- Midpython.exe
- Using marshal together with dis
- Manually rewriting it as Python
- Decryption script
- Summary
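The exe was written in Python. To decompile it, first extract the pyc, then decompile the pyc into py. The second step, decompiling the pyc into py, failed with the following error: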
```text
Traceback (most recent call last):
  File "g:\python3.7.6-64\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "g:\python3.7.6-64\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "G:\python3.7.6-64\scripts\uncompyle6.exe\__main__.py", line 7, in <module>
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\bin\uncompile.py", line 194, in main_bin
    **options)
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 324, in main
    do_fragments,
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 222, in decompile_file
    do_fragments=do_fragments,
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 141, in decompile
    co, out, bytecode_version, debug_opts=debug_opts, is_pypy=is_pypy
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\semantics\pysource.py", line 2570, in code_deparse
    scanner = get_scanner(version, is_pypy=is_pypy)
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanner.py", line 566, in get_scanner
    "scan.Scanner%s(show_asm=show_asm)" % v_str, locals(), globals()
  File "<string>", line 1, in <module>
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanners\scanner39.py", line 36, in __init__
    Scanner37base.__init__(self, 3.9, show_asm)
  File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanners\scanner37base.py", line 98, in __init__
    self.opc.END_FINALLY,
AttributeError: module 'xdis.opcodes.opcode_39' has no attribute 'END_FINALLY'
```
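On inspection, the cause is a version mismatch in the decompiler. uncompyle6 converts Python bytecode back into equivalent Python source code; it accepts bytecode from Python 1.3 through 3.8, but this challenge is Python 3.9, so another method is needed.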
Using marshal together with dis:
The prerequisite, of course, is to get as far as the pyc step and to repair its header.
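```python
import marshal
import dis

# Open the repaired pyc in binary mode
with open('Midpython.pyc', 'rb') as a:
    a.seek(16)  # skip the 16-byte pyc header
    # Unmarshal the code object and disassemble it
    dis.dis(marshal.load(a))
```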
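The script first skips the header (magic and timestamp), because marshal reads the data that follows in its binary format; the dis library then prints the result: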
```text
  1           0 BUILD_LIST               0
              2 LOAD_CONST               0 ((69, 70, 79, 72, 88, 75, 85, 127, 89, 85, 74, 19, 74, 122, 107, 103, 75, 77, 9, 73, 29, 28, 67))
              4 LIST_EXTEND              1
              6 STORE_NAME               0 (key)

  2           8 LOAD_CONST               1 (<code object <lambda> at 0x7f0b479a2be0, file "Midpython.py", line 2>)
             10 LOAD_CONST               2 ('<lambda>')
             12 MAKE_FUNCTION            0
             14 STORE_NAME               1 (xxor)

  3          16 LOAD_CONST               3 (<code object <lambda> at 0x7f0b479a2c90, file "Midpython.py", line 3>)
             18 LOAD_CONST               2 ('<lambda>')
             20 MAKE_FUNCTION            0
             22 STORE_NAME               2 (xoor)

  4          24 LOAD_CONST               4 (<code object <lambda> at 0x7f0b479a2d40, file "Midpython.py", line 4>)
             26 LOAD_CONST               2 ('<lambda>')
             28 MAKE_FUNCTION            0
             30 STORE_NAME               3 (xorr)

  5          32 LOAD_NAME                4 (len)
             34 LOAD_NAME                0 (key)
             36 CALL_FUNCTION            1
             38 STORE_NAME               5 (length)

  6          40 LOAD_NAME                6 (input)
             42 LOAD_CONST               5 ('>>>input your flag:\n>>>')
             44 CALL_FUNCTION            1
             46 STORE_NAME               7 (ipt)

  7          48 LOAD_CONST               6 (1)
             50 STORE_NAME               8 (flag)

  8          52 LOAD_NAME                4 (len)
             54 LOAD_NAME                7 (ipt)
             56 CALL_FUNCTION            1
             58 LOAD_NAME                5 (length)
             60 COMPARE_OP               2 (==)
             62 POP_JUMP_IF_FALSE      114

  9          64 LOAD_NAME                9 (range)
             66 LOAD_NAME                5 (length)
             68 CALL_FUNCTION            1
             70 GET_ITER
        >>   72 FOR_ITER                38 (to 112)
             74 STORE_NAME              10 (i)

 10          76 LOAD_NAME                3 (xorr)
             78 LOAD_NAME               11 (ord)
             80 LOAD_NAME                7 (ipt)
             82 LOAD_NAME               10 (i)
             84 BINARY_SUBSCR
             86 CALL_FUNCTION            1
             88 LOAD_NAME               10 (i)
             90 CALL_FUNCTION            2
             92 LOAD_NAME                0 (key)
             94 LOAD_NAME               10 (i)
             96 BINARY_SUBSCR
             98 COMPARE_OP               3 (!=)
            100 POP_JUMP_IF_FALSE       72

 11         102 LOAD_CONST               7 (0)
            104 STORE_NAME               8 (flag)

 12         106 POP_TOP
            108 JUMP_ABSOLUTE          118
            110 JUMP_ABSOLUTE           72
        >>  112 JUMP_FORWARD             4 (to 118)

 14     >>  114 LOAD_CONST               7 (0)
            116 STORE_NAME               8 (flag)

 15     >>  118 LOAD_NAME                8 (flag)
            120 LOAD_CONST               6 (1)
            122 COMPARE_OP               2 (==)
            124 POP_JUMP_IF_FALSE      136

 16         126 LOAD_NAME               12 (print)
            128 LOAD_CONST               8 ('>>>Right!!')
            130 CALL_FUNCTION            1
            132 POP_TOP
            134 JUMP_FORWARD             8 (to 144)

 18     >>  136 LOAD_NAME               12 (print)
            138 LOAD_CONST               9 ('>>>Wrong!!')
            140 CALL_FUNCTION            1
            142 POP_TOP
        >>  144 LOAD_CONST              10 (None)
            146 RETURN_VALUE

Disassembly of <code object <lambda> at 0x7f0b479a2be0, file "Midpython.py", line 2>:
  2           0 LOAD_FAST                0 (x)
              2 LOAD_FAST                1 (y)
              4 BINARY_XOR
              6 LOAD_CONST               1 (11)
              8 BINARY_XOR
             10 RETURN_VALUE

Disassembly of <code object <lambda> at 0x7f0b479a2c90, file "Midpython.py", line 3>:
  3           0 LOAD_GLOBAL              0 (xxor)
              2 LOAD_FAST                0 (x)
              4 LOAD_FAST                1 (y)
              6 CALL_FUNCTION            2
              8 LOAD_CONST               1 (45)
             10 BINARY_XOR
             12 RETURN_VALUE

Disassembly of <code object <lambda> at 0x7f0b479a2d40, file "Midpython.py", line 4>:
  4           0 LOAD_GLOBAL              0 (xoor)
              2 LOAD_FAST                0 (x)
              4 LOAD_FAST                1 (y)
              6 CALL_FUNCTION            2
              8 LOAD_CONST               1 (14)
             10 BINARY_XOR
             12 RETURN_VALUE
```
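The `seek(16)` used above depends on the Python 3.7+ pyc header layout, and `marshal` can only load a code object under the same Python version that wrote it. The following is an added example, not part of the original write-up, that parses the header and refuses to unmarshal on a version mismatch; the function names, the magic-number table and the sample pyc are assumptions constructed for illustration.

```python
import importlib.util
import marshal
import struct
import time

PEP552_FIRST_MAGIC = 3390  # Python 3.7a1, first release with a 16-byte header
KNOWN = {3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10"}  # assumed table

def parse_pyc(data: bytes) -> dict:
    """Parse a Python 3.7+ pyc header; unmarshal only on a version match."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        raise ValueError("bad or missing magic (header not repaired?)")
    magic = int.from_bytes(data[:2], "little")
    if magic < PEP552_FIRST_MAGIC:
        raise ValueError(f"magic {magic}: pre-3.7 header, code is not at offset 16")
    flags = struct.unpack_from("<I", data, 4)[0]
    info = {"magic": magic, "python": KNOWN.get(magic, "unknown"), "flags": flags}
    if flags & 0x1:   # hash-based pyc: 8-byte source hash
        info["source_hash"] = data[8:16].hex()
    else:             # timestamp pyc: mtime followed by source size
        info["mtime"], info["source_size"] = struct.unpack_from("<II", data, 8)
    # marshal's format is version-specific and the module is not hardened
    # against malformed data, so unmarshal only when the magic matches this
    # interpreter, and do it inside an analysis sandbox.
    info["same_runtime"] = data[:4] == importlib.util.MAGIC_NUMBER
    info["code"] = marshal.loads(data[16:]) if info["same_runtime"] else None
    return info

def build_sample_pyc(source: str) -> bytes:
    """Constructed sample: a timestamp-style pyc for the running interpreter."""
    code = compile(source, "sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack(
        "<III", 0, int(time.time()) & 0xFFFFFFFF, len(source))
    return header + marshal.dumps(code)

if __name__ == "__main__":
    import dis
    info = parse_pyc(build_sample_pyc("key = [69, 70, 79]\nprint(len(key))\n"))
    print({k: v for k, v in info.items() if k != "code"})
    if info["code"] is not None:
        dis.dis(info["code"])
```

If `same_runtime` is false, run the script under the Python version that the magic number indicates instead of forcing the load.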
Manually rewriting it as Python
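```python
import dis

def pyc():
    # BUILD_LIST + LIST_EXTEND produces a flat list, not a list holding one tuple
    key = [69, 70, 79, 72, 88, 75, 85, 127, 89, 85, 74, 19, 74, 122, 107, 103, 75, 77, 9, 73, 29, 28, 67]
    # Each lambda takes (x, y) and calls the previous one by name
    xxor = lambda x, y: x ^ y ^ 11
    xoor = lambda x, y: xxor(x, y) ^ 45
    xorr = lambda x, y: xoor(x, y) ^ 14
    length = len(key)
    ipt = input('>>>input your flag:\n>>>')
    flag = 1
    if len(ipt) == length:
        for i in range(length):
            if xorr(ord(ipt[i]), i) != key[i]:
                flag = 0
                break  # source line 12: JUMP_ABSOLUTE 118 leaves the loop
    else:
        flag = 0
    if flag == 1:
        print('>>>Right!!')
    else:
        print('>>>Wrong!!')

# Disassemble the reconstruction to compare it with the dump above
dis.dis(pyc)
```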
Decryption script
```python
key = [69, 70, 79, 72, 88, 75, 85, 127, 89, 85, 74, 19, 74, 122, 107, 103, 75, 77, 9, 73, 29, 28, 67]
for i in range(len(key)):
    # XOR is its own inverse: undo the three constants and the index
    flag = key[i] ^ 11 ^ i ^ 45 ^ 14
    print(chr(flag), end='')
```
moectf{Pyth0n_M@st3r!!}
Summary:
For an exe built with Python 3.9:
- Use the marshal and dis libraries together
- uncompyle6 is limited in the Python versions it supports



