main

pydecipher.main._parse_args(args: List | None = None) → Namespace

Parse pydecipher’s arguments and accordingly set run-time options.

Usually these arguments will come from the command line, however if pydecipher is being called from code, _args may be passed in as a list.

Parameters:

args (List, optional) – A list of arguments/flags. If you are calling pydecipher from code, you need to pass in your command line as a space-delimited list. i.e. for pydecipher -v example.exe, args would be [‘-v’, ‘example.exe’].

Returns:

The populated namespace of options for pydecipher’s runtime.

Return type:

argparse.Namespace

pydecipher.main.run(args_in: List[str] | None = None) → None

Orchestrate the flow of the pydecipher command.

This function is the entry-point of the pydecipher command. It calls out to other routines and generally attempts to follow this high-level flow:

1. Parse program arguments.

2. Check that input files are readable and output locations are writeable, including that the the program is running in a sufficiently new Python environment (3.6+).

3. Recursively call unpack on the artifact until all items of interest are extracted.

4. Decompile any Python bytecode found through the unpacking process.

Parameters:

args_in (List[str]) – If this function is being called from other Python code, pydecipher flags and other command-line options can be passed in as a list.

pydecipher.main.unpack(python_artifact: PathLike, output_dir: str | None = None, **kwargs) → None

Recursively extract interesting resources from the Python artifact.

This function will cycle through all the registered ARTIFACT_TYPES. See usages of pydecipher.__init__.register() for the creation of this list.

ARTIFACT_TYPES consists of the different ‘unpackable’, registered (via decorator) Python artifact classes in a dictionary of the format <Artifact_Name : Class Instance of Artifact_Name>. A class’s constructor should raise a TypeError if is being instantiated with something that isn’t the correct type (i.e. Py2Exe resource being passed to a PyInstaller archive constructor).

Parameters:

• python_artifact (pathlib.Path or io.IOBase (file-like object)) – The path to the Python artifact

• output_dir (str, optional) – Where to dump the extracted output of artifact parsers. If no directory is specified, a directory will be created in the current working directory.

• **kwargs –

  Arbitrary keyword arguments. Including, but not limited to:

  version_hint: str

  The (potential) Python version of the artifact. If you know the version, you should pass it in. Otherwise, pydecipher will try to automatically figure out what version was used through string-analysis (and possibly brute-force decompilation). If