re学习笔记（32）HGAME2020-re-Level-Week2- babypy

HGAME2020-re-Level-Week2- babypy
新手一枚，如有错误（不足）请指正，谢谢！！

个人博客：点击进入
参考资料：python字节码学习
Python 字节码反汇编器|官方文档

题目描述

描述
CPython uses a stack-based virtual machine.dc26c1359ec66

题目地址 http://q432pxpwq.bkt.clouddn.com/week2/babyPy_task_e011896c39.log

分析题目

题目的代码

In [1]: from secret import flag, encrypt

In [2]: encrypt(flag)
Out[2]: '7d037d045717722d62114e6a5b044f2c184c3f44214c2d4a22'

In [3]: import dis

In [4]: dis.dis(encrypt)
  4           0 LOAD_FAST                0 (OOo)
              2 LOAD_CONST               0 (None)
              4 LOAD_CONST               0 (None)
              6 LOAD_CONST               1 (-1)
              8 BUILD_SLICE              3
             10 BINARY_SUBSCR
             12 STORE_FAST               1 (O0O)

  5          14 LOAD_GLOBAL              0 (list)
             16 LOAD_FAST                1 (O0O)
             18 CALL_FUNCTION            1
             20 STORE_FAST               2 (O0o)

  6          22 SETUP_LOOP              50 (to 74)
             24 LOAD_GLOBAL              1 (range)
             26 LOAD_CONST               2 (1)
             28 LOAD_GLOBAL              2 (len)
             30 LOAD_FAST                2 (O0o)
             32 CALL_FUNCTION            1
             34 CALL_FUNCTION            2
             36 GET_ITER
        >>   38 FOR_ITER                32 (to 72)
             40 STORE_FAST               3 (O0)

  7          42 LOAD_FAST                2 (O0o)
             44 LOAD_FAST                3 (O0)
             46 LOAD_CONST               2 (1)
             48 BINARY_SUBTRACT
             50 BINARY_SUBSCR
             52 LOAD_FAST                2 (O0o)
             54 LOAD_FAST                3 (O0)
             56 BINARY_SUBSCR
             58 BINARY_XOR
             60 STORE_FAST               4 (Oo)

  8          62 LOAD_FAST                4 (Oo)
             64 LOAD_FAST                2 (O0o)
             66 LOAD_FAST                3 (O0)
             68 STORE_SUBSCR
             70 JUMP_ABSOLUTE           38
        >>   72 POP_BLOCK

  9     >>   74 LOAD_GLOBAL              3 (bytes)
             76 LOAD_FAST                2 (O0o)
             78 CALL_FUNCTION            1
             80 STORE_FAST               5 (O)

 10          82 LOAD_FAST                5 (O)
             84 LOAD_METHOD              4 (hex)
             86 CALL_METHOD              0
             88 RETURN_VALUE

In [5]: exit()

分析后

In [1]: from secret import flag, encrypt

In [2]: encrypt(flag)
Out[2]: '7d037d045717722d62114e6a5b044f2c184c3f44214c2d4a22'

In [3]: import dis

In [4]: dis.dis(encrypt)
  4           0 LOAD_FAST                0 (OOo)
              2 LOAD_CONST               0 (None)
              4 LOAD_CONST               0 (None)
              6 LOAD_CONST               1 (-1)
              8 BUILD_SLICE              3   分片操作
             10 BINARY_SUBSCR
             12 STORE_FAST               1 (O0O)	 4.O0O = OOo[::-1]

  5          14 LOAD_GLOBAL              0 (list)
             16 LOAD_FAST                1 (O0O)
             18 CALL_FUNCTION            1
             20 STORE_FAST               2 (O0o)  	 5.O0o = list(O0o)
  6          22 SETUP_LOOP              50 (to 74)
             24 LOAD_GLOBAL              1 (range)
             26 LOAD_CONST               2 (1)
             28 LOAD_GLOBAL              2 (len)
             30 LOAD_FAST                2 (O0o)
             32 CALL_FUNCTION            1
             34 CALL_FUNCTION            2
             36 GET_ITER
        >>   38 FOR_ITER                32 (to 72)
             40 STORE_FAST               3 (O0)   	 6.for O0 in range(1,len(O0o)):

  7          42 LOAD_FAST                2 (O0o)
             44 LOAD_FAST                3 (O0)
             46 LOAD_CONST               2 (1)
             48 BINARY_SUBTRACT
             50 BINARY_SUBSCR						 O0o[O0-1]
             52 LOAD_FAST                2 (O0o)
             54 LOAD_FAST                3 (O0)
             56 BINARY_SUBSCR						 O0o[O0]
             58 BINARY_XOR							 O0o[O0]^O0o[O0-1]
             60 STORE_FAST               4 (Oo)		 Oo = O0o[O0]^O0o[O0-1]

  8          62 LOAD_FAST                4 (Oo)
             64 LOAD_FAST                2 (O0o)
             66 LOAD_FAST                3 (O0)      
             68 STORE_SUBSCR						 O0o[O0] = O0o[O0]^O0o[O0-1]
             70 JUMP_ABSOLUTE           38
        >>   72 POP_BLOCK					    6 7 8、for O0 in range(1,len(O0o)):
														  O0o[O0] = O0o[O0]^O0o[O0-1]
  9     >>   74 LOAD_GLOBAL              3 (bytes)
             76 LOAD_FAST                2 (O0o)
             78 CALL_FUNCTION            1
             80 STORE_FAST               5 (O)    9. O = bytes(O0o)

 10          82 LOAD_FAST                5 (O)
             84 LOAD_METHOD              4 (hex)    
             86 CALL_METHOD              0
             88 RETURN_VALUE					  10.return hex(O)

In [5]: exit()

也就是encrypt函数其实就是

def encrypt(flag):
    flag1 = flag[::-1]
    flag1 = list(flag)
    for i in range(1,len(flag1)):
        flag1[i] = flag1[i]^flag1[i-1]
    x = bytes(flag1)
    return hex(x)

根据代码写解密函数

flag0 = "7d037d045717722d62114e6a5b044f2c184c3f44214c2d4a22"
flag1= bytes.fromhex(flag0)
flag2= str(flag1,'utf-8')
flag3=list(flag2) 
flag = ""
flag += flag3[0]
for i in range(1,len(flag3)):
    flag += chr(ord(flag3[i])^ord(flag3[i-1]))
print(flag[::-1])

得到flag为hgame{sT4cK_1$_sO_e@Sy~~}