Scripts for extracting payloads from Lucifer's resources.
import struct
import pefile
import argparse
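def decrypt_payload(payload, key=0x58):
    """Decode an embedded resource payload.

    Each byte is XORed with *key* and then has *key* added to it, modulo 256.

    Args:
        payload: Encoded resource bytes (any bytes-like object that yields
            ints when iterated).
        key: Single-byte key. Defaults to 0x58, the value the original
            script hard-coded; exposed as a parameter so a sample that
            uses a different key can be handled without editing the code.

    Returns:
        The decoded payload as ``bytes`` (empty for empty input).
    """
    key &= 0xff
    # Build the result in one pass; appending to a bytes object inside the
    # loop copies the whole buffer on every iteration.
    return bytes((((b ^ key) & 0xff) + key) & 0xff for b in payload)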
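def _safe_component(name):
    """Return *name* reduced to characters that are safe in a file name.

    Resource names are read from the sample under analysis, so they are
    untrusted input. Anything other than ASCII letters, digits, '.', '_'
    and '-' is replaced with '_' so that a name cannot carry a path
    separator into the dump path.
    """
    allowed = ('abcdefghijklmnopqrstuvwxyz'
               'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
               '0123456789._-')
    return ''.join(ch if ch in allowed else '_' for ch in name)


def main():
    """Command-line entry point: list and/or dump a sample's named resources.

    Options:
        -f  path of the PE file to analyse (required)
        -l  print the names of the named top-level resources
        -r  names of the resources to extract
        -e  extract every named resource

    Each extracted resource is decoded with decrypt_payload() and written
    to ``<input path>_<resource name>.dump``.

    NOTE(review): the listing this function was taken from had lost its
    indentation and several tokens (the attribute tested against None, the
    ``.name.decode(`` calls, the inner loop's iterable, the ``try:`` line,
    the write call and the ``except`` body). Those parts are reconstructed
    here from the surviving text and the pefile resource tree layout;
    confirm them against the original script.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-f', help="Lucifer file", required=True)
    parser.add_argument('-l', help="List all the resources", action='store_true', required=False)
    parser.add_argument('-r', help="Specify specific resources to extract", nargs='*', required=False)
    parser.add_argument('-e', help="Extract all resources", action='store_true', required=False)
    args = parser.parse_args()

    fpath = args.f
    # Close the sample's file handle as soon as its bytes are in memory.
    with open(fpath, 'rb') as sample:
        data = sample.read()
    pe = pefile.PE(data=data)

    # pefile only sets DIRECTORY_ENTRY_RESOURCE when the file has a resource
    # directory, so a file without one yields an empty list, not an error.
    resource_dir = getattr(pe, 'DIRECTORY_ENTRY_RESOURCE', None)
    top_entries = resource_dir.entries if resource_dir is not None else []

    # Only named entries are considered; entries identified by number have
    # name set to None.
    rsrcs = [e for e in top_entries if e.name is not None]
    names = [rsrc.name.decode('utf-8', 'backslashreplace') for rsrc in rsrcs]

    if args.l:
        print(f'Listing Resources: {names}')

    if args.r or args.e:
        # NOTE(review): the listing shows no selection step, which would make
        # -r behave exactly like -e; -r is honoured here per its help text.
        wanted = set(args.r or ())
        # Map the image once instead of once per resource.
        image = pe.get_memory_mapped_image()
        for rsrc, name in zip(rsrcs, names):
            if not args.e and name not in wanted:
                continue
            for entry in rsrc.directory.entries:
                # One malformed resource should not stop the others from
                # being extracted, so failures are reported per entry.
                try:
                    leaf = entry.directory.entries[0]
                    offset = leaf.data.struct.OffsetToData
                    size = leaf.data.struct.Size
                    print(f'Resource name: {name}, Offset: {offset}, Size: {size}')
                    encoded = image[offset:offset+size]
                    if len(encoded) != size:
                        # Offset and size come from the sample's own headers
                        # and may point outside the mapped image.
                        print(f'Warning: expected {size} bytes, got {len(encoded)}')
                    decoded = decrypt_payload(encoded)
                    # If a resource has several entries they share this path
                    # and the last one written wins.
                    dump_path = fpath + '_' + _safe_component(name) + '.dump'
                    with open(dump_path, 'wb') as file:
                        file.write(decoded)
                    print(f'Dumped at: {dump_path}')
                except Exception as err:
                    print(f'Failed to extract {name}: {err}')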
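# Run the CLI only when executed as a script. The comparison must be `==`:
# `in` is a substring test and is also true for a module imported under a
# name such as "main".
if __name__ == "__main__":
    main()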