先上个链接,基于python3的反编译python打包的exe文件的教程
?https://blog.csdn.net/weixin_46847476/article/details/105358131
故事开始于pyinstxtractor.py?反编译query.exe文件后不会直接生成query.py文件,是没有扩展名的query文件,需要根据struct文件修改query文件,具体是往query文件里添加若干个16进制字符串,此例是16个hex。
C:\Users\netmanager\Desktop\python_test>dir
驱动器 C 中的卷没有标签。
卷的序列号是 1556-183E
C:\Users\netmanager\Desktop\python_test 的目录
2020-10-07 20:52
2020-10-07 20:52
2020-10-07 20:40 0 mod_hex_py2.py
2020-10-07 12:26 1,467 query
2020-10-07 20:52 0 query.py
2020-10-07 12:26 1,467 query.pyc
2020-10-07 12:26 234 struct
5 个文件 3,168 字节
2 个目录 56,282,697,728 可用字节
C:\Users\netmanager\Desktop\python_test>dir
驱动器 C 中的卷没有标签。
卷的序列号是 1556-183E
C:\Users\netmanager\Desktop\python_test 的目录
2020-10-07 21:21
2020-10-07 21:21
2020-10-07 21:21 941 mod_hex_py2.py
2020-10-07 12:26 1,467 query
2020-10-07 20:52 0 query.py
2020-10-07 12:26 1,467 query.pyc
2020-10-07 21:21 1,475 query2.pyc
2020-10-07 12:26 234 struct
6 个文件 5,584 字节
2 个目录 56,280,313,856 可用字节
C:\Users\netmanager\Desktop\python_test>uncompyle6 -o . query2.pyc
query2.pyc --
# Successfully decompiled file
C:\Users\netmanager\Desktop\python_test>dir
驱动器 C 中的卷没有标签。
卷的序列号是 1556-183E
C:\Users\netmanager\Desktop\python_test 的目录
2020-10-07 21:23
2020-10-07 21:23
2020-10-07 21:21 941 mod_hex_py2.py
2020-10-07 12:26 1,467 query
2020-10-07 20:52 0 query.py
2020-10-07 12:26 1,467 query.pyc
2020-10-07 21:23 1,401 query2.py
2020-10-07 21:21 1,475 query2.pyc
2020-10-07 12:26 234 struct
7 个文件 6,985 字节
2 个目录 56,280,096,768 可用字节
C:\Users\netmanager\Desktop\python_test>dir
驱动器 C 中的卷没有标签。
卷的序列号是 1556-183E
C:\Users\netmanager\Desktop\python_test 的目录
2020-10-07 21:37
2020-10-07 21:37
2020-10-07 21:37 1,028 mod_hex_py2.py
2020-10-07 12:26 1,467 query
2020-10-07 20:52 0 query.py
2020-10-07 12:26 1,467 query.pyc
2020-10-07 21:23 1,401 query2.py
2020-10-07 21:21 1,475 query2.pyc
2020-10-07 21:37 1,475 query3.pyc
2020-10-07 12:26 234 struct
8 个文件 8,547 字节
2 个目录 56,278,953,984 可用字节
C:\Users\netmanager\Desktop\python_test>uncompyle6 query3.pyc
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:19:08) [MSC v.1500 32 bit (Intel)]
# Embedded file name: query.py
# Compiled at: 1995-09-28 00:18:56
import wmi, os
f = os.popen('systeminfo | findstr \xcf\xb5\xcd\xb3\xd0\xcd\xba\xc5')
print f.read()
f.close()
def sys_version():
c = wmi.WMI()
print '\nOS:'
for sys in c.Win32_OperatingSystem():
print sys.Caption, sys.BuildNumber, sys.OSArchitecture, sys.CSName, sys.RegisteredUser,
print '\nCPU:'
for processor in c.Win32_Processor():
print processor.Name.strip()
print '\nMemory:'
for Memory in c.Win32_PhysicalMemory():
print int(Memory.Capacity) // 1073741824, 'GB'
print '\nDISK:'
for physical_disk in c.Win32_DiskDrive():
if physical_disk.Size:
print '\t' + str(physical_disk.Caption) + ' :\t' + str(long(physical_disk.Size) // 1000000000) + 'GB'
print '\nIP:'
for interface in c.Win32_NetworkAdapterConfiguration(IPEnabled=1):
print 'MAC: %s' % interface.MACAddress
for ip_address in interface.IPAddress:
print '\tIP: %s' % ip_address
print '\nBIOS:'
bios = c.Win32_BIOS()[0]
print bios.Version
print bios.Manufacturer
print bios.ReleaseDate
sys_version()
rawinput_a = raw_input('\xc7\xeb\xb9\xd8\xb1\xd5\xb3\xcc\xd0\xf2')
# okay decompiling query3.pyc
C:\Users\netmanager\Desktop\python_test>
?上面是命令提示符cmd操作过程
下面是给query文件头部加上struct文件的前16个16进制字符串的代码,用于python2,
python3的开头的链接里有。
# -*- coding: cp936 -*-
'''python v2.7
print binascii.hexlify.__doc__
b2a_hex(data) -> s; Hexadecimal representation of binary data.
---
print binascii.unhexlify.__doc__
a2b_hex(hexstr) -> s; Binary data of hexadecimal representation.
hexstr must contain an even number of hex digits (upper or lower case).
'''
import binascii
file = 'query'
with open(file,'rb') as f:
content = f.read()
a = binascii.hexlify(content)
print 'query文件的前30个HEX字符串'
print a[:30]
print '*'*30
file1 = 'struct'
with open(file1,'rb') as f1:
content1 = f1.read()
b = binascii.hexlify(content1)
print 'struct文件的前30个HEX字符串'
print b[:30]
prefix_part = binascii.unhexlify(b[:16])
#经比较,pyinstxtractor.py反编译后的"query"文件少了16个HEX字符
f2 = open('query3.pyc','wb')
f2.write(prefix_part) # 加上"struct"文件的前16个HEX字符对应的头部文件binary data
f2.write(content) # 把query文件写入query3.pyc
f2.close()
f.close()
f1.close()
raw_input_a = raw_input('完成头部文件添加,在当前目录查找query3.pyc')
?