Decompiling a PyInstaller-packed exe with Python 2

    Technology 2025-01-16

    First, a link: a Python 3 based tutorial on decompiling an exe file packed from Python.

     https://blog.csdn.net/weixin_46847476/article/details/105358131

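    The story starts here: after pyinstxtractor.py unpacks query.exe, it does not produce query.py directly. What you get is a file named query with no extension. That file has to be patched using the struct file: a number of hex characters are prepended to the query file, 16 hex characters in this example.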

    C:\Users\netmanager\Desktop\python_test>dir
     驱动器 C 中的卷没有标签。
     卷的序列号是 1556-183E

     C:\Users\netmanager\Desktop\python_test 的目录

    2020-10-07  20:52    <DIR>          .
    2020-10-07  20:52    <DIR>          ..
    2020-10-07  20:40                 0 mod_hex_py2.py
    2020-10-07  12:26             1,467 query
    2020-10-07  20:52                 0 query.py
    2020-10-07  12:26             1,467 query.pyc
    2020-10-07  12:26               234 struct
                   5 个文件          3,168 字节
                   2 个目录 56,282,697,728 可用字节

    C:\Users\netmanager\Desktop\python_test>dir
     驱动器 C 中的卷没有标签。
     卷的序列号是 1556-183E

     C:\Users\netmanager\Desktop\python_test 的目录

    2020-10-07  21:21    <DIR>          .
    2020-10-07  21:21    <DIR>          ..
    2020-10-07  21:21               941 mod_hex_py2.py
    2020-10-07  12:26             1,467 query
    2020-10-07  20:52                 0 query.py
    2020-10-07  12:26             1,467 query.pyc
    2020-10-07  21:21             1,475 query2.pyc
    2020-10-07  12:26               234 struct
                   6 个文件          5,584 字节
                   2 个目录 56,280,313,856 可用字节

    C:\Users\netmanager\Desktop\python_test>uncompyle6 -o . query2.pyc
    query2.pyc --
    # Successfully decompiled file

    C:\Users\netmanager\Desktop\python_test>dir
     驱动器 C 中的卷没有标签。
     卷的序列号是 1556-183E

     C:\Users\netmanager\Desktop\python_test 的目录

    2020-10-07  21:23    <DIR>          .
    2020-10-07  21:23    <DIR>          ..
    2020-10-07  21:21               941 mod_hex_py2.py
    2020-10-07  12:26             1,467 query
    2020-10-07  20:52                 0 query.py
    2020-10-07  12:26             1,467 query.pyc
    2020-10-07  21:23             1,401 query2.py
    2020-10-07  21:21             1,475 query2.pyc
    2020-10-07  12:26               234 struct
                   7 个文件          6,985 字节
                   2 个目录 56,280,096,768 可用字节

    C:\Users\netmanager\Desktop\python_test>dir
     驱动器 C 中的卷没有标签。
     卷的序列号是 1556-183E

     C:\Users\netmanager\Desktop\python_test 的目录

    2020-10-07  21:37    <DIR>          .
    2020-10-07  21:37    <DIR>          ..
    2020-10-07  21:37             1,028 mod_hex_py2.py
    2020-10-07  12:26             1,467 query
    2020-10-07  20:52                 0 query.py
    2020-10-07  12:26             1,467 query.pyc
    2020-10-07  21:23             1,401 query2.py
    2020-10-07  21:21             1,475 query2.pyc
    2020-10-07  21:37             1,475 query3.pyc
    2020-10-07  12:26               234 struct
                   8 个文件          8,547 字节
                   2 个目录 56,278,953,984 可用字节

    C:\Users\netmanager\Desktop\python_test>uncompyle6 query3.pyc
    # uncompyle6 version 3.7.4
    # Python bytecode 2.7 (62211)
    # Decompiled from: Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:19:08) [MSC v.1500 32 bit (Intel)]
    # Embedded file name: query.py
    # Compiled at: 1995-09-28 00:18:56
    import wmi, os
    f = os.popen('systeminfo | findstr \xcf\xb5\xcd\xb3\xd0\xcd\xba\xc5')
    print f.read()
    f.close()

    def sys_version():
        c = wmi.WMI()
        print '\nOS:'
        for sys in c.Win32_OperatingSystem():
            print sys.Caption, sys.BuildNumber, sys.OSArchitecture, sys.CSName, sys.RegisteredUser,

        print '\nCPU:'
        for processor in c.Win32_Processor():
            print processor.Name.strip()

        print '\nMemory:'
        for Memory in c.Win32_PhysicalMemory():
            print int(Memory.Capacity) // 1073741824, 'GB'

        print '\nDISK:'
        for physical_disk in c.Win32_DiskDrive():
            if physical_disk.Size:
                print '\t' + str(physical_disk.Caption) + ' :\t' + str(long(physical_disk.Size) // 1000000000) + 'GB'

        print '\nIP:'
        for interface in c.Win32_NetworkAdapterConfiguration(IPEnabled=1):
            print 'MAC: %s' % interface.MACAddress
            for ip_address in interface.IPAddress:
                print '\tIP: %s' % ip_address

        print '\nBIOS:'
        bios = c.Win32_BIOS()[0]
        print bios.Version
        print bios.Manufacturer
        print bios.ReleaseDate


    sys_version()
    rawinput_a = raw_input('\xc7\xeb\xb9\xd8\xb1\xd5\xb3\xcc\xd0\xf2')
    # okay decompiling query3.pyc

    C:\Users\netmanager\Desktop\python_test>

    The above is the command prompt (cmd) session.

    [Screenshot: running the script that patches the header hex bytes]

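    Below is the code that prepends the first 16 hex characters of the struct file to the head of the query file. It is for Python 2; the Python 3 version is in the link at the top.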

    # -*- coding: cp936 -*-
    '''python v2.7

    print binascii.hexlify.__doc__
    b2a_hex(data) -> s; Hexadecimal representation of binary data.
    ---
    print binascii.unhexlify.__doc__
    a2b_hex(hexstr) -> s; Binary data of hexadecimal representation.
    hexstr must contain an even number of hex digits (upper or lower case).
    '''
    import binascii

    # Read the header-less file produced by pyinstxtractor.py
    file = 'query'
    with open(file, 'rb') as f:
        content = f.read()
    a = binascii.hexlify(content)
    print 'query文件的前30个HEX字符串'
    print a[:30]
    print '*' * 30

    # Read the extracted "struct" file, which still has its header
    file1 = 'struct'
    with open(file1, 'rb') as f1:
        content1 = f1.read()
    b = binascii.hexlify(content1)
    print 'struct文件的前30个HEX字符串'
    print b[:30]

    # Comparison shows the "query" file extracted by pyinstxtractor.py is missing 16 hex characters
    prefix_part = binascii.unhexlify(b[:16])

    with open('query3.pyc', 'wb') as f2:
        f2.write(prefix_part)  # prepend the binary data for the first 16 hex characters of "struct"
        f2.write(content)      # then write the contents of query into query3.pyc

    raw_input_a = raw_input('完成头部文件添加,在当前目录查找query3.pyc')
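The same header repair as a reusable function, as an added example that is not from the original post: it is written for Python 3 as the analysis host and goes beyond the post's case by choosing the header length from the donor file's magic number (8 bytes for Python 2.7, which is the 16 hex characters used above). The function names and the sample bytes are assumptions made for illustration.

```python
TYPE_CODE = ord("c")   # marshal type byte for a code object
FLAG_REF = 0x80        # Python 3.4+ marshal may set this bit on the type byte


def header_length(magic_word):
    """Return the .pyc header size in bytes for a given magic number."""
    if magic_word >= 20000:   # Python 1.5-2.7 (2.7 is 62211): magic + mtime
        return 8
    if magic_word <= 3180:    # Python 3.0-3.2: magic + mtime
        return 8
    if magic_word < 3392:     # Python 3.3-3.6: magic + mtime + source size
        return 12
    return 16                 # Python 3.7+ (PEP 552): magic + flags + 8 bytes


def restore_header(body, donor):
    """Prepend the donor .pyc's header to a header-less extracted code object."""
    if len(donor) < 4 or donor[2:4] != b"\r\n":
        raise ValueError("donor does not start with a .pyc magic number")
    n = header_length(int.from_bytes(donor[:2], "little"))
    if len(donor) < n:
        raise ValueError("donor is shorter than its own header")
    if body[:4] == donor[:4]:
        return body           # header already present, nothing to do
    if not body or (body[0] & ~FLAG_REF) != TYPE_CODE:
        raise ValueError("body does not start with a marshalled code object")
    return donor[:n] + body


if __name__ == "__main__":
    # Constructed sample bytes, not the real files from the post.
    donor = bytes.fromhex("03f30d0a" "00000000") + b"c" + b"\x00" * 16
    body = b"c" + b"\x00" * 16
    fixed = restore_header(body, donor)
    print(len(body), "->", len(fixed), fixed[:8].hex())
```

The timestamp field is copied from the donor file, so the "Compiled at" value a decompiler prints for the restored file describes the donor, not the script itself.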

    After installing a few libraries, it runs perfectly: pip install wmi

     
