Unable to decompile Python 3.8 (PyInstaller on Windows created) bytecode #316

evandrix · 2020-05-27T03:51:36Z

original file 504lab.exe.zip
patched bytecode 504lab.pyc.zip
error message

$ uncompyle6 504lab.pyc
# uncompyle6 version 3.7.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.2 (default, Mar 11 2020, 00:29:50)
# [Clang 11.0.0 (clang-1100.0.33.17)]
# Embedded file name: 504lab.py
# Compiled at: 2054-06-26 14:40:57
# Size of source mod 2**32: 584092496 bytes
Instruction context:

 L. 183      1022  LOAD_NAME                time
                1024  LOAD_METHOD              sleep
                1026  LOAD_CONST               1
                1028  CALL_METHOD_1         1  ''
->              1030  POP_TOP


# file 504lab.pyc
# --- This code section failed: ---

 L.   1         0  LOAD_CONST               0
                2  LOAD_CONST               None
                4  IMPORT_NAME              os
                6  STORE_NAME               os

 L.   2         8  LOAD_CONST               0
               10  LOAD_CONST               None
               12  IMPORT_NAME              subprocess
               14  STORE_NAME               subprocess

 L.   3        16  LOAD_CONST               0
               18  LOAD_CONST               None
               20  IMPORT_NAME              time
               22  STORE_NAME               time

 L.   4        24  LOAD_CONST               0
               26  LOAD_CONST               None
               28  IMPORT_NAME              tempfile
               30  STORE_NAME               tempfile

 L.   5        32  LOAD_CONST               0
               34  LOAD_CONST               None
               36  IMPORT_NAME              sys
               38  STORE_NAME               sys

 L.   6        40  LOAD_CONST               0
               42  LOAD_CONST               None
               44  IMPORT_NAME              signal
               46  STORE_NAME               signal

 L.   7        48  LOAD_CONST               0
               50  LOAD_CONST               None
               52  IMPORT_NAME              base64
               54  STORE_NAME               base64

 L.   8        56  LOAD_CONST               0
               58  LOAD_CONST               None
               60  IMPORT_NAME              re
               62  STORE_NAME               re

 L.   9        64  LOAD_CONST               0
               66  LOAD_CONST               None
               68  IMPORT_NAME              random
               70  STORE_NAME               random

 L.  10        72  LOAD_CONST               0
               74  LOAD_CONST               None
               76  IMPORT_NAME              socket
               78  STORE_NAME               socket

 L.  11        80  LOAD_CONST               0
               82  LOAD_CONST               None
               84  IMPORT_NAME              webbrowser
               86  STORE_NAME               webbrowser

 L.  12        88  LOAD_CONST               0
               90  LOAD_CONST               None
               92  IMPORT_NAME              signal
               94  STORE_NAME               signal

 L.  14        96  LOAD_CODE                <code_object reliable_start>
               98  LOAD_STR                 'reliable_start'
              100  MAKE_FUNCTION_0          'No defaults, keyword-only args, annotations, or closures'
              102  STORE_NAME               reliable_start

 L.  70       104  LOAD_CODE                <code_object shellcmd>
              106  LOAD_STR                 'shellcmd'
              108  MAKE_FUNCTION_0          'No defaults, keyword-only args, annotations, or closures'
              110  STORE_NAME               shellcmd

 L.  75       112  LOAD_CODE                <code_object exec_cmd>
              114  LOAD_STR                 'exec_cmd'
              116  MAKE_FUNCTION_0          'No defaults, keyword-only args, annotations, or closures'
              118  STORE_NAME               exec_cmd

 L.  84       120  LOAD_CODE                <code_object handler>
              122  LOAD_STR                 'handler'
              124  MAKE_FUNCTION_0          'No defaults, keyword-only args, annotations, or closures'
              126  STORE_NAME               handler

 L.  88       128  LOAD_NAME                signal
              130  LOAD_METHOD              signal
              132  LOAD_NAME                signal
              134  LOAD_ATTR                SIGINT
              136  LOAD_NAME                handler
              138  CALL_METHOD_2         2  ''
              140  POP_TOP

 L.  90       142  LOAD_NAME                webbrowser
              144  LOAD_METHOD              open_new
              146  LOAD_STR                 'https://markbaggett.github.io/504lab/'
              148  CALL_METHOD_1         1  ''
              150  POP_TOP

 L.  91       152  LOAD_NAME                webbrowser
              154  LOAD_METHOD              open_new_tab
              156  LOAD_STR                 'https://www.sans.org/course/hacker-techniques-exploits-incident-handling'
              158  CALL_METHOD_1         1  ''
              160  POP_TOP

 L.  92       162  LOAD_NAME                webbrowser
              164  LOAD_METHOD              open_new_tab
              166  LOAD_STR                 'https://www.sans.org/course/automating-information-security-with-python'
              168  CALL_METHOD_1         1  ''
              170  POP_TOP

 L.  94       172  LOAD_NAME                os
              174  LOAD_METHOD              system
              176  LOAD_STR                 'cls'
              178  CALL_METHOD_1         1  ''
              180  POP_TOP

 L.  95       182  LOAD_NAME                os
              184  LOAD_METHOD              system
              186  LOAD_STR                 'color f0'
              188  CALL_METHOD_1         1  ''
              190  POP_TOP

 L.  96       192  LOAD_NAME                print
              194  LOAD_STR                 'KNOW THY SYSTEM! \n\nOpen a second CMD prompt as an Administrator and run netstat -nao on your host so you know what your system looks like before it is "infected."'
              196  CALL_FUNCTION_1       1  ''
              198  POP_TOP

 L.  97       200  LOAD_NAME                print
              202  LOAD_STR                 'Verify your firewall and AV are disabled.  I am about to start a non-malicious backdoor for you to find.\n'
              204  CALL_FUNCTION_1       1  ''
              206  POP_TOP

 L.  99       208  LOAD_NAME                input
              210  LOAD_STR                 'After you have run netstat press ENTER to continue'
              212  CALL_FUNCTION_1       1  ''
              214  STORE_NAME               ans

 L. 101       216  LOAD_NAME                print
              218  LOAD_STR                 '\n\nPlease wait: A TCP Backdoor is being started on your host.'
              220  CALL_FUNCTION_1       1  ''
              222  POP_TOP

 L. 102       224  LOAD_STR                 'TheFlagisBlack%s'
              226  LOAD_NAME                str
              228  LOAD_NAME                random
              230  LOAD_METHOD              randint
              232  LOAD_CONST               999999
              234  LOAD_CONST               999999999
              236  CALL_METHOD_2         2  ''
              238  CALL_FUNCTION_1       1  ''
              240  BINARY_MODULO
              242  STORE_NAME               flag

 L. 103       244  LOAD_NAME                reliable_start
              246  LOAD_NAME                shellcmd
              248  LOAD_STR                 '0'
              250  LOAD_NAME                flag
              252  CALL_FUNCTION_2       2  ''
              254  CALL_FUNCTION_1       1  ''
              256  UNPACK_SEQUENCE_3     3
              258  STORE_NAME               pid
              260  STORE_NAME               ppid
              262  STORE_NAME               tprt

 L. 104       264  LOAD_NAME                print
              266  LOAD_STR                 'Backdoor Started.  Please answer the following questions.'
              268  CALL_FUNCTION_1       1  ''
              270  POP_TOP

 L. 106       272  LOAD_NAME                input
              274  LOAD_STR                 '\nWhat TCP port is the backdoor listening on? '
              276  CALL_FUNCTION_1       1  ''
              278  STORE_NAME               ans

 L. 107       280  LOAD_NAME                ans
              282  LOAD_NAME                str
              284  LOAD_NAME                tprt
              286  CALL_FUNCTION_1       1  ''
              288  COMPARE_OP               !=
          290_292  POP_JUMP_IF_FALSE   418  'to 418'
              294  LOAD_NAME                ans
              296  LOAD_STR                 'skip'
              298  COMPARE_OP               !=
          300_302  POP_JUMP_IF_FALSE   418  'to 418'

 L. 108       304  LOAD_NAME                ans
              306  LOAD_CONST               None
              308  LOAD_CONST               4
              310  BUILD_SLICE_2         2
              312  BINARY_SUBSCR
              314  LOAD_STR                 'help'
              316  COMPARE_OP               ==
          318_320  POP_JUMP_IF_FALSE   332  'to 332'

 L. 109       322  LOAD_NAME                print
              324  LOAD_STR                 '\nnetstat -nao will show you what is listening now.  Run it again and compare it to the previous results.'
              326  CALL_FUNCTION_1       1  ''
              328  POP_TOP
              330  JUMP_FORWARD        340  'to 340'
            332_0  COME_FROM           318  '318'

 L. 111       332  LOAD_NAME                print
              334  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
              336  CALL_FUNCTION_1       1  ''
              338  POP_TOP
            340_0  COME_FROM           330  '330'

 L. 112       340  LOAD_STR                 '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
              342  LOAD_NAME                pid
              344  BINARY_MODULO
              346  STORE_NAME               srchstr

 L. 113       348  SETUP_FINALLY       376  'to 376'

 L. 114       350  LOAD_NAME                re
              352  LOAD_METHOD              search
              354  LOAD_NAME                srchstr
              356  LOAD_NAME                exec_cmd
              358  LOAD_STR                 'netstat -nao'
              360  CALL_FUNCTION_1       1  ''
              362  CALL_METHOD_2         2  ''
              364  LOAD_METHOD              group
              366  LOAD_CONST               1
              368  CALL_METHOD_1         1  ''
              370  STORE_NAME               tprt
              372  POP_BLOCK
              374  JUMP_FORWARD        406  'to 406'
            376_0  COME_FROM_FINALLY   348  '348'

 L. 115       376  POP_TOP
              378  POP_TOP
              380  POP_TOP

 L. 116       382  LOAD_NAME                print
              384  LOAD_STR                 "Can't find the TCP port for that PID.  Check your AV,Firewall and run the lab as an administrator again"
              386  CALL_FUNCTION_1       1  ''
              388  POP_TOP

 L. 117       390  LOAD_NAME                sys
              392  LOAD_METHOD              exit
              394  LOAD_CONST               1
              396  CALL_METHOD_1         1  ''
              398  POP_TOP
              400  POP_EXCEPT
              402  JUMP_FORWARD        406  'to 406'
              404  END_FINALLY
            406_0  COME_FROM           402  '402'
            406_1  COME_FROM           374  '374'

 L. 118       406  LOAD_NAME                input
              408  LOAD_STR                 'What TCP port is the backdoor listening on? '
              410  CALL_FUNCTION_1       1  ''
              412  STORE_NAME               ans
          414_416  JUMP_BACK           280  'to 280'
            418_0  COME_FROM           300  '300'
            418_1  COME_FROM           290  '290'

 L. 120       418  LOAD_NAME                input
              420  LOAD_STR                 '\nWhat is the process id number of the backdoor? '
              422  CALL_FUNCTION_1       1  ''
              424  STORE_NAME               ans

 L. 121       426  LOAD_NAME                ans
              428  LOAD_NAME                str
              430  LOAD_NAME                pid
              432  CALL_FUNCTION_1       1  ''
              434  COMPARE_OP               !=
          436_438  POP_JUMP_IF_FALSE   498  'to 498'
              440  LOAD_NAME                ans
              442  LOAD_STR                 'skip'
              444  COMPARE_OP               !=
          446_448  POP_JUMP_IF_FALSE   498  'to 498'

 L. 122       450  LOAD_NAME                ans
              452  LOAD_CONST               None
              454  LOAD_CONST               4
              456  BUILD_SLICE_2         2
              458  BINARY_SUBSCR
              460  LOAD_STR                 'help'
              462  COMPARE_OP               ==
          464_466  POP_JUMP_IF_FALSE   478  'to 478'

 L. 123       468  LOAD_NAME                print
              470  LOAD_STR                 '\nnetstat -nao shows you the process id number in the last column.'
              472  CALL_FUNCTION_1       1  ''
              474  POP_TOP
              476  JUMP_FORWARD        486  'to 486'
            478_0  COME_FROM           464  '464'

 L. 125       478  LOAD_NAME                print
              480  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
              482  CALL_FUNCTION_1       1  ''
              484  POP_TOP
            486_0  COME_FROM           476  '476'

 L. 126       486  LOAD_NAME                input
              488  LOAD_STR                 'What is the process id number of the backdoor? '
              490  CALL_FUNCTION_1       1  ''
              492  STORE_NAME               ans
          494_496  JUMP_BACK           426  'to 426'
            498_0  COME_FROM           446  '446'
            498_1  COME_FROM           436  '436'

 L. 129       498  LOAD_NAME                input
              500  LOAD_STR                 '\nWhat is the parent process id number of the backdoor? '
              502  CALL_FUNCTION_1       1  ''
              504  STORE_NAME               ans

 L. 130       506  LOAD_NAME                ans
              508  LOAD_NAME                str
              510  LOAD_NAME                ppid
              512  CALL_FUNCTION_1       1  ''
              514  COMPARE_OP               !=
          516_518  POP_JUMP_IF_FALSE   578  'to 578'
              520  LOAD_NAME                ans
              522  LOAD_STR                 'skip'
              524  COMPARE_OP               !=
          526_528  POP_JUMP_IF_FALSE   578  'to 578'

 L. 131       530  LOAD_NAME                ans
              532  LOAD_CONST               None
              534  LOAD_CONST               4
              536  BUILD_SLICE_2         2
              538  BINARY_SUBSCR
              540  LOAD_STR                 'help'
              542  COMPARE_OP               ==
          544_546  POP_JUMP_IF_FALSE   558  'to 558'

 L. 132       548  LOAD_NAME                print
              550  LOAD_STR                 '\nwmic process where (processid = 1234) get parentprocessid  - would show you the parent processid for process 1234'
              552  CALL_FUNCTION_1       1  ''
              554  POP_TOP
              556  JUMP_FORWARD        566  'to 566'
            558_0  COME_FROM           544  '544'

 L. 134       558  LOAD_NAME                print
              560  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
              562  CALL_FUNCTION_1       1  ''
              564  POP_TOP
            566_0  COME_FROM           556  '556'

 L. 135       566  LOAD_NAME                input
              568  LOAD_STR                 'What is the parent process id number of the backdoor? '
              570  CALL_FUNCTION_1       1  ''
              572  STORE_NAME               ans
          574_576  JUMP_BACK           506  'to 506'
            578_0  COME_FROM           526  '526'
            578_1  COME_FROM           516  '516'

 L. 137       578  LOAD_NAME                print
              580  LOAD_STR                 '\nUse Netcat to connect to the backdoor TCP port.'
              582  CALL_FUNCTION_1       1  ''
              584  POP_TOP

 L. 138       586  LOAD_NAME                input
              588  LOAD_STR                 'What is flag printed when you connect to the backdoor? '
              590  CALL_FUNCTION_1       1  ''
              592  STORE_NAME               ans

 L. 139       594  LOAD_NAME                ans
              596  LOAD_NAME                flag
              598  COMPARE_OP               !=
          600_602  POP_JUMP_IF_FALSE   662  'to 662'
              604  LOAD_NAME                ans
              606  LOAD_STR                 'skip'
              608  COMPARE_OP               !=
          610_612  POP_JUMP_IF_FALSE   662  'to 662'

 L. 140       614  LOAD_NAME                ans
              616  LOAD_CONST               None
              618  LOAD_CONST               4
              620  BUILD_SLICE_2         2
              622  BINARY_SUBSCR
              624  LOAD_STR                 'help'
              626  COMPARE_OP               ==
          628_630  POP_JUMP_IF_FALSE   642  'to 642'

 L. 141       632  LOAD_NAME                print
              634  LOAD_STR                 '\nnc 127.0.0.1 1234  - would connect to a backdoor on tcp port 1234.'
              636  CALL_FUNCTION_1       1  ''
              638  POP_TOP
              640  JUMP_FORWARD        650  'to 650'
            642_0  COME_FROM           628  '628'

 L. 143       642  LOAD_NAME                print
              644  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
              646  CALL_FUNCTION_1       1  ''
              648  POP_TOP
            650_0  COME_FROM           640  '640'

 L. 144       650  LOAD_NAME                input
              652  LOAD_STR                 'What is flag printed when you connect to the backdoor? '
              654  CALL_FUNCTION_1       1  ''
              656  STORE_NAME               ans
          658_660  JUMP_BACK           594  'to 594'
            662_0  COME_FROM           610  '610'
            662_1  COME_FROM           600  '600'

 L. 147       662  LOAD_STR                 '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
              664  LOAD_NAME                pid
              666  BINARY_MODULO
              668  STORE_NAME               srchstr

 L. 148       670  LOAD_NAME                re
              672  LOAD_METHOD              search
              674  LOAD_NAME                srchstr
              676  LOAD_NAME                exec_cmd
              678  LOAD_STR                 'netstat -nao'
              680  CALL_FUNCTION_1       1  ''
              682  CALL_METHOD_2         2  ''
              684  LOAD_METHOD              group
              686  LOAD_CONST               1
              688  CALL_METHOD_1         1  ''
              690  STORE_NAME               tprt

 L. 149       692  LOAD_NAME                input
              694  LOAD_STR                 '\nWhat TCP port is the backdoor listening on now? '
              696  CALL_FUNCTION_1       1  ''
              698  STORE_NAME               ans

 L. 150       700  LOAD_NAME                ans
              702  LOAD_NAME                str
              704  LOAD_NAME                tprt
              706  CALL_FUNCTION_1       1  ''
              708  COMPARE_OP               !=
          710_712  POP_JUMP_IF_FALSE   842  'to 842'
              714  LOAD_NAME                ans
              716  LOAD_STR                 'skip'
              718  COMPARE_OP               !=
          720_722  POP_JUMP_IF_FALSE   842  'to 842'

 L. 151       724  LOAD_NAME                ans
              726  LOAD_CONST               None
              728  LOAD_CONST               4
              730  BUILD_SLICE_2         2
              732  BINARY_SUBSCR
              734  LOAD_STR                 'help'
              736  COMPARE_OP               ==
          738_740  POP_JUMP_IF_FALSE   756  'to 756'

 L. 152       742  LOAD_NAME                print
              744  LOAD_STR                 '\nnetstat -nao will show you what is listening now.  The process id number is still %s.'
              746  LOAD_NAME                pid
              748  BINARY_MODULO
              750  CALL_FUNCTION_1       1  ''
              752  POP_TOP
              754  JUMP_FORWARD        764  'to 764'
            756_0  COME_FROM           738  '738'

 L. 154       756  LOAD_NAME                print
              758  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
              760  CALL_FUNCTION_1       1  ''
              762  POP_TOP
            764_0  COME_FROM           754  '754'

 L. 155       764  LOAD_STR                 '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
              766  LOAD_NAME                pid
              768  BINARY_MODULO
              770  STORE_NAME               srchstr

 L. 156       772  SETUP_FINALLY       800  'to 800'

 L. 157       774  LOAD_NAME                re
              776  LOAD_METHOD              search
              778  LOAD_NAME                srchstr
              780  LOAD_NAME                exec_cmd
              782  LOAD_STR                 'netstat -nao'
              784  CALL_FUNCTION_1       1  ''
              786  CALL_METHOD_2         2  ''
              788  LOAD_METHOD              group
              790  LOAD_CONST               1
              792  CALL_METHOD_1         1  ''
              794  STORE_NAME               tprt
              796  POP_BLOCK
              798  JUMP_FORWARD        830  'to 830'
            800_0  COME_FROM_FINALLY   772  '772'

 L. 158       800  POP_TOP
              802  POP_TOP
              804  POP_TOP

 L. 159       806  LOAD_NAME                print
              808  LOAD_STR                 'Bad things happened.  Check your AV,Firewall and run the lab as an administrator again'
              810  CALL_FUNCTION_1       1  ''
              812  POP_TOP

 L. 160       814  LOAD_NAME                sys
              816  LOAD_METHOD              exit
              818  LOAD_CONST               1
              820  CALL_METHOD_1         1  ''
              822  POP_TOP
              824  POP_EXCEPT
              826  JUMP_FORWARD        830  'to 830'
              828  END_FINALLY
            830_0  COME_FROM           826  '826'
            830_1  COME_FROM           798  '798'

 L. 161       830  LOAD_NAME                input
              832  LOAD_STR                 'What TCP port is the backdoor listening on now? '
              834  CALL_FUNCTION_1       1  ''
              836  STORE_NAME               ans
          838_840  JUMP_BACK           700  'to 700'
            842_0  COME_FROM           720  '720'
            842_1  COME_FROM           710  '710'

 L. 163       842  LOAD_NAME                print
              844  LOAD_STR                 '\nNow use wmic to kill the process.'
              846  CALL_FUNCTION_1       1  ''
              848  POP_TOP

 L. 164       850  LOAD_NAME                input
              852  LOAD_STR                 'Press enter after you have killed the process.'
              854  CALL_FUNCTION_1       1  ''
              856  STORE_NAME               ans

 L. 165       858  LOAD_STR                 'wmic process where (processid = %s) list brief'
              860  LOAD_NAME                pid
              862  BINARY_MODULO
              864  STORE_NAME               check_pid

 L. 166       866  LOAD_NAME                exec_cmd
              868  LOAD_NAME                check_pid
              870  CALL_FUNCTION_1       1  ''
              872  LOAD_STR                 'No Instance(s) Available.'
              874  COMPARE_OP               !=
          876_878  POP_JUMP_IF_FALSE   938  'to 938'
              880  LOAD_NAME                ans
              882  LOAD_STR                 'skip'
              884  COMPARE_OP               !=
          886_888  POP_JUMP_IF_FALSE   938  'to 938'

 L. 167       890  LOAD_NAME                ans
              892  LOAD_CONST               None
              894  LOAD_CONST               4
              896  BUILD_SLICE_2         2
              898  BINARY_SUBSCR
              900  LOAD_STR                 'help'
              902  COMPARE_OP               ==
          904_906  POP_JUMP_IF_FALSE   918  'to 918'

 L. 168       908  LOAD_NAME                print
              910  LOAD_STR                 '\nwmic process where (processid = 1234) delete  OR get-process -PID 1234 | stop-process  - would kill process number 1234.'
              912  CALL_FUNCTION_1       1  ''
              914  POP_TOP
              916  JUMP_FORWARD        926  'to 926'
            918_0  COME_FROM           904  '904'

 L. 170       918  LOAD_NAME                print
              920  LOAD_STR                 'The process still seems to be running.  Please kill the process used by the backdoor with wmic.'
              922  CALL_FUNCTION_1       1  ''
              924  POP_TOP
            926_0  COME_FROM           916  '916'

 L. 171       926  LOAD_NAME                input
              928  LOAD_STR                 'Press enter after you have killed the process.'
              930  CALL_FUNCTION_1       1  ''
              932  STORE_NAME               ans
          934_936  JUMP_BACK           866  'to 866'
            938_0  COME_FROM           886  '886'
            938_1  COME_FROM           876  '876'

 L. 173       938  LOAD_NAME                print
              940  LOAD_STR                 "\n\nThis PowerShell backdoor was easy to find because it listened on a TCP port.  A more typical PowerShell backdoor will not.  Instead it makes periodic client connections to a command and control server.  Now I'm creating a new PowerShell process that does not listen on a port."
              942  CALL_FUNCTION_1       1  ''
              944  POP_TOP

 L. 175       946  LOAD_STR                 'Sasquatch%s'
              948  LOAD_NAME                random
              950  LOAD_METHOD              randint
              952  LOAD_CONST               99999
              954  LOAD_CONST               9999999999
              956  CALL_METHOD_2         2  ''
              958  BINARY_MODULO
              960  STORE_NAME               newflg

 L. 176       962  LOAD_STR                 'while($true){$flag = "%s"; [System.Threading.Thread]::Sleep(10000)};'
              964  LOAD_NAME                newflg
              966  BINARY_MODULO
              968  STORE_NAME               newscript

 L. 177       970  LOAD_CONST               b'powershell.exe -nop -exec bypass -enc '
              972  LOAD_NAME                base64
              974  LOAD_METHOD              b64encode
              976  LOAD_NAME                newscript
              978  LOAD_METHOD              encode
              980  LOAD_STR                 'UTF-16LE'
              982  CALL_METHOD_1         1  ''
              984  CALL_METHOD_1         1  ''
              986  BINARY_ADD
              988  LOAD_METHOD              decode
              990  CALL_METHOD_0         0  ''
              992  STORE_NAME               newcmd

 L. 178       994  LOAD_CONST               5
              996  STORE_NAME               retry_cnt

 L. 180       998  SETUP_FINALLY      1016  'to 1016'

 L. 181      1000  LOAD_NAME                subprocess
             1002  LOAD_METHOD              Popen
             1004  LOAD_NAME                newcmd
             1006  CALL_METHOD_1         1  ''
             1008  LOAD_ATTR                pid
             1010  STORE_NAME               pid
             1012  POP_BLOCK
             1014  BREAK_LOOP         1086  'to 1086'
           1016_0  COME_FROM_FINALLY   998  '998'

 L. 182      1016  POP_TOP
             1018  POP_TOP
             1020  POP_TOP

 L. 183      1022  LOAD_NAME                time
             1024  LOAD_METHOD              sleep
             1026  LOAD_CONST               1
             1028  CALL_METHOD_1         1  ''
             1030  POP_TOP

 L. 184      1032  LOAD_NAME                retry_cnt
             1034  LOAD_CONST               1
             1036  INPLACE_SUBTRACT
             1038  STORE_NAME               retry_cnt

 L. 185      1040  LOAD_NAME                retry_cnt
             1042  LOAD_CONST               1
             1044  COMPARE_OP               <
         1046_1048  POP_JUMP_IF_FALSE  1072  'to 1072'

 L. 186      1050  LOAD_NAME                print
             1052  LOAD_STR                 'Unable to start the 2nd part of this lab. In another window manually start the following command:'
             1054  CALL_FUNCTION_1       1  ''
             1056  POP_TOP

 L. 187      1058  LOAD_NAME                print
             1060  LOAD_NAME                cmd
             1062  CALL_FUNCTION_1       1  ''
             1064  POP_TOP

 L. 188      1066  POP_EXCEPT
         1068_1070  BREAK_LOOP         1086  'to 1086'
           1072_0  COME_FROM          1046  '1046'
             1072  POP_EXCEPT
             1074  JUMP_BACK           998  'to 998'
             1076  END_FINALLY

 L. 190  1078_1080  BREAK_LOOP         1086  'to 1086'
         1082_1084  JUMP_BACK           998  'to 998'

 L. 192      1086  LOAD_NAME                input
             1088  LOAD_STR                 '\nWhat is the process id number of the backdoor? '
             1090  CALL_FUNCTION_1       1  ''
             1092  STORE_NAME               ans

 L. 193      1094  LOAD_NAME                ans
             1096  LOAD_NAME                str
             1098  LOAD_NAME                pid
             1100  CALL_FUNCTION_1       1  ''
             1102  COMPARE_OP               !=
         1104_1106  POP_JUMP_IF_FALSE  1166  'to 1166'
             1108  LOAD_NAME                ans
             1110  LOAD_STR                 'skip'
             1112  COMPARE_OP               !=
         1114_1116  POP_JUMP_IF_FALSE  1166  'to 1166'

 L. 194      1118  LOAD_NAME                ans
             1120  LOAD_CONST               None
             1122  LOAD_CONST               4
             1124  BUILD_SLICE_2         2
             1126  BINARY_SUBSCR
             1128  LOAD_STR                 'help'
             1130  COMPARE_OP               ==
         1132_1134  POP_JUMP_IF_FALSE  1146  'to 1146'

 L. 195      1136  LOAD_NAME                print
             1138  LOAD_STR                 '\nYou have been told it is a PowerShell based tool. wmic process where (name like "powershell%") list brief - will show you processes that are probably PowerShell.'
             1140  CALL_FUNCTION_1       1  ''
             1142  POP_TOP
             1144  JUMP_FORWARD       1154  'to 1154'
           1146_0  COME_FROM          1132  '1132'

 L. 197      1146  LOAD_NAME                print
             1148  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
             1150  CALL_FUNCTION_1       1  ''
             1152  POP_TOP
           1154_0  COME_FROM          1144  '1144'

 L. 198      1154  LOAD_NAME                input
             1156  LOAD_STR                 'What is the process id number of the backdoor? '
             1158  CALL_FUNCTION_1       1  ''
             1160  STORE_NAME               ans
         1162_1164  JUMP_BACK          1094  'to 1094'
           1166_0  COME_FROM          1114  '1114'
           1166_1  COME_FROM          1104  '1104'

 L. 200      1166  LOAD_NAME                print
             1168  LOAD_STR                 '\nUse wmic to retrieve the CommandLine and answer the following.'
             1170  CALL_FUNCTION_1       1  ''
             1172  POP_TOP

 L. 201      1174  LOAD_NAME                input
             1176  LOAD_STR                 '\nWhat is the flag contained in the script executed by the backdoor? '
             1178  CALL_FUNCTION_1       1  ''
             1180  STORE_NAME               ans

 L. 202      1182  LOAD_NAME                ans
             1184  LOAD_NAME                str
             1186  LOAD_NAME                newflg
             1188  CALL_FUNCTION_1       1  ''
             1190  COMPARE_OP               !=
         1192_1194  POP_JUMP_IF_FALSE  1286  'to 1286'
             1196  LOAD_NAME                ans
             1198  LOAD_STR                 'skip'
             1200  COMPARE_OP               !=
         1202_1204  POP_JUMP_IF_FALSE  1286  'to 1286'

 L. 203      1206  LOAD_NAME                ans
             1208  LOAD_CONST               None
             1210  LOAD_CONST               4
             1212  BUILD_SLICE_2         2
             1214  BINARY_SUBSCR
             1216  LOAD_STR                 'help'
             1218  COMPARE_OP               ==
         1220_1222  POP_JUMP_IF_FALSE  1266  'to 1266'

 L. 204      1224  LOAD_NAME                print
             1226  LOAD_STR                 'Step 1: Acquire the command line that launched the process.'
             1228  CALL_FUNCTION_1       1  ''
             1230  POP_TOP

 L. 205      1232  LOAD_NAME                print
             1234  LOAD_STR                 '"wmic process where (processid = 1234) get commandline" - would get the command line that launched process id 1234.'
             1236  CALL_FUNCTION_1       1  ''
             1238  POP_TOP

 L. 206      1240  LOAD_NAME                print
             1242  LOAD_STR                 'Step 2: Decode the base64 string containing the PowerShell Script.'
             1244  CALL_FUNCTION_1       1  ''
             1246  POP_TOP

 L. 207      1248  LOAD_NAME                print
             1250  LOAD_STR                 'For example, the following command decodes a -enc (base64 encoded) string:'
             1252  CALL_FUNCTION_1       1  ''
             1254  POP_TOP

 L. 208      1256  LOAD_NAME                print
             1258  LOAD_STR                 '[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("QwBoAGUAYwBrACAAbwB1AHQAIABTAEEATgBTACAAUAB5AHQAaABvAG4AIABDAGwAYQBzAHMAIQAgAFMARQBDADUANwAzACEAIQA=")).'
             1260  CALL_FUNCTION_1       1  ''
             1262  POP_TOP
             1264  JUMP_FORWARD       1274  'to 1274'
           1266_0  COME_FROM          1220  '1220'

 L. 210      1266  LOAD_NAME                print
             1268  LOAD_STR                 'That is incorrect.  Please check your answer and try again.'
             1270  CALL_FUNCTION_1       1  ''
             1272  POP_TOP
           1274_0  COME_FROM          1264  '1264'

 L. 211      1274  LOAD_NAME                input
             1276  LOAD_STR                 'What is the flag contained in the script executed by the backdoor? '
             1278  CALL_FUNCTION_1       1  ''
             1280  STORE_NAME               ans
         1282_1284  JUMP_BACK          1182  'to 1182'
           1286_0  COME_FROM          1202  '1202'
           1286_1  COME_FROM          1192  '1192'

 L. 213      1286  LOAD_NAME                print
             1288  LOAD_STR                 '\nNow use wmic to kill the process.'
             1290  CALL_FUNCTION_1       1  ''
             1292  POP_TOP

 L. 214      1294  LOAD_NAME                input
             1296  LOAD_STR                 'Press enter after you have killed the process.'
             1298  CALL_FUNCTION_1       1  ''
             1300  STORE_NAME               ans

 L. 215      1302  LOAD_STR                 'wmic process where (processid = %s) list brief'
             1304  LOAD_NAME                pid
             1306  BINARY_MODULO
             1308  STORE_NAME               check_pid

 L. 216      1310  LOAD_NAME                exec_cmd
             1312  LOAD_NAME                check_pid
             1314  CALL_FUNCTION_1       1  ''
             1316  LOAD_STR                 'No Instance(s) Available.'
             1318  COMPARE_OP               !=
         1320_1322  POP_JUMP_IF_FALSE  1382  'to 1382'
             1324  LOAD_NAME                ans
             1326  LOAD_STR                 'skip'
             1328  COMPARE_OP               !=
         1330_1332  POP_JUMP_IF_FALSE  1382  'to 1382'

 L. 217      1334  LOAD_NAME                ans
             1336  LOAD_CONST               None
             1338  LOAD_CONST               4
             1340  BUILD_SLICE_2         2
             1342  BINARY_SUBSCR
             1344  LOAD_STR                 'help'
             1346  COMPARE_OP               ==
         1348_1350  POP_JUMP_IF_FALSE  1362  'to 1362'

 L. 218      1352  LOAD_NAME                print
             1354  LOAD_STR                 '\nwmic process where (processid = 1234) delete  OR get-process -PID 1234 | stop-process  - would kill process number 1234.'
             1356  CALL_FUNCTION_1       1  ''
             1358  POP_TOP
             1360  JUMP_FORWARD       1370  'to 1370'
           1362_0  COME_FROM          1348  '1348'

 L. 220      1362  LOAD_NAME                print
             1364  LOAD_STR                 '\nThe process still seems to be running.  Please kill the process used by the backdoor with wmic.'
             1366  CALL_FUNCTION_1       1  ''
             1368  POP_TOP
           1370_0  COME_FROM          1360  '1360'

 L. 221      1370  LOAD_NAME                input
             1372  LOAD_STR                 'Press enter after you have killed the process.'
             1374  CALL_FUNCTION_1       1  ''
             1376  STORE_NAME               ans
         1378_1380  JUMP_BACK          1310  'to 1310'
           1382_0  COME_FROM          1330  '1330'
           1382_1  COME_FROM          1320  '1320'

 L. 223      1382  LOAD_NAME                input
             1384  LOAD_STR                 '\n\nYou have done well. The evil hackers have been thwarted.\nPress enter to end this lab.'
             1386  CALL_FUNCTION_1       1  ''
             1388  POP_TOP

Parse error at or near `POP_TOP' instruction at offset 1030

The text was updated successfully, but these errors were encountered:

rocky · 2020-05-27T10:44:07Z

Just to set expectations on bugs like this...

It should be pretty well known and understood that Python 3. 8 compilation is about the weakest. (3.9, 3.10 is and probably will remain be worse.)

Anyone who has been watching the activity on the decompiler projects will notice that the number of bug reporters far exceeds the number of bug fixers. So if you you are interested in making a stab at fixing this, by all means do and submit a PR. However you may have an easier time of it in the decompyle3 project.

Personally, I don't have much interest in particular bugs like this: you have some code your are interested in that you probably didn't write, have never had the source code for, and the code is rather long, uninteresting, and tedious.

Starting in 3.6 the following:

wordcode instruction operand shortening in jumps,
of the greater use of EXtENDED_ARGS , and
the optimization added to work around instructions with EXTENDED_ARGS

makes conttrol flow even harder to detect, until we have better analysis in place. This was explored in the control-flow project, but needs to revised and incorporated into decompyle3.

Given that you list that you work for for a security firm, I suspect you and others who use or have used the project get paid for your interest. In fact I would not be surprised if this bug is of interest due to some aspect of your job.

However I don't get paid for working on stuff like this or this project, and I am increasingly finding that I can no longer support helping out others whether it is in their line of work, or in their hobbies. (I am currently unemployed).

It is possible in the due course of things, as a result of the general improvement and bug fixing process this particular bug will get addressed. Although the bug is tedious in this form, it probably appears often enough in other bytecode as well. Based on past experience, bugs of this kind get addressed in a couple of years or so.

rocky added control flow EXTENDED_ARG Python 3.8 labels May 27, 2020

rocky added the volunteer wanted Volunteer wanted to fix if a bug or to implement if a new feature. label May 5, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to decompile Python 3.8 (PyInstaller on Windows created) bytecode #316

Unable to decompile Python 3.8 (PyInstaller on Windows created) bytecode #316

evandrix commented May 27, 2020

rocky commented May 27, 2020 •

edited

Unable to decompile Python 3.8 (PyInstaller on Windows created) bytecode #316

Unable to decompile Python 3.8 (PyInstaller on Windows created) bytecode #316

Comments

evandrix commented May 27, 2020

rocky commented May 27, 2020 • edited

rocky commented May 27, 2020 •

edited