Skip to content

Frequently Asked Questions

extremecoders-re edited this page Apr 2, 2020 · 27 revisions

How to extract digitally signed exe's?

Pyinstxtractor will not work with digitally signed exe's as-is. You need to remove the signature first. There are several tools for this purpose:

Do I need to fix the header of the extracted .pyc's?

You do not need to fix the header of the extracted pyc's. They are automatically taken care of. In case you are using an old version of pyinstxtractor from SourceForge please update to the latest version from here.

Is it necessary to run the script in the same version of Python which was used to build the executable?

It's important to use the same version of Python. If you don't know which version of Python has been used, run the script once and it would tell you the version of Python.

What can go wrong if I use a different version of Python?

Firstly, if you use a different version of Python, pyinstxtractor will not extract the PYZ archive. Secondly, the magic signature of the extracted pyc's (first 4 bytes) in the top-level directory will be wrong. In such cases, de-compiling the pyc's will fail. If you are familiar with Python internals and pyc file format you can of-course correct the signature manually using a hex editor.

Are encrypted pyz archives supported?

pyinstxtractor currently doesn't support encrypted pyz archives. This will be introduced later in the form of a separate script. Currently you can use the following snippet to decrypt encrypted pyc's within the pyz extarcted directory. Note that the script below is written to run on Python 2.7.

#!/usr/bin/env python2
from Crypto.Cipher import AES
import zlib

CRYPT_BLOCK_SIZE = 16

# key obtained from pyimod00_crypto_key
key = 'MySup3rS3cr3tK3y'

inf = open('_abcoll.pyc.encrypted', 'rb') # encrypted file input
outf = open('_abcoll.pyc', 'wb') # output file 

# Initialization vector
iv = inf.read(CRYPT_BLOCK_SIZE)

cipher = AES.new(key, AES.MODE_CFB, iv)

# Decrypt and decompress
plaintext = zlib.decompress(cipher.decrypt(inf.read()))

# Write pyc header
# The header below is for Python 2.7
outf.write('\x03\xf3\x0d\x0a\0\0\0\0')

# Write decrypted data
outf.write(plaintext)

inf.close()
outf.close()

The script can decompile encrypted pyc's from any Python version. However you need to change the pyc header appropriately from the list below. This was generated from xdis

Python 2.7: \x03\xf3\x0d\x0a\0\0\0\0
Python 3.0: \x3b\x0c\x00\x00\0\0\0\0
Python 3.1: \x4f\x0c\x00\x00\0\0\0\0
Python 3.2: \x6c\x0c\x00\x00\0\0\0\0
Python 3.3: \x9e\x0c\x00\x00\0\0\0\0\0\0\0\0
Python 3.4: \xee\x0c\x00\x00\0\0\0\0\0\0\0\0
Python 3.5: \x17\x0d\x00\x00\0\0\0\0\0\0\0\0
Python 3.6: \x33\x0d\x00\x00\0\0\0\0\0\0\0\0
Python 3.7: \x42\x0d\x00\x00\0\0\0\0\0\0\0\0\0\0\0\0
Python 3.8: \x55\x0d\x00\x00\0\0\0\0\0\0\0\0\0\0\0\0
Clone this wiki locally