0x0 Background

After 6pan shut down, PikPak came along. It is no match for 6pan, but it is good enough. The problem is that there is no official PC client, which makes batch downloading of files very inconvenient. The official group does have links to a number of officially published third-party clients, and in one of them even handing downloads off to IDM is a paid feature... I wanted to reverse it to see how the machine ID (机器码) is generated, so this is a brief record of the material I referred to along the way.

0x1 Process

After opening it in IDA I saw a WinMain(x, x, x, x). Looking at the calls, one of the branches contained this string: Cannot open PyInstaller archive from executable ..... So this is a Python program packaged with PyInstaller.

I recalled that GC had written about reversing PyInstaller bundles; the link is here: 记一次简单的Python逆向 (A simple Python reversing writeup)

Some Googling also turned up several writeups, and all of them unpack with pyinstxtractor and decompile with uncompyle6.

python逆向实战:反编译pyinstaller打包生成的exe (Practical Python reversing: decompiling an exe built with PyInstaller) mentions that PYZ-00.pyz_extracted should be the main directory to look at. But after my first attempt at unpacking with pyinstxtractor, that directory was empty.

Only then did I notice the log saying that Python 3.8 is needed to unpack it:

[!] Warning: This script is running in a different Python version than the one used to build the executable.
[!] Please run this script in Python308 to prevent extraction errors during unmarshalling
[!] Skipping pyz extraction

I didn't want to install another copy of Python 3.8; luckily Google turned up a portable build, Portable Python 3.8.
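The warning above is pyinstxtractor comparing the Python version recorded in the archive with the interpreter it is running under. The following script is an added example, not code from this post or from pyinstxtractor: it reads that version straight from the PyInstaller 2.1+ trailer (the "cookie") so you know which interpreter to launch before extracting anything. The cookie layout is the one pyinstxtractor itself parses; the sample executable is constructed in memory with made-up values, and the function names are my own.

```python
import struct
import sys
from pathlib import Path
from typing import Optional, Tuple

# Trailer ("cookie") of a PyInstaller 2.1+ CArchive, big-endian, same layout
# pyinstxtractor reads: magic, package length, TOC offset, TOC length,
# Python version, and the name of the bundled Python DLL (NUL padded).
PYINST21_MAGIC = b"MEI\014\013\012\013\016"
PYINST21_COOKIE = struct.Struct("!8sIIii64s")  # 88 bytes in total


def decode_pyver(pyver: int) -> Tuple[int, int]:
    """Map the cookie's version integer to (major, minor).

    Older PyInstaller releases store e.g. 38 for 3.8; newer ones store 308,
    which is the "Python version: 308" seen in the extractor output.
    """
    if pyver >= 100:
        return pyver // 100, pyver % 100
    return pyver // 10, pyver % 10


def parse_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the cookie fields if `data` carries a PyInstaller 2.1+ archive, else None."""
    pos = data.rfind(PYINST21_MAGIC)  # the cookie sits at the end of the overlay
    if pos < 0 or pos + PYINST21_COOKIE.size > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyver, pylib = PYINST21_COOKIE.unpack_from(data, pos)
    major, minor = decode_pyver(pyver)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_position": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def matches_running_interpreter(version: str) -> bool:
    """True when the archive was built by the same major.minor as this interpreter."""
    return version == f"{sys.version_info.major}.{sys.version_info.minor}"


def build_sample_exe() -> bytes:
    """Constructed stand-in for a packed executable: a fake PE stub plus a cookie.

    Every value here is made up for the demo; nothing is taken from the real client.
    """
    stub = b"MZ" + b"\x00" * 62 + b"FAKE PE BODY" * 4
    cookie = PYINST21_COOKIE.pack(PYINST21_MAGIC, 4096, 3000, 1000, 308, b"python38.dll")
    return stub + cookie


if __name__ == "__main__":
    # Pass a real path to inspect a file; with no argument the constructed sample is used.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_exe()
    info = parse_pyinstaller_cookie(data)
    if info is None:
        print("no PyInstaller 2.1+ cookie found")
    else:
        for key, value in info.items():
            print(f"{key:16} {value}")
        if not matches_running_interpreter(info["python_version"]):
            print(f"[!] run the extractor under Python {info['python_version']}, "
                  f"not {sys.version.split()[0]}")
```

Run it against the packed executable first; if it reports a version other than the one in your shell, that is the extractor's "Skipping pyz extraction" warning waiting to happen, and the fix is the matching interpreter, not a different extractor.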

After downloading and extracting it, run Console-Launcher.exe and you can use Python 3.8 in the terminal; the unpack then succeeds:

[+] Processing PikPak_xxxxx.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 308
[+] Length of package: 44069253 bytes
[+] Found 137 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_multiprocessing.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_win32api.pyc
[+] Possible entry point: pyi_rth_win32comgenpy.pyc
[+] Possible entry point: pyi_rth_pyqt5.pyc
[+] Possible entry point: pikpak.pyc
[+] Found 563 files in PYZ archive
[+] Successfully extracted pyinstaller archive: PikPak_xxxxx.exe

You can now use a python decompiler on the pyc files within the extracted directory

According to the output, the program's main entry point is probably pikpak.pyc, so that file is the place to start.

Decompiling with uncompyle6 fails with an error:

# Deparsing stopped due to parse error

Looking through the original repository, decompyle3 is recommended for Python 3.7 and above:

For Python 3.7 and 3.8, the code in decompyle3 is generally better.

decompyle3 reports the same error, but by combining the bytecode with the parts of the source that did decompile successfully, the logic can still be worked out.
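When both decompilers give up, the raw bytecode is the ground truth. The following is an added example, not the post's own code and not part of uncompyle6 or decompyle3: it reads the pyc magic to confirm which Python wrote the file (the same version requirement as for extraction, because the marshal format differs between releases), refuses to unmarshal under a mismatched interpreter, and then dumps the names, the string constants and a dis listing that can be read alongside whatever the decompiler did manage to produce. Loading a code object with marshal does not execute it, so nothing from the sample ever runs. The sample pyc is constructed from a made-up function, and the helper names are my own.

```python
import dis
import importlib.util
import io
import marshal
import struct
from typing import Dict, Set

# pyc magic words (first two bytes, little-endian) of recent CPython releases.
# The full 4-byte MAGIC_NUMBER is this word followed by b"\r\n".
PYC_MAGIC_WORDS: Dict[int, str] = {
    3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9",
    3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13",
}


def magic_word(pyc: bytes) -> int:
    return struct.unpack("<H", pyc[:2])[0]


def pyc_python_version(pyc: bytes) -> str:
    """Version that wrote this pyc, read from its magic, or 'unknown (word N)'."""
    word = magic_word(pyc)
    return PYC_MAGIC_WORDS.get(word, f"unknown (word {word})")


def header_size(word: int) -> int:
    # PEP 552 layout (magic >= 3392, i.e. 3.7+): magic + flags + 8 bytes mtime/hash.
    # Older pycs: magic + mtime + source size.
    return 16 if word >= 3392 else 12


def load_code_from_pyc(pyc: bytes):
    """Unmarshal the code object, refusing to do so under a mismatched interpreter.

    The object is only loaded, never executed.
    """
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError(
            f"pyc was built by Python {pyc_python_version(pyc)}; "
            f"run this script under that version, the marshal format differs")
    return marshal.loads(pyc[header_size(magic_word(pyc)):])


def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            yield from walk_code(const)


def collect_names(code) -> Set[str]:
    """Globals, attributes and imports referenced anywhere in the module."""
    return {n for c in walk_code(code) for n in c.co_names}


def collect_strings(code) -> Set[str]:
    """String constants anywhere in the module: separators, prefixes, keys."""
    return {k for c in walk_code(code) for k in c.co_consts if isinstance(k, str)}


def disassemble(code) -> str:
    """dis listing of the module and all nested functions, as one string."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


# Made-up function standing in for an ID-derivation routine; not from the client.
SAMPLE_SOURCE = '''
def make_id(host, mac):
    raw = host.upper() + "|" + mac.replace(":", "")
    return "PK-" + raw[:12]
'''


def build_sample_pyc() -> bytes:
    """Constructed pyc for the running interpreter: 16-byte header + marshalled code."""
    code = compile(SAMPLE_SOURCE, "sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0)  # flags, mtime, size
    return header + marshal.dumps(code)


if __name__ == "__main__":
    pyc = build_sample_pyc()
    print("written by Python", pyc_python_version(pyc))
    code = load_code_from_pyc(pyc)
    print("names:  ", sorted(collect_names(code)))
    print("strings:", sorted(s for s in collect_strings(code) if s))
    print(disassemble(code))
```

The names and string constants are usually enough to locate the routine of interest (here the `"PK-"` prefix and the `upper`/`replace` calls), and the dis listing of that one code object is what gets read next to the partial decompiler output.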

Last modified: May 21, 2022