python2 反编译pyinstaller打包的可执行exe文件

先上个链接，基于python3的反编译python打包的exe文件的教程

 https://blog.csdn.net/weixin_46847476/article/details/105358131

故事开始于pyinstxtractor.py 反编译query.exe文件后不会直接生成query.py文件，是没有扩展名的query文件，需要根据struct文件修改query文件，具体是往query文件里添加若干个16进制字符串，此例是16个hex。

C:\Users\netmanager\Desktop\python_test>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 1556-183E

 C:\Users\netmanager\Desktop\python_test 的目录

2020-10-07  20:52    <DIR>          .
2020-10-07  20:52    <DIR>          ..
2020-10-07  20:40                 0 mod_hex_py2.py
2020-10-07  12:26             1,467 query
2020-10-07  20:52                 0 query.py
2020-10-07  12:26             1,467 query.pyc
2020-10-07  12:26               234 struct
               5 个文件          3,168 字节
               2 个目录 56,282,697,728 可用字节

C:\Users\netmanager\Desktop\python_test>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 1556-183E

 C:\Users\netmanager\Desktop\python_test 的目录

2020-10-07  21:21    <DIR>          .
2020-10-07  21:21    <DIR>          ..
2020-10-07  21:21               941 mod_hex_py2.py
2020-10-07  12:26             1,467 query
2020-10-07  20:52                 0 query.py
2020-10-07  12:26             1,467 query.pyc
2020-10-07  21:21             1,475 query2.pyc
2020-10-07  12:26               234 struct
               6 个文件          5,584 字节
               2 个目录 56,280,313,856 可用字节


C:\Users\netmanager\Desktop\python_test>uncompyle6 -o . query2.pyc
query2.pyc --
# Successfully decompiled file

C:\Users\netmanager\Desktop\python_test>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 1556-183E

 C:\Users\netmanager\Desktop\python_test 的目录

2020-10-07  21:23    <DIR>          .
2020-10-07  21:23    <DIR>          ..
2020-10-07  21:21               941 mod_hex_py2.py
2020-10-07  12:26             1,467 query
2020-10-07  20:52                 0 query.py
2020-10-07  12:26             1,467 query.pyc
2020-10-07  21:23             1,401 query2.py
2020-10-07  21:21             1,475 query2.pyc
2020-10-07  12:26               234 struct
               7 个文件          6,985 字节
               2 个目录 56,280,096,768 可用字节

C:\Users\netmanager\Desktop\python_test>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 1556-183E

 C:\Users\netmanager\Desktop\python_test 的目录

2020-10-07  21:37    <DIR>          .
2020-10-07  21:37    <DIR>          ..
2020-10-07  21:37             1,028 mod_hex_py2.py
2020-10-07  12:26             1,467 query
2020-10-07  20:52                 0 query.py
2020-10-07  12:26             1,467 query.pyc
2020-10-07  21:23             1,401 query2.py
2020-10-07  21:21             1,475 query2.pyc
2020-10-07  21:37             1,475 query3.pyc
2020-10-07  12:26               234 struct
               8 个文件          8,547 字节
               2 个目录 56,278,953,984 可用字节

C:\Users\netmanager\Desktop\python_test>uncompyle6 query3.pyc
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:19:08) [MSC v.1500 32 bit (Intel)]
# Embedded file name: query.py
# Compiled at: 1995-09-28 00:18:56
import wmi, os
f = os.popen('systeminfo | findstr \xcf\xb5\xcd\xb3\xd0\xcd\xba\xc5')
print f.read()
f.close()

def sys_version():
    c = wmi.WMI()
    print '\nOS:'
    for sys in c.Win32_OperatingSystem():
        print sys.Caption, sys.BuildNumber, sys.OSArchitecture, sys.CSName, sys.RegisteredUser,

    print '\nCPU:'
    for processor in c.Win32_Processor():
        print processor.Name.strip()

    print '\nMemory:'
    for Memory in c.Win32_PhysicalMemory():
        print int(Memory.Capacity) // 1073741824, 'GB'

    print '\nDISK:'
    for physical_disk in c.Win32_DiskDrive():
        if physical_disk.Size:
            print '\t' + str(physical_disk.Caption) + ' :\t' + str(long(physical_disk.Size) // 1000000000) + 'GB'

    print '\nIP:'
    for interface in c.Win32_NetworkAdapterConfiguration(IPEnabled=1):
        print 'MAC: %s' % interface.MACAddress
        for ip_address in interface.IPAddress:
            print '\tIP: %s' % ip_address

    print '\nBIOS:'
    bios = c.Win32_BIOS()[0]
    print bios.Version
    print bios.Manufacturer
    print bios.ReleaseDate


sys_version()
rawinput_a = raw_input('\xc7\xeb\xb9\xd8\xb1\xd5\xb3\xcc\xd0\xf2')
# okay decompiling query3.pyc

C:\Users\netmanager\Desktop\python_test>

 上面是命令提示符cmd操作过程

加一张运行修改头部16进制代码的图片

标题

下面是给query文件头部加上struct文件的前16个16进制字符串的代码，用于python2,

python3的开头的链接里有。

# -*- coding: cp936 -*-
'''python v2.7
print binascii.hexlify.__doc__
b2a_hex(data) -> s; Hexadecimal representation of binary data.
---
print binascii.unhexlify.__doc__
a2b_hex(hexstr) -> s; Binary data of hexadecimal representation.
hexstr must contain an even number of hex digits (upper or lower case).

'''
import binascii
file = 'query'
with open(file,'rb') as f:
    content = f.read()
a = binascii.hexlify(content)
print 'query文件的前30个HEX字符串'
print a[:30]
print '*'*30
file1 = 'struct'
with open(file1,'rb') as f1:
    content1 = f1.read()
b = binascii.hexlify(content1)
print 'struct文件的前30个HEX字符串'
print b[:30]
prefix_part = binascii.unhexlify(b[:16])
#经比较,pyinstxtractor.py反编译后的"query"文件少了16个HEX字符
f2 = open('query3.pyc','wb')
f2.write(prefix_part) # 加上"struct"文件的前16个HEX字符对应的头部文件binary data
f2.write(content) # 把query文件写入query3.pyc
f2.close()
f.close()
f1.close()
raw_input_a = raw_input('完成头部文件添加,在当前目录查找query3.pyc')

安装一些库以后，完美运行，pip install wmi