python的虚拟机
下载下来是个pyc文件,这并不难,在网上在线反编译一下就行。反编译后看到一堆乱码,但其实并不乱,显然是用utf-8字符作的变量名,把它们一个个替换成别的名字就好了。据说有人打算用汉字写程序,估计结果和这个差不多,写完就变成密码了。
既然是个VM,就把指令一个个替换成可读的名字再看,原来的乱码太丑了。
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6
#
# NOTE(review): this listing is decompiler output that the page collapsed onto
# one line. Line breaks and nesting below are reconstructed from the syntax;
# the code itself is left exactly as published, including the places where the
# page lost characters (each one is flagged where it occurs).
def fun(val):
    """Interpret the instruction list *val* on a small register machine.

    Every entry of ``val`` is a list: element 0 is the opcode string (matched
    after ``.lower()``), the remaining elements are its operands. The loop
    ends when the opcode at ``idx`` equals the halt string tested in the
    ``while`` condition.

    State kept by the interpreter:
      * ``data1`` - 16 slots, used as the working registers.
      * ``data2`` - 100 slots, used as a second store.
      * ``s1``    - a list used as a stack of instruction indices.

    The readable opcode names appear to be labels the writeup author
    substituted for the original non-ASCII strings; two opcodes still show
    their escaped byte form.
    """
    idx = 0
    # Identifier lost in extraction; nothing in the visible code reads it.
    ? = 0
    data1 = [0] * 16
    data2 = [0] * 100
    s1 = []
    while val[idx][0] != '\xeb\x93\x83':
        cmd = val[idx][0].lower()
        arg = val[idx][1:]
        # --- three-operand arithmetic: data1[a0] = data1[a1] <op> data1[a2] ---
        # NOTE(review): the operator is missing here and in the opcode label;
        # presumably '+', which the page seems to have turned into a space
        # (the program comments below compute 120 and 15 into 135).
        if cmd == 'd1_0=1 2':
            data1[arg[0]] = data1[arg[1]] data1[arg[2]]
        elif cmd == 'd1_0=1^2':
            data1[arg[0]] = data1[arg[1]] ^ data1[arg[2]]
        elif cmd == 'd1_0=1-2':
            data1[arg[0]] = data1[arg[1]] - data1[arg[2]]
        elif cmd == 'd1_0=1*2':
            data1[arg[0]] = data1[arg[1]] * data1[arg[2]]
        elif cmd == 'd1_0=1/2':
            # True division under Python 3, so the result is a float.
            data1[arg[0]] = data1[arg[1]] / data1[arg[2]]
        elif cmd == 'd1_0=1&2':
            data1[arg[0]] = data1[arg[1]] & data1[arg[2]]
        elif cmd == 'd1_0=1|2':
            data1[arg[0]] = data1[arg[1]] | data1[arg[2]]
        # --- moves and loads ---
        elif cmd == 'd1_0=d1_0':
            # Self-assignment: a no-op as written.
            data1[arg[0]] = data1[arg[0]]
        elif cmd == 'd1_0=d1_1':
            data1[arg[0]] = data1[arg[1]]
        elif cmd == 'set_d1':
            # Load an immediate (number or string) into a register.
            data1[arg[0]] = arg[1]
        elif cmd == 'd2_0=d1_1':
            data2[arg[0]] = data1[arg[1]]
        elif cmd == 'd1_0=d2_1':
            data1[arg[0]] = data2[arg[1]]
        elif cmd == 'd1_0=n':
            data1[arg[0]] = 0
        elif cmd == 'd2_0=n0':
            data2[arg[0]] = 0
        # --- console I/O; the prompt text is taken from data1[a1] ---
        elif cmd == 'd1_0=input':
            data1[arg[0]] = input(data1[arg[1]])
        elif cmd == 'd2_0=input':
            data2[arg[0]] = input(data1[arg[1]])
        elif cmd == 'print_d1_0':
            print(data1[arg[0]])
        elif cmd == 'print_d2_0':
            print(data2[arg[0]])
        # --- unconditional jumps (no `continue`, so the trailing idx
        #     statement of the loop still runs afterwards) ---
        elif cmd == 'jmp_d1_0':
            idx = data1[arg[0]]
        elif cmd == 'jmp_d2_0':
            idx = data2[arg[0]]
        elif cmd == 'jmp_s1_pop':
            idx = s1.pop()
        # --- conditional jump family: set idx, push it on s1, skip the
        #     trailing idx statement via `continue` ---
        # NOTE(review): `or` in these conditions looks like a decompiler
        # artefact - the last branch of the family uses `and`. As written,
        # any opcode that reaches this test with data1[a1] > data1[a2] would
        # take the branch. Confirm against the bytecode.
        elif cmd == '\xeb\xaf\x83' or data1[arg[1]] > data1[arg[2]]:
            idx = arg[0]
            s1.append(idx)
            continue
        # Comparison opcode; its original name was not recovered.
        # NOTE(review): `len(data1[arg)` is unbalanced as published,
        # presumably len(data1[arg[0]]). The nesting of the three statements
        # under the `if` is inferred, the page lost the indentation.
        elif cmd == '????':
            data1[7] = 0
            for i in range(len(data1[arg):
                # Compares the two registers as whole values on every pass;
                # `i` is not used in the test.
                if data1[arg[0]] != data1[arg[1]]:
                    data1[7] = 1
                    idx = data1[arg[2]]
                    s1.append(idx)
        # --- per-character string transforms on data1[a0] ---
        # NOTE(review): as published `s2 = chr(...)` overwrites s2 on each
        # pass; presumably `s2 += chr(...)` with the '+' lost like elsewhere.
        # The same unbalanced `len(data1[arg)` appears in both loops.
        elif cmd == 'd1_0[] ^=d_1':
            s2 = ''
            for i in range(len(data1[arg):
                s2 = chr(ord(data1[arg[0]][i]) ^ data1[arg[1]])
            data1[arg[0]] = s2
        elif cmd == 'd1_0[] -=d_1':
            s2 = ''
            for i in range(len(data1[arg):
                s2 = chr(ord(data1[arg[0]][i]) - data1[arg[1]])
            data1[arg[0]] = s2
        # --- remaining conditional jumps (same `or` caveat as above) ---
        elif cmd == 'push,jmp d1_0' or data1[arg[1]] > data1[arg[2]]:
            idx = data1[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d2_0' or data1[arg[1]] > data1[arg[2]]:
            idx = data2[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp 0' or data1[arg[1]] == data1[arg[2]]:
            idx = arg[0]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d1_0_2' or data1[arg[1]] == data1[arg[2]]:
            idx = data1[arg[0]]
            s1.append(idx)
            continue
        elif cmd == 'push,jmp d2_0_2' and data1[arg[1]] == data1[arg[2]]:
            idx = data2[arg[0]]
            s1.append(idx)
            continue
        # NOTE(review): presumably `idx += 1` (advance to the next
        # instruction); as published it resets idx to 1 after every
        # instruction that does not `continue`.
        idx = 1


# The program fed to the interpreter. The trailing comments trace the register
# contents (d1 = data1, d2 = data2).
# NOTE: the token check is a per-character XOR followed by a subtraction, and
# both constants (135, 15) as well as the expected string in d1[6] are literals
# in this program, so the transform can be inverted offline without running it.
fun([
    ['set_d1',0,'Authentication token: '],
    ['d2_0=input',0,0],        #d2[0] = input('Authentication token: ')
    #d1[6] = ... (the expected, already transformed string; the author elided
    # several hundred characters at the marker on the next line)
    ['set_d1',6,...这里省略几百字...],
    ['set_d1',2,120],          #d1[2] = 120
    ['set_d1',4,15],           #d1[4] = 15
    ['set_d1',3,1],            #d1[3] = 1
    # NOTE(review): the next two entries are garbled on the page (closing
    # quote lost, operands replaced by CJK numerals). Going by their trailing
    # comments the operands are presumably 2,2,3 and 2,2,4.
    ['d1_0=1*二、二、二、三、 #d1[2] = d1[2]*d1[3] = 120
    ['d1_0=1 二、二、二、四、 #d1[2] = d1[2] d1[4] = 135  (operator lost; 120 and 15 give 135)
    ['d1_0=d1_0',0,2],
    ['d1_0=n',3],              #d1[3] = 0
    ['d1_0[] ^=d_1',6,3],      #d1[6] ^= d1[3]  unchanged, XOR with 0
    ['set_d1',0,'Thanks.'],    #d1[0] = 'Thanks.'
    ['set_d1',1,'Authorizing access...'], #d1[1] = 'Authorizing access...'
    ['print_d1_0',0],          #print(Thanks)
    ['d1_0=d2_1',0,0],         #d1[0] = d2[0]  the flag typed by the user
    ['d1_0[] ^=d_1',0,2],      #d1[0]^= d1[2]  135
    ['d1_0[] -=d_1',0,4],      #d1[0]-= d1[4]  15
    ['set_d1',5,19],           #d1[5] = 19
    # NOTE(review): closing quote and bracket lost on the page; operands 0,6,5
    # make this the comparison of d1[0] with d1[6], with d1[5] as jump target.
    ['????,0,6,5,              # ??? meaning unclear to the author
    ['print_d1_0',1],          #print('Authorizing access...')
    ['\xeb\x93\x83'],
    ['set_d1',1,'Access denied!'],
    ['print_d1_0',1],
    ['\xeb\x93\x83']])
转换之后就比较好理解了:输入的flag会先^135再-15,后面是一条没看明白的比较指令,以及报错和成功的输出提示。估计就是把 (flag^135)-15 的结果和那一大串比较。可是直接逆运算出来的结果是乱码。后来想到既然变量名都是utf8串,那一大串估计也是utf8编码,所以先按utf8解码再处理。
# Invert the VM's two string passes in reverse order. The VM applies
# (ord(c) ^ 135) - 15 to each input character, so the inverse is
# (ord(c) + 15) ^ 135.
#
# The constant must be decoded as UTF-8 before the arithmetic: for printable
# ASCII input, XOR with 135 (0x87) sets bit 7 and the result stays above 0x7F
# after subtracting 15, so every expected character lies in U+0080-U+00FF and
# takes two bytes in UTF-8. Working on the raw bytes would treat each half of
# such a pair as a separate character.
a = b'\xc3\xa1\xc3\x97\xc3\xa4......'  # expected string from the VM program, truncated by the author
text = a.decode('utf-8')
print(''.join(chr((ord(ch) + 15) ^ 135) for ch in text))
#watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}
#flag{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}
不过有一点确实没想明白:UTF-8处理ASCII码理论上是不会出来多字节的。(其实被比较的那一串并不是ASCII:可打印的ASCII字符^135之后最高位被置1,再减15仍然大于127,落在U+0080–U+00FF之间,用UTF-8编码时每个字符正好占两个字节。)