herrcore/aplib-ripper
aplib-ripper

Use this library to automatically extract PE files compressed with aplib from a binary blob.

What is aPlib?

aPlib is a lightweight LZ-based compression library that is commonly used in packers and shellcode. A PE file that has been compressed with aPlib is easy to spot because the PE magic bytes MZ become M8Z (the first aPlib tag byte lands between the M and the Z).

The aplib-ripper (aprip.py) simply automates the process of locating those magic bytes in a file and attempting to decompress the data that follows them into a PE file.

Let's get automating!

Use Cases

Aplib-ripper (aprip.py) can be imported as a module and used in your Python tooling, or it can be used as a standalone CLI tool.

aprip module

To use aprip.py as a module you simply need to import it and call the extract_all function to automatically extract all aPlib-compressed PE files from your data blob.

>>> import aprip
>>> # Read the binary blob to search
>>> data = open("test.bin", "rb").read()
>>> # pe_files is a list containing all extracted PE files
>>> pe_files = aprip.extract_all(data)
>>>

aprip CLI

To use aprip.py as a command-line tool you simply need to pass it the name of the file to extract the aPlib-compressed PE files from. Each extracted file is written to its own file: "dump0.bin", "dump1.bin", ...

$aprip test.bin 

-----------------------------

  APLIB RIPPER 1.1

-----------------------------

Ripping PE files, this may take some time...
 - Ripped PE writing to file: dump0.bin
 - Ripped PE writing to file: dump1.bin

Aprip Function Reference

find_candidates(blob)
    Find potential aPlib candidates (offsets of the M8Z magic bytes).
    Args:
        blob (string): binary string of the blob to search
    Returns:
        list: offsets to each of the candidates (empty if none found)

extract_candidate(blob, offset)
    Attempt to decompress the candidate at offset and check the DOS header of the result.
    Args:
        blob (string): binary string of the blob to search
        offset (int): offset in the blob (candidate start)
    Returns:
        string: extracted PE file (None if no PE is extracted)

extract_all(blob)
    Locate potential aPlib candidates and attempt to decompress each of them.
    Args:
        blob (string): binary string of the blob to search
    Returns:
        list: list of PE files that have been extracted (empty if none are found)
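The scan-and-decompress loop described above (locate M8Z, decompress, check the DOS header), as an added example that is not the project's own code: a Python 3 reimplementation of the three documented functions on top of a small aPlib decoder written from the public aPlib stream format, plus a constructed toy encoder used only to build a sample blob (it emits literals, 4-bit back-references and the end marker, and is not aPlib's packer). The names `ap_depack`, `looks_like_pe`, `ap_pack_simple`, `build_fake_pe`, the `max_out` cap and the `_BitReader`/`_BitWriter` helpers are assumptions of this example. Encoding a header that starts `MZ\x90\x00` also shows where the M8Z signature comes from: 'M' is stored raw and the first tag byte, 0x38 ('8'), sits between it and 'Z'.

```python
import re, struct

MAGIC = b"M8Z"  # 'M' stored raw, then the first aPlib tag byte 0x38 ('8'), then 'Z'

class _BitReader:  # tag bits (MSB first) and raw bytes interleaved in one stream
    def __init__(self, src, pos):
        self.src, self.pos, self.tag, self.n = src, pos, 0, 0
    def bit(self):
        if self.n == 0:  # fetch the next tag byte on demand
            self.tag, self.pos, self.n = self.src[self.pos], self.pos + 1, 8
        self.n -= 1
        return (self.tag >> self.n) & 1
    def gamma(self):  # aPlib's gamma code, always >= 2
        v = 1
        while True:
            v = (v << 1) | self.bit()
            if not self.bit(): return v
    def byte(self):
        self.pos += 1
        return self.src[self.pos - 1]

def _copy(out, offs, ln):  # LZ back-reference; refuse impossible offsets instead of guessing
    if offs <= 0 or offs > len(out): raise ValueError("bad back-reference")
    for _ in range(ln):
        out.append(out[-offs])

def ap_depack(src, max_out=4 * 1024 * 1024):  # IndexError/ValueError mean "not a stream"
    r, out, r0, lwm = _BitReader(src, 1), bytearray([src[0]]), -1, 0  # first byte is raw
    while len(out) < max_out:  # cap the output so a false positive cannot run away
        if not r.bit():  # 0: literal byte
            out.append(r.byte()); lwm = 0
        elif not r.bit():  # 10: gamma-coded offset and length
            offs = r.gamma()
            if lwm == 0 and offs == 2:  # reuse the previous offset
                offs, ln = r0, r.gamma()
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + r.byte()
                ln = r.gamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                r0 = offs
            _copy(out, offs, ln); lwm = 1
        elif not r.bit():  # 110: short match; offset 0 is the end marker
            b = r.byte()
            offs, ln = b >> 1, 2 + (b & 1)
            if offs == 0:
                return bytes(out)
            _copy(out, offs, ln); r0, lwm = offs, 1
        else:  # 111 oooo: one byte from a 4-bit offset, 0 means a 0x00 byte
            offs = sum(r.bit() << k for k in (3, 2, 1, 0))  # 4 bits, MSB first
            out.append(out[-offs] if offs else 0); lwm = 0
    raise ValueError("output limit reached")

def looks_like_pe(buf):  # DOS header check: 'MZ' and e_lfanew pointing at 'PE\0\0'
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_candidates(blob):  # every offset of the M8Z magic; empty list if none
    return [m.start() for m in re.finditer(re.escape(MAGIC), blob)]

def extract_candidate(blob, offset):  # PE bytes, or None when the candidate is a dud
    try:
        pe = ap_depack(blob[offset:])
    except (IndexError, ValueError):  # ran off the end, bad reference, or output cap
        return None
    return pe if looks_like_pe(pe) else None

def extract_all(blob):
    return [pe for pe in (extract_candidate(blob, o) for o in find_candidates(blob)) if pe]

# --- constructed sample input below: a toy encoder, NOT aPlib's real packer ---
class _BitWriter:  # mirror image of _BitReader
    def __init__(self):
        self.buf, self.tagpos, self.n = bytearray(), -1, 0
    def bits(self, v, count):  # emit `count` bits of v, MSB first
        for k in range(count - 1, -1, -1):
            if self.n == 0:  # reserve a tag byte at the current stream position
                self.tagpos, self.n = len(self.buf), 8
                self.buf.append(0)
            self.n -= 1
            self.buf[self.tagpos] |= ((v >> k) & 1) << self.n

def ap_pack_simple(data):  # literals, 4-bit back-references and the end marker only
    w = _BitWriter(); w.buf.append(data[0])
    for i in range(1, len(data)):
        b = data[i]
        offs = 0 if b == 0 else next((o for o in range(1, min(i, 15) + 1) if data[i - o] == b), None)
        if offs is None:
            w.bits(0, 1); w.buf.append(b)
        else:
            w.bits(0b111, 3); w.bits(offs, 4)
    w.bits(0b110, 3); w.buf.append(0)  # end marker: short match with offset 0
    return bytes(w.buf)

def build_fake_pe():  # constructed PE stand-in: DOS header, e_lfanew -> 'PE\0\0', a body
    hdr = b"MZ\x90\x00" + bytes(0x3C - 4) + struct.pack("<I", 0x40)
    return hdr + b"PE\x00\x00\x4c\x01\x02\x00" + b"section data " * 3
```

Running `extract_all(b"junk" + ap_pack_simple(build_fake_pe()) + b"tail" + MAGIC)` returns the fake PE once: the real stream decodes and passes the header check, while the trailing bare M8Z runs off the end of the blob and is dropped. Decompressing a false positive can read past the blob, hit an impossible back-reference, or keep emitting output indefinitely; the example treats all three as "not a PE" (the exception handler and the `max_out` cap) rather than trusting the candidate, and it checks e_lfanew before accepting the result.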

Acknowledgments

A big thank you to the creator of the aplib python module: Kabopan http://code.google.com/p/kabopan/

Feedback / Help

  • Any questions, comments, requests hit me up on twitter: @herrcore
  • Pull requests welcome!
