湖湘杯2020_ReMe
本帖最后由 0xK4ws 于 2020-11-4 19:32 编辑第一次发帖 还请师傅们多多包涵!
查壳后发现是由Python2.7环境下编译得到的exe可执行文件
由此想到可将exe转为pyc文件再反编译成py文件
且该方法只适用于py2 无混淆 因为py3的字节码结构有些许变化
step1:
在该目录下启动archive_viewer.py程序操作该可执行文件
后分别使用x struct和x ReMe语句提取struct和生成的pyc文件 文件保存在当前目录中
step2:
后来发现ReMe缺少部分文件头 后使用工具010editor将struct作为模板 把struct的头添加到ReMe中并保存
step3:
使用神器uncompyle6将pyc文件反编译为py文件
uncompyle6 ReMe.pyc >test.py
uncompyle6安装命令(pip install uncompyle6)
后得到完整源码
~~~~
import sys, hashlib
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']
def func(num):
result = []
while num != 1:
num = num * 3 + 1 if num % 2 else num // 2
result.append(num)
return result
if __name__ == '__main__':
print('Your input is not the FLAG!')
inp = input()
if len(inp) != 27:
print('length error!')
sys.exit(-1)
for i, ch in enumerate(inp):
ret_list = func(ord(ch))
s = ''
for idx in range(len(ret_list)):
s += str(ret_list)
s += str(ret_list[(len(ret_list) - idx - 1)])
md5 = hashlib.md5()
md5.update(s.encode('utf-8'))
if md5.hexdigest() != check:
sys.exit(i)
md5 = hashlib.md5()
md5.update(inp.encode('utf-8'))
print('You win!')
print('flag{' + md5.hexdigest() + '}')
~~~~
直接修改代码爆破flag
~~~~
import sys, hashlib
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']
def func(num):
result = []
while num != 1:
num = num * 3 + 1 if num % 2 else num // 2
result.append(num)
return result
if __name__ == '__main__':
inp = *27
if len(inp) != 27:
print('length error!')
sys.exit(-1)
flag = ''
for i, ch in enumerate(inp):
for each_num in range(30,128):
ret_list = func(each_num)
print(ret_list)
s = ''
for idx in range(len(ret_list)):
s += str(ret_list)
s += str(ret_list[(len(ret_list) - idx - 1)])
print(s)
md5 = hashlib.md5()
md5.update(s.encode('utf-8'))
if md5.hexdigest() != check:
continue
else:
flag += chr(each_num)
print(flag)
break
inp = flag
md5 = hashlib.md5()
md5.update(inp.encode('utf-8'))
print('You win!')
print('flag{' + md5.hexdigest() + '}')
~~~~
最后得到flag
冰露㊣神 发表于 2020-11-5 09:27
py代码自己写的吗?我咋看到跟份wp一样的
嗯 不是自己写的 当时比赛就只到了最后那步 太菜了 没逆出最后的脚本 后来比赛结束看到了师傅们的wp 然后就想着最后复现记录一下 py代码自己写的吗?我咋看到跟份wp一样的 感谢分享 学习了,感谢! 学习一下。谢谢分享。 跟着学习下,非常不错加油 学习了。谢谢楼主 感谢分享
页:
[1]
2