how to decompile/deobfuscate sourcedefender pye code

Question

How do I decompile a pye file which is compiled by py concrete? I'm trying to do this for the past few months and I'm still not able to do so.

Answer 1

SourceDefender simply uses TgCrypto to encrypt and decrypt the code. You can wrap the decryption function to print the data.

Let's say you want to decrypt mystery.pye.

Preparation

Save the following script as wrapper.py in the same working directory:

import msgpack
import tgcrypto

# Save the original function references
original_ctr256_decrypt = tgcrypto.ctr256_decrypt

SOURCE_CODE = ""


# Define wrapper function with print behavior
def wrap_ctr256_decrypt(data: bytes, key: bytes, iv: bytes, state: bytes):
    global SOURCE_CODE
    result = original_ctr256_decrypt(data, key, iv, state)
    unpacked = msgpack.loads(result)
    SOURCE_CODE = unpacked.get("code")
    print(SOURCE_CODE)

    # Disable potentially dangerous code and return timestamp = 2999-01-01
    dummy_data = msgpack.dumps({"code": "", "eol_timestamp": 32472144000})
    return dummy_data


# Replace the original function with the wrapper in the tgcrypto module
tgcrypto.ctr256_decrypt = wrap_ctr256_decrypt

Execution

Run a Python shell with command python3 and then import the wrapper right before the encrypted module:

import sourcedefender
import wrapper
# The following is the PYE file
import mystery

The code will be printed on screen. You can still access it afterwards like:

print(wrapper.SOURCE_CODE)

Or even:

with open("mystery.py", "w") as outfile:
    outfile.write(wrapper.SOURCE_CODE)