A PYC file analyzer, which attempts to deconstruct PYC files and look for suspicious attributes. The script will attempt to work with multiple versions of PYC files, compiled in various versions and will give details and suspected decoding details. 

This is a work in progress, still in its initial stages and is currently being built and testing against only 2 PYC malware files. There are false positives to fix, bugs to work out, and better detections to add. Current version does work nicely on sample 1da7a04105561fd2bdeec72d6fcec43b, there are less details (like the reverse function) when running in earlier versions of Python 3, but most the details are still present.

Example Usage:
python3.13 testpyc.py de195ebb0f1cf3762d73f956b9d21b63de1a5bbe9626a78af623ed9f59ed760f 
python3.13 testpyc.py license.pyc (1da7a04105561fd2bdeec72d6fcec43b)

Example OUTPUT:
python3.13 testpyc.py license.pyc 
[*] Detected .pyc magic version: 3571
[*] Analyzing: license.pyc
[*] Searching for XOR and decoding structures...

[*] Detected reverse slice pattern [::-1] via LOAD_CONST/BUILD_SLICE sequence
[+] Encoded strings detected:
  - hex in <module>: f3e4f3c8d8f9eab2f0ffb6a8a4f6a4eaced2daf5c8e8aaf2cddfd9a5dce7...
  - base64 in <lambda>: zlib

[+] Possible decoding/reversing operations:
  - Byte casting via bytes @ offset 12 in <module>
  - Reverse slice [::-1] @ offset 68 in <module>
  - Byte casting via bytes @ offset 2 in <lambda>
  - Zlib decompress via decompress @ offset 22 in <lambda>
  - Generic decode call via b64decode @ offset 62 in <lambda>
  - Base64 decode via b64decode @ offset 62 in <lambda>

[*] Suggested decoding flow:
  - Hex decode via fromhex
  - XOR with constant 157
  - Reverse via [::-1]
  - Base64 decode via b64decode
  - Zlib decompress via decompress