Python Forum
Identifying if the program I have is python and then decompiling
#1
My wife befriended someone online and he said he could write a program to help her with some data input on her web site. He wrote a 9mb executable for her Mac which runs from within terminal. The program does in fact do what she wanted, but I'm skeptical about the program and hope it doesn't contain any type of malware, back-doors, etc.

The Mac just identifies the program as a "Unix Executable" and the file has no extension. The contents of the file appear to be compiled (most of the contents are not human readable). Looking through the file with a hex editor I do see some references to py and python in it which is why I started in this forum.

Are there any terminal commands or other ways to find out more about the program?
Anything I can look for in the program to confirm that it is Python?

Ultimately I would like to "de-compile" the program (not really sure that it is truly compiled, or why I can read the code) and see what it does.

Any help about the next steps to take in any part of this mess would be welcome.
Thanks in advance
Reply
#2
How about obtaining the source code? Might have to pay, but more ethical than decompiling.
Also, use viral scanning and malware software - you should be using anyway.
ndc85430 likes this post
Reply
#3
I suggest erasing the program and using an open-source one instead.
ndc85430 likes this post
Reply
#4
(Jun-01-2022, 02:53 PM)jefsummers Wrote: How about obtaining the source code? Might have to pay, but more ethical than decompiling.
Also, use viral scanning and malware software - you should be using anyway.

I'm concerned that it may contain some kind of malware and obviously he wouldn't provide that part.
I'm not concerned with the actual code that does what she wants, I just want to make sure nothing is hidden in it.

I have already scanned it with Malwarebytes and Avast and installed LittleSnitch firewall on a test machine. All came up clean, but to be 100% sure I would like to make sure nothing sneaky is going on.
Reply
#5
(Jun-01-2022, 03:45 PM)Gribouillis Wrote: I suggest erasing the program and using an open-source one instead.

It's more about if there was a payload or back-door opened than the program itself. I want to make sure that nothing was compromised.
How can I confirm that the executable is indeed python and then possibly decompile?
Reply
#6
Get the source code and run that in Python. If you are sure he would not include anything malicious in the source, you will be safe. And, you will be sure it is in Python, solves your problem.
Reply
#7
First try, if the program was written with Python and packed with PyInstaller: https://github.com/extremecoders-re/pyinstxtractor

Decompiler for pyc-files:

Python >3.7: https://github.com/rocky/python-decompile3
Python all : https://pypi.org/project/uncompyle6/

Tool to analyze Binary files: https://ghidra-sre.org/


I guess he has taken the easy way. Program written with Python and packed as distribution with PyInstaller.
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!
Reply
#8
(Jun-01-2022, 07:41 PM)DeaD_EyE Wrote: First try, if the program was written with Python and packed with PyInstaller: https://github.com/extremecoders-re/pyinstxtractor

Decompiler for pyc-files:

Python >3.7: https://github.com/rocky/python-decompile3
Python all : https://pypi.org/project/uncompyle6/

Tool to analyze Binary files: https://ghidra-sre.org/


I guess he has taken the easy way. Program written with Python and packed as distribution with PyInstaller.

Thanks for your reply. I was hopeful from your post I might be getting somewhere with this. I ran into some snags and I'll relate them to you, maybe something will be of some more help.

First, as I originally mentioned the program in question was written for a Mac. I tried pyinstxtractor but couldn't get it to run on the Mac (I suspect I need to install a full python install, not just use the built in OS version).

So I installed Python on a Win10 box. The first thing I noticed is that the program I am trying to decompile wouldn't run on the Win10 machine. I assume the packer makes an executable that is platform specific.

After adding an extension .pyo to the file I tried pyinstxtractor again. This is the output:

Output:
C:\Users\David>D:\pyinstxtractor.py d:\SA.pyo
[+] Processing d:\SA.pyo
[+] Pyinstaller version: 2.0
[+] Python version: 309
[+] Length of package: 9419143 bytes
Traceback (most recent call last):
  File "D:\pyinstxtractor.py", line 423, in <module>
    main()
  File "D:\pyinstxtractor.py", line 411, in main
    arch.parseTOC()
  File "D:\pyinstxtractor.py", line 235, in parseTOC
    struct.unpack( \
struct.error: unpack requires a buffer of 6906162 bytes
I also tried decompyle3 d:\SA.pyo
Output:
Unknown magic number 64207 in D:\SA.pyo
I installed the Java SDK and ran ghidra-sre. I haven't figured out how to use the program but it looks like it is trying to load a project file not a python file. Maybe I'm missing something.

Couldn't figure out how to install uncompyle6 but I'm pretty fried. Will look at it again tomorrow.

Does any of this information help or give you any more clues?

Thanks
Reply
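
Added example (not part of any post in this thread, and not code from pyinstxtractor or PyInstaller): a read-only triage script for the question asked in #1 and #5, which identifies the native container from its leading bytes and looks for the PyInstaller archive trailer without running the file. The number 64207 in the output above is 0xFACF, the first two bytes of a 64-bit Mach-O header (CF FA ED FE) read as a little-endian .pyc magic. Assumptions: the trailer uses the PyInstaller 2.1+ layout `!8sIIii64s`, and the sample bytes and library name are constructed.

```python
import struct
import sys

# Leading magic bytes of common native executable formats.
CONTAINERS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\x7fELF": "ELF",
    b"MZ": "PE (Windows)",
}
# Marker that starts the PyInstaller archive trailer (the "cookie").
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed layout (PyInstaller 2.1+): magic, package length, TOC offset,
# TOC length, Python version, Python library name.
COOKIE = struct.Struct("!8sIIii64s")

def triage(data: bytes) -> dict:
    """Report the container format and any PyInstaller cookie in data."""
    container = next((name for magic, name in CONTAINERS.items()
                      if data.startswith(magic)), "unknown")
    report = {"container": container,
              # The "magic number" a .pyc tool reports for this file.
              "as_pyc_magic": int.from_bytes(data[:2], "little"),
              "pyinstaller": False}
    pos = data.rfind(COOKIE_MAGIC)
    if pos == -1 or pos + COOKIE.size > len(data):
        return report  # no complete cookie: not a recognisable bundle
    _, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE.unpack_from(data, pos)
    start = pos + COOKIE.size - pkg_len  # where the appended archive begins
    report.update(
        pyinstaller=True, python_version=pyver, archive_start=start,
        pylib=pylib.rstrip(b"\0").decode("ascii", "replace"),
        trailing_bytes=len(data) - (pos + COOKIE.size),
        # The table of contents must sit inside the archive, before the cookie.
        toc_in_bounds=start >= 0 and toc_len >= 0
        and start + toc_off + toc_len <= pos)
    return report

def build_sample() -> bytes:
    """Constructed input: fake Mach-O stub + payload + TOC + cookie."""
    stub = b"\xcf\xfa\xed\xfe" + b"\0" * 28
    payload, toc = b"P" * 40, b"T" * 16
    pkg_len = len(payload) + len(toc) + COOKIE.size
    return stub + payload + toc + COOKIE.pack(
        COOKIE_MAGIC, pkg_len, len(payload), len(toc), 309,
        b"libpython3.9.dylib")  # constructed library name

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(blob))
```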

