【攻防世界】Reverse——bad_python writeup

pyc 文件是 Python 在解释执行源代码时生成的一种字节码文件，它包含了源代码的编译结果和相关的元数据信息，以便于 Python 可以更快地加载和执行代码。

可以使用uncompyle把pyc还原成py：

发现无法编译成功，结合题目名字bad_python和cpython-36.pyc， 猜测是用python3.6编译的，但是头部被损坏导致uncompyle无法解析。

而正常的用python3.6编译的pyc文件的头是这样的：

复制正常文件的头到pyre-cpython-36.pyc，就可以成功编译了。得到如下代码：

# uncompyle6 version 3.9.0
# Python bytecode version base 3.6 (3379)
# Decompiled from: Python 3.6.2 |Continuum Analytics, Inc.| (default, Jul 20 2017, 12:30:02) [MSC v.1900 64 bit (AMD64)]
# Embedded file name: pyre.py
# Compiled at: 2024-01-05 10:16:56
# Size of source mod 2**32: 52 bytes
from ctypes import *
from Crypto.Util.number import bytes_to_long
from Crypto.Util.number import long_to_bytes

def encrypt(v, k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    sum1 = c_uint32(0)
    delta = 195935983
    for i in range(32):
        v0.value += (v1.value << 4 ^ v1.value >> 7) + v1.value ^ sum1.value + k[sum1.value & 3]
        sum1.value += delta
        v1.value += (v0.value << 4 ^ v0.value >> 7) + v0.value ^ sum1.value + k[sum1.value >> 9 & 3]

    return (
     v0.value, v1.value)


if __name__ == '__main__':
    flag = input('please input your flag:')
    k = [255, 187, 51, 68]
    if len(flag) != 32:
        print('wrong!')
        exit(-1)
    a = []
    for i in range(0, 32, 8):
        v1 = bytes_to_long(bytes(flag[i:i + 4], 'ascii'))
        v2 = bytes_to_long(bytes(flag[i + 4:i + 8], 'ascii'))
        a += encrypt([v1, v2], k)

    enc = [
     '4006073346', '2582197823', '2235293281', '558171287', '2425328816',
     '1715140098', '986348143', '1948615354']
    for i in range(8):
        if enc[i] != a[i]:
            print('wrong!')
            exit(-1)

    print('flag is flag{%s}' % flag)

使用下面的代码得到flag

from ctypes import *



def decrypt(v, k):  
    v0 = c_uint32(v[0])  
    v1 = c_uint32(v[1])  
    sum1 = c_uint32(0)  
    delta = 195935983 
    sum1.value = delta * 32 
    for i in range(32):  
        v1.value -= (v0.value << 4 ^ v0.value >> 7) + v0.value ^ sum1.value + k[sum1.value >> 9 & 3]
        sum1.value -= delta
        v0.value -= (v1.value << 4 ^ v1.value >> 7) + v1.value ^ sum1.value + k[sum1.value & 3]
  
    return (  
        v0.value, v1.value)


if __name__ == '__main__':
   
    k = [255, 187, 51, 68]

    dec = []
    for i in range(0,8,2):
        enc = [4006073346, 2582197823,   2235293281, 558171287,  
               2425328816, 1715140098,  986348143, 1948615354] 
        dec+=decrypt([enc[i], enc[i + 1]], k)  

print(dec)    
  
byte_array = bytearray()  
for i in range(0, 8):
    num = dec[i]   
    for i in range(4):  
        byte = num >> (8*(3-i)) & 0xff  
        byte_array.append(byte)
flag = ''.join([chr(x) for x in byte_array]) 
print("flag{"+flag+"}")