---
tags: decompiler
---

# Important links:

- All samples summary: [link](https://docs.google.com/spreadsheets/d/1lWiTob6nIFrQFSZFpIHcUmtopqbEJNi0JVm1GPklqTQ/edit?pli=1#gid=1429326896)

# To do:

- Check control flows - minor versions of python
  - Compare control flows for 10 programs -> for major and minor versions
- [ ] Work on creating rules and increase fixing samples (in progress)
  - [ ] Add rules to Table 1 for source level transformations
  - [ ] Create table for Regex transformation of bytecode
- [x] Errors associated with headers (Yasunari) - Due on 20 Nov
  - [x] Check to see if the code object can be extracted
  - [x] Apply different environments for bytecode extraction
- [x] Categorise types of errors (Ahmed)
  - [ ] Create a pie chart or table for types of errors for paper
  - [ ] Map solutions to root causes -> Map root causes to symptoms
    - [ ] Make table out of this
  - [x] Add tables to paper in categories
- [x] Run decompyle3 on pyinstaller files
- [ ] Incorporate rule fixes for PYC samples (11 samples)
  - [x] py 3.7 samples
  - [ ] py 2.7 samples
  - [ ] Pyinstaller py3.7 files (250) - Friday
    - [x] run `break_booleans` -> Checking now in check_uncompyle
    - [x] run `remove_deadcode` -> Checking now in check_uncompyle2
    - [x] run `convert_loopBoolean` -> Checking now in check_uncompyle3
  - [ ] Check python 3.9 conversion
  - [ ] Try header replacement
- [ ] ~~Filter benign and not benign (Ahmed)~~
- [ ] Evaluation:
  - [ ] Other numbers for run-time
  - [ ] Blocks, iterations, "how many solutions?"
- [ ] Find samples in passed decompilation to see if we can find incorrectly decompiled files
- ~~[ ] SET -> verification of decompiler -> CFG differences~~
- [x] Run decompiler on pyc files from the 184k files extracted from pyinstaller (**only 134k done**)
  - [x] Run on python 2.7
  - [x] Run on python 3.6
  - [x] Run on python 3.7
  - [ ] ~~Run on python 3.8 - Technical issue wasted run~~
- [x] Compile and separate out failed pyc files
  - [x] Separate failed files
  - [x] Separate parse errors
  - [x] Check unique
- [x] Run tests on new pyc files [ongoing] - All failing files were already tested before. No new samples
- [x] Check known malware parse errors

# Rule progress

For python 3.7 samples (pyinstaller - 253): https://docs.google.com/spreadsheets/d/1nUEuDckBVd26UDtgYx7xB6nZNiYWtyl4Xh9t4yxQEpk/edit#gid=597934707

For python 3.8 samples (pyinstaller - 1661): https://docs.google.com/spreadsheets/d/1qyQ-RKhZeJimnACpDoruWekb_49Sjzxj1KqFst6P_3s/edit?usp=sharing

# To discuss

N/A

# Malicious pyc files summary:

- Pyinstaller pycs (Details [here](https://docs.google.com/spreadsheets/d/1lWiTob6nIFrQFSZFpIHcUmtopqbEJNi0JVm1GPklqTQ/edit?pli=1#gid=756694094)):

  ![](https://i.imgur.com/dmCT32i.png)

# Sample sheet:

- [link](https://docs.google.com/spreadsheets/d/1j6isrdKbemgjXVSewO3wmjCsqXudSIH7-Yz52eqITuc/edit#gid=257041503) to all samples
- [link](https://docs.google.com/spreadsheets/d/1pAvO0rmjofyqvrocO8x8ytL43eCivXEHF8sEaLM6Ppc/edit#gid=0) to UTD categories
- [Link](https://docs.google.com/spreadsheets/d/1lWiTob6nIFrQFSZFpIHcUmtopqbEJNi0JVm1GPklqTQ/edit?pli=1#gid=0) to results of recompiled malicious source python code
- [Link](https://docs.google.com/spreadsheets/d/1lWiTob6nIFrQFSZFpIHcUmtopqbEJNi0JVm1GPklqTQ/edit?pli=1#gid=867711403) to malicious pyc files result.
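A small check for the header-related to-do items (errors associated with headers, whether the code object can be extracted, header replacement). Added example for these notes, not the project's code: the magic numbers are CPython's release values for the interpreter versions used in the notes, and `build_pyc` constructs a sample pyc so the script runs offline.

```python
"""Check a .pyc header, swap it for another version, and test whether the code
object still unmarshals. Added example for these notes, not the project's code."""
import importlib.util
import marshal
import struct
import sys
import types

RUNNING_VERSION = sys.version_info[:2]
# CPython release magic numbers (first two header bytes) for the versions in the
# notes, plus the running interpreter so that constructed samples parse.
MAGIC_BY_VERSION = {(2, 7): 62211, (3, 6): 3379, (3, 7): 3394, (3, 8): 3413}
MAGIC_BY_VERSION[RUNNING_VERSION] = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]
VERSION_BY_MAGIC = {magic: ver for ver, magic in MAGIC_BY_VERSION.items()}

def header_len(version):
    """2.7: magic+mtime (8); 3.3-3.6: +source size (12); 3.7+ (PEP 552): magic+flags+8 (16)."""
    return 8 if version < (3, 3) else 12 if version < (3, 7) else 16

def parse_header(data):
    """Return (version, header_len); ValueError for an unknown or damaged header."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a pyc header")
    magic = struct.unpack("<H", data[:2])[0]
    if magic not in VERSION_BY_MAGIC:
        raise ValueError(f"unknown magic number {magic}")
    return VERSION_BY_MAGIC[magic], header_len(VERSION_BY_MAGIC[magic])

def replace_header(data, target):
    """Rewrite the header for `target` (zeroed flags/mtime), keeping the body unchanged."""
    _, old_len = parse_header(data)
    new_magic = struct.pack("<H", MAGIC_BY_VERSION[target]) + b"\r\n"
    return new_magic + bytes(header_len(target) - 4) + data[old_len:]

def extract_code_object(data):
    """Unmarshal the body; None if the header is not this interpreter's version
    (the marshal format changes between versions) or the body is corrupt."""
    version, hlen = parse_header(data)
    if version != RUNNING_VERSION:
        return None
    try:
        obj = marshal.loads(data[hlen:])
    except (ValueError, EOFError, TypeError):
        return None
    return obj if isinstance(obj, types.CodeType) else None

def build_pyc(source):
    """Constructed sample: compile `source` to a pyc for the running interpreter."""
    body = marshal.dumps(compile(source, "<sample>", "exec"))
    return importlib.util.MAGIC_NUMBER + bytes(header_len(RUNNING_VERSION) - 4) + body
```

Swapping a header onto a body marshalled by another version only changes which version the decompiler thinks it is loading, so `extract_code_object` refuses to unmarshal a mismatched version rather than trust a possibly garbage result.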
# Manipulation rules:

- The rules can be found [here](https://hackmd.io/@aliahad97/SylocWXWt#Transformation-rules)

# Changing control flows:

Here is the link to the log tracking changes in control flow through decompilation: [link](https://hackmd.io/@aliahad97/ry3JqUjad)

# My MWEs

- Link to MWEs extracted by UTD: [here](https://hackmd.io/@aliahad97/Hyu8mVX6O)

## Error 1/ 0-20

Link for MWEs [here](https://hackmd.io/@aliahad97/rkPmyJCpO).

## Error 1/ 21-27

Link for MWEs [here](https://hackmd.io/@aliahad97/rJ9E9JA6d)

## Error 1/ 28-38

Link for MWEs [here](https://hackmd.io/@aliahad97/r1feMvmRd)

## Error 1/ 39-61

Link for MWEs [here](https://hackmd.io/@aliahad97/BJNrSJ0pd)

## Error 1/ 62-82

Link for MWEs [here](https://hackmd.io/@aliahad97/Hk4eJlCCO)

## Error 1/ 83-97

Link for MWEs [here](https://hackmd.io/@aliahad97/HJ4WsOVyY)

## Error 1/ 98-119

Link for MWEs [here](https://hackmd.io/@mengwang/rytVGn2yt) - (by meng)

## Error 1/ 120

Link for MWEs [here](https://hackmd.io/@mengwang/ry_wQtxxK) - (by meng)

## Only MWEs:

- Meng: [here](https://hackmd.io/@aliahad97/Hy1Xp9kQK)
- Xin Liu: [here](https://hackmd.io/@aliahad97/S16yA9kXK)
- Ahmed: [here](https://hackmd.io/@aliahad97/SJg6aqyQK)

## Error Template

Source: [link](https://svn.apache.org/repos/infra/infrastructure/trunk/projects/asfpy/asfpy/ldap.py)

Python version: 3.8

Decompyle3: Failed

Uncompyle6: Failed

Error: `Deparsing stopped due to parse error`

| Py3.8 | Py3.7 | Py3.6 | Py2.7 |
| -------- | -------- | -------- | -------- |
| Pass | Fail | Pass | Pass |

### MWE:

```python=
```

#### Closest Solution:

```python=
```

```c=
```

#### MWE data:

Bytecode for MWE:

```c=
```

Output uncompyle6:

```python=
```

Output Decompyle3:

```python=
```