https://github.com/knight0x07/pyc2bytecode

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)
https://github.com/knight0x07/pyc2bytecode

blueteam cybersecurity disassembler infosec infosectools malware-analysis malware-research python reverse-engineering security-tools static-analysis threat-intelligence

Last synced: 3 months ago
JSON representation

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)

• Host: GitHub
• URL: https://github.com/knight0x07/pyc2bytecode
• Owner: knight0x07
• Created: 2022-01-12T15:38:44.000Z (almost 3 years ago)
• Default Branch: main
• Last Pushed: 2023-05-28T21:24:57.000Z (over 1 year ago)
• Last Synced: 2024-04-09T10:33:56.030Z (7 months ago)
• Topics: blueteam, cybersecurity, disassembler, infosec, infosectools, malware-analysis, malware-research, python, reverse-engineering, security-tools, static-analysis, threat-intelligence
• Language: Python
• Homepage:
• Size: 5.86 KB
• Stars: 127
• Watchers: 8
• Forks: 23
• Open Issues: 3
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - knight0x07/pyc2bytecode - A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Py (Python)

README

        
# pyc2bytecode:

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)

## Usage: 

To run pyc2bytecode:

```

> Console Disassembled Output: python pyc2bytecode.py -p 

> Save Disassembled Output to a file: python pyc2bytecode.py -p  -o  

```

## Demonstration:

**pyc2bytecode** can be used by researchers for reverse engineering Malicious Python Binaries and tear them apart in order to understand the inner workings of the binary statically.

We execute pyc2bytecode.py against **onlyfans.pyc** which is extracted from a recent Python ransomware sample masquerading as an **OnlyFans** executable in the wild using [pyinstxtractor.py](https://github.com/countercept/python-exe-unpacker/blob/master/pyinstxtractor.py)

Following are the analysis results extracted post execution of **pyc2bytecode**:

![2](https://user-images.githubusercontent.com/60843949/149174687-0191b9f2-89e0-493e-b140-0f3b2adc5af6.PNG)

![3](https://user-images.githubusercontent.com/60843949/149175102-fe0c9214-c7cd-4f78-87a0-aa25c4571196.PNG)

![7](https://user-images.githubusercontent.com/60843949/149175411-fc4606c4-4f42-49ad-9724-4d60ba81e7fa.PNG)

![8](https://user-images.githubusercontent.com/60843949/149175512-6c577c97-d4d3-4f8f-a409-cb327eb84a23.PNG)

![9](https://user-images.githubusercontent.com/60843949/149175534-f3bb9f11-8ca7-4564-8281-ebc7d32a6e34.PNG)

**Extract the Disassembled output into a text file**

![output-file](https://user-images.githubusercontent.com/60843949/149175676-34e76764-c7e9-4990-8c4c-ef3cda214450.PNG)

![10](https://user-images.githubusercontent.com/60843949/149175797-8075b3e1-61e5-4645-a693-688539c36b6a.PNG)

## Future Development:

- Develop Python decompiler for recent python versions by using pyc2bytecode (Need to DIS it up :p)

## Credits & References:

i) https://github.com/google/pytype/blob/main/pytype/pyc/magic.py - Magic Numbers	

ii) https://nedbatchelder.com/blog/200804/the_structure_of_pyc_files.html - PYC structure	

iii) https://docs.python.org/3/library/dis.html - DIS	

iv) https://docs.python.org/3/library/marshal.html- Marshal	

**Thankyou, Feedback would be greatly appreciated! hope you like the tool :) - knight!**