0736b/python-pyd-proxy

Proxy .pyd to intercept and modify function calls

python-pyd-proxy

This project shows how to proxy and wrap the functions exported by a .pyd file so that their behavior can be intercepted and observed without altering the main application.

A .pyd is Python code compiled with Cython (translated to C/C++ and built into a native extension module), which makes reverse engineering a .pyd hard.

Demo video: showcase.mp4

Overview

In this proof-of-concept we work with a number guessing game whose answer is produced by two functions, thinking_number() and select_number(), located in brain.cp310-win_amd64.pyd. The game's challenge is to guess the number these functions generate. To reveal that number, we proxy and wrap the two functions and observe what they return.

Steps to Proxy

  1. Rename Exported Functions

    • The brain.cp310-win_amd64.pyd file exports a function named PyInit_brain, which is what allows it to be imported as brain.
    • Rename brain.cp310-win_amd64.pyd to xxxxx.pyd and change the exported function name to PyInit_xxxxx so the renamed file can be imported as xxxxx.
  2. Create a Proxy Module

    • Create brain.py, which takes the original module's name and acts as a proxy: it imports xxxxx.pyd and forwards calls to it, giving us a place to intercept function calls.
  3. Implement Wrappers

    • In brain.py, wrap thinking_number() and select_number() so that their return values are captured. This reveals the generated answer number and lets us win the game.

For further details on how to set up the proxy and wrap functions, refer to the 2-original-build-with-proxy/brain.py file.
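The following is an added example of the proxy module described in steps 2 and 3; it is not the project's own 2-original-build-with-proxy/brain.py. Saved as brain.py beside the renamed extension, it is what `import brain` in the game loads. It imports the renamed module `xxxxx` (assumed to exist after step 1), wraps the two functions named above so their return values are logged, and forwards every other attribute untouched. Because the .pyd is not available here, a constructed stand-in module with fixed sample values is substituted when `xxxxx` cannot be imported, so the pattern runs offline. The `loaded_from_extension()` helper is an added defensive check, also an assumption, showing how a host application can notice that the module it imported is a .py proxy rather than the compiled extension.

```python
# Added example of a .pyd proxy module (not the project's own brain.py).
import functools
import importlib
import types

WRAPPED = ("thinking_number", "select_number")


def _load_backend(name="xxxxx"):
    """Import the renamed .pyd; fall back to a constructed stand-in module."""
    try:
        return importlib.import_module(name)
    except ImportError:
        stub = types.ModuleType(name)       # constructed stand-in (assumption)
        stub.thinking_number = lambda: 7    # constructed sample return values
        stub.select_number = lambda: 42
        return stub


_backend = _load_backend()

# Every intercepted call, in order: (function name, args, kwargs, result).
call_log = []


def wrap(func, name):
    """Return a wrapper that forwards to func and records what it returns."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        result = func(*args, **kwargs)
        call_log.append((name, args, kwargs, result))
        print(f"[proxy] {name}{args!r} -> {result!r}")
        return result
    return wrapper


# Install the wrapped functions under their original names so callers of
# brain.thinking_number() / brain.select_number() reach them transparently.
for _name in WRAPPED:
    globals()[_name] = wrap(getattr(_backend, _name), _name)


def __getattr__(attr):
    """Forward any attribute not wrapped above to the real module (PEP 562)."""
    return getattr(_backend, attr)


def loaded_from_extension(mod):
    """Defensive check a host application can make before trusting a module:
    True only if it was loaded from a compiled extension (.pyd/.so), not a .py."""
    spec = getattr(mod, "__spec__", None)
    origin = getattr(spec, "origin", None) or getattr(mod, "__file__", "")
    return str(origin).lower().endswith((".pyd", ".so"))


if __name__ == "__main__":
    # Stand-alone run: call the wrapped functions and show the captured log.
    thinking_number()
    select_number()
    print(call_log)
```

The wrappers are installed with `globals()` so that the names exist on the module object exactly as they did on the original extension; the module-level `__getattr__` keeps every other symbol working, which is what lets the proxy stay invisible to the application. On the defensive side, `loaded_from_extension()` illustrates the cheapest check the game could have made: inspecting `brain.__spec__.origin` exposes that a `.py` file, not the `.pyd`, answered the import.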

Snapshots

  • 0-original-code

    • Contains the original source code: main.py (the number guessing game), brain.py before compilation, and the setup.py script that compiles brain.py to a .pyd
  • 1-original-build

    • Includes main.py (assume it is compiled as main.exe) and brain.cp310-win_amd64.pyd
  • 2-original-build-with-proxy

    • Contains the renamed .pyd file (xxxxx.pyd), brain.py with the proxy implementation, and the exported_renamer.py script that renames the exported PyInit function.
