How do you reverse engineer an EXE "compiled" with PyInstaller

23

11

Having recently watched/read a presentation given by Dave Kennedy at DEF CON 20 [PDF], I'd like to know how to decompile a Python script compiled with PyInstaller.

In his presentation, he is creating a basic reverse shell script in Python, and converts it to an EXE with PyInstaller.

My question is how do you take a PyInstaller-created EXE and either completely, or generally, retrieve the logic/source code from the original Python script(s)?

Mick

Posted 2013-03-22T14:01:31.240

Reputation: 5 920

Answers

25

  1. extract EXE's appended data (block starting with PYZ, until the end of the file)
  2. extract wanted files with PyInstaller's archive viewer
  3. decompyle .PYCs - I personally recommend Uncompyle2 for that.

Ange

Posted 2013-03-22T14:01:31.240

Reputation: 5 554

A more up-to-date Uncompyle is at https://pypi.python.org/pypi/uncompyle6

– Peanut – 2016-09-05T22:19:15.180

There is also help in this post: https://stackoverflow.com/questions/18303122/how-to-decompile-files-from-pyinstaller-pyz-file

You can use this script to extract the files: https://sourceforge.net/projects/pyinstallerextractor/

Version 1.8 is also in pastebin: https://pastebin.com/fnMw9AuL

  • Make sure to have pyinstaller installed (pip install pyinstaller)

After extracting the files you can also use this tool: https://sourceforge.net/projects/easypythondecompiler/files/

– E235 – 2017-06-23T09:22:06.833
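The three steps above hinge on the layout of the data PyInstaller appends to the EXE: a table of contents (TOC) of named, zlib-compressed entries followed by a trailing "cookie" that says where the TOC is. The following is an added example (not code from the answer, nor PyInstaller's own) that builds a constructed, hypothetical overlay in that layout and then parses it back the way an extractor does; it assumes the 2.1+ cookie format with the 64-byte pylib name and uses plain text where a real `s` entry would hold a marshalled code object.

```python
import struct
import zlib

# Layout constants of PyInstaller's CArchive (the overlay appended to the PE).
MAGIC = b"MEI\014\013\012\013\016"  # cookie magic at the very end of the overlay
COOKIE_FMT = "!8siiii64s"           # 2.1+ cookie: magic, package len, TOC offset, TOC len, py version, pylib name
ENTRY_FMT = "!iiiiBc"               # TOC entry head: entry len, data offset, compressed len, uncompressed len, zlib flag, type code
ENTRY_HEAD = struct.calcsize(ENTRY_FMT)

# Constructed sample content (hypothetical); real "s" entries hold marshalled code objects, not source text.
DEMO_ENTRIES = [
    ("python27.dll", b"b", b"\x4d\x5a" + b"\0" * 62),        # "b": binary dependency
    ("out00-PYZ.pyz", b"z", b"PYZ\0" + b"\0" * 28),          # "z": PYZ archive holding the .pyc modules
    ("main", b"s", b"print('hello from main')\n"),           # "s": the packed script itself
]


def build_demo_archive(entries):
    """Stand-in writer (not PyInstaller's own) that lays out data, TOC and cookie like a real overlay."""
    body, toc = b"", b""
    for name, typecode, data in entries:
        comp = zlib.compress(data)
        raw_name = name.encode() + b"\0"
        raw_name += b"\0" * (-(ENTRY_HEAD + len(raw_name)) % 16)   # names are null-padded to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, ENTRY_HEAD + len(raw_name), len(body), len(comp), len(data), 1, typecode) + raw_name
        body += comp
    pkg_len = len(body) + len(toc) + struct.calcsize(COOKIE_FMT)
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), 27, b"python27.dll")
    return b"MZ fake PE stub " * 4 + body + toc + cookie        # the stub stands in for the bootloader PE


def parse_carchive(blob):
    """Find the cookie, walk the TOC and return (py version, {name: (type code, inflated data)})."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    cookie_len = struct.calcsize(COOKIE_FMT)
    _magic, pkg_len, toc_off, toc_len, pyver, _pylib = struct.unpack(COOKIE_FMT, blob[cookie_pos:cookie_pos + cookie_len])
    base = cookie_pos + cookie_len - pkg_len          # start of the overlay; all TOC offsets are relative to it
    toc, pos, entries = blob[base + toc_off:base + toc_off + toc_len], 0, {}
    while pos < len(toc):
        entry_len, data_off, csize, usize, zflag, typecode = struct.unpack(ENTRY_FMT, toc[pos:pos + ENTRY_HEAD])
        name = toc[pos + ENTRY_HEAD:pos + entry_len].rstrip(b"\0").decode()
        raw = blob[base + data_off:base + data_off + csize]
        data = zlib.decompress(raw) if zflag else raw  # usize is the expected inflated length
        entries[name] = (typecode.decode(), data)
        pos += entry_len
    return pyver, entries
```

On a real sample you would read the EXE bytes in and pass them to `parse_carchive` instead of the demo blob; the `s` entries are the scripts to hand to a decompiler, and the `z` entry is the PYZ holding the bundled modules.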

10

PyInstaller publishes its source so you can see exactly how it packs the Python code in the executable...

A more general approach would be to use a tool like binwalk on the exe as a first step.

Remko

Posted 2013-03-22T14:01:31.240

Reputation: 2 243

I'm not sure binwalk is the right tool for this job. It'd show you the compressed sections of the executable, but the output would likely have a lot of other false positives as well unless you point it to look for only compressed sections... which defeats the purpose of using it on this type of file, IMHO. – mrduclaw – 2013-03-23T09:09:16.553

@mrduclaw: my experience with binwalk is that it's a good tool to do a high-level scan on unknown binary files to see what might be in there. Especially if we know what we're looking for but don't know in which file it is. I didn't mean to propose binwalk as a complete solution (modified my answer to indicate it's a first step). – Remko – 2013-03-23T10:01:07.857

9

The presentation at hack.lu 2012 titled "A Critical Analysis of Dropbox Software Security" discussed reversing of the Dropbox desktop client, which used a similar implementation but with the added twist of a customized Python interpreter with changed bytecode.

Presentation review: http://blog.csnc.ch/2012/12/asfws-a-critical-analysis-of-dropbox-software-security/
Link to the slides: http://archive.hack.lu/2012/Dropbox%20security.pdf

Igor Skochinsky

Posted 2013-03-22T14:01:31.240

Reputation: 23 976

8

This process should get you as close to the original source as possible.

Basically, what tools like pyinstaller and py2exe do is package libraries and dependencies all together so you can run the 'stand-alone' EXE without having to download them or prepare the machine with a Python interpreter.

When you launch the EXE, it is unpackaged in memory. This includes the .pyc files (Python code that is converted to bytecode). pyREtic is a tool that allows you to grab those from memory and convert them back to source.

https://github.com/MyNameIsMeerkat/pyREtic

pyREtic - Reverse Engineer Obfuscated Python Bytecode

This toolkit allows you to take an object in memory back to source code, without needing access to the bytecode directly on disk. This can be useful if the application's pyc's on disk are obfuscated in one of many ways.

Glides

Posted 2013-03-22T14:01:31.240

Reputation: 369

4

The one-stop solution for all pyinstaller exe things. Use this program to reverse engineer a pyinstaller-generated exe file.

https://sourceforge.net/projects/pyinstallerexerebuilder/

0xec

Posted 2013-03-22T14:01:31.240

Reputation: 4 170