Lil-Ran/Pyarmor-Static-Unpack-1shot
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
79e22e193a5446fc0d8ff937828a8484520c172f
Pyarmor-Static-Unpack-1shot/README.md
Lil-Ran 79e22e193a wip: extract data
2025-02-27 14:01:14 +08:00

2.5 KiB
Raw Blame History

Pyarmor-Static-Unpack-1shot

🚧 Working in progress

Generally this project aims to statically convert (without executing) armored data - which can be regarded as an encrypted variant of pyc files - back to disassembly and (experimentally) source code. Therefore we forked the awesome Decompyle++ (aka pycdc).

Currently we are trying to support Pyarmor 8.0 - latest (9.0.8), Python 3.6 - 3.13, platforms covering Windows, Linux, macOS, and Android, with obfuscating options as many as possible. (However, we only have limited tests.)

We cannot wait to make it public. Detailed write-up will be available soon. For those who are curious, temporarily you can check out the similar work of G DATA Advanced Analytics.

Build

mkdir build
cd build
cmake ..
cmake --build .
mv pyarmor-1shot[.exe] ../helpers

Usage

Make sure the executable pyarmor-1shot exists in helpers directory, and run helpers/shot.py in Python 3 (no need to use the same version with obfuscated scripts) with the "root" directory of obfuscated scripts. It will recursively find and handle pyarmor_runtime and as much armored data as possible. For example:

$ ls /path/to/scripts
__pycache__  pyarmor_runtime_000000  obf_main.py  plain_src.py  util.pyc  packed.so  folder_with_other_scripts  readme.unrelated
$ python /path/to/helpers/shot.py /path/to/scripts

When necessary, specify a pyarmor_runtime executable with -r path/to/pyarmor_runtime[.pyd|.so|.dylib].

All files generated from this tool have a .1shot. in file names. If you want to save them in another directory instead of in-place, use -o another/path/. Folder structure will remain unchanged.

Note:

  • Subdirectories called __pycache__ or site-packages will not be touched, and symbolic links will not be followed, to avoid repeat or forever loop and save time. If you really need them, run the script later in these directories (as "root" directory) and specify the runtime.
  • Archives, executables generated by PyInstaller and so on, must be unpacked by other tools before decrypting, or you will encounter undefined behavior.

Todo (PR Welcome!)

  • Write-up
  • Multi-platform pyarmor_runtime executable
  • Accept more input forms
  • Tests for different Pyarmor and Python versions
  • Support more obfuscating options
  • Use asyncio for concurrency
  • Pyarmor 7 and before (Later or never.)