banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

pyc反編譯實例

image

pyc 類型的反編譯有時需要修改文件頭,出題人會在文件頭部進行修改,反編譯代碼後,需要分析並編寫源代碼獲取 flag。

文件頭#

python 文件頭格式:

MAGIC_1_0 = 0x00999902,
MAGIC_1_1 = 0x00999903,
MAGIC_1_3 = 0x0A0D2E89,
MAGIC_1_4 = 0x0A0D1704,
MAGIC_1_5 = 0x0A0D4E99,
MAGIC_1_6 = 0x0A0DC4FC,

MAGIC_2_0 = 0x0A0DC687,
MAGIC_2_1 = 0x0A0DEB2A,
MAGIC_2_2 = 0x0A0DED2D,
MAGIC_2_3 = 0x0A0DF23B,
MAGIC_2_4 = 0x0A0DF26D,
MAGIC_2_5 = 0x0A0DF2B3,
MAGIC_2_6 = 0x0A0DF2D1,
MAGIC_2_7 = 0x0A0DF303,

MAGIC_3_0 = 0x0A0D0C3A,
MAGIC_3_1 = 0x0A0D0C4E,
MAGIC_3_2 = 0x0A0D0C6C,
MAGIC_3_3 = 0x0A0D0C9E,
MAGIC_3_4 = 0x0A0D0CEE,
MAGIC_3_5 = 0x0A0D0D16,
MAGIC_3_5_3 = 0x0A0D0D17,
MAGIC_3_6 = 0x0A0D0D33,
MAGIC_3_7 = 0x0A0D0D42,
MAGIC_3_8 = 0x0A0D0D55,
MAGIC_3_9 = 0x0A0D0D61,

如何生成一個 pyc 文件

python 代碼如下 (文件名:pyc.py):

name = input("What is your name? ")
print(f"Hi, {name}!")

通過如下命令生成:

python3 -m py_compile pyc.py

image.png

3.9 的文件頭如下,也就是0x0A0D0D61

image.png

ctf 中的題目如果涉及到 pyc 的逆向,大部分都是需要反編譯 pyc 文件,還原成 python 代碼,再進行分析。

工具#

pyc 反編譯工具有在線和離線兩種工具

1、在線 pyc,pyo 反編譯 python 反編譯

http://tools.bugscaner.com/decompyle/

https://tool.lu/pyc/

2、離線工具有uncompyle6Easy Python Decompiler

uncompyle6是一個用於將已編譯 Python 程序(即 .pyc 文件)反編譯成其原始源代碼的 Python 庫和工具,支持 1.0-3.8 的 python 版本。

項目地址:GitHub - rocky/python-uncompyle6: A cross-version Python bytecode decompiler

Easy Python Decompiler也是一款 Python 字節碼反編譯器,可以反編譯 pyc 和 pyo 文件,支持 1.0-3.4 的 python 版本。

下載地址:Easy Python Decompiler download | SourceForge.net

實例#

下載後的 pyc 文件名,從文件名可以大概推測是 python3.7 版本。

image.png

通過 16 進制編輯器打開,明顯文件頭部被修改了,拿一個正常的 python3.7 的 pyc 文件對比。

image.png

正常的 python 3.7 pyc 的文件頭內容如下圖所示:

image.png

修改後內容如下:

image.png

還原代碼

uncompyle6 game.cpython-37.pyc > main.py

還原後的 python 代碼如下:

# uncompyle6 version 3.9.0
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.9.12 (main, Mar 26 2022, 15:44:31) 
# [Clang 13.1.6 (clang-1316.0.21.2)]
# Embedded file name: game.py
# Compiled at: 2020-02-02 19:15:47
# Size of source mod 2**32: 12 bytes
"""貪吃蛇"""
import random, sys, time, pygame
from pygame.locals import *
from collections import deque
SCREEN_WIDTH = 600
SCREEN_HEIGHT = 480
SIZE = 20
LINE_WIDTH = 1
SCOPE_X = (
 0, SCREEN_WIDTH // SIZE - 1)
SCOPE_Y = (2, SCREEN_HEIGHT // SIZE - 1)
FOOD_STYLE_LIST = [
 (10, (255, 100, 100)), (20, (100, 255, 100)), (30, (100, 100, 255))]
LIGHT = (100, 100, 100)
DARK = (200, 200, 200)
BLACK = (0, 0, 0)
RED = (200, 30, 30)
BGCOLOR = (40, 40, 60)

def print_text(screen, font, x, y, text, fcolor=(255, 255, 255)):
    imgText = font.render(text, True, fcolor)
    screen.blit(imgText, (x, y))


def init_snake():
    snake = deque()
    snake.append((2, SCOPE_Y[0]))
    snake.append((1, SCOPE_Y[0]))
    snake.append((0, SCOPE_Y[0]))
    return snake


def create_food(snake):
    food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
    food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])
    while (food_x, food_y) in snake:
        food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
        food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])

    return (
     food_x, food_y)


def get_food_style():
    return FOOD_STYLE_LIST[random.randint(0, 2)]


def main():
    pygame.init()
    screen = pygame.display.set_mode((SCREEN_WIDTH, SCREEN_HEIGHT))
    pygame.display.set_caption('貪吃蛇')
    font1 = pygame.font.SysFont('SimHei', 24)
    font2 = pygame.font.Font(None, 72)
    fwidth, fheight = font2.size('GAME OVER')
    b = True
    snake = init_snake()
    food = create_food(snake)
    food_style = get_food_style()
    pos = (1, 0)
    game_over = True
    start = False
    score = 0
    orispeed = 0.5
    speed = orispeed
    last_move_time = None
    pause = False
    while 1:
        for event in pygame.event.get():
            if event.type == QUIT:
                sys.exit()

        screen.fill(BGCOLOR)
        for x in range(SIZE, SCREEN_WIDTH, SIZE):
            pygame.draw.line(screen, BLACK, (x, SCOPE_Y[0] * SIZE), (x, SCREEN_HEIGHT), LINE_WIDTH)

        for y in range(SCOPE_Y[0] * SIZE, SCREEN_HEIGHT, SIZE):
            pygame.draw.line(screen, BLACK, (0, y), (SCREEN_WIDTH, y), LINE_WIDTH)

        curTime = game_over or time.time()
        if curTime - last_move_time > speed and not pause:
            b = True
            last_move_time = curTime
            next_s = (snake[0][0] + pos[0], snake[0][1] + pos[1])
            if next_s == food:
                snake.appendleft(next_s)
                score += food_style[0]
                speed = orispeed - 0.03 * (score // 100)
                food = create_food(snake)
                food_style = get_food_style()
            else:
                if SCOPE_X[0] <= next_s[0] <= SCOPE_X[1]:
                    if SCOPE_Y[0] <= next_s[1] <= SCOPE_Y[1]:
                        if next_s not in snake:
                            snake.appendleft(next_s)
                            snake.pop()
                        else:
                            game_over = True
                    if not game_over:
                        pygame.draw.rect(screen, food_style[1], (food[0] * SIZE, food[1] * SIZE, SIZE, SIZE), 0)
                    for s in snake:
                        pygame.draw.rect(screen, DARK, (s[0] * SIZE + LINE_WIDTH, s[1] * SIZE + LINE_WIDTH,
                         SIZE - LINE_WIDTH * 2, SIZE - LINE_WIDTH * 2), 0)

                    print_text(screen, font1, 30, 7, f"速度: {score // 100}")
                    print_text(screen, font1, 450, 7, f"得分: {score}")
                    if score > 1000:
                        flag = [
                         30, 196, 
                         52, 252, 49, 220, 7, 243, 
                         3, 241, 24, 224, 40, 230, 
                         25, 251, 28, 233, 40, 237, 
                         4, 225, 4, 215, 40, 231, 
                         22, 237, 14, 251, 10, 169]
                        for i in range(0, len(flag), 2):
                            flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119

                        print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, bytes(flag).decode(), RED)
                        pygame.display.update()
                    if game_over:
                        if start:
                            print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, 'GAME OVER', RED)
                pygame.display.update()


if __name__ == '__main__':
    main()
# okay decompiling game.cpython-37.pyc

通過對 python 文件進行分析,這是一個遊戲,遊玩分數大於 1000 分就能獲取 flag,關鍵代碼如下:

if score > 1000:
	flag = [
	 30, 196, 
	 52, 252, 49, 220, 7, 243, 
	 3, 241, 24, 224, 40, 230, 
	 25, 251, 28, 233, 40, 237, 
	 4, 225, 4, 215, 40, 231, 
	 22, 237, 14, 251, 10, 169]
	for i in range(0, len(flag), 2):
		flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119

編寫代碼獲取 flag

flag = [30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230, 25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169]

for i in range(0, len(flag), 2):
	flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119
result = ""

for i in range(0, len(flag), 2):
	char = chr(flag[i]) + chr(flag[i + 1])
	result += char

print(result) //獲取flag LitCTF{python_snake_is_so_easy!}

圖片來自:https://wallhaven.cc/w/1pdg63

載入中......
此文章數據所有權由區塊鏈加密技術和智能合約保障僅歸創作者所有。