secureCRT将每个session的配置文件保存在C:\Documents and Settings\Administrator\Application Data\VanDyke下的config文件夹。根据session名找到对应的配置文件。在python3版本后,使用python的代码进行decode时,会提示“SyntaxError: invalid character in identifier” 。python3.5以后,字串转bytes直接用bytes.fromhex。具体的代码如下:

 1# -*- coding=utf-8 -*-
 2# code from www.361way.com
 3#适用python3.6以上
 4#调用方法 python SecureCRTDecrypt.py 10.87.225.2.ini
 5#将SecureCRTDecrypt.py文件放在待破解ini文件同一目录中
 6from Crypto.Cipher import Blowfish
 7import sys
 8import re
 9def decrypt(password) :
10	str_c1 = '5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7'.replace(' ','')
11	str_c2 = '24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07'.replace(' ','')
12	c1 = Blowfish.new(bytes.fromhex(str_c1), Blowfish.MODE_CBC, '\x00'*8)
13	c2 = Blowfish.new(bytes.fromhex(str_c2), Blowfish.MODE_CBC, '\x00'*8)
14	padded = c1.decrypt(c2.decrypt(bytes.fromhex(password))[4:-4])
15	padded = str(padded)
16	padded = padded[0:padded.find(r'\x00\x00')]
17	padded = padded.strip("b'")
18	padded = padded.replace(r'\x00','')
19	return padded
20REGEX_HOSTNAME = re.compile(r'S:"Hostname"=([^\r\n]*)')
21REGEX_PASWORD = re.compile(r'S:"Password"=u([0-9a-f]+)')
22REGEX_PORT = re.compile(r'D:"\[SSH2\] Port"=([0-9a-f]{8})')
23REGEX_USERNAME = re.compile(r'S:"Username"=([^\r\n]*)')
24def hostname(x) :
25    m = REGEX_HOSTNAME.search(x)
26    if m :
27        return m.group(1)
28    return '???'
29def password(x) :
30    m = REGEX_PASWORD.search(x)
31    if m :
32        return decrypt(m.group(1))
33    return '???'
34def port(x) :
35    m = REGEX_PORT.search(x)
36    if m :
37        return '-p %d '%(int(m.group(1), 16))
38    return ''
39def username(x) :
40    m = REGEX_USERNAME.search(x)
41    if m :
42        return m.group(1) #+ '@'
43    return ''
44inifile = sys.argv[1]
45with open(inifile,'r', encoding='utf-8') as f:
46	c = f.read().replace('\x00', '')
47	print ("port:{0}\n hostname:{1}\n username:{2}\n password:{3}".format(port(c), hostname(c), username(c),password(c)))

python2.7版本下使用下的主要代码为:

 1from Crypto.Cipher import Blowfish
 2def decrypt(password) :
 3    c1 = Blowfish.new('5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7'.replace(' ','').decode('hex'), Blowfish.MODE_CBC, '\x00'*8)
 4    c2 = Blowfish.new('24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07'.replace(' ','').decode('hex'), Blowfish.MODE_CBC, '\x00'*8)
 5    padded = c1.decrypt(c2.decrypt(password.decode('hex'))[4:-4])
 6    p = ''
 7    while padded[:2] != '\x00\x00' :
 8        p += padded[:2]
 9        padded = padded[2:]
10    return p.decode('UTF-16')
11print decrypt("xxx240f919a7a477198d1f6ce3a1fbf5a3671c82483f34bed1304c7ebe8de345")