The output of pyobfuscator.com is always exactly two lines. The first is a comment; the second is a Python lambda combined with an exec call. This single-line pattern is elegant and surprisingly effective.
The Output Structure
Line 1: # Python obfuscation by pyobfuscator.com
Line 2: _ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)(b'PAYLOAD'))
Breaking Down the Lambda
_ = lambda __ : defines a lambda named _ that takes one argument __. Using _ and __ as names is intentional -- they look like noise, not meaningful identifiers.
__import__('base64').b64decode(__[::-1]) calls Base64 decode on the argument reversed. Using __import__ instead of a top-level import means no imports appear at the file head, making static analysis harder.
__import__('zlib').decompress(...) decompresses the Base64-decoded bytes back to the original source. The result is a bytes object containing Python source code.
exec((_)(b'PAYLOAD')) calls the lambda with the payload bytes, then passes the result to exec(). The semicolon separator keeps both the lambda definition and its invocation on a single logical line.
Why This Is Hard to Detect Automatically
- No standard imports at the top of the file
- Variable names
_and__are indistinguishable from throwaway names - The payload is reversed, defeating naive base64 scanners
- Everything is on one line -- static analysis tools that parse line-by-line struggle
Multi-Layer Mode
In multi-layer mode, the two-line output is itself run through the same pipeline, producing a loader whose payload is another loader. A reverse engineer must apply the decode process twice.