PyInstaller/Python代码的加密编译与反编译

createh52个月前 (02-01)技术教程25

Demo代码

import time
# 这是注释
start = time.time()
number = 0
print(number)

PyInstaller打包时加密.pyc代码

Python bytecode modules can be obfuscated with AES256 by specifying an encryption key on PyInstaller’s command line. Please note that it is still very easy to extract the key and get back the original bytecode, but it should prevent most forms of “casual” tampering. See Encrypting Python Bytecode for details.

程序入口的Python文件,如demo.py不会加密,只要加密import的模块,所以不要把主要代码写在入口文件上。

pyinstaller --key 123 demo.py

即下述生成的demo.pyc没有加密,其导入的模块打包于子文件PYZ-00.pyz中,解开可以看到其是有加密的后缀.pyc.encrypted。为何入口文件没加密?

demo.pyc
pyiboot01_bootstrap.pyc
pyimod00_crypto_key.pyc
pyimod01_archive.pyc
pyimod02_importers.pyc
pyimod03_ctypes.pyc
pyimod04_pywin32.pyc
pyi_rth_subprocess.pyc
PYZ-00.pyz
struct.pyc

解密PyInstaller加密的.pyc.encrypted代码

PyInstaller use tinyaes-py to encrypt Python bytecode from 4.2, previously it used Pycrypto. https://github.com/pyinstaller/pyinstaller/pull/4652

有两个方法:一是使用 pyinstxtractor-ng 解包PyInstaller打包的bundle中的demo.exe文件时附带解密掉;二是对 pyinstxtractor 解包后的 .pyc.encrypted 手动解密。

pyinstxtractor-ng附带解密pyc.encrypted


https://github.com/pyinstxtractor/pyinstxtractor-ng 集成解密功能,看它的代码应该也不是100%解密成功。

python .\pyinstxtractor-ng.py .\dist\demo\demo.exe

手动解密pyc.encrypted代码为.pyc

import sys

class Cipher(object):
    """
    This class is used only to decrypt Python modules.
    """
    def __init__(self):
        # At build-type the key is given to us from inside the spec file, at
        # bootstrap-time, we must look for it ourselves by trying to import
        # the generated 'pyi_crypto_key' module.
        import pyimod00_crypto_key
        key = pyimod00_crypto_key.key

        assert type(key) is str
        if len(key) > CRYPT_BLOCK_SIZE:
            self.key = key[0:CRYPT_BLOCK_SIZE]
        else:
            self.key = key.zfill(CRYPT_BLOCK_SIZE)
        assert len(self.key) == CRYPT_BLOCK_SIZE
        import tinyaes
        self._aesmod = tinyaes
        # Issue #1663: Remove the AES module from sys.modules list. Otherwise
        # it interferes with using 'tinyaes' module in users' code.
        del sys.modules['tinyaes']

    def __create_cipher(self, iv):
        # The 'AES' class is stateful, this factory method is used to
        # re-initialize the block cipher class with each call to xcrypt().
        return self._aesmod.AES(self.key.encode(), iv)

    def decrypt(self, data):
        cipher = self.__create_cipher(data[:CRYPT_BLOCK_SIZE])
        return cipher.CTR_xcrypt_buffer(data[CRYPT_BLOCK_SIZE:])

if __name__ == '__main__':
    import zlib

    CRYPT_BLOCK_SIZE = 16

    inf = open('/home/a/a.exe_extracted/PYZ-00.pyz_extracted/yamnet.pyc.encrypted', 'rb') # encrypted file input
    outf = open('yamnet.pyc', 'wb') # output file 

    cipher = Cipher()

    # Decrypt and decompress
    plaintext = zlib.decompress(cipher.decrypt(inf.read()))

    # Write pyc header
    # get from importlib.util.MAGIC_NUMBER.hex()
    outf.write(b'\x55\x0d\x0d\x0a\0\0\0\0')

    # Write decrypted data
    outf.write(plaintext)

    inf.close()
    outf.close()

解包PyInstaller打包的exe

PyInstaller Extractor is a Python script to extract the contents of a PyInstaller generated Windows executable file https://github.com/extremecoders-re/pyinstxtractor

更新:作者的新库
https://github.com/pyinstxtractor/pyinstxtractor-ng 集成反汇编xdis与解密Pyinstaller的加密代码。

反汇编disassembler

即反汇编(disassembler)字节码.pyc为用户可读的指令列表,
https://github.com/rocky/python-xdis 这个库支持跨Python版本反汇编,其安装完提供一个命令行工具
pydisasm.exepydisasm.exe .\demo.exe_extracted\demo.pyc的结果如下所示。

# pydisasm version 6.0.4
# Python bytecode 3.8.0 (3413)
# Disassembled from Python 3.8.12 (default, Oct 12 2021, 03:01:40) [MSC v.1916 64 bit (AMD64)]
# Timestamp in code: 0 (1970-01-01 08:00:00)
# Source code size mod 2**32: 0 bytes
# Method Name:       
# Filename:          demo.py
# Argument count:    0
# Position-only argument count: 0
# Keyword-only arguments: 0
# Number of locals:  0
# Stack size:        2
# Flags:             0x00000040 (NOFREE)
# First Line:        1
# Constants:
#    0: 0
#    1: None
# Names:
#    0: time
#    1: start
#    2: number
#    3: print
  1:           0 LOAD_CONST           (0)
               2 LOAD_CONST           (None)
               4 IMPORT_NAME          (time)
               6 STORE_NAME           (time)

  3:           8 LOAD_NAME            (time)
              10 LOAD_METHOD          (time)
              12 CALL_METHOD          0
              14 STORE_NAME           (start)

  4:          16 LOAD_CONST           (0)
              18 STORE_NAME           (number)

  5:          20 LOAD_NAME            (print)
              22 LOAD_NAME            (number)
              24 CALL_FUNCTION        1
              26 POP_TOP
              28 LOAD_CONST           (None)
              30 RETURN_VALUE

反编译decompile

即反编译(decompiler)字节码.pyc为Python源代码。
https://github.com/rocky/python-decompile3 目前只支持Python 3.7-3.8,Python 3.9+还不支持。所以,使用高版本的Python,字节码被反编译的概率更小,更安全。反编译结果如下所示,源代码中的注释没有了。

$ decompyle3.exe .\demo.exe_extracted\demo.pyc
# decompyle3 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.8.12 (default, Oct 12 2021, 03:01:40) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: demo.py
import time
start = time.time()
number = 0
print(number)
# okay decompiling .\demo.exe_extracted\demo.pyc

Use https://github.com/rocky/python-decompile3. Unlike Java, there is no pretty mature tool for Python code decompilation.

But, it may raise error: `ValueError: bad marshal data (unknown type code) sometimes.

For complete decrypt, this maybe help.

https://github.com/pyinstaller/pyinstaller/blob/253feb7e16cd3a6a6d3ea2fb80c3491d30671e39/PyInstaller/loader/pyimod02_archive.py#L265

F.Y.I

def extract(self, name):
    (typ, pos, length) = self.toc.get(name, (0, None, 0))
    if pos is None:
        return None
    with self.lib:
        self.lib.seek(self.start + pos)
        obj = self.lib.read(length)
    try:
        if self.cipher:
            obj = self.cipher.decrypt(obj)
        obj = zlib.decompress(obj)
        if typ in (PYZ_TYPE_MODULE, PYZ_TYPE_PKG):
            obj = marshal.loads(obj)
    except EOFError:
        raise ImportError("PYZ entry '%s' failed to unmarshal" % name)
    return typ, obj

相关文章

你的代码被反编译啊?如何防止java jar被反编译,大佬们快看过来

你的代码被反编译了嘛?我们将如何防止java jar被反编译,大佬们快看过来大家晚上好,这里是互联网技术学堂,今天来谈谈,如何防止java jar被反编译。如果你有兴趣,那就点赞、关注、分享吧。为什么...

达内java培训专家:7款开源Java反编译工具

反编译听起来是一个非常高上大的技术词汇,通俗的说,反编译是一个对目标可执行程序进行逆向分析,从而得到原始代码的过程。达内java培训(java.tedu.cn)专家今天要来分享一些关于Java的反编译...

记一次噩梦般的经历--论学会反编译的重要性

最近在做一个android项目,因为非开源,github上也没购有私有库,所以就没有提交github管理。昨天我感觉写到了一定程度,一个小的版本已经出来了,于是就想U盘和网盘都备份一下。结果出现了下面...

初试安卓软件反编译破解软件的方法

出于对反编译的好奇心,今天特意测试了一下安卓软件的反编译,好吧,废话少说,直奔主题。首先下载软件,apk编辑器。像这样。不是旁边那个编译器。第二步,安装。这个都会。第三步,直接打开。看下图在这里,你可...

「O泡果奶」软件反编译破解(o泡果奶魔性软件)

0x00 事由最近一些高校出现了会以最大音量外放音频且无法退出的恶搞Android App,造成了一些不好的影响。恰好借这个机会尝试通过逆向工程分析其原理,同时这个App也使用了Lua脚本并进行了加密...