Command Line
All tools are in the repo root directory. Run with Python 3.10+.
booba_recover.py — Batch partial recovery
python3 booba_recover.py <encrypted_dir> <output_dir>
Scans <encrypted_dir> recursively for *.booba files, writes recovered files to <output_dir> preserving the subdirectory structure, and writes a recovery_report.txt summary.
For each path/to/foo.ext.booba the tool writes:
<output_dir>/path/to/foo.ext— primary recovered file<output_dir>/path/to/foo.ext.txt(or.strings.txt,.sheet1.csv,.recovered.vsd, etc.) — companion files when applicable
Example:
python3 booba_recover.py /mnt/encrypted /mnt/recovered
INFO Found 47 encrypted file(s)
INFO OK [text ] 4,821B ServerHotFix.config.booba
INFO OK [docx ] 185,442B Report.docx.booba +Report.docx.txt (14,209B)
INFO OK [xlsx ] 902,114B Inventory.xlsx.booba +Inventory.xlsx.strings.txt
INFO OK [vsdx ] 45,230B Process.vsdx.booba +Process.vsdx.text.txt
INFO OK [dwg ] 92,440B Layout.dwg.booba +Layout.pass1.dxf +Layout.pass2.dxf
...
==================================================
Recovered : 45/47
Failed : 2/47
Report : /mnt/recovered/recovery_report.txt
==================================================
booba_decrypt.py — Full decryption
Analyse mode — no key needed
python3 booba_decrypt.py --mode analyse <encrypted_dir>
Prints footer metadata for every .booba file: group IDs, attacker public key candidate, per-file nonce variation, and ECDH keyblob. Useful for confirming all files are from the same infection batch.
Full decryption
python3 booba_decrypt.py --mode full \
--attacker-sk <64-hex-chars> \
<encrypted_dir> <output_dir>
--attacker-sk is the attacker's 32-byte Curve25519 private key as 64 lowercase hex characters. Derives the per-file HC-128 key+IV via ECDH and decrypts the header of every file completely.
Requires: pip install cryptography
Known-plaintext decryption
python3 booba_decrypt.py --mode known-plaintext <encrypted_dir> <output_dir>
Applies pre-computed 17-byte and 108-byte keystreams recovered via known-plaintext analysis for TFS300785.sql and TFS300354.sql specifically.
reconstruct_pdf.py — Deep PDF repair
For PDFs where the %PDF stub from partial recovery is not enough (missing /Catalog, broken xref):
python3 reconstruct_pdf.py <recovered.pdf> [original.pdf.booba]
Steps:
- Adjusts all xref offsets by the encryption-header shift
- Decompresses ObjStm (compressed object streams)
- Locates all page objects (
/MediaBox+/Contents) - Builds a synthetic
/Pagestree and/Catalog - Writes a clean PDF with a standard xref table
Pass the original .booba file as the second argument to have the shift computed automatically; omit it if you already have a recovered file with a %PDF stub.
reconstruct_dwg.py — Deep DWG/DXF merging
booba_recover.py writes up to 9 companion .dxf files per DWG from different recovery passes. This tool merges them into a single clean DXF by deduplicating entities across all sources.
python3 reconstruct_dwg.py <recovery_dir> [--out FILE] [--verbose]
| Argument | Description |
|---|---|
<recovery_dir> |
Directory of booba_recover.py output (contains *.dxf companions) |
--out FILE |
Output path (default: <recovery_dir>/merged.reconstructed.dxf) |
--verbose |
Print entity counts per source file |
Example:
python3 reconstruct_dwg.py /mnt/recovered/Drawings/ --verbose
# Output: /mnt/recovered/Drawings/merged.reconstructed.dxf
# /mnt/recovered/Drawings/merged.reconstructed.report.txt
Requires: pip install ezdxf
Dependencies
pip install -r requirements.txt # openpyxl, ezdxf (always needed)
pip install cryptography # only for booba_decrypt.py --mode full
LibreDWG (dwg2dxf) is optional. Place its binaries in libredwg/ to enable DXF companion output for DWG files. DWG body data is always preserved without it.