unfuck
1.0.0
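Have fucked Python 2.7 bytecode? Let's unfuck it.
unfuck is a utility and library for deobfuscating obfuscated Python 2.7 bytecode. It is essentially a reimplementation of the Python VM with taint tracking. Some of the things unfuck can do:
#1 and #2 are the two biggest problems Python decompilers run into when they try to reconstruct the original Python source code.
unfuck basically makes your bytecode go from this to this:
Or from this to this:
Yes, these are real-world examples.
unfuck can be used as a library or as a command-line utility.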
unfuck 0.2.0

USAGE:
    unfuck [FLAGS] [OPTIONS] <input-obfuscated-file> <output-path> [graphs-dir] [SUBCOMMAND]

FLAGS:
        --dry        Dry run only -- do not write any files
    -g               Enable outputting code graphs to dot format
    -h, --help       Prints help information
    -q               Disable all logging
    -V, --version    Prints version information
    -v               Enable verbose logging

OPTIONS:
        --decompiler <decompiler>    Your favorite Python 2.7 bytecode decompiler. This program assumes the decompiler's
                                     first positional argument is the file to decompile, and it prints the decompiled
                                     output to stdout [env: UNFUCK_DECOMPILER=] [default: uncompyle6]

ARGS:
    <input-obfuscated-file>    Input obfuscated file
    <output-path>              Output file name or directory name. If this path is a directory, a file will be
                               created with the same name as the input. When the `strings-only` subcommand is
                               applied, this will be where the output strings file is placed
    <graphs-dir>               An optional directory for graphs to be written to [default: .]

SUBCOMMANDS:
    help            Prints this message or the help of the given subcommand(s)
    strings-only
To unfuck a single file:
# deobfuscated.pyc can also be a directory
unfuck obfuscated.pyc deobfuscated.pyc
You can also provide additional flags to dump strings to a file, or to dump dot graphs that can be viewed in graphviz:
# -g is for printing graphs
unfuck -g obfuscated.pyc deobfuscated.pyc
# use the strings-only subcommand for dumping just strings -- no deobfuscation is performed
unfuck deobfuscated.pyc ./strings.csv strings-only
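unfuck requires Python 2.7 in your system's PATH. Once you have confirmed it is present, you should be able to run cargo build. If for some reason the correct interpreter cannot be found, try setting the PYTHON_SYS_EXECUTABLE environment variable to the path of your Python 2.7 interpreter.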
cargo install --force unfuck
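NOTE: unfuck was not originally designed with library usage in mind, and therefore brings its own multithreading platform (in this case, Rayon).
Usage is fairly straightforward: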
use std::convert::TryInto;
use std::fs::File;
use std::io::{Read, Write};

// Assumption: this snippet runs inside a function whose return type works
// with `?`, and `enable_graphs` is a bool supplied by the caller.
let mut pyc_contents = vec![];
let mut pyc_file = File::open("obfuscated.pyc")?;
pyc_file.read_to_end(&mut pyc_contents)?;

// magic/moddate are specific to the PYC header and are required to be
// a valid PYC file
let magic = u32::from_le_bytes(pyc_contents[0..4].try_into().unwrap());
let moddate = u32::from_le_bytes(pyc_contents[4..8].try_into().unwrap());
let pyc_contents = &pyc_contents[8..];

// Use a standard Python 2.7 opcode table
let deobfuscator = unfuck::Deobfuscator::<pydis::opcode::py27::Standard>::new(pyc_contents);
let deobfuscator = if enable_graphs {
    deobfuscator.enable_graphs()
} else {
    deobfuscator
};

let deobfuscated_code = deobfuscator.deobfuscate()?;

// Write the original 8-byte header back in front of the deobfuscated code
let mut deobfuscated_file = File::create("deobfuscated.pyc")?;
deobfuscated_file.write_all(&magic.to_le_bytes()[..])?;
deobfuscated_file.write_all(&moddate.to_le_bytes()[..])?;
deobfuscated_file.write_all(deobfuscated_code.data.as_slice())?;
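The library snippet above slices the 8-byte PYC header with fixed indices, which panics on a truncated file. The following is an added example, not code from unfuck: a checked header split and rebuild using only the standard library. The names `split_pyc`, `join_pyc`, `Pyc` and `PycError` are hypothetical, and it assumes the Python 2.7 layout of a 4-byte magic, a 4-byte modification time, then a marshalled code object whose first byte is `c`.

```rust
// Added example: checked split/rebuild of a Python 2.7 .pyc header (hypothetical helpers).
/// CPython 2.7 magic: 62211 as a little-endian u16, followed by "\r\n".
const PY27_MAGIC: u32 = u32::from_le_bytes([0x03, 0xF3, 0x0D, 0x0A]);
/// Marshal type tag for a code object, expected as the first byte after the header.
const MARSHAL_TYPE_CODE: u8 = b'c';

#[derive(Debug, PartialEq)]
pub enum PycError {
    Truncated(usize),  // input length; too short for header + one body byte
    NotCodeObject(u8), // the tag byte actually found after the header
}

#[derive(Debug, PartialEq)]
pub struct Pyc<'a> {
    pub magic: u32,
    pub moddate: u32,
    pub standard_magic: bool, // reported, not enforced: the magic may have been altered
    pub body: &'a [u8],       // marshalled code object, the slice a deobfuscator would take
}

/// Split a .pyc into header fields and body without panicking on short input.
pub fn split_pyc(data: &[u8]) -> Result<Pyc<'_>, PycError> {
    if data.len() < 9 {
        return Err(PycError::Truncated(data.len()));
    }
    let magic = u32::from_le_bytes([data[0], data[1], data[2], data[3]]);
    let moddate = u32::from_le_bytes([data[4], data[5], data[6], data[7]]);
    let body = &data[8..];
    if body[0] != MARSHAL_TYPE_CODE {
        return Err(PycError::NotCodeObject(body[0]));
    }
    Ok(Pyc { magic, moddate, standard_magic: magic == PY27_MAGIC, body })
}

/// Rebuild a .pyc by writing the original header back in front of a code body.
pub fn join_pyc(magic: u32, moddate: u32, body: &[u8]) -> Vec<u8> {
    [&magic.to_le_bytes()[..], &moddate.to_le_bytes()[..], body].concat()
}

fn main() {
    // Constructed sample: 2.7 magic, zero mtime, stub body starting with 'c'.
    let sample = [0x03, 0xF3, 0x0D, 0x0A, 0, 0, 0, 0, b'c', 0, 0, 0, 0];
    let pyc = split_pyc(&sample).expect("valid header");
    println!("magic={:#010x} standard={}", pyc.magic, pyc.standard_magic);
    assert_eq!(join_pyc(pyc.magic, pyc.moddate, pyc.body), sample.to_vec());
}
```

A non-standard magic is reported through `standard_magic` rather than rejected, so the caller decides whether a file with an altered header should still be processed.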
gabe_k, yrp, lpcvoid, the folks from the WD disc, squif, ian, pie doom, saruhan