Decompile compiled python binaries (exe, elf) - Retrieve from .pyc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

From compiled binary to .pyc

From a compiled ELF binary you can get the .pyc files with pyi-archive_viewer (the `X` command extracts one entry; note that what it writes is the raw marshalled code object, without the .pyc header, which is why the magic-number fix further down is needed):

pyi-archive_viewer <binary>
# The list of python modules will be given here:
[(0, 230, 311, 1, 'm', 'struct'),
(230, 1061, 1792, 1, 'm', 'pyimod01_os_path'),
(1291, 4071, 8907, 1, 'm', 'pyimod02_archive'),
(5362, 5609, 13152, 1, 'm', 'pyimod03_importers'),
(10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'),
(12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'),
(13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'),
(13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'),
(15090, 445, 672, 1, 's', 'pyi_rth_inspect'),
(15535, 2514, 4421, 1, 's', 'binary_name'),
...

? X binary_name
to filename? /tmp/binary.pyc

From a compiled python exe binary you can get the .pyc by running:

python pyinstxtractor.py executable.exe
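Both tools above read the same on-disk structure: PyInstaller appends a CArchive to the stub executable, with the data blobs first, then a table of contents, then an 88-byte cookie that starts with `MEI\014\013\012\013\016` and ends the overlay. The walker below, added here as an example (it is not code from PyInstaller, pyi-archive_viewer or pyinstxtractor), locates the cookie, parses the table of contents into the same tuples archive_viewer prints, and carves one entry. Struct layouts follow the bootloader's COOKIE and TOC structs as pyinstxtractor reads them. The archive it parses is constructed in memory by `build_archive()` with a fake stub, so it runs offline; the entry names are taken from the listing above and the module body is made up.

```python
"""Walk a PyInstaller CArchive the way pyi-archive_viewer and pyinstxtractor do:
find the trailing cookie, read the table of contents, and pull out one entry.

Added example for this page, not code from PyInstaller or pyinstxtractor.
Struct layouts follow the bootloader's COOKIE and TOC structs as pyinstxtractor
reads them (the PyInstaller 2.1+ cookie, which carries the pylib name).  The
archive parsed here is built in memory by build_archive(), so the script runs
offline; against a real binary you would read() the file instead."""
import marshal
import struct
import sys
import zlib

MAGIC = b"MEI\014\013\012\013\016"          # cookie signature (end of the overlay)
COOKIE_FMT = "!8sIIii64s"                   # magic, package len, TOC offset, TOC len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
TOC_FMT = "!iIIIBc"                         # entry len, data offset, compressed len, raw len, cflag, type code
TOC_FIXED = struct.calcsize(TOC_FMT)        # 18 bytes, then the NUL-padded entry name


def parse_archive(blob):
    """Return (archive_start, (major, minor), entries); entries are
    (pos, compressed_len, raw_len, cflag, type, name), as archive_viewer prints them."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, _pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    start = cookie_pos + COOKIE_SIZE - pkg_len   # pkg_len counts everything up to and including the cookie
    # older PyInstaller stores major*10+minor (27, 38); newer releases store major*100+minor (310)
    version = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries, off, end = [], start + toc_off, start + toc_off + toc_len
    while off < end:
        entry_len, pos, clen, ulen, cflag, typ = struct.unpack(TOC_FMT, blob[off:off + TOC_FIXED])
        name = blob[off + TOC_FIXED:off + entry_len].rstrip(b"\0").decode()
        entries.append((pos, clen, ulen, cflag, typ.decode(), name))
        off += entry_len
    return start, version, entries


def extract_entry(blob, name):
    """Carve one entry's payload.  For 's'/'m' entries this is a bare marshalled
    code object with no .pyc header, which is why uncompyle6 needs one prepended."""
    start, _version, entries = parse_archive(blob)
    pos, clen, _ulen, cflag, _typ, _name = next(e for e in entries if e[5] == name)
    raw = blob[start + pos:start + pos + clen]
    return zlib.decompress(raw) if cflag else raw


def build_archive(items, pyver, pylib=b"python3.dll"):
    """Constructed stand-in for a onefile binary: [stub][data...][TOC][cookie].
    items: list of (name, type_code, payload); every payload is zlib-compressed."""
    data, toc = b"", b""
    for name, typ, payload in items:
        comp = zlib.compress(payload)
        nm = name.encode() + b"\0"
        pad = -(TOC_FIXED + len(nm)) % 16     # the writer pads each TOC entry to a 16-byte multiple
        toc += struct.pack(TOC_FMT, TOC_FIXED + len(nm) + pad, len(data), len(comp),
                           len(payload), 1, typ.encode())
        toc += nm + b"\0" * pad
        data += comp
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return b"MZ\x90\x00 stand-in for the real PE/ELF stub\0" + data + toc + cookie


# Constructed sample: one helper module and the main script, stored as bare marshal blobs.
BUILD_VERSION = sys.version_info[:2]
SCRIPT_CODE = marshal.dumps(compile(
    "def hello_world(name):\n    print('Hello {0}'.format(name))\n", "binary_name.py", "exec"))
MODULE_CODE = marshal.dumps(compile("import struct\n", "pyimod01_os_path.py", "exec"))
SAMPLE = build_archive([("pyimod01_os_path", "m", MODULE_CODE), ("binary_name", "s", SCRIPT_CODE)],
                       pyver=BUILD_VERSION[0] * 100 + BUILD_VERSION[1])

if __name__ == "__main__":
    start, version, entries = parse_archive(SAMPLE)
    print("Python %d.%d archive at file offset %d" % (version[0], version[1], start))
    for entry in entries:
        print(entry)
    print(marshal.loads(extract_entry(SAMPLE, "binary_name")))
```

Against a real binary, replace `SAMPLE` with the file contents and write `extract_entry(...)` to disk; `rfind` is used because the cookie sits at the end of the overlay, after any PE/ELF data, and the `pyver` field tells you which interpreter's magic number you will need next.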

From .pyc to python code

For the .pyc data ("compiled" python) you should start by trying to extract the original python code:

uncompyle6 binary.pyc  > decompiled.py

Make sure the file has the ".pyc" extension (if not, uncompyle6 is not going to work).

While executing uncompyle6 you might find the following errors:

Error: Unknown magic number 227

/kali/.local/bin/uncompyle6 /tmp/binary.pyc
Unknown magic number 227 in /tmp/binary.pyc

To fix this you need to add the correct magic number at the beginning of the extracted file. The value 227 is a hint about what went wrong: uncompyle6 reads the first two bytes as a little-endian short, and 227 is 0x00e3, where 0xe3 is the marshal type byte of a code object (the 'c' type with FLAG_REF set). In other words the file has no header at all and starts straight with the marshalled code, which is exactly what archive extraction gives you (in the hexdump below, e3 00 appears at offset 0x10, right after the 16-byte header).

Magic numbers vary with the python version; to get the magic number for python 3.8 you need to open a python 3.8 terminal and execute the following (the imp module was removed in Python 3.12, where importlib.util.MAGIC_NUMBER gives the same bytes):

>> import imp
>> imp.get_magic().hex()
'550d0d0a'

The magic number in this case for python 3.8 is the byte sequence 55 0d 0d 0a, so to fix this error you need to prepend to the .pyc file the magic followed by twelve zero bytes (Python 3.7+ uses a 16-byte header: magic, flags, mtime, source size), i.e. the bytes 550d0d0a000000000000000000000000. A Python 2 .pyc header is only 8 bytes (magic + mtime) and Python 3.3 to 3.6 use 12 (magic + mtime + source size), so use the layout of the version that produced the bytecode.

Once you add that magic header, the error should be fixed.

This is how a correctly added python3.8 .pyc magic header looks (hexdump prints 16-bit little-endian words, so the bytes 55 0d 0d 0a are displayed as 0d55 0a0d):

hexdump 'binary.pyc' | head
0000000 0d55 0a0d 0000 0000 0000 0000 0000 0000
0000010 00e3 0000 0000 0000 0000 0000 0000 0000
0000020 0700 0000 4000 0000 7300 0132 0000 0064
0000030 0164 006c 005a 0064 0164 016c 015a 0064

Error: Generic decompilation errors

Other errors like: class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'> may appear.

This probably means that you haven't added the magic number correctly or that you haven't used the correct magic number (the bytecode was produced by a different Python version than the header claims), so make sure you use the correct one (or try a new one).

Check the documentation of the previous error.

Automatic Tool

The python-exe-unpacker tool acts as a combination of several community-made tools designed to help researchers unpack and decompile executables written in Python, specifically those created with py2exe and pyinstaller. It includes YARA rules to identify whether an executable is Python-based and to confirm which tool created it.

ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist

A common issue encountered is an incomplete Python bytecode file resulting from the unpacking and decompilation process with unpy2exe or pyinstxtractor, which then fails to be recognized by uncompyle6 due to a missing Python bytecode version number. To address this, a prepend option was added, which prepends the necessary Python bytecode version number (the magic header described above), facilitating the decompilation process.

Example of the issue:

# Error when attempting to decompile without the prepend option
test@test: uncompyle6 unpacked/malware_3.exe/archive.py
Traceback (most recent call last):
...
ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist
# Successful decompilation after using the prepend option
test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
[*] On Python 2.7
[+] Magic bytes are already appended.

# Successfully decompiled file
[+] Successfully decompiled.

Analyzing python assembly

If you weren't able to extract the python "original" code following the previous steps, then you can try to extract the assembly (but it isn't very descriptive, so try to extract the original code again). The following very simple snippet disassembles a .pyc (good luck understanding the code flow). It reads the 8-byte Python 2 header (magic + timestamp); if the .pyc is from python2, run it with python2:

>>> import dis
>>> import marshal
>>> import struct
>>> import imp
>>>
>>> with open('hello.pyc', 'rb') as f:  # Read the binary file (binary mode, so no newline translation)
...     magic = f.read(4)                # Python 2 header: 4-byte magic + 4-byte timestamp
...     timestamp = f.read(4)            # (3.3-3.6 add a 4-byte source size, 3.7+ a flags word too)
...     code = f.read()                  # the rest is the marshalled module code object
...
>>>
>>> # Unpack the structured content and un-marshal the code
>>> magic = struct.unpack('<H', magic[:2])
>>> timestamp = struct.unpack('<I', timestamp)
>>> code = marshal.loads(code)
>>> magic, timestamp, code
((62211,), (1425911959,), <code object <module> at 0x7fd54f90d5b0, file "hello.py", line 1>)
>>>
>>> # Verify if the magic number corresponds with the current python version
>>> struct.unpack('<H', imp.get_magic()[:2]) == magic
True
>>>
>>> # Disassemble the code object
>>> dis.disassemble(code)
  1           0 LOAD_CONST               0 (<code object hello_world at 0x7f31b7240eb0, file "hello.py", line 1>)
              3 MAKE_FUNCTION            0
              6 STORE_NAME               0 (hello_world)
              9 LOAD_CONST               1 (None)
             12 RETURN_VALUE
>>>
>>> # Also disassemble that const being loaded (our function)
>>> dis.disassemble(code.co_consts[0])
  2           0 LOAD_CONST               1 ('Hello  {0}')
              3 LOAD_ATTR                0 (format)
              6 LOAD_FAST                0 (name)
              9 CALL_FUNCTION            1
             12 PRINT_ITEM
             13 PRINT_NEWLINE
             14 LOAD_CONST               0 (None)
             17 RETURN_VALUE
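The session above hard-codes the Python 2 header and leaves the magic-number repair from the earlier section to a hex editor. The script below, added here as an example and not code from the original page, does both for Python 3 in one place: it builds the header for the running interpreter (using importlib.util.MAGIC_NUMBER instead of the removed imp module), repairs a bare marshal blob such as the one archive extraction yields, reports the same "Unknown magic number" diagnosis uncompyle6 gives when the magic does not match, parses the header fields, and disassembles the module and every nested code object found in co_consts. The sample bytecode is compiled in memory from a made-up hello_world function, so nothing is read from disk, and the header layouts for 2.x and 3.3 to 3.6 are included for completeness although only the running interpreter's magic is known.

```python
"""Repair and read a .pyc header, then disassemble what is inside.

Added example for this page, not code from the original.  It generalises the
Python 2 REPL session above to the header layouts CPython has used and to the
two failure modes discussed earlier: a bare marshal blob with no header at all
(the 'Unknown magic number 227' case) and a header carrying another version's
magic.  The sample bytecode is compiled in memory, so nothing is read from disk."""
import dis
import importlib.util
import io
import marshal
import struct
import sys

MAGIC = importlib.util.MAGIC_NUMBER           # replaces imp.get_magic(); imp was removed in Python 3.12
VERSION = sys.version_info[:2]


def header_size(version=VERSION):
    """Bytes before the marshal payload: 2.x magic+mtime (8); 3.3-3.6 add the source
    size (12); 3.7+ add a flags word as well, per PEP 552 (16)."""
    if version >= (3, 7):
        return 16
    if version[0] == 3:
        return 12
    return 8


def make_header(mtime=0, source_size=0):
    """Header for the running interpreter (flags=0: timestamp-based, like the hexdump above)."""
    size = header_size()
    fields = {16: struct.pack("<III", 0, mtime, source_size),
              12: struct.pack("<II", mtime, source_size),
              8: struct.pack("<I", mtime)}[size]
    return MAGIC + fields


def magic_word(blob):
    """The number uncompyle6 prints: the first two bytes read as a little-endian short."""
    return struct.unpack("<H", blob[:2])[0]


def repair(blob):
    """Turn what archive carving gives you into a loadable .pyc for this interpreter."""
    if blob[:4] == MAGIC:
        return blob                                  # header already correct
    if blob[0] in (0x63, 0xE3):                      # marshal TYPE_CODE 'c' (with/without FLAG_REF): no header
        return make_header() + blob
    if blob[2:4] == b"\r\n":                         # shaped like a header, but another version's magic
        raise ValueError(f"magic {blob[:4].hex()} belongs to another Python; decompile with that interpreter")
    raise ValueError(f"not a .pyc: Unknown magic number {magic_word(blob)}")


def split_pyc(blob):
    """Validate the magic and return (header fields, code object)."""
    if blob[:4] != MAGIC:
        raise ValueError(f"Unknown magic number {magic_word(blob)} (this interpreter expects {magic_word(MAGIC)})")
    size = header_size()
    names = {16: ("flags", "mtime", "source_size"), 12: ("mtime", "source_size"), 8: ("mtime",)}[size]
    fields = dict(zip(names, struct.unpack("<%dI" % len(names), blob[4:size])))
    return fields, marshal.loads(blob[size:])


def disassemble(code, depth=0):
    """Recursive dis like the session above, returned as text; nested code objects
    (functions, classes, comprehensions) are the code-typed entries of co_consts."""
    out = io.StringIO()
    print("%s# %s (%s:%d)" % ("  " * depth, code.co_name, code.co_filename, code.co_firstlineno), file=out)
    dis.disassemble(code, file=out)
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            out.write(disassemble(const, depth + 1))
    return out.getvalue()


# Constructed sample: the bare marshal blob you get out of an archive, no header.
SOURCE = "def hello_world(name):\n    print('Hello {0}'.format(name))\n"
SAMPLE_CODE = compile(SOURCE, "hello.py", "exec")
SAMPLE_BARE = marshal.dumps(SAMPLE_CODE)

if __name__ == "__main__":
    try:
        split_pyc(SAMPLE_BARE)
    except ValueError as err:
        print(err)                                   # the same diagnosis uncompyle6 gives for a bare blob
    fields, code = split_pyc(repair(SAMPLE_BARE))
    print(fields)
    print(disassemble(code))
```

Write `repair(blob)` to a file ending in `.pyc` and uncompyle6 (or decompyle3/pycdc) will accept it, provided the bytecode really was produced by the interpreter you are running; a header with the right shape but another version's magic is deliberately rejected, since swapping the four magic bytes does not change the opcodes underneath.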

Python to Executable

To begin, we're going to show you how payloads can be compiled in py2exe and PyInstaller.

To create a payload using py2exe:

  1. Install the py2exe package from http://www.py2exe.org/

  2. For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The "bundle_files" option with the value of 1 will bundle everything, including the Python interpreter, into one exe.

  3. Once the script is ready, we will issue the command "python setup.py py2exe". This will create the executable, just like in Figure 2.

from distutils.core import setup
import py2exe, sys, os

sys.argv.append('py2exe')

setup(
options = {'py2exe': {'bundle_files': 1}},
#windows = [{'script': "hello.py"}],
console = [{'script': "hello.py"}],
zipfile = None,
)

C:\Users\test\Desktop\test>python setup.py py2exe
running py2exe
*** searching for required modules ***
*** parsing results ***
*** finding dlls needed ***
*** create binaries ***
*** byte compile python files ***
*** copy extensions ***
*** copy dlls ***
copying C:\Python27\lib\site-packages\py2exe\run.exe -> C:\Users\test\Desktop\test\dist\hello.exe
Adding python27.dll as resource to C:\Users\test\Desktop\test\dist\hello.exe

Building a payload using PyInstaller:

  1. Install PyInstaller using pip (pip install pyinstaller).

  2. After that, we will issue the command "pyinstaller --onefile hello.py" (remember that 'hello.py' is our payload). This will bundle everything into one executable file.

C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
108 INFO: PyInstaller: 3.3.1
108 INFO: Python: 2.7.14
108 INFO: Platform: Windows-10-10.0.16299
………………………………
5967 INFO: checking EXE
5967 INFO: Building EXE because out00-EXE.toc is non existent
5982 INFO: Building EXE from out00-EXE.toc
5982 INFO: Appending archive to EXE C:\Users\test\Desktop\test\dist\hello.exe
6325 INFO: Building EXE from out00-EXE.toc completed successfully.
