I have had a hard time today analysing a malware sample that loads a byte-like Python code object (with marshal.loads(obj_bytes)) and executes it (with exec()). After testing several options, I found a way that worked:
Save byte-like Python code object as PYC file:
import importlib
import importlib._bootstrap_external
import marshal

# obj_bytes: the bytes the sample passes to marshal.loads()
co = marshal.loads(obj_bytes)
# Convert marshalled code object `co` to PYC (16-byte header + marshalled code)
# https://stackoverflow.com/a/73454818/6245337
pyc_data = importlib._bootstrap_external._code_to_timestamp_pyc(co)
# Write PYC to file
with open('result.pyc', 'wb') as f:
    f.write(pyc_data)
Decompile the PYC file. The object had been compiled with Python 3.10 and there are not many decompilers for it. After trying several tools, these two options worked (the first one worked better than the second) to decompile the PYC file:
I propose to add unpyc37-3.10 to FLARE-VM. @mandiant/flare-vm should we add pycdc.exe (and maybe some other binary from https://github.com/extremecoders-re/decompyle-builds/releases/download/build-16-Oct-2024-5e1c403) as well?
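The conversion described above, as an added example that is not part of the original post: it builds the .pyc with the same private helper and by hand from the PEP 552 header layout, checks the header before handing the file to a decompiler, and walks the code object for names and strings without ever calling exec(). The stage source, `obj_bytes`, and all function names are constructed for the example.

```python
import importlib.util
import importlib._bootstrap_external
import marshal
import struct
import types

# Constructed stand-in for the sample's marshalled stage (hypothetical source);
# in the real case obj_bytes is whatever the loader hands to marshal.loads().
STAGE_SRC = (
    "import os\n"
    "URL = 'http://example.invalid/stage3'\n"
    "def fetch(path):\n"
    "    return os.path.join(path, 'stage3.bin')\n"
)
obj_bytes = marshal.dumps(compile(STAGE_SRC, "<stage2>", "exec"))

def code_to_pyc(obj_bytes: bytes) -> bytes:
    """The post's recipe: unmarshal, then wrap in a timestamp-based .pyc header."""
    co = marshal.loads(obj_bytes)
    return bytes(importlib._bootstrap_external._code_to_timestamp_pyc(co))

def code_to_pyc_manual(obj_bytes: bytes) -> bytes:
    """Same 16-byte header built by hand (PEP 552): magic, flags=0, mtime=0, size=0."""
    co = marshal.loads(obj_bytes)
    return importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0) + marshal.dumps(co)

def parse_pyc_header(pyc: bytes) -> dict:
    """Sanity-check a produced .pyc before handing it to a decompiler."""
    flags, mtime, size = struct.unpack("<III", pyc[4:16])
    return {"magic_ok": pyc[:4] == importlib.util.MAGIC_NUMBER,
            "flags": flags, "mtime": mtime, "source_size": size}

def code_from_pyc(pyc: bytes) -> types.CodeType:
    """Strip the header and unmarshal: the first step every decompiler performs."""
    return marshal.loads(pyc[16:])

def static_triage(obj_bytes: bytes) -> dict:
    """Walk the code object and nested functions without exec(): names and strings."""
    names, strings = set(), set()
    stack = [marshal.loads(obj_bytes)]
    while stack:
        co = stack.pop()
        names.update(co.co_names)
        for const in co.co_consts:
            if isinstance(const, str):
                strings.add(const)
            elif isinstance(const, types.CodeType):
                stack.append(const)
    return {"names": sorted(names), "strings": sorted(strings)}

if __name__ == "__main__":
    pyc = code_to_pyc(obj_bytes)
    with open("result.pyc", "wb") as f:
        f.write(pyc)
    print(parse_pyc_header(pyc), static_triage(obj_bytes))
```

The header's magic number is that of the interpreter writing the file, so run this under the same Python version the sample targets (3.10 here) or the decompiler will reject the .pyc.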