LeagueOfPoro / EsportsCapsuleFarmer

Automatically watch all live matches on lolesports and farm Esports Capsules
https://www.youtube.com/c/LeagueOfPoro

Why is this unable to be decompiled? #3

Closed Ekultek closed 2 years ago

Ekultek commented 2 years ago

UPDATE (07/07/2022):

Since the owner has decided to prevent me from posting on this thread this is what has happened so far:

1a07e810620002e0a9dc0d7997716f3903802af0cd59e6079a15427163790fd0  main.exe  # after building with pyinstaller
8e9d7cb05e025962ae2f55ff514dd9580d664849b99d444f6225a130c9be1f9c  ../CapsuleFarmer.exe

Along with the size difference:


ORIGINAL QUESTION:

Your exe that you're providing is detected by two AV's as malicious: https://www.virustotal.com/gui/file/8e9d7cb05e025962ae2f55ff514dd9580d664849b99d444f6225a130c9be1f9c/detection

When decompiling the exe in order to determine the issue myself I'm unable to decompile it. What this means is that in some way you put something into the exe to prevent the ability to decompile it and see what's going on. So my question becomes, why?

Error from decompiler:

Unknown type 0
Traceback (most recent call last):
  File "/home/salty/venv/bin/uncompyle6", line 8, in <module>
    sys.exit(main_bin())
  File "/home/salty/venv/lib/python3.8/site-packages/uncompyle6/bin/uncompile.py", line 196, in main_bin
    result = main(src_base, out_base, pyc_paths, source_paths, outfile,
  File "/home/salty/venv/lib/python3.8/site-packages/uncompyle6/main.py", line 304, in main
    deparsed = decompile_file(
  File "/home/salty/venv/lib/python3.8/site-packages/uncompyle6/main.py", line 201, in decompile_file
    decompile(
  File "/home/salty/venv/lib/python3.8/site-packages/uncompyle6/main.py", line 81, in decompile
    assert iscode(co), f"""{co} does not smell like code"""
AssertionError: None does not smell like code

As you can see the assertion itself determines that you are preventing people from reversing your app, I just would like to know why?

oldkingcone commented 2 years ago

I assume they don't want people to steal the work they put into the app; just like most software that isn't "open-source"

That's not how Python works, or code works in general. From my experience, if it's obfuscated or has anti-tamper techniques in the code, there's something nasty in the code. Considering that multiple sandboxes have detected and consider this executable in question as behaving like ransomware, it's very curious why this guy went the extra step to make sure the executable, which was transpiled from Python to a native binary, is as difficult a task as it is to reverse back into plain Python code. That is a real good indication that the executable is not the same code as the small Python script in this repo.

Ekultek commented 2 years ago

Side note: https://www.joesandbox.com/analysis/658201/0/html

Ekultek commented 2 years ago

Also for people reading this that don't understand, python exe files are completely decompilable. Unless you specifically design the exe to not be decompiled anyone with the tools and know-how can get the source code of the application. Now seeing how this is an "opensource" tool that has its "source code" on github. That fact is completely irrelevant.

LordTeruki commented 2 years ago

🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩

LeagueOfPoro commented 2 years ago

I did not do any measures that would prevent decompiling. The exes are created exactly as it says in the README.md.

pipenv install --dev
pipenv run pyinstaller -F --icon=poro.ico .\main.py

LordTeruki commented 2 years ago

download this exe and then login to league, seems legit

LeagueOfPoro commented 2 years ago

This is your error message:

File "/home/salty/venv/lib/python3.8/site-packages/uncompyle6/main.py", line 81, in decompile

The program is compiled with Python 3.10 as you can see in Pipfile. You are using uncompyle6 which supports Python until 3.8. From the PyPI.org page of uncompyle6:

> It accepts bytecodes from Python version 1.0 to version 3.8, spanning over 24 years of Python releases.

So my recommendation - if you don't know how to decompile files and cannot be bothered reading the documentation for tools you are using, maybe it is not a great idea to accuse and attack others

LeagueOfPoro commented 2 years ago

Side note: https://www.joesandbox.com/analysis/658201/0/html

As you can see in the sandbox, none of the code is flagged as malicious except possibly the chromedriver.exe. This file is downloaded when the program is run because it needs to match the Chrome version exactly. The path to the file is shown in the sandbox report, it will be somewhere in C:\Users\<YOUR_USERNAME>\AppData\Local\Temp\. Here's the VirusTotal report of said file.

Ekultek commented 2 years ago

@LeagueOfPoro firstly; none of the decompilers are able to decompile it, that's just a small sample of what was tried. Secondly; as you can see in the sandbox the exe itself is "suspicious":

> As you can see in the sandbox, none of the code is flagged as malicious

Suspicious is good enough for me to reverse it, so you're worried about the wrong things. Thirdly;

> So my recommendation - if you don't know how to decompile files and cannot be bothered reading the documentation for tools you are using, maybe it is not a great idea to accuse and attack others

You need to go read it again.

Ekultek commented 2 years ago

regardless of what you're trying to do, i dont give a shit either way I was just curious why youre trying to hide it so well. but since you clearly are going to be rude and extreme, i'll make sure that this gets flagged as malicious all over the world. thank you for your time.

oldkingcone commented 2 years ago

https://analyze.intezer.com/analyses/253c564d-31a8-401c-8c5c-8d705d978d7f/behavior

its a token grabber lol

LordTeruki commented 2 years ago

i will also submit to AV vendors as malicious

oldkingcone commented 2 years ago

because he put anti vm stuff in there. but its still pretty shit tbh.

Ekultek commented 2 years ago

maybe we should reopen this then?

oldkingcone commented 2 years ago

> maybe we should reopen this then?

oh 100%

LordTeruki commented 2 years ago

poro is very quiet

LeagueOfPoro commented 2 years ago

You know what, I don't care anymore. You clearly don't know what you are doing and trying to find sensations somewhere where they aren't.

LordTeruki commented 2 years ago

you are distributing malware

Ekultek commented 2 years ago

https://www.virustotal.com/gui/file/8e9d7cb05e025962ae2f55ff514dd9580d664849b99d444f6225a130c9be1f9c VT disagrees with your statement now.

> You know what, I don't care anymore. You clearly don't know what you are doing and trying to find sensations somewhere where they aren't.

LordTeruki commented 2 years ago

until you explain, we will do our best to get this flagged by all AV vendors to stop the spread of your malware, everything you have said has been sus af

LordTeruki commented 2 years ago

The sandbox Yomi Hunter flags this file as: [MALWARE]

JonasTD commented 2 years ago

https://www.hybrid-analysis.com/sample/8e9d7cb05e025962ae2f55ff514dd9580d664849b99d444f6225a130c9be1f9c/62c5044190be191ec04b8683

LordTeruki commented 2 years ago

MALICIOUS, says it right there

LordTeruki commented 2 years ago

75/100 threat score YT should shut down his channel

LordTeruki commented 2 years ago

yeah so what? what does it say

Ekultek commented 2 years ago

That's because it does side loading and dynamic API calling. Apparently I'm allowed to comment now.

JonasTD commented 2 years ago

https://www.filescan.io/uploads/62c5fc8ed10613c3c96bbc2b/reports/5b19b930-4d07-4646-b0ec-558737d19afd/overview

Ekultek commented 2 years ago

@JonasTD when you build the source with pyinstaller it's 6.9k KB in size; the release is 7.4k KB.

LeagueOfPoro commented 2 years ago

So I had some fun. See this analysis from your "PROFESSIONAL TOOL" https://analyze.intezer.com/analyses/752efa93-8fc7-49b8-9349-493b802103d7

It's this code:

from pprint import pprint
pprint("Hello world")

Hello world. So malicious.

And this is literally an empty file with no user code inside: https://analyze.intezer.com/analyses/8f75e4d5-b861-46a0-bfc1-8b700eda7633

SkinSpotlights commented 2 years ago

Note, I haven't analysed anything I don't have time to and just want to interject my own thoughts on the matter based on everything.

Going to preface this with, if this truly is a virus I doubt it was intentional and probably more a cause of libraries getting infected without knowledge of it happening.

Just the usual people have made viruses using python and packaging them into exes and causes false positives. Executable size tests can only really be done apples to apples with exact same versions of everything.

To the initial post about the side loading, yes thats present because its part of pyinstaller, https://github.com/pyinstaller/pyinstaller/blob/22d1d2a5378228744cc95f14904dae1664df32c4/bootloader/src/pyi_main.c#L168

OpenProcessToken/GetTokenInformation, again... part of pyinstaller https://github.com/pyinstaller/pyinstaller/blob/22d1d2a5378228744cc95f14904dae1664df32c4/bootloader/src/pyi_win32_utils.c#L391

IsDebuggerPresent is commonly used in a lot of libraries, not too surprising to see it pop up depends on its usage whether its malware related but considering the last two examples I assume its part of pyinstaller as well.

I personally fail to see what gain there is for someone to yoink a small number of access tokens vs the damage it would cause to credibility.

LeagueOfPoro commented 2 years ago

> I personally fail to see what gain there is for someone to yoink a small number of access tokens vs the damage it would cause to credibility.

Exactly my thinking. Also, hello, big fan of your work!

alepouna commented 2 years ago

What am I reading?

> MALICIOUS, says it right there

@LordTeruki

> because he put anti vm stuff in there. but its still pretty shit tbh.

@oldkingcone

I'm sorry but if I told you python is used to make literally ANY type of malware from ransomware to discord token grabbers, does that make any project using Python a malware as well? No.

Create an empty Python file, compile it using the same technique in the readme.md and upload it to your 'security analysis tools' that you use. See for yourself and at the same time laugh at yourself for misusing these 'credible' sites.

The fact that you are just looking at random sites that you have 0 ideas how they work or how they analyze the code just to come up with the conclusion that its malware, just only shows you are commenting here to go into a witch hunt and provide no actual context or any usefulness to the initial issue inquiry or you have no idea of what you are doing or both.

--

@Ekultek I see you attempted to decompile the file but you actually failed to realize you are decompiling a Python file that was built into an exe which includes Python itself and DEPENDENCIES. In case you live under a rock, let me remind you that DEPENDENCIES are hosted ONLINE on PIP and updated by their publishers at ANY point in time. In addition to that, any developer can use other dependencies inside his own PIP package, and the point is, any dependency can have some sort of actual malicious code or code that can be exploited to make it malicious, for example 0-day exploits. It is impossible for the ordinary user to know of these exploits, which is why software gets updated, and obviously any credible tool online will report on them beforehand (for example Dependabot by GitHub).

You can also take a look at this article 'Famous npm package deletes files to protest Ukraine war' to get an idea of what I mean.

Finally, you can check the repo on the most famous, professional and actually credible tool on GitHub https://lgtm.com/projects/g/LeagueOfPoro/EsportsCapsuleFarmer/

Conclusion

If you are concerned a repository is a virus, look at the source code. You think a release is a virus? Find credible proof that it is and report it to GitHub. Then the actual experts can take a look and come to their own conclusion.

If you are looking to start drama, go to Twitter and get off this platform.

Ekultek commented 2 years ago

Woah that's crazy.

Traceback (most recent call last):
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\dis.py", line 553, in <module>
    _test()
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\dis.py", line 549, in _test
    code = compile(source, args.infile.name, "exec")
ValueError: source code string cannot contain null bytes

Tell me again how I'm wrong.

@auroraisluna

> I see you attempted to decompile the file but you actually failed to realize you are decompiling a Python file that was built into an exe which includes Python itself and DEPENDENCIES.

Yes, the dependencies are *.pyd files, which is "python dependency" when compiled using pyinstaller. The actual code is a *.pyc file. If you googled before saying anything you would have realized that I decompiled the *.pyc file before making the issue; it's okay, reading is hard, I forgive you. I'll explain how it works to you:

Files compiled into an exe by pyinstaller are compiled with the dependencies and Python so that you don't have to install Python on the target system. Makes it compatible and distributable, which is awesome. However, all pyinstaller files can be decompiled very easily using available tools (Google will help if you're lost already). Once the exe has been decompiled you get a list of files (*.pyd and *.pyc). The *.pyc files are the ones that you want because they contain the code that was written by the distributor, so you can reverse these using the dis library (it's built-in, feel free to google it) or tools like uncompyle, pycdc, etc. In order to prevent decompilation you add NOPs (\x90) or NULL bytes (\x00) to the pyc file. In pyc files NULLs act a lot like NOPs in assembly (you're gonna have to google again, I'm sorry). So if the file isn't tampered with, pycdc, and theoretically uncompyle6, will decompile the pyc file without problems.

However, this one isn't able to be decompiled, and as I said, why? The whole question was why?

TL;DR: .pyc is what you decompile out of a pyinstaller exe because it's python bytecode .pyd is what the dependencies are.

> If you are concerned a repository is a virus, look at the source code.

I'll just report the repo, thanks.

@SkinSpotlights

> Going to preface this with, if this truly is a virus I doubt it was intentional and probably more a cause of libraries getting infected without knowledge of it happening.

That's completely acceptable and makes sense to me. Thank you.
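The version mismatch LeagueOfPoro points out (uncompyle6 stops at 3.8, the exe is built with 3.10) and the .pyc handling Ekultek walks through above, as an added example that is not part of this thread or of the project's code: it reads a .pyc header to identify the CPython release that produced it and asks whether a given decompiler supports that release; the `python -m dis` traceback above comes from compile() reading the file as source text, which is why NUL bytes are fatal there but not for marshal. The magic-number table and header layout are CPython's own; the 3.10 sample bytes and the decompiler table are constructed for illustration.

```python
"""Added example for this thread, not code from the EsportsCapsuleFarmer
project: read a .pyc header, learn which CPython produced the file and check
whether a decompiler supports that version before blaming the file. Assumes
the 16-byte header used since 3.7; PyInstaller stores the main script's code
object without it, so run this on the .pyc that pyinstxtractor writes out."""
import importlib.util
import marshal
import struct
import types

# Magic number (first two header bytes, little-endian) -> CPython release.
# Values from CPython's Lib/importlib/_bootstrap_external.py.
MAGIC_TO_VERSION = {
    3379: (3, 6), 3394: (3, 7), 3413: (3, 8), 3425: (3, 9),
    3439: (3, 10), 3495: (3, 11), 3531: (3, 12), 3571: (3, 13),
}

# Newest bytecode a tool accepts. uncompyle6's limit is the one quoted from
# its PyPI page in the thread; add the tools you actually use.
DECOMPILER_MAX_VERSION = {"uncompyle6": (3, 8)}


def identify_pyc(data: bytes) -> dict:
    """Parse the header and report what a decompiler needs to know."""
    if len(data) < 16:
        raise ValueError("shorter than a .pyc header")
    magic, crlf, flags, _field2, field3 = struct.unpack("<H2sIII", data[:16])
    if crlf != b"\r\n":
        raise ValueError("magic word does not end in CR LF: not a .pyc header")
    info = {
        "magic": magic,
        "version": MAGIC_TO_VERSION.get(magic),   # None: magic not in table
        "hash_based": bool(flags & 1),            # PEP 552 hash-based pyc
        "source_size": None if flags & 1 else field3,
        # NUL padding after the marshalled object is ignored by marshal.loads
        # but breaks `python -m dis file.pyc`, which compiles its input as
        # source text, and compile() rejects NUL bytes.
        "trailing_nul": len(data) - len(data.rstrip(b"\x00")),
        "loads_as_code": None,   # only tested on the running interpreter
    }
    # marshal is version-specific, so only unmarshal bytecode that matches
    # the interpreter we are running. The object is inspected, never executed.
    if data[:4] == importlib.util.MAGIC_NUMBER:
        try:
            obj = marshal.loads(data[16:])
            info["loads_as_code"] = isinstance(obj, types.CodeType)
        except (ValueError, EOFError, TypeError):
            info["loads_as_code"] = False
    return info


def decompiler_supports(tool, version):
    """True/False for a known tool and version, None when either is unknown."""
    limit = DECOMPILER_MAX_VERSION.get(tool)
    if limit is None or version is None:
        return None
    return version <= limit


def build_sample_pyc(source):
    """Constructed sample: a timestamp-based .pyc for the running interpreter."""
    code = compile(source, "<sample>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)
```

Running `identify_pyc` on a file whose magic maps to (3, 10) and asking `decompiler_supports("uncompyle6", (3, 10))` reproduces the thread's situation: the tool is the wrong one for the bytecode, which says nothing about tampering.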

oldkingcone commented 2 years ago

> Note, I haven't analysed anything I don't have time to and just want to interject my own thoughts on the matter based on everything.
>
> Going to preface this with, if this truly is a virus I doubt it was intentional and probably more a cause of libraries getting infected without knowledge of it happening.
>
> Just the usual people have made viruses using python and packaging them into exes and causes false positives. Executable size tests can only really be done apples to apples with exact same versions of everything.
>
> To the initial post about the side loading, yes thats present because its part of pyinstaller, https://github.com/pyinstaller/pyinstaller/blob/22d1d2a5378228744cc95f14904dae1664df32c4/bootloader/src/pyi_main.c#L168
>
> OpenProcessToken/GetTokenInformation, again... part of pyinstaller https://github.com/pyinstaller/pyinstaller/blob/22d1d2a5378228744cc95f14904dae1664df32c4/bootloader/src/pyi_win32_utils.c#L391
>
> IsDebuggerPresent is commonly used in a lot of libraries, not too surprising to see it pop up depends on its usage whether its malware related but considering the last two examples I assume its part of pyinstaller as well.
>
> I personally fail to see what gain there is for someone to yoink a small number of access tokens vs the damage it would cause to credibility.

Although likely, the fact the executable was padded by either NOP's (\x90 ) or NULLS(\x00) fails to explain why if the code is truly the same as whats in the repo, is even in the trans-piled file to begin with. The extra steps done to prevent the de-compilation would indicate that the executable is not the same code as whats listed in this repo at all.

It also fails to explain why the sandboxes and AV vendors are flagging it as malicious, similarities are one thing for sure, however this does not explain behavioral flagging, which is why AV/EDR vendors are flagging it, on behavior. This culminated with the padding done to the file, does not give credence to the "oh it might just be a malicious library" theory. The reason why things like OpenProcessToken and IsDebuggerPresent are considered bad, are due to what follow on actions are typically done. The anti debugging and VM detection also do not give credence to, any of what you are saying as that is not part of pyinstaller by any means.

In conclusion:

The file listed in releases being almost a full 1000KB larger than the file listed in this repo AFTER compilation with pyinstaller, and the hash being different, signify that they are not the same, not even close to being the same. I think you need to look up how hashes are calculated using the Secure Hashing Algorithm (SHA) and then come back.

alepouna commented 2 years ago

@Ekultek

> Woah that's crazy.
>
> Traceback (most recent call last):
>   File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\runpy.py", line 194, in _run_module_as_main
>     return _run_code(code, main_globals, None,
>   File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\runpy.py", line 87, in _run_code
>     exec(code, run_globals)
>   File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\dis.py", line 553, in <module>
>     _test()
>   File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_x64__qbz5n2kfra8p0\lib\dis.py", line 549, in _test
>     code = compile(source, args.infile.name, "exec")
> ValueError: source code string cannot contain null bytes
>
> Tell me again how I'm wrong.

Actually don't, just install it please.

Lots of different people have installed the project, myself included. I have also decompiled the project the moment you brought up this thread to make sure, and I can decompile it just fine using https://github.com/zrax/pycdc. You can go ahead and make and run pycdc yourself to see the full code.

> @SkinSpotlights Going to preface this with, if this truly is a virus I doubt it was intentional and probably more a cause of libraries getting infected without knowledge of it happening. That's completely acceptable and makes sense to me. Thank you.

Now that you also can see I can decompile it just fine, let's not continue this witch hunting thread then? If you can't build the project on your machine, contact me directly.

@oldkingcone

> think you need to look up how hashes are calculated using the Secure Hashing Algorithm(SHA) and then come back.

Very relevant.

> Although likely, the fact the executable was padded by either NOP's (\x90 ) or NULLS(\x00) fails to explain why if the code is truly the same as whats in the repo, is even in the trans-piled file to begin with. The extra steps done to prevent the de-compilation would indicate that the executable is not the same code as whats listed in this repo at all.
>
> It also fails to explain why the sandboxes and AV vendors are flagging it as malicious, similarities are one thing for sure, however this does not explain behavioral flagging, which is why AV/EDR vendors are flagging it, on behavior. This culminated with the padding done to the file, does not give credence to the "oh it might just be a malicious library" theory. The reason why things like OpenProcessToken and IsDebuggerPresent are considered bad, are due to what follow on actions are typically done. The anti debugging and VM detection also do not give credence to, any of what you are saying, as that is not part of pyinstaller by any means.

Your decompiler errors or can't decompile != the project is malicious or its hiding its source code.

This will be my final entry on this issue request. I'm not willing to give you more attention or any more of my time, especially since this is not an actual issue. If y'all want to keep showing errors from your compilers, go to the compiler repo and make an issue there that you can't decompile this project. Maybe you can contribute something useful.

And again, if you are looking to start drama, go to Twitter and get off this platform.

@LeagueOfPoro I recommend locking this issue since it's going off the hill.