filippovitale · August 20, 2020 13:29
diff --git a/extract_lucify_rsrcs.py b/extract_lucify_rsrcs.py
 import pefile
 import argparse


 def decrypt_one_byte(b):
    key = 0x58  # The xor key hasn’t changed
    xor = (b ^ key) & 0xff
    return (xor + key) & 0xff


 def decrypt_payload(payload):
    payload_decrypted = map(decrypt_one_byte, payload)
    return bytes(payload_decrypted)


 def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-f', help="Lucifer file", required=True)
    parser.add_argument('-l', help="List all the resources", action='store_true', required=False)
    parser.add_argument('-r', help="Specify specific resources to extract", nargs='*', required=False)
    parser.add_argument('-e', help="Extract all resources", action='store_true', required=False)
    args = parser.parse_args()

    lucifer_filepath = args.f
    with open(lucifer_filepath, 'rb') as file:
        pe = pefile.PE(data=(file.read()))

    rsrcs = [e for e in pe.DIRECTORY_ENTRY_RESOURCE.entries
             if e.name is not None]

    list_all_resources = args.l
    if list_all_resources:
        names = [rsrc.name.decode('utf-8', 'backslashreplace')
                 for rsrc in rsrcs]
        print(f'Listing Resources: {names}')

    if args.r or args.e:
        for rsrc in rsrcs:
            for entry in rsrc.directory.entries:
                resource_name = {rsrc.name.decode("utf-8", "backslashreplace")}
                offset = entry.directory.entries[0].data.struct.OffsetToData
                size = entry.directory.entries[0].data.struct.Size
                resource_details = (f'Resource name: {resource_name}, '
                                    f'Offset: {offset}, Size: {size}')
                print(resource_details)

                encoded = pe.get_memory_mapped_image()[offset:offset + size]
                decoded = decrypt_payload(encoded)

                dump_path = f'{lucifer_filepath}_{rsrc.name}.dump'
                with open(dump_path, 'wb') as file:
                    file.write(decoded)
                print(f'Dumped at: {dump_path}')


 if __name__ in "__main__":
    main()
	import pefile
	import argparse


	def decrypt_one_byte(b):
	key = 0x58 # The xor key hasn’t changed
	xor = (b ^ key) & 0xff
	return (xor + key) & 0xff


	def decrypt_payload(payload):
	payload_decrypted = map(decrypt_one_byte, payload)
	return bytes(payload_decrypted)


	def main():
	parser = argparse.ArgumentParser()
	parser.add_argument('-f', help="Lucifer file", required=True)
	parser.add_argument('-l', help="List all the resources", action='store_true', required=False)
	parser.add_argument('-r', help="Specify specific resources to extract", nargs='*', required=False)
	parser.add_argument('-e', help="Extract all resources", action='store_true', required=False)
	args = parser.parse_args()

	lucifer_filepath = args.f
	with open(lucifer_filepath, 'rb') as file:
	pe = pefile.PE(data=(file.read()))

	rsrcs = [e for e in pe.DIRECTORY_ENTRY_RESOURCE.entries
	if e.name is not None]

	list_all_resources = args.l
	if list_all_resources:
	names = [rsrc.name.decode('utf-8', 'backslashreplace')
	for rsrc in rsrcs]
	print(f'Listing Resources: {names}')

	if args.r or args.e:
	for rsrc in rsrcs:
	for entry in rsrc.directory.entries:
	resource_name = {rsrc.name.decode("utf-8", "backslashreplace")}
	offset = entry.directory.entries[0].data.struct.OffsetToData
	size = entry.directory.entries[0].data.struct.Size
	resource_details = (f'Resource name: {resource_name}, '
	f'Offset: {offset}, Size: {size}')
	print(resource_details)

	encoded = pe.get_memory_mapped_image()[offset:offset + size]
	decoded = decrypt_payload(encoded)

	dump_path = f'{lucifer_filepath}_{rsrc.name}.dump'
	with open(dump_path, 'wb') as file:
	file.write(decoded)
	print(f'Dumped at: {dump_path}')


	if __name__ in "__main__":
	main()