爆0 看不懂一点Packpy检测是否有壳情况,查阅资料发现是头被改掉了直接将文件头改为UPX!修复一下(下面就是菜逼纯复现了)做题的时候发现是pyinstxtractor这个东西打包的程序,但时间太赶完全没有时间去研究跳转到wiki,就题来说是ELF文件格式的解包情况使用命令[Shell] 纯文本查看 复制代码 objcopy --dump-section pydata=Packer.dump /home/juana-2u/RE/packpy 就获得了一个dump文件再使用命令,解获得的dump包,就可以获得该进程内存镜像的文件(不知道叫啥),就是获得了一个熟悉的pyc文件,直接反编译。[Shell] 纯文本查看 复制代码 python3 pyinstxtractor.py Packer.dump pyc反编译之后的代码如下:[Python] 纯文本查看 复制代码 #!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8
import base58
import zlib
import marshal
try:
    # Stage-1 loader recovered from the dumped .pyc: the real program is a
    # base58 -> zlib -> marshal chain stored in this literal and executed at import.
    scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
    compressed = base58.b58decode(scrambled_code_string)
    code_object = marshal.loads(zlib.decompress(compressed))
    # exec() of an unmarshalled code object: when analysing, stop before this line and
    # write the decompressed bytes to disk instead (see the dump script further down).
    exec(code_object)
finally:
    # Decompiler artifact: the try/finally does no cleanup.
    pass
return None 发现还缺少文件头的部分,随便生成一个pyc文件:[Python] 纯文本查看 复制代码 import py_compile
# Compile a throwaway module so a genuine Python 3.8 .pyc header can be looked at and
# copied: the decompressed payload is a bare code object without the 16-byte header.
py_compile.compile('test.py')
import base58
import zlib
import marshal
scrambled_code_string = b'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'
# The loader ran exec(marshal.loads(...)) on this payload; here it is only decoded
# and kept as bytes so it can be written to disk and decompiled offline.
compressed = base58.b58decode(scrambled_code_string)
pyc = zlib.decompress(compressed)
# .pyc header for Python 3.8: magic 55 0D 0D 0A, then 12 zero bytes (flags,
# timestamp and source size are not checked by the decompiler).
HEAD = b'\x55\x0d\x0d\x0a' + bytes(12)
with open('packer_1.pyc','wb') as f:
f.write(HEAD+pyc) 对加上文件头的pyc文件重新反编译获得代码[Python] 纯文本查看 复制代码 #!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8
import random
# Expected ciphertext. The decompiler prints non-printable bytes as %XX escapes, so this
# literal is its display form; the actual byte values are the \xXX bytes re-typed by hand
# in the solve script as s_replaced.
encdata = b'%18%fa%add%ed%ab%ad%9d%e5%c0%ad%fa%f9%0be%f9%e5%ade6%f9%fd%88%f9%9d%e5%9c%e5%9de%c3))%0f%ff'
def generate_key(seed_value):
    """Return a 256-byte substitution table.

    The identity permutation of 0..255 is shuffled with the module-level RNG after
    seeding it with *seed_value* (the caller passes the flag length), so the same
    seed always yields the same table.
    """
    table = bytearray(range(256))
    random.seed(seed_value)
    random.shuffle(table)
    return bytes(table)
def encrypt(data, key):
    """Map every byte of *data* through the substitution table *key*, then XOR with 95.

    Returns the transformed bytes; the output has the same length as *data*.
    """
    return bytes(key[b] ^ 95 for b in data)
try:
    flag = input('input your flag:')
    # The table depends only on the flag's length; the substitution preserves
    # length, so the ciphertext length alone is enough to rebuild the table.
    key = generate_key(len(flag))
    data = flag.encode()
    encrypted_data = encrypt(data, key)
    if encrypted_data == encdata:
        print('good')
finally:
    # Decompiler artifact: nothing to clean up.
    pass
return None 简单分析一下- generate_key以flag的长度作为种子生成key值,使用shuffle函数随机打乱key值
- data加密并异或处理之后与encdata进行对比,即encdata作为最后的对比数据
[Python] 纯文本查看 复制代码 import random
import re
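# Ciphertext as the decompiler displayed it (%XX escapes). Kept for reference only:
# it carries a stray '%' before the '))' that encdata above does not have, so the
# hand-transcribed bytes in s_replaced are the authoritative input.
raw_hex_string = "%18%fa%add%ed%ab%ad%9d%e5%c0%ad%fa%f9%0be%f9%e5%ade6%f9%fd%88%f9%9d%e5%9c%e5%9de%c3%))%0f%ff"
s_replaced = b'\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff'
# generate_key() seeded the global RNG with len(flag); the byte substitution keeps
# the length, so len(ciphertext) is the seed and the table is reproducible.
key = list(range(256))
random.seed(len(s_replaced))
random.shuffle(key)
# Invert the substitution once (a 256-entry lookup) rather than calling
# key.index() for every ciphertext byte.
inverse = {substituted: plain for plain, substituted in enumerate(key)}
# encrypt() computed key[b] ^ 95, so undo the XOR first, then the substitution.
flag = [inverse[c ^ 95] for c in s_replaced]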
print(bytes(flag)) 获得[Python] 纯文本查看 复制代码 flag{mar3hal_Is_3asy_t0_r3v3rse!!@}