From a compiled Python exe binary you can get the **.pyc** by running:

```bash
pyi-archive_viewer <binary>
# The list of python modules will be given here:
[(0, 230, 311, 1, 'm', 'struct'),
(230, 1061, 1792, 1, 'm', 'pyimod01_os_path'),
(1291, 4071, 8907, 1, 'm', 'pyimod02_archive'),
(5362, 5609, 13152, 1, 'm', 'pyimod03_importers'),
(10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'),
(12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'),
(13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'),
(13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'),
(15090, 445, 672, 1, 's', 'pyi_rth_inspect'),
(15535, 2514, 4421, 1, 's', 'binary_name'),
...

? X binary_name
to filename? /tmp/binary.pyc
```
In this case the magic number for python3.8 is 0x550d0d0a, so to fix this error you need to add the following bytes at the beginning of the .pyc file: 0x0d550a0d000000000000000000000000
Once you have added that magic header, the error should be fixed.
This is what a correctly added .pyc python3.8 magic header looks like:
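Added example (not code from the original page): a small helper that prepends the 16-byte Python 3.7+ header to an extracted blob only when it is missing, then checks that the result unmarshals. On disk the python3.8 header starts with the bytes `55 0d 0d 0a`; the `0x0d550a0d...` string above is the same header read as little-endian 16-bit words, which is how default `hexdump` prints it on x86. The function names and the constructed sample are assumptions made for this illustration.

```python
import importlib.util
import marshal

PY38_MAGIC = bytes.fromhex("550d0d0a")  # python3.8 magic quoted on this page
HEADER_LEN = 16  # Python 3.7+ (PEP 552): magic + flags + mtime + source size

def has_magic(blob: bytes) -> bool:
    """CPython magics are a 2-byte version number followed by b'\\r\\n'."""
    return len(blob) >= 4 and blob[2:4] == b"\r\n"

def build_header(magic: bytes) -> bytes:
    """Return magic plus 12 zero bytes (flags=0, mtime=0, size=0)."""
    if len(magic) != 4 or magic[2:4] != b"\r\n":
        raise ValueError("not a CPython magic number: %r" % magic)
    return magic + b"\x00" * (HEADER_LEN - 4)

def fix_pyc(blob: bytes, magic: bytes) -> bytes:
    """Prepend a header only when the extracted blob lacks one."""
    return blob if has_magic(blob) else build_header(magic) + blob

def hexdump_words(data: bytes) -> str:
    """Render bytes as little-endian 16-bit words, like default hexdump."""
    return "".join("%02x%02x" % (data[i + 1], data[i])
                   for i in range(0, len(data) - 1, 2))

def load_code(pyc: bytes):
    """Skip the header and unmarshal the module code object."""
    return marshal.loads(pyc[HEADER_LEN:])

if __name__ == "__main__":
    # Constructed sample: a headerless marshalled module, assumed to mirror
    # the shape of a script entry extracted from the archive. It uses the
    # running interpreter's magic so marshal can load it back.
    raw = marshal.dumps(compile("print('hi')", "sample.py", "exec"))
    fixed = fix_pyc(raw, importlib.util.MAGIC_NUMBER)
    print(fixed[:HEADER_LEN].hex(), load_code(fixed).co_filename)
    print(build_header(PY38_MAGIC).hex())           # bytes as written to disk
    print(hexdump_words(build_header(PY38_MAGIC)))  # word-swapped view
```

When patching a real file, use the magic of the Python version that built the binary, and unmarshal it only with a matching interpreter, since the marshal format changes between versions.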
```bash
# Error when attempting to decompile without the prepend option
test@test: uncompyle6 unpacked/malware_3.exe/archive.py
Traceback (most recent call last):
...
ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist

# Successful decompilation after using the prepend option
test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
[*] On Python 2.7
[+] Magic bytes are already appended.

# Successfully decompiled file
[+] Successfully decompiled.
```
```python
>>> # Python 2 session: the .pyc header is a 4-byte magic followed by a 4-byte timestamp
>>> import dis
>>> import marshal
>>> import struct
>>> import imp
>>>
>>> with open('hello.pyc', 'rb') as f:  # Read the binary file
...     magic = f.read(4)
...     timestamp = f.read(4)
...     code = f.read()
...
>>>
>>> # Unpack the structured content and un-marshal the code
>>> magic = struct.unpack('<H', magic[:2])
>>> timestamp = struct.unpack('<I', timestamp)
>>> code = marshal.loads(code)
>>> magic, timestamp, code
((62211,), (1425911959,), <code object <module> at 0x7fd54f90d5b0, file "hello.py", line 1>)
>>>
>>> # Verify if the magic number corresponds with the current python version
>>> struct.unpack('<H', imp.get_magic()[:2]) == magic
True
>>>
>>> # Disassemble the code object
>>> dis.disassemble(code)
  1           0 LOAD_CONST               0 (<code object hello_world at 0x7f31b7240eb0, file "hello.py", line 1>)
              3 MAKE_FUNCTION            0
              6 STORE_NAME               0 (hello_world)
              9 LOAD_CONST               1 (None)
             12 RETURN_VALUE
>>>
>>> # Also disassemble that const being loaded (our function)
>>> dis.disassemble(code.co_consts[0])
  2           0 LOAD_CONST               1 ('Hello {0}')
              3 LOAD_ATTR                0 (format)
              6 LOAD_FAST                0 (name)
              9 CALL_FUNCTION            1
             12 PRINT_ITEM
             13 PRINT_NEWLINE
             14 LOAD_CONST               0 (None)
             17 RETURN_VALUE
```