import imp
s = ''
if imp.get_magic() != 'm\xf2\r\n':
    raise RuntimeError, s


try:
    import zlib
except:
    raise RuntimeError, ''

import marshal
import sys
import os
for p in filter(os.path.exists, map(lambda p: os.path.join(p, 'ind.pyz'), sys.path)):
    f = open(p, 'rb')
    exec marshal.loads(zlib.decompress(f.read(905)))
    boot('ind', f, 64608)
    break
import inca

I have this code in an ind.pyc file. Now I want to know:

What does this code do? As far as I can see, it decompresses the first 905 bytes of ind.pyz with zlib? Then it boots ind.pyz (first 64608 bytes?). I understood that correctly, didn't I?

"ind.pyz": what is that supposed to be? An executable or a compiled pyc, so a Python file? I tried to decompile the .pyz file but I can't. And is there decompiler software for those files?

I'm really stuck. Here is the ind.pyz file (64kb). How is this file compressed? https://mega.co.nz/#!hIkH3RSI!f3UDHGI9omXXN7jXHJKYTCpMCU0y8N3npop6a3tfmcw

1 Answer

First of all, marshal is an internal serialization utility whose output is version dependent, so your code checks whether it is compiled by the correct Python version:

if imp.get_magic() != 'm\xf2\r\n':
    raise RuntimeError, s

Then it looks through sys.path for an ind.pyz file and, when it is found, reads 905 bytes:

f.read(905)

Those 905 bytes are considered to be a zlib-compressed string, so they are decompressed:

zlib.decompress(f.read(905))

and the resulting string is unmarshalled to a Python object:

marshal.loads(zlib.decompress(f.read(905)))

This object in turn is executed. I suppose the unmarshalled object is Python code, but I won't check it myself; I do not unmarshal code from untrusted sources ;)

On the next line,

boot('ind', f, 64608)

boot is not a built-in Python function, so it has to be defined by the exec statement.

alko
  • Is it possible to get the source code from a string that is loaded with `marshal.loads()`? If "yes", how? – alexandernst Nov 18 '13 at 11:10
  • @alexandernst it is a completely separate question, and I don't know a simple answer; even the term `source code` is not clear, and for your benefit I advise you to start a new thread about it, as this way more people than me will be aware of it, and the question can be answered better. – alko Nov 18 '13 at 11:17
  • I already started it here: http://stackoverflow.com/questions/20045395/marshal-loading-and-exec-ing `source code` is a pretty simple and clear concept. Get the source code as it was written. – alexandernst Nov 18 '13 at 11:18
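
The steps walked through in the answer, as an added example (not code from the question or the answer) that stops before `exec`: it decompresses and unmarshals the stub, then lists the names it references and disassembles it instead of running it. It is written for Python 3 against a constructed stand-in for ind.pyz; `load_stub`, `walk_code`, `summarize`, `disassemble` and `build_sample` are hypothetical helper names, and because marshal output is version dependent a real stub has to be loaded under the interpreter version that produced it.

```python
import dis
import io
import marshal
import types
import zlib


def load_stub(blob, stub_len):
    """Decompress and unmarshal the leading stub without executing it."""
    # marshal is not hardened against malicious input: do this in a throwaway VM.
    obj = marshal.loads(zlib.decompress(blob[:stub_len]))
    if not isinstance(obj, types.CodeType):
        raise ValueError("stub is %s, not a code object" % type(obj).__name__)
    return obj


def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def summarize(code):
    """Map each code object's name to the global/attribute names it references."""
    return {c.co_name: sorted(c.co_names) for c in walk_code(code)}


def disassemble(code):
    """Return the bytecode listing as text; nothing is executed."""
    out = io.StringIO()
    dis.dis(code, file=out)
    return out.getvalue()


def build_sample():
    """Constructed stand-in for ind.pyz: compressed stub, then archive bytes."""
    src = "def boot(name, fp, size):\n    data = fp.read(size)\n    return len(data)\n"
    stub = zlib.compress(marshal.dumps(compile(src, "<stub>", "exec")))
    return stub + b"\x00" * 32, len(stub)


if __name__ == "__main__":
    blob, stub_len = build_sample()   # for the file in the question: f.read(905)
    code = load_stub(blob, stub_len)
    print(summarize(code))
    print(disassemble(code))
```

The summary shows which functions the stub defines (here `boot`) and what each one touches, which is usually enough to decide whether a full decompile is worth the effort.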