
Reverse-WP记录6

前言

之前写的,一直没发,留个记录吧,万一哪天记录掉了起码在csdn有个念想

1.[HZNUCTF 2023 preliminary]checkin

找到汇编语言,r转一下

也可以写个脚本

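import re

# Disassembly copied from IDA: the flag is written to the stack as a series of
# immediate values.
s = """
mov     rax, 7B465443554E5A48h
mov     [rbp+var_20], rax
mov     rax, 5F656D3063316557h
mov     [rbp+var_18], rax
mov     rax, 72657665525F3074h
mov     [rbp+var_10], rax
mov     [rbp+var_8], 7D6573h
"""

# Capture the hex digits of every immediate operand (", <hex>h"). Register
# operands such as ", rax" do not end in "h", so they are skipped.
p = r', (\w+)h'


def _le_bytes(hex_text):
    """Return the immediate *hex_text* as bytes in little-endian (in-memory) order."""
    value = int(hex_text, 16)
    # Standard library only: int.to_bytes replaces libnum.n2s(...)[::-1].
    return value.to_bytes((value.bit_length() + 7) // 8, 'little')


flag = b''.join(_le_bytes(h) for h in re.findall(p, s))
print(flag)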

HZNUCTF{We1c0me_t0_Reverse}

2.[CISCN 2023 初赛]moveAside

查壳看一下

打开就是mov汇编程序,很奇怪

0x1 失败尝试

搜索一下发现是通过movfuscator加密混淆过的

但是mov混淆 demov首先环境比较难配 然后解混淆效果极差

0x2 分析

Shift+F12 查看字符串

发现一个提示输入字符串ok input your flag:和一个可疑字符串VIPeeUd\\eHPQ\\UgQW\\IgTc\\TbRVTTPISRRV

可以推测如果输入正确则会输出’yes!’

进入到可疑字符串区域

转成数组发现刚好是42个byte(flag长度),第一想法应该是做了什么位运算得到的 而且很直观的是 四个 \ 正好对应四个 -,可能说明是一一对应关系,因为有些flag的格式就是xxxx-xxxx-xxxx-xxxx

Shift+E Export Data

复制数据内容

对比分析

我们已知的flag结果为 开头的’flag{‘,结尾的’}’ 以及中间的四个’-’
与数组中的对应位进行二进制比较,发现还是有些规律的:bit0 取反,bit1、2、3 保持不变

idx 0:   0110 0111   0x67
idx 0:   0110 0110   'f'
idx 1:   1001 1101   0x9d
idx 1:   0110 1100   'l'
idx 2:   0110 0000   0x60
idx 2:   0110 0001   'a'
idx 3:   0110 0110   0x66
idx 3:   0110 0111   'g'
idx 4:   1000 1010   0x8a
idx 4:   0111 1011   '{'
idx 13:  0101 1100   0x5c
idx 13:  0010 1101   '-'
idx 41:  1000 1100   0x8c
idx 41:  0111 1101   '}'


 

0x3 exp

推断所有可能

字节范围内遍历异或,查看所有16进制可见字符的可能,

# Hex alphabet that the flag body is drawn from
alphabet = "0123456789abcdef"
# The 42-byte array exported from IDA
raw = [
    0x67, 0x9D, 0x60, 0x66, 0x8A, 0x56, 0x49, 0x50, 0x65, 0x65,
    0x60, 0x55, 0x64, 0x5C, 0x65, 0x48, 0x50, 0x51, 0x5C, 0x55,
    0x67, 0x51, 0x57, 0x5C, 0x49, 0x67, 0x54, 0x63, 0x5C, 0x54,
    0x62, 0x52, 0x56, 0x54, 0x54, 0x50, 0x49, 0x53, 0x52, 0x52,
    0x56, 0x8C,
]

# List the candidate characters for every position inside the braces
for pos in range(5, 41):
    target = raw[pos]
    print(f"{pos}, {hex(target)}:", end=' ')
    # 0x5c is the '-' separator
    if target == 0x5c:
        print('-', end=' ')
    # Try every odd XOR mask in 0x00-0xff (odd, so bit 0 always flips) and keep
    # the hex characters whose bits 1-3 equal those of the encoded byte
    matches = [
        ch
        for ch in (chr(target ^ mask) for mask in range(1, 256, 2))
        if ch in alphabet and ord(ch) & 0xe == target & 0xe
    ]
    for ch in matches:
        print(ch, end=' ')
    print()

输出如下 可见可以暴力枚举 但也有2^23的数量 考虑进一步优化

5, 0x56: 7 
6, 0x49: 8 
7, 0x50: a 1 
8, 0x65: d 4 
9, 0x65: d 4 
10, 0x60: a 1 
11, 0x55: d 4 
12, 0x64: e 5 
13, 0x5c: - 
14, 0x65: d 4 
15, 0x48: 9 
16, 0x50: a 1 
17, 0x51: 0 
18, 0x5c: - 
19, 0x55: d 4 
20, 0x67: f 6 
21, 0x51: 0 
22, 0x57: f 6 
23, 0x5c: - 
24, 0x49: 8 
25, 0x67: f 6 
26, 0x54: e 5 
27, 0x63: b 2 
28, 0x5c: - 
29, 0x54: e 5 
30, 0x62: c 3 
31, 0x52: c 3 
32, 0x56: 7 
33, 0x54: e 5 
34, 0x54: e 5 
35, 0x50: a 1 
36, 0x49: 8 
37, 0x53: b 2 
38, 0x52: c 3 
39, 0x52: c 3 
40, 0x56: 7

缩小可能范围

前面推测得到两个数组之间应该是一一映射的关系,即特定的输入对应特定的输出
由于我们已经知道了 f、a 对应的输入(前面对照表中为 0x67 和 0x60),那么候选为 f/6 的 0x57 就应该对应 6,候选为 a/1 的 0x50 就应该对应 1
同理 如果0x54对应e 那么所有0x54都对应e
实际上也就并不需要枚举2^23种可能 只需确定[b,2] [c,3] [d,4] [e,5]的对应关系即2^4=16种可能

爆破脚本:

from pwn import *

# Hex alphabet that the flag body is drawn from
alphabet = "0123456789abcdef"
# The 42-byte array exported from IDA
raw = [
    0x67, 0x9D, 0x60, 0x66, 0x8A, 0x56, 0x49, 0x50, 0x65, 0x65,
    0x60, 0x55, 0x64, 0x5C, 0x65, 0x48, 0x50, 0x51, 0x5C, 0x55,
    0x67, 0x51, 0x57, 0x5C, 0x49, 0x67, 0x54, 0x63, 0x5C, 0x54,
    0x62, 0x52, 0x56, 0x54, 0x54, 0x50, 0x49, 0x53, 0x52, 0x52,
    0x56, 0x8C,
]
# Encoded byte -> list of candidate characters, seeded with the known
# "flag{", "-" and "}" positions
d = {
    0x67: ["f"], 0x9d: ["l"], 0x60: ["a"], 0x66: ["g"],
    0x5c: ["-"], 0x8a: ["{"], 0x8c: ["}"],
}

# Work out the candidates for every byte inside the braces
for pos in range(5, 41):
    code = raw[pos]
    # Skip bytes that are already resolved (e.g. 0x5c is '-')
    if code in d:
        continue
    # Try every odd XOR mask in 0x00-0xff; keep hex characters whose bits 1-3
    # equal those of the encoded byte and that are not already used by "flag{-}"
    d[code] = [
        ch
        for ch in (chr(code ^ mask) for mask in range(1, 256, 2))
        if ch in alphabet and ord(ch) & 0xe == code & 0xe and ch not in "flag{-}"
    ]

print(d)
for code in raw:
    print(f"{hex(code)} : {d[code]}")

# The four ambiguous byte pairs each decode to a letter/digit pair in one of
# two ways, giving 2^4 = 16 candidate tables (same order as writing them out
# by hand: the last pair alternates fastest)
swap_pairs = [
    (0x63, 0x53, 'b', '2'),
    (0x62, 0x52, 'c', '3'),
    (0x65, 0x55, 'd', '4'),
    (0x64, 0x54, 'e', '5'),
]
ds = []
for choice in range(16):
    table = {}
    for bit, (first, second, letter, digit) in zip((8, 4, 2, 1), swap_pairs):
        if choice & bit:
            table[first], table[second] = digit, letter
        else:
            table[first], table[second] = letter, digit
    ds.append(table)

for i in range(16):
    # Unambiguous bytes come from d, ambiguous ones from the i-th table
    flag = ''.join(d[code][0] if len(d[code]) == 1 else ds[i][code] for code in raw)
    print(flag)
    proc = process('./moveAside')
    proc.sendlineafter(b'flag:\n', flag.encode())
    # Consume the line that echoes the input back
    proc.recvline()
    # Nothing within 0.02 s means there is no further output; stop receiving
    res = proc.recv(timeout=0.02)
    if b'yes!' in res:
        success('\n')
        success(flag)
        success('\n')
        exit(0)
    proc.kill()

flag{781dda4e-d910-4f06-8f5b-5c3755182337}

3. [WUSTCTF 2020]level4

/*
 * Entry point as recovered by the decompiler.
 *
 * Prints two banner lines, calls init() with the second banner string and
 * argv, then prints the results of two traversals over the object at
 * unk_601290. The third traversal is never executed: the program only prints
 * the commented-out call as a string.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  puts("Practice my Data Structure code.....");
  puts("Typing....Struct.....char....*left....*right............emmmmm...OK!");
  /* NOTE(review): argument list is as shown by the decompiler; init() presumably
     builds the left/right node structure hinted at by the banner - confirm in its body. */
  init("Typing....Struct.....char....*left....*right............emmmmm...OK!", argv);
  puts("Traversal!");
  printf("Traversal type 1:");
  type1(&unk_601290);
  printf("\nTraversal type 2:");
  type2(&unk_601290);
  printf("\nTraversal type 3:");
  /* The type3 call only exists as text; its output has to be reconstructed
     from the two traversals printed above. */
  puts("    //type3(&x[22]);   No way!");
  puts(&byte_400A37);
  return 0;
}

根据脚本分析可知这是二叉树遍历

然后写出解密脚本

def PreOrder(Postorder,Inorder):
    """Print the pre-order traversal rebuilt from post-order and in-order strings.

    The root of every subtree is the last post-order element; its first
    position in the in-order string splits the remaining nodes into the left
    and right subtrees. Returns 0 for an empty subtree and None otherwise.
    """
    size = len(Postorder)
    if size == 0:
        return 0
    root = Postorder[-1]
    # Falls back to the last index when the root is not found, as a plain
    # index loop would.
    split = size - 1
    for idx in range(size):
        if Inorder[idx] == root:
            split = idx
            break
    # Pre-order: root first, then the left subtree, then the right subtree.
    print(root, end="")
    PreOrder(Postorder[:split], Inorder[:split])
    PreOrder(Postorder[split:-1], Inorder[split + 1:size])
# The two traversal strings used for the reconstruction: post-order first,
# in-order second.
post_order = "20f0Th{2tsIS_icArE}e7__w"
in_order = "2f0t02T{hcsiI_SwA__r7Ee}"
PreOrder(post_order, in_order)

wctf2020{This_IS_A_7reE}

4. [广东强网杯 2021 个人组]goodpy

发现是py字节码

补出源代码

# Source reconstructed from the challenge's Python bytecode: it validates the
# flag format, transforms every character and writes the result to `out`.
import os
# Length of the input, counted by the loop below.
a = 0
flag = input()
for i in range(len(flag)):
    a += 1
# The input must be exactly 32 characters long ...
if a != 32:
    print('error')
    exit()
# ... and have the form flag{...}.
if flag[0] != 'f' or flag[1] != 'l' or flag[2] != 'a' or flag[3] != 'g' or flag[4] != '{' or flag[31] != '}':
    print('error')
    exit()
tmp = []
for i in range(a):
    tmp.append(flag[i])
# Per-character transform: subtract 9, XOR with 51, then add 8.
for i in range(a):
    tmp[i] = ord(tmp[i]) - 9
for i in range(a):
    tmp[i] ^= 51
for i in range(a):
    tmp[i] += 8
# Remember the last three values before the list is shifted.
tmp1 = tmp[a - 3]
tmp2 = tmp[a - 2]
tmp3 = tmp[a - 1]
# NOTE(review): as written this copies tmp[a-7-i] into tmp[a-4-i], so the
# source index becomes negative (wraps around) for the last iterations. The
# decryption script on this page assumes a plain shift by three positions
# (tmp[k] = tmp[k-3]) - confirm the indices against the bytecode.
for i in range(a - 3):
    tmp[a - 1 - i - 3] = tmp[a - 1 - i - 3 - 3]
# The saved tail goes to the front in reverse order.
tmp[0] = tmp3
tmp[1] = tmp2
tmp[2] = tmp1
# NOTE(review): the decryption script on this page XORs the indices with
# i % 7 != 1 and recovers a readable flag, so this condition was presumably
# inverted during reconstruction - confirm against the bytecode.
for i in range(a):
    if i % 7 == 1:
        tmp[i] ^= 119
# The list is written as its Python repr, e.g. "[56, 92, ...]".
with open('out', 'w') as f:
    f.write(str(tmp))

这个代码从用户输入 flag 后进行一系列字符操作,包括减去 9、异或 51、加上 8,以及调整顺序并对特定索引进行异或 119,最终将结果写入 out 文件。

写出解密脚本

# Values read from the `out` file
flag = [56, 92, 6, 1, 47, 4, 2, 62, 129, 84, 97, 100, 5, 100, 87, 89, 60, 11, 84, 87, 244, 103, 118, 247, 47, 96,
        47, 244, 98, 127, 81, 102]
# Undo the XOR with 119 on every index except those with i % 7 == 1
flag = [value if index % 7 == 1 else value ^ 119 for index, value in enumerate(flag)]
# Undo the rotation: the first three values are the original tail in reverse order
flag = flag[3:] + flag[:3][::-1]
# Undo the arithmetic in reverse order: -8, XOR 51, +9
flag = [((value - 8) ^ 51) + 9 for value in flag]
print(''.join(map(chr, flag)), end='')

flag{S1FAbA4kyP14QDfTlElQGM6Ccp}

5.[NSSRound#6 Team]void(V1)

打开

发现换表了

发现换表了

动调看看发现真正的表

提取出来

import base64
# Custom Base64 alphabet recovered while debugging the binary
new = 'W3wp+L4hmzSZOjsR2vkNeBgdirc5uH0x6nIDEfolCVGtyb89Q/qTaFAXY7KJM1UP'
# Standard Base64 alphabet
old = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Ciphertext to decode
enc = "NfjN2Fv40AO7rNiXOpjIOT+FrDuXspBniArDiD67jpBION67ONjnx2=="
# Translate every character from the custom alphabet back to the standard one
# ('=' padding is not in the table and passes through), then decode normally
flag = base64.b64decode(enc.translate(str.maketrans(new, old)))
print(flag)

NSSCTF{c9e6703b315f7785acfcb8945b18913a}

6.[第五空间 2021]StrangeLanguage

解包一下

转换一下

File Name: main.py
Object Name: <module>
Arg Count: 0
Pos Only Arg Count: 0
KW Only Arg Count: 0
Locals: 0
Stack Size: 2
Flags: 0x00000040 (CO_NOFREE)
[Names]
'brainfuck'
'main_check'
[Var Names]
[Free Vars]
[Cell Vars]
[Constants]
0
None
[Disassembly]
0       LOAD_CONST              0: 0
2       LOAD_CONST              1: None
4       IMPORT_NAME             0: brainfuck
6       STORE_NAME              0: brainfuck
8       LOAD_NAME               0: brainfuck
10      LOAD_METHOD             1: main_check
12      CALL_METHOD             0
14      POP_TOP
16      LOAD_CONST              1: None
18      RETURN_VALUE

发现与brainfuck编码有关

用ida打开

跟进查看,然后提取

写出解密脚本

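def shrinkBFCode(code):
    """Condense a Brainfuck program so that it is easier to translate.

    Pointer moves ('>' / '<') are dropped and replaced by a record of which
    data cell each remaining instruction acts on, and every run of '+'/'-'
    is folded into a single '+' with its net change recorded.

    Args:
        code: Brainfuck source text.

    Returns:
        A tuple ``(condensed, cPos2Vars, cPos2Change)`` where ``condensed`` is
        the condensed instruction string, ``cPos2Vars`` maps an index in
        ``condensed`` to the data cell position, and ``cPos2Change`` maps the
        index of a folded '+' to the net amount added (may be negative or 0).
    """
    cPos2Vars = {}    # condensed index -> data cell the instruction acts on
    cPos2Change = {}  # condensed index of a folded '+' -> net increment
    dataChangeOp = {'+', '-'}
    varPos = 0
    nCode = []
    incVal = 0
    lc = None  # previous source character
    for c in code:
        if c not in dataChangeOp and lc in dataChangeOp:
            # A run of '+'/'-' has just ended: emit it as one '+'.
            cPos2Change[len(nCode)] = incVal
            cPos2Vars[len(nCode)] = varPos
            nCode.append('+')
            incVal = 0
        if c == '>':
            varPos += 1
        elif c == '<':
            varPos -= 1
        elif c in dataChangeOp:
            incVal += 1 if c == '+' else -1
        else:
            cPos2Vars[len(nCode)] = varPos
            nCode.append(c)
        lc = c
    if lc in dataChangeOp:
        # Flush a '+'/'-' run that ends the program; without this the final
        # run would be silently dropped.
        cPos2Change[len(nCode)] = incVal
        cPos2Vars[len(nCode)] = varPos
        nCode.append('+')
    return ''.join(nCode), cPos2Vars, cPos2Change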
def generatePyCode(shellCode, pVars, pChange):
    """Translate a condensed Brainfuck instruction string into Python source text.

    Args:
        shellCode: instruction string; handled characters are '[', ']', '.',
            ',', '+', '-' and '%', anything else is ignored.
        pVars: maps an instruction index to the data cell it acts on; an index
            missing from the map is used as the cell position itself.
        pChange: maps an instruction index to the amount a '+'/'-' changes the
            cell by; a missing index counts as 1.

    Returns:
        The generated statements (operating on a list named ``data``) joined
        with newlines.

    Raises:
        Exception: if a ']' does not pair with a '[' on the bracket stack.
    """
    pyCodes = []        # generated source lines
    bStacks = []        # stack of ('[', index) for the loops currently open
    whileVarCache = {}  # index of an open '[' -> {cell: net change made inside that loop}
    for i, c in enumerate(shellCode):
        d_pos = i if i not in pVars else pVars[i]
        d_change = 1 if i not in pChange else pChange[i]
        # Nesting depth decides the indentation of the emitted line.
        indentLevel = len(bStacks)
        indentStr = ' '*(4*indentLevel)
        if c == '[':
            pyCodes.append('{}while data[{}] != 0:'.format(indentStr, d_pos))
            bStacks.append((c, i))
            whileVarCache[i] = {}
        elif c == ']':
            if bStacks[-1][0] != '[':
                raise Exception('miss match of {}] found between {} and {}'.format(bStacks[-1][0], bStacks[-1][1], i))
            cNum = i-bStacks[-1][1]
            if cNum == 2:
                # Loop with a single instruction in its body: drop the emitted
                # header and body line and emit a plain "cell = 0" instead.
                del pyCodes[-1]
                del pyCodes[-1]
                d_pos_l = i-1 if i-1 not in pVars else pVars[i-1]
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            whileCode = shellCode[bStacks[-1][1]+1 : i]
            if cNum>2 and '[' not in whileCode and not '%' in whileCode:  # nested loop is a bit complicated, just skip
                # Flat loop: rewrite it as "other cell +=/-= k * condition cell"
                # followed by zeroing the condition cell.
                loopCondvar = bStacks[-1][1]
                d_pos_l = loopCondvar if loopCondvar not in pVars else pVars[loopCondvar]
                whileVars = whileVarCache[bStacks[-1][1]]
                cVarChange = whileVars[d_pos_l]
                # remove statement of same indent
                while len(pyCodes)>0 and pyCodes[-1].startswith(indentStr) and pyCodes[-1][len(indentStr)]!=' ':
                    pyCodes.pop()
                # One more pop after the body lines (the loop's "while" header).
                pyCodes.pop()
                #del pyCodes[bStacks[-1][1]-i:]
                for vPos, vChange in whileVars.items():
                    if vPos == d_pos_l:
                        continue
                    # True division yields a float, so the generated text
                    # contains factors such as "6.0*".
                    ctimes = abs(vChange / cVarChange)
                    ctimesStr = '' if ctimes==1 else '{}*'.format(ctimes)
                    cSign = '+' if vChange > 0 else '-'
                    pyCodes.append('{}data[{}] {}= {}data[{}]'.format(' '*(4*(indentLevel-1)),vPos, cSign,  ctimesStr, d_pos_l))
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            del whileVarCache[bStacks[-1][1]]
            bStacks.pop()
        elif c == '.':
            pyCodes.append('{}print(data[{}])'.format(indentStr, d_pos))
        elif c == ',':
            pyCodes.append('{}data[{}] = ord(stdin.read(1))'.format(indentStr, d_pos))
        elif c == '+':
            opSign = '-=' if d_change < 0 else '+='
            # Merge "cell = 0" followed by a change into one assignment.
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            # Record the change for the innermost open loop.
            if bStacks:
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] += d_change
        elif c == '-':
            # NOTE(review): shrinkBFCode on this page folds every '+'/'-' run
            # into '+', so this branch is presumably only reached for input
            # that was not condensed - confirm.
            opSign = '+=' if d_change < 0 else '-='
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, -d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] -= d_change
        elif c == '%':
            # Emits a modulo of the current cell by the cell after it.
            pyCodes.append('{}data[{}] %= data[{}]'.format(indentStr, d_pos, d_pos+1))
    return '\n'.join(pyCodes)
shellcode = '>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[-]><>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<><[-]+><>[-]<<<[-]>>[>+<<<+>>-]>[<+>-]<><[-]>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]++++++[<++++++>-]<++><<>>[-]>[-]<<[>[-]<<[>>+>+<<<-]>>[<<+>>-]+>[[-]<-<<->>>]<<-]<[-]>>[<<+>>-]<<[[-][-]>[-]<<<<[>>>+>+<<<<-]>>>>[<<<<+>>>>-]<[<+>[-]]]<[>[-]><,><>[-]<<[-]>[>+<<+>-]>[<+>-]<><[-]>[-]<<[>+>+<<-]>>[<<+>>-][-]++++++++++><<[->-<]+>[<->[-]]<[>>[-]><>[-]<<<<<<[-]>>>>>[>+<<<<<<+>>>>>-]>[<+>-]<><<<[-]][-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]>[-]<<<<[>>>+>+<<<<-]>>>>[<<<<+>>>>-]<<<[>>>[-]<[>+<-]<+[>+<-]<-[>+<-]>]>>>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<]<<[-]>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]++++++[<++++++>-]<++><<>>[-]>[-]<<[>[-]<<[>>+>+<<<-]>>[<<+>>-]+>[[-]<-<<->>>]<<-]<[-]>>[<<+>>-]<<[[-][-]>[-]<<<<[>>>+>+<<<<-]>>>>[<<<<+>>>>-]<[<+>[-]]]<][-]>[-]>[-]>[-]>[-]>[-]>[-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]++++++++++[<++++++++++>-]<++><<[->-<]+>[<->[-]]<[[-][-]+>[-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]+++++++++[<++++++++++++>-]<><<[->-<]+>[<->[-]]<[<+>[-]]]<[[-][-]++>[-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]++++++++[<++++++++++++>-]<+><<[->-<]+>[<->[-]]<[<+>[-]]]<[[-][-]+++>[-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]++++++++[<+++++++++++++>-]<-><<[->-<]+>[<->[-]]<[<+>[-]]]<[[-][-]++++>[-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]+++++++++++[<+++++++++++>-]<++><<[->-<]+>[<->[-]]<[<+>[-]]]<[[-][-]>[-]++++++[<++++++>-]<+>[-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]+++++++++[<++++++++++++++>-]<-><<[->-<]+>[<->[-]]<[<+>[-]]]<>[-]<<[-]>[>+<<+>-]>[<+>-]<><[-]>[-]+>[-]>[-]<<<<<[>>>>+>+<<<<<-]>>>>>[<<<<<+>>>>>-]<>[-]+<[>-<[-]]>[<+>-]<[<<+>->[-]]<[[-]>[-]<<<[>>+>+<<<-]>>>[<<<+>>>-]<>[-]+<[>-<[-]]>[<+>-]<[<+>[-]]][-]+<[>->[-]>[-]<>++++++++++[<+++++++++++>-]<.+.-.+.-.+.<<[-]]>[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[-]+><>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>[-]+++++++[<++++++++++++>-]<->[-]+++++++++++++++>[-]>[-]+++++++++[<++++++++++>-]<>[-]>[-]+++++++[<++++++++++++>-]<>[-]>[-]++++++++[<++++++++++>-]<>[-]>[-]+++++++[<++++++++++++>-]<+>[-]+++>[-]++>[-]>[-]+++++++>[-]>[-]+++++++[<++++++++++++>-]<++>[-]+++++++>[-]+++++++>[-]>[-]+++++++[<+++++++++++++>-]<>[-]+++++++++>[-]>[-]>[-]++++++++[<++++++++++>-]<>[-]+++++>[-]++>[-]+++>[-]>[-]+++++++[<+++++++++++++>-]<++>[-]>[-]+++++++[<+++++++++++++>-]<+>[-]>[-]++++++++[<++++++++++>-]<>[-]>[-]+++++++++[<+++++++++>-]<>[-]>[-]+++++++++[<+++++++++>-]<+>[-]>[-]+++++++[<++++++++++++>-]<>[-]>[-]+++++++++[<++++++++++>-]<>[-]>[-]++++++++[<++++++++++++>-]<->[-]++>[-]>[-]++++++++[<+++++++++++>-]<->[-]+++++++>[-]>[-]++++[<+++++++++++++>-]<>><[-]+++++><>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<><[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]++++++[<++++++>-]<><<>>[-]>[-]<<[>[-]<<[>>+>+<<<-]>>[<<+>>-]+>[[-]<-<<->>>]<<-]<[-]>>[<<+>>-]<<[[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]+><<>[<+>-][-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<]<<>>>>>>>[-]>>[-]<[-]--------[++++++++<<[-]<[-]<[-]<[-]<[-]++<<[->>-[>+>>+<<<-]>[<+>-]>>>>+<<-[<+<<++>>>>>--<<+]<<<<<]>>>>[<<<<+>>>>-]<<[-]++<[->-[>+>>+<<<-]>[<+>-]>>>+<-[>--<<+<<++>>>+]<<<<]>>>[<<<+>>>-]>>[>-<-]>[[-]<<+>>]>[<+<+>>-]<[>+<-]<[<[<+>-]<[>++<-]>>-]<[>>>>+<<<<-]>>>-------]>[<<<<<<<<<+>>>>>>>>>-]<<<<<<<<<<<[>>>[-]<[>+<-]<+[>+<-]<-[>+<-]>]>>>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<]<[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]++++++[<++++++>-]<><<>>[-]>[-]<<[>[-]<<[>>+>+<<<-]>>[<<+>>-]+>[[-]<-<<->>>]<<-]<[-]>>[<<+>>-]<<][-]><>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<><[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]++++[<++++++++>-]<><<>>[-]>[-]<<[>[-]<<[>>+>+<<<-]>>[<<+>>-]+>[[-]<-
<<->>>]<<-]<[-]>>[<<+>>-]<<[[-]+++++>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<<>[<+>-][-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<][-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]<[>>[-]+<[>+<-]<-[>+<-]>]>>[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[<<+>>-]<[<[<+>-]>-[<+>-]<]<<[->-<]>[<+>[-]]<[>>[-]><>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]>[<+>-]<><<<[-]][-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-]<[-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]>[-]++++[<++++++++>-]<><<>>[-]>[-]<<[>[-]<<[>>+>+<<<-]>>[<<+>>-]+>[[-]<-<<->>>]<<-]<[-]>>[<<+>>-]<<][-]>[-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>-][-]+<[>->[-]>[-]<>++++++[<+++++++++++>-]<+.>++++[<+++++++++++>-]<.-.-------.+++++++++++.>++++[<---->-]<-.>+++[<++++++>-]<+.-.>+++++++++[<--------->-]<-.<<[-]]>[>[-]>[-]<>++++++++++[<+++++++++++>-]<.+.-.+.-.+.<-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<-]<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<'
# Condense the extracted program first, then print its Python translation.
condensed, cell_by_index, change_by_index = shrinkBFCode(shellcode)
translated = generatePyCode(condensed, cell_by_index, change_by_index)
print(translated)

data[1] = 0
data[44] += data[43]
data[1] += data[43]
data[43] = 0
data[43] += data[44]
data[44] = 0
data[43] = 1
data[44] = 0
data[41] = 0
data[44] += data[43]
data[41] += data[43]
data[43] = 0
data[43] += data[44]
data[44] = 0
data[43] = 0
data[44] = 0
data[45] = 0
data[44] += data[1]
data[45] += data[1]
data[1] = 0
data[1] += data[45]
data[45] = 0
data[45] = 0
data[46] = 6
data[45] += 6.0*data[46]
data[46] = 0
data[45] += 2
data[46] = 0
data[47] = 0
while data[45] != 0:data[46] = 0data[46] += data[44]data[47] += data[44]data[44] = 0data[44] += data[46]data[46] = 1while data[47] != 0:data[47] = 0data[46] -= 1data[44] -= 1data[45] -= 1
data[44] = 0
data[44] += data[46]
data[46] = 0
while data[44] != 0:data[44] = 0data[44] = 0data[45] = 0data[44] += data[41]data[45] += data[41]data[41] = 0data[41] += data[45]data[45] = 0while data[44] != 0:data[43] += 1data[44] = 0
while data[43] != 0:data[44] = 0data[44] = ord(stdin.read(1))data[45] = 0data[43] = 0data[45] += data[44]data[43] += data[44]data[44] = 0data[44] += data[45]data[45] = 0data[44] = 0data[45] = 0data[44] += data[43]data[45] += data[43]data[43] = 0data[43] += data[45]data[45] = 0data[45] = 10data[45] -= data[44]data[44] = 1while data[45] != 0:data[44] -= 1data[45] = 0while data[44] != 0:data[46] = 0data[47] = 0data[41] = 0data[47] += data[46]data[41] += data[46]data[46] = 0data[46] += data[47]data[47] = 0data[44] = 0data[44] = 0data[45] = 0data[44] += data[1]data[45] += data[1]data[1] = 0data[45] += 1data[1] += data[45]data[45] = 0data[45] = 0data[46] = 0data[47] = 0data[46] += data[43]data[47] += data[43]data[43] = 0data[43] += data[47]data[47] = 0while data[44] != 0:data[47] = 0data[47] += data[46]data[46] = 0data[45] += 1data[46] += data[45]data[45] = 0data[44] -= 1data[45] += data[44]data[44] = 0data[48] = 0data[3] = 0data[48] += data[47]data[3] += data[47]data[47] = 0data[47] += data[48]data[48] = 0data[45] += data[47]data[47] = 0while data[46] != 0:data[44] += data[45]data[45] = 0data[46] -= 1data[45] += data[46]data[46] = 0data[43] = 0data[44] = 0data[45] = 0data[44] += data[1]data[45] += data[1]data[1] = 0data[1] += data[45]data[45] = 0data[45] = 0data[46] = 6data[45] += 6.0*data[46]data[46] = 0data[45] += 2data[46] = 0data[47] = 0while data[45] != 0:data[46] = 0data[46] += data[44]data[47] += data[44]data[44] = 0data[44] += data[46]data[46] = 1while data[47] != 0:data[47] = 0data[46] -= 1data[44] -= 1data[45] -= 1data[44] = 0data[44] += data[46]data[46] = 0while data[44] != 0:data[44] = 0data[44] = 0data[45] = 0data[44] += data[41]data[45] += data[41]data[41] = 0data[41] += data[45]data[45] = 0while data[44] != 0:data[43] += 1data[44] = 0
data[43] = 0
data[44] = 0
data[45] = 0
data[46] = 0
data[47] = 0
data[48] = 0
data[49] = 0
while data[48] != 0:data[50] = 1data[50] += data[49]data[49] = 0data[48] -= 1data[49] += data[48]data[48] = 0
data[51] = 0
data[52] = 0
data[51] += data[3]
data[52] += data[3]
data[3] = 0
data[3] += data[52]
data[52] = 0
data[49] += data[51]
data[51] = 0
while data[50] != 0:data[48] += data[49]data[49] = 0data[50] -= 1data[49] += data[50]data[50] = 0
data[49] = 0
data[50] = 10
data[49] += 10.0*data[50]
data[50] = 0
data[49] += 2
data[49] -= data[48]
data[48] = 1
while data[49] != 0:data[48] -= 1data[49] = 0
while data[48] != 0:data[48] = 0data[48] = 1data[49] = 0while data[48] != 0:data[50] = 1data[50] += data[49]data[49] = 0data[48] -= 1data[49] += data[48]data[48] = 0data[51] = 0data[52] = 0data[51] += data[3]data[52] += data[3]data[3] = 0data[3] += data[52]data[52] = 0data[49] += data[51]data[51] = 0while data[50] != 0:data[48] += data[49]data[49] = 0data[50] -= 1data[49] += data[50]data[50] = 0data[49] = 0data[50] = 9data[49] += 12.0*data[50]data[50] = 0data[49] -= data[48]data[48] = 1while data[49] != 0:data[48] -= 1data[49] = 0while data[48] != 0:data[47] += 1data[48] = 0
while data[47] != 0:data[47] = 0data[47] = 2data[48] = 0while data[47] != 0:data[49] = 1data[49] += data[48]data[48] = 0data[47] -= 1data[48] += data[47]data[47] = 0data[50] = 0data[51] = 0data[50] += data[3]data[51] += data[3]data[3] = 0data[3] += data[51]data[51] = 0data[48] += data[50]data[50] = 0while data[49] != 0:data[47] += data[48]data[48] = 0data[49] -= 1data[48] += data[49]data[49] = 0data[48] = 0data[49] = 8data[48] += 12.0*data[49]data[49] = 0data[48] += 1data[48] -= data[47]data[47] = 1while data[48] != 0:data[47] -= 1data[48] = 0while data[47] != 0:data[46] += 1data[47] = 0
while data[46] != 0:data[46] = 0data[46] = 3data[47] = 0while data[46] != 0:data[48] = 1data[48] += data[47]data[47] = 0data[46] -= 1data[47] += data[46]data[46] = 0data[49] = 0data[50] = 0data[49] += data[3]data[50] += data[3]data[3] = 0data[3] += data[50]data[50] = 0data[47] += data[49]data[49] = 0while data[48] != 0:data[46] += data[47]data[47] = 0data[48] -= 1data[47] += data[48]data[48] = 0data[47] = 0data[48] = 8data[47] += 13.0*data[48]data[48] = 0data[47] -= 1data[47] -= data[46]data[46] = 1while data[47] != 0:data[46] -= 1data[47] = 0while data[46] != 0:data[45] += 1data[46] = 0
while data[45] != 0:data[45] = 0data[45] = 4data[46] = 0while data[45] != 0:data[47] = 1data[47] += data[46]data[46] = 0data[45] -= 1data[46] += data[45]data[45] = 0data[48] = 0data[49] = 0data[48] += data[3]data[49] += data[3]data[3] = 0data[3] += data[49]data[49] = 0data[46] += data[48]data[48] = 0while data[47] != 0:data[45] += data[46]data[46] = 0data[47] -= 1data[46] += data[47]data[47] = 0data[46] = 0data[47] = 11data[46] += 11.0*data[47]data[47] = 0data[46] += 2data[46] -= data[45]data[45] = 1while data[46] != 0:data[45] -= 1data[46] = 0while data[45] != 0:data[44] += 1data[45] = 0
while data[44] != 0:data[44] = 0data[44] = 0data[45] = 6data[44] += 6.0*data[45]data[45] = 0data[44] += 1data[45] = 0while data[44] != 0:data[46] = 1data[46] += data[45]data[45] = 0data[44] -= 1data[45] += data[44]data[44] = 0data[47] = 0data[48] = 0data[47] += data[3]data[48] += data[3]data[3] = 0data[3] += data[48]data[48] = 0data[45] += data[47]data[47] = 0while data[46] != 0:data[44] += data[45]data[45] = 0data[46] -= 1data[45] += data[46]data[46] = 0data[45] = 0data[46] = 9data[45] += 14.0*data[46]data[46] = 0data[45] -= 1data[45] -= data[44]data[44] = 1while data[45] != 0:data[44] -= 1data[45] = 0while data[44] != 0:data[43] += 1data[44] = 0
data[44] = 0
data[42] = 0
data[44] += data[43]
data[42] += data[43]
data[43] = 0
data[43] += data[44]
data[44] = 0
data[43] = 0
data[44] = 1
data[45] = 0
data[46] = 0
data[45] += data[41]
data[46] += data[41]
data[41] = 0
data[41] += data[46]
data[46] = 0
data[46] = 1
while data[45] != 0:data[46] -= 1data[45] = 0
data[45] += data[46]
data[46] = 0
while data[45] != 0:data[43] += 1data[44] -= 1data[45] = 0
while data[44] != 0:data[44] = 0data[45] = 0data[44] += data[42]data[45] += data[42]data[42] = 0data[42] += data[45]data[45] = 0data[45] = 1while data[44] != 0:data[45] -= 1data[44] = 0data[44] += data[45]data[45] = 0while data[44] != 0:data[43] += 1data[44] = 0
data[44] = 1
while data[43] != 0:data[44] -= 1data[45] = 0data[46] = 10data[45] += 11.0*data[46]data[46] = 0print(data[45])data[45] += 1print(data[45])data[45] -= 1print(data[45])data[45] += 1print(data[45])data[45] -= 1print(data[45])data[45] += 1print(data[45])data[43] = 0
while data[44] != 0:data[77] = 1data[78] = 0data[41] = 0data[78] += data[77]data[41] += data[77]data[77] = 0data[77] += data[78]data[78] = 0data[45] = 0data[46] = 7data[45] += 12.0*data[46]data[46] = 0data[45] -= 1data[46] = 15data[47] = 0data[48] = 9data[47] += 10.0*data[48]data[48] = 0data[48] = 0data[49] = 7data[48] += 12.0*data[49]data[49] = 0data[49] = 0data[50] = 8data[49] += 10.0*data[50]data[50] = 0data[50] = 0data[51] = 7data[50] += 12.0*data[51]data[51] = 0data[50] += 1data[51] = 3data[52] = 2data[53] = 0data[54] = 7data[55] = 0data[56] = 7data[55] += 12.0*data[56]data[56] = 0data[55] += 2data[56] = 7data[57] = 7data[58] = 0data[59] = 7data[58] += 13.0*data[59]data[59] = 0data[59] = 9data[60] = 0data[61] = 0data[62] = 8data[61] += 10.0*data[62]data[62] = 0data[62] = 5data[63] = 2data[64] = 3data[65] = 0data[66] = 7data[65] += 13.0*data[66]data[66] = 0data[65] += 2data[66] = 0data[67] = 7data[66] += 13.0*data[67]data[67] = 0data[66] += 1data[67] = 0data[68] = 8data[67] += 10.0*data[68]data[68] = 0data[68] = 0data[69] = 9data[68] += 9.0*data[69]data[69] = 0data[69] = 0data[70] = 9data[69] += 9.0*data[70]data[70] = 0data[69] += 1data[70] = 0data[71] = 7data[70] += 12.0*data[71]data[71] = 0data[71] = 0data[72] = 9data[71] += 10.0*data[72]data[72] = 0data[72] = 0data[73] = 8data[72] += 12.0*data[73]data[73] = 0data[72] -= 1data[73] = 2data[74] = 0data[75] = 8data[74] += 11.0*data[75]data[75] = 0data[74] -= 1data[75] = 7data[76] = 0data[77] = 4data[76] += 13.0*data[77]data[77] = 0data[77] = 5data[78] = 0data[40] = 0data[78] += data[77]data[40] += data[77]data[77] = 0data[77] += data[78]data[78] = 0data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[40] += data[78]data[78] = 0data[78] = 0data[79] = 6data[78] += 6.0*data[79]data[79] = 0data[79] = 0data[80] = 0while data[78] != 0:data[79] = 0data[79] += data[77]data[80] += data[77]data[77] = 0data[77] += data[79]data[79] = 1while data[80] != 0:data[80] = 0data[79] -= 1data[77] -= 
1data[78] -= 1data[77] = 0data[77] += data[79]data[79] = 0while data[77] != 0:data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[40] += data[78]data[78] = 0data[78] = 0data[79] = 0data[80] = 0data[79] += data[40]data[80] += data[40]data[40] = 0data[40] += data[80]data[80] = 0data[80] = 0while data[79] != 0:data[81] = 1data[81] += data[80]data[80] = 0data[79] -= 1data[80] += data[79]data[79] = 0data[82] = 0data[83] = 0data[82] += data[3]data[83] += data[3]data[3] = 0data[3] += data[83]data[83] = 0data[80] += data[82]data[82] = 0while data[81] != 0:data[79] += data[80]data[80] = 0data[81] -= 1data[80] += data[81]data[81] = 0data[80] = 0data[81] = 0data[80] += data[40]data[81] += data[40]data[40] = 0data[40] += data[81]data[81] = 0data[81] = 1data[80] += data[81]data[81] = 0data[81] = 0while data[80] != 0:data[82] = 1data[82] += data[81]data[81] = 0data[80] -= 1data[81] += data[80]data[80] = 0data[83] = 0data[84] = 0data[83] += data[3]data[84] += data[3]data[3] = 0data[3] += data[84]data[84] = 0data[81] += data[83]data[83] = 0while data[82] != 0:data[80] += data[81]data[81] = 0data[82] -= 1data[81] += data[82]data[82] = 0data[86] = 0data[88] = 0data[87] = -8while data[87] != 0:data[87] += 8data[85] = 0data[84] = 0data[83] = 0data[82] = 0data[81] = 2while data[79] != 0:data[79] -= 1data[81] -= 1data[82] += data[81]data[84] += data[81]data[81] = 0data[81] += data[82]data[82] = 0data[86] += 1data[84] -= 1data[83] += data[84]data[81] += 2.0*data[84]data[86] -= 2.0*data[84]data[84] = 0data[79] += data[83]data[83] = 0data[81] = 2while data[80] != 0:data[80] -= 1data[81] -= 1data[82] += data[81]data[84] += data[81]data[81] = 0data[81] += data[82]data[82] = 0data[85] += 1data[84] -= 1data[85] -= 2.0*data[84]data[83] += data[84]data[81] += 2.0*data[84]data[84] = 0data[80] += data[83]data[83] = 0data[86] -= data[85]data[85] = 0while data[86] != 0:data[86] = 0data[84] += 1data[86] += data[87]data[85] += data[87]data[87] = 0data[87] += 
data[86]data[86] = 0while data[85] != 0:data[83] += data[84]data[84] = 0data[84] += 2.0*data[83]data[83] = 0data[85] -= 1data[88] += data[84]data[84] = 0data[87] -= 7data[79] += data[88]data[88] = 0while data[77] != 0:data[80] = 0data[80] += data[79]data[79] = 0data[78] += 1data[79] += data[78]data[78] = 0data[77] -= 1data[78] += data[77]data[77] = 0data[81] = 0data[3] = 0data[81] += data[80]data[3] += data[80]data[80] = 0data[80] += data[81]data[81] = 0data[78] += data[80]data[80] = 0while data[79] != 0:data[77] += data[78]data[78] = 0data[79] -= 1data[78] += data[79]data[79] = 0data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[78] += 1data[40] += data[78]data[78] = 0data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[40] += data[78]data[78] = 0data[78] = 0data[79] = 6data[78] += 6.0*data[79]data[79] = 0data[79] = 0data[80] = 0while data[78] != 0:data[79] = 0data[79] += data[77]data[80] += data[77]data[77] = 0data[77] += data[79]data[79] = 1while data[80] != 0:data[80] = 0data[79] -= 1data[77] -= 1data[78] -= 1data[77] = 0data[77] += data[79]data[79] = 0data[77] = 0data[78] = 0data[40] = 0data[78] += data[77]data[40] += data[77]data[77] = 0data[77] += data[78]data[78] = 0data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[40] += data[78]data[78] = 0data[78] = 0data[79] = 4data[78] += 8.0*data[79]data[79] = 0data[79] = 0data[80] = 0while data[78] != 0:data[79] = 0data[79] += data[77]data[80] += data[77]data[77] = 0data[77] += data[79]data[79] = 1while data[80] != 0:data[80] = 0data[79] -= 1data[77] -= 1data[78] -= 1data[77] = 0data[77] += data[79]data[79] = 0while data[77] != 0:data[77] = 5data[78] = 0data[79] = 0data[78] += data[40]data[79] += data[40]data[40] = 0data[40] += data[79]data[79] = 0data[77] += data[78]data[78] = 0data[78] = 0while data[77] != 0:data[79] = 1data[79] += data[78]data[78] = 0data[77] -= 1data[78] += data[77]data[77] = 0data[80] = 0data[81] = 0data[80] 
+= data[3]data[81] += data[3]data[3] = 0data[3] += data[81]data[81] = 0data[78] += data[80]data[80] = 0while data[79] != 0:data[77] += data[78]data[78] = 0data[79] -= 1data[78] += data[79]data[79] = 0data[78] = 0data[79] = 0data[78] += data[40]data[79] += data[40]data[40] = 0data[40] += data[79]data[79] = 0data[79] = 0while data[78] != 0:data[80] = 1data[80] += data[79]data[79] = 0data[78] -= 1data[79] += data[78]data[78] = 0data[81] = 0data[82] = 0data[81] += data[46]data[82] += data[46]data[46] = 0data[46] += data[82]data[82] = 0data[79] += data[81]data[81] = 0while data[80] != 0:data[78] += data[79]data[79] = 0data[80] -= 1data[79] += data[80]data[80] = 0data[78] -= data[77]data[77] = 0while data[78] != 0:data[77] += 1data[78] = 0while data[77] != 0:data[79] = 0data[80] = 0data[41] = 0data[80] += data[79]data[41] += data[79]data[79] = 0data[79] += data[80]data[80] = 0data[77] = 0data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[78] += 1data[40] += data[78]data[78] = 0data[77] = 0data[78] = 0data[77] += data[40]data[78] += data[40]data[40] = 0data[40] += data[78]data[78] = 0data[78] = 0data[79] = 4data[78] += 8.0*data[79]data[79] = 0data[79] = 0data[80] = 0while data[78] != 0:data[79] = 0data[79] += data[77]data[80] += data[77]data[77] = 0data[77] += data[79]data[79] = 1while data[80] != 0:data[80] = 0data[79] -= 1data[77] -= 1data[78] -= 1data[77] = 0data[77] += data[79]data[79] = 0data[77] = 0data[78] = 0data[77] += data[41]data[78] += data[41]data[41] = 0data[41] += data[78]data[78] = 0data[78] = 1while data[77] != 0:data[78] -= 1data[79] = 0data[80] = 6data[79] += 11.0*data[80]data[80] = 0data[79] += 1print(data[79])data[80] += 4data[79] += 11.0*data[80]data[80] = 0print(data[79])data[79] -= 1print(data[79])data[79] -= 7print(data[79])data[79] += 11print(data[79])data[80] += 4data[79] -= 4.0*data[80]data[80] = 0data[79] -= 1print(data[79])data[80] += 3data[79] += 6.0*data[80]data[80] = 0data[79] += 1print(data[79])data[79] -= 
1print(data[79])data[80] += 9data[79] -= 9.0*data[80]data[80] = 0data[79] -= 1print(data[79])data[77] = 0while data[78] != 0:data[79] = 0data[80] = 10data[79] += 11.0*data[80]data[80] = 0print(data[79])data[79] += 1print(data[79])data[79] -= 1print(data[79])data[79] += 1print(data[79])data[79] -= 1print(data[79])data[79] += 1print(data[79])data[78] -= 1data[44] -= 1

此处发现大量的赋值语句,显然这就是enc了
修改逻辑后将这一段代码输出来

83,15,90,84,80,85,3,2,0,7,86,7,7,91,9,0,80,5,2,3,93,92,80,81,82,84,90,95,2,87,7,52

# Encrypted byte array (the values printed in the previous step).
enc = [83, 15, 90, 84, 80, 85, 3, 2, 0, 7, 86, 7, 7, 91, 9, 0,
       80, 5, 2, 3, 93, 92, 80, 81, 82, 84, 90, 95, 2, 87, 7, 52]

# Undo the chained XOR starting from the tail: the last byte is stored as-is,
# and every earlier byte is XORed with the already-decoded byte after it.
suffix_xor = 0
for pos in reversed(range(len(enc))):
    suffix_xor ^= enc[pos]
    enc[pos] = suffix_xor

# Printing the list directly would show integers, so convert each code point
# to its character before printing.
output_str = ''.join(map(chr, enc))
print(output_str)

NSSCTF{d78b6f30225cdc811adfe8d4e7c9fd34}

7. [HNCTF 2022 WEEK2]Try2Bebug_Plus

查壳,发现是linux

在ida中打开

断点

断点

进行动调

一直F7出现rdi然后修改

然后就有flag了

脚本

#include <stdio.h>
#include <stdint.h>
#include<string.h>

/*
 * Decrypt one 64-bit block (the two words v[0] and v[1]) in place, using the
 * four key words in a2.
 *
 * The constants match TEA decryption: 0xC6EF3720 is 32 * 0x9E3779B9, and
 * adding 0x61C88647 equals subtracting 0x9E3779B9 modulo 2^32.
 */
void decrypt(unsigned int *v, int *a2)
{
    unsigned int lo = v[0];
    unsigned int hi = v[1];
    unsigned int sum = 0xC6EF3720;
    unsigned int round;

    for (round = 0; round < 32; round++)
    {
        hi -= (lo + sum) ^ ((lo << 4) + a2[2]) ^ ((lo >> 5) + a2[3]);
        lo -= (hi + sum) ^ ((hi << 4) + a2[0]) ^ ((hi >> 5) + a2[1]);
        sum += 0x61C88647;
    }

    v[0] = lo;
    v[1] = hi;
}

int main()
{
    unsigned int v[12] = {
        0x489A0BFD, 0x38DE3838, 0x16D1DA51, 0x710510ED,
        0x1E619392, 0x0B487955, 0x0AB44987, 0x5DB378E5,
        0x9F9DA4CD, 0x49F2D9A8, 0x608F269E, 0x6261B831
    };
    int k[4] = {0xAA, 0xBB, 0xCC, 0xDD};
    unsigned char v3[12];
    int i;

    /* Decrypt the six 64-bit blocks in place. */
    for (i = 0; i < 12; i += 2)
        decrypt(&v[i], k);

    /* Each decrypted word is XORed with 16 * index; v[i] is a four-byte
       integer, so storing it in an unsigned char keeps only the low byte. */
    i = 0;
    while (i < 12)
    {
        v3[i] = (16 * i) ^ v[i];
        printf("%c", v3[i]);
        i++;
    }
    /* prints: th1s_1s_flag */
    return 0;
}

th1s_1s_flag

8. [MoeCTF 2021]Realezpy

发现是pyc文件,直接反编译一手

import time
c = [119,121,111,109,100,112,123,74,105,100,114,48,120,95,49,99,95,99,121,48,121,48,121,48,121,48,95,111,107,99,105,125]def encrypt(a):result = []for i in range(len(a)):if ord(a[i]) <= ord(a[i]) or ord(a[i]) <= ord('z'):passelse:ord('a')result.append((ord(a[i]) + 114 - ord('a')) % 26 + ord('a'))continueif ord(a[i]) <= ord(a[i]) or ord(a[i]) <= ord('Z'):passelse:ord('A')result.append((ord(a[i]) + 514 - ord('A')) % 26 + ord('A'))continueresult.append(ord(a[i]))continuereturn resultipt = input('Plz give me your flag:')
out = encrypt(ipt)
if len(ipt) != len(c):print('Wrong lenth~')exit()
else:for i in range(len(c)):if out[i] != c[i]:print('Plz try again?')exit()continueprint('Congratulations!!!')time.sleep(1)print('enjoy the beauty of python ~~~ ')import thisreturn None

写出解密脚本

c = [119, 121, 111, 109, 100, 112, 123, 74, 105, 100, 114, 48, 120, 95, 49, 99,
     95, 99, 121, 48, 121, 48, 121, 48, 121, 48, 95, 111, 107, 99, 105, 125]


def encrypt(a):
    """Apply the challenge's per-letter shift and return a list of code points.

    Lowercase letters are rotated by 114 positions and uppercase letters by
    514 positions (both modulo 26); every other character passes through
    unchanged.
    """
    result = []
    for ch in a:
        code = ord(ch)
        if 'a' <= ch <= 'z':
            code = (code + 114 - ord('a')) % 26 + ord('a')
        elif 'A' <= ch <= 'Z':
            code = (code + 514 - ord('A')) % 26 + ord('A')
        result.append(code)
    return result


# The cipher works one character at a time, so encrypt every candidate once
# and remember the first plaintext character that yields each ciphertext value.
first_preimage = {}
for k in range(37, 127):
    first_preimage.setdefault(encrypt(chr(k))[0], chr(k))

for value in c:
    if value in first_preimage:
        print(first_preimage[value], end="")

解出flag

9. [HDCTF 2023]double_code

跟进alloc使用的指针中

data段中保存此内存

32bit ida打开 创建函数 得到:

  /* Decompiler output: every byte of v2 is modified in place, and the
     operation is chosen by the byte's index modulo 5. Indexes with
     i % 5 == 0 match no branch and are left unchanged. */
  for ( i = 0; ; ++i )
  {
    /* Called through an absolute address; presumably a length routine
       (strlen-like) -- confirm in the binary. */
    v0 = MEMORY[0x1B250](v2);
    if ( v0 <= i )
      break;
    v7 = i % 5;
    if ( i % 5 == 1 )
    {
      v2[i] ^= 0x23u;
    }
    else
    {
      switch ( v7 )
      {
        case 2:
          v2[i] += 2;
          break;
        case 3:
          v2[i] -= 3;
          break;
        case 4:
          v2[i] -= 4;
          break;
        case 5:
          /* Never taken: i % 5 can never equal 5. */
          v2[i] -= 25;
          break;
      }
    }
  }

写出脚本

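flag = [0x48, 0x67, 0x45, 0x51, 0x42, 0x7b, 0x70, 0x6a, 0x30, 0x68, 0x6c, 0x60,
        0x32, 0x61, 0x61, 0x5f, 0x42, 0x70, 0x61, 0x5b, 0x30, 0x53, 0x65, 0x6c,
        0x60, 0x65, 0x7c, 0x63, 0x69, 0x2d, 0x5f, 0x46, 0x35, 0x70, 0x75, 0x7d]

# Invert the decompiled transform; the operation depends on index % 5.
# Bytes at i % 5 == 0 were stored unchanged. The decompiled `case 5` (and the
# `i % 5 == 5` test that mirrored it) can never match, so it is omitted.
for i in range(len(flag)):
    r = i % 5
    if r == 1:
        flag[i] ^= 0x23  # XOR is its own inverse
    elif r == 2:
        flag[i] -= 2     # undoes += 2
    elif r == 3:
        flag[i] += 3     # undoes -= 3
    elif r == 4:
        flag[i] += 4     # undoes -= 4

for i in flag:
    print(chr(i), end="")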

HDCTF{Sh3llC0de_and_0pcode_al1_e3sy}

10. [柏鹭杯 2021]baby_python

py解包

改文件头

发现引用了baby_python.code的包

找到的密钥文件就在pyimod00_crypto_key这个文件中,这个文件用010打开,发现是一个pyc文件,添加后缀.pyc

key = 'f8c0870eba862579'

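然后根据相关性发现,主要的加密逻辑在 pyimod02_archive.pyc 中,将其反编译。其中的 Cipher 类读取 pyimod00_crypto_key 里的 key,把数据的前 16 字节作为 IV,用 tinyaes 的 AES-CTR 解密其余部分;密钥随程序一起打包,所以这种加密只能增加逆向成本,并不能真正保护代码。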

源代码

import marshal
import struct
import sys
import zlib
import _thread as thread
CRYPT_BLOCK_SIZE = 16
PYZ_TYPE_MODULE = 0
PYZ_TYPE_PKG = 1
PYZ_TYPE_DATA = 2
PYZ_TYPE_NSPKG = 3class FilePos(object):'''This class keeps track of the file object representing and current positionin a file.'''def __init__(self):self.file = Noneself.pos = 0class ArchiveFile(object):'''File class support auto open when access member from file objectThis class is use to avoid file locking on windows'''def __init__(self, *args, **kwargs):self.args = argsself.kwargs = kwargsself._filePos = { }def local(self):"""Return an instance of FilePos for the current thread. This is a crude# re-implementation of threading.local, which isn't a built-in module# and therefore isn't available."""ti = thread.get_ident()if ti not in self._filePos:self._filePos[ti] = FilePos()return self._filePos[ti]def __getattr__(self, name):'''Make this class act like a file, by invoking most methods on itsunderlying file object.'''file = self.local().fileif not file:raise AssertionErrorreturn None(file, name)def __enter__(self):
Unsupported opcode: CALL_FUNCTION_EX'''Open file and seek to pos record from last close.'''fp = self.local()if fp.file:raise AssertionError# WARNING: Decompyle incompletedef __exit__(self, type, value, traceback):'''Close file and record pos.'''fp = self.local()if not fp.file:raise AssertionErrorfp.pos = None.file.tell()fp.file.close()fp.file = Noneclass ArchiveReadError(RuntimeError):passclass ArchiveReader(object):'''A base class for a repository of python code objects.The extract method is used by imputil.ArchiveImporterto get code objects by name (fully qualified name), soan enduser "import a.b" would becomeextract(\'a.__init__\')extract(\'a.b\')'''MAGIC = b'PYL\x00'HDRLEN = 12TOCPOS = 8os = None_bincache = Nonedef __init__(self, path, start = (None, 0)):
Unsupported opcode: WITH_CLEANUP_START'''Initialize an Archive. If path is omitted, it will be an empty Archive.'''self.toc = Noneself.path = pathself.start = startimport _frozen_importlibself.pymagic = _frozen_importlib._bootstrap_external.MAGIC_NUMBER# WARNING: Decompyle incompletedef loadtoc(self):'''Overridable.Default: After magic comes an int (4 byte native) giving theposition of the TOC within self.lib.Default: The TOC is a marshal-able string.'''self.lib.seek(self.start + self.TOCPOS)(offset,) = struct.unpack('!i', self.lib.read(4))self.lib.seek(self.start + offset)self.toc = dict(marshal.loads(self.lib.read()))def is_package(self, name):(ispkg, pos) = self.toc.get(name, (0, None))if pos is None:return Nonereturn None(ispkg)def extract(self, name):
Unsupported opcode: WITH_CLEANUP_START"""Get the object corresponding to name, or None.For use with imputil ArchiveImporter, object is a python code object.'name' is the name as specified in an 'import name'.'import a.b' will become:extract('a') (return None because 'a' is not a code object)extract('a.__init__') (return a code object)extract('a.b') (return a code object)Default implementation:self.toc is a dictself.toc[name] is posself.lib has the code object marshal-ed at pos"""(ispkg, pos) = self.toc.get(name, (0, None))if pos is None:return None# WARNING: Decompyle incompletedef contents(self):'''Return a list of the contentsDefault implementation assumes self.toc is a dict like object.Not required by ArchiveImporter.'''return list(self.toc.keys())def checkmagic(self):'''Overridable.Check to see if the file object self.lib actually has a filewe understand.'''self.lib.seek(self.start)if self.lib.read(len(self.MAGIC)) != self.MAGIC:raise ArchiveReadError('%s is not a valid %s archive file' % (self.path, self.__class__.__name__))if None.lib.read(len(self.pymagic)) != self.pymagic:raise ArchiveReadError('%s has version mismatch to dll' % self.path)None.lib.read(4)class Cipher(object):'''This class is used only to decrypt Python modules.'''def __init__(self):import pyimod00_crypto_keykey = pyimod00_crypto_key.keyif not type(key) is str:raise AssertionErrorif None(key) > CRYPT_BLOCK_SIZE:self.key = key[0:CRYPT_BLOCK_SIZE]else:self.key = key.zfill(CRYPT_BLOCK_SIZE)if not len(self.key) == CRYPT_BLOCK_SIZE:raise AssertionErrorimport tinyaesself._aesmod = tinyaesdel sys.modules['tinyaes']def __create_cipher(self, iv):return self._aesmod.AES(self.key.encode(), iv)def decrypt(self, data):cipher = self.__create_cipher(data[:CRYPT_BLOCK_SIZE])return cipher.CTR_xcrypt_buffer(data[CRYPT_BLOCK_SIZE:])class ZlibArchiveReader(ArchiveReader):'''ZlibArchive - an archive with compressed entries. 
Archive is readfrom the executable created by PyInstaller.This archive is used for bundling python modules inside the executable.NOTE: The whole ZlibArchive (PYZ) is compressed so it is not necessaryto compress single modules with zlib.'''MAGIC = b'PYZ\x00'TOCPOS = 8HDRLEN = ArchiveReader.HDRLEN + 5def __init__(self = None, path = None, offset = None):
Warning: Stack history is not empty!
Warning: block stack is not empty!if path is None:offset = 0elif offset is None:for i in range(len(path) - 1, -1, -1):if path[i] == '?':try:offset = int(path[i + 1:])except ValueError:continuepath = path[:i]breakoffset = 0super(ZlibArchiveReader, self).__init__(path, offset)try:import pyimod00_crypto_keyself.cipher = Cipher()except ImportError:self.cipher = Nonereturn Nonedef is_package(self, name):(typ, pos, length) = self.toc.get(name, (0, None, 0))if pos is None:return Nonereturn None in (PYZ_TYPE_PKG, PYZ_TYPE_NSPKG)def is_pep420_namespace_package(self, name):(typ, pos, length) = self.toc.get(name, (0, None, 0))if pos is None:return Nonereturn None == PYZ_TYPE_NSPKGdef extract(self, name):
Unsupported opcode: WITH_CLEANUP_START(typ, pos, length) = self.toc.get(name, (0, None, 0))if pos is None:return None# WARNING: Decompyle incomplete__classcell__ = None

写出解密脚本

from z3 import *
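import hashlib


def md5(s: bytes) -> str:
    """Return the lowercase hex MD5 digest of *s* (used only to format the flag)."""
    return hashlib.md5(s).hexdigest().lower()


# Coefficient matrix and right-hand sides of the 16 linear equations
# sum(co[i][j] * values[j]) == r[i].
co = [[158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 205, 113, 122],
      [234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 205, 198, 234, 162, 218],
      [164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 151, 193, 119, 226, 193],
      [213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 228, 100, 206, 218, 177],
      [217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 137, 171, 173, 206, 240],
      [160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 205, 177, 240, 194, 181],
      [183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 111, 191, 226, 154, 191],
      [247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 214, 195, 162, 214, 239],
      [108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 239, 131, 138, 161, 218],
      [140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 119, 122, 152, 186, 124],
      [105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 122, 202, 202, 190, 178],
      [183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 211, 196, 136, 158, 210],
      [224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 254, 117, 253, 100, 106],
      [251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 198, 208, 171, 151, 230],
      [143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 208, 185, 117, 189, 242],
      [234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 218, 209, 220, 158, 228]]
r = [472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361, 423332, 427624, 440268, 488759, 469049, 484574,
     480266, 522818]

s = Solver()
values = [Int('v%d' % i) for i in range(16)]
# One equation per matrix row.
for row, rhs in zip(co, r):
    s.add(sum(coef * var for coef, var in zip(row, values)) == rhs)
# Every unknown must be positive.
for var in values:
    s.add(var > 0)

# model() is only meaningful after a satisfiable check, so stop with a clear
# error instead of ignoring the result of check().
if s.check() != sat:
    raise RuntimeError("constraints are not satisfiable")
answer = s.model()
print(answer)
# [v13 = 103, v9 = 109, v12 = 152, v14 = 124, v10 = 244, v2 = 188, v0 = 113, v3 = 123, v15 = 165, v6 = 154, v7 = 241, v4 = 164, v8 = 163, v11 = 215, v1 = 201, v5 = 176]

# Concatenate the decimal values in index order v0..v15.
result = "".join(str(answer[each]) for each in values)
# 113201188123164176154241163109244215152103124165  (48 digits)
print('flag{ISEC-%s}' % md5(result.encode()))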

flag{ISEC-ca32ab6174689b5e366241ad58108c68}

11. [强网杯 2022]GameMaster

发现是C#

第二处,进行了一个 RijndaelManaged(实质就是AES) 的ECB加密,并且给出了KEY,

对此对数据进行提取

继续进行分析

这是主要的加密函数,对它进行分析后解出 flag 即可(看不懂的 C# 代码可以问 ChatGPT);前面的部分主要是通过本地环境变量提取出来的数据。
另外,C# 中的 ulong 是 64 位无符号整数,所以在用 z3 求解 x、y、z 时,把它们设为 64 位的 BitVec。

from z3 import *

s = Solver()
# 64-bit vectors, matching the width of the C# ulong registers.
x = BitVec('x', 64)
y = BitVec('y', 64)
z = BitVec('z', 64)
KeyStream = [101, 5, 80, 213, 163, 26, 59, 38, 19, 6, 173, 189, 198, 166, 140, 183,
             42, 247, 223, 24, 106, 20, 145, 37, 24, 7, 22, 191, 110, 179, 227, 5,
             62, 9, 13, 17, 65, 22, 37, 5]
arr2 = [BitVec(f'arr2{[i]}', 64) for i in range(len(KeyStream))]

# 320 steps: eight output bits are shifted into each of the 40 key-stream bytes.
# Note: z3's >> on bit-vectors is an arithmetic shift; only bit 0 of every
# shifted value is used below, so the result is the same as a logical shift.
for i in range(320):
    # Advance the three shift registers by one step each.
    fb_x = (x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1
    x = fb_x | x << 1
    fb_y = (y >> 30 ^ y >> 27) & 1
    y = fb_y | y << 1
    fb_z = (z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1
    z = fb_z | z << 1

    num = i // 8  # index of the key-stream byte currently being filled
    # Bit 32 of z selects the output: bit 30 of x when set, bit 31 of y otherwise.
    sel = z >> 32 & 1
    out_bit = (sel & (x >> 30 & 1)) ^ ((sel ^ 1) & (y >> 31 & 1))
    arr2[num] = (arr2[num] << 1) | (out_bit & 0xffffffff) & 0xff

# Every generated byte must equal the known key stream.
for expected, produced in zip(KeyStream, arr2):
    s.add(expected == produced)

if s.check() == sat:
    model = s.model()
    # print(model)
# Initial register values (presumably read from the solver model -- confirm).
x = 156324965
y = 868387187
z = 3131229747
L = [x, y, z]

# 12-byte key: the low 32 bits of each register, least-significant byte first.
arr4 = [(reg >> shift) & 255 for reg in L for shift in (0, 8, 16, 24)]

arr6 = [60, 100, 36, 86, 51, 251, 167, 108, 116, 245, 207, 223, 40, 103, 34, 62, 22, 251, 227]
# XOR the ciphertext with the repeating key.
for pos, byte in enumerate(arr6):
    arr6[pos] = byte ^ arr4[pos % len(arr4)]
print(bytes(arr6))

Y0u_@re_G3meM3s7er!

12. [NSSRound#4 SWPU]hide_and_seek

查壳,发现是linux系统

进入

判断前断点,然后再jz跳转处断点

修改完成后,可以直接运行到快结束的时候

然后进行搜索NSSCTF

NSSCTF{h1d3_0n_h34p}

方法二

可以浅显的猜测flag目前加密后的样子为

Q\x17SCTF{wud3_0n@,34p}

可以发现下标为0,1,7,8,14,15的位置可能进行了加密,一般猜测为异或。

发现相邻的两个数,

前面一个异或:Q^未知数=N,未知数= 31

后面一个异或:\x17^未知数=S,未知数=68

就得到结果:

NSSCTF{h1d3_0n_h34p}

13. [HNCTF 2022 WEEK3]Help_Me!

int __fastcall main(int argc, const char **argv, const char **envp)
{__int64 v3; // rbx__int64 v4; // r8__int64 v5; // rdxint v6; // ebxunsigned int v7; // esiunsigned int v8; // ediint v10; // [rsp+28h] [rbp-F0h]int v11; // [rsp+2Ch] [rbp-ECh]int v12[24]; // [rsp+30h] [rbp-E8h]int v13[34]; // [rsp+90h] [rbp-88h]v3 = 0i64;_main();puts("Welc0me T0 HNCTF!");puts("可怜的出踢人被繁重的作业压得喘不过气=_=!");puts("你能替他选择含金量高的作业保证他在不猝死的情况下获得最高的score嘛?");puts("以下是作业的含金量");v4 = 26i64;v12[0] = 26;v12[1] = 59;v12[2] = 30;v12[3] = 19;v12[4] = 66;v12[5] = 85;v12[6] = 94;v12[7] = 8;v12[8] = 3;v12[9] = 44;v12[20] = 0;v12[10] = 5;v12[11] = 1;v12[12] = 41;v12[13] = 82;v12[14] = 76;v12[15] = 1;v12[16] = 12;v12[17] = 81;v12[18] = 73;v12[19] = 32;v13[0] = 71;v13[1] = 34;v13[20] = 0;v13[2] = 82;v13[3] = 23;v13[4] = 1;v13[5] = 88;v13[6] = 12;v13[7] = 57;v13[8] = 10;v13[9] = 68;v13[10] = 5;v13[11] = 33;v13[12] = 37;v13[13] = 69;v13[14] = 98;v13[15] = 24;v13[16] = 26;v13[17] = 83;v13[18] = 16;v13[19] = 26;while ( 1 ){v5 = (unsigned int)v3++;printf("(%d).%d\n", v5, v4);if ( v3 == 20 )break;v4 = (unsigned int)v12[v3];}puts("你要选择几门课?");std::istream::operator>>(refptr__ZSt3cin);puts("你要哪几门课?");if ( v10 <= 0 ){v7 = 1;}else{v6 = 0;v7 = 1;v8 = 0;do{++v6;std::istream::operator>>(refptr__ZSt3cin);v8 += v13[v11];v7 *= v12[v11];}while ( v10 > v6 );if ( v8 > 0xC8 ){printf("And_1 已猝死==");exit(0);}}if ( (unsigned int)func(v7) )printf("\nOI佬!!  __Orz__");elseprintf("\nscore还能更高\n我可是很贪心的 =_=! ");return 0;
}

再跟进func(v7)

__int64 __fastcall func(int a1)
{int *v1; // raxint v2; // r8d__int64 result; // raxunsigned int i; // [rsp+20h] [rbp-28h] BYREFint v5[3]; // [rsp+24h] [rbp-24h] BYREFint v6; // [rsp+30h] [rbp-18h]_BYTE v7[20]; // [rsp+34h] [rbp-14h] BYREFv5[0] = -980807104;v5[1] = -976211644;v5[2] = -376040367;v6 = -191100812;v1 = v5;for ( i = a1 ^ 0xDFAC0F41; v1 != (int *)v7; *(v1 - 1) = a1 ^ v2 )v2 = *v1++;result = 0i64;if ( (_BYTE)i == 65 && (_BYTE)v6 == 116 ){printf("NSSCTF{%s}\n", (const char *)&i);return 1i64;}return result;
}

写出解密脚本

#include<bits/stdc++.h>
using namespace std;
// dp[i][j]: best total value using the first i courses with weight at most j.
int dp[21][201];
// Per-course value and weight tables copied from the decompiled main();
// index 20 is unused and stays 0.
int value[21] = {26, 59, 30, 19, 66, 85, 94, 8, 3, 44,
                 5, 1, 41, 82, 76, 1, 12, 81, 73, 32};
int weight[21] = {71, 34, 82, 23, 1, 88, 12, 57, 10, 68,
                  5, 33, 37, 69, 98, 24, 26, 83, 16, 26};

// 0/1 knapsack over 20 courses with capacity 200: print the best total value,
// then walk the table backwards to list the chosen course indexes.
int main()
{
    for (int item = 1; item <= 20; item++)
    {
        const int w = weight[item - 1];
        const int val = value[item - 1];
        for (int cap = 1; cap <= 200; cap++)
        {
            int best = dp[item - 1][cap];  // skip this course
            if (cap >= w)
                best = max(dp[item - 1][cap - w] + val, best);  // or take it
            dp[item][cap] = best;
        }
    }
    cout << "最大值为" << dp[20][200] << endl;

    int item = 20, cap = 200;
    int remaining = dp[20][200];
    int picked = 0;  // number of chosen courses
    cout << "选择的课程为:" << endl << endl;
    while (item)
    {
        // If the value changes when this course is dropped, it was chosen.
        if (remaining != dp[item - 1][cap])
        {
            cout << item - 1 << endl;
            picked++;
            remaining -= value[item - 1];
        }
        item--;
        // Shrink the capacity to the smallest one that still reaches the
        // remaining value with the courses left.
        for (int t = 0; t <= cap; t++)
        {
            if (remaining == dp[item][t])
            {
                cap = t;
                break;
            }
        }
    }
    cout << endl << "共" << picked << "门课" << endl;
}
//最大值为452
//选择的课程为:
//
//19
//18
//13
//12
//10
//6
//4
//1
//
//共8门课

NSSCTF{An_E@sy_DP#_Question}

14. [FSCTF 2023]Tea_apk

安卓反编译软件打开

直接锁定源码

发现经过了base64编码和xxtea加密

flag{pldCiQuCBtakT4ctlsZQ}

15.[AFCTF 2018]简单编码

源文本

flag = ''
f = open('flag.txt','r')
input = f.readline()
assert input.startswith('afctf{')
assert input.endswith('}')
flag = input[6:21]
f.close()
print input + flagdef enc1(word, i):word = ord(word) ^ 0x76 ^ 0xADtemp1 = (word & 0xAA) >> 1temp2 = 2 * word & 0xAAword = temp1 | temp2return worddef enc2(word, i):        word = ord(word) ^ 0x76 ^ 0xBEtemp1 = (word & 0xCC) >> 2temp2 = 4 * word & 0xCCword = temp1 | temp2return worddef enc3(word,i):word = ord(word) ^ 0x76 ^ 0xEFtemp1 = (word & 0xF0) >> 4temp2 = 16 * word & 0xF0word = temp1 | temp2return word output = ''for i in range(5):output += chr(enc1(flag[i],i))for i in range(5):output += chr(enc2(flag[i+5],i))for i in range(5):output += chr(enc3(flag[i+10],i))f = open('output','w')
f.write(output)
f.close()

写出解密脚本

#-*- coding:utf-8 -*-


def _swap_groups(word, mask, shift):
    """Swap neighbouring bit groups of width *shift* within the low byte.

    *mask* selects the upper group of every pair.
    """
    return ((word & mask) >> shift) | ((word << shift) & mask)


def enc1(word, i):
    """XOR the character with 0x76 and 0xAD, then swap adjacent bits (*i* is unused)."""
    return _swap_groups(ord(word) ^ 0x76 ^ 0xAD, 0xAA, 1)


def enc2(word, i):
    """XOR the character with 0x76 and 0xBE, then swap adjacent bit pairs (*i* is unused)."""
    return _swap_groups(ord(word) ^ 0x76 ^ 0xBE, 0xCC, 2)


def enc3(word, i):
    """XOR the character with 0x76 and 0xEF, then swap the two nibbles (*i* is unused)."""
    return _swap_groups(ord(word) ^ 0x76 ^ 0xEF, 0xF0, 4)


import string
# Ciphertext written by the challenge script; the first 15 bytes are used.
with open("output", 'rb') as f:
    sss = f.read()

# Each group of five bytes went through a different routine. Recover every
# byte by trying all printable characters and keeping those that encrypt to it.
flag = ""
for offset, enc in ((0, enc1), (5, enc2), (10, enc3)):
    for i in range(5):
        flag += "".join(s for s in string.printable if sss[offset + i] == enc(s, i))
print(flag)
