
can't decompile this file #17

Closed
jstar88 opened this issue Nov 20, 2013 · 23 comments


@jstar88 jstar88 commented Nov 20, 2013


@iraklisv iraklisv commented Nov 20, 2013

Same here,

I get the following error:

Can't uncompyle iamspotted.pyc

Traceback (most recent call last):
  File "C:\Python27\lib\site-packages\uncompyle2__init__.py", line 197, in main
    uncompyle_file(infile, outstream, showasm, showast, deob)
  File "C:\Python27\lib\site-packages\uncompyle2__init__.py", line 129, in uncompyle_file
    version, co = load_module(filename)
  File "C:\Python27\lib\site-packages\uncompyle2__init__.py", line 74, in _load_module
    raise ImportError, "This is a Python %s file! Only Python 2.7 files are supported." % version
ImportError: This is a Python 2.6 file! Only Python 2.7 files are supported.

decompiled 0 files: 0 okay, 1 failed, 0 verify failed

2013.11.20 15:00:56 Central Standard Time

Author

@jstar88 jstar88 commented Nov 21, 2013

note: it's in python 2.6

Owner

@Mysterie Mysterie commented Dec 30, 2013

I can't download the file mentioned because hotfile.com is dead.
But uncompyle2 supports PYC version 2.5 to 2.7. So I don't know why you have issues with 2.6.

We don't have the same code at line 74:

if (version > 2.7) or (version < 2.5):
    raise ImportError, "This is a Python %s file! Only Python 2.5 to 2.7 files are supported." % version

Check your files and clone the last uncompyle2 :)


@auerserg auerserg commented Jan 7, 2014

I have the same file, so I uploaded it to file storage http://rghost.ru/51466521
This file was compiled with Python 2.6.4 and used Marshal.
I tried to decompile it but in return received an empty file, with the extension "pyc_dis_failed".


@inflectecrasta inflectecrasta commented Jan 7, 2014

Very interested in decompiling and "how to do it", so I'll upload it to my Dropbox: https://www.dropbox.com/s/eksw6s9zqb0t29m/iamspotted.pyc


@caot caot commented Jan 7, 2014

Is the pyc valid?

Python 2.6.6 (r266:84292, Oct 12 2012, 14:23:48)
[GCC 4.4.6 20120305 (Red Hat 4.4.6-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import dis
>>> import py_compile
>>> import compiler
>>> dis.dis('iamspotted.pyc')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/dis.py", line 44, in dis
    disassemble_string(x)
  File "/usr/lib64/python2.6/dis.py", line 111, in disassemble_string
    labels = findlabels(code)
  File "/usr/lib64/python2.6/dis.py", line 165, in findlabels
    oparg = ord(code[i]) + ord(code[i+1])*256
IndexError: string index out of range


@inflectecrasta inflectecrasta commented Jan 7, 2014

Yes, it is valid.
The same type of script was decompiled with the service http://crazy-compilers.com/decompyle/,
for a sample of the decompilation:
1- this one is compiled https://www.dropbox.com/s/u78wklkstxw5h36/12.pyc
2- this is decompiled with that service https://www.dropbox.com/s/1vsu2ghdlvny4ut/2.pyc

P.S. in e-mail was this
Thanks for using crazy compiler Decompyle Service!

Enclosed please find the decompyled files. Decompyle does a good job on
reconstructing the source. Anyway you should check whether there are any
errors in the source.

Please note that I've removed the encrypted material for legal reasons.
As you are the legitimate owner of the source, it should be easy to
complete it from your documentation.

Owner

@Mysterie Mysterie commented Jan 8, 2014

hacik, your Dropbox link doesn't seem valid. I've downloaded the PYC and I'll check this issue tomorrow.
Btw, crazy-compilers uses closed & not free software! :-(


@mooseyaka mooseyaka commented Jan 8, 2014

open popcorn :)


@inflectecrasta inflectecrasta commented Jan 8, 2014

links fixed


@ambassadorkosha ambassadorkosha commented Jan 8, 2014

more one popcorn and minicola plz...

Owner

@Mysterie Mysterie commented Jan 10, 2014

It seems that those files are protected / obfuscated. The goal of uncompyle2 is to decompyle, not deobfuscate code.

So as I say in #12.

"For the moment I'll try to improve the python bytecode reader, and the way errors are handled.
But uncompyle2 is a decompilator not a deobfuscator (for the moment), so it won't be a full fix."

Thanks for your report! :)


@drfrank drfrank commented Jan 18, 2014

So has anyone had luck decompiling this file? I am also highly interested.


@ghost ghost commented Jan 18, 2014

Yes. Try to import it and research the traceback


@drfrank drfrank commented Jan 18, 2014

OK, I tried this and I found out that some jumps for IF FALSE and IF TRUE are out of range of the length of the code.

But I need some more hints on where to go from there. I already tried to fix the jump targets by setting them to 1 or 0. But if I do this I run into another problem regarding the function "getOpcodeToDel", which fails because of an assertion.


@drfrank drfrank commented Jan 18, 2014

Thank you, I am making progress. However, I come across a lot of invalid targets right now, because every other command seems to have an invalid target, i.e. ('LOAD_CONST', 100) with targets like 26368.
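Added example (not part of any comment in this thread, and not uncompyle2 code): a static check for the symptom described in the two comments above, jump operands that point past the end of `co_code`. It runs on Python 3 over raw Python 2 bytecode bytes; the opcode table assumes Python 2.6 numbering, `EXTENDED_ARG` is ignored, and `find_bad_jumps` and `SAMPLE` are hypothetical names with constructed data.

```python
HAVE_ARGUMENT = 90  # opcodes >= 90 carry a 2-byte little-endian operand

# Assumption: Python 2.6 opcode numbering (2.7 renumbered the conditional jumps).
REL_JUMPS = {93: "FOR_ITER", 110: "JUMP_FORWARD", 111: "JUMP_IF_FALSE",
             112: "JUMP_IF_TRUE", 120: "SETUP_LOOP", 121: "SETUP_EXCEPT",
             122: "SETUP_FINALLY"}
ABS_JUMPS = {113: "JUMP_ABSOLUTE", 119: "CONTINUE_LOOP"}


def find_bad_jumps(co_code):
    """Return (offset, name, target) for every jump that leaves co_code.

    A truncated operand at the end of the stream is reported with target None.
    EXTENDED_ARG is not handled (simplification for this example).
    """
    bad = []
    i, n = 0, len(co_code)
    while i < n:
        op = co_code[i]
        if op < HAVE_ARGUMENT:          # no operand: one-byte instruction
            i += 1
            continue
        if i + 2 >= n:                  # operand bytes are missing
            bad.append((i, "TRUNCATED_OPERAND", None))
            break
        arg = co_code[i + 1] | (co_code[i + 2] << 8)
        nxt = i + 3
        if op in REL_JUMPS:             # relative to the next instruction
            name, target = REL_JUMPS[op], nxt + arg
        elif op in ABS_JUMPS:           # absolute offset into co_code
            name, target = ABS_JUMPS[op], arg
        else:
            name, target = None, None
        if target is not None and target >= n:
            bad.append((i, name, target))
        i = nxt
    return bad


# Constructed sample, not taken from iamspotted.pyc or 12.pyc.
SAMPLE = bytes([
    100, 0, 0,        # 0  LOAD_CONST 0
    111, 4, 0,        # 3  JUMP_IF_FALSE +4 -> offset 10, in range
    1,                # 6  POP_TOP
    113, 0x00, 0x67,  # 7  JUMP_ABSOLUTE 26368 -> far past the end
    83,               # 10 RETURN_VALUE
])

if __name__ == "__main__":
    for offset, name, target in find_bad_jumps(SAMPLE):
        print("offset %d: %s -> %s (len %d)" % (offset, name, target, len(SAMPLE)))
```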


@drfrank drfrank commented Jan 19, 2014

OK, got it almost working ... but now I am facing the problem you mentioned, that uncompyle2 is not able to handle NOPs. Do you know any other tool which can handle this?

I tried PYRETIC but without any success.


@drfrank drfrank commented Jan 19, 2014

0x48 PRINT_NEWLINE has done the trick ...


@homyzere homyzere commented Jan 20, 2014

1nj3ct0r or drfrank, someone could write a little howto maybe?
Thanks in advance.


@ghost ghost commented Jan 21, 2014

Sorry right now I have no time for this. But as I mentioned above you can start from this

cryptedModuleName = '12'
try:
    __import__(cryptedModuleName)
except:
    # Research the traceback for the code objects you are interested in.
    # You can then marshal.dump() them to a file or do something else you want.
    pass

Author

@jstar88 jstar88 commented Jan 21, 2014

This is what I'm trying to do, without results:

import traceback
import marshal
import sys
cryptedModuleName = 'iamspotted'
try:
    __import__(cryptedModuleName)
except:
    info = sys.exc_info()
    marshal.dump(info[0],open('test.txt'))


@ghost ghost commented Jan 21, 2014

Why don't you spend some time to understand this Python language?
Why info[0], where it should be info[2]? And why did you open a file for reading, if you're going to write it???

    exc_traceback = sys.exc_info()[2]
    code = exc_traceback.tb_next.tb_next.tb_frame.f_code
    marshal.dump(code, open('test.pyc', 'wb'))

Or something like this....
Also you have to attach the header to the file.
And you have to start with https://www.dropbox.com/s/u78wklkstxw5h36/12.pyc
because it's more difficult to decompile the "iamspotted"


@drfrank drfrank commented Jan 21, 2014

You get the header by using

f = open('iamspotted.pyc', 'rb')
header = f.read(8)
f.close()
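Added example (not from any commenter and not uncompyle2's code): the 8-byte header read above is a 2-byte magic number, `\r\n`, and a 4-byte source mtime, followed by the marshalled code object. This Python 3 sketch checks the magic against the 2.5 to 2.7 range mentioned earlier in the thread and pulls `co_code` out of the marshal stream without importing or executing the file; `inspect_pyc2` and `SAMPLE` are hypothetical names, and `SAMPLE` is constructed and stops right after `co_code`.

```python
import struct

# Release magic numbers (first two header bytes, little-endian) for the
# Python versions the thread says uncompyle2 supports.
MAGIC_TO_VERSION = {62131: "2.5", 62161: "2.6", 62211: "2.7"}


def inspect_pyc2(data):
    """Parse a Python 2 .pyc: 8-byte header, then a marshalled code object.

    Returns the version, source mtime, the header (for re-attaching to a
    dumped code object) and the raw co_code bytes. Nothing is unmarshalled
    or executed.
    """
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc header")
    magic, mtime = struct.unpack("<H2xI", data[:8])
    version = MAGIC_TO_VERSION.get(magic)
    if version is None:
        raise ValueError("unsupported magic %d" % magic)
    body = data[8:]
    # Python 2 marshal layout: 'c', four int32 (argcount, nlocals, stacksize,
    # flags), then co_code as a string object: 's', int32 length, bytes.
    if len(body) < 22 or body[0:1] != b"c" or body[17:18] != b"s":
        raise ValueError("body does not start with a marshalled code object")
    fields = struct.unpack("<4i", body[1:17])
    (length,) = struct.unpack("<i", body[18:22])
    if length < 0 or 22 + length > len(body):
        raise ValueError("co_code length %d exceeds file size" % length)
    return {"version": version, "mtime": mtime, "header": data[:8],
            "flags": fields[3], "co_code": body[22:22 + length]}


# Constructed sample: 2.6 header plus the start of a code object whose
# co_code is LOAD_CONST 0; RETURN_VALUE. The remaining fields are omitted.
SAMPLE = (struct.pack("<H", 62161) + b"\r\n" + struct.pack("<I", 1384981256)
          + b"c" + struct.pack("<4i", 0, 0, 1, 64)
          + b"s" + struct.pack("<i", 4) + b"d\x00\x00S")

if __name__ == "__main__":
    info = inspect_pyc2(SAMPLE)
    print(info["version"], info["mtime"], info["co_code"])
```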
@Mysterie Mysterie closed this Mar 5, 2014