  • re | [watevrCTF 2019]Repyc

    这题就是一坨shi
    用3.6以上的版本去反编译,linux环境下。

    # uncompyle6 version 3.7.4
    # Python bytecode 3.6 (3379)
    # Decompiled from: Python 3.8.4 (default, Jul 13 2020, 21:16:07) 
    # [GCC 9.3.0]
    # Embedded file name: circ.py
    # Compiled at: 2019-12-14 02:29:55
    # Size of source mod 2**32: 5146 bytes
    # Obfuscated small-integer constants used by the interpreter and program below:
    # 佤 is 0, 侰 is (~0) * (~0) == (-1) * (-1) == 1, and 俴 is 1 + 1 == 2.
    佤 = 0
    侰 = (~佤) ** 2
    俴 = 2 * 侰
    
    def 䯂(䵦):
        """Run a list-encoded program on a small register-based virtual machine.

        䵦 is a list of instructions. Each instruction is a list whose first
        item is an opcode glyph and whose remaining items are operands.
        Execution stops when the opcode at the program counter is '듃'.

        State kept by the interpreter:
            굴 -- program counter (index into 䵦)
            괠 -- register file of 俴 ** (俴 * 俴) slots (16 when 俴 is 2)
            궓 -- 100 memory cells
            괣 -- list used as a stack of jump targets
            굿 -- assigned once and never read in this function

        Plain jumps ('뭿', '뮓', '뮳') and the compare opcode '꽲' fall through
        to the final increment, so execution resumes one past the stored
        target. Taken conditional jumps use `continue` and resume exactly at
        the target. An opcode that matches no branch is skipped.
        """
        굴 = 佤  # program counter
        굿 = 佤  # unused
        괠 = [佤] * 俴 ** (俴 * 俴)  # registers
        궓 = [佤] * 100  # memory cells
        괣 = []  # stack of jump targets
        while 䵦[굴][佤] != '듃':  # '듃' halts the machine
            # The opcode glyphs are Hangul syllables, which have no case
            # mapping, so .lower() leaves them unchanged.
            굸 = 䵦[굴][佤].lower()
            亀 = 䵦[굴][侰:]  # operands: everything after the opcode
            if 굸 == '뉃':  # add: reg[a] = reg[b] + reg[c]
                괠[亀[佤]] = 괠[亀[侰]] + 괠[亀[俴]]
            else:
                if 굸 == '렀':  # xor: reg[a] = reg[b] ^ reg[c]
                    괠[亀[佤]] = 괠[亀[侰]] ^ 괠[亀[俴]]
                else:
                    if 굸 == '렳':  # sub: reg[a] = reg[b] - reg[c]
                        괠[亀[佤]] = 괠[亀[侰]] - 괠[亀[俴]]
                    else:
                        if 굸 == '냃':  # mul: reg[a] = reg[b] * reg[c]
                            괠[亀[佤]] = 괠[亀[侰]] * 괠[亀[俴]]
                        else:
                            if 굸 == '뢯':  # div (true division): reg[a] = reg[b] / reg[c]
                                괠[亀[佤]] = 괠[亀[侰]] / 괠[亀[俴]]
                            else:
                                if 굸 == '륇':  # and: reg[a] = reg[b] & reg[c]
                                    괠[亀[佤]] = 괠[亀[侰]] & 괠[亀[俴]]
                                else:
                                    if 굸 == '맳':  # or: reg[a] = reg[b] | reg[c]
                                        괠[亀[佤]] = 괠[亀[侰]] | 괠[亀[俴]]
                                    else:
                                        if 굸 == '괡':  # self-assignment: reg[a] = reg[a], the second operand is ignored
                                            괠[亀[佤]] = 괠[亀[佤]]
                                        else:
                                            if 굸 == '뫇':  # register copy: reg[a] = reg[b]
                                                괠[亀[佤]] = 괠[亀[侰]]
                                            else:
                                                if 굸 == '꼖':  # load immediate: reg[a] = operand b itself
                                                    괠[亀[佤]] = 亀[侰]
                                                else:
                                                    if 굸 == '뫻':  # store: mem[a] = reg[b]
                                                        궓[亀[佤]] = 괠[亀[侰]]
                                                    else:
                                                        if 굸 == '딓':  # load: reg[a] = mem[b]
                                                            괠[亀[佤]] = 궓[亀[侰]]
                                                        else:
                                                            if 굸 == '댒':  # clear register: reg[a] = 0
                                                                괠[亀[佤]] = 佤
                                                            else:
                                                                if 굸 == '묇':  # clear memory cell: mem[a] = 0
                                                                    궓[亀[佤]] = 佤
                                                                else:
                                                                    if 굸 == '묟':  # read a line into reg[a], using reg[b] as the prompt
                                                                        괠[亀[佤]] = input(괠[亀[侰]])
                                                                    else:
                                                                        if 굸 == '꽺':  # read a line into mem[a], using reg[b] as the prompt
                                                                            궓[亀[佤]] = input(괠[亀[侰]])
                                                                        else:
                                                                            if 굸 == '돯':  # print reg[a]
                                                                                print(괠[亀[佤]])
                                                                            else:
                                                                                if 굸 == '뭗':  # print mem[a]
                                                                                    print(궓[亀[佤]])
                                                                                else:
                                                                                    if 굸 == '뭿':  # jump: pc = reg[a] (then incremented below)
                                                                                        굴 = 괠[亀[佤]]
                                                                                    else:
                                                                                        if 굸 == '뮓':  # jump: pc = mem[a] (then incremented below)
                                                                                            굴 = 궓[亀[佤]]
                                                                                        else:
                                                                                            if 굸 == '뮳':  # pc = value popped from the stack (then incremented below)
                                                                                                굴 = 괣.pop()
                                                                                            else:
                                                                                                if 굸 == '믃':  # if reg[b] > reg[c]: pc = immediate a, push it, resume there
                                                                                                    if 괠[亀[侰]] > 괠[亀[俴]]:
                                                                                                        굴 = 亀[佤]
                                                                                                        괣.append(굴)
                                                                                                        continue
                                                                                                else:
                                                                                                    if 굸 == '꽲':  # compare reg[a] with reg[b]; on mismatch set reg[7] and pc = reg[c]
                                                                                                        괠[7] = 佤  # reg[7] is reset to 0 before the comparison
                                                                                                        # The loop runs len(reg[a]) times but compares the two whole
                                                                                                        # values each time; the index i is not used in the body.
                                                                                                        for i in range(len(괠[亀[佤]])):
                                                                                                            if 괠[亀[佤]] != 괠[亀[侰]]:
                                                                                                                괠[7] = 侰
                                                                                                                굴 = 괠[亀[俴]]
                                                                                                                괣.append(굴)
    
                                                                                                    else:
                                                                                                        if 굸 == '꾮':  # reg[a] (a string) = each character XOR reg[b]
                                                                                                            괢 = ''
                                                                                                            for i in range(len(괠[亀[佤]])):
                                                                                                                괢 += chr(ord(괠[亀[佤]][i]) ^ 괠[亀[侰]])
    
                                                                                                            괠[亀[佤]] = 괢
                                                                                                        else:
                                                                                                            if 굸 == '꿚':  # reg[a] (a string) = each character minus reg[b]
                                                                                                                괢 = ''
                                                                                                                for i in range(len(괠[亀[佤]])):
                                                                                                                    괢 += chr(ord(괠[亀[佤]][i]) - 괠[亀[侰]])
    
                                                                                                                괠[亀[佤]] = 괢
                                                                                                            else:
                                                                                                                if 굸 == '떇':  # if reg[b] > reg[c]: pc = reg[a], push it, resume there
                                                                                                                    if 괠[亀[侰]] > 괠[亀[俴]]:
                                                                                                                        굴 = 괠[亀[佤]]
                                                                                                                        괣.append(굴)
                                                                                                                        continue
                                                                                                                else:
                                                                                                                    if 굸 == '뗋':  # if reg[b] > reg[c]: pc = mem[a], push it, resume there
                                                                                                                        if 괠[亀[侰]] > 괠[亀[俴]]:
                                                                                                                            굴 = 궓[亀[佤]]
                                                                                                                            괣.append(굴)
                                                                                                                            continue
                                                                                                                    else:
                                                                                                                        if 굸 == '똷':  # if reg[b] == reg[c]: pc = immediate a, push it, resume there
                                                                                                                            if 괠[亀[侰]] == 괠[亀[俴]]:
                                                                                                                                굴 = 亀[佤]
                                                                                                                                괣.append(굴)
                                                                                                                                continue
                                                                                                                        else:
                                                                                                                            if 굸 == '뚫':  # if reg[b] == reg[c]: pc = reg[a], push it, resume there
                                                                                                                                if 괠[亀[侰]] == 괠[亀[俴]]:
                                                                                                                                    굴 = 괠[亀[佤]]
                                                                                                                                    괣.append(굴)
                                                                                                                                    continue
                                                                                                                            else:
                                                                                                                                if 굸 == '띇':  # if reg[b] == reg[c]: pc = mem[a], push it, resume there
                                                                                                                                    if 괠[亀[侰]] == 괠[亀[俴]]:
                                                                                                                                        굴 = 궓[亀[佤]]
                                                                                                                                        괣.append(굴)
                                                                                                                                        continue
            굴 += 侰  # advance to the next instruction
    
    
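    # Program fed to the interpreter 䯂. The number in each comment is the
    # instruction index, which is what the jump opcodes use as a target.
    #
    # The constant loaded into register 6 is restored from the scraped page:
    # the three `\xNN` escapes had lost their backslash (a literal 'x' would
    # decode to NUL under (c + 15) ^ 135, while \x97, \x9a and \x99 decode to
    # '!', '.' and '/'). Every character must be a single code point below
    # 0x100; a fused character outside that range (such as 'ɳ' in place of
    # 'É³') is an encoding artifact.
    䯂([
        ['꼖', 佤, 'Authentication token: '],  # 0: reg[0] = prompt text
        ['꽺', 佤, 佤],  # 1: mem[0] = input(reg[0])
        # 2: reg[6] = encoded reference string the transformed input is compared with
        ['꼖', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔÉ³ÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
        ['꼖', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],  # 3: reg[2] = 2**7 - 2**3 = 120 (with 俴 == 2, 侰 == 1)
        ['꼖', 4, 15],  # 4: reg[4] = 15
        ['꼖', 3, 侰],  # 5: reg[3] = 1
        ['냃', 俴, 俴, 3],  # 6: reg[2] = reg[2] * reg[3] = 120
        ['뉃', 俴, 俴, 4],  # 7: reg[2] = reg[2] + reg[4] = 135
        ['괡', 佤, 俴],  # 8: no effect (the handler assigns reg[0] to itself)
        ['댒', 3],  # 9: reg[3] = 0
        ['꾮', 6, 3],  # 10: reg[6] XOR reg[3] per character; reg[3] is 0, so reg[6] is unchanged
        ['꼖', 佤, 'Thanks.'],  # 11: reg[0] = 'Thanks.'
        ['꼖', 侰, 'Authorizing access...'],  # 12: reg[1] = success message
        ['돯', 佤],  # 13: print reg[0]
        ['딓', 佤, 佤],  # 14: reg[0] = mem[0] (the token read at index 1)
        ['꾮', 佤, 俴],  # 15: each character of reg[0] XOR reg[2] (135)
        ['꿚', 佤, 4],  # 16: each character of reg[0] minus reg[4] (15)
        ['꼖', 5, 19],  # 17: reg[5] = 19, the target used on mismatch
        # 18: compare reg[0] with reg[6]. On mismatch pc = reg[5] = 19 and the
        # interpreter's trailing increment resumes at index 20 ('듃'), so as
        # listed the 'Access denied!' instructions at 21-22 are not reached;
        # this is possibly a decompilation artifact.
        ['꽲', 佤, 6, 5],
        ['돯', 侰],  # 19: print reg[1] ('Authorizing access...')
        ['듃'],  # 20: halt
        ['꼖', 侰, 'Access denied!'],  # 21: reg[1] = failure message
        ['돯', 侰],  # 22: print reg[1]
        ['듃'],  # 23: halt
    ])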
    

    好家伙,果然反编译出来一坨shi
    明显的虚拟机
    行吧
    然后就是一通分析,这里借用misaka师傅的整理:https://blog.csdn.net/Misaka10046/article/details/111400928
    然后整理出来就是这种东西:

    # Readable names for the three small constants 0, 1 and 2; the interpreter
    # and program below use the literal values directly.
    a, b, c = 0, 1, 2
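    def main(p):
        """Interpret the list-encoded program *p* on a small register VM.

        Each instruction is a list ``[opcode, operand, ...]``. Execution stops
        when the opcode at the program counter is ``'nop'``. Opcode names are
        lower-cased before dispatch, so every handler below is keyed in lower
        case: ``'Clear'`` and ``'Clear1'`` in a program match ``'clear'`` and
        ``'clear1'``. (Comparing against the capitalised spellings could never
        succeed after ``.lower()``.)

        State:
            m -- program counter (index into *p*)
            t -- 16 registers
            y -- 100 memory cells
            x -- list used as a stack of jump targets

        Plain jumps (``mov3``, ``mov4``, ``pop``) and ``cmp+push1`` fall
        through to the final ``m += 1`` and resume one past the stored target.
        Taken conditional jumps ``continue`` and resume exactly at the target.

        Returns None. Output goes through ``print`` and input comes from
        ``input``. An opcode that matches no handler is skipped.
        """
        m = 0
        t = [0] * 16
        y = [0] * 100
        x = []
        while p[m][0] != 'nop':
            opcode = p[m][0].lower()
            h = p[m][1:]  # operands: everything after the opcode
            if opcode == 'add':
                t[h[0]] = t[h[1]] + t[h[2]]
            elif opcode == 'xor':
                t[h[0]] = t[h[1]] ^ t[h[2]]
            elif opcode == 'sub':
                t[h[0]] = t[h[1]] - t[h[2]]
            elif opcode == 'mul':
                t[h[0]] = t[h[1]] * t[h[2]]
            elif opcode == 'div':
                t[h[0]] = t[h[1]] / t[h[2]]  # true division, as in the decompiled VM
            elif opcode == 'and':
                t[h[0]] = t[h[1]] & t[h[2]]
            elif opcode == 'or':
                t[h[0]] = t[h[1]] | t[h[2]]
            elif opcode == 'equ':
                t[h[0]] = t[h[0]]  # self-assignment; the second operand is ignored
            elif opcode == 'lea':
                t[h[0]] = t[h[1]]  # register copy
            elif opcode == 'mov':
                t[h[0]] = h[1]  # load immediate
            elif opcode == 'mov1':
                y[h[0]] = t[h[1]]  # store register to memory
            elif opcode == 'mov2':
                t[h[0]] = y[h[1]]  # load memory to register
            elif opcode == 'clear':
                t[h[0]] = 0
            elif opcode == 'clear1':
                y[h[0]] = 0
            elif opcode == 'input':
                t[h[0]] = input(t[h[1]])
            elif opcode == 'input1':
                y[h[0]] = input(t[h[1]])
            elif opcode == 'print':
                print(t[h[0]])
            elif opcode == 'print1':
                print(y[h[0]])
            elif opcode == 'mov3':
                m = t[h[0]]  # jump via register; incremented below
            elif opcode == 'mov4':
                m = y[h[0]]  # jump via memory; incremented below
            elif opcode == 'pop':
                m = x.pop()  # jump to popped target; incremented below
            elif opcode == 'cmp+push':
                if t[h[1]] > t[h[2]]:
                    m = h[0]
                    x.append(m)
                    continue
            elif opcode == 'cmp+push1':
                t[7] = 0  # register 7 is reset to 0 before the comparison
                # The loop runs len(t[h[0]]) times but compares the two whole
                # values on every pass, exactly as the decompiled VM does.
                for _ in range(len(t[h[0]])):
                    if t[h[0]] != t[h[1]]:
                        t[7] = 1
                        m = t[h[2]]
                        x.append(m)
            elif opcode == 'xor+mov':
                # Replace the string in t[h[0]] with each character XOR t[h[1]].
                t[h[0]] = ''.join(chr(ord(ch) ^ t[h[1]]) for ch in t[h[0]])
            elif opcode == 'sub+mov':
                # Replace the string in t[h[0]] with each character minus t[h[1]].
                t[h[0]] = ''.join(chr(ord(ch) - t[h[1]]) for ch in t[h[0]])
            elif opcode == 'cmp+push2':
                if t[h[1]] > t[h[2]]:
                    m = t[h[0]]
                    x.append(m)
                    continue
            elif opcode == 'cmp+push3':
                if t[h[1]] > t[h[2]]:
                    m = y[h[0]]
                    x.append(m)
                    continue
            elif opcode == 'cmp+push4':
                if t[h[1]] == t[h[2]]:
                    m = h[0]
                    x.append(m)
                    continue
            elif opcode == 'cmp':
                if t[h[1]] == t[h[2]]:
                    m = t[h[0]]
                    x.append(m)
                    continue
            elif opcode == 'cmp1':
                if t[h[1]] == t[h[2]]:
                    m = y[h[0]]
                    x.append(m)
                    continue
            m += 1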
    
    
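    # Program for main(). The number in each comment is the instruction index,
    # which is what the jump opcodes use as a target.
    #
    # The constant loaded into register 6 is restored from the scraped page:
    # the three `\xNN` escapes had lost their backslash (a literal 'x' would
    # decode to NUL under (c + 15) ^ 135, while \x97, \x9a and \x99 decode to
    # '!', '.' and '/'). Every character must be a single code point below
    # 0x100; a fused character outside that range (such as 'ɳ' in place of
    # 'É³') is an encoding artifact.
    main([
        ['mov', 0, 'Authentication token: '],  # 0: t[0] = prompt text
        ['input1', 0, 0],  # 1: y[0] = input(t[0])
        # 2: t[6] = encoded reference string the transformed input is compared with
        ['mov', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔÉ³ÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
        ['mov', 2, 120],  # 3: t[2] = 120
        ['mov', 4, 15],  # 4: t[4] = 15
        ['mov', 3, 1],  # 5: t[3] = 1
        ['mul', 2, 2, 3],  # 6: t[2] = t[2] * t[3] = 120
        ['add', 2, 2, 4],  # 7: t[2] = t[2] + t[4] = 135
        ['equ', 0, 2],  # 8: no effect (the handler assigns t[0] to itself)
        ['Clear', 3],  # 9: t[3] = 0
        ['xor+mov', 6, 3],  # 10: t[6] XOR t[3] per character; with t[3] == 0 the string is unchanged
        ['mov', 0, 'Thanks.'],  # 11: t[0] = 'Thanks.'
        ['mov', 1, 'Authorizing access...'],  # 12: t[1] = success message
        ['print', 0],  # 13: print t[0]
        ['mov2', 0, 0],  # 14: t[0] = y[0] (the token read at index 1)
        ['xor+mov', 0, 2],  # 15: each character of t[0] XOR t[2] (135)
        ['sub+mov', 0, 4],  # 16: each character of t[0] minus t[4] (15)
        ['mov', 5, 19],  # 17: t[5] = 19, the target used on mismatch
        # 18: compare t[0] with t[6]. On mismatch m = t[5] = 19 and the
        # interpreter's trailing increment resumes at index 20 ('nop'), so as
        # listed the 'Access denied!' instructions at 21-22 are not reached;
        # this is possibly a decompilation artifact.
        ['cmp+push1', 0, 6, 5],
        ['print', 1],  # 19: print t[1] ('Authorizing access...')
        ['nop'],  # 20: halt
        ['mov', 1, 'Access denied!'],  # 21: t[1] = failure message
        ['print', 1],  # 22: print t[1]
        ['nop'],  # 23: halt
    ])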
    

    分析虚拟机执行流程,

    先让输入的每个字符与135异或,再减去15,然后把结果与寄存器6中的常量字符串比较。简单清晰。

    嗯就是这样
    然后反推一下就好:对常量字符串的每个字符先加15,再与135异或。
    over.

  • 原文地址:https://www.cnblogs.com/Mz1-rc/p/14256932.html