[MTCTF 2021 final]pyc
python3.10 pyc直接pycdc反编译有部分编译不出来
用dis+marshal看字节码
点击查看代码
1 0 LOAD_CONST 0 (0)
2 LOAD_CONST 1 (None)
4 IMPORT_NAME 0 (hashlib)
6 STORE_NAME 0 (hashlib)
2 8 LOAD_NAME 1 (input)
10 CALL_FUNCTION 0
12 STORE_NAME 2 (s)
3 14 LOAD_NAME 3 (len)
16 LOAD_NAME 2 (s)
18 CALL_FUNCTION 1
20 LOAD_CONST 2 (72)
22 COMPARE_OP 3 (!=)
24 POP_JUMP_IF_FALSE 17 (to 34)
4 26 LOAD_NAME 4 (print)
28 LOAD_CONST 3 ('wrong')
30 CALL_FUNCTION 1
32 POP_TOP
5 >> 34 LOAD_NAME 5 (set)
36 CALL_FUNCTION 0
38 STORE_NAME 6 (a1)
6 40 LOAD_NAME 5 (set)
42 CALL_FUNCTION 0
44 STORE_NAME 7 (a2)
7 46 LOAD_NAME 5 (set)
48 CALL_FUNCTION 0
50 STORE_NAME 8 (a3)
8 52 LOAD_CONST 4 (2654435769)
54 LOAD_CONST 4 (2654435769)
56 BUILD_LIST 2
58 STORE_NAME 9 (a4)
9 60 LOAD_CONST 5 ('012345678')
62 GET_ITER
>> 64 FOR_ITER 10 (to 86)
66 STORE_NAME 10 (d)
10 68 LOAD_NAME 8 (a3)
70 LOAD_METHOD 11 (add)
72 LOAD_NAME 2 (s)
74 LOAD_METHOD 12 (count)
76 LOAD_NAME 10 (d)
78 CALL_METHOD 1
80 CALL_METHOD 1
82 POP_TOP
84 JUMP_ABSOLUTE 32 (to 64)
11 >> 86 LOAD_NAME 13 (range)
88 LOAD_CONST 0 (0)
90 LOAD_NAME 3 (len)
92 LOAD_NAME 2 (s)
94 CALL_FUNCTION 1
96 LOAD_CONST 6 (9)
98 CALL_FUNCTION 3
100 GET_ITER
>> 102 FOR_ITER 81 (to 266)
104 STORE_NAME 14 (i)
12 106 LOAD_NAME 13 (range)
108 LOAD_CONST 0 (0)
110 LOAD_CONST 7 (15)
112 LOAD_CONST 8 (2)
114 CALL_FUNCTION 3
116 GET_ITER
>> 118 FOR_ITER 33 (to 186)
120 STORE_NAME 15 (l)
13 122 LOAD_NAME 7 (a2)
124 LOAD_METHOD 11 (add)
126 LOAD_NAME 16 (sum)
128 LOAD_CONST 9 (<code object <genexpr> at 0x7f5e92b0dbb0, file "pyc_public.py", line 13>)
130 LOAD_CONST 10 ('<genexpr>')
132 MAKE_FUNCTION 0
134 LOAD_CONST 11 (<code object <listcomp> at 0x7f5e92b273c0, file "pyc_public.py", line 13>)
136 LOAD_CONST 12 ('<listcomp>')
138 MAKE_FUNCTION 0
140 LOAD_NAME 17 (str)
142 LOAD_NAME 9 (a4)
144 LOAD_CONST 13 (1)
146 BINARY_SUBSCR
148 LOAD_CONST 14 (64201746666225664)
150 BINARY_XOR
152 LOAD_CONST 15 (3446703994)
154 BINARY_XOR
156 CALL_FUNCTION 1
158 LOAD_NAME 15 (l)
160 LOAD_NAME 15 (l)
162 LOAD_CONST 16 (3)
164 BINARY_ADD
166 BUILD_SLICE 2
168 BINARY_SUBSCR
170 GET_ITER
172 CALL_FUNCTION 1
174 GET_ITER
176 CALL_FUNCTION 1
178 CALL_FUNCTION 1
180 CALL_METHOD 1
182 POP_TOP
184 JUMP_ABSOLUTE 59 (to 118)
14 >> 186 LOAD_NAME 18 (int)
188 LOAD_NAME 2 (s)
190 LOAD_NAME 14 (i)
192 LOAD_NAME 14 (i)
194 LOAD_CONST 6 (9)
196 BINARY_ADD
198 BUILD_SLICE 2
200 BINARY_SUBSCR
202 CALL_FUNCTION 1
204 LOAD_NAME 9 (a4)
206 LOAD_CONST 0 (0)
208 BINARY_SUBSCR
210 COMPARE_OP 5 (>=)
212 POP_JUMP_IF_FALSE 109 (to 218)
15 214 POP_TOP
216 JUMP_ABSOLUTE 133 (to 266)
16 >> 218 LOAD_NAME 18 (int)
220 LOAD_NAME 2 (s)
222 LOAD_NAME 14 (i)
224 LOAD_NAME 14 (i)
226 LOAD_CONST 6 (9)
228 BINARY_ADD
230 BUILD_SLICE 2
232 BINARY_SUBSCR
234 CALL_FUNCTION 1
236 LOAD_NAME 9 (a4)
238 LOAD_CONST 0 (0)
240 STORE_SUBSCR
17 242 LOAD_NAME 6 (a1)
244 LOAD_METHOD 11 (add)
246 LOAD_NAME 2 (s)
248 LOAD_NAME 14 (i)
250 LOAD_NAME 14 (i)
252 LOAD_CONST 6 (9)
254 BINARY_ADD
256 BUILD_SLICE 2
258 BINARY_SUBSCR
260 CALL_METHOD 1
262 POP_TOP
264 JUMP_ABSOLUTE 51 (to 102)
18 >> 266 LOAD_NAME 4 (print)
268 LOAD_NAME 3 (len)
270 LOAD_NAME 6 (a1)
272 CALL_FUNCTION 1
274 LOAD_CONST 17 (8)
276 COMPARE_OP 2 (==)
278 POP_JUMP_IF_FALSE 176 (to 352)
280 LOAD_NAME 3 (len)
282 LOAD_NAME 7 (a2)
284 CALL_FUNCTION 1
286 LOAD_CONST 13 (1)
288 COMPARE_OP 2 (==)
290 POP_JUMP_IF_FALSE 176 (to 352)
292 LOAD_NAME 3 (len)
294 LOAD_NAME 8 (a3)
296 CALL_FUNCTION 1
298 LOAD_CONST 13 (1)
300 COMPARE_OP 2 (==)
302 POP_JUMP_IF_FALSE 176 (to 352)
304 LOAD_NAME 2 (s)
306 LOAD_METHOD 12 (count)
308 LOAD_CONST 18 ('9')
310 CALL_METHOD 1
312 LOAD_CONST 0 (0)
314 COMPARE_OP 2 (==)
316 POP_JUMP_IF_FALSE 176 (to 352)
318 LOAD_CONST 19 ('flag{')
320 LOAD_NAME 0 (hashlib)
322 LOAD_METHOD 19 (md5)
324 LOAD_NAME 2 (s)
326 LOAD_METHOD 20 (encode)
328 LOAD_CONST 20 ('ascii')
330 CALL_METHOD 1
332 CALL_METHOD 1
334 LOAD_METHOD 21 (hexdigest)
336 CALL_METHOD 0
338 FORMAT_VALUE 0
340 LOAD_CONST 21 ('}')
342 BUILD_STRING 3
344 CALL_FUNCTION 1
346 POP_TOP
348 LOAD_CONST 1 (None)
350 RETURN_VALUE
>> 352 LOAD_CONST 3 ('wrong')
354 CALL_FUNCTION 1
356 POP_TOP
358 LOAD_CONST 1 (None)
360 RETURN_VALUE
Disassembly of <code object <genexpr> at 0x7f5e92b0dbb0, file "pyc_public.py", line 13>:
0 GEN_START 0
13 2 LOAD_FAST 0 (.0)
>> 4 FOR_ITER 17 (to 40)
6 STORE_FAST 1 (j)
8 LOAD_GLOBAL 0 (int)
10 LOAD_GLOBAL 1 (s)
12 LOAD_GLOBAL 2 (i)
14 LOAD_FAST 1 (j)
16 BINARY_ADD
18 LOAD_GLOBAL 2 (i)
20 LOAD_FAST 1 (j)
22 BINARY_ADD
24 LOAD_CONST 0 (1)
26 BINARY_ADD
28 BUILD_SLICE 2
30 BINARY_SUBSCR
32 CALL_FUNCTION 1
34 YIELD_VALUE
36 POP_TOP
38 JUMP_ABSOLUTE 2 (to 4)
>> 40 LOAD_CONST 1 (None)
42 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7f5e92b273c0, file "pyc_public.py", line 13>:
13 0 BUILD_LIST 0
2 LOAD_FAST 0 (.0)
>> 4 FOR_ITER 6 (to 18)
6 STORE_FAST 1 (v)
8 LOAD_GLOBAL 0 (int)
10 LOAD_FAST 1 (v)
12 CALL_FUNCTION 1
14 LIST_APPEND 2
16 JUMP_ABSOLUTE 2 (to 4)
>> 18 RETURN_VALUE
结合部分反编译结果
import hashlib
s = input()
if len(s) != 72:
print('wrong')
a1 = set()
a2 = set()
a3 = set()
a4 = [
0x9E3779B9L,
0x9E3779B9L]
for d in '012345678':
a3.add(s.count(d))
for i in range(0, len(s), 9):
for l in range(0, 15, 2):
a2.add(sum((lambda .0: pass# WARNING: Decompyle incomplete
)((lambda .0: [ int(v) for v in .0 ])(str(a4[1] ^ 0xE4172600000000L ^ 0xCD70877AL)[l:l + 3]))))
if int(s[i:i + 9]) >= a4[0]:
pass
else:
a4[0] = int(s[i:i + 9])
a1.add(s[i:i + 9])
if len(a1) == 8 and len(a2) == 1 and len(a3) == 1 and s.count('9') == 0:
print(f'''flag{{{hashlib.md5(s.encode('ascii')).hexdigest()}}}''')
return None
None(print)
return None
还原如下:
import hashlib
s = input()
if len(s) != 72:
print('wrong')
a1 = set()
a2 = set()
a3 = set()
a4 = [
0x9E3779B9,
0x9E3779B9]
for d in '012345678':
a3.add(s.count(d))
for i in range(0, len(s), 9): # 8组
for l in range(0, 15, 2):
a2.add(sum(int(s[i+j:i+j+1]) for j in ([ int(v) for v in (str(a4[1] ^ 0xE4172600000000 ^ 0xCD70877A)[l:l + 3])])))
# 642 201 174 480 063 345 528 867
# 三行 三列 两对角线
"""
|0|1|2|
|3|4|5|
|6|7|8|
"""
print(a2)
if int(s[i:i + 9]) >= a4[0]: # 每一组都要比前一组小
pass
else:
a4[0] = int(s[i:i + 9])
a1.add(s[i:i + 9])
if len(a1) == 8 and len(a2) == 1 and len(a3) == 1 and s.count('9') == 0:
# '0'~'8'出现次数一样 没有'9' 求出的sum和相同 9个字符一组 每组9个字符都一样
print(f'''flag{{{hashlib.md5(s.encode('ascii')).hexdigest()}}}''')
# 分析发现是3x3幻方 用0~8来填 刚好3x3也只有8个
结合set a1,a2,a3 以及一些sum的check 可以分析出这是8个3x3幻方
网上找到
-1过后降序排列md5即可
input: 723048561705246381561048723507642183381246705327840165183642507165840327
flag{f3d61359a7d1876468ea5f09eaf1ddd6}
浙公网安备 33010602011771号