A Method for Reverse Engineering a PyInstaller Packaged Program

Tue, 12 Sep 2023 21:45:21 +0700

TL;DR / Geek Summary:

Reverse Engineering: Systematic guide to extracting Python source code from PyInstaller-packaged .exe files.

Toolstack: Leveraging pyinstxtractor.py for extraction and online .pyc-to-.py decompilers for restoration.

Workflow: Compile test script (awa.py) -> Package with PyInstaller 5.13.0 -> Extract entry point and dependency layers from the PYZ archive.

# Reverse engineering the source code of a PyInstaller-packaged exe file

We all know that libraries can be used to compile .py files into .exe files for execution. We will start by compiling a script into a .exe and then decompiling the source code of the .exe to obtain the source file.

# Introduction

We all know that we can use the PyInstaller library to compile .py files into .exe files that can be run. This article will cover compiling scripts into .exe files and then decompiling the source code of the .exe file to extract the source files.

# Environment Tools

Python 3.8.10: Download it yourself if you don’t have it

Pyinstaller library: pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pyinstaller==5.13.0

pyinstxtractor.py: Download address

# Compiling the Program

# Checking the Environment

1

python -V

If the execution is successful, then it’s done.

# Writing the Script

awa.py

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14



# Function
def test():

print("====666====")

input_text = input("I'm telling you the truth 1")

# Print the formatted time and the content entered by the user
print(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S ") + input_text)

if __name__ == '__main__':

test()

# Packaging Program

First, install the library pyinstaller used by the packaging program. Here, we use the Tsinghua mirror and specify the 5.13.0 version library.

1

pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pyinstaller==5.13.0

Locate the folder where the script is located. Mine is D:\. cd to this path and enter the following packaging command:

1

Pyinstaller -F awa.py

After the command finishes executing, you will see the completed successfully. field, indicating that the .exe file was successfully generated in the dist folder.

# Reverse Engineering Process

First, we download the decompilation script pyinstxtractor.py and place it in the same working directory as the .exe file we want to decompile.

Then, we continue by cding the dist folder in the command line, entering the following command and executing it:

1

python pyinstxtractor.py awa.exe

After execution, you will see the message Successfully, and a awa.exe_extracted folder will be generated.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33



[+] Processing FDP Configuration Online Update 2.exe

[+] Pyinstaller version: 2.1+

[+] Python version: 3.8

[+] Length of package: 32503973 bytes

[+] Found 141 files in CArchive

[+] Beginning extraction...please standby

[+] Possible entry point: pyiboot01_bootstrap.pyc

[+] Possible entry point: pyi_rth_pyqt5.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: Download json.pyc
[+] Found 225 files in PYZ archive
[+] Successfully extracted pyinstaller archive: FDP configuration online update 2.exe

You can now use a python decompiler on the pyc files within the extracted direct
ory
``

Enter this folder. Inside, you'll find many files with the extensions `.dll` and `.pyd`, and a folder named `PYZ-00.pyz_extracted`. This folder contains the **dependency libraries** imported by the program. If you've imported other `.py` files, you can use a similar method to decompile those dependent `.py` files.

In this directory, find `awa.pyc` and a file with the same name as your `awa.exe` file.

![Demo](pyinstaller.webp)

Then you can take this `.pyc` file to any `.pyc` to `.py` file conversion website found on search engines to convert it.

PyInstaller on LEl_FENG Blog