
This code still seems to have problems decompiling some exe files

Open LittFlower opened this issue 2 years ago • 1 comments

When I use the latest version of pyinstxtractor.py, the 1.pyc I get still does not seem to have a correct file header, so uncompyle6 reports an error when I run it:

~ uncompyle6 1.pyc 
Unknown type 0
Traceback (most recent call last):
  File "/home/temp/.local/bin/uncompyle6", line 11, in <module>
    sys.exit(main_bin())
  File "/home/temp/.local/lib/python2.7/site-packages/uncompyle6/bin/uncompile.py", line 194, in main_bin
    **options)
  File "/home/temp/.local/lib/python2.7/site-packages/uncompyle6/main.py", line 328, in main
    do_fragments,
  File "/home/temp/.local/lib/python2.7/site-packages/uncompyle6/main.py", line 230, in decompile_file
    do_fragments=do_fragments,
  File "/home/temp/.local/lib/python2.7/site-packages/uncompyle6/main.py", line 78, in decompile
    assert iscode(co), ("%s does not smell like code" % co)
AssertionError: None does not smell like code

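The exe file I used can be downloaded here (GitHub issues do not seem to allow uploading exe files)

As I understand it, based on the file header of struct.pyc, the correct file header should be: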

image

But the file header of the 1.pyc obtained with this script is:

image

The decompile command I used is: python3 pyinstxtractor.py pyre.exe, which looks normal.

I viewed these two pyc files with the hex editor 010editor; the two images above come from it.

LittFlower avatar Aug 06 '22 12:08 LittFlower

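I modified the source code myself (to automatically add the file header); you can view it here. (It is not necessarily universal, but it solves the problem above.)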

LittFlower avatar Aug 06 '22 12:08 LittFlower

wut??

Blank-c avatar Sep 11 '22 17:09 Blank-c

wut??

What happened?

LittFlower avatar Sep 12 '22 10:09 LittFlower

wut??

What happened?

it would have been better if you wrote in english

Blank-c avatar Sep 13 '22 09:09 Blank-c

wut??

What happened?

it would have been better if you wrote in english

......emm I'm sorry....

LittFlower avatar Sep 14 '22 03:09 LittFlower

This code still seems to have problems with decompilation of some exe's is what it says

KrynixOfficial avatar Sep 15 '22 15:09 KrynixOfficial

Please check again with the latest build. This should be working now.

extremecoders-re avatar Sep 17 '22 10:09 extremecoders-re

In a Python 3.7 environment, run

$ python3.7 pyinstxtractor.py pyre.exe
[+] Processing pyre.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 5796250 bytes
[+] Found 61 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: 1.pyc
[+] Found 133 files in PYZ archive
[+] Successfully extracted pyinstaller archive: pyre.exe

You can now use a python decompiler on the pyc files within the extracted directory

Now you can decompile 1.pyc

$ uncompyle6 pyre.exe_extracted/1.pyc
# uncompyle6 version 3.8.0
# Python bytecode 3.7.0 (3394)
# Decompiled from: Python 3.7.12 | packaged by conda-forge | (default, Oct 26 2021, 06:08:21)
# [GCC 9.4.0]
# Embedded file name: 1.py


def check():
    a = input('plz input your flag:')
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print('wrong length')
        return 0
    b = 179
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print('wrong')
            return

    print('win')


check()
# okay decompiling pyre.exe_extracted/1.pyc

extremecoders-re avatar Sep 17 '22 10:09 extremecoders-re
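
An added example, not part of the thread and not pyinstxtractor's own code: a small check that tells a pyc with a valid header apart from a bare marshalled code object (the "Unknown type 0" case reported above) and prepends a header for the running interpreter. It assumes Python 3.7 or later (16-byte header); the function names are hypothetical and the sample input is constructed.

```python
import importlib.util
import marshal
import struct
import types

MAGIC = importlib.util.MAGIC_NUMBER   # 2-byte version word + b"\r\n"
HEADER_LEN = 16                       # Python 3.7+: magic, flags, two 32-bit fields


def magic_word(data):
    """Version word from a pyc header, e.g. 3394 for Python 3.7."""
    return int.from_bytes(data[:2], "little")


def _is_code(blob):
    # marshal is not hardened against malicious input: use an isolated analysis VM.
    try:
        return isinstance(marshal.loads(blob), types.CodeType)
    except Exception:
        return False


def diagnose(data):
    """Classify a file that is supposed to be a pyc."""
    if data[:4] == MAGIC:
        return "ok" if _is_code(data[HEADER_LEN:]) else "corrupt-body"
    if data[2:4] == b"\r\n":
        return "foreign-magic"    # built by another Python version
    if _is_code(data):
        return "missing-header"   # raw marshalled code object, header stripped
    return "unknown"


def add_header(body):
    """Prepend a header for the running interpreter (flags, mtime, size all zero)."""
    return MAGIC + struct.pack("<III", 0, 0, 0) + body


if __name__ == "__main__":
    # Constructed sample: a code object marshalled without any header.
    body = marshal.dumps(compile("print('hi')", "1.py", "exec"))
    print(diagnose(body), "->", diagnose(add_header(body)))
```

The "missing-header" result is only reliable when the script runs under the same Python version that built the executable, since the marshal format of code objects differs between versions.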

Great! Thanks for your help.

LittFlower avatar Sep 18 '22 02:09 LittFlower