攻防世界进阶Re(一)
0x00 re2-cpp-is-awesome
IDA,f5主函数,找到关键判断。
main.png
看到主要是判断v8和off_6020A0数组是否相等,dword_6020C6可以在HEX中查看(这样更加直观)。将off_6020A0和dword_6020C6提取出来。
off_6020A0.png dword_6020C6.png
ALIGN Num
其中:Num必须是2的幂,如:2、4、8和16等。
伪指令的作用是:告诉汇编程序,本伪指令下面的内存变量必须从下一个能被Num整除的地址开始分配。如果下一个地址正好能被Num整除,那么,该伪指令不起作用,否则,汇编程序将空出若干个字节,直到下一个地址能被Num整除为止。
脚本如下:
a = 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t'
b = [0x24,0x0,0x5,0x36,0x65,0x7,0x27,0x26,0x2d,0x1,0x3,0x0,0x0d,
0x56,0x01,0x3,0x65,0x3,0x2d,0x16,0x2,0x15,0x3,0x65,0x0,0x29,
0x44,0x44,0x01,0x44,0x2b]
tem = ''
for i in b:
arr = int(str(i))
arr1 = a[arr]
tem += arr1
print(tem)
0x01 crackme
首先使用PEiD查壳,加了nsp壳,这壳没见过啊。。手工脱壳也不会。。。。。。。。
只有工具了,后面再补手工的吧。
image.png
北斗3.X系列脱壳机脱壳,在IDA打开清晰明了,简单的异或操作。这里放个逆向工具包吧挺全挺好用的:https://pan.baidu.com/s/1ocTrTFujIwHLqPV2eC7U9g 提取码 9zp5
简单写个脚本得到flag
a = "this_is_not_flag"
b = [0x12,
0x4,0x8,0x14,0x24,0x5c,0x4a,0x3d,0x56,0xa,0x10,0x67,0x0,
0x41,0x0,
0x1,0x46,0x5a,0x44,0x42,0x6e,0x0c,0x44,0x72,0x0c,0x0d,
0x40,0x3e,0x4b,0x5f,0x2,0x1,0x4c,0x5e,0x5b,0x17,0x6e,0x0c,
0x16,0x68,0x5b,0x12,0x0,0x0]
flag = ""
for i in range(42):
flag += chr(ord(a[i%16])^b[i])
print(flag)
0x02 re-for-50-plz-50
拖进IDA,不能用F5大法了。发现这道题是MIPS汇编,看了大佬文章https://www.cnblogs.com/yanghong-hnu/p/5635245.html学了下MIPS指令。
然后简单分析下逻辑,就是简单的异或操作,字符串分别与0x37异或得到flag.
image.png
脚本如下:
a = "cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ"
b=0x37
flag=''
for i in a:
flag += chr(ord(i)^b)
print(flag)
0x03 key
终于是使用OD解出题了!
不过第一步还是拖进IDA,分析函数逻辑,发现太复杂了。不过可以看到执行成功的字样。
image.png
运行一下,弹出“?W?h?a?t h?a?p?p?e?n?”。一直跟到sub_402550函数,发现有一个文件的绝对路径,试着在这个路径下创建flag.txt文件,内容随便写。再次运行得到的提示变为了“=W=r=o=n=g=K=e=y=”。 所以我们推断这个程序的逻辑就是判断文本文件的内容是否符合条件。
image.png
其他逻辑就比较头疼了 ,拖进OD搜索ASCll码找到关键字符串。双击进入代码段。
image.png
发现错误提示这里在上方有个跳转,判断这里是一个关键跳转,在跳转处F2下断点,然后点击运行(一定要在上面分析出的目录中创建flag.txt文件,不要程序会直接退出)
image.png
我们可以看到跳转线为红色说明,这个要跳转到错误提示并退出,所以我们改变右边标志位Z为1(双击Z的值),跳转线变为灰色然后再F8单步往下走。
image.png
一直往下走,在此处屏幕出现成功标志,可以看到有两个字符串,第一个为我们自己生成并通过程序变形了的字符,第二个就是要与之比对的正确字符串,这就是flag。
image.png
0x04 simple-check-100
用linux远程连接好了之后,F5主函数,在check_key()处下断点,F2或者直接在行数前单击即可。
image.png
点击debugger—>start process 运行,Linux里提示输入字符,随便输入111。
image.png
查看汇编代码发现关键跳转,F8单步到此处,发现下一步会跳转到错误提示并退出程序。
image.png
所以我们改汇编代码为 jnz 就不会跳转了。Edit—>Patch program —>Assemble。把jz 改为 jnz 。
image.png
继续F8单步往下走。经过sub_80483D0后flag已经在linux里打印出来了。
image.png image.png
嘿嘿嘿 ,这个动态调试太好用了 ,第一次用,舒服舒服。都不用分析头痛的逻辑代码。
0x05 re1-100
拖进IDA,眼花缭乱的函数,不过还是F5大法,查看main函数伪代码。前面的函数都是花里胡哨的,输入一串字符,然后过滤掉OD和gdb的调试等等。这里我用了IDA动态调试有点迷没做出来,虚拟机还给我不小心整崩了。换了方法,但按道理是可以做出来的。
image.png
关键在下面这里这么多 if,唯独一个返回True。看到前面有字符的比较,但是后面字符串顺序不对啊。这里主要的变换函数在confuseke()。
image.png
这里它将字符串等长划分为四串,然后重新按 3,4,1,2的顺序排列。所以将上面花括号里的字符串逆回去就是flag了。
image.png
0x06 handcrafted-pyc
这道题有点难度啊,做了一天,,,
不是常规操作了。
我们得到的只有一个 py 文件,提取出来用python2运行之后,提示输入passwd。首先还是看看执行的是什么吧,把exec里面的东西输出看看。woc,就一行代码,就感觉是一个程序还要check。作为菜鸡,这就涉及到我知识盲区了,这也太秀了吧。到处搜索资料。终于发现它好像是python的字节码?
>>> a = marshal.loads(zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAc
kLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZ
q8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIl
LVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2
yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wr
mPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnf
qmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRd
slar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPg
JeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xi
kRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeC
BQ==')))
>>> exec(a)
password: qweqweqwe
Wrong password... Please try again. Do not brute force. =)
>>> print a
<code object <module> at 0000000003607F30, file "<string>", line 1>
>>>
然后就是反编译了,首先把它转成pyc 文件,其实就是再加个pyc文件头。
import marshal, zlib, base64
a = base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ==')
print (a)
n = zlib.decompress(a)
pyc_headr = '\x03\xf3\x0d\x0a\x14\x0c\xf4\x57'
data = pyc_headr + n
with open('1.pyc','wb') as file:
file.write(data)
file.close()
得到pyc之后,使用uncompyle6反汇编,以为开始正常做题了,然而并不是
uncompyle6 -o 2333.py 1.pyc
打开2333.py得到的却是一堆汇编代码,吐了,分析汇编,把passwd之前的asccll全部提取出来得到一字符串:“ llaC em yP aht notriv lauhcamni !eac Ini npreterP tohty ntybdocese!!! ”感觉这很接近答案了,还观察到汇编里面还有ROT_TWO和BINARY_ADD两个操作。第一个是将栈里栈顶和下一个数据互换,第二个是将栈顶和下一个数据相加在压栈。
(只贴要用汇编代码,太多了)
# uncompyle6 version 3.2.5
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)]
# Embedded file name: <string>
# Compiled at: 2016-10-05 04:07:48
def main--- This code section failed: ---
1 0 LOAD_GLOBAL 0 'chr'
3 LOAD_CONST 1 108
6 CALL_FUNCTION_1 1 None
9 LOAD_GLOBAL 0 'chr'
12 LOAD_CONST 1 108
15 CALL_FUNCTION_1 1 None
18 LOAD_GLOBAL 0 'chr'
21 LOAD_CONST 2 97
24 CALL_FUNCTION_1 1 None
27 LOAD_GLOBAL 0 'chr'
30 LOAD_CONST 3 67
33 CALL_FUNCTION_1 1 None
36 ROT_TWO
37 BINARY_ADD
38 ROT_TWO
39 BINARY_ADD
40 ROT_TWO
41 BINARY_ADD
42 LOAD_GLOBAL 0 'chr'
45 LOAD_CONST 4 32
48 CALL_FUNCTION_1 1 None
51 LOAD_GLOBAL 0 'chr'
54 LOAD_CONST 5 101
57 CALL_FUNCTION_1 1 None
60 LOAD_GLOBAL 0 'chr'
63 LOAD_CONST 6 109
66 CALL_FUNCTION_1 1 None
69 LOAD_GLOBAL 0 'chr'
72 LOAD_CONST 4 32
75 CALL_FUNCTION_1 1 None
78 ROT_TWO
79 BINARY_ADD
80 ROT_TWO
81 BINARY_ADD
82 ROT_TWO
83 BINARY_ADD
84 BINARY_ADD
85 LOAD_GLOBAL 0 'chr'
88 LOAD_CONST 7 121
91 CALL_FUNCTION_1 1 None
94 LOAD_GLOBAL 0 'chr'
97 LOAD_CONST 8 80
100 CALL_FUNCTION_1 1 None
103 LOAD_GLOBAL 0 'chr'
106 LOAD_CONST 4 32
109 CALL_FUNCTION_1 1 None
112 LOAD_GLOBAL 0 'chr'
115 LOAD_CONST 2 97
118 CALL_FUNCTION_1 1 None
121 ROT_TWO
122 BINARY_ADD
123 ROT_TWO
124 BINARY_ADD
125 ROT_TWO
126 BINARY_ADD
127 LOAD_GLOBAL 0 'chr'
130 LOAD_CONST 9 104
133 CALL_FUNCTION_1 1 None
136 LOAD_GLOBAL 0 'chr'
139 LOAD_CONST 10 116
142 CALL_FUNCTION_1 1 None
145 ROT_TWO
146 BINARY_ADD
147 LOAD_GLOBAL 0 'chr'
150 LOAD_CONST 4 32
153 CALL_FUNCTION_1 1 None
156 LOAD_GLOBAL 0 'chr'
159 LOAD_CONST 11 110
162 CALL_FUNCTION_1 1 None
165 LOAD_GLOBAL 0 'chr'
168 LOAD_CONST 12 111
171 CALL_FUNCTION_1 1 None
174 ROT_TWO
175 BINARY_ADD
176 ROT_TWO
177 BINARY_ADD
178 BINARY_ADD
179 BINARY_ADD
180 BINARY_ADD
181 LOAD_GLOBAL 0 'chr'
184 LOAD_CONST 10 116
187 CALL_FUNCTION_1 1 None
190 LOAD_GLOBAL 0 'chr'
193 LOAD_CONST 13 114
196 CALL_FUNCTION_1 1 None
199 LOAD_GLOBAL 0 'chr'
202 LOAD_CONST 14 105
205 CALL_FUNCTION_1 1 None
208 LOAD_GLOBAL 0 'chr'
211 LOAD_CONST 15 118
214 CALL_FUNCTION_1 1 None
217 ROT_TWO
218 BINARY_ADD
219 ROT_TWO
220 BINARY_ADD
221 ROT_TWO
222 BINARY_ADD
223 LOAD_GLOBAL 0 'chr'
226 LOAD_CONST 4 32
229 CALL_FUNCTION_1 1 None
232 LOAD_GLOBAL 0 'chr'
235 LOAD_CONST 1 108
238 CALL_FUNCTION_1 1 None
241 LOAD_GLOBAL 0 'chr'
244 LOAD_CONST 2 97
247 CALL_FUNCTION_1 1 None
250 LOAD_GLOBAL 0 'chr'
253 LOAD_CONST 16 117
256 CALL_FUNCTION_1 1 None
259 ROT_TWO
260 BINARY_ADD
261 ROT_TWO
262 BINARY_ADD
263 ROT_TWO
264 BINARY_ADD
265 BINARY_ADD
266 LOAD_GLOBAL 0 'chr'
269 LOAD_CONST 9 104
272 CALL_FUNCTION_1 1 None
275 LOAD_GLOBAL 0 'chr'
278 LOAD_CONST 17 99
281 CALL_FUNCTION_1 1 None
284 LOAD_GLOBAL 0 'chr'
287 LOAD_CONST 2 97
290 CALL_FUNCTION_1 1 None
293 LOAD_GLOBAL 0 'chr'
296 LOAD_CONST 6 109
299 CALL_FUNCTION_1 1 None
302 ROT_TWO
303 BINARY_ADD
304 ROT_TWO
305 BINARY_ADD
306 ROT_TWO
307 BINARY_ADD
308 LOAD_GLOBAL 0 'chr'
311 LOAD_CONST 11 110
314 CALL_FUNCTION_1 1 None
317 LOAD_GLOBAL 0 'chr'
320 LOAD_CONST 14 105
323 CALL_FUNCTION_1 1 None
326 ROT_TWO
327 BINARY_ADD
328 LOAD_GLOBAL 0 'chr'
331 LOAD_CONST 4 32
334 CALL_FUNCTION_1 1 None
337 LOAD_GLOBAL 0 'chr'
340 LOAD_CONST 18 33
343 CALL_FUNCTION_1 1 None
346 LOAD_GLOBAL 0 'chr'
349 LOAD_CONST 5 101
352 CALL_FUNCTION_1 1 None
355 ROT_TWO
356 BINARY_ADD
357 ROT_TWO
358 BINARY_ADD
359 BINARY_ADD
360 BINARY_ADD
361 BINARY_ADD
362 BINARY_ADD
363 LOAD_GLOBAL 0 'chr'
366 LOAD_CONST 2 97
369 CALL_FUNCTION_1 1 None
372 LOAD_GLOBAL 0 'chr'
375 LOAD_CONST 17 99
378 CALL_FUNCTION_1 1 None
381 LOAD_GLOBAL 0 'chr'
384 LOAD_CONST 4 32
387 CALL_FUNCTION_1 1 None
390 LOAD_GLOBAL 0 'chr'
393 LOAD_CONST 19 73
396 CALL_FUNCTION_1 1 None
399 ROT_TWO
400 BINARY_ADD
401 ROT_TWO
402 BINARY_ADD
403 ROT_TWO
404 BINARY_ADD
405 LOAD_GLOBAL 0 'chr'
408 LOAD_CONST 11 110
411 CALL_FUNCTION_1 1 None
414 LOAD_GLOBAL 0 'chr'
417 LOAD_CONST 14 105
420 CALL_FUNCTION_1 1 None
423 LOAD_GLOBAL 0 'chr'
426 LOAD_CONST 4 32
429 CALL_FUNCTION_1 1 None
432 LOAD_GLOBAL 0 'chr'
435 LOAD_CONST 11 110
438 CALL_FUNCTION_1 1 None
441 ROT_TWO
442 BINARY_ADD
443 ROT_TWO
444 BINARY_ADD
445 ROT_TWO
446 BINARY_ADD
447 BINARY_ADD
448 LOAD_GLOBAL 0 'chr'
451 LOAD_CONST 20 112
454 CALL_FUNCTION_1 1 None
457 LOAD_GLOBAL 0 'chr'
460 LOAD_CONST 13 114
463 CALL_FUNCTION_1 1 None
466 LOAD_GLOBAL 0 'chr'
469 LOAD_CONST 5 101
472 CALL_FUNCTION_1 1 None
475 LOAD_GLOBAL 0 'chr'
478 LOAD_CONST 10 116
481 CALL_FUNCTION_1 1 None
484 ROT_TWO
485 BINARY_ADD
486 ROT_TWO
487 BINARY_ADD
488 ROT_TWO
489 BINARY_ADD
490 LOAD_GLOBAL 0 'chr'
493 LOAD_CONST 5 101
496 CALL_FUNCTION_1 1 None
499 LOAD_GLOBAL 0 'chr'
502 LOAD_CONST 13 114
505 CALL_FUNCTION_1 1 None
508 ROT_TWO
509 BINARY_ADD
510 LOAD_GLOBAL 0 'chr'
513 LOAD_CONST 8 80
516 CALL_FUNCTION_1 1 None
519 LOAD_GLOBAL 0 'chr'
522 LOAD_CONST 4 32
525 CALL_FUNCTION_1 1 None
528 LOAD_GLOBAL 0 'chr'
531 LOAD_CONST 10 116
534 CALL_FUNCTION_1 1 None
537 ROT_TWO
538 BINARY_ADD
539 ROT_TWO
540 BINARY_ADD
541 BINARY_ADD
542 BINARY_ADD
543 BINARY_ADD
544 LOAD_GLOBAL 0 'chr'
547 LOAD_CONST 12 111
550 CALL_FUNCTION_1 1 None
553 LOAD_GLOBAL 0 'chr'
556 LOAD_CONST 9 104
559 CALL_FUNCTION_1 1 None
562 LOAD_GLOBAL 0 'chr'
565 LOAD_CONST 10 116
568 CALL_FUNCTION_1 1 None
571 LOAD_GLOBAL 0 'chr'
574 LOAD_CONST 7 121
577 CALL_FUNCTION_1 1 None
580 ROT_TWO
581 BINARY_ADD
582 ROT_TWO
583 BINARY_ADD
584 ROT_TWO
585 BINARY_ADD
586 LOAD_GLOBAL 0 'chr'
589 LOAD_CONST 4 32
592 CALL_FUNCTION_1 1 None
595 LOAD_GLOBAL 0 'chr'
598 LOAD_CONST 11 110
601 CALL_FUNCTION_1 1 None
604 ROT_TWO
605 BINARY_ADD
606 LOAD_GLOBAL 0 'chr'
609 LOAD_CONST 10 116
612 CALL_FUNCTION_1 1 None
615 LOAD_GLOBAL 0 'chr'
618 LOAD_CONST 7 121
621 CALL_FUNCTION_1 1 None
624 LOAD_GLOBAL 0 'chr'
627 LOAD_CONST 21 98
630 CALL_FUNCTION_1 1 None
633 ROT_TWO
634 BINARY_ADD
635 ROT_TWO
636 BINARY_ADD
637 BINARY_ADD
638 BINARY_ADD
639 LOAD_GLOBAL 0 'chr'
642 LOAD_CONST 22 100
645 CALL_FUNCTION_1 1 None
648 LOAD_GLOBAL 0 'chr'
651 LOAD_CONST 12 111
654 CALL_FUNCTION_1 1 None
657 LOAD_GLOBAL 0 'chr'
660 LOAD_CONST 17 99
663 CALL_FUNCTION_1 1 None
666 LOAD_GLOBAL 0 'chr'
669 LOAD_CONST 5 101
672 CALL_FUNCTION_1 1 None
675 ROT_TWO
676 BINARY_ADD
677 ROT_TWO
678 BINARY_ADD
679 ROT_TWO
680 BINARY_ADD
681 LOAD_GLOBAL 0 'chr'
684 LOAD_CONST 23 115
687 CALL_FUNCTION_1 1 None
690 LOAD_GLOBAL 0 'chr'
693 LOAD_CONST 5 101
696 CALL_FUNCTION_1 1 None
699 ROT_TWO
700 BINARY_ADD
701 LOAD_GLOBAL 0 'chr'
704 LOAD_CONST 18 33
707 CALL_FUNCTION_1 1 None
710 LOAD_GLOBAL 0 'chr'
713 LOAD_CONST 18 33
716 CALL_FUNCTION_1 1 None
719 LOAD_GLOBAL 0 'chr'
722 LOAD_CONST 18 33
725 CALL_FUNCTION_1 1 None
728 ROT_TWO
729 BINARY_ADD
730 ROT_TWO
731 BINARY_ADD
732 BINARY_ADD
733 BINARY_ADD
734 BINARY_ADD
735 BINARY_ADD
736 BINARY_ADD
737 LOAD_CONST 0 None
740 NOP
741 JUMP_ABSOLUTE 759 'to 759'
744 LOAD_GLOBAL 1 'raw_input'
747 JUMP_ABSOLUTE 1480 'to 1480'
750 LOAD_FAST 0 'password'
753 COMPARE_OP 2 '=='
756 JUMP_ABSOLUTE 767 'to 767'
759 ROT_TWO
760 STORE_FAST 0 'password'
763 POP_TOP
764 JUMP_BACK 744 'to 744'
767 POP_JUMP_IF_FALSE 1591 'to 1591'
770 LOAD_GLOBAL 0 'chr'
然后就是写脚本来代替上面两个函数的操作了,得到一个正确的字符串,再次exec输入passwd的值得到flag。
exp:
import marshal, zlib, base64, dis, re
mar = (marshal.loads(zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ=='))))
# exec(mar)
# print mar.co_consts
with open('1.pyc', 'wb') as f:
marshal.dump(mar.co_consts[1], f)
with open("1.txt",'r') as f:
line = []
for i in range(324):
line.append(f.readline())
def ROT_TWO(List):
a = List.pop()
b = List.pop()
List.append(a)
List.append(b)
return List
def BINARY_ADD(List):
a = List.pop()
b = List.pop()
List.append(b+a)
return List
cipher = "llaC em yP aht notriv lauhcamni !eac Ini npreterP tohty ntybdocese!!!"
cipher = list(cipher)
s =[]
j=0
for i in line:
if 'LOAD_CONST' in i and j < len(cipher):
s.append(cipher[j])
j += 1
elif 'ROT_TWO' in i:
s = ROT_TWO(s)
elif 'BINARY_ADD' in i:
s = BINARY_ADD(s)
print s