[柏鹭杯 2021]baby_python

最后更新于 2024-07-25 1171 字 预计阅读时间: 5 分钟


PE64位程序,解包完后发现有pyc被加密

进入解包后的文件夹发现import的pyc全部被加密

对baby.pyc进行反编译后得到

发现其调用了baby_python.baby_core下的main函数

找到解包根目录下的pyimod00_crypto_key文件,反汇编得到加密密钥,再用网上的脚本进行解密。由于密钥随程序一起打包,这种pyc加密只能起到混淆作用,并不能真正保护代码。

import glob
import zlib
import tinyaes
from pathlib import Path

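CRYPT_BLOCK_SIZE = 16

# Key recovered from pyimod00_crypto_key in the unpacked bundle. Because the
# key ships inside the executable, this layer is obfuscation, not protection.
key = bytes('f8c0870eba862579', 'utf-8')

# 16-byte pyc header: magic 0x0D42 (CPython 3.7) followed by zeroed flags,
# mtime and size fields. The magic has to match the interpreter the bundle was
# built with; a wrong value makes decompilers misidentify the bytecode version.
PYC_HEADER = b'\x42\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0'

# NOTE: the recovered .pyc files come from an untrusted binary. Decompile them
# for analysis; do not import or execute them.
for p in Path("./PYZ-00.pyz_extracted").glob("**/*.pyc.encrypted"):
    # Read and decrypt first, so a damaged entry raises before any output file
    # is created and before the encrypted original is deleted.
    with open(p, 'rb') as inf:
        # The first block of each entry is the per-file initialization vector.
        iv = inf.read(CRYPT_BLOCK_SIZE)
        cipher = tinyaes.AES(key, iv)
        # AES-CTR decrypt the remainder, then undo the zlib compression.
        plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))

    # "x.pyc.encrypted" -> "x.pyc" in the same directory.
    with open(p.with_name(p.stem), 'wb') as outf:
        outf.write(PYC_HEADER)
        outf.write(plaintext)

    # Only reached when the decrypted file was written completely.
    p.unlink()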

# Python 2.7: \x03\xf3\x0d\x0a\0\0\0\0
# Python 3.0: \x3b\x0c\x0d\x0a\0\0\0\0
# Python 3.1: \x4f\x0c\x0d\x0a\0\0\0\0
# Python 3.2: \x6c\x0c\x0d\x0a\0\0\0\0
# Python 3.3: \x9e\x0c\x0d\x0a\0\0\0\0\0\0\0\0
# Python 3.4: \xee\x0c\x0d\x0a\0\0\0\0\0\0\0\0
# Python 3.5: \x17\x0d\x0d\x0a\0\0\0\0\0\0\0\0
# Python 3.6: \x33\x0d\x0d\x0a\0\0\0\0\0\0\0\0
# Python 3.7: \x42\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
# Python 3.8: \x55\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
# Python 3.9: \x61\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
# Python 3.10: \x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0

解密得到baby_python.baby_core.pyc,反编译后得到

# Source Generated with Decompyle++
# File: baby_python.baby_core.pyc (Python 3.7)
import hashlib
def md5(s = None):
    """Return the lowercase hexadecimal MD5 digest of the bytes-like *s*.

    The ``None`` default is what the decompiler printed; calling the function
    without an argument fails inside ``update``.
    """
    hasher = hashlib.md5()
    hasher.update(s)
    digest = hasher.hexdigest()
    return digest.lower()
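def main():
    """Prompt for the secret and print the flag when it passes every check.

    The secret must be 48 numeric characters. It is split into sixteen
    3-character groups, each parsed as an integer, and the resulting vector
    must satisfy sixteen linear equations (rows of ``co`` against ``r``).
    On success the flag is built from the MD5 of the secret; on any failed
    check the function returns ``None`` without printing anything.
    """
    secret = input('secret: ')
    if len(secret) != 48:
        return None
    # Decompyle++ printed `None.isnumeric()` and `values = None` at this point.
    # Both are decompiler artifacts (they would raise at runtime); presumably
    # the original tested `secret` and started from an empty list, which is
    # what the following loop over `secret` requires.
    if not secret.isnumeric():
        return None
    # Sixteen unknowns, one per 3-character group of the secret.
    values = [int(secret[i:i + 3]) for i in range(0, 48, 3)]

    # Coefficient matrix of the linear system (one row per equation).
    co = [
        [158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 205, 113, 122],
        [234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 205, 198, 234, 162, 218],
        [164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 151, 193, 119, 226, 193],
        [213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 228, 100, 206, 218, 177],
        [217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 137, 171, 173, 206, 240],
        [160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 205, 177, 240, 194, 181],
        [183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 111, 191, 226, 154, 191],
        [247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 214, 195, 162, 214, 239],
        [108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 239, 131, 138, 161, 218],
        [140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 119, 122, 152, 186, 124],
        [105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 122, 202, 202, 190, 178],
        [183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 211, 196, 136, 158, 210],
        [224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 254, 117, 253, 100, 106],
        [251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 198, 208, 171, 151, 230],
        [143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 208, 185, 117, 189, 242],
        [234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 218, 209, 220, 158, 228],
    ]

    # Expected right-hand side of each equation.
    r = [472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361,
         423332, 427624, 440268, 488759, 469049, 484574, 480266, 522818]

    # Every row's dot product with the parsed groups must match exactly.
    for row, expected in zip(co, r):
        if sum(c * x for c, x in zip(row, values)) != expected:
            return None

    print('flag{ISEC-%s}' % md5(secret.encode()))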

用z3脚本求解上述16个线性方程,得到flag

import hashlib
from z3.z3 import *
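# Each unknown is one 3-digit group of the secret, so it ranges over 0..999.
# Mathematical integers are used instead of 8-bit vectors: 8-bit arithmetic
# wraps every product and every target modulo 256 (and turns the coefficient
# 256 into 0), so the solver would be checking weaker constraints than the
# program being analysed.
values = [Int(f'values{x}') for x in range(16)]

# Coefficient matrix copied from the decompiled checker (one row per equation).
co = [
    [158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 205, 113, 122],
    [234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 205, 198, 234, 162, 218],
    [164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 151, 193, 119, 226, 193],
    [213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 228, 100, 206, 218, 177],
    [217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 137, 171, 173, 206, 240],
    [160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 205, 177, 240, 194, 181],
    [183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 111, 191, 226, 154, 191],
    [247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 214, 195, 162, 214, 239],
    [108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 239, 131, 138, 161, 218],
    [140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 119, 122, 152, 186, 124],
    [105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 122, 202, 202, 190, 178],
    [183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 211, 196, 136, 158, 210],
    [224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 254, 117, 253, 100, 106],
    [251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 198, 208, 171, 151, 230],
    [143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 208, 185, 117, 189, 242],
    [234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 218, 209, 220, 158, 228],
]

# Right-hand side of each equation, also from the decompiled checker.
r = [472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361,
     423332, 427624, 440268, 488759, 469049, 484574, 480266, 522818]

s = Solver()
for v in values:
    # A 3-character numeric group parses to an integer in this range.
    s.add(v >= 0, v <= 999)
for row, expected in zip(co, r):
    s.add(sum(c * v for c, v in zip(row, values)) == expected)

if s.check() == sat:
    ans = s.model()
    # Zero-pad every group to three digits; without padding a value below 100
    # would shorten the string and it would no longer be the 48-character
    # secret the checker expects.
    secret = "".join(f"{ans[x].as_long():03d}" for x in values)
    print(secret)
    # Same flag construction as the decompiled main().
    print('flag{ISEC-%s}' % hashlib.md5(secret.encode()).hexdigest())
else:
    print("no solution found")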
#md5(113201188123164176154241163109244215152103124165)
#flag{ISEC-ca32ab6174689b5e366241ad58108c68}
