├── NSIS ├── 7z.dll └── 7z.exe ├── AutoIt ├── dumb.bin ├── Exe2Aut.exe └── dumb.bin.backup ├── MSI └── jsMSIx.exe ├── AutoHK └── AutoHK_B.exe ├── InnoSetup └── innounp47.exe ├── JV ├── Encode.vbs └── Decode.vbs ├── README.md ├── Powershell └── PshCodec.ps1 └── ejExtractor.py /NSIS/7z.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/NSIS/7z.dll -------------------------------------------------------------------------------- /NSIS/7z.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/NSIS/7z.exe -------------------------------------------------------------------------------- /AutoIt/dumb.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/AutoIt/dumb.bin -------------------------------------------------------------------------------- /MSI/jsMSIx.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/MSI/jsMSIx.exe -------------------------------------------------------------------------------- /AutoIt/Exe2Aut.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/AutoIt/Exe2Aut.exe -------------------------------------------------------------------------------- /AutoHK/AutoHK_B.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/AutoHK/AutoHK_B.exe -------------------------------------------------------------------------------- /AutoIt/dumb.bin.backup: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/AutoIt/dumb.bin.backup -------------------------------------------------------------------------------- /InnoSetup/innounp47.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SanseoLab/ejExtractor/HEAD/InnoSetup/innounp47.exe -------------------------------------------------------------------------------- /JV/Encode.vbs: -------------------------------------------------------------------------------- 1 | ' https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c 2 | 3 | Option Explicit 4 | 5 | dim oEncoder, oFilesToEncode, file, sDest 6 | dim sFileOut, oFile, oEncFile, oFSO, i 7 | dim oStream, sSourceFile 8 | 9 | set oFilesToEncode = WScript.Arguments 10 | set oEncoder = CreateObject("Scripting.Encoder") 11 | For i = 0 to oFilesToEncode.Count - 1 12 | set oFSO = CreateObject("Scripting.FileSystemObject") 13 | file = oFilesToEncode(i) 14 | set oFile = oFSO.GetFile(file) 15 | Set oStream = oFile.OpenAsTextStream(1) 16 | sSourceFile=oStream.ReadAll 17 | oStream.Close 18 | sDest = oEncoder.EncodeScriptFile(".vbs",sSourceFile,0,"") 19 | sFileOut = Left(file, Len(file) - 3) & "vbe" 20 | Set oEncFile = oFSO.CreateTextFile(sFileOut) 21 | oEncFile.Write sDest 22 | oEncFile.Close 23 | Next -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ejExtractor 2 | Integrated tool for extracting scripts and binaries of AutoIt, AutoHotKey, InnoSetup, NSIS executables, MSI and JSE/VBE, powershell Encoding/Decoding. 3 | 4 | 5 | ## Description 6 | There are a lot of tools for each executables like AutoIt, AutoHK, InnoSetup, NSIS etc. So i just simply integrated these tools into command line script. I think it can be used to automate some jobs too. 
(+ PowerShell / JSE / VBE decoding routines)
7 |
8 | - AutoIt : using exe2aut
9 | - AutoHK : using a simple python script for version L and the tool [ https://github.com/Kalamity/Exe2AhkPatched ] for version B
10 | - InnoSetup : using innounp47.exe. It can extract everything, including the installation script (.iss).
11 | - NSIS : using 7z version 15.05. This version can extract everything, including the installation script (.NSS).
12 | - MSI : using jsMSIx.exe. It extracts files with their paths, and the registry configuration can be checked in "MSI Unpack.log", which is generated in the same folder.
13 | - Powershell : Malware often wraps PowerShell payloads with mechanisms such as Deflate, Gzip and SecureString. This option decodes / encodes Base64 strings that were compressed or encrypted with these mechanisms, so extract the string from the PowerShell command line, save it to a txt file and pass that file as input. If SecureString is used, you also need the key: add the -key option and give the key on the command line.
14 | - JSE / VBE : using vbs scripts. [ https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c ]
15 |
16 |
17 | ## Usage
18 | > ejExtractor.py -[Option] [Path]
19 | - ex)
20 | > ejExtractor.py -n C:\test.exe
21 |
22 | For a PowerShell Secure String:
23 | > ejExtractor.py -[Option] [Path] -key [key]
24 | - ex)
25 | > ejExtractor.py -psd C:\test.txt -key 35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50
26 |
27 |
28 | ## Options
29 | - -h : Help
30 | - -l : AutoHotKey version L
31 | - -b : AutoHotKey version B
32 | - -A : AutoIt Simple Way ( +AutoHK )
33 | - -a : AutoIt Another Way ( +AutoHK )
34 | - -i : InnoSetup
35 | - -n : NSIS
36 | - -m : MSI
37 | - -pdd : Powershell Deflate Decode
38 | - -pde : Powershell Deflate Encode
39 | - -pgd : Powershell GZip Decode
40 | - -pge : Powershell GZip Encode
41 | - -psd : Powershell Secure String Decode
42 | - -pse : Powershell Secure String Encode
43 | - -jve : JS / VBS Encoding (to .jse or .vbe). Warning : the result extension is always vbe, so just change the extension if the input is js.
44 | - -jvd : JSE / VBE Decoding (to .js or .vbs). Warn : result extension is alwyas vbs, so just change extension if it's jse. 45 | 46 | 47 | ## TODO 48 | Finding what to add. 49 | 50 | -------------------------------------------------------------------------------- /Powershell/PshCodec.ps1: -------------------------------------------------------------------------------- 1 | 2 | 3 | $Path = $args[1] 4 | $ScriptBytes = [IO.File]::ReadAllBytes((Resolve-Path $Path)) 5 | 6 | 7 | if ($args[0] -eq "DeflateEncode") { 8 | $CompressedStream = New-Object IO.MemoryStream 9 | $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) 10 | $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) 11 | $DeflateStream.Dispose() 12 | $CompressedScriptBytes = $CompressedStream.ToArray() 13 | $CompressedStream.Dispose() 14 | $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) 15 | 16 | $output = $EncodedCompressedScript 17 | } 18 | 19 | 20 | elseif ($args[0] -eq "DeflateDecode") { 21 | $ScriptString = [System.Text.Encoding]::ASCII.GetString($ScriptBytes) 22 | $Decompressed64ScriptBytes = [Convert]::FromBase64String($ScriptString) 23 | 24 | $decoded = $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$Decompressed64ScriptBytes)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd(); 25 | 26 | $output = $decoded 27 | } 28 | 29 | 30 | elseif ($args[0] -eq "GzipEncode") { 31 | $CompressedStream = New-Object IO.MemoryStream 32 | $GzipStream = New-Object IO.Compression.GzipStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) 33 | $GzipStream.Write($ScriptBytes, 0, $ScriptBytes.Length) 34 | $GzipStream.Dispose() 35 | $CompressedScriptBytes = $CompressedStream.ToArray() 36 | $CompressedStream.Dispose() 37 | $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) 38 | 39 | $output = 
$EncodedCompressedScript 40 | } 41 | 42 | 43 | elseif ($args[0] -eq "GzipDecode") { 44 | $ScriptString = [System.Text.Encoding]::ASCII.GetString($ScriptBytes) 45 | $Decompressed64ScriptBytes = [Convert]::FromBase64String($ScriptString) 46 | 47 | $decoded = $(New-Object IO.StreamReader ($(New-Object IO.Compression.GzipStream($(New-Object IO.MemoryStream(,$Decompressed64ScriptBytes)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd(); 48 | 49 | $output = $decoded 50 | } 51 | 52 | 53 | elseif ($args[0] -eq "SecureDecode") { 54 | # need additional argument like "173,14,135,91,147,167,51,102,137,66,252,224,178,191,244,248,227,30,210,26,48,244,99,235" 55 | 56 | #PtrToStringAuto 57 | #PtrToStringUni 58 | #PtrToStringAnsi 59 | #PtrToStringBSTR 60 | 61 | #SecureStringToBSTR 62 | #SecureStringToGlobalAllocUnicode 63 | #SecureStringToGlobalAllocAnsi 64 | 65 | # Management.Automation.PSCredential - GetNetworkCredential().Password 66 | # ex) https://www.joesandbox.com/analysis/50838/0/pdf 67 | 68 | $key = $args[2] 69 | $ScriptString = [System.Text.Encoding]::ASCII.GetString($ScriptBytes) 70 | $SecureString = ConvertTo-SecureString $ScriptString -key $key 71 | 72 | $output = [Runtime.InterOpServices.Marshal]::PtrToStringAuto([Runtime.InterOpServices.Marshal]::SecureStringToBSTR($SecureString)) 73 | } 74 | 75 | 76 | elseif ($args[0] -eq "SecureEncode") { 77 | $key = $args[2] 78 | $ScriptString = [System.Text.Encoding]::ASCII.GetString($ScriptBytes) 79 | 80 | $SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force 81 | $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $key 82 | $output = $SecureStringText 83 | } 84 | 85 | 86 | Set-Content -Path '.\result.txt' -Value $output 87 | 88 | -------------------------------------------------------------------------------- /JV/Decode.vbs: -------------------------------------------------------------------------------- 1 | ' 
https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c 2 | 3 | 4 | Option Explicit 5 | 6 | Const BIF_NEWDIALOGSTYLE = &H40 7 | Const BIF_NONEWFOLDERBUTTON = &H200 8 | Const BIF_RETURNONLYFSDIRS = &H1 9 | 10 | Const FOR_READING = 1 11 | Const FOR_WRITING = 2 12 | 13 | 14 | Const TAG_BEGIN1 = "#@~^" 15 | Const TAG_BEGIN2 = "==" 16 | Const TAG_BEGIN2_OFFSET = 10 17 | Const TAG_BEGIN_LEN = 12 18 | Const TAG_END = "==^#~@" 19 | Const TAG_END_LEN = 6 20 | 21 | Dim argv 22 | Dim wsoShellApp 23 | Dim oFolder 24 | Dim sFolder 25 | Dim sFileSource 26 | Dim sFileDest 27 | Dim fso 28 | Dim fld 29 | Dim fc 30 | Dim bEncoded 31 | Dim fSource 32 | Dim tsSource 33 | Dim tsDest 34 | Dim iNumExamined 35 | Dim iNumProcessed 36 | Dim iNumSkipped 37 | 38 | Function Decode(Chaine) 39 | Dim se,i,c,j,index,ChaineTemp 40 | Dim tDecode(127) 41 | Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132" 42 | 43 | Set se=WSCript.CreateObject("Scripting.Encoder") 44 | For i=9 to 127 45 | tDecode(i)="JLA" 46 | Next 47 | For i=9 to 127 48 | ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3) 49 | For j=1 to 3 50 | c=Asc(Mid(ChaineTemp,j,1)) 51 | tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1) 52 | Next 53 | Next 54 | 55 | tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1) 56 | Set se=Nothing 57 | 58 | Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13)) 59 | Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<") 60 | Chaine=Replace(Chaine,"@$","@") 61 | index=-1 62 | For i=1 to Len(Chaine) 63 | c=asc(Mid(Chaine,i,1)) 64 | If c<128 Then index=index+1 65 | If (c=9) or ((c>31) and (c<128)) Then 66 | If (c<>60) and (c<>62) and (c<>64) Then 67 | Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison,(index mod 64)+1,1),1) & Mid(Chaine,i+1) 68 | End If 69 | End If 70 | Next 71 | Decode=Chaine 72 | End Function 73 | 74 | Sub Process (s) 75 | Dim bProcess 76 | Dim iTagBeginPos 77 | Dim iTagEndPos 78 | 79 | 80 | 
iNumExamined = iNumExamined + 1 81 | 82 | iTagBeginPos = Instr(s, TAG_BEGIN1) 83 | 84 | Select Case iTagBeginPos 85 | Case 0 86 | MsgBox sFileSource & " does not appear to be encoded. Missing Beginning Tag. Skipping file." 87 | iNumSkipped = iNumSkipped + 1 88 | 89 | Case 1 90 | If (Instr(iTagBeginPos, s, TAG_BEGIN2) - iTagBeginPos) = TAG_BEGIN2_OFFSET Then 91 | iTagEndPos = Instr(iTagBeginPos, s, TAG_END) 92 | 93 | If iTagEndPos > 0 Then 94 | Select Case Mid(s, iTagEndPos + TAG_END_LEN) 95 | Case "", Chr(0) 96 | bProcess = True 97 | 98 | If fso.FileExists(sFileDest) Then 99 | If MsgBox("File """ & sFileDest & """ exists. Overwrite?", vbYesNo + vbDefaultButton2) <> vbYes Then 100 | bProcess = False 101 | iNumSkipped = iNumSkipped + 1 102 | End If 103 | End If 104 | 105 | If bProcess Then 106 | s = Decode(Mid(s, iTagBeginPos + TAG_BEGIN_LEN, iTagEndPos - iTagBeginPos - TAG_BEGIN_LEN - TAG_END_LEN)) 107 | 108 | 109 | 110 | Set tsDest = fso.CreateTextFile(sFileDest, TRUE, FALSE) 111 | tsDest.Write s 112 | tsDest.Close 113 | Set tsDest = Nothing 114 | 115 | iNumProcessed = iNumProcessed + 1 116 | End If 117 | 118 | Case Else 119 | MsgBox sFileSource & " does not appear to be encoded. Found " & Len(Mid(s, iTagEndPos + TAG_END_LEN)) & " characters AFTER Ending Tag. Skipping file." 120 | iNumSkipped = iNumSkipped + 1 121 | End Select 122 | 123 | Else 124 | MsgBox sFileSource & " does not appear to be encoded. Missing ending Tag. Skipping file." 125 | iNumSkipped = iNumSkipped + 1 126 | End If 127 | 128 | Else 129 | MsgBox sFileSource & " does not appear to be encoded. Incomplete Beginning Tag. Skipping file." 130 | iNumSkipped = iNumSkipped + 1 131 | End If 132 | 133 | Case Else 134 | MsgBox sFileSource & " does not appear to be encoded. Found " & (iTagBeginPos - 1) & "characters BEFORE Beginning Tag. Skipping file." 
135 | iNumSkipped = iNumSkipped + 1 136 | End Select 137 | End Sub 138 | 139 | Set argv = WScript.Arguments 140 | 141 | sFileSource = "" 142 | sFolder = "" 143 | iNumExamined = 0 144 | iNumProcessed = 0 145 | iNumSkipped = 0 146 | 147 | Select Case argv.Count 148 | Case 0 149 | Set wsoShellApp = WScript.CreateObject("Shell.Application") 150 | 151 | On Error Resume Next 152 | set oFolder = wsoShellApp.BrowseForFolder (0, "Select a folder containing files to decode", BIF_NEWDIALOGSTYLE + BIF_NONEWFOLDERBUTTON + BIF_RETURNONLYFSDIRS) 153 | If Err.Number = 0 Then 154 | If TypeName(oFolder) = "Folder3" Then Set oFolder = oFolder.Items.Item 155 | sFolder = oFolder.Path 156 | End If 157 | On Error GoTo 0 158 | 159 | Set oFolder = Nothing 160 | Set wsoShellApp = Nothing 161 | 162 | If sFolder = "" Then 163 | MsgBox "Please pass a full file spec or select a folder containing encoded files" 164 | WScript.Quit 165 | End If 166 | 167 | Case 1 168 | sFileSource = argv(0) 169 | 170 | If InStr(sFileSource, "?") > 0 Then 171 | MsgBox "Pass a full file spec or no arguments (browse for a folder)" 172 | WScript.Quit 173 | End If 174 | 175 | Case Else 176 | MsgBox "Pass a full file spec, -?, /?, ?, or no arguments (browse for a folder)" 177 | WScript.Quit 178 | End Select 179 | 180 | Set fso = WScript.CreateObject("Scripting.FileSystemObject") 181 | 182 | If sFolder <> "" Then 183 | On Error Resume Next 184 | Set fld = fso.GetFolder(sFolder) 185 | If Err.Number <> 0 Then 186 | Set fld = Nothing 187 | Set fso = Nothing 188 | MsgBox "Folder """ & sFolder & """ is not valid in this context" 189 | WScript.Quit 190 | End If 191 | On Error GoTo 0 192 | 193 | Set fc = fld.Files 194 | 195 | For Each fSource In fc 196 | sFileSource = fSource.Path 197 | 198 | Select Case LCase(Right(sFileSource, 4)) 199 | Case ".vbe" 200 | sFileDest = Left(sFileSource, Len(sFileSource) - 1) & "s" 201 | bEncoded = True 202 | 203 | Case Else 204 | bEncoded = False 205 | End Select 206 | 207 | If bEncoded Then 208 
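| Set tsSource = fSource.OpenAsTextStream(FOR_READING) 209 | Process tsSource.ReadAll 210 | tsSource.Close 211 | Set tsSource = Nothing 212 | End If 213 | Next 214 | 215 | Set fc = Nothing 216 | Set fld = Nothing 217 | 218 | Else 219 | If Not fso.FileExists(sFileSource) Then 220 | MsgBox "File """ & sFileSource & """ not found" 221 | Else 222 | bEncoded = False 223 | 224 | Select Case LCase(Right(sFileSource, 4)) 225 | Case ".vbe" 226 | sFileDest = Left(sFileSource, Len(sFileSource) - 1) & "s" 227 | bEncoded = True 228 | Case Else 229 | MsgBox "File """ & sFileSource & """ needs to be of type VBE or JSE" 230 | bEncoded = False 231 | End Select 232 | 233 | If bEncoded Then 234 | Set tsSource = fso.OpenTextFile(sFileSource, FOR_READING) 235 | Process tsSource.ReadAll 236 | tsSource.Close 237 | Set tsSource = Nothing 238 | End If 239 | End If 240 | End If 241 | 242 | Set fso = Nothing 243 | 244 | MsgBox iNumExamined & " Files Examined; " & iNumProcessed & " Files Processed; " & iNumSkipped & " Files Skipped"
--------------------------------------------------------------------------------
/ejExtractor.py:
--------------------------------------------------------------------------------
import getopt
import os
import re
import shutil
import subprocess
import sys


# PowerShell options -> (mode string PshCodec.ps1 compares with $args[0],
# whether the mode also needs the "-key" argument).
_PSH_MODES = {
    "-pdd": ("DeflateDecode", False),
    "-pde": ("DeflateEncode", False),
    "-pgd": ("GzipDecode", False),
    "-pge": ("GzipEncode", False),
    "-psd": ("SecureDecode", True),
    "-pse": ("SecureEncode", True),
}

# Every other option main() handles.
_TOOL_OPTIONS = ("-l", "-b", "-a", "-A", "-i", "-n", "-m", "-jve", "-jvd")

# "-key" value: comma-separated decimal byte values such as 35,36,37.  It is
# the only caller-supplied text placed inside the PowerShell command string,
# so it is restricted to digits and commas.
_KEY_RE = re.compile(r"\d{1,3}(,\d{1,3})*\Z")

# Marker that brackets the compiled script inside an AutoIt executable.
_AUTOIT_MARKER = b"AU3!EA06"


def help():
    """Print the command-line usage and the list of options."""
    usage = (
        "USAGE : ejExtractor.py -[Option] [Path]",
        "USAGE2 (Powershell Secure String) : ejExtractor.py -[Option] [Path] -key [key]",
        "==== Option ====",
        "-l : AutoHotKey version L",
        "-b : AutoHotKey version B",
        "-A : AutoIt Simple Way",
        "-a : AutoIt Another Way",
        "-i : InnoSetup",
        "-n : NSIS",
        "-m : MSI",
        "-pdd : Powershell Deflate Decode",
        "-pde : Powershell Deflate Encode",
        "-pgd : Powershell GZip Decode",
        "-pge : Powershell GZip Encode",
        # The two labels below used to be swapped; main() maps -psd to
        # SecureDecode and -pse to SecureEncode, as the README documents.
        "-psd : Powershell Secure String Decode",
        "-pse : Powershell Secure String Encode",
        "-jve : JS/VBS Encoding",
        "-jvd : JSE/VBE Decoding",
    )
    for line in usage:
        print(line)
    return


def find_nth(s, x, n, i=0):
    """Return the index of the n-th occurrence of x in s at or after i.

    Occurrences are counted without overlap.  Returns -1 when there are
    fewer than n occurrences (and for n <= 0).

    Raises:
        ValueError: x is empty and n != 1, which could never terminate.
    """
    step = len(x)
    if step == 0 and n != 1:
        raise ValueError("empty search pattern")
    pos = s.find(x, i)
    # Iterative on purpose: a large n must not hit the recursion limit.
    while pos != -1 and n != 1:
        pos = s.find(x, pos + step)
        n -= 1
    return pos


def _run(argv, cwd, env=None):
    """Run an external tool directly (no shell) and return its exit code.

    The arguments go to the tool as a list, so spaces and cmd.exe
    metacharacters in a sample's path are never interpreted as commands.
    """
    return subprocess.call(argv, cwd=cwd, env=env)


def _cleanup(*paths):
    """Delete the temporary copies that exist; missing ones are skipped."""
    for path in paths:
        if os.path.exists(path):
            os.remove(path)


def _run_on_copies(tool, toolArgs, sample, sampleName, res, cwd):
    """Copy tool and sample into res, run the copy on the sample, then remove both copies."""
    toolCopy = os.path.join(res, os.path.basename(tool))
    sampleCopy = os.path.join(res, sampleName)
    try:
        shutil.copy(tool, toolCopy)
        shutil.copy(sample, sampleCopy)
        _run([toolCopy] + toolArgs + [sampleCopy], cwd)
    finally:
        _cleanup(toolCopy, sampleCopy)


def _run_script_on_copy(hostArgs, script, sample, sampleName, res, cwd):
    """Copy sample into res, run script on it through hostArgs, then remove the copy."""
    sampleCopy = os.path.join(res, sampleName)
    try:
        shutil.copy(sample, sampleCopy)
        _run(hostArgs + [script, sampleCopy], cwd)
    finally:
        _cleanup(sampleCopy)


def _run_pshcodec(script, mode, target, key, cwd):
    """Invoke PshCodec.ps1 with mode, the input file and an optional key.

    The script and input paths travel in environment variables instead of
    being spliced into the -Command text, so PowerShell never parses them as
    code.  -Command (rather than -File) is kept so that the validated key,
    e.g. 35,36,37, still reaches the script as an array.
    """
    env = dict(os.environ)
    env["EJ_PSH_SCRIPT"] = script
    env["EJ_PSH_INPUT"] = target
    command = "& $env:EJ_PSH_SCRIPT " + mode + " $env:EJ_PSH_INPUT"
    if key is not None:
        command += " " + key
    # The policy override applies to this one invocation of the bundled script.
    argv = ["powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass",
            "-Command", command]
    return _run(argv, cwd, env)


def main():
    """Dispatch one extraction / codec option against the file in sys.argv[2].

    Results are written to a folder named after the input file plus "_",
    created next to the input file.

    The input is normally an untrusted sample, and its path used to be
    concatenated into os.system() command strings; every tool is now started
    from an argument list without a shell.
    NOTE(review): the bundled unpackers are third-party binaries and some of
    them may execute code from the sample while dumping it - confirm per tool
    and run this script only inside an isolated analysis machine.
    """
    if len(sys.argv) <= 2:
        help()
        return

    opt = sys.argv[1]
    if opt not in _PSH_MODES and opt not in _TOOL_OPTIONS:
        # Unknown options used to create the result folder and do nothing.
        help()
        return

    key = None
    if opt in _PSH_MODES and _PSH_MODES[opt][1]:
        # Checking the length first avoids an IndexError when -key is missing.
        if (len(sys.argv) < 5 or sys.argv[3] != '-key'
                or not _KEY_RE.match(sys.argv[4])):
            print('error')
            return
        key = sys.argv[4]

    # Resolve both paths before anything depends on the working directory:
    # dirname(sys.argv[0]) is "" when the script is started from its own
    # folder, and a relative input path must refer to the caller's cwd.  An
    # absolute input path also cannot be mistaken for a switch by the tools.
    baseDir = os.path.dirname(os.path.abspath(sys.argv[0]))
    inputFile = os.path.abspath(sys.argv[2])
    if not os.path.isfile(inputFile):
        print('error : input file not found')
        return

    resDir = os.path.dirname(inputFile)
    resName = os.path.splitext(os.path.basename(inputFile))[0] + "_"
    res = os.path.join(resDir, resName)
    if not os.path.isdir(res):
        os.makedirs(res)

    if opt in _PSH_MODES:
        # Powershell Deflate / Gzip / Secure String codec
        pshFile = os.path.join(baseDir, 'Powershell', 'PshCodec.ps1')
        pshTemp = os.path.join(res, "temp.ps1")
        try:
            shutil.copy(inputFile, pshTemp)
            print(resDir)
            # PshCodec.ps1 writes .\result.txt, so it runs inside res.
            _run_pshcodec(pshFile, _PSH_MODES[opt][0], pshTemp, key, res)
        finally:
            _cleanup(pshTemp)
    elif opt == "-l":
        # autohotkey_L: the script text sits between "<COMPILER:" and a
        # double NUL inside the executable.
        with open(inputFile, 'rb') as src:
            data = src.read()
        start = data.find(b'\x3cCOMPILER:')
        if start == -1:
            print('error : AutoHotKey script marker not found')
            return
        script = data[start:]
        end = script.find(b'\x00\x00')
        if end != -1:
            script = script[:end]
        script = script.replace(b'\x0a', b'\x0d\x0a')
        with open(os.path.join(res, "result.txt"), 'wb') as out:
            out.write(script)
    elif opt == "-b":
        # autohotkey_B
        toolDir = os.path.join(baseDir, 'AutoHK')
        _run_on_copies(os.path.join(toolDir, "AutoHK_B.exe"), [],
                       inputFile, "dumb.exe", res, toolDir)
    elif opt == "-a":
        # AutoIt: carve the compiled script out of the sample, append it to
        # the bundled stub (dumb.bin) and let Exe2Aut process the result.
        toolDir = os.path.join(baseDir, 'AutoIt')
        with open(inputFile, "rb") as src:
            data = src.read()
        first = find_nth(data, _AUTOIT_MARKER, 1)
        second = find_nth(data, _AUTOIT_MARKER, 2)
        if first < 16 or second == -1:
            # Without both markers the slice below would be meaningless.
            print('error : AutoIt compiled script markers not found')
            return
        compiled = data[first - 16:second + 8]
        with open(os.path.join(toolDir, "dumb.bin"), "rb") as stub:
            stubBytes = stub.read()

        toolCopy = os.path.join(res, "Exe2Aut.exe")
        dumbCopy = os.path.join(res, "dumb.bin")
        try:
            shutil.copy(os.path.join(toolDir, "Exe2Aut.exe"), toolCopy)
            # Built directly in the result folder; the bundled dumb.bin is
            # no longer modified and restored from its backup.
            with open(dumbCopy, "wb") as out:
                out.write(stubBytes)
                out.write(compiled)
            _run([toolCopy, "-nogui", "-quiet", dumbCopy], toolDir)
        finally:
            _cleanup(toolCopy, dumbCopy)
    elif opt == "-A":
        # AutoIt Just
        toolDir = os.path.join(baseDir, 'AutoIt')
        _run_on_copies(os.path.join(toolDir, "Exe2Aut.exe"),
                       ["-nogui", "-quiet"],
                       inputFile, "dumb.exe", res, toolDir)
    elif opt == "-i":
        # InnoSetup
        innoFile = os.path.join(baseDir, 'InnoSetup', "innounp47.exe")
        _run([innoFile, "-x", inputFile], res)
    elif opt == "-n":
        # NSIS
        nsisFile = os.path.join(baseDir, 'NSIS', "7z.exe")
        _run([nsisFile, "e", inputFile], res)
    elif opt == "-m":
        # MSI
        toolDir = os.path.join(baseDir, 'MSI')
        _run_script_on_copy([], os.path.join(toolDir, "jsMSIx.exe"),
                            inputFile, "temp.msi", res, toolDir)
    elif opt == "-jve":
        # JS/VBS Encoding.  The .vbs used to be started through its file
        # association by the shell; the script host is now named explicitly.
        toolDir = os.path.join(baseDir, 'JV')
        _run_script_on_copy(["wscript.exe"],
                            os.path.join(toolDir, "Encode.vbs"),
                            inputFile, "temp.vbs", res, toolDir)
    elif opt == "-jvd":
        # JSE/VBE Decoding
        toolDir = os.path.join(baseDir, 'JV')
        _run_script_on_copy(["wscript.exe"],
                            os.path.join(toolDir, "Decode.vbs"),
                            inputFile, "temp.vbe", res, toolDir)

    return


if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------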