Scripts for extracting payloads from Lucifer's resources.
import struct
import pefile
import argparse
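def decrypt_payload(payload, key=0x58):
    """Decode a Lucifer resource blob.

    Each input byte is XORed with *key* and then *key* is added to the result,
    both modulo 256. The key defaults to 0x58, the value this gist was written
    against (the author notes it had not changed); it is a parameter so a
    different single-byte key can be tried without editing the function.

    Args:
        payload: bytes-like object holding the raw (encoded) resource data.
        key: single-byte key; only the low 8 bits are used.

    Returns:
        The decoded bytes. An empty payload yields ``b''``.
    """
    key &= 0xff
    # Building with bytes() over a generator replaces the byte-at-a-time
    # b'' += struct.pack(...) of the original, which is quadratic on large resources.
    return bytes(((b ^ key) + key) & 0xff for b in payload)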
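def _safe_filename(name):
    """Reduce a resource name to characters that are safe inside a file name.

    Resource names are read from the sample itself, so a crafted PE could
    carry path separators or other special characters. Everything outside
    ``[A-Za-z0-9._-]`` (plus other Unicode alphanumerics) is replaced with
    ``_`` before the name is used to build the dump path.
    """
    return ''.join(c if c.isalnum() or c in '._-' else '_' for c in name)


def main():
    """Command-line entry point for listing and extracting Lucifer resources.

    Options: ``-f`` path to the sample (required); ``-l`` print the names of
    the named resources; ``-r NAME ...`` extract only those resources;
    ``-e`` extract every named resource. Extracted data is passed through
    ``decrypt_payload`` and written beside the input as
    ``<sample>_<resource name>.dump``.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-f', help="Lucifer file", required=True)
    parser.add_argument('-l', help="List all the resources", action='store_true', required=False)
    parser.add_argument('-r', help="Specify specific resources to extract", nargs='*', required=False)
    parser.add_argument('-e', help="Extract all resources", action='store_true', required=False)
    args = parser.parse_args()
    fpath = args.f
    # Close the handle deterministically; the original left it to the GC.
    with open(fpath, 'rb') as sample:
        data = sample.read()
    pe = pefile.PE(data=data)
    # A sample without a resource directory would otherwise fail with a bare AttributeError.
    if not hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
        parser.error(f'{fpath}: no resource directory found')
    rsrcs = [e for e in pe.DIRECTORY_ENTRY_RESOURCE.entries if e.name is not None]
    names = [rsrc.name.decode('utf-8', 'backslashreplace') for rsrc in rsrcs]
    if args.l:
        print(f'Listing Resources: {names}')
    if not (args.r or args.e):
        return
    # -r used to be parsed but never consulted, so every resource was dumped
    # regardless. It now restricts extraction to the listed names; -e still
    # takes everything.
    wanted = None if args.e else set(args.r)
    image = pe.get_memory_mapped_image()
    for rsrc, name in zip(rsrcs, names):
        if wanted is not None and name not in wanted:
            continue
        for entry in rsrc.directory.entries:
            data_struct = entry.directory.entries[0].data.struct
            offset, size = data_struct.OffsetToData, data_struct.Size
            print(f'Resource name: {name}, Offset: {offset}, Size: {size}')
            try:
                decoded = decrypt_payload(image[offset:offset + size])
                # str(rsrc.name) is what the original used for the path; it is
                # sanitised so a hostile resource name cannot steer the write
                # outside the sample's directory.
                dump_path = fpath + '_' + _safe_filename(str(rsrc.name)) + '.dump'
                with open(dump_path, 'wb') as out:
                    out.write(decoded)
                print(f'Dumped at: {dump_path}')
            except Exception as err:
                # Best-effort per resource, as before, but say which one failed.
                print(f'Failed to dump resource {name}: {err}')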
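# `in` was a substring test ("main" in "__main__" is also true); equality is the intended guard.
if __name__ == "__main__":
    main()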