pyc2bytecode:
A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)
Usage:
To run pyc2bytecode:
> Console Disassembled Output: python pyc2bytecode.py -p
> Save Disassembled Output to a file: python pyc2bytecode.py -p
-o
Demonstration:
pyc2bytecode can be used by researchers for reverse engineering Malicious Python Binaries and tear them apart in order to understand the inner workings of the binary statically.
We execute pyc2bytecode.py against onlyfans.pyc which is extracted from a recent Python ransomware sample masquerading as an OnlyFans executable in the wild using pyinstxtractor.py
Following are the analysis results extracted post execution of pyc2bytecode:
Extract the Disassembled output into a text file
Future Development:
- Develop Python decompiler for recent python versions by using pyc2bytecode (Need to DIS it up :p)
Credits & References:
i) https://github.com/google/pytype/blob/main/pytype/pyc/magic.py - Magic Numbers
ii) https://nedbatchelder.com/blog/200804/the_structure_of_pyc_files.html - PYC structure
iii) https://docs.python.org/3/library/dis.html - DIS
iv) https://docs.python.org/3/library/marshal.html- Marshal
Thankyou, Feedback would be greatly appreciated! hope you like the tool :) - knight!