09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74

Metadata

SHA256: 09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74
Difficulty: advanced
Platform: Windows
Tags: custom wrapper evilai packed pdf converter pyinstaller
Likes: 1
Views: 150
Submitter: struppigel

Analysis

Goal

PyInstxtractor does not work here. Extract and decrypt all the python code, including the plain "PYZ" archive contents.

Description

This is a custom PyInstxtractor stub. On top of that the PYZ archive contents are encrypted.
Figure out the differences.
Modify pyinstxtractor-ng.py so that it works on the sample and also decrypts the PYZ archive.

(This is set to advanced because of custom tooling, albeit I am debating whether medium is more appropriate)

Recommended Tools

pyinstxtractor-ng python

Solutions

Extractor for custom PyInstaller executables as seen in PDFly or PDFClick Reference by struppigel

891

Sample