def test_real_world_01(self):
encoded = B'''301815214850156721331018480063340936214488055910529404970112631124608113197561534315323106291311611118111571030916590053421252410301171850583912575068111856414554157930507606789054031912510227182600807906431133491248306004123002146510940169690710820141169320955312014120171102115059068660995810412198261688106236171480925510919175470806111215112451580216678065680593716920140350943309471097820618705622181381760512207200740695112292051860572813684059730540612867133770664415988405914129061377506879064041396607792051271161313019124720712811569074680757406931112780654609788055291148605702141810628505815128490945608789054940492611748095590847706617126221215309060083411027606705138001434509852091211222411908135111322312025118181250314030113440993311087056570868006343100341090114209134640795408939104470969005365078580853510871072121313211155088071361612710133620813710651092820619305073070401034210170073610823810550093830603610763080201236707691052400143051380813527116720712411948095460972511826117830604909480063550881313020123700732911434109111327107252091820612112243100171263111266077191245908460083860575009354089740698805569074161279005364079321115309035108401031812509134770666308092051560874210137106680758405975068670761013351092730709105236107381053311058085141294409981062930500713676067850583910402141121311512865078790647806541102620815708606137890546108294049031402811547096011424509822121301130413987056231204'''
decoded = B'''wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''
pl = chop(476, '[') | chop(5, '-t', '[') | dedup(
sort=True) | snip('2:') | sep(']') | pack(10) | blockop(
'--ctr', 'B+S-A', 'ev:n', ']')
self.assertEqual(decoded, pl(encoded))
def test_example_01_maldoc(self):
data = self.download_from_malshare(
'81a1fca7a1fb97fe021a1f2cf0bf9011dd2e72a5864aad674f8fea4ef009417b')
pipeline = xlxtr(
'9.5:11.5', '15.15', '12.5:14.5'
)[scope('-n', 3) | chop('-t', 5)[sorted | snip('2:') | sep] | pack(10)
| sub('dec:ev:n'
)] | carve_b64z | deob_ps1 | carve_b64z | deob_ps1 | xtp(
'domain', filter=True)
with BytesIO(data) as sample:
c2servers = set(sample | pipeline)
self.assertSetEqual(
c2servers,
set(
c2 % 0x2E for c2 in {
b'udatapost%cred',
b'marvellstudio%conline',
b'sdkscontrol%cpw',
b'abrakam%csite',
b'hiteronak%cicu',
b'ublaznze%conline',
b'sutsyiekha%ccasa',
b'makretplaise%cxyz',
}))
def test_stream_mode(self):
with tempfile.TemporaryDirectory() as root:
path = os.path.join(root, 'test')
dump = self.load(path, stream=True)
data = self.generate_random_buffer(1024)
with io.BytesIO(data) as stream:
list(stream | chop(32)[dump])
self.assertTrue(os.path.exists(path))
with open(path, 'rb') as result:
self.assertEqual(result.read(), data)
def test_layered_frame_02(self):
p = chop(4)[chop(2)[emit('F', 'x::')] | emit('x::', '?')[nop]
| sep] # noqa
self.assertEqual(p(B'OOOO' * 12), B'\n'.join([B'FOOFOO?'] * 12))
def test_layered_frame_01(self):
p = chop(4, '[') | chop(2, '[') | ccp('F', ']') | cca('?') | sep(']')
self.assertEqual(p(B'OOOO' * 12), B'\n'.join([B'FOOFOO?'] * 12))
def test_layer2_rescope(self):
pipeline = rep(6)[scope('4:') | chop(1)[scope('1:') | cca('A')
| scope(0) | ccp('-')]] # noqa
self.assertEqual(pipeline(B'NA'), B'NANANANA-NAA-NAA')
def test_nonblocking_frame_collapse(self):
with io.BytesIO(bytes(range(20))) as stream:
slow = stream | r.chop(5) [ r.rex('.') ] # noqa
for k in range(20):
self.assertEqual(slow.read1(20), bytes((k,)))
def test_documentation_example_02(self):
self.assertEqual(B'FOO.FOO.\nFOO.FOO.', (r.chop(4)[r.chop(2)[r.ccp('F') | r.cca('.')] | r.sep])(B'OOOOOOOO'))
