[watevrCTF 2019]Repyc复现
拿到的题目是一个 pyc 文件,用 Python 反编译工具反编译后得到:
# Obfuscated spellings of the three small integers the interpreter below
# uses for every index and increment.
佤 = 0                # 0
侰 = (~佤) * (~佤)    # (-1) * (-1) == 1
俴 = 2 * 侰           # 2
def 䯂(䵦):
    """Execute the instruction list ``䵦`` on the challenge's small VM.

    Each instruction is a list: a one-character opcode followed by its
    operands.  Depending on the opcode an operand indexes the register
    list ``괠``, indexes the memory list ``궓``, or is an immediate value.
    Execution starts at index 0 and stops at the first '듃' opcode; an
    opcode that matches no branch only advances the program counter.
    Returns ``None``; some opcodes call ``input()`` / ``print()``.

    Block nesting here is reconstructed from the control flow, because the
    flattened listing carries no indentation.
    """
    굴 = 佤                       # program counter
    굿 = 佤                       # assigned here, not read again below
    괠 = [佤] * 俴 ** (俴 * 俴)    # registers: 2 ** (2 * 2) == 16 slots
    궓 = [佤] * 100               # memory: 100 slots
    괣 = []                       # targets pushed by the jump opcodes
    while 䵦[굴][佤] != '듃':
        굸 = 䵦[굴][佤].lower()
        亀 = 䵦[굴][侰:]
        # Three-operand register arithmetic: dst = src1 <op> src2.
        if 굸 == '뉃':
            괠[亀[佤]] = 괠[亀[侰]] + 괠[亀[俴]]
        elif 굸 == '렀':
            괠[亀[佤]] = 괠[亀[侰]] ^ 괠[亀[俴]]
        elif 굸 == '렳':
            괠[亀[佤]] = 괠[亀[侰]] - 괠[亀[俴]]
        elif 굸 == '냃':
            괠[亀[佤]] = 괠[亀[侰]] * 괠[亀[俴]]
        elif 굸 == '뢯':
            # True division: the result is a float.
            괠[亀[佤]] = 괠[亀[侰]] / 괠[亀[俴]]
        elif 굸 == '륇':
            괠[亀[佤]] = 괠[亀[侰]] & 괠[亀[俴]]
        elif 굸 == '맳':
            괠[亀[佤]] = 괠[亀[侰]] | 괠[亀[俴]]
        # Moves between registers, memory and immediates.
        elif 굸 == '괡':
            # Self-assignment: leaves the register unchanged.
            괠[亀[佤]] = 괠[亀[佤]]
        elif 굸 == '뫇':
            괠[亀[佤]] = 괠[亀[侰]]
        elif 굸 == '꼖':
            # Load an immediate (the operand itself) into a register.
            괠[亀[佤]] = 亀[侰]
        elif 굸 == '뫻':
            궓[亀[佤]] = 괠[亀[侰]]
        elif 굸 == '딓':
            괠[亀[佤]] = 궓[亀[侰]]
        elif 굸 == '댒':
            괠[亀[佤]] = 佤
        elif 굸 == '묇':
            궓[亀[佤]] = 佤
        # Console I/O; the register operand of input() is the prompt.
        elif 굸 == '묟':
            괠[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '꽺':
            궓[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '돯':
            print(괠[亀[佤]])
        elif 굸 == '뭗':
            print(궓[亀[佤]])
        # Unconditional transfers; the increment at the loop's end still
        # runs afterwards.
        elif 굸 == '뭿':
            굴 = 괠[亀[佤]]
        elif 굸 == '뮓':
            굴 = 궓[亀[佤]]
        elif 굸 == '뮳':
            굴 = 괣.pop()
        # Conditional jump (greater-than) to an immediate target.
        elif 굸 == '믃':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue
        # Whole-value comparison of two registers, repeated once per
        # element of the first; register 7 is the mismatch flag.
        # NOTE(review): the jump is placed under the `if` by reconstruction.
        elif 굸 == '꽲':
            괠[7] = 佤
            for i in range(len(괠[亀[佤]])):
                if 괠[亀[佤]] != 괠[亀[侰]]:
                    괠[7] = 侰
                    굴 = 괠[亀[俴]]
                    괣.append(굴)
        # Per-character transforms of a string held in a register.
        elif 굸 == '꾮':
            괢 = ''
            for i in range(len(괠[亀[佤]])):
                괢 += chr(ord(괠[亀[佤]][i]) ^ 괠[亀[侰]])
            괠[亀[佤]] = 괢
        elif 굸 == '꿚':
            괢 = ''
            for i in range(len(괠[亀[佤]])):
                괢 += chr(ord(괠[亀[佤]][i]) - 괠[亀[侰]])
            괠[亀[佤]] = 괢
        # Remaining conditional jumps: greater-than with the target taken
        # from a register or from memory, then equality with an immediate,
        # register or memory target.
        elif 굸 == '떇':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '뗋':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '똷':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue
        elif 굸 == '뚫':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '띇':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        굴 += 侰
# The bytecode program handed to the interpreter, one instruction per line.
# Comments use the interpreter's own names: 괠 = registers, 궓 = memory.
䯂([
    ['꼖', 佤, 'Authentication token: '],  # 괠[0] = prompt text
    ['꽺', 佤, 佤],  # 궓[0] = input(괠[0])
    ['꼖', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],  # 괠[6] = stored ciphertext
    ['꼖', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],  # 괠[2] = 2**7 - 2**3 = 120
    ['꼖', 4, 15],  # 괠[4] = 15
    ['꼖', 3, 侰],  # 괠[3] = 1
    ['냃', 俴, 俴, 3],  # 괠[2] = 괠[2] * 괠[3] = 120
    ['뉃', 俴, 俴, 4],  # 괠[2] = 괠[2] + 괠[4] = 135
    ['괡', 佤, 俴],  # self-assignment of 괠[0]
    ['댒', 3],  # 괠[3] = 0
    ['꾮', 6, 3],  # 괠[6]: each char ^ 괠[3] (0), so unchanged
    ['꼖', 佤, 'Thanks.'],  # 괠[0] = message
    ['꼖', 侰, 'Authorizing access...'],  # 괠[1] = message
    ['돯', 佤],  # print(괠[0])
    ['딓', 佤, 佤],  # 괠[0] = 궓[0], the text that was typed in
    ['꾮', 佤, 俴],  # 괠[0]: each char ^ 괠[2] (135)
    ['꿚', 佤, 4],  # 괠[0]: each char - 괠[4] (15)
    ['꼖', 5, 19],  # 괠[5] = 19, target used by the comparison
    ['꽲', 佤, 6, 5],  # compare 괠[0] with 괠[6]; on mismatch jump via 괠[5]
    ['돯', 侰],  # print(괠[1])
    ['듃'],  # halt
    ['꼖', 侰, 'Access denied!'],  # 괠[1] = message
    ['돯', 侰],  # print(괠[1])
    ['듃'],  # halt
])
标识符全是混淆用的 Unicode 字符,仔细看可以发现这是一个用 Python 写的虚拟机,先把这些字符替换成可读的名字:
# uncompyle6 version 3.7.4
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.8.3 (default, Jul 2 2020, 17:30:36) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: circ.py
# Compiled at: 2019-12-14 02:29:55
# Size of source mod 2**32: 5146 bytes
# Readable names for the three obfuscated integer constants.
a = 0
b = (~a) ** 2   # (-1) ** 2 == 1
c = 2 * b       # 2
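def main(argv):
    """Interpret a bytecode program: the readable rename of the challenge VM.

    ``argv`` is a list of instructions, each a list ``[opcode, operand, ...]``.
    Execution starts at index 0 and stops at the first instruction whose
    opcode is ``'not null'`` (the name this listing gives the halt opcode).
    An opcode that matches no branch only advances the program counter.

    State:
        t      -- 16 registers, initialised to 0.
        h1     -- 100 memory cells, initialised to 0.
        stack  -- jump targets pushed by the jump opcodes, read by 'pop'.

    The decompiler's constants a/b/c (0, 1, 2) are written as literals so
    operand positions read directly.  Two renaming slips are repaired:
    ``apparray1`` is ``append`` again, and 'printf1' prints a memory cell,
    as the obfuscated listing's corresponding opcode does.  Block nesting
    is reconstructed from the control flow, since the flattened listing
    carries no indentation.

    Returns ``None``; 'input*' and 'printf*' use stdin/stdout.
    """
    pc = 0
    t = [0] * 16
    h1 = [0] * 100
    stack = []
    while argv[pc][0] != 'not null':
        opcode = argv[pc][0].lower()
        args = argv[pc][1:]
        # Three-operand register arithmetic: t[dst] = t[src1] <op> t[src2].
        if opcode == 'add':
            t[args[0]] = t[args[1]] + t[args[2]]
        elif opcode == 'xor':
            t[args[0]] = t[args[1]] ^ t[args[2]]
        elif opcode == 'sub':
            t[args[0]] = t[args[1]] - t[args[2]]
        elif opcode == 'mul':
            t[args[0]] = t[args[1]] * t[args[2]]
        elif opcode == 'div':
            # True division: the result is a float.
            t[args[0]] = t[args[1]] / t[args[2]]
        elif opcode == 'and':
            t[args[0]] = t[args[1]] & t[args[2]]
        elif opcode == 'or':
            t[args[0]] = t[args[1]] | t[args[2]]
        elif opcode == 'equal':
            # Self-assignment: despite the name, nothing is compared.
            t[args[0]] = t[args[0]]
        # Moves between registers, memory and immediates.
        elif opcode == 'mov1':
            t[args[0]] = t[args[1]]
        elif opcode == 'mov2':
            t[args[0]] = args[1]          # immediate -> register
        elif opcode == 'mov3':
            h1[args[0]] = t[args[1]]      # register -> memory
        elif opcode == 'mov4':
            t[args[0]] = h1[args[1]]      # memory -> register
        elif opcode == 'mov5':
            t[args[0]] = 0
        elif opcode == 'mov6':
            h1[args[0]] = 0
        # Console I/O; the register operand of input() is the prompt.
        elif opcode == 'input1':
            t[args[0]] = input(t[args[1]])
        elif opcode == 'input2':
            h1[args[0]] = input(t[args[1]])
        elif opcode == 'printf':
            print(t[args[0]])
        elif opcode == 'printf1':
            # Fixed: this opcode prints from memory, not from a register.
            print(h1[args[0]])
        # Unconditional transfers; the increment at the loop's end still
        # runs, so execution resumes one past the loaded index.
        elif opcode == 'mov7':
            pc = t[args[0]]
        elif opcode == 'mov8':
            pc = h1[args[0]]
        elif opcode == 'pop':
            pc = stack.pop()
        # Conditional jump (greater-than) to an immediate target.
        elif opcode == 'cmp+push':
            if t[args[1]] > t[args[2]]:
                pc = args[0]
                stack.append(pc)
                continue
        # Whole-value comparison of two registers, repeated once per
        # element of the first; t[7] is the mismatch flag.
        # NOTE(review): the jump is placed under the `if` by reconstruction.
        elif opcode == 'cmp+push1':
            t[7] = 0
            for i in range(len(t[args[0]])):
                if t[args[0]] != t[args[1]]:
                    t[7] = 1
                    pc = t[args[2]]
                    stack.append(pc)
        # Per-character transforms of a string held in a register.
        elif opcode == 'array_xor':
            string = ''
            for i in range(len(t[args[0]])):
                string += chr(ord(t[args[0]][i]) ^ t[args[1]])
            t[args[0]] = string
        elif opcode == 'array_sub':
            string = ''
            for i in range(len(t[args[0]])):
                string += chr(ord(t[args[0]][i]) - t[args[1]])
            t[args[0]] = string
        # Remaining conditional jumps: greater-than with a register or
        # memory target, then equality with each of the three target kinds.
        elif opcode == 'cmp+push2':
            if t[args[1]] > t[args[2]]:
                pc = t[args[0]]
                stack.append(pc)
                continue
        elif opcode == 'cmp+push3':
            if t[args[1]] > t[args[2]]:
                pc = h1[args[0]]
                stack.append(pc)
                continue
        elif opcode == 'cmp+push4':
            if t[args[1]] == t[args[2]]:
                pc = args[0]
                stack.append(pc)
                continue
        elif opcode == 'cmp+push5':
            if t[args[1]] == t[args[2]]:
                pc = t[args[0]]
                stack.append(pc)
                continue
        elif opcode == 'cmp+push6':
            if t[args[1]] == t[args[2]]:
                pc = h1[args[0]]
                stack.append(pc)
                continue
        pc += 1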
分析完后,给字节码程序逐条加上注释:
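# Annotated bytecode program, one instruction per line, with the constants
# a/b/c written as 0/1/2.  t[...] are registers, h1[...] memory cells.
# Repairs to the renamed listing: the two prompt strings damaged by the
# identifier search-and-replace read 'token' / 'Thanks.' again, and the first
# halt uses the same 'not null' opcode name as the last one.
# NOTE: the list keeps the name `main` from the original listing; placed in
# one file with an interpreter function of that name it would rebind it.
main = [
    ['mov2', 0, 'Authentication token: '],  # t[0] = prompt text
    ['input2', 0, 0],  # h1[0] = input(t[0])
    # t[6] = stored ciphertext.  The pair U+00C9 U+00B3 (decodes to "_E") is
    # spelled with escapes: if the two are fused into the single character
    # U+0273, decoding goes wrong at that position.
    ['mov2', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔ\xc9\xb3ÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
    ['mov2', 2, 2 ** 7 - 2 ** 3],  # t[2] = 128 - 8 = 120
    ['mov2', 4, 15],  # t[4] = 15
    ['mov2', 3, 1],  # t[3] = 1
    ['mul', 2, 2, 3],  # t[2] = t[2] * t[3] = 120
    ['add', 2, 2, 4],  # t[2] = t[2] + t[4] = 135
    ['equal', 0, 2],  # t[0] = t[0], no effect
    ['mov5', 3],  # t[3] = 0
    ['array_xor', 6, 3],  # t[6]: each char ^ t[3] (0), so unchanged
    ['mov2', 0, 'Thanks.'],  # t[0] = message
    ['mov2', 1, 'Authorizing access...'],  # t[1] = message
    ['printf', 0],  # print(t[0])
    ['mov4', 0, 0],  # t[0] = h1[0], the text that was typed in
    ['array_xor', 0, 2],  # t[0]: each char ^ t[2] (135)
    ['array_sub', 0, 4],  # t[0]: each char - t[4] (15)
    ['mov2', 5, 19],  # t[5] = 19
    ['cmp+push1', 0, 6, 5],  # if t[0] != t[6]: t[7] = 1, pc = t[5]
    ['printf', 1],  # print(t[1])
    ['not null'],  # halt
    ['mov2', 1, 'Access denied!'],  # t[1] = message; no jump above targets this index
    ['printf', 1],  # print(t[1])
    ['not null'],  # halt
]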
可以看出:程序把输入的每个字符先与 135 异或,再减去 15,然后和寄存器 6 里的密文比较。
所以把密文的每个字符先加 15、再与 135 异或,就能还原出 flag:
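# Ciphertext that the VM program loads into register 6.  The name `cipher`
# replaces `str`, which shadowed the builtin.  The stray leading space of the
# earlier literal is dropped: it is not part of the VM's string and would
# decode to an extra junk character in front of the flag.  The pair
# U+00C9 U+00B3 (decodes to "_E") is spelled with escapes: if the two are
# fused into the single character U+0273, decoding goes wrong there.
cipher = 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔ\xc9\xb3ÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'

# The VM computes (char ^ 135) - 15 on the input before comparing, so the
# inverse is applied in the opposite order: add 15 first, then XOR with 135.
flag = ''.join(chr((ord(ch) + 15) ^ 135) for ch in cipher)
print(flag)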
得到flag为
watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}