add example: pytecode

Xornet-Euphoria · Oct 6, 2024 · 9930e1f · 9930e1f
1 parent fb258ea
commit 9930e1f
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/examples/custom_unpickler/pytecode/analysis.py b/examples/custom_unpickler/pytecode/analysis.py
@@ -0,0 +1,59 @@
+import importlib._bootstrap_external
+from pickaxe import CustomUnpickler
+import types
+
+hex_code = "8c0574797065738c0c46756e6374696f6e547970659372390500008c0574797065738c08436f64655479706593723a05000028284b024b00324d3905324b0043e697007c007c006b03000000007d027c007c02190000000000000000007d037c037c037a0a00007d047c047c047a0800007d057c057c057a0300007d067c057c067a0300007d077c077c057a0300007d087c077c057a0a00007d097c087c097a0a00007d0a7c087c067a0a00007d0b7c087c057a0a00007d0c7c047c057c067c097c077c0a7c0b7c0c67087d0d7c0467017c087a0500007d0e7c0d44005d227d0f7c0f7c087a0500007d107c107c087a0000007d1102007c017c007c107c11850219000000000000000000a6010000ab0100000000000000007c0e7c0f3c0000008c237c0e53002932288c086275696c74696e738c0767657461747472938c013f8c075f5f6d756c5f5f86524d39058552696275696c74696e730a7475706c650a8c037468658c0463616b658c0269734d390543016143036c69656c72a31c0000696275696c74696e730a7475706c650a817d86818c085f5f6d61696e5f5f8c03696e70938c086275696c74696e738c0767657461747472938c086275696c74696e738c03696e74938c0a66726f6d5f62797465738652865272193400003067313333370a67313333380a2867373333310a284b004b034b06432697007c007c0178027802190000000000000000007c027a190000630363023c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b008a083713dec0adde371387523067313333370a67313333380a2867373333310a284b004b034b06433497007c007c02190000000000000000007c007c011900000000000000000063027c007c013c0000007c007c023c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b024b0787523067313333370a67313333380a2867373333310a284b004b034b06434697007c007c01190000000000000000007d037c037c027a0a00007d047c047c047a0a00007d057c047c056b000000000072037c040b006e017c047c007c013c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b048a0980808080808080800087523067313333370a67313333380a2867373333310a284b004b034b06438c97007c007c01190000000000000000007d037c037c037a0200007d047c047c027a0300007c047a0a00007d057c037c057a0100007d067c037c027a1600007d037c047c047a0000007d077c077c077a0500007c077a0000007d087c047c087a0300007d097c097c027a0a00007d0a7c037c067c0a7a0300007a1400007d037c037c007c013c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b014b0d87523067313333370a67313333380a2867373333310a284b004b044b06432e97007c007c01190000000000000000007c007c02190000000000000000007a0c00007c007c033c0000007c00530075696275696c74696e730a7475706c650a817d8681286731333333370a4b014b064b0174523067313333370a67313333380a2867373333310a284b004b034b06433497007c007c01190000000000000000007c007c01190000000000000000007c027a0900007a0c00007c007c013c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b054b0c87523067313333370a67313333380a2867373333310a284b004b034b06433497007c007c02190000000000000000007c007c011900000000000000000063027c007c013c0000007c007c023c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b034b0687523067313333370a67313333380a2867373333310a284b004b024b0643f097007c007c007a0600007d027c007c007a0200007d037c037c037a0000007d047c037c047a0000007d057c047c047a0800007d067c047c057a0000007d077c057c047a0500007d087c067c047a0500007c037a0a00007d097c037c087a0300007d0a7c0a7c047a0500007d0b7c037c0a7a0300007c037a0a00007d0c7c097c087a0500007d0d7c097c0b7c0a7a0000007c037a0a00007a0500007d0e7c027c037c047c057c067c077c087c0967087d0f7c0f44005d1b7d107c017c10190000000000000000007c007a0c00007c017c103c0000007c0d7c007a0500007c0e7a0000007c0c7a0100007d008c1c7c01530075696275696c74696e730a7475706c650a817d86818a0831733173371337136731333333370a86523067313333370a67313333380a2867373333310a284b004b024b06430e97007c007c016b0200000000530075696275696c74696e730a7475706c650a817d86816731333333370a288a08681b8ed0fbbd6c418a0941c7497ece39ad89008a084aeddba97935e5158a095ea56bfce5024e9f008a0894076c3bc5a9d72b8a08376e39db1e2c8a6d8a0982c47dc69701a288008a080a5558e826cbfd656c86522e"
+
+
+functions = {}
+prev_f_idx = -1
+
+# extract code objects
+class PytecodeUnpickler(CustomUnpickler):
+    def load_reduce(self):
+        f: types.FunctionType = self.stack[-2]
+        args = self.stack[-1]
+
+        if hasattr(f, "__code__"):
+            code = f.__code__
+            if code.co_filename == "the":
+                functions[self.ip] = (f, args)
+
+        super().load_reduce()
+
+
+def change_varnames(self: CustomUnpickler):
+    self.stack[-1] = tuple(f"var_{i}" for i in range(1337))
+
+
+up = PytecodeUnpickler(bytes.fromhex(hex_code))
+up.set_breakpoint(353, change_varnames)
+
+inp = b"X" * 0x40
+
+up.load()
+
+
+import dis, marshal, subprocess, sys
+
+DECOMPILE = "-d" in sys.argv
+pycdc_path = "/home/xornet/tools/pycdc/pycdc"
+
+for idx, (f, args) in functions.items():
+    # code.co_varnames = tuple(f"var_{i}" for i in range(1337))
+    print(f"[+] Called at {idx}: f{args}")
+    dis.dis(f)
+    print("=" * 0x60)
+
+    if not DECOMPILE:
+        continue
+    cd = marshal.dumps(f.__code__)
+    marshaled_name = f"./marshaled/func_{idx}"
+    with open(marshaled_name, "wb") as _f:
+        _f.write(cd)
+
+    decomp_f = open(marshaled_name+".py", "w")
+
+    res = subprocess.run([pycdc_path, "-c", "-v", "3.11", marshaled_name], stdout=decomp_f)
+
+    decomp_f.close()
diff --git a/examples/custom_unpickler/pytecode/chall.py b/examples/custom_unpickler/pytecode/chall.py
@@ -0,0 +1,30 @@
+import sys
+import pickle
+
+
+# check your python version
+if (v := sys.version_info) and v.major == 3 and v.minor == 11:
+    print("[+] version check: ok")
+else:
+    print("[+] Requirement: Python 3.11")
+    print("    Please change the version of Python")
+    print("    Or use the Dockerfile in distfiles")
+    exit()
+
+# get input and sanity check
+inp = input("flag> ").encode("ascii")
+if len(inp) != 64:
+    print("[!] check the length of flag")
+    exit(1)
+
+for c in inp:
+    if c > 0x7f:
+        print("[!] ASCII printable only")
+        exit(1)
+
+# rev time
+hex_code = "8c0574797065738c0c46756e6374696f6e547970659372390500008c0574797065738c08436f64655479706593723a05000028284b024b00324d3905324b0043e697007c007c006b03000000007d027c007c02190000000000000000007d037c037c037a0a00007d047c047c047a0800007d057c057c057a0300007d067c057c067a0300007d077c077c057a0300007d087c077c057a0a00007d097c087c097a0a00007d0a7c087c067a0a00007d0b7c087c057a0a00007d0c7c047c057c067c097c077c0a7c0b7c0c67087d0d7c0467017c087a0500007d0e7c0d44005d227d0f7c0f7c087a0500007d107c107c087a0000007d1102007c017c007c107c11850219000000000000000000a6010000ab0100000000000000007c0e7c0f3c0000008c237c0e53002932288c086275696c74696e738c0767657461747472938c013f8c075f5f6d756c5f5f86524d39058552696275696c74696e730a7475706c650a8c037468658c0463616b658c0269734d390543016143036c69656c72a31c0000696275696c74696e730a7475706c650a817d86818c085f5f6d61696e5f5f8c03696e70938c086275696c74696e738c0767657461747472938c086275696c74696e738c03696e74938c0a66726f6d5f62797465738652865272193400003067313333370a67313333380a2867373333310a284b004b034b06432697007c007c0178027802190000000000000000007c027a190000630363023c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b008a083713dec0adde371387523067313333370a67313333380a2867373333310a284b004b034b06433497007c007c02190000000000000000007c007c011900000000000000000063027c007c013c0000007c007c023c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b024b0787523067313333370a67313333380a2867373333310a284b004b034b06434697007c007c01190000000000000000007d037c037c027a0a00007d047c047c047a0a00007d057c047c056b000000000072037c040b006e017c047c007c013c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b048a0980808080808080800087523067313333370a67313333380a2867373333310a284b004b034b06438c97007c007c01190000000000000000007d037c037c037a0200007d047c047c027a0300007c047a0a00007d057c037c057a0100007d067c037c027a1600007d037c047c047a0000007d077c077c077a0500007c077a0000007d087c047c087a0300007d097c097c027a0a00007d0a7c037c067c0a7a0300007a1400007d037c037c007c013c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b014b0d87523067313333370a67313333380a2867373333310a284b004b044b06432e97007c007c01190000000000000000007c007c02190000000000000000007a0c00007c007c033c0000007c00530075696275696c74696e730a7475706c650a817d8681286731333333370a4b014b064b0174523067313333370a67313333380a2867373333310a284b004b034b06433497007c007c01190000000000000000007c007c01190000000000000000007c027a0900007a0c00007c007c013c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b054b0c87523067313333370a67313333380a2867373333310a284b004b034b06433497007c007c02190000000000000000007c007c011900000000000000000063027c007c013c0000007c007c023c0000007c00530075696275696c74696e730a7475706c650a817d86816731333333370a4b034b0687523067313333370a67313333380a2867373333310a284b004b024b0643f097007c007c007a0600007d027c007c007a0200007d037c037c037a0000007d047c037c047a0000007d057c047c047a0800007d067c047c057a0000007d077c057c047a0500007d087c067c047a0500007c037a0a00007d097c037c087a0300007d0a7c0a7c047a0500007d0b7c037c0a7a0300007c037a0a00007d0c7c097c087a0500007d0d7c097c0b7c0a7a0000007c037a0a00007a0500007d0e7c027c037c047c057c067c077c087c0967087d0f7c0f44005d1b7d107c017c10190000000000000000007c007a0c00007c017c103c0000007c0d7c007a0500007c0e7a0000007c0c7a0100007d008c1c7c01530075696275696c74696e730a7475706c650a817d86818a0831733173371337136731333333370a86523067313333370a67313333380a2867373333310a284b004b024b06430e97007c007c016b0200000000530075696275696c74696e730a7475706c650a817d86816731333333370a288a08681b8ed0fbbd6c418a0941c7497ece39ad89008a084aeddba97935e5158a095ea56bfce5024e9f008a0894076c3bc5a9d72b8a08376e39db1e2c8a6d8a0982c47dc69701a288008a080a5558e826cbfd656c86522e"
+if pickle.loads(bytes.fromhex(hex_code)):
+    print("Congrats!! Submit your flag.")
+else:
+    print("nope")