
天津市赛初赛2021-Reverse-WP
dummy

Bytecode

这题考察Python字节码,还原后发现代码是一个改了Delta的TEA(标准TEA的Delta为0x9E3779B9,本题改为6710886,即0x666666),上网一搜Python TEA竟然发现了源码,顺利拿到一血。

Disassembly of main:
27 0 LOAD_CONST 1 (305419896)
2 LOAD_CONST 2 (2271560481)
4 LOAD_CONST 3 (2427178479)
6 LOAD_CONST 4 (4275878409)
8 BUILD_LIST 4
10 STORE_FAST 0 (key)

28 12 LOAD_CONST 5 (3888592564)
14 LOAD_CONST 6 (3737879155)
16 BUILD_LIST 2
18 LOAD_CONST 7 (4063334467)
20 LOAD_CONST 8 (2214487552)
22 BUILD_LIST 2
24 LOAD_CONST 9 (2420456096)
26 LOAD_CONST 10 (1529806583)
28 BUILD_LIST 2
30 LOAD_CONST 11 (2576007368)
32 LOAD_CONST 12 (2328179940)
34 BUILD_LIST 2
36 LOAD_CONST 13 (1665686107)
38 LOAD_CONST 14 (1748819876)
40 BUILD_LIST 2
42 BUILD_LIST 5
44 STORE_FAST 1 (arr)

29 46 LOAD_GLOBAL 0 (input)
48 LOAD_CONST 15 ('please input your secret key: ')
50 CALL_FUNCTION 1
52 STORE_FAST 2 (flag)

31 54 BUILD_LIST 0
56 STORE_FAST 3 (encry)

32 58 BUILD_LIST 0
60 STORE_FAST 4 (encryted)

33 62 LOAD_GLOBAL 1 (range)
64 LOAD_CONST 16 (0)
66 LOAD_GLOBAL 2 (len)
68 LOAD_FAST 2 (flag)
70 CALL_FUNCTION 1
72 LOAD_CONST 17 (8)
74 CALL_FUNCTION 3
76 GET_ITER
>> 78 FOR_ITER 112 (to 192)
80 STORE_FAST 5 (i)

34 82 LOAD_FAST 3 (encry)
84 LOAD_METHOD 3 (append)
86 LOAD_GLOBAL 4 (struct)
88 LOAD_METHOD 5 (unpack)
90 LOAD_CONST 18 ('<I')
92 LOAD_FAST 2 (flag)
94 LOAD_FAST 5 (i)
96 LOAD_FAST 5 (i)
98 LOAD_CONST 19 (4)
100 BINARY_ADD
102 BUILD_SLICE 2
104 BINARY_SUBSCR
106 LOAD_METHOD 6 (encode)
108 LOAD_CONST 20 ('utf-8')
110 CALL_METHOD 1
112 CALL_METHOD 2
114 LOAD_CONST 16 (0)
116 BINARY_SUBSCR
118 CALL_METHOD 1
120 POP_TOP

35 122 LOAD_FAST 3 (encry)
124 LOAD_METHOD 3 (append)
126 LOAD_GLOBAL 4 (struct)
128 LOAD_METHOD 5 (unpack)
130 LOAD_CONST 18 ('<I')
132 LOAD_FAST 2 (flag)
134 LOAD_FAST 5 (i)
136 LOAD_CONST 19 (4)
138 BINARY_ADD
140 LOAD_FAST 5 (i)
142 LOAD_CONST 17 (8)
144 BINARY_ADD
146 BUILD_SLICE 2
148 BINARY_SUBSCR
150 LOAD_METHOD 6 (encode)
152 LOAD_CONST 20 ('utf-8')
154 CALL_METHOD 1
156 CALL_METHOD 2
158 LOAD_CONST 16 (0)
160 BINARY_SUBSCR
162 CALL_METHOD 1
164 POP_TOP

36 166 LOAD_GLOBAL 7 (encrypt)
168 LOAD_FAST 3 (encry)
170 LOAD_FAST 0 (key)
172 CALL_FUNCTION 2
174 STORE_FAST 6 (encrypted)

37 176 LOAD_FAST 4 (encryted)
178 LOAD_METHOD 3 (append)
180 LOAD_FAST 6 (encrypted)
182 CALL_METHOD 1
184 POP_TOP

38 186 BUILD_LIST 0
188 STORE_FAST 3 (encry)
190 JUMP_ABSOLUTE 78

39 >> 192 LOAD_FAST 4 (encryted)
194 LOAD_FAST 1 (arr)
196 COMPARE_OP 2 (==)
198 POP_JUMP_IF_FALSE 210

40 200 LOAD_GLOBAL 8 (print)
202 LOAD_CONST 21 ('ok,fine~')
204 CALL_FUNCTION 1
206 POP_TOP
208 JUMP_FORWARD 8 (to 218)

42 >> 210 LOAD_GLOBAL 8 (print)
212 LOAD_CONST 22 ('sry~')
214 CALL_FUNCTION 1
216 POP_TOP
>> 218 LOAD_CONST 0 (None)
220 RETURN_VALUE


Disassembly of encrypt:
6 0 LOAD_FAST 0 (v)
2 LOAD_CONST 1 (0)
4 BINARY_SUBSCR
6 STORE_FAST 2 (v0)

7 8 LOAD_FAST 0 (v)
10 LOAD_CONST 2 (1)
12 BINARY_SUBSCR
14 STORE_FAST 3 (v1)

8 16 LOAD_CONST 1 (0)
18 STORE_FAST 4 (x)

9 20 LOAD_CONST 3 (6710886)
22 STORE_FAST 5 (delta)

10 24 LOAD_FAST 1 (k)
26 LOAD_CONST 1 (0)
28 BINARY_SUBSCR
30 STORE_FAST 6 (k0)

11 32 LOAD_FAST 1 (k)
34 LOAD_CONST 2 (1)
36 BINARY_SUBSCR
38 STORE_FAST 7 (k1)

12 40 LOAD_FAST 1 (k)
42 LOAD_CONST 4 (2)
44 BINARY_SUBSCR
46 STORE_FAST 8 (k2)

13 48 LOAD_FAST 1 (k)
50 LOAD_CONST 5 (3)
52 BINARY_SUBSCR
54 STORE_FAST 9 (k3)

14 56 LOAD_GLOBAL 0 (range)
58 LOAD_CONST 6 (32)
60 CALL_FUNCTION 1
62 GET_ITER
>> 64 FOR_ITER 108 (to 174)
66 STORE_FAST 10 (i)

15 68 LOAD_FAST 4 (x)
70 LOAD_FAST 5 (delta)
72 INPLACE_ADD
74 STORE_FAST 4 (x)

16 76 LOAD_FAST 4 (x)
78 LOAD_CONST 7 (4294967295)
80 BINARY_AND
82 STORE_FAST 4 (x)

17 84 LOAD_FAST 2 (v0)
86 LOAD_FAST 3 (v1)
88 LOAD_CONST 8 (4)
90 BINARY_LSHIFT
92 LOAD_FAST 6 (k0)
94 BINARY_ADD
96 LOAD_FAST 3 (v1)
98 LOAD_FAST 4 (x)
100 BINARY_ADD
102 BINARY_XOR
104 LOAD_FAST 3 (v1)
106 LOAD_CONST 9 (5)
108 BINARY_RSHIFT
110 LOAD_FAST 7 (k1)
112 BINARY_ADD
114 BINARY_XOR
116 INPLACE_ADD
118 STORE_FAST 2 (v0)

18 120 LOAD_FAST 2 (v0)
122 LOAD_CONST 7 (4294967295)
124 BINARY_AND
126 STORE_FAST 2 (v0)

19 128 LOAD_FAST 3 (v1)
130 LOAD_FAST 2 (v0)
132 LOAD_CONST 8 (4)
134 BINARY_LSHIFT
136 LOAD_FAST 8 (k2)
138 BINARY_ADD
140 LOAD_FAST 2 (v0)
142 LOAD_FAST 4 (x)
144 BINARY_ADD
146 BINARY_XOR
148 LOAD_FAST 2 (v0)
150 LOAD_CONST 9 (5)
152 BINARY_RSHIFT
154 LOAD_FAST 9 (k3)
156 BINARY_ADD
158 BINARY_XOR
160 INPLACE_ADD
162 STORE_FAST 3 (v1)

20 164 LOAD_FAST 3 (v1)
166 LOAD_CONST 7 (4294967295)
168 BINARY_AND
170 STORE_FAST 3 (v1)
172 JUMP_ABSOLUTE 64

21 >> 174 LOAD_FAST 2 (v0)
176 LOAD_FAST 0 (v)
178 LOAD_CONST 1 (0)
180 STORE_SUBSCR

22 182 LOAD_FAST 3 (v1)
184 LOAD_FAST 0 (v)
186 LOAD_CONST 2 (1)
188 STORE_SUBSCR

23 190 LOAD_FAST 0 (v)
192 RETURN_VALUE
from Crypto.Util.number import long_to_bytes

# Constants recovered from the LOAD_CONST operands in the disassembly of main:
# `key` is the four-word key, `arr` holds the five expected ciphertext blocks
# (two 32-bit words each).
key = [305419896, 2271560481, 2427178479, 4275878409]
arr = [
    [3888592564, 3737879155],
    [4063334467, 2214487552],
    [2420456096, 1529806583],
    [2576007368, 2328179940],
    [1665686107, 1748819876],
]

# Placeholder for the unknown input; left empty, so the loop below never runs.
flag = []


# Sketch of the check performed by main: split the input into 8-byte blocks,
# encrypt each block and collect the results for comparison with `arr`.
# NOTE(review): in the disassembly main converts each 4-character slice with
# struct.unpack('<I', ...)[0] before encrypting; this sketch passes the raw
# slices, and `encrypt` is only defined further down, so the loop is
# illustrative and would need both fixed before being run on a real input.
encryted = []
for i in range(0, len(flag), 8):
    encry = [flag[i:i + 4], flag[i + 4:i + 8]]
    encryted.append(encrypt(encry, key))
# Relation that holds for the correct input: arr == encryted
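def encrypt(encry, key):
    """Encrypt one two-word block in place with the challenge's TEA variant.

    The structure is the 32-round TEA round function; the only change from
    the textbook cipher is the delta constant (6710886 == 0x666666), as seen
    in the disassembly of ``encrypt``.

    Args:
        encry: Mutable sequence of two 32-bit unsigned integers (v0, v1).
            It is overwritten with the ciphertext words.
        key: Sequence of at least four 32-bit integers (k0..k3).

    Returns:
        The same ``encry`` object, now holding the encrypted words.
    """
    # The body previously read undefined names `v` and `k`; it now uses the
    # declared parameters so the function can actually be called.
    v0 = encry[0]
    v1 = encry[1]
    x = 0
    delta = 6710886
    k0 = key[0]
    k1 = key[1]
    k2 = key[2]
    k3 = key[3]
    for _ in range(32):
        # Python ints are unbounded, so every update is masked to 32 bits to
        # reproduce the wrap-around of fixed-width arithmetic.
        x = (x + delta) & 0xffffffff
        v0 += ((v1 << 4) + k0) ^ (v1 + x) ^ ((v1 >> 5) + k1)
        v0 &= 0xffffffff
        v1 += ((v0 << 4) + k2) ^ (v0 + x) ^ ((v0 >> 5) + k3)
        v1 &= 0xffffffff

    encry[0] = v0
    encry[1] = v1
    return encry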

def decrypt(v, k):
    """Invert the 32-round TEA variant on one two-word block, in place.

    Args:
        v: Mutable sequence of two 32-bit unsigned integers (ciphertext).
            It is overwritten with the recovered plaintext words.
        k: Sequence of at least four 32-bit integers (k0..k3).

    Returns:
        The same ``v`` object, now holding the decrypted words.
    """
    mask = 0xFFFFFFFF
    left, right = v[0], v[1]
    step = 6710886
    # Running sum starts at its final encryption value: 32 * 6710886.
    total = 0xcccccc0
    key0, key1, key2, key3 = k[0], k[1], k[2], k[3]

    rounds = 32
    while rounds > 0:
        # Undo the two half-rounds in the reverse order of encryption.
        right = (right - (((left << 4) + key2) ^ (left + total) ^ ((left >> 5) + key3))) & mask
        left = (left - (((right << 4) + key0) ^ (right + total) ^ ((right >> 5) + key1))) & mask
        total = (total - step) & mask
        rounds -= 1

    v[0] = left
    v[1] = right
    return v

# Decrypt every expected ciphertext block and print the recovered text.
for block in arr:
    words = decrypt(block, key)
    # main packs each 4-character chunk with '<I' (little-endian), while
    # long_to_bytes emits big-endian bytes, so each chunk is reversed to
    # restore the original character order.
    first = long_to_bytes(words[0]).decode()[::-1]
    second = long_to_bytes(words[1]).decode()[::-1]
    print(first + second, end='')

image-20211107183640994

image-20211107183640994

文章作者: X Mεl0n
文章链接: http://www.zrzz.site/posts/80b0a394/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 X Mεl0n | 随手记
