reversing pyinstaller compiled exe

Question

i created some compiled binaries using different languages and tried to understand them using x64dbg, the compiled binaries produced by the c language/gcc compiler were pretty easy to understand, then i compiled a simple hello world program in python using pyinstaller, the output exe file was larger and was messier, i could not understand any of the binary code in x64dbg, can anyone help me understand it? or provide some resources?, i am learning reverse engineering by compiling my own code and reversing it.

Welcome to RE.SE. There are numerous questions about the very same topic. Please also have a look at them. — 0xC0000022L, Nov 17 '23 at 21:44

score 2 · Answer 1 · answered Nov 17 '23 at 13:32

2

On macOS at least, the Python modules are prepended as zlib streams to the executable. I recommend you give a try at pyinstxtractor — using a recent version of Python — to attempt to decompress the zlib streams as .pyc files then a bytecode decompiler like pycdc.

answered Nov 17 '23 at 13:32

Ninja Inc

161
2

i want to understand the binary/asm and what it does, not how to decompile it, thank you. – Praveen Nov 17 '23 at 16:26
@Praveen the assembler/binary code is only the loader and python interpreter. your own code is stored the pyc stuff glued afterwards. – masterX244 Nov 22 '23 at 10:19
@masterX244 i cannot find the .pyc, i compiled it as a single exe – Praveen Dec 03 '23 at 13:43
@Praveen those files are glued onto the exe, thats what the answer says where this comment is chained off – masterX244 Dec 04 '23 at 14:04
@masterX244 yea got that, but how do i know which is which?, like which part of the exe is the file? – Praveen Dec 10 '23 at 15:03

score 2 · Answer 2 · answered Nov 22 '23 at 08:53

PyInstaller binaries are basically self extracting archives that contain compiled Python code for the program and its dependencies.

The extraction code and also some of these libraries may be native binary files.

However, pure Python code does not compile into native assembly but into an IR that the Python runtime, which is included in the package, can run. As mentioned, these files have a .pyc extension.

This is marshalled code, in Python terms, and it can be un-marshalled into its IR representation using the builtin marshal module.

Loading a PyInstaller executable in a RE tool will only produce a generic archive-extraction code that is unrelated to the actual program code.

reversing pyinstaller compiled exe

2 Answers2