Svenskithesource / PyArmor-Unpacker

A deobfuscator for PyArmor.
GNU General Public License v3.0

The Why ? #56

Open sdestivelle opened 6 months ago

sdestivelle commented 6 months ago

Hello there. Out of curiosity, I would like to know why you want to deobfuscate pyarmor code?

Because I use pyarmor to protect my code for software development, and if my customers could decrypt it, it is bad.

Regards.

rakovskij-stanislav commented 6 months ago

@sdestivelle

As a reverse engineer on a malware analysis team, I can share with you that pyarmor is a common tool for threat actors to protect their trojans written in Python. So for me, instruments like this could help to confirm maliciousness and reveal what set of actions this executable has :)

holly-hacker commented 5 months ago

While some legitimate software certainly uses obfuscators like PyArmor to protect their IP (or more realistically, their license checks), it is way more common in malware where obfuscation is the norm. Tools like these are essential to ensure our online safety, which in my opinion outweighs the desire for an easy, one-step protection against software piracy that will eventually get bypassed by a skilled reverse engineer anyway.

In the end, there are better solutions to combat piracy. All code that runs on a client's machine should be considered insecure, after all. I suggest moving your important business logic off the client's machine (i.e. to a server), or designing a product that people want to pay for (see blog posts such as Piracy and the four currencies).

rakovskij-stanislav commented 5 months ago

@GarryyBD

IDK why you set a thumbs-down reaction for me :) I only answered the question of the topic starter, that for me this tool could help to reverse malicious samples. It's common practice for threat actors to protect their code using pyarmor:

So fighting with pyarmor is a part of our work, just because we need to know the exact logic of malicious samples for writing rules, blacklisting IPs and domains, etc.

Also, it's strange for me to see that you use my signature at the end of the text :P

Regards,
@rakovskij-stanislav

Svenskithesource commented 5 months ago

You guys all bring up great arguments for why this tool might be useful. I did not have any intentions for this tool in mind while creating it. This was purely a learning/research project for myself and (hopefully) educational for others. As @holly-hacker mentioned, the positive side (malware analysis, educational value) outweighs the negative (piracy) in my opinion. This is the case for every deobfuscator after all.