initial commit

.gitignore

@@ -0,0 +1,8 @@
+/*.zip
+*.pdf
+
+# CPython 3.10 的 include 文件夹
+源码/source/obfuscator/include/
+
+# libtomcrypt 的 src 文件夹
+源码/source/obfuscator/libtomcrypt/

README.md

@@ -0,0 +1,196 @@
+# 永信至诚春秋Game CTF赛题设计说明
+
+### [题目信息]：
+
+| 出题人    | 出题时间     | 题目名字    | 题目类型    | 难度等级 | 题目分值 |
+|:------ |:-------- |:------- |:------- |:---- |:---- |
+| LilRan | 20241226 | Pyhumor | Reverse | 6    | 500  |
+
+### [题目描述]：
+
+```
+对一款常见加密混淆器的简化和模仿。真是很幽默啊。
+```
+
+### [题目考点]：
+
+```
+考察 SMC、动态调试获取数据的知识点。本题用自己实现的一个简化版 Pyarmor 来体现其基本原理，选手可以了解到 CPython pyd 扩展模块和 CPython PyCodeObject 结构。
+```
+
+### [是否原创]：
+
+```
+是
+```
+
+### [Flag]:
+
+`flag{9bc74ce3-a56d-467f-eb52-d5f3d8923c6f}`
+
+### [题目环境]：
+
+```
+只分发附件
+```
+
+### [特别注意]：
+
+```
+（此项不需要向选手说明）出题和做题所有用到 Python 的步骤，版本都需要是 Python 3.10，高一点或低一点都不行。这是 CPython ABI 的要求
+```
+
+### [题目制作过程]：
+
+1. 使用 C 语言编写混淆器运行时，源码位于 `obfuscator/pyhumor_runtime.c`，此文件与 Flag 内容无关
+2. 编译此运行时：以 `obfuscator/` 为工作目录，使用 Python 3.10 运行 `python setup.py build`（可能会遇到编译器找不到 Windows Kits 路径的问题，需要结合实际环境解决）
+3. 使用 Python 编写 Flag 检查程序，源码位于 `task-src/plain.py`，其中包含 Flag 校验逻辑（如果修改此文件，与 Flag 无关的部分需保持代码不变）
+4. 生成混淆脚本，即题目附件：以 `task-src/` 为工作目录，使用 Python 3.10 运行 `python get-obfuscated.py`，在此目录下生成的 `pyhumor_runtime.cp310-win_amd64.pyd` 和 `pyhumor.py` 即题目附件
+5. （可选）使用 `.pyc` 而不是 `.py` 作为题目附件：以 `task-src/` 为工作目录，使用 Python 3.10 运行 `python get-task-pyc.py`
+
+### [题目writeup]：
+
+题目给了 pyc 和 pyd，这两种文件都是与 Python 版本相关的，本题是 3.10。起手用 pycdc 反编译 pyc 得到：
+
+```python
+# Source Generated with Decompyle++
+# File: pyhumor.pyc (Python 3.10)
+
+from pyhumor_runtime import __pyhumor__
+__pyhumor__(__name__, __file__, b'PYHUMOR\x00\x00\x03\n...')  # 省略
+```
+
+看这段代码与常见加密混淆工具 Pyarmor 很相似，都是通过 CPython 扩展模块，从一段字节串中解密原程序运行。
+
+用 IDA 反编译 pyhumor_runtime.cp310-win_amd64.pyd，从字符串 `pyhumor_runtime` 或 `__pyhumor__` 的交叉引用，定位到 sub_180002A40 为主要逻辑。
+
+要实现将字节串转换为符合 CPython 解释器 ABI 的结构并与之交互，无非这两种可能：
+
+- 在 C 层面遍历数据并构造 PyObject，相当于另外实现一套 CPython
+- 先将字节串解密为 PyCodeObject 或源码字符串，然后由 Python 反射运行
+
+从实现的难度来看显然后者可能性更大，从 sub_180002A40 后几行的 `PyImport_ExecCodeModuleObject` 也能知道。
+
+sub_180002A40 依次进行了以下操作：
+
+- 解析函数传参，`PyArg_ParseTuple_SizeT` 的后四个参数从左到右依次是 `(PyObject* __name__, PyObject* __file__, char* input_code, Py_ssize_t input_code_len)`
+- 检查字节串指明的 Python 版本号、长度
+- malloc 一段内存来存放解密后的字节串
+- 通过很长的算法来解密（其实是 libtomcrypt 的 AES_ECB）
+- 将字节串 unmarshal 成 PyObject
+- 往 globals 里注册 `__humor_enter__` 函数为 sub_180002950
+- Eval 上面的 PyObject
+- 从 globals 里删除 `__humor_enter__`
+
+注意到字节串会被 unmarshal 成可执行的 PyObject，而实际上 pyc 文件格式就是 marshal 然后前面加个 Magic Number 得到的。所以可以在 `PyMarshal_ReadObjectFromString` 处打断点，调试获得解密后的字节串。（此函数两个参数分别为字节数组和长度）
+
+*感兴趣的可在 Python 安装目录下 include 文件夹中找到 PyCodeObject 结构体的定义，并将其导入到 IDA，观察内存中的实例*
+
+为了调试 pyd，我们可以把调用者改成下面这样，然后趁着 sleep 的时候将调试器附加到进程：
+
+```python
+import os
+import time
+from pyhumor_runtime import __pyhumor__
+
+print(os.getpid())
+time.sleep(20)
+__pyhumor__(__name__, __file__, b'PYHUMOR\x00\x00\x03\n...')  # 省略
+```
+
+拿到解密后 unmarshal 前的 PyCodeObject，我们既可以将它传递给 dis.dis，也可以补上与附件 pyc 相同的文件头，然后用 pycdas 反汇编。dis 得到：
+
+```python
+>>> import dis
+>>> import marshal
+>>> 
+>>> code = marshal.loads(bytes.fromhex('''E300000000000000000000000000000000070000004000000073140100006500830001007A7873A805686DEFF01C36058A753A614B72CEF927609136F0E0AEC31293A93659474E8E26093235E694EA9C2D0F783A23D92C7ED02D4A25C07E852FE2D6390BD6D21DAA0238AF09DCCF120AC1CDF261C3F55E9DFDCCB61517EF8F008F0BC9188365B085DBD5B055F4B3CA57EC415C89DFC55461B3AA68A26316B234B84F949A27B40E1216FFCBF29530971A3C919EBF9EF2105FDFDEEB0E28A596123FACF53C928C4CDDDE31617009569E8A99F6546D34BB24DA3A0EDA096A4015CBA7B44929184C9DCD2E798EDA2E5D750BE8F4DB3642819C7D84877E365CDCC6C50A355E4862B08F766429C8C50DA130E83FD40FF4948930716A435CF95BABCCD18587C1A0B3746404830101005900640553002916E9000000002901DA067368613235362901DA067265647563657A11456E74657220796F757220666C61673A20E9010000004EE9030000005A03626967690100803B696ED1590969F0FFFFFF5A306463663536343736343537383830626635623339623239353431366632363762376136333633323462616561653166646302000000000000000000000002000000020000004300000073080000007C007C014100530029014EA9002902DA0178DA017972060000007206000000FA083C66726F7A656E3EDA083C6C616D6264613E0E00000073020000000800720A000000E9020000005A0557726F6E67E955000000E907000000E9080000006C160000000028B3313666676CED18E619E018F833E01B30783362E330F85831303478CC60D8428959DD307311434B9B015A0552696768747A2E53746F70207265766572736520656E67696E656572696E67206D652C20656E6A6F7920796F757220646179203A2929145A0F5F5F68756D6F725F656E7465725F5F5A07686173686C69627202000000DA0966756E63746F6F6C737203000000DA05696E707574DA04666C6167DA03696E74DA0A66726F6D5F6279746573DA06656E636F6465DA09686578646967657374DA08656E647377697468DA036D6170DA036F72645A0767726F75705F31DA03616C6CDA057072696E74DA0465786974DA03616363DA01697206000000720600000072060000007209000000DA083C6D6F64756C653E010000007330000000060202020C010C01080220031C01160104FD080608010801040208010C010801160108020E0108020E01060208010E010B0B0B0B0B0B0B0B0B0B0B'''))
+>>> dis.dis(code)
+  3           0 LOAD_NAME                0 (__humor_enter__)
+              2 CALL_FUNCTION            0
+              4 POP_TOP
+
+  5           6 SETUP_FINALLY          120 (to 248)
+
+  6           8 POP_JUMP_IF_TRUE       168 (to 336)
+             10 DUP_TOP_TWO
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+  File "...\lib\dis.py", line 79, in dis
+    _disassemble_recursive(x, file=file, depth=depth)
+  File "...\lib\dis.py", line 376, in _disassemble_recursive
+    disassemble(co, file=file)
+  File "...\lib\dis.py", line 372, in disassemble
+    _disassemble_bytes(co.co_code, lasti, co.co_varnames, co.co_names,
+  File "...\lib\dis.py", line 404, in _disassemble_bytes
+    for instr in _get_instructions_bytes(code, varnames, names,
+  File "...\lib\dis.py", line 340, in _get_instructions_bytes
+    argval, argrepr = _get_name_info(arg, names)
+  File "...\lib\dis.py", line 304, in _get_name_info
+    argval = name_list[name_index]
+IndexError: tuple index out of range
+>>>
+```
+
+可以发现，最前面对 `__humor_enter__` 的调用已经反汇编出来了，且字节串中可以看到 `Stop reverse engineering me` 等常量（pycdas 可以列出全部常量），但是后面的字节码仍然是错乱的。然而程序又可以正常运行，所以需要继续分析 `__humor_enter__` 即 sub_180002950。
+
+sub_180002950 是一个 SMC 解密函数。通过 `PyEval_GetFrame()` 获得了当前 Python 函数调用栈帧（调用 C 函数不会增加一个栈帧），从中获得了正在运行的 PyCodeObject 指针，从中获得了指令字节码（co_code）的字节数组，并再次解密。这样的话，在 sub_180002950 返回后，下一条指令恰好已被解密，使得 CPython 能够运行下去。
+
+*注：Python 中的 bytes 是不可变的，但我们是在用 C 语言操纵内存；自 Python 3.11 起此方法失效，因为获得的可能是字节码的一个副本。*
+
+所以可以用同样的方法，在再次解密前记录下 co_code 内存地址和密文，在 `return Py_NoneStruct;` 前导出完全解密的 co_code 数组，并用它替换掉之前导出的字节串相应位置，补上 pyc 文件头然后用 pycdc 反编译：
+
+```python
+# Source Generated with Decompyle++
+# File: final.pyc (Python 3.10)
+
+__humor_enter__()
+
+try:
+    from hashlib import sha256
+    from functools import reduce
+    flag = input('Enter your flag: ')
+    group_1 = [
+        int.from_bytes(flag[1::3].encode(), 'big') % 998244353 == 156881262,
+        sha256(flag[-16:].encode()).hexdigest().endswith('dcf56476457880bf5b39b295416f267b7a636324baeae1fd'),
+        reduce((lambda x, y: x ^ y), map(ord, flag)) == 2]
+    if not all(group_1):
+        print('Wrong')
+        exit(1)
+    acc = 0
+    for i in flag:
+        i = ord(i) ^ 85
+        acc |= i
+        acc <<= 7 if i & 1 else 8
+    if acc == 0xCDCB4322E6C376CC4C2D8C199E0D1818D8F861C788CFC181BE067F06380CF318EDD8CF98D98D9A800L:
+        print('Right')
+finally:
+    return None
+    print('Wrong')
+    exit(1)
+    return None
+    print('Stop reverse engineering me, enjoy your day :)')
+    exit(1)
+    return None
+```
+
+可以看到主体部分已经还原了。group_1 的三个不可逆校验是为了防止通过构造具有魔术方法的类来追踪打印计算过程“一把梭”。
+
+由于前面分析过程较繁琐，算法上就不设置得太复杂了，只通过后面的或运算和左移运算就可以反推出 flag：
+
+```python
+target = 0xCDCB4322E6C376CC4C2D8C199E0D1818D8F861C788CFC181BE067F06380CF318EDD8CF98D98D9A800
+flag = []
+while target != 0:
+    target >>= (7 if target & 0x80 else 8)
+    if target != 0:
+        flag.append((target & 0x7F) ^ 85)
+flag = bytes(flag[::-1]).decode()
+print(flag)
+
+# flag{9bc74ce3-a56d-467f-eb52-d5f3d8923c6f}
+```
+
+### 注意事项
+
++ 无

工具/工具清单.md

@@ -0,0 +1,16 @@
+# 使用工具：
+
+## 常见工具：
+
+    1. IDA Pro
+    2. Python == 3.10 （注意必须是 3.10，高一点或者低一点都不可以）
+    3. pycdc
+    4. 010 Editor
+
+## 较少见工具：
+
+    1. 无
+
+## 自创工具：
+
+    1. 无

源码/source/clean.ps1

@@ -0,0 +1,8 @@
+# ȷ<><C8B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ¼Ϊ<C2BC>ű<EFBFBD><C5B1><EFBFBD><EFBFBD><EFBFBD>Ŀ¼
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+Set-Location $scriptDir
+
+Remove-Item "obfuscator/build" -Recurse -Force
+Remove-Item "task-src/pyhumor.py" -Force
+Remove-Item "task-src/pyhumor.pyc" -Force
+Remove-Item "task-src/pyhumor_runtime.cp310-win_amd64.pyd" -Force

源码/source/gen-attachment.ps1

@@ -0,0 +1,63 @@
+# ȷ<><C8B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ¼Ϊ<C2BC>ű<EFBFBD><C5B1><EFBFBD><EFBFBD><EFBFBD>Ŀ¼
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+Set-Location $scriptDir
+
+# ȷ<><C8B7> Python <20>汾Ϊ 3.10
+$pythonVersion = & python --version 2>&1
+if ($pythonVersion -notlike "Python 3.10*") {
+    Write-Host "`n[!] Python <20>汾<EFBFBD><E6B1BE><EFBFBD><EFBFBD> 3.10<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ǰ<EFBFBD>汾Ϊ $pythonVersion" -ForegroundColor Red
+    exit 1
+}
+
+# <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ
+Set-Location "obfuscator"
+Write-Host "`n[+] <20><><EFBFBD>ڱ<EFBFBD><DAB1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ...`n" -ForegroundColor Cyan
+$env:INCLUDE="$env:INCLUDE;C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt;C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared"
+$env:LIB="$env:LIB;C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\x64;C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\x64"
+& python setup.py build
+if ($LASTEXITCODE -ne 0) {
+    Write-Host "`n[!] <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱʧ<CAB1>ܣ<EFBFBD>" -ForegroundColor Red
+    exit 1
+}
+
+# ȷ<><C8B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD> pycryptodome <20><>
+$pycryptodome = & pip list 2>&1 | Select-String "pycryptodome"
+if (-not $pycryptodome) {
+    Write-Host "`n[!] pycryptodome <20><>δ<EFBFBD><CEB4>װ<EFBFBD><D7B0><EFBFBD><EFBFBD><EFBFBD>ڰ<EFBFBD>װ..." -ForegroundColor Yellow
+    & pip install pycryptodome
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "`n[!] <20><>װ pycryptodome <20><>ʧ<EFBFBD>ܣ<EFBFBD>" -ForegroundColor Red
+        exit 1
+    }
+}
+
+# <20><><EFBFBD>ɻ<EFBFBD><C9BB><EFBFBD><EFBFBD>ű<EFBFBD>
+Set-Location "../task-src"
+Write-Host "`n[+] <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɻ<EFBFBD><C9BB><EFBFBD><EFBFBD>ű<EFBFBD>..." -ForegroundColor Cyan
+& python get-obfuscated.py
+if ($LASTEXITCODE -ne 0) {
+    Write-Host "`n[!] <20><><EFBFBD>ɻ<EFBFBD><C9BB><EFBFBD><EFBFBD>ű<EFBFBD>ʧ<EFBFBD>ܣ<EFBFBD>" -ForegroundColor Red
+    exit 1
+}
+
+# <20><><EFBFBD><EFBFBD> pyc <20><><EFBFBD><EFBFBD>
+& python get-task-pyc.py
+if ($LASTEXITCODE -ne 0) {
+    Write-Host "`n[!] <20><><EFBFBD><EFBFBD> pyc <20><><EFBFBD><EFBFBD>ʧ<EFBFBD>ܣ<EFBFBD>" -ForegroundColor Red
+    exit 1
+}
+
+# <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+Write-Host "`n[+] <20><><EFBFBD>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>..." -ForegroundColor Cyan
+$zipFile = "../attachment.zip"
+if (Test-Path $zipFile) {
+    Remove-Item $zipFile
+}
+Compress-Archive -Path pyhumor.pyc,pyhumor_runtime.cp310-win_amd64.pyd -DestinationPath $zipFile
+if ($LASTEXITCODE -ne 0) {
+    Write-Host "`n[!] <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD>ܣ<EFBFBD>" -ForegroundColor Red
+    exit 1
+}
+
+Write-Host "`n[+] <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɳɹ<C9B3><C9B9><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> clean.ps1 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD>ļ<EFBFBD><C4BC><EFBFBD>" -ForegroundColor Green
+Set-Location $scriptDir

源码/source/obfuscator/pyhumor_runtime.c

@@ -0,0 +1,133 @@
+#define PY_SSIZE_T_CLEAN
+#define Py_CPYTHON_FRAMEOBJECT_H
+#include "Python.h"
+#include "marshal.h"
+// #include "internal/pycore_frame.h"
+#include "cpython/frameobject.h"
+
+#define ARGTYPE 1
+#include "libtomcrypt/headers/tomcrypt.h"
+
+static const int MAJOR_VERSION = PY_MAJOR_VERSION;
+static const int MINOR_VERSION = PY_MINOR_VERSION;
+
+const unsigned char *aes_key = "WAIT_TO_BE_FILLED";
+
+// PyObject *CodeObject;
+
+PyObject* PyHumorRuntime_HumorEnter(PyObject* self, PyObject* args) {
+    PyFrameObject *frame = PyEval_GetFrame();
+    PyCodeObject *f_code = frame->f_code;
+    // PyCodeObject *f_code = PyFrame_GetCode(PyEval_GetFrame());
+    PyObject *codearray = f_code->co_code;
+
+    Py_ssize_t size;
+    unsigned char *data;
+    PyBytes_AsStringAndSize(codearray, &data, &size);
+    if (data == NULL) {
+        return NULL;
+    }
+    if (size < 8 || size > 8192) {
+        return NULL;
+    }
+    int use_size = (size - 8) - (size - 8) % 16;
+
+    symmetric_key skey;
+    int err;
+    if ((err = aes_setup(aes_key + 1, 16, 0, &skey)) != CRYPT_OK) {
+        return NULL;
+    }
+    for (int i = 0; i < use_size; i += 16) {
+        if ((err = aes_ecb_decrypt(data + i + 8, data + i + 8, &skey)) != CRYPT_OK) {
+            return NULL;
+        }
+    }
+    aes_done(&skey);
+
+    return Py_None;
+}
+
+PyObject* PyHumorRuntime_RunCode(PyObject* self, PyObject* args) {
+    PyObject* name;
+    PyObject* file;
+    char* bytecode;
+    Py_ssize_t bytecodeSize;
+    if (!PyArg_ParseTuple(args, "OOy#", &name, &file, &bytecode, &bytecodeSize)) {
+        return NULL;
+    }
+
+    // Parse the code meta
+    if (bytecodeSize < 16) {
+        return NULL;
+    }
+    if (bytecode[9] != MAJOR_VERSION || bytecode[10] != MINOR_VERSION) {
+        return NULL;
+    }
+    if (*(int*)(bytecode + 12) != bytecodeSize - 16) {
+        return NULL;
+    }
+
+    // Decrypt the bytecode
+    symmetric_key skey;
+    unsigned char *plaintext = malloc(bytecodeSize - 16);
+    int err;
+    if ((err = aes_setup(aes_key, 16, 0, &skey)) != CRYPT_OK) {
+        return NULL;
+    }
+    for (int i = 0; i * 16 < bytecodeSize - 16; i++) {
+        if ((err = aes_ecb_decrypt(bytecode + 16 + i * 16, plaintext + i * 16, &skey)) != CRYPT_OK) {
+            return NULL;
+        }
+    }
+    aes_done(&skey);
+
+    // Load the code object
+    PyObject *codeObject = PyMarshal_ReadObjectFromString(plaintext, bytecodeSize - 16);
+    free(plaintext);
+    if (codeObject == NULL) {
+        return NULL;
+    }
+
+    // Add __humor_enter__ function to the globals
+    PyMethodDef humorEnterMethodDef =
+        {"__humor_enter__", PyHumorRuntime_HumorEnter, METH_VARARGS, NULL};
+
+    PyObject* humorEnterFunc = PyCFunction_New(&humorEnterMethodDef, NULL);
+    if (humorEnterFunc == NULL) {
+        return NULL;
+    }
+
+    PyObject* globals = PyEval_GetGlobals();
+    if (globals == NULL || PyDict_SetItemString(globals, "__humor_enter__", humorEnterFunc) < 0) {
+        Py_DECREF(humorEnterFunc);
+        return NULL;
+    }
+
+    Py_DECREF(humorEnterFunc);  // Decrease reference count since it's now in the globals
+
+    // Run the code
+    PyObject* result = PyImport_ExecCodeModuleObject(name, codeObject, file, NULL);
+    Py_DECREF(codeObject);
+
+    // Remove __humor_enter__ function from the globals
+    PyDict_DelItemString(globals, "__humor_enter__");
+
+    return result;
+}
+
+static PyMethodDef PyHumorRuntime_Methods[] = {
+    {"__pyhumor__", PyHumorRuntime_RunCode, METH_VARARGS, NULL},
+    {NULL, NULL, 0, NULL}
+};
+
+static struct PyModuleDef PyHumorRuntime_Module = {
+    PyModuleDef_HEAD_INIT,
+    "pyhumor_runtime",
+    NULL,
+    -1,
+    PyHumorRuntime_Methods
+};
+
+PyMODINIT_FUNC PyInit_pyhumor_runtime(void) {
+    return PyModule_Create(&PyHumorRuntime_Module);
+}

源码/source/obfuscator/setup.py

@@ -0,0 +1,20 @@
+from distutils.core import setup, Extension
+
+module1 = Extension('pyhumor_runtime',
+                    sources=[
+                        'pyhumor_runtime.c',
+                        'libtomcrypt/ciphers/aes/aes.c',
+                        'libtomcrypt/ciphers/aes/aes_desc.c',
+                        'libtomcrypt/ciphers/aes/aes_tab.c',
+                        # 'libtomcrypt/misc/crypt/crypt_argchk.c',
+                        'libtomcrypt/misc/zeromem.c',
+                        'libtomcrypt/misc/compare_testvector.c',
+                        ],
+                    include_dirs=['libtomcrypt/headers'],
+                    define_macros=[('ARGTYPE', '1')],
+                    )
+
+setup (name = 'pyhumor_runtime',
+       version = '1.0',
+       description = '',
+       ext_modules = [module1])

源码/source/task-src/get-marshaled.py

@@ -0,0 +1,7 @@
+import marshal
+import dis
+
+code = compile(open('plain.py').read(), "<frozen>", "exec")
+dis.dis(code)
+print(code.co_code, len(code.co_code))
+marshal.dump(code, open("plain.marshal", "wb"))

源码/source/task-src/get-obfuscated.py

@@ -0,0 +1,30 @@
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+import marshal
+import os
+
+aes_key = os.urandom(17)
+with open('../obfuscator/build/lib.win-amd64-cpython-310/pyhumor_runtime.cp310-win_amd64.pyd', 'rb') as fin:
+    filled = fin.read().replace(b'WAIT_TO_BE_FILLED', aes_key)
+with open('pyhumor_runtime.cp310-win_amd64.pyd', 'wb') as fout:
+    fout.write(filled)
+
+code = compile(open('plain.py').read(), "<frozen>", "exec")
+raw = marshal.dumps(code)
+
+code_len = len(code.co_code)
+encrypt_len = (code_len - 8) - (code_len - 8) % 16
+cipher = AES.new(aes_key[1:], AES.MODE_ECB)
+encrypted = cipher.encrypt(raw[38:38+encrypt_len])
+assert len(encrypted) == encrypt_len
+raw = raw[:38] + encrypted + raw[38+encrypt_len:]
+raw = pad(raw, 16)
+
+cipher = AES.new(aes_key[:16], AES.MODE_ECB)
+encrypted = cipher.encrypt(raw)
+structured = b'PYHUMOR\x00\x00\x03\x0A\x00' + len(encrypted).to_bytes(4, 'little') + encrypted
+
+open("pyhumor.py", "w").write(f'''from pyhumor_runtime import __pyhumor__
+
+__pyhumor__(__name__, __file__, {repr(structured)})
+''')

源码/source/task-src/get-task-pyc.py

@@ -0,0 +1,3 @@
+import py_compile
+
+py_compile.compile('pyhumor.py', 'pyhumor.pyc')

源码/source/task-src/plain.py

@@ -0,0 +1,35 @@
+# flag{9bc74ce3-a56d-467f-eb52-d5f3d8923c6f}
+
+__humor_enter__()
+
+try:
+    from hashlib import sha256
+    from functools import reduce
+
+    flag = input('Enter your flag: ')
+
+    group_1 = [
+        int.from_bytes(flag[1::3].encode(), 'big') % 998244353 == 156881262,
+        sha256(flag[-16:].encode()).hexdigest().endswith('dcf56476457880bf5b39b295416f267b7a636324baeae1fd'),
+        reduce(lambda x, y: x ^ y, map(ord, flag)) == 2,
+    ]
+
+    if not all(group_1):
+        print('Wrong')
+        exit(1)
+
+    acc = 0
+    for i in flag:
+        i = ord(i) ^ 0x55
+        acc |= i
+        acc <<= (7 if i & 1 else 8)
+
+    if acc == 27473331342481820165679397757145329260017933200691317902624657196062576436414763023083043884214272:
+        print('Right')
+    else:
+        print('Wrong')
+        exit(1)
+
+except:
+    print('Stop reverse engineering me, enjoy your day :)')
+    exit(1)

解题/exp.py

@@ -0,0 +1,11 @@
+# 手动获取 target 的过程见 Writeup
+target = 0xCDCB4322E6C376CC4C2D8C199E0D1818D8F861C788CFC181BE067F06380CF318EDD8CF98D98D9A800
+flag = []
+while target != 0:
+    target >>= (7 if target & 0x80 else 8)
+    if target != 0:
+        flag.append((target & 0x7F) ^ 85)
+flag = bytes(flag[::-1]).decode()
+print(flag)
+
+# flag{9bc74ce3-a56d-467f-eb52-d5f3d8923c6f}