[原创]KCTF 2024 第四题 WriteUp
发表于: 2024-8-21 10:54 2735


发现程序是用 PyInstaller 打包的,尝试用 pyinstxtractor 解包后只得到了 main.pyc,没有找到被 import 的 CrackMe 模块在哪里。

在 x64dbg 中于 main+2116 处下断点,第二次断下时程序正在读取 main.pyc:rcx 指向内容,rdx 为长度,经过检查,内容与 main.pyc 一致。

import sys
 
import CrackMe
 
# Entry loop of the recovered main.pyc: every line read from stdin is evaluated
# as a Python expression. The module globals are passed as globals and the
# imported CrackMe module is exposed through the locals mapping, so the
# module's functions are only reached through whatever expression is typed in.
# NOTE(review): eval() on raw stdin executes any expression the input contains;
# this is the challenge's deliberate interface, not a pattern to reuse on
# untrusted input. At EOF readline() returns "" and eval("") raises
# SyntaxError, which is the only way this loop ends.
while True:
    eval(sys.stdin.readline(), globals(), {"CrackMe": CrackMe})
import dis
import types
 
# Rebuild two code objects from literal field values so that dis can print them.
# The 16 positional fields follow the CodeType constructor of CPython 3.8-3.10:
# argcount, posonlyargcount, kwonlyargcount, nlocals, stacksize, flags, code,
# consts, names, varnames, filename, name, firstlineno, lnotab, freevars,
# cellvars. Later CPython versions changed the constructor, so this call is
# version-specific.

# d: the generator expression used by the encoder; it yields
# format(byte, "08b") for every byte of the iterable it receives as ".0".
d = types.CodeType(
    1,  # argcount: the implicit iterator argument ".0"
    0,  # posonlyargcount
    0,  # kwonlyargcount
    2,  # nlocals: ".0" and "byte"
    4,  # stacksize
    115,  # flags 0x73: OPTIMIZED | NEWLOCALS | NESTED | GENERATOR | NOFREE
    b"|\x00]\x10}\x01t\x00|\x01d\x00\x83\x02V\x00\x01\x00q\x02d\x01S\x00",
    ("08b", None),  # consts: the format spec and the implicit return value
    ("format",),  # names: globals looked up by the bytecode
    (".0", "byte"),  # varnames
    "",  # filename (empty in the recovered object)
    "",  # name (empty in the recovered object)
    19,  # firstlineno
    b"",  # lnotab (empty, so no line numbers appear in the disassembly)
    (),  # freevars
    (),  # cellvars
)
# c: the encoder itself. Reading its bytecode: every input byte is XORed with
# 85, the result is split into 3-byte chunks, each chunk is rendered as a bit
# string and cut into 6-bit groups that index base64_chars; a short final group
# is right-padded with "0" and "!" is appended padding // 2 times; finally each
# adjacent pair of output characters is swapped.
c = types.CodeType(
    1,  # argcount: "data"
    0,  # posonlyargcount
    0,  # kwonlyargcount
    12,  # nlocals: matches the 12 entries of varnames below
    7,  # stacksize
    67,  # flags 0x43: OPTIMIZED | NEWLOCALS | NOFREE
    b"d\x01}\x01d\x02}\x02d\x03}\x03d\x04}\x04|\x00D\x00]\x1c}\x05|\x05d\x05A\x00}\x05|\x04|\x05\xa0\x00d\x06d\x07\xa1\x02\x17\x00}\x04q\x14|\x04}\x00t\x01d\x02t\x02|\x00\x83\x01d\x08\x83\x03D\x00]\x90}\x05|\x00|\x05|\x05d\x08\x17\x00\x85\x02\x19\x00}\x06d\x01\xa0\x03d\td\n\x84\x00|\x06D\x00\x83\x01\xa1\x01}\x07t\x01d\x02t\x02|\x07\x83\x01d\x0b\x83\x03D\x00]V}\x08|\x07|\x08|\x08d\x0b\x17\x00\x85\x02\x19\x00}\tt\x02|\t\x83\x01d\x0bk\x00r\xc2|\x02d\x0bt\x02|\t\x83\x01\x18\x007\x00}\x02|\td\x0cd\x0bt\x02|\t\x83\x01\x18\x00\x14\x007\x00}\t|\x01|\x03t\x04|\td\r\x83\x02\x19\x007\x00}\x01q~qF|\x01d\x0e|\x02d\r\x1a\x00\x14\x007\x00}\x01t\x01t\x02|\x01\x83\x01d\r\x1a\x00\x83\x01D\x00]L}\x05|\x01|\x05d\r\x14\x00\x19\x00}\n|\x01|\x05d\r\x14\x00d\x06\x17\x00\x19\x00}\x0b|\x01d\x00|\x05d\r\x14\x00\x85\x02\x19\x00|\x0b\x17\x00|\n\x17\x00|\x01|\x05d\r\x14\x00d\r\x17\x00d\x00\x85\x02\x19\x00\x17\x00}\x01q\xf8|\x01S\x00",
    (
        None,  # 0: open end of the slices in the pair-swap loop
        "",  # 1: initial encoded_str and the join separator
        0,  # 2: initial padding and the range() start
        "ZQ+U7tSBEKVzyf5coCwb94Dd6raT0eLNin12Hp8mOxFuvMgIPlhRY3WjksqJAXG/",  # 3: custom alphabet (base64_chars)
        b"",  # 4: initial value of ww, the XORed copy of data
        85,  # 5: XOR key applied to every input byte
        1,  # 6: to_bytes() length, also the +1 index offset in the swap loop
        "little",  # 7: to_bytes() byte order
        3,  # 8: chunk size in bytes
        d,  # 9: the generator expression defined above
        "",  # 10: function name passed to MAKE_FUNCTION (empty here)
        6,  # 11: width of each bit group
        "0",  # 12: filler for a short final bit group
        2,  # 13: int() base, padding divisor and pair width
        "!",  # 14: padding character appended to the output
    ),
    ("to_bytes", "range", "len", "join", "int"),  # names
    (
        "data",
        "encoded_str",
        "padding",
        "base64_chars",
        "ww",
        "i",
        "chunk",
        "binary_str",
        "j",
        "six_bits",
        "a",
        "b",
    ),  # varnames: original local names survive in the recovered object
    "",  # filename
    "",  # name
    4,  # firstlineno
    b"",  # lnotab
    (),  # freevars
    (),  # cellvars
)
# NOTE(review): the jump arguments in this bytecode are byte offsets (FOR_ITER 28
# at offset 20 leaves the loop at offset 50, where the loop body ends), which is
# the encoding used before CPython 3.10 and matches 3.8/3.9. dis on 3.10 reads
# them as instruction counts, so its "(to N)" targets come out doubled and the
# ">>" markers land on the wrong lines. Follow jumps by the raw argument, or run
# this under the interpreter version the bytecode was compiled for.
dis.dis(c)
          0 LOAD_CONST               1 ('')
          2 STORE_FAST               1 (encoded_str)
          4 LOAD_CONST               2 (0)
          6 STORE_FAST               2 (padding)
          8 LOAD_CONST               3 ('ZQ+U7tSBEKVzyf5coCwb94Dd6raT0eLNin12Hp8mOxFuvMgIPlhRY3WjksqJAXG/')
         10 STORE_FAST               3 (base64_chars)
         12 LOAD_CONST               4 (b'')
         14 STORE_FAST               4 (ww)
         16 LOAD_FAST                0 (data)
         18 GET_ITER
         20 FOR_ITER                28 (to 78)
         22 STORE_FAST               5 (i)
         24 LOAD_FAST                5 (i)
         26 LOAD_CONST               5 (85)
         28 BINARY_XOR
         30 STORE_FAST               5 (i)
         32 LOAD_FAST                4 (ww)
         34 LOAD_FAST                5 (i)
         36 LOAD_METHOD              0 (to_bytes)
         38 LOAD_CONST               6 (1)
    >>   40 LOAD_CONST               7 ('little')
         42 CALL_METHOD              2
         44 BINARY_ADD
         46 STORE_FAST               4 (ww)
         48 JUMP_ABSOLUTE           20 (to 40)
         50 LOAD_FAST                4 (ww)
         52 STORE_FAST               0 (data)
         54 LOAD_GLOBAL              1 (range)
         56 LOAD_CONST               2 (0)
         58 LOAD_GLOBAL              2 (len)
         60 LOAD_FAST                0 (data)
         62 CALL_FUNCTION            1
         64 LOAD_CONST               8 (3)
         66 CALL_FUNCTION            3
         68 GET_ITER
         70 FOR_ITER               144 (to 360)
         72 STORE_FAST               5 (i)
         74 LOAD_FAST                0 (data)
         76 LOAD_FAST                5 (i)
    >>   78 LOAD_FAST                5 (i)
         80 LOAD_CONST               8 (3)
         82 BINARY_ADD
         84 BUILD_SLICE              2
         86 BINARY_SUBSCR
         88 STORE_FAST               6 (chunk)
         90 LOAD_CONST               1 ('')
         92 LOAD_METHOD              3 (join)
         94 LOAD_CONST               9 (<code object  at 0x000002302D8F3100, file "", line 19>)
         96 LOAD_CONST              10 ('')
         98 MAKE_FUNCTION            0
        100 LOAD_FAST                6 (chunk)
        102 GET_ITER
        104 CALL_FUNCTION            1
        106 CALL_METHOD              1
        108 STORE_FAST               7 (binary_str)
        110 LOAD_GLOBAL              1 (range)
        112 LOAD_CONST               2 (0)
        114 LOAD_GLOBAL              2 (len)
        116 LOAD_FAST                7 (binary_str)
        118 CALL_FUNCTION            1
        120 LOAD_CONST              11 (6)
        122 CALL_FUNCTION            3
        124 GET_ITER
        126 FOR_ITER                86 (to 300)
        128 STORE_FAST               8 (j)
        130 LOAD_FAST                7 (binary_str)
        132 LOAD_FAST                8 (j)
        134 LOAD_FAST                8 (j)
        136 LOAD_CONST              11 (6)
        138 BINARY_ADD
    >>  140 BUILD_SLICE              2
        142 BINARY_SUBSCR
        144 STORE_FAST               9 (six_bits)
        146 LOAD_GLOBAL              2 (len)
        148 LOAD_FAST                9 (six_bits)
        150 CALL_FUNCTION            1
        152 LOAD_CONST              11 (6)
        154 COMPARE_OP               0 (<)
        156 POP_JUMP_IF_FALSE      194 (to 388)
        158 LOAD_FAST                2 (padding)
        160 LOAD_CONST              11 (6)
        162 LOAD_GLOBAL              2 (len)
        164 LOAD_FAST                9 (six_bits)
        166 CALL_FUNCTION            1
        168 BINARY_SUBTRACT
        170 INPLACE_ADD
        172 STORE_FAST               2 (padding)
        174 LOAD_FAST                9 (six_bits)
        176 LOAD_CONST              12 ('0')
        178 LOAD_CONST              11 (6)
        180 LOAD_GLOBAL              2 (len)
        182 LOAD_FAST                9 (six_bits)
        184 CALL_FUNCTION            1
        186 BINARY_SUBTRACT
        188 BINARY_MULTIPLY
        190 INPLACE_ADD
        192 STORE_FAST               9 (six_bits)
        194 LOAD_FAST                1 (encoded_str)
        196 LOAD_FAST                3 (base64_chars)
        198 LOAD_GLOBAL              4 (int)
        200 LOAD_FAST                9 (six_bits)
        202 LOAD_CONST              13 (2)
        204 CALL_FUNCTION            2
        206 BINARY_SUBSCR
        208 INPLACE_ADD
        210 STORE_FAST               1 (encoded_str)
        212 JUMP_ABSOLUTE          126 (to 252)
        214 JUMP_ABSOLUTE           70 (to 140)
        216 LOAD_FAST                1 (encoded_str)
        218 LOAD_CONST              14 ('!')
        220 LOAD_FAST                2 (padding)
        222 LOAD_CONST              13 (2)
        224 BINARY_FLOOR_DIVIDE
        226 BINARY_MULTIPLY
        228 INPLACE_ADD
        230 STORE_FAST               1 (encoded_str)
        232 LOAD_GLOBAL              1 (range)
        234 LOAD_GLOBAL              2 (len)
        236 LOAD_FAST                1 (encoded_str)
        238 CALL_FUNCTION            1
        240 LOAD_CONST              13 (2)
        242 BINARY_FLOOR_DIVIDE
        244 CALL_FUNCTION            1
        246 GET_ITER
        248 FOR_ITER                76 (to 402)
        250 STORE_FAST               5 (i)
    >>  252 LOAD_FAST                1 (encoded_str)
        254 LOAD_FAST                5 (i)
        256 LOAD_CONST              13 (2)
        258 BINARY_MULTIPLY
        260 BINARY_SUBSCR
        262 STORE_FAST              10 (a)
        264 LOAD_FAST                1 (encoded_str)
        266 LOAD_FAST                5 (i)
        268 LOAD_CONST              13 (2)
        270 BINARY_MULTIPLY
        272 LOAD_CONST               6 (1)
        274 BINARY_ADD
        276 BINARY_SUBSCR
        278 STORE_FAST              11 (b)
        280 LOAD_FAST                1 (encoded_str)
        282 LOAD_CONST               0 (None)
        284 LOAD_FAST                5 (i)
        286 LOAD_CONST              13 (2)
        288 BINARY_MULTIPLY
        290 BUILD_SLICE              2
        292 BINARY_SUBSCR
        294 LOAD_FAST               11 (b)
        296 BINARY_ADD
        298 LOAD_FAST               10 (a)
    >>  300 BINARY_ADD
        302 LOAD_FAST                1 (encoded_str)
        304 LOAD_FAST                5 (i)
        306 LOAD_CONST              13 (2)
        308 BINARY_MULTIPLY
        310 LOAD_CONST              13 (2)
        312 BINARY_ADD
        314 LOAD_CONST               0 (None)
        316 BUILD_SLICE              2
        318 BINARY_SUBSCR
        320 BINARY_ADD
        322 STORE_FAST               1 (encoded_str)
        324 JUMP_ABSOLUTE          248 (to 496)
        326 LOAD_FAST                1 (encoded_str)
        328 RETURN_VALUE
 
Disassembly of <code object  at 0x000002302D8F3100, file "", line 19>:
          0 LOAD_FAST                0 (.0)
          2 FOR_ITER                16 (to 36)
    >>    4 STORE_FAST               1 (byte)
          6 LOAD_GLOBAL              0 (format)
          8 LOAD_FAST                1 (byte)
         10 LOAD_CONST               0 ('08b')
         12 CALL_FUNCTION            2
         14 YIELD_VALUE
         16 POP_TOP
         18 JUMP_ABSOLUTE            2 (to 4)
         20 LOAD_CONST               1 (None)
         22 RETURN_VALUE
