用pyinstxtractor解包,发现需要在python3.7版本下运行(要与打包该exe时使用的Python版本一致),不然解出来后会发现PYZ-00.pyz_extracted文件夹中什么也没有
如图所示
直接去官网下载一个python3.7,然后在其控制台中用pyinstxtractor解包即可
我用的是Anaconda(Python版本管理工具),切换到python3.7版本进行解包
会有许多报错,也是正常的,因为PYZ-00.pyz_extracted目录下的文件被加密了
解包后,文件夹在C:\Users\下的个人用户目录下
对baby.pyc进行反汇编
可见核心代码在baby_core.pyc中,也就是在baby.exe_extracted\PYZ-00.pyz_extracted\baby_python中
来到相应的文件夹,发现全被加密了
baby_python\baby_core.pyc.encrypted也是被加密的
找到可能存放key的pyc文件
反汇编得到key = 'f8c0870eba862579'。密钥就随程序一起打包在解包目录里,所以这种字节码加密只能起到混淆作用,并不能真正保护代码
接下来写个文件解密脚本
import zlib
from pathlib import Path
import tinyaes
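# Key recovered from the extracted bundle; its 16 characters are used as the
# raw AES key bytes.
key = 'f8c0870eba862579'
key = bytes(key, 'utf-8')

# "**/*.pyc.encrypted" matches every file ending in .pyc.encrypted in the
# extracted PYZ directory and all of its subdirectories. A forward slash is
# used because "\*" is an invalid escape sequence in a normal string literal
# and pathlib accepts "/" on every platform.
# The encrypted original is deleted only after its decrypted copy has been
# written, so run this on a copy of the extracted tree.
for p in Path(r"C:\Users\86158\Desktop\REVERSE\baby.exe_extracted\PYZ-00.pyz_extracted").glob("**/*.pyc.encrypted"):
    with open(p, 'rb') as inf:
        # The first len(key) bytes of each file are the IV; the rest is the
        # ciphertext.
        iv = inf.read(len(key))
        cipher = tinyaes.AES(key, iv)
        # Decrypt in CTR mode, then inflate the zlib-compressed payload.
        # Doing this before the output file is opened means a failed
        # decryption no longer leaves an empty .pyc behind.
        plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
    # p.stem drops the last suffix: baby_core.pyc.encrypted -> baby_core.pyc
    with open(p.with_name(p.stem), 'wb') as outf:
        # 16-byte .pyc header. The magic 0x0D42 (3394) is the Python 3.7
        # bytecode magic reported by uncompyle6 for this sample, not 3.8; the
        # first 16 bytes of the extracted struct.pyc can be used instead.
        outf.write(b'\x42\x0D\x0D\x0A\0\0\0\0\x70\x79\x69\x30\x10\x01\0\0')
        outf.write(plaintext)
    p.unlink()  # remove the original .pyc.encrypted file
    print(f"{p}已完成\n")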
对baby_core.pyc进行反编译(uncompyle6)
# uncompyle6 version 3.9.0
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar 1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: baby_python\baby_core.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import hashlib
def md5(s: bytes) -> str:
    """Return the lowercase hexadecimal MD5 digest of *s*."""
    digest = hashlib.md5(s)
    return digest.hexdigest().lower()
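def main():
    """Read a secret from stdin, check it, and print the flag if it passes.

    The secret must be 48 numeric characters. It is split into sixteen
    3-character groups, each converted to an int. For every row ``i`` of
    ``co`` the weighted sum of those sixteen values must equal ``r[i]``.
    When all sixteen sums match, the flag is printed as the MD5 hex digest
    of the secret; otherwise the function returns without printing.
    """
    secret = input('secret: ')
    # NOTE(review): uncompyle6 rendered the two input checks as
    # ``if len(secret) != 48: return / else: return secret.isnumeric() or None``,
    # which makes everything below unreachable. They are written here as two
    # guard clauses, presumably matching the original source -- confirm
    # against the bytecode.
    if len(secret) != 48:
        return
    if not secret.isnumeric():
        return
    # Sixteen integers, one per 3-character group of the secret.
    values = [int(secret[i:i + 3]) for i in range(0, 48, 3)]
    # Coefficients of the 16 linear equations, one row per equation.
    co = [
        [158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 205, 113, 122],
        [234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 205, 198, 234, 162, 218],
        [164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 151, 193, 119, 226, 193],
        [213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 228, 100, 206, 218, 177],
        [217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 137, 171, 173, 206, 240],
        [160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 205, 177, 240, 194, 181],
        [183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 111, 191, 226, 154, 191],
        [247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 214, 195, 162, 214, 239],
        [108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 239, 131, 138, 161, 218],
        [140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 119, 122, 152, 186, 124],
        [105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 122, 202, 202, 190, 178],
        [183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 211, 196, 136, 158, 210],
        [224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 254, 117, 253, 100, 106],
        [251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 198, 208, 171, 151, 230],
        [143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 208, 185, 117, 189, 242],
        [234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 218, 209, 220, 158, 228],
    ]
    # Expected value of each equation.
    r = [
        472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361,
        423332, 427624, 440268, 488759, 469049, 484574, 480266, 522818,
    ]
    for i in range(16):
        v = 0
        for j in range(16):
            v += co[i][j] * values[j]
        # The comparison uses the complete row sum, so it sits after the
        # inner loop.
        if v != r[i]:
            return
    print('flag{ISEC-%s}' % md5(secret.encode()))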
# okay decompiling C:\Users\86158\Desktop\REVERSE\baby.exe_extracted\PYZ-00.pyz_extracted\baby_python\baby_core.pyc
直接用求解器(z3)求解这16个线性方程
import hashlib
from z3 import *
def md5(ss: bytes) -> str:
    """Return the lowercase hexadecimal MD5 digest of *ss*."""
    hasher = hashlib.md5(ss)
    return hasher.hexdigest().lower()
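# Coefficients of the 16 linear equations, copied from the decompiled
# baby_core.main: one row per equation.
co = [
    [158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 205, 113, 122],
    [234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 205, 198, 234, 162, 218],
    [164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 151, 193, 119, 226, 193],
    [213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 228, 100, 206, 218, 177],
    [217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 137, 171, 173, 206, 240],
    [160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 205, 177, 240, 194, 181],
    [183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 111, 191, 226, 154, 191],
    [247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 214, 195, 162, 214, 239],
    [108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 239, 131, 138, 161, 218],
    [140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 119, 122, 152, 186, 124],
    [105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 122, 202, 202, 190, 178],
    [183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 211, 196, 136, 158, 210],
    [224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 254, 117, 253, 100, 106],
    [251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 198, 208, 171, 151, 230],
    [143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 208, 185, 117, 189, 242],
    [234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 218, 209, 220, 158, 228],
]
# Expected value of each equation.
r = [
    472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361,
    423332, 427624, 440268, 488759, 469049, 484574, 480266, 522818,
]

s = Solver()
values = [Int('n[%d]' % i) for i in range(16)]
for n in values:
    # Each unknown is one 3-character numeric group of the 48-character
    # secret, so it has to lie in 0..999.
    s.add(n >= 0, n <= 999)
for i in range(16):
    v = 0
    for j in range(16):
        v += co[i][j] * values[j]
    s.add(v == r[i])
if s.check() == sat:
    model = s.model()
    # Zero-pad every value to three digits: the checker slices the secret in
    # groups of three, so a value below 100 printed without padding would
    # shift every later group and give the wrong MD5.
    flag = ''.join(
        '%03d' % model.eval(n, model_completion=True).as_long() for n in values
    )
    print('flag{ISEC-%s}' % md5(flag.encode()))
else:
    # Report the failure instead of exiting silently.
    print('no solution found')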
# flag{ISEC-ca32ab6174689b5e366241ad58108c68}