[复现]2021VNCTF-RE

notsudoku

一看图标就知道是python写的exe

​

先查壳，有upx壳

​

脱壳

​

正常的py逆向过程

​

恢复

​

pyc ->py

​

得到源码：

# uncompyle6 version 3.8.0
# Python bytecode 3.7.0 (3394)
# Decompiled from: Python 3.7.3 (v3.7.3:ef4ec6ed12, Mar 25 2019, 22:22:05) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: 2.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import time, sys, hashlib

class あ:

    def __init__(self):
        self.う = {}
        self.な = []
        self.に = ''
        self.ぬ = []
        self.ね = 65

    def え(self, えひ):

        def の(f):
            self.う[えひ] = f
            return f

        return の

    def お(self, は):
        return self.う.get(は)

    def か(self):
        き = 0
        while True:
            く = self.な[き][0]
            け = self.な[き][1]
            こ = self.な[き][2]
            さ = self.お(く)
            さ(け, こ)
            き += 1


い = あ()

@い.え('し')
def f(a, b):
    if a == 1:
        い.ぬ += b


@い.え('す')
def f(a, b):
    if a == 1:
        print(い.に)
    else:
        if a == 2:
            print(い.ぬ)
        else:
            if a == 3:
                print((い.flag), end='')
            else:
                print(a, end='')


@い.え('せ')
def f(a, b):
    sys.exit()


@い.え('そ')
def f(a, b):
    い.に = input()


@い.え('た')
def f(a, b):
    time.sleep(a)


@い.え('ち')
def f(a, b):
    if len(い.に) % 2 != 0:
        sys.exit()
    for i in い.に:
        if ord(i) > 52 or ord(i) < 48:
            sys.exit()

    x = str(hashlib.new('md5', bytes((い.に), encoding='utf8')).hexdigest())
    if x[:6] != 'e3a912':
        sys.exit()
    い.flag = x


@い.え('と')
def f(a, b):
    ふ = 0
    for i in range(0, len(い.に), 2):
        ふ += 1
        a = int(い.に[i])
        b = int(い.に[(i + 1)])
        い.ぬ[a][b] = ふ


@い.え('つ')
def f(a, b):
    if い.ぬ[0][1] != 24 or い.ぬ[4][3] != 2:
        sys.exit()
    if い.ぬ[0][2] != 1 or い.ぬ[2][3] != 20:
        sys.exit()
    if い.ぬ[1][0] != 23 or い.ぬ[3][4] != 3:
        sys.exit()


@い.え('て')
def f(a, b):
    ね = 0
    if b == -1:
        for i in range(5):
            ね += い.ぬ[a][i]

        if ね != い.ね:
            sys.exit()
    else:
        for i in range(5):
            ね += い.ぬ[i][b]

        if ね != い.ね:
            sys.exit()


い.な = [
 [
  'す', 'welcome baby~ ', 0],
 [
  'す', 'input your flag~:', 0],
 [
  'そ', 0, 0],
 [
  'す', 'your input is:', 0],
 [
  'す', 1, 0],
 [
  'す', "let's check......", 0],
 [
  'た', 0.5, 0],
 [
  'し', 1, [[0 for i in range(5)]]],
 [
  'し', 1, [[0 for i in range(5)]]],
 [
  'し', 1, [[0 for i in range(5)]]],
 [
  'し', 1, [[0 for i in range(5)]]],
 [
  'し', 1, [[0 for i in range(5)]]],
 [
  'ち', 0, 0],
 [
  'と', 0, 0],
 [
  'つ', 0, 0],
 [
  'て', 0, -1],
 [
  'て', 1, -1],
 [
  'て', 2, -1],
 [
  'て', 3, -1],
 [
  'て', 4, -1],
 [
  'て', 0, 0],
 [
  'て', 0, 1],
 [
  'て', 0, 2],
 [
  'て', 0, 3],
 [
  'て', 0, 4],
 [
  'す', 'Goodjob!', 0],
 [
  'す', 'The flag is vnctf{', 0],
 [
  'す', 3, 0],
 [
  'す', '}', 0],
 [
  'せ', 0, 0]]
い.か()
# okay decompiling 2.pyc

上面怎么还会有日语emmm，，晦气换成拼音叭

从这里差不多能够看出这个矩阵有5*5幻方的特征

​

l=[[17,24,1,8,15],
   [23,5,7,14,16],
   [4,6,13,20,22],
   [10,12,19,21,3],
   [11,18,25,2,9]]

幻方就是这样的幻方，那就把其转化成合适的形式

l=[[17,24,1,8,15],
   [23,5,7,14,16],
   [4,6,13,20,22],
   [10,12,19,21,3],
   [11,18,25,2,9]]
flag=""
for i in range(1,26):
    for row in range(5):
        try:
            flag+=str(row)+str(l[row].index(i))
        except:
            pass
print(flag)

​

就去原始的exe验证

​