python逆向

3.8以上用pycdc

pycdc配置和使用-CSDN博客

例题

Python逆向全版本MagicNumber表_python3.11.4 magicnumber-CSDN博客

例题(正常的py逆向)

enum PycMagic {

MAGIC_1_0 = 0x00999902,

MAGIC_1_1 = 0x00999903, /* Also covers 1.2 */

MAGIC_1_3 = 0x0A0D2E89,

MAGIC_1_4 = 0x0A0D1704,

MAGIC_1_5 = 0x0A0D4E99,

MAGIC_1_6 = 0x0A0DC4FC,

MAGIC_2_0 = 0x0A0DC687,

MAGIC_2_1 = 0x0A0DEB2A,

MAGIC_2_2 = 0x0A0DED2D,

MAGIC_2_3 = 0x0A0DF23B,

MAGIC_2_4 = 0x0A0DF26D,

MAGIC_2_5 = 0x0A0DF2B3,

MAGIC_2_6 = 0x0A0DF2D1,

MAGIC_2_7 = 0x0A0DF303,

MAGIC_3_0 = 0x0A0D0C3A,

MAGIC_3_1 = 0x0A0D0C4E,

MAGIC_3_2 = 0x0A0D0C6C,

MAGIC_3_3 = 0x0A0D0C9E,

MAGIC_3_4 = 0x0A0D0CEE,

MAGIC_3_5 = 0x0A0D0D16,

MAGIC_3_5_3 = 0x0A0D0D17,

MAGIC_3_6 = 0x0A0D0D33,

MAGIC_3_7 = 0x0A0D0D42,

MAGIC_3_8 = 0x0A0D0D55,

MAGIC_3_9 = 0x0A0D0D61,

MAGIC_3_10 = 0x0A0D0D6F,

MAGIC_3_11 = 0x0A0D0DA7,

MAGIC_3_12 = 0x0A0D0DCB,

INVALID = 0,

};

1、ezpy

exeinfope查壳,观察到pyinstaller字眼

python逆向

pyinstxtractor下载链接->GitHub - extremecoders-re/pyinstxtractor: PyInstaller Extractor

uncompyle6库下载命令->cmd窗口输入【pip install uncompyle6

这里已经下载完成了

然后进行反编译,在cmd窗口中输入命令【python pyinstxtractor.py 文件路径

这里懒得输文件路径,索性直接拿到源代码文件下面

可以得到一个文件夹

此时在同目录下产生一个【xx.exe_extracted】文件夹,双击进入此文件夹,找到一个pyc文件(此处有两个文件,我们关注的是除struct.pyc外的另一个pyc文件,如下图红圈)

然后我们忽略那个struct.pyc ,对另外一个pyc进行反编译

在此处再次打开终端,输入命令【uncompyle6 src.pyc > src.py】之后即可在同目录下生成反编译的python文件

然后就可以看到反编译成功的py文件啦

只要令flag=decrypt2(“AAAAAAAAAAAfFwwRSAIWWQ==”, key),key也已经说明

即可获得flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# uncompyle6 version 3.9.1
# Python bytecode version base 3.4 (3310)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: src.py
import rsa, base64
key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode("LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K"))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode("LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K"))

def encrypt1(message):
    crypto_text = rsa.encrypt(message.encode(), key2)
    return crypto_text


def decrypt1(message):
    message_str = rsa.decrypt(message, key1).decode()
    return message_str


def encrypt2(tips, key):
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1

    return base64.b64encode("".join(secret).encode()).decode()


def decrypt2(secret, key):
    tips = base64.b64decode(secret.encode()).decode()
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1

    return "".join(secret)


flag = "IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0="
key = "this is key"

result = decrypt2("AAAAAAAAAAAfFwwRSAIWWQ==", key)
print(decrypt1(base64.b64decode(decrypt2(flag, result))))

2、字符与长整型的转换

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# uncompyle6 version 3.9.1
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: .\ezPython.py
# Compiled at: 2022-09-03 23:53:44
# Size of source mod 2**32: 444 bytes
from Crypto.Util.number import *
import base64, base58
password = open("password.txt", "r").read()
tmp = bytes_to_long(password.encode("utf-8"))
ans = base64.b64encode(base58.b58encode(str(tmp))).decode()
print("I've forgot my password,could you please help me find the password?")
if ans == "M0hBajFITHVLcWV6R1BOcEM5MTR0R0J3eGZVODV6MTJjZUhGZFNHQw==":
    print("You get the password!")
else:
    print("Wrong! try again")

# okay decompiling ezPython.pyc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import base64
import hashlib

import base58
from Crypto.Util.number import long_to_bytes

flag = "M0hBajFITHVLcWV6R1BOcEM5MTR0R0J3eGZVODV6MTJjZUhGZFNHQw=="
flag = base64.b64decode(flag)
print(flag)
flag = base58.b58decode(flag)
print(flag)
flag = long_to_bytes(int(flag))
print(flag)
print(type(flag))
#Plain Text
flag = flag.decode()
#这⾥需要将值的类型从bytes转换成str
flag = hashlib.md5(flag.encode("utf-8"))
print(flag.hexdigest())

简单的来叙述一下这个exp。
首先因为他加密的时候是先套base58再套base64,所以我们解密的时候就要先解开base64再解base58。因为他在加密base58的时候有转换数据类型为str(字符串)。所以我们在解密base58的时候要转换数据类型为int(整数)。
第一步做完了。
第二步因为他在加密的时候使用了字节型转长整型。
所以我们解密的时候就要反过来把长整型转换成字节型。

1
2
3
4
5
6
7
8
number = 22385992650816784030032474165

# 将整数转换为字节数组,使用大端(big-endian)字节序
number_bytes = number.to_bytes((number.bit_length() + 7) // 8, byteorder='big')

# 将字节数组转换为字符串
number_str = number_bytes.decode('latin1')  # 使用 latin1 编码确保每个字节直接映射到字符
print(number_str)

其实这一步做完之后我们已经把整个程序都解析完毕得到了flag为:HUBUCTF@1405
但是题目要求我们的最终flag还要进行一层md5加密。
所以我们得把HUBUCTF@1405进行md5加密一下,这里简单的方法可以使用在线网站直接加密。


或者就是用我exp里的办法python里的库函数进行python脚本里的md5加密。
最终的flag为:fd78ee3399dd6a3c1d0b637fdca0c075
最后这里附带上python脚本的运行结果:

3、nssctf2433

前面还是正常的python逆向

得到python文件 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# uncompyle6 version 3.9.1
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: 1.py


def check():
    a = input("plz input your flag:")
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152, 
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 
     152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print("wrong length")
        return 0
    b = 179
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print("wrong")
            return

    print("win")


check()

# okay decompiling 1.pyc

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
     152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
b = 179
a = ''
for i in range(len(c)):
    for j in range(100):
        temp=c[i]+j*b
        num = chr((c[i] + j * b) // 33)
        if (ord(num) >= 33 and ord(num) <= 127 and temp%33==0):
            a += num
            break

print(a)

Python逆向基本操作步骤详解——以杭电新生赛hgame week2 reverse stream(python3.10逆向)为例-CSDN博客magic number

3.8以下用compyle6

例题(修改文件头)

先对pyc反编译

使用010工具把struct的头八字节替换到1.pyc的最上面,为什么要替换?
因为用 PyInstaller 打包后,pyc 文件的前 8 个字节会被抹掉,所以最后要自己添加回去。前四个字节为 python 编译的版本,后四个字节为时间戳。想要获得编译版本可以查看打包文件里 struct 的信息,我这里还是提取出 struct 这个文件,有 struct 作为对照就方便多了,不用特定下载对应版本的 python 来生成特定的 pyc 文件来取前 8 个字节:

然后save,用在线的py反编译一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.7

'''贪吃蛇'''
import random
import sys
import time
import pygame
from pygame.locals import *
from collections import deque

SCREEN_WIDTH = 600
SCREEN_HEIGHT = 480
SIZE = 20
LINE_WIDTH = 1
SCOPE_X = (0, SCREEN_WIDTH // SIZE - 1)
SCOPE_Y = (2, SCREEN_HEIGHT // SIZE - 1)
FOOD_STYLE_LIST = [
    (10, (255, 100, 100)),
    (20, (100, 255, 100)),
    (30, (100, 100, 255))]
LIGHT = (100, 100, 100)
DARK = (200, 200, 200)
BLACK = (0, 0, 0)
RED = (200, 30, 30)
BGCOLOR = (40, 40, 60)


def print_text(screen, font, x, y, text, fcolor=((255, 255, 255),)):
    imgText = font.render(text, True, fcolor)
    screen.blit(imgText, (x, y))


def init_snake():
    snake = deque()
    snake.append((2, SCOPE_Y[0]))
    snake.append((1, SCOPE_Y[0]))
    snake.append((0, SCOPE_Y[0]))
    return snake


def create_food(snake):
    food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
    food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])
    while (food_x, food_y) in snake:
        food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
        food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])
    return (food_x, food_y)


def get_food_style():
    return FOOD_STYLE_LIST[random.randint(0, 2)]


def main():
    pygame.init()
    screen = pygame.display.set_mode((SCREEN_WIDTH, SCREEN_HEIGHT))
    pygame.display.set_caption('贪吃蛇')
    font1 = pygame.font.SysFont('SimHei', 24)
    font2 = pygame.font.Font(None, 72)
    (fwidth, fheight) = font2.size('GAME OVER')
    b = True
    snake = init_snake()
    food = create_food(snake)
    food_style = get_food_style()
    pos = (1, 0)
    game_over = True
    start = False
    score = 0
    orispeed = 0.5
    speed = orispeed
    last_move_time = None
    pause = False
    while None:
        for event in pygame.event.get():
            if event.type == QUIT:
                sys.exit()
                continue
            if event.type == KEYDOWN or event.key == K_RETURN or game_over:
                start = True
                game_over = False
                b = True
                snake = init_snake()
                food = create_food(snake)
                food_style = get_food_style()
                pos = (1, 0)
                score = 0
                last_move_time = time.time()
                continue
                if not event.key == K_SPACE or game_over:
                    pause = not pause
                    continue
                    if not (event.key in (K_w, K_UP) or b) and pos[1]:
                        pos = (0, -1)
                        b = False
                        continue
                        if not (event.key in (K_s, K_DOWN) or b) and pos[1]:
                            pos = (0, 1)
                            b = False
                            continue
                            if not (event.key in (K_a, K_LEFT) or b) and pos[0]:
                                pos = (-1, 0)
                                b = False
                                continue
                                if not event.key in (K_d, K_RIGHT) and b and pos[0]:
                                    pos = (1, 0)
                                    b = False
                                screen.fill(BGCOLOR)
                                for x in range(SIZE, SCREEN_WIDTH, SIZE):
                                    pygame.draw.line(screen, BLACK, (x, SCOPE_Y[0] * SIZE), (x, SCREEN_HEIGHT),
                                                     LINE_WIDTH)

        for y in range(SCOPE_Y[0] * SIZE, SCREEN_HEIGHT, SIZE):
            pygame.draw.line(screen, BLACK, (0, y), (SCREEN_WIDTH, y), LINE_WIDTH)

        if not game_over:
            curTime = time.time()
            if not curTime - last_move_time > speed and pause:
                b = True
                last_move_time = curTime
                next_s = (snake[0][0] + pos[0], snake[0][1] + pos[1])
                if next_s == food:
                    snake.appendleft(next_s)
                    score += food_style[0]
                    speed = orispeed - 0.03 * (score // 100)
                    food = create_food(snake)
                    food_style = get_food_style()
                elif next_s[0] <= next_s[0] or next_s[0] <= SCOPE_X[1]:
                    pass
                else:
                    SCOPE_X[0]
            elif next_s[1] <= next_s[1] or next_s[1] <= SCOPE_Y[1]:
                pass
            else:
                SCOPE_Y[0]
        elif next_s not in snake:
            snake.appendleft(next_s)
            snake.pop()
        else:
            game_over = True
        if not game_over:
            pygame.draw.rect(screen, food_style[1], (food[0] * SIZE, food[1] * SIZE, SIZE, SIZE), 0)
        for s in snake:
            pygame.draw.rect(screen, DARK, (
            s[0] * SIZE + LINE_WIDTH, s[1] * SIZE + LINE_WIDTH, SIZE - LINE_WIDTH * 2, SIZE - LINE_WIDTH * 2), 0)

        print_text(screen, font1, 450, 7, f'''得分: {score}''')
        if score > 1000:
            flag = [ 30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230, 25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169]
            for i in range(0, len(flag), 2):
                flag[i] = flag[i + 1] ^ 136
                flag[i + 1] = flag[i] ^ 119

            print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2,
                       bytes(flag).decode(), RED)
            pygame.display.update()
        if game_over and start:
            print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, 'GAME OVER', RED)
        pygame.display.update()


if __name__ == '__main__':
    main()

看到flag代码提取出来,注意这里要同时异或

1
2
3
4
5
flag = [ 30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230, 25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
        flag[i],flag[i+1]= flag[i + 1] ^ 136,flag[i]^119
for i in range(len(flag)):
    print(chr(flag[i]),end='')

3、如果python版本不一样,那么反编译出来的py就不一样,所以得在线网站反编译

可以用在线网站查看python文件的版本

3.10.9的python反编译2.7的py就会出错的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# uncompyle6 version 3.9.1
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: encode.py
# Compiled at: 2019-08-19 21:01:57
print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
    num = ((input1[i] + i) % 128 + 128) % 128
    code += num

for i in range(l - 1):
    code[i] = code[i] ^ code[i + 1]

print code
code = [4, 5, 6, 7, 8, 9, 10, 11, 12, 9, 13, 14, 15, 16, 17, 18, 19, 20, 
 10, 21, 22, 23, 24]

# okay decompiling encode.pyc

这是在线网站编译出来的正确文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 2.7

print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
    num = ((input1[i] + i) % 128 + 128) % 128
    code += num

for i in range(l - 1):
    code[i] = code[i] ^ code[i + 1]

print code
code = [
    '%1f',
    '%12',
    '%1d',
    '(',
    '0',
    '4',
    '%01',
    '%06',
    '%14',
    '4',
    ',',
    '%1b',
    'U',
    '?',
    'o',
    '6',
    '*',
    ':',
    '%01',
    'D',
    ';',
    '%',
    '%13']

附上re代码,

取余考查过很多次了记录一下,要保证在字符的范围内

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']

code = [ord(i)for(i)in(code)]
flag=''
l=len(code)
print(l)
for x in range(l-2,-1,-1):
    code[x]=code[x]^code[x+1]
for i in range(l):
   for j in range(5):
       num=code[i]+j*128-i
       if num>=33 and num<=127:
           flag+=chr(num)
           break
print(flag)
#REVERSE
python逆向
http://example.com/2024/05/27/python逆向/
Author
chaye
Posted on
May 27, 2024
Licensed under