Reverse Engineering Pyinstaller Malware
Unpacking PyInstaller
The first step is to extract the .pyc files from within the PyInstaller executable. The pyinstxtractor.py script parses the PyInstaller archive appended to the exe and writes out the .pyc files it contains.
python3 pyinstxtractor.py sample.exe
[+] Processing sample.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 37
[+] Length of package: 5738778 bytes
[+] Found 61 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: sample.pyc
[+] Found 133 files in PYZ archive
[+] Successfully extracted pyinstaller archive: sample.exe
You can now use a python decompiler on the pyc files within the extracted directory
In older versions of pyinstxtractor.py it was necessary to prepend the .pyc magic header to the extracted entry-point scripts by hand; current versions write the header for you, so that is no longer required.
The output of pyinstxtractor.py lists the possible entry points of the program. In this case we see that sample.pyc is a possible entry point.
Decompile Python Compiled Bytecode (.pyc)
To decompile, simply run uncompyle6 sample.pyc. This will output the source code of the .pyc.
uncompyle6 sample.pyc
# uncompyle6 version 3.7.3
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.8.5 (default, Jul 21 2020, 10:48:26)
# [Clang 11.0.3 (clang-1103.0.32.62)]
# Embedded file name: sample.py
def main():
    print('Hello World!')
if __name__ == '__main__':
    main()
# okay decompiling sample.pyc
This tutorial was written specifically for Windows PyInstaller binaries. PyInstaller can also generate binaries for macOS, Linux, FreeBSD, Solaris, and AIX. The general steps for non-Windows operating systems are similar, but not the same.
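The two steps above, finding the archive inside the exe and recovering the entry-point script as a loadable .pyc, as a worked example. This is an added example written for this article, not code from pyinstxtractor.py or PyInstaller. The struct layouts are those of the PyInstaller 2.1+ CArchive cookie and table of contents; the archive is constructed in memory behind a fake stub so the script runs offline with no real sample, and the function names (parse_cookie, rebuild_pyc, magic_from_number, recover_entry_point) are this example's own.

```python
"""Parse a PyInstaller CArchive the way pyinstxtractor.py does: locate the cookie,
walk the table of contents (TOC), extract the entry-point script and give it the
.pyc header it lacks inside the bundle. Added example for this article, not
pyinstxtractor's code; struct layouts follow the PyInstaller 2.1+ CArchive format
and the archive is constructed in memory (fake stub, no real sample) to run offline."""
import importlib.util
import marshal
import struct
import sys
import zlib
from collections import namedtuple

COOKIE_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, pyver, python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes for PyInstaller 2.1+
TOC_FIXED_FMT = "!iIIIBc"   # entry size, data offset, compressed size, raw size, zlib flag, type code
TOC_FIXED_SIZE = struct.calcsize(TOC_FIXED_FMT)  # 18 bytes; a NUL-padded name follows
# type codes: 's' script (entry point), 'z' PYZ, 'm' module, 'b' binary, 'x' data
TocEntry = namedtuple("TocEntry", "name offset compressed_size raw_size compressed type_code")
RUNNING_VERSION = sys.version_info[:2]

def parse_cookie(blob):
    """Search backwards for the cookie; bytes may trail it, so the package is
    located from the cookie's end rather than from the end of the file."""
    pos = blob.rfind(COOKIE_MAGIC)
    if pos < 0:
        raise ValueError("PyInstaller cookie not found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    pkg_start = pos + COOKIE_SIZE - pkg_len
    version = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)  # 37 -> (3, 7), 310 -> (3, 10)
    return {"package_start": pkg_start, "package_length": pkg_len, "toc_start": pkg_start + toc_off,
            "toc_length": toc_len, "python_version": version, "python_lib": pylib.rstrip(b"\0").decode()}

def parse_toc(blob, info):
    """Each TOC entry is 18 fixed bytes plus a name padded out to the entry size."""
    entries, pos = [], info["toc_start"]
    end = pos + info["toc_length"]
    while pos < end:
        size, off, csize, rsize, flag, tcode = struct.unpack(TOC_FIXED_FMT, blob[pos:pos + TOC_FIXED_SIZE])
        name = blob[pos + TOC_FIXED_SIZE:pos + size].rstrip(b"\0").decode()
        entries.append(TocEntry(name, off, csize, rsize, bool(flag), tcode.decode()))
        pos += size
    return entries

def entry_points(entries):
    """Type 's' entries are the scripts run at startup: the 'possible entry points'."""
    return [e.name for e in entries if e.type_code == "s"]

def extract_entry(blob, info, entry):
    start = info["package_start"] + entry.offset            # offsets are package-relative
    data = blob[start:start + entry.compressed_size]
    data = zlib.decompress(data) if entry.compressed else data
    if len(data) != entry.raw_size:
        raise ValueError(f"{entry.name}: expected {entry.raw_size} bytes, got {len(data)}")
    return data

def magic_from_number(n):
    """uncompyle6 prints the magic as a number (3394 for 3.7); on disk it is that
    value as a little-endian 16-bit integer followed by b'\\r\\n'."""
    return struct.pack("<H", n) + b"\r\n"

def rebuild_pyc(code_bytes, version, magic):
    """Script entries are bare marshal data; prepend the header a decompiler expects:
    magic + flags + mtime + size (16 bytes) on 3.7+, magic + mtime + size on 3.3-3.6."""
    return magic + b"\0" * (12 if version >= (3, 7) else 8) + code_bytes

SAMPLE_SRC = "def main():\n    print('Hello World!')\n\nif __name__ == '__main__':\n    main()\n"

def build_sample_archive(src=SAMPLE_SRC):
    """Constructed stand-in for a bundled exe: fake stub, one zlib-compressed 's' script
    compiled by the running interpreter, one uncompressed 'z' placeholder."""
    major, minor = RUNNING_VERSION
    pyver = major * 100 + minor if minor >= 10 else major * 10 + minor
    items = [("sample", marshal.dumps(compile(src, "sample.py", "exec")), b"s", True),
             ("PYZ-00.pyz", b"PYZ\0" + b"\0" * 12, b"z", False)]
    data = toc = b""
    for name, raw, tcode, compress in items:
        payload = zlib.compress(raw) if compress else raw
        nb = name.encode() + b"\0"
        nb += b"\0" * (-len(nb) % 16)                        # PyInstaller pads names to 16 bytes
        toc += struct.pack(TOC_FIXED_FMT, TOC_FIXED_SIZE + len(nb), len(data),
                           len(payload), len(raw), int(compress), tcode) + nb
        data += payload
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, len(data) + len(toc) + COOKIE_SIZE,
                         len(data), len(toc), pyver, f"python{major}{minor}.dll".encode())
    return b"MZ-fake-PE-stub-" + data + toc + cookie

def recover_entry_point(blob, magic=importlib.util.MAGIC_NUMBER):
    """Cookie -> TOC -> first 's' entry -> .pyc bytes ready for uncompyle6. For a real
    sample pass the magic of the bundled Python, e.g. magic_from_number(3394) for 3.7."""
    info = parse_cookie(blob)
    entries = parse_toc(blob, info)
    script = next(e for e in entries if e.type_code == "s")
    return info, entries, rebuild_pyc(extract_entry(blob, info, script), info["python_version"], magic)

def code_filename(pyc, version):
    """Load the code object back from the rebuilt .pyc; proves the header split is right."""
    return marshal.loads(pyc[16 if version >= (3, 7) else 12:]).co_filename
```

Against a real bundle, read the exe into blob, call recover_entry_point(blob, magic_from_number(3394)) for a Python 3.7 sample (the magic uncompyle6 printed above), and write the returned bytes to sample.pyc for uncompyle6. The version decode accepts both the two-digit (37) and three-digit (310) encodings of pyver, and the package start is computed from the cookie's end so bytes appended after the archive do not shift the offsets.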
PyInstaller Obfuscation/Encryption
There are various ways to obfuscate the .pyc files within a PyInstaller binary. The PyInstaller documentation mentions two possible ways:
- Compile with Cython. This converts the Python modules into C and compiles the C to machine code, so there is no bytecode left to decompile.
- Encrypt the Python bytecode with AES256 (the --key build option, which takes a 16-character key; this feature was removed in PyInstaller 6.0).
Future tutorials will be released to show how to handle these two obfuscation methods.