pyc 类型的反编译有时需要修改文件头,出题人会在文件头部进行修改,反编译代码后,需要分析并编写源代码获取 flag。
文件头#
python 文件头格式:
MAGIC_1_0 = 0x00999902,
MAGIC_1_1 = 0x00999903,
MAGIC_1_3 = 0x0A0D2E89,
MAGIC_1_4 = 0x0A0D1704,
MAGIC_1_5 = 0x0A0D4E99,
MAGIC_1_6 = 0x0A0DC4FC,
MAGIC_2_0 = 0x0A0DC687,
MAGIC_2_1 = 0x0A0DEB2A,
MAGIC_2_2 = 0x0A0DED2D,
MAGIC_2_3 = 0x0A0DF23B,
MAGIC_2_4 = 0x0A0DF26D,
MAGIC_2_5 = 0x0A0DF2B3,
MAGIC_2_6 = 0x0A0DF2D1,
MAGIC_2_7 = 0x0A0DF303,
MAGIC_3_0 = 0x0A0D0C3A,
MAGIC_3_1 = 0x0A0D0C4E,
MAGIC_3_2 = 0x0A0D0C6C,
MAGIC_3_3 = 0x0A0D0C9E,
MAGIC_3_4 = 0x0A0D0CEE,
MAGIC_3_5 = 0x0A0D0D16,
MAGIC_3_5_3 = 0x0A0D0D17,
MAGIC_3_6 = 0x0A0D0D33,
MAGIC_3_7 = 0x0A0D0D42,
MAGIC_3_8 = 0x0A0D0D55,
MAGIC_3_9 = 0x0A0D0D61,
如何生成一个 pyc 文件
python 代码如下 (文件名:pyc.py):
name = input("What is your name? ")
print(f"Hi, {name}!")
通过如下命令生成:
python3 -m py_compile pyc.py
3.9 的文件头如下,也就是0x0A0D0D61。
ctf 中的题目如果涉及到 pyc 的逆向,大部分都是需要反编译 pyc 文件,还原成 python 代码,再进行分析。
工具#
pyc 反编译工具有在线和离线两种工具
1、在线 pyc,pyo 反编译 python 反编译
http://tools.bugscaner.com/decompyle/
2、离线工具有uncompyle6和Easy Python Decompiler
uncompyle6是一个用于将已编译 Python 程序(即 .pyc 文件)反编译成其原始源代码的 Python 库和工具,支持 1.0-3.8 的 python 版本。
项目地址:GitHub - rocky/python-uncompyle6: A cross-version Python bytecode decompiler
Easy Python Decompiler也是一款 Python 字节码反编译器,可以反编译 pyc 和 pyo 文件,支持 1.0-3.4 的 python 版本。
下载地址:Easy Python Decompiler download | SourceForge.net
实例#
下载后的 pyc 文件名,从文件名可以大概推测是 python3.7 版本。
通过 16 进制编辑器打开,明显文件头部被修改了,拿一个正常的 python3.7 的 pyc 文件对比。
正常的 python 3.7 pyc 的文件头内容如下图所示:
修改后内容如下:
还原代码
uncompyle6 game.cpython-37.pyc > main.py
还原后的 python 代码如下:
# uncompyle6 version 3.9.0
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.9.12 (main, Mar 26 2022, 15:44:31)
# [Clang 13.1.6 (clang-1316.0.21.2)]
# Embedded file name: game.py
# Compiled at: 2020-02-02 19:15:47
# Size of source mod 2**32: 12 bytes
"""贪吃蛇"""
import random, sys, time, pygame
from pygame.locals import *
from collections import deque
SCREEN_WIDTH = 600
SCREEN_HEIGHT = 480
SIZE = 20
LINE_WIDTH = 1
SCOPE_X = (
0, SCREEN_WIDTH // SIZE - 1)
SCOPE_Y = (2, SCREEN_HEIGHT // SIZE - 1)
FOOD_STYLE_LIST = [
(10, (255, 100, 100)), (20, (100, 255, 100)), (30, (100, 100, 255))]
LIGHT = (100, 100, 100)
DARK = (200, 200, 200)
BLACK = (0, 0, 0)
RED = (200, 30, 30)
BGCOLOR = (40, 40, 60)
def print_text(screen, font, x, y, text, fcolor=(255, 255, 255)):
imgText = font.render(text, True, fcolor)
screen.blit(imgText, (x, y))
def init_snake():
snake = deque()
snake.append((2, SCOPE_Y[0]))
snake.append((1, SCOPE_Y[0]))
snake.append((0, SCOPE_Y[0]))
return snake
def create_food(snake):
food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])
while (food_x, food_y) in snake:
food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])
return (
food_x, food_y)
def get_food_style():
return FOOD_STYLE_LIST[random.randint(0, 2)]
def main():
pygame.init()
screen = pygame.display.set_mode((SCREEN_WIDTH, SCREEN_HEIGHT))
pygame.display.set_caption('贪吃蛇')
font1 = pygame.font.SysFont('SimHei', 24)
font2 = pygame.font.Font(None, 72)
fwidth, fheight = font2.size('GAME OVER')
b = True
snake = init_snake()
food = create_food(snake)
food_style = get_food_style()
pos = (1, 0)
game_over = True
start = False
score = 0
orispeed = 0.5
speed = orispeed
last_move_time = None
pause = False
while 1:
for event in pygame.event.get():
if event.type == QUIT:
sys.exit()
screen.fill(BGCOLOR)
for x in range(SIZE, SCREEN_WIDTH, SIZE):
pygame.draw.line(screen, BLACK, (x, SCOPE_Y[0] * SIZE), (x, SCREEN_HEIGHT), LINE_WIDTH)
for y in range(SCOPE_Y[0] * SIZE, SCREEN_HEIGHT, SIZE):
pygame.draw.line(screen, BLACK, (0, y), (SCREEN_WIDTH, y), LINE_WIDTH)
curTime = game_over or time.time()
if curTime - last_move_time > speed and not pause:
b = True
last_move_time = curTime
next_s = (snake[0][0] + pos[0], snake[0][1] + pos[1])
if next_s == food:
snake.appendleft(next_s)
score += food_style[0]
speed = orispeed - 0.03 * (score // 100)
food = create_food(snake)
food_style = get_food_style()
else:
if SCOPE_X[0] <= next_s[0] <= SCOPE_X[1]:
if SCOPE_Y[0] <= next_s[1] <= SCOPE_Y[1]:
if next_s not in snake:
snake.appendleft(next_s)
snake.pop()
else:
game_over = True
if not game_over:
pygame.draw.rect(screen, food_style[1], (food[0] * SIZE, food[1] * SIZE, SIZE, SIZE), 0)
for s in snake:
pygame.draw.rect(screen, DARK, (s[0] * SIZE + LINE_WIDTH, s[1] * SIZE + LINE_WIDTH,
SIZE - LINE_WIDTH * 2, SIZE - LINE_WIDTH * 2), 0)
print_text(screen, font1, 30, 7, f"速度: {score // 100}")
print_text(screen, font1, 450, 7, f"得分: {score}")
if score > 1000:
flag = [
30, 196,
52, 252, 49, 220, 7, 243,
3, 241, 24, 224, 40, 230,
25, 251, 28, 233, 40, 237,
4, 225, 4, 215, 40, 231,
22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119
print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, bytes(flag).decode(), RED)
pygame.display.update()
if game_over:
if start:
print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, 'GAME OVER', RED)
pygame.display.update()
if __name__ == '__main__':
main()
# okay decompiling game.cpython-37.pyc
通过对 python 文件进行分析,这是个游戏,游玩分数大于 1000 分就能获取 flag,关键代码如下:
if score > 1000:
flag = [
30, 196,
52, 252, 49, 220, 7, 243,
3, 241, 24, 224, 40, 230,
25, 251, 28, 233, 40, 237,
4, 225, 4, 215, 40, 231,
22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119
编写代码获取 flag
flag = [30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230, 25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119
result = ""
for i in range(0, len(flag), 2):
char = chr(flag[i]) + chr(flag[i + 1])
result += char
print(result) //获取flag LitCTF{python_snake_is_so_easy!}