From 0d1bc9ac7aa7627059d8c0e96d2c2ec686e5a390 Mon Sep 17 00:00:00 2001
From: Jan Gru
Date: Mon, 5 Apr 2021 09:34:51 +0200
Subject: [PATCH 1/2] Add Ice9Scan, which provides custom Ice9 RC4 decryption routine
---
 ZeusScan/zeusscan.py | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/ZeusScan/zeusscan.py b/ZeusScan/zeusscan.py
index 11bc228..d06a189 100644
--- a/ZeusScan/zeusscan.py
+++ b/ZeusScan/zeusscan.py
@@ -504,6 +504,36 @@ def render_text(self, outfd, data):
         self.render_extra(outfd, task, vad, params)
+#--------------------------------------------------------------------------------
+# Scanner for Zeus derivative Ice9/IceIX, which uses a different RC4 crypt routine
+#--------------------------------------------------------------------------------
+
+class Ice9Scan(ZeusScan2):
+    """Locate and decrypt Ice9 Configs"""
+
+    def rc4(self, key, encoded):
+        """Perform a IceIX RC4 operation"""
+        # Turn the buffers into lists so the elements are mutable
+        key_copy = [ord(c) for c in key]
+        enc_copy = [ord(c) for c in encoded]
+        # Start with the last two bytes in the key
+        var1 = key_copy[0x100]
+        var2 = key_copy[0x101]
+        # Do the RC4 algorithm
+        for i in range(0, len(enc_copy)):
+            var1 += 3
+            a = var1 & 0xFF
+            b = key_copy[a]
+            var2 += (b + 7)
+            var2 &= 0xFF
+            key_copy[a] = key_copy[var2]
+            key_copy[var2] = b
+            enc_copy[i] ^= key_copy[(key_copy[a] + b) & 0xFF]
+        # Return the decoded bytes as a string
+        decoded = [chr(c) for c in enc_copy]
+        return ''.join(decoded)
+
+
 class CitadelScan1345(ZeusScan2):
     """Locate and Decrypt Citadel 1.3.4.5 Configs"""
From e33e375bc62a37334c8684ae517b11ec70fa7dfa Mon Sep 17 00:00:00 2001
From: Jan Gru
Date: Mon, 5 Apr 2021 09:45:05 +0200
Subject: [PATCH 2/2] Add Ice9Scan, which provides the custom RC4 routine tailored to Ice9-Zeus derivative
---
 ZeusScan/zeusscan.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ZeusScan/zeusscan.py b/ZeusScan/zeusscan.py
index d06a189..86fadb8 100644
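Review bot: `Ice9Scan.rc4` reads `key_copy[0x100]` and `key_copy[0x101]` (and `key_copy[a]` for any `a` up to 0xFF) without checking that `key` actually holds the 258-byte RC4 state the comment "last two bytes in the key" implies, so a short or truncated key buffer raises a bare IndexError instead of a clear error; add a guard before the state setup, `if len(key) < 0x102: raise ValueError("Ice9 RC4 state must be at least 258 bytes")`. Whether `ZeusScan2` catches exceptions from `rc4` per candidate or lets them abort the whole scan is outside the hunk, so the guard is cheap insurance either way. The docstring should also say what this variant changes relative to the base routine, e.g. `"""Perform an IceIX RC4 operation: i advances by 3 and j by S[i] + 7 per byte, with the initial i/j taken from key[0x100:0x102]."""`. Minor style: `for i in range(0, len(enc_copy))` can simply be `for i in range(len(enc_copy))`, and the `ord`/`chr` conversions assume `str` inputs, which is worth stating in the docstring.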
--- a/ZeusScan/zeusscan.py
+++ b/ZeusScan/zeusscan.py
@@ -505,7 +505,7 @@ def render_text(self, outfd, data):
         self.render_extra(outfd, task, vad, params)
 #--------------------------------------------------------------------------------
-# Scanner for Zeus derivative Ice9/IceIX, which uses a different RC4 crypt routine
+# Scanner for Zeus derivative Ice9/IceIX, which uses a different RC4 crypt routine
 #--------------------------------------------------------------------------------
 class Ice9Scan(ZeusScan2):