---
tags: decompiler
---

# Analyzing other errors

**Summary:**

- Total pyc files: 205138
- Total samples: 6101
- Parse errors: 2190
- Ill-formed bytecode files: 1818 (Error 2, 5, 6, miscellaneous)
- Header parsing issues: 288 (Error 4, miscellaneous)
- Timed out: 937 (Error 3)
- Load code instruction: 185 (Error 8 and 9 and extra)
- Uncompyle6 internal errors: 71 (Error 10 and 7)
- Unknown: 612 (314 are Parse errors on different instructions)

## Error 2 (~~1648~~):

Raised error types:

- `ImportError: Ill-formed bytecode file`: 1614 files
  - corrupted bytecode file
- `TypeError: Internal Error: n_build_list expects list, tuple, set, or unpack`: 34 files
  - Uncompyle6 bug

> Tried with different header sizes and still the marshal.load fails on all of the valid combinations - tested with python 2 and 3.8

> This looks like file header errors => we will ignore.

## Error 3 (937):

Timed out: 30 seconds

Average size: 121416.79 bytes (min: 221 bytes, max: 6886503 bytes)

> We may need to revisit. Some cases can be used to DoS attacks.

## Error 4 (~~267~~):

Key error 1280 - Malformed headers

`file` command states: "backup/Error_4/0/0.pyc: AppleDouble encoded Macintosh file"

> Tried with different header sizes and still the marshal.load fails on all of the valid combinations - tested with python 2 and 3.8

> This doesn't look like legit pyc files. Check the sizes, use grep to identify a common pattern, and skip all (if possible).

> **UPDATE**: Checked, all files have the same format with size variation from 220 to 240 bytes. They all have "Mac OS X" keyword

## Error 5 (119 => may be recovering some?):

Marshal load fails. This may be because of either:

- Corrupted bytecode
- Header parsing done incorrectly <- most probably because of this.
  Have to confirm

> Tried with different header sizes and was successfully able to extract bytecode for them using python 3.8 (tried only on one of the samples)

This suggests an issue with uncompyle6 -> Can try to manipulate header to make it decompilable

Also note that uncompyle6 was running under python 3.8, so it was under a compatible version.

> Ran under python 2.7, 3.6, 3.7 and failed to decompile in all. Assertion error. The code object unmarshalled is not a code object. This error is different from what we get when running under python 3.8. Python 3.8 cannot even unmarshal.

> **What to do**: Brute force with a few templates. 10-20, hopefully we can recover 30-40~ more is better but no need to spend much time.

> What we can argue is that, we have a new capability of ignoring broken headers (traditional tricks), we can sell this as an additional cap. we don't care handling 119 or 50, 60,... anything more than 30-40?

## Error 6 (~~47~~): merge into Error 2

Error is:

```
ImportError: Ill-formed bytecode file backup/Error_6/0/0.pyc
<class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'>
```

Average size: 2896.34 <- (not empty)

> Tried with different header sizes and still the marshal.load fails on all of the valid combinations - tested with python 2 and 3.8

## Error 7 (44) => only header issues

Error is:

```
TypeError: argument should be integer or bytes-like object, not 'str'
```

The core error is within uncompyle6 <- Could test these with other uncompyle6 with different python versions

> Tried with different header sizes and was successfully able to extract bytecode for them using python 2.7 (tried only on a couple of samples)

> Fails on uncompyle6 with python 3.6, 3.7, 3.8

**NOTE: Running with python 2.7 these files decompile perfectly.**

> What is the header of the pyc file saying its version?
> if the pyc file says it is 3.6, and in fact the content is 2.7.

> **UPDATE**: All files are python 2.4-2.7

## Error 8 and 9 and extra (185)

Error is:

```
Parse error at or near `LOAD_CODE' instruction at offset XXX
```

> **What to do**: Try different python version

> **UPDATE**: Python 3.8 and 3.7 files (total 4) decompile perfectly with python 2.7.

> **UPDATE**: All files have empty output files.

## Error 10 (27)

Error is: `AssertionError: dict_comp_func`

Bytecode is fine
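
A pre-decompilation triage for the header checks described under Error 4 and Error 5, as an added example (not code from these notes or from uncompyle6). The names `triage_pyc` and `constructed_samples` are hypothetical, the sample bytes are constructed, and it assumes Python 3.7+ as the running interpreter.

```python
import importlib.util
import marshal
import struct
import types

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # start of macOS AppleDouble ("._*") files
HEADER_SIZES = (8, 12, 16)               # pyc header: Python 2, 3.3-3.6, 3.7+

def triage_pyc(data):
    """Classify a candidate .pyc blob; report the header size that unmarshals."""
    magic = struct.unpack("<H", data[:2])[0] if len(data) >= 2 else None
    if data[:4] == APPLEDOUBLE_MAGIC:
        # Read as a pyc magic, bytes 00 05 give 1280: the KeyError value in Error 4.
        return {"verdict": "appledouble", "magic": magic, "header_size": None}
    if len(data) < 8 or data[2:4] != b"\r\n":
        return {"verdict": "bad-magic", "magic": magic, "header_size": None}
    for size in HEADER_SIZES:
        try:
            # marshal only understands the running interpreter's format and is not
            # hardened against hostile input: run this in a disposable worker
            # process with a timeout when triaging untrusted samples.
            obj = marshal.loads(data[size:])
        except (EOFError, ValueError, TypeError):
            continue
        if isinstance(obj, types.CodeType):  # reject "unmarshalled, but not code"
            return {"verdict": "ok", "magic": magic, "header_size": size}
    return {"verdict": "unmarshal-failed", "magic": magic, "header_size": None}

def constructed_samples():
    """Constructed inputs (not corpus files): valid pyc, AppleDouble stub, truncated pyc."""
    body = marshal.dumps(compile("x = 1", "<constructed>", "exec"))
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 1600000000, 6)
    good = header + body
    apple = APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"Mac OS X".ljust(16) + bytes(200)
    return {"good": good, "appledouble": apple, "truncated": good[:len(header) + 10]}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage_pyc(blob))
```

A sample that returns `unmarshal-failed` under one interpreter may still load under another, so the verdict is per Python version, as in the multi-version runs noted above.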