
How to realize decompilation of Python files

2025-02-24 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

This article covers how to decompile Python files. Many people run into this problem when working on real cases, so the following walks through how to handle it.

Python's convenience has led many software developers and hackers to release programs by packaging Python into an exe. A feature of this kind of exe is that the program's source code can be recovered by decompilation. Below we decompile an exe program packaged with Python. PS: the method described is for PyInstaller, which is widely used.

Here is a ransomware sample packaged with PyInstaller; its icon shows that it was packaged with PyInstaller.

The first step in decompilation is to convert the exe file into pyc files, using pyinstxtractor.

Enter the command: python pyinstxtractor.py [filename] to complete the conversion. PS: run it with the Python version that corresponds to the packaged program.

After the extraction succeeds, a folder named [filename]_extracted appears in the same path. It contains the main program, lockyfud, which is the file we want to decompile; the rest are dependent libraries. For example, the files in the out00-PYZ-extracted folder are all library files, so we can ignore them. At this point we may wonder why the main program is not a .pyc file. This may be a deficiency of pyinstxtractor: the format of the extracted main program is incorrect, and we need to fix it manually.

We need to add an 8-byte pyc header at the beginning of the file. The header consists of a 4-byte magic and a 4-byte timestamp, and the magic varies with the Python version, so how do we know what it is? One trick is to look at the magic of the extracted struct file and copy it directly.

With the magic and timestamp known, prepend the header 03 F3 0D 0A 00 00 00 00 to the file and save it as a .pyc file; the repair is then complete.
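The header repair above as a short script. This is an added example, not code from the original article or from pyinstxtractor; it assumes the 8-byte Python 2 header described here (Python 3.3 to 3.6 use a 12-byte header and 3.7+ a 16-byte one), and the function names and sample bytes are constructed for illustration.

```python
import struct

TYPE_CODE = 0x63   # marshal type byte 'c' that starts a serialized code object

def read_magic(reference_pyc):
    """Take the 4-byte magic from a known-good .pyc built by the same
    interpreter (the article copies it from the extracted 'struct' file)."""
    magic = reference_pyc[:4]
    if len(magic) != 4 or magic[2:] != b"\r\n":
        raise ValueError("reference does not start with a pyc magic")
    return magic

def add_pyc_header(body, magic, timestamp=0):
    """Return body with magic + 4-byte timestamp prepended.
    A body that already carries the header is returned unchanged."""
    if body[:4] == magic:
        return body
    # Mask 0x80: Python 3.4+ marshal sets a reference flag on the type byte.
    if not body or body[0] & 0x7F != TYPE_CODE:
        raise ValueError("body does not start with a marshalled code object")
    return magic + struct.pack("<I", timestamp) + body

def repair_file(extracted_path, reference_path, out_path):
    """File wrapper: read the headerless entry point, write a loadable .pyc."""
    with open(reference_path, "rb") as ref, open(extracted_path, "rb") as src:
        fixed = add_pyc_header(src.read(), read_magic(ref.read()))
    with open(out_path, "wb") as dst:
        dst.write(fixed)
    return len(fixed)

if __name__ == "__main__":
    # Constructed sample bytes, not taken from a real file.
    reference = bytes.fromhex("03f30d0a") + struct.pack("<I", 1400000000) + b"c"
    headerless = b"c\x00\x00\x00\x00\x00\x00\x00\x00"
    print(add_pyc_header(headerless, read_magic(reference))[:8].hex(" "))
```

The marshal check catches the common mistake of patching a file that is not a headerless code object at all, such as an encrypted or compressed archive member.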

The final job is to decompile the pyc into py, here using uncompyle6. Install it with the command: pip install uncompyle6. Then type uncompyle6 [filename] > lock.py to decompile the file into py.

lock.py is the source code of the program.

One addition: to resist decompilation, some malware applies obfuscation that causes the pyinstxtractor conversion to fail. The following file, when converted with pyinstxtractor.py, reports the error "Error: Unsupported pyinstaller version or not a pyinstaller archive", which means that this is not a pyinstaller-packaged file.

It is a Python executable, so how can the tool say it is not a PyInstaller-packaged program? Let's start from this question and see why the error occurs.

At line 50 of the pyinstxtractor code, the logic is as follows: if the MAGIC cannot be read, it reports an error saying the file is not a PyInstaller archive.

Looking this up online, the MAGIC marker is 'MEI\xxxxxx'. In version 2.0 the MAGIC is located at [end-24], and in version 2.1 it is located at [end-88].

When we look at the binary of the file, we find that the end of the file is full of junk data and there is no 'MEI' marker at the expected position at all.

We searched further up and finally found the MAGIC, the PyInstaller marker. The next step is to remove the junk data so that the MAGIC sits 24 or 88 bytes from the end. Is it 24 or 88 (that is, was the file packaged with PyInstaller 2.0 or PyInstaller 2.1)? That depends on the difference between 2.0 and 2.1.

Compared with 2.0, 2.1 has an additional 64-byte pylibname field, so let's see whether this file contains a pylibname.

We found python27.dll after 'MEI'. This is the pylibname, so the file appears to have been packaged with PyInstaller 2.1, and we delete all junk data after 'MEI'+88. The result of deletion is as follows:

After the repair, pyinstxtractor converts the file normally, and the remaining steps are the same as above.
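The manual hex-editor repair above can be scripted. This is an added example, not code from the original article or from pyinstxtractor: it finds the cookie, uses the presence of a pylibname to choose between the 24-byte and 88-byte layouts, and cuts everything after it. It goes slightly beyond the text by checking the cookie's length fields so that a decoy 'MEI' inside the junk is skipped; the function names and the sample file are constructed.

```python
import struct

# PyInstaller CArchive cookie magic: 'MEI' followed by \014\013\012\013\016
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V20, COOKIE_V21 = 24, 88   # 2.1 appends a 64-byte pylibname field

def pylibname_at(data, pos):
    """Return the NUL-padded library name following a 24-byte cookie, or None."""
    field = data[pos + COOKIE_V20:pos + COOKIE_V21]
    name = field.rstrip(b"\0")
    printable = name and all(0x20 < b < 0x7F for b in name)
    if len(field) == 64 and printable and b"python" in name.lower():
        return name.decode("ascii")
    return None

def find_cookie(data):
    """Scan backwards for a MAGIC whose cookie fields are plausible.
    Returns (offset, cookie_len, pylibname) or None."""
    pos = data.rfind(MAGIC)
    while pos != -1:
        if pos + COOKIE_V20 <= len(data):
            pkg_len, toc_off, toc_len, _pyver = struct.unpack_from("!iiii", data, pos + 8)
            lib = pylibname_at(data, pos)
            size = COOKIE_V21 if lib else COOKIE_V20
            if 0 < pkg_len <= pos + size and 0 <= toc_off and 0 <= toc_len \
                    and toc_off + toc_len <= pkg_len:
                return pos, size, lib
        pos = data.rfind(MAGIC, 0, pos)   # decoy or damaged hit: try an earlier one
    return None

def strip_trailing_junk(data):
    """Return (trimmed_bytes, junk_len); raise if no valid cookie exists."""
    hit = find_cookie(data)
    if hit is None:
        raise ValueError("no PyInstaller cookie found")
    end = hit[0] + hit[1]
    return data[:end], len(data) - end

def build_sample(junk=b"\xcc" * 40):
    """Constructed input: stub + payload + TOC + 2.1 cookie + trailing junk."""
    stub, payload, toc = b"MZ" + b"\0" * 30, b"P" * 16, b"T" * 8
    pkg_len = len(payload) + len(toc) + COOKIE_V21
    cookie = struct.pack("!8siiii64s", MAGIC, pkg_len, len(payload),
                         len(toc), 27, b"python27.dll")
    return stub + payload + toc + cookie + junk

if __name__ == "__main__":
    trimmed, junk_len = strip_trailing_junk(build_sample())
    print(find_cookie(trimmed), "junk bytes removed:", junk_len)
```

A non-zero junk length on a file that otherwise parses as a PyInstaller archive is itself a useful triage signal that the sample was tampered with after packaging.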
