Don’t be afraid of .pyc

During the last UCSB iCTF we (ENOFLAG) got (amongst other applications) a Python binary, which means we only got the .pyc file and not the Python source. The .pyc modules had to be reversed to find some remote code execution vulnerability. Well, I’m not the assembler-uber-geek, so I had some problems reversing the code, and until the host supplied the plain source I didn’t really get anything usable.

Now, a few days later, I know the exploit but I lost the source for the binary. So I just thought, let’s get it back and do what you were supposed to do. And … it’s astonishingly easy. The only thing you have to do is take some time and decompile the disassembled output line by line into source.

So here comes a short tutorial for decompiling Python 2.5/2.6 code:

Step 1: disassembling

dismybinary.py:
#!/usr/bin/env python
# Importing binarymodule loads binarymodule.pyc from the current directory
# (and, like any import, runs the module's top-level code).
import binarymodule
import dis

# Disassemble every function and class in the module to stdout.
dis.dis(binarymodule)


$ ./dismybinary.py > mybinary.dis

Step 2: decompiling

$ cp mybinary.dis mybinarydis.py
$ vim mybinarydis.py

An additional IPython shell in another terminal helps for inspecting the binary module during decompilation.

Now, CPython disassembler output is not too hard to read; it’s really easy in fact, when you concentrate and take your time. The documentation of dis helps, and I’m pretty sure you can do it too.
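The two steps above, scripted, as an added example that is not code from the original post. It assumes Python 3.7 or newer (whose .pyc files carry a 16-byte header; the post's Python 2.5/2.6 files use an 8-byte one) and reads the .pyc with marshal instead of importing it, because an import runs the module's top-level code, which you may not want for an unknown binary. It then lists which functions reference code-execution sinks so you know which disassembly to start with, and checks a hand-written reconstruction the way a reviewer would: recompile it and diff the instruction streams against the original, ignoring line numbers. The sample module source, the SINKS set and all function names are constructed for the example.

```python
#!/usr/bin/env python3
"""Load a .pyc without importing it, disassemble it, triage it, and verify a
hand-written reconstruction. Added example; assumes Python 3.7+ (16-byte header)."""
import dis
import importlib.util
import io
import marshal
import os
import py_compile
import tempfile

# Constructed stand-in for the CTF's "binarymodule": only its .pyc is available.
SAMPLE_SOURCE = '''\
def check(token):
    secret = "s3cr3t"
    if token == secret:
        return "ok"
    return "denied"

def calc(expr):
    return eval(expr)
'''

# Names whose presence in co_names marks a function as worth decompiling first
# when reviewing for code-execution bugs (constructed list, extend as needed).
SINKS = {"eval", "exec", "compile", "system", "popen", "check_output", "__import__"}


def compile_to_pyc(source, directory):
    """Write source to disk and byte-compile it; returns the .pyc path."""
    src = os.path.join(directory, "binarymodule.py")
    with open(src, "w") as f:
        f.write(source)
    return py_compile.compile(src, cfile=src + "c", doraise=True)


def load_code_object(pyc_path):
    """Unmarshal the module's code object WITHOUT executing any of it."""
    with open(pyc_path, "rb") as f:
        data = f.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc built by another Python version; dis output would not match")
    return marshal.loads(data[16:])  # skip magic, flags, mtime and size


def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            yield from walk_code(const)


def disassemble(code):
    """Text equivalent of `dis.dis(binarymodule)`, built from the code object."""
    buf = io.StringIO()
    for c in walk_code(code):
        buf.write("\n# %s\n" % c.co_name)
        dis.disassemble(c, file=buf)
    return buf.getvalue()


def functions_using_sinks(code):
    """Map function name -> sorted sink names it references."""
    hits = {}
    for c in walk_code(code):
        found = SINKS.intersection(c.co_names)
        if found:
            hits[c.co_name] = sorted(found)
    return hits


def find_function(code, name):
    for c in walk_code(code):
        if c.co_name == name:
            return c
    raise KeyError(name)


def reconstruction_matches(original, reconstructed_source, func_name):
    """Recompile the hand-written source and compare (opcode, operand) streams
    of one function, ignoring line numbers, which comments and layout shift."""
    rebuilt = compile(reconstructed_source, "<reconstructed>", "exec")
    stream = lambda c: [(i.opname, i.argrepr) for i in dis.get_instructions(c)]
    return stream(find_function(original, func_name)) == stream(find_function(rebuilt, func_name))


# What one would type into mybinarydis.py after reading check()'s disassembly.
RECONSTRUCTED_CHECK = '''\
def check(token):            # co_varnames[0] == 'token'
    secret = "s3cr3t"        # LOAD_CONST 's3cr3t'; STORE_FAST secret
    if token == secret:      # LOAD_FAST x2; COMPARE_OP ==; POP_JUMP_IF_FALSE
        return "ok"          # LOAD_CONST 'ok'; RETURN_VALUE
    return "denied"          # LOAD_CONST 'denied'; RETURN_VALUE
'''


def demo():
    with tempfile.TemporaryDirectory() as d:
        code = load_code_object(compile_to_pyc(SAMPLE_SOURCE, d))
    return {
        "secret_visible": "s3cr3t" in disassemble(code),
        "sinks": functions_using_sinks(code),
        "check_matches": reconstruction_matches(code, RECONSTRUCTED_CHECK, "check"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints that the string constant is visible in the listing, that only calc references a sink (eval), and that the reconstruction of check compiles to the same instruction stream; if the last check fails after editing mybinarydis.py, the two disassemblies side by side show exactly which line was reconstructed wrongly.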

So next time I won’t be so afraid of Python binaries, and I suggest the same to anyone who has to deal with them: don’t be afraid, it’s easy, just do it.
