柏鹭杯 2021 - baby_python (PyInstaller-packed, with AES-encrypted PYZ)

二木 (forum rank: King)


Find the file referenced by the main function, then decrypt that file accordingly.

import zlib
# Cipher is PyInstaller's own loader class (pyimod02_archive, extracted from the
# bundle alongside the PYZ); it reads the AES key from pyimod00_crypto_key and
# strips the 16-byte IV itself. It needs tinyaes installed.
from pyimod02_archive import Cipher

inf = open(r'PYZ-00.pyz_extracted\baby_python\baby_core.pyc.encrypted', 'rb')
c = Cipher()

buf = c.decrypt(inf.read())
buf = zlib.decompress(buf)  # reading that loader file shows the ciphertext is zlib-compressed, so decompress it

# Note: this is a bare marshalled code object; a pyc header must be prepended
# before a decompiler will accept it (the second script below does that).
out = open(r'PYZ-00.pyz_extracted\baby_python\baby_core.pyc', 'wb')
out.write(buf)
print('written down %d bytes' % len(buf))

inf.close()
out.close()

Reference: [Original] Python Reversing: PyInstaller Reversing - Software Reversing - 看雪 Security Community (kanxue.com)

Another script that can be used for reference:

#!/usr/bin/env python3
import tinyaes
import zlib

CRYPT_BLOCK_SIZE = 16

# Key taken from crypt_key.pyc (you can also recover it by decompiling that file yourself)
key = bytes('MySup3rS3cr3tK3y', 'utf-8')

inf = open('baby_core.pyc.encrypted', 'rb')  # open the encrypted file
outf = open('baby_core.pyc', 'wb')  # output file

# The first block-sized chunk is the IV
iv = inf.read(CRYPT_BLOCK_SIZE)

cipher = tinyaes.AES(key, iv)

# Decrypt (AES-CTR), then decompress the zlib stream
plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))

# Prepend a pyc header (you can also add it by hand afterwards):
# 0x0D55 = 3413 is the magic number of Python 3.8, followed by 12 zero bytes
# for flags, mtime and source size
outf.write(b'\x55\x0d\x00\x00\0\0\0\0\0\0\0\0\0\0\0\0')

# Write the decrypted data
outf.write(plaintext)

inf.close()
outf.close()
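The layout both scripts above undo (16-byte IV, AES-CTR body, zlib, marshal, then a pyc header) as a reusable helper, added here as an example and not code from the writeup or from PyInstaller: it checks that the output really is a code object, so a wrong key fails loudly, and builds the header from the running interpreter's magic rather than hardcoding 3.8's `\x55\x0d`. The AES-CTR step is passed in as a callable (with tinyaes: `lambda iv, d: tinyaes.AES(key, iv).CTR_xcrypt_buffer(d)`); the XOR keystream and the sample code object in `demo()` are constructed stand-ins for the demo only.

```python
import importlib.util
import marshal
import struct
import types
import zlib

CRYPT_BLOCK_SIZE = 16  # PyInstaller's Cipher prepends a 16-byte IV to each entry

def decrypt_pyz_entry(blob, ctr_xcrypt):
    """Undo the encrypted-PYZ layout IV || AES-CTR(zlib(marshal(code))) and
    return the bare marshalled code object (still without a pyc header).
    ctr_xcrypt(iv, data) supplies the AES-CTR step; with the page's tool that is
    lambda iv, data: tinyaes.AES(key, iv).CTR_xcrypt_buffer(data)"""
    iv, body = blob[:CRYPT_BLOCK_SIZE], blob[CRYPT_BLOCK_SIZE:]
    try:
        marshalled = zlib.decompress(ctr_xcrypt(iv, body))
        obj = marshal.loads(marshalled)  # needs the same Python minor version
    except (zlib.error, ValueError, EOFError, TypeError) as exc:
        raise ValueError("wrong key/IV or Python version: %s" % exc) from exc
    if not isinstance(obj, types.CodeType):
        raise ValueError("decrypted data is not a code object")
    return marshalled

def pyc_header(magic=importlib.util.MAGIC_NUMBER, mtime=0, source_size=0):
    """16-byte pyc header (Python 3.7+): magic, flags=0, mtime, source size."""
    return magic + struct.pack("<III", 0, mtime, source_size)

def magic_number(header):
    """Little-endian magic word of a pyc header; 3413 (0x0D55) is CPython 3.8."""
    return struct.unpack("<H", header[:2])[0]

# Constructed demo material, not taken from the CTF binary.
_KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(1 << 16))

def stand_in_xcrypt(iv, data):
    """Stand-in for AES-CTR in the demo: XOR with a fixed keystream (not AES)."""
    return bytes(a ^ b for a, b in zip(data, _KEYSTREAM))

def demo():
    code = compile("def f(x):\n    return x * 2\n", "baby_core.py", "exec")
    body = stand_in_xcrypt(None, zlib.compress(marshal.dumps(code)))
    blob = b"\x00" * CRYPT_BLOCK_SIZE + body
    ns = {}
    exec(marshal.loads(decrypt_pyz_entry(blob, stand_in_xcrypt)), ns)
    try:  # wrong key: zlib/marshal reject the bytes instead of yielding silent garbage
        decrypt_pyz_entry(blob, lambda iv, d: d)
        rejected = False
    except ValueError:
        rejected = True
    return ns["f"](21), len(pyc_header()), rejected
```

Writing `pyc_header() + decrypt_pyz_entry(...)` to a `.pyc` file gives a decompiler-ready module for the interpreter version you are running, which must match the one the bundle was built with.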