
PyInstaller reverse-engineering notes

Tools

Step 1: Unpack the exe

  • Use pyinstxtractor
  • pyinstxtractor demo.exe
  • It produces an output folder (demo.exe_extracted)
  • If the Python version is wrong, the PYZ-00.pyz_extracted folder will be empty
  • Main file name: main_obfuscate.pyc.encrypted

Step 2: Gather information

Find the key

```python
import dis, marshal

# raw string so the backslash in the Windows path is not treated as an escape
a = open(r"demo.exe_extracted\pyimod00_crypto_key", "rb")
a.seek(16)            # skip the 16-byte pyc header (3.7+ layout)
m = marshal.load(a)   # code object of the module, which is just `key = '...'`
a.close()
dis.disassemble(m)    # prints the bytecode; the key shows up as a LOAD_CONST string
```
  • Or rename pyimod00_crypto_key to key.pyc and import it from a python REPL of the same version:

```python
import key
print(key.key)
```

Find the magic number & header

  • Just take the first 16 bytes of pyimod00_crypto_key
    • For py2 it may be 8 bytes, not sure
  • It differs between Python minor versions (3.7 vs 3.8)
  • It is the same across patch versions (3.8.1 vs 3.8.2)
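Added example (not from the original note): a stdlib-only script that does the checks of this step programmatically. It decodes the 16-byte pyc header (magic, flags, trailer), maps the magic to a Python version, tells you whether the running interpreter matches (the same mismatch that leaves PYZ-00.pyz_extracted empty and breaks marshal/uncompyle6 later), and pulls the key out of pyimod00_crypto_key by reading the code object's constants instead of importing the module, so nothing from the analysed binary is executed. The magic table is CPython's published values for 3.6 to 3.13; PAGE_HEADER is the 3.8 header from the decrypt script below, and the sample key module is constructed in the block with the running interpreter.

```python
"""Inspect a pyc header and recover the AES key from pyimod00_crypto_key."""
import importlib.util
import marshal
import struct

# Published CPython bytecode magic numbers: the first two header bytes
# (little-endian), always followed by b"\r\n".
MAGIC_TO_VERSION = {
    3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9",
    3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13",
}

# The 3.8 header written by the decrypt script on this page (16 bytes).
PAGE_HEADER = bytes.fromhex("550d0d0a" "00000000" "70796930" "33000000")


def parse_pyc_header(header: bytes) -> dict:
    """Decode a 3.7+ style 16-byte pyc header.

    Layout: magic (2 bytes LE + CR LF), flags (4 bytes LE), then 8 bytes that
    are either mtime+source size (flags == 0) or a source hash (flags != 0).
    """
    if len(header) < 16:
        raise ValueError("need at least 16 header bytes (3.7+ layout)")
    if header[2:4] != b"\r\n":
        raise ValueError("bytes 2..3 are not CR LF: not a CPython pyc header")
    magic_value = int.from_bytes(header[:2], "little")
    flags = struct.unpack("<I", header[4:8])[0]
    return {
        "magic": magic_value,
        "version": MAGIC_TO_VERSION.get(magic_value, "unknown"),
        "flags": flags,
        "trailer": header[8:16],
        # True only if the interpreter running this script can load the pyc
        "matches_interpreter": header[:4] == importlib.util.MAGIC_NUMBER,
    }


def extract_key(crypto_key_module: bytes) -> str:
    """Return the 16-character key from a pyimod00_crypto_key pyc.

    The module body is `key = '...'`, so the key is the only string constant
    in the top-level code object; walking co_consts avoids executing code
    from an untrusted binary. marshal only understands the running
    interpreter's format, hence the version check first.
    """
    hdr = parse_pyc_header(crypto_key_module[:16])
    if not hdr["matches_interpreter"]:
        raise RuntimeError(
            f"pyc targets Python {hdr['version']}; rerun under that version")
    code = marshal.loads(crypto_key_module[16:])
    for const in code.co_consts:
        if isinstance(const, str) and len(const) == 16:  # AES-128 key
            return const
    raise ValueError("no 16-character string constant found")


def build_sample_key_module(key: str) -> bytes:
    """Constructed stand-in for pyimod00_crypto_key, compiled by this interpreter."""
    code = compile(f"key = {key!r}", "pyimod00_crypto_key", "exec")
    # 16-byte header: current magic + zero flags + zero mtime/size
    return importlib.util.MAGIC_NUMBER + bytes(12) + marshal.dumps(code)


if __name__ == "__main__":
    info = parse_pyc_header(PAGE_HEADER)
    print(f"page header: Python {info['version']} (magic {info['magic']}), "
          f"matches this interpreter: {info['matches_interpreter']}")
    sample = build_sample_key_module("0123456789abcdef")  # constructed sample
    print("recovered key:", extract_key(sample))
```

On a real dump, read the first 16 bytes of pyimod00_crypto_key into parse_pyc_header before anything else: if matches_interpreter is False, switch interpreters instead of fighting marshal or uncompyle6 errors.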

Step 3: Decrypt the file

```python
from Crypto.Cipher import AES   # pip install pycryptodome
import sys, zlib

CRYPT_BLOCK_SIZE = 16

# key obtained from pyimod00_crypto_key
key = b"xxxxxxxxxxxxxxxx"

inf = open(sys.argv[1], "rb")     # encrypted file input (e.g. main_obfuscate.pyc.encrypted)
outf = open("output.pyc", "wb")   # output file

# Initialization vector: the first block of the encrypted entry
iv = inf.read(CRYPT_BLOCK_SIZE)
cipher = AES.new(key, AES.MODE_CFB, iv)

# Decrypt and decompress
plaintext = zlib.decompress(cipher.decrypt(inf.read()))

# Write pyc header (3.8) / for other versions copy the first 16 bytes of pyimod00_crypto_key
outf.write(b"\x55\x0D\x0D\x0A\x00\x00\x00\x00\x70\x79\x69\x30\x33\x00\x00\x00")

# Write decrypted data
outf.write(plaintext)
inf.close()
outf.close()
```

Step 4: Decompile

  • The Python version must match
  • pip install uncompyle6
  • uncompyle6 -o output.py output.pyc
  • Ta-da, you have the source file

Pitfalls

  • The Python version must be the same
  • You're still using py2?!
  • Use Windows