
@gugutt
Last active January 8, 2023 03:50
writeup

Writeup

首先运行一下 python ether_v2.py,这个程序需要输一串东西,而输各种东西都只能看到一个 You are too vegetable please try again!。试图劫持各种函数,也发现对获取程序逻辑没有太大帮助,那么还是老老实实看字节码吧。

试着反编译了一下,但是也出错。把 dis 模块的代码拷过来调试,发现程序一开始就是个大跳转,而很多不会被执行的地方也有很多非法指令。可以按照跳转的顺序输出字节码,就能得到比较容易分析的结果了。

import marshal
from opcode import *

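# Load the module-level code object of the protected sample.
# A Python 2 .pyc begins with an 8-byte header (4-byte magic number followed
# by a 4-byte mtime); the marshalled code object starts right after it.
# NOTE: marshal is not hardened against malformed input, so parse the sample
# inside an isolated analysis VM rather than on a workstation.
with open('../ether_v2.pyc', 'rb') as f:
	f.read(8)
	co = marshal.load(f)
# Raw bytecode string that work() indexes byte by byte.
code = co.co_code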


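def work(i):
	"""Disassemble the single instruction at byte offset ``i`` of ``code``.

	Reads the module-level ``code`` (bytecode string) and ``co`` (code object).
	The stock ``dis`` walks the bytes linearly, which fails on this sample
	because unreachable regions hold invalid opcodes; this helper decodes one
	instruction and reports where control can go next, so the caller can
	follow the control flow instead.

	Returns a 3-tuple ``(text, successors, length)``:
	  * ``text``       -- one formatted disassembly line,
	  * ``successors`` -- one or two byte offsets that may execute next,
	  * ``length``     -- 1 for argument-less opcodes, 3 otherwise.

	Raises AssertionError when it meets a jump opcode it has no rule for.
	"""
	op = ord(code[i])
	res = repr(i).rjust(4) + ' ' + opname[op].ljust(20) + ' '
	i += 1
	if op >= HAVE_ARGUMENT:
		# Python 2 bytecode: a 16-bit little-endian operand follows the opcode.
		oparg = ord(code[i]) + ord(code[i + 1]) * 256
		i += 2
		# EXTENDED_ARG is printed like any other opcode; its value is not
		# folded into the operand of the following instruction.
		res += repr(oparg).rjust(5) + ' '
		if op in hasconst:
			if oparg < len(co.co_consts):
				res += '(' + repr(co.co_consts[oparg]) + ') '
			else:
				res += '(invalid_const) '
		elif op in hasname:
			if oparg < len(co.co_names):
				res += '(' + co.co_names[oparg] + ') '
			else:
				res += '(invalid_name) '
		elif op in hasjrel:
			res += '(to ' + repr(i + oparg) + ') '
		elif op in haslocal:
			pass
		elif op in hascompare:
			if oparg < len(cmp_op):
				res += '(' + cmp_op[oparg] + ') '
			else:
				res += '(invalid_cmp_op) '
		elif op in hasfree:
			# Fix: the original tested a local ``free`` that was never
			# initialised, which raised UnboundLocalError on the first
			# closure-variable opcode. Build the table here instead.
			free = co.co_cellvars + co.co_freevars
			if oparg < len(free):
				res += '(' + free[oparg] + ') '
			else:
				res += '(invalid_free) '

	# Successor offsets: fall-through first, then the branch target if any.
	name = opname[op]
	nextop = [i]
	if name == 'JUMP_ABSOLUTE':
		nextop = [oparg]
	elif name == 'JUMP_FORWARD':
		nextop = [oparg + i]
	elif name in ('FOR_ITER', 'SETUP_LOOP', 'SETUP_EXCEPT'):
		# Relative target, measured from the end of this instruction.
		nextop.append(i + oparg)
	elif name in ('JUMP_IF_FALSE_OR_POP', 'JUMP_IF_TRUE_OR_POP', 'POP_JUMP_IF_FALSE'):
		# Absolute target.
		nextop.append(oparg)
	elif 'JUMP' in name or 'to ' in res:
		# A control-flow opcode with no rule above: stop rather than follow
		# a wrong edge. Raised explicitly so it also fires under ``-O``.
		print(res)
		raise AssertionError('unhandled jump opcode: ' + res)
	return res, nextop, 1 + 2 * (op >= HAVE_ARGUMENT)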


# Print the bytecode in control-flow order instead of file order.
# q  : offsets reached by fall-through or unconditional jumps (FIFO).
# q2 : second successors returned by work(); newest is taken first, and
#      only once q is empty.
# mp : offset -> disassembly text for every instruction already printed.
#      Offset 6371 is pre-marked so the walk stops there.
q = [0]
q2 = []
mp = {6371: 1}
lst = 0
while q or q2:
	t = q.pop(0) if q else q2.pop(0)
	if t in mp:
		continue
	a, b, c = work(t)
	# Blank line whenever the walk lands somewhere that is not the
	# immediately adjacent instruction, to separate the printed runs.
	if abs(t - lst) > 3:
		print('')
	lst = t
	print(a)
	mp[t] = a
	assert 1 <= len(b) <= 2
	if b[0] not in mp:
		q.append(b[0])
	if len(b) > 1 and b[1] not in mp:
		q2.insert(0, b[1])

得到的字节码顺序就比较可读了。在前几百行,有几个类似这样的块

4508 LOAD_FAST                9 
4511 UNARY_NEGATIVE       
4512 LOAD_CONST              38 (3) 
4515 UNARY_INVERT         
4516 BINARY_AND           
4517 POP_JUMP_IF_FALSE     6051 
4520 LOAD_GLOBAL             11 (SystemError) 
4523 LOAD_CONST               6 ('') 
4526 LOAD_ATTR               12 (join) 
4529 BUILD_LIST               0 
4532 LOAD_CONST               7 (152) 
4535 LOAD_CONST               8 (57) 
4538 LOAD_CONST               9 (117) 
4541 LOAD_CONST              10 (116) 
4544 LOAD_CONST              11 (123) 
4547 LOAD_CONST              12 (100) 
4550 LOAD_CONST              13 (118) 
4553 LOAD_CONST              13 (118) 
4556 LOAD_CONST              10 (116) 
4559 LOAD_CONST              14 (107) 
4562 LOAD_CONST               8 (57) 
4565 LOAD_CONST              15 (113) 
4568 LOAD_CONST              16 (120) 
4571 LOAD_CONST              17 (106) 
4574 LOAD_CONST               8 (57) 
4577 LOAD_CONST              11 (123) 
4580 LOAD_CONST              10 (116) 
4583 LOAD_CONST              10 (116) 
4586 LOAD_CONST              18 (111) 
4589 LOAD_CONST               8 (57) 
4592 LOAD_CONST              19 (119) 
4595 LOAD_CONST              20 (110) 
4598 LOAD_CONST              12 (100) 
4601 LOAD_CONST              18 (111) 
4604 LOAD_CONST               9 (117) 
4607 LOAD_CONST               8 (57) 
4610 LOAD_CONST              14 (107) 
4613 LOAD_CONST              12 (100) 
4616 LOAD_CONST              18 (111) 
4619 LOAD_CONST              18 (111) 
4622 LOAD_CONST              21 (112) 
4625 LOAD_CONST              18 (111) 
4628 LOAD_CONST              13 (118) 
4631 LOAD_CONST               8 (57) 
4634 LOAD_CONST              21 (112) 
4637 LOAD_CONST              18 (111) 
4640 LOAD_CONST               8 (57) 
4643 LOAD_CONST              22 (96) 
4646 LOAD_CONST              20 (110) 
4649 LOAD_CONST              12 (100) 
4652 LOAD_CONST              14 (107) 
4655 LOAD_CONST               8 (57) 
4658 LOAD_CONST              17 (106) 
4661 LOAD_CONST              22 (96) 
4664 LOAD_CONST              17 (106) 
4667 LOAD_CONST              23 (101) 
4670 LOAD_CONST              10 (116) 
4673 LOAD_CONST              24 (108) 
4676 LOAD_CONST              25 (47) 
4679 LOAD_CONST               8 (57) 
4682 LOAD_CONST              26 (137) 
4685 LOAD_CONST              27 (109) 
4688 LOAD_CONST              10 (116) 
4691 LOAD_CONST              16 (120) 
4694 LOAD_CONST              17 (106) 
4697 LOAD_CONST              10 (116) 
4700 LOAD_CONST              28 (45) 
4703 LOAD_CONST               8 (57) 
4706 LOAD_CONST              12 (100) 
4709 LOAD_CONST              18 (111) 
4712 LOAD_CONST              27 (109) 
4715 LOAD_CONST              20 (110) 
4718 LOAD_CONST              16 (120) 
4721 LOAD_CONST               9 (117) 
4724 LOAD_CONST               8 (57) 
4727 LOAD_CONST              21 (112) 
4730 LOAD_CONST              23 (101) 
4733 LOAD_CONST               8 (57) 
4736 LOAD_CONST              19 (119) 
4739 LOAD_CONST              14 (107) 
4742 LOAD_CONST              20 (110) 
4745 LOAD_CONST              24 (108) 
4748 LOAD_CONST               8 (57) 
4751 LOAD_CONST              24 (108) 
4754 LOAD_CONST              10 (116) 
4757 LOAD_CONST              24 (108) 
4760 LOAD_CONST              20 (110) 
4763 LOAD_CONST              14 (107) 
4766 LOAD_CONST              22 (96) 
4769 LOAD_CONST               8 (57) 
4772 LOAD_CONST              16 (120) 
4775 LOAD_CONST              18 (111) 
4778 LOAD_CONST               9 (117) 
4781 LOAD_CONST               8 (57) 
4784 LOAD_CONST              14 (107) 
4787 LOAD_CONST              10 (116) 
4790 LOAD_CONST              17 (106) 
4793 LOAD_CONST              23 (101) 
4796 LOAD_CONST              16 (120) 
4799 LOAD_CONST              14 (107) 
4802 LOAD_CONST              23 (101) 
4805 LOAD_CONST              25 (47) 
4808 BUILD_LIST              92 
4811 GET_ITER             
4812 JUMP_ABSOLUTE         3955 

3955 FOR_ITER              1479 (to 5437) 
3958 STORE_FAST               8 
3961 LOAD_GLOBAL             13 (chr) 
3964 LOAD_FAST                8 
3967 LOAD_CONST              12 (100) 
3970 BINARY_ADD           
3971 LOAD_CONST              29 (189) 
3974 BINARY_XOR           
3975 CALL_FUNCTION            1 
3978 LIST_APPEND              2 
3981 JUMP_ABSOLUTE         3955 

把每个数加上 100 再异或 189 并转成字符,可以得到一条以 “A debugger” 开头的提示字符串,它被作为 SystemError 抛出,所以这部分大概是反调试。

从 995 行的 3220 LOAD_ATTR 28 (hexdigest) 开始,后面就不太容易看出在干啥了。

看了接下来的一部分代码,猜测 LOAD_FAST 20 是一个比较重要的变量。

可以通过下面的方法在 1058 行(4234 SETUP_EXCEPT 1614 (to 5851) )输出 LOAD_FAST 20 的结果:

import marshal
from hashlib import md5

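# Read the protected .pyc once: ``b`` keeps the complete file image that is
# patched later, ``code`` is the code object unmarshalled from it.
# NOTE: marshal is not hardened against malformed input; handle the sample in
# an isolated analysis VM.
with open('ether_v2.pyc', 'rb') as f:
	b = f.read()
# Skip the 8-byte Python 2 .pyc header (magic number + mtime).
code = marshal.loads(b[8:])
print(code)
a = code.co_code
# File offset of the module bytecode inside the .pyc image.
oa = b.find(a)
if oa < 0:
	# Without this check a failed search (-1) would make the later splice
	# write the patch at the wrong place and corrupt the file silently.
	raise ValueError('co_code not found in ether_v2.pyc')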


def throw_it(x):
	"""Return Python 2 bytecode, as a list of ints, that raises the value of a local.

	The 18 bytes encode ``raise SystemError(str(<fast local number x>))``, so
	the value shows up in the traceback when the patched file is run.
	The name indices 11 and 8 refer to the target's ``co_names`` table.
	"""
	lo, hi = x % 256, x // 256  # 16-bit little-endian operand
	return [
		116, 11, 0,   # LOAD_GLOBAL 11 (SystemError)
		116, 8, 0,    # LOAD_GLOBAL 8 (str)
		124, lo, hi,  # LOAD_FAST x
		131, 1, 0,    # CALL_FUNCTION 1
		131, 1, 0,    # CALL_FUNCTION 1
		130, 1, 0,    # RAISE_VARARGS 1
	]


def debug(x, y):
	"""Overwrite the bytecode at offset ``x`` with a stub that raises local ``y``.

	Works on the module-level list ``a`` (one character per bytecode byte) and
	replaces as many bytes as throw_it() returns, starting at ``x``.
	"""
	global a
	for offset, opbyte in enumerate(throw_it(y)):
		a[x + offset] = chr(opbyte)


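# Patch a mutable copy of the bytecode, then splice it back into the file
# image at the offset where the original bytecode was found.
a = list(a)

# Offset 4234 is the SETUP_EXCEPT instruction named in the write-up; the stub
# placed there raises fast local 20 so its value appears in the traceback.
debug(4234, 20)

a = ''.join(a)
b = b[:oa] + a + b[oa + len(a):]
# NOTE: patch.pyc still executes all of the protected code that precedes the
# patched offset, so run it only inside an isolated analysis VM.
with open('patch.pyc', 'wb') as out:
	out.write(b)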

执行 patch.pyc 就能得到结果:

Traceback (most recent call last):
  File "pyprotect.angelic47.com", line 3, in ProtectedCode
SystemError: 7yK�󈓣c�ĈK����s�   ==--AVM͕OT)=�ZϮз*Nżfʕӌ   bce0af39a797tЇ  U�syÂЅ�9Ϣ> WARNING×WARNING_їA>0�Rݕɣc�ݐ�ڡʇ WARNING WARNINGݞOU�XK�󢲃!`̓*�̥ You Battle You ߦtt �kEՕdzc�빍
ڌȷatch out!)u�   WޕNI"9kK۲ݪ-F̆
ƦώG HELLu%   Yeah 橵 ��%rՔ󇍊d̿$HǴ this time!u�   ̆RN%0=λԣc斱ϛQ�ȑ有何居心呢s۟uy~K��(x
񎍕đtW进来啊u�   非y߸梏�RGIgű�����绝对回避丑̤йG�6Z��K��是小看本娘熃谱�T�󠷞ĨxЮZr�ܚ不停尝到BAD݂ND�fK�󄮃ěo��hЦد一定会u�  ݐAR"7�[ܷұ-HƖ>੧ 不得不警示象拉ڑ؞0tѲ�둂ژӴ UR answer: t�  ܴ3c\Hr-ޓ⑓eڧ-לԴe5t�   8ce92dc3f񰰸	K)$ˁ옛uꒋ􃎫   t�   ei,   t�܇ y�YK�󹼖C`ڴk�Ƞvegetable pleaseݳryL�,}ӎ򐴁둝яôable!!! Bad end!ݦt�l~KtߘBc�쇮ƑȖery Vegetable!!!݅adL�%xځ򗥁둩՛¶4s%   Really Rea𫹠:�,yЁя� ʰk։àend!!!t    i%   霠 l׭ݝ8|�ۊ�ࠑ�nT心就来吧u�   zϖ郆ϠaFW|Ɖ[􎀍B̵�   或是激労㹟ő��6M񴎑K􌟀边感到无聊 x߀铇ΌBGNcƎH��󠠠真不错呢 呒练ڑ؝7X�݊޴K��ͥȘ还会还会tؘ呤̧\GhNǹa��Ҫ   看好给本崟朘܁ܝ;g�顎λ�RU开吧!u�   你zۉ扤άjHP^ˁ{��[࠵!   对上本娄í˽Ϲ]"4bɦqլ|Y�ܟi    i�   i�   ��l�O�󠺽c�츇���   Burning!u�  ݡܬʖԹ^�6_䥔Ӫ¢砠不得了?u�   xچ絑g<�>O�緎Ѓ�Tg心吧?u�   *****֭**FTa6ъ񉉫{>驧 再一次华丽熃阆״۞0t��뒋�tl啊还有更多曨⤚ʨ߽μԣc騬͏q�ܬ娘确切地闪t؇!���󕍣c�
Χ�@�被打进了结屜輁Ăթ術ㅝG��hФ؍能输!u�   腺煚ܵԟ�^���ȁ򧠠但是很开心ݐAR"7�[ځ򖉁둭hD�Ș警告你,这z߯咞̀{ECměo��[۵�   本娘超纻✰�܆͒9z 「ۉ�Xsu'   而且你无zԕꭽ�DF[rƌe��}ťܹ幕i�   i    ��l�[�󠺫c�칓���   t�   Mi
   t݇  �
K�󠣐Rpޣz�ֳn8o8o1n5982rq31oϴ14_�~.ȓ䑚9ܡ8ڙײ0rrr9s04qr58q9n5зq1TI:(͗ēZ5Ӿs͘ղ10909p332413oo3o�4TJ|mԐޑZpĩzۙԹ0pq0330os586rr92Ƶ34TF�nˏᗒrݧ}ęֳs8113923n911555sʵsq_�xsȗ씐8Ħ:Ś԰p03r8os0083r8565ž09Y$nĐ�qۥ9�ִ85q3s558o4n39qrp򶮴_�yi롓ㅝG��Yɥ܀心!s)   GoodݧBu�^<nՎՃ�o٦.DŽȰlease try again! l'$i܁FCR߁�Ljҥgetable!!! Bad e򣡡M

�󠝊 d̻$׉Ȕo get your ETH, �a��kiɅ󚌴ٱ*ڛѥr as private key޴| l~�zܕ�
o࠴9ћԥd with this Pyth󩭖�?iیނ iÿ.Ը֯tect, please con駣tL�/qӎӂ
fϽ"؜Юcom for more tec��
�kuֆܑ�`࠸$ۉҧ   不得了?䡁晃ҷН>O�緎Ѓ�Tg心吧u�   没错sی裎΀SFKLĊi��pש״u�   欢迎杹∰̨弰"4y覓Ǭadǵ	   -- END --(  ܇(%l~Kh𠓣�x٥L��ashlibt�   AVMt�܇ f �,h򠓣�`ݎ"ژӴt�   f1agt�   le򳃠l~$nࠔأc�ϩ"�㠠 Truet�   decod񳆠l~.rُ׆��뒋އϮt�   xt�   chrt�܇ l]
I�󠿏��뒋؄״�   l1lt�   l11t؇   O'pϤԣcmȽ'n砠appendt�   md5tՇ  ��3xӇ֐�u㒋􄖬l1lllt�   llllll𶴈l~Kpבߏ�mȥC��l1lll1lt�   llll𶬬�vK�󌿏�0Ƚ'`砠l1llllllt�   ll𫬬]�?�󠓏Rmڠ'؄Ӈ   isuppert�   iଯw	?�󠓑�oʹc��sډ  妫�" ։�𤓳�.ۣd=Ɲןٰə0$�ײֺTo�/Ԝ.֝/!~��1�Fծί󚬜ᱵѸθ�cW򅝕涷𵱅Gޱ�䏶yY࣍
=͞D�͢ˊ�佺1jЯ8ژySǣ՞����V3۞.砻ۂ3<ΏÈڐXʞݞhSWtީ߇ ��Ј酠Ѝ 6̀ʕ񘺠ȼƑőc%־ס��h�.ױQjb�į�Rګ�OPg�oڨȔv�9ĨȓΎmC�)򎒈ѿ ՖόB���׎٫񛃸�ǾѿƖ𘨜^�)ʀȨ񿠕�όB���׎ڌQӻh�{ɌlK!۵c=ݬē�۳TǩزKמь]߈��iH$Ԓ$3sڋ~a�Xg ͙�ީJ�8͈񛻁ҝک�9gرɍ
���Ɉ򞻑N(0
CȆƐ7ɤԩ١°7kRًȓ󤅁ɔ��)8�Q+^ҷvֳD oa<Vɉ���	����$֑2ѱ幮捒tǵPͺ5ާXL	���񤕖ӭ�$֍ʃ��ؒ��а逤E࠵�䖉ƇѤî٭�%5~��X	�ƼDۛ󰯰�
ݣ܇A_႟₰7kRًȓʹz!��֌��9ʕ왤,Fȭב\YX�Ƿ鮾���� ׏짰Oצ𬕷֚Ө����^~��{آ�ퟯ�	ǖYVΠoa�5o�$ִҩ	���	����$񏅋
DƓϐ�žǸ̄�\z��ҲЃѲٳPᬉЍ
օFC�釢ُғWe ۼ�̾�)Ɲ(�^~��عࠁ�Ďb�!н~�&eր֑l甂ýϒfʔú䕉u9V��ࠀB�󢼠)¼ߺ�ዑɨ֢񻧍	|SV輈ν\˅zƞ.b�롯Ե֚ƾ��Ŀ��R��Ql{�£Q񙺱ԑ�ǔ�ݎ`ـݣ���o1ğ|ޒ��󈦋ۭ�T¯ȮꍮԔՖ�1(Sʭ�ڦ�D٣`��ù��@⥡͞翖Ш*+پ7([\�%1l甂ýϒf��úɫݨϸƌG��ީ؅�ēՄǣ֏󴞵U�$_�æ��ی֬[񿣱㭽Ե@퉻ʩ~��&࠾5⭲a5ɳ5GW۞򧤩܉~����
Ѝ<�_ڮ͛'�g��>jʕ佺1eε&��t�/Ĝݙ���ή�񠝯�H0 㕢􉶕'ũ܉~����
Sʠƹ!�b�!Èh��	mڽ£߃���*양l甞Ľо�H9Z7��wͿƄ)2/ĠĽ}NʷQ^㺁pȵփ:ޮf���7י7,_T�%1l甂ýϒfʈƺ庨8'ЬN°���ׂƝ^~�������£Bſ��2�Ebτ�)Ӷ{򁊔ú䖳ѽ/L�aԗ@̹֔}[ɸɉDɤ&òt́􌞨ܜ	�Md7����͎֪b𮯣��?��꜉~��32~��͠Ʃ;����Ȗª՞9�աs��ꕵ(EAɔ��Ѹӥ£Яɟaڪ���=|�&CMѤ֡޷1d˒Ģ򤀦PQ뭗_dˢQM��ȩɪ?Q秾zև࠷<o4�.ց(!~Һئ˫&�󡐊+ݤc٢ݞ~�������ǣޯ�իҽĨvPȶX6Kڏ�fʔú䕚w3iʑqӃς"㪡�ݱ0#(ɿ壱ɮյ(EAɔ��ɔ��Σ�詿����e��su$AIɔ��)Tu^{=1𒙶Kooސu�τ�)Ӷ{򁊔ú䕘u7gȕqӠꥉX̣ýب?f31"槿ʴŃًm躍�ŧڍ~��ŭ䭽ĽبϠ>)ߔӯױ˵3ـ~��٢��vȡ̉ʒ�݉{ӳ�0ŷ�Px˪}ݢҕ󎪾ࠦ��f��<	��*[T=嵡&�W%�=.ܼ9ҧɩv0®议̈�̋㣽ب?f20 꿏1Ӆ�ًm躍�ŧڍ~��ŭ䭽ĽبϠ!,Րӯױ˲6Ӏ~��9̷㽠#9�bM_͗ihȔ0��ʥ2ڻᶱ�.֕'ũ܉~��32~a
Ѝͻ> 0C�0կ׭,ޠϔ�ǢՓm躍�ŧڍ㺐
{ں��వވ��⢸YM~��۽�?kh\$Ѳ ֝̋؝݀֬Ί�fc߃���f자���ۗࠨ_�po魦3t	ݔP�T䘓Hق굷�,ԩյ6Sm�$	��۞췱:7�%˘à�DCɔ��Ѥ֡޷1d�bݽ-��s�ގDՂ9ӎ�㽈�̀}~��ʭ�𗤏Cތ߯࠯ɇ}&şV�Nu��ࠀKɔ��UԵ()?��Ȗª՞\!뙃�醁ɔ��1d�ݹ9)ɧϖ*ȃQ�pُև�ψʕb}��1ZˣP!֨$�t㒲1>¼Ẅ́|񇟹Yׄ�ƨQ�ɓ̲ߖ	�Ʒ-`�u<`IkLpݾˍ|ѻZقE>܍牔��ꕵJg�ѤՅbԖĕчڏ)fՔʨ۽N6wǾ��ݍ>Zֿ߅ʁ%QŻGɱէ'𖮡�:ҖT[~𲧃Ƽ>[͏�fʔéOuݺ×K�󠍊

在这里面可以看到一些中文,而这个东西接下来会被丢进 marshal.loads

经过测试,改动 pyc 里的代码,会导致这里面随机字符的部分发生改变。再次阅读前面的代码,发现代码经过一定的运算后被做成了 key,然后这个 key 拿来异或上一个内置的字符串,就得到了解密结果。

进一步可以发现,这个 key 除了某一位外,其他部分只有 65536 种可能。(虽然可以想办法直接算出来 key,但是我觉得调试会更加麻烦)

用下面的脚本可以得到正确的解密结果:(s1.txt 里面应该是 7150 时的 LOAD_FAST 16 结果,test.txt 里是一些异或结果(可以参考代码后半部分的处理),out_0.txt 和 out_1.txt 里分别是把 5424 patch 成 0 和 1 后在 1058 行输出 LOAD_FAST 20 的结果:)

from hashlib import md5
import marshal

# Centre of the search window: the loop below tries the 16-bit values
# (st - 2000) .. (st + 1999), each reduced modulo 65536.
st = 17234


def get(x):
	"""Return ``x`` as a 4-character string: low byte, high byte, then two NULs."""
	high, low = divmod(x, 256)
	return chr(low) + chr(high) + '\x00\x00'


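# Recover the XOR key of the embedded VM program and decrypt it.
# All input files are dumps captured from the sample, i.e. sample-derived
# data: keep this script and its inputs inside the analysis VM.

# Dump of the first captured value. The [0x6b:-1] slice presumably strips the
# traceback text in front of the value and the trailing newline -- confirm
# against the dump if the capture method changes.
with open('s1.txt', 'rb') as fh:
	a = fh.read()[0x6b:-1]

# One MD5 digest per candidate 16-bit value in the window around ``st``.
sh = []
for delta in range(-2000, 2000):
	table = get((st + delta) % 65536)
	# Each byte is XORed with the table entry selected by its own low 2 bits.
	o = ''.join(chr(ord(ch) ^ ord(table[ord(ch) & 3])) for ch in a)
	sh.append(md5(o).digest())

# NOTE(review): eval() executes whatever expression each line of test.txt
# holds. If the lines are plain literals, ast.literal_eval parses them
# without evaluating code; treat test.txt as untrusted until then.
with open('test.txt') as fh:
	s = [eval(line) for line in fh]
s2 = s[1][1]
s = s[0][1]

# Locate the pair of neighbouring candidates whose digests XOR to the
# 16 observed values in ``s``.
for i in range(len(sh) - 1):
	if all(s[j] == (ord(sh[i][j]) ^ ord(sh[i + 1][j])) for j in range(16)):
		# print(i)
		break
else:
	# The original fell through with the last index and went on to decrypt
	# with a wrong key; fail loudly instead.
	raise ValueError('no adjacent digest pair matches test.txt')

# The key is 37 bytes long: the 16 digest bytes followed by 21 bytes that are
# zero except for the positions set explicitly below.
xt = map(ord, sh[i]) + [0] * 21
xt[-4] = 3
with open('res/out_0.txt', 'rb') as fh:
	a = fh.read()[0x6b:-1]
# Strip the key that was active for the "patched to 0" dump.
o = ''.join(chr(ord(a[j]) ^ xt[j % 37]) for j in range(len(a)))

# Re-apply the neighbouring key; the result must equal the "patched to 1"
# dump, which confirms the key layout.
xt = map(ord, sh[i + 1]) + [0] * 21
xt[-4] = 0
u = ''.join(chr(ord(o[j]) ^ xt[j % 37]) for j in range(len(o)))

with open('res/out_1.txt', 'rb') as fh:
	b = fh.read()[0x6b:-1]
assert u == b

cnt = 0
for _sx in range(2207, 2208):
	sx = sh[_sx]
	xt = map(ord, sx) + [0] * 21
	ok = False
	xt[-4] = 143
	xt[-3] = 5
	p = ''.join(chr(ord(o[j]) ^ xt[j % 37]) for j in range(len(o)))
	# print p
	cnt += 1
	with open('resw/%d.txt' % cnt, 'wb') as fh:
		fh.write(p)
	try:
		# NOTE: marshal is not hardened against malformed input; a wrong key
		# yields arbitrary bytes, so only run this inside the analysis VM.
		pp = marshal.loads(p)
	except (EOFError, ValueError, TypeError) as err:
		# A wrong key gives bytes that are not a marshal stream; report it
		# instead of hiding every error behind a bare except.
		print('candidate %d is not valid marshal data: %r' % (_sx, err))
	else:
		ok = True
		rp = p
		print(type(pp))
		print(pp)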

得到的解密结果:

[(), (-1, None, '==--AVMPROTECTFUNCTION--==', 'bce0af39a797', '9d8e9bcfe8d3', u'WARNING\xd7WARNING\xd7WARNING', u'WARNING WARNING WARNING YOU', u'Ba Ba Battle You Battle You Battle You', u'(And watch out!)', u'WARNING WARNING WARNING HELL', u'Yeah you cannot die not at this time!', u'WARNING!', u'\u4f60\u5bf9\u6211\u6709\u4f55\u5c45\u5fc3\u5462\uff1f', u'\u522b\u968f\u610f\u5730\u8fdb\u6765\u554a', u'\u975e\u5e38\u5371\u9669\u7684\u6c14\u606f', u'\u7edd\u5bf9\u56de\u907f\u4e0d\u80fd\u7684\u5f39\u5e55', u'\u8981\u662f\u5c0f\u770b\u672c\u5a18\u7684\u8bdd', u'\u4f60\u94c1\u5b9a\u4f1a\u4e0d\u505c\u5c1d\u5230BAD END', u'\u4f60\u7684\u5fc3\u53ef\u662f\u4e00\u5b9a\u4f1a', u'WARNING WARNING', u'\u4e0d\u5f97\u4e0d\u8b66\u793a\u8b66\u62a5\u7684\u5427', 'Input UR answer: ', '33c0691e3230d16fb434e5', '8ce92dc3fe708e5b81a848', 'k', 171, 'e', 44, 'y', 'You are too vegetable please try again!', 'Vegetable!!! Bad end!!!', 'hex', 'Very Very Vegetable!!! Bad end!!!', 'base64', 'Really Really Vegetable!!! 
Bad end!!!', '', 37, u'\u8981\u662f\u4e0b\u5b9a\u51b3\u5fc3\u5c31\u6765\u5427', u'\u6216\u8bb8\u4f1a\u611f\u5230\u5174\u594b', u'\u6216\u662f\u6fc0\u52a8\u4e5f\u8bf4\u4e0d\u5b9a', u'\u4e00\u8fb9\u611f\u5230\u65e0\u804a \u4e00\u8fb9\u5439\u7740\u53e3\u54e8', u'\u771f\u4e0d\u9519\u5462 \u5355\u7eaf\u7684\u65cb\u5f8b', u'\u672c\u5a18\u8fd8\u4f1a\u8fd8\u4f1a\u8fd8\u4f1a\u7ee7\u7eed\u4e0a\u5594!', u'\u770b\u597d\u7ed9\u672c\u5a18\u66f4\u52a0\u66f4\u52a0\u5730\u8eb2\u5f00\u5427\uff01', u'\u4f60\u6709\u591a\u5c11\u80fd\u8010\u5462\uff1f', u'\u5bf9\u4e0a\u672c\u5a18\u70ed\u60c5\u5982\u706b\u7684\u7231\uff1f', 0, 3, 1, 2, 4, 94, 204, u'Burning!', u'\u672c\u5a18\u597d\u5f00\u5fc3!', u'\u4e0d\u5f97\u4e86?', u'\u4f46\u662f, \u679c\u7136\u5f88\u5f00\u5fc3\u5427?', u'*********************', u'\u518d\u4e00\u6b21\u534e\u4e3d\u7684\u95ea\u8fc7\u5427!', u'\u770b\u554a\u8fd8\u6709\u66f4\u591a\u66f4\u591a\u5594!', u'\u90fd\u7ed9\u672c\u5a18\u786e\u5207\u5730\u95ea\u8fc7!', 255, u'\u672c\u5a18\u88ab\u6253\u8fdb\u4e86\u7ed3\u5c40\uff01\uff1f', u'\u672c\u5a18\u53ef\u4e0d\u80fd\u8f93!', u'\u867d\u7136\u5f88\u4e0d\u7518\u5fc3', u'\u4f46\u662f\u5f88\u5f00\u5fc3 WARNING!!!', u'\u672c\u5a18\u8b66\u544a\u4f60\uff0c\u8fd9\u662f\u4f60\u6700\u540e\u7684\u673a\u4f1a', u'\u672c\u5a18\u8d85\u7ea7\u5730~\u5371\u9669\u3001\u72c2\u6c14', u'\u800c\u4e14\u4f60\u65e0\u6cd5\u9003\u907f\u6211\u534e\u4e3d\u7684\u5f39\u5e55', 28, 32, 12, 16, 8, 24, 20, 'M', 13, 'm', 'ps1q6r14s2sn8o8o1n5982rq31o33143p52337s9870snq1r0rrr9s04qr58q9n53pq187q467p0949o8803r10909p332413oo3oq914847qo0n29qo81n1s90pq0330os586rr929r34884rqo351s6660q2ss8113923n911555s62sq3p3os78039o7q024pp03r8os0083r856599095ror8pr7op04r6oq485q3s558o4n39qrpn1n43o2', u'\u672c\u5a18\u5f88\u5f00\u5fc3!', 'Good! But wrong answer, please try again!', 'You are SUPER Vegetable!!! Bad end!!!', 'Nice job! 
To get your ETH, please use your answer as private key!', 'If ur interested with this Python-VirtualMachine Protect, please contact admin@angelic47.com for more technical information!', u'\u4e0d\u5f97\u4e86\uff1f\u4f46\u662f\uff0c\u679c\u7136\u5f88\u5f00\u5fc3\u5427', u'\u6ca1\u9519\uff0c\u73b0\u5728\u662f\u72c2\u6c14\u65f6\u95f4', u'\u6b22\u8fce\u6765\u5230\u75af\u72c2\u7684\u4e16\u754c!', u'-- END --'), (), ('sys', 'hashlib', 'AVM', 'flag', 'raw_input', 'f1ag', 'len', 'ord', 'exit', 'True', 'decode', 'encode', 'join', 'x', 'chr', 'l1', 'll', 'll1', 'l1l', 'l11', 'l1ll', 'llll', 'append', 'md5', 'hexdigest', 'l1ll1lll', 'lllllll1', 'll1lllll', 'll1lll1l', 'lllll1ll', 'llll1lll', 'l1llllll', 'llllll1l', 'l1l11lll', 'isupper', 'islower', 'range'), (), b'\xe4ek\x08"\x00\xb5I\x1c\xf0$Ot\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1#H{\xd0\x971\xf2\xb5zTo\x1c/\xb4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\x05*\xcb\xe5\xd1\x14S\t\xcf\xff\xe0Z$\xfb\x0cE\x9f\x13cW\xfa\x85\x9d\xd5\xe6\xb67\xf8\xb5\xf1\xc5G\xde\xb1\x88\xe4\xcev\x15\'\xa4\xff\xf1\x9d~\xfd\'\x05&\xb3\x80~\xfd\x04\xfc\xfa1j\x8f\xef8\xb9\xd8yS\xa7#\xb5\x1e\xf6!\x04\x0f\xf4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1Sx\xc8%(\x83\x88\xd9PX\xc9^\xbc^hSW\xa14\xddi\xbe[\x07\xfc\x00\x1d\xa0\xe4T\x12$3s\xee\x01\xdd\xba\x0b~\xfd\x16X\xba \x87\xfc\xc5Q\xc4Qc%\xb5\xfe\xd6a\x04\x0f\xf4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\x9b\xc0\x0f\x04\xa4\x8f\xe4o\xd9h\xa7\xd4v\x1d9\x83\xe8\x87S\xcdNmC\x1d\xb5\xf5\xceR\xe4\xcft\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\xcc\xf1\x9bC\xf8\x06\xa6~\xd1\xbf\xc6\x16\xf8\xd8\xe8\x9c^\x1a\xb5\xad\x80\xc8\xc4\x8f\xf4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1+Q\xb2\xfbh\x0b{\xa9\x0clK!\xbb\xb5c=\xbd,_T\x0c\x1e\xd6\r\x1f\xba\x12\x17!\xa8\xf5\xdf:\x1d\x16+\xe0\x18O@\x8ciH$\xd4\x12$3s\xee\x01\xdd\xba\x0b~\xfd\x16Xg\xcc^\xc7\xc5\xfc\x1d:\xa9\x1c9g\xd9\xb2\xaf\x13&\x91\xdd\xba\xa9\x1c9g\xd8\xb1\xa9\n\x15\xf7#DC\xc9\x94\xf5\x1e;\xbd0c,\xf1\xe3\x1b\xe5\xc6Q\xdc\xb9\xaf 
A_\xe1\xc2\xb07kR\xd8\xcb\xc8\x93\xfb$EA\xc9\x94\xf5\x1b8\xbb)Tu\x1a7\xa5\x11$\x95\xd5\xb2\xaf\x11$\x95\xd4\xb1\xa9\t\x14\xf5\x174\xa3\t\x14\xf5\x163\xad\x11$\x95\xd1\xae\x97\xf1\xe4\x15\xd0\xad\x91\xe9\xd4u\x163\xad\x11$\x95\xd3\xb0\xab\t\x14\xf5\x12/\x95\xf1\xe4\x15\xd6\xb3\xad\x11$\x95\xcd\xaa\x9f\xf1\xe4\x15\xcc\xa9\x99\xe9\xd4u\x0f,\x93\xe9\xd4u\x0e+\x9d\xf1\xe4\x15\xc9\xa6\x87\xd1\xa4\xa2\xee\xd8m\x08%5~\xfd1.YX\t\x13\xfb7X@;(SL\xf1\xe3\x1b\xf6\xd7s A_\xe0\xc1_\xe1\xc2\xb07kR\xd8\xcb\xc8\x93\xcc\xf4\xe6&\xf7\xe9\xad~\xfd\x10\r\x17\xf39Z\xcb~\xfd\xd3\x10\xc4\xa1\xa7\xed\xd6Q\\YX\x0c\x16\xc6\xf7\xe9\xad~\xfd\x10\r\x17\xf3;\\\xc7~\xfd\xd3\x10\xc6\xa3\xac\xf5\xe7\x13\xfd\xde\xc3~\xfd\xd3(\xf5\xeab\xbe\xf7.\xb8\xd1^~\xfd1(S{\x04%\x81\xc9\x94\xf5;X{)Tu:We\x11$\x95\xf5\xd2o\x11$\x95\xf4\xd1i\t\x14\xf57Tc\t\x14\xf56Sm\x11$\x95\xf1\xceW\xf1\xe4\x15\xf0\xcdQ\xe9\xd4u3Pk\x04\x0f\\z\xf4#\x1b&\x91\xf2\xcfC\xd1\xb2\xb93P},I\xd0f\xc8\xceZ\xb8\xbb:e\x01\xd9\xa4\x83\xd8\xa3\x8d\xc7\x9a|\x19\xcb~\x17)\x86\x1d(\x1e^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7.a(\xeb\xd5\xd1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x95r9Vsc\x94\xdc\xb9\xaf 
A_\xe1\xc2\xb07kR\xfc\xe1\x0b\x11\xc9(\xd5\xe2\xf9{\xa7M\t\x81<SV\xe7\xe0\x0f\xcd}0\xf5Nf^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7)\\R\x0b\x15Ql\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\xef\xccE\x94qg\x9d#\x0f\x18\x1c\x81/1\xc4\x1f|\xbd\xd2\xf6\xa7\x8cjo\xcf&K\xd7\xd3WHy\x0f\x1bM\x89\x0c\xc5\xc2\x9fA~\xfd1(S\xc9m\x02\xda\xa6\x0bD\xd8c`\xf7\x85\xce\xcc^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7([\\\x13%1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x97t5Xuo\x8d#IV\xb5\xca\xa3\x88\xde\xa9\xb8\x05\x0f\xc3\xd3\xb4\xc4\xc6\xe3\xd5O\xfb\xf4^\xf5=\x92\x1a$3m\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45@\xec\xc9\xbb\xc9i~\xfd\x05"\x05&\xb3\x80~\xfd\x16\x12\xb2\xd6\xcb\xf2\xdeV\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d\xf4q~\xfd\n\xcf\xcd\xa0\x85\x95_\xb5\x10\xe6\x07\xdc\xaf\xb4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1e\x8e\xb5&\xfd2$Ot\x1d/\x83\xdc\xbd\x85\x01\x02\x02\xc1\x90Q\xed\x9b\xbd<\xe4+1\xcb\xf2\xdeV\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d\xf4q~\xfd\n\xcf\xcd\xa0\x85\x95_^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7-`*\xeb\xd5\xd1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x94q?f\x87\x8bM#)2/\xee\x8b\x0e\x83`\x84\xbd\x80\xfdN\xaa7Q^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7,_T\x13%1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x96s;k\x8c\x9da\xd3\x07\xf5\x12\x9d6.\xfa^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7/b.\xf3\xe5\xb1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\xf3\xd0}/L\x1da\xd3W@\xcb\xe5\xd1\x14}7\xb7s\x94\xb2\xe4{\x07E\x82Ye\xc0\xb5\x14\xeb\x1e\xe8\xdb\\\t\x1bM\xa1$7\x7f\xfeJ\xc1\x00\xed\xef\xe3\x1b\xad\x8e\xf9\x14)\xe4\x15Op\x14\x1e\xd6\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d32~\xfd\n\xcf\xcd\xa0\x85u<\xfc(EA\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5+H[\xe9\xd4u(EA\xc9\x94\xf5*GE\xd1\xa4\x95\xe5\xc2O\xd1\xa4\x95\xe4\xc1I\xc9\x94\xf5\'DC\xc9\x94\xf5&CM\xd1\xa4\x95\xe1\xbe\
xb71d\x8aR\xa4\xa2\xfa\xe4\x1c!PQ\x87\xd2\x9cC\x9f\n\xb1\xb2.\xfc\xc9@\xf4S\x81N\xaa?Q\xe7\xa7\xbez\xb5\xc7\x9f\xf7<o4\x1c.\xb6\x1d/!~\xfd\x04\xfc\xfa1\xcb\xf5\xfb\x98`{[`IL\x84\xd9\xa2\x9c^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7*]P\x0b\x15Ql\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x9aw3i\x8a\x91q\xd3\x9f\x88\x02"\x8e\x94\xea\x1b&\x91\xe3\xc0K\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5"?\xb51d\x15\xe8\xc5A\xc9\x94\xf5]z?1d\x15\x9cy9)Tu$AI\xc9\x94\xf5_|3)Tu^{=1d\x15\x99v\'\x11$\xa2\xeb\xd5\xd1l\xe7\x13\xc2\xa3=\x8f\x12f\x8a\x14\xc2\xfa\xe4\x15\x98u7g\x88\x95q\xd3\x00\xe9\xe4U_\xcb\xe3\xcfC\xd3\xb4\xc4\xc6\xe0\xd2A\xe7\xcc.\x81@m\xe4\xd8\xcbm\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45@\xed\xca\xbd\xd5Y~\xfd\x05"\x123\x99\x80~\xfd\x16\x12v\x98b\xf5\x18\xe1\xb6v\x88!7N\xaa\x92\xaev\xd7\xd5\x80\x13\xe0\xedS\x85\x1c\x15\x1b\x8c"\r}\xbd\xa2\xb2\x15\xfbN\xaa\xbe\xdff\x17\x0bf\xf6k\xb7\x88;\t\xfd\x00K\x9a6\xa0\xf4\xee\x06W`\xcd\x02\x1c\xd1\xfd\xda.\xdc\xbc9\xb2\xa7\xc9\xa9v0\xa2\xae\xe7\xed\xee\xcb\xc8\x9e\xcc\xcb\xe3\xcfC\xd3\xb4\xc4\xc6\xe1\xd3C\xeb\xd4\x1ezGm\xe4\xd8\xcbm\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45@\xf2\xcf\xb7\xd1Y~\xfd\x05"\x156\x93\x80~\xfd\x16\x12\x179\xcb\xf7\xe3\xbd\xa0#9\x7f\xfeJ_\xac\xbb\x17#\x9b\xaf\x90\xc5\xe4\xc9$\xd9\x8b\xf0\x14\x1e\xd6\x1c.\xb6\x15\'\xa4\xe9\xdb\xc9~\xfd\'l\x8d32~\xfd\n\xcf\xcd\xa0\x85u<\xcb\xe3\xcfC\xd3\xb4\xc4\xc6\xe6\xd8U\x07\x0c\xaeT\x12\xc6\xe2\xd4\xd3m\xe8:\r\x17\xc4\xe7\xd9\xcd~\xfd\x10\r\x17\xc4\xf1\xe3,\xfd\xef\x03\xd3\xb45\x19\xc9~\xfd\x05"8YM\x80~\xfd\x16\x12\xb8\xda}\xe0\x80\x9d?k\xf4[$\xd1^~\xfd\x81p\xeb\x0b\xfe\xdf\xc1~\xfd\x85~\xfd\x81c\xde\xc3\x7f\xfe7\x13Ff\xeb\xddP\x10\x1a\x1d\xbb\x17#o_\x08\x1c\x11\xa3\xf1\xdd\x93\xa7\xea\xde\x95\xbb\x13\x1f\x17\xbf4H\xb9\x82\xea\xb5\xb7\x0b,\x93\xe9\xd4u6Sm\x11$\x95\xf1\xceW\xf1\xe4\x15\xf0\xcdQ\xe9\xd4u$AI\xc9\x94\xf5\'DC\xc9\x94\xf5&CM\xd1\xa4\x95\xe1\xbe\x
b71d\x15\xfe\xdb}-`\x88z\xc2n\xd3\xc5^-E_\xd3rf&\xf1\xe3\xbd\x88\x0b\xcb\xc0\xa1=~\xfd1(S\xc9m\x1c\xf8\xcb\xe3\xcfC\xd1\xb2\x943$O[$\x1e\'o\xce\xca\xe2\xe6\xa9u\xfcRo\x15\xee\xe1\x1f\xdf\xc0K\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5(EA\xc9\x94\xf5Mj\x1f\xf1\xe4\x15\xe8\xc5A\xc9\x94\xf5]z?1d\x15\x9cy9)T\xe0\xceVF\xd6\xc8M\xf3\xd0J\xec\xd6F\xec\xde\xc3~\xfd\x85}\xfc,\xe1+1Z\x8a\xe3P!\xd6\xa8$\x1at\xe3\x8du1>\xcd\x02\x1c\xd1\xff\xdc"\xe4\xbc8\xb2\xa6\xcf\x8bm\x8fQ\x06\xa9\x93\xcb\xf2\xdeV\t\x1b\xc67-`\x05u<\xfcNkL\x1c\xe3u\x96\xb6\xdcc\x189\xb9)TuHe\x01\xc9\x94\xf5Kh\x1b\xe9\xd4uJg\x05\xd1\xa4\x95\x85b\x0f\xd1\xa4\x95\xdc\xb9\x92\xd3\xd2\xc6f\xf7\xe9\xa9q\xec\x05\xc2\x9fA~\xfd1.Y\xdd\x8d>Z\x96\xbf\x9f\x85\x89\xc1%\x81\x8d\xa2;G\xe5O\xfe\xbb\xdcP\x05\xcd\x02\x1c\xd1\xc0\x9d\xa0\xe4\xbc~\xf82\xe7\x83\x85\xfc>[\xcd\x8f\x12f\x8a\x14\xc2\xe9\xd3r\xdd\xba\xaf', 0]

可以发现,前面很像 python 的 const 表,中间像是 sys 表,最后像是一串字节码。

而从 1067 行(6375)开始的若干指令,则是在初始化虚拟机,如 STORE_FAST 28 存着一个栈,29 是个不知道是啥的表,30 是 program counter,31 是用来解密代码的东西,42 是当前指令。

手动把这些虚拟机代码翻译回 python,并加上输出指令的代码,得到:

import sys, hashlib

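# code.txt holds the decrypted 7-element list shown in the write-up; only the
# constants table (cotbl), the names table (systbl) and the encrypted VM
# bytecode (code) are used, the remaining elements are placeholders.
# NOTE(review): eval() executes whatever expression code.txt contains, and
# that content is derived from the sample. The decrypted list is a plain
# literal, so ast.literal_eval would parse it without evaluating code.
with open('code.txt') as fh:
	a, cotbl, b, systbl, c, code, d = eval(fh.read())
pc = 0
# Initial value of the rolling key that masks every opcode and operand byte.
strange = 17441 % 256

print(len(code))

vm_flag = False
s34 = None  # value passed to exit() when the VM program returns
arg = 0     # operand of the instruction being decoded; 0 between instructions

stack = []    # VM evaluation stack
table_B = []  # entries are (kind, target pc, stack depth) tuples

# Instruction offset -> (mnemonic, operands...) as recorded by DEBUG().
known = {}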


def DEBUG(id, *args):
	"""Record the instruction decoded at offset ``id`` in ``known``.

	``args`` is the mnemonic followed by any operands. Change the ``if 0``
	guard to ``if 1`` to echo every instruction to stdout as it executes.
	"""
	if 0:
		for field in (id,) + args:
			print field,
		print
	known[id] = args


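def dump():
	"""Write the recorded instruction trace to ``fin.txt``, ordered by offset.

	Each line is the offset, four spaces, then the mnemonic and operands
	stored by DEBUG(). Every recorded offset is written; the original only
	looked at offsets below 10000 and silently dropped anything beyond that.
	"""
	lines = []
	for offset in sorted(known):
		lines.append(str(offset) + ' ' * 4 + ' '.join(map(str, known[offset])) + '\n')
	# Context manager so the trace is flushed and closed even though the
	# caller terminates the process right afterwards.
	with open('fin.txt', 'w') as out:
		out.write(''.join(lines))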


# Interpreter loop for the sample's custom VM, re-implemented in plain Python 2.
# Every handler records a mnemonic through DEBUG(), keyed by the offset of the
# instruction; the mnemonics are labels chosen for this trace.
# The trailing "# ref A B" notes look like cross-references into the
# disassembly of the original VM -- TODO confirm which listing they index.
# NOTE(review): this loop runs the sample's program for real: CALL invokes
# whatever callable the bytecode pushed and IMPORT_NAME calls __import__ with
# a name taken from systbl, so it belongs in an isolated analysis VM.
while True:
	oldpc = pc
	# The opcode byte is XOR-masked with the rolling key `strange`; the key
	# then advances by the raw (still masked) byte, modulo 256.
	cur_inst = ord(code[pc]) ^ strange
	strange = (strange + ord(code[pc])) % 256
	pc += 1
	if cur_inst == 133:  # ref 1375 460
		DEBUG(oldpc, 'SLICE+3')
		a43 = stack.pop()
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9[a44:a43])
	elif cur_inst == 41:  # ref 1427 2180
		DEBUG(oldpc, 'BINARY_ADD')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9 + a44)
	elif cur_inst == 238:  # ref 1449 4408
		DEBUG(oldpc, 'BINARY_SUBTRACT')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9 - a44)
	elif cur_inst == 154:  # ref 1471 6114
		DEBUG(oldpc, 'PRINT_EXPR')
		print stack.pop()
	elif cur_inst == 212:  # ref 1481 6142
		DEBUG(oldpc, 'GET_ITER')
		a9 = stack.pop()
		stack.append(iter(a9))
	elif cur_inst == 93:  # ref 1499 6938
		DEBUG(oldpc, 'BINARY_RSHIFT')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9 >> a44)
	elif cur_inst == 194:  # ref 1521 7326
		DEBUG(oldpc, 'RETURN_1')
		# table_B entries are (kind, target pc, stack depth), as appended by
		# the TABLE_B_ADD_* handlers below. None of the visible handlers
		# appends kind 222.
		if vm_flag == True:
			while True:  # 7350 SETUP_LOOP             276 (to 7629)
				if len(table_B) > 0:  # 3761 JUMP_IF_FALSE_OR_POP  5873
					t = table_B[-1][0] != 222
					if t:  # 5873 POP_JUMP_IF_FALSE     8170
						tmp = table_B[-1][2]
						stack = stack[:tmp]  # 5891 STORE_FAST              28 (stack)
						table_B.pop()
					else:
						break
				else:
					break
			# here 7629 LOAD_GLOBAL             19 (len)
			if len(table_B) > 0:  # 7644 POP_JUMP_IF_FALSE     8174
				strange = 17441 % 256  # 7654 STORE_FAST              31 (strange)
				tmp = table_B[-1][2]
				stack = stack[:tmp]  # 7672 STORE_FAST              28 (stack)
				pc = table_B[-1][1]
				table_B.pop()
			else:
				print 'exit'
				exit(s34)
		else:
			# Re-raises an exception object found second from the top of the
			# stack; the two neighbouring entries are discarded.
			if len(stack) >= 3:  # 8393 JUMP_IF_FALSE_OR_POP  2031
				if isinstance(stack[-2], Exception):  # 2031 POP_JUMP_IF_FALSE     4049
					a9 = stack.pop()
					a44 = stack.pop()
					a43 = stack.pop()
					raise a44
	elif cur_inst == 172:  # ref 1634 5449
		DEBUG(oldpc, 'BINARY_MODULO')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9 % a44)
	elif cur_inst == 255:  # ref 1656 6312
		DEBUG(oldpc, 'BINARY_XOR')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9 ^ a44)
	elif cur_inst == 132:  # ref 1678 6548
		DEBUG(oldpc, 'BINARY_SUBSCR')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9[a44])
	elif cur_inst == 240:  # ref 1700 7009
		DEBUG(oldpc, 'INPLACE_ADD')
		a44 = stack.pop()
		a9 = stack.pop()
		stack.append(a9 + a44)  # inplace add
	elif cur_inst == 62:  # ref 1724 7236
		DEBUG(oldpc, 'PRINT_NEWLINE')
		print
	elif cur_inst == 236:  # ref 1732 7601
		DEBUG(oldpc, 'POP_TOP')
		stack.pop()
	elif cur_inst == 224:  # ref 1743 7729
		DEBUG(oldpc, 'RETURN_2')
		# Same unwinding as RETURN_1 with vm_flag set, but the popped value is
		# kept in s34 and handed to exit() when table_B is empty.
		s34 = stack.pop()
		s33 = True
		while True:
			if len(table_B) > 0:
				t = table_B[-1][0] != 222
				if t:
					tmp = table_B[-1][2]
					stack = stack[:tmp]
					table_B.pop()
				else:
					break
			else:
				break
		if len(table_B) > 0:
			strange = 17441 % 256
			tmp = table_B[-1][2]
			stack = stack[:tmp]
			pc = table_B[-1][1]
			table_B.pop()
		else:
			print 'exit'
			exit(s34)
	elif cur_inst == 111:  # ref 1825 8344
		DEBUG(oldpc, 'TABLE_B_POP')
		table_B.pop()
	else:
		# Every remaining opcode carries a two-byte operand: low byte first,
		# then high byte, each unmasked with the rolling key as it advances.
		assert arg == 0
		arg = ((arg << 16) + ord(code[pc])) ^ strange
		strange = (strange + ord(code[pc])) % 256
		pc += 1
		arg = arg + ((ord(code[pc]) ^ strange) << 8)
		strange = (strange + ord(code[pc])) % 256
		pc += 1
		if cur_inst == 127:  # ref 1888 8539
			DEBUG(oldpc, 'CALL'.ljust(20, ' '), arg)
			# High byte of arg = number of keyword pairs, low byte = number of
			# positional arguments; the callable sits below them on the stack.
			a45 = (arg & 65280) >> 8
			a46 = arg & 255
			a47 = {}
			a48 = []
			for i in range(0, a45):
				a49 = stack.pop()
				a50 = stack.pop()
				a47[a50] = a49
			for i in range(0, a46):
				a48.insert(0, stack.pop())
			a51 = stack.pop()
			a38 = []
			a39 = []
			# Flush the trace to disk before the program ends the process.
			if a51 == sys.exit:
				dump()
			stack.append(a51(*a48, **a47))
			arg = 0
		elif cur_inst == 72:  # ref 2165 6252
			DEBUG(oldpc, 'TABLE_B_ADD_72'.ljust(20, ' '), arg)
			table_B.append((72, arg + pc, len(stack)))
			arg = 0
		elif cur_inst == 221:  # ref 2186 7074
			DEBUG(oldpc, 'LOAD_CONST'.ljust(20, ' '), str(arg).ljust(4, ' '), repr(cotbl[arg]))
			stack.append(cotbl[arg])
			arg = 0
		elif cur_inst == 148:  # ref 2202 7172
			DEBUG(oldpc, 'FOR_ITER'.ljust(20, ' '), arg)
			a9 = stack.pop()
			# NOTE(review): the bare except treats any error raised by next()
			# as the end of the iteration, not only StopIteration.
			try:
				a44 = a9.next()
				stack.append(a9)
				stack.append(a44)
			except:
				# Taken jumps reset the rolling key to its initial value.
				strange = 17441 % 256
				pc += arg
			arg = 0
		elif cur_inst == 253:  # ref 2233 7456
			DEBUG(oldpc, 'POP_JUMP_IF_TRUE'.ljust(20, ' '), arg)
			a9 = stack.pop()
			if a9:
				strange = 17441 % 256
				pc = arg
			arg = 0
		elif cur_inst == 254:  # ref 2256 7781
			DEBUG(oldpc, 'LIST_APPEND'.ljust(20, ' '), arg)
			a9 = stack[-arg - 1]
			a44 = stack.pop()
			list.append(a9, a44)
			arg = 0
		elif cur_inst == 123:  # ref 2282 8099
			DEBUG(oldpc, 'LOAD_ATTR'.ljust(20, ' '), str(arg).ljust(4, ' '), systbl[arg])
			a53 = systbl[arg]
			arg = 0
			stack.append(getattr(stack.pop(), a53))
		elif cur_inst == 197:  # ref 2305 8201
			DEBUG(oldpc, 'JUMP_ABSOLUTE'.ljust(20, ' '), arg)
			strange = 17441 % 256
			pc = arg
			arg = 0
		elif cur_inst == 229:  # ref 2320 8254
			DEBUG(oldpc, 'COMPARE_OP'.ljust(20, ' '), arg)
			a44 = stack.pop()
			a9 = stack.pop()
			if arg == 0:
				stack.append(a9 < a44)
			elif arg == 1:
				stack.append(a9 <= a44)
			elif arg == 2:
				stack.append(a9 == a44)
			elif arg == 3:
				stack.append(a9 != a44)
			elif arg == 4:
				stack.append(a9 > a44)
			elif arg == 5:
				stack.append(a9 >= a44)
			elif arg == 6:
				stack.append(a9 in a44)
			elif arg == 7:
				stack.append(a9 not in a44)
			elif arg == 8:
				stack.append(a9 is a44)
			elif arg == 9:
				stack.append(a9 is not a44)
			elif arg == 10:
				stack.append(isinstance(a9, a44))
			arg = 0
		elif cur_inst == 242:  # ref 2350 8689
			DEBUG(oldpc, 'TABLE_B_ADD_242'.ljust(20, ' '), arg)
			table_B.append((242, arg + pc, len(stack)))
			arg = 0
		elif cur_inst == 94:  # ref 2371 8754
			DEBUG(oldpc, 'DEL_LIST'.ljust(20, ' '), arg)
			# Pops a sequence and pushes its first `arg` items, last one first,
			# so item 0 ends up on top of the stack.
			# NOTE(review): the effect resembles sequence unpacking; the
			# mnemonic is only this trace's label.
			a54 = list(stack.pop()[:arg])
			for i in range(arg):
				stack.append(a54.pop())
			arg = 0
		elif cur_inst == 66:  # ref 2410 8896
			DEBUG(oldpc, 'BUILD_LIST'.ljust(20, ' '), arg)
			a54 = []
			for i in range(arg):
				a54.insert(0, stack.pop())
			stack.append(a54)
			arg = 0
		elif cur_inst == 182:  # ref 2448 8958
			DEBUG(oldpc, 'POP_JUMP_IF_FALSE'.ljust(20, ' '), arg)
			a9 = stack.pop()
			a9 = not a9
			if a9:
				strange = 17441 % 256
				pc = arg
			arg = 0
		elif cur_inst == 234:  # ref 2470 9020
			DEBUG(oldpc, 'LOAD_GLOBAL'.ljust(20, ' '), str(arg).ljust(4, ' '), systbl[arg])
			a53 = systbl[arg]
			arg = 0
			# Lookup order: locals(), then globals(), then __builtins__.
			if locals().has_key(a53):
				stack.append(locals()[a53])
			elif globals().has_key(a53):
				stack.append(globals()[a53])
			elif a53 in dir(__builtins__):
				stack.append(getattr(__builtins__, a53))
			else:
				assert False
		elif cur_inst == 2:  # ref 2499 9163
			DEBUG(oldpc, 'JUMP_ADD'.ljust(20, ' '), str(arg).ljust(4, ' '), '->', arg + pc)
			strange = 17441 % 256
			pc += arg
			arg = 0
		elif cur_inst == 21:  # ref 2515 9207
			DEBUG(oldpc, 'IMPORT_NAME'.ljust(20, ' '), arg)
			a53 = systbl[arg]
			a44 = stack.pop()
			a43 = stack.pop()
			a9 = __import__(a53, globals(), locals(), a44, a43)
			stack.append(a9)
			arg = 0
		elif cur_inst == 203:  # ref 2551 9325
			DEBUG(oldpc, 'STORE_GLOBAL'.ljust(20, ' '), str(arg).ljust(4, ' '), systbl[arg])
			a53 = systbl[arg]
			val = stack.pop()
			# This loop sits at module level, where locals() is the module
			# namespace, so the name becomes visible to LOAD_GLOBAL above.
			locals()[a53] = val
			arg = 0
		elif cur_inst == 52:  # ref 2571 9397
			DEBUG(oldpc, 'BUILD_SLICE'.ljust(20, ' '), arg)
			if arg == 2:
				a44 = stack.pop()
				a9 = stack.pop()
				stack.append(slice(a9, a44))
			elif arg == 3:
				a43 = stack.pop()
				a44 = stack.pop()
				a9 = stack.pop()
				stack.append(slice(a9, a44, a43))
			arg = 0
		else:
			raise RuntimeError('unknown opcode')

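查看输出的代码,可以看出,输入长度需要是 64:偏移 564–627 处先比较 len(f1ag) + ord('k') > 171(长度大于 64 时跳到 161),再比较 len(f1ag) + ord('e') < 44 + ord('y')(只有长度不小于 64 时才会跳到 904 继续执行)。之后可以发现调用了 md5 等函数。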

0    JUMP_ABSOLUTE        352
6    FOR_ITER             927
9    STORE_GLOBAL         15   l1
12    LOAD_GLOBAL          14   chr
15    LOAD_GLOBAL          15   l1
18    CALL                 1
21    LIST_APPEND          2
24    JUMP_ABSOLUTE        6
32    FOR_ITER             1196
35    STORE_GLOBAL         15   l1
38    LOAD_GLOBAL          14   chr
41    LOAD_GLOBAL          15   l1
44    CALL                 1
47    LIST_APPEND          2
50    JUMP_ABSOLUTE        32
79    FOR_ITER             551
82    STORE_GLOBAL         13   x
85    LOAD_GLOBAL          14   chr
88    LOAD_GLOBAL          7    ord
91    LOAD_GLOBAL          13   x
94    CALL                 1
97    LOAD_CONST           36   37
100    BINARY_XOR
101    CALL                 1
104    LIST_APPEND          2
107    JUMP_ABSOLUTE        79
118    FOR_ITER             712
121    STORE_GLOBAL         15   l1
124    LOAD_GLOBAL          14   chr
127    LOAD_GLOBAL          15   l1
130    CALL                 1
133    LIST_APPEND          2
136    JUMP_ABSOLUTE        118
190    FOR_ITER             552
193    STORE_GLOBAL         15   l1
196    LOAD_GLOBAL          14   chr
199    LOAD_GLOBAL          15   l1
202    CALL                 1
205    LIST_APPEND          2
208    JUMP_ABSOLUTE        190
233    FOR_ITER             1315
236    STORE_GLOBAL         15   l1
239    LOAD_GLOBAL          14   chr
242    LOAD_GLOBAL          15   l1
245    CALL                 1
248    LIST_APPEND          2
251    JUMP_ABSOLUTE        233
270    FOR_ITER             891
273    STORE_GLOBAL         15   l1
276    LOAD_GLOBAL          14   chr
279    LOAD_GLOBAL          15   l1
282    CALL                 1
285    LIST_APPEND          2
288    JUMP_ABSOLUTE        270
302    FOR_ITER             1205
305    STORE_GLOBAL         31   l1llllll
308    LOAD_GLOBAL          30   llll1lll
311    LOAD_GLOBAL          31   l1llllll
314    BINARY_SUBSCR
315    LOAD_GLOBAL          29   lllll1ll
318    LOAD_GLOBAL          31   l1llllll
321    BINARY_SUBSCR
322    COMPARE_OP           3
325    POP_JUMP_IF_FALSE    302
328    LOAD_CONST           81   'Good! But wrong answer, please try again!'
331    PRINT_EXPR
332    PRINT_NEWLINE
333    LOAD_GLOBAL          0    sys
336    LOAD_ATTR            8    exit
339    LOAD_CONST           0    -1
342    CALL                 1
352    LOAD_CONST           0    -1
355    LOAD_CONST           1    None
358    IMPORT_NAME          0
361    STORE_GLOBAL         0    sys
364    LOAD_CONST           0    -1
367    LOAD_CONST           1    None
370    IMPORT_NAME          1
373    STORE_GLOBAL         1    hashlib
376    LOAD_CONST           2    '==--AVMPROTECTFUNCTION--=='
379    STORE_GLOBAL         2    AVM
382    LOAD_CONST           3    'bce0af39a797'
385    STORE_GLOBAL         3    flag
388    LOAD_GLOBAL          3    flag
391    LOAD_CONST           4    '9d8e9bcfe8d3'
394    LOAD_CONST           1    None
397    LOAD_CONST           1    None
400    LOAD_CONST           0    -1
403    BUILD_SLICE          3
406    BINARY_SUBSCR
407    INPLACE_ADD
408    STORE_GLOBAL         3    flag
411    LOAD_CONST           5    u'WARNING\xd7WARNING\xd7WARNING'
414    STORE_GLOBAL         2    AVM
417    LOAD_CONST           6    u'WARNING WARNING WARNING YOU'
420    STORE_GLOBAL         2    AVM
423    LOAD_CONST           7    u'Ba Ba Battle You Battle You Battle You'
426    STORE_GLOBAL         2    AVM
429    LOAD_CONST           8    u'(And watch out!)'
432    STORE_GLOBAL         2    AVM
435    LOAD_CONST           9    u'WARNING WARNING WARNING HELL'
438    STORE_GLOBAL         2    AVM
441    LOAD_CONST           10   u'Yeah you cannot die not at this time!'
444    STORE_GLOBAL         2    AVM
447    LOAD_CONST           11   u'WARNING!'
450    STORE_GLOBAL         2    AVM
453    LOAD_CONST           12   u'\u4f60\u5bf9\u6211\u6709\u4f55\u5c45\u5fc3\u5462\uff1f'
456    STORE_GLOBAL         2    AVM
459    LOAD_CONST           13   u'\u522b\u968f\u610f\u5730\u8fdb\u6765\u554a'
462    STORE_GLOBAL         2    AVM
465    LOAD_CONST           11   u'WARNING!'
468    STORE_GLOBAL         2    AVM
471    LOAD_CONST           14   u'\u975e\u5e38\u5371\u9669\u7684\u6c14\u606f'
474    STORE_GLOBAL         2    AVM
477    LOAD_CONST           15   u'\u7edd\u5bf9\u56de\u907f\u4e0d\u80fd\u7684\u5f39\u5e55'
480    STORE_GLOBAL         2    AVM
483    LOAD_CONST           11   u'WARNING!'
486    STORE_GLOBAL         2    AVM
489    LOAD_CONST           16   u'\u8981\u662f\u5c0f\u770b\u672c\u5a18\u7684\u8bdd'
492    STORE_GLOBAL         2    AVM
495    LOAD_CONST           17   u'\u4f60\u94c1\u5b9a\u4f1a\u4e0d\u505c\u5c1d\u5230BAD END'
498    STORE_GLOBAL         2    AVM
501    LOAD_CONST           18   u'\u4f60\u7684\u5fc3\u53ef\u662f\u4e00\u5b9a\u4f1a'
504    STORE_GLOBAL         2    AVM
507    LOAD_CONST           19   u'WARNING WARNING'
510    STORE_GLOBAL         2    AVM
513    LOAD_CONST           20   u'\u4e0d\u5f97\u4e0d\u8b66\u793a\u8b66\u62a5\u7684\u5427'
516    STORE_GLOBAL         2    AVM
519    LOAD_GLOBAL          4    raw_input
522    LOAD_CONST           21   'Input UR answer: '
525    CALL                 1
528    STORE_GLOBAL         5    f1ag
531    LOAD_GLOBAL          3    flag
534    LOAD_CONST           22   '33c0691e3230d16fb434e5'
537    INPLACE_ADD
538    STORE_GLOBAL         3    flag
541    LOAD_GLOBAL          3    flag
544    LOAD_CONST           23   '8ce92dc3fe708e5b81a848'
547    LOAD_CONST           1    None
550    LOAD_CONST           1    None
553    LOAD_CONST           0    -1
556    BUILD_SLICE          3
559    BINARY_SUBSCR
560    INPLACE_ADD
561    STORE_GLOBAL         3    flag
564    LOAD_GLOBAL          6    len
567    LOAD_GLOBAL          5    f1ag
570    CALL                 1
573    LOAD_GLOBAL          7    ord
576    LOAD_CONST           24   'k'
579    CALL                 1
582    BINARY_ADD
583    LOAD_CONST           25   171
586    COMPARE_OP           4
589    POP_JUMP_IF_TRUE     161
592    LOAD_GLOBAL          6    len
595    LOAD_GLOBAL          5    f1ag
598    CALL                 1
601    LOAD_GLOBAL          7    ord
604    LOAD_CONST           26   'e'
607    CALL                 1
610    BINARY_ADD
611    LOAD_CONST           27   44
614    LOAD_GLOBAL          7    ord
617    LOAD_CONST           28   'y'
620    CALL                 1
623    BINARY_ADD
624    COMPARE_OP           0
627    POP_JUMP_IF_FALSE    904
633    CALL                 1
636    STORE_GLOBAL         3    flag
639    LOAD_CONST           37   u'\u8981\u662f\u4e0b\u5b9a\u51b3\u5fc3\u5c31\u6765\u5427'
642    STORE_GLOBAL         2    AVM
645    LOAD_CONST           38   u'\u6216\u8bb8\u4f1a\u611f\u5230\u5174\u594b'
648    STORE_GLOBAL         2    AVM
651    LOAD_CONST           39   u'\u6216\u662f\u6fc0\u52a8\u4e5f\u8bf4\u4e0d\u5b9a'
654    STORE_GLOBAL         2    AVM
657    LOAD_CONST           40   u'\u4e00\u8fb9\u611f\u5230\u65e0\u804a \u4e00\u8fb9\u5439\u7740\u53e3\u54e8'
660    STORE_GLOBAL         2    AVM
663    LOAD_CONST           41   u'\u771f\u4e0d\u9519\u5462 \u5355\u7eaf\u7684\u65cb\u5f8b'
666    STORE_GLOBAL         2    AVM
669    LOAD_CONST           42   u'\u672c\u5a18\u8fd8\u4f1a\u8fd8\u4f1a\u8fd8\u4f1a\u7ee7\u7eed\u4e0a\u5594!'
672    STORE_GLOBAL         2    AVM
675    LOAD_CONST           43   u'\u770b\u597d\u7ed9\u672c\u5a18\u66f4\u52a0\u66f4\u52a0\u5730\u8eb2\u5f00\u5427\uff01'
678    STORE_GLOBAL         2    AVM
681    LOAD_CONST           44   u'\u4f60\u6709\u591a\u5c11\u80fd\u8010\u5462\uff1f'
684    STORE_GLOBAL         2    AVM
687    LOAD_CONST           45   u'\u5bf9\u4e0a\u672c\u5a18\u70ed\u60c5\u5982\u706b\u7684\u7231\uff1f'
690    STORE_GLOBAL         2    AVM
693    LOAD_CONST           46   0
696    STORE_GLOBAL         15   l1
699    BUILD_LIST           0
702    STORE_GLOBAL         16   ll
705    LOAD_CONST           47   3
708    LOAD_CONST           48   1
711    LOAD_CONST           46   0
714    LOAD_CONST           49   2
717    BUILD_LIST           4
720    DEL_LIST             4
723    STORE_GLOBAL         17   ll1
726    STORE_GLOBAL         18   l1l
729    STORE_GLOBAL         19   l11
732    STORE_GLOBAL         20   l1ll
735    TABLE_B_ADD_72       681
738    LOAD_GLOBAL          5    f1ag
741    GET_ITER
742    JUMP_ABSOLUTE        989
745    CALL                 1
748    LOAD_ATTR            11   encode
751    LOAD_CONST           31   'hex'
754    CALL                 1
757    CALL                 1
760    LOAD_ATTR            24   hexdigest
763    CALL                 0
766    STORE_GLOBAL         29   lllll1ll
769    LOAD_GLOBAL          1    hashlib
772    LOAD_ATTR            23   md5
775    LOAD_CONST           35   ''
778    LOAD_ATTR            12   join
781    BUILD_LIST           0
784    LOAD_GLOBAL          16   ll
787    LOAD_CONST           72   16
790    LOAD_CONST           75   20
793    SLICE+3
794    LOAD_CONST           1    None
797    LOAD_CONST           1    None
800    LOAD_CONST           0    -1
803    BUILD_SLICE          3
806    BINARY_SUBSCR
807    GET_ITER
808    JUMP_ABSOLUTE        270
833    CALL                 1
836    LOAD_ATTR            11   encode
839    LOAD_CONST           31   'hex'
842    CALL                 1
845    CALL                 1
848    LOAD_ATTR            24   hexdigest
851    CALL                 0
854    STORE_GLOBAL         26   lllllll1
857    LOAD_GLOBAL          1    hashlib
860    LOAD_ATTR            23   md5
863    LOAD_CONST           35   ''
866    LOAD_ATTR            12   join
869    BUILD_LIST           0
872    LOAD_GLOBAL          16   ll
875    LOAD_CONST           50   4
878    LOAD_CONST           73   8
881    SLICE+3
882    GET_ITER
883    JUMP_ABSOLUTE        6
904    TABLE_B_ADD_242      931
907    LOAD_GLOBAL          3    flag
910    LOAD_ATTR            10   decode
913    LOAD_CONST           31   'hex'
916    CALL                 1
919    STORE_GLOBAL         3    flag
922    TABLE_B_POP
923    JUMP_ADD             1246 -> 2172
936    CALL                 1
939    LOAD_ATTR            11   encode
942    LOAD_CONST           31   'hex'
945    CALL                 1
948    CALL                 1
951    LOAD_ATTR            24   hexdigest
954    CALL                 0
957    STORE_GLOBAL         27   ll1lllll
960    LOAD_GLOBAL          1    hashlib
963    LOAD_ATTR            23   md5
966    LOAD_CONST           35   ''
969    LOAD_ATTR            12   join
972    BUILD_LIST           0
975    LOAD_GLOBAL          16   ll
978    LOAD_CONST           74   24
981    LOAD_CONST           69   28
984    SLICE+3
985    GET_ITER
986    JUMP_ABSOLUTE        1088
989    FOR_ITER             796
992    STORE_GLOBAL         21   llll
995    LOAD_GLOBAL          15   l1
998    LOAD_CONST           50   4
1001    BINARY_MODULO
1002    LOAD_GLOBAL          17   ll1
1005    COMPARE_OP           2
1008    POP_JUMP_IF_FALSE    1715
1011    LOAD_GLOBAL          16   ll
1014    LOAD_ATTR            22   append
1017    LOAD_GLOBAL          7    ord
1020    LOAD_GLOBAL          21   llll
1023    CALL                 1
1026    LOAD_GLOBAL          7    ord
1029    LOAD_GLOBAL          3    flag
1032    LOAD_GLOBAL          15   l1
1035    LOAD_CONST           50   4
1038    BINARY_RSHIFT
1039    LOAD_CONST           49   2
1042    BINARY_ADD
1043    BINARY_SUBSCR
1044    CALL                 1
1047    BINARY_XOR
1048    LOAD_CONST           36   37
1051    BINARY_XOR
1052    CALL                 1
1055    POP_TOP
1056    JUMP_ADD             656  -> 1715
1088    FOR_ITER             198
1091    STORE_GLOBAL         15   l1
1094    LOAD_GLOBAL          14   chr
1097    LOAD_GLOBAL          15   l1
1100    CALL                 1
1103    LIST_APPEND          2
1106    JUMP_ABSOLUTE        1088
1109    FOR_ITER             496
1112    STORE_GLOBAL         15   l1
1115    LOAD_GLOBAL          15   l1
1118    LOAD_CONST           61   255
1121    BINARY_XOR
1122    LIST_APPEND          2
1125    JUMP_ABSOLUTE        1109
1164    CALL                 1
1167    LOAD_ATTR            11   encode
1170    LOAD_CONST           31   'hex'
1173    CALL                 1
1176    CALL                 1
1179    LOAD_ATTR            24   hexdigest
1182    CALL                 0
1185    STORE_GLOBAL         30   llll1lll
1188    LOAD_GLOBAL          1    hashlib
1191    LOAD_ATTR            23   md5
1194    LOAD_CONST           35   ''
1197    LOAD_ATTR            12   join
1200    BUILD_LIST           0
1203    LOAD_GLOBAL          16   ll
1206    LOAD_CONST           73   8
1209    LOAD_CONST           71   12
1212    SLICE+3
1213    GET_ITER
1214    JUMP_ABSOLUTE        32
1231    CALL                 1
1234    LOAD_ATTR            11   encode
1237    LOAD_CONST           31   'hex'
1240    CALL                 1
1243    CALL                 1
1246    LOAD_ATTR            24   hexdigest
1249    CALL                 0
1252    STORE_GLOBAL         31   l1llllll
1255    LOAD_GLOBAL          1    hashlib
1258    LOAD_ATTR            23   md5
1261    LOAD_CONST           35   ''
1264    LOAD_ATTR            12   join
1267    BUILD_LIST           0
1270    LOAD_GLOBAL          16   ll
1273    LOAD_CONST           75   20
1276    LOAD_CONST           74   24
1279    SLICE+3
1280    GET_ITER
1281    JUMP_ABSOLUTE        1518
1289    CALL                 1
1292    LOAD_ATTR            11   encode
1295    LOAD_CONST           31   'hex'
1298    CALL                 1
1301    CALL                 1
1304    LOAD_ATTR            24   hexdigest
1307    CALL                 0
1310    STORE_GLOBAL         28   ll1lll1l
1313    LOAD_GLOBAL          1    hashlib
1316    LOAD_ATTR            23   md5
1319    LOAD_CONST           35   ''
1322    LOAD_ATTR            12   join
1325    BUILD_LIST           0
1328    LOAD_GLOBAL          16   ll
1331    LOAD_CONST           46   0
1334    LOAD_CONST           50   4
1337    SLICE+3
1338    GET_ITER
1339    JUMP_ABSOLUTE        190
1360    FOR_ITER             450
1363    STORE_GLOBAL         27   ll1lllll
1366    LOAD_GLOBAL          27   ll1lllll
1369    LOAD_ATTR            34   isupper
1372    CALL                 0
1375    POP_JUMP_IF_FALSE    1927
1419    LOAD_CONST           53   u'Burning!'
1422    STORE_GLOBAL         2    AVM
1425    LOAD_CONST           53   u'Burning!'
1428    STORE_GLOBAL         2    AVM
1431    LOAD_CONST           53   u'Burning!'
1434    STORE_GLOBAL         2    AVM
1437    LOAD_CONST           54   u'\u672c\u5a18\u597d\u5f00\u5fc3!'
1440    STORE_GLOBAL         2    AVM
1443    LOAD_CONST           53   u'Burning!'
1446    STORE_GLOBAL         2    AVM
1449    LOAD_CONST           55   u'\u4e0d\u5f97\u4e86?'
1452    STORE_GLOBAL         2    AVM
1455    LOAD_CONST           56   u'\u4f46\u662f, \u679c\u7136\u5f88\u5f00\u5fc3\u5427?'
1458    STORE_GLOBAL         2    AVM
1461    LOAD_CONST           57   u'*********************'
1464    STORE_GLOBAL         2    AVM
1467    LOAD_CONST           58   u'\u518d\u4e00\u6b21\u534e\u4e3d\u7684\u95ea\u8fc7\u5427!'
1470    STORE_GLOBAL         2    AVM
1473    LOAD_CONST           59   u'\u770b\u554a\u8fd8\u6709\u66f4\u591a\u66f4\u591a\u5594!'
1476    STORE_GLOBAL         2    AVM
1479    LOAD_CONST           60   u'\u90fd\u7ed9\u672c\u5a18\u786e\u5207\u5730\u95ea\u8fc7!'
1482    STORE_GLOBAL         2    AVM
1485    BUILD_LIST           0
1488    LOAD_GLOBAL          16   ll
1491    GET_ITER
1492    JUMP_ABSOLUTE        1109
1518    FOR_ITER             529
1521    STORE_GLOBAL         15   l1
1524    LOAD_GLOBAL          14   chr
1527    LOAD_GLOBAL          15   l1
1530    CALL                 1
1533    LIST_APPEND          2
1536    JUMP_ABSOLUTE        1518
1551    CALL                 1
1554    LOAD_ATTR            11   encode
1557    LOAD_CONST           31   'hex'
1560    CALL                 1
1563    CALL                 1
1566    LOAD_ATTR            24   hexdigest
1569    CALL                 0
1572    STORE_GLOBAL         25   l1ll1lll
1575    LOAD_GLOBAL          1    hashlib
1578    LOAD_ATTR            23   md5
1581    LOAD_CONST           35   ''
1584    LOAD_ATTR            12   join
1587    BUILD_LIST           0
1590    LOAD_GLOBAL          16   ll
1593    LOAD_CONST           71   12
1596    LOAD_CONST           72   16
1599    SLICE+3
1600    GET_ITER
1601    JUMP_ABSOLUTE        118
1608    STORE_GLOBAL         16   ll
1611    LOAD_CONST           62   u'\u672c\u5a18\u88ab\u6253\u8fdb\u4e86\u7ed3\u5c40\uff01\uff1f'
1614    STORE_GLOBAL         2    AVM
1617    LOAD_CONST           53   u'Burning!'
1620    STORE_GLOBAL         2    AVM
1623    LOAD_CONST           53   u'Burning!'
1626    STORE_GLOBAL         2    AVM
1629    LOAD_CONST           53   u'Burning!'
1632    STORE_GLOBAL         2    AVM
1635    LOAD_CONST           63   u'\u672c\u5a18\u53ef\u4e0d\u80fd\u8f93!'
1638    STORE_GLOBAL         2    AVM
1641    LOAD_CONST           53   u'Burning!'
1644    STORE_GLOBAL         2    AVM
1647    LOAD_CONST           64   u'\u867d\u7136\u5f88\u4e0d\u7518\u5fc3'
1650    STORE_GLOBAL         2    AVM
1653    LOAD_CONST           65   u'\u4f46\u662f\u5f88\u5f00\u5fc3 WARNING!!!'
1656    STORE_GLOBAL         2    AVM
1659    LOAD_CONST           57   u'*********************'
1662    STORE_GLOBAL         2    AVM
1665    LOAD_CONST           66   u'\u672c\u5a18\u8b66\u544a\u4f60\uff0c\u8fd9\u662f\u4f60\u6700\u540e\u7684\u673a\u4f1a'
1668    STORE_GLOBAL         2    AVM
1671    LOAD_CONST           67   u'\u672c\u5a18\u8d85\u7ea7\u5730~\u5371\u9669\u3001\u72c2\u6c14'
1674    STORE_GLOBAL         2    AVM
1677    LOAD_CONST           68   u'\u800c\u4e14\u4f60\u65e0\u6cd5\u9003\u907f\u6211\u534e\u4e3d\u7684\u5f39\u5e55'
1680    STORE_GLOBAL         2    AVM
1683    LOAD_GLOBAL          1    hashlib
1686    LOAD_ATTR            23   md5
1689    LOAD_CONST           35   ''
1692    LOAD_ATTR            12   join
1695    BUILD_LIST           0
1698    LOAD_GLOBAL          16   ll
1701    LOAD_CONST           69   28
1704    LOAD_CONST           70   32
1707    SLICE+3
1708    GET_ITER
1709    JUMP_ABSOLUTE        233
1712    JUMP_ABSOLUTE        1360
1715    LOAD_GLOBAL          15   l1
1718    LOAD_CONST           50   4
1721    BINARY_MODULO
1722    LOAD_GLOBAL          18   l1l
1725    COMPARE_OP           2
1728    POP_JUMP_IF_FALSE    1863
1731    LOAD_GLOBAL          16   ll
1734    LOAD_ATTR            22   append
1737    LOAD_GLOBAL          7    ord
1740    LOAD_GLOBAL          21   llll
1743    CALL                 1
1746    LOAD_GLOBAL          7    ord
1749    LOAD_GLOBAL          3    flag
1752    LOAD_GLOBAL          15   l1
1755    LOAD_CONST           50   4
1758    BINARY_RSHIFT
1759    LOAD_CONST           48   1
1762    BINARY_ADD
1763    BINARY_SUBSCR
1764    CALL                 1
1767    BINARY_XOR
1768    LOAD_CONST           51   94
1771    BINARY_XOR
1772    CALL                 1
1775    POP_TOP
1776    JUMP_ADD             84   -> 1863
1788    TABLE_B_POP
1789    JUMP_ABSOLUTE        1419
1813    TABLE_B_POP
1814    JUMP_ABSOLUTE        2215
1863    LOAD_GLOBAL          15   l1
1866    LOAD_CONST           50   4
1869    BINARY_MODULO
1870    LOAD_GLOBAL          19   l11
1873    COMPARE_OP           2
1876    POP_JUMP_IF_FALSE    1980
1879    LOAD_GLOBAL          16   ll
1882    LOAD_ATTR            22   append
1885    LOAD_GLOBAL          7    ord
1888    LOAD_GLOBAL          21   llll
1891    CALL                 1
1894    LOAD_GLOBAL          7    ord
1897    LOAD_GLOBAL          3    flag
1900    LOAD_GLOBAL          15   l1
1903    LOAD_CONST           50   4
1906    BINARY_RSHIFT
1907    LOAD_CONST           47   3
1910    BINARY_ADD
1911    BINARY_SUBSCR
1912    CALL                 1
1915    BINARY_XOR
1916    LOAD_CONST           52   204
1919    BINARY_XOR
1920    CALL                 1
1923    POP_TOP
1924    JUMP_ADD             53   -> 1980
1927    LOAD_GLOBAL          27   ll1lllll
1930    LOAD_ATTR            35   islower
1933    CALL                 0
1936    POP_JUMP_IF_FALSE    2329
1939    LOAD_GLOBAL          27   ll1lllll
1942    LOAD_CONST           78   'm'
1945    COMPARE_OP           1
1948    POP_JUMP_IF_FALSE    1135
1951    LOAD_GLOBAL          30   llll1lll
1954    LOAD_GLOBAL          14   chr
1957    LOAD_GLOBAL          7    ord
1960    LOAD_GLOBAL          27   ll1lllll
1963    CALL                 1
1966    LOAD_CONST           77   13
1969    BINARY_ADD
1970    CALL                 1
1973    INPLACE_ADD
1974    STORE_GLOBAL         30   llll1lll
1977    JUMP_ABSOLUTE        1712
1980    LOAD_GLOBAL          15   l1
1983    LOAD_CONST           50   4
1986    BINARY_MODULO
1987    LOAD_GLOBAL          20   l1ll
1990    COMPARE_OP           2
1993    POP_JUMP_IF_FALSE    2194
1996    LOAD_GLOBAL          16   ll
1999    LOAD_ATTR            22   append
2002    LOAD_GLOBAL          7    ord
2005    LOAD_GLOBAL          21   llll
2008    CALL                 1
2011    LOAD_GLOBAL          7    ord
2014    LOAD_GLOBAL          3    flag
2017    LOAD_GLOBAL          15   l1
2020    LOAD_CONST           50   4
2023    BINARY_RSHIFT
2024    BINARY_SUBSCR
2025    CALL                 1
2028    BINARY_XOR
2029    LOAD_CONST           25   171
2032    BINARY_XOR
2033    CALL                 1
2036    POP_TOP
2037    JUMP_ADD             154  -> 2194
2050    CALL                 1
2053    LOAD_ATTR            11   encode
2056    LOAD_CONST           31   'hex'
2059    CALL                 1
2062    CALL                 1
2065    LOAD_ATTR            24   hexdigest
2068    CALL                 0
2071    STORE_GLOBAL         32   llllll1l
2074    LOAD_GLOBAL          25   l1ll1lll
2077    LOAD_GLOBAL          26   lllllll1
2080    BINARY_ADD
2081    LOAD_GLOBAL          27   ll1lllll
2084    BINARY_ADD
2085    LOAD_GLOBAL          28   ll1lll1l
2088    BINARY_ADD
2089    LOAD_GLOBAL          29   lllll1ll
2092    BINARY_ADD
2093    LOAD_GLOBAL          30   llll1lll
2096    BINARY_ADD
2097    LOAD_GLOBAL          31   l1llllll
2100    BINARY_ADD
2101    LOAD_GLOBAL          32   llllll1l
2104    BINARY_ADD
2105    STORE_GLOBAL         33   l1l11lll
2108    LOAD_CONST           42   u'\u672c\u5a18\u8fd8\u4f1a\u8fd8\u4f1a\u8fd8\u4f1a\u7ee7\u7eed\u4e0a\u5594!'
2111    STORE_GLOBAL         2    AVM
2114    LOAD_CONST           43   u'\u770b\u597d\u7ed9\u672c\u5a18\u66f4\u52a0\u66f4\u52a0\u5730\u8eb2\u5f00\u5427\uff01'
2117    STORE_GLOBAL         2    AVM
2120    LOAD_CONST           44   u'\u4f60\u6709\u591a\u5c11\u80fd\u8010\u5462\uff1f'
2123    STORE_GLOBAL         2    AVM
2126    LOAD_CONST           45   u'\u5bf9\u4e0a\u672c\u5a18\u70ed\u60c5\u5982\u706b\u7684\u7231\uff1f'
2129    STORE_GLOBAL         2    AVM
2132    LOAD_CONST           57   u'*********************'
2135    STORE_GLOBAL         2    AVM
2138    LOAD_CONST           58   u'\u518d\u4e00\u6b21\u534e\u4e3d\u7684\u95ea\u8fc7\u5427!'
2141    STORE_GLOBAL         2    AVM
2144    LOAD_CONST           59   u'\u770b\u554a\u8fd8\u6709\u66f4\u591a\u66f4\u591a\u5594!'
2147    STORE_GLOBAL         2    AVM
2150    LOAD_CONST           60   u'\u90fd\u7ed9\u672c\u5a18\u786e\u5207\u5730\u95ea\u8fc7!'
2153    STORE_GLOBAL         2    AVM
2156    LOAD_CONST           35   ''
2159    STORE_GLOBAL         30   llll1lll
2162    TABLE_B_ADD_72       50
2165    LOAD_GLOBAL          33   l1l11lll
2168    GET_ITER
2169    JUMP_ABSOLUTE        1360
2172    TABLE_B_ADD_242      134
2175    LOAD_GLOBAL          3    flag
2178    LOAD_ATTR            11   encode
2181    LOAD_CONST           33   'base64'
2184    CALL                 1
2187    STORE_GLOBAL         3    flag
2190    TABLE_B_POP
2191    JUMP_ADD             192  -> 2386
2194    LOAD_GLOBAL          15   l1
2197    LOAD_CONST           48   1
2200    INPLACE_ADD
2201    STORE_GLOBAL         15   l1
2204    JUMP_ABSOLUTE        989
2215    LOAD_CONST           79   'ps1q6r14s2sn8o8o1n5982rq31o33143p52337s9870snq1r0rrr9s04qr58q9n53pq187q467p0949o8803r10909p332413oo3oq914847qo0n29qo81n1s90pq0330os586rr929r34884rqo351s6660q2ss8113923n911555s62sq3p3os78039o7q024pp03r8os0083r856599095ror8pr7op04r6oq485q3s558o4n39qrpn1n43o2'
2218    STORE_GLOBAL         29   lllll1ll
2221    LOAD_CONST           62   u'\u672c\u5a18\u88ab\u6253\u8fdb\u4e86\u7ed3\u5c40\uff01\uff1f'
2224    STORE_GLOBAL         2    AVM
2227    LOAD_CONST           53   u'Burning!'
2230    STORE_GLOBAL         2    AVM
2233    LOAD_CONST           53   u'Burning!'
2236    STORE_GLOBAL         2    AVM
2239    LOAD_CONST           53   u'Burning!'
2242    STORE_GLOBAL         2    AVM
2245    LOAD_CONST           80   u'\u672c\u5a18\u5f88\u5f00\u5fc3!'
2248    STORE_GLOBAL         2    AVM
2251    LOAD_CONST           53   u'Burning!'
2254    STORE_GLOBAL         2    AVM
2257    LOAD_CONST           64   u'\u867d\u7136\u5f88\u4e0d\u7518\u5fc3'
2260    STORE_GLOBAL         2    AVM
2263    LOAD_CONST           65   u'\u4f46\u662f\u5f88\u5f00\u5fc3 WARNING!!!'
2266    STORE_GLOBAL         2    AVM
2269    TABLE_B_ADD_72       70
2272    LOAD_GLOBAL          36   range
2275    LOAD_CONST           46   0
2278    LOAD_GLOBAL          6    len
2281    LOAD_GLOBAL          30   llll1lll
2284    CALL                 1
2287    CALL                 2
2290    GET_ITER
2291    JUMP_ABSOLUTE        302
2329    LOAD_GLOBAL          30   llll1lll
2332    LOAD_GLOBAL          27   ll1lllll
2335    INPLACE_ADD
2336    STORE_GLOBAL         30   llll1lll
2339    JUMP_ABSOLUTE        1712
2386    TABLE_B_ADD_242      38
2389    LOAD_GLOBAL          5    f1ag
2392    LOAD_ATTR            10   decode
2395    LOAD_CONST           31   'hex'
2398    CALL                 1
2401    STORE_GLOBAL         5    f1ag
2404    TABLE_B_POP
2405    JUMP_ADD             34   -> 2442
2442    LOAD_CONST           35   ''
2445    LOAD_ATTR            12   join
2448    BUILD_LIST           0
2451    LOAD_GLOBAL          3    flag
2454    GET_ITER
2455    JUMP_ABSOLUTE        79

通过在调用函数处输出参数,可以发现,输入被拆成 8 个部分,和一些内置值异或一下,然后求 md5。最后拼起来需要是指定的值。

每个部分是长为 8 的 hex(即 4 个字节,只有 16^8 = 2^32 种可能),而且各部分的 md5 是分别计算、没有加盐的,所以不难爆破。爆破完,还原输入,就得到了答案。

@Netrvin

Netrvin commented Sep 12, 2020

tql

@loadingfd

tql

@daimiaopeng

tql

@VergeDX

VergeDX commented Sep 13, 2020

tql

@Flynnon

Flynnon commented Sep 14, 2020

tql

@myitmx

myitmx commented Sep 14, 2020

tql

@9bie

9bie commented Sep 21, 2020

tql
