MoeCTF 2021Re部分------Midpython.exe
生活随笔
收集整理的這篇文章主要介紹了
MoeCTF 2021Re部分------Midpython.exe
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
文章目錄
- Midpython.exe
- marshal和dis庫配合:
- 手動改為py
- 解密腳本
- 總結:
Midpython.exe
python代碼寫成的exe,進行反編譯,先搞成pyc,然后把pyc反編譯成py,但是再第二個步驟反編譯成py的時候出現了如下報錯:
Traceback (most recent call last):File "g:\python3.7.6-64\lib\runpy.py", line 193, in _run_module_as_main"__main__", mod_spec)File "g:\python3.7.6-64\lib\runpy.py", line 85, in _run_codeexec(code, run_globals)File "G:\python3.7.6-64\Scripts\uncompyle6.exe\__main__.py", line 7, in <module>File "g:\python3.7.6-64\lib\site-packages\uncompyle6\bin\uncompile.py", line 194, in main_bin**options)File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 324, in maindo_fragments,File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 222, in decompile_filedo_fragments=do_fragments,File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 141, in decompileco, out, bytecode_version, debug_opts=debug_opts, is_pypy=is_pypyFile "g:\python3.7.6-64\lib\site-packages\uncompyle6\semantics\pysource.py", line 2570, in code_deparsescanner = get_scanner(version, is_pypy=is_pypy)File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanner.py", line 566, in get_scanner"scan.Scanner%s(show_asm=show_asm)" % v_str, locals(), globals()File "<string>", line 1, in <module>File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanners\scanner39.py", line 36, in __init__Scanner37Base.__init__(self, 3.9, show_asm)File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanners\scanner37base.py", line 98, in __init__self.opc.END_FINALLY, AttributeError: module 'xdis.opcodes.opcode_39' has no attribute 'END_FINALLY'查看后是反編譯器的版本出現了不合。uncompyle6可將python字節碼轉換回等效的python源代碼,它接受python 1.3版到3.8版的字節碼,但是這個題目是python3.9,所以需要換其他方法
marshal和dis庫配合:
當然前提是需要到pyc的步驟,并且把頭修改好。
import marshal import dis a=open('Midpython.pyc','rb') a.seek(16) dis.dis(marshal.load(a))然后先跳過頭結點(magic和time),原因,利用marshal進行以二進制格式讀取,然后用dis庫進行輸出,
1 0 BUILD_LIST 02 LOAD_CONST 0 ((69, 70, 79, 72, 88, 75, 85, 127, 89, 85, 74, 19, 74, 122, 107, 103, 75, 77, 9, 73, 29, 28, 67))4 LIST_EXTEND 16 STORE_NAME 0 (key)2 8 LOAD_CONST 1 (<code object <lambda> at 0x7f0b479a2be0, file "Midpython.py", line 2>)10 LOAD_CONST 2 ('<lambda>')12 MAKE_FUNCTION 014 STORE_NAME 1 (xxor)3 16 LOAD_CONST 3 (<code object <lambda> at 0x7f0b479a2c90, file "Midpython.py", line 3>)18 LOAD_CONST 2 ('<lambda>')20 MAKE_FUNCTION 022 STORE_NAME 2 (xoor)4 24 LOAD_CONST 4 (<code object <lambda> at 0x7f0b479a2d40, file "Midpython.py", line 4>)26 LOAD_CONST 2 ('<lambda>')28 MAKE_FUNCTION 030 STORE_NAME 3 (xorr)5 32 LOAD_NAME 4 (len)34 LOAD_NAME 0 (key)36 CALL_FUNCTION 138 STORE_NAME 5 (length)6 40 LOAD_NAME 6 (input)42 LOAD_CONST 5 ('>>>input your flag:\n>>>')44 CALL_FUNCTION 146 STORE_NAME 7 (ipt)7 48 LOAD_CONST 6 (1)50 STORE_NAME 8 (flag)8 52 LOAD_NAME 4 (len)54 LOAD_NAME 7 (ipt)56 CALL_FUNCTION 158 LOAD_NAME 5 (length)60 COMPARE_OP 2 (==)62 POP_JUMP_IF_FALSE 1149 64 LOAD_NAME 9 (range)66 LOAD_NAME 5 (length)68 CALL_FUNCTION 170 GET_ITER>> 72 FOR_ITER 38 (to 112)74 STORE_NAME 10 (i)10 76 LOAD_NAME 3 (xorr)78 LOAD_NAME 11 (ord)80 LOAD_NAME 7 (ipt)82 LOAD_NAME 10 (i)84 BINARY_SUBSCR86 CALL_FUNCTION 188 LOAD_NAME 10 (i)90 CALL_FUNCTION 292 LOAD_NAME 0 (key)94 LOAD_NAME 10 (i)96 BINARY_SUBSCR98 COMPARE_OP 3 (!=)100 POP_JUMP_IF_FALSE 7211 102 LOAD_CONST 7 (0)104 STORE_NAME 8 (flag)12 106 POP_TOP108 JUMP_ABSOLUTE 118110 JUMP_ABSOLUTE 72>> 112 JUMP_FORWARD 4 (to 118)14 >> 114 LOAD_CONST 7 (0)116 STORE_NAME 8 (flag)15 >> 118 LOAD_NAME 8 (flag)120 LOAD_CONST 6 (1)122 COMPARE_OP 2 (==)124 POP_JUMP_IF_FALSE 13616 126 LOAD_NAME 12 (print)128 LOAD_CONST 8 ('>>>Right!!')130 CALL_FUNCTION 1132 POP_TOP134 JUMP_FORWARD 8 (to 144)18 >> 136 LOAD_NAME 12 (print)138 LOAD_CONST 9 ('>>>Wrong!!')140 CALL_FUNCTION 1142 POP_TOP>> 144 LOAD_CONST 10 (None)146 RETURN_VALUEDisassembly of <code object <lambda> at 0x7f0b479a2be0, file "Midpython.py", line 2>:2 0 LOAD_FAST 0 (x)2 LOAD_FAST 1 (y)4 BINARY_XOR6 LOAD_CONST 1 (11)8 BINARY_XOR10 RETURN_VALUEDisassembly of <code object <lambda> at 0x7f0b479a2c90, file "Midpython.py", line 3>:3 0 LOAD_GLOBAL 0 (xxor)2 LOAD_FAST 0 (x)4 LOAD_FAST 1 (y)6 CALL_FUNCTION 28 LOAD_CONST 1 (45)10 BINARY_XOR12 RETURN_VALUEDisassembly of <code object <lambda> at 0x7f0b479a2d40, file "Midpython.py", line 4>:4 0 LOAD_GLOBAL 0 (xoor)2 LOAD_FAST 0 (x)4 LOAD_FAST 1 (y)6 CALL_FUNCTION 28 LOAD_CONST 1 (14)10 BINARY_XOR12 RETURN_VALUE手動改為py
import dis def pyc():key=[(69, 70, 79, 72, 88, 75, 85, 127, 89, 85, 74, 19, 74, 122, 107, 103, 75, 77, 9, 73, 29, 28, 67)]xxor=lambda x,y:x^y^11xoor=lambda xxor,x,y:xxor(x,y)^45xorr=lambda xoor,x,y:xoor(x,y)^14length=len(key)ipt=input('>>>input your flag:\n>>>')flag=1if len(ipt)==length:for i in range(length):if xorr(ord(ipt[i]),i)!=key[i]:flag=0else:flag=0 if flag==1:print('>>>Right!!')else:print('>>>Wrong!!')dis.dis(pyc)解密腳本
key=[69, 70, 79, 72, 88, 75, 85, 127, 89, 85, 74, 19, 74, 122, 107, 103, 75, 77, 9, 73, 29, 28, 67] for i in range(len(key)):flag=key[i]^11^i^45^14print(chr(flag),end='') moectf{Pyth0n_M@st3r!!}總結:
python3.9編譯的exe:
總結
以上是生活随笔為你收集整理的MoeCTF 2021Re部分------Midpython.exe的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: MoeCTF 2021Re部分-----
- 下一篇: MoeCTF 2021Re部分-----