Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

i tried making a deobfuscator #1

Open
A3ima opened this issue Apr 12, 2023 · 4 comments
Open

i tried making a deobfuscator #1

A3ima opened this issue Apr 12, 2023 · 4 comments

Comments

@A3ima
Copy link

A3ima commented Apr 12, 2023
edited
Loading 

import bz2
import os
import quopri
import random
import base64
import random
import platform
import traceback
import itertools
import re
import autopep8

def try_deobfuscate(code, techniques):
    for technique in techniques:
        try:
            code = technique(code)
        except Exception as e:
            return None
    return code

def deobfuscate(obfuscated_code):
    obfuscated_code = remove_dbgprot(obfuscated_code)
    obfuscated_code = unify_deobfuscate(obfuscated_code)
    techniques = [rev_deobfuscate, quoted_decode, comppy_deobfuscate, b64unpack]

    for layer_count in range(1, 50):
        technique_orders = list(itertools.product(techniques, repeat=layer_count))
        for order in technique_orders:
            deobfuscated_code = try_deobfuscate(obfuscated_code, order)
            if deobfuscated_code is not None:
                return deobfuscated_code

    raise Exception("Deobfuscation failed for all technique orders.")

def remove_dbgprot(code):
    if code.startswith("exec(\"\"\""):
        code = code.split("exec(\"\"\"\n", 1)[1]
        code = code.rsplit("\"\"\"", 1)[0]
    return code

def unify_deobfuscate(code):
    for quote_type in ['"""', "'''"]:
        if code.startswith(f"exec({quote_type}"):
            code = code[len(f"exec({quote_type}"):]
            code = code[:-len(quote_type)]
            code = code.replace('\\n', '\n').replace('\\t', '\t')
            break
    return code

def rev_deobfuscate(input_str):
    if input_str.startswith("data=r"):
        input_str = input_str.split("\n", 1)[1]
        input_str = input_str[:-1]
        revedcode = input_str[::-1]
        return revedcode
    else:
        raise Exception("Not a valid reverse obfuscation")

def comppy_deobfuscate(code):
    if code.startswith("import bz2"):
        decompresser_start = code.index("exec(bz2.decompress(") + len("exec(bz2.decompress(")
        decompresser_end = code.index("))", decompresser_start)
        compressed = eval(code[decompresser_start:decompresser_end])
        decompressed = bz2.decompress(compressed).decode('utf-8')
        return decompressed
    else:
        raise Exception("Not a valid comppy obfuscation")

def quoted_decode(code):
    if code.startswith("import quopri"):
        encoded_start = code.index("exec(quopri.decodestring(") + len("exec(quopri.decodestring(")
        encoded_end = code.index(").decode('utf-8'))", encoded_start)
        encoded = eval(code[encoded_start:encoded_end])
        decoded = quopri.decodestring(encoded).decode('ascii')
        return decoded
    else:
        raise Exception("Not a valid quoted obfuscation")

def b64unpack(code):
    encoded_start = code.find("decoded = '")
    if encoded_start != -1:
        encoded_start += len("decoded = '")
        encoded_end = code.index("'", encoded_start)
        encoded = code[encoded_start:encoded_end]

        n = 0
        while "decoded = base64.b64decode(decoded.encode()).decode()" in code:
            n += 1
            code = code.replace("decoded = base64.b64decode(decoded.encode()).decode()", "", 1)

        decoded = encoded
        for i in range(n):
            decoded = base64.b64decode(decoded.encode()).decode()

        return decoded
    else:
        raise Exception("Not a valid b64unpack obfuscation")

def fix_formatting(code):
    formatted_code = autopep8.fix_code(code, options={'aggressive': 2})
    return formatted_code

def main():
    file_path = ""  # Change this to your obfuscated Python file path
    with open(file_path, "r") as f:
        obfuscated_code = f.read()

    formatted_code = fix_formatting(obfuscated_code)

    try:
        deobfuscated_code = deobfuscate(formatted_code)
    except Exception as e:
        print("Deobfuscation failed. Showing the original code:")
        print(formatted_code)
    else:
        print("Deobfuscated code:")
        print(deobfuscated_code)

if __name__ == "__main__":
    main()
@Noisec
Copy link
Owner

Noisec commented Apr 19, 2023
edited
Loading

Nice, but no chance against 200mb obf.ed files 😂
But also it was just an fun project, so anyway, it doesn't make much sense to make a 200mb obf.ed python file with this, it would use a lot of cpu, but if it's not 200mb, then simpler deobfuscators like this will be able to decipher it, or if the random obfuscation was so bad, then even a human can undo it.

@Noisec
Copy link
Owner

Noisec commented Apr 19, 2023

oukay

@A3ima
Copy link
Author

A3ima commented Apr 19, 2023

i can make it work against 200mb obf files

@A3ima
Copy link
Author

A3ima commented Apr 19, 2023
edited
Loading

anyways, if ur going to improve this fun proj lmk, il update the deobfucator, and if ur ever going to be serious about building an obfuscator lmk, il help out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Noisec @A3ima