@alaurie
Created October 10, 2023 04:40
Updated Intunewin decrypt and extract function
import base64
import io
import os
import xml.etree.ElementTree as ET
import zipfile

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
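def decrypt_and_extract(metadata_path, encrypted_file_path):
    """Decrypt an .intunewin payload and unpack it into ``extracted_content``.

    The AES key and IV are read from the package's own metadata XML (the
    ``EncryptionKey`` and ``InitializationVector`` elements). Anyone holding
    the package can therefore recover its contents: the encryption offers no
    confidentiality for installers, scripts or credentials packed inside.

    Args:
        metadata_path: Path to the package metadata XML.
        encrypted_file_path: Path to the encrypted payload file.

    Raises:
        ValueError: If the metadata lacks the key or IV element, or if the
            decrypted data has invalid padding (raised by ``unpad``).
        zipfile.BadZipFile: If the decrypted data is not a ZIP archive.
    """
    # ET.parse reads the file as bytes and applies the XML declaration or BOM
    # itself, rather than decoding with the platform's default text encoding.
    # NOTE(review): ElementTree is not hardened against hostile XML; only parse
    # metadata from packages you already trust, or use a hardened parser.
    root = ET.parse(metadata_path).getroot()

    def _decode_field(tag):
        # Fail with a clear message instead of an AttributeError on None.
        node = root.find(f".//{tag}")
        if node is None or not node.text:
            raise ValueError(
                f"'{tag}' not found in metadata file '{metadata_path}'"
            )
        return base64.b64decode(node.text)

    encryption_key = _decode_field("EncryptionKey")
    iv = _decode_field("InitializationVector")

    with open(encrypted_file_path, "rb") as encrypted_file:
        encrypted_content = encrypted_file.read()

    cipher = AES.new(encryption_key, AES.MODE_CBC, iv)
    # NOTE(review): nothing here authenticates the ciphertext before it is
    # decrypted and unpacked. If the metadata carries MAC fields, verify them
    # first -- confirm against the package format.
    decrypted_content = unpad(cipher.decrypt(encrypted_content), AES.block_size)

    # Create the output directory only once decryption has succeeded.
    extracted_content_dir = "extracted_content"
    os.makedirs(extracted_content_dir, exist_ok=True)

    # Open the archive from memory instead of writing temp.zip into the output
    # directory. A failed run then leaves no decrypted temp file behind, and an
    # archive member named temp.zip is neither overwritten nor deleted.
    with zipfile.ZipFile(io.BytesIO(decrypted_content), "r") as zip_ref:
        zip_ref.extractall(extracted_content_dir)

    print(
        f"File '{encrypted_file_path}' decrypted and extracted to '{extracted_content_dir}'."  # noqa: E501
    )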
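# Example function usage. Guarded so that importing this module does not start
# a decryption run against the hard-coded paths below.
if __name__ == "__main__":
    metadata_path = r"C:\Users\AlexR\Downloads\temp\npp.8.5.7.Installer.x64\IntuneWinPackage\Metadata\Detection.xml"
    encrypted_file_path = r"C:\Users\AlexR\Downloads\temp\npp.8.5.7.Installer.x64\IntuneWinPackage\Contents\IntunePackage.intunewin"
    decrypt_and_extract(metadata_path, encrypted_file_path)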