extremecoders-re / pyinstxtractor

PyInstaller Extractor
GNU General Public License v3.0

Unable to decrypt using script in wiki #51

Closed 4o3F closed 2 years ago

4o3F commented 2 years ago

When using the code in the wiki and changing the password:

```python
import glob
import zlib
import tinyaes
from pathlib import Path

CRYPT_BLOCK_SIZE = 16

# key obtained from pyimod00_crypto_key
key = bytes('MySup3rS3cr3tK3y', 'utf-8')

for p in Path("PYZ-00.pyz_extracted").glob("**/*.pyc.encrypted"):
    inf = open(p, 'rb') # encrypted file input
    outf = open(p.with_name(p.stem), 'wb') # output file

    # Initialization vector
    iv = inf.read(CRYPT_BLOCK_SIZE)

    cipher = tinyaes.AES(key, iv)

    # Decrypt and decompress
    plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))

    # Write pyc header
    # The header below is for Python 3.8
    outf.write(b'\x55\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')

    # Write decrypted data
    outf.write(plaintext)

    inf.close()
    outf.close()

    # Delete .pyc.encrypted file
    p.unlink()
```

I get the following:

```
Traceback (most recent call last):
  File "decrypt.py", line 21, in <module>
    plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
zlib.error: Error -3 while decompressing data: incorrect header check
```

The environment is as below: Python 3.8.13, tinyaes 1.0.3.

extremecoders-re commented 2 years ago

Most likely the key you're using to decrypt is incorrect. It's 16 bytes in size. If you share the pyimod00_crypto_key.pyc file, I will be able to tell the correct key.

4o3F commented 2 years ago

The file is here: pyimod00_crypto_key.zip. I decrypted the key: Downloader-PyJun. Also, the pyz file is as follows: PYZ.zip

extremecoders-re commented 2 years ago

The key is correct indeed. Looks like the executable may be using a modified pyinstaller. Can you share the file pyimod02_archive.pyc?

4o3F commented 2 years ago

Of course: extracted.zip

extremecoders-re commented 2 years ago

This is an older version (<4.0) of PyInstaller which uses AES in CFB mode. Actually this is documented in the wiki.

The first snippet => https://github.com/extremecoders-re/pyinstxtractor/wiki/Frequently-Asked-Questions#are-encrypted-pyz-archives-supported

To automate the process you can use this script:

```python
import zlib
from Crypto.Cipher import AES  # pycryptodome
from pathlib import Path

CRYPT_BLOCK_SIZE = 16

# key obtained from pyimod00_crypto_key
key = bytes('Downloader-PyJun', 'utf-8')

for p in Path("PYZ-00.pyz_extracted").glob("**/*.pyc.encrypted"):
    with open(p, 'rb') as inf:  # encrypted file input
        # Initialization vector: the first block of the file
        iv = inf.read(CRYPT_BLOCK_SIZE)

        # PyInstaller < 4.0 uses AES in CFB mode (not CTR as in >= 4.0)
        cipher = AES.new(key, AES.MODE_CFB, iv)

        # Decrypt and decompress
        plaintext = zlib.decompress(cipher.decrypt(inf.read()))

    with open(p.with_name(p.stem), 'wb') as outf:  # output file
        # Write pyc header
        # The header below is for Python 3.8
        outf.write(b'\x55\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')

        # Write decrypted data
        outf.write(plaintext)

    # Delete .pyc.encrypted file
    p.unlink()
```

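
Added example (not from the issue or the pyinstxtractor project): both PyInstaller modes written over a pluggable forward block function, plus a probe that checks the zlib header to tell a wrong mode or key apart before inflating, which is the "incorrect header check" failure shown above. The CFB-8 variant matches the `AES.MODE_CFB` default `segment_size=8` that the script above relies on; `toy_block`, the sample key/IV/payload and `build_sample` are constructed stand-ins so it runs without an AES package.

```python
import hashlib
import zlib

CRYPT_BLOCK_SIZE = 16

def ctr_xcrypt(enc, key, iv, data):
    # PyInstaller >= 4.0 (tinyaes CTR_xcrypt_buffer): block i XORed with enc(key, IV + i), IV big-endian
    counter, out = int.from_bytes(iv, "big"), bytearray()
    for i in range(0, len(data), CRYPT_BLOCK_SIZE):
        ks = enc(key, ((counter + i // CRYPT_BLOCK_SIZE) % (1 << 128)).to_bytes(16, "big"))
        out += bytes(c ^ k for c, k in zip(data[i:i + CRYPT_BLOCK_SIZE], ks))
    return bytes(out)

def cfb8_xcrypt(enc, key, iv, data, decrypt):
    # PyInstaller < 4.0 (AES.MODE_CFB, default segment_size=8): byte ^= enc(key, reg)[0], ciphertext byte shifts in
    reg, out = iv, bytearray()
    for b in data:
        o = b ^ enc(key, reg)[0]
        reg = reg[1:] + bytes([b if decrypt else o])
        out.append(o)
    return bytes(out)

def looks_like_zlib(buf):
    # zlib header: CM == 8 and the 16-bit CMF/FLG value is a multiple of 31
    return len(buf) >= 2 and buf[0] & 0x0F == 8 and ((buf[0] << 8) | buf[1]) % 31 == 0

def decrypt_pyz_entry(enc, key, blob):
    """Try CTR, then CFB-8, on an IV-prefixed .pyc.encrypted payload; (mode, marshalled bytes) or (None, b"")."""
    iv, body = blob[:CRYPT_BLOCK_SIZE], blob[CRYPT_BLOCK_SIZE:]
    for mode, plain in (("ctr", ctr_xcrypt(enc, key, iv, body)),
                        ("cfb8", cfb8_xcrypt(enc, key, iv, body, decrypt=True))):
        if looks_like_zlib(plain):
            try:
                return mode, zlib.decompress(plain)
            except zlib.error:
                pass  # header matched by chance; fall through to the other mode
    return None, b""

def toy_block(key, block):
    # Constructed stand-in block function (no AES package needed); for real PYZ entries pass
    # pycryptodome's AES.new(key, AES.MODE_ECB).encrypt instead
    return hashlib.sha256(key + block).digest()[:CRYPT_BLOCK_SIZE]

# Constructed sample (not from the issue): 16-byte key, IV and a payload to zlib-compress
SAMPLE_KEY, SAMPLE_IV, SAMPLE_PAYLOAD = b"0123456789abcdef", bytes(range(16)), b"\xe3\x00\x00\x00" + b"pyinstxtractor sample " * 4

def build_sample(mode):
    # Encrypt the sample the way each PyInstaller generation would (IV-prefixed blob)
    z = zlib.compress(SAMPLE_PAYLOAD)
    body = (ctr_xcrypt(toy_block, SAMPLE_KEY, SAMPLE_IV, z) if mode == "ctr"
            else cfb8_xcrypt(toy_block, SAMPLE_KEY, SAMPLE_IV, z, decrypt=False))
    return SAMPLE_IV + body
```

The returned bytes are the marshalled code object; prepend the pyc header for the matching Python version, as the scripts above do, to get a loadable .pyc.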
4o3F commented 2 years ago

Thanks! It is my mistake 😄