dan-masek

Deobfuscating some python code (no payload version)

May 16th, 2021
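  import base64
  import dis
  import marshal
  import zlib

  # Peels the nested marshal / base64 / base32 / base16 / zlib layers of the
  # string that tracker.py loads and executes, and writes the innermost layer
  # to deobfuscated.py. Nothing recovered here is executed: each layer is only
  # unmarshalled, listed and decoded.
  #
  # Analyst notes:
  # - marshal is not hardened against malformed or hostile input, and its
  #   format is specific to the Python version. Run this in a disposable
  #   analysis VM, under the interpreter version the sample was built for.
  # - co_consts[2] is where this particular sample keeps the next layer. For
  #   another sample, read the printed names and bytecode to find the index.

  # NB: Paste the string that the tracker.py script tries to load and execute
  PAYLOAD = ''


  def show(code):
      """Print the names a code object references, then its raw bytecode."""
      print("Names", code.co_names)
      # dis.dis() writes the listing itself and returns None, so wrapping it
      # in print() would only add a stray "None" line after each listing.
      dis.dis(code.co_code)


  def between_quotes(blob):
      """Return the text after the first double quote, up to the next one."""
      parts = blob.split(b'"')
      if len(parts) < 2:
          raise ValueError("no double-quoted string found in the decoded layer")
      return parts[1]


  if not PAYLOAD:
      # Without this guard marshal.loads() fails with an EOFError that does
      # not say what is missing.
      raise SystemExit(
          "PAYLOAD is empty: paste the marshalled string from tracker.py first"
      )

  # Layers 1 and 2: marshalled code objects, each holding the next layer as
  # a constant.
  l1 = marshal.loads(PAYLOAD)
  show(l1)

  l2 = marshal.loads(l1.co_consts[2])
  show(l2)

  # Layer 3 is base64; the decoded text carries a quoted base32 string that
  # unmarshals to layer 4.
  l3 = base64.b64decode(l2.co_consts[2])
  l4 = marshal.loads(base64.b32decode(between_quotes(l3)))
  show(l4)

  # Layer 5 is base64 + zlib; the decompressed text carries a quoted string
  # that is base64 + zlib around the marshalled layer 6.
  l5 = zlib.decompress(base64.b64decode(l4.co_consts[2]))
  l6 = marshal.loads(zlib.decompress(base64.b64decode(between_quotes(l5))))
  show(l6)

  # Layers 7/8: base32, zlib, marshal.
  l8 = marshal.loads(zlib.decompress(base64.b32decode(l6.co_consts[2])))
  show(l8)

  # Layers 9/10: base16, zlib, marshal.
  l10 = marshal.loads(zlib.decompress(base64.b16decode(l8.co_consts[2])))
  show(l10)

  # Innermost layer: plain base64.
  l11 = base64.b64decode(l10.co_consts[2])

  # Binary mode writes the recovered bytes unchanged (no newline translation),
  # so a hash of the artefact is reproducible across hosts. The output is a
  # sample to read, not a module to import or run.
  with open('deobfuscated.py', 'wb') as f:
      f.write(l11)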