re | [watevrCTF 2019]Repyc
这题就是一坨shi
字节码是 Python 3.6 的,在 Linux 环境下用 3.6 以上版本的 Python 运行 uncompyle6 去反编译。
# uncompyle6 version 3.7.4
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.8.4 (default, Jul 13 2020, 21:16:07)
# [GCC 9.3.0]
# Embedded file name: circ.py
# Compiled at: 2019-12-14 02:29:55
# Size of source mod 2**32: 5146 bytes
# Every integer in the decompiled module is spelled with these three names.
佤 = 0  # 0
侰 = (~佤) * (~佤)  # ~0 is -1, and (-1) * (-1) is 1
俴 = 2 * 侰  # 2
def 䯂(䵦):
    """Interpret the instruction list 䵦 on the challenge's virtual machine.

    Each instruction is a list: a one-character opcode followed by its
    operands.  State is a program counter (굴), a register list (괠, 16
    entries), a memory list (궓, 100 entries) and a stack of jump targets
    (괣).  The loop ends when the current opcode is '듃'.

    The decompiler's nested else/if ladder is written here as one elif
    chain; identifiers and opcode glyphs are kept exactly as decompiled.
    """
    굴 = 佤  # program counter: index of the current instruction
    굿 = 佤  # assigned here and never read again
    괠 = [佤] * 俴 ** (俴 * 俴)  # registers: 2 ** 4 == 16 slots
    궓 = [佤] * 100  # memory cells
    괣 = []  # jump-target stack, popped by '뮳'
    while 䵦[굴][佤] != '듃':
        굸 = 䵦[굴][佤].lower()
        亀 = 䵦[굴][侰:]  # operands of the current instruction
        # --- register arithmetic: reg[a] = reg[b] <op> reg[c] ---
        if 굸 == '뉃':
            괠[亀[佤]] = 괠[亀[侰]] + 괠[亀[俴]]
        elif 굸 == '렀':
            괠[亀[佤]] = 괠[亀[侰]] ^ 괠[亀[俴]]
        elif 굸 == '렳':
            괠[亀[佤]] = 괠[亀[侰]] - 괠[亀[俴]]
        elif 굸 == '냃':
            괠[亀[佤]] = 괠[亀[侰]] * 괠[亀[俴]]
        elif 굸 == '뢯':
            괠[亀[佤]] = 괠[亀[侰]] / 괠[亀[俴]]
        elif 굸 == '륇':
            괠[亀[佤]] = 괠[亀[侰]] & 괠[亀[俴]]
        elif 굸 == '맳':
            괠[亀[佤]] = 괠[亀[侰]] | 괠[亀[俴]]
        # --- data movement ---
        elif 굸 == '괡':
            # Assigns a register to itself: the value does not change.
            괠[亀[佤]] = 괠[亀[佤]]
        elif 굸 == '뫇':
            괠[亀[佤]] = 괠[亀[侰]]  # register <- register
        elif 굸 == '꼖':
            괠[亀[佤]] = 亀[侰]  # register <- immediate operand
        elif 굸 == '뫻':
            궓[亀[佤]] = 괠[亀[侰]]  # memory <- register
        elif 굸 == '딓':
            괠[亀[佤]] = 궓[亀[侰]]  # register <- memory
        elif 굸 == '댒':
            괠[亀[佤]] = 佤  # register <- 0
        elif 굸 == '묇':
            궓[亀[佤]] = 佤  # memory <- 0
        # --- console I/O; the prompt is taken from a register ---
        elif 굸 == '묟':
            괠[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '꽺':
            궓[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '돯':
            print(괠[亀[佤]])
        elif 굸 == '뭗':
            print(궓[亀[佤]])
        # --- unconditional counter loads; the increment below still runs ---
        elif 굸 == '뭿':
            굴 = 괠[亀[佤]]
        elif 굸 == '뮓':
            굴 = 궓[亀[佤]]
        elif 굸 == '뮳':
            굴 = 괣.pop()
        # --- greater-than jump to an immediate target ---
        elif 굸 == '믃':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue  # taken jump: skip the increment
        # --- whole-value comparison used for the token check ---
        elif 굸 == '꽲':
            # NOTE(review): the listing lost its indentation; the nesting of
            # the three statements under the `if` is reconstructed - confirm
            # against a fresh decompile.
            괠[7] = 佤
            for i in range(len(괠[亀[佤]])):
                # Compares the two registers as a whole on every pass, not
                # character by character.
                if 괠[亀[佤]] != 괠[亀[侰]]:
                    괠[7] = 侰
                    굴 = 괠[亀[俴]]
                    괣.append(굴)
        # --- per-character string transforms, result stored back in place ---
        elif 굸 == '꾮':
            괢 = [chr(ord(괠[亀[佤]][i]) ^ 괠[亀[侰]]) for i in range(len(괠[亀[佤]]))]
            괠[亀[佤]] = ''.join(괢)
        elif 굸 == '꿚':
            괢 = [chr(ord(괠[亀[佤]][i]) - 괠[亀[侰]]) for i in range(len(괠[亀[佤]]))]
            괠[亀[佤]] = ''.join(괢)
        # --- greater-than jumps, target read from a register / from memory ---
        elif 굸 == '떇':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '뗋':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        # --- equality jumps: immediate / register / memory target ---
        elif 굸 == '똷':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue
        elif 굸 == '뚫':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '띇':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        # Unrecognised opcodes fall through to here as well.
        굴 += 侰
# Bytecode for the token check, run immediately by the interpreter above.
# In the notes below reg[n] is the interpreter's 괠[n] and mem[n] is 궓[n];
# the leading number is the instruction index (the jump target unit).
䯂([
[  # 0: reg[0] = prompt text
'꼖', 佤, 'Authentication token: '],
[  # 1: mem[0] = input(reg[0]) - the user's token
'꽺', 佤, 佤],
[  # 2: reg[6] = encoded reference string
'꼖', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
[  # 3: reg[2] = 2**7 - 2**3 = 120
'꼖', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],
[  # 4: reg[4] = 15
'꼖', 4, 15],
[  # 5: reg[3] = 1
'꼖', 3, 侰],
[  # 6: reg[2] = reg[2] * reg[3] = 120
'냃', 俴, 俴, 3],
[  # 7: reg[2] = reg[2] + reg[4] = 135
'뉃', 俴, 俴, 4],
[  # 8: reg[0] = reg[0]; the second operand is not read
'괡', 佤, 俴],
[  # 9: reg[3] = 0
'댒', 3],
[  # 10: reg[6] = reg[6] XOR reg[3] per character; reg[3] is 0, so unchanged
'꾮', 6, 3],
[  # 11: reg[0] = 'Thanks.'
'꼖', 佤, 'Thanks.'],
[  # 12: reg[1] = 'Authorizing access...'
'꼖', 侰, 'Authorizing access...'],
[  # 13: print reg[0]
'돯', 佤],
[  # 14: reg[0] = mem[0] - the token read at index 1
'딓', 佤, 佤],
[  # 15: reg[0] = each character XOR reg[2] (135)
'꾮', 佤, 俴],
[  # 16: reg[0] = each character minus reg[4] (15)
'꿚', 佤, 4],
[  # 17: reg[5] = 19, the counter value loaded on a mismatch
'꼖', 5, 19],
[  # 18: compare reg[0] with reg[6]; on mismatch reg[7] = 1 and counter = reg[5]
'꽲', 佤, 6, 5],
[  # 19: print reg[1]
'돯', 侰],
[  # 20: halt
'듃'],
# NOTE(review): a mismatch loads 19 and the loop then adds 1, which appears
# to land on the halt at 20, so indices 21-23 look unreachable - confirm by
# running the module.
[  # 21: reg[1] = 'Access denied!'
'꼖', 侰, 'Access denied!'],
[  # 22: print reg[1]
'돯', 侰],
[  # 23: halt
'듃']])
好家伙,果然反编译出来一坨shi
明显的虚拟机
行吧
然后就是一通分析,这里借用misaka师傅的整理:https://blog.csdn.net/Misaka10046/article/details/111400928
然后整理出来就是这种东西:
# Plain-integer spellings of 0, 1 and 2 left over from the renaming pass;
# main() below writes the literals directly and does not read these names.
a, b, c = 0, 1, 2
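def main(p):
    """Run program *p* on the renamed version of the challenge's VM.

    *p* is a list of instructions, each a list ``[mnemonic, operand, ...]``.
    Execution starts at index 0 and stops when the current mnemonic is
    ``'nop'`` (which therefore acts as a halt).  Returns ``None``; the only
    outputs are ``print`` calls and the only inputs are ``input`` calls.

    Mnemonics (``t`` = registers, ``y`` = memory, ``x`` = jump stack):
      add/xor/sub/mul/div/and/or   t[a] = t[b] <op> t[c]
      equ                          t[a] = t[a] (no change)
      lea / mov                    t[a] = t[b] / t[a] = immediate
      mov1 / mov2                  y[a] = t[b] / t[a] = y[b]
      clear / clear1               t[a] = 0 / y[a] = 0
      input / input1               t[a] or y[a] = input(t[b])
      print / print1               print t[a] / y[a]
      mov3 / mov4 / pop            counter = t[a] / y[a] / x.pop()
      cmp+push, cmp+push2/3        jump if t[b] > t[c]  (imm / t / y target)
      cmp+push4, cmp, cmp1         jump if t[b] == t[c] (imm / t / y target)
      cmp+push1                    whole-value compare of t[a] and t[b]
      xor+mov / sub+mov            per-character XOR / subtract on t[a]

    The mnemonic is lower-cased before dispatch, so every comparison below
    uses a lower-case literal.  The clear opcodes were previously compared
    against 'Clear' / 'Clear1', which a lower-cased string can never equal;
    the register was then left uncleared and the following XOR changed the
    reference string.
    """
    m = 0  # program counter: index into p
    t = [0] * 16  # registers
    y = [0] * 100  # memory cells
    x = []  # jump-target stack, consumed by 'pop'
    while p[m][0] != 'nop':
        opcode = p[m][0].lower()
        h = p[m][1:]  # operands
        if opcode == 'add':
            t[h[0]] = t[h[1]] + t[h[2]]
        elif opcode == 'xor':
            t[h[0]] = t[h[1]] ^ t[h[2]]
        elif opcode == 'sub':
            t[h[0]] = t[h[1]] - t[h[2]]
        elif opcode == 'mul':
            t[h[0]] = t[h[1]] * t[h[2]]
        elif opcode == 'div':
            t[h[0]] = t[h[1]] / t[h[2]]
        elif opcode == 'and':
            t[h[0]] = t[h[1]] & t[h[2]]
        elif opcode == 'or':
            t[h[0]] = t[h[1]] | t[h[2]]
        elif opcode == 'equ':
            # Self-assignment kept from the decompiled code; no change.
            t[h[0]] = t[h[0]]
        elif opcode == 'lea':
            t[h[0]] = t[h[1]]
        elif opcode == 'mov':
            t[h[0]] = h[1]
        elif opcode == 'mov1':
            y[h[0]] = t[h[1]]
        elif opcode == 'mov2':
            t[h[0]] = y[h[1]]
        elif opcode == 'clear':
            t[h[0]] = 0
        elif opcode == 'clear1':
            y[h[0]] = 0
        elif opcode == 'input':
            t[h[0]] = input(t[h[1]])
        elif opcode == 'input1':
            y[h[0]] = input(t[h[1]])
        elif opcode == 'print':
            print(t[h[0]])
        elif opcode == 'print1':
            print(y[h[0]])
        elif opcode == 'mov3':
            m = t[h[0]]
        elif opcode == 'mov4':
            m = y[h[0]]
        elif opcode == 'pop':
            m = x.pop()
        elif opcode == 'cmp+push':
            if t[h[1]] > t[h[2]]:
                m = h[0]
                x.append(m)
                continue  # taken jump: skip the increment below
        elif opcode == 'cmp+push1':
            # NOTE(review): the listing lost its indentation; the nesting
            # under the `if` is reconstructed - confirm against the original.
            t[7] = 0
            for _ in range(len(t[h[0]])):
                # Compares both registers as a whole on every pass.
                if t[h[0]] != t[h[1]]:
                    t[7] = 1
                    m = t[h[2]]
                    x.append(m)
        elif opcode == 'xor+mov':
            g = ''
            for i in range(len(t[h[0]])):
                g += chr(ord(t[h[0]][i]) ^ t[h[1]])
            t[h[0]] = g
        elif opcode == 'sub+mov':
            g = ''
            for i in range(len(t[h[0]])):
                g += chr(ord(t[h[0]][i]) - t[h[1]])
            t[h[0]] = g
        elif opcode == 'cmp+push2':
            if t[h[1]] > t[h[2]]:
                m = t[h[0]]
                x.append(m)
                continue
        elif opcode == 'cmp+push3':
            if t[h[1]] > t[h[2]]:
                m = y[h[0]]
                x.append(m)
                continue
        elif opcode == 'cmp+push4':
            if t[h[1]] == t[h[2]]:
                m = h[0]
                x.append(m)
                continue
        elif opcode == 'cmp':
            if t[h[1]] == t[h[2]]:
                m = t[h[0]]
                x.append(m)
                continue
        elif opcode == 'cmp1':
            if t[h[1]] == t[h[2]]:
                m = y[h[0]]
                x.append(m)
                continue
        # Unrecognised mnemonics also end up here and are skipped.
        m += 1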
# The same token-check program with renamed mnemonics, run immediately.
# The leading number in each note is the instruction index; reg/mem are the
# interpreter's t and y lists.
main([
[ 'mov', 0, 'Authentication token: '],  # 0: reg[0] = prompt text
[ 'input1', 0, 0],  # 1: mem[0] = input(reg[0]) - the user's token
# 2: reg[6] = encoded reference string
[ 'mov', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
[ 'mov', 2, 120],  # 3: reg[2] = 120
[ 'mov', 4, 15],  # 4: reg[4] = 15
[ 'mov', 3, 1],  # 5: reg[3] = 1
[ 'mul', 2, 2, 3],  # 6: reg[2] = reg[2] * reg[3] = 120
[ 'add', 2, 2, 4],  # 7: reg[2] = reg[2] + reg[4] = 135
[ 'equ', 0, 2],  # 8: reg[0] = reg[0]; the second operand is not read
[ 'Clear', 3],  # 9: zero reg[3] (the decompiled program's '댒'); main() lower-cases the mnemonic before matching it
[ 'xor+mov', 6, 3],  # 10: reg[6] XOR reg[3] per character; a no-op when reg[3] is 0
[ 'mov', 0, 'Thanks.'],  # 11: reg[0] = 'Thanks.'
[ 'mov', 1, 'Authorizing access...'],  # 12: reg[1] = success message
[ 'print', 0],  # 13: print reg[0]
[ 'mov2', 0, 0],  # 14: reg[0] = mem[0] - the token read at index 1
[ 'xor+mov', 0, 2],  # 15: reg[0] = each character XOR reg[2] (135)
[ 'sub+mov', 0, 4],  # 16: reg[0] = each character minus reg[4] (15)
[ 'mov', 5, 19],  # 17: reg[5] = 19, the counter value loaded on a mismatch
[ 'cmp+push1', 0, 6, 5],  # 18: compare reg[0] with reg[6]; on mismatch reg[7] = 1, counter = reg[5]
[ 'print', 1],  # 19: print reg[1]
[ 'nop'],  # 20: halt - main() stops at 'nop'
# NOTE(review): a mismatch loads 19 and the loop then adds 1, which appears
# to land on the halt at 20, so indices 21-23 look unreachable - confirm by
# running the script.
[ 'mov', 1, 'Access denied!'],  # 21: reg[1] = failure message
[ 'print', 1],  # 22: print reg[1]
[ 'nop']])  # 23: halt
分析虚拟机执行流程:
先把输入的每个字符与135(120×1+15)异或,再减15,然后与寄存器6里的密文比较(密文在比较前只与清零后的寄存器3异或,所以不变)。简单清晰。
嗯就是这样
然后反推一下就好:对密文的每个字符先加15,再与135异或。例如密文首字符 'á'(225):(225+15)^135=119,即 'w'。
over.
本文来自博客园,作者:Mz1,转载请注明原文链接:https://www.cnblogs.com/Mz1-rc/p/14256932.html