[羊城杯 2020]Bytecode
题目:[羊城杯 2020]Bytecode
拿到手竟然是个txt文件,打开后发现里面是python的字节码
![[羊城杯 2020]Bytecode_第1张图片](http://img.e-com-net.com/image/info8/9c40980d93d14cb9aff2e7a7cb482626.jpg)
查文档反编译出来的python脚本如下:
en = [3,37,72,9,6,132]
output = [101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
flag = raw_input('please input your flag:')
str = flag
a = len(str)
if a>=38:
print('lenth wrong!')
exit(0)
if((((ord(str[1])+2020*ord(str[0]))*2020+ord(str[2]))*2020+ord(str[3]))*2020+ord(str[4])!=1182843538814603):
exit(0)
x=[]
k=5
for i in range(13):
b=ord(str[k])
c=ord(str[k+1])
a11=c^en[i%6]
a22=b^en[i%6]
x.append(a11)
x.append(a22)
k+=2
if x!=output:
exit(0)
l=len(str)
a1=ord(str[l-7])
a2=ord(str[l-6])
a3=ord(str[l-5])
a4=ord(str[l-4])
a5=ord(str[l-3])
a6=ord(str[l-2])
if(a1*3+a2*2+a3*5==1003):
if(a1*4+a2*7+a3*9==2013):
if(a1+a2*8+a3*2==1109):
if(a4*3+a5*2+a6*5==671):
if(a4*4+a5*7+a6*9==1252):
if(a4+a5*8+a6*2==644):
print('congraduation!you get the right flag!')
前五个字符串直接忽略,主要是用z3约束器求解后面地字符。
写exp如下:
from z3 import *
a1=Real('a1')
a2=Real('a2')
a3=Real('a3')
a4=Real('a4')
a5=Real('a5')
a6=Real('a6')
s=Solver()
s.add(a1*3+a2*2+a3*5==1003)
s.add(a1*4+a2*7+a3*9==2013)
s.add(a1+a2*8+a3*2==1109)
s.add(a4*3+a5*2+a6*5==671)
s.add(a4*4+a5*7+a6*9==1252)
s.add(a4+a5*8+a6*2==644)
if s.check()==sat:
result=s.model()
#print(result)
#[a4 = 102, a2 = 101, a6 = 51, a1 = 97, a5 = 55, a3 = 102
en = [3,37,72,9,6,132]
output = [101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
flag=''
k=0
for i in range(13):
flag+=chr(output[k+1]^en[i%6])
flag+=chr(output[k]^en[i%6])
k+=2
print('flag{'+flag+chr(97)+chr(101)+chr(102)+chr(102)+chr(55)+chr(51)+'}')
得到flag
![[羊城杯 2020]Bytecode_第2张图片](http://img.e-com-net.com/image/info8/b99f0de294b049b69e40e24ab2f2c360.jpg)
flag{
cfa2b87b3f746a8f0ac5c5963faeff73}
相关
- [官方文档]dis — Python 字节码反汇编器
- python-bytecode|python字节码学习