
[buuctf.reverse] 100_[watevrCTF 2019]Repyc

Date: 2023-04-04 00:07:00

A Python virtual machine

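The download is a pyc file, which is not hard to handle: just decompile it with an online tool. The result looks like a pile of gibberish, but it is not random. The variable names are obviously written in UTF-8 characters, so renaming them one by one is enough. I hear some people plan to write programs in Chinese characters; I suppose the result would be much like this: once written, it has turned into a cipher.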

Since it is a VM, I renamed the commands one by one to read it; the original gibberish was too ugly.

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6

def fun(val):
    idx = 0            # program counter
    unused = 0         # set once, never read below
    data1 = [0] * 16   # register file d1
    data2 = [0] * 100  # memory d2
    s1 = []            # stack of jump targets
    while val[idx][0] != '\xeb\x93\x83':   # halt opcode
        cmd = val[idx][0].lower()
        arg = val[idx][1:]
        if cmd == 'd1_0=1+2':
            data1[arg[0]] = data1[arg[1]] + data1[arg[2]]
        elif cmd == 'd1_0=1^2':
            data1[arg[0]] = data1[arg[1]] ^ data1[arg[2]]
        elif cmd == 'd1_0=1-2':
            data1[arg[0]] = data1[arg[1]] - data1[arg[2]]
        elif cmd == 'd1_0=1*2':
            data1[arg[0]] = data1[arg[1]] * data1[arg[2]]
        elif cmd == 'd1_0=1/2':
            data1[arg[0]] = data1[arg[1]] / data1[arg[2]]
        elif cmd == 'd1_0=1&2':
            data1[arg[0]] = data1[arg[1]] & data1[arg[2]]
        elif cmd == 'd1_0=1|2':
            data1[arg[0]] = data1[arg[1]] | data1[arg[2]]
        elif cmd == 'd1_0=d1_0':
            data1[arg[0]] = data1[arg[0]]
        elif cmd == 'd1_0=d1_1':
            data1[arg[0]] = data1[arg[1]]
        elif cmd == 'set_d1':
            data1[arg[0]] = arg[1]
        elif cmd == 'd2_0=d1_1':
            data2[arg[0]] = data1[arg[1]]
        elif cmd == 'd1_0=d2_1':
            data1[arg[0]] = data2[arg[1]]
        elif cmd == 'd1_0=n':
            data1[arg[0]] = 0
        elif cmd == 'd2_0=n0':
            data2[arg[0]] = 0
        elif cmd == 'd1_0=input':
            data1[arg[0]] = input(data1[arg[1]])
        elif cmd == 'd2_0=input':
            data2[arg[0]] = input(data1[arg[1]])
        elif cmd == 'print_d1_0':
            print(data1[arg[0]])
        elif cmd == 'print_d2_0':
            print(data2[arg[0]])
        elif cmd == 'jmp_d1_0':
            idx = data1[arg[0]]
        elif cmd == 'jmp_d2_0':
            idx = data2[arg[0]]
        elif cmd == 'jmp_s1_pop':
            idx = s1.pop()
        # conditional jump: taken only when d1[arg1] > d1[arg2]
        elif cmd == '\xeb\xaf\x83' and data1[arg[1]] > data1[arg[2]]:
            idx = arg[0]
            s1.append(idx)
            continue
        elif cmd == '????':
            # compare d1[arg0] with d1[arg1]; on mismatch set d1[7] and jump
            data1[7] = 0
            for i in range(len(data1[arg[0]])):
                if data1[arg[0]] != data1[arg[1]]:
                    data1[7] = 1
                    idx = data1[arg[2]]
                    s1.append(idx)
        elif cmd == 'd1_0[] ^=d_1':
            # XOR every character of the string in d1[arg0] with d1[arg1]
            s2 = ''
            for i in range(len(data1[arg[0]])):
                s2 += chr(ord(data1[arg[0]][i]) ^ data1[arg[1]])
            data1[arg[0]] = s2
        elif cmd == 'd1_0[] -=d_1':
            # subtract d1[arg1] from every character of the string in d1[arg0]
            s2 = ''
            for i in range(len(data1[arg[0]])):
                s2 += chr(ord(data1[arg[0]][i]) - data1[arg[1]])
            data1[arg[0]] = s2
        elif cmd == 'push,jmp d1_0' and data1[arg[1]] > data1[arg[2]]:
            idx = data1[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d2_0' and data1[arg[1]] > data1[arg[2]]:
            idx = data2[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp 0' and data1[arg[1]] == data1[arg[2]]:
            idx = arg[0]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d1_0_2' and data1[arg[1]] == data1[arg[2]]:
            idx = data1[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d2_0_2' and data1[arg[1]] == data1[arg[2]]:
            idx = data2[arg[0]]
            s1.append(idx)
            continue
        idx += 1


fun([
    ['set_d1', 0, 'Authentication token: '],
    ['d2_0=input', 0, 0],      # d2[0] = input('Authentication token: ')
                               # d1[6] = ...
    ['set_d1', 6, '...'],      # several hundred characters omitted here
    ['set_d1', 2, 120],        # d1[2] = 120
    ['set_d1', 4, 15],         # d1[4] = 15
    ['set_d1', 3, 1],          # d1[3] = 1
    ['d1_0=1*2', 2, 2, 3],     # d1[2] = d1[2]*d1[3] = 120
    ['d1_0=1+2', 2, 2, 4],     # d1[2] = d1[2]+d1[4] = 135
    ['d1_0=d1_0', 0, 2],
    ['d1_0=n', 3],             # d1[3] = 0
    ['d1_0[] ^=d_1', 6, 3],    # d1[6] ^= d1[3], unchanged
    ['set_d1', 0, 'Thanks.'],  # d1[0] = 'Thanks.'
    ['set_d1', 1, 'Authorizing access...'],  # d1[1] = 'Authorizing access...'
    ['print_d1_0', 0],         # print('Thanks.')
    ['d1_0=d2_1', 0, 0],       # d1[0] = d2[0], the input flag
    ['d1_0[] ^=d_1', 0, 2],    # d1[0] ^= d1[2]  (135)
    ['d1_0[] -=d_1', 0, 4],    # d1[0] -= d1[4]  (15)
    ['set_d1', 5, 19],         # d1[5] = 19
    ['????', 0, 6, 5],         # ??? meaning unclear
    ['print_d1_0', 1],         # print('Authorizing access...')
    ['\xeb\x93\x83'],
    ['set_d1', 1, 'Access denied!'],
    ['print_d1_0', 1],
    ['\xeb\x93\x83']])

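After the renaming it becomes readable: the input flag is first XORed with 135 and then has 15 subtracted; what follows is an error statement I don't understand and the success message output. My guess is that it computes (flag^135)-15 and then compares the result with that long string. But the result was gibberish. Then I figured that since the variable names are all UTF-8 strings, this is probably UTF-8 too, so I decoded it as UTF-8 first and then processed it.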

a = b'\xc3\xa1\xc3\x97\xc3\xa4......'
print(''.join([chr((ord(i)+15)^135) for i in a.decode('utf-8')]))
#watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}
#flag{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}

Still, I don't quite understand this: in theory UTF-8 never produces multiple bytes when handling ASCII codes. I can't figure it out.
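Why the constant is multi-byte, as an added example that is not part of the original post: the VM transforms code points with chr/ord, and (c ^ 135) - 15 moves every printable ASCII character into U+0091..U+00F0, which UTF-8 encodes as two bytes. The function names are illustrative, and the input 'wat' is a constructed sample taken from the flag prefix; its encoding reproduces the first bytes of the constant shown above.

```python
# Added example: the VM works on Unicode code points, not on bytes.

XOR_KEY = 135   # d1[2] in the VM program: 120 * 1 + 15
SUB_KEY = 15    # d1[4] in the VM program


def vm_encode(text):
    """Apply the VM's two string steps: XOR every character, then subtract."""
    return ''.join(chr((ord(c) ^ XOR_KEY) - SUB_KEY) for c in text)


def vm_decode(encoded):
    """Invert vm_encode: add back first, then XOR."""
    return ''.join(chr((ord(c) + SUB_KEY) ^ XOR_KEY) for c in encoded)


def decode_from_bytes(raw):
    """Correct recovery: decode UTF-8 to code points, then invert."""
    return vm_decode(raw.decode('utf-8'))


def decode_bytewise(raw):
    """Mistaken recovery: treat every UTF-8 byte as one character."""
    return ''.join(chr((b + SUB_KEY) ^ XOR_KEY) for b in raw)


if __name__ == '__main__':
    sample = 'wat'                    # constructed input: the flag prefix
    encoded = vm_encode(sample)
    raw = encoded.encode('utf-8')     # byte form, as quoted in the post
    for c, e in zip(sample, encoded):
        print(f'{c!r} U+{ord(c):04X} -> U+{ord(e):04X} -> {e.encode("utf-8")}')
    print(raw)
    print(decode_from_bytes(raw))       # recovers the sample
    print(repr(decode_bytewise(raw)))   # gibberish, twice as long
```

XOR with 135 (0x87) sets bit 7 of every ASCII character, so the encoded text is never ASCII even though the flag is.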
