Python Pyarmor + My Protector

March 7, 2020

Language : Python
Platform : Windows
OS Version : All
Packer / Protector : Pyarmor + My Protector

Description :

Want to see if someone can unpack it, want to use this obfuscator for my future aplications in python

Screenshot :

Spoiler

Download :

Virustotal: https://www.virustotal.com/gui/file/fec987a11c8bdd47355529389d75f1f2cb0f980a763efa21e796dd1a21619989/detection
Download: https://anonfile.com/3fn5o8gdo5/UnpackME_by_0x72_rar

UnpackME by 0x72.rar

Edited March 8, 2020 by Teddy Rogers
Please use correct formatting and attach your file to the topic (do not use external file host) (see edit history)

March 7, 2020

The program is a 64 bit executable! (Portable Executable 64)
Did you code this UnpackMe yourself?

March 7, 2020

10 minutes ago, CodeExplorer said:

The program is a 64 bit executable! (Portable Executable 64)
Did you code this UnpackMe yourself?

Half of obfuscation is made manually and for the rest i used pyarmor

To make it Executable i used pyinstaller

Edited March 7, 2020 by 0x72 (see edit history)

March 29, 2020

Not necessary to unpack to get the key.

Key:

Spoiler

GENERATE-KEY-0X72GOD-UNPACKME

Converted it to run on Linux because it's easier to compile CPython on Linux and also because I don't have Visual Studio installed in the Windows VM.
This also explains why "title" and "cls" commands were not found.

Steps :

Spoiler

1. Use pyinstxtractor.py to extract the executable in Python 3.7

2. Using the extracted files, create the following directory structure


.
|-- martisor.pyc
`-- pytransform
    |-- __init__.py
    |-- _pytransform.dll
    |-- license.lic
    `-- pytransform.key

1 directory, 5 files

For running on Linux, you need _pytransform.so downloadable from https://pyarmor.dashingsoft.com/platforms.html

3. Install psutil using pip (Required for pyarmor). From now on, you can just run python3.7 martisor.pyc instead of the unpackme executable.

4. pyarmor encrypts the code objects on disk and they are only decrypted at runtime just before they are executed. The entire logic is implemented in _pytransform.dll. There are anti-debugging/timing checks to prevent us from using a debugger to dump code objects from memory. But there's no need to use a debugger at all when CPython itself is open source.

5. Compile Python 3.7 from source. Modify the _PyEval_EvalFrameDefault function such that it dumps the code object to disk. By doing so we do not need to bother about all the anti-debugging and encrypted stuff. This is because pyarmor decrypts the code object in memory before it hands it to the Python VM for execution.

6. Run strings on the dumped code object. We get many base64 strings. Like this one: CkdFTkVSQVRFLUtFWS0wWDcyR09ELVVOUEFDS01FCg==

7. Base64 decode and profit!

April 19, 2020

5. Compile Python 3.7 from source. Modify the _PyEval_EvalFrameDefault function such that it dumps the code object to disk. By doing so we do not need to bother about all the anti-debugging and encrypted stuff. This is because pyarmor decrypts the code object in memory before it hands it to the Python VM for execution.

I don't understand this step at all

Edited April 19, 2020 by 0x72 (see edit history)

May 18, 2020

On 3/29/2020 at 9:50 PM, Extreme Coders said:

5. Compile Python 3.7 from source. Modify the _PyEval_EvalFrameDefault function such that it dumps the code object to disk. By doing so we do not need to bother about all the anti-debugging and encrypted stuff. This is because pyarmor decrypts the code object in memory before it hands it to the Python VM for execution.

Hi Extreme, im trying to do this, but the code is unredable after dumped!

How you do it?

Which function you have used?

Thanks in advance :)

May 18, 2020

3 hours ago, Powante said:

Hi Extreme, im trying to do this, but the code is unredable after dumped!

The code will be unreadable as it's encrypted. But at least for this challenge that is not an issue. You can simply run strings on the dumped file.

May 18, 2020

I need to do the same, research for a string, but with "unredable" i means that the dumped code it is not binary.

I think i did not write the function for dumping correctly, do you have a sample or the function you have write for dumping?

Thank you very much!

Edited May 18, 2020 by Powante (see edit history)

June 9, 2020

Thanks to "Extreme Coders", I've never programmed in python before, but after reading all your public material and following the recommended steps in this thread I've been able to desofuscate the code.
If they tell you how to do it you will understand it, but if they guide you and you have to discover how to do it you will learn

martisor_unpacked.py

June 29, 2020

On 3/29/2020 at 10:50 PM, Extreme Coders said:

5. Compile Python 3.7 from source. Modify the _PyEval_EvalFrameDefault function such that it dumps the code object to disk. By doing so we do not need to bother about all the anti-debugging and encrypted stuff. This is because pyarmor decrypts the code object in memory before it hands it to the Python VM for execution.

Quote

Modify the _PyEval_EvalFrameDefault function such that it dumps the code object to disk

do u mind explaining how to do that? how to dump the bytes from _PyEval_EvalFrameDefault

Edited June 29, 2020 by shadow.Walker (see edit history)

June 29, 2020

On 6/9/2020 at 3:22 PM, OdieWan said:

Thanks to "Extreme Coders", I've never programmed in python before, but after reading all your public material and following the recommended steps in this thread I've been able to desofuscate the code.
If they tell you how to do it you will understand it, but if they guide you and you have to discover how to do it you will learn

martisor_unpacked.py 10.3 kB · 12 downloads

Quote

def run_it():
r"""
/*
An exception occurred when decompiling this method (06000001)

ICSharpCode.Decompiler.DecompilerException: Error decompiling System.Void <Module>::.cctor()
---> System.OverflowException: Arithmetic operation resulted in an overflow.
at ICSharpCode.Decompiler.ILAst.ILAstBuilder.StackSlot.ModifyStack(StackSlot[] stack, Int32 popCount, Int32 pushCount, ByteCode pushDefinition) in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\ILAst\ILAstBuilder.cs:line 47
at ICSharpCode.Decompiler.ILAst.ILAstBuilder.StackAnalysis(MethodDef methodDef) in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\ILAst\ILAstBuilder.cs:line 387
at ICSharpCode.Decompiler.ILAst.ILAstBuilder.Build(MethodDef methodDef, Boolean optimize, DecompilerContext context) in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\ILAst\ILAstBuilder.cs:line 269
at ICSharpCode.Decompiler.Ast.AstMethodBodyBuilder.CreateMethodBody(IEnumerable`1 parameters, MethodDebugInfoBuilder& builder) in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\Ast\AstMethodBodyBuilder.cs:line 112
at ICSharpCode.Decompiler.Ast.AstMethodBodyBuilder.CreateMethodBody(MethodDef methodDef, DecompilerContext context, AutoPropertyProvider autoPropertyProvider, IEnumerable`1 parameters, Boolean valueParameterIsKeyword, StringBuilder sb, MethodDebugInfoBuilder& stmtsBuilder) in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\Ast\AstMethodBodyBuilder.cs:line 88
--- End of inner exception stack trace ---
at ICSharpCode.Decompiler.Ast.AstMethodBodyBuilder.CreateMethodBody(MethodDef methodDef, DecompilerContext context, AutoPropertyProvider autoPropertyProvider, IEnumerable`1 parameters, Boolean valueParameterIsKeyword, StringBuilder sb, MethodDebugInfoBuilder& stmtsBuilder) in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\Ast\AstMethodBodyBuilder.cs:line 92
at ICSharpCode.Decompiler.Ast.AstBuilder.<>c__DisplayClass89_1.<AddMethodBody>b__0() in C:\projects\dnspy\Extensions\ILSpy.Decompiler\ICSharpCode.Decompiler\ICSharpCode.Decompiler\Ast\AstBuilder.cs:line 1531
*/

"""
pass

what Dnspy got to do with a python compiled program!! would u explain how u managed to modified the _PyEval_EvalFrameDefault function!

June 30, 2020

15 hours ago, shadow.Walker said:

do u mind explaining how to do that? how to dump the bytes from _PyEval_EvalFrameDefault

_PyEval_EvalFrameDefault executes a code object on the Python frame.
To dump the code object to a file you need to use PyMarshal_WriteObjectToFile / PyMarshal_WriteObjectToString at an appropriate place within the function.

15 hours ago, shadow.Walker said:

what Dnspy got to do with a python compiled program!! would u explain how u managed to modified the _PyEval_EvalFrameDefault function!

DnSpy has nothing to do with Python. It's just a piece of string inserted there on purpose.

Edited June 30, 2020 by Extreme Coders (see edit history)

October 20, 2020

@Extreme Coders would you be able to share your compiled python #lazy

thanks!

October 22, 2020

@bytemangl3r I can but doubt that will be of any help since it's compiled for Linux and isn't a generic solution against Pyarmor i.e. won't work against the recent versions.

November 24, 2020

On 10/22/2020 at 4:19 AM, Extreme Coders said:

I can but doubt that will be of any help since it's compiled for Linux and isn't a generic solution against Pyarmor i.e. won't work against the recent versions.

im on linux and it would be VERY helpfull if u could still send it

Edited November 24, 2020 by OliKing800 (see edit history)

Sign In

Python Pyarmor + My Protector

Recommended Posts

0x72 2

Link to post

CodeExplorer 3,505

Link to post

0x72 2

Link to post

Extreme Coders 443

Link to post

0x72 2

Link to post

Powante 0

Link to post

Extreme Coders 443

Link to post

Powante 0

Link to post

OdieWan 2

Link to post

shadow.Walker 1

Link to post

shadow.Walker 1

Link to post

Extreme Coders 443

Link to post

bytemangl3r 0

Link to post

Extreme Coders 443

Link to post

OliKing800 0

Link to post

Create an account or sign in to comment

Create an account

Sign in

Community

Search