Juana111 posted on 2024-7-22 10:55

Reverse engineering write-up: 矩阵杯 (Matrix Cup) Packpy

Scored zero and couldn't understand a thing. Checking whether Packpy is packed: after looking it up I found the header had been modified, so just change the file header back to UPX! and repair it (what follows is just a pure newbie reproduction). While doing the problem I found it was a program packed by pyinstxtractor, but time was far too tight to study it at all. Jumping to the wiki: for this problem it is the ELF file format unpacking case. Using the command

objcopy --dump-section pydata=Packer.dump /home/juana-2u/RE/packpy

gives a dump file. [screenshot] Then use the following command to unpack the dump that was obtained, which yields the process memory image file (don't know what it's called), i.e. a familiar pyc file, and decompile it directly.

python3 pyinstxtractor.py Packer.dump

[screenshot]

The decompiled code is as follows:

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8

import base58
import zlib
import marshal

try:
    scrambled_code_string = b'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'
    exec(marshal.loads(zlib.decompress(base58.b58decode(scrambled_code_string))))
finally:
    pass
# (the decompiler emitted a stray module-level `return None` here; dropped so the file parses)

Found that the file header was still missing, so generate an arbitrary pyc file:

import py_compile
py_compile.compile('test.py')
import base58
import zlib
import marshal

scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
# exec(marshal.loads(zlib.decompress(base58.b58decode(scrambled_code_string))))
pyc = zlib.decompress(base58.b58decode(scrambled_code_string))   # marshalled code object, no pyc header
# pyc header written with spaces: bytes.fromhex('55 0D 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00'.replace(' ', ''))
HEAD = bytes.fromhex('550D0D0A000000000000000000000000')  # Python 3.8 magic (55 0D 0D 0A) + 12 zero header bytes
with open('packer_1.pyc', 'wb') as f:
    f.write(HEAD + pyc)

Re-decompiling the pyc file with the header prepended gives the code:

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8

import random
# tool.lu printed this bytes object with %xx escapes (b'%18%fa%add%ed...%0f%ff'); written here as a proper bytes literal
encdata = b'\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff'

def generate_key(seed_value):
    key = list(range(256))
    random.seed(seed_value)
    random.shuffle(key)
    return bytes(key)


def encrypt(data, key):
    encrypted = bytearray()
    for byte in data:
        # substitute through the shuffled table, then XOR with 95
        # (the decompiler output read `key ^ 95`, dropping the `[byte]` index)
        encrypted.append(key[byte] ^ 95)
    return bytes(encrypted)


try:
    flag = input('input your flag:')
    key = generate_key(len(flag))
    data = flag.encode()
    encrypted_data = encrypt(data, key)
    if encrypted_data == encdata:
      print('good')
finally:
    pass
# (stray module-level `return None` from the decompiler dropped here as well)

A quick analysis:
[*] generate_key uses the flag length as the seed to generate the key, and shuffles the key with random.shuffle
[*] data is encrypted and XORed, then compared with encdata, i.e. encdata is the final comparison data
import random

# encdata as printed by tool.lu with %xx escapes; converted by hand to a bytes literal below
raw_hex_string = "%18%fa%add%ed%ab%ad%9d%e5%c0%ad%fa%f9%0be%f9%e5%ade6%f9%fd%88%f9%9d%e5%9c%e5%9de%c3))%0f%ff"
# s_replaced = raw_hex_string.replace('%', '\\x')
# print(s_replaced)
s_replaced = b'\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff'

# rebuild the same key: the seed is the flag length, which equals the ciphertext length
key = list(range(256))
random.seed(len(s_replaced))
random.shuffle(key)

flag = []
for x in s_replaced:
    x ^= 95                    # undo the XOR
    flag.append(key.index(x))  # invert the substitution: position of the value in the shuffled table
print(bytes(flag))

Got flag{mar3hal_Is_3asy_t0_r3v3rse!!@}
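Added example (not code from the original post or from the challenge): one script covering the two steps above, restoring a pyc header around a marshalled code object and inverting the substitution-plus-XOR check. It assumes the check is `key[byte] ^ 95`, as the solve script's `key.index` implies, and demonstrates the header step on a snippet compiled under the running interpreter, because the 3.8 body from the challenge can only be unmarshalled by a 3.8 interpreter. The `flag{...}` shape filter in the brute-force path and all function names are my own assumptions.

```python
import importlib.util
import marshal
import random
import struct
import types
from typing import Optional

# Python 3.8 pyc magic from the write-up ("550D0D0A" + 12 zero bytes).
MAGIC_38 = bytes.fromhex("550D0D0A")


def build_pyc(marshalled_code: bytes, magic: bytes = MAGIC_38) -> bytes:
    """Prepend a PEP 552 header (magic, flags, mtime, source size) to a marshalled
    code object so decompilers accept it as a .pyc. flags=0 selects timestamp-based
    invalidation; mtime and size are zero because the source is unknown."""
    return magic + struct.pack("<III", 0, 0, 0) + marshalled_code


def load_pyc(pyc: bytes) -> types.CodeType:
    """Strip the 16-byte header and unmarshal. Refuses a foreign magic number:
    the marshal format differs across interpreter versions, so a 3.8 body must
    be loaded under 3.8 (the write-up feeds it to tool.lu instead)."""
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError(f"pyc magic {pyc[:4]!r} does not match this interpreter")
    return marshal.loads(pyc[16:])


def pyc_roundtrip_demo() -> int:
    """Compile a throw-away snippet, marshal it, wrap it in a header for the
    running interpreter, and load it back: the header restoration step."""
    code = compile("answer = 6 * 7", "<demo>", "exec")
    pyc = build_pyc(marshal.dumps(code), importlib.util.MAGIC_NUMBER)
    namespace: dict = {}
    exec(load_pyc(pyc), namespace)
    return namespace["answer"]


def generate_key(seed_value: int) -> bytes:
    # Same routine as the decompiled program: seed with the flag length and
    # shuffle the identity permutation of 0..255.
    key = list(range(256))
    random.seed(seed_value)
    random.shuffle(key)
    return bytes(key)


def encrypt(data: bytes, key: bytes) -> bytes:
    # The challenge's check (assumed): substitute each byte through key, then XOR with 95.
    return bytes(key[b] ^ 95 for b in data)


def decrypt(enc: bytes, key: bytes) -> bytes:
    # Undo the XOR, then invert the permutation with a 256-entry inverse table
    # instead of calling key.index() for every byte.
    inverse = [0] * 256
    for position, value in enumerate(key):
        inverse[value] = position
    return bytes(inverse[c ^ 95] for c in enc)


def recover_flag(enc: bytes, seed: Optional[int] = None, max_seed: int = 256) -> bytes:
    """The program seeds with len(flag), which equals len(enc) because the cipher
    keeps the length. If the seed were not known, every candidate below max_seed
    is tried and filtered by a flag{...} shape (an assumed flag format)."""
    if seed is not None:
        return decrypt(enc, generate_key(seed))
    for candidate in range(max_seed):
        plain = decrypt(enc, generate_key(candidate))
        if plain.startswith(b"flag{") and plain.endswith(b"}"):
            return plain
    raise ValueError("no seed below max_seed gives a flag-shaped plaintext")


# encdata from the decompiled program, with tool.lu's %xx escapes turned into a bytes literal
ENCDATA = (b"\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6"
           b"\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff")


if __name__ == "__main__":
    print("pyc round trip:", pyc_roundtrip_demo())
    flag = recover_flag(ENCDATA, seed=len(ENCDATA))
    print("flag:", flag.decode())
    # the decryption is only right if re-encrypting reproduces the ciphertext
    assert encrypt(flag, generate_key(len(flag))) == ENCDATA
```

Run it under any Python 3 interpreter: the seed is an integer, so the Mersenne Twister stream and random.shuffle are deterministic across versions, and the re-encryption assert at the end is the check that the inverse table really undoes the substitution.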

msmvc posted on 2024-7-23 09:20

Anyone who can play with this is an expert.

晓晓520 posted on 2024-7-23 17:03

gegegefei posted on 2024-7-24 07:02

Thanks for sharing; I've read it several times and still don't quite understand.

Juana111 posted on 2024-7-24 18:17

gegegefei posted on 2024-7-24 07:02
Thanks for sharing; I've read it several times and still don't quite understand.

What is it you don't understand?

AMingMing posted on 2024-7-24 19:59

Thanks for sharing; I've read it several times and still don't quite understand.

crapeber posted on 2024-7-24 21:41

This is a sign-in problem; only the UPX header was changed.

晓晓520 posted on 2024-7-30 16:16

Juana111 posted on 2024-7-30 14:07
I can look into it

Thanks, boss.