Reverse Engineer Windows executable file compiled using Python.
$ repyexe <exe_files and pyc_files>
from repyexe.decompile import decompile_exe
decompile_exe("samples/khaki.exe")
The version of Python used must be the same minor version as the one used to compile the file. If a different one is chosen, the script will exit with a message telling you which version to use. Use pyenv or something similar to switch your Python version.
For CX_Freeze files, the Python code is not located within the exe file but in pyc files in lib\library.zip, which needs to be manually extracted (using tools like uncompyle6).
This script aims to automate the reverse engineering of malware for analysis as much as possible.
Most of the Python executable files are compiled using Py2exe, PyInstaller or CX_Freeze. While this script aims to decompile any exe file, it is currently limited to only those compiled using these 3 libraries. A warning will be shown for exe files that do not match the signatures of files compiled using these libraries.
This script can also bypass the following deobsfucation techniques (only enabled on Py2exe):
NOP, ROT_TWO, ROT_THREE, LOAD_CONST & POP_TOPEXTENDED_ARG
Python <= 3.7
Limited support for Python 3.8
Tested on files listed in tested.md
- Python 2 using Py2exe
- Python 3 using Py2exe
- Python 2 using Py2exe with obsfucation
- Python 3 using Py2exe with obsfucation
- Python 2 using PyInstaller
- Python 3 using PyInstaller
- Python 2 using PyInstaller --onefile
- Python 3 using PyInstaller --onefile
- Python 3 using CX_Freeze
- Some
JUMPinstructions toEXTENDED_ARGinstructions result in an error in uncompyle6's ifelsestmt.py file. Make the following changes to the file.
- Also support folders created by the 3 libraries (which would also automate the reverse engineering of files created by CX_Freeze)
- uncompyle6
- pefile
- Repo: PyInstaller Extractor by Extreme Coders
- Repo: bytecode_graph by Joshua Homan, Mandiant
- Article: Deobsfuscating Python Bytecode by Joshua Homan, Mandiant