├── .gitignore ├── LICENSE ├── README.md ├── examples ├── hello.py └── hello.pye ├── requirements.txt └── sourcerestorer.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 
92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into 
this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | #.idea/ 161 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. 23 | 24 | For more information, please refer to 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SourceRestorer 2 | 3 | SourceRestorer is a tool designed to recover lost code from `.pye` files 4 | encrypted using [SOURCEdefender](https://www.sourcedefender.co.uk). 
It provides 5 | a means to decrypt and analyze otherwise unreadable Python source code, which 6 | can be particularly useful in several scenarios such as: 7 | 8 | - **Malware analysis:** Analyzing potentially harmful code without having access 9 | to its original sources 10 | - **Forensic investigation of unknown code:** Gaining insights into third-party 11 | scripts with no available documentation 12 | - **Code recovery:** Restoring your own code when you've accidentally lost the 13 | original source files 14 | 15 | It has been tested with version 11.0 of the library. 16 | 17 | 18 | ## How does it work? 19 | 20 | SOURCEdefender uses `TgCrypto` and `msgpack` under the hood. We simply need to 21 | wrap the `tgcrypto.ctr256_decrypt` function [so that it prints the decrypted 22 | code](https://stackoverflow.com/a/78422120/1101509). 23 | 24 | Finally, we make it return an empty value instead. This last step is performed 25 | to ensure no harmful code is ever executed. This only holds while SOURCEdefender looks `tgcrypto.ctr256_decrypt` up on the `tgcrypto` module at call time, because that module attribute is what the wrapper replaces. 26 | 27 | 28 | ## Usage 29 | 30 | Firstly, you should install the original SOURCEdefender library: 31 | 32 | ```bash 33 | pip install -r requirements.txt 34 | ``` 35 | 36 | To use the program **place the encrypted file in the same directory as the 37 | script,** then simply call it by passing the file name as the only parameter: 38 | 39 | ```bash 40 | python sourcerestorer.py input.pye 41 | ``` 42 | 43 | The code will be printed out on screen. 44 | 45 | 46 | ## License 47 | 48 | This software is released into the public domain under _The Unlicense_. It comes 49 | without warranty of any kind and no support will be provided. 
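50 | -------------------------------------------------------------------------------- /examples/hello.py: -------------------------------------------------------------------------------- 1 | print("Hello World!") 2 | -------------------------------------------------------------------------------- /examples/hello.pye: -------------------------------------------------------------------------------- 1 | --BEGIN SOURCEDEFENDER FILE--- 2 | GhOt7h7Jm.?sE?I;!%a(cCM6@0X(^n 3 | GhN0Z!6+uLCB*6P)Ib)lbH%l2oEWct 4 | ->-HK_]faP%;P[ 5 | [tDrfEj5[?ac-XFbYJ21qfGLQ)#sX: 6 | ---END SOURCEDEFENDER FILE---- -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | sourcedefender 2 | -------------------------------------------------------------------------------- /sourcerestorer.py: --------------------------------------------------------------------------------
import os
import sys

import msgpack
# Imported only for its import-time side effects (presumably it registers the
# loader for .pye files; confirm against the installed version).
import sourcedefender  # pylint: disable=unused-import
import tgcrypto

# Keep the real decryptor so the wrapper can delegate to it.
original_ctr256_decrypt = tgcrypto.ctr256_decrypt

# Last source text recovered by the wrapper; stays empty until the hook fires.
SOURCE_CODE = ""


def wrap_ctr256_decrypt(data: bytes, key: bytes, iv: bytes, state: bytes):
    """Decrypt with the real routine, print the source, return a blank payload.

    The decrypted bytes are parsed as msgpack; the value stored under
    ``"code"`` is saved in ``SOURCE_CODE`` and printed. The caller does not
    receive the decrypted payload: it gets a freshly packed mapping whose
    ``"code"`` is empty and whose ``"eol_timestamp"`` is far in the future.

    Any exception raised while decrypting or unpacking propagates to the
    caller, so a malformed payload is never passed on.
    """
    global SOURCE_CODE
    result = original_ctr256_decrypt(data, key, iv, state)
    unpacked = msgpack.loads(result)
    SOURCE_CODE = unpacked.get("code")
    print(SOURCE_CODE)

    # Hand back an empty "code" so the recovered source never reaches the
    # caller; 32472144000 is 2999-01-01 as a Unix timestamp.
    return msgpack.dumps({"code": "", "eol_timestamp": 32472144000})


# Replace the function on the tgcrypto module itself.
# NOTE(review): this only intercepts callers that look the function up as
# `tgcrypto.ctr256_decrypt` at call time; sourcedefender is imported before
# the patch is installed, so a reference it bound at import would bypass the
# wrapper. Confirm for the library version in use.
tgcrypto.ctr256_decrypt = wrap_ctr256_decrypt

# Fail with a usage line instead of an IndexError when no file is given.
if len(sys.argv) < 2:
    sys.exit("usage: python sourcerestorer.py input.pye")

# The argument is turned into a module name by dropping its extension.
# NOTE(review): __import__ resolves by module name, so a same-named module
# found earlier on the import path may be loaded instead of the .pye file;
# verify the working directory before running.
filename = os.path.splitext(sys.argv[1])[0]
__import__(filename)

# The import returning is not proof that the wrapper ran: say so when nothing
# was captured, rather than ending silently.
if not SOURCE_CODE:
    print(
        "sourcerestorer: no source was recovered; the decrypt hook was not "
        "reached or the payload had no 'code' entry",
        file=sys.stderr,
    )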
--------------------------------------------------------------------------------