DEV Community

Mikhail Chernov
Mikhail Chernov

Posted on

How to look inside a .exe compiled with Nuitka? A new open‑source tool

Hi everyone!

I’ve always wondered how to disassemble an .exe file compiled with Nuitka. I knew there were tools like IDA PRO, Cremniy, and HxD, but I decided to try building an open‑source project. That’s how I created DeNuitkanizator.

Important: DeNuitkanizator is an analyzer, not a decompiler. It extracts only the available information from the binary.

Thumbnail

History of creation

At first, I thought there must already be such decompilers. Personally, I couldn’t find any. So I started thinking about how to make one. I remembered the pefile and Capstone libraries. After I finally managed to build something, I realized my program could also parse PyInstaller .exe files and even native binaries. I found that really cool, so I published it on GitHub.

Why is this needed?

Many developers use Nuitka to compile Python scripts into executable files. Nuitka translates Python code into C++ and then compiles it into an .exe file. This reduces the file size and speeds up startup time.

But unlike PyInstaller, where you can use pydumpck, full reverse decompilation is nearly impossible with Nuitka because it has better protection against reverse engineering. However, you can still extract useful data from it:

  • paths, URLs, email addresses;
  • names of modules and variables;
  • metadata about the compiler and protection;
  • signs of anti‑debugging techniques;
  • compressed data blocks (zstd, zlib).

That’s exactly why I created DeNuitkanizator.

TUI Interface

What can DeNuitkanizator do?

The tool has (I think) good functionality:

  • Detects the packer used to package the .exe file (currently detects whether it’s Nuitka or not);
  • Determines the Python code version (at least my program includes magic numbers for different versions);
  • Extracts names of modules and variables;
  • Analyzes protection mechanisms (DEP, ASLR) and searches for anti‑debugging mechanisms;
  • Unpacks data (zstd, zlib) and searches for compressed blocks (gzip, bzip2, zip);
  • Disassembles the entry point with comments and finds cross‑references to strings;
  • Calculates hashes (MD5, SHA1, SHA256) and identifies the compiler (MinGW GCC, MSVC, Clang/LLVM);
  • Checks the architecture (x86/x64) and searches for packed sections or sections with high entropy;
  • Automatically checks for updates via the GitHub API.

You can find more details in the repository.

How it works: a brief technical breakdown

  1. The file is read into memory, and pefile parses the PE headers;
  2. Searches for Nuitka signatures (8 patterns) + analyzes entropy in .rsrc;
  3. Regex search for strings, modules, paths, IP/URL/email;
  4. Searches for P*ython magic numbers (42 0D 0D 0A, etc.)* + marshal.loads;
  5. Searches and unpacks zstd (28 B5 2F FD) and zlib (78 9C, 78 01, etc.). **I’m planning to add LZ4 and LZMA unpacking in the future (it already searches for **LZMA, but doesn’t do anything with it yet);
  6. Disassembly via Capstone with automatic x86/x64 detection;
  7. Builds xrefs: searches for lea/mov/push → matches them with strings;
  8. Analysis: anti‑debug, packed sections, entropy, compiler detection.

Example

Installing the program

Method 1: Pre‑built .exe
Download DeNuitkanizator.exe from Releases and run it.

Method 2: From source

git clone https://github.com/2M12/DeNuitkanizator.git
cd DeNuitkanizator
pip install -r requirements.txt
python DeNuitkanizator.py
Enter fullscreen mode Exit fullscreen mode

Usage instructions

  1. Launch DeNuitkanizator.exe, or if you downloaded the Python file, run DeNuitkanizator.py.
  2. Then enter the path to the .exe file, or simply run: 
python DeNuitkanizator.py "path"
Enter fullscreen mode Exit fullscreen mode
  1. The file analysis will start, and the results will appear in the DeNuitkanizator_Output folder.
  2. You can then examine the files yourself. The summary.txt file contains only a summary.

Summary Example

❗ Important notes

As I said, results aren’t always guaranteed.
The program can analyze regular .exe files (native) that weren’t written in Python.
PyInstaller provides more detailed information because it’s simpler - it doesn’t translate code into C++, but simply packages the interpreter together with the script.

Conclusion

DeNuitkanizator can be a useful tool for you - and at the very least, an interesting experiment. It has quite powerful features and automates a lot. In the future, the project will be improved and updated, with new functions added.

GitHub: [here]

I hope you’ll appreciate my project on GitHub!

P.S. Which packer do you use?

Tags:
Nuitka, PyInstaller, reverse engineering, PE analysis, disassembly, static analysis, binary analysis, exe analyzer, open‑source, Python

Top comments (0)