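This challenge uses the same approach as the previous one. For the method itself, see my previous blog post, where I described it in detail: UNCTF - Daily Training - reverse - Decompile
First unpack the executable with pyinstxtractor, then open struct.pyc and baby.pyc in 010 Editor and replace the first line of baby.pyc with the first line of struct.pyc.
Save the result as a new file, 123.pyc, and it will then decompile normally. Online tool: online pyc decompiler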
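The header repair described above can also be scripted rather than done by hand in a hex editor. The following is an added example, not code from the original post. It assumes the 16-byte header used by Python 3.7 and later, and the byte strings standing in for struct.pyc and baby.pyc are constructed samples; the function names are hypothetical.

```python
import importlib.util
import marshal

HEADER_LEN = 16  # assumption: Python 3.7+ header (magic, flags, mtime/hash, size)


def is_code_at(blob: bytes, offset: int) -> bool:
    """True if a marshalled code object starts at `offset`.

    The marshal type byte for code is 'c' (0x63), often with FLAG_REF (0x80)
    set, which is why extracted files usually begin with 0xE3.
    """
    return len(blob) > offset and blob[offset] & 0x7F == ord("c")


def repair_pyc(reference: bytes, target: bytes) -> bytes:
    """Return `target` carrying the .pyc header copied from `reference`."""
    header = reference[:HEADER_LEN]
    # Every CPython magic number ends in CR LF (bytes 2-3 of the file).
    if len(header) < HEADER_LEN or header[2:4] != b"\r\n":
        raise ValueError("reference does not start with a .pyc header")
    if is_code_at(target, 0):
        # Header was never written: the code object sits at offset 0, prepend.
        return header + target
    if is_code_at(target, HEADER_LEN):
        # Header present but wrong: overwrite it, as done by hand above.
        return header + target[HEADER_LEN:]
    raise ValueError("no marshalled code object at offset 0 or 16")


def make_sample():
    """Constructed stand-ins for struct.pyc and two broken baby.pyc variants."""
    body = marshal.dumps(compile("answer = 6 * 7", "baby.py", "exec"))
    reference = (importlib.util.MAGIC_NUMBER + bytes(12)
                 + marshal.dumps(compile("pass", "struct.py", "exec")))
    return reference, body, bytes(HEADER_LEN) + body, body


if __name__ == "__main__":
    ref, stripped, damaged, body = make_sample()
    for name, blob in (("stripped", stripped), ("damaged", damaged)):
        fixed = repair_pyc(ref, blob)
        print(name, fixed[:HEADER_LEN].hex(), fixed[HEADER_LEN:] == body)
```

On real files, pass the bytes of struct.pyc and baby.pyc to repair_pyc and write the returned bytes to 123.pyc.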
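Decompilation result:
The code is easy to follow. For installing and using the libnum library, see: Installing and using the libnum library, and How to install Python libraries in VS Code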
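import os, libnum, binascii
flag = 'unctf{*******************}'
x = libnum.s2n(flag)  # convert the string to an integer
def gen(x):  # yield the bits of the integer, least significant bit first
    y = abs(x)
    while y > 0:
        yield y % 2
        y = y >> 1
    else:
        if x == 0:
            yield 0
l = [i for i in gen(x)]  # collect the bits into a list
l.reverse()  # reverse so the most significant bit comes first
f = '%d' * len(l) % tuple(l)  # join the bits into a binary string
a = binascii.b2a_hex(f.encode())  # hex-encode that string: '1' becomes 31, '0' becomes 30
b = int(a, 16)
c = hex(b)[2:]
print(c)
os.system('pause')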
If this is still unclear, run the code above and print the intermediate values; the output makes it obvious.
Output:
x= 188704670991066536141370339273847784688288633922100254955154045
l= [1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1]
f= 111010101101110011000110111010001100110011110110010101000101010001010100010101000101010001010100010101000101010001010100010101000101010001010100010101000101010001010100010101000101010001010100010101001111101
a= b'313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303031313131313031'
b= 615642677944755844589086027051519924444394280056671468272502840881184467450548849507856397245422443754415443875647846299739351945724156887086069216756236082374959611190943504809805323016566613493401702842895127742079730167178522792699841232238576822104913463292693320786330695261453042490710615060864634927121239018903386240488948590458611738089891884330615134156082942837325519270066476191699355480627830821762588548619309071232814169144675365008365702250456530252254281996611009228415678377177137
c= 313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303030313031303130303031303130313030303130313031303031313131313031
The value of tip, which is what the flag becomes after the transformation above:
313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130313031303130303031313031303030303130303030303030313131303130303031303131313131303131303130303130313131303031313031303131313131303131313030313030313130303130313031313030303031303031313030303130303131303030313031313131303031303130313131313130313130303031313030313130303030303031313030303030303131303030313031313131313031
A short script is enough to recover the flag:
import libnum
t = ""
y="313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130313031303130303031313031303030303130303030303030313131303130303031303131313131303131303130303130313131303031313031303131313131303131313030313030313130303130313031313030303031303031313030303130303131303030313031313131303031303130313131313130313130303031313030313130303030303031313030303030303131303030313031313131313031"
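# Each pair of hex digits is one ASCII character: "31" is '1', "30" is '0'
for i in range(0, len(y), 2):
    if y[i:i+2] == "31":
        t += '1'
    else:
        t += '0'
print("t=", t)
print("flag=", libnum.b2s(t))  # binary string back to bytes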
Output:
t= 111010101101110011000110111010001100110011110110101010001101000010000000111010001011111011010010111001101011111011100100110010101100001001100010011000101111001010111110110001100110000001100000011000111110110001100110000001100000011000101111101
flag= b'unctf{Th@t_is_rea11y_c001}'
Final flag: unctf{Th@t_is_rea11y_c001}