We were given a gzip-compressed file containing the ROT13-encoded Python source for the challenge. The source contained Python bytecode, which can be disassembled using the dis module.
if __name__ == "__main__":
    # Static analysis only: the code object is rebuilt and disassembled here,
    # it is never called. marshal is not hardened against malformed or
    # malicious input and its format is specific to the interpreter version,
    # so run this in a throwaway environment with the same Python 2 release
    # that produced the bytecode.
    encoded = bytecode
    codeobj = marshal.loads(encoded.decode('base64'))

    # Wrap the code object in a function object (no argument defaults, no
    # closure) so that dis can walk it.
    f = new.function(codeobj, globals(), "f", None, None)

    # Print the opcode listing to stdout.
    dis.dis(f)
  2           0 LOAD_CONST               0 (-1)
              3 LOAD_CONST               1 (('sha1',))
              6 IMPORT_NAME              0 (hashlib)
              9 IMPORT_FROM              1 (sha1)
             12 STORE_NAME               1 (sha1)
             15 POP_TOP

  3          16 LOAD_CONST               0 (-1)
             19 LOAD_CONST               2 (('getenv',))
             22 IMPORT_NAME              2 (os)
             25 IMPORT_FROM              3 (getenv)
             28 STORE_NAME               3 (getenv)
             31 POP_TOP

  4          32 LOAD_NAME                3 (getenv)
             35 LOAD_CONST               3 ('NO_CON_NAME')
             38 LOAD_CONST               4 ('')
             41 CALL_FUNCTION            2
             44 LOAD_CONST               5 ('Y')
             47 COMPARE_OP               2 (==)
             50 POP_JUMP_IF_FALSE      147

  6          53 LOAD_CONST               6 (' 57 68 61 74 20 69 73 20 74 68 65 20 61 69 72 2d ')
             56 STORE_GLOBAL             4 (flag)

  7          59 LOAD_GLOBAL              4 (flag)
             62 LOAD_CONST               7 (' 73 70 65 65 64 20 76 65 6c 6f 63 69 74 79 20 6f ')
             65 INPLACE_ADD
             66 STORE_GLOBAL             4 (flag)

  8          69 LOAD_GLOBAL              4 (flag)
             72 LOAD_CONST               8 (' 66 20 61 6e 20 75 6e 6c 61 64 65 6e 20 73 77 61 ')
             75 INPLACE_ADD
             76 STORE_GLOBAL             4 (flag)

  9          79 LOAD_GLOBAL              4 (flag)
             82 LOAD_CONST               9 (' 6c 6c 6f 77 3f ')
             85 INPLACE_ADD
             86 STORE_GLOBAL             4 (flag)

 10          89 LOAD_GLOBAL              4 (flag)
             92 LOAD_ATTR                5 (replace)
             95 LOAD_CONST              10 (' ')
             98 LOAD_CONST               4 ('')
            101 CALL_FUNCTION            2
            104 STORE_GLOBAL             4 (flag)

 11         107 LOAD_GLOBAL              4 (flag)
            110 LOAD_ATTR                6 (decode)
            113 LOAD_CONST              11 ('hex')
            116 CALL_FUNCTION            1
            119 STORE_GLOBAL             4 (flag)

 12         122 LOAD_CONST              12 ('NCN')
            125 LOAD_NAME                1 (sha1)
            128 LOAD_GLOBAL              4 (flag)
            131 CALL_FUNCTION            1
            134 LOAD_ATTR                7 (hexdigest)
            137 CALL_FUNCTION            0
            140 BINARY_ADD
            141 STORE_GLOBAL             4 (flag)
            144 JUMP_FORWARD             0 (to 147)
        >>  147 LOAD_CONST              13 (None)
            150 RETURN_VALUE

This translates to the code below:
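#!/usr/bin/env python
# Python 2 reconstruction of the disassembled challenge bytecode.
from hashlib import sha1
from os import getenv

# The flag is only built when NO_CON_NAME=Y is set in the environment.
# Either export it before running, or uncomment the two lines below.
#from os import environ
#environ['NO_CON_NAME'] = 'Y'

# The bytecode passes '' as getenv's default (two constants are loaded before
# CALL_FUNCTION 2), so the reconstruction passes it as well.
if getenv('NO_CON_NAME', '') == 'Y':
    # Space-separated hex bytes; once decoded they read
    # "What is the air-speed velocity of an unladen swallow?"
    flag = ' 57 68 61 74 20 69 73 20 74 68 65 20 61 69 72 2d '
    flag += ' 73 70 65 65 64 20 76 65 6c 6f 63 69 74 79 20 6f '
    flag += ' 66 20 61 6e 20 75 6e 6c 61 64 65 6e 20 73 77 61 '
    flag += ' 6c 6c 6f 77 3f '
    # Strip the separators, then hex-decode (str.decode('hex') is Python 2 only).
    flag = flag.replace(' ', '').decode('hex')
    flag = 'NCN' + sha1(flag).hexdigest()
    # Not part of the bytecode, which ends after the last STORE_GLOBAL; added
    # to display the result. Kept inside the guard so that an unset variable
    # does not raise NameError.
    print(flag)

# Flag for the challenge is NCN6ceeeff26e72a40b71e6029a7149ad0626fcf310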