
-        data = xor_data(tcp_payload[base_length: base_length + length], key).decode('utf-8')
+        data = xor_data(
+            tcp_payload[base_length: base_length + length], key).decode('utf-8')
         deserialized_data = json.loads(data)
         if not re.search(flag_re, deserialized_data['Description']):
             new_packets.append(packet)
             continue
 
         deserialized_data['Description'] = args.flag
-        new_json = json.dumps(deserialized_data).encode()
+        new_json = json.dumps(deserialized_data, indent=4).encode()
         new_data = xor_data(new_json, key)
         new_length = xor_data(key, len(new_data).to_bytes(2, 'big'))
         new_payload = key + new_length + new_data
@@ -55,10 +58,14 @@
 
         raw_payload.load = new_payload
         packet['TCP'].payload = raw_payload
+        packet['TCP'].explicit = tcp_packet.explicit
         new_packet = l2.Ether(packet.build())
+        new_packet['TCP'].time = tcp_packet.time
+        new_packet.time = packet.time
         new_packets.append(new_packet)
     else:
         new_packets.append(packet)
 new_plist = PacketList(new_packets)
 wrpcap(args.output, new_plist)
-print(f"Dumped the modified capture to {args.output}; be sure to verify with ctf-solve.py!")
+print(
+    f"Dumped the modified capture to {args.output}; be sure to verify with ctf-solve.py!")