Closed kenikFJ closed 3 weeks ago
extremecoders-re
commented
3 weeks ago This uses a modified pyinstaller with a custom magic. Also uses modified logic and generates the AES encryption key at runtime.
The following pyinstxtractor-ng script can extract it: https://paste.ee/p/I0vyU Be sure to instasll the dependencies first before running.
kenikFJ
commented
3 weeks ago Thank you so much!!!
If it's not too much trouble, can you explain how you figured it out? Just through the dump? I saw the last issue (https://github.com/extremecoders-re/pyinstxtractor/issues/92) and didn't understand where you get the magic from. I didn't find it at the end of the file
extremecoders-re
commented
3 weeks ago If it's not too much trouble, can you explain how you figured it out? Just through the dump? I saw the last issue (#92) and didn't understand where you get the magic from. I didn't find it at the end of the file
The magic of a standard pyinstaller executable is 4D 45 49 0C 0B 0A 0B 0E. You can search For these bytes using a hex editor in a pyinstaller executable to know the location. It will be at the end of the file. In this particular file, if you check the same location you would find it is different. That way can get the modified magic 54 4C 52 0C 09 0D 0C 0B. Check the screenshot.
FILE: https://gofile.io/d/CKep0X help me please