Bytecode (Python)

Looking at the challenge, we can see that it is a Python bytecode problem.

```
  4           0 LOAD_GLOBAL              0 (raw_input)
              3 LOAD_CONST               1 ('plz input your flag:')
              6 CALL_FUNCTION            1
              9 STORE_FAST               0 (a)

  5          12 LOAD_CONST               2 (0)
             15 BUILD_LIST               1
             18 LOAD_GLOBAL              1 (len)
             21 LOAD_FAST                0 (a)
             24 CALL_FUNCTION            1
             27 BINARY_MULTIPLY
             28 STORE_FAST               1 (b)

  6          31 LOAD_CONST               3 (68)
             34 LOAD_CONST               4 (5)
             37 LOAD_CONST               5 (164)
             40 LOAD_CONST               6 (100)
             43 LOAD_CONST               7 (231)
             46 LOAD_CONST               8 (228)
             49 LOAD_CONST               9 (175)
             52 LOAD_CONST              10 (36)
             55 LOAD_CONST              11 (142)
             58 LOAD_CONST               9 (175)
             61 LOAD_CONST              12 (78)
             64 LOAD_CONST              13 (206)
             67 LOAD_CONST              14 (4)
             70 LOAD_CONST              15 (45)
             73 LOAD_CONST              11 (142)
             76 LOAD_CONST              16 (174)
             79 LOAD_CONST              17 (238)
             82 LOAD_CONST               5 (164)
             85 LOAD_CONST              15 (45)
             88 LOAD_CONST              18 (14)
             91 LOAD_CONST               9 (175)
             94 LOAD_CONST              19 (46)
             97 LOAD_CONST              17 (238)
            100 LOAD_CONST              15 (45)
            103 LOAD_CONST               5 (164)
            106 LOAD_CONST              16 (174)
            109 LOAD_CONST              10 (36)
            112 LOAD_CONST               9 (175)
            115 LOAD_CONST              15 (45)
            118 LOAD_CONST              20 (196)
            121 LOAD_CONST              20 (196)
            124 LOAD_CONST              12 (78)
            127 LOAD_CONST               9 (175)
            130 LOAD_CONST              10 (36)
            133 LOAD_CONST              19 (46)
            136 LOAD_CONST              17 (238)
            139 LOAD_CONST              20 (196)
            142 LOAD_CONST              13 (206)
            145 LOAD_CONST              12 (78)
            148 LOAD_CONST              12 (78)
            151 LOAD_CONST               3 (68)
            154 LOAD_CONST              21 (39)
            157 BUILD_LIST              42
            160 STORE_FAST               2 (c)

  7         163 LOAD_GLOBAL              1 (len)
            166 LOAD_FAST                0 (a)
            169 CALL_FUNCTION            1
            172 LOAD_CONST              22 (42)
            175 COMPARE_OP               3 (!=)
            178 POP_JUMP_IF_FALSE      190

  8         181 LOAD_CONST              23 ('wrong length')
            184 PRINT_ITEM
            185 PRINT_NEWLINE

  9         186 LOAD_CONST               2 (0)
            189 RETURN_VALUE

 10     >>  190 SETUP_LOOP             117 (to 310)
            193 LOAD_GLOBAL              2 (range)
            196 LOAD_GLOBAL              1 (len)
            199 LOAD_FAST                0 (a)
            202 CALL_FUNCTION            1
            205 CALL_FUNCTION            1
            208 GET_ITER
        >>  209 FOR_ITER                97 (to 309)
            212 STORE_FAST               3 (i)

 11         215 LOAD_GLOBAL              3 (ord)
            218 LOAD_FAST                0 (a)
            221 LOAD_FAST                3 (i)
            224 BINARY_SUBSCR
            225 CALL_FUNCTION            1
            228 LOAD_CONST              24 (3)
            231 BINARY_RSHIFT
            232 LOAD_GLOBAL              3 (ord)
            235 LOAD_FAST                0 (a)
            238 LOAD_FAST                3 (i)
            241 BINARY_SUBSCR
            242 CALL_FUNCTION            1
            245 LOAD_CONST               4 (5)
            248 BINARY_LSHIFT
            249 BINARY_XOR
            250 LOAD_CONST              25 (255)
            253 BINARY_AND
            254 LOAD_FAST                1 (b)
            257 LOAD_FAST                3 (i)
            260 STORE_SUBSCR

 12         261 LOAD_FAST                1 (b)
            264 LOAD_FAST                3 (i)
            267 DUP_TOPX                 2
            270 BINARY_SUBSCR
            271 LOAD_CONST              26 (136)
            274 INPLACE_XOR
            275 ROT_THREE
            276 STORE_SUBSCR

 13         277 LOAD_FAST                1 (b)
            280 LOAD_FAST                3 (i)
            283 BINARY_SUBSCR
            284 LOAD_FAST                2 (c)
            287 LOAD_FAST                3 (i)
            290 BINARY_SUBSCR
            291 COMPARE_OP               3 (!=)
            294 POP_JUMP_IF_FALSE      209

 14         297 LOAD_CONST              27 ('wrong')
            300 PRINT_ITEM
            301 PRINT_NEWLINE

 15         302 LOAD_CONST               2 (0)
            305 RETURN_VALUE
            306 JUMP_ABSOLUTE          209
        >>  309 POP_BLOCK

 16     >>  310 LOAD_CONST              28 ('win')
            313 PRINT_ITEM
            314 PRINT_NEWLINE
            315 LOAD_CONST               0 (None)
            318 RETURN_VALUE
```

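LOAD_GLOBAL: loads a global variable

LOAD_FAST: loads a local variable

LOAD_CONST: loads a constant

CALL_FUNCTION: calls a function; before the call, the PyFunctionObject and the arguments are pushed onto the stack

STORE_FAST: stores into a local variable

BUILD_LIST: takes count elements from the top of the stack, creates a list object and pushes it onto the stack

BINARY_MULTIPLY: multiplication

COMPARE_OP: performs the specified comparison on the top two stack elements and pushes the result

POP_JUMP_IF_FALSE: pops the top of the stack and jumps if it is false

PRINT_ITEM: prints the top-of-stack element to standard output

PRINT_NEWLINE: prints a newline to standard output

BINARY_LSHIFT: left shift

BINARY_RSHIFT: right shift

BINARY_AND: bitwise AND

BINARY_XOR: bitwise XOR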

Now let's translate the bytecode:

First, we can see the array:

c = [68, 5, 164, 100, 231, 228, 175, 36, 142, 175, 78, 206, 4, 45, 142, 174, 238, 164, 45, 14, 175, 46, 238, 45, 164, 174, 36, 175, 45, 196, 196, 78, 175, 36, 46, 238, 196, 206, 78, 78, 68, 39]

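Next the length is checked: if the input length is not 42, the program prints wrong length. Otherwise it loops over the input. Each character goes through b[i] = ((ord(a[i])>>3)^(ord(a[i])<<5))&0xff, then b[i] is XORed with 0x88 (136), and the result is compared with the corresponding element of c. If every element matches, the program prints win; on a mismatch it prints wrong.

So to decrypt we run the steps in reverse: XOR each element of our array with 0x88, then apply b[i] = ((b[i]<<3)^(b[i]>>5))&0xff. This works because, on an 8-bit value, the forward shift-and-XOR is a rotate right by 3 bits, so its inverse is a rotate left by 3 bits.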

exp:

```python
# -*- coding: UTF-8 -*-
def exp():
    flag = ''
    c = [68, 5, 164, 100, 231, 228, 175, 36, 142, 175, 78, 206, 4, 45, 142, 174, 238, 164, 45, 14, 175, 46, 238, 45, 164, 174, 36, 175, 45, 196, 196, 78, 175, 36, 46, 238, 196, 206, 78, 78, 68, 39]
    b = [0] * len(c)
    for i in range(len(c)):
        # Undo the final XOR with 0x88 (136)
        b[i] = c[i] ^ 0x88
        # Undo the 8-bit rotate right by 3 with a rotate left by 3
        b[i] = ((b[i] << 3) ^ (b[i] >> 5)) & 0xff
        flag += chr(b[i])
    # Parenthesised form works on both Python 2 and Python 3
    print(flag)

exp()
# flag{c9e0962d-013a-4953-a1e9-bb69e53b266f}
```
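As an added example (not part of the original write-up), the following Python 3 reconstruction of the checker from the disassembly above confirms that the forward step is an 8-bit rotate right by 3 for every byte value and that the recovered input passes the reconstructed check. The function names are this example's own, and the verdict is returned as a string instead of being printed.

```python
# Added example: Python 3 reconstruction of the disassembled checker.
# Function names are hypothetical; the original prints its verdict,
# here the verdict string is returned so it can be checked.

# Constant list c from the BUILD_LIST 42 block of the disassembly.
C = [68, 5, 164, 100, 231, 228, 175, 36, 142, 175, 78, 206, 4, 45,
     142, 174, 238, 164, 45, 14, 175, 46, 238, 45, 164, 174, 36, 175,
     45, 196, 196, 78, 175, 36, 46, 238, 196, 206, 78, 78, 68, 39]
KEY = 136  # 0x88, the INPLACE_XOR constant on source line 12


def encode_byte(x):
    """Source lines 11-12: ((x >> 3) ^ (x << 5)) & 255, then ^ 136."""
    return (((x >> 3) ^ (x << 5)) & 255) ^ KEY


def ror8(x, n):
    """Rotate an 8-bit value right by n bits."""
    return ((x >> n) | (x << (8 - n))) & 255


def rol8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 255


def check(a):
    """Mirror of the bytecode's control flow for a bytes input."""
    if len(a) != 42:
        return 'wrong length'
    for i in range(len(a)):
        if encode_byte(a[i]) != C[i]:
            return 'wrong'
    return 'win'


def recover(c):
    """Invert the check: XOR with KEY first, then rotate left by 3."""
    return bytes(rol8(v ^ KEY, 3) for v in c)


def forward_is_rotation():
    """For every byte, the shift/XOR step equals a rotate right by 3."""
    return all(encode_byte(x) == ror8(x, 3) ^ KEY for x in range(256))


if __name__ == '__main__':
    flag = recover(C)
    print(flag.decode(), check(flag), forward_is_rotation())
```

Because the two shifted halves never overlap within 8 bits, the XOR in the forward step behaves like an OR, which is why the transform is a bijection on bytes and the input is fully recoverable from c.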
Author: L0x1c
Link: https://l0x1c.github.io/2020/06/17/2020-6-17/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.