TSCTF-J byte_code

TSCTF-J byte_code

记录一次python字节码逆向

参考链接:

https://nobb.site/2017/03/20/0x2f/

https://www.cnblogs.com/gisen_6/p/15786379.html

字节码相关库使用:

dis模块通过反汇编支持CPython 字节码的分析。字节码属于CPython的实现细节,不同Python版本的指令并不相同,对照分析时应使用与题目字节码版本相近的解释器。

通过命令行获取对应py文件的字节码(该命令只对源码进行编译和反汇编,不会执行脚本)。

python -m dis exp.py

题目给出的字节码(需要手工还原为python代码):

  1           0 LOAD_CONST               0 (114)
              2 LOAD_CONST               1 (101)
              4 LOAD_CONST               2 (118)
              6 LOAD_CONST               1 (101)
              8 LOAD_CONST               0 (114)
             10 LOAD_CONST               3 (115)
             12 LOAD_CONST               1 (101)
             14 LOAD_CONST               4 (95)
             16 LOAD_CONST               5 (116)
             18 LOAD_CONST               6 (104)
             20 LOAD_CONST               1 (101)
             22 LOAD_CONST               4 (95)
             24 LOAD_CONST               7 (98)
             26 LOAD_CONST               8 (121)
             28 LOAD_CONST               5 (116)
             30 LOAD_CONST               1 (101)
             32 BUILD_LIST              16
             34 STORE_NAME               0 (a)

  2          36 LOAD_CONST               9 (99)
             38 LOAD_CONST              10 (111)
             40 LOAD_CONST              11 (100)
             42 LOAD_CONST               1 (101)
             44 LOAD_CONST               4 (95)
             46 LOAD_CONST               5 (116)
             48 LOAD_CONST              10 (111)
             50 LOAD_CONST               4 (95)
             52 LOAD_CONST              12 (103)
             54 LOAD_CONST               1 (101)
             56 LOAD_CONST               5 (116)
             58 LOAD_CONST               4 (95)
             60 LOAD_CONST              13 (102)
             62 LOAD_CONST              14 (108)
             64 LOAD_CONST              15 (97)
             66 LOAD_CONST              12 (103)
             68 BUILD_LIST              16
             70 STORE_NAME               1 (b)

  3          72 LOAD_CONST              16 (80)
             74 LOAD_CONST               3 (115)
             76 LOAD_CONST              17 (193)
             78 LOAD_CONST              18 (24)
             80 LOAD_CONST              19 (226)
             82 LOAD_CONST              20 (237)
             84 LOAD_CONST              21 (202)
             86 LOAD_CONST              22 (212)
             88 LOAD_CONST              23 (126)
             90 LOAD_CONST              24 (46)
             92 LOAD_CONST              25 (205)
             94 LOAD_CONST              26 (208)
             96 LOAD_CONST              27 (215)
             98 LOAD_CONST              28 (135)
            100 LOAD_CONST              29 (228)
            102 LOAD_CONST              30 (199)
            104 LOAD_CONST              31 (63)
            106 LOAD_CONST              32 (159)
            108 LOAD_CONST              33 (117)
            110 LOAD_CONST              34 (52)
            112 LOAD_CONST              35 (254)
            114 LOAD_CONST              36 (247)
            116 LOAD_CONST              37 (0)
            118 LOAD_CONST              38 (133)
            120 LOAD_CONST              39 (163)
            122 LOAD_CONST              40 (248)
            124 LOAD_CONST              41 (47)
            126 LOAD_CONST               3 (115)
            128 LOAD_CONST              42 (109)
            130 LOAD_CONST              40 (248)
            132 LOAD_CONST              43 (236)
            134 LOAD_CONST              44 (68)
            136 BUILD_LIST              32
            138 STORE_NAME               2 (e)

  4         140 LOAD_CONST              45 (9)
            142 LOAD_CONST              46 (6)
            144 LOAD_CONST              47 (15)
            146 LOAD_CONST              48 (10)
            148 LOAD_CONST              49 (1)
            150 LOAD_CONST              37 (0)
            152 LOAD_CONST              50 (11)
            154 LOAD_CONST              51 (7)
            156 LOAD_CONST              52 (4)
            158 LOAD_CONST              53 (12)
            160 LOAD_CONST              54 (5)
            162 LOAD_CONST              55 (3)
            164 LOAD_CONST              56 (8)
            166 LOAD_CONST              57 (2)
            168 LOAD_CONST              58 (14)
            170 LOAD_CONST              59 (13)
            172 BUILD_LIST              16
            174 STORE_NAME               3 (pos)

  5         176 LOAD_CONST              60 (335833164)
            178 LOAD_CONST              61 (1155265242)
            180 LOAD_CONST              62 (627920619)
            182 LOAD_CONST              63 (1951749419)
            184 LOAD_CONST              64 (1931742276)
            186 LOAD_CONST              65 (856821608)
            188 LOAD_CONST              66 (489891514)
            190 LOAD_CONST              67 (366025591)
            192 LOAD_CONST              68 (1256805508)
            194 LOAD_CONST              69 (1106091325)
            196 LOAD_CONST              70 (128288025)
            198 LOAD_CONST              71 (234430359)
            200 LOAD_CONST              72 (314915121)
            202 LOAD_CONST              73 (249627427)
            204 LOAD_CONST              74 (207058976)
            206 LOAD_CONST              75 (1573143998)
            208 LOAD_CONST              76 (1443233295)
            210 LOAD_CONST              77 (245654538)
            212 LOAD_CONST              78 (1628003955)
            214 LOAD_CONST              79 (220633541)
            216 LOAD_CONST              80 (1412601456)
            218 LOAD_CONST              81 (1029130440)
            220 LOAD_CONST              82 (1556565611)
            222 LOAD_CONST              83 (1644777223)
            224 LOAD_CONST              84 (853364248)
            226 LOAD_CONST              85 (58316711)
            228 LOAD_CONST              86 (734735924)
            230 LOAD_CONST              87 (1745226113)
            232 LOAD_CONST              88 (1441619500)
            234 LOAD_CONST              89 (1426836945)
            236 LOAD_CONST              90 (500084794)
            238 LOAD_CONST              91 (1534413607)
            240 BUILD_LIST              32
            242 STORE_NAME               4 (d)

  6         244 LOAD_NAME                5 (__name__)
            246 LOAD_CONST              92 ('__main__')
            248 COMPARE_OP               2 (==)
            250 EXTENDED_ARG             1
            252 POP_JUMP_IF_FALSE      490

  7         254 LOAD_NAME                0 (a)
            256 LOAD_NAME                1 (b)
            258 BINARY_ADD
            260 STORE_NAME               6 (c)

  8         262 LOAD_NAME                7 (range)
            264 LOAD_CONST              93 (31)
            266 CALL_FUNCTION            1
            268 GET_ITER
        >>  270 FOR_ITER                26 (to 298)
            272 STORE_NAME               8 (i)

  9         274 LOAD_NAME                9 (print)
            276 LOAD_NAME               10 (chr)
            278 LOAD_NAME                6 (c)
            280 LOAD_NAME                8 (i)
            282 BINARY_SUBSCR
            284 CALL_FUNCTION            1
            286 LOAD_CONST              94 ('')
            288 LOAD_CONST              95 (('end',))
            290 CALL_FUNCTION_KW         2
            292 POP_TOP
            294 EXTENDED_ARG             1
            296 JUMP_ABSOLUTE          270

 10     >>  298 LOAD_NAME                9 (print)
            300 LOAD_NAME               10 (chr)
            302 LOAD_NAME                6 (c)
            304 LOAD_CONST              93 (31)
            306 BINARY_SUBSCR
            308 CALL_FUNCTION            1
            310 CALL_FUNCTION            1
            312 POP_TOP

 11         314 LOAD_NAME                7 (range)
            316 LOAD_CONST              96 (16)
            318 CALL_FUNCTION            1
            320 GET_ITER
        >>  322 FOR_ITER                38 (to 362)
            324 STORE_NAME               8 (i)

 12         326 LOAD_NAME                0 (a)
            328 LOAD_NAME                8 (i)
            330 BINARY_SUBSCR
            332 LOAD_NAME                4 (d)
            334 LOAD_NAME                8 (i)
            336 BINARY_SUBSCR
            338 BINARY_ADD
            340 LOAD_NAME                1 (b)
            342 LOAD_NAME                3 (pos)
            344 LOAD_NAME                8 (i)
            346 BINARY_SUBSCR
            348 BINARY_SUBSCR
            350 BINARY_XOR
            352 LOAD_NAME                0 (a)
            354 LOAD_NAME                8 (i)
            356 STORE_SUBSCR
            358 EXTENDED_ARG             1
            360 JUMP_ABSOLUTE          322

 13     >>  362 LOAD_NAME                7 (range)
            364 LOAD_CONST              96 (16)
            366 CALL_FUNCTION            1
            368 GET_ITER
        >>  370 FOR_ITER                30 (to 402)
            372 STORE_NAME               8 (i)

 14         374 LOAD_NAME                1 (b)
            376 LOAD_NAME                8 (i)
            378 BINARY_SUBSCR
            380 LOAD_NAME                0 (a)
            382 LOAD_NAME                3 (pos)
            384 LOAD_NAME                8 (i)
            386 BINARY_SUBSCR
            388 BINARY_SUBSCR
            390 BINARY_XOR
            392 LOAD_NAME                1 (b)
            394 LOAD_NAME                8 (i)
            396 STORE_SUBSCR
            398 EXTENDED_ARG             1
            400 JUMP_ABSOLUTE          370

 15     >>  402 LOAD_NAME                0 (a)
            404 LOAD_NAME                1 (b)
            406 BINARY_ADD
            408 STORE_NAME               6 (c)

 16         410 LOAD_NAME                7 (range)
            412 LOAD_CONST              97 (32)
            414 CALL_FUNCTION            1
            416 GET_ITER
        >>  418 FOR_ITER                70 (to 490)
            420 STORE_NAME               8 (i)

 17         422 LOAD_NAME                6 (c)
            424 LOAD_NAME                8 (i)
            426 BINARY_SUBSCR
            428 LOAD_NAME                4 (d)
            430 LOAD_NAME                8 (i)
            432 BINARY_SUBSCR
            434 BINARY_MULTIPLY
            436 LOAD_CONST              98 (256)
            438 BINARY_MODULO
            440 LOAD_NAME                6 (c)
            442 LOAD_NAME                8 (i)
            444 STORE_SUBSCR

 18         446 LOAD_NAME                6 (c)
            448 LOAD_NAME                8 (i)
            450 DUP_TOP_TWO
            452 BINARY_SUBSCR
            454 LOAD_NAME                2 (e)
            456 LOAD_NAME                8 (i)
            458 BINARY_SUBSCR
            460 INPLACE_XOR
            462 ROT_THREE
            464 STORE_SUBSCR

 19         466 LOAD_NAME                9 (print)
            468 LOAD_NAME               10 (chr)
            470 LOAD_NAME                6 (c)
            472 LOAD_NAME                8 (i)
            474 BINARY_SUBSCR
            476 CALL_FUNCTION            1
            478 LOAD_CONST              94 ('')
            480 LOAD_CONST              95 (('end',))
            482 CALL_FUNCTION_KW         2
            484 POP_TOP
            486 EXTENDED_ARG             1
            488 JUMP_ABSOLUTE          418
        >>  490 LOAD_CONST              99 (None)
            492 RETURN_VALUE

1.变量存储部分

列表相似的结构:
LOAD_CONST (数字)
BUILD_LIST
STORE_NAME (名称)
# Each BUILD_LIST n collects the n constants pushed by the preceding
# LOAD_CONST instructions, in push order; STORE_NAME then binds the list.
a = [
    114, 101, 118, 101, 114, 115, 101, 95,
    116, 104, 101, 95, 98, 121, 116, 101,
]  # ASCII codes of "reverse_the_byte"
b = [
    99, 111, 100, 101, 95, 116, 111, 95,
    103, 101, 116, 95, 102, 108, 97, 103,
]  # ASCII codes of "code_to_get_flag"
# 32 large integers; the program later uses them as addends and multipliers.
d = [
    335833164, 1155265242, 627920619, 1951749419,
    1931742276, 856821608, 489891514, 366025591,
    1256805508, 1106091325, 128288025, 234430359,
    314915121, 249627427, 207058976, 1573143998,
    1443233295, 245654538, 1628003955, 220633541,
    1412601456, 1029130440, 1556565611, 1644777223,
    853364248, 58316711, 734735924, 1745226113,
    1441619500, 1426836945, 500084794, 1534413607,
]
# 32 byte-sized values XORed into the final result.
e = [
    80, 115, 193, 24, 226, 237, 202, 212,
    126, 46, 205, 208, 215, 135, 228, 199,
    63, 159, 117, 52, 254, 247, 0, 133,
    163, 248, 47, 115, 109, 248, 236, 68,
]
# A permutation of 0..15, used as an index table into a and b.
pos = [9, 6, 15, 10, 1, 0, 11, 7, 4, 12, 5, 3, 8, 2, 14, 13]
下标访问相似的结构:
LOAD_NAME (名称)
LOAD_NAME (i)
BINARY_SUBSCR
名称[i]

2.变量运算部分

加法运算:
LOAD_NAME                0 (a)
LOAD_NAME                1 (b)
BINARY_ADD
STORE_NAME               6 (c)
c=a+b
异或运算:
LOAD_NAME                4 (d)
LOAD_NAME                8 (i)
BINARY_SUBSCR
BINARY_ADD
LOAD_NAME                1 (b)
LOAD_NAME                3 (pos)
LOAD_NAME                8 (i)
BINARY_SUBSCR
BINARY_SUBSCR
BINARY_XOR
d[i]^b[pos[i]](片段中的 BINARY_ADD 会先把此前入栈的 a[i] 与 d[i] 相加,所以完整表达式是 (a[i]+d[i])^b[pos[i]])
乘法和取余运算:
LOAD_NAME                6 (c)
LOAD_NAME                8 (i)
BINARY_SUBSCR
LOAD_NAME                4 (d)
LOAD_NAME                8 (i)
BINARY_SUBSCR
BINARY_MULTIPLY
LOAD_CONST              98 (256)
BINARY_MODULO
特殊异或操作:
LOAD_NAME                6 (c)
LOAD_NAME                8 (i)
DUP_TOP_TWO
BINARY_SUBSCR
LOAD_NAME                2 (e)
LOAD_NAME                8 (i)
BINARY_SUBSCR
INPLACE_XOR
ROT_THREE
STORE_SUBSCR
c[i]*d[i]%256(对应上面的乘法和取余运算)
c[i]^=e[i](对应特殊异或操作:DUP_TOP_TWO 复制栈顶的 c 和 i,INPLACE_XOR 计算之后由 ROT_THREE、STORE_SUBSCR 写回 c[i])

3.for循环

 8         262 LOAD_NAME                7 (range)
            264 LOAD_CONST              93 (31)
            266 CALL_FUNCTION            1
            268 GET_ITER
        >>  270 FOR_ITER                26 (to 298)
            272 STORE_NAME               8 (i)
            
 需要跟进到跳转的地方:FOR_ITER 的 (to 298) 是迭代器耗尽后跳转到的位置,也就是循环结束之后执行的语句;循环体是紧跟在 STORE_NAME 之后的 274–296(完整字节码的第 9 行)。
 
 10     >>  298 LOAD_NAME                9 (print)
            300 LOAD_NAME               10 (chr)
            302 LOAD_NAME                6 (c)
            304 LOAD_CONST              93 (31)
            306 BINARY_SUBSCR
            308 CALL_FUNCTION            1
            310 CALL_FUNCTION            1
            312 POP_TOP
 
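# Source lines 8-10 of the disassembly.
# The loop body is the code right after STORE_NAME i (offsets 274-296), which
# calls print(..., end=''). FOR_ITER's "to 298" is where execution continues
# once range(31) is exhausted, so offset 298 is the statement AFTER the loop.
for i in range(31):
    print(chr(c[i]), end='')
# Offsets 298-312: LOAD_CONST 31 indexes c with the constant, not with i.
print(chr(c[31]))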

4.完整程序

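# Hand reconstruction of the disassembled program.
# Constants come from the LOAD_CONST / BUILD_LIST / STORE_NAME runs
# (source lines 1-5 of the disassembly).
a = [114, 101, 118, 101, 114, 115, 101, 95,
     116, 104, 101, 95, 98, 121, 116, 101]  # "reverse_the_byte"
b = [99, 111, 100, 101, 95, 116, 111, 95,
     103, 101, 116, 95, 102, 108, 97, 103]  # "code_to_get_flag"
d = [335833164, 1155265242, 627920619, 1951749419,
     1931742276, 856821608, 489891514, 366025591,
     1256805508, 1106091325, 128288025, 234430359,
     314915121, 249627427, 207058976, 1573143998,
     1443233295, 245654538, 1628003955, 220633541,
     1412601456, 1029130440, 1556565611, 1644777223,
     853364248, 58316711, 734735924, 1745226113,
     1441619500, 1426836945, 500084794, 1534413607]
e = [80, 115, 193, 24, 226, 237, 202, 212,
     126, 46, 205, 208, 215, 135, 228, 199,
     63, 159, 117, 52, 254, 247, 0, 133,
     163, 248, 47, 115, 109, 248, 236, 68]
pos = [9, 6, 15, 10, 1, 0, 11, 7, 4, 12, 5, 3, 8, 2, 14, 13]

# NOTE: in the disassembly everything below is guarded by
# `if __name__ == '__main__':` (offsets 244-252). The guard is left out here,
# as in the original reconstruction, so the script runs the same either way.

# Lines 7-10: print the 32 characters of a+b on a single line.
c = a + b
for i in range(31):
    # Loop body is offsets 274-296: print with end='' (no newline).
    print(chr(c[i]), end='')
# Offset 298 is FOR_ITER's exit target: the last character is indexed with
# the constant 31 and printed with the default newline.
print(chr(c[31]))

# Lines 11-12: BINARY_ADD runs before BINARY_XOR, so the sum is XORed.
for i in range(16):
    a[i] = (a[i] + d[i]) ^ b[pos[i]]
# Lines 13-14: uses the values of a already updated by the loop above.
for i in range(16):
    b[i] = b[i] ^ a[pos[i]]
# Line 15: offset 402 is the exit target of the loop above, so the
# concatenation happens once, after the loop.
c = a + b
# Lines 16-19: reduce each element to a byte, XOR with e, print as a char.
for i in range(32):
    c[i] = c[i] * d[i] % 256
    c[i] ^= e[i]
    print(chr(c[i]), end='')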

posted @ 2022-10-19 12:12  merk11