Analysis
An exe packed by PyInstaller cannot be decompiled and inspected directly with IDA. We use pyinstxtractor.py (available online) to extract the contents of the PyInstaller-generated exe, then decompile the .pyc in the extracted folder that has the same name as the exe with an online Python decompiler:
https://tool.lu/pyc/
This yields the following code:
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.10
import base64

def gen(key):
    # RC4-style key scheduling: permute s under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
    # RC4-style output generation: only 50 keystream bytes are produced
    i = j = 0
    data = []
    for _ in range(50):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
        data.append(s[(s[i] + s[j]) % 256])
    return data

def encrypt(text, key):
    result = ''
    for c, k in zip(text, gen(key)):
        result += chr(ord(c) ^ k)
    result = base64.b64encode(result.encode()).decode()
    return result

text = input('Flag: ')
key = 'As_we_do_as_you_know'
enc = encrypt(text, key)
if enc == 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl':
    print('yes!')
else:
    # The decompiler rendered this branch as "return None" followed by
    # "None('try again...')"; it is simply the failure message.
    print('try again...')
Start from the end: if enc equals the string on the right-hand side of the comparison, the program prints "yes!".
The value of enc comes from the encrypt function. It iterates over c (the input characters) and k (the keystream bytes from gen) in parallel, XORs ord(c) with k to produce each encrypted character, and finally base64-encodes the result. So when writing the solve script we change encode to decode and run the steps in reverse order.
base64.b64encode() becomes base64.b64decode().
The encode() method encodes a string using the specified encoding.
Script
Modify the source code directly:
import base64

def gen(key):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
    i = j = 0
    data = []
    for _ in range(50):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
        data.append(s[(s[i] + s[j]) % 256])
    return data

def decrypt(text, key):
    result = ''
    text = base64.b64decode(text.encode()).decode()
    for c, k in zip(text, gen(key)):
        result += chr(ord(c) ^ k)
    return result

key = 'As_we_do_as_you_know'
enc = "wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl"
print(decrypt(enc, key))
This gives the flag:
- hgame{python_reverse_is_easy_with_internet}
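The following is an added example, not code from the writeup or from the challenge itself, that makes two points the writeup leaves implicit. First, gen() is an RC4 key schedule followed by 50 rounds of RC4 output generation, and because XOR is its own inverse the same keystream function serves for both encrypting and decrypting; only the base64 step has to be reversed. Second, gen() emits exactly 50 keystream bytes and zip() stops at the shorter sequence, so encrypt() silently discards everything past the 50th input character. The key and target string are the values from the decompiled code; the function names and the dropped_chars helper are this example's own.

```python
import base64

# Values taken from the decompiled challenge code above.
KEY = 'As_we_do_as_you_know'
TARGET = ('wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbD'
          'lx3DqcKqwr0hw701Ly57w63CtcOl')
STREAM_LEN = 50  # gen() stops after 50 output rounds


def keystream(key: str, n: int = STREAM_LEN) -> list[int]:
    """RC4 key scheduling followed by n rounds of output generation.

    This computes the same bytes as the decompiled gen(); it is written
    with tuple swaps so the KSA / PRGA structure is easy to see.
    """
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute s under the key
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = []
    for _ in range(n):                        # PRGA: emit n keystream bytes
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return out


def xor_with_keystream(text: str, key: str) -> str:
    """XOR each character with one keystream byte.

    zip() stops at the shorter sequence, so any character beyond
    STREAM_LEN is dropped without any error.
    """
    return ''.join(chr(ord(c) ^ k) for c, k in zip(text, keystream(key)))


def encrypt(text: str, key: str) -> str:
    """Same steps as the challenge's encrypt(): XOR, UTF-8 encode, base64."""
    return base64.b64encode(xor_with_keystream(text, key).encode()).decode()


def decrypt(b64: str, key: str) -> str:
    """Undo encrypt() in reverse order: base64 decode, UTF-8 decode, XOR.

    XOR is an involution, so the decryption XOR is literally the same
    call as the encryption XOR.
    """
    return xor_with_keystream(base64.b64decode(b64).decode(), key)


def dropped_chars(text: str) -> int:
    """Number of characters of `text` that encrypt() would silently discard."""
    return max(0, len(text) - STREAM_LEN)


def solve() -> str:
    """Recover the flag from the constant compared against in the binary."""
    return decrypt(TARGET, KEY)


if __name__ == '__main__':
    flag = solve()
    print(flag)
    # Round trip: re-encrypting the recovered flag reproduces TARGET exactly.
    print(encrypt(flag, KEY) == TARGET)
    # Truncation: a 60-character input is cut to 50 before the comparison,
    # so two inputs that differ only after position 50 encrypt identically.
    long_input = 'A' * 60
    print(dropped_chars(long_input), encrypt(long_input, KEY) == encrypt('A' * 50, KEY))
```

The truncation check matters when reusing this kind of cipher elsewhere: a check of the form `encrypt(user_input) == constant` accepts any input whose first 50 characters match, whatever follows them.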