zrax / pycdc

C++ python bytecode disassembler and decompiler
GNU General Public License v3.0

Very strange decompiled code. #495

Closed JustGuardian closed 4 weeks ago

JustGuardian commented 3 months ago

config.pyc.zip I tried to decompile a .pyc with python3.10 and I got this:

# Source Generated with Decompyle++
# File: config.pyc (Python 3.10)

xor_table = [][round(abs((17432.4+6241.37j)))][round(abs((12179.6+61758.5j)))][round(abs((21220+32441.3j)))][round(abs((1311.56+29272.6j)))][round(abs((19322.2+55715.6j)))][round(abs((25149.6+22178.6j)))][round(abs((53086.4+37144.5j)))][round(abs((24490.6+7688.1j)))][round(abs((1682.33+20740.9j)))][round(abs((48856.6+42009.2j)))][round(abs((36471+28273.9j)))][round(abs((24753+56806.3j)))][round(abs((602.937+31514.2j)))][round(abs((26474.1+46548.1j)))][round(abs((7359.37+40206j)))][round(abs((19355.9+35378.2j)))][round(abs((21414.3+18199.1j)))][round(abs((11777.9+21095.9j)))][round(abs((12221.2+35374.4j)))][round(abs((7883.98+21628.9j)))][round(abs((5478.07+11229j)))][round(abs((42359.2+49539.1j)))][round(abs((34733.7+26950.3j)))][round(abs((10373.3+9033.01j)))][round(abs((8829.27+35898.1j)))][round(abs((20807.4+5202.8j)))][round(abs((3664+63640.6j)))][round(abs((23542.2+31933j)))][round(abs((14586.2+27078.3j)))][round(abs((18427.4+37600.3j)))][round(abs((3469.17+13293.8j)))][round(abs((16044.9+8237.72j)))][round(abs((33250.4+40528.8j)))][round(abs((6259.81+15161.6j)))][round(abs((6627.7+56051.5j)))][round(abs((1027.51+5756.01j)))][round(abs((3175.3+6875.16j)))][round(abs((21067.7+29086.8j)))][round(abs((20888.5+57257.7j)))][round(abs((25750.9+38283.3j)))][round(abs((3732.49+21394.9j)))][round(abs((59333.2+19942.4j)))][round(abs((18187.2+32614.8j)))][round(abs((18220+28148.9j)))][round(abs((669.557+11312.2j)))][round(abs((48421.1+43644.9j)))][round(abs((10773.1+49373.3j)))][round(abs((3416.79+37239.6j)))][round(abs((7679.21+11236.6j)))][round(abs((2720.14+7170.38j)))][round(abs((7174.1+52975.4j)))][round(abs((2010.82+702.498j)))][round(abs((12480.1+32261.2j)))][round(abs((28660.1+34244.2j)))][round(abs((1292.35+56497.2j)))][round(abs((35367.7+26965.7j)))][round(abs((35788+29700.5j)))][round(abs((12624.4+17975.8j)))][round(abs((1137.8+52114.6j)))][round(abs((24249+51582.5j)))][round(abs((906.286+18048.3j)))][round(abs((22137.7+54375.3j)))][round(abs((532.542+19507.7j)
))][round(abs((32673.7+41300.3j)))]
__CONFIG__ = {
    ''.join((lambda .0: for i in .0:
passif i == round(abs((5.0934+6.16906j))):
passelif i == round(abs((1.34954+8.89824j))):
passelif i == round(abs((0.266046+5.9941j))):
passelif i == round(abs((2.72403+1.25684j))):
passelif i == round(abs((4.92894+0.83999j))):
passelif i == round(abs((0.978308+0.207154j))):
passelif i == round(abs((3.18499+2.41988j))):
passelif i == round(abs((1.83555+0.794192j))):
passelif i == round(abs((3.08049+6.28574j))):
passcontinueround(abs((7960.79+37858.1j)))[round(abs((7326.93+24574j)))(round(abs((24155.2+55164.3j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((3.24017+9.46051j)))))): True,
    ''.join((lambda .0: for i in .0:
passif i == round(abs((1.81839+4.65762j))):
passelif i == round(abs((0.806109+2.88967j))):
passelif i == round(abs((3.12813+2.49295j))):
passelif i == round(abs((0.671834+0.740702j))):
passelif i == round(abs((1.75847+0.952769j))):
passelif i == round(abs((2.8274+5.29205j))):
passcontinueround(abs((5539.45+38269.2j)))[round(abs((27867.7+58580.2j)))(round(abs((43729+15815.1j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((1.57866+6.81966j)))))): True,
    ''.join((lambda .0: for i in .0:
passif i == round(abs((4.67604+3.7596j))):
passelif i == round(abs((2.87971+2.7762j))):
passelif i == round(abs((1.5116+1.30961j))):
passelif i == round(abs((0.0987191+0.995115j))):
passelif i == round(abs((1.88042+7.77586j))):
passelif i == round(abs((0+0j))):
passelif i == round(abs((6.13092+3.37815j))):
passelif i == round(abs((2.26652+4.45678j))):
passcontinueround(abs((19.0418+25642j)))[round(abs((30151.3+14405.8j)))(round(abs((34310.1+24366.2j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((3.27338+8.38362j)))))): True,
    ''.join((lambda .0: for i in .0:
passif i == round(abs((6.19971+9.08645j))):
passelif i == round(abs((0.292661+1.97847j))):
passelif i == round(abs((0.0816467+0.996661j))):
passelif i == round(abs((3.35617+8.35082j))):
passelif i == round(abs((0+0j))):
passelif i == round(abs((1.31557+6.87527j))):
passelif i == round(abs((0.347878+4.98788j))):
passelif i == round(abs((1.69239+3.62434j))):
passelif i == round(abs((2.69358+1.32084j))):
passelif i == round(abs((0.308629+5.99206j))):
passelif i == round(abs((2.84863+7.47565j))):
passcontinueround(abs((9887.47+64125.2j)))[round(abs((3321.01+20506.8j)))(round(abs((9668.08+33900.3j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((3.50547+11.4766j)))))): True,
    ''.join((lambda .0: for i in .0:
passif i == round(abs((0+0j))):
passelif i == round(abs((0.121726+3.99815j))):
passelif i == round(abs((2.9884+0.263587j))):
passelif i == round(abs((4.21543+2.6889j))):
passelif i == round(abs((0.126513+1.99599j))):
passelif i == round(abs((0.556265+0.831005j))):
passelif i == round(abs((1.44825+6.84855j))):
passcontinueround(abs((61388.3+13568.8j)))[round(abs((15174.9+20684.5j)))(round(abs((10179.8+10040.1j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((1.08681+7.92583j)))))): True,
    ''.join((lambda .0: for i in .0:
passif i == round(abs((0+0j))):
passelif i == round(abs((0.285745+0.958306j))):
passelif i == round(abs((3.52569+1.88931j))):
passelif i == round(abs((6.73358+4.31959j))):
passelif i == round(abs((4.97384+0.510781j))):
passelif i == round(abs((5.04026+4.85755j))):
passelif i == round(abs((4.86193+3.51592j))):
passelif i == round(abs((1.90833+2.31479j))):
passcontinueround(abs((59830.4+25107.5j)))[round(abs((26245.9+12832.4j)))(round(abs((7312.23+7829.41j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((5.69276+6.97083j)))))): True,
    ''.join((lambda .0: for i in .0:
passif i == round(abs((1.82263+0.823422j))):
passelif i == round(abs((2.38884+4.39243j))):
passelif i == round(abs((3.18577+5.08437j))):
passelif i == round(abs((0.362259+2.97805j))):
passelif i == round(abs((0+0j))):
passelif i == round(abs((0.638101+0.769952j))):
passcontinueround(abs((7833.79+16723.1j)))[round(abs((59762.6+19453.4j)))(round(abs((30639.6+46157.2j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((5.93536+3.711j)))))): ''.join((lambda .0: for i in .0:
passif i == round(abs((19.4227+63.0774j))):
passelif i == round(abs((94.5495+50.0939j))):
passelif i == round(abs((21.9014+44.9481j))):
passelif i == round(abs((3.78945+3.26191j))):
passelif i == round(abs((1.83312+6.75572j))):
passelif i == round(abs((33.4856+53.364j))):
passelif i == round(abs((18.5104+45.3692j))):
passelif i == round(abs((15.7566+10.6174j))):
passelif i == round(abs((35.9562+65.8191j))):
passelif i == round(abs((19.9042+19.6932j))):
passelif i == round(abs((16.341+29.8156j))):
passelif i == round(abs((34.9826+112.695j))):
passelif i == round(abs((57.9967+42.6659j))):
passelif i == round(abs((15.8192+25.4903j))):
passelif i == round(abs((12.0131+7.18919j))):
passelif i == round(abs((1.11814+3.84054j))):
passelif i == round(abs((0.576775+10.9849j))):
passelif i == round(abs((19.392+10.3898j))):
passelif i == round(abs((29.8984+97.5197j))):
passelif i == round(abs((9.64331+2.64698j))):
passelif i == round(abs((20.376+20.6354j))):
passelif i == round(abs((31.5077+26.2348j))):
passelif i == round(abs((1.89671+89.98j))):
passelif i == round(abs((1.20727+34.9792j))):
passelif i == round(abs((10.695+64.1141j))):
passelif i == round(abs((3.3359+95.942j))):
passelif i == round(abs((1.03741+15.9663j))):
passelif i == round(abs((8.94893+92.5684j))):
passelif i == round(abs((38.7906+101.864j))):
passelif i == round(abs((32.1189+114.584j))):
passelif i == round(abs((36.0615+49.1993j))):
passelif i == round(abs((36.2134+47.8392j))):
passelif i == round(abs((6.72826+55.5943j))):
passelif i == round(abs((34.6905+60.7994j))):
passelif i == round(abs((32.4364+35.3819j))):
passelif i == round(abs((53.2189+82.2907j))):
passelif i == round(abs((7.96393+76.587j))):
passelif i == round(abs((0+0j))):
passelif i == round(abs((2.27736+61.9582j))):
passelif i == round(abs((4.94043+36.6687j))):
passelif i == round(abs((20.4666+25.8866j))):
passelif i == round(abs((48.7331+63.4435j))):
passelif i == round(abs((24.3464+20.7666j))):
passelif i == round(abs((19.2694+51.514j))):
passelif i == round(abs((25.4161+46.5083j))):
passelif i == round(abs((2.96574+38.8871j))):
passelif i == round(abs((45.0089+79.0898j))):
passelif i == round(abs((23.0831+37.4589j))):
passelif i == round(abs((5.80424+68.7554j))):
passelif i == round(abs((3.74292+84.9176j))):
passelif i == round(abs((32.3623+59.8054j))):
passelif i == round(abs((4.66192+30.6475j))):
passelif i == round(abs((0.680467+2.92181j))):
passelif i == round(abs((46.8657+88.338j))):
passelif i == round(abs((3.33101+51.8932j))):
passelif i == round(abs((38.0868+19.9598j))):
passelif i == round(abs((82.5203+64.9261j))):
passelif i == round(abs((0.331351+5.99084j))):
passelif i == round(abs((24.7761+3.33803j))):
passelif i == round(abs((52.9311+10.6909j))):
passelif i == round(abs((46.5683+92.9914j))):
passelif i == round(abs((22.636+77.7728j))):
passelif i == round(abs((1.88124+22.9229j))):
passelif i == round(abs((1.63905+12.8963j))):
passelif i == round(abs((86.0058+79.3221j))):
passelif i == round(abs((15.3571+36.9345j))):
passelif i == round(abs((20.8259+15.5654j))):
passelif i == round(abs((0.169034+19.9993j))):
passelif i == round(abs((86.6333+15.4487j))):
passelif i == round(abs((32.315+108.281j))):
passelif i == round(abs((0.969566+17.9739j))):
passelif i == round(abs((40.8652+82.4259j))):
passelif i == round(abs((37.4643+114.002j))):
passelif i == round(abs((0.747503+0.664259j))):
passelif i == round(abs((1.14828+1.63751j))):
passelif i == round(abs((42.334+51.9311j))):
passelif i == round(abs((105.113+35.6692j))):
passelif i == round(abs((41.7435+97.4345j))):
passelif i == round(abs((59.286+47.5518j))):
passelif i == round(abs((27.1564+23.6332j))):
passelif i == round(abs((79.7829+75.7277j))):
passelif i == round(abs((48.4981+62.3614j))):
passelif i == round(abs((12.621+11.3891j))):
passelif i == round(abs((88.5628+31.5061j))):
passelif i == round(abs((34.433+76.6183j))):
passelif i == round(abs((27.3394+57.8667j))):
passelif i == round(abs((27.246+37.0629j))):
passelif i == round(abs((87.4244+74.7126j))):
passelif i == round(abs((79.7352+55.2385j))):
passelif i == round(abs((0.68657+37.9938j))):
passelif i == round(abs((2.01745+94.9786j))):
passelif i == round(abs((75.9846+66.5383j))):
passelif i == round(abs((103.817+29.7676j))):
passelif i == round(abs((13.2545+57.4919j))):
passelif i == round(abs((1.0407+8.93963j))):
passelif i == round(abs((6.4467+13.544j))):
passelif i == round(abs((37.0768+19.731j))):
passelif i == round(abs((4.81219+6.39084j))):
passelif i == round(abs((28.0671+49.6109j))):
passelif i == round(abs((15.2314+84.6404j))):
passelif i == round(abs((79.262+59.3173j))):
passelif i == round(abs((65.4124+90.9133j))):
passelif i == round(abs((49.6929+11.4725j))):
passelif i == round(abs((112.819+26.9792j))):
passelif i == round(abs((43.7336+10.6004j))):
passelif i == round(abs((78.5422+26.835j))):
passelif i == round(abs((0.849142+20.9828j))):
passelif i == round(abs((31.1248+75.8633j))):
passelif i == round(abs((23.1614+85.9334j))):
passelif i == round(abs((47.811+52.4891j))):
passelif i == round(abs((46.4279+7.31116j))):
passelif i == round(abs((19.2313+71.4574j))):
passelif i == round(abs((53.7914+56.4843j))):
passelif i == round(abs((113.595+9.59554j))):
passelif i == round(abs((1.38259+57.9835j))):
passelif i == round(abs((53.4314+49.7401j))):
passelif i == round(abs((49.7002+71.4065j))):
passelif i == round(abs((43.9867+93.1352j))):
passelif i == round(abs((26.3626+5.83201j))):
passelif i == round(abs((23.0646+6.63507j))):
passcontinueround(abs((29213+26689.1j)))[round(abs((26626.3+25539.8j)))(round(abs((6651.66+8517.44j))) ^ xor_table[i % len(xor_table)])])(range(round(abs((70.3186+98.4698j)))))) }

which has very strange (and wrong) syntax. For example, `passelif` and `passcontinue` are run together without the correct spacing. The strangest part is `lambda .0: for i in .0:`. I don't know what is wrong; could someone please help me figure it out?

greenozon commented 3 months ago

Is it some kind of obfuscated code?

JustGuardian commented 3 months ago

@greenozon Yeah, it is, but I think the main problem is that it prints things like `passelif` etc. with no indentation or anything else. By the way, I found a workaround to get the contents of that config.pyc file: I noticed that it was imported and a dict was extracted from it, so I did the same and it worked. I don't need to decompile it anymore; I just wanted to give you guys some feedback.

scarzehd commented 4 weeks ago

Where did you get this code? My friend got hit with some spyware and, when decompiled, this is exactly what I got. Do you have any insight into this?

JustGuardian commented 4 weeks ago

I got it from decompiling a stealer. I did figure it out, but I don't remember how, lol.

scarzehd commented 3 weeks ago

I did end up figuring this out. It's from a program called Empyrean, which can be found here: https://github.com/addi00000/empyrean/. It's obfuscated using this program: https://github.com/0x3C50/pyobf2. I managed to get the information I needed by simply importing the already-compiled configuration file and extracting the values from there (importing runs the module's top-level code, so this is dynamic analysis of the sample rather than decompilation). Unfortunately, pycdc was not really helpful there.