2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I'll walk through how to reverse a pyc file from HGAME by working through its opcodes by hand. Many people may not be familiar with this, so the main points are summarized below. I hope you get something out of this article.
Recovering a pyc file
Red Sun Security: MoR03r
Red Sun blog: http://sec-redclub.com/team/
Python pyc file format

[compile.h]

    /* Bytecode object */
    typedef struct {
        PyObject_HEAD
        int co_argcount;        /* #arguments, except *args */
        int co_nlocals;         /* #local variables */
        int co_stacksize;       /* #entries needed for evaluation stack */
        int co_flags;           /* CO_..., see below */
        PyObject *co_code;      /* instruction opcodes */
        PyObject *co_consts;    /* list (constants used) */
        PyObject *co_names;     /* list of strings (names used) */
        PyObject *co_varnames;  /* tuple of strings (local variable names) */
        PyObject *co_freevars;  /* tuple of strings (free variable names) */
        PyObject *co_cellvars;  /* tuple of strings (cell variable names) */
        /* The rest doesn't count for hash/cmp */
        PyObject *co_filename;  /* string (where it was loaded from) */
        PyObject *co_name;      /* string (name, for reference) */
        int co_firstlineno;     /* first source line number */
        PyObject *co_lnotab;    /* string (encoding addr<->lineno mapping) */
    } PyCodeObject;

Load pyc co_code

    In [1]: import dis,marshal
    In [2]: f=open('third.pyc')
    In [3]: f.read(4)
    Out[3]: '\x03\xf3\r\n'
    In [4]: f.read(4)
    Out[4]: '\xf1\xe1S\\'
    In [5]: code = marshal.load(f)
    In [6]: code.co_consts
    Out[6]: (-1, None, '+', '/', 'FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN', "Welcome to Processor's Python Classroom Part 3&4!\n", 'qi shi wo jiu shi lan cai ba liang dao ti fang zai yi qi.', "Now let's start the origin of Python!\n", 'Plz Input Your Flag:\n', 2, 0, 1, '', "You're right!", "You're Wrong!")
    In [7]: code.co_varnames
    Out[7]: ()
    In [8]: code.co_names
    Out[8]: ('string', 'list', 'letters', 'digits', 'dec', 'encode', 'raw_input', 'enc', 'lst', 'reverse', 'len', 'llen', 'range', 'i', 'chr', 'ord', 'enc2', 'join', 'enc3')
    In [9]: code.co_code
    Out[9]: (raw bytecode string; the dump is cut off on this page)

    # The head of this decompiled listing, through "str_ascii_list = ['{:0>",
    # is cut off on this page; those lines are reconstructed from the
    # co_names and co_consts output above.
    import string
    letters = list(string.letters) + list(string.digits) + ['+', '/']
    dec = 'FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN'

    def encode(input_str):
        str_ascii_list = [ '{:0>8}'.format(str(bin(ord(i))).replace('0b', '')) for i in input_str ]
        output_str = ''
        equal_num = 0
        while str_ascii_list:
            temp_list = str_ascii_list[:3]
            if len(temp_list) != 3:
                while len(temp_list) < 3:
                    equal_num += 1
                    temp_list += ['00000000']

            temp_str = ''.join(temp_list)
            temp_str_list = [ temp_str[x:x + 6] for x in [0, 6, 12, 18] ]
            temp_str_list = [ int(x, 2) for x in temp_str_list ]
            if equal_num:
                temp_str_list = temp_str_list[0:4 - equal_num]
            output_str += ''.join([ letters[x] for x in temp_str_list ])
            str_ascii_list = str_ascii_list[3:]

        output_str = output_str + '=' * equal_num
        return output_str

    print "Welcome to Processor's Python Classroom Part 3&4!\n"
    print 'qi shi wo jiu shi lan cai ba liang dao ti fang zai yi qi.'
    print "Now let's start the origin of Python!\n"
    print 'Plz Input Your Flag:\n'
    enc = raw_input()
    lst = list(enc)
    lst.reverse()
    llen = len(lst)
    for i in range(llen):
        if i % 2 == 0:
            lst[i] = chr(ord(lst[i]) - 2)
        lst[i] = chr(ord(lst[i]) + 1)

    enc2 = ''
    enc2 = enc2.join(lst)
    enc3 = encode(enc2)
    if enc3 == dec:
        print "You're right!"
    else:
        print "You're Wrong!"
    # +++ okay decompyling third_test2.pyc
    # decompiled 1 files: 1 okay, 0 failed, 0 verify failed
    # 2019.02.16 14:17:21 CST

At this point the code has been restored, and the rest of the challenge is simple.

Reading the code

The encode function implements base64, with one small pitfall: its alphabet is abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/, not the standard ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/. Converting between the two is all that is needed.

solve.py:

    #!/usr/bin/python
    # -*- coding: utf-8 -*-

    def decode(input_str):
        output_str = ''
        for i in input_str:
            # Swap case so the challenge alphabet maps onto standard base64.
            # The "< 91 ... elif ord(i) >" part of this test is missing on this
            # page and is restored from context.
            if ord(i) > 57 and ord(i) < 91:
                output_str += i.lower()
            elif ord(i) > 91:
                output_str += i.upper()
            else:
                output_str += i
        lst = list(output_str.decode('base64'))
        llen = len(lst)
        # Undo the per-character shifts applied before encoding
        for i in range(llen):
            lst[i] = chr(ord(lst[i]) - 1)
            if i % 2 == 0:
                lst[i] = chr(ord(lst[i]) + 2)
        lst.reverse()
        return ''.join(lst)

    if __name__ == '__main__':
        dec = 'FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN'
        print decode(dec)
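To read a co_code string like the one in the session above by hand, the following added example (not part of the original article) is a minimal Python 3 disassembler for a subset of CPython 2.7 opcodes that resolves arguments against co_names and co_consts. SAMPLE is a constructed byte string encoding the `letters = ...` statement, and the function and constant names are illustrative.

```python
import struct

# Subset of the CPython 2.7 opcode table (Python 3 cannot load this bytecode itself).
HAVE_ARGUMENT = 90  # opcodes >= 90 are followed by a 2-byte little-endian argument
OPNAMES = {
    23: "BINARY_ADD", 71: "PRINT_ITEM", 72: "PRINT_NEWLINE", 90: "STORE_NAME",
    100: "LOAD_CONST", 101: "LOAD_NAME", 103: "BUILD_LIST", 106: "LOAD_ATTR",
    108: "IMPORT_NAME", 113: "JUMP_ABSOLUTE", 131: "CALL_FUNCTION", 132: "MAKE_FUNCTION",
}
NAME_OPS = {90, 101, 106, 108}  # argument is an index into co_names
CONST_OPS = {100}               # argument is an index into co_consts

# Leading entries of co_names / co_consts as printed in the session above.
CO_NAMES = ("string", "list", "letters", "digits", "dec", "encode")
CO_CONSTS = (-1, None, "+", "/")

# Constructed sample: Python 2.7 bytecode for
#   letters = list(string.letters) + list(string.digits) + ['+', '/']
SAMPLE = bytes.fromhex(
    "650100" "650000" "6a0200" "830100"
    "650100" "650000" "6a0300" "830100" "17"
    "640200" "640300" "670200" "17" "5a0200"
)

def disassemble(code, names=CO_NAMES, consts=CO_CONSTS):
    """Return [(offset, opname, arg, resolved)] for Python 2.7 bytecode."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        name = OPNAMES.get(op, "<%d>" % op)
        if op < HAVE_ARGUMENT:
            out.append((i, name, None, None))
            i += 1
            continue
        if i + 3 > len(code):
            raise ValueError("truncated argument at offset %d" % i)
        (arg,) = struct.unpack_from("<H", code, i + 1)
        resolved = None
        if op in NAME_OPS and arg < len(names):
            resolved = names[arg]
        elif op in CONST_OPS and arg < len(consts):
            resolved = repr(consts[arg])
        out.append((i, name, arg, resolved))
        i += 3
    return out

if __name__ == "__main__":
    for off, name, arg, res in disassemble(SAMPLE):
        print("%3d %-14s %s" % (off, name, "" if arg is None else "%d (%s)" % (arg, res)))
```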
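The same solve as a Python 3 port, added here as an example and not taken from the article: it maps the challenge alphabet onto the standard one with a translation table, then re-runs the recovered check on the result to confirm it reproduces dec. The names check_transform and recover are illustrative, and the modulo-256 wraparound is an assumption (the original chr() call would raise instead).

```python
import base64
import string

# Alphabet of the recovered encode(): lowercase first (Python 2 string.letters).
CUSTOM = (string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/").encode()
STANDARD = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()
TO_STANDARD = bytes.maketrans(CUSTOM, STANDARD)
TO_CUSTOM = bytes.maketrans(STANDARD, CUSTOM)

DEC = "FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN"  # constant from co_consts

def check_transform(flag):
    """Forward direction: what the recovered script computes before comparing with dec."""
    data = bytearray(flag.encode("latin-1"))
    data.reverse()
    for i in range(len(data)):
        # even index: -2 then +1 (net -1); odd index: +1
        data[i] = (data[i] + (-1 if i % 2 == 0 else 1)) % 256
    return base64.b64encode(bytes(data)).translate(TO_CUSTOM).decode()

def recover(encoded):
    """Inverse direction: translate the alphabet, decode, undo the shifts, reverse."""
    standard = encoded.encode().translate(TO_STANDARD)
    raw = bytearray(base64.b64decode(standard, validate=True))
    for i in range(len(raw)):
        raw[i] = (raw[i] + (1 if i % 2 == 0 else -1)) % 256
    raw.reverse()
    return raw.decode("latin-1")

if __name__ == "__main__":
    flag = recover(DEC)
    # The second value is True when the recovered input passes the original check.
    print(flag, check_transform(flag) == DEC)
```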