---
title: PyInstaller reverse-engineering notes
tags: python, security
---
# PyInstaller reverse-engineering notes
## Tools
- uncompyle6
- `pip install uncompyle6==2.2.0`
- pyinstxtractor.py
- https://sourceforge.net/projects/pyinstallerextractor/
- https://github.com/countercept/python-exe-unpacker/blob/master/pyinstxtractor.py
## Step 1: unpack the exe
- Use `pyinstxtractor`, running it under the same Python version the exe was built with
- `python pyinstxtractor.py demo.exe`
- It produces the folder `demo.exe_extracted`
- If the Python version is wrong, the `PYZ-00.pyz_extracted` folder ends up empty (the PYZ table of contents is marshalled and can only be read by a matching interpreter)
- In this sample the main script comes out as `main_obfuscate.pyc.encrypted`; the `.encrypted` suffix means the exe was built with PyInstaller's `--key` option, so every PYZ entry has to be decrypted before it can be decompiled
## Step 2: collect the data
### Find the key
```python=
import dis, marshal
# pyinstxtractor writes a pyc header in front of the marshalled module:
# 16 bytes for Python 3.7+, 12 for 3.3-3.6, 8 for 2.x
with open(r"demo.exe_extracted\pyimod00_crypto_key", "rb") as a:
    a.seek(16)
    m = marshal.load(a)   # must run under the same Python version as the target
# dis.disassemble() prints and returns None, so disassemble directly;
# the key shows up as the LOAD_CONST string assigned to `key`
dis.dis(m)
```
- Alternatively, rename `pyimod00_crypto_key` to `key.pyc` and import it from the matching Python version:
- `python`
- `import key`
- `print(key.key)`
### Find the magic number and header
- Take the first 16 bytes of `pyimod00_crypto_key` directly (pyinstxtractor prepends a proper pyc header to it)
- The header length depends on the version: 8 bytes on Python 2 (magic + mtime), 12 bytes on 3.3–3.6 (magic + mtime + source size), 16 bytes on 3.7+ (magic + flags + mtime/hash + size)
- The first 4 bytes are the magic number, which changes with every minor version (`3.7` vs `3.8`)
- and stays the same across patch releases (`3.8.1` vs `3.8.2`)
## Step 3: decrypt the files
```python=
from Crypto.Cipher import AES   # pip install pycryptodome
import sys, zlib
CRYPT_BLOCK_SIZE = 16
# key obtained from pyimod00_crypto_key (PyInstaller pads/truncates it to 16 bytes)
key = b"xxxxxxxxxxxxxxxx"
with open(sys.argv[1], "rb") as inf:            # encrypted file input
    # Initialization vector: the first 16 bytes of every encrypted entry
    iv = inf.read(CRYPT_BLOCK_SIZE)
    # PyInstaller 3.x encrypts with PyCrypto's AES-CFB (default 8-bit segments);
    # 4.x and later switched to tinyaes in CTR mode, so the mode has to match
    # the PyInstaller version that built the exe
    cipher = AES.new(key, AES.MODE_CFB, iv)
    # Decrypt first, then decompress; the result is the marshalled code object
    plaintext = zlib.decompress(cipher.decrypt(inf.read()))
with open("output.pyc", "wb") as outf:          # output file
    # 16-byte pyc header for Python 3.8 (magic 55 0D 0D 0A); only the 4-byte
    # magic has to match the target version, so copying the first 16 bytes of
    # pyimod00_crypto_key gives the right header for any 3.7+ target
    outf.write(b"\x55\x0D\x0D\x0A\x00\x00\x00\x00\x70\x79\x69\x30\x33\x00\x00\x00")
    # Write decrypted data
    outf.write(plaintext)
```
## Step 4: decompile
- The Python version must match the target's
- `pip install uncompyle6`
- `uncompyle6 -o output.py output.pyc`
- Ta-da, you have the source
## Pitfalls
- The Python version has to be the same as the one the exe was built with
- Still using py2? Really?
- Use Windows