Emulating Assembly With Radare2

r2 Emulation Basics

Emulation is a way to find out what a function, basic block, or just a couple of instructions do without actually running the code. It is often useful when reverse engineering malware's encryption or packing routines: the decryption loop is emulated instead of executed, so the sample never runs. Radare2 supports emulation for every architecture whose analysis plugin provides an ESIL uplift (ESIL is radare2's intermediate language, which the emulator interprets).

Decrypting a XOR-encrypted string with Radare2's emulation

Follow along and download the sample here! This sample contains a XOR decryption routine in main.
Read more →
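The workflow described above, as an added example that is not part of the original post: a small r2pipe driver that initialises radare2's ESIL VM, steps through a decryption loop, and reads the buffer back, plus an independent single-byte XOR key recovery that can be used to cross-check what the emulator produced. The r2pipe calls assume a binary in which you have already located the loop with `pdf @ main`; the addresses and register name are placeholders to replace. The ciphertext at the bottom is constructed for this example, not taken from the post's sample.

```python
"""Emulate a XOR decryption loop with radare2 (via r2pipe) and cross-check it.

Added example, not the original post's code. The r2pipe driver assumes a
binary whose decryption loop you have located; loop_start, loop_end and
buf_reg are placeholders. The key-recovery helper works on plain bytes and
does not need radare2 installed.
"""
import string

try:
    import r2pipe  # pip install r2pipe; only needed by emulate_xor_routine()
except ImportError:  # keep the module importable without radare2
    r2pipe = None

PRINTABLE = set(string.printable.encode("ascii"))


def emulate_xor_routine(binary, loop_start, loop_end, buf_reg, length):
    """Run the instructions from loop_start up to loop_end in the ESIL VM and
    return the `length` bytes that buf_reg points at afterwards.

    loop_start / loop_end: addresses or r2 expressions (e.g. "main+0x2a").
    buf_reg: register holding the output buffer pointer at loop_end, such as
             "rsp" or "rdi"; confirm it with `ar` after stepping.
    """
    if r2pipe is None:
        raise RuntimeError("r2pipe is not installed")
    r2 = r2pipe.open(binary)
    try:
        r2.cmd("aaa")               # analyse so main and basic blocks are known
        r2.cmd("aei")               # initialise the ESIL VM
        r2.cmd("aeim")              # map a stack so stores through rsp/rbp work
        r2.cmd(f"s {loop_start}")
        r2.cmd("aeip")              # set the ESIL program counter to the seek
        r2.cmd(f"aesu {loop_end}")  # step until loop_end is reached
        data = r2.cmdj(f"pxj {length} @ {buf_reg}")  # hexdump as a JSON list
        return bytes(data)
    finally:
        r2.quit()


def xor_bytes(data, key):
    """XOR data with a repeating key (single-byte keys are the common case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(ciphertext):
    """Brute-force a single-byte XOR key without emulating anything.

    Every candidate whose plaintext is entirely printable is scored by the
    number of letters and spaces; the best one is returned as (key, plaintext),
    or None if no key yields printable output.
    """
    best = None
    for key in range(256):
        plain = xor_bytes(ciphertext, bytes([key]))
        if not all(b in PRINTABLE for b in plain):
            continue
        score = sum(1 for b in plain if chr(b).isalpha() or b == 0x20)
        if best is None or score > best[0]:
            best = (score, key, plain)
    return None if best is None else (best[1], best[2])


# Constructed sample for this example (assumption: not the post's binary).
SAMPLE_PLAINTEXT = b"Decrypted by ESIL emulation"
SAMPLE_KEY = 0x5A
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    key, plain = recover_single_byte_key(SAMPLE_CIPHERTEXT)
    print(f"key=0x{key:02x} plaintext={plain!r}")
    # In a real session, compare this against the emulated buffer, e.g.:
    # emulated = emulate_xor_routine("sample", "main+0x1a", "main+0x40", "rsp", 32)
    # assert emulated.startswith(plain)
```

Reading the buffer with `pxj` rather than `px` avoids parsing hexdump text; if the emulated bytes disagree with the brute-force result, the usual causes are a wrong `buf_reg`, a loop end address inside the loop, or a stack that was not mapped with `aeim` before stepping.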

Reverse Engineering Pyinstaller Malware

Unpacking PyInstaller

The first step is to extract all the pyc files from within the PyInstaller executable. This script (pyinstxtractor.py) is able to parse the PyInstaller exe and extract the pyc files.

    python3 pyinstxtractor.py sample.exe
    [+] Processing sample.exe
    [+] Pyinstaller version: 2.1+
    [+] Python version: 37
    [+] Length of package: 5738778 bytes
    [+] Found 61 files in CArchive
    [+] Beginning extraction...please standby
    [+] Possible entry point: pyiboot01_bootstrap.pyc
    [+] Possible entry point: sample.
Read more →
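A check worth running on the extracted files before decompiling, as an added example that is not part of the original post or of pyinstxtractor: confirm that each .pyc carries a CPython magic number for the Python version pyinstxtractor reported (here "37", i.e. 3.7), and prepend a header to bare marshalled code objects that lack one. The magic-number ranges are taken from CPython's `importlib._bootstrap_external` and are assumed to cover 3.7 through 3.13; the 16-byte header layout assumed here is the 3.7+ one.

```python
"""Check and repair .pyc headers on files extracted from a PyInstaller bundle.

Added example, not from the original post or from pyinstxtractor. Assumes
the 3.7+ header layout (magic, flags, source mtime, source size = 16 bytes)
and the magic-number ranges of CPython 3.7 through 3.13.
"""
import importlib.util
import marshal
import struct
import sys

# (lowest, highest) magic number used by each release series.
# Assumption: values as of CPython 3.13; unknown numbers map to None.
MAGIC_RANGES = {
    (3, 7): (3390, 3394),
    (3, 8): (3400, 3413),
    (3, 9): (3420, 3425),
    (3, 10): (3430, 3439),
    (3, 11): (3450, 3495),
    (3, 12): (3500, 3531),
    (3, 13): (3550, 3571),
}

# The magic a final 3.7 interpreter writes, which is what "Python version: 37"
# in pyinstxtractor's output corresponds to.
MAGIC_37 = struct.pack("<H", 3394) + b"\r\n"


def python_version_for_magic(magic):
    """Map a 4-byte magic (two-byte number + b'\\r\\n') to (major, minor)."""
    if len(magic) != 4 or magic[2:] != b"\r\n":
        return None
    number = struct.unpack("<H", magic[:2])[0]
    for version, (lo, hi) in MAGIC_RANGES.items():
        if lo <= number <= hi:
            return version
    return None


def has_pyc_header(data):
    """True if data starts with a recognised CPython magic number."""
    return python_version_for_magic(data[:4]) is not None


def matches_reported_version(data, reported):
    """Compare a file's magic with pyinstxtractor's 'Python version' string
    ('37' -> (3, 7), '310' -> (3, 10))."""
    expected = (int(reported[0]), int(reported[1:]))
    return python_version_for_magic(data[:4]) == expected


def add_pyc_header(code_blob, magic=importlib.util.MAGIC_NUMBER):
    """Prepend a 3.7+ header (magic, flags=0, mtime=0, size=0) to a bare
    marshalled code object, as found for modules pulled out of the PYZ."""
    return magic + struct.pack("<III", 0, 0, 0) + code_blob


def load_pyc(data):
    """Parse a 3.7+ .pyc and return (version, flags, code object).

    flags bit 0 set means a hash-based pyc; the header is still 16 bytes, so
    the code object starts at the same offset either way.
    """
    version = python_version_for_magic(data[:4])
    if version is None:
        raise ValueError("no CPython magic number: header missing or unknown")
    flags = struct.unpack("<I", data[4:8])[0]
    return version, flags, marshal.loads(data[16:])


if __name__ == "__main__":
    # Usage: python check_pyc.py 37 extracted/*.pyc
    reported, paths = sys.argv[1], sys.argv[2:]
    for path in paths:
        with open(path, "rb") as fh:
            blob = fh.read()
        if not has_pyc_header(blob):
            print(f"{path}: no header, writing {path}.fixed with a 3.7 header")
            with open(path + ".fixed", "wb") as out:
                out.write(add_pyc_header(blob, MAGIC_37))
        elif not matches_reported_version(blob, reported):
            print(f"{path}: magic is for {python_version_for_magic(blob[:4])}, "
                  f"bundle reported {reported}")
        else:
            print(f"{path}: ok")
```

Decompilers such as decompyle3 or uncompyle6 key off the magic number, so a file with a missing or mismatched header is the usual reason they refuse a .pyc that pyinstxtractor produced; `marshal.loads` of the body only succeeds on an interpreter of the same version, which is why a 3.7 bundle is best unpacked with a 3.7 interpreter.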