In Memory Reverse Engineering for Obfuscated Python Bytecode

Growing numbers of commercial and closed source applications are being developed using the Python programming language. The trend with developers of such applications appears to be that there is an increasing amount of effort being invested in order to stop the sourcecode of their application being easily obtainable by the end user. This is being achieved through the use of a variety of obfuscation techniques designed to impede the common methods of Python decompilation. Another trend occurring in parallel is the use of Python as an increasingly present component of 'Cloud' technologies where traditional bytecode decompilation techniques fall down not through obfuscation, but through lack of access to the bytecode files on disk.

The techniques discussed in this paper extend existing Python decompilation technologies through taking an approach that does not require access to standard Python bytecode files (.pyc/.pyo), but rather focuses on gaining access to the bytecode through instantiated Python objects in memory and using these to reconstruct a sourcecode listing equivalent to that composed by the applications author. Approaches will also be discussed of how to defeat the common obfuscation techniques that have been observed in use in order to be able to use the in memory decompilation techniques.

Finally a proof of concept embodiment of the techniques developed will be discussed which will allow people to quickly leverage them to evaluate code for bugs that was previously opaque to them.