Message 262895 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pulina
Recipients	pulina
Date	2016-04-05.09:51:16
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1459849877.74.0.679437404849.issue26694@psf.upfronthosting.co.za>
In-reply-to

Content
Many obfuscators use simple technice for block disasemblation. Add broken instructions (for example unknown op codes) and use flow control (SETUP_EXCEPT or JUMP_FORWARD) to skip broken instructions. Interpreter work in right way skipping broken instruction or catch error and go to except instructions but disasembler iterate over all instructions and every where assume that code is correct and doing something like : elif op in hasname: print '(' + co.co_names[oparg] + ')', Which fails because variable oparg not in co_names table or refer to not existing name or const. Why dis lib not assume that code can be broken and try disassemble it as good as it can any way. 15 JUMP_IF_TRUE 3 (to 19) 18 <WRONG INSTRUCTION> (33333333) 19 LOAD_NAME 1 (b) Or if we rely on the assumption that if code disasseblation done with no problem this mean that code is good. We can add flag where we can disassemble unsteady code or even add other method like dis_unsafe or something like that. Include: obfuscated and unobfuscated pyc files for testing. Change proposition: Cherry-pick code dis module from 3.5 python with some changes required to normal working. Working example included.

Many obfuscators use simple technice for block disasemblation. Add broken instructions (for example unknown op codes) and use flow control (SETUP_EXCEPT or JUMP_FORWARD) to skip broken instructions. Interpreter work in right way skipping broken instruction or catch error and go to except instructions but disasembler iterate over all instructions and every where assume that code is correct and doing something like :

elif op in hasname:
                print '(' + co.co_names[oparg] + ')',


Which fails because variable oparg not in co_names table or refer to not existing name or const. Why dis lib not assume that code can be broken and try disassemble it as good as it can any way. 

   15 JUMP_IF_TRUE             3 (to 19)
   18 <WRONG INSTRUCTION>      (33333333)
   19 LOAD_NAME                1 (b)

Or if we rely on the assumption that if code disasseblation done with no problem this mean that code is good. We can add flag where we can disassemble unsteady code or even add other method like dis_unsafe or something like that. 

Include: obfuscated and unobfuscated pyc files for testing. 

Change proposition:

Cherry-pick code dis module from 3.5 python with some changes required to normal working. Working example included.

History
Date	User	Action	Args
2016-04-05 09:51:17	pulina	set	recipients: + pulina
2016-04-05 09:51:17	pulina	set	messageid: <1459849877.74.0.679437404849.issue26694@psf.upfronthosting.co.za>
2016-04-05 09:51:17	pulina	link	issue26694 messages
2016-04-05 09:51:16	pulina	create