Qiwi CTF 2016 – Reverse_100_2

Task:

I have a snake. CrackMe!

I downloaded the given file, task.pyc, which is a compiled Python file.

So I tried to decompile task.pyc using uncompyle2; after cleaning up the code, we get:


import marshal
src = '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'.decode('base64')
code = marshal.loads(src)
exec code

Change exec to print, so the unmarshalled code object is printed instead of executed:


import marshal
src = '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'.decode('base64')
code = marshal.loads(src)
print code

After modifying the code, save it to a new file, for example task_uncompyle.py.

After that, I wrote a Python script to disassemble task_uncompyle.py and read what the code does.


Disassembly of code:
3 0 LOAD_CONST 1 ('')
3 LOAD_ATTR 0 (join)
6 BUILD_LIST 0
9 LOAD_CONST 2 ('^')
12 LOAD_CONST 3 ('4')
15 LOAD_CONST 4 ('K')
18 LOAD_CONST 5 ('i')
21 LOAD_CONST 6 ('.')
24 LOAD_CONST 7 ('/')
27 LOAD_CONST 8 ('N')
30 LOAD_CONST 9 ('j')
33 LOAD_CONST 10 ('P')
36 LOAD_CONST 11 ('o')
39 LOAD_CONST 12 ('?')
42 LOAD_CONST 13 ('l')
45 LOAD_CONST 14 ('2')
48 LOAD_CONST 15 ('T')
51 LOAD_CONST 12 ('?')
54 BUILD_LIST 15
57 GET_ITER
>> 58 FOR_ITER 28 (to 89)
61 STORE_FAST 0 (e)
64 LOAD_GLOBAL 1 (chr)
67 LOAD_GLOBAL 2 (ord)
70 LOAD_FAST 0 (e)
73 CALL_FUNCTION 1
76 LOAD_CONST 16 (3)
79 BINARY_ADD
80 CALL_FUNCTION 1
83 LIST_APPEND 2
86 JUMP_ABSOLUTE 58
>> 89 CALL_FUNCTION 1
92 STORE_FAST 1 (tmp)

4 95 LOAD_GLOBAL 3 (raw_input)
98 LOAD_CONST 17 ('You pass:')
101 CALL_FUNCTION 1
104 STORE_FAST 2 (passwd)

5 107 LOAD_FAST 2 (passwd)
110 LOAD_FAST 1 (tmp)
113 COMPARE_OP 2 (==)
116 POP_JUMP_IF_FALSE 230

6 119 LOAD_CONST 1 ('')
122 LOAD_ATTR 0 (join)
125 BUILD_LIST 0
128 LOAD_CONST 18 ('s')
131 LOAD_CONST 19 ('y')
134 LOAD_CONST 20 ('n')
137 LOAD_CONST 21 ('t')
140 LOAD_CONST 22 (':')
143 LOAD_CONST 23 ('{')
146 LOAD_CONST 24 ('w')
149 LOAD_CONST 25 ('q')
152 LOAD_CONST 26 ('E')
155 LOAD_CONST 27 ('6')
158 LOAD_CONST 28 ('f')
161 LOAD_CONST 29 ('X')
164 LOAD_CONST 30 ('u')
167 LOAD_CONST 11 ('o')
170 LOAD_CONST 28 ('f')
173 LOAD_CONST 31 ('a')
176 LOAD_CONST 3 ('4')
179 LOAD_CONST 29 ('X')
182 LOAD_CONST 8 ('N')
185 LOAD_CONST 30 ('u')
188 LOAD_CONST 32 ('1')
191 LOAD_CONST 33 ('}')
194 BUILD_LIST 22
197 GET_ITER
>> 198 FOR_ITER 21 (to 222)
201 STORE_FAST 0 (e)
204 LOAD_FAST 0 (e)
207 LOAD_ATTR 4 (decode)
210 LOAD_CONST 34 ('ROT13')
213 CALL_FUNCTION 1
216 LIST_APPEND 2
219 JUMP_ABSOLUTE 198
>> 222 CALL_FUNCTION 1
225 PRINT_ITEM
226 PRINT_NEWLINE
227 JUMP_FORWARD 5 (to 235)

7 >> 230 LOAD_CONST 35 ('No :(')
233 PRINT_ITEM
234 PRINT_NEWLINE
>> 235 LOAD_CONST 0 (None)
238 RETURN_VALUE

There is something interesting at lines 49 to 70: synt:{wqE6fXuofa4XNu1}

The clue at line 77 tells me that it is ROT13 encryption.

So I decoded it using ROT13 in the Python CLI:

>>> "synt:{wqE6fXuofa4XNu1}".decode("rot13")

Finally, I found the flag: flag:{jdR6sKhbsn4KAh1}
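The logic shown in the disassembly, rewritten by hand as Python 3 source. This is an added example, not the original task code: the function and constant names are chosen here, and codecs.decode stands in for the Python 2 str.decode('ROT13') call. It also derives the password that the comparison at offsets 107-116 expects, which the ROT13 shortcut above skips.

```python
import codecs

# Constants copied from the disassembly above (offsets 9-51 and 128-191).
PASS_CONSTS = ['^', '4', 'K', 'i', '.', '/', 'N', 'j', 'P', 'o', '?', 'l', '2', 'T', '?']
FLAG_CONSTS = ['s', 'y', 'n', 't', ':', '{', 'w', 'q', 'E', '6', 'f', 'X', 'u',
               'o', 'f', 'a', '4', 'X', 'N', 'u', '1', '}']


def recover_password():
    # Offsets 58-86: chr(ord(e) + 3) for every constant, then ''.join(...)
    return ''.join(chr(ord(e) + 3) for e in PASS_CONSTS)


def recover_flag():
    # Offsets 198-219: e.decode('ROT13') on each character (Python 2 str codec);
    # codecs.decode(e, 'rot_13') is the Python 3 equivalent.
    return ''.join(codecs.decode(e, 'rot_13') for e in FLAG_CONSTS)


def check(passwd):
    # Offsets 107-116: COMPARE_OP ==, then POP_JUMP_IF_FALSE to the 'No :(' branch
    if passwd == recover_password():
        return recover_flag()
    return 'No :('


if __name__ == '__main__':
    pw = recover_password()
    print('password:', pw)
    print('output  :', check(pw))
    print('wrong   :', check('guess'))
```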

 

Source:  My Github
