
碎碎念

帮忙做了一个re题,题目挺简单的,是python 的exe解包,做了还是写写吧hhh

python exe解包

首先利用pyinstxtractor脚本将.exe文件转为.pyc文件,指令格式为

python pyinstxtractor.py  exe文件名称

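执行完成之后会生成一个 xxx_extracted 文件夹。PyInstaller 打包时会去掉入口脚本的 .pyc 文件头,所以反编译之前要先补头:把 struct 文件中 E3 之前的字节(0xE3 是 marshal 序列化的 code 对象的起始字节,它之前的部分就是 .pyc 文件头)复制到想要反编译的文件开头。这道题需要反编译的文件是 snake(补头前后的对比截图:before.png、after.png)。补完头部信息之后可以用 uncompyle6 反编译:

uncompyle6 snake.pyc > snake.py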

# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.8.3 (default, Jul  2 2020, 17:30:36) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: snake.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import hashlib, sys, random, time
# Maze template: 12x12 grid. Cells that are 0 here are turned into values
# above 1234 by the generation loop further down (i.e. walls); non-zero cells
# stay walkable; the 9 at [11][11] is the exit the walk is checked against.
maze = [
 [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
 [1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0],
 [0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0],
 [0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0],
 [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0],
 [0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0],
 [0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0],
 [0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
 [0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0],
 [0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0],
 [0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0],
 [0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 9]]
# The user-supplied move string (w/a/s/d), validated after the maze is built.
s = str(input())
# The PRNG is seeded from the wall clock and then re-seeded from one of its
# own outputs, so the four draws below differ from run to run.
seed = time.time()
random.seed(seed)
random.seed(random.randint(0, 999999))
# Four "key" cells. Whatever the seed was, each one can only take a value from
# a small inclusive range (14, 12, 10 and 24 candidates respectively), so the
# whole starting state has at most 14 * 12 * 10 * 24 = 40320 possibilities.
# Note that maze[7][7] is 0 in the template and becomes walkable here.
maze[1][1] = random.randint(987, 1000)
maze[3][4] = random.randint(345, 356)
maze[7][7] = random.randint(107, 116)
maze[11][8] = random.randint(833, 856)
# Rewrite every cell of the 12x12 grid in row-major order.
#   * A cell that is still 0 becomes 3456 + tmp, i.e. a value above the 1234
#     limit that the walk check uses, so it acts as a wall.
#   * Any other cell is replaced by a PRNG draw: the generator is re-seeded
#     from one of the four key cells (selected by tmp % 4), tmp draws are
#     discarded, and the next draw is stored.
# The key cells are themselves non-zero, so they are overwritten when the loop
# reaches them ((1,1) at tmp=13, (3,4) at tmp=40, (7,7) at tmp=91, (11,8) at
# tmp=140); cells visited afterwards are seeded from the regenerated value.
# The result is still a pure function of the four initial key values.
for i in range(12):
  for j in range(12):
      # Linear index of the cell; also the number of draws skipped below.
      tmp = 12 * i + j
      if maze[i][j] == 0:
          maze[i][j] = 3456 + tmp
          continue
      if tmp % 4 == 0:
          random.seed(maze[1][1])
          for cnt in range(tmp):
              random.randint(0, 999)

          maze[i][j] = random.randint(0, 999)
      elif tmp % 4 == 1:
          random.seed(maze[3][4])
          for cnt in range(tmp):
              random.randint(555, 1234)

          maze[i][j] = random.randint(555, 1234)
      elif tmp % 4 == 2:
          random.seed(maze[7][7])
          for cnt in range(tmp):
              random.randint(777, 888)

          maze[i][j] = random.randint(777, 888)
      elif tmp % 4 == 3:
          random.seed(maze[11][8])
          for cnt in range(tmp):
              random.randint(369, 777)

          maze[i][j] = random.randint(369, 777)

# The exit cell was regenerated by the loop as well; restore its marker.
maze[11][11] = 9
# The move string must be exactly 56 characters long.
if len(s) != 56:
  sys.exit(-1)
# Current position: idx1 is the row, idx2 the column; the walk starts at (0, 0).
idx1 = 0
idx2 = 0
for i in s:
  # w/s move up/down a row, a/d move left/right a column. Any other character
  # leaves the position unchanged but still counts towards the 56 characters.
  if i == 'w':
      idx1 -= 1
  else:
      if i == 's':
          idx1 += 1
      else:
          if i == 'a':
              idx2 -= 1
          else:
              if i == 'd':
                  idx2 += 1
  # A cell is walkable when its value is within 0..1234 (walls are 3456+).
  # There is no explicit bounds check: a negative index wraps around to the
  # other side of the list, and an index of 12 or more raises IndexError.
  if not 0 <= maze[idx1][idx2] <= 1234:
      print('Where are you going?')
      sys.exit(2)

# Not ending on the exit cell only prints a message; execution continues.
if maze[idx1][idx2] != 9:
  print('You lost in the maze!')
# Serialise the generated maze as the concatenation of every cell's decimal
# representation (row-major, no separators) and hash it.
result = ''
for xx in maze:
  for xxx in xx:
      result += str(xxx)

hash_res = hashlib.sha256(result.encode('latin-1')).hexdigest()
print(hash_res)
# The flag is only printed when this run's random key cells happened to produce
# the one expected maze, so it depends on both the PRNG state and the input.
if hash_res == 'f1793dcf5ad3858512b944ac34413725a27c63e25618858231e88b9686466b00':
  # These four cells are read AFTER the generation loop has overwritten them,
  # so flag1 is built from the regenerated values, not the initial random ones.
  flag1 = str(maze[1][1]) + str(maze[7][7]) + str(maze[11][8]) + str(maze[3][4])
  # Hash of the 56-character move string.
  flag2 = hashlib.sha256(s.encode('latin-1')).hexdigest()
  flag = flag2[::-1] + flag1[::-1]
  final_flag = hashlib.sha256(flag.encode('latin-1')).hexdigest()
  print('flag{' + final_flag[0:32] + '}')
# okay decompiling snake.pyc

逆向

从文件逻辑可以看出来,这道题需要走迷宫,并且要爆破这个迷宫(因为程序校验了迷宫的 sha256 值)。爆破迷宫只需要爆破 maze[1][1]、maze[3][4]、maze[7][7]、maze[11][8] 的初始值就可以了:每个非 0 格子的值都是以这四个格子当时的值为种子生成的随机数,所以这几个初始值确定了以后整个迷宫就确定了,一共只有 14×12×10×24 = 40320 种组合。

爆破迷宫

import hashlib, sys, random, time
flag = 0
for a in range(987, 1001):
  for b in range(345, 357):
      for c in range(107, 117):
          for d in range(833, 857):
              maze = [
                  [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                  [1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0],
                  [0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0],
                  [0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0],
                  [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0],
                  [0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0],
                  [0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0],
                  [0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
                  [0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0],
                  [0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0],
                  [0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0],
                  [0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 9]]
              maze[1][1] = a
              maze[3][4] = b
              maze[7][7] = c
              maze[11][8] = d
              for i in range(12):
                  for j in range(12):
                      tmp = 12 * i + j
                      if maze[i][j] == 0:
                          maze[i][j] = 3456 + tmp
                          continue
                      if tmp % 4 == 0:
                          random.seed(maze[1][1])
                          for cnt in range(tmp):
                              random.randint(0, 999)

                          maze[i][j] = random.randint(0, 999)
                      elif tmp % 4 == 1:
                          random.seed(maze[3][4])
                          for cnt in range(tmp):
                              random.randint(555, 1234)

                          maze[i][j] = random.randint(555, 1234)
                      elif tmp % 4 == 2:
                          random.seed(maze[7][7])
                          for cnt in range(tmp):
                              random.randint(777, 888)

                          maze[i][j] = random.randint(777, 888)
                      elif tmp % 4 == 3:
                          random.seed(maze[11][8])
                          for cnt in range(tmp):
                              random.randint(369, 777)

                          maze[i][j] = random.randint(369, 777)
              maze[11][11] = 9
              result = ''
              for xx in maze:
                  for xxx in xx:
                      result += str(xxx)
              hash_res = hashlib.sha256(result.encode('latin-1')).hexdigest()
              if hash_res == 'f1793dcf5ad3858512b944ac34413725a27c63e25618858231e88b9686466b00':
                  flag = 1
                  print(a, b, c, d)
              if flag:
                  break
          if flag:
              break
      if flag:
          break
  if flag:
      break
  print(a)
"""
爆破出来的值:
maze[1][1] = 996
maze[3][4] = 352
maze[7][7] = 113
maze[11][8] = 849
"""

走迷宫:

#coding=utf-8
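MIN = 9999999  # length of the path found by dfs(); keeps this sentinel if none is found

a = [[0 for col in range(50)] for row in range(50)]  # maze storage, padded to the largest supported size
book = [[0 for col in range(50)] for row in range(50)]  # visited markers (1 = on the current path)
lujing = ['*']*100  # lujing[k] is the move taken at step k of the found path
index_step = ['d', 's', 'a', 'w']  # move letters, in the same order as next_step in dfs()
def dfs(start_x,start_y,end_x,end_y,migong_array,step):
    '''
    Depth-first search for a path through the maze stored in the global ``a``.

    The search stops at the first path that reaches the target, so the length
    recorded in the global ``MIN`` is the length of that path and is not
    guaranteed to be the shortest one. The moves are written to ``lujing``.
    The caller must mark the start cell in ``book`` before the first call.

    :param start_x: row of the current cell
    :param start_y: column of the current cell
    :param end_x: row of the target cell
    :param end_y: column of the target cell
    :param migong_array: the maze; only its dimensions are used here, the cell
                         values are read from the global ``a``
    :param step: number of moves made so far
    :return: 1 if the target was reached from this cell, otherwise 0
    '''
    global MIN
    next_step = [[0,1],  # right
            [1,0],  # down
            [0,-1], # left
            [-1,0]  # up
            ]
    if (start_x == end_x and start_y == end_y):
        if(step < MIN):
            MIN = step
        return 1

    rows = len(migong_array)
    cols = len(migong_array[0]) if rows else 0
    for i in range(len(next_step)):
        next_x = start_x + next_step[i][0]
        next_y = start_y + next_step[i][1]
        # Valid indices are 0..rows-1 and 0..cols-1. The comparison has to be
        # >=: the padding of ``a`` outside the maze is 0, which passes the
        # walkable test below, so a plain > would let the search step one cell
        # outside the maze and route around walls through the padding.
        if(next_x < 0 or next_y < 0 or next_x >= rows or next_y >= cols):
            continue
        # Walkable cells hold a value in 0..1234; walls are larger.
        if(0<= a[next_x][next_y] <= 1234 and book[next_x][next_y] == 0):
            book[next_x][next_y] = 1
            if dfs(next_x,next_y,end_x,end_y,migong_array,step+1):
                lujing[step] = index_step[i]
                return 1
            # Dead end: unmark the cell so other branches may use it.
            book[next_x][next_y] = 0
    return 0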

if __name__ == '__main__':
    # Walk from the top-left corner to the exit cell in the bottom-right corner.
    start_x, start_y = 0, 0
    end_x, end_y = 11, 11
    # The maze generated from the recovered key cells (walls are the 34xx/35xx values).
    migong_array = [
        [545, 3457, 3458, 3459, 3460, 3461, 3462, 3463, 3464, 3465, 3466, 3467],
        [239, 796, 3470, 3471, 640, 948, 831, 3475, 3476, 3477, 3478, 3479],
        [3480, 1095, 843, 3483, 766, 3485, 848, 464, 95, 703, 3490, 3491],
        [3492, 3493, 864, 627, 8, 3497, 3498, 3499, 3500, 1064, 3502, 3503],
        [3504, 3505, 3506, 3507, 3508, 3509, 881, 600, 985, 706, 3514, 3515],
        [3516, 3517, 3518, 3519, 3520, 3521, 864, 3523, 3524, 3525, 3526, 3527],
        [3528, 1214, 779, 709, 804, 3533, 813, 403, 861, 1096, 829, 3539],
        [3540, 628, 3542, 3543, 494, 3545, 3546, 395, 3548, 3549, 798, 3551],
        [3552, 988, 3554, 3555, 485, 3557, 3558, 3559, 3560, 674, 777, 3563],
        [3564, 761, 802, 3567, 412, 568, 829, 721, 217, 1137, 3574, 3575],
        [3576, 3577, 853, 763, 3580, 3581, 3582, 3583, 3584, 3585, 3586, 3587],
        [3588, 3589, 3590, 372, 962, 923, 785, 502, 368, 707, 795, 9],
    ]

    # Copy the maze into the padded global grid that dfs() reads from.
    for i, row in enumerate(migong_array):
        for j, value in enumerate(row):
            a[i][j] = value
    # Mark the start cell as visited so the search never steps back onto it.
    book[start_x][start_y] = 1

    dfs(start_x, start_y, end_x, end_y, migong_array, 0)

    # MIN is the length of the first path dfs() found; snake.py accepts only a
    # 56-character move string, so the printed length should be checked against that.
    print('The min length of path is : {}'.format(MIN))
    print("".join(lujing)[:MIN])