8c9d9150efa35278afcb23f2af4c4babcc4dd55acd9e839bed4c04cb5a8d9c3f

Metadata

SHA256: 8c9d9150efa35278afcb23f2af4c4babcc4dd55acd9e839bed4c04cb5a8d9c3f
Difficulty: advanced
Platform: Windows
Tags: custom wrapper evilai packed pdf converter pyinstaller
Likes: 0
Views: 33
Submitter: struppigel

Analysis

Goal

PyInstxtractor does not work here. Extract and decrypt all the python code, including the plain "PYZ" archive contents.

Description

This is a custom PyInstxtractor stub. On top of that the PYZ archive contents are encrypted.
Figure out the differences.
Modify pyinstxtractor-ng.py so that it works on the sample and also decrypts the PYZ archive.

(This is set to advanced because of custom tooling, albeit I am debating whether medium is more appropriate)

Recommended Tools

pyinstxtractor-ng python

Solutions

Extractor for custom PyInstaller executables as seen in PDFly or PDFClick Reference by struppigel

134

Sample