python 解包exe简略流程
1. 用 tool 目录下的 pyinstxtractor.py 对 xxx.exe 解包（工具地址：https://github.com/extremecoders-re/pyinstxtractor）
2. 打开十六进制编辑工具（如 UltraEdit），参考 struct.pyc 的文件头为主文件添加/修改 pyc 头，通常为 b"\x42\x0D\x0D\x0A\x00\x00\x00\x00\x70\x79\x69\x30\x10\x01\x00\x00"
3. 用 uncompyle6 -o . xx.pyc 反编译 pyc（uncompyle6 可通过 pip 安装）
4. 如已加密，先按上述方式反编译 pyimod00_crypto_key.pyc 找到密钥 key，
再参考 decrypt_pyc.py 解密待处理的 pyc，最后用 uncompyle6 反编译。
import zlib
import tinyaes
# AES block size in bytes; the encrypted file starts with one block of IV.
CHIPHER_BLOCK_SIZE = 16
# Placeholder: replace with the key recovered from pyimod00_crypto_key.pyc
# (PyInstaller's --key value, normally 16 bytes; see step 4 of the notes above).
key = b"12345"
# 16-byte pyc header prepended to the decrypted code object: the 4-byte magic
# number (must match the interpreter that built the exe -- take it from
# struct.pyc, as the notes above say), then the remaining 12 header bytes
# (presumably the PEP 552 flags/timestamp/size fields).  Same value as the
# header quoted in the notes above.
pyc_header = bytes.fromhex("420d0d0a" "00000000" "70796930" "10010000")
# Encrypted module to decrypt, at the path laid out by pyinstxtractor.
file_input = 'PYZ-00.pyz_extracted/crackme.pyc.encrypted'
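def dec_file(filename):
    """Decrypt one PyInstaller-encrypted .pyc and write a loadable .pyc next to it.

    Layout handled (see the PyInstaller link below): the first
    ``CHIPHER_BLOCK_SIZE`` bytes of the file are the AES-CTR IV, the rest is
    the zlib-compressed code object encrypted with the module-level ``key``.
    The output is ``pyc_header`` followed by the decompressed code object.

    Args:
        filename: path of the ``*.encrypted`` file.  The output path is the
            same path with the ``.encrypted`` suffix removed; if the suffix
            is absent, ``.dec`` is appended instead.

    Raises:
        ValueError: if the input is shorter than one IV block.
        zlib.error: if the decrypted bytes are not a valid zlib stream
            (typically a wrong key); nothing is written in that case.
        OSError: if the input cannot be read or the output written.
    """
    suffix = ".encrypted"
    # str.strip('encrypted') removes a *set* of characters from both ends, so
    # it also ate a leading 'c'/'r'/'e'/... of the file name (e.g.
    # 'crackme.pyc.encrypted' -> 'ackme.pyc'); cut the literal suffix instead.
    if filename.endswith(suffix):
        foutput = filename[:-len(suffix)]
    else:
        foutput = filename + ".dec"

    with open(filename, "rb") as en_f:
        origin_encrypted_data = en_f.read()
    if len(origin_encrypted_data) < CHIPHER_BLOCK_SIZE:
        raise ValueError(f"{filename}: too short to contain an IV block")

    # Decrypt program path: https://github.com/pyinstaller/pyinstaller/blob/faee2a99deae6c9f8e1e67606a5f43af974e3fd4/PyInstaller/loader/pyimod02_archive.py#L264
    iv = origin_encrypted_data[:CHIPHER_BLOCK_SIZE]
    cipher = tinyaes.AES(key, iv)
    decrypted_data = cipher.CTR_xcrypt_buffer(origin_encrypted_data[CHIPHER_BLOCK_SIZE:])
    # A wrong key usually surfaces here as zlib.error, before any output exists.
    plaintext = zlib.decompress(decrypted_data)

    # Open the output only after decryption succeeded, so a failed run does
    # not leave an empty or truncated .pyc behind.
    with open(foutput, "wb") as de_f:
        de_f.write(pyc_header)
        de_f.write(plaintext)
    print(f'{foutput} Done!')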
def main():
    """Decrypt the single file named by ``file_input``, then report completion."""
    dec_file(file_input)
    print('All Done!')


if __name__ == "__main__":
    main()