
Decompyle Me


Difficulty: Easy
Concepts: Python, code obfuscation
Tools: Detect It Easy, Python, pyinstxtractor-ng

About

The Decompyle Me challenge demonstrates basic techniques used to obfuscate Python code. I saw this in action as I was reversing a piece of malware that was sent to my office in a phishing email.

The executable in this challenge is actually a PyInstaller bundle: a native bootloader with a compiled Python archive appended to it. I compiled it with PyInstaller's --onefile flag.

Walkthrough

Use tools like Detect It Easy or VirusTotal to inspect the file and determine that this is a PyInstaller compiled executable; both recognise the PyInstaller archive appended to the bootloader. Running it under ProcMon (only in an isolated VM if the sample is untrusted) gives the same answer, because a --onefile build unpacks itself into a _MEIxxxxxx temporary directory at start-up.

Once you've determined that you're working with a PyInstaller executable, you can use a tool called pyinstxtractor-ng to extract the compiled bytecode (.pyc files) along with any bundled dependencies from the exe. Everything will be written to a new directory, named after the executable with an _extracted suffix, in the directory that pyinstxtractor-ng is run from. The tool also prints the .pyc files it considers possible entry points, which is the quickest way to spot the author's own script among the library modules.
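The fingerprint that Detect It Easy and pyinstxtractor-ng look for can be checked by hand. The following is an added example, not code from this write-up or from either tool: it searches a file for the PyInstaller archive cookie (the magic bytes MEI\014\013\012\013\016 followed, in PyInstaller 2.1 and later, by the 88-byte big-endian struct !8sIIii64s) and reports the Python version the bundle was built with, which also tells you which decompiler you will need later. The "executable" it parses is constructed inside the script, so it runs offline; scan_file is the same check against a real file on disk.

```python
"""Detect a PyInstaller bundle and read its archive cookie.

Added example, not part of the original write-up and not code from
Detect It Easy or pyinstxtractor-ng; it parses the same structure they key on.
"""
import struct
from typing import Any, Dict, Optional

# 8-byte magic that opens the cookie at the end of the appended archive.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
# PyInstaller >= 2.1 cookie: magic, archive length, TOC offset, TOC length,
# Python version, name of the bundled Python shared library (NUL padded).
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_cookie(data: bytes) -> Optional[Dict[str, Any]]:
    """Return the parsed cookie, or None when the file is not a PyInstaller bundle.

    The archive is appended after the bootloader EXE, so the cookie sits near
    the end of the file; searching for the last magic rather than seeking to
    EOF tolerates data appended after the cookie.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, length, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # Recent bootloaders store 3.11 as 311; older ones stored 3.6 as 36.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "archive_length": length,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_fake_onefile(pyver: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Constructed sample: a stand-in bootloader with a minimal archive appended.

    Only the cookie is realistic; the payload and TOC are placeholders.
    """
    bootloader = b"MZ" + b"\0" * 62 + b"fake bootloader bytes"
    payload = b"placeholder for PYZ-00.pyz and the entry-point pyc"
    toc = b"\0" * 16
    archive_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, archive_len,
                         len(payload), len(toc), pyver, pylib)
    return bootloader + payload + toc + cookie


def scan_file(path: str) -> Optional[Dict[str, Any]]:
    """Run the same check against a real executable on disk."""
    with open(path, "rb") as fh:
        return find_cookie(fh.read())


if __name__ == "__main__":
    print(find_cookie(build_fake_onefile()))
```

A non-PyInstaller file returns None; a real bundle returns the Python version, which is the number to match against your decompiler's supported versions before spending time on it.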

Locate “Secure.pyc” in the extracted files and use the “cat” command (or, for cleaner output, “strings”) to read it. Python .pyc files contain marshalled bytecode, so the output won't be pretty, but string constants are stored verbatim inside the code object, and that is enough to find your next lead.

In the output from cat look for anything suspicious. In this case there is a long string of hex digits. Copy it and decode it to ASCII. An online hex-to-ASCII converter works for a CTF binary; for a string pulled from real malware, decode it offline with xxd -r -p or Python's bytes.fromhex() instead, so that sample data never leaves your machine.

Done: the decoded output is the flag. Enter it on The Range to complete the challenge.
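The last two steps (find the suspicious string in the .pyc, decode the hex) can be done offline in a few lines. The following is an added example, not code from this write-up, and the .pyc it inspects is built in-process from a made-up secure.py with a made-up flag; the challenge's own flag is not in it. It pulls printable runs out of the file the way strings does and decodes any run of hex digits that turns into readable text, without ever importing or unmarshalling the bytecode, so it is safe to point at a file carved out of a suspicious sample.

```python
"""Find and decode hex-encoded string constants in a .pyc without running it.

Added example, not code from the original write-up. The sample .pyc is
constructed here from a made-up secure.py; the flag in it is not the real one.
"""
import importlib.util
import marshal
import re
from typing import List

MIN_RUN = 8
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)  # like `strings -n 8`
HEX_DIGITS = re.compile(r"[0-9a-fA-F]{16,}")            # at least 8 encoded bytes

# Constructed stand-in for the challenge script; "flag{not_the_real_flag}" in hex.
SAMPLE_SOURCE = '''
import binascii
SECRET = "666c61677b6e6f745f7468655f7265616c5f666c61677d"
def reveal():
    return binascii.unhexlify(SECRET).decode()
'''


def build_sample_pyc() -> bytes:
    """Build a .pyc body the way the interpreter would: pyc magic, 12 header
    bytes (flags, mtime, size; zeroed here) and the marshalled code object."""
    code = compile(SAMPLE_SOURCE, "secure.py", "exec")
    return importlib.util.MAGIC_NUMBER + b"\0" * 12 + marshal.dumps(code)


def strings_in(data: bytes) -> List[str]:
    """Printable ASCII runs of at least MIN_RUN bytes, like `strings -n 8`."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def _readable(b: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in b)


def decode_hex_candidates(data: bytes) -> List[str]:
    """Decode hex runs found in the printable strings of `data`.

    marshal writes a constant's type and length bytes right before its
    characters and the next constant's type byte right after it, so a hex run
    can pick up one stray hex-looking neighbour (for example a trailing 'c'
    from a code-object marker). Odd-length runs are therefore retried with one
    character trimmed from either end, and only decodings that are clean
    printable text are kept.
    """
    found: List[str] = []
    for s in strings_in(data):
        for run in HEX_DIGITS.findall(s):
            variants = [run] if len(run) % 2 == 0 else [run[:-1], run[1:]]
            for v in variants:
                decoded = bytes.fromhex(v)
                if _readable(decoded):
                    text = decoded.decode("ascii")
                    if text not in found:
                        found.append(text)
    return found


def decode_pyc_file(path: str) -> List[str]:
    """Same scan against an extracted .pyc on disk, e.g. Secure.pyc."""
    with open(path, "rb") as fh:
        return decode_hex_candidates(fh.read())


if __name__ == "__main__":
    print(decode_hex_candidates(build_sample_pyc()))
```

The printable-run scan is deliberately dumb: it does not depend on the bytecode version, so it works on a 3.11 .pyc even when no decompiler does, and it never executes anything from the sample.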

Extra

You can use a tool like Decompyle++ (pycdc) to decompile the “secure.pyc” file back into source code. It's not exact but good enough. I wrote secure.py in Python 3.11 so decompilers have not caught up fully yet at the time I'm writing this. If pycdc gives up on the 3.11 bytecode, its companion disassembler pycdas still dumps the code object's constants and opcodes, which is usually enough to recover the hex string and see how it is used.