首先运行一下 `python ether_v2.py`,这个程序需要输入一串东西,而无论输入什么都只能看到一句 `You are too vegetable please try again!`。试图劫持各种函数,也发现对获取程序逻辑没有太大帮助,那么还是老老实实看字节码吧。
试着反编译了一下,但是也出错。把 dis 模块的代码拷过来调试,发现程序一开始就是个大跳转,而很多不会被执行的地方也有很多非法指令。可以按照跳转的顺序输出字节码,就能得到比较容易分析的结果了。
import marshal
from opcode import *
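# Load the top-level code object from the Python 2 .pyc file.
# NOTE: marshal is not hardened against malformed or hostile input, and this
# file is the sample under analysis -- do this in a disposable environment.
with open('../ether_v2.pyc', 'rb') as f:
    f.read(8)  # skip the 8-byte header (magic number + timestamp in Python 2)
    co = marshal.load(f)
# Raw bytecode string; work() decodes it one instruction at a time.
code = co.co_code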
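def work(i):
    """Decode the single instruction at byte offset *i* of the global ``code``.

    Adapted from ``dis.disassemble`` for the Python 2 encoding (one opcode
    byte, optionally followed by a 16-bit little-endian operand).  Operand
    lookups are bounds-checked so junk operands in never-executed regions are
    reported as ``invalid_*`` instead of raising.

    Returns a tuple ``(text, successors, size)``:
      text       -- the formatted disassembly line
      successors -- one or two offsets to visit next (fall-through first,
                    then the branch target when the opcode can branch)
      size       -- instruction length in bytes (1 or 3)

    Raises AssertionError when a jump-like opcode is met that the successor
    logic below does not know, so it cannot be skipped silently.
    """
    op = ord(code[i])
    name = opname[op]
    res = repr(i).rjust(4) + ' ' + name.ljust(20) + ' '
    i += 1
    has_arg = op >= HAVE_ARGUMENT
    if has_arg:
        oparg = ord(code[i]) + ord(code[i + 1]) * 256
        i += 2
        # The EXTENDED_ARG accumulator copied from dis was assigned but never
        # read, so it is dropped; extended operands are still not folded in.
        res += repr(oparg).rjust(5) + ' '
        if op in hasconst:
            if oparg < len(co.co_consts):
                res += '(' + repr(co.co_consts[oparg]) + ') '
            else:
                res += '(invalid_const) '
        elif op in hasname:
            if oparg < len(co.co_names):
                res += '(' + co.co_names[oparg] + ') '
            else:
                res += '(invalid_name) '
        elif op in hasjrel:
            res += '(to ' + repr(i + oparg) + ') '
        elif op in haslocal:
            pass
        elif op in hascompare:
            if oparg < len(cmp_op):
                res += '(' + cmp_op[oparg] + ') '
            else:
                res += '(invalid_cmp_op) '
        elif op in hasfree:
            # Fix: the original tested a local ``free`` that was never
            # initialised, so any closure opcode raised UnboundLocalError.
            free = co.co_cellvars + co.co_freevars
            if oparg < len(free):
                res += '(' + free[oparg] + ') '
            else:
                res += '(invalid_free) '

    # Successors: fall-through by default, replaced or extended for jumps.
    nextop = [i]
    if name == 'JUMP_ABSOLUTE':
        nextop = [oparg]
    elif name == 'JUMP_FORWARD':
        nextop = [oparg + i]
    elif name in ('FOR_ITER', 'SETUP_LOOP', 'SETUP_EXCEPT'):
        nextop.append(i + oparg)
    elif name in ('JUMP_IF_FALSE_OR_POP', 'JUMP_IF_TRUE_OR_POP',
                  'POP_JUMP_IF_FALSE'):
        nextop.append(oparg)
    elif 'JUMP' in name or 'to ' in res:
        # Unhandled control-flow opcode: show it and stop rather than guess.
        print(res)
        assert 0
    return res, nextop, 1 + 2 * has_arg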
# Print the bytecode in control-flow order instead of file order, so the
# junk between jump targets is never decoded.
q = [0]          # fall-through successors, always drained first
q2 = []          # pending branch targets
mp = {6371: 1}   # offset -> decoded line; 6371 is pre-marked so it is never decoded
lst = 0          # offset of the previously printed instruction
while q or q2:
    if q:
        t = q.pop(0)
    else:
        t = q2.pop(0)
    if t in mp:
        continue
    text, succ, _size = work(t)
    # A gap of more than one instruction means we followed a jump: blank line.
    if abs(t - lst) > 3:
        print('')
    lst = t
    print(text)
    mp[t] = text
    assert 1 <= len(succ) <= 2
    if succ[0] not in mp:
        q.append(succ[0])
    if len(succ) > 1 and succ[1] not in mp:
        # Newest branch target goes to the front of the branch queue.
        q2.insert(0, succ[1])
得到的字节码顺序就比较可读了。在前几百行,有几个类似这样的块
4508 LOAD_FAST 9
4511 UNARY_NEGATIVE
4512 LOAD_CONST 38 (3)
4515 UNARY_INVERT
4516 BINARY_AND
4517 POP_JUMP_IF_FALSE 6051
4520 LOAD_GLOBAL 11 (SystemError)
4523 LOAD_CONST 6 ('')
4526 LOAD_ATTR 12 (join)
4529 BUILD_LIST 0
4532 LOAD_CONST 7 (152)
4535 LOAD_CONST 8 (57)
4538 LOAD_CONST 9 (117)
4541 LOAD_CONST 10 (116)
4544 LOAD_CONST 11 (123)
4547 LOAD_CONST 12 (100)
4550 LOAD_CONST 13 (118)
4553 LOAD_CONST 13 (118)
4556 LOAD_CONST 10 (116)
4559 LOAD_CONST 14 (107)
4562 LOAD_CONST 8 (57)
4565 LOAD_CONST 15 (113)
4568 LOAD_CONST 16 (120)
4571 LOAD_CONST 17 (106)
4574 LOAD_CONST 8 (57)
4577 LOAD_CONST 11 (123)
4580 LOAD_CONST 10 (116)
4583 LOAD_CONST 10 (116)
4586 LOAD_CONST 18 (111)
4589 LOAD_CONST 8 (57)
4592 LOAD_CONST 19 (119)
4595 LOAD_CONST 20 (110)
4598 LOAD_CONST 12 (100)
4601 LOAD_CONST 18 (111)
4604 LOAD_CONST 9 (117)
4607 LOAD_CONST 8 (57)
4610 LOAD_CONST 14 (107)
4613 LOAD_CONST 12 (100)
4616 LOAD_CONST 18 (111)
4619 LOAD_CONST 18 (111)
4622 LOAD_CONST 21 (112)
4625 LOAD_CONST 18 (111)
4628 LOAD_CONST 13 (118)
4631 LOAD_CONST 8 (57)
4634 LOAD_CONST 21 (112)
4637 LOAD_CONST 18 (111)
4640 LOAD_CONST 8 (57)
4643 LOAD_CONST 22 (96)
4646 LOAD_CONST 20 (110)
4649 LOAD_CONST 12 (100)
4652 LOAD_CONST 14 (107)
4655 LOAD_CONST 8 (57)
4658 LOAD_CONST 17 (106)
4661 LOAD_CONST 22 (96)
4664 LOAD_CONST 17 (106)
4667 LOAD_CONST 23 (101)
4670 LOAD_CONST 10 (116)
4673 LOAD_CONST 24 (108)
4676 LOAD_CONST 25 (47)
4679 LOAD_CONST 8 (57)
4682 LOAD_CONST 26 (137)
4685 LOAD_CONST 27 (109)
4688 LOAD_CONST 10 (116)
4691 LOAD_CONST 16 (120)
4694 LOAD_CONST 17 (106)
4697 LOAD_CONST 10 (116)
4700 LOAD_CONST 28 (45)
4703 LOAD_CONST 8 (57)
4706 LOAD_CONST 12 (100)
4709 LOAD_CONST 18 (111)
4712 LOAD_CONST 27 (109)
4715 LOAD_CONST 20 (110)
4718 LOAD_CONST 16 (120)
4721 LOAD_CONST 9 (117)
4724 LOAD_CONST 8 (57)
4727 LOAD_CONST 21 (112)
4730 LOAD_CONST 23 (101)
4733 LOAD_CONST 8 (57)
4736 LOAD_CONST 19 (119)
4739 LOAD_CONST 14 (107)
4742 LOAD_CONST 20 (110)
4745 LOAD_CONST 24 (108)
4748 LOAD_CONST 8 (57)
4751 LOAD_CONST 24 (108)
4754 LOAD_CONST 10 (116)
4757 LOAD_CONST 24 (108)
4760 LOAD_CONST 20 (110)
4763 LOAD_CONST 14 (107)
4766 LOAD_CONST 22 (96)
4769 LOAD_CONST 8 (57)
4772 LOAD_CONST 16 (120)
4775 LOAD_CONST 18 (111)
4778 LOAD_CONST 9 (117)
4781 LOAD_CONST 8 (57)
4784 LOAD_CONST 14 (107)
4787 LOAD_CONST 10 (116)
4790 LOAD_CONST 17 (106)
4793 LOAD_CONST 23 (101)
4796 LOAD_CONST 16 (120)
4799 LOAD_CONST 14 (107)
4802 LOAD_CONST 23 (101)
4805 LOAD_CONST 25 (47)
4808 BUILD_LIST 92
4811 GET_ITER
4812 JUMP_ABSOLUTE 3955
3955 FOR_ITER 1479 (to 5437)
3958 STORE_FAST 8
3961 LOAD_GLOBAL 13 (chr)
3964 LOAD_FAST 8
3967 LOAD_CONST 12 (100)
3970 BINARY_ADD
3971 LOAD_CONST 29 (189)
3974 BINARY_XOR
3975 CALL_FUNCTION 1
3978 LIST_APPEND 2
3981 JUMP_ABSOLUTE 3955
把每个数加上 100,异或 189,可以知道,这是抛了个有调试器的异常,所以这部分大概是反调试。
从 995 行的 `3220 LOAD_ATTR 28 (hexdigest)` 开始,后面就不太容易看出在干啥了。
看了接下来的一部分代码,猜测 `LOAD_FAST 20` 是一个比较重要的变量。
可以通过下面的方法在 1058 行(`4234 SETUP_EXCEPT 1614 (to 5851)`)输出 `LOAD_FAST 20` 的结果:
import marshal
from hashlib import md5
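# Read the whole .pyc once: ``b`` is the raw file, ``code`` the code object
# that follows the 8-byte header.
# NOTE: marshal is not hardened against malformed or hostile input; the file
# is the sample under analysis, so work in a disposable environment.
with open('ether_v2.pyc', 'rb') as f:
    b = f.read()
code = marshal.loads(b[8:])
print(code)
a = code.co_code
# Locate the bytecode string inside the raw file so it can be patched in place.
oa = b.find(a)
if oa < 0:
    # Without this check a failed search (-1) would corrupt the later splice.
    raise ValueError('bytecode string not found in ether_v2.pyc')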
def throw_it(x):
    """Return Python 2 bytecode (as ints) for ``raise SystemError(str(<local x>))``.

    *x* is the index of the local variable to leak; it is encoded as a
    16-bit little-endian operand.  The name indices 11 and 8 are the ones
    this particular code object uses for ``SystemError`` and ``str``.
    """
    lo, hi = x % 256, x // 256
    return [
        116, 11, 0,   # LOAD_GLOBAL 11 (SystemError)
        116, 8, 0,    # LOAD_GLOBAL 8 (str)
        124, lo, hi,  # LOAD_FAST x
        131, 1, 0,    # CALL_FUNCTION 1
        131, 1, 0,    # CALL_FUNCTION 1
        130, 1, 0,    # RAISE_VARARGS 1
    ]
def debug(x, y):
    """Overwrite the bytecode at offset *x* with the ``throw_it(y)`` sequence.

    The global ``a`` must already be the bytecode converted to a list of
    one-character strings.  Bytes are replaced in place, so the overall
    length (and every other offset) stays the same.
    """
    global a
    for offset, byte in enumerate(throw_it(y)):
        a[x + offset] = chr(byte)
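a = list(a)       # bytecode as a mutable list of characters
debug(4234, 20)   # at offset 4234: raise SystemError(str(<local 20>))
a = ''.join(a)
# Splice the patched bytecode back; it has the same length as the original,
# so the rest of the file keeps its layout.
b = b[:oa] + a + b[oa + len(a):]
# Write through a context manager so the patched file is flushed and closed.
with open('patch.pyc', 'wb') as out:
    out.write(b)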
执行 `patch.pyc` 就能得到结果:
Traceback (most recent call last):
File "pyprotect.angelic47.com", line 3, in ProtectedCode
SystemError: 7yK�c�ĈK����s� ==--AVM͕OT)=�ZϮз*Nżfʕӌ bce0af39a797tЇ U�syÂЅ�9Ϣ> WARNING×WARNING_їA>0�Rݕɣc�ݐ�ڡʇ WARNING WARNINGݞOU�XK�!`̓*�̥ You Battle You ߦtt �kEՕdzc�빍
ڌȷatch out!)u� WޕNI"9kK۲ݪ-F̆
ƦώG HELLu% Yeah 橵 ��%rՔd̿$HǴ this time!u� ̆RN%0=λԣc斱ϛQ�ȑ有何居心呢s۟uy~K��(x
đtW进来啊u� 非y߸梏�RGIgű�����绝对回避丑̤йG�6Z��K��是小看本娘熃谱�T�ĨxЮZr�ܚ不停尝到BAD݂ND�fK�ěo��hЦد一定会u� ݐAR"7�[ܷұ-HƖ>੧ 不得不警示象拉ڑ؞0tѲ�둂ژӴ UR answer: t� ܴ3c\Hr-ޓeڧ-לԴe5t� 8ce92dc3f K)$ˁ옛uꒋ t� ei, t�܇ y�YK�C`ڴk�Ƞvegetable pleaseݳryL�,}ӎ둝яôable!!! Bad end!ݦt�l~KtߘBc�쇮ƑȖery Vegetable!!!݅adL�%xځ둩՛¶4s% Really Rea𫹠:�,yЁя� ʰk։àend!!!t i% 霠 lݝ8|�ۊ�ࠑ�nT心就来吧u� zϖ郆ϠaFW|Ɖ[B̵� 或是激労㹟ő��6MK边感到无聊 x߀铇ΌBGNcƎH��真不错呢 呒练ڑ؝7X�݊K��ͥȘ还会还会tؘ呤̧\GhNǹa��Ҫ 看好给本崟朘܁ܝ;g�顎λ�RU开吧!u� 你zۉ扤άjHP^ˁ{��[࠵! 对上本娄í˽Ϲ]"4bɦqլ|Y�ܟi i� i� ��l�O�c�츇��� Burning!u� ݡܬʖԹ^�6_䥔Ӫ¢砠不得了?u� xچ絑g<�>O�緎Ѓ�Tg心吧?u� *****֭**FTa6ъ{>驧 再一次华丽熃阆״۞0t��뒋�tl啊还有更多曨⤚ʨ߽μԣc騬͏q�ܬ娘确切地闪t؇!���c�
Χ�@�被打进了结屜輁Ăթ術ㅝG��hФ؍能输!u� 腺煚ܵԟ�^���ȁ但是很开心ݐAR"7�[ځ둭hD�Ș警告你,这z߯咞̀{ECměo��[۵� 本娘超纻✰�܆͒9z 「ۉ�Xsu' 而且你无zԕꭽ�DF[rƌe��}ťܹ幕i� i ��l�[�c�칓��� t� Mi
t݇ �
K�Rpޣz�ֳn8o8o1n5982rq31oϴ14_�~.ȓ䑚9ܡ8ڙײ0rrr9s04qr58q9n5зq1TI:(͗ēZ5Ӿs͘ղ10909p332413oo3o�4TJ|mԐޑZpĩzۙԹ0pq0330os586rr92Ƶ34TF�nˏᗒrݧ}ęֳs8113923n911555sʵsq_�xsȗ씐8Ħ:Śp03r8os0083r8565ž09Y$nĐ�qۥ9�ִ85q3s558o4n39qrp_�yi롓ㅝG��Yɥ܀心!s) GoodݧBu�^<nՎՃ�o٦.DŽȰlease try again! l'$i܁FCR߁�Ljҥgetable!!! Bad eM
� d̻$Ȕo get your ETH, �a��kiɅٱ*ڛѥr as private key| l~�zܕ�
o࠴9ћԥd with this Pyth�?iیނ iÿ.Ը֯tect, please con駣tL�/qӎӂ
fϽ"Юcom for more tec��
�kuֆܑ�`࠸$ۉҧ 不得了?䡁晃ҷН>O�緎Ѓ�Tg心吧u� 没错sی裎SFKLĊi��pש״u� 欢迎杹∰̨弰"4y覓Ǭadǵ -- END --( ܇(%l~Kh𠓣�x٥L��ashlibt� AVMt�܇ f �,h�`ݎ"ژӴt� f1agt� lel~$nࠔأc�ϩ"�㠠 Truet� decodl~.rُ׆��뒋އϮt� xt� chrt�܇ l]
I���뒋״� l1lt� l11t؇ O'pϤԣcmȽ'n砠appendt� md5tՇ ��3xӇ�u㒋l1lllt� lllllll~Kpבߏ�mȥC��l1lll1lt� llll�vK��0Ƚ'`砠l1llllllt� ll𫬬]�?�Rmڠ'Ӈ isuppert� iଯw ?��oʹc��sډ 妫�" ։�𤓳�.ۣd=Ɲןٰə0$�ײֺTo�/Ԝ.֝/!~��1�FծίᱵѸθ�cW涷Gޱ�䏶yY࣍
=͞D�͢ˊ�佺1jЯ8ژySǣ՞����V3۞.砻ۂ3<ΏÈڐXʞݞhSWtީ߇ ��Ј酠Ѝ 6̀ʕȼƑőc%־ס��h�.ױQjb�į�Rګ�OPg�oڨȔv�9ĨȓΎmC�)ѿ ՖόB���٫�ǾѿƖ𘨜^�)ʀȨ�όB���ڌQӻh�{ɌlK!۵c=ݬē�۳TǩزKמь]߈��iH$Ԓ$3sڋ~a�Xg ͙�ީJ�8͈ҝک�9gرɍ
���ɈN(0
CȆƐ7ɤԩ١°7kRًȓɔ��)8�Q+^ҷvֳD oa<Vɉ��� ����$֑2ѱ幮捒tǵPͺ5ާXL ���ӭ�$֍ʃ��ؒ��а逤E࠵�䖉ƇѤî٭�%5~��X �ƼDۛ�
ݣ܇A_႟₰7kRًȓʹz!����9ʕ왤,Fȭב\YX�Ƿ鮾���� 짰Oצ𬕷֚Ө����^~��{آ�ퟯ� ǖYVΠoa�5o�$ִҩ ��� ����$
DƓϐ�žǸ̄�\z��ҲЃѲٳPᬉЍ
օFC�釢ُғWe ۼ�̾�)Ɲ(�^~��عࠁ�Ďb�!н~�&eր֑l甂ýϒfʔú䕉u9V��ࠀB�)¼ߺ�ዑɨ֢ |SV輈ν\˅zƞ.b�롯Ե֚ƾ��Ŀ��R��Ql{�£Qԑ�ǔ�ݎ`ـݣ���o1ğ|ޒ��ۭ�T¯ȮꍮԔՖ�1(Sʭ�ڦ�D٣`��ù��@⥡͞翖Ш*+پ7([\�%1l甂ýϒf��úɫݨϸƌG��ީ�ēՄǣ֏U�$_�æ��ی֬[㭽Ե@퉻ʩ~��&࠾5⭲a5ɳ5GW۞܉~����
Ѝ<�_ڮ͛'�g��>jʕ佺1eε&��t�/Ĝݙ���ή��H0 㕢'ũ܉~����
Sʠƹ!�b�!Èh�� mڽ£߃���*양l甞Ľо�H9Z7��wͿƄ)2/ĠĽ}NʷQ^㺁pȵփ:ޮf���7י7,_T�%1l甂ýϒfʈƺ庨8'ЬN°���ׂƝ^~�������£Bſ��2�Ebτ�)Ӷ{ú䖳ѽ/L�aԗ@̹֔}[ɸɉDɤ&òt́ܜ �Md7����͎֪b��?��꜉~��32~��͠Ʃ;����Ȗª՞9�աs��ꕵ(EAɔ��Ѹӥ£Яɟaڪ���=|�&CMѤ֡1d˒ĢPQ뭗_dˢQM��ȩɪ?Q秾zև࠷<o4�.ց(!~Һئ˫&�+ݤc٢ݞ~�������ǣޯ�իҽĨvPȶX6Kڏ�fʔú䕚w3iʑqӃς"㪡�ݱ0#(ɿ壱ɮյ(EAɔ��ɔ��Σ�詿����e��su$AIɔ��)Tu^{=1Kooސu�τ�)Ӷ{ú䕘u7gȕqӠꥉX̣ýب?f31"槿ʴŃًm躍�ŧڍ~��ŭ䭽ĽبϠ>)ߔӯױ˵3ـ~��٢��vȡ̉ʒ�݉{ӳ�0ŷ�Px˪}ݢҕࠦ��f��< ��*[T=嵡&�W%�=.ܼ9ҧɩv0®议̈�̋㣽ب?f20 꿏1Ӆ�ًm躍�ŧڍ~��ŭ䭽ĽبϠ!,Րӯױ˲6Ӏ~��9̷㽠#9�bM_͗ihȔ0��ʥ2ڻᶱ�.֕'ũ܉~��32~a
Ѝͻ> 0C�0կ,ޠϔ�ǢՓm躍�ŧڍ㺐
{ں��వވ��⢸YM~��۽�?kh\$Ѳ ֝̋؝݀֬Ί�fc߃���f자���ۗࠨ_�po魦3t ݔP�T䘓Hق굷�,ԩյ6Sm�$ ��۞췱:7�%˘à�DCɔ��Ѥ֡1d�bݽ-��s�ގDՂ9ӎ�㽈�̀}~��ʭ�𗤏Cތ߯ɇ}&şV�Nu��ࠀKɔ��UԵ()?��Ȗª՞\!뙃�醁ɔ��1d�ݹ9)ɧϖ*ȃQ�pُև�ψʕb}��1ZˣP!֨$�t㒲1>¼Ẅ́|Yׄ�ƨQ�ɓ̲ߖ �Ʒ-`�u<`IkLpݾˍ|ѻZقE>܍牔��ꕵJg�ѤՅbԖĕчڏ)fՔʨ۽N6wǾ��ݍ>Zֿ߅ʁ%QŻGɱէ'�:ҖT[~Ƽ>[͏�fʔéOuݺ×K�
在这里面可以看到一些中文,而这个东西接下来会被丢进 `marshal.loads`。
经过测试,改动 pyc 里的代码,会导致这里面随机字符的部分发生改变。再次阅读前面的代码,发现代码经过一定的运算后被做成了 key,然后这个 key 拿来异或上一个内置的字符串,就得到了解密结果。
进一步可以发现,这个 key 除了某一位外,其他部分只有 65536 种可能。(虽然可以想办法直接算出来 key,但是我觉得调试会更加麻烦)
用下面的脚本可以得到正确的解密结果(`s1.txt` 里面应该是 7150 时的 `LOAD_FAST 16` 结果,`test.txt` 里是一些异或结果(可以参考代码后半部分的处理),`out_0.txt` 和 `out_1.txt` 里分别是把 5424 patch 成 0 和 1 后在 1058 行输出 `LOAD_FAST 20` 的结果):
from hashlib import md5
import marshal
# Starting guess for the 16-bit key component; the search below scans
# st - 2000 .. st + 1999.
st = 17234


def get(x):
    """Return the 4-character table for *x*: low byte, high byte, NUL, NUL."""
    lo, hi = x % 256, x // 256
    return chr(lo) + chr(hi) + chr(0) + chr(0)
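# --- Step 1: build one candidate MD5 digest per 16-bit key guess -----------
# [0x6b:-1] drops the first 0x6b bytes and the last byte of the dump
# (presumably the traceback preamble and trailing newline -- confirm
# against your own capture).
with open('s1.txt', 'rb') as fh:
    a = fh.read()[0x6b:-1]
sh = []
for i in range(-2000, 2000):
    table = get((st + i) % 65536)
    o = ''.join(chr(ord(ch) ^ ord(table[ord(ch) & 3])) for ch in a)
    sh.append(md5(o).digest())

# --- Step 2: load the observed XOR samples --------------------------------
# SECURITY: eval() executes whatever expression each line contains.  Only
# feed it files you produced yourself; if the lines are plain literals,
# ast.literal_eval is the safer drop-in.
s = []
with open('test.txt') as fh:
    for line in fh:
        s.append(eval(line))
s2 = s[1][1]
s = s[0][1]

# --- Step 3: find adjacent candidates whose digests XOR to the sample ------
for i in range(len(sh) - 1):
    if all(s[j] == (ord(sh[i][j]) ^ ord(sh[i + 1][j])) for j in range(16)):
        break
else:
    # The original fell through with the last index when nothing matched and
    # went on to decrypt with a wrong key; fail loudly instead.
    raise ValueError('no adjacent digest pair matches the XOR sample')

# --- Step 4: cross-check the key layout with the two patched dumps --------
# The key is 37 bytes: the 16 digest bytes followed by 21 bytes that are
# zero except for the positions set explicitly below.
xt = map(ord, sh[i]) + [0] * 21
xt[-4] = 3
with open('res/out_0.txt', 'rb') as fh:
    a = fh.read()[0x6b:-1]
o = ''.join(chr(ord(ch) ^ xt[j % 37]) for j, ch in enumerate(a))
xt = map(ord, sh[i + 1]) + [0] * 21
xt[-4] = 0
u = ''.join(chr(ord(ch) ^ xt[j % 37]) for j, ch in enumerate(o))
with open('res/out_1.txt', 'rb') as fh:
    b = fh.read()[0x6b:-1]
assert u == b

# --- Step 5: decrypt with the chosen key and try to unmarshal --------------
# Index 2207 in ``sh`` corresponds to the key guess st + 207 = 17441.
cnt = 0
for _sx in range(2207, 2208):
    sx = sh[_sx]
    xt = map(ord, sx) + [0] * 21
    ok = False
    xt[-4] = 143
    xt[-3] = 5
    p = ''.join(chr(ord(ch) ^ xt[j % 37]) for j, ch in enumerate(o))
    cnt += 1
    with open('resw/%d.txt' % cnt, 'wb') as fh:
        fh.write(p)
    try:
        # SECURITY: marshal is not safe on untrusted bytes (a malformed blob
        # can crash the interpreter); ``p`` is derived from the sample, so
        # keep this inside a disposable environment.
        pp = marshal.loads(p)
    except Exception:
        # Wrong key guess: the blob does not unmarshal.  Catching Exception
        # rather than everything keeps Ctrl-C and SystemExit working.
        pass
    else:
        ok = True
        rp = p
        print(type(pp))
        print(pp)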
得到的解密结果:
[(), (-1, None, '==--AVMPROTECTFUNCTION--==', 'bce0af39a797', '9d8e9bcfe8d3', u'WARNING\xd7WARNING\xd7WARNING', u'WARNING WARNING WARNING YOU', u'Ba Ba Battle You Battle You Battle You', u'(And watch out!)', u'WARNING WARNING WARNING HELL', u'Yeah you cannot die not at this time!', u'WARNING!', u'\u4f60\u5bf9\u6211\u6709\u4f55\u5c45\u5fc3\u5462\uff1f', u'\u522b\u968f\u610f\u5730\u8fdb\u6765\u554a', u'\u975e\u5e38\u5371\u9669\u7684\u6c14\u606f', u'\u7edd\u5bf9\u56de\u907f\u4e0d\u80fd\u7684\u5f39\u5e55', u'\u8981\u662f\u5c0f\u770b\u672c\u5a18\u7684\u8bdd', u'\u4f60\u94c1\u5b9a\u4f1a\u4e0d\u505c\u5c1d\u5230BAD END', u'\u4f60\u7684\u5fc3\u53ef\u662f\u4e00\u5b9a\u4f1a', u'WARNING WARNING', u'\u4e0d\u5f97\u4e0d\u8b66\u793a\u8b66\u62a5\u7684\u5427', 'Input UR answer: ', '33c0691e3230d16fb434e5', '8ce92dc3fe708e5b81a848', 'k', 171, 'e', 44, 'y', 'You are too vegetable please try again!', 'Vegetable!!! Bad end!!!', 'hex', 'Very Very Vegetable!!! Bad end!!!', 'base64', 'Really Really Vegetable!!! 
Bad end!!!', '', 37, u'\u8981\u662f\u4e0b\u5b9a\u51b3\u5fc3\u5c31\u6765\u5427', u'\u6216\u8bb8\u4f1a\u611f\u5230\u5174\u594b', u'\u6216\u662f\u6fc0\u52a8\u4e5f\u8bf4\u4e0d\u5b9a', u'\u4e00\u8fb9\u611f\u5230\u65e0\u804a \u4e00\u8fb9\u5439\u7740\u53e3\u54e8', u'\u771f\u4e0d\u9519\u5462 \u5355\u7eaf\u7684\u65cb\u5f8b', u'\u672c\u5a18\u8fd8\u4f1a\u8fd8\u4f1a\u8fd8\u4f1a\u7ee7\u7eed\u4e0a\u5594!', u'\u770b\u597d\u7ed9\u672c\u5a18\u66f4\u52a0\u66f4\u52a0\u5730\u8eb2\u5f00\u5427\uff01', u'\u4f60\u6709\u591a\u5c11\u80fd\u8010\u5462\uff1f', u'\u5bf9\u4e0a\u672c\u5a18\u70ed\u60c5\u5982\u706b\u7684\u7231\uff1f', 0, 3, 1, 2, 4, 94, 204, u'Burning!', u'\u672c\u5a18\u597d\u5f00\u5fc3!', u'\u4e0d\u5f97\u4e86?', u'\u4f46\u662f, \u679c\u7136\u5f88\u5f00\u5fc3\u5427?', u'*********************', u'\u518d\u4e00\u6b21\u534e\u4e3d\u7684\u95ea\u8fc7\u5427!', u'\u770b\u554a\u8fd8\u6709\u66f4\u591a\u66f4\u591a\u5594!', u'\u90fd\u7ed9\u672c\u5a18\u786e\u5207\u5730\u95ea\u8fc7!', 255, u'\u672c\u5a18\u88ab\u6253\u8fdb\u4e86\u7ed3\u5c40\uff01\uff1f', u'\u672c\u5a18\u53ef\u4e0d\u80fd\u8f93!', u'\u867d\u7136\u5f88\u4e0d\u7518\u5fc3', u'\u4f46\u662f\u5f88\u5f00\u5fc3 WARNING!!!', u'\u672c\u5a18\u8b66\u544a\u4f60\uff0c\u8fd9\u662f\u4f60\u6700\u540e\u7684\u673a\u4f1a', u'\u672c\u5a18\u8d85\u7ea7\u5730~\u5371\u9669\u3001\u72c2\u6c14', u'\u800c\u4e14\u4f60\u65e0\u6cd5\u9003\u907f\u6211\u534e\u4e3d\u7684\u5f39\u5e55', 28, 32, 12, 16, 8, 24, 20, 'M', 13, 'm', 'ps1q6r14s2sn8o8o1n5982rq31o33143p52337s9870snq1r0rrr9s04qr58q9n53pq187q467p0949o8803r10909p332413oo3oq914847qo0n29qo81n1s90pq0330os586rr929r34884rqo351s6660q2ss8113923n911555s62sq3p3os78039o7q024pp03r8os0083r856599095ror8pr7op04r6oq485q3s558o4n39qrpn1n43o2', u'\u672c\u5a18\u5f88\u5f00\u5fc3!', 'Good! But wrong answer, please try again!', 'You are SUPER Vegetable!!! Bad end!!!', 'Nice job! 
To get your ETH, please use your answer as private key!', 'If ur interested with this Python-VirtualMachine Protect, please contact admin@angelic47.com for more technical information!', u'\u4e0d\u5f97\u4e86\uff1f\u4f46\u662f\uff0c\u679c\u7136\u5f88\u5f00\u5fc3\u5427', u'\u6ca1\u9519\uff0c\u73b0\u5728\u662f\u72c2\u6c14\u65f6\u95f4', u'\u6b22\u8fce\u6765\u5230\u75af\u72c2\u7684\u4e16\u754c!', u'-- END --'), (), ('sys', 'hashlib', 'AVM', 'flag', 'raw_input', 'f1ag', 'len', 'ord', 'exit', 'True', 'decode', 'encode', 'join', 'x', 'chr', 'l1', 'll', 'll1', 'l1l', 'l11', 'l1ll', 'llll', 'append', 'md5', 'hexdigest', 'l1ll1lll', 'lllllll1', 'll1lllll', 'll1lll1l', 'lllll1ll', 'llll1lll', 'l1llllll', 'llllll1l', 'l1l11lll', 'isupper', 'islower', 'range'), (), b'\xe4ek\x08"\x00\xb5I\x1c\xf0$Ot\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1#H{\xd0\x971\xf2\xb5zTo\x1c/\xb4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\x05*\xcb\xe5\xd1\x14S\t\xcf\xff\xe0Z$\xfb\x0cE\x9f\x13cW\xfa\x85\x9d\xd5\xe6\xb67\xf8\xb5\xf1\xc5G\xde\xb1\x88\xe4\xcev\x15\'\xa4\xff\xf1\x9d~\xfd\'\x05&\xb3\x80~\xfd\x04\xfc\xfa1j\x8f\xef8\xb9\xd8yS\xa7#\xb5\x1e\xf6!\x04\x0f\xf4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1Sx\xc8%(\x83\x88\xd9PX\xc9^\xbc^hSW\xa14\xddi\xbe[\x07\xfc\x00\x1d\xa0\xe4T\x12$3s\xee\x01\xdd\xba\x0b~\xfd\x16X\xba \x87\xfc\xc5Q\xc4Qc%\xb5\xfe\xd6a\x04\x0f\xf4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\x9b\xc0\x0f\x04\xa4\x8f\xe4o\xd9h\xa7\xd4v\x1d9\x83\xe8\x87S\xcdNmC\x1d\xb5\xf5\xceR\xe4\xcft\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\xcc\xf1\x9bC\xf8\x06\xa6~\xd1\xbf\xc6\x16\xf8\xd8\xe8\x9c^\x1a\xb5\xad\x80\xc8\xc4\x8f\xf4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1+Q\xb2\xfbh\x0b{\xa9\x0clK!\xbb\xb5c=\xbd,_T\x0c\x1e\xd6\r\x1f\xba\x12\x17!\xa8\xf5\xdf:\x1d\x16+\xe0\x18O@\x8ciH$\xd4\x12$3s\xee\x01\xdd\xba\x0b~\xfd\x16Xg\xcc^\xc7\xc5\xfc\x1d:\xa9\x1c9g\xd9\xb2\xaf\x13&\x91\xdd\xba\xa9\x1c9g\xd8\xb1\xa9\n\x15\xf7#DC\xc9\x94\xf5\x1e;\xbd0c,\xf1\xe3\x1b\xe5\xc6Q\xdc\xb9\xaf 
A_\xe1\xc2\xb07kR\xd8\xcb\xc8\x93\xfb$EA\xc9\x94\xf5\x1b8\xbb)Tu\x1a7\xa5\x11$\x95\xd5\xb2\xaf\x11$\x95\xd4\xb1\xa9\t\x14\xf5\x174\xa3\t\x14\xf5\x163\xad\x11$\x95\xd1\xae\x97\xf1\xe4\x15\xd0\xad\x91\xe9\xd4u\x163\xad\x11$\x95\xd3\xb0\xab\t\x14\xf5\x12/\x95\xf1\xe4\x15\xd6\xb3\xad\x11$\x95\xcd\xaa\x9f\xf1\xe4\x15\xcc\xa9\x99\xe9\xd4u\x0f,\x93\xe9\xd4u\x0e+\x9d\xf1\xe4\x15\xc9\xa6\x87\xd1\xa4\xa2\xee\xd8m\x08%5~\xfd1.YX\t\x13\xfb7X@;(SL\xf1\xe3\x1b\xf6\xd7s A_\xe0\xc1_\xe1\xc2\xb07kR\xd8\xcb\xc8\x93\xcc\xf4\xe6&\xf7\xe9\xad~\xfd\x10\r\x17\xf39Z\xcb~\xfd\xd3\x10\xc4\xa1\xa7\xed\xd6Q\\YX\x0c\x16\xc6\xf7\xe9\xad~\xfd\x10\r\x17\xf3;\\\xc7~\xfd\xd3\x10\xc6\xa3\xac\xf5\xe7\x13\xfd\xde\xc3~\xfd\xd3(\xf5\xeab\xbe\xf7.\xb8\xd1^~\xfd1(S{\x04%\x81\xc9\x94\xf5;X{)Tu:We\x11$\x95\xf5\xd2o\x11$\x95\xf4\xd1i\t\x14\xf57Tc\t\x14\xf56Sm\x11$\x95\xf1\xceW\xf1\xe4\x15\xf0\xcdQ\xe9\xd4u3Pk\x04\x0f\\z\xf4#\x1b&\x91\xf2\xcfC\xd1\xb2\xb93P},I\xd0f\xc8\xceZ\xb8\xbb:e\x01\xd9\xa4\x83\xd8\xa3\x8d\xc7\x9a|\x19\xcb~\x17)\x86\x1d(\x1e^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7.a(\xeb\xd5\xd1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x95r9Vsc\x94\xdc\xb9\xaf 
A_\xe1\xc2\xb07kR\xfc\xe1\x0b\x11\xc9(\xd5\xe2\xf9{\xa7M\t\x81<SV\xe7\xe0\x0f\xcd}0\xf5Nf^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7)\\R\x0b\x15Ql\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\xef\xccE\x94qg\x9d#\x0f\x18\x1c\x81/1\xc4\x1f|\xbd\xd2\xf6\xa7\x8cjo\xcf&K\xd7\xd3WHy\x0f\x1bM\x89\x0c\xc5\xc2\x9fA~\xfd1(S\xc9m\x02\xda\xa6\x0bD\xd8c`\xf7\x85\xce\xcc^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7([\\\x13%1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x97t5Xuo\x8d#IV\xb5\xca\xa3\x88\xde\xa9\xb8\x05\x0f\xc3\xd3\xb4\xc4\xc6\xe3\xd5O\xfb\xf4^\xf5=\x92\x1a$3m\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45@\xec\xc9\xbb\xc9i~\xfd\x05"\x05&\xb3\x80~\xfd\x16\x12\xb2\xd6\xcb\xf2\xdeV\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d\xf4q~\xfd\n\xcf\xcd\xa0\x85\x95_\xb5\x10\xe6\x07\xdc\xaf\xb4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1e\x8e\xb5&\xfd2$Ot\x1d/\x83\xdc\xbd\x85\x01\x02\x02\xc1\x90Q\xed\x9b\xbd<\xe4+1\xcb\xf2\xdeV\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d\xf4q~\xfd\n\xcf\xcd\xa0\x85\x95_^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7-`*\xeb\xd5\xd1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x94q?f\x87\x8bM#)2/\xee\x8b\x0e\x83`\x84\xbd\x80\xfdN\xaa7Q^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7,_T\x13%1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x96s;k\x8c\x9da\xd3\x07\xf5\x12\x9d6.\xfa^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7/b.\xf3\xe5\xb1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\xf3\xd0}/L\x1da\xd3W@\xcb\xe5\xd1\x14}7\xb7s\x94\xb2\xe4{\x07E\x82Ye\xc0\xb5\x14\xeb\x1e\xe8\xdb\\\t\x1bM\xa1$7\x7f\xfeJ\xc1\x00\xed\xef\xe3\x1b\xad\x8e\xf9\x14)\xe4\x15Op\x14\x1e\xd6\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d32~\xfd\n\xcf\xcd\xa0\x85u<\xfc(EA\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5+H[\xe9\xd4u(EA\xc9\x94\xf5*GE\xd1\xa4\x95\xe5\xc2O\xd1\xa4\x95\xe4\xc1I\xc9\x94\xf5\'DC\xc9\x94\xf5&CM\xd1\xa4\x95\xe1\xbe\
xb71d\x8aR\xa4\xa2\xfa\xe4\x1c!PQ\x87\xd2\x9cC\x9f\n\xb1\xb2.\xfc\xc9@\xf4S\x81N\xaa?Q\xe7\xa7\xbez\xb5\xc7\x9f\xf7<o4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\xcb\xf5\xfb\x98`{[`IL\x84\xd9\xa2\x9c^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7*]P\x0b\x15Ql\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x9aw3i\x8a\x91q\xd3\x9f\x88\x02"\x8e\x94\xea\x1b&\x91\xe3\xc0K\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5"?\xb51d\x15\xe8\xc5A\xc9\x94\xf5]z?1d\x15\x9cy9)Tu$AI\xc9\x94\xf5_|3)Tu^{=1d\x15\x99v\'\x11$\xa2\xeb\xd5\xd1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x98u7g\x88\x95q\xd3\x00\xe9\xe4U_\xcb\xe3\xcfC\xd3\xb4\xc4\xc6\xe0\xd2A\xe7\xcc.\x81@m\xe4\xd8\xcbm\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45@\xed\xca\xbd\xd5Y~\xfd\x05"\x123\x99\x80~\xfd\x16\x12v\x98b\xf5\x18\xe1\xb6v\x88!7N\xaa\x92\xaev\xd7\xd5\x80\x13\xe0\xedS\x85\x1c\x15\x1b\x8c"\r}\xbd\xa2\xb2\x15\xfbN\xaa\xbe\xdff\x17\x0bf\xf6k\xb7\x88;\t\xfd\x00K\x9a6\xa0\xf4\xee\x06W`\xcd\x02\x1c\xd1\xfd\xda.\xdc\xbc9\xb2\xa7\xc9\xa9v0\xa2\xae\xe7\xed\xee\xcb\xc8\x9e\xcc\xcb\xe3\xcfC\xd3\xb4\xc4\xc6\xe1\xd3C\xeb\xd4\x1ezGm\xe4\xd8\xcbm\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45@\xf2\xcf\xb7\xd1Y~\xfd\x05"\x156\x93\x80~\xfd\x16\x12\x179\xcb\xf7\xe3\xbd\xa0#9\x7f\xfeJ_\xac\xbb\x17#\x9b\xaf\x90\xc5\xe4\xc9$\xd9\x8b\xf0\x14\x1e\xd6\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d32~\xfd\n\xcf\xcd\xa0\x85u<\xcb\xe3\xcfC\xd3\xb4\xc4\xc6\xe6\xd8U\x07\x0c\xaeT\x12\xc6\xe2\xd4\xd3m\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45\x19\xc9~\xfd\x05"8YM\x80~\xfd\x16\x12\xb8\xda}\xe0\x80\x9d?k\xf4[$\xd1^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7\x13Ff\xeb\xddP\x10\x1a\x1d\xbb\x17#o_\x08\x1c\x11\xa3\xf1\xdd\x93\xa7\xea\xde\x95\xbb\x13\x1f\x17\xbf4H\xb9\x82\xea\xb5\xb7\x0b,\x93\xe9\xd4u6Sm\x11$\x95\xf1\xceW\xf1\xe4\x15\xf0\xcdQ\xe9\xd4u$AI\xc9\x94\xf5\'DC\xc9\x94\xf5&CM\xd1\xa4\x95\xe1\xbe\x
b71d\x15\xfe\xdb}-`\x88z\xc2n\xd3\xc5^-E_\xd3rf&\xf1\xe3\xbd\x88\x0b\xcb\xc0\xa1=~\xfd1(S\xc9m\x1c\xf8\xcb\xe3\xcfC\xd1\xb2\x943$O[$\x1e\'o\xce\xca\xe2\xe6\xa9u\xfcRo\x15\xee\xe1\x1f\xdf\xc0K\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5Mj\x1f\xf1\xe4\x15\xe8\xc5A\xc9\x94\xf5]z?1d\x15\x9cy9)T\xe0\xceVF\xd6\xc8M\xf3\xd0J\xec\xd6F\xec\xde\xc3~\xfd\x85}\xfc,\xe1+1Z\x8a\xe3P!\xd6\xa8$\x1at\xe3\x8du1>\xcd\x02\x1c\xd1\xff\xdc"\xe4\xbc8\xb2\xa6\xcf\x8bm\x8fQ\x06\xa9\x93\xcb\xf2\xdeV\t\x1b\xc67-`\x05u<\xfcNkL\x1c\xe3u\x96\xb6\xdcc\x189\xb9)TuHe\x01\xc9\x94\xf5Kh\x1b\xe9\xd4uJg\x05\xd1\xa4\x95\x85b\x0f\xd1\xa4\x95\xdc\xb9\x92\xd3\xd2\xc6f\xf7\xe9\xa9q\xec\x05\xc2\x9fA~\xfd1.Y\xdd\x8d>Z\x96\xbf\x9f\x85\x89\xc1%\x81\x8d\xa2;G\xe5O\xfe\xbb\xdcP\x05\xcd\x02\x1c\xd1\xc0\x9d\xa0\xe4\xbc~\xf82\xe7\x83\x85\xfc>[\xcd\x8f\x12f\x8a\x14\xc2\xe9\xd3r\xdd\xba\xaf', 0]
可以发现,前面很像 python 的 const 表,中间像是 sys 表,最后像是一串字节码。
而从 1067 行(6375)开始的若干指令,则是在初始化虚拟机,如 `STORE_FAST 28` 存着一个栈,29 是个不知道是啥的表,30 是 program counter,31 是用来解密代码的东西,42 是当前指令。
手动把这些虚拟机代码翻译回 python,并加上输出指令的代码,得到:
import sys, hashlib
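# code.txt holds the decrypted structure printed by the previous script.
# SECURITY: eval() runs the file as Python source, and its content is derived
# from the sample under analysis.  Inspect it first; if it is a plain literal,
# ast.literal_eval parses it without executing anything.
with open('code.txt') as fh:
    a, cotbl, b, systbl, c, code, d = eval(fh.read())
pc = 0                  # VM program counter (index into ``code``)
strange = 17441 % 256   # rolling XOR key; reset to this value on every jump
print(len(code))
vm_flag = False         # only read by the RETURN_1 handler
s34 = None              # value handed to exit() when the VM program returns
arg = 0                 # operand of the current instruction, 0 between instructions
stack = []              # VM evaluation stack
table_B = []            # (tag, target pc, stack depth) records pushed by opcodes 72 and 242
known = {}              # VM offset -> DEBUG() arguments, written out by dump()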
def DEBUG(id, *args):
    """Record the decoded instruction *args* under VM offset *id*.

    The trace accumulates in ``known`` and is written out by dump().  Change
    the constant below to a true value to also echo each instruction as it
    executes.
    """
    if 0:
        print(' '.join(map(str, (id,) + args)))
    known[id] = args
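def dump():
    """Write the collected instruction trace to ``fin.txt``, ordered by offset.

    Each line is the VM offset, four spaces, then the space-joined DEBUG()
    arguments.  Iterating ``sorted(known)`` instead of a fixed range(10000)
    gives the same output for small programs and no longer drops
    instructions at offsets of 10000 or more.
    """
    lines = []
    for offset in sorted(known):
        lines.append(str(offset) + ' ' * 4 + ' '.join(map(str, known[offset])) + '\n')
    # Context manager so the trace is flushed even though the caller is about
    # to terminate the process.
    with open('fin.txt', 'w') as out:
        out.write(''.join(lines))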
# Main interpreter loop: a hand translation of the protector's bytecode VM,
# instrumented so every executed instruction is logged through DEBUG().
# NOTE(review): this is not a static disassembler.  CALL invokes real Python
# callables, IMPORT_NAME calls __import__ and LOAD_GLOBAL resolves any
# builtin, so the embedded program really runs with this process's
# privileges.  Use it only in a disposable, isolated environment.
while True:
    oldpc = pc
    # The opcode byte is XORed with the rolling key; the key then advances
    # by the raw (still encrypted) byte.
    cur_inst = ord(code[pc]) ^ strange
    strange = (strange + ord(code[pc])) % 256
    pc += 1
    # --- opcodes without an operand ---------------------------------------
    if cur_inst == 133: # ref 1375 460
        DEBUG(oldpc, 'SLICE+3')
        a43 = stack.pop()
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9[a44:a43])
    elif cur_inst == 41: # ref 1427 2180
        DEBUG(oldpc, 'BINARY_ADD')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9 + a44)
    elif cur_inst == 238: # ref 1449 4408
        DEBUG(oldpc, 'BINARY_SUBTRACT')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9 - a44)
    elif cur_inst == 154: # ref 1471 6114
        DEBUG(oldpc, 'PRINT_EXPR')
        print stack.pop()
    elif cur_inst == 212: # ref 1481 6142
        DEBUG(oldpc, 'GET_ITER')
        a9 = stack.pop()
        stack.append(iter(a9))
    elif cur_inst == 93: # ref 1499 6938
        DEBUG(oldpc, 'BINARY_RSHIFT')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9 >> a44)
    elif cur_inst == 194: # ref 1521 7326
        DEBUG(oldpc, 'RETURN_1')
        # NOTE(review): vm_flag is never set to True in this listing, so only
        # the else branch further down is reached here.
        if vm_flag == True:
            # Discard table_B records until one tagged 222 is on top (or the
            # table is empty), trimming the stack to each recorded depth.
            while True: # 7350 SETUP_LOOP 276 (to 7629)
                if len(table_B) > 0: # 3761 JUMP_IF_FALSE_OR_POP 5873
                    t = table_B[-1][0] != 222
                    if t: # 5873 POP_JUMP_IF_FALSE 8170
                        tmp = table_B[-1][2]
                        stack = stack[:tmp] # 5891 STORE_FAST 28 (stack)
                        table_B.pop()
                    else:
                        break
                else:
                    break
            # here 7629 LOAD_GLOBAL 19 (len)
            if len(table_B) > 0: # 7644 POP_JUMP_IF_FALSE 8174
                # Resume at the recorded target with a fresh key.
                strange = 17441 % 256 # 7654 STORE_FAST 31 (strange)
                tmp = table_B[-1][2]
                stack = stack[:tmp] # 7672 STORE_FAST 28 (stack)
                pc = table_B[-1][1]
                table_B.pop()
            else:
                print 'exit'
                exit(s34)
        else:
            # Re-raise an exception object sitting second from the top.
            if len(stack) >= 3: # 8393 JUMP_IF_FALSE_OR_POP 2031
                if isinstance(stack[-2], Exception): # 2031 POP_JUMP_IF_FALSE 4049
                    a9 = stack.pop()
                    a44 = stack.pop()
                    a43 = stack.pop()
                    raise a44
    elif cur_inst == 172: # ref 1634 5449
        DEBUG(oldpc, 'BINARY_MODULO')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9 % a44)
    elif cur_inst == 255: # ref 1656 6312
        DEBUG(oldpc, 'BINARY_XOR')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9 ^ a44)
    elif cur_inst == 132: # ref 1678 6548
        DEBUG(oldpc, 'BINARY_SUBSCR')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9[a44])
    elif cur_inst == 240: # ref 1700 7009
        DEBUG(oldpc, 'INPLACE_ADD')
        a44 = stack.pop()
        a9 = stack.pop()
        stack.append(a9 + a44) # inplace add
    elif cur_inst == 62: # ref 1724 7236
        DEBUG(oldpc, 'PRINT_NEWLINE')
        print
    elif cur_inst == 236: # ref 1732 7601
        DEBUG(oldpc, 'POP_TOP')
        stack.pop()
    elif cur_inst == 224: # ref 1743 7729
        DEBUG(oldpc, 'RETURN_2')
        # Return with a value: remember it, then unwind table_B exactly as
        # the vm_flag branch of RETURN_1 does.
        s34 = stack.pop()
        s33 = True  # NOTE(review): assigned but never read in this listing
        # NOTE(review): only tags 72 and 242 are ever pushed in this listing,
        # so this loop empties table_B and the exit branch below is taken.
        while True:
            if len(table_B) > 0:
                t = table_B[-1][0] != 222
                if t:
                    tmp = table_B[-1][2]
                    stack = stack[:tmp]
                    table_B.pop()
                else:
                    break
            else:
                break
        if len(table_B) > 0:
            strange = 17441 % 256
            tmp = table_B[-1][2]
            stack = stack[:tmp]
            pc = table_B[-1][1]
            table_B.pop()
        else:
            print 'exit'
            exit(s34)
    elif cur_inst == 111: # ref 1825 8344
        DEBUG(oldpc, 'TABLE_B_POP')
        table_B.pop()
    else:
        # --- opcodes with a 16-bit operand --------------------------------
        # Low byte first, then high byte; each is decrypted with the rolling
        # key, which advances by the raw byte after every read.
        assert arg == 0
        arg = ((arg << 16) + ord(code[pc])) ^ strange
        strange = (strange + ord(code[pc])) % 256
        pc += 1
        arg = arg + ((ord(code[pc]) ^ strange) << 8)
        strange = (strange + ord(code[pc])) % 256
        pc += 1
        if cur_inst == 127: # ref 1888 8539
            DEBUG(oldpc, 'CALL'.ljust(20, ' '), arg)
            # High byte: number of keyword pairs; low byte: positional count.
            a45 = (arg & 65280) >> 8
            a46 = arg & 255
            a47 = {}
            a48 = []
            for i in range(0, a45):
                a49 = stack.pop()
                a50 = stack.pop()
                a47[a50] = a49
            for i in range(0, a46):
                a48.insert(0, stack.pop())
            a51 = stack.pop()
            a38 = []  # unused in this listing
            a39 = []  # unused in this listing
            # Flush the trace before the program terminates the process.
            if a51 == sys.exit:
                dump()
            # NOTE(review): this really calls the target with the program's
            # own arguments -- nothing is emulated or filtered.
            stack.append(a51(*a48, **a47))
            arg = 0
        elif cur_inst == 72: # ref 2165 6252
            DEBUG(oldpc, 'TABLE_B_ADD_72'.ljust(20, ' '), arg)
            # Record (tag, relative target, current stack depth).
            table_B.append((72, arg + pc, len(stack)))
            arg = 0
        elif cur_inst == 221: # ref 2186 7074
            DEBUG(oldpc, 'LOAD_CONST'.ljust(20, ' '), str(arg).ljust(4, ' '), repr(cotbl[arg]))
            stack.append(cotbl[arg])
            arg = 0
        elif cur_inst == 148: # ref 2202 7172
            DEBUG(oldpc, 'FOR_ITER'.ljust(20, ' '), arg)
            a9 = stack.pop()
            try:
                a44 = a9.next()
                stack.append(a9)
                stack.append(a44)
            # NOTE(review): the bare except treats any error from next() as
            # exhaustion, not only StopIteration.
            except:
                strange = 17441 % 256
                pc += arg
            arg = 0
        elif cur_inst == 253: # ref 2233 7456
            DEBUG(oldpc, 'POP_JUMP_IF_TRUE'.ljust(20, ' '), arg)
            a9 = stack.pop()
            if a9:
                # Every taken jump resets the rolling key.
                strange = 17441 % 256
                pc = arg
            arg = 0
        elif cur_inst == 254: # ref 2256 7781
            DEBUG(oldpc, 'LIST_APPEND'.ljust(20, ' '), arg)
            # The list is looked up before the value is popped, hence -arg - 1.
            a9 = stack[-arg - 1]
            a44 = stack.pop()
            list.append(a9, a44)
            arg = 0
        elif cur_inst == 123: # ref 2282 8099
            DEBUG(oldpc, 'LOAD_ATTR'.ljust(20, ' '), str(arg).ljust(4, ' '), systbl[arg])
            a53 = systbl[arg]
            arg = 0
            stack.append(getattr(stack.pop(), a53))
        elif cur_inst == 197: # ref 2305 8201
            DEBUG(oldpc, 'JUMP_ABSOLUTE'.ljust(20, ' '), arg)
            strange = 17441 % 256
            pc = arg
            arg = 0
        elif cur_inst == 229: # ref 2320 8254
            DEBUG(oldpc, 'COMPARE_OP'.ljust(20, ' '), arg)
            a44 = stack.pop()
            a9 = stack.pop()
            # The operand selects the comparison; an operand above 10 pushes
            # nothing.
            if arg == 0:
                stack.append(a9 < a44)
            elif arg == 1:
                stack.append(a9 <= a44)
            elif arg == 2:
                stack.append(a9 == a44)
            elif arg == 3:
                stack.append(a9 != a44)
            elif arg == 4:
                stack.append(a9 > a44)
            elif arg == 5:
                stack.append(a9 >= a44)
            elif arg == 6:
                stack.append(a9 in a44)
            elif arg == 7:
                stack.append(a9 not in a44)
            elif arg == 8:
                stack.append(a9 is a44)
            elif arg == 9:
                stack.append(a9 is not a44)
            elif arg == 10:
                stack.append(isinstance(a9, a44))
            arg = 0
        elif cur_inst == 242: # ref 2350 8689
            DEBUG(oldpc, 'TABLE_B_ADD_242'.ljust(20, ' '), arg)
            table_B.append((242, arg + pc, len(stack)))
            arg = 0
        elif cur_inst == 94: # ref 2371 8754
            DEBUG(oldpc, 'DEL_LIST'.ljust(20, ' '), arg)
            # Pushes the first ``arg`` items of the popped sequence, last item
            # first, so the first item ends up on top of the stack.
            a54 = list(stack.pop()[:arg])
            for i in range(arg):
                stack.append(a54.pop())
            arg = 0
        elif cur_inst == 66: # ref 2410 8896
            DEBUG(oldpc, 'BUILD_LIST'.ljust(20, ' '), arg)
            a54 = []
            for i in range(arg):
                a54.insert(0, stack.pop())
            stack.append(a54)
            arg = 0
        elif cur_inst == 182: # ref 2448 8958
            DEBUG(oldpc, 'POP_JUMP_IF_FALSE'.ljust(20, ' '), arg)
            a9 = stack.pop()
            a9 = not a9
            if a9:
                strange = 17441 % 256
                pc = arg
            arg = 0
        elif cur_inst == 234: # ref 2470 9020
            DEBUG(oldpc, 'LOAD_GLOBAL'.ljust(20, ' '), str(arg).ljust(4, ' '), systbl[arg])
            a53 = systbl[arg]
            arg = 0
            # Lookup order: this script's namespace first, then builtins.
            if locals().has_key(a53):
                stack.append(locals()[a53])
            elif globals().has_key(a53):
                stack.append(globals()[a53])
            elif a53 in dir(__builtins__):
                stack.append(getattr(__builtins__, a53))
            else:
                assert False
        elif cur_inst == 2: # ref 2499 9163
            DEBUG(oldpc, 'JUMP_ADD'.ljust(20, ' '), str(arg).ljust(4, ' '), '->', arg + pc)
            strange = 17441 % 256
            pc += arg
            arg = 0
        elif cur_inst == 21: # ref 2515 9207
            DEBUG(oldpc, 'IMPORT_NAME'.ljust(20, ' '), arg)
            a53 = systbl[arg]
            a44 = stack.pop()
            a43 = stack.pop()
            # NOTE(review): imports whatever module name the program asks for.
            a9 = __import__(a53, globals(), locals(), a44, a43)
            stack.append(a9)
            arg = 0
        elif cur_inst == 203: # ref 2551 9325
            DEBUG(oldpc, 'STORE_GLOBAL'.ljust(20, ' '), str(arg).ljust(4, ' '), systbl[arg])
            a53 = systbl[arg]
            val = stack.pop()
            # NOTE(review): at module level locals() is the module namespace,
            # so the program's globals share one dict with this script's own
            # variables (pc, stack, code, ...).  A dedicated dict would rule
            # out name clashes.
            locals()[a53] = val
            arg = 0
        elif cur_inst == 52: # ref 2571 9397
            DEBUG(oldpc, 'BUILD_SLICE'.ljust(20, ' '), arg)
            if arg == 2:
                a44 = stack.pop()
                a9 = stack.pop()
                stack.append(slice(a9, a44))
            elif arg == 3:
                a43 = stack.pop()
                a44 = stack.pop()
                a9 = stack.pop()
                stack.append(slice(a9, a44, a43))
            arg = 0
        else:
            raise RuntimeError('unknown opcode')
查看输出的代码,可以看出,输入长度需要是 64。之后可以发现调用了 md5 等函数。
0 JUMP_ABSOLUTE 352
6 FOR_ITER 927
9 STORE_GLOBAL 15 l1
12 LOAD_GLOBAL 14 chr
15 LOAD_GLOBAL 15 l1
18 CALL 1
21 LIST_APPEND 2
24 JUMP_ABSOLUTE 6
32 FOR_ITER 1196
35 STORE_GLOBAL 15 l1
38 LOAD_GLOBAL 14 chr
41 LOAD_GLOBAL 15 l1
44 CALL 1
47 LIST_APPEND 2
50 JUMP_ABSOLUTE 32
79 FOR_ITER 551
82 STORE_GLOBAL 13 x
85 LOAD_GLOBAL 14 chr
88 LOAD_GLOBAL 7 ord
91 LOAD_GLOBAL 13 x
94 CALL 1
97 LOAD_CONST 36 37
100 BINARY_XOR
101 CALL 1
104 LIST_APPEND 2
107 JUMP_ABSOLUTE 79
118 FOR_ITER 712
121 STORE_GLOBAL 15 l1
124 LOAD_GLOBAL 14 chr
127 LOAD_GLOBAL 15 l1
130 CALL 1
133 LIST_APPEND 2
136 JUMP_ABSOLUTE 118
190 FOR_ITER 552
193 STORE_GLOBAL 15 l1
196 LOAD_GLOBAL 14 chr
199 LOAD_GLOBAL 15 l1
202 CALL 1
205 LIST_APPEND 2
208 JUMP_ABSOLUTE 190
233 FOR_ITER 1315
236 STORE_GLOBAL 15 l1
239 LOAD_GLOBAL 14 chr
242 LOAD_GLOBAL 15 l1
245 CALL 1
248 LIST_APPEND 2
251 JUMP_ABSOLUTE 233
270 FOR_ITER 891
273 STORE_GLOBAL 15 l1
276 LOAD_GLOBAL 14 chr
279 LOAD_GLOBAL 15 l1
282 CALL 1
285 LIST_APPEND 2
288 JUMP_ABSOLUTE 270
302 FOR_ITER 1205
305 STORE_GLOBAL 31 l1llllll
308 LOAD_GLOBAL 30 llll1lll
311 LOAD_GLOBAL 31 l1llllll
314 BINARY_SUBSCR
315 LOAD_GLOBAL 29 lllll1ll
318 LOAD_GLOBAL 31 l1llllll
321 BINARY_SUBSCR
322 COMPARE_OP 3
325 POP_JUMP_IF_FALSE 302
328 LOAD_CONST 81 'Good! But wrong answer, please try again!'
331 PRINT_EXPR
332 PRINT_NEWLINE
333 LOAD_GLOBAL 0 sys
336 LOAD_ATTR 8 exit
339 LOAD_CONST 0 -1
342 CALL 1
352 LOAD_CONST 0 -1
355 LOAD_CONST 1 None
358 IMPORT_NAME 0
361 STORE_GLOBAL 0 sys
364 LOAD_CONST 0 -1
367 LOAD_CONST 1 None
370 IMPORT_NAME 1
373 STORE_GLOBAL 1 hashlib
376 LOAD_CONST 2 '==--AVMPROTECTFUNCTION--=='
379 STORE_GLOBAL 2 AVM
382 LOAD_CONST 3 'bce0af39a797'
385 STORE_GLOBAL 3 flag
388 LOAD_GLOBAL 3 flag
391 LOAD_CONST 4 '9d8e9bcfe8d3'
394 LOAD_CONST 1 None
397 LOAD_CONST 1 None
400 LOAD_CONST 0 -1
403 BUILD_SLICE 3
406 BINARY_SUBSCR
407 INPLACE_ADD
408 STORE_GLOBAL 3 flag
411 LOAD_CONST 5 u'WARNING\xd7WARNING\xd7WARNING'
414 STORE_GLOBAL 2 AVM
417 LOAD_CONST 6 u'WARNING WARNING WARNING YOU'
420 STORE_GLOBAL 2 AVM
423 LOAD_CONST 7 u'Ba Ba Battle You Battle You Battle You'
426 STORE_GLOBAL 2 AVM
429 LOAD_CONST 8 u'(And watch out!)'
432 STORE_GLOBAL 2 AVM
435 LOAD_CONST 9 u'WARNING WARNING WARNING HELL'
438 STORE_GLOBAL 2 AVM
441 LOAD_CONST 10 u'Yeah you cannot die not at this time!'
444 STORE_GLOBAL 2 AVM
447 LOAD_CONST 11 u'WARNING!'
450 STORE_GLOBAL 2 AVM
453 LOAD_CONST 12 u'\u4f60\u5bf9\u6211\u6709\u4f55\u5c45\u5fc3\u5462\uff1f'
456 STORE_GLOBAL 2 AVM
459 LOAD_CONST 13 u'\u522b\u968f\u610f\u5730\u8fdb\u6765\u554a'
462 STORE_GLOBAL 2 AVM
465 LOAD_CONST 11 u'WARNING!'
468 STORE_GLOBAL 2 AVM
471 LOAD_CONST 14 u'\u975e\u5e38\u5371\u9669\u7684\u6c14\u606f'
474 STORE_GLOBAL 2 AVM
477 LOAD_CONST 15 u'\u7edd\u5bf9\u56de\u907f\u4e0d\u80fd\u7684\u5f39\u5e55'
480 STORE_GLOBAL 2 AVM
483 LOAD_CONST 11 u'WARNING!'
486 STORE_GLOBAL 2 AVM
489 LOAD_CONST 16 u'\u8981\u662f\u5c0f\u770b\u672c\u5a18\u7684\u8bdd'
492 STORE_GLOBAL 2 AVM
495 LOAD_CONST 17 u'\u4f60\u94c1\u5b9a\u4f1a\u4e0d\u505c\u5c1d\u5230BAD END'
498 STORE_GLOBAL 2 AVM
501 LOAD_CONST 18 u'\u4f60\u7684\u5fc3\u53ef\u662f\u4e00\u5b9a\u4f1a'
504 STORE_GLOBAL 2 AVM
507 LOAD_CONST 19 u'WARNING WARNING'
510 STORE_GLOBAL 2 AVM
513 LOAD_CONST 20 u'\u4e0d\u5f97\u4e0d\u8b66\u793a\u8b66\u62a5\u7684\u5427'
516 STORE_GLOBAL 2 AVM
519 LOAD_GLOBAL 4 raw_input
522 LOAD_CONST 21 'Input UR answer: '
525 CALL 1
528 STORE_GLOBAL 5 f1ag
531 LOAD_GLOBAL 3 flag
534 LOAD_CONST 22 '33c0691e3230d16fb434e5'
537 INPLACE_ADD
538 STORE_GLOBAL 3 flag
541 LOAD_GLOBAL 3 flag
544 LOAD_CONST 23 '8ce92dc3fe708e5b81a848'
547 LOAD_CONST 1 None
550 LOAD_CONST 1 None
553 LOAD_CONST 0 -1
556 BUILD_SLICE 3
559 BINARY_SUBSCR
560 INPLACE_ADD
561 STORE_GLOBAL 3 flag
564 LOAD_GLOBAL 6 len
567 LOAD_GLOBAL 5 f1ag
570 CALL 1
573 LOAD_GLOBAL 7 ord
576 LOAD_CONST 24 'k'
579 CALL 1
582 BINARY_ADD
583 LOAD_CONST 25 171
586 COMPARE_OP 4
589 POP_JUMP_IF_TRUE 161
592 LOAD_GLOBAL 6 len
595 LOAD_GLOBAL 5 f1ag
598 CALL 1
601 LOAD_GLOBAL 7 ord
604 LOAD_CONST 26 'e'
607 CALL 1
610 BINARY_ADD
611 LOAD_CONST 27 44
614 LOAD_GLOBAL 7 ord
617 LOAD_CONST 28 'y'
620 CALL 1
623 BINARY_ADD
624 COMPARE_OP 0
627 POP_JUMP_IF_FALSE 904
633 CALL 1
636 STORE_GLOBAL 3 flag
639 LOAD_CONST 37 u'\u8981\u662f\u4e0b\u5b9a\u51b3\u5fc3\u5c31\u6765\u5427'
642 STORE_GLOBAL 2 AVM
645 LOAD_CONST 38 u'\u6216\u8bb8\u4f1a\u611f\u5230\u5174\u594b'
648 STORE_GLOBAL 2 AVM
651 LOAD_CONST 39 u'\u6216\u662f\u6fc0\u52a8\u4e5f\u8bf4\u4e0d\u5b9a'
654 STORE_GLOBAL 2 AVM
657 LOAD_CONST 40 u'\u4e00\u8fb9\u611f\u5230\u65e0\u804a \u4e00\u8fb9\u5439\u7740\u53e3\u54e8'
660 STORE_GLOBAL 2 AVM
663 LOAD_CONST 41 u'\u771f\u4e0d\u9519\u5462 \u5355\u7eaf\u7684\u65cb\u5f8b'
666 STORE_GLOBAL 2 AVM
669 LOAD_CONST 42 u'\u672c\u5a18\u8fd8\u4f1a\u8fd8\u4f1a\u8fd8\u4f1a\u7ee7\u7eed\u4e0a\u5594!'
672 STORE_GLOBAL 2 AVM
675 LOAD_CONST 43 u'\u770b\u597d\u7ed9\u672c\u5a18\u66f4\u52a0\u66f4\u52a0\u5730\u8eb2\u5f00\u5427\uff01'
678 STORE_GLOBAL 2 AVM
681 LOAD_CONST 44 u'\u4f60\u6709\u591a\u5c11\u80fd\u8010\u5462\uff1f'
684 STORE_GLOBAL 2 AVM
687 LOAD_CONST 45 u'\u5bf9\u4e0a\u672c\u5a18\u70ed\u60c5\u5982\u706b\u7684\u7231\uff1f'
690 STORE_GLOBAL 2 AVM
693 LOAD_CONST 46 0
696 STORE_GLOBAL 15 l1
699 BUILD_LIST 0
702 STORE_GLOBAL 16 ll
705 LOAD_CONST 47 3
708 LOAD_CONST 48 1
711 LOAD_CONST 46 0
714 LOAD_CONST 49 2
717 BUILD_LIST 4
720 DEL_LIST 4
723 STORE_GLOBAL 17 ll1
726 STORE_GLOBAL 18 l1l
729 STORE_GLOBAL 19 l11
732 STORE_GLOBAL 20 l1ll
735 TABLE_B_ADD_72 681
738 LOAD_GLOBAL 5 f1ag
741 GET_ITER
742 JUMP_ABSOLUTE 989
745 CALL 1
748 LOAD_ATTR 11 encode
751 LOAD_CONST 31 'hex'
754 CALL 1
757 CALL 1
760 LOAD_ATTR 24 hexdigest
763 CALL 0
766 STORE_GLOBAL 29 lllll1ll
769 LOAD_GLOBAL 1 hashlib
772 LOAD_ATTR 23 md5
775 LOAD_CONST 35 ''
778 LOAD_ATTR 12 join
781 BUILD_LIST 0
784 LOAD_GLOBAL 16 ll
787 LOAD_CONST 72 16
790 LOAD_CONST 75 20
793 SLICE+3
794 LOAD_CONST 1 None
797 LOAD_CONST 1 None
800 LOAD_CONST 0 -1
803 BUILD_SLICE 3
806 BINARY_SUBSCR
807 GET_ITER
808 JUMP_ABSOLUTE 270
833 CALL 1
836 LOAD_ATTR 11 encode
839 LOAD_CONST 31 'hex'
842 CALL 1
845 CALL 1
848 LOAD_ATTR 24 hexdigest
851 CALL 0
854 STORE_GLOBAL 26 lllllll1
857 LOAD_GLOBAL 1 hashlib
860 LOAD_ATTR 23 md5
863 LOAD_CONST 35 ''
866 LOAD_ATTR 12 join
869 BUILD_LIST 0
872 LOAD_GLOBAL 16 ll
875 LOAD_CONST 50 4
878 LOAD_CONST 73 8
881 SLICE+3
882 GET_ITER
883 JUMP_ABSOLUTE 6
904 TABLE_B_ADD_242 931
907 LOAD_GLOBAL 3 flag
910 LOAD_ATTR 10 decode
913 LOAD_CONST 31 'hex'
916 CALL 1
919 STORE_GLOBAL 3 flag
922 TABLE_B_POP
923 JUMP_ADD 1246 -> 2172
936 CALL 1
939 LOAD_ATTR 11 encode
942 LOAD_CONST 31 'hex'
945 CALL 1
948 CALL 1
951 LOAD_ATTR 24 hexdigest
954 CALL 0
957 STORE_GLOBAL 27 ll1lllll
960 LOAD_GLOBAL 1 hashlib
963 LOAD_ATTR 23 md5
966 LOAD_CONST 35 ''
969 LOAD_ATTR 12 join
972 BUILD_LIST 0
975 LOAD_GLOBAL 16 ll
978 LOAD_CONST 74 24
981 LOAD_CONST 69 28
984 SLICE+3
985 GET_ITER
986 JUMP_ABSOLUTE 1088
989 FOR_ITER 796
992 STORE_GLOBAL 21 llll
995 LOAD_GLOBAL 15 l1
998 LOAD_CONST 50 4
1001 BINARY_MODULO
1002 LOAD_GLOBAL 17 ll1
1005 COMPARE_OP 2
1008 POP_JUMP_IF_FALSE 1715
1011 LOAD_GLOBAL 16 ll
1014 LOAD_ATTR 22 append
1017 LOAD_GLOBAL 7 ord
1020 LOAD_GLOBAL 21 llll
1023 CALL 1
1026 LOAD_GLOBAL 7 ord
1029 LOAD_GLOBAL 3 flag
1032 LOAD_GLOBAL 15 l1
1035 LOAD_CONST 50 4
1038 BINARY_RSHIFT
1039 LOAD_CONST 49 2
1042 BINARY_ADD
1043 BINARY_SUBSCR
1044 CALL 1
1047 BINARY_XOR
1048 LOAD_CONST 36 37
1051 BINARY_XOR
1052 CALL 1
1055 POP_TOP
1056 JUMP_ADD 656 -> 1715
1088 FOR_ITER 198
1091 STORE_GLOBAL 15 l1
1094 LOAD_GLOBAL 14 chr
1097 LOAD_GLOBAL 15 l1
1100 CALL 1
1103 LIST_APPEND 2
1106 JUMP_ABSOLUTE 1088
1109 FOR_ITER 496
1112 STORE_GLOBAL 15 l1
1115 LOAD_GLOBAL 15 l1
1118 LOAD_CONST 61 255
1121 BINARY_XOR
1122 LIST_APPEND 2
1125 JUMP_ABSOLUTE 1109
1164 CALL 1
1167 LOAD_ATTR 11 encode
1170 LOAD_CONST 31 'hex'
1173 CALL 1
1176 CALL 1
1179 LOAD_ATTR 24 hexdigest
1182 CALL 0
1185 STORE_GLOBAL 30 llll1lll
1188 LOAD_GLOBAL 1 hashlib
1191 LOAD_ATTR 23 md5
1194 LOAD_CONST 35 ''
1197 LOAD_ATTR 12 join
1200 BUILD_LIST 0
1203 LOAD_GLOBAL 16 ll
1206 LOAD_CONST 73 8
1209 LOAD_CONST 71 12
1212 SLICE+3
1213 GET_ITER
1214 JUMP_ABSOLUTE 32
1231 CALL 1
1234 LOAD_ATTR 11 encode
1237 LOAD_CONST 31 'hex'
1240 CALL 1
1243 CALL 1
1246 LOAD_ATTR 24 hexdigest
1249 CALL 0
1252 STORE_GLOBAL 31 l1llllll
1255 LOAD_GLOBAL 1 hashlib
1258 LOAD_ATTR 23 md5
1261 LOAD_CONST 35 ''
1264 LOAD_ATTR 12 join
1267 BUILD_LIST 0
1270 LOAD_GLOBAL 16 ll
1273 LOAD_CONST 75 20
1276 LOAD_CONST 74 24
1279 SLICE+3
1280 GET_ITER
1281 JUMP_ABSOLUTE 1518
1289 CALL 1
1292 LOAD_ATTR 11 encode
1295 LOAD_CONST 31 'hex'
1298 CALL 1
1301 CALL 1
1304 LOAD_ATTR 24 hexdigest
1307 CALL 0
1310 STORE_GLOBAL 28 ll1lll1l
1313 LOAD_GLOBAL 1 hashlib
1316 LOAD_ATTR 23 md5
1319 LOAD_CONST 35 ''
1322 LOAD_ATTR 12 join
1325 BUILD_LIST 0
1328 LOAD_GLOBAL 16 ll
1331 LOAD_CONST 46 0
1334 LOAD_CONST 50 4
1337 SLICE+3
1338 GET_ITER
1339 JUMP_ABSOLUTE 190
1360 FOR_ITER 450
1363 STORE_GLOBAL 27 ll1lllll
1366 LOAD_GLOBAL 27 ll1lllll
1369 LOAD_ATTR 34 isupper
1372 CALL 0
1375 POP_JUMP_IF_FALSE 1927
1419 LOAD_CONST 53 u'Burning!'
1422 STORE_GLOBAL 2 AVM
1425 LOAD_CONST 53 u'Burning!'
1428 STORE_GLOBAL 2 AVM
1431 LOAD_CONST 53 u'Burning!'
1434 STORE_GLOBAL 2 AVM
1437 LOAD_CONST 54 u'\u672c\u5a18\u597d\u5f00\u5fc3!'
1440 STORE_GLOBAL 2 AVM
1443 LOAD_CONST 53 u'Burning!'
1446 STORE_GLOBAL 2 AVM
1449 LOAD_CONST 55 u'\u4e0d\u5f97\u4e86?'
1452 STORE_GLOBAL 2 AVM
1455 LOAD_CONST 56 u'\u4f46\u662f, \u679c\u7136\u5f88\u5f00\u5fc3\u5427?'
1458 STORE_GLOBAL 2 AVM
1461 LOAD_CONST 57 u'*********************'
1464 STORE_GLOBAL 2 AVM
1467 LOAD_CONST 58 u'\u518d\u4e00\u6b21\u534e\u4e3d\u7684\u95ea\u8fc7\u5427!'
1470 STORE_GLOBAL 2 AVM
1473 LOAD_CONST 59 u'\u770b\u554a\u8fd8\u6709\u66f4\u591a\u66f4\u591a\u5594!'
1476 STORE_GLOBAL 2 AVM
1479 LOAD_CONST 60 u'\u90fd\u7ed9\u672c\u5a18\u786e\u5207\u5730\u95ea\u8fc7!'
1482 STORE_GLOBAL 2 AVM
1485 BUILD_LIST 0
1488 LOAD_GLOBAL 16 ll
1491 GET_ITER
1492 JUMP_ABSOLUTE 1109
1518 FOR_ITER 529
1521 STORE_GLOBAL 15 l1
1524 LOAD_GLOBAL 14 chr
1527 LOAD_GLOBAL 15 l1
1530 CALL 1
1533 LIST_APPEND 2
1536 JUMP_ABSOLUTE 1518
1551 CALL 1
1554 LOAD_ATTR 11 encode
1557 LOAD_CONST 31 'hex'
1560 CALL 1
1563 CALL 1
1566 LOAD_ATTR 24 hexdigest
1569 CALL 0
1572 STORE_GLOBAL 25 l1ll1lll
1575 LOAD_GLOBAL 1 hashlib
1578 LOAD_ATTR 23 md5
1581 LOAD_CONST 35 ''
1584 LOAD_ATTR 12 join
1587 BUILD_LIST 0
1590 LOAD_GLOBAL 16 ll
1593 LOAD_CONST 71 12
1596 LOAD_CONST 72 16
1599 SLICE+3
1600 GET_ITER
1601 JUMP_ABSOLUTE 118
1608 STORE_GLOBAL 16 ll
1611 LOAD_CONST 62 u'\u672c\u5a18\u88ab\u6253\u8fdb\u4e86\u7ed3\u5c40\uff01\uff1f'
1614 STORE_GLOBAL 2 AVM
1617 LOAD_CONST 53 u'Burning!'
1620 STORE_GLOBAL 2 AVM
1623 LOAD_CONST 53 u'Burning!'
1626 STORE_GLOBAL 2 AVM
1629 LOAD_CONST 53 u'Burning!'
1632 STORE_GLOBAL 2 AVM
1635 LOAD_CONST 63 u'\u672c\u5a18\u53ef\u4e0d\u80fd\u8f93!'
1638 STORE_GLOBAL 2 AVM
1641 LOAD_CONST 53 u'Burning!'
1644 STORE_GLOBAL 2 AVM
1647 LOAD_CONST 64 u'\u867d\u7136\u5f88\u4e0d\u7518\u5fc3'
1650 STORE_GLOBAL 2 AVM
1653 LOAD_CONST 65 u'\u4f46\u662f\u5f88\u5f00\u5fc3 WARNING!!!'
1656 STORE_GLOBAL 2 AVM
1659 LOAD_CONST 57 u'*********************'
1662 STORE_GLOBAL 2 AVM
1665 LOAD_CONST 66 u'\u672c\u5a18\u8b66\u544a\u4f60\uff0c\u8fd9\u662f\u4f60\u6700\u540e\u7684\u673a\u4f1a'
1668 STORE_GLOBAL 2 AVM
1671 LOAD_CONST 67 u'\u672c\u5a18\u8d85\u7ea7\u5730~\u5371\u9669\u3001\u72c2\u6c14'
1674 STORE_GLOBAL 2 AVM
1677 LOAD_CONST 68 u'\u800c\u4e14\u4f60\u65e0\u6cd5\u9003\u907f\u6211\u534e\u4e3d\u7684\u5f39\u5e55'
1680 STORE_GLOBAL 2 AVM
1683 LOAD_GLOBAL 1 hashlib
1686 LOAD_ATTR 23 md5
1689 LOAD_CONST 35 ''
1692 LOAD_ATTR 12 join
1695 BUILD_LIST 0
1698 LOAD_GLOBAL 16 ll
1701 LOAD_CONST 69 28
1704 LOAD_CONST 70 32
1707 SLICE+3
1708 GET_ITER
1709 JUMP_ABSOLUTE 233
1712 JUMP_ABSOLUTE 1360
1715 LOAD_GLOBAL 15 l1
1718 LOAD_CONST 50 4
1721 BINARY_MODULO
1722 LOAD_GLOBAL 18 l1l
1725 COMPARE_OP 2
1728 POP_JUMP_IF_FALSE 1863
1731 LOAD_GLOBAL 16 ll
1734 LOAD_ATTR 22 append
1737 LOAD_GLOBAL 7 ord
1740 LOAD_GLOBAL 21 llll
1743 CALL 1
1746 LOAD_GLOBAL 7 ord
1749 LOAD_GLOBAL 3 flag
1752 LOAD_GLOBAL 15 l1
1755 LOAD_CONST 50 4
1758 BINARY_RSHIFT
1759 LOAD_CONST 48 1
1762 BINARY_ADD
1763 BINARY_SUBSCR
1764 CALL 1
1767 BINARY_XOR
1768 LOAD_CONST 51 94
1771 BINARY_XOR
1772 CALL 1
1775 POP_TOP
1776 JUMP_ADD 84 -> 1863
1788 TABLE_B_POP
1789 JUMP_ABSOLUTE 1419
1813 TABLE_B_POP
1814 JUMP_ABSOLUTE 2215
1863 LOAD_GLOBAL 15 l1
1866 LOAD_CONST 50 4
1869 BINARY_MODULO
1870 LOAD_GLOBAL 19 l11
1873 COMPARE_OP 2
1876 POP_JUMP_IF_FALSE 1980
1879 LOAD_GLOBAL 16 ll
1882 LOAD_ATTR 22 append
1885 LOAD_GLOBAL 7 ord
1888 LOAD_GLOBAL 21 llll
1891 CALL 1
1894 LOAD_GLOBAL 7 ord
1897 LOAD_GLOBAL 3 flag
1900 LOAD_GLOBAL 15 l1
1903 LOAD_CONST 50 4
1906 BINARY_RSHIFT
1907 LOAD_CONST 47 3
1910 BINARY_ADD
1911 BINARY_SUBSCR
1912 CALL 1
1915 BINARY_XOR
1916 LOAD_CONST 52 204
1919 BINARY_XOR
1920 CALL 1
1923 POP_TOP
1924 JUMP_ADD 53 -> 1980
1927 LOAD_GLOBAL 27 ll1lllll
1930 LOAD_ATTR 35 islower
1933 CALL 0
1936 POP_JUMP_IF_FALSE 2329
1939 LOAD_GLOBAL 27 ll1lllll
1942 LOAD_CONST 78 'm'
1945 COMPARE_OP 1
1948 POP_JUMP_IF_FALSE 1135
1951 LOAD_GLOBAL 30 llll1lll
1954 LOAD_GLOBAL 14 chr
1957 LOAD_GLOBAL 7 ord
1960 LOAD_GLOBAL 27 ll1lllll
1963 CALL 1
1966 LOAD_CONST 77 13
1969 BINARY_ADD
1970 CALL 1
1973 INPLACE_ADD
1974 STORE_GLOBAL 30 llll1lll
1977 JUMP_ABSOLUTE 1712
1980 LOAD_GLOBAL 15 l1
1983 LOAD_CONST 50 4
1986 BINARY_MODULO
1987 LOAD_GLOBAL 20 l1ll
1990 COMPARE_OP 2
1993 POP_JUMP_IF_FALSE 2194
1996 LOAD_GLOBAL 16 ll
1999 LOAD_ATTR 22 append
2002 LOAD_GLOBAL 7 ord
2005 LOAD_GLOBAL 21 llll
2008 CALL 1
2011 LOAD_GLOBAL 7 ord
2014 LOAD_GLOBAL 3 flag
2017 LOAD_GLOBAL 15 l1
2020 LOAD_CONST 50 4
2023 BINARY_RSHIFT
2024 BINARY_SUBSCR
2025 CALL 1
2028 BINARY_XOR
2029 LOAD_CONST 25 171
2032 BINARY_XOR
2033 CALL 1
2036 POP_TOP
2037 JUMP_ADD 154 -> 2194
2050 CALL 1
2053 LOAD_ATTR 11 encode
2056 LOAD_CONST 31 'hex'
2059 CALL 1
2062 CALL 1
2065 LOAD_ATTR 24 hexdigest
2068 CALL 0
2071 STORE_GLOBAL 32 llllll1l
2074 LOAD_GLOBAL 25 l1ll1lll
2077 LOAD_GLOBAL 26 lllllll1
2080 BINARY_ADD
2081 LOAD_GLOBAL 27 ll1lllll
2084 BINARY_ADD
2085 LOAD_GLOBAL 28 ll1lll1l
2088 BINARY_ADD
2089 LOAD_GLOBAL 29 lllll1ll
2092 BINARY_ADD
2093 LOAD_GLOBAL 30 llll1lll
2096 BINARY_ADD
2097 LOAD_GLOBAL 31 l1llllll
2100 BINARY_ADD
2101 LOAD_GLOBAL 32 llllll1l
2104 BINARY_ADD
2105 STORE_GLOBAL 33 l1l11lll
2108 LOAD_CONST 42 u'\u672c\u5a18\u8fd8\u4f1a\u8fd8\u4f1a\u8fd8\u4f1a\u7ee7\u7eed\u4e0a\u5594!'
2111 STORE_GLOBAL 2 AVM
2114 LOAD_CONST 43 u'\u770b\u597d\u7ed9\u672c\u5a18\u66f4\u52a0\u66f4\u52a0\u5730\u8eb2\u5f00\u5427\uff01'
2117 STORE_GLOBAL 2 AVM
2120 LOAD_CONST 44 u'\u4f60\u6709\u591a\u5c11\u80fd\u8010\u5462\uff1f'
2123 STORE_GLOBAL 2 AVM
2126 LOAD_CONST 45 u'\u5bf9\u4e0a\u672c\u5a18\u70ed\u60c5\u5982\u706b\u7684\u7231\uff1f'
2129 STORE_GLOBAL 2 AVM
2132 LOAD_CONST 57 u'*********************'
2135 STORE_GLOBAL 2 AVM
2138 LOAD_CONST 58 u'\u518d\u4e00\u6b21\u534e\u4e3d\u7684\u95ea\u8fc7\u5427!'
2141 STORE_GLOBAL 2 AVM
2144 LOAD_CONST 59 u'\u770b\u554a\u8fd8\u6709\u66f4\u591a\u66f4\u591a\u5594!'
2147 STORE_GLOBAL 2 AVM
2150 LOAD_CONST 60 u'\u90fd\u7ed9\u672c\u5a18\u786e\u5207\u5730\u95ea\u8fc7!'
2153 STORE_GLOBAL 2 AVM
2156 LOAD_CONST 35 ''
2159 STORE_GLOBAL 30 llll1lll
2162 TABLE_B_ADD_72 50
2165 LOAD_GLOBAL 33 l1l11lll
2168 GET_ITER
2169 JUMP_ABSOLUTE 1360
2172 TABLE_B_ADD_242 134
2175 LOAD_GLOBAL 3 flag
2178 LOAD_ATTR 11 encode
2181 LOAD_CONST 33 'base64'
2184 CALL 1
2187 STORE_GLOBAL 3 flag
2190 TABLE_B_POP
2191 JUMP_ADD 192 -> 2386
2194 LOAD_GLOBAL 15 l1
2197 LOAD_CONST 48 1
2200 INPLACE_ADD
2201 STORE_GLOBAL 15 l1
2204 JUMP_ABSOLUTE 989
2215 LOAD_CONST 79 'ps1q6r14s2sn8o8o1n5982rq31o33143p52337s9870snq1r0rrr9s04qr58q9n53pq187q467p0949o8803r10909p332413oo3oq914847qo0n29qo81n1s90pq0330os586rr929r34884rqo351s6660q2ss8113923n911555s62sq3p3os78039o7q024pp03r8os0083r856599095ror8pr7op04r6oq485q3s558o4n39qrpn1n43o2'
2218 STORE_GLOBAL 29 lllll1ll
2221 LOAD_CONST 62 u'\u672c\u5a18\u88ab\u6253\u8fdb\u4e86\u7ed3\u5c40\uff01\uff1f'
2224 STORE_GLOBAL 2 AVM
2227 LOAD_CONST 53 u'Burning!'
2230 STORE_GLOBAL 2 AVM
2233 LOAD_CONST 53 u'Burning!'
2236 STORE_GLOBAL 2 AVM
2239 LOAD_CONST 53 u'Burning!'
2242 STORE_GLOBAL 2 AVM
2245 LOAD_CONST 80 u'\u672c\u5a18\u5f88\u5f00\u5fc3!'
2248 STORE_GLOBAL 2 AVM
2251 LOAD_CONST 53 u'Burning!'
2254 STORE_GLOBAL 2 AVM
2257 LOAD_CONST 64 u'\u867d\u7136\u5f88\u4e0d\u7518\u5fc3'
2260 STORE_GLOBAL 2 AVM
2263 LOAD_CONST 65 u'\u4f46\u662f\u5f88\u5f00\u5fc3 WARNING!!!'
2266 STORE_GLOBAL 2 AVM
2269 TABLE_B_ADD_72 70
2272 LOAD_GLOBAL 36 range
2275 LOAD_CONST 46 0
2278 LOAD_GLOBAL 6 len
2281 LOAD_GLOBAL 30 llll1lll
2284 CALL 1
2287 CALL 2
2290 GET_ITER
2291 JUMP_ABSOLUTE 302
2329 LOAD_GLOBAL 30 llll1lll
2332 LOAD_GLOBAL 27 ll1lllll
2335 INPLACE_ADD
2336 STORE_GLOBAL 30 llll1lll
2339 JUMP_ABSOLUTE 1712
2386 TABLE_B_ADD_242 38
2389 LOAD_GLOBAL 5 f1ag
2392 LOAD_ATTR 10 decode
2395 LOAD_CONST 31 'hex'
2398 CALL 1
2401 STORE_GLOBAL 5 f1ag
2404 TABLE_B_POP
2405 JUMP_ADD 34 -> 2442
2442 LOAD_CONST 35 ''
2445 LOAD_ATTR 12 join
2448 BUILD_LIST 0
2451 LOAD_GLOBAL 3 flag
2454 GET_ITER
2455 JUMP_ABSOLUTE 79
通过在函数调用处输出参数,可以发现:输入被拆成 8 个部分,每个部分和一些内置值异或一下,然后求 md5。最后把各部分的结果拼起来,必须等于程序里指定的值。
每个部分是长度为 8 的 hex 串,也就是 4 个字节,每段只有 2^32 种可能,而且各段的 md5 是分别计算的、互不影响,所以不难逐段爆破。爆破完,还原输入,就得到了答案。
tql