A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)
To run pyc2bytecode:
> Console Disassembled Output: python pyc2bytecode.py -p <pyc_file_path>
> Save Disassembled Output to a file: python pyc2bytecode.py -p <pyc_file_path> -o <output_file_path>
pyc2bytecode can be used by researchers to reverse engineer malicious Python binaries and tear them apart in order to understand the inner workings of the binary statically.
Below, we execute pyc2bytecode.py against onlyfans.pyc, which was extracted with pyinstxtractor.py from a recent Python ransomware sample seen in the wild masquerading as an OnlyFans executable.
The following analysis results were extracted after running pyc2bytecode:
Extract the Disassembled output into a text file
i) https://github.com/google/pytype/blob/main/pytype/pyc/magic.py - Magic Numbers
ii) https://nedbatchelder.com/blog/200804/the_structure_of_pyc_files.html - PYC structure
iii) https://docs.python.org/3/library/dis.html - DIS
iv) https://docs.python.org/3/library/marshal.html - Marshal
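To show how the pieces listed in those references fit together (magic-number check, header fields, marshal, dis), here is an added example that is not part of pyc2bytecode: it builds a .pyc image in memory from a constructed sample module, parses the header, and walks every nested code object without executing any of it. It assumes the CPython 3.7+ header layout and the running interpreter's magic number; build_pyc, parse_pyc, walk_code and disassemble_pyc are names chosen here.

```python
import dis
import importlib.util
import marshal
import struct
import time
import types

# Constructed sample module; a real analysis would read the .pyc from disk instead.
SAMPLE_SOURCE = "KEY = 'secret-key'\ndef encrypt(p):\n    return p + KEY\nprint(encrypt('x'))\n"

def build_pyc(source, filename="<constructed>"):
    """Assemble a timestamp-based .pyc image (PEP 552 layout, flags=0) in memory."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, int(time.time()), len(source))
    return header + marshal.dumps(code)

def parse_pyc(data):
    """Return (header dict, top-level code object) for a CPython 3.7+ .pyc.
    Layout: 4-byte magic, 4-byte flags, then (mtime, source size) or an 8-byte
    source hash when bit 0 of flags is set. marshal only rebuilds the code object;
    nothing from the file is executed."""
    magic, flags = data[:4], struct.unpack("<I", data[4:8])[0]
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic %s is not this interpreter's; use the matching Python" % magic.hex())
    header = {"magic": magic.hex(), "flags": flags, "hash_based": bool(flags & 1)}
    if header["hash_based"]:
        header["source_hash"] = data[8:16].hex()
    else:
        header["mtime"], header["source_size"] = struct.unpack("<II", data[8:16])
    return header, marshal.loads(data[16:])

def walk_code(code, prefix=""):
    """Yield (qualified name, code object) for code and every code object nested
    in its co_consts (functions, classes, lambdas, comprehensions)."""
    name = prefix + code.co_name
    yield name, code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const, name + ".")

def disassemble_pyc(data):
    """Map every code object to its opcode names and collect string constants,
    the two things an analyst looks at first when triaging a sample."""
    header, top = parse_pyc(data)
    opcodes, strings = {}, []
    for name, code in walk_code(top):
        opcodes[name] = [ins.opname for ins in dis.get_instructions(code)]
        strings.extend(c for c in code.co_consts if isinstance(c, str))
    return header, opcodes, strings
```

Call `disassemble_pyc(build_pyc(SAMPLE_SOURCE))`, or pass the bytes of a .pyc produced by the same Python version; handling other versions is exactly what pyc2bytecode's magic-number table is for.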
Thank you, feedback would be greatly appreciated! Hope you like the tool :) - knight!