python的虚拟机
下载下来是个pyc文件,这个没难度,用网上的在线工具反编译一下就行了。反编译后发现一堆乱码,但是乱得有规律,明显就是用UTF-8编码的非ASCII字符作的变量名,把它们一个个替换成别的名字就好了。据说有人打算用汉字写程序,估计结果和这个差不多,写完便变成密码了。
既然是VM,就把指令名一个个改成可读的名字再看吧,原来的乱码太难读了。下面代码里的变量名和大部分指令名都是改过之后的。
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6
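def fun(val):
    """Interpret a list-encoded program for the challenge's small VM.

    ``val`` is a list of instructions, each a list ``[opcode, operand, ...]``.
    Execution starts at index 0 and stops when the opcode at the current
    index equals the halt marker tested in the ``while`` condition.

    State kept by the interpreter:
      * ``data1`` -- 16 slots (called "d1" in the opcode labels)
      * ``data2`` -- 100 slots (called "d2")
      * ``s1``    -- list used as a stack of jump targets

    The readable opcode labels ('set_d1', 'd1_0=1+2', ...) are the names
    used in this listing; the two escaped strings are opcodes that were not
    renamed. Handlers that do not ``continue`` fall through to the
    ``idx += 1`` at the bottom of the loop. The function returns ``None``;
    its only outputs are ``print`` calls, and two opcodes read from
    ``input``.
    """
    idx = 0
    data1 = [0] * 16
    data2 = [0] * 100
    s1 = []
    while val[idx][0] != '\xeb\x93\x83':
        cmd = val[idx][0].lower()
        arg = val[idx][1:]
        if cmd == 'd1_0=1+2':
            data1[arg[0]] = data1[arg[1]] + data1[arg[2]]
        elif cmd == 'd1_0=1^2':
            data1[arg[0]] = data1[arg[1]] ^ data1[arg[2]]
        elif cmd == 'd1_0=1-2':
            data1[arg[0]] = data1[arg[1]] - data1[arg[2]]
        elif cmd == 'd1_0=1*2':
            data1[arg[0]] = data1[arg[1]] * data1[arg[2]]
        elif cmd == 'd1_0=1/2':
            data1[arg[0]] = data1[arg[1]] / data1[arg[2]]
        elif cmd == 'd1_0=1&2':
            data1[arg[0]] = data1[arg[1]] & data1[arg[2]]
        elif cmd == 'd1_0=1|2':
            data1[arg[0]] = data1[arg[1]] | data1[arg[2]]
        elif cmd == 'd1_0=d1_0':
            # Self-assignment exactly as listed (no effect).
            # NOTE(review): possibly a decompiler/renaming artifact -- confirm.
            data1[arg[0]] = data1[arg[0]]
        elif cmd == 'd1_0=d1_1':
            data1[arg[0]] = data1[arg[1]]
        elif cmd == 'set_d1':
            data1[arg[0]] = arg[1]
        elif cmd == 'd2_0=d1_1':
            data2[arg[0]] = data1[arg[1]]
        elif cmd == 'd1_0=d2_1':
            data1[arg[0]] = data2[arg[1]]
        elif cmd == 'd1_0=n':
            data1[arg[0]] = 0
        elif cmd == 'd2_0=n0':
            data2[arg[0]] = 0
        elif cmd == 'd1_0=input':
            # The prompt text is taken from a d1 slot.
            data1[arg[0]] = input(data1[arg[1]])
        elif cmd == 'd2_0=input':
            data2[arg[0]] = input(data1[arg[1]])
        elif cmd == 'print_d1_0':
            print(data1[arg[0]])
        elif cmd == 'print_d2_0':
            print(data2[arg[0]])
        elif cmd == 'jmp_d1_0':
            idx = data1[arg[0]]
        elif cmd == 'jmp_d2_0':
            idx = data2[arg[0]]
        elif cmd == 'jmp_s1_pop':
            idx = s1.pop()
        # Conditional jumps: the branch is taken only when the opcode matches
        # AND the comparison holds. The decompiled listing joined the two
        # tests with `or`, so the comparison was evaluated for unrelated
        # opcodes and indexed operands those opcodes do not have.
        elif cmd == '\xeb\xaf\x83' and data1[arg[1]] > data1[arg[2]]:
            idx = arg[0]
            s1.append(idx)
            continue
        elif cmd == '???':
            # Compare two d1 slots; d1[7] records whether they differed.
            # NOTE(review): the page lost its indentation, so the nesting of
            # the three statements under the `if` is reconstructed -- confirm
            # against the decompiler output.
            data1[7] = 0
            for _ in range(len(data1[arg[0]])):
                if data1[arg[0]] != data1[arg[1]]:
                    data1[7] = 1
                    idx = data1[arg[2]]
                    s1.append(idx)
        elif cmd == 'd1_0[] ^=d_1':
            # XOR every character of the string in d1[arg[0]] with an integer.
            key = data1[arg[1]]
            data1[arg[0]] = ''.join(chr(ord(ch) ^ key) for ch in data1[arg[0]])
        elif cmd == 'd1_0[] -=d_1':
            # Subtract an integer from every character of the string.
            delta = data1[arg[1]]
            data1[arg[0]] = ''.join(chr(ord(ch) - delta) for ch in data1[arg[0]])
        elif cmd == 'push,jmp d1_0' and data1[arg[1]] > data1[arg[2]]:
            idx = data1[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d2_0' and data1[arg[1]] > data1[arg[2]]:
            idx = data2[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp 0' and data1[arg[1]] == data1[arg[2]]:
            idx = arg[0]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d1_0_2' and data1[arg[1]] == data1[arg[2]]:
            idx = data1[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d2_0_2' and data1[arg[1]] == data1[arg[2]]:
            idx = data2[arg[0]]
            s1.append(idx)
            continue
        idx += 1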
# Program fed to the VM. Each row is [opcode, operand, ...]; rows are addressed
# by their zero-based position, which is what the jump handlers assign to idx.
fun([
['set_d1',0,'Authentication token: '], # d1[0] = prompt text
['d2_0=input',0,0], # d2[0] = input('Authentication token: ')
# d1[6] = the long string that the transformed token is compared against.
# The value is elided in this write-up (the placeholder says several hundred
# characters were omitted), so this row is not valid Python as shown.
['set_d1',6,...此处略掉几百字...],
['set_d1',2,120], # d1[2] = 120
['set_d1',4,15], # d1[4] = 15
['set_d1',3,1], # d1[3] = 1
['d1_0=1*2',2,2,3], # d1[2] = d1[2] * d1[3] = 120
['d1_0=1+2',2,2,4], # d1[2] = d1[2] + d1[4] = 135
['d1_0=d1_0',0,2], # handler as listed assigns d1[0] to itself (no effect)
['d1_0=n',3], # d1[3] = 0
['d1_0[] ^=d_1',6,3], # XOR each character of d1[6] with d1[3] (0): unchanged
['set_d1',0,'Thanks.'], # d1[0] = 'Thanks.'
['set_d1',1,'Authorizing access...'], # d1[1] = 'Authorizing access...'
['print_d1_0',0], # print('Thanks.')
['d1_0=d2_1',0,0], # d1[0] = d2[0], the token typed by the user
['d1_0[] ^=d_1',0,2], # each character of d1[0] ^= d1[2] (135)
['d1_0[] -=d_1',0,4], # each character of d1[0] -= d1[4] (15)
['set_d1',5,19], # d1[5] = 19
# Marked "purpose unknown" by the write-up's author. Per the '???' handler in
# fun: sets d1[7] = 0, compares d1[0] with d1[6], and on a mismatch sets
# d1[7] = 1 and assigns d1[5] (19) to idx.
['???',0,6,5],
['print_d1_0',1], # print('Authorizing access...')
['\xeb\x93\x83'], # halt marker tested by the while condition in fun
['set_d1',1,'Access denied!'], # d1[1] = 'Access denied!'
['print_d1_0',1], # print('Access denied!')
['\xeb\x93\x83']]) # halt marker
把指令名改完之后大概能看明白了:输入的flag每个字符会先^135再-15,后边是一条没看明白的(像是报错用的)语句,然后是输出成功提示。估计就是把 (flag^135)-15 的结果和那一大串比较,所以对那一大串逐字符做逆运算 (c+15)^135 就能还原flag。可是直接这样算,结果是乱码。后来想,既然变量名都是UTF-8串,这一串估计也是UTF-8,所以先按UTF-8解码再处理。
# Comparison string from the VM program (d1[6]), kept as raw UTF-8 bytes.
# NOTE(review): the run of dots presumably stands for the rest of the blob that
# the write-up omits -- substitute the full constant from the program.
a = b'\xc3\xa1\xc3\x97\xc3\xa4......'
# Decode as UTF-8 first so that each element is one code point, then undo the
# VM's transform in reverse order: add 15 back, then XOR with 135.
print(''.join(chr((ord(ch) + 15) ^ 135) for ch in str(a, 'utf-8')))
#watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}
#flag{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}
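不过这确实有点不明白,UTF-8理论上处理ASCII码是不会出来多字节的,一开始没想明白。原因应该是:flag本身是ASCII,但^135(0x87)会把最高位置1,对可打印字符来说再-15之后码点仍在0x80以上(例如 'w'=0x77 → 0xF0 → 0xE1),而U+0080以上的字符在UTF-8里要用两个字节表示(U+00E1 → \xc3\xa1,正好是上面密文的开头),所以程序里存的密文是多字节的,必须先解码成码点再做逆运算。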