[柏鹭杯 2021]baby_python

pyinstxtractor解包，发现需要python3.7本版，不然解出来了，会发现PYZ-00.pyz_extracted文件夹中什么也没有

如图所示
直接就去官网下一个python3.7，然后就在其控制台pyinstxtractor解包即可
我用的是anconda，python本版控制器，切换到python3.7本版进行解包

会有许多报错，也是正常的，因为PYZ-00.pyz_extracted目录下的文件被加密了
解包后，文件夹在C:\Users\下的个人用户目录下
对baby.pyc进行反汇编

可见核心代码在baby_core.pyc中，也就是在baby.exe_extracted\PYZ-00.pyz_extracted\baby_python中
来到相应的文件夹，发现全被加密了

baby_python\baby_core.pyc.encrypted也是被加密的
找到可能存放key的pyc文件

反汇编得到key = ‘f8c0870eba862579’

接下来写个文件解密脚本

import zlib
from pathlib import Path

import tinyaes

key = 'f8c0870eba862579'
key = bytes(key, 'utf-8')
for p in Path(r"C:\Users\86158\Desktop\REVERSE\baby.exe_extracted\PYZ-00.pyz_extracted").glob("**\*.pyc.encrypted"):
    # "**/*.pyc.encrypted" 表示匹配当前目录及其所有子目录中以 .pyc.encrypted 结尾的文件路径。
    inf = open(p, 'rb')
    outf = open(p.with_name(p.stem), 'wb')  # 去除扩展名baby_core.pyc.encrypted变baby_core.pyc
    iv = inf.read(len(key))
    cipher = tinyaes.AES(key, iv)
    # 从文件中读取加密压缩过的数据，对其进行解密和解压缩，最终得到原始的明文数据，并将其存储在变量 plaintext 中。
    plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
    # The header below is for Python 3.8(也可以和struct.pyc文件头16字节一样)
    outf.write(b'\x42\x0D\x0D\x0A\0\0\0\0\x70\x79\x69\x30\x10\x01\0\0')
    outf.write(plaintext)
    inf.close()
    outf.close()
    p.unlink()  # 删除原始的 .pyc.encrypted 文件
    print(f"{p}已完成\n")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

对baby_core.pyc进行反汇编

# uncompyle6 version 3.9.0
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: baby_python\baby_core.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import hashlib

def md5(s: bytes) -> str:
    m = hashlib.md5()
    m.update(s)
    return m.hexdigest().lower()


def main():
    secret = input('secret: ')
    if len(secret) != 48:
        return
    else:
        return secret.isnumeric() or None
    values = []
    for i in range(0, 48, 3):
        values.append(int(secret[i:i + 3]))

    co = [[158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 
      205, 113, 122],
     [
      234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 
      205, 198, 234, 162, 218],
     [
      164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 
      151, 193, 119, 226, 193],
     [
      213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 
      228, 100, 206, 218, 177],
     [
      217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 
      137, 171, 173, 206, 240],
     [
      160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 
      205, 177, 240, 194, 181],
     [
      183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 
      111, 191, 226, 154, 191],
     [
      247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 
      214, 195, 162, 214, 239],
     [
      108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 
      239, 131, 138, 161, 218],
     [
      140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 
      119, 122, 152, 186, 124],
     [
      105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 
      122, 202, 202, 190, 178],
     [
      183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 
      211, 196, 136, 158, 210],
     [
      224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 
      254, 117, 253, 100, 106],
     [
      251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 
      198, 208, 171, 151, 230],
     [
      143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 
      208, 185, 117, 189, 242],
     [
      234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 
      218, 209, 220, 158, 228]]
    r = [
     472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361, 
     423332, 427624, 440268, 488759, 469049, 484574, 
     480266, 
     522818]
    for i in range(16):
        v = 0
        for j in range(16):
            v += co[i][j] * values[j]

        if v != r[i]:
            return

    print('flag{ISEC-%s}' % md5(secret.encode()))
# okay decompiling C:\Users\86158\Desktop\REVERSE\baby.exe_extracted\PYZ-00.pyz_extracted\baby_python\baby_core.pyc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

直接用求解器

import hashlib

from z3 import *


def md5(ss: bytes) -> str:
    m = hashlib.md5()
    m.update(ss)
    return m.hexdigest().lower()


co = [[158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145,
       205, 113, 122],
      [
          234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131,
          205, 198, 234, 162, 218],
      [
          164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232,
          151, 193, 119, 226, 193],
      [
          213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104,
          228, 100, 206, 218, 177],
      [
          217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167,
          137, 171, 173, 206, 240],
      [
          160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174,
          205, 177, 240, 194, 181],
      [
          183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160,
          111, 191, 226, 154, 191],
      [
          247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225,
          214, 195, 162, 214, 239],
      [
          108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193,
          239, 131, 138, 161, 218],
      [
          140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129,
          119, 122, 152, 186, 124],
      [
          105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141,
          122, 202, 202, 190, 178],
      [
          183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175,
          211, 196, 136, 158, 210],
      [
          224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208,
          254, 117, 253, 100, 106],
      [
          251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193,
          198, 208, 171, 151, 230],
      [
          143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170,
          208, 185, 117, 189, 242],
      [
          234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113,
          218, 209, 220, 158, 228]]
r = [
    472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361,
    423332, 427624, 440268, 488759, 469049, 484574,
    480266,
    522818]
s = Solver()
values = [Int('n[%d]' % i) for i in range(16)]
for i in range(16):
    v = 0
    for j in range(16):
        v += co[i][j] * values[j]
    s.add(v == r[i])
if s.check() == sat:
    model = s.model()
    flag = ''.join(str(model[i]) for i in values)
    print('flag{ISEC-%s}' % md5(flag.encode()))
# flag{ISEC-ca32ab6174689b5e366241ad58108c68}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

相关阅读:
b站黑马JavaScript的Ajax案例代码——图书管理案例
 【Python高级编程】pickle`文件处理：序列化与反序列化
 Vue循环渲染 v-for和v-if，key
python包引用方式总结
 DevSecOps：软件安全捍卫者
 AI框架的未来将何去何从，跟着MindSpore一起探讨其趋势
 C++基础——数组
 Flink容错机制
 开发工具篇第七讲：阿里云日志查询与分析
 LeetCode 87 双周赛
原文地址：https://blog.csdn.net/liaochonxiang/article/details/136856922