HackTricks
Search…
Pentesting
Decompile compiled python binaries (exe, elf) - Retreive from .pyc

From Compiled Binary to .pyc

From an ELF compiled binary you can get the .pyc with:
1
pyi-archive_viewer <binary>
2
# The list of python modules will be given like here:
3
[(0, 230, 311, 1, 'm', 'struct'),
4
(230, 1061, 1792, 1, 'm', 'pyimod01_os_path'),
5
(1291, 4071, 8907, 1, 'm', 'pyimod02_archive'),
6
(5362, 5609, 13152, 1, 'm', 'pyimod03_importers'),
7
(10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'),
8
(12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'),
9
(13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'),
10
(13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'),
11
(15090, 445, 672, 1, 's', 'pyi_rth_inspect'),
12
(15535, 2514, 4421, 1, 's', 'binary_name'),
13
...
14
15
? X binary_name
16
to filename? /tmp/binary.pyc
Copied!
In an python exe binary compiled you can get the .pyc by running:
1
python pyinstxtractor.py executable.exe
Copied!

From .pyc to python code

For the .pyc data ("compiled" python) you should start trying to extract the original python code:
1
uncompyle6 binary.pyc > decompiled.py
Copied!
Be sure that the binary has the extension ".pyc" (if not, uncompyle6 is not going to work)
While executing uncompyle6 you might find the following errors:

Error: Unknown magic number 227

1
/kali/.local/bin/uncompyle6 /tmp/binary.pyc
2
Unknown magic number 227 in /tmp/binary.pyc
Copied!
In order to fix this you need to add the correct magic number at the begging of the generated fil.
Magic numbers vary with the python version, to get the magic number of python3.8 you will need to open a python3.8 terminal and execute:
1
>> import imp
2
>> imp.get_magic().hex()
3
'550d0d0a'
Copied!
The magic number in this case for python3.8 is 0x550d0d0a, then, to fix this error you will need to add at the begging of the .pyc file the following bytes: 0x0d550a0d000000000000000000000000
Once you have added that magic header, the error should be fixed.
This is how a correctly added .pyc python3.8 magic header will looks like:
1
hexdump 'binary.pyc' | head
2
0000000 0d55 0a0d 0000 0000 0000 0000 0000 0000
3
0000010 00e3 0000 0000 0000 0000 0000 0000 0000
4
0000020 0700 0000 4000 0000 7300 0132 0000 0064
5
0000030 0164 006c 005a 0064 0164 016c 015a 0064
Copied!

Error: Decompiling generic errors

Other errors like: class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'> may appear.
This probably means that you haven't added correctly the magic number or that you haven't used the correct magic number, so make sure you use the correct one (or try a new one).
Check the previous error documentation.

Automatic Tool

The tool https://github.com/countercept/python-exe-unpacker glues together several tools available to the community that helps researcher to unpack and decompile executable written in python (py2exe and pyinstaller).
Several YARA rules are available to determine if the executable is written in python (This script also confirms if the executable is created with either py2exe or pyinstaller).

ImportError: File name: 'unpacked/malware_3.exe/pycache/archive.cpython-35.pyc' doesn't exist

Currently with unpy2exe or pyinstxtractor the Python bytecode file we get might not be complete and in turn it can’t be recognized by uncompyle6 to get the plain Python source code. This is caused by a missing Python bytecode version number. Therefore we included a prepend option; this will include a Python bytecode version number into it and help to ease the process of decompiling. When we try to use uncompyle6 to decompile the .pyc file it returns an error. However, once we use the prepend option we can see that the Python source code has been decompiled successfully.
1
[email protected]: uncompyle6 unpacked/malware_3.exe/archive.py
2
Traceback (most recent call last):
3
……………………….
4
ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist
Copied!
1
[email protected]:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
2
[*] On Python 2.7
3
[+] Magic bytes is already appeneded.
4
5
# Successfully decompiled file
6
[+] Successfully decompiled.
Copied!

Analyzing python assembly

If you weren't able to extract the python "original" code following the previous steps, then you can try to extract the assembly (but it isn't very descriptive, so try to extract again the original code).In here I found a very simple code to dissasemble the .pyc binary (good luck understanding the code flow). If the .pyc is from python2, use python2:
1
>>> import dis
2
>>> import marshal
3
>>> import struct
4
>>> import imp
5
>>>
6
>>> with open('hello.pyc', 'r') as f: # Read the binary file
7
... magic = f.read(4)
8
... timestamp = f.read(4)
9
... code = f.read()
10
...
11
>>>
12
>>> # Unpack the structure content and un-marshal the code
13
>>> magic = struct.unpack('<H', magic[:2])
14
>>> timestamp = struct.unpack('<I', timestamp)
15
>>> code = marshal.loads(code)
16
>>> magic, timestamp, code
17
((62211,), (1425911959,), <code object <module> at 0x7fd54f90d5b0, file "hello.py", line 1>)
18
>>>
19
>>> # Verify if magic number corresponds with the current python version
20
>>> struct.unpack('<H', imp.get_magic()[:2]) == magic
21
True
22
>>>
23
>>> # Disassemble the code object
24
>>> dis.disassemble(code)
25
1 0 LOAD_CONST 0 (<code object hello_world at 0x7f31b7240eb0, file "hello.py", line 1>)
26
3 MAKE_FUNCTION 0
27
6 STORE_NAME 0 (hello_world)
28
9 LOAD_CONST 1 (None)
29
12 RETURN_VALUE
30
>>>
31
>>> # Also disassemble that const being loaded (our function)
32
>>> dis.disassemble(code.co_consts[0])
33
2 0 LOAD_CONST 1 ('Hello {0}')
34
3 LOAD_ATTR 0 (format)
35
6 LOAD_FAST 0 (name)
36
9 CALL_FUNCTION 1
37
12 PRINT_ITEM
38
13 PRINT_NEWLINE
39
14 LOAD_CONST 0 (None)
40
17 RETURN_VALUE
Copied!

Python to Executable

To start off we’re going to show you how payloads can be compiled in py2exe and PyInstaller.

To create a payload using py2exe:

  1. 1.
    Install the py2exe package from http://www.py2exe.org/
  2. 2.
    For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The option “bundle_files” with the value of 1 will bundle everything including Python interpreter into one exe.
  3. 3.
    Once the script is ready, we will issue the command “python setup.py py2exe”. This will create the executable, just like in Figure 2.
1
from distutils.core import setup
2
import py2exe, sys, os
3
4
sys.argv.append('py2exe')
5
6
setup(
7
options = {'py2exe': {'bundle_files': 1}},
8
#windows = [{'script': "hello.py"}],
9
console = [{'script': "hello.py"}],
10
zipfile = None,
11
)
Copied!
1
C:\Users\test\Desktop\test>python setup.py py2exe
2
running py2exe
3
*** searching for required modules ***
4
*** parsing results ***
5
*** finding dlls needed ***
6
*** create binaries ***
7
*** byte compile python files ***
8
*** copy extensions ***
9
*** copy dlls ***
10
copying C:\Python27\lib\site-packages\py2exe\run.exe -> C:\Users\test\Desktop\test\dist\hello.exe
11
Adding python27.dll as resource to C:\Users\test\Desktop\test\dist\hello.exe
Copied!

To create a payload using PyInstaller:

  1. 1.
    Install PyInstaller using pip (pip install pyinstaller).
  2. 2.
    After that, we will issue the command “pyinstaller –onefile hello.py” (a reminder that ‘hello.py’ is our payload). This will bundle everything into one executable.
1
C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
2
108 INFO: PyInstaller: 3.3.1
3
108 INFO: Python: 2.7.14
4
108 INFO: Platform: Windows-10-10.0.16299
5
………………………………
6
5967 INFO: checking EXE
7
5967 INFO: Building EXE because out00-EXE.toc is non existent
8
5982 INFO: Building EXE from out00-EXE.toc
9
5982 INFO: Appending archive to EXE C:\Users\test\Desktop\test\dist\hello.exe
10
6325 INFO: Building EXE from out00-EXE.toc completed successfully.
Copied!

References

Last modified 1mo ago