反编译

分析&查壳


程序由 Python 编写，并加了 UPX 壳

解包PyInstaller结构

脱壳后提取字节码
# Install the PyInstaller extraction tool
pip install pyinstxtractor
# Extract the bundled scripts/bytecode from the exe after the UPX layer has been removed
python pyinstxtractor.py unpacked.exe


反编译字节码

定位主脚本文件（如 main、app、struct 等）
# Install the decompiler
pip install uncompyle6

# Decompile the repaired .pyc (header / magic number fixed first, see the notes below) to source
uncompyle6 main.pyc > main_decompiled.py
----------------------------------------
1. 如果 pyc 文件缺少 Magic Number，可以获取对应 Python 版本的 Magic Number 来修复文件头信息。
2. 如果代码经过混淆，需要先解混淆!!!

部分源码

def set_console_icon(path):
    """Load an icon file and assign it to the current console window (Win32 only).

    Args:
        path: Path of the ``.ico`` file to load; a relative path is resolved
            against the process's current working directory.

    Returns:
        None. The Win32 return values are not checked: if the icon cannot be
        loaded, ``LoadImageW`` yields a null handle and that null handle is what
        gets sent to the window.
    """
    user32 = ctypes.windll.user32
    # LoadImageW(hInst, name, IMAGE_ICON=1, cx=32, cy=32, LR_LOADFROMFILE=0x10)
    icon_handle = user32.LoadImageW(None, path, 1, 32, 32, 16)
    console_hwnd = ctypes.windll.kernel32.GetConsoleWindow()
    # WM_SETICON (0x80), once for ICON_BIG (1) and once for ICON_SMALL (0).
    for icon_kind in (1, 0):
        user32.SendMessageW(console_hwnd, 128, icon_kind, icon_handle)
# Module-level side effect at startup: replaces the console icon with
# 'bot.ico', looked up relative to the current working directory.
set_console_icon('bot.ico')

def generate_random_name():
    """Return a random ``<letters>.exe`` string.

    The stem is 10 to 20 lowercase ASCII letters drawn from the module-level
    ``random`` generator (one ``randint`` call for the length, one ``choices``
    call for the letters), followed by the literal ``.exe`` suffix.

    Returns:
        A string such as ``'abcdefghij.exe'`` (constructed example).
    """
    name_len = random.randint(10, 20)
    letters = random.choices(string.ascii_lowercase, k=name_len)
    return f"{''.join(letters)}.exe"

def set_console_title(title):
    """Set the title of the current console window via Win32 ``SetConsoleTitleW``.

    Args:
        title: The new title string.

    Returns:
        None. The Win32 return value is not checked.
    """
    kernel32 = ctypes.windll.kernel32
    kernel32.SetConsoleTitleW(title)
# Startup sequence (module level, runs on import):
# 1. Pick a random "<letters>.exe" string and use it as the console title.
#    Only the console window *title* changes (SetConsoleTitleW); the executable
#    name and the process name seen by the OS are unchanged, so the log line
#    below overstates what was randomised.
random_title = generate_random_name()
set_console_title(random_title)
logging.info(f'软件进程已随机化为: {random_title}')
# 2. Print the banner (ascii_banner is defined elsewhere in this file) and log
#    that the KeyAuth client is about to be initialised.
print(ascii_banner)
logging.info('初始化 KeyAuth...')

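def getchecksum():
    """Return the MD5 hex digest of the running script/executable (``sys.argv[0]``).

    The digest is passed to the KeyAuth client as ``hash_to_check``, presumably
    so the service can compare it with the hash registered for this build; MD5
    is kept because that is the value the other side expects.

    Returns:
        A 32-character lowercase hex string.

    Raises:
        OSError: if ``sys.argv[0]`` cannot be opened for reading (for example
            when it is not a real file path).
    """
    md5_hash = hashlib.md5()
    with open(sys.argv[0], 'rb') as f:
        # Read in bounded chunks instead of loading the whole binary into memory.
        for chunk in iter(lambda: f.read(1 << 16), b''):
            md5_hash.update(chunk)
    return md5_hash.hexdigest()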
from keyauth import api
# Base directory for runtime files: the *current working directory* with a
# trailing separator (os.path.join(x, '') appends the separator), not the
# directory the executable lives in. The license lookup below therefore
# depends on where the program was launched from.
TEMPLATE_DIR = os.path.join(os.getcwd(), '')
# The saved license key is kept as plain text in key.txt inside that directory.
LICENSE_FILE = os.path.join(TEMPLATE_DIR, 'key.txt')

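def load_license():
    """Return the license string saved in LICENSE_FILE, or None if there is none.

    The file is opened directly and a missing file is treated as "no saved
    license", instead of checking ``os.path.exists`` first; this removes the
    check-then-open race. Other I/O errors (permissions, a directory at that
    path) propagate as before.

    Returns:
        The file's contents with surrounding whitespace stripped, or None when
        the file does not exist. An empty file yields ``''``.
    """
    try:
        with open(LICENSE_FILE, 'r') as f:
            return f.read().strip()
    except FileNotFoundError:
        return None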

def save_license(username):
    """Write the license string to LICENSE_FILE, replacing any previous content.

    Args:
        username: The license text to persist. The parameter name is the
            original author's; the value stored is the KeyAuth license string
            that ``load_license`` later reads back.

    Returns:
        None.
    """
    with open(LICENSE_FILE, 'w') as out:
        print(username, end='', file=out)
# KeyAuth client bound to this build. Application name and owner id are the
# values recovered from the binary; hash_to_check is the MD5 of the running
# executable (see getchecksum), so a modified binary presents a different hash.
keyauthapp = api(name='Rliccc69\'s Application', ownerid='QToYPije5f', version='1.3', hash_to_check=getchecksum())

def prompt_license():
"""提示用户输入许可证,或者直接使用已保存的许可证""" # inserted
saved_license = load_license()
if saved_license:
print(f'检测到已保存的许可证:{saved_license}')
logging.info(f'检测到已保存的许可证:{saved_license}')
keyauthapp.license(saved_license)
return None