suctf逆向部分

自己真的菜，然后在网上找了一篇分析pyc反编译后的文件然后进行手撸opcode,过程真痛苦

http://www.wooy0ung.me/writeup/2017/10/11/0ctf-quals-2017-py/
   names ('ctypes', 'libnum', 'n2s', 's2n', 'binascii', 'b', 'key', 'aaaa', 'aa', 'aaaaa', 'aaa', 'aaaaaa', '__name__')从这我们看到程序的大概函数和变量
   ctypes libnum n2s s2n binascii  b key aaaa aa aaaaa aaa aaaaaa  __name__

查找了一下发现 ctypes 是python 访问c 的库

连接http://python3-cookbook.readthedocs.io/zh_CN/latest/c15/p01_access_ccode_using_ctypes.html

libnum 类似 用法参考以下链接

http://www.cnblogs.com/pcat/p/7225782.html

google 了一下发现这个

Very Hard RSA

http://bestwing.me/2016/09/10/Common%20types%20of%20RSA/

基本还原前四个的代码了

import ctypes

from libnum import n2s,s2n

至于binasciipython内置模块我这里不做阐述

然后就是 b key aaaa aa aaaaa aaa aaaaaa  '__name__'

开始猜测大概函数是这样

import ctypes

from libnum import n2s,s2n

def b():
     ...

def key():
     ...

def aaaa():
     ...

def aa():
     ...

def aaaaa():
     ...

def aaa():
     ...

def aaaaaa():
     ...

def main():
     ...

if '__name__==main()'
     main()

但是再回去分析发现导出都在传key所以key几乎不可能是一个函数而且b只在a.py处出现了一次，推测b可能是一个局部变量

现在有如下结构

import ctypes

from libnum import n2s,s2n

def aaaa():
     ...

def aa():
     ...

def aaaaa():
     ...

def aaa():
     ...

def aaaaaa():
     ...

def main():
     ...

if '__name__==main()'
     main()

这时候我们通过 names vernames和name 进行还原

import ctypes

from libnum import n2s,s2n

def aaaa():
     a=lambda a:b.hexhexlify(a)
    

def aa():
     a=cdll.LoadLibrary('./a') #https://blog.csdn.net/linda1000/article/details/12623527

def aaaaa():
     s2n(a)

def aaa():
     a=cdll.LoadLibrary('./a')

def aaaaaa():
     aaa(aaaa(key))

def main():
     aaaaaa()

if '__name__==main()'
     main()

发现似乎含有bug,使得freevars段还没使用，怎么办呢google http://kdr2.com/tech/main/1012-pyc-format.html

发现这是嵌套函数使用的，好了们明白了

import ctypes

from libnum import n2s,s2n

key=***

def aaaa(key):
     a=lambda a:b.hexhexlify(a)
     return ''.join(a[i] for i in key)

def aa(key):
     a=cdll.LoadLibrary('./a') #https://blog.csdn.net/linda1000/article/details/12623527
     a(key)

def aaaaa(a):
     s2n(a)

def aaa(key):
     a=cdll.LoadLibrary('./a')
     a(key)

def aaaaaa():
     aaa(aaaa(key))

def main():
     aaaaaa()

if '__name__==main()'
     main()

程序逻辑到这里差不多清晰了,但是b还有点模糊猜测是import模块引起的，于是在修改

import ctypes

from libnum import n2s,s2n

import binascii as b

key=***

def aaaa(key):
     a=lambda a:b.hexhexlify(a)
     return ''.join(a[i] for i in key)

def aa(key):
     a=cdll.LoadLibrary('./a') #https://blog.csdn.net/linda1000/article/details/12623527
     a(key)

def aaaaa(a):
     s2n(a)

def aaa(key):
     a=cdll.LoadLibrary('./a')
     a(key)

def aaaaaa():
     aaa(aaaa(key))

def main():
     aaaaaa()

if '__name__==main()'
     main()

这里基本就复现完成，下面我们在进行解密即可，参考大牛的技术进行后面的解密即可

void decrypt(char *k){
     FILE *fp1, *fp2;
     unsigned char key[256] = {0x00};
     unsigned char sbox[256] = {0x00};
     fp1 = fopen("code.txt","r");
     fp2 = fopen("decode.txt","w");
     DataEncrypt(k, key, sbox, fp1, fp2);

}

extern "C" 

{   
    void a(char *k){
        encrypt(k);
    }
    void aa(char *k){
        decrypt(k);
    }

}

解密时python调用c函数进行解密

from ctypes import *

from libnum import n2s,s2n

import binascii as b

#key="20182018"

def aaaa(key):
     a=lambda a:b.hexlify(a)
     return "".join(a(i) for i in key)

def aa(key): #jia mi
     a=cdll.LoadLibrary("./a").a
     a(key)

def aaaaa(a):
     return s2n(a)

def aaa(key): #jie mi
     a=cdll.LoadLibrary("./a").aa
     a(key)

def brup_key():
     i=20182000
     while i<100000000:
         aaa(aaaa(str(i)))
         data=open("flag.txt","r").read()
         if "SUCTF" in data:
             print i
             break
         i=i+1

def aaaaaa():
     # aa(aaaa(key))#jia mi
     # aaa(aaaa(key)) #jie mi
     brup_key()

if __name__=="__main__":
     aaaaaa()

key为20182018

参考文章安全客suctfwp链接：https://www.anquanke.com/post/id/146419