
I created some compiled binaries using different languages and tried to understand them using x64dbg. The compiled binaries produced by the C language/gcc compiler were pretty easy to understand. Then I compiled a simple hello world program in Python using PyInstaller; the output exe file was larger and messier, and I could not understand any of the binary code in x64dbg. Can anyone help me understand it, or provide some resources? I am learning reverse engineering by compiling my own code and reversing it.

  • Welcome to RE.SE. There are numerous questions about the very same topic. Please also have a look at them.
    – 0xC0000022L
    Commented Nov 17, 2023 at 21:44

2 Answers


On macOS at least, the Python modules are prepended as zlib streams to the executable. I recommend you give a try at pyinstxtractor — using a recent version of Python — to attempt to decompress the zlib streams as .pyc files then a bytecode decompiler like pycdc.

  • I want to understand the binary/asm and what it does, not how to decompile it. Thank you.
    – Praveen
    Commented Nov 17, 2023 at 16:26
  • @Praveen The assembler/binary code is only the loader and Python interpreter. Your own code is stored in the .pyc stuff glued on afterwards.
    – masterX244
    Commented Nov 22, 2023 at 10:19
  • @masterX244 I cannot find the .pyc; I compiled it as a single exe.
    – Praveen
    Commented Dec 3, 2023 at 13:43
  • @Praveen Those files are glued onto the exe; that's what the answer says where this comment is chained off.
    – masterX244
    Commented Dec 4, 2023 at 14:04
  • @masterX244 Yeah, got that, but how do I know which is which? Like, which part of the exe is the file?
    – Praveen
    Commented Dec 10, 2023 at 15:03

PyInstaller binaries are basically self extracting archives that contain compiled Python code for the program and its dependencies.

The extraction code, and also some of these libraries, may be native binary files.

However, pure Python code does not compile into native assembly but into an IR that the Python runtime, which is included in the package, can run. As mentioned, these files have a .pyc extension.

This is marshalled code, in Python terms, and it can be un-marshalled into its IR representation using the builtin marshal module.

Loading a PyInstaller executable in an RE tool will only show you generic archive-extraction code that is unrelated to the actual program code.
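Both answers describe the same layout from two angles: the archive glued after the native loader, which is what the first answer has pyinstxtractor pull apart, and the marshalled code objects stored inside it, which the second answer explains. The following script is an added example, not code from either answer or from the PyInstaller project, and it addresses the comment asking which part of the exe is the file. It builds a constructed archive in PyInstaller's CArchive layout and then parses it back the way pyinstxtractor does: find the 8-byte `MEI` cookie near the end of the file, read the package length and TOC offset out of the cookie, walk the TOC, and unmarshal the script entry with the builtin `marshal` module. The cookie and TOC field layouts follow pyinstxtractor's reading of the CArchive format; the 16-byte name padding, the entry names and the fake loader stub are assumptions of this example, and the constructed blob stands in for a real bundle.

```python
import importlib.util
import marshal
import struct
import zlib

# Layout of the PyInstaller CArchive (the "overlay" glued after the native bootloader),
# as read by pyinstxtractor. The cookie is the last thing in the package.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIIi64s"        # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)     # 88 bytes (PyInstaller 2.1+ cookie)
TOC_HDR_FMT = "!iIIIBc"          # entry length, data offset, compressed size, uncompressed size, compress flag, type code
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)   # 18 bytes, followed by the NUL-padded entry name
PYC_MAGIC = importlib.util.MAGIC_NUMBER       # magic of the interpreter running this script


def build_carchive(entries, pyver=311, pylib=b"python311.dll"):
    """Build a CArchive blob from (name, typecode, raw_bytes, compress) tuples.
    Constructed for this example so the parser below has something to run on;
    the 16-byte name padding is an assumption of this example."""
    data = bytearray()
    toc = bytearray()
    for name, typecode, raw, compress in entries:
        payload = zlib.compress(raw) if compress else raw
        name_bytes = name.encode() + b"\0"
        name_bytes += b"\0" * (-len(name_bytes) % 16)      # pad name to a 16-byte boundary
        entry_len = TOC_HDR_SIZE + len(name_bytes)
        toc += struct.pack(TOC_HDR_FMT, entry_len, len(data), len(payload), len(raw),
                           1 if compress else 0, typecode.encode())
        toc += name_bytes
        data += payload
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return bytes(data + toc + cookie)


def parse_carchive(exe_bytes):
    """Locate the cookie, walk the TOC and return every entry decompressed,
    together with the absolute offset at which it sits inside the exe."""
    cookie_pos = exe_bytes.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, exe_bytes[cookie_pos:cookie_pos + COOKIE_SIZE])
    overlay_pos = cookie_pos + COOKIE_SIZE - pkg_len     # where the archive starts inside the exe
    toc_pos = overlay_pos + toc_off
    entries = {}
    pos = toc_pos
    while pos < toc_pos + toc_len:
        entry_len, data_off, csize, usize, cflag, tcode = struct.unpack(
            TOC_HDR_FMT, exe_bytes[pos:pos + TOC_HDR_SIZE])
        name = exe_bytes[pos + TOC_HDR_SIZE:pos + entry_len].rstrip(b"\0").decode()
        start = overlay_pos + data_off                   # data offsets are relative to the overlay
        blob = exe_bytes[start:start + csize]
        if cflag:
            blob = zlib.decompress(blob)
        if len(blob) != usize:
            raise ValueError(f"size mismatch for entry {name!r}")
        entries[name] = {"type": tcode.decode(), "offset": start, "data": blob}
        pos += entry_len
    return {"overlay": overlay_pos, "pyver": pyver,
            "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def script_to_pyc(marshalled):
    """Prepend a .pyc header so a bytecode decompiler such as pycdc can read a script ('s') entry.
    Only valid when the running interpreter matches the bundle's Python version (3.7+ header layout)."""
    return PYC_MAGIC + b"\0" * 12 + marshalled          # flags, mtime and source size zeroed


def recover_script(exe_bytes, name):
    """Return the code object of a script entry; dis.dis() on it shows the Python bytecode."""
    entry = parse_carchive(exe_bytes)["entries"][name]
    if entry["type"] != "s":
        raise ValueError(f"{name!r} is a {entry['type']!r} entry, not a script")
    return marshal.loads(entry["data"])


# Constructed stand-in for a bundled exe: a fake native stub followed by the archive.
HELLO_CODE = compile("print('hello world')\n", "hello.py", "exec")
SAMPLE_EXE = b"MZ" + b"\x90" * 512 + build_carchive([
    ("python311.dll", "b", b"MZ" + b"\0" * 64, True),     # fake binary dependency, compressed
    ("hello", "s", marshal.dumps(HELLO_CODE), False),     # the user's script: a bare marshalled code object
])

if __name__ == "__main__":
    import dis
    info = parse_carchive(SAMPLE_EXE)
    print(f"archive starts at 0x{info['overlay']:x}, python {info['pyver']}, {info['pylib']}")
    for entry_name, e in info["entries"].items():
        print(f"  {e['type']} {entry_name:20s} @0x{e['offset']:x} {len(e['data'])} bytes")
    dis.dis(recover_script(SAMPLE_EXE, "hello"))
```

To run this against a real bundle, pass the file's bytes to `parse_carchive`; the `offset` of each entry is exactly the answer to "which part of the exe is the file". Entries of type `z` are PYZ archives with their own internal format and are not unpacked here, which is what pyinstxtractor and pycdc handle, and `script_to_pyc` must be run under the same Python minor version as the `pyver` field reports, otherwise the header magic will not match the bytecode.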
