Tuts 4 You

I have renamed the program to ensure anonymity. 

Hello everyone. I am trying to debug this program that is compiled with py2exe (you can tell from the icon). But when I try to debug it (x64dbg and others), it does not show the text. When you first run the program it gives you 3 options.

One is to start mining, 2nd is to Send coins, and 3rd is to Check balance or view your public key. What I expected is that when running in a debugger it would expose what server it connects to and other ways. I can tell that the program is created in Python because when run in a debugger it shows Py commands.

I have tried a method known as unpy2exe to decompile it, but when I try to use that it says "This is not python code." and when run with a PE scanner it says it's created in Visual Studio v14.

Is there a way I can decompile it into a way where I can see the instructions clearly? Thanks.

Load the file in a Resource Editor (Resource Hacker).
If it's really a py2exe binary you would see a resource named PYTHONSCRIPT.

Another tool for the same purpose: https://sourceforge.net/projects/p2ebe/ but it's better to check manually first.

Could it be that this was compiled using Cython or some other library that converts it to C code first?

It could be compiled with something such as Cython or Nuitka, which is hard to unpack. Also, that does not mean it was made in Visual Studio. It means it is compiled with C++ runtime version 14, which all Python exes say when trying to find the packer.

It is also possible that a wrapper made with C++ was used while the underlying app was coded originally with Python.

It's actually a PyInstaller generated executable.

The first sign of this is the relatively large overlay 0x5e014c bytes ~ 6 MB.
Further, you can search for one of the strings ("Failed to convert executable path to UTF-8.") on the PyInstaller GitHub repo and you would get a hit.

For extracting PyInstaller binaries you can use my script pyinstxtractor.py.
There are also wrapper scripts on top of this for the same purpose: https://github.com/countercept/python-exe-unpacker
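The checks suggested in the replies above (overlay size, the PyInstaller error string, the py2exe PYTHONSCRIPT resource) can be scripted for first-pass triage. This is an added example, not part of any post in the thread and not code from pyinstxtractor; the function names and the sample file are constructed for illustration, and the `MEI` cookie is the magic PyInstaller writes into its appended archive.

```python
import struct

# Markers: the error string quoted in the thread, PyInstaller's archive cookie, py2exe's resource name.
PYINSTALLER_STRING = b"Failed to convert executable path to UTF-8."
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PY2EXE_RESOURCE = "PYTHONSCRIPT".encode("utf-16-le")  # heuristic: resource names are stored as UTF-16

def overlay_offset(data):
    """Return the file offset where the last section's raw data ends (overlay start)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size                            # first section header
    end = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end  # note: an appended Authenticode signature is also counted as overlay

def triage(data):
    """Report overlay size and which packer markers are present."""
    start = overlay_offset(data)
    overlay = data[start:]
    return {
        "overlay_size": len(overlay),
        "pyinstaller_string": PYINSTALLER_STRING in data,
        "pyinstaller_cookie": PYINSTALLER_MAGIC in overlay,
        "py2exe_resource": PY2EXE_RESOURCE in data[:start],
    }

def constructed_sample():
    """Constructed stand-in: a minimal one-section PE with a fake PyInstaller overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + coff + section).ljust(0x200, b"\0")
    body = PYINSTALLER_STRING.ljust(0x200, b"\0")
    return headers + body + b"archive-bytes" + PYINSTALLER_MAGIC + b"\0" * 80

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

On a real file, pass `open(path, "rb").read()` to `triage`; a multi-megabyte overlay together with the cookie points to PyInstaller, while a PYTHONSCRIPT hit inside the image points to py2exe.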

Send me the file, I could at least take a look at it. I have experience in unpacking those kinds of assemblies.
