Bytecode
这题考察Python字节码,换源后发现代码是一个改了Delta的Tea,上网一搜Python Tea竟然发现源码,顺利拿到一血。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
| Disassembly of main:
27 0 LOAD_CONST 1 (305419896)
2 LOAD_CONST 2 (2271560481)
4 LOAD_CONST 3 (2427178479)
6 LOAD_CONST 4 (4275878409)
8 BUILD_LIST 4
10 STORE_FAST 0 (key)
28 12 LOAD_CONST 5 (3888592564)
14 LOAD_CONST 6 (3737879155)
16 BUILD_LIST 2
18 LOAD_CONST 7 (4063334467)
20 LOAD_CONST 8 (2214487552)
22 BUILD_LIST 2
24 LOAD_CONST 9 (2420456096)
26 LOAD_CONST 10 (1529806583)
28 BUILD_LIST 2
30 LOAD_CONST 11 (2576007368)
32 LOAD_CONST 12 (2328179940)
34 BUILD_LIST 2
36 LOAD_CONST 13 (1665686107)
38 LOAD_CONST 14 (1748819876)
40 BUILD_LIST 2
42 BUILD_LIST 5
44 STORE_FAST 1 (arr)
29 46 LOAD_GLOBAL 0 (input)
48 LOAD_CONST 15 ('please input your secret key: ')
50 CALL_FUNCTION 1
52 STORE_FAST 2 (flag)
31 54 BUILD_LIST 0
56 STORE_FAST 3 (encry)
32 58 BUILD_LIST 0
60 STORE_FAST 4 (encryted)
33 62 LOAD_GLOBAL 1 (range)
64 LOAD_CONST 16 (0)
66 LOAD_GLOBAL 2 (len)
68 LOAD_FAST 2 (flag)
70 CALL_FUNCTION 1
72 LOAD_CONST 17 (8)
74 CALL_FUNCTION 3
76 GET_ITER
>> 78 FOR_ITER 112 (to 192)
80 STORE_FAST 5 (i)
34 82 LOAD_FAST 3 (encry)
84 LOAD_METHOD 3 (append)
86 LOAD_GLOBAL 4 (struct)
88 LOAD_METHOD 5 (unpack)
90 LOAD_CONST 18 ('<I')
92 LOAD_FAST 2 (flag)
94 LOAD_FAST 5 (i)
96 LOAD_FAST 5 (i)
98 LOAD_CONST 19 (4)
100 BINARY_ADD
102 BUILD_SLICE 2
104 BINARY_SUBSCR
106 LOAD_METHOD 6 (encode)
108 LOAD_CONST 20 ('utf-8')
110 CALL_METHOD 1
112 CALL_METHOD 2
114 LOAD_CONST 16 (0)
116 BINARY_SUBSCR
118 CALL_METHOD 1
120 POP_TOP
35 122 LOAD_FAST 3 (encry)
124 LOAD_METHOD 3 (append)
126 LOAD_GLOBAL 4 (struct)
128 LOAD_METHOD 5 (unpack)
130 LOAD_CONST 18 ('<I')
132 LOAD_FAST 2 (flag)
134 LOAD_FAST 5 (i)
136 LOAD_CONST 19 (4)
138 BINARY_ADD
140 LOAD_FAST 5 (i)
142 LOAD_CONST 17 (8)
144 BINARY_ADD
146 BUILD_SLICE 2
148 BINARY_SUBSCR
150 LOAD_METHOD 6 (encode)
152 LOAD_CONST 20 ('utf-8')
154 CALL_METHOD 1
156 CALL_METHOD 2
158 LOAD_CONST 16 (0)
160 BINARY_SUBSCR
162 CALL_METHOD 1
164 POP_TOP
36 166 LOAD_GLOBAL 7 (encrypt)
168 LOAD_FAST 3 (encry)
170 LOAD_FAST 0 (key)
172 CALL_FUNCTION 2
174 STORE_FAST 6 (encrypted)
37 176 LOAD_FAST 4 (encryted)
178 LOAD_METHOD 3 (append)
180 LOAD_FAST 6 (encrypted)
182 CALL_METHOD 1
184 POP_TOP
38 186 BUILD_LIST 0
188 STORE_FAST 3 (encry)
190 JUMP_ABSOLUTE 78
39 >> 192 LOAD_FAST 4 (encryted)
194 LOAD_FAST 1 (arr)
196 COMPARE_OP 2 (==)
198 POP_JUMP_IF_FALSE 210
40 200 LOAD_GLOBAL 8 (print)
202 LOAD_CONST 21 ('ok,fine~')
204 CALL_FUNCTION 1
206 POP_TOP
208 JUMP_FORWARD 8 (to 218)
42 >> 210 LOAD_GLOBAL 8 (print)
212 LOAD_CONST 22 ('sry~')
214 CALL_FUNCTION 1
216 POP_TOP
>> 218 LOAD_CONST 0 (None)
220 RETURN_VALUE
Disassembly of encrypt:
6 0 LOAD_FAST 0 (v)
2 LOAD_CONST 1 (0)
4 BINARY_SUBSCR
6 STORE_FAST 2 (v0)
7 8 LOAD_FAST 0 (v)
10 LOAD_CONST 2 (1)
12 BINARY_SUBSCR
14 STORE_FAST 3 (v1)
8 16 LOAD_CONST 1 (0)
18 STORE_FAST 4 (x)
9 20 LOAD_CONST 3 (6710886)
22 STORE_FAST 5 (delta)
10 24 LOAD_FAST 1 (k)
26 LOAD_CONST 1 (0)
28 BINARY_SUBSCR
30 STORE_FAST 6 (k0)
11 32 LOAD_FAST 1 (k)
34 LOAD_CONST 2 (1)
36 BINARY_SUBSCR
38 STORE_FAST 7 (k1)
12 40 LOAD_FAST 1 (k)
42 LOAD_CONST 4 (2)
44 BINARY_SUBSCR
46 STORE_FAST 8 (k2)
13 48 LOAD_FAST 1 (k)
50 LOAD_CONST 5 (3)
52 BINARY_SUBSCR
54 STORE_FAST 9 (k3)
14 56 LOAD_GLOBAL 0 (range)
58 LOAD_CONST 6 (32)
60 CALL_FUNCTION 1
62 GET_ITER
>> 64 FOR_ITER 108 (to 174)
66 STORE_FAST 10 (i)
15 68 LOAD_FAST 4 (x)
70 LOAD_FAST 5 (delta)
72 INPLACE_ADD
74 STORE_FAST 4 (x)
16 76 LOAD_FAST 4 (x)
78 LOAD_CONST 7 (4294967295)
80 BINARY_AND
82 STORE_FAST 4 (x)
17 84 LOAD_FAST 2 (v0)
86 LOAD_FAST 3 (v1)
88 LOAD_CONST 8 (4)
90 BINARY_LSHIFT
92 LOAD_FAST 6 (k0)
94 BINARY_ADD
96 LOAD_FAST 3 (v1)
98 LOAD_FAST 4 (x)
100 BINARY_ADD
102 BINARY_XOR
104 LOAD_FAST 3 (v1)
106 LOAD_CONST 9 (5)
108 BINARY_RSHIFT
110 LOAD_FAST 7 (k1)
112 BINARY_ADD
114 BINARY_XOR
116 INPLACE_ADD
118 STORE_FAST 2 (v0)
18 120 LOAD_FAST 2 (v0)
122 LOAD_CONST 7 (4294967295)
124 BINARY_AND
126 STORE_FAST 2 (v0)
19 128 LOAD_FAST 3 (v1)
130 LOAD_FAST 2 (v0)
132 LOAD_CONST 8 (4)
134 BINARY_LSHIFT
136 LOAD_FAST 8 (k2)
138 BINARY_ADD
140 LOAD_FAST 2 (v0)
142 LOAD_FAST 4 (x)
144 BINARY_ADD
146 BINARY_XOR
148 LOAD_FAST 2 (v0)
150 LOAD_CONST 9 (5)
152 BINARY_RSHIFT
154 LOAD_FAST 9 (k3)
156 BINARY_ADD
158 BINARY_XOR
160 INPLACE_ADD
162 STORE_FAST 3 (v1)
20 164 LOAD_FAST 3 (v1)
166 LOAD_CONST 7 (4294967295)
168 BINARY_AND
170 STORE_FAST 3 (v1)
172 JUMP_ABSOLUTE 64
21 >> 174 LOAD_FAST 2 (v0)
176 LOAD_FAST 0 (v)
178 LOAD_CONST 1 (0)
180 STORE_SUBSCR
22 182 LOAD_FAST 3 (v1)
184 LOAD_FAST 0 (v)
186 LOAD_CONST 2 (1)
188 STORE_SUBSCR
23 190 LOAD_FAST 0 (v)
192 RETURN_VALUE
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
| from Crypto.Util.number import long_to_bytes
key = [305419896, 2271560481, 2427178479, 4275878409]
arr = [[3888592564, 3737879155], [4063334467, 2214487552], [2420456096, 1529806583], [2576007368, 2328179940], [1665686107, 1748819876]]
flag = []
encryted = []
for i in range(0, len(flag), 8):
encry = []
encry.append(flag[i:i+4])
encry.append(flag[i+4:i+8])
encryted.append(encrypt(encry, key))
def encrypt(encry, key):
v0 = v[0]
v1 = v[1]
x = 0
delta = 6710886
k0 = k[0]
k1 = k[1]
k2 = k[2]
k3 = k[3]
for i in range(32):
x += delta
x &= 0xffffffff
v0 += ((v1 << 4) + k0) ^ (v1 + x) ^ ((v1 >> 5) + k1)
v0 &= 0xffffffff
v1 += ((v0 << 4) + k2) ^ (v0 + x) ^ ((v0 >> 5) + k3)
v1 &= 0xffffffff
v[0] = v0
v[1] = v1
return v
def decrypt(v, k):
v0 = v[0]
v1 = v[1]
x = 0xcccccc0
delta = 6710886
k0 = k[0]
k1 = k[1]
k2 = k[2]
k3 = k[3]
for i in range(32):
v1 -= ((v0 << 4) + k2) ^ (v0 + x) ^ ((v0 >> 5) + k3)
v1 = v1 & 0xFFFFFFFF
v0 -= ((v1 << 4) + k0) ^ (v1 + x) ^ ((v1 >> 5) + k1)
v0 = v0 & 0xFFFFFFFF
x -= delta
x = x & 0xFFFFFFFF
v[0] = v0
v[1] = v1
return v
for i in arr:
a = decrypt(i, key)
b = long_to_bytes(a[0]).decode()[::-1]
c = long_to_bytes(a[1]).decode()[::-1]
print(b+c, end='')
|
