MCPcopy Create free account
hub / github.com/Lil-House/Pyarmor-Static-Unpack-1shot

github.com/Lil-House/Pyarmor-Static-Unpack-1shot @v0.4.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.4.0 ↗ · + Follow
678 symbols 1,409 edges 151 files 42 documented · 6% updated 10d agov0.4.0 · 2026-05-18★ 6368 open issues

Browse by type

Functions 550 Types & classes 128
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Pyarmor Static Unpack One-Shot Tool

GitHub Downloads (all assets, all releases) GitHub Repo stars GitHub Release GitHub commits since latest release GitHub Actions Workflow Status

Pyarmor is a popular tool to protect Python source code. It turns Python scripts into binary data, which can be regarded as an encrypted variant of pyc files. They can be decrypted by a shared library (pyarmor_runtime) and then executed by Python interpreter.

This project aims to convert armored data back to bytecode assembly and (experimentally) source code. We forked the awesome Decompyle++ (aka pycdc), and added some processes on it like modifying abstract syntax tree.

[!IMPORTANT]

This tool should only be used on scripts you own or have permission to analyze. Please respect software licenses and terms of service. The author is not responsible for any misuse or damage caused by this tool.

[!NOTE]

Like other decompilers, this tool is intended for professional users. You should have a basic understanding of Python bytecode. If not, you may need to ask for help from someone who does.

[!WARNING]

Disassembly results are accurate, but decompiled code can be incomplete and incorrect. See issue #3

Features

Static

You don't need to execute the encrypted script. We decrypt them using the same algorithm as pyarmor_runtime. This is useful when the scripts cannot be trusted.

Universal

Currently we are trying to support Pyarmor 8.0 to 9.2.x (latest), Python 3.7 - 3.13, on all operating systems, with obfuscating options as many as possible. (However, we only have limited tests.)

You can run this tool in any environment, no need to be the same with obfuscated scripts or runtime.

[!NOTE]

If the data starts with PY followed by six digits, it is supported. Otherwise, if it starts with PYARMOR, it is generated by Pyarmor 7 or earlier, and is not supported.

Easy to use

The only thing you need to do is specifying where your obfuscated scripts are. The tool does everything like detecting armored data, parsing, disassembling, and decompiling. See "Usage" section below.

Build

mkdir build
cd build
cmake ../pycdc
cmake --build .
cmake --install .

You can also download prebuilt binary files on releases page.

Usage

python /path/to/oneshot/shot.py /path/to/scripts

Before running shot.py, make sure the executable pyarmor-1shot (pyarmor-1shot.exe on Windows) exists in oneshot directory.

You only need to specify the directory that contains all armored data and pyarmor_runtime. The tool finds and handles them recursively as much as possible.

When necessary, specify a pyarmor_runtime executable with -r path/to/pyarmor_runtime[.pyd|.so|.dylib].

All files generated from this tool have a .1shot. in file names. If you want to save them in another directory instead of in-place, use -o another/path/. Folder structure will remain unchanged.

Note:

  • Subdirectories will not be touched if the folder name is exactly __pycache__ or site-packages or it directly contains a file named .no1shot, and symbolic links will not be followed, to avoid repeat or forever loop and save time. If you really need them, run the script later in these directories and specify the runtime.
  • Archives, executables generated by PyInstaller and so on, must be unpacked by other tools before decrypting, or you will encounter undefined behavior.

Feedback

Feel free to open an issue if you have any questions, suggestions, or problems. Don't forget to attach the armored data and the pyarmor_runtime executable if possible.

Project Status

Current

Bug fixes and minor improvements.

The author is trying to design and implement a new pyc decompiler. After that, we can rewrite this tool with the new decompiler.

We will discard the current codebase based on pycdc, and after the new code becomes stable, expected in 2027, we will reach version 1.0.0.

Before v1.0.0

The project is already functioning well, no need to wait for v1.0.0. The public API is still subject to change.

These are the features we are planning to implement before v1.0.0:

  • Rewriting the codebase based on a new pyc decompiler. It will be more stable, maintainable, and extendable.
  • Wiki about the Pyarmor decryption algorithm, and how we analyzed it and implemented it in this tool.
  • The last piece of the puzzle: analysis tool for the native part of BCC Mode (the hardest obfuscating option in Pyarmor).
  • Packaging and distribution of the tool, for installation from package managers like pip.

Maybe there are not many things to do after v1.0.0. We will maintain the project and fix bugs if necessary.

Original Intention

There are not many code protection tools for Python that are publicly available, and Pyarmor is one of the most popular ones. However, when I (Lil-Ran) was analyzing some specific Pyarmor-protected scripts, I found it not so difficult as I had imagined.

Just encrypting the code objects is not as irreversible as the project claims. To be honest, Python bytecode based protection is much less secure than native code based protection.

We definitely do not make profits by cracking. We ourselves had no other uses for this tool, so we published it, hoping to let people know that Pyarmor with default configuration is not as secure as they think.

The Pyarmor algorithm has not been changed, even a year after this unpacking tool is released. Perhaps it is due to considerations of backward compatibility.

We guarantee that once Pyarmor project changes the algorithm, we will not update this tool to support the new algorithm. Currently existing code generated by supported versions of Pyarmor can always be decrypted by this tool.

For CTF Challenge Makers

Please, don't make CTF (Capture The Flag) REVERSE challenges that are about finding and using existing TOOLS. It is not fun for anyone. It is more like a game of hide-and-seek, rather than a test of skill and ingenuity.

It is more meaningful to understand how Pyarmor or this tool works, and then try to improve them.

Star Chart

Stargazers over time

Core symbols most depended-on inside this repo

Shape

Method 314
Function 236
Class 114
Enum 14

Languages

C++69%
Python31%

Modules by API surface

pycdc/ASTNode.h185 symbols
pycdc/plusaes.hpp58 symbols
pycdc/pyc_numeric.h33 symbols
pycdc/pyc_code.h31 symbols
pycdc/tests/input/test_nested_scopes.py21 symbols
pycdc/pyc_object.h21 symbols
pycdc/tests/input/test_functions_py3.py20 symbols
pycdc/pyc_sequence.h20 symbols
pycdc/tests/input/test_functions.py15 symbols
pycdc/ASTree.cpp15 symbols
pycdc/pyc_module.h13 symbols
oneshot/shot.py13 symbols

For agents

$ claude mcp add Pyarmor-Static-Unpack-1shot \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page