python-uncompyle6
Unable to decompile Python 3.8 (PyInstaller on Windows created) bytecode
- original file 504lab.exe.zip
- patched bytecode 504lab.pyc.zip
- error message
$ uncompyle6 504lab.pyc
# uncompyle6 version 3.7.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.2 (default, Mar 11 2020, 00:29:50)
# [Clang 11.0.0 (clang-1100.0.33.17)]
# Embedded file name: 504lab.py
# Compiled at: 2054-06-26 14:40:57
# Size of source mod 2**32: 584092496 bytes
Instruction context:
L. 183 1022 LOAD_NAME time
1024 LOAD_METHOD sleep
1026 LOAD_CONST 1
1028 CALL_METHOD_1 1 ''
-> 1030 POP_TOP
# file 504lab.pyc
# --- This code section failed: ---
L. 1 0 LOAD_CONST 0
2 LOAD_CONST None
4 IMPORT_NAME os
6 STORE_NAME os
L. 2 8 LOAD_CONST 0
10 LOAD_CONST None
12 IMPORT_NAME subprocess
14 STORE_NAME subprocess
L. 3 16 LOAD_CONST 0
18 LOAD_CONST None
20 IMPORT_NAME time
22 STORE_NAME time
L. 4 24 LOAD_CONST 0
26 LOAD_CONST None
28 IMPORT_NAME tempfile
30 STORE_NAME tempfile
L. 5 32 LOAD_CONST 0
34 LOAD_CONST None
36 IMPORT_NAME sys
38 STORE_NAME sys
L. 6 40 LOAD_CONST 0
42 LOAD_CONST None
44 IMPORT_NAME signal
46 STORE_NAME signal
L. 7 48 LOAD_CONST 0
50 LOAD_CONST None
52 IMPORT_NAME base64
54 STORE_NAME base64
L. 8 56 LOAD_CONST 0
58 LOAD_CONST None
60 IMPORT_NAME re
62 STORE_NAME re
L. 9 64 LOAD_CONST 0
66 LOAD_CONST None
68 IMPORT_NAME random
70 STORE_NAME random
L. 10 72 LOAD_CONST 0
74 LOAD_CONST None
76 IMPORT_NAME socket
78 STORE_NAME socket
L. 11 80 LOAD_CONST 0
82 LOAD_CONST None
84 IMPORT_NAME webbrowser
86 STORE_NAME webbrowser
L. 12 88 LOAD_CONST 0
90 LOAD_CONST None
92 IMPORT_NAME signal
94 STORE_NAME signal
L. 14 96 LOAD_CODE <code_object reliable_start>
98 LOAD_STR 'reliable_start'
100 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
102 STORE_NAME reliable_start
L. 70 104 LOAD_CODE <code_object shellcmd>
106 LOAD_STR 'shellcmd'
108 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
110 STORE_NAME shellcmd
L. 75 112 LOAD_CODE <code_object exec_cmd>
114 LOAD_STR 'exec_cmd'
116 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
118 STORE_NAME exec_cmd
L. 84 120 LOAD_CODE <code_object handler>
122 LOAD_STR 'handler'
124 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
126 STORE_NAME handler
L. 88 128 LOAD_NAME signal
130 LOAD_METHOD signal
132 LOAD_NAME signal
134 LOAD_ATTR SIGINT
136 LOAD_NAME handler
138 CALL_METHOD_2 2 ''
140 POP_TOP
L. 90 142 LOAD_NAME webbrowser
144 LOAD_METHOD open_new
146 LOAD_STR 'https://markbaggett.github.io/504lab/'
148 CALL_METHOD_1 1 ''
150 POP_TOP
L. 91 152 LOAD_NAME webbrowser
154 LOAD_METHOD open_new_tab
156 LOAD_STR 'https://www.sans.org/course/hacker-techniques-exploits-incident-handling'
158 CALL_METHOD_1 1 ''
160 POP_TOP
L. 92 162 LOAD_NAME webbrowser
164 LOAD_METHOD open_new_tab
166 LOAD_STR 'https://www.sans.org/course/automating-information-security-with-python'
168 CALL_METHOD_1 1 ''
170 POP_TOP
L. 94 172 LOAD_NAME os
174 LOAD_METHOD system
176 LOAD_STR 'cls'
178 CALL_METHOD_1 1 ''
180 POP_TOP
L. 95 182 LOAD_NAME os
184 LOAD_METHOD system
186 LOAD_STR 'color f0'
188 CALL_METHOD_1 1 ''
190 POP_TOP
L. 96 192 LOAD_NAME print
194 LOAD_STR 'KNOW THY SYSTEM! \n\nOpen a second CMD prompt as an Administrator and run netstat -nao on your host so you know what your system looks like before it is "infected."'
196 CALL_FUNCTION_1 1 ''
198 POP_TOP
L. 97 200 LOAD_NAME print
202 LOAD_STR 'Verify your firewall and AV are disabled. I am about to start a non-malicious backdoor for you to find.\n'
204 CALL_FUNCTION_1 1 ''
206 POP_TOP
L. 99 208 LOAD_NAME input
210 LOAD_STR 'After you have run netstat press ENTER to continue'
212 CALL_FUNCTION_1 1 ''
214 STORE_NAME ans
L. 101 216 LOAD_NAME print
218 LOAD_STR '\n\nPlease wait: A TCP Backdoor is being started on your host.'
220 CALL_FUNCTION_1 1 ''
222 POP_TOP
L. 102 224 LOAD_STR 'TheFlagisBlack%s'
226 LOAD_NAME str
228 LOAD_NAME random
230 LOAD_METHOD randint
232 LOAD_CONST 999999
234 LOAD_CONST 999999999
236 CALL_METHOD_2 2 ''
238 CALL_FUNCTION_1 1 ''
240 BINARY_MODULO
242 STORE_NAME flag
L. 103 244 LOAD_NAME reliable_start
246 LOAD_NAME shellcmd
248 LOAD_STR '0'
250 LOAD_NAME flag
252 CALL_FUNCTION_2 2 ''
254 CALL_FUNCTION_1 1 ''
256 UNPACK_SEQUENCE_3 3
258 STORE_NAME pid
260 STORE_NAME ppid
262 STORE_NAME tprt
L. 104 264 LOAD_NAME print
266 LOAD_STR 'Backdoor Started. Please answer the following questions.'
268 CALL_FUNCTION_1 1 ''
270 POP_TOP
L. 106 272 LOAD_NAME input
274 LOAD_STR '\nWhat TCP port is the backdoor listening on? '
276 CALL_FUNCTION_1 1 ''
278 STORE_NAME ans
L. 107 280 LOAD_NAME ans
282 LOAD_NAME str
284 LOAD_NAME tprt
286 CALL_FUNCTION_1 1 ''
288 COMPARE_OP !=
290_292 POP_JUMP_IF_FALSE 418 'to 418'
294 LOAD_NAME ans
296 LOAD_STR 'skip'
298 COMPARE_OP !=
300_302 POP_JUMP_IF_FALSE 418 'to 418'
L. 108 304 LOAD_NAME ans
306 LOAD_CONST None
308 LOAD_CONST 4
310 BUILD_SLICE_2 2
312 BINARY_SUBSCR
314 LOAD_STR 'help'
316 COMPARE_OP ==
318_320 POP_JUMP_IF_FALSE 332 'to 332'
L. 109 322 LOAD_NAME print
324 LOAD_STR '\nnetstat -nao will show you what is listening now. Run it again and compare it to the previous results.'
326 CALL_FUNCTION_1 1 ''
328 POP_TOP
330 JUMP_FORWARD 340 'to 340'
332_0 COME_FROM 318 '318'
L. 111 332 LOAD_NAME print
334 LOAD_STR 'That is incorrect. Please check your answer and try again.'
336 CALL_FUNCTION_1 1 ''
338 POP_TOP
340_0 COME_FROM 330 '330'
L. 112 340 LOAD_STR '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
342 LOAD_NAME pid
344 BINARY_MODULO
346 STORE_NAME srchstr
L. 113 348 SETUP_FINALLY 376 'to 376'
L. 114 350 LOAD_NAME re
352 LOAD_METHOD search
354 LOAD_NAME srchstr
356 LOAD_NAME exec_cmd
358 LOAD_STR 'netstat -nao'
360 CALL_FUNCTION_1 1 ''
362 CALL_METHOD_2 2 ''
364 LOAD_METHOD group
366 LOAD_CONST 1
368 CALL_METHOD_1 1 ''
370 STORE_NAME tprt
372 POP_BLOCK
374 JUMP_FORWARD 406 'to 406'
376_0 COME_FROM_FINALLY 348 '348'
L. 115 376 POP_TOP
378 POP_TOP
380 POP_TOP
L. 116 382 LOAD_NAME print
384 LOAD_STR "Can't find the TCP port for that PID. Check your AV,Firewall and run the lab as an administrator again"
386 CALL_FUNCTION_1 1 ''
388 POP_TOP
L. 117 390 LOAD_NAME sys
392 LOAD_METHOD exit
394 LOAD_CONST 1
396 CALL_METHOD_1 1 ''
398 POP_TOP
400 POP_EXCEPT
402 JUMP_FORWARD 406 'to 406'
404 END_FINALLY
406_0 COME_FROM 402 '402'
406_1 COME_FROM 374 '374'
L. 118 406 LOAD_NAME input
408 LOAD_STR 'What TCP port is the backdoor listening on? '
410 CALL_FUNCTION_1 1 ''
412 STORE_NAME ans
414_416 JUMP_BACK 280 'to 280'
418_0 COME_FROM 300 '300'
418_1 COME_FROM 290 '290'
L. 120 418 LOAD_NAME input
420 LOAD_STR '\nWhat is the process id number of the backdoor? '
422 CALL_FUNCTION_1 1 ''
424 STORE_NAME ans
L. 121 426 LOAD_NAME ans
428 LOAD_NAME str
430 LOAD_NAME pid
432 CALL_FUNCTION_1 1 ''
434 COMPARE_OP !=
436_438 POP_JUMP_IF_FALSE 498 'to 498'
440 LOAD_NAME ans
442 LOAD_STR 'skip'
444 COMPARE_OP !=
446_448 POP_JUMP_IF_FALSE 498 'to 498'
L. 122 450 LOAD_NAME ans
452 LOAD_CONST None
454 LOAD_CONST 4
456 BUILD_SLICE_2 2
458 BINARY_SUBSCR
460 LOAD_STR 'help'
462 COMPARE_OP ==
464_466 POP_JUMP_IF_FALSE 478 'to 478'
L. 123 468 LOAD_NAME print
470 LOAD_STR '\nnetstat -nao shows you the process id number in the last column.'
472 CALL_FUNCTION_1 1 ''
474 POP_TOP
476 JUMP_FORWARD 486 'to 486'
478_0 COME_FROM 464 '464'
L. 125 478 LOAD_NAME print
480 LOAD_STR 'That is incorrect. Please check your answer and try again.'
482 CALL_FUNCTION_1 1 ''
484 POP_TOP
486_0 COME_FROM 476 '476'
L. 126 486 LOAD_NAME input
488 LOAD_STR 'What is the process id number of the backdoor? '
490 CALL_FUNCTION_1 1 ''
492 STORE_NAME ans
494_496 JUMP_BACK 426 'to 426'
498_0 COME_FROM 446 '446'
498_1 COME_FROM 436 '436'
L. 129 498 LOAD_NAME input
500 LOAD_STR '\nWhat is the parent process id number of the backdoor? '
502 CALL_FUNCTION_1 1 ''
504 STORE_NAME ans
L. 130 506 LOAD_NAME ans
508 LOAD_NAME str
510 LOAD_NAME ppid
512 CALL_FUNCTION_1 1 ''
514 COMPARE_OP !=
516_518 POP_JUMP_IF_FALSE 578 'to 578'
520 LOAD_NAME ans
522 LOAD_STR 'skip'
524 COMPARE_OP !=
526_528 POP_JUMP_IF_FALSE 578 'to 578'
L. 131 530 LOAD_NAME ans
532 LOAD_CONST None
534 LOAD_CONST 4
536 BUILD_SLICE_2 2
538 BINARY_SUBSCR
540 LOAD_STR 'help'
542 COMPARE_OP ==
544_546 POP_JUMP_IF_FALSE 558 'to 558'
L. 132 548 LOAD_NAME print
550 LOAD_STR '\nwmic process where (processid = 1234) get parentprocessid - would show you the parent processid for process 1234'
552 CALL_FUNCTION_1 1 ''
554 POP_TOP
556 JUMP_FORWARD 566 'to 566'
558_0 COME_FROM 544 '544'
L. 134 558 LOAD_NAME print
560 LOAD_STR 'That is incorrect. Please check your answer and try again.'
562 CALL_FUNCTION_1 1 ''
564 POP_TOP
566_0 COME_FROM 556 '556'
L. 135 566 LOAD_NAME input
568 LOAD_STR 'What is the parent process id number of the backdoor? '
570 CALL_FUNCTION_1 1 ''
572 STORE_NAME ans
574_576 JUMP_BACK 506 'to 506'
578_0 COME_FROM 526 '526'
578_1 COME_FROM 516 '516'
L. 137 578 LOAD_NAME print
580 LOAD_STR '\nUse Netcat to connect to the backdoor TCP port.'
582 CALL_FUNCTION_1 1 ''
584 POP_TOP
L. 138 586 LOAD_NAME input
588 LOAD_STR 'What is flag printed when you connect to the backdoor? '
590 CALL_FUNCTION_1 1 ''
592 STORE_NAME ans
L. 139 594 LOAD_NAME ans
596 LOAD_NAME flag
598 COMPARE_OP !=
600_602 POP_JUMP_IF_FALSE 662 'to 662'
604 LOAD_NAME ans
606 LOAD_STR 'skip'
608 COMPARE_OP !=
610_612 POP_JUMP_IF_FALSE 662 'to 662'
L. 140 614 LOAD_NAME ans
616 LOAD_CONST None
618 LOAD_CONST 4
620 BUILD_SLICE_2 2
622 BINARY_SUBSCR
624 LOAD_STR 'help'
626 COMPARE_OP ==
628_630 POP_JUMP_IF_FALSE 642 'to 642'
L. 141 632 LOAD_NAME print
634 LOAD_STR '\nnc 127.0.0.1 1234 - would connect to a backdoor on tcp port 1234.'
636 CALL_FUNCTION_1 1 ''
638 POP_TOP
640 JUMP_FORWARD 650 'to 650'
642_0 COME_FROM 628 '628'
L. 143 642 LOAD_NAME print
644 LOAD_STR 'That is incorrect. Please check your answer and try again.'
646 CALL_FUNCTION_1 1 ''
648 POP_TOP
650_0 COME_FROM 640 '640'
L. 144 650 LOAD_NAME input
652 LOAD_STR 'What is flag printed when you connect to the backdoor? '
654 CALL_FUNCTION_1 1 ''
656 STORE_NAME ans
658_660 JUMP_BACK 594 'to 594'
662_0 COME_FROM 610 '610'
662_1 COME_FROM 600 '600'
L. 147 662 LOAD_STR '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
664 LOAD_NAME pid
666 BINARY_MODULO
668 STORE_NAME srchstr
L. 148 670 LOAD_NAME re
672 LOAD_METHOD search
674 LOAD_NAME srchstr
676 LOAD_NAME exec_cmd
678 LOAD_STR 'netstat -nao'
680 CALL_FUNCTION_1 1 ''
682 CALL_METHOD_2 2 ''
684 LOAD_METHOD group
686 LOAD_CONST 1
688 CALL_METHOD_1 1 ''
690 STORE_NAME tprt
L. 149 692 LOAD_NAME input
694 LOAD_STR '\nWhat TCP port is the backdoor listening on now? '
696 CALL_FUNCTION_1 1 ''
698 STORE_NAME ans
L. 150 700 LOAD_NAME ans
702 LOAD_NAME str
704 LOAD_NAME tprt
706 CALL_FUNCTION_1 1 ''
708 COMPARE_OP !=
710_712 POP_JUMP_IF_FALSE 842 'to 842'
714 LOAD_NAME ans
716 LOAD_STR 'skip'
718 COMPARE_OP !=
720_722 POP_JUMP_IF_FALSE 842 'to 842'
L. 151 724 LOAD_NAME ans
726 LOAD_CONST None
728 LOAD_CONST 4
730 BUILD_SLICE_2 2
732 BINARY_SUBSCR
734 LOAD_STR 'help'
736 COMPARE_OP ==
738_740 POP_JUMP_IF_FALSE 756 'to 756'
L. 152 742 LOAD_NAME print
744 LOAD_STR '\nnetstat -nao will show you what is listening now. The process id number is still %s.'
746 LOAD_NAME pid
748 BINARY_MODULO
750 CALL_FUNCTION_1 1 ''
752 POP_TOP
754 JUMP_FORWARD 764 'to 764'
756_0 COME_FROM 738 '738'
L. 154 756 LOAD_NAME print
758 LOAD_STR 'That is incorrect. Please check your answer and try again.'
760 CALL_FUNCTION_1 1 ''
762 POP_TOP
764_0 COME_FROM 754 '754'
L. 155 764 LOAD_STR '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
766 LOAD_NAME pid
768 BINARY_MODULO
770 STORE_NAME srchstr
L. 156 772 SETUP_FINALLY 800 'to 800'
L. 157 774 LOAD_NAME re
776 LOAD_METHOD search
778 LOAD_NAME srchstr
780 LOAD_NAME exec_cmd
782 LOAD_STR 'netstat -nao'
784 CALL_FUNCTION_1 1 ''
786 CALL_METHOD_2 2 ''
788 LOAD_METHOD group
790 LOAD_CONST 1
792 CALL_METHOD_1 1 ''
794 STORE_NAME tprt
796 POP_BLOCK
798 JUMP_FORWARD 830 'to 830'
800_0 COME_FROM_FINALLY 772 '772'
L. 158 800 POP_TOP
802 POP_TOP
804 POP_TOP
L. 159 806 LOAD_NAME print
808 LOAD_STR 'Bad things happened. Check your AV,Firewall and run the lab as an administrator again'
810 CALL_FUNCTION_1 1 ''
812 POP_TOP
L. 160 814 LOAD_NAME sys
816 LOAD_METHOD exit
818 LOAD_CONST 1
820 CALL_METHOD_1 1 ''
822 POP_TOP
824 POP_EXCEPT
826 JUMP_FORWARD 830 'to 830'
828 END_FINALLY
830_0 COME_FROM 826 '826'
830_1 COME_FROM 798 '798'
L. 161 830 LOAD_NAME input
832 LOAD_STR 'What TCP port is the backdoor listening on now? '
834 CALL_FUNCTION_1 1 ''
836 STORE_NAME ans
838_840 JUMP_BACK 700 'to 700'
842_0 COME_FROM 720 '720'
842_1 COME_FROM 710 '710'
L. 163 842 LOAD_NAME print
844 LOAD_STR '\nNow use wmic to kill the process.'
846 CALL_FUNCTION_1 1 ''
848 POP_TOP
L. 164 850 LOAD_NAME input
852 LOAD_STR 'Press enter after you have killed the process.'
854 CALL_FUNCTION_1 1 ''
856 STORE_NAME ans
L. 165 858 LOAD_STR 'wmic process where (processid = %s) list brief'
860 LOAD_NAME pid
862 BINARY_MODULO
864 STORE_NAME check_pid
L. 166 866 LOAD_NAME exec_cmd
868 LOAD_NAME check_pid
870 CALL_FUNCTION_1 1 ''
872 LOAD_STR 'No Instance(s) Available.'
874 COMPARE_OP !=
876_878 POP_JUMP_IF_FALSE 938 'to 938'
880 LOAD_NAME ans
882 LOAD_STR 'skip'
884 COMPARE_OP !=
886_888 POP_JUMP_IF_FALSE 938 'to 938'
L. 167 890 LOAD_NAME ans
892 LOAD_CONST None
894 LOAD_CONST 4
896 BUILD_SLICE_2 2
898 BINARY_SUBSCR
900 LOAD_STR 'help'
902 COMPARE_OP ==
904_906 POP_JUMP_IF_FALSE 918 'to 918'
L. 168 908 LOAD_NAME print
910 LOAD_STR '\nwmic process where (processid = 1234) delete OR get-process -PID 1234 | stop-process - would kill process number 1234.'
912 CALL_FUNCTION_1 1 ''
914 POP_TOP
916 JUMP_FORWARD 926 'to 926'
918_0 COME_FROM 904 '904'
L. 170 918 LOAD_NAME print
920 LOAD_STR 'The process still seems to be running. Please kill the process used by the backdoor with wmic.'
922 CALL_FUNCTION_1 1 ''
924 POP_TOP
926_0 COME_FROM 916 '916'
L. 171 926 LOAD_NAME input
928 LOAD_STR 'Press enter after you have killed the process.'
930 CALL_FUNCTION_1 1 ''
932 STORE_NAME ans
934_936 JUMP_BACK 866 'to 866'
938_0 COME_FROM 886 '886'
938_1 COME_FROM 876 '876'
L. 173 938 LOAD_NAME print
940 LOAD_STR "\n\nThis PowerShell backdoor was easy to find because it listened on a TCP port. A more typical PowerShell backdoor will not. Instead it makes periodic client connections to a command and control server. Now I'm creating a new PowerShell process that does not listen on a port."
942 CALL_FUNCTION_1 1 ''
944 POP_TOP
L. 175 946 LOAD_STR 'Sasquatch%s'
948 LOAD_NAME random
950 LOAD_METHOD randint
952 LOAD_CONST 99999
954 LOAD_CONST 9999999999
956 CALL_METHOD_2 2 ''
958 BINARY_MODULO
960 STORE_NAME newflg
L. 176 962 LOAD_STR 'while($true){$flag = "%s"; [System.Threading.Thread]::Sleep(10000)};'
964 LOAD_NAME newflg
966 BINARY_MODULO
968 STORE_NAME newscript
L. 177 970 LOAD_CONST b'powershell.exe -nop -exec bypass -enc '
972 LOAD_NAME base64
974 LOAD_METHOD b64encode
976 LOAD_NAME newscript
978 LOAD_METHOD encode
980 LOAD_STR 'UTF-16LE'
982 CALL_METHOD_1 1 ''
984 CALL_METHOD_1 1 ''
986 BINARY_ADD
988 LOAD_METHOD decode
990 CALL_METHOD_0 0 ''
992 STORE_NAME newcmd
L. 178 994 LOAD_CONST 5
996 STORE_NAME retry_cnt
L. 180 998 SETUP_FINALLY 1016 'to 1016'
L. 181 1000 LOAD_NAME subprocess
1002 LOAD_METHOD Popen
1004 LOAD_NAME newcmd
1006 CALL_METHOD_1 1 ''
1008 LOAD_ATTR pid
1010 STORE_NAME pid
1012 POP_BLOCK
1014 BREAK_LOOP 1086 'to 1086'
1016_0 COME_FROM_FINALLY 998 '998'
L. 182 1016 POP_TOP
1018 POP_TOP
1020 POP_TOP
L. 183 1022 LOAD_NAME time
1024 LOAD_METHOD sleep
1026 LOAD_CONST 1
1028 CALL_METHOD_1 1 ''
1030 POP_TOP
L. 184 1032 LOAD_NAME retry_cnt
1034 LOAD_CONST 1
1036 INPLACE_SUBTRACT
1038 STORE_NAME retry_cnt
L. 185 1040 LOAD_NAME retry_cnt
1042 LOAD_CONST 1
1044 COMPARE_OP <
1046_1048 POP_JUMP_IF_FALSE 1072 'to 1072'
L. 186 1050 LOAD_NAME print
1052 LOAD_STR 'Unable to start the 2nd part of this lab. In another window manually start the following command:'
1054 CALL_FUNCTION_1 1 ''
1056 POP_TOP
L. 187 1058 LOAD_NAME print
1060 LOAD_NAME cmd
1062 CALL_FUNCTION_1 1 ''
1064 POP_TOP
L. 188 1066 POP_EXCEPT
1068_1070 BREAK_LOOP 1086 'to 1086'
1072_0 COME_FROM 1046 '1046'
1072 POP_EXCEPT
1074 JUMP_BACK 998 'to 998'
1076 END_FINALLY
L. 190 1078_1080 BREAK_LOOP 1086 'to 1086'
1082_1084 JUMP_BACK 998 'to 998'
L. 192 1086 LOAD_NAME input
1088 LOAD_STR '\nWhat is the process id number of the backdoor? '
1090 CALL_FUNCTION_1 1 ''
1092 STORE_NAME ans
L. 193 1094 LOAD_NAME ans
1096 LOAD_NAME str
1098 LOAD_NAME pid
1100 CALL_FUNCTION_1 1 ''
1102 COMPARE_OP !=
1104_1106 POP_JUMP_IF_FALSE 1166 'to 1166'
1108 LOAD_NAME ans
1110 LOAD_STR 'skip'
1112 COMPARE_OP !=
1114_1116 POP_JUMP_IF_FALSE 1166 'to 1166'
L. 194 1118 LOAD_NAME ans
1120 LOAD_CONST None
1122 LOAD_CONST 4
1124 BUILD_SLICE_2 2
1126 BINARY_SUBSCR
1128 LOAD_STR 'help'
1130 COMPARE_OP ==
1132_1134 POP_JUMP_IF_FALSE 1146 'to 1146'
L. 195 1136 LOAD_NAME print
1138 LOAD_STR '\nYou have been told it is a PowerShell based tool. wmic process where (name like "powershell%") list brief - will show you processes that are probably PowerShell.'
1140 CALL_FUNCTION_1 1 ''
1142 POP_TOP
1144 JUMP_FORWARD 1154 'to 1154'
1146_0 COME_FROM 1132 '1132'
L. 197 1146 LOAD_NAME print
1148 LOAD_STR 'That is incorrect. Please check your answer and try again.'
1150 CALL_FUNCTION_1 1 ''
1152 POP_TOP
1154_0 COME_FROM 1144 '1144'
L. 198 1154 LOAD_NAME input
1156 LOAD_STR 'What is the process id number of the backdoor? '
1158 CALL_FUNCTION_1 1 ''
1160 STORE_NAME ans
1162_1164 JUMP_BACK 1094 'to 1094'
1166_0 COME_FROM 1114 '1114'
1166_1 COME_FROM 1104 '1104'
L. 200 1166 LOAD_NAME print
1168 LOAD_STR '\nUse wmic to retrieve the CommandLine and answer the following.'
1170 CALL_FUNCTION_1 1 ''
1172 POP_TOP
L. 201 1174 LOAD_NAME input
1176 LOAD_STR '\nWhat is the flag contained in the script executed by the backdoor? '
1178 CALL_FUNCTION_1 1 ''
1180 STORE_NAME ans
L. 202 1182 LOAD_NAME ans
1184 LOAD_NAME str
1186 LOAD_NAME newflg
1188 CALL_FUNCTION_1 1 ''
1190 COMPARE_OP !=
1192_1194 POP_JUMP_IF_FALSE 1286 'to 1286'
1196 LOAD_NAME ans
1198 LOAD_STR 'skip'
1200 COMPARE_OP !=
1202_1204 POP_JUMP_IF_FALSE 1286 'to 1286'
L. 203 1206 LOAD_NAME ans
1208 LOAD_CONST None
1210 LOAD_CONST 4
1212 BUILD_SLICE_2 2
1214 BINARY_SUBSCR
1216 LOAD_STR 'help'
1218 COMPARE_OP ==
1220_1222 POP_JUMP_IF_FALSE 1266 'to 1266'
L. 204 1224 LOAD_NAME print
1226 LOAD_STR 'Step 1: Acquire the command line that launched the process.'
1228 CALL_FUNCTION_1 1 ''
1230 POP_TOP
L. 205 1232 LOAD_NAME print
1234 LOAD_STR '"wmic process where (processid = 1234) get commandline" - would get the command line that launched process id 1234.'
1236 CALL_FUNCTION_1 1 ''
1238 POP_TOP
L. 206 1240 LOAD_NAME print
1242 LOAD_STR 'Step 2: Decode the base64 string containing the PowerShell Script.'
1244 CALL_FUNCTION_1 1 ''
1246 POP_TOP
L. 207 1248 LOAD_NAME print
1250 LOAD_STR 'For example, the following command decodes a -enc (base64 encoded) string:'
1252 CALL_FUNCTION_1 1 ''
1254 POP_TOP
L. 208 1256 LOAD_NAME print
1258 LOAD_STR '[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("QwBoAGUAYwBrACAAbwB1AHQAIABTAEEATgBTACAAUAB5AHQAaABvAG4AIABDAGwAYQBzAHMAIQAgAFMARQBDADUANwAzACEAIQA=")).'
1260 CALL_FUNCTION_1 1 ''
1262 POP_TOP
1264 JUMP_FORWARD 1274 'to 1274'
1266_0 COME_FROM 1220 '1220'
L. 210 1266 LOAD_NAME print
1268 LOAD_STR 'That is incorrect. Please check your answer and try again.'
1270 CALL_FUNCTION_1 1 ''
1272 POP_TOP
1274_0 COME_FROM 1264 '1264'
L. 211 1274 LOAD_NAME input
1276 LOAD_STR 'What is the flag contained in the script executed by the backdoor? '
1278 CALL_FUNCTION_1 1 ''
1280 STORE_NAME ans
1282_1284 JUMP_BACK 1182 'to 1182'
1286_0 COME_FROM 1202 '1202'
1286_1 COME_FROM 1192 '1192'
L. 213 1286 LOAD_NAME print
1288 LOAD_STR '\nNow use wmic to kill the process.'
1290 CALL_FUNCTION_1 1 ''
1292 POP_TOP
L. 214 1294 LOAD_NAME input
1296 LOAD_STR 'Press enter after you have killed the process.'
1298 CALL_FUNCTION_1 1 ''
1300 STORE_NAME ans
L. 215 1302 LOAD_STR 'wmic process where (processid = %s) list brief'
1304 LOAD_NAME pid
1306 BINARY_MODULO
1308 STORE_NAME check_pid
L. 216 1310 LOAD_NAME exec_cmd
1312 LOAD_NAME check_pid
1314 CALL_FUNCTION_1 1 ''
1316 LOAD_STR 'No Instance(s) Available.'
1318 COMPARE_OP !=
1320_1322 POP_JUMP_IF_FALSE 1382 'to 1382'
1324 LOAD_NAME ans
1326 LOAD_STR 'skip'
1328 COMPARE_OP !=
1330_1332 POP_JUMP_IF_FALSE 1382 'to 1382'
L. 217 1334 LOAD_NAME ans
1336 LOAD_CONST None
1338 LOAD_CONST 4
1340 BUILD_SLICE_2 2
1342 BINARY_SUBSCR
1344 LOAD_STR 'help'
1346 COMPARE_OP ==
1348_1350 POP_JUMP_IF_FALSE 1362 'to 1362'
L. 218 1352 LOAD_NAME print
1354 LOAD_STR '\nwmic process where (processid = 1234) delete OR get-process -PID 1234 | stop-process - would kill process number 1234.'
1356 CALL_FUNCTION_1 1 ''
1358 POP_TOP
1360 JUMP_FORWARD 1370 'to 1370'
1362_0 COME_FROM 1348 '1348'
L. 220 1362 LOAD_NAME print
1364 LOAD_STR '\nThe process still seems to be running. Please kill the process used by the backdoor with wmic.'
1366 CALL_FUNCTION_1 1 ''
1368 POP_TOP
1370_0 COME_FROM 1360 '1360'
L. 221 1370 LOAD_NAME input
1372 LOAD_STR 'Press enter after you have killed the process.'
1374 CALL_FUNCTION_1 1 ''
1376 STORE_NAME ans
1378_1380 JUMP_BACK 1310 'to 1310'
1382_0 COME_FROM 1330 '1330'
1382_1 COME_FROM 1320 '1320'
L. 223 1382 LOAD_NAME input
1384 LOAD_STR '\n\nYou have done well. The evil hackers have been thwarted.\nPress enter to end this lab.'
1386 CALL_FUNCTION_1 1 ''
1388 POP_TOP
Parse error at or near `POP_TOP' instruction at offset 1030
Just to set expectations on bugs like this...
It should be pretty well known and understood that Python 3.8 compilation is about the weakest. (3.9, 3.10 are and probably will remain worse.)
Anyone who has been watching the activity on the decompiler projects will notice that the number of bug reporters far exceeds the number of bug fixers. So if you are interested in making a stab at fixing this, by all means do and submit a PR. However, you may have an easier time of it in the decompyle3 project.
Personally, I don't have much interest in particular bugs like this: you have some code you are interested in that you probably didn't write, have never had the source code for, and the code is rather long, uninteresting, and tedious.
Starting in 3.6 the following:
- wordcode instruction operand shortening in jumps,
- the greater use of EXTENDED_ARGS, and
- the optimization added to work around instructions with EXTENDED_ARGS
makes control flow even harder to detect, until we have better analysis in place. This was explored in the control-flow project, but needs to be revised and incorporated into decompyle3.
Given that you list that you work for a security firm, I suspect you and others who use or have used the project get paid for your interest. In fact I would not be surprised if this bug is of interest due to some aspect of your job.
However, I don't get paid for working on stuff like this or this project, and I am increasingly finding that I can no longer support helping out others whether it is in their line of work, or in their hobbies. (I am currently unemployed).
It is possible in the due course of things, as a result of the general improvement and bug fixing process this particular bug will get addressed. Although the bug is tedious in this form, it probably appears often enough in other bytecode as well. Based on past experience, bugs of this kind get addressed in a couple of years or so.
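To illustrate the EXTENDED_ARG point made in the reply above, here is an added example (not code from the issue or from the uncompyle6 project): a small CPython 3.8 wordcode decoder that folds EXTENDED_ARG prefixes into the operand of the next opcode and resolves jump targets, run over hand-assembled bytes that mirror offsets 280..302 and 414..416 of the dump. The opcode numbers are hardcoded 3.8 values, and the name/constant indices in the constructed bytes are made up.

```python
# CPython 3.8 opcode numbers (subset), hardcoded so the decoder does not
# depend on the opcode table of whichever interpreter runs it.
OPNAMES = {
    1: "POP_TOP", 90: "STORE_NAME", 100: "LOAD_CONST", 101: "LOAD_NAME",
    107: "COMPARE_OP", 110: "JUMP_FORWARD", 113: "JUMP_ABSOLUTE",
    114: "POP_JUMP_IF_FALSE", 131: "CALL_FUNCTION", 144: "EXTENDED_ARG",
}
EXTENDED_ARG = 144
HAVE_ARGUMENT = 90          # opcodes >= 90 use their operand byte
ABS_JUMPS = {113, 114}      # 3.8: operand is an absolute byte offset
REL_JUMPS = {110}           # 3.8: operand is relative to the next instruction


def decode(code, base=0, honor_extended_arg=True):
    """Decode 3.8 wordcode into (start, opoff, opname, arg, target) tuples.

    start  - where the instruction begins, EXTENDED_ARG prefixes included;
             this is the offset a jump-target match must use
    opoff  - offset of the real opcode (the "292" in the dump's "290_292")
    target - resolved jump destination for jump opcodes, else None
    With honor_extended_arg=False every prefix is emitted as its own
    instruction and the following operand keeps only its low byte.
    """
    out, ext, start = [], 0, None
    for i in range(0, len(code), 2):
        op, arg, off = code[i], code[i + 1], base + i
        if start is None:
            start = off
        if op == EXTENDED_ARG and honor_extended_arg:
            ext = (ext << 8) | arg      # high bits for the next opcode
            continue
        arg = (ext << 8) | arg if op >= HAVE_ARGUMENT else None
        ext = 0
        target = None
        if op in ABS_JUMPS:
            target = arg
        elif op in REL_JUMPS:
            target = off + 2 + arg
        out.append((start, off, OPNAMES.get(op, "<%d>" % op), arg, target))
        start = None
    return out


def fmt(insn):
    """Render one tuple the way the dump does, e.g. '290_292 POP_JUMP_IF_FALSE 418'."""
    start, off, name, arg, target = insn
    label = "%d_%d" % (start, off) if start != off else "%d" % off
    s = "%s %s" % (label, name)
    if arg is not None:
        s += " %d" % (target if target is not None else arg)
    return s


# Constructed bytes mirroring offsets 280..302 of the dump: the comparisons
# against str(tprt) and 'skip', each ending in an EXTENDED_ARG 1 +
# POP_JUMP_IF_FALSE 162 pair, i.e. target 256 + 162 = 418.
# Name/const indices (12, 13, 14, 7) are made up; COMPARE_OP 3 is '!='.
CODE_280 = bytes([
    101, 12, 101, 13, 101, 14, 131, 1, 107, 3, 144, 1, 114, 162,
    101, 12, 100, 7, 107, 3, 144, 1, 114, 162,
])
# Offsets 414..416 of the dump: JUMP_BACK to 280 (JUMP_ABSOLUTE 256 + 24).
CODE_414 = bytes([144, 1, 113, 24])

if __name__ == "__main__":
    for insn in decode(CODE_280, 280) + decode(CODE_414, 414):
        print(fmt(insn))
    # Without folding EXTENDED_ARG the same bytes read as a jump to 162.
    print(fmt(decode(CODE_280, 280, honor_extended_arg=False)[6]))
```

Decoding the same bytes without folding the prefix yields POP_JUMP_IF_FALSE 162, which is why a control-flow pass has to treat 290_292 as one instruction that begins at 290 when it matches jump sources to targets.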