UNLEASH THE BEAST | THE FUTURE

ＵＮＬＥ⛧ＳＨ　ＴＨＥ　ＢＥＡＳＴ　ト何ゼ

Unpacking PyArmor

July 29, 2020 // icecream

SoderCTF - Rev6

Greetings! This is a write-up that covers up the sixth reversing engineering challenge of SoderCTF.

Starting to Analyze

When you try to run the executable file it gives no output.

> ./SierraTwo_V2.exe

Sometimes, it is a good idea to run grep command on files to check if there is a familiar error string

[0x140008b14]> iz ~ Err
1    0x00021df8 0x1400233f8 38   39   .rdata  ascii   Error allocating decompression buffer\n
3    0x00021e28 0x140023428 26   27   .rdata  ascii   Error %d from inflate: %s\n
4    0x00021e48 0x140023448 30   31   .rdata  ascii   Error %d from inflateInit: %s\n
8    0x00021ec8 0x1400234c8 23   24   .rdata  ascii   Error decompressing %s\n
18   0x00021fa0 0x1400235a0 15   16   .rdata  ascii   Error on file\n.
21   0x00021fc8 0x1400235c8 35   36   .rdata  ascii   Error allocating memory for status\n
23   0x00022010 0x140023610 25   26   .rdata  ascii   Error opening archive %s\n
25   0x00022040 0x140023640 17   18   .rdata  ascii   Error copying %s\n
31   0x000220a8 0x1400236a8 20   21   .rdata  ascii   Error extracting %s\n
142  0x00022f38 0x140024538 31   32   .rdata  ascii   Error loading Python DLL '%s'.\n
154  0x00023110 0x140024710 34   35   .rdata  ascii   Error detected starting Python VM.
173  0x00023310 0x140024910 30   31   .rdata  ascii   Error creating child process!\n

The error string that shows up on 142nd made us think it was a pyinstaller.

[0x140008b14]> iz ~ PyInstaller
177  0x00023370 0x140024970 35   36   .rdata  ascii   PyInstaller: FormatMessageW failed.
178  0x00023398 0x140024998 44   45   .rdata  ascii   PyInstaller: pyi_win32_utils_to_utf8 failed.

We got right in our guess. If it really uses pyinstaller, we can extract the files inside with pyinstxtractor tool.

> python3.8 pyinstxtractor.py SierraTwo_V2.exe
[+] Processing SierraTwo_V2.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 38
[+] Length of package: 10795430 bytes
[+] Found 976 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth__tkinter.pyc
[+] Possible entry point: pyi_rth_multiprocessing.pyc
[+] Possible entry point: SierraTwo.pyc
[+] Found 399 files in PYZ archive
[+] Successfully extracted pyinstaller archive: SierraTwo_V2.exe

You can now use a python decompiler on the pyc files within the extracted directory

It states that it could not find the pytransform module when we wanted to run the file we extracted.

SierraTwo_V2.exe_extracted> python3.8 SierraTwo.pyc
Traceback (most recent call last):
  File "dist\obf\SierraTwo.py", line 2, in <module>
ModuleNotFoundError: No module named 'pytransform'

pytransform name is actually a familiar name, this is pyarmor, pyarmor is a python bytecode packer. We can quickly grep and confirm this.

>> grep -rn pyarmor
Binary file PYZ-00.pyz_extracted/config.pyc matches
Binary file PYZ-00.pyz_extracted/pytransform.pyc matches
Binary file SierraTwo.pyc matches
Binary file _pytransform.dll matches

The Action

We can start by creating the file hierarchy in its own documentation.

SierraTwo.pyc
pytransform/
    __init__.py
    _pytransform.so

We will change __init__.py file with pytransform.pyc

Then, we should run this file flawlessly.

Traceback (most recent call last):
  File "<dist\obf\sierratwo.py>", line 4, in <module>
  File "<frozen sierratwo="">", line 21, in <module>
ModuleNotFoundError: No module named 'slack'
</module></frozen></module></dist\obf\sierratwo.py>

We are so lucky! The code has a library dependency.
`Library dependency == Library Hijacking`
We can create a file named as 'slack.py' then we can put codes that we want. First of all because the code that we will inject will be imported, we need to go to the relevant frame in callstack and look around.

Hurray! Let's check the frames first!

Note:
It will be done with inspection to be more informative here.
`import pdb; pdb.set_trace()` also can be used.

import inspect

for frameinfo in inspect.stack():
    print(frameinfo.frame)

>
', line 219, code _call_with_frames_removed>
', line 783, code exec_module>
', line 671, code _load_unlocked>
', line 975, code _find_and_load_unlocked>
', line 991, code _find_and_load>
', line 21, code <module>>
>
</module>

The related frame that must be analyzed, is probably '0x000001FA7D4971F0' named as SierraTwo.

frame = inspect.stack()[6]

The variable names and constant values come with the code object to be used in bytecode. That is, constant values (like functions) can still be inside our code.

c = frame.f_code

for idx, obj in enumerate(c.co_consts):
    if inspect.iscode(obj):
        print(idx, obj.co_name)

5 prepare_shell
7 create_channel
9 next_channel
11 machine_info
15 uploader_thread
17 upload
19 respawn
21 handle_user_input
23 commands
25 listen
27 hide_process
32 protect_pytransform

If we can read the variables in these functions, maybe we can get something useful.

for idx, obj in enumerate(c.co_consts):
    if inspect.iscode(obj):
        print(idx, obj.co_name, obj.co_consts)

5 prepare_shell (None, 'channels', 'channel', 'id', ('channel', 'users'), ('channel', 'text'), ('channel',), 'messages', 0, 'ts', ('channel', 'timestamp'))
7 create_channel (None, ('name',))
9 next_channel (None, 0, 'name', '-', 2, 1)
11 machine_info (None, '', 'Windows', 'wmic csproduct get UUID', ' ', 5, 'Linux', 'cat', '/etc/machine-id', 'Darwin', 'ioreg', '-d2', '-c', 'IOPlatformExpertDevice', '|', 'awk', '-F', "'/IOPlatformUUID/{print $(NF-1)}'", 'unknown', '`', '` with the `', '` UUID connected.')
15 uploader_thread (None, '', True, ('file', 'channels', 'filename', 'title'), 'Uploaded `', '`', 'File not found.', False)
17 upload (None, True, ('target', 'daemon', 'args'), 'Please wait while your file is uploaded.', ('channel', 'text'), 'Cannot start uploader thread')
19 respawn (None, '', 'b0', '9b', 'b1', '21', '6e', '10', '40', '3c', '72', '23', '6f', '16', 'af', '14', '1a', '64', '12', 'c8', '5b', 'a6', '69', 'b4', '6d', '74', 'a2', 'cf', '62', '52', '58', '30', 'e0', '65', 'db', '1e', '56', '73', 'c4', 'c2', '7e', '20', '24', '8e', 'ce', '42', '17', '9a', '87', 'fb', 'dd', 'eb', 'ea', '25', 'aa', 'fa', 'a9', '2e', '78', 'de', '66', '00', '85', 'dc', '36', '32', '59', 'ae', '3a', '2b', '29', 'da', 'd5', 'f5', '2f', '2c', 'fe', 'cd', '2a', '90', 'e6', '18', '75', '26', '68', '2d', 'be', '35', 'd0', '5a', '31', '22', '5f', '76', '27', 'e1', '91', '45', '63', '94', '5d', '4c', '15', 'ff', 'e2', '5e', '28', '61', 'ee', 'f6', '08', 'c3', 'c7', 'b6', 'b5', '02', '55', 'ef', 'd9', '04', 'ad', code object="" varxor="" at="" 0x0000023226dff5b0,="" file="" "frozen="" sierratwo=""", line 400>, 'respawn.<locals>.varxor', '__main__', 1, 37, 'a', 'b', 'z')
21 handle_user_input (None, '', 'Error reading command output.', ('channel', 'text'), 'The command did not return anything.', '`', 'Output contains an illegal character.', 0, code object="" listcomp="" at 0x0000023226DFF660, file "frozen sierratwo=""", line 440>, 'handle_user_input.locals.<listcomp>', '```', 'Output size is too big. If you are trying to read a file, try uploading it.', 'Unknown error.')
23 commands (None, 'upload', ' ', 1, 'cd', '`cd` complete.', ('channel', 'text'), 'shell_exit', 0)
25 listen (None, '', 'randomval', ('channel',), 0.8, 'messages', 0, 'client_msg_id', 'text', 0.3)
27 hide_process (None, 0, 'taskkill /PID ', ' /f')
32 protect_pytransform (None, 0, code object="" assert_builtin="" at="" 0x0000023226dff9d0,="" file="" "frozen="" sierratwo="">", line 530>, 'protect_pytransform.locals.assert_builtin', code object="" check_obfuscated_script="" at="" 0x0000023226dffb30,="" file="" "frozen="" sierratwo=""", line 536>, 'protect_pytransform.<locals>.check_obfuscated_script', code object="" check_mod_pytransform="" at="" 0x0000023226dffc90,="" file="" "frozen="" sierratwo="">", line 545>, 'protect_pytransform.<locals>.check_mod_pytransform', code object="" check_lib_pytransform="" at="" 0x0000023226dffd40,="" file="" "<frozen="" sierratwo="">", line 559>, 'protect_pytransform.<locals>.check_lib_pytransform')
<code object="" varxor="" at="" 0x0000023226dff5b0,="" file="" "<frozen="" sierratwo=""><code object="" listcomp=""code object="" assert_builtin="" at="" 0x0000023226dff9d0,="" file="" "<frozen="" sierratwo=""code object="" check_obfuscated_script="" at="" 0x0000023226dffb30,="" file="" "<frozen="" sierratwo=""code object="" check_mod_pytransform="" at="" 0x0000023226dffc90,="" file="" "frozen="" sierratwo=""code object="" check_lib_pytransform="" at="" 0x0000023226dffd40,="" file="" "frozen="" sierratwo=""
code object="" varxor="" at="" 0x0000023226dff5b0,="" file="" "frozen="" sierratwo=""code object="" listcomp=""code object="" assert_builtin="" at="" 0x0000023226dff9d0,="" file="" "<frozen="" sierratwo=""code object="" check_obfuscated_script="" at="" 0x0000023226dffb30,="" file="" "<frozen="" sierratwo=""code object="" check_mod_pytransform="" at="" 0x0000023226dffc90,="" file="" "<frozen="" sierratwo=""code object="" check_lib_pytransform="" at="" 0x0000023226dffd40,="" file="" "<frozen="" sierratwo=""code object="" varxor="" at="" 0x0000023226dff5b0,="" file="" "<frozen="" sierratwo=""code object="" listcomp=""code object="" assert_builtin="" at="" 0x0000023226dff9d0,="" file="" "<frozen="" sierratwo=""code object="" check_obfuscated_script="" at="" 0x0000023226dffb30,="" file="" "<frozen="" sierratwo=""code object="" check_mod_pytransform="" at="" 0x0000023226dffc90,="" file="" "frozen="" sierratwo=""code object="" check_lib_pytransform="" at="" 0x0000023226dffd40,="" file="" "frozen="" sierratwo=""
It looks like we have found suspicious data...
19 respawn (None, '', 'b0', '9b', 'b1', '21', '6e', '10', '40', '3c', '72', '23', '6f', '16', 'af', '14', '1a', '64', '12', 'c8', '5b', 'a6', '69', 'b4', '6d', '74', 'a2', 'cf', '62', '52', '58', '30', 'e0', '65', 'db', '1e', '56', '73', 'c4', 'c2', '7e', '20', '24', '8e', 'ce', '42', '17', '9a', '87', 'fb', 'dd', 'eb', 'ea', '25', 'aa', 'fa', 'a9', '2e', '78', 'de', '66', '00', '85', 'dc', '36', '32', '59', 'ae', '3a', '2b', '29', 'da', 'd5', 'f5', '2f', '2c', 'fe', 'cd', '2a', '90', 'e6', '18', '75', '26', '68', '2d', 'be', '35', 'd0', '5a', '31', '22', '5f', '76', '27', 'e1', '91', '45', '63', '94', '5d', '4c', '15', 'ff', 'e2', '5e', '28', '61', 'ee', 'f6', '08', 'c3', 'c7', 'b6', 'b5', '02', '55', 'ef', 'd9', '04', 'ad', code object="" varxor="" at="" 0x0000023226dff5b0,="" file="" "frozen="" sierratwo="">", line 400>, 'respawn.<locals>.varxor', '__main__', 1, 37, 'a', 'b', 'z')
code object="" varxor="" at="" 0x0000023226dff5b0,="" file="" "frozen="" sierratwo="">

After all, this function is a codeobject, which means we can run with exec() function.

frame = inspect.stack()[6].frame
respawn = frame.f_code.co_consts[19]
print(exec(respawn))
None

Sadly this function does not return anything.
We can dissasemble this bytecode with dis (https://docs.python.org/3/library/dis.html) library.

import dis
dis.dis(respawn)

167           0 JUMP_ABSOLUTE           18
              2 NOP

168           4 NOP
        >>    6 POP_BLOCK

169           8 BEGIN_FINALLY
             10 NOP

170          12 NOP
             14 EXTENDED_ARG             4

171          16 JUMP_ABSOLUTE         1066
        >>   18 LOAD_GLOBAL              2 (__armor_enter__)

172          20 CALL_FUNCTION            0
             22 POP_TOP

173          24 NOP
             26 NOP

174          28 EXTENDED_ARG             4
             30 SETUP_FINALLY         1034 (to 1066)

175          32 INPLACE_POWER
             34 NOP

176     >>   36 MAP_ADD                 40
             38 <222>                  175
                ...
                ...
                ...
                ...
Traceback (most recent call last):
File "dist\obf\sierratwo.py", line 4, in <module>
File "frozen sierratwo=""", line 21, in <module>
File "ayskrem\slack.py", line 38, in <module>
  dis.dis(respawn)
File "xi\git\c\cpython\lib\dis.py", line 79, in dis
  _disassemble_recursive(x, file=file, depth=depth)
File "xi\git\c\cpython\lib\dis.py", line 373, in _disassemble_recursive
  disassemble(co, file=file)
File "xi\git\c\cpython\lib\dis.py", line 369, in disassemble
  _disassemble_bytes(co.co_code, lasti, co.co_varnames, co.co_names,
File "xi\git\c\cpython\lib\dis.py", line 401, in _disassemble_bytes
  for instr in _get_instructions_bytes(code, varnames, names,
File "xi\git\c\cpython\lib\dis.py", line 340, in _get_instructions_bytes
  argval, argrepr = _get_name_info(arg, names)
File "xi\git\c\cpython\lib\dis.py", line 304, in _get_name_info
  argval = name_list[name_index]
IndexError: tuple index out of range

Unfortunately we were disappointed again.
If we look at the documentation of PyArmor, we can see that this is the wrap-mode (https://pyarmor.readthedocs.io/en/latest/mode.html?highlight=__armor_enter__#wrap-mode) feature.

LOAD_GLOBALS    N (__armor_enter__)     N = length of co_consts
CALL_FUNCTION   0
POP_TOP
SETUP_FINALLY   X (jump to wrap footer) X = size of original byte code

Here it's obfuscated bytecode of original function

LOAD_GLOBALS    N + 1 (__armor_exit__)
CALL_FUNCTION   0
POP_TOP
END_FINALLY

According to the structure, '__armor_enter__' gets its own reference and updates the bytecode range.

In this case, there are two things we can do. The first one is, patching cpython and the other option is to reverse the extention/library. Most likely it will be easier and faster to patch the cpython.

Bytecodes are processed on `ceval.c`. Since our problem is a polymorphic codeobject, we will only dump the bytecodes that are running. So, we have to dump bytecodes just before switch_case.

@@ -759,6 +759,11 @@ _PyEval_EvalFrameDefault(PyFrameObject *f, int throwflag)
     _Py_atomic_int * const eval_breaker = &ceval->eval_breaker;
     PyCodeObject *co;

+    FILE *a_logger;
+    int logger_flag;
+    if ((logger_flag = PyUnicode_CompareWithASCIIString(f->f_code->co_name, "respawn") == 0)) {
+        a_logger = fopen("xi\respawn.bin", "wb");
+    }
     /* when tracing we set things up so that

            not (instr_lb <= current_bytecode_offset < instr_ub)
@@ -1077,9 +1082,12 @@ _PyEval_EvalFrameDefault(PyFrameObject *f, int throwflag)
 /* Start of code */

     /* push frame */
-    if (Py_EnterRecursiveCall(""))
+    if (Py_EnterRecursiveCall("")){
+        if (logger_flag) {
+            fclose(a_logger);
+       }
         return NULL;
-
+    }
     tstate->frame = f;

     if (tstate->use_tracing) {
@@ -1319,6 +1327,16 @@ main_loop:
             }
         }
 #endif
+       if (logger_flag) {
+          if (HAS_ARG(opcode)) {
+               fputc(opcode, a_logger);
+               fputc(oparg, a_logger);
+          }
+           else {
+              fputc(opcode, a_logger);
+              fputc(0, a_logger);
+          }
+       }

         switch (opcode) {

@@ -3813,7 +3831,9 @@ exit_eval_frame:
     Py_LeaveRecursiveCall();
     f->f_executing = 0;
     tstate->frame = f->f_back;
-
+    if (logger_flag){
+       fclose(a_logger);
+    }
     return _Py_CheckFunctionResult(NULL, retval, "PyEval_EvalFrameEx");
 }

We updated our code. We have to run respawn function again.

exec(respawn)

Now, we can check `respawn.bin` file

import dis
dis.dis(respawn.replace(co_code=open("respawn.bin", "rb").read()), depth=0)

167           0 JUMP_ABSOLUTE           18
              2 LOAD_GLOBAL              2 (__armor_enter__)

168           4 CALL_FUNCTION            0
        >>    6 POP_TOP

169           8 NOP
             10 NOP

170          12 EXTENDED_ARG             4
             14 SETUP_FINALLY         1034 (to 1050)

171          16 LOAD_CONST               1 ('')
        >>   18 STORE_FAST               0 (z2)

172          20 LOAD_CONST               2 ('b0')
             22 STORE_FAST               1 (t6)

173          24 LOAD_CONST               3 ('9b')
             26 STORE_FAST               2 (f23)

174          28 LOAD_CONST               4 ('b1')
             30 STORE_FAST               3 (u46)
                ...
                ...
                ...
            938 STORE_FAST             229 (a67)
            940 LOAD_CONST             121 ((<code object="" varxor="" at="" 0x000001e90f0ff5b0,="" file="" "<frozen="" sierratwo="">", line 400>)

407         942 LOAD_CONST             122 ('respawn.<locals>.varxor')
            944 MAKE_FUNCTION            0

408         946 STORE_FAST             230 (varxor)
            948 LOAD_GLOBAL              0 (__name__)
            950 LOAD_CONST             123 ('__main__')
            952 COMPARE_OP               2 (==)
            954 EXTENDED_ARG             4

409         956 POP_JUMP_IF_FALSE     1062
            958 LOAD_CONST               0 (None)
            960 JUMP_ABSOLUTE            6
            962 POP_BLOCK
            964 BEGIN_FINALLY
            966 NOP
            968 NOP
            970 EXTENDED_ARG             4

410         972 JUMP_ABSOLUTE         1066
            974 LOAD_GLOBAL              3 (__armor_exit__)
            976 CALL_FUNCTION            0
            978 POP_TOP
            980 END_FINALLY
            982 RETURN_VALUE
            code object="" varxor="" at="" 0x000001e90f0ff5b0,="" file="" "<frozen="" sierratwo=""

We have to check `varxor` function but it is also packed. We decided to check manually, because we are lazy.
After all, we can replace the code what original `varxor` function has with another function and we can get what it returns.

def varxor(a, b): pass
varxor.__code__ = respawn.co_consts[respawn.co_consts.index('ad') + 1]

>>> varxor(1, 2)
*** TypeError: 'int' object is not iterable
>>> varxor('1', '2')
'3'
>>> varxor('23123AB', 'F0')
'd3'
>>> varxor('23123AB', '')
''

It looks like it does simple hexstring xor operation. It looks legit for now. If there would be problem, we can go deeper.

lambda a, b: a and b and hex(int(a, 16) ^ int(b, 16))[2:]

After creating a lot of variable, the main section is appeared. It checks if it is called directly.

exec(respawn, exec(respawn, {"__name__": "__main__"}))
dis.dis(respawn.replace(co_code=open("respawn.bin", "rb").read()), depth=0)

(Warning! This is not full dump, only missing part is printed)

408         946 STORE_FAST             230 (varxor)
            948 LOAD_GLOBAL              0 (__name__)
            950 LOAD_CONST             123 ('__main__')
            952 COMPARE_OP               2 (==)
            954 EXTENDED_ARG             4

409         956 POP_JUMP_IF_FALSE     1062
            958 LOAD_CONST             124 (1)
            960 STORE_FAST             231 (i)
            962 LOAD_FAST              231 (i)
            964 LOAD_CONST             125 (37)
            966 COMPARE_OP               1 (<=)
            968 EXTENDED_ARG             4
            970 POP_JUMP_IF_FALSE     1062

410         972 LOAD_GLOBAL              1 (locals)
            974 CALL_FUNCTION            0
            976 LOAD_CONST             126 ('a')
        >>  978 LOAD_FAST              231 (i)
            980 FORMAT_VALUE             0
            982 BUILD_STRING             2
            984 BINARY_SUBSCR
            986 STORE_FAST             232 (a)

411         988 LOAD_GLOBAL              1 (locals)
            990 CALL_FUNCTION            0
            992 LOAD_CONST             127 ('b')
            994 LOAD_FAST              231 (i)
            996 FORMAT_VALUE             0
            998 BUILD_STRING             2
           1000 BINARY_SUBSCR
           1002 STORE_FAST             233 (b)

413        1004 LOAD_GLOBAL              1 (locals)
           1006 CALL_FUNCTION            0
           1008 LOAD_CONST             128 ('z')
           1010 LOAD_FAST              231 (i)
           1012 FORMAT_VALUE             0
           1014 BUILD_STRING             2
           1016 BINARY_SUBSCR

415        1018 STORE_FAST             234 (z)
           1020 LOAD_FAST              234 (z)
           1022 LOAD_FAST              230 (varxor)
           1024 LOAD_FAST              232 (a)
           1026 LOAD_FAST              233 (b)
           1028 CALL_FUNCTION            2
           1030 INPLACE_ADD
           1032 STORE_FAST             234 (z)
           1034 LOAD_FAST              231 (i)
           1036 LOAD_CONST             124 (1)
           1038 INPLACE_ADD
           1040 STORE_FAST             231 (i)
           1042 EXTENDED_ARG             3
           1044 JUMP_ABSOLUTE          978

The estimated equivalent of bytecode is as follows.

while i <= 37:
    a = locals()[f"a{i}"]
    b = locals()[f"b{i}"]
    z = locals()[f"z{i}"]
    z += varxor(a, b)
    i += 1

`locals` is dynamic structure, but only one assignment to variable is required. It can be constructed from the code by using the function `get_instruction` from the `dis` library.

import opcode
from contextlib import suppress

STORE_FAST = opcode.opmap["STORE_FAST"]
LOAD_CONST = opcode.opmap["LOAD_CONST"]

result = ""
_locals = dict()

for instruction in dis.get_instructions(respawn.replace(co_code=open("respawn.bin", "rb").read())):
    if instruction.opcode == STORE_FAST:
        _locals[instruction.argval] = last.argval 
    elif instruction.opcode == LOAD_CONST:
        last = instruction

for i in range(1, 37):
    a = _locals[f"a{i}"]
    b = _locals[f"b{i}"]
    z = _locals[f"z{i}"]
    result += z + (a and b and hex(int(a, 16) ^ int(b, 16))[2:])
print(bytearray.fromhex(result[:-1]).decode())

The flag is finally here!

flag{S3ri0uSlY_Y0u_s0Lv3D_tH1s_t00}

[ＭＥＮＵ]
[THOUGHTS]	[TECH RESOURCES]	[TRASH TALK]
[DANK MEMES]	[FEATURED ARTISTS]	[W]