easy_pyc
pyc反编译成py文件
# uncompyle6 version 3.9.1
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]
# Embedded file name: enpyc.py
# Compiled at: 2023-03-29 18:30:23
# NOTE(review): this is uncompyle6 output for Python 2.7 bytecode, reproduced
# as the tool emitted it. It is not runnable as shown: `code` is read before
# any assignment and `flag[i] + i` adds a str to an int, so the original
# source presumably initialised `code` and wrapped flag[i] in ord() -- confirm
# against a second decompiler or a disassembly.
print 'Welcome to CTFshow Re!'
print 'your flag is here!'
flag = ''
l = len(flag)
# Stage 1: shift every character by its index. The double "% 114514" only
# normalises the sign; values below 114514 pass through unchanged.
for i in range(l):
    num = ((flag[i] + i) % 114514 + 114514) % 114514
    code += chr(num)
code = map(ord, code)
# Stage 2: XOR each element with its right-hand neighbour, left to right.
# range(l - 4 + 1) ends at index l - 4, so the last three elements are stored
# without the XOR step.
for i in range(l - 4 + 1):
    code[i] = code[i] ^ code[i + 1]
print code
# NOTE(review): these 37 integers are not the ciphertext bytes. The repeated
# values (27, 36, 9, 22) fall exactly where the byte list recovered with pycdc
# further down the page repeats a byte, so they look like per-constant
# placeholders emitted by the decompiler rather than real values -- treat the
# list as a decompiler artifact and use it for its length only.
code = [6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
        24, 25, 26, 27, 28, 29, 30, 31, 32, 27, 33, 34, 35, 36, 36, 9,
        37, 22, 38]
# okay decompiling ez_re.pyc
逆了半天,看了一下wp,code 数据不一样,感觉应该是python版本的问题
# Re-run uncompyle6 under a Python 2 interpreter, since the header of the first
# listing shows 2.7 bytecode being decompiled by a Python 3.11 host.
python2 -m uncompyle6.main ez_re.pyc > flag2.py
也还是不行
最后用了 pycdc ,得到了真正的 code
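# Solver for easy_pyc (Python 3).
#
# The checker shifts every flag character by its index and then XORs each
# element with its right-hand neighbour, left to right, for indices 0 .. l-4.
# Both steps are undone here in reverse order.

# Ciphertext as recovered with pycdc. The integer list printed by uncompyle6
# has the same 37 entries but not the real byte values, so the length is taken
# from this list rather than from that placeholder list.
code = ['\x16', '\x1d', '\x1e', '\x1a', '\x18', '\t', '\xff', '\xd0', ',', '\x03', '\x02', '\x14', '8', 'm', '\x01',
        'C', 'D', '\xbd', '\xf7', '*', '\r', '\xda', '\xf9', '\x1c', '&', '5', "'", '\xda', '\xd4', '\xd1', '\x0b',
        '\xc7', '\xc7', '\x1a', '\x90', 'D', '\xa1']
code = list(map(ord, code))
l = len(code)
print(l)

# Forward transform, kept for reference:
#   num = ((flag[i] + i) % 114514 + 114514) % 114514   (the 114514 modulus has no effect here)
#   for i in range(l - 4 + 1):
#       code[i] = code[i] ^ code[i + 1]
# The last three elements were never XORed; the final XOR performed was
# code[l-4] = code[l-4] ^ code[l-3].

# Undo the XOR chain from the right. code[i + 1] is already restored when
# code[i] is processed, which is why the walk has to run backwards.
for i in range(l - 4, -1, -1):
    code[i] = code[i] ^ code[i + 1]

# Undo the per-index shift and print the recovered characters on one line.
for i in range(l):
    print(chr((code[i] - i) % 128), end='')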
故还是 pycdc 和 uncompyle6 互补使用
easy_re
这个 while 循环受输入控制啊,也没有输入的提示啊
难道就是一个简单的base64吗?试试
不是,应该和输入的两个 key 也有关系,然后就一个异或,所以应该找到正确的key值
看 wp 说dword_973 是300*300的数组,太长了,应该是的
阿狸那个话是 580 长度,应该就是用那个数组加上key异或得到阿狸base64的话
没有对key的信息,那就只能爆破了
结合 flag……,其 base64 开头是 ZmxhZ
写爆破脚本
也是不怎么会,借鉴一下大佬的
看了有两个思路都挺不错的,都是爆破
第一个就是dump下来,但是关键就是需要把数组提取出来,但是不好搞
所以这个方法放弃了,但思路很好
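/*
 * Known-plaintext brute force over the two keys.
 *
 * For every (key1, key2) pair the first five bytes of the expected Base64
 * text ("ZmxhZ") are pushed through the XOR/table step and compared with the
 * first five ciphertext bytes in data[]. A pair that reproduces all five is
 * printed.
 *
 * `arr` (the lookup table taken from the binary) is not defined in this
 * snippet and has to be supplied before it can be built.
 *
 * NOTE(review): only 0..199 is searched for each key although the state is
 * reduced mod 299 / mod 300 below -- widen the ranges if no pair is found.
 * NOTE(review): v4 starts as key2 % 299 but is refreshed from v10, which is
 * reduced mod 300; presumably this mirrors the decompiler output -- verify.
 */
int key1;
int key2;
int v9;
int v10;
for (key1 = 0; key1 < 200; key1++)
{
    for (key2 = 0; key2 < 200; key2++)
    {
        int v3 = key1 % 299;            /* first table index */
        int v4 = key2 % 299;            /* second table index */
        unsigned int v5 = 0;            /* position in the known plaintext */
        v10 = key2 % 299;
        char input[] = "ZmxhZ";
        int com[5];
        int data[5] = {90, 171, 198, 235, 229};
        unsigned int v6 = (unsigned int)strlen(input);
        do {
            /* Cipher byte = table entry XOR plaintext byte. */
            v9 = arr[v3][v4] ^ input[v5];
            /* Both indices advance by the byte that was just produced. */
            v3 = (v9 + v3) % 299;
            v10 = (v9 + v10) % 300;
            com[v5] = v9;
            v4 = v10;
            ++v5;
        } while (v5 < v6);
        if (com[0] == data[0] && com[1] == data[1] && com[2] == data[2]
            && com[3] == data[3] && com[4] == data[4])
        {
            /* One "key1 key2" pair per line so several hits stay readable. */
            printf("%d %d\n", key1, key2);
        }
    }
}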
另外就是用 pwn 库
from base64 import *
from pwn import u32
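def decrypt(k1, k2, cipher):
    """Try one (k1, k2) candidate and print it if it yields the expected prefix.

    The cipher bytes are walked from last to first. For each byte ``v8`` both
    indices step back by ``v8`` (mod 299 and mod 300) and the entry
    ``d_3aa0[300 * k1 + k2]`` is XORed with ``v8`` to give one plaintext byte.
    The pair passed in is therefore the index state *after* the last byte.

    Args:
        k1: Candidate first index, expected in range(299).
        k2: Candidate second index, expected in range(300).
        cipher: Sequence of ciphertext byte values.

    Returns:
        None. A candidate whose output starts with b'ZmxhZ' is printed along
        with the starting pair and the Base64-decoded text.
    """
    tk1, tk2 = k1, k2  # remember the starting pair for the report
    m = []
    for v8 in cipher[::-1]:
        k1 = (k1 - v8) % 299
        k2 = (k2 - v8) % 300  # change v3,v4 failure
        m.append(d_3aa0[300 * k1 + k2] ^ v8)
    try:
        base64_text = bytes(m[::-1])
    except ValueError:
        # A value outside 0..255 cannot be Base64 text, so this pair is wrong;
        # skip it instead of aborting the whole search.
        return
    if base64_text[:5] != b'ZmxhZ':
        return
    try:
        flag = b64decode(base64_text).decode('utf-8')
    except ValueError:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        # Keep the candidate visible rather than crashing or hiding it.
        flag = '<prefix matched, but not valid Base64/UTF-8>'
    print(base64_text, tk1, tk2, '\n', flag)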
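# Read the lookup table straight out of the executable.
# 0x5a6e0 - 0x28a0 = 360000 bytes = 300 * 300 four-byte entries, i.e. the
# whole table. NOTE(review): 0x28a0 is an offset into the file on disk, not the
# address shown by the disassembler; presumably it was obtained by converting
# the table's virtual address with the section headers -- confirm in a PE viewer.
with open("D:\\ctf附件2\\easy_re\\re1.exe", 'rb') as exe:
    data = exe.read()[0x28a0: 0x5a6e0]
if len(data) != 300 * 300 * 4:
    # A short or different file would otherwise fail later with an opaque
    # unpack or index error inside decrypt().
    raise ValueError("unexpected table size: %d bytes" % len(data))
# u32 unpacks each 4-byte group as one 32-bit integer (little-endian under
# the default pwntools context).
d_3aa0 = [u32(data[i:i+4]) for i in range(0, len(data), 4)]
# Ciphertext bytes taken from the challenge.
a = [90,171,198,235,229,43,246,92,198,203,233,228,6,128,215,68,201,4,220,214,169,245,208,199,112,170,119,251,244,58,237,4,70,231,200,45,186,137,247,225,243,13,145,139,190,146,194,242,253,56,239,5,41,225,105,51,247,79,170,231,88,64,224,138,222,220,229,88,43,117,236,189,228,205,150,65,26,205,232,141,116,149,185,89,212,251,16,215,205,17,238,22,245,77,220,198,224,248,223,209,205,167,223,210,165,247,190,3,5,246,243,228,181,33,42,207,174,138,244,118,192,22,219,60,80,229,144,219,133,211,221,229,190,58,151,240,183,207,221,60,77,217,220,74,105,220,221,165,85,174,43,183,188,190,252,255,130,137,189,201,239,181,150,143,214,203,26,211,103,222,105,87,214,179,83,185,104,206,229,172,221,117,163,57,106,200,46,165,193,135,243,166,168,209,144,52,210,12,58,10,103,5,211,55,172,76,88,250,136,245,167,139,241,26,92,97,139,241,137,27,53,211,251,191,240,173,14,231,241,242,255,122,144,97,234,36,175,155,253,35,156,229,19,166,191,140,195,218,130,35,200,178,245,41,162,243,214,222,87,83,195,144,55,159,208,241,193,233,204,228,196,105,84,58,220,226,1,47,248,138,177,124,236,53,210,79,250,106,27,244,251,203,210,103,213,218,183,4,40,28,12,175,52,224,203,89,176,174,175,233,43,20,103,152,201,4,148,76,241,103,135,139,136,246,80,184,255,194,149,239,206,207,246,166,20,63,202,199,177,214,60,99,74,211,219,94,247,193,40,212,197,175,30,244,41,24,113,27,249,213,225,55,188,193,165,220,174,252,105,154,74,126,174,255,110,169,103,44,246,255,98,251,211,87,171,62,67,250,69,149,18,77,159,137,168,231,187,97,174,115,243,44,128,151,90,246,83,11,138,67,184,22,53,228,230,252,76,112,20,136,131,90,233,248,67,207,61,212,113,62,239,203,201,66,83,179,16,209,253,63,206,208,101,150,196,145,101,220,22,79,241,69,237,219,97,87,20,22,240,244,218,7,237,42,14,8,38,115,141,102,206,191,142,55,196,200,142,98,16,129,53,52,50,197,53,219,2,66,152,192,245,243,69,26,132,240,164,90,246,200,53,89,221,119,139,76,47,132,53,47,249,26,53,141,113,69,76,152,121,193,53,176,97,135,205,206,237,108,251,38,216,108,12,220,209,194,26,243,217,231,36,117,235,106,205,43,254,75,209,141,239,200,5,183,219,166,113,9,16,154,116,144,238,208,245,136,173,16,103,107,114,17,208,181,196,98,212,133,211,252]
# Exhaust every index pair; decrypt() prints the candidates that match.
for k1 in range(299):
    for k2 in range(300):
        decrypt(k1, k2, a)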
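但想了半天没搞清楚那个 0x28A0 是怎么算的 0.0(0x5a6e0 - 0x28a0 = 360000 = 300×300×4 字节,正好是整张表的大小,所以 0x28A0 应该是这张表在 exe 文件里的偏移,而不是反汇编里看到的地址,需要按节表换算,待确认)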
大佬wp
想不到一点真的是 0.0
Coffee Feast
看不懂一点
百度了一下,是将 jar 里的一些关键字混淆了好像,工具搞了一下,太难弄了,先遛了 0.0