A lightweight Command Line Interface (CLI) tool designed to reliably recover source code from Python files obfuscated using standard library techniques. It is an ideal utility for reverse-engineering and educational purposes.
- Iterative Deobfuscation: Automatically peels off multiple layers of nested standard library encoding (e.g., Base64 inside Zlib inside another Base64) until clean source code is reached or raw bytecode is exposed.
- Targeted Detection: Uses precise regular expressions to target the main execution calls (`exec()`, `eval()`) that contain the obfuscated payload.
- High Success Rate: Proven effective against common packers like CHICO_CP and generic obfuscation wrappers.
- Safe Parsing: Marshal loading is handled safely using standard library functions (`marshal.loads`) without relying on the dangerous `eval()` function for the final execution step.
- Clear Output: Provides detailed debug logs for each layer removed and saves the final output with a clean status message.
The deobfuscator actively looks for these patterns as the outer execution layer:
| Format | Execution Pattern | Notes |
|---|---|---|
| Zlib + Base64 | `exec(zlib.decompress(base64.b64decode('...')))` | Highly common, used by CHICO_CP and many basic packers. |
| Simple Base64 | `exec(base64.b64decode('...'))` | Single-layer Base64 encoding. |
| Marshal | `exec(marshal.loads(b'byte_literal'))` | Extracts the raw byte literal before passing it to `marshal.loads()`. |
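
A minimal static layer-peeler for the two text formats in the table, added here as an example and not taken from `deobfuscate.py`; the regexes, limits and function names are assumptions. It decodes nested payloads without ever executing them and caps the decompressed size of each layer.

```python
import base64
import re
import zlib

# Hypothetical patterns modelled on the table above; the tool's own regexes may differ.
B64 = r"base64\.b64decode\(\s*b?(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)"
LAYERS = [
    ("Zlib+Base64", re.compile(r"exec\(\s*zlib\.decompress\(\s*" + B64 + r"\s*\)\s*\)"), True),
    ("Base64", re.compile(r"exec\(\s*" + B64 + r"\s*\)"), False),
]
MAX_LAYERS = 32            # stop on pathological nesting
MAX_OUTPUT = 16 * 1024**2  # cap inflated size to blunt decompression bombs


def inflate(data: bytes) -> bytes:
    """zlib-decompress with a hard cap on the output size."""
    d = zlib.decompressobj()
    out = d.decompress(data, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("decompressed layer exceeds MAX_OUTPUT")
    return out


def peel(source: str):
    """Return (final_text, [layer names]); payloads are decoded, never executed."""
    removed = []
    for _ in range(MAX_LAYERS):
        for name, pattern, compressed in LAYERS:
            m = pattern.search(source)
            if m:
                raw = base64.b64decode(m.group(2))
                # A non-text layer (e.g. bytecode) raises UnicodeDecodeError here.
                source = (inflate(raw) if compressed else raw).decode("utf-8")
                removed.append(name)
                break
        else:
            return source, removed  # no wrapper matched: nothing left to peel
    raise ValueError("too many layers")


def build_sample() -> str:
    """Constructed three-layer input: Base64(Zlib+Base64(Base64(source)))."""
    enc = lambda b: base64.b64encode(b).decode()
    l1 = "exec(base64.b64decode('%s'))" % enc(b"print('hello')\n")
    l2 = "exec(zlib.decompress(base64.b64decode('%s')))" % enc(zlib.compress(l1.encode()))
    return "import base64, zlib\nexec(base64.b64decode('%s'))" % enc(l2.encode())

if __name__ == "__main__":
    print(peel(build_sample()))
```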
The tool requires Python 3.6 or newer.
- Clone the repository or download `deobfuscate.py`.
- (Optional, for advanced decompilation): If the tool stops at `.pyc` bytecode, you may need a separate decompiler.

  ```bash
  pip install uncompyle6
  ```
Termux is a common environment for mobile reverse-engineering. Follow these steps exactly to ensure all prerequisites are met:
- Update Core Packages:

  ```bash
  pkg update && pkg upgrade -y
  ```

- Install Prerequisites (Python and Git):

  ```bash
  pkg install python git -y
  ```

- Clone the Repository:

  ```bash
  git clone https://github.com/Matrix1999/adiza-python-deobfuscator.git
  cd adiza-python-deobfuscator
  ```

- Install Decompilation Tool (Optional but Recommended):

  ```bash
  pip install uncompyle6
  ```

  (This enables further decompilation if the script exposes raw Python bytecode.)
- Preparation: Ensure your obfuscated Python file (e.g., `encode.py`) is placed inside the `adiza-python-deobfuscator` directory.
- Run the script:

  ```bash
  python deobfuscate.py
  ```

- When prompted, enter the name of your encoded file (e.g., `encode.py`).
This tool is strictly for educational and legal reverse-engineering purposes. Always inspect recovered code before execution.
The script will log its progress and handle nested layers automatically:
```
$ python deobfuscate.py
Enter the encoded file name (e.g., encoded.py): encode.py
Debug: File loaded (length: 1849)
[+] Layer 1: Zlib+Base64 detected.
[+] Layer 1 removed: Zlib+Base64. New content length: 3779
Debug: Trying pattern: Zlib+Base64
... (logs of failed attempts on clean code) ...
=======================================================
[SUCCESS] Deobfuscation Complete! All accessible layers removed.
Final output saved to: original_deobfuscated.py
Final content type: Plain Source Code
=======================================================
```