#!/usr/bin/perl
#
# Parse the PerfectKeyLogger trojan's inst.dat
#
# Author: PinkFreud / Mirkwood Networks
# Date: 2005-05-15
# License: GPL
#
# History
# 1.0.0:	Initial release

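# Quoted on purpose: a bare 1.0.0 (two or more dots) is a v-string literal,
# i.e. the three bytes "\x01\x00\x00", not the text "1.0.0".
$version = '1.0.0';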

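# Print the command-line synopsis and terminate. The message goes to STDERR
# and the status is non-zero so a calling script does not mistake a missing
# argument for a successful run.
sub usage {
  print STDERR "Usage: $0 <path to inst.dat>\n";
  exit 1;
}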

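$inst = shift or usage;

# Layout of inst.dat as far as this script understands it (byte offsets from
# the start of the file).
my $hardcoded_xor  = 0xaa;   # combined with the stored key byte to derive pkbin's key
my $bpk_xor_offset = 0x21c;  # one byte: the XOR key stored for the bpk* filenames
my $bpk_offset     = 0x224;  # first of the NUL-terminated filename slots
my $slot_size      = 32;     # 32 bytes is almost certainly wrong, but it'll suffice.

# Seek to $offset (when defined) and read exactly $length bytes from $handle.
# Dies on a seek/read failure or a short read instead of handing back undef
# or a truncated buffer, which the original code would silently print.
sub _read_exact {
    my ($handle, $path, $offset, $length) = @_;
    if (defined $offset) {
        seek $handle, $offset, 0
            or die "Failed to seek to offset $offset in $path: $!\n";
    }
    my $count = read $handle, my $buf, $length;
    die "Failed to read $path: $!\n" unless defined $count;
    die "$path is truncated: expected $length bytes, got $count\n"
        if $count < $length;
    return $buf;
}

# Replace every byte outside printable ASCII with \xNN. The filenames come
# straight out of a malware sample, so they must not reach the terminal
# unescaped (control bytes could otherwise be interpreted by it).
sub _printable {
    my ($text) = @_;
    $text =~ s/([^\x20-\x7e])/sprintf '\\x%02x', ord $1/ge;
    return $text;
}

# Three-argument open: with the two-argument form a path such as "|cmd" or
# ">file" would be taken as an open mode. inst.dat is raw data, so read it
# in binary mode and do not let any I/O layer translate bytes.
open my $fh, '<', $inst or die "Failed to read $inst: $!\n";
binmode $fh;

my $raw_xor = ord _read_exact($fh, $inst, $bpk_xor_offset, 1);

# Make the XOR values human-readable
my $pkbin_xor = sprintf "0x%02x", $raw_xor ^ $hardcoded_xor;
my $bpk_xor   = sprintf "0x%02x", $raw_xor;

# bpk occupies the first slot; the second slot is skipped, then bpkhk, bpkwb
# and pkbin follow back to back.
my $bpk   = _read_exact($fh, $inst, $bpk_offset,                  $slot_size);
my $bpkhk = _read_exact($fh, $inst, $bpk_offset + 2 * $slot_size, $slot_size);
my $bpkwb = _read_exact($fh, $inst, undef,                        $slot_size);
my $pkbin = _read_exact($fh, $inst, undef,                        $slot_size);

close $fh or die "Failed to close $inst: $!\n";

# Each slot is a NUL-terminated string: keep what precedes the first NUL,
# then escape anything that is not printable ASCII before it is displayed.
$bpk   = _printable(unpack 'Z*', $bpk);
$bpkhk = _printable(unpack 'Z*', $bpkhk);
$bpkwb = _printable(unpack 'Z*', $bpkwb);
$pkbin = _printable(unpack 'Z*', $pkbin);

print <<_EOF_;
 XOR | Filename
---------------
 $bpk_xor $bpk
 $bpk_xor $bpkhk
 $bpk_xor $bpkwb
 $pkbin_xor $pkbin
_EOF_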
