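XCTF Adworld (攻防世界) -- re4-unvm-me
Test file: https://adworld.xctf.org.cn/media/task/attachments/70d66fb7eb264e868d4a79c891004128.pyc
1. Code conversion
Convert the .pyc file into a .py file. You can use an online decompiler or a local tool; instructions are here: https://www.cnblogs.com/Mayfly-nymph/p/11420487.html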
```python
# uncompyle6 version 3.4.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.7.1 (default, Dec 10 2018, 22:54:23) [MSC v.1915 64 bit (AMD64)]
# Embedded file name: unvm_me.py
# Compiled at: 2016-12-21 05:44:01
import md5
md5s = [
 174282896860968005525213562254350376167,
 137092044126081477479435678296496849608,
 126300127609096051658061491018211963916,
 314989972419727999226545215739316729360,
 256525866025901597224592941642385934114,
 115141138810151571209618282728408211053,
 8705973470942652577929336993839061582,
 256697681645515528548061291580728800189,
 39818552652170274340851144295913091599,
 65313561977812018046200997898904313350,
 230909080238053318105407334248228870753,
 196125799557195268866757688147870815374,
 74874145132345503095307276614727915885]
print 'Can you turn me back to python ? ...'
flag = raw_input('well as you wish.. what is the flag: ')
if len(flag) > 69:
    print 'nice try'
    exit()
if len(flag) % 5 != 0:
    print 'nice try'
    exit()
for i in range(0, len(flag), 5):
    s = flag[i:i + 5]
    if int('0x' + md5.new(s).hexdigest(), 16) != md5s[(i / 5)]:
        print 'nice try'
        exit()

print 'Congratz now you have the flag'
# okay decompiling test.pyc
```
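2. Code analysis
The first two if conditions have no substantive effect. The for loop that follows splits the input string into groups of five characters, computes the MD5 hash of each group, and compares it with the corresponding entry in the md5s list.
So we only need to recover the plaintext for every entry in the md5s list. First, convert the entries to hexadecimal: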
```python
# -*- coding:utf-8 -*-
# Python 2 script: print each target as a 32-character hex MD5 digest.
md5s = [
 174282896860968005525213562254350376167,
 137092044126081477479435678296496849608,
 126300127609096051658061491018211963916,
 314989972419727999226545215739316729360,
 256525866025901597224592941642385934114,
 115141138810151571209618282728408211053,
 8705973470942652577929336993839061582,
 256697681645515528548061291580728800189,
 39818552652170274340851144295913091599,
 65313561977812018046200997898904313350,
 230909080238053318105407334248228870753,
 196125799557195268866757688147870815374,
 74874145132345503095307276614727915885]

for i in md5s:
    # hex() on a Python 2 long gives '0x...L'; drop the '0x' prefix and the 'L' suffix.
    a = hex(i)[2:-1]
    # Restore leading zeros so every digest is exactly 32 hex characters.
    print '0'*(32-len(a))+a
```
Then look the digests up online at https://www.somd5.com/batch.html:
831daa3c843ba8b087c895f0ed305ce7 ALEXC
6722f7a07246c6af20662b855846c2c8 TF{dv
5f04850fec81a27ab5fc98befa4eb40c 5d4s2
ecf8dcac7503e63a6a3667c5fb94f610 vj8nk
c0fd15ae2c3931bc1e140523ae934722 43s8d
569f606fd6da5d612f10cfb95c0bde6d 8l6m1
068cb5a1cf54c078bf0e7e89584c1a4e n5l67
c11e2cd82d1f9fbd7e4d6ee9581ff3bd ds9v4
1df4c637d625313720f45706a48ff20f 1n52n
3122ef3a001aaecdb8dd9d843c029e06 v37j4
adb778a0f729293e7e0b19b96a4c5a61 81h3d
938c747c6a051b3e163eb802a325148e 28n4b
38543c5e820dd9403b57beff6020596d 6v3k}
3. Get flag!
ALEXCTF{dv5d4s2vj8nk43s8d8l6m1n5l67ds9v41n52nv37j481h3d28n4b6v3k}
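
The following Python 3 sketch is an added example, not code from the original write-up. It redoes step 2 offline: it zero-pads the digests, searches the unknown characters of a block locally using the known flag format, and checks the assembled flag. The function names, the lowercase-plus-digits charset and the stricter "all 13 blocks" check are assumptions of this example.

```python
import hashlib
from itertools import product
from string import ascii_lowercase, digits

# Targets copied from the decompiled unvm_me.py shown on this page.
MD5S = [
    174282896860968005525213562254350376167, 137092044126081477479435678296496849608,
    126300127609096051658061491018211963916, 314989972419727999226545215739316729360,
    256525866025901597224592941642385934114, 115141138810151571209618282728408211053,
    8705973470942652577929336993839061582, 256697681645515528548061291580728800189,
    39818552652170274340851144295913091599, 65313561977812018046200997898904313350,
    230909080238053318105407334248228870753, 196125799557195268866757688147870815374,
    74874145132345503095307276614727915885,
]
# Flag as given in step 3 of the write-up.
FLAG = "ALEXCTF{dv5d4s2vj8nk43s8d8l6m1n5l67ds9v41n52nv37j481h3d28n4b6v3k}"

def digests(values=MD5S):
    """Render each 128-bit integer as a 32-char hex digest, keeping leading zeros."""
    return [format(v, "032x") for v in values]

def crack(target, prefix="", suffix="", charset=ascii_lowercase + digits, size=5):
    """Search the unknown characters of one 5-char block (charset is an assumption)."""
    for mid in product(charset, repeat=size - len(prefix) - len(suffix)):
        cand = prefix + "".join(mid) + suffix
        if int(hashlib.md5(cand.encode()).hexdigest(), 16) == target:
            return cand
    return None

def check(flag, values=MD5S):
    """Python 3 port of the challenge's check over 5-character blocks."""
    if len(flag) > 69 or len(flag) % 5 != 0:
        return False
    blocks = [flag[i:i + 5] for i in range(0, len(flag), 5)]
    # Stricter than the original: its loop only covers the blocks supplied,
    # so any correct 5-aligned prefix (even an empty string) passes there.
    return len(blocks) == len(values) and all(
        int(hashlib.md5(b.encode()).hexdigest(), 16) == v for b, v in zip(blocks, values))

if __name__ == "__main__":
    print("\n".join(digests()))
    print(crack(MD5S[1], prefix="TF{"))   # second block, "TF{" known from the flag format
    print(check(FLAG))
```

A block with no known characters is 36^5 (about 60 million) candidates under the assumed charset, which is still feasible to search offline.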