[GWCTF 2019]pyre

<p>[TOC]</p> <h1>🌓分析</h1> <p>pyc文件逆向，直接在线反编译 <a href="https://tool.lu/pyc/">https://tool.lu/pyc/</a></p> <pre><code class="language-python">#!/usr/bin/env python # visit https://tool.lu/pyc/ for more information # Version: Python 2.7 print 'Welcome to Re World!' print 'Your input1 is your flag~' l = len(input1) for i in range(l): num = ((input1[i] + i) % 128 + 128) % 128 code += num for i in range(l - 1): code[i] = code[i] ^ code[i + 1] print code code = [ '%1f', '%12', '%1d', '(', '0', '4', '%01', '%06', '%14', '4', ',', '%1b', 'U', '?', 'o', '6', '*', ':', '%01', 'D', ';', '%', '%13']</code></pre> <p>这个网站反编译不是很好，可以再使用另一个 <a href="https://www.toolnb.com/tools/pyc.html">https://www.toolnb.com/tools/pyc.html</a></p> <pre><code class="language-python"># uncompyle6 version 3.5.0 # Python bytecode 2.7 (62211) # Decompiled from: Python 2.7.5 (default, Nov 16 2020, 22:23:17) # [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] # Embedded file name: encode.py # Compiled at: 2019-08-19 21:01:57 print 'Welcome to Re World!' print 'Your input1 is your flag~' l = len(input1) for i in range(l): num = ((input1[i] + i) % 128 + 128) % 128 code += num for i in range(l - 1): code[i] = code[i] ^ code[(i + 1)] print code code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']</code></pre> <p>可以根据脚本大概写出逆向脚本</p> <h1>🌓Exploit</h1> <pre><code class="language-python"># --run-- code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13'] l = len(code) for i in range(l-2, -1, -1): code[i] = chr(ord(code[i]) ^ ord(code[i+1])) for i in range(l): code[i] = chr((ord(code[i]) - i) % 128) print(''.join(code)) # GWHT{Just_Re_1s_Ha66y!}</code></pre> <h1>🌓附件</h1> <p><a href="https://cowtransfer.com/s/4c44ef2389dd4f">https://cowtransfer.com/s/4c44ef2389dd4f</a></p>