Skip to content

Instantly share code, notes, and snippets.

@gerry gerry/
Last active Sep 24, 2015

What would you like to do?
Extracts the embedded source code from Cisco Security Agent Management Console.
#!/usr/bin/env python
""", Extracts the embedded source code from Cisco Security Agent Management Console.
Gerry <>
import os
import sys
import struct
import pefile
from itertools import takewhile
_KEY = 'Copyright material protected by a technological protection measure!'
_KEY_LEN = len(_KEY)
def get_section_by_name(pe, name):
section = filter(lambda s: s.Name == name, pe.sections)[0]
except IndexError, e:
return None
return section
def not_null(c):
return c != '\0'
def decrypt_data(data):
decrypted_data = []
for idx, val in enumerate(data):
decrypted_data.append(chr(ord(val) - ord(_KEY[idx % _KEY_LEN])))
return ''.join(decrypted_data)
def main(output_path="./extracted", filename="webadmin.exe", section_name="htlconst"):
pe = pefile.PE(filename, fast_load=True)
# Create the output path is needed, then chdir to it
output_path = os.path.abspath(output_path)
if not os.path.isdir(output_path):
# Filename to search for when locating the file table
search_string = "login.htl"
# The htlconst section contains all the data we need
htlconst = get_section_by_name(pe, section_name)
assert htlconst is not None, "Could not find section: %s" % section_name
image_base = pe.OPTIONAL_HEADER.ImageBase
# Get index of known filename in htlconst section data
filename_offset =
except ValueError:
sys.exit("Could not find search string: %s" % search_string)
# Get address of known filename in htlconst section
filename_rva = filename_offset + htlconst.VirtualAddress + image_base
# Search for a pointer to the filename
filename_ptr = struct.pack("I", filename_rva)
assert filename_ptr in, "Could not find pointer to filename"
# Search back for 0x00000000 and add 4 to get the start of the struct
table_offset = None
filename_ptr_idx =
# Is there a better way todo this?
for idx in reversed(xrange(0, filename_ptr_idx, 4)):
if[idx:idx+4] == "\x00\x00\x00\x00":
table_offset = idx + 4
assert table_offset is not None, "Could not find start of file table"
cur_offset = table_offset
while True:
# unpack pointers to the filename and its 'encrypted' contents
(ptr_filename, ptr_data) = struct.unpack('II',[cur_offset:cur_offset + 8])
# Check for the end of the structure
if not htlconst.contains_rva(ptr_data - image_base):
filename = pe.get_string_at_rva(ptr_filename - image_base)
print '[+] Extracting: %s' % filename
data_offset = (ptr_data - image_base - htlconst.VirtualAddress)
encrypted_data = takewhile(not_null,[data_offset:])
decrypted_data = decrypt_data(encrypted_data)
f = open(filename, 'w')
cur_offset += 8
print "[+] Done extracting %d files." % ((cur_offset - table_offset)/8)
if __name__ == "__main__":
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.