{"id":13815637,"url":"https://github.com/landaire/unfuck","last_synced_at":"2025-05-15T09:32:55.022Z","repository":{"id":45172192,"uuid":"393113961","full_name":"landaire/unfuck","owner":"landaire","description":"Python 2.7 bytecode d̶e̶o̶b̶f̶u̶s̶c̶a̶t̶o̶r unfucker","archived":false,"fork":false,"pushed_at":"2023-11-12T04:10:16.000Z","size":3126,"stargazers_count":200,"open_issues_count":1,"forks_count":12,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-13T12:06:25.633Z","etag":null,"topics":["deobfuscation","obfuscation","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/landaire.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-08-05T16:48:34.000Z","updated_at":"2025-02-12T08:47:09.000Z","dependencies_parsed_at":"2023-11-12T04:19:57.462Z","dependency_job_id":"44454522-47ea-4efd-8aec-e9eea46c1502","html_url":"https://github.com/landaire/unfuck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/landaire%2Funfuck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/landaire%2Funfuck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/landaire%2Funfuck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/landaire%2Funfuck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/landaire","download_url":"https://codeload.github.com/landaire/unfuck/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254313984,"owners_count":22050149,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deobfuscation","obfuscation","reverse-engineering"],"created_at":"2024-08-04T04:03:45.501Z","updated_at":"2025-05-15T09:32:54.601Z","avatar_url":"https://github.com/landaire.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# unfuck\n\nHave fucked Python 2.7 bytecode? Let's `unfuck` it.\n\n## Overview\n\nunfuck is a utility and library for deobfuscating obfuscated Python 2.7 bytecode. It is essentially a reimplementation of the Python VM with taint tracking. Some of the things unfuck can do:\n\n1. Remove opaque predicates\n2. Dead code elimination\n3. Restore some lost function names\n4. Cleanup obfuscated variable names\n\n#1 and #2 are the two biggest items that Python decompilers trip over when attempting to reconstruct original Python source code.\n\nunfuck basically makes your bytecode go from this to this:\n\n![Obfuscated code](./img/graph_view_obfuscated_thumb.png)\n![Deobfuscated code](./img/graph_view_deobfuscated_thumb.png)\n\nOr from this to this:\n\n[![Obfuscated vs deobfuscated code hex dump](./img/obfuscated_bytecode_thumb.png)](./img/obfuscated_bytecode.png)\n\nYes, these are real-world examples.\n\n### Useful Wiki Resources\n\n- [Obfuscation Tricks](https://github.com/landaire/unfuck/wiki/Obfuscation-Tricks)\n- [Deobfuscation Passes](https://github.com/landaire/unfuck/wiki/Deobfuscation-Passes)\n- [Debugging Failed Decompilation](https://github.com/landaire/unfuck/wiki/Debugging-Failed-Decompilation)\n\n## Usage\n\nunfuck can either be used as a library or a command-line utility.\n\n```\nunfuck 0.2.0\n\nUSAGE:\n    unfuck [FLAGS] [OPTIONS] \u003cinput-obfuscated-file\u003e \u003coutput-path\u003e [graphs-dir] [SUBCOMMAND]\n\nFLAGS:\n        --dry        Dry run only -- do not write any files\n    -g               Enable outputting code graphs to dot format\n    -h, --help       Prints help information\n    -q               Disable all logging\n    -V, --version    Prints version information\n    -v               Enable verbose logging\n\nOPTIONS:\n        --decompiler \u003cdecompiler\u003e    Your favorite Python 2.7 bytecode decompiler. This program assumes the decompiler's\n                                     first positional argument is the file to decompile, and it prints the decompiled\n                                     output to stdout [env: UNFUCK_DECOMPILER=]  [default: uncompyle6]\n\nARGS:\n    \u003cinput-obfuscated-file\u003e    Input obfuscated file\n    \u003coutput-path\u003e              Output file name or directory name. If this path is a directory, a file will be\n                               created with the same name as the input. When the `strings-only` subcommand is\n                               applied, this will be where the output strings file is placed\n    \u003cgraphs-dir\u003e               An optional directory for graphs to be written to [default: .]\n\nSUBCOMMANDS:\n    help            Prints this message or the help of the given subcommand(s)\n    strings-only\n```\n\nTo unfuck a single file:\n\n```\n# deobfuscated.pyc can also be a directory\nunfuck obfuscated.pyc deobfuscated.pyc\n```\n\nYou can also provide additional flags to dump strings to a file, or dump `dot` graphs that can be viewed in graphviz:\n\n```\n# -g is for printing graphs\nunfuck -g obfuscated.pyc deobfuscated.pyc\n# use the strings-only subcommand for dumping just dumping strings -- no deobfuscation is performed\nunfuck deobfuscated.pyc ./strings.csv strings-only\n```\n\n### Building\n\nunfuck requires Python 2.7 in your system's `PATH`. After ensuring it's present, you should be able to just `cargo build`. If for some reason the correct interpreter cannot be found, try setting the `PYTHON_SYS_EXECUTABLE` env var to your Python 2.7 interpreter path.\n\n### Installing\n\n`cargo install --force unfuck`\n\n### Library Usage\n\n**NOTE:** unfuck was not originally designed with library usage in mind, and therefore brings its own multithreading platform (in this case, Rayon).\n\nUsage is fairly straightforward:\n\n```rust\nuse std::convert::TryInto;\nuse std::fs::File;\n\nlet mut pyc_contents = vec![];\nlet pyc_file = File::open(\"obfuscated.pyc\")?;\npyc_file.read_to_end(\u0026mut pyc_contents)?;\n\n// magic/moddate are specific to the PYC header and are required to be\n// a valid PYC file\nlet magic = u32::from_le_bytes(pyc_contents[0..4].try_into().unwrap());\nlet moddate = u32::from_le_bytes(pyc_contents[4..8].try_into().unwrap());\n\nlet pyc_contents = \u0026pyc_contents[8..];\n\n// Use a standard Python 2.7 opcode table\nlet deobfuscator = unfuck::Deobfuscator::\u003cpydis::opcode::py27::Standard\u003e::new(pyc_contents);\nlet deobfuscator = if enable_graphs {\n    deobfuscator.enable_graphs()\n} else {\n    deobfuscator\n};\n\nlet deobfuscated_code = deobfuscator.deobfuscate()?;\n\nlet mut deobfuscated_file = File::create(\"deobfuscated.pyc\")?;\ndeobfuscated_file.write_all(\u0026magic.to_le_bytes()[..])?;\ndeobfuscated_file.write_all(\u0026moddate.to_le_bytes()[..])?;\ndeobfuscated_file.write_all(deobfuscated_code.data.as_slice())?;\n```\n\n## greetz\n\ngabe_k, yrp, lpcvoid, folks from the WD disc, squif, ian, pie doom, saruhan","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flandaire%2Funfuck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flandaire%2Funfuck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flandaire%2Funfuck/lists"}