GitBook: [#2830] update .pyc

SUMMARY.md

@@ -469,7 +469,7 @@
     * [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
     * [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
   * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
-    * [.pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+    * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
     * [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
     * [Desofuscation vbs (cscript.exe)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
     * [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)

forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md

@@ -1,8 +1,37 @@
-# .pyc
+# Decompile compiled python binaries (exe, elf) - Retreive from .pyc
 
-## Getting the code
+## From Compiled Binary to .pyc
 
-For the .pyc binaries ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
+From an **ELF **compiled binary you can **get the .pyc **with:
+
+```bash
+pyi-archive_viewer <binary>
+# The list of python modules will be given like here:
+[(0, 230, 311, 1, 'm', 'struct'),
+ (230, 1061, 1792, 1, 'm', 'pyimod01_os_path'),
+ (1291, 4071, 8907, 1, 'm', 'pyimod02_archive'),
+ (5362, 5609, 13152, 1, 'm', 'pyimod03_importers'),
+ (10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'),
+ (12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'),
+ (13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'),
+ (13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'),
+ (15090, 445, 672, 1, 's', 'pyi_rth_inspect'),
+ (15535, 2514, 4421, 1, 's', 'binary_name'),
+...
+
+? X binary_name
+to filename? /tmp/binary.pyc
+```
+
+In an **python exe binary** compiled you can **get the .pyc **by running:
+
+```bash
+python pyinstxtractor.py executable.exe
+```
+
+## From .pyc to python code
+
+For the **.pyc **data ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
 
 ```bash
 uncompyle6 binary.pyc  > decompiled.py
@@ -10,7 +39,46 @@ uncompyle6 binary.pyc  > decompiled.py
 
 **Be sure** that the binary has the **extension** "**.pyc**" (if not, uncompyle6 is not going to work)
 
-After extracting it, it will be more easy to analyze.
+While executing **uncompyle6 **you might find the **following errors**:
+
+### Error: Unknown magic number 227
+
+```bash
+/kali/.local/bin/uncompyle6 /tmp/binary.pyc
+Unknown magic number 227 in /tmp/binary.pyc
+```
+
+In order to fix this you need to **add the correct magic number **at the begging of the generated fil.
+
+**Magic numbers vary with the python version**, to get the magic number of **python3.8** you will need to **open a python3.8** terminal and execute:
+
+```
+>> import imp
+>> imp.get_magic().hex()
+'550d0d0a'
+```
+
+The **magic number **in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add **at the **begging **of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000`
+
+**Once **you have **added **that magic header, the** error should be fixed.**
+
+This is how a correctly added **.pyc python3.8 magic header** will looks like:
+
+```bash
+hexdump 'binary.pyc' | head
+0000000 0d55 0a0d 0000 0000 0000 0000 0000 0000
+0000010 00e3 0000 0000 0000 0000 0000 0000 0000
+0000020 0700 0000 4000 0000 7300 0132 0000 0064
+0000030 0164 006c 005a 0064 0164 016c 015a 0064
+```
+
+### Error: Decompiling generic errors
+
+**Other errors **like: `class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'>` may appear.
+
+This probably means that you** haven't added correctly** the magic number or that you haven't **used **the **correct magic number**, so make **sure you use the correct one** (or try a new one).
+
+Check the previous error documentation.
 
 ## Analyzing python assembly
 

reversing/reversing-tools-basic-methods/README.md

@@ -201,14 +201,14 @@ The **Create Dump** option will dump the final shellcode if any change is done t
 
 ### Disassembling using CyberChef
 
-Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To_Hex\('Space',0\)Disassemble_x86\('32','Full%20x86%20architecture',16,0,true,true\))
+Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
 
 ## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
 
 This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
 
-* [https://www.youtube.com/watch?v=2VF_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY)
-* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the_movfuscator.pdf)
+* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF\_wPkiBJY)
+* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf)
 
 If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies
 
@@ -219,7 +219,7 @@ apt-get install libz3-dev
 
 And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) (`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`)
 
-If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) 
+If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) 
 
 ## Rust
 
@@ -250,6 +250,14 @@ Just press** ATL+f7 **(import python plugin in IDA) and select the python plugin
 
 This will resolve the names of the functions.
 
+## Compiled Python
+
+In this page you can find how to get the python code from an ELF/EXE python compiled binary:
+
+{% content-ref url="../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
+[.pyc.md](../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+{% endcontent-ref %}
+
 ## GBA - Game Body Advance
 
 If you get the **binary **of a GBA game you can use different tools to **emulate **and **debug **it:
@@ -307,7 +315,7 @@ void FUN_080015a8(void)
   uVar4 = DAT_030004d8;
 ```
 
- It's found this code:
+ It's found this code:
 
 ```c
   do {
@@ -369,5 +377,5 @@ So, in this challenge, knowing the values of the buttons, you needed to** press
 
 ## Courses
 
-* [https://github.com/0xZ0F/Z0FCourse_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
+* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering)
 * [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)