自己真的菜,然后在网上找了一篇分析pyc反编译后的文件然后进行手撸opcode,过程真痛苦
http://www.wooy0ung.me/writeup/2017/10/11/0ctf-quals-2017-py/
names ('ctypes', 'libnum', 'n2s', 's2n', 'binascii', 'b', 'key', 'aaaa', 'aa', 'aaaaa', 'aaa', 'aaaaaa', '__name__')从这我们看到程序的大概函数和变量
ctypes libnum n2s s2n binascii b key aaaa aa aaaaa aaa aaaaaa __name__
查找了一下发现 ctypes 是python 访问c 的库
连接http://python3-cookbook.readthedocs.io/zh_CN/latest/c15/p01_access_ccode_using_ctypes.html
libnum 类似 用法参考以下链接
http://www.cnblogs.com/pcat/p/7225782.html
google 了一下发现这个
Very Hard RSA
http://bestwing.me/2016/09/10/Common%20types%20of%20RSA/
基本还原前四个的代码了
import ctypes
from libnum import n2s,s2n
至于binasciipython内置模块我这里不做阐述
然后就是 b key aaaa aa aaaaa aaa aaaaaa '__name__'
开始猜测大概函数是这样
import ctypes
from libnum import n2s,s2n
def b():
...
def key():
...
def aaaa():
...
def aa():
...
def aaaaa():
...
def aaa():
...
def aaaaaa():
...
def main():
...
if '__name__==main()'
main()
但是再回去分析发现导出都在传key所以key几乎不可能是一个函数而且b只在a.py处出现了一次,推测b可能是一个局部变量
现在有如下结构
import ctypes
from libnum import n2s,s2n
def aaaa():
...
def aa():
...
def aaaaa():
...
def aaa():
...
def aaaaaa():
...
def main():
...
if '__name__==main()'
main()
这时候我们通过 names vernames和name 进行还原
import ctypes
from libnum import n2s,s2n
def aaaa():
a=lambda a:b.hexhexlify(a)
def aa():
a=cdll.LoadLibrary('./a') #https://blog.csdn.net/linda1000/article/details/12623527
def aaaaa():
s2n(a)
def aaa():
a=cdll.LoadLibrary('./a')
def aaaaaa():
aaa(aaaa(key))
def main():
aaaaaa()
if '__name__==main()'
main()
发现似乎含有bug,使得freevars段还没使用,怎么办呢google http://kdr2.com/tech/main/1012-pyc-format.html
发现这是嵌套函数使用的,好了们明白了
import ctypes
from libnum import n2s,s2n
key=***
def aaaa(key):
a=lambda a:b.hexhexlify(a)
return ''.join(a[i] for i in key)
def aa(key):
a=cdll.LoadLibrary('./a') #https://blog.csdn.net/linda1000/article/details/12623527
a(key)
def aaaaa(a):
s2n(a)
def aaa(key):
a=cdll.LoadLibrary('./a')
a(key)
def aaaaaa():
aaa(aaaa(key))
def main():
aaaaaa()
if '__name__==main()'
main()
程序逻辑到这里差不多清晰了,但是b还有点模糊猜测是import模块引起的,于是在修改
import ctypes
from libnum import n2s,s2n
import binascii as b
key=***
def aaaa(key):
a=lambda a:b.hexhexlify(a)
return ''.join(a[i] for i in key)
def aa(key):
a=cdll.LoadLibrary('./a') #https://blog.csdn.net/linda1000/article/details/12623527
a(key)
def aaaaa(a):
s2n(a)
def aaa(key):
a=cdll.LoadLibrary('./a')
a(key)
def aaaaaa():
aaa(aaaa(key))
def main():
aaaaaa()
if '__name__==main()'
main()
这里基本就复现完成,下面我们在进行解密即可,参考大牛的技术进行后面的解密即可
void decrypt(char *k){
FILE *fp1, *fp2;
unsigned char key[256] = {0x00};
unsigned char sbox[256] = {0x00};
fp1 = fopen("code.txt","r");
fp2 = fopen("decode.txt","w");
DataEncrypt(k, key, sbox, fp1, fp2);
}
extern "C"
{
void a(char *k){
encrypt(k);
}
void aa(char *k){
decrypt(k);
}
}
解密时python调用c函数进行解密
from ctypes import *
from libnum import n2s,s2n
import binascii as b
#key="20182018"
def aaaa(key):
a=lambda a:b.hexlify(a)
return "".join(a(i) for i in key)
def aa(key): #jia mi
a=cdll.LoadLibrary("./a").a
a(key)
def aaaaa(a):
return s2n(a)
def aaa(key): #jie mi
a=cdll.LoadLibrary("./a").aa
a(key)
def brup_key():
i=20182000
while i<100000000:
aaa(aaaa(str(i)))
data=open("flag.txt","r").read()
if "SUCTF" in data:
print i
break
i=i+1
def aaaaaa():
# aa(aaaa(key))#jia mi
# aaa(aaaa(key)) #jie mi
brup_key()
if __name__=="__main__":
aaaaaa()
key为20182018
参考文章安全客suctfwp链接:https://www.anquanke.com/post/id/146419