2 Command Line
david edited this page 2026-06-23 12:59:20 -07:00

Command Line

All tools are in the repo root directory. Run with Python 3.10+.


booba_recover.py — Batch partial recovery

python3 booba_recover.py <encrypted_dir> <output_dir>

Scans <encrypted_dir> recursively for *.booba files, writes recovered files to <output_dir> preserving the subdirectory structure, and writes a recovery_report.txt summary.

For each path/to/foo.ext.booba the tool writes:

  • <output_dir>/path/to/foo.ext — primary recovered file
  • <output_dir>/path/to/foo.ext.txt (or .strings.txt, .sheet1.csv, .recovered.vsd, etc.) — companion files when applicable

Example:

python3 booba_recover.py /mnt/encrypted /mnt/recovered
INFO  Found 47 encrypted file(s)
INFO  OK  [text ]   4,821B  ServerHotFix.config.booba
INFO  OK  [docx ] 185,442B  Report.docx.booba  +Report.docx.txt (14,209B)
INFO  OK  [xlsx ] 902,114B  Inventory.xlsx.booba  +Inventory.xlsx.strings.txt
INFO  OK  [vsdx ]  45,230B  Process.vsdx.booba  +Process.vsdx.text.txt
INFO  OK  [dwg  ]  92,440B  Layout.dwg.booba  +Layout.pass1.dxf  +Layout.pass2.dxf
...
==================================================
Recovered : 45/47
Failed    : 2/47
Report    : /mnt/recovered/recovery_report.txt
==================================================

booba_decrypt.py — Full decryption

Analyse mode — no key needed

python3 booba_decrypt.py --mode analyse <encrypted_dir>

Prints footer metadata for every .booba file: group IDs, attacker public key candidate, per-file nonce variation, and ECDH keyblob. Useful for confirming all files are from the same infection batch.

Full decryption

python3 booba_decrypt.py --mode full \
    --attacker-sk <64-hex-chars> \
    <encrypted_dir> <output_dir>

--attacker-sk is the attacker's 32-byte Curve25519 private key as 64 lowercase hex characters. Derives the per-file HC-128 key+IV via ECDH and decrypts the header of every file completely.

Requires: pip install cryptography

Known-plaintext decryption

python3 booba_decrypt.py --mode known-plaintext <encrypted_dir> <output_dir>

Applies pre-computed 17-byte and 108-byte keystreams recovered via known-plaintext analysis for TFS300785.sql and TFS300354.sql specifically.


reconstruct_pdf.py — Deep PDF repair

For PDFs where the %PDF stub from partial recovery is not enough (missing /Catalog, broken xref):

python3 reconstruct_pdf.py <recovered.pdf> [original.pdf.booba]

Steps:

  1. Adjusts all xref offsets by the encryption-header shift
  2. Decompresses ObjStm (compressed object streams)
  3. Locates all page objects (/MediaBox + /Contents)
  4. Builds a synthetic /Pages tree and /Catalog
  5. Writes a clean PDF with a standard xref table

Pass the original .booba file as the second argument to have the shift computed automatically; omit it if you already have a recovered file with a %PDF stub.


reconstruct_dwg.py — Deep DWG/DXF merging

booba_recover.py writes up to 9 companion .dxf files per DWG from different recovery passes. This tool merges them into a single clean DXF by deduplicating entities across all sources.

python3 reconstruct_dwg.py <recovery_dir> [--out FILE] [--verbose]
Argument Description
<recovery_dir> Directory of booba_recover.py output (contains *.dxf companions)
--out FILE Output path (default: <recovery_dir>/merged.reconstructed.dxf)
--verbose Print entity counts per source file

Example:

python3 reconstruct_dwg.py /mnt/recovered/Drawings/ --verbose
# Output: /mnt/recovered/Drawings/merged.reconstructed.dxf
#         /mnt/recovered/Drawings/merged.reconstructed.report.txt

Requires: pip install ezdxf


Dependencies

pip install -r requirements.txt    # openpyxl, ezdxf  (always needed)
pip install cryptography           # only for booba_decrypt.py --mode full

LibreDWG (dwg2dxf) is optional. Place its binaries in libredwg/ to enable DXF companion output for DWG files. DWG body data is always preserved without it.