因为大晚上才看题的,就随便看看那几个高分值的:
Midpython.exe
python代码写成的exe,进行反编译,先搞成pyc,然后把pyc反编译成py,但是在第二个步骤(把pyc反编译成py)的时候出现了如下报错:
Traceback (most recent call last):
File "g:\python3.7.6-64\lib\runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "g:\python3.7.6-64\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "G:\python3.7.6-64\Scripts\uncompyle6.exe\__main__.py", line 7, in <module>
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\bin\uncompile.py", line 194, in main_bin
**options)
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 324, in main
do_fragments,
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 222, in decompile_file
do_fragments=do_fragments,
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\main.py", line 141, in decompile
co, out, bytecode_version, debug_opts=debug_opts, is_pypy=is_pypy
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\semantics\pysource.py", line 2570, in code_deparse
scanner = get_scanner(version, is_pypy=is_pypy)
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanner.py", line 566, in get_scanner
"scan.Scanner%s(show_asm=show_asm)" % v_str, locals(), globals()
File "<string>", line 1, in <module>
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanners\scanner39.py", line 36, in __init__
Scanner37Base.__init__(self, 3.9, show_asm)
File "g:\python3.7.6-64\lib\site-packages\uncompyle6\scanners\scanner37base.py", line 98, in __init__
self.opc.END_FINALLY,
AttributeError: module 'xdis.opcodes.opcode_39' has no attribute 'END_FINALLY'
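好像是反编译器的版本不匹配:从报错栈看,uncompyle6 选用的是 scanner39,也就是说这个 pyc 是 Python 3.9 的字节码,而 xdis 的 opcode_39 里没有 END_FINALLY 这个操作码。
uncompyle6 可将 python 字节码转换回等效的 python 源代码,它接受 python 1.3 版到 3.8 版的字节码,所以 3.9 的 pyc 超出了它的支持范围。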
chall.bc
llc chall.bc -o chall.s

然后想把 .s(汇编代码)搞成可执行程序,在进行编译的时候出现了如下报错:
gcc -c chall.s -o hello
报错如下:
chall.s: Assembler messages:
chall.s:4: Error: unknown pseudo-op: `.def'
chall.s:5: Error: unknown pseudo-op: `.scl'
chall.s:6: Error: Missing symbol name in directive
chall.s:7: Error: unknown pseudo-op: `.endef'
chall.s:8: Error: expected symbol name
chall.s:9: Error: expected symbol name
chall.s:11: Error: unknown pseudo-op: `.def'
chall.s:12: Error: unknown pseudo-op: `.scl'
chall.s:13: Error: Missing symbol name in directive
chall.s:13: Error: unrecognized symbol type "32"
chall.s:14: Error: unknown pseudo-op: `.endef'
chall.s:30: Error: register save offset not a multiple of 8
chall.s:105: Error: unknown pseudo-op: `.def'
chall.s:106: Error: unknown pseudo-op: `.scl'
chall.s:107: Error: Missing symbol name in directive
chall.s:107: Error: unrecognized symbol type "32"
chall.s:108: Error: unknown pseudo-op: `.endef'
chall.s:122: Error: register save offset not a multiple of 8
chall.s:196: Error: unknown pseudo-op: `.def'
chall.s:197: Error: unknown pseudo-op: `.scl'
chall.s:198: Error: Missing symbol name in directive
chall.s:198: Error: unrecognized symbol type "32"
chall.s:199: Error: unknown pseudo-op: `.endef'
chall.s:331: Error: unknown pseudo-op: `.def'
chall.s:332: Error: unknown pseudo-op: `.scl'
chall.s:333: Error: Missing symbol name in directive
chall.s:333: Error: unrecognized symbol type "32"
chall.s:334: Error: unknown pseudo-op: `.endef'
chall.s:350: Error: register save offset not a multiple of 8
chall.s:352: Error: register save offset not a multiple of 8
chall.s:483: Fatal error: bad .section directive: want a,w,x,M,S,G,T in string
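这里的话问题很大。从报错看,`.def`/`.scl`/`.endef` 和 `.section .rdata,"dr"` 都是 COFF(Windows 目标)的伪指令,而这里的 gcc/as 是按 ELF 格式、并且按 64 位来汇编的(所以 32 位代码里的 `.cfi_offset ..., -12` 才会报 "register save offset not a multiple of 8"),也就是说 llc 生成的汇编和本机工具链的目标不一致,需要换成目标匹配的工具链,或者用 `llc -mtriple=...` 指定目标后重新生成。说实话,我有点想手撸如下汇编: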
# Object-file preamble as emitted by llc for chall.bc: 32-bit x86 code in AT&T
# syntax, using COFF symbol-definition directives (.def/.scl/.type/.endef).
# An ELF-targeted assembler does not know these directives.
.text
# @feat.00 is defined as an absolute symbol with value 1 (storage class 3, type 0).
# NOTE(review): on COFF this is the feature-flags symbol and bit 0 is normally
# read by the linker as "safe-SEH compatible" -- confirm for the toolchain in use.
.def @feat.00;
.scl 3;
.type 0;
.endef
.globl @feat.00
.set @feat.00, 1
.file "chall.bc"
# ----------------------------------------------------------------------
# func_114514(table, key, key_len)      [32-bit x86, AT&T syntax, stack args]
#   8(%ebp)   table   : pointer to 256 32-bit entries, filled and permuted here
#   12(%ebp)  key     : pointer to the key bytes
#   16(%ebp)  key_len : divisor for i % key_len (0 would raise a divide error)
# The two loops below match the RC4 key-scheduling algorithm (KSA), with every
# table entry stored as a 32-bit word instead of a byte.
# Locals : 16(%esp)=table, 32(%esp)=key, 28(%esp)=j, 24(%esp) and 12(%esp)=i,
#          40(%esp)=swap temporary, 48(%esp)..=K[256] (32-bit expanded key).
# Returns: %eax = 44(%esp), a slot this function never writes, so the value is
#          indeterminate; main does not use it.
# ----------------------------------------------------------------------
.def _func_114514;
.scl 2;
.type 32;
.endef
.globl _func_114514 # -- Begin function func_114514
.p2align 4, 0x90
_func_114514: # @func_114514
.cfi_startproc
# %bb.0:
# Prologue: set up %ebp, save %edi/%esi, align %esp to 16, reserve 1072 bytes.
pushl %ebp
.cfi_def_cfa_offset 8
.cfi_offset %ebp, -8
movl %esp, %ebp
.cfi_def_cfa_register %ebp
pushl %edi
pushl %esi
andl $-16, %esp
subl $1072, %esp # imm = 0x430
.cfi_offset %esi, -16
.cfi_offset %edi, -12
# Spill the arguments to locals (the load of 16(%ebp) is overwritten at once;
# key_len is re-read from 16(%ebp) inside the loop). j = 0.
movl 16(%ebp), %eax
movl 12(%ebp), %eax
movl 8(%ebp), %ecx
movl %ecx, 16(%esp)
movl %eax, 32(%esp)
movl $0, 28(%esp)
# memset(K, 0, 1024): clear the local expanded-key array at 48(%esp).
leal 48(%esp), %eax
movl %eax, (%esp)
movl $1024, 8(%esp) # imm = 0x400
movl $0, 4(%esp)
calll _memset
# First loop: for (i = 0; i < 256; i++) { table[i] = i; K[i] = key[i % key_len]; }
movl $0, 24(%esp)
LBB0_1: # =>This Inner Loop Header: Depth=1
cmpl $256, 24(%esp) # imm = 0x100
jge LBB0_4
# %bb.2: # in Loop: Header=BB0_1 Depth=1
# table[i] = i (32-bit store, scale 4).
movl 24(%esp), %eax
movl 16(%esp), %ecx
movl %eax, (%ecx,%eax,4)
# %edx = i % key_len via signed idivl; K[i] = zero-extended key[%edx].
movl 32(%esp), %esi
movl 24(%esp), %ecx
movl 16(%ebp), %edi
movl %ecx, %eax
cltd
idivl %edi
movzbl (%esi,%edx), %eax
movl %eax, 48(%esp,%ecx,4)
# %bb.3: # in Loop: Header=BB0_1 Depth=1
movl 24(%esp), %eax
addl $1, %eax
movl %eax, 24(%esp)
jmp LBB0_1
LBB0_4:
# Second loop: for (i = 0; i < 256; i++) { j = (j + table[i] + K[i]) & 0xff; swap(table[i], table[j]); }
movl $0, 12(%esp)
LBB0_5: # =>This Inner Loop Header: Depth=1
cmpl $256, 12(%esp) # imm = 0x100
jge LBB0_8
# %bb.6: # in Loop: Header=BB0_5 Depth=1
# j = (j + table[i] + K[i]) & 0xff -- the movzbl %al keeps only the low byte.
movl 28(%esp), %eax
movl 16(%esp), %ecx
movl 12(%esp), %edx
movl (%ecx,%edx,4), %ecx
addl %ecx, %eax
movl 48(%esp,%edx,4), %ecx
addl %ecx, %eax
movzbl %al, %eax
movl %eax, 28(%esp)
# tmp = table[i]
movl 16(%esp), %eax
movl 12(%esp), %ecx
movl (%eax,%ecx,4), %eax
movl %eax, 40(%esp)
# table[i] = table[j]
movl 16(%esp), %eax
movl 28(%esp), %ecx
movl (%eax,%ecx,4), %ecx
movl 12(%esp), %edx
movl %ecx, (%eax,%edx,4)
# table[j] = tmp
movl 40(%esp), %eax
movl 16(%esp), %ecx
movl 28(%esp), %edx
movl %eax, (%ecx,%edx,4)
# %bb.7: # in Loop: Header=BB0_5 Depth=1
movl 12(%esp), %eax
addl $1, %eax
movl %eax, 12(%esp)
jmp LBB0_5
LBB0_8:
# Epilogue: %eax is loaded from the never-written slot 44(%esp); restore the
# saved registers relative to %ebp and return.
movl 44(%esp), %eax
leal -8(%ebp), %esp
popl %esi
popl %edi
popl %ebp
retl
.cfi_endproc
# -- End function
# ----------------------------------------------------------------------
# func_1919810(table, data, len)        [32-bit x86, AT&T syntax, stack args]
#   8(%ebp)   table : pointer to the 256-entry 32-bit table (permuted further here)
#   12(%ebp)  data  : pointer to the byte buffer, XORed in place
#   16(%ebp)  len   : number of bytes to process (compared as signed)
# The loop body matches the RC4 keystream generation step (PRGA): advance i,
# update j, swap table[i]/table[j], XOR data[k] with table[(table[i]+table[j]) & 0xff].
# Locals : 8(%esp)=table, 32(%esp)=data, 16(%esp)=i, 20(%esp)=j, 28(%esp)=t,
#          24(%esp)=k, 7(%esp)=one-byte swap temporary.
# Returns: %eax = 40(%esp), a slot this function never writes, so the value is
#          indeterminate; main does not use it.
# ----------------------------------------------------------------------
.def _func_1919810;
.scl 2;
.type 32;
.endef
.globl _func_1919810 # -- Begin function func_1919810
.p2align 4, 0x90
_func_1919810: # @func_1919810
.cfi_startproc
# %bb.0:
# Prologue: set up %ebp, save %ebx, align %esp to 8, reserve 48 bytes.
pushl %ebp
.cfi_def_cfa_offset 8
.cfi_offset %ebp, -8
movl %esp, %ebp
.cfi_def_cfa_register %ebp
pushl %ebx
andl $-8, %esp
subl $48, %esp
.cfi_offset %ebx, -12
# Spill table and data to locals; i = j = t = k = 0.
movl 16(%ebp), %eax
movl 12(%ebp), %eax
movl 8(%ebp), %ecx
movl %ecx, 8(%esp)
movl %eax, 32(%esp)
movl $0, 16(%esp)
movl $0, 20(%esp)
movl $0, 28(%esp)
movl $0, 24(%esp)
LBB1_1: # =>This Inner Loop Header: Depth=1
# while (k < len)
movl 24(%esp), %eax
cmpl 16(%ebp), %eax
jge LBB1_4
# %bb.2: # in Loop: Header=BB1_1 Depth=1
# i = (i + 1) % 256, computed without a divide: the sar/shr pair builds a
# 0-or-255 bias from the sign of i + 1, the and/neg pair subtracts the
# multiple of 256, giving C-style signed remainder.
movl 16(%esp), %eax
movl %eax, %ecx
addl $1, %ecx
sarl $31, %ecx
shrl $24, %ecx
leal 1(%eax,%ecx), %ecx
andl $-256, %ecx
negl %ecx
leal 1(%eax,%ecx), %eax
movl %eax, 16(%esp)
# j = (j + table[i]) & 0xff
movl 20(%esp), %eax
movl 8(%esp), %ecx
movl 16(%esp), %edx
movl (%ecx,%edx,4), %ecx
addl %ecx, %eax
movzbl %al, %eax
movl %eax, 20(%esp)
# tmp = low byte of table[i] (only one byte of the 32-bit entry is kept).
movl 8(%esp), %eax
movl 16(%esp), %ecx
movb (%eax,%ecx,4), %al
movb %al, 7(%esp)
# table[i] = table[j]
movl 8(%esp), %eax
movl 20(%esp), %ecx
movl (%eax,%ecx,4), %ecx
movl 16(%esp), %edx
movl %ecx, (%eax,%edx,4)
# table[j] = zero-extended tmp
movzbl 7(%esp), %eax
movl 8(%esp), %ecx
movl 20(%esp), %edx
movl %eax, (%ecx,%edx,4)
# t = (table[i] + table[j]) & 0xff
movl 8(%esp), %eax
movl 16(%esp), %ecx
movl (%eax,%ecx,4), %ecx
movl 20(%esp), %edx
movl (%eax,%edx,4), %eax
addl %eax, %ecx
movzbl %cl, %eax
movl %eax, 28(%esp)
# data[k] ^= low byte of table[t]; the result is written back in place.
movl 8(%esp), %eax
movl 28(%esp), %ecx
movl (%eax,%ecx,4), %eax
movl 32(%esp), %ecx
movl 24(%esp), %edx
movzbl (%ecx,%edx), %ebx
xorl %eax, %ebx
movb %bl, (%ecx,%edx)
# %bb.3: # in Loop: Header=BB1_1 Depth=1
movl 24(%esp), %eax
addl $1, %eax
movl %eax, 24(%esp)
jmp LBB1_1
LBB1_4:
# Epilogue: %eax is loaded from the never-written slot 40(%esp); restore %ebx
# and %ebp and return.
movl 40(%esp), %eax
leal -4(%ebp), %esp
popl %ebx
popl %ebp
retl
.cfi_endproc
# -- End function
# ----------------------------------------------------------------------
# HSencode(in, in_len, out)             [32-bit x86, AT&T syntax, stack args]
#   8(%ebp)   in     : pointer to the input bytes
#   12(%ebp)  in_len : input length (signed int)
#   16(%ebp)  out    : pointer to the output buffer
# Base64-style packing of 3 input bytes into 4 output bytes, except that each
# 6-bit value v is emitted as the byte v + 61 instead of going through an
# alphabet table. 61 ('=') is also the padding byte, so a 6-bit value of 0 and
# padding produce the same output byte.
# Caveats visible in the code:
#   - every iteration reads in[i+1] and in[i+2] even when in_len is not a
#     multiple of 3, so the input buffer must be readable past in_len;
#   - out is written without any size parameter and no terminating NUL is
#     stored; the caller has to size and pre-zero the buffer.
# Locals : 16(%esp)=in, 8(%esp)=out, (%esp)=o (output index), 4(%esp)=i
#          (input index), 24(%esp)=out_len.
# Returns: %eax = 28(%esp), a slot this function never writes, so the value is
#          indeterminate; main does not use it.
# ----------------------------------------------------------------------
.def _HSencode;
.scl 2;
.type 32;
.endef
.globl _HSencode # -- Begin function HSencode
.p2align 4, 0x90
_HSencode: # @HSencode
.cfi_startproc
# %bb.0:
# Prologue: set up %ebp, align %esp to 8, reserve 32 bytes.
pushl %ebp
.cfi_def_cfa_offset 8
.cfi_offset %ebp, -8
movl %esp, %ebp
.cfi_def_cfa_register %ebp
andl $-8, %esp
subl $32, %esp
# Spill in and out to locals; o = i = 0.
movl 16(%ebp), %eax
movl 12(%ebp), %ecx
movl 8(%ebp), %ecx
movl %ecx, 16(%esp)
movl %eax, 8(%esp)
movl $0, (%esp)
movl $0, 4(%esp)
# if (in_len % 3 == 0) out_len = (in_len / 3) * 4; else out_len = (in_len / 3 + 1) * 4;
movl 12(%ebp), %eax
cltd
movl $3, %ecx
idivl %ecx
cmpl $0, %edx
jne LBB2_2
# %bb.1:
movl 12(%ebp), %eax
cltd
movl $3, %ecx
idivl %ecx
shll $2, %eax
movl %eax, 24(%esp)
jmp LBB2_3
LBB2_2:
movl 12(%ebp), %eax
cltd
movl $3, %ecx
idivl %ecx
addl $1, %eax
shll $2, %eax
movl %eax, 24(%esp)
LBB2_3:
movl $0, (%esp)
movl $0, 4(%esp)
LBB2_4: # =>This Inner Loop Header: Depth=1
# while (o < out_len - 2), signed compare
movl (%esp), %eax
movl 24(%esp), %ecx
subl $2, %ecx
cmpl %ecx, %eax
jge LBB2_7
# %bb.5: # in Loop: Header=BB2_4 Depth=1
# out[o] = (in[i] >> 2) + 61
movl 16(%esp), %eax
movl 4(%esp), %ecx
movzbl (%eax,%ecx), %eax
shrl $2, %eax
addb $61, %al
movl 8(%esp), %ecx
movl (%esp), %edx
movb %al, (%ecx,%edx)
# out[o+1] = (((in[i] & 3) << 4) | (in[i+1] >> 4)) + 61
movl 16(%esp), %ecx
movl 4(%esp), %edx
movzbl (%ecx,%edx), %eax
andl $3, %eax
shll $4, %eax
movzbl 1(%ecx,%edx), %ecx
shrl $4, %ecx
orl %ecx, %eax
addb $61, %al
movl 8(%esp), %ecx
movl (%esp), %edx
movb %al, 1(%edx,%ecx)
# out[o+2] = (((in[i+1] & 15) * 4) + (in[i+2] >> 6)) + 61
movl 16(%esp), %eax
movl 4(%esp), %ecx
movzbl 1(%ecx,%eax), %edx
andl $15, %edx
movzbl 2(%ecx,%eax), %eax
shrl $6, %eax
leal (%eax,%edx,4), %eax
addb $61, %al
movl 8(%esp), %ecx
movl (%esp), %edx
movb %al, 2(%edx,%ecx)
# out[o+3] = (in[i+2] & 63) + 61
movl 16(%esp), %eax
movl 4(%esp), %ecx
movb 2(%ecx,%eax), %al
andb $63, %al
addb $61, %al
movl 8(%esp), %ecx
movl (%esp), %edx
movb %al, 3(%edx,%ecx)
# %bb.6: # in Loop: Header=BB2_4 Depth=1
# i += 3; o += 4
movl 4(%esp), %eax
addl $3, %eax
movl %eax, 4(%esp)
movl (%esp), %eax
addl $4, %eax
movl %eax, (%esp)
jmp LBB2_4
LBB2_7:
# r = in_len % 3, computed with the multiply-by-0x55555556 reciprocal sequence
# (high half of the product, sign correction, then in_len - 3 * quotient).
movl 12(%ebp), %ecx
movl $1431655766, %edx # imm = 0x55555556
movl %ecx, %eax
imull %edx
movl %edx, %eax
shrl $31, %eax
addl %eax, %edx
leal (%edx,%edx,2), %eax
subl %eax, %ecx
# Dispatch on r: 1 -> LBB2_9, 2 -> LBB2_10, anything else -> LBB2_11.
movl %ecx, %eax
subl $1, %eax
je LBB2_9
jmp LBB2_8
LBB2_8:
subl $2, %ecx
je LBB2_10
jmp LBB2_11
LBB2_9:
# r == 1: out[o-2] = 61 ('='), then fall through to also set out[o-1].
movl 8(%esp), %eax
movl (%esp), %ecx
movb $61, -2(%ecx,%eax)
LBB2_10:
# r == 2 (or fall-through from r == 1): out[o-1] = 61 ('=').
movl 8(%esp), %eax
movl (%esp), %ecx
movb $61, -1(%ecx,%eax)
LBB2_11:
# Epilogue: %eax is loaded from the never-written slot 28(%esp).
movl 28(%esp), %eax
movl %ebp, %esp
popl %ebp
retl
.cfi_endproc
# -- End function
# ----------------------------------------------------------------------
# main()                                 [32-bit x86, AT&T syntax]
# Flow: read a string with scanf("%99s"), require its length to be 40,
# build the table with func_114514(table, key, strlen(key)), XOR the input in
# place with func_1919810(table, input, strlen(input)), encode it with
# HSencode(input, strlen(input), out), then compare out byte by byte against
# _bytes_114514 and print the success or failure message.
# Locals : 32(%esp)   input buffer, 100 bytes zeroed (6 x 16 bytes + 4)
#          144(%esp)  encoded output buffer, 512 bytes zeroed
#          656(%esp)  256-byte copy of L_main.key
#          912(%esp)  1024-byte table (256 x 32-bit)
#          24/20/16(%esp) strlen results, 12(%esp) compare index, 28(%esp)=0 (return value)
# Outgoing call arguments are stored at (%esp), 4(%esp), 8(%esp).
# NOTE(review): both length checks read %edx together with %eax after strlen,
# i.e. they treat the result as a 64-bit %edx:%eax pair -- confirm that the
# strlen actually linked returns its value that way.
# NOTE(review): strlen(input) is taken again after the in-place XOR, so a zero
# byte produced by the XOR would shorten the length passed to HSencode.
# ----------------------------------------------------------------------
.def _main;
.scl 2;
.type 32;
.endef
.globl _main # -- Begin function main
.p2align 4, 0x90
_main: # @main
.cfi_startproc
# %bb.0:
# Prologue: set up %ebp, save %ebx/%edi/%esi, align %esp to 16, reserve 1952 bytes.
pushl %ebp
.cfi_def_cfa_offset 8
.cfi_offset %ebp, -8
movl %esp, %ebp
.cfi_def_cfa_register %ebp
pushl %ebx
pushl %edi
pushl %esi
andl $-16, %esp
subl $1952, %esp # imm = 0x7A0
.cfi_offset %esi, -20
.cfi_offset %edi, -16
.cfi_offset %ebx, -12
calll ___main
movl $0, 28(%esp)
# memset(table, 0, 1024)
leal 912(%esp), %eax
movl %eax, (%esp)
movl $1024, 8(%esp) # imm = 0x400
movl $0, 4(%esp)
calll _memset
# memcpy(key, L_main.key, 256)
leal 656(%esp), %eax
movl %eax, (%esp)
movl $256, 8(%esp) # imm = 0x100
movl $L_main.key, 4(%esp)
calll _memcpy
# Zero the 100-byte input buffer at 32(%esp): 96 bytes via SSE stores plus one dword.
xorps %xmm0, %xmm0
movaps %xmm0, 112(%esp)
movaps %xmm0, 96(%esp)
movaps %xmm0, 80(%esp)
movaps %xmm0, 64(%esp)
movaps %xmm0, 48(%esp)
movaps %xmm0, 32(%esp)
movl $0, 128(%esp)
# memset(out, 0, 512) -- this pre-zeroing is what terminates the encoded
# string, since HSencode stores no NUL itself.
leal 144(%esp), %eax
movl %eax, (%esp)
movl $512, 8(%esp) # imm = 0x200
movl $0, 4(%esp)
calll _memset
# Banner and prompt.
movl $L_.str, (%esp)
calll _puts
movl $L_.str.1, (%esp)
calll _puts
movl $L_.str.2, (%esp)
calll _puts
# scanf("%99s", input): the width keeps the read within the 100-byte buffer.
leal 32(%esp), %esi
movl %esi, 4(%esp)
movl $L_.str.3, (%esp)
calll ___isoc99_scanf
# if (strlen(input) != 40) -> "Wrong length!"; %edx is OR-ed in as the high half.
movl %esi, (%esp)
calll _strlen
xorl $40, %eax
orl %edx, %eax
je LBB3_2
jmp LBB3_1
LBB3_1:
# puts("Wrong length!"); exit(0)
leal L_.str.4, %eax
movl %eax, (%esp)
calll _puts
xorl %eax, %eax
movl $0, (%esp)
calll _exit
LBB3_2:
# func_114514(table, key, strlen(key))
leal 32(%esp), %edi
leal 656(%esp), %ebx
movl %ebx, (%esp)
calll _strlen
movl %eax, 24(%esp)
movl 24(%esp), %eax
movl %eax, 8(%esp)
movl %ebx, 4(%esp)
leal 912(%esp), %ebx
movl %ebx, (%esp)
calll _func_114514
# func_1919810(table, input, strlen(input)) -- input is XORed in place.
leal 32(%esp), %esi
movl %esi, (%esp)
calll _strlen
movl %eax, 20(%esp)
movl 20(%esp), %eax
movl %eax, 8(%esp)
movl %esi, 4(%esp)
movl %ebx, (%esp)
calll _func_1919810
# HSencode(input, strlen(input), out) -- length re-measured on the XORed bytes.
movl %esi, (%esp)
calll _strlen
movl %eax, 16(%esp)
movl 16(%esp), %eax
movl %edi, (%esp)
movl %eax, 4(%esp)
leal 144(%esp), %eax
movl %eax, 8(%esp)
calll _HSencode
# Compare loop: for (i = 0; i < strlen(out); i++) out[i] must equal _bytes_114514[i].
movl 12(%esp), %esi
# Expected encoded output that main compares against, byte by byte.
# The string below holds 56 characters before its NUL padding, which equals
# the HSencode output length for a 40-byte input ((40 / 3 + 1) * 4), and it
# ends in "==" (two bytes of value 61).
.data
.globl _bytes_114514 # @bytes_114514
.p2align 4
_bytes_114514:
.asciz "@BdxRTbRBbjIVf`PEyqe^\\^\\|cc|JRubaGLytHeRI@jgNegHU[Myy]==\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
# Read-only data (COFF .rdata; the "dr" flag string is what the ELF assembler
# rejects with "bad .section directive").
# L_main.key is the 256-byte initializer main copies into its key buffer; the
# bytes before the first NUL are \021 'E' \024 followed by "avalon,yyds"
# (14 bytes), which is the length main's strlen(key) sees.
.section .rdata,"dr"
.p2align 4 # @main.key
L_main.key:
.asciz "\021E\024avalon,yyds\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
# String constants used by main.
# Banner lines and prompt, printed with puts.
L_.str: # @.str
.asciz "<--- moectf2021 --->"
L_.str.1: # @.str.1
.asciz " [baby_bc] Welcome to moectf2021."
L_.str.2: # @.str.2
.asciz "input your flag: "
# scanf format: reads at most 99 non-whitespace characters plus the NUL.
L_.str.3: # @.str.3
.asciz "%99s"
# Printed with puts when strlen(input) != 40.
L_.str.4: # @.str.4
.asciz "Wrong length!"
# Printed with printf on the first mismatching byte of the encoded output.
L_.str.5: # @.str.5
.asciz "rua! you are wrong!"
# Printed with printf when every compared byte matches.
L_.str.6: # @.str.6
.asciz "Congratulations!!!"
在尝试将Python字节码反编译回源代码时遇到版本不匹配问题,使用uncompyle6遇到了AttributeError。之后,将汇编代码编译成可执行程序时,gcc报告了多个未知伪指令错误,导致编译失败。问题可能源于汇编代码的格式或目标架构不兼容。



