1.题目给的是pyc文件,用uncompyle6反编译。
2.得到py文件,发现里面有一大堆"乱码"(变量名和字符串都被换成了韩文、汉字字符),一时无从下手。
# uncompyle6 version 3.7.4
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.7.8 (tags/v3.7.8:4b47a5b6ba, Jun 28 2020, 08:53:46) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: circ.py
# Compiled at: 2019-12-14 02:29:55
# Size of source mod 2**32: 5146 bytes
# Obfuscated integer constants: the VM and its program spell 0, 1 and 2
# through these names instead of writing the literals.
佤 = 0
侰 = (~佤) * (~佤)  # (-1) * (-1) == 1
俴 = 2 * 侰  # == 2
def 䯂(䵦):
    """Run the list-encoded program 䵦 on a small register machine.

    Every instruction is a list whose first item is the opcode string and
    whose remaining items are operands.  State: 괠 is a bank of 16 registers,
    궓 holds 100 memory cells, 괣 is a list of recorded jump targets and 굴 is
    the index of the current instruction.  Execution stops at the first
    instruction whose opcode is '듃'; an opcode that matches no branch only
    advances 굴.

    NOTE(review): the listing reached this page without indentation, so the
    nesting below is reconstructed from the statement order.
    """
    굴 = 佤
    굿 = 佤
    괠 = [佤] * 俴 ** (俴 * 俴)
    궓 = [佤] * 100
    괣 = []
    while 䵦[굴][佤] != '듃':
        굸 = 䵦[굴][佤].lower()
        亀 = 䵦[굴][侰:]
        # --- three-operand arithmetic / bitwise operations on registers ---
        if 굸 == '뉃':
            괠[亀[佤]] = 괠[亀[侰]] + 괠[亀[俴]]
        elif 굸 == '렀':
            괠[亀[佤]] = 괠[亀[侰]] ^ 괠[亀[俴]]
        elif 굸 == '렳':
            괠[亀[佤]] = 괠[亀[侰]] - 괠[亀[俴]]
        elif 굸 == '냃':
            괠[亀[佤]] = 괠[亀[侰]] * 괠[亀[俴]]
        elif 굸 == '뢯':
            괠[亀[佤]] = 괠[亀[侰]] / 괠[亀[俴]]
        elif 굸 == '륇':
            괠[亀[佤]] = 괠[亀[侰]] & 괠[亀[俴]]
        elif 굸 == '맳':
            괠[亀[佤]] = 괠[亀[侰]] | 괠[亀[俴]]
        # --- data movement between registers, memory cells and immediates ---
        elif 굸 == '괡':
            괠[亀[佤]] = 괠[亀[佤]]  # self-assignment: leaves the register as is
        elif 굸 == '뫇':
            괠[亀[佤]] = 괠[亀[侰]]
        elif 굸 == '꼖':
            괠[亀[佤]] = 亀[侰]  # load an immediate operand
        elif 굸 == '뫻':
            궓[亀[佤]] = 괠[亀[侰]]
        elif 굸 == '딓':
            괠[亀[佤]] = 궓[亀[侰]]
        elif 굸 == '댒':
            괠[亀[佤]] = 佤
        elif 굸 == '묇':
            궓[亀[佤]] = 佤
        # --- console I/O; the register operand of input() is the prompt ---
        elif 굸 == '묟':
            괠[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '꽺':
            궓[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '돯':
            print(괠[亀[佤]])
        elif 굸 == '뭗':
            print(궓[亀[佤]])
        # --- control flow: 굴 is overwritten, then incremented below ---
        elif 굸 == '뭿':
            굴 = 괠[亀[佤]]
        elif 굸 == '뮓':
            굴 = 궓[亀[佤]]
        elif 굸 == '뮳':
            굴 = 괣.pop()
        elif 굸 == '믃':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue  # taken jump: skip the increment at the loop end
        elif 굸 == '꽲':
            # Whole-value comparison repeated once per element of the first
            # operand; a mismatch sets register 7 and redirects 굴.
            괠[7] = 佤
            for _ in range(len(괠[亀[佤]])):
                if 괠[亀[佤]] != 괠[亀[侰]]:
                    괠[7] = 侰
                    굴 = 괠[亀[俴]]
                    괣.append(굴)
        # --- per-character transforms of a string held in a register ---
        elif 굸 == '꾮':
            괠[亀[佤]] = ''.join(chr(ord(ch) ^ 괠[亀[侰]]) for ch in 괠[亀[佤]])
        elif 굸 == '꿚':
            괠[亀[佤]] = ''.join(chr(ord(ch) - 괠[亀[侰]]) for ch in 괠[亀[佤]])
        # --- conditional jumps: target from a register, memory or immediate ---
        elif 굸 == '떇':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '뗋':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '똷':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue
        elif 굸 == '뚫':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '띇':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        굴 += 侰
# Program fed to the VM defined above: one instruction per line, written as
# [opcode, operand, ...].
䯂([
    ['꼖', 佤, 'Authentication token: '],  # register 0 <- prompt text
    ['꽺', 佤, 佤],  # memory cell 0 <- input(register 0)
    ['꼖', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
    ['꼖', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],  # register 2 <- 2**7 - 2**3
    ['꼖', 4, 15],
    ['꼖', 3, 侰],
    ['냃', 俴, 俴, 3],  # register 2 <- register 2 * register 3
    ['뉃', 俴, 俴, 4],  # register 2 <- register 2 + register 4
    ['괡', 佤, 俴],
    ['댒', 3],  # register 3 <- 0
    ['꾮', 6, 3],  # XOR every character of register 6 with register 3
    ['꼖', 佤, 'Thanks.'],
    ['꼖', 侰, 'Authorizing access...'],
    ['돯', 佤],  # print register 0
    ['딓', 佤, 佤],  # register 0 <- memory cell 0 (the entered token)
    ['꾮', 佤, 俴],  # XOR every character of register 0 with register 2
    ['꿚', 佤, 4],  # subtract register 4 from every character of register 0
    ['꼖', 5, 19],
    ['꽲', 佤, 6, 5],  # compare register 0 with register 6
    ['돯', 侰],
    ['듃'],  # halt
    ['꼖', 侰, 'Access denied!'],
    ['돯', 侰],
    ['듃'],  # halt
])
找到大佬的wp才知道这是用python实现的一个虚拟机。这些"乱码"(괠,亀……)其实都是合法的Unicode标识符和字符串常量,可以用replace逐个替换成可读的名字。
替换后:
# uncompyle6 version 3.7.4
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.7.8 (tags/v3.7.8:4b47a5b6ba, Jun 28 2020, 08:53:46) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: circ.py
# Compiled at: 2019-12-14 02:29:55
# Size of source mod 2**32: 5146 bytes
# Small integer constants that the VM program uses in place of literals.
a = 0
b = (~a) * (~a)  # (-1) * (-1) == 1
c = 2 * b  # == 2
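def fun(x):
    """Interpret the list-encoded program *x* on a small register machine.

    Each instruction is a list ``[mnemonic, operand, ...]``.  Execution starts
    at index 0 and stops at the first instruction whose mnemonic is exactly
    ``'NULL'``.  State: ``m`` is a bank of 16 registers, ``key1`` holds 100
    memory cells and ``key2`` is a list of recorded jump targets.

    The decompiled VM lower-cases the mnemonic before dispatch.  That was
    harmless for the original obfuscated opcodes, but the renamed ones
    ('ADD', 'XOR', 'SUB', 'X', 'POP', 'for XOR', 'for SUB') contain capitals
    and could never match, so dispatch here compares against lower-case
    spellings.  A mnemonic that matches no branch only advances the program
    counter.

    Args:
        x: the program, a list of instructions as described above.

    Returns:
        None.  Output is produced only through ``print`` instructions.
    """
    pc = 0
    m = [0] * 16
    key1 = [0] * 100
    key2 = []
    while x[pc][0] != 'NULL':
        op = x[pc][0].lower()
        args = x[pc][1:]
        # --- three-operand arithmetic / bitwise operations on registers ---
        if op == 'add':
            m[args[0]] = m[args[1]] + m[args[2]]
        elif op == 'xor':
            m[args[0]] = m[args[1]] ^ m[args[2]]
        elif op == 'sub':
            m[args[0]] = m[args[1]] - m[args[2]]
        elif op == 'x':
            m[args[0]] = m[args[1]] * m[args[2]]
        elif op == '/':
            m[args[0]] = m[args[1]] / m[args[2]]  # true division, as decompiled
        elif op == '&':
            m[args[0]] = m[args[1]] & m[args[2]]
        elif op == '|':
            m[args[0]] = m[args[1]] | m[args[2]]
        # --- data movement between registers, memory cells and immediates ---
        elif op == 'mov':
            m[args[0]] = m[args[0]]  # self-assignment: leaves the register as is
        elif op == 'mov1':
            m[args[0]] = m[args[1]]
        elif op == 'mov2':
            m[args[0]] = args[1]  # load an immediate operand
        elif op == 'mov3':
            key1[args[0]] = m[args[1]]
        elif op == 'mov4':
            m[args[0]] = key1[args[1]]
        elif op == 'mov5':
            m[args[0]] = 0
        elif op == 'mov6':
            key1[args[0]] = 0
        # --- console I/O; the register operand of input() is the prompt ---
        elif op == 'input1':
            m[args[0]] = input(m[args[1]])
        elif op == 'input2':
            key1[args[0]] = input(m[args[1]])
        elif op == 'print1':
            print(m[args[0]])
        elif op == 'print2':
            print(key1[args[0]])
        # --- control flow: pc is overwritten, then incremented below ---
        elif op == 'mov7':
            pc = m[args[0]]
        elif op == 'mov8':
            pc = key1[args[0]]
        elif op == 'pop':
            pc = key2.pop()
        elif op == 'mov9':
            if m[args[1]] > m[args[2]]:
                pc = args[0]
                key2.append(pc)
                continue  # taken jump: skip the increment at the loop end
        elif op == 'cmp':
            # Whole-value comparison repeated once per element of the first
            # operand; a mismatch sets m[7] and redirects pc.
            # NOTE(review): nesting reconstructed, the listing had lost its
            # indentation.
            m[7] = 0
            for _ in range(len(m[args[0]])):
                if m[args[0]] != m[args[1]]:
                    m[7] = 1
                    pc = m[args[2]]
                    key2.append(pc)
        # --- per-character transforms of a string held in a register ---
        elif op == 'for xor':
            m[args[0]] = ''.join(chr(ord(ch) ^ m[args[1]]) for ch in m[args[0]])
        elif op == 'for sub':
            m[args[0]] = ''.join(chr(ord(ch) - m[args[1]]) for ch in m[args[0]])
        # --- conditional jumps: target from a register, memory or immediate ---
        elif op == 'mov10':
            if m[args[1]] > m[args[2]]:
                pc = m[args[0]]
                key2.append(pc)
                continue
        elif op == 'mov11':
            if m[args[1]] > m[args[2]]:
                pc = key1[args[0]]
                key2.append(pc)
                continue
        elif op == 'cmp1':
            if m[args[1]] == m[args[2]]:
                pc = args[0]
                key2.append(pc)
                continue
        elif op == 'cmp2':
            if m[args[1]] == m[args[2]]:
                pc = m[args[0]]
                key2.append(pc)
                continue
        elif op == 'cmp3':
            if m[args[1]] == m[args[2]]:
                pc = key1[args[0]]
                key2.append(pc)
                continue
        pc += 1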
# VM program for the token check, one instruction per line.  Each comment
# gives the effect the instruction has in the original (un-renamed) VM.
fun([
    ['mov2', a, 'Authentication token: '],  # m[0] = prompt text
    ['input2', a, a],  # key1[0] = input(m[0]), the entered token
    # m[6] = the expected transformed token
    ['mov2', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
    ['mov2', c, c ** (3 * c + b) - c ** (c + b)],  # m[2] = 2**7 - 2**3 = 120
    ['mov2', 4, 15],  # m[4] = 15
    ['mov2', 3, b],  # m[3] = 1
    ['X', c, c, 3],  # m[2] = m[2] * m[3] = 120
    ['ADD', c, c, 4],  # m[2] = m[2] + m[4] = 135
    ['mov', a, c],  # m[0] = m[0]; no effect
    ['mov5', 3],  # m[3] = 0
    ['for XOR', 6, 3],  # XOR each char of m[6] with m[3] (0): unchanged
    ['mov2', a, 'Thanks.'],  # m[0] = "Thanks."
    ['mov2', b, 'Authorizing access...'],  # m[1] = "Authorizing access..."
    ['print1', a],  # print m[0]
    ['mov4', a, a],  # m[0] = key1[0], the entered token
    ['for XOR', a, c],  # XOR each char of m[0] with m[2] (135)
    ['for SUB', a, 4],  # subtract m[4] (15) from each char of m[0]
    ['mov2', 5, 19],  # m[5] = 19
    ['cmp', a, 6, 5],  # compare m[0] with m[6]; a mismatch sets m[7] = 1 and loads m[5] into the program counter
    ['print1', b],  # print m[1]
    ['NULL'],  # halt
    ['mov2', b, 'Access denied!'],  # m[1] = "Access denied!"
    ['print1', b],  # print m[1]
    ['NULL'],  # halt
])
乱码替换后,分析逻辑:逻辑很简单,就是把输入的flag逐字符先与135异或,再减15,然后和下面这个字符串比较;所以逆向时对这个字符串逐字符先加15、再与135异或即可:á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë
3.直接上脚本:
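# Expected value that the VM program loads into register 6.
x = "á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë"

# The check applies (ord(ch) ^ 135) - 15 to every character of the token and
# compares the result with x.  The transform has no secret key and the
# expected value ships inside the program, so it inverts offline: undo the
# steps in reverse order (add 15, then XOR with 135).
flag = "".join(chr((ord(ch) + 15) ^ 135) for ch in x)
print(flag)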
4.get flag
flag{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0} (这是我见到的最长的flag了,200多个,麻了。)