Updated Intunewin decrypt and extract function
import base64
import io
import os
import xml.etree.ElementTree as ET
import zipfile

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
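def decrypt_and_extract(metadata_path, encrypted_file_path, output_dir="extracted_content"):
    """Decrypt an Intune ``.intunewin`` payload and unzip it into ``output_dir``.

    Args:
        metadata_path: Path to the package's ``Detection.xml``. The first
            ``EncryptionKey`` and ``InitializationVector`` elements found
            anywhere in the document are used; both are base64 text.
        encrypted_file_path: Path to the AES-CBC encrypted payload. The whole
            file is treated as ciphertext, starting at byte 0.
        output_dir: Directory the decrypted zip is extracted into; created if
            missing. Defaults to ``extracted_content`` relative to the current
            working directory, which is what earlier versions hard-coded.

    Raises:
        ValueError: if the metadata lacks the key/IV elements, the key or IV
            has a length AES does not accept, the ciphertext is not a whole
            number of blocks, or the PKCS#7 padding is wrong (typically a wrong
            key/IV or a truncated/corrupted payload).
        zipfile.BadZipFile: if the decrypted bytes are not a zip archive.

    Security notes:
        * Nothing here authenticates the ciphertext. AES-CBC gives
          confidentiality only; a modified payload is detected only if it
          happens to break the padding or the zip structure. Only run this on
          packages from a trusted source, or verify the package's MAC first if
          its metadata provides one (this function does not read any).
        * The decrypted archive is kept in memory and never written to disk,
          so a failed run leaves no plaintext behind.
        * ``zipfile.extractall`` neutralises absolute paths and ``..``
          components but does not bound the decompressed size, so a hostile
          archive can still exhaust disk space.
    """
    # Let ElementTree read the file as bytes so the XML declaration, not the
    # platform default text encoding, decides how it is decoded.
    root = ET.parse(metadata_path).getroot()
    key_element = root.find(".//EncryptionKey")
    iv_element = root.find(".//InitializationVector")
    if key_element is None or not key_element.text:
        raise ValueError(f"'{metadata_path}' has no EncryptionKey element")
    if iv_element is None or not iv_element.text:
        raise ValueError(f"'{metadata_path}' has no InitializationVector element")

    encryption_key = base64.b64decode(key_element.text)
    iv = base64.b64decode(iv_element.text)
    # Fail with a message naming the metadata rather than a generic error
    # from inside AES.new() when the base64 decodes to something unusable.
    if len(encryption_key) not in (16, 24, 32):
        raise ValueError(f"EncryptionKey decodes to {len(encryption_key)} bytes; AES needs 16, 24 or 32")
    if len(iv) != AES.block_size:
        raise ValueError(f"InitializationVector decodes to {len(iv)} bytes; AES-CBC needs {AES.block_size}")

    with open(encrypted_file_path, "rb") as encrypted_file:
        encrypted_content = encrypted_file.read()
    # CBC ciphertext is always whole blocks; anything else is a truncated or
    # non-encrypted file, and PyCryptodome's error would be less specific.
    if not encrypted_content or len(encrypted_content) % AES.block_size:
        raise ValueError(f"'{encrypted_file_path}' is not a whole number of AES blocks")

    # NOTE(review): decryption starts at byte 0 with the IV from the metadata.
    # If this payload format carries its own header (e.g. a MAC or IV prefix),
    # the leading blocks would come out as garbage -- confirm against a
    # known-good package rather than assuming the prefix is absent.
    cipher = AES.new(encryption_key, AES.MODE_CBC, iv)
    decrypted_content = unpad(cipher.decrypt(encrypted_content), AES.block_size)

    # Create the directory only once decryption has succeeded so a bad
    # key/IV does not leave an empty output directory behind.
    os.makedirs(output_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(decrypted_content), "r") as zip_ref:
        zip_ref.extractall(output_dir)
    print(f"File '{encrypted_file_path}' decrypted and extracted to '{output_dir}'.")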
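# Example usage: point these at the Metadata/Detection.xml and
# Contents/IntunePackage.intunewin files of an unpacked .intunewin package.
# Guarded so that importing this module does not run a decrypt/extract
# against the author's machine-specific paths.
if __name__ == "__main__":
    metadata_path = r"C:\Users\AlexR\Downloads\temp\npp.8.5.7.Installer.x64\IntuneWinPackage\Metadata\Detection.xml"
    encrypted_file_path = r"C:\Users\AlexR\Downloads\temp\npp.8.5.7.Installer.x64\IntuneWinPackage\Contents\IntunePackage.intunewin"
    decrypt_and_extract(metadata_path, encrypted_file_path)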