有一个程序加密得如下

发表于 | 分类于

题目只给了一串类似乱码的字符串
0be6770IigHXZpz9hQYR1fpl15R0z9MUalmYEPhJeEN/sRklL6wQw5yQ7SAyT6tKGJNY0AxnyzS/L7zWQII=
程序是.pyc
利用工具将pyc转成py
工具名EasyPythonDecompiler
图1
得到如下代码

# Embedded file name: ./rev200.py
import sys
from hashlib import md5
import base64
from time import time
from datetime import datetime
UC_KEY = '123456789'

def authcode(string, operation = 'DECODE', key = UC_KEY, expiry = 0):
    ckey_length = 4
    if key == '':
        key = md5(UC_KEY.encode('utf-8')).hexdigest()
    else:
        key = md5(key.encode('utf-8')).hexdigest()
    keya = md5(key[0:16].encode('utf-8')).hexdigest()
    keyb = md5(key[16:32].encode('utf-8')).hexdigest()
    if ckey_length == 0:
        keyc = ''
    elif operation == 'DECODE':
        keyc = string[0:ckey_length]
    elif operation == 'ENCODE':
        keyc = md5(str(datetime.now().microsecond).encode('utf-8')).hexdigest()[-ckey_length:]
    else:
        return
    cryptkey = keya + md5((keya + keyc).encode('utf-8')).hexdigest()
    key_length = len(cryptkey)
    if operation == 'DECODE':
        string = base64.b64decode(string[ckey_length:])
    elif operation == 'ENCODE':
        if expiry == 0:
            string = '0000000000' + md5((string + keyb).encode('utf-8')).hexdigest()[0:16] + string
        else:
            string = '%10d' % (expiry + int(time())) + md5((string + keyb).encode('utf-8')).hexdigest()[0:16] + string
    else:
        return
    string_length = len(string)
    result = ''
    box = range(256)
    rndkey = [0] * 256
    for i in range(256):
        rndkey[i] = ord(cryptkey[i % key_length])

    j = 0
    for i in range(256):
        j = (j + box[i] + rndkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp

    a = j = 0
    for i in range(string_length):
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ box[(box[a] + box[j]) % 256])

    if operation == 'DECODE':
        if not result[0:10].isdigit() or int(result[0:10]) == 0 or int(result[0:10]) - int(time()) > 0:
            if result[10:26] == md5(result[26:].encode('utf-8') + keyb).hexdigest()[0:16]:
                return result[26:]
            else:
                return ''
        else:
            return ''
    else:
        return keyc + base64.b64encode(result)


if __name__ == '__main__':
    if len(sys.argv) < 3:
        exit(1)
    ex = 20
    for i in range(1, len(sys.argv), 2):
        a = sys.argv[i]
        b = sys.argv[i + 1]
        if a == '-t':
            ex = int(b)
        elif a == '-e':
            encoded = authcode(b, 'ENCODE', expiry=ex)
            print encoded
        elif a == '-d':
            decoded = authcode(b, 'DECODE', expiry=ex)
            print decoded

分析源码,执行的时候加入-d参数,值为题目给的乱码,但是返回的却是空
注意该段 

if operation == 'DECODE':
        if not result[0:10].isdigit() or int(result[0:10]) == 0 or int(result[0:10]) - int(time()) > 0:
            if result[10:26] == md5(result[26:].encode('utf-8') + keyb).hexdigest()[0:16]:
                return result[26:]
            else:
                return ''
        else:
            return ''
    else:
        return keyc + base64.b64encode(result)

我们直接修改源码,跳过判断,在if之前直接print string,执行可得到 

1429861566556d9f4f29671810DUTCTF{2u0_chu_14i_d3_5hi_h3n74i}

得到flag值DUTCTF{2u0_chu_14i_d3_5hi_h3n74i}