Disasembler fall with Key Error while disassemble obfuscated code. #70881

pulina · 2016-04-05T09:51:18Z

BPO	26694
Nosy	@ncoghlan, @stevendaprano, @serhiy-storchaka, @1st1, @pulina
Files	example.zip: zip 4 files, script i used (nedbatchelder), simple code with obfuscated pyc file example and custom_dis module working well

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2018-08-27.09:59:16.409>
created_at = <Date 2016-04-05.09:51:17.700>
labels = ['invalid', 'type-bug', 'library']
title = 'Disasembler fall with Key Error while disassemble obfuscated code.'
updated_at = <Date 2018-08-27.09:59:16.407>
user = 'https://github.com/pulina'

bugs.python.org fields:

activity = <Date 2018-08-27.09:59:16.407>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2018-08-27.09:59:16.409>
closer = 'serhiy.storchaka'
components = ['Library (Lib)']
creation = <Date 2016-04-05.09:51:17.700>
creator = 'pulina'
dependencies = []
files = ['42371']
hgrepos = []
issue_num = 26694
keywords = []
message_count = 2.0
messages = ['262895', '324161']
nosy_count = 5.0
nosy_names = ['ncoghlan', 'steven.daprano', 'serhiy.storchaka', 'yselivanov', 'pulina']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue26694'
versions = ['Python 2.7']

pulina · 2016-04-05T09:51:17Z

Many obfuscators use simple technice for block disasemblation. Add broken instructions (for example unknown op codes) and use flow control (SETUP_EXCEPT or JUMP_FORWARD) to skip broken instructions. Interpreter work in right way skipping broken instruction or catch error and go to except instructions but disasembler iterate over all instructions and every where assume that code is correct and doing something like :

elif op in hasname:
print '(' + co.co_names[oparg] + ')',

Which fails because variable oparg not in co_names table or refer to not existing name or const. Why dis lib not assume that code can be broken and try disassemble it as good as it can any way.

15 JUMP_IF_TRUE 3 (to 19)
18 <WRONG INSTRUCTION> (33333333)
19 LOAD_NAME 1 (b)

Or if we rely on the assumption that if code disasseblation done with no problem this mean that code is good. We can add flag where we can disassemble unsteady code or even add other method like dis_unsafe or something like that.

Include: obfuscated and unobfuscated pyc files for testing.

Change proposition:

Cherry-pick code dis module from 3.5 python with some changes required to normal working. Working example included.

serhiy-storchaka · 2018-08-27T09:59:16Z

The dis module is not supposed to support invalid bytecode. This is a new feature, and 2.7 can give only bug fixes.

pulina mannequin added stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error labels Apr 5, 2016

serhiy-storchaka closed this as completed Aug 27, 2018

serhiy-storchaka added the invalid label Aug 27, 2018

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disasembler fall with Key Error while disassemble obfuscated code. #70881

Disasembler fall with Key Error while disassemble obfuscated code. #70881

pulina mannequin commented Apr 5, 2016

pulina mannequin commented Apr 5, 2016

serhiy-storchaka commented Aug 27, 2018

Disasembler fall with Key Error while disassemble obfuscated code. #70881

Disasembler fall with Key Error while disassemble obfuscated code. #70881

Comments

pulina mannequin commented Apr 5, 2016

pulina mannequin commented Apr 5, 2016

serhiy-storchaka commented Aug 27, 2018