PyInstaller is a popular tool used by developers to package Python applications into standalone executables. It simplifies the distribution of Python programs by bundling all the necessary dependencies and creating an executable file that can run independently on different systems.

While it streamlines the distribution process, the nature of Python as an interpretable language raises security concerns. In certain scenarios, security testers may need to decompile PyInstaller-generated executables to unveil potential vulnerabilities, discover hardcoded secrets, and analyze the underlying code.

This article provides a brief overview of the decompilation process, aiming to raise awareness among developers about the potential risks associated with distributing proof of concepts (PoCs) and programs. By understanding that the process of reverse engineering and analysis is relatively straightforward, it becomes evident that malicious individuals may be more inclined to attempt cracking your application or exploiting it to breach your systems.

There are several tools commonly used for unpacking and decompiling the bytecode to obtain Python code for analysis purposes.

One widely used tool is PyInstaller Extractor, which is utilized to unpack the executable file. It can be found at https://sourceforge.net/projects/pyinstallerextractor/

When unpacking the executable, a collection of .pyc files is obtained. These files contain compiled bytecode generated by the Python interpreter when a Python script is executed or imported.

As of May 2023, it is relatively straightforward to recover the original Python code if the .pyc files were generated using Python versions before 3.9. There are a couple of libraries that can be employed for this purpose:

1. uncompyle6 (https://pypi.org/project/uncompyle6/): This library can be used to decompile the Python bytecode and retrieve the corresponding source code.
2. decompyle3 (https://github.com/rocky/python-decompile3): Another useful library that assists in decompiling Python bytecode and obtaining the original source code.

However, it’s worth noting that the latest Python version at the time of writing is 3.11+, and the decompilation of .pyc files for versions beyond 3.8 is more challenging
Implementing methods to decompile the bytecode for the latest Python versions is a time-consuming process, which is why it takes some time to update.

Despite this limitation, I found a tool called pycdc available at https://github.com/zrax/pycdc that can partially decompile code from the latest Python versions. It should be noted that this tool may not always succeed but can provide some code fragments for analysis.

Packing

As a demonstration, let’s create a quick Proof of Concept (PoC) with hardcoded credentials to showcase the decompilation process.

After developing the PoC, we proceed to pack it into an executable file (.exe) using the PyInstaller tool. This step creates a standalone executable that encapsulates the Python code and its dependencies.

Unpacking

Now, let’s assume that the generated .exe file gets leaked or falls into the hands of an attacker. From the attacker’s perspective, the first step is to extract the compiled bytecode (.pyc) from the executable:

Next, the attacker can utilize pycdc.exe (Decompile++) to decompile the bytecode into readable Python code.
This process is possible even if the Python version used for compilation is higher than 3.8, thanks to the capabilities of pycdc.

As a result, the attacker gains access to easily analyzable and exploitable code, exposing any hardcoded credentials or potential vulnerabilities present in the original code.

Decompiling PyInstaller executables holds great significance in security testing as it reveals vulnerabilities, exposes hardcoded secrets, and evaluates code quality.
The process is often more accessible than developers might anticipate. With a lower entry threshold, more hackers are inclined to attempt breaking into your executables. Therefore, it is crucial to code responsibly and implement best practices, even when working on Proof of Concepts (PoCs). By prioritizing security measures from the start, you can minimize the risks associated with decompilation and enhance the overall resilience of your applications.