64位Office API声明语句第81讲
【分享成果,随喜正能量】与其沦为情绪的奴隶,等到情绪爆发后再悔恨不已,不如从现在起,沉下心来,主宰自己的情绪,让自己时刻拥有健康的心绪。
跟我学VBA,我这里专注VBA, 授人以渔。我98年开始,从源码接触VBA已经20余年了,随着年龄的增长,越来越觉得有必要把这项技能传递给需要这项技术的职场人员。希望和数据打交道的朋友,都来学习VBA,利用VBA,起码可以提高自己的工作效率,可以有时间多陪陪父母,多陪陪家人,何乐而不为呢?
这讲我们继续学习64位Office API声明语句第81讲,这些内容是MS的权威资料,看似枯燥,但对于想学习API函数的朋友是非常有用的。
' ---------------------------------------------------------------------------
' OLE / COM HRESULT constants (an excerpt of winerror.h), declared explicitly
' As Long.  Values written &H8........ (the *_E_* codes) have bit 31 set, so
' they are FAILED HRESULTs and are NEGATIVE as a VBA Long; values written
' &H4.... (the *_S_* codes) have bit 31 clear and are success/informational
' HRESULTs.  Compare an API return value against these as Long, never against
' a positive decimal literal.  *_FIRST / *_LAST pairs bound the code range
' reserved for one group.
' ---------------------------------------------------------------------------

' Marshalling: tail of the MARSHAL_E range plus its success range
Const MARSHAL_E_LAST As Long = &H8004012F
Const MARSHAL_S_FIRST As Long = &H40120
Const MARSHAL_S_LAST As Long = &H4012F

' IDataObject
Const DATA_E_FIRST As Long = &H80040130
Const DATA_E_LAST As Long = &H8004013F
Const DATA_S_FIRST As Long = &H40130
Const DATA_S_LAST As Long = &H4013F

' IViewObject
Const VIEW_E_FIRST As Long = &H80040140
Const VIEW_E_LAST As Long = &H8004014F
Const VIEW_S_FIRST As Long = &H40140
Const VIEW_S_LAST As Long = &H4014F
Const VIEW_E_DRAW As Long = &H80040140

' Registration database (class / interface registration lookups)
Const REGDB_E_FIRST As Long = &H80040150
Const REGDB_E_LAST As Long = &H8004015F
Const REGDB_S_FIRST As Long = &H40150
Const REGDB_S_LAST As Long = &H4015F
Const REGDB_E_READREGDB As Long = &H80040150
Const REGDB_E_WRITEREGDB As Long = &H80040151
Const REGDB_E_KEYMISSING As Long = &H80040152
Const REGDB_E_INVALIDVALUE As Long = &H80040153
Const REGDB_E_CLASSNOTREG As Long = &H80040154
Const REGDB_E_IIDNOTREG As Long = &H80040155

' IOleCache
Const CACHE_E_FIRST As Long = &H80040170
Const CACHE_E_LAST As Long = &H8004017F
Const CACHE_S_FIRST As Long = &H40170
Const CACHE_S_LAST As Long = &H4017F
Const CACHE_E_NOCACHE_UPDATED As Long = &H80040170

' IOleObject
Const OLEOBJ_E_FIRST As Long = &H80040180
Const OLEOBJ_E_LAST As Long = &H8004018F
Const OLEOBJ_S_FIRST As Long = &H40180
Const OLEOBJ_S_LAST As Long = &H4018F
Const OLEOBJ_E_NOVERBS As Long = &H80040180
Const OLEOBJ_E_INVALIDVERB As Long = &H80040181

' IOleClientSite
Const CLIENTSITE_E_FIRST As Long = &H80040190
Const CLIENTSITE_E_LAST As Long = &H8004019F
Const CLIENTSITE_S_FIRST As Long = &H40190
Const CLIENTSITE_S_LAST As Long = &H4019F

' In-place activation
Const INPLACE_E_NOTUNDOABLE As Long = &H800401A0
Const INPLACE_E_NOTOOLSPACE As Long = &H800401A1
Const INPLACE_E_FIRST As Long = &H800401A0
Const INPLACE_E_LAST As Long = &H800401AF
Const INPLACE_S_FIRST As Long = &H401A0
Const INPLACE_S_LAST As Long = &H401AF

' Enumerators
Const ENUM_E_FIRST As Long = &H800401B0
Const ENUM_E_LAST As Long = &H800401BF
Const ENUM_S_FIRST As Long = &H401B0
Const ENUM_S_LAST As Long = &H401BF

' OLE 1.0 conversion
Const CONVERT10_E_FIRST As Long = &H800401C0
Const CONVERT10_E_LAST As Long = &H800401CF
Const CONVERT10_S_FIRST As Long = &H401C0
Const CONVERT10_S_LAST As Long = &H401CF
Const CONVERT10_E_OLESTREAM_GET As Long = &H800401C0
Const CONVERT10_E_OLESTREAM_PUT As Long = &H800401C1
Const CONVERT10_E_OLESTREAM_FMT As Long = &H800401C2
Const CONVERT10_E_OLESTREAM_BITMAP_TO_DIB As Long = &H800401C3
Const CONVERT10_E_STG_FMT As Long = &H800401C4
Const CONVERT10_E_STG_NO_STD_STREAM As Long = &H800401C5
Const CONVERT10_E_STG_DIB_TO_BITMAP As Long = &H800401C6

' Clipboard
Const CLIPBRD_E_FIRST As Long = &H800401D0
Const CLIPBRD_E_LAST As Long = &H800401DF
Const CLIPBRD_S_FIRST As Long = &H401D0
Const CLIPBRD_S_LAST As Long = &H401DF
Const CLIPBRD_E_CANT_OPEN As Long = &H800401D0
Const CLIPBRD_E_CANT_EMPTY As Long = &H800401D1
Const CLIPBRD_E_CANT_SET As Long = &H800401D2
Const CLIPBRD_E_BAD_DATA As Long = &H800401D3
Const CLIPBRD_E_CANT_CLOSE As Long = &H800401D4

' Monikers
Const MK_E_FIRST As Long = &H800401E0
Const MK_E_LAST As Long = &H800401EF
Const MK_S_FIRST As Long = &H401E0
Const MK_S_LAST As Long = &H401EF
Const MK_E_CONNECTMANUALLY As Long = &H800401E0
Const MK_E_EXCEEDEDDEADLINE As Long = &H800401E1
Const MK_E_NEEDGENERIC As Long = &H800401E2
Const MK_E_UNAVAILABLE As Long = &H800401E3
Const MK_E_SYNTAX As Long = &H800401E4
Const MK_E_NOOBJECT As Long = &H800401E5
Const MK_E_INVALIDEXTENSION As Long = &H800401E6
Const MK_E_INTERMEDIATEINTERFACENOTSUPPORTED As Long = &H800401E7
Const MK_E_NOTBINDABLE As Long = &H800401E8
Const MK_E_NOTBOUND As Long = &H800401E9
Const MK_E_CANTOPENFILE As Long = &H800401EA
Const MK_E_MUSTBOTHERUSER As Long = &H800401EB
Const MK_E_NOINVERSE As Long = &H800401EC
Const MK_E_NOSTORAGE As Long = &H800401ED
Const MK_E_NOPREFIX As Long = &H800401EE
Const MK_E_ENUMERATION_FAILED As Long = &H800401EF

' COM library (CoXxx) errors
Const CO_E_FIRST As Long = &H800401F0
Const CO_E_LAST As Long = &H800401FF
Const CO_S_FIRST As Long = &H401F0
Const CO_S_LAST As Long = &H401FF
Const CO_E_NOTINITIALIZED As Long = &H800401F0
Const CO_E_ALREADYINITIALIZED As Long = &H800401F1
Const CO_E_CANTDETERMINECLASS As Long = &H800401F2
Const CO_E_CLASSSTRING As Long = &H800401F3
Const CO_E_IIDSTRING As Long = &H800401F4
Const CO_E_APPNOTFOUND As Long = &H800401F5
Const CO_E_APPSINGLEUSE As Long = &H800401F6
Const CO_E_ERRORINAPP As Long = &H800401F7
Const CO_E_DLLNOTFOUND As Long = &H800401F8
Const CO_E_ERRORINDLL As Long = &H800401F9
Const CO_E_WRONGOSFORAPP As Long = &H800401FA
Const CO_E_OBJNOTREG As Long = &H800401FB
Const CO_E_OBJISREG As Long = &H800401FC
Const CO_E_OBJNOTCONNECTED As Long = &H800401FD
Const CO_E_APPDIDNTREG As Long = &H800401FE
Const CO_E_RELEASED As Long = &H800401FF

' Success codes (bit 31 clear) for the groups above
Const OLE_S_USEREG As Long = &H40000
Const OLE_S_STATIC As Long = &H40001
Const OLE_S_MAC_CLIPFORMAT As Long = &H40002
Const DRAGDROP_S_DROP As Long = &H40100
Const DRAGDROP_S_CANCEL As Long = &H40101
Const DRAGDROP_S_USEDEFAULTCURSORS As Long = &H40102
Const DATA_S_SAMEFORMATETC As Long = &H40130
Const VIEW_S_ALREADY_FROZEN As Long = &H40140
Const CACHE_S_FORMATETC_NOTSUPPORTED As Long = &H40170
Const CACHE_S_SAMECACHE As Long = &H40171
Const CACHE_S_SOMECACHES_NOTUPDATED As Long = &H40172
Const OLEOBJ_S_INVALIDVERB As Long = &H40180
Const OLEOBJ_S_CANNOT_DOVERB_NOW As Long = &H40181
Const OLEOBJ_S_INVALIDHWND As Long = &H40182
Const INPLACE_S_TRUNCATED As Long = &H401A0
Const CONVERT10_S_NO_PRESENTATION As Long = &H401C0
Const MK_S_REDUCED_TO_SELF As Long = &H401E2
Const MK_S_ME As Long = &H401E4
Const MK_S_HIM As Long = &H401E5
Const MK_S_US As Long = &H401E6
Const MK_S_MONIKERALREADYREGISTERED As Long = &H401E7

' Class creation / service control manager (facility &H8008....)
Const CO_E_CLASS_CREATE_FAILED As Long = &H80080001
Const CO_E_SCM_ERROR As Long = &H80080002
Const CO_E_SCM_RPC_FAILURE As Long = &H80080003
Const CO_E_BAD_PATH As Long = &H80080004
Const CO_E_SERVER_EXEC_FAILURE As Long = &H80080005
Const CO_E_OBJSRV_RPC_FAILURE As Long = &H80080006
Const MK_E_NO_NORMALIZED As Long = &H80080007
Const CO_E_SERVER_STOPPING As Long = &H80080008
Const MEM_E_INVALID_ROOT As Long = &H80080009
Const MEM_E_INVALID_LINK As Long = &H80080010
Const MEM_E_INVALID_SIZE As Long = &H80080011

' IDispatch (late binding) errors, facility &H8002....
Const DISP_E_UNKNOWNINTERFACE As Long = &H80020001
Const DISP_E_MEMBERNOTFOUND As Long = &H80020003
Const DISP_E_PARAMNOTFOUND As Long = &H80020004
Const DISP_E_TYPEMISMATCH As Long = &H80020005
Const DISP_E_UNKNOWNNAME As Long = &H80020006
Const DISP_E_NONAMEDARGS As Long = &H80020007
Const DISP_E_BADVARTYPE As Long = &H80020008
Const DISP_E_EXCEPTION As Long = &H80020009
Const DISP_E_OVERFLOW As Long = &H8002000A
Const DISP_E_BADINDEX As Long = &H8002000B
Const DISP_E_UNKNOWNLCID As Long = &H8002000C
Const DISP_E_ARRAYISLOCKED As Long = &H8002000D
Const DISP_E_BADPARAMCOUNT As Long = &H8002000E
Const DISP_E_PARAMNOTOPTIONAL As Long = &H8002000F
Const DISP_E_BADCALLEE As Long = &H80020010
Const DISP_E_NOTACOLLECTION As Long = &H80020011

' Type library errors, facility &H8002....
Const TYPE_E_BUFFERTOOSMALL As Long = &H80028016
Const TYPE_E_INVDATAREAD As Long = &H80028018
Const TYPE_E_UNSUPFORMAT As Long = &H80028019
Const TYPE_E_REGISTRYACCESS As Long = &H8002801C
Const TYPE_E_LIBNOTREGISTERED As Long = &H8002801D
Const TYPE_E_UNDEFINEDTYPE As Long = &H80028027
Const TYPE_E_QUALIFIEDNAMEDISALLOWED As Long = &H80028028
Const TYPE_E_INVALIDSTATE As Long = &H80028029
Const TYPE_E_WRONGTYPEKIND As Long = &H8002802A
Const TYPE_E_ELEMENTNOTFOUND As Long = &H8002802B
Const TYPE_E_AMBIGUOUSNAME As Long = &H8002802C
Const TYPE_E_NAMECONFLICT As Long = &H8002802D
Const TYPE_E_UNKNOWNLCID As Long = &H8002802E
Const TYPE_E_DLLFUNCTIONNOTFOUND As Long = &H8002802F
Const TYPE_E_BADMODULEKIND As Long = &H800288BD
Const TYPE_E_SIZETOOBIG As Long = &H800288C5
Const TYPE_E_DUPLICATEID As Long = &H800288C6
我20多年的VBA实践经验,全部浓缩在下面的各个教程中:
【分享成果,随喜正能量】人活一世,所有遇见,皆是命中注定,所有经历,都是前行的意义。无论是谁,都是来渡你的人。人生就是一场马拉松,渡过去,再回首,经历的苦难都会成为你的礼物。
WP 有意思!一道题三个语言
Triple Language题目名称的意思是三个语言,本题还确实就是三个语言。
看到题目给到的文件:
其中的 unicorn.dll 是很明显的,其实本题就是使用unicorn来模拟执行了关键的代码。
ida反编译看到main函数:两个判断函数分别使用unicorn来模拟执行了mips32和arm架构的机器码。
mips
先看到模拟执行的mips32代码:因为符号表没有去除,所以网上找一份unicorn模拟执行的代码对比分析即可。
看到上面的 uc_open(3i64, 4i64, &v10),这里的第一个和第二个参数表示模拟执行代码的架构和模式。
通过下载unicorn的源码,在其头文件中找到这些数字代表的宏。所以上面的即表示模拟执行mips32架构的代码。
// Architecture type.  Values are written out explicitly here; they are the
// same implicit sequence (starting at 1) as in the original header excerpt.
typedef enum uc_arch {
    UC_ARCH_ARM = 1,    // ARM architecture (including Thumb, Thumb-2)
    UC_ARCH_ARM64 = 2,  // ARM-64, also called AArch64
    UC_ARCH_MIPS = 3,   // Mips architecture (the 3 in uc_open(3, 4, ...) above)
    UC_ARCH_X86 = 4,    // X86 architecture (including x86 & x86-64)
    UC_ARCH_PPC = 5,    // PowerPC architecture (currently unsupported)
    UC_ARCH_SPARC = 6,  // Sparc architecture
    UC_ARCH_M68K = 7,   // M68K architecture
    UC_ARCH_MAX = 8,
} uc_arch;

// Mode type: a bit mask passed as the second uc_open() argument.  Several
// names share one bit value because they are interpreted per architecture
// (UC_MODE_MIPS32, UC_MODE_32, UC_MODE_PPC32 and UC_MODE_SPARC32 are all
// 1 << 2, i.e. the 4 in uc_open(3, 4, ...) above).
typedef enum uc_mode {
    UC_MODE_LITTLE_ENDIAN = 0,     // little-endian mode (default mode)
    UC_MODE_BIG_ENDIAN = 1 << 30,  // big-endian mode

    // arm / arm64
    UC_MODE_ARM = 0,               // ARM mode
    UC_MODE_THUMB = 1 << 4,        // THUMB mode (including Thumb-2)
    UC_MODE_MCLASS = 1 << 5,       // ARM's Cortex-M series (currently unsupported)
    UC_MODE_V8 = 1 << 6,           // ARMv8 A32 encodings for ARM (currently unsupported)
    // arm (32bit) cpu types
    UC_MODE_ARM926 = 1 << 7,       // ARM926 CPU type
    UC_MODE_ARM946 = 1 << 8,       // ARM946 CPU type
    UC_MODE_ARM1176 = 1 << 9,      // ARM1176 CPU type
    // ARM BE8
    UC_MODE_ARMBE8 = 1 << 10,      // Big-endian data and Little-endian code

    // mips
    UC_MODE_MICRO = 1 << 4,        // MicroMips mode (currently unsupported)
    UC_MODE_MIPS3 = 1 << 5,        // Mips III ISA (currently unsupported)
    UC_MODE_MIPS32R6 = 1 << 6,     // Mips32r6 ISA (currently unsupported)
    UC_MODE_MIPS32 = 1 << 2,       // Mips32 ISA
    UC_MODE_MIPS64 = 1 << 3,       // Mips64 ISA

    // x86 / x64
    UC_MODE_16 = 1 << 1,           // 16-bit mode
    UC_MODE_32 = 1 << 2,           // 32-bit mode
    UC_MODE_64 = 1 << 3,           // 64-bit mode

    // ppc
    UC_MODE_PPC32 = 1 << 2,        // 32-bit mode (currently unsupported)
    UC_MODE_PPC64 = 1 << 3,        // 64-bit mode (currently unsupported)
    UC_MODE_QPX = 1 << 4,          // Quad Processing eXtensions mode (currently unsupported)

    // sparc
    UC_MODE_SPARC32 = 1 << 2,      // 32-bit mode
    UC_MODE_SPARC64 = 1 << 3,      // 64-bit mode
    UC_MODE_V9 = 1 << 4,           // SparcV9 mode (currently unsupported)

    // m68k
} uc_mode;
再看到 uc_hook_add 这个函数,为UC_HOOK_CODE事件注册了钩子回调函数。这其实就好比一个调试指令,每当一条要模拟的指令得到执行前都会跳到uc_hook_add 设置的回调函数去执行。
这样仅凭程序中的代码是分析不到关键代码的,因为关键代码都是unicorn去模拟执行的,对于我们像是一个黑盒子一样,我们只知道输入和输出。
这里通过把要模拟执行的机器码dump出来,然后使用 capstone 模块以unicorn模拟执行架构和位数来对这些机器码进行一个反汇编。
from capstone import *
from capstone.arm import *

# Machine code dumped from the MIPS32 stage.  The writeup's uc_open(3, 4, ...)
# is UC_ARCH_MIPS / UC_MODE_MIPS32 with no big-endian bit, i.e. little-endian,
# so capstone is opened as CS_ARCH_MIPS / CS_MODE_32.  Row comments describe
# what the resulting listing shows.
CODE = bytes([
    # six blocks of lui/ori/lb/mul: $t1..$t6 *= byte at 0x11000 + i
    0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x00, 0x00, 0x08, 0x81, 0x02, 0x48, 0x28, 0x71,
    0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x01, 0x00, 0x08, 0x81, 0x02, 0x50, 0x48, 0x71,
    0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x02, 0x00, 0x08, 0x81, 0x02, 0x58, 0x68, 0x71,
    0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x03, 0x00, 0x08, 0x81, 0x02, 0x60, 0x88, 0x71,
    0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x04, 0x00, 0x08, 0x81, 0x02, 0x68, 0xA8, 0x71,
    0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x05, 0x00, 0x08, 0x81, 0x02, 0x70, 0xC8, 0x71,
    # $s0 = 0x12000, $s1 = 0x13000
    0x01, 0x00, 0x10, 0x3C, 0x00, 0x20, 0x10, 0x36, 0x01, 0x00, 0x11, 0x3C, 0x00, 0x30, 0x31, 0x36,
    # eight blocks of lb/lb/add/addiu/addiu: $t1..$t8 = *$s0++ + *$s1++
    0x00, 0x00, 0x09, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x48, 0x39, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x0A, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x50, 0x59, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x0B, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x58, 0x79, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x0C, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x60, 0x99, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x0D, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x68, 0xB9, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x0E, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x70, 0xD9, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x0F, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x78, 0xF9, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
    0x00, 0x00, 0x18, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0xC0, 0x19, 0x03, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26,
])

# Base address the code was emulated at; addresses in the listing are relative to it.
BASE = 0x10000

disassembler = Cs(CS_ARCH_MIPS, CS_MODE_32)
for insn in disassembler.disasm(CODE, BASE):
    print(f"0x{insn.address:x}:\t{insn.mnemonic}\t{insn.op_str}")
得到:
0x10000: lui $t0, 1
0x10004: ori $t0, $t0, 0x1000
0x10008: lb $t0, ($t0)
0x1000c: mul $t1, $t1, $t0
0x10010: lui $t0, 1
0x10014: ori $t0, $t0, 0x1000
0x10018: lb $t0, 1($t0)
0x1001c: mul $t2, $t2, $t0
0x10020: lui $t0, 1
0x10024: ori $t0, $t0, 0x1000
0x10028: lb $t0, 2($t0)
0x1002c: mul $t3, $t3, $t0
0x10030: lui $t0, 1
0x10034: ori $t0, $t0, 0x1000
0x10038: lb $t0, 3($t0)
0x1003c: mul $t4, $t4, $t0
0x10040: lui $t0, 1
0x10044: ori $t0, $t0, 0x1000
0x10048: lb $t0, 4($t0)
0x1004c: mul $t5, $t5, $t0
0x10050: lui $t0, 1
0x10054: ori $t0, $t0, 0x1000
0x10058: lb $t0, 5($t0)
0x1005c: mul $t6, $t6, $t0
0x10060: lui $s0, 1
0x10064: ori $s0, $s0, 0x2000
0x10068: lui $s1, 1
0x1006c: ori $s1, $s1, 0x3000
0x10070: lb $t1, ($s0)
0x10074: lb $t9, ($s1)
0x10078: add $t1, $t1, $t9
0x1007c: addiu $s0, $s0, 1
0x10080: addiu $s1, $s1, 1
0x10084: lb $t2, ($s0)
0x10088: lb $t9, ($s1)
0x1008c: add $t2, $t2, $t9
0x10090: addiu $s0, $s0, 1
0x10094: addiu $s1, $s1, 1
0x10098: lb $t3, ($s0)
0x1009c: lb $t9, ($s1)
0x100a0: add $t3, $t3, $t9
0x100a4: addiu $s0, $s0, 1
0x100a8: addiu $s1, $s1, 1
0x100ac: lb $t4, ($s0)
0x100b0: lb $t9, ($s1)
0x100b4: add $t4, $t4, $t9
0x100b8: addiu $s0, $s0, 1
0x100bc: addiu $s1, $s1, 1
0x100c0: lb $t5, ($s0)
0x100c4: lb $t9, ($s1)
0x100c8: add $t5, $t5, $t9
0x100cc: addiu $s0, $s0, 1
0x100d0: addiu $s1, $s1, 1
0x100d4: lb $t6, ($s0)
0x100d8: lb $t9, ($s1)
0x100dc: add $t6, $t6, $t9
0x100e0: addiu $s0, $s0, 1
0x100e4: addiu $s1, $s1, 1
0x100e8: lb $t7, ($s0)
0x100ec: lb $t9, ($s1)
0x100f0: add $t7, $t7, $t9
0x100f4: addiu $s0, $s0, 1
0x100f8: addiu $s1, $s1, 1
0x100fc: lb $t8, ($s0)
0x10100: lb $t9, ($s1)
0x10104: add $t8, $t8, $t9
0x10108: addiu $s0, $s0, 1
0x1010c: addiu $s1, $s1, 1
到这篇文章查mips常见指令的含义:
结合每条指令执行前调用的callback函数分析这些机器码:
看到上面是每隔0x10的机器码就有一个判断,所以我们也按照这个分块分析mips指令。
总结就是先把前6个字符与 “zjgcjy” 单字节依次相乘然后在回调函数对比乘积结果。
后面就是输入的[6, 14]与[14, 22]分别相加,而在模拟执行代码之前有它们分别相减的结果对比,因此解这一部分就是解8个二元一次方程,使用z3即可处理。注意和与差都是模 256 的,只能确定 2x mod 256,所以每组方程其实有两个相差 128 的解,需要把解限定在可打印字符范围内(或检查输出)才能唯一确定。
本部分总的解密脚本:
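"""Stage-1 solver: recover the 22-byte input checked by the MIPS32 stage."""
from z3 import *
import sys

# Part A (bytes 0..5): the hook compares input[i] * ord("zjgcjy"[i]) with these products.
ENC_MUL = [0x2F2E, 0x282A, 0x2C42, 0x2A8A, 0x13E0, 0x36D4]
MUL_KEY = "zjgcjy"

# Part B (bytes 6..21): the emulated code adds input[6+i] + input[14+i] and the
# binary compares the sums against ENC_ADD; before emulation it also compared
# the byte-wise differences input[6+i] - input[14+i] against ENC_SUB.
ENC_ADD = [194, 195, 215, 196, 218, 165, 160, 190]
ENC_SUB = (0x3EBB0EFAF301FC).to_bytes(8, "little")
# print(ENC_SUB)

# Part A is a plain division; fail loudly if a product is not an exact multiple,
# since a silent floor division would just produce a wrong character.
p1 = []
for product, key_char in zip(ENC_MUL, MUL_KEY):
    quotient, remainder = divmod(product, ord(key_char))
    if remainder:
        print(f"Not Found! ({product:#x} is not a multiple of {key_char!r})")
        sys.exit(1)
    p1.append(quotient)

# Part B: 16 unknown bytes, 8 (sum, difference) pairs.
solver = Solver()
p2 = [BitVec('x%d' % i, 8) for i in range(16)]
for i in range(8):
    solver.add(((p2[i] - p2[i + 8]) & 0xff) == ENC_SUB[i])
    solver.add(p2[i] + p2[i + 8] == ENC_ADD[i])
    # Sum and difference mod 256 only fix 2*x mod 256, so each pair has two
    # solutions 128 apart.  Restrict both bytes to printable ASCII so the
    # answer is determined instead of depending on which model z3 returns.
    # z3's >= / <= on BitVec are signed comparisons; 0x20..0x7e all have bit 7
    # clear, so this excludes exactly the values with the high bit set.
    solver.add(p2[i] >= 0x20, p2[i] <= 0x7e)
    solver.add(p2[i + 8] >= 0x20, p2[i + 8] <= 0x7e)

if solver.check() != sat:
    # The original script printed this and then crashed on bytes(p) with
    # unresolved BitVecs; exit cleanly instead.
    print('Not Found!')
    sys.exit(1)

model = solver.model()
p2 = [model[v].as_long() for v in p2]
print(bytes(p1 + p2))
# cann0t_be_t0o_carefu1_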
接着是第二部分的arm代码的模拟执行:这一部分相比上一部分就复杂得多了,从要模拟执行的机器码数量也能看出来,另外此部分还单独映射了一块内存作为栈空间:`!(unsigned int)uc_mem_map(v3, 0x10000i64, 0x1000i64, 7i64) // 栈空间`
做法同样可以使用 capstone 来反汇编机器码:
from capstone import *
from capstone.arm import *

# Machine code dumped from the ARM stage.  The writeup emulated it as 32-bit
# ARM (A32) at base 0x200000, with a separate 0x1000-byte mapping at 0x10000
# used as the stack.  Row comments summarise what the capstone listing shows;
# offsets are relative to BASE.
CODE = bytes([
    # 0x200000: prologue -- push fp, fp = sp, sp -= 0x8c; first mov r3, #0x29
    0x04, 0xB0, 0x2D, 0xE5, 0x00, 0xB0, 0x8D, 0xE2, 0x8C, 0xD0, 0x4D, 0xE2, 0x29, 0x30, 0xA0, 0xE3,
    # 0x200010..0x2000c8: 24 x (strb r3, [fp, #-N]; mov r3, #imm) -- the expected
    # ciphertext bytes are laid out at [fp-0x28 .. fp-0x11]
    0x28, 0x30, 0x4B, 0xE5, 0x38, 0x30, 0xA0, 0xE3, 0x27, 0x30, 0x4B, 0xE5, 0x46, 0x30, 0xA0, 0xE3,
    0x26, 0x30, 0x4B, 0xE5, 0x50, 0x30, 0xA0, 0xE3, 0x25, 0x30, 0x4B, 0xE5, 0x3E, 0x30, 0xA0, 0xE3,
    0x24, 0x30, 0x4B, 0xE5, 0x36, 0x30, 0xA0, 0xE3, 0x23, 0x30, 0x4B, 0xE5, 0x5E, 0x30, 0xA0, 0xE3,
    0x22, 0x30, 0x4B, 0xE5, 0x42, 0x30, 0xA0, 0xE3, 0x21, 0x30, 0x4B, 0xE5, 0x3D, 0x30, 0xA0, 0xE3,
    0x20, 0x30, 0x4B, 0xE5, 0x47, 0x30, 0xA0, 0xE3, 0x1F, 0x30, 0x4B, 0xE5, 0x36, 0x30, 0xA0, 0xE3,
    0x1E, 0x30, 0x4B, 0xE5, 0x40, 0x30, 0xA0, 0xE3, 0x1D, 0x30, 0x4B, 0xE5, 0x3E, 0x30, 0xA0, 0xE3,
    0x1C, 0x30, 0x4B, 0xE5, 0x58, 0x30, 0xA0, 0xE3, 0x1B, 0x30, 0x4B, 0xE5, 0x2A, 0x30, 0xA0, 0xE3,
    0x1A, 0x30, 0x4B, 0xE5, 0x50, 0x30, 0xA0, 0xE3, 0x19, 0x30, 0x4B, 0xE5, 0x3C, 0x30, 0xA0, 0xE3,
    0x18, 0x30, 0x4B, 0xE5, 0x47, 0x30, 0xA0, 0xE3, 0x17, 0x30, 0x4B, 0xE5, 0x3D, 0x30, 0xA0, 0xE3,
    0x16, 0x30, 0x4B, 0xE5, 0x42, 0x30, 0xA0, 0xE3, 0x15, 0x30, 0x4B, 0xE5, 0x29, 0x30, 0xA0, 0xE3,
    0x14, 0x30, 0x4B, 0xE5, 0x31, 0x30, 0xA0, 0xE3, 0x13, 0x30, 0x4B, 0xE5, 0x20, 0x30, 0xA0, 0xE3,
    # 0x2000c0..0x2000cc: last two stores, then r3 = fp - 0x8c (output buffer)
    0x12, 0x30, 0x4B, 0xE5, 0x20, 0x30, 0xA0, 0xE3, 0x11, 0x30, 0x4B, 0xE5, 0x8C, 0x30, 0x4B, 0xE2,
    # 0x2000d0: [fp-8] = output pointer, [fp-0xc] = input index 0, b to loop test at 0x200224
    0x08, 0x30, 0x0B, 0xE5, 0x00, 0x30, 0xA0, 0xE3, 0x0C, 0x30, 0x0B, 0xE5, 0x50, 0x00, 0x00, 0xEA,
    # 0x2000e0..0x20021c: loop body -- reads input bytes at 0x21024 + index and
    # emits 4 chars per 3 bytes (6-bit groups, each + 0x21), base64-like
    0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3,
    0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5,
    0x23, 0x31, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6,
    0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5,
    0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0,
    0x00, 0x30, 0xD3, 0xE5, 0x03, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x30, 0x30, 0x03, 0xE2,
    0x73, 0x10, 0xAF, 0xE6, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x00, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3,
    0x02, 0x30, 0x40, 0xE3, 0x00, 0x30, 0xD3, 0xE7, 0x23, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6,
    0x73, 0x30, 0xAF, 0xE6, 0x03, 0x30, 0x81, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x73, 0x30, 0xEF, 0xE6,
    0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5,
    0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x10, 0x83, 0xE2,
    0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x01, 0x30, 0xD3, 0xE7, 0x03, 0x31, 0xA0, 0xE1,
    0x73, 0x30, 0xAF, 0xE6, 0x3C, 0x30, 0x03, 0xE2, 0x73, 0x10, 0xAF, 0xE6, 0x0C, 0x30, 0x1B, 0xE5,
    0x02, 0x00, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x00, 0x30, 0xD3, 0xE7,
    0x23, 0x33, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x73, 0x30, 0xAF, 0xE6, 0x03, 0x30, 0x81, 0xE1,
    0x73, 0x30, 0xAF, 0xE6, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6,
    0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5,
    0x0C, 0x30, 0x1B, 0xE5, 0x02, 0x10, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3,
    0x01, 0x30, 0xD3, 0xE7, 0x3F, 0x30, 0x03, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2,
    0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x03, 0x30, 0x83, 0xE2,
    # 0x200220: index += 3; loop while index <= 0xd
    0x0C, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x0D, 0x00, 0x53, 0xE3, 0xAB, 0xFF, 0xFF, 0xDA,
    # 0x200230..0x200398: tail -- if index > 0xf skip; otherwise encode the 1-2
    # leftover bytes, appear to pad with 0x20, then write a 0 terminator
    0x0C, 0x30, 0x1B, 0xE5, 0x0F, 0x00, 0x53, 0xE3, 0x52, 0x00, 0x00, 0xCA, 0x08, 0x20, 0x1B, 0xE5,
    0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3,
    0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x23, 0x31, 0xA0, 0xE1,
    0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5,
    0x0C, 0x30, 0x1B, 0xE5, 0x0F, 0x00, 0x53, 0xE3, 0x14, 0x00, 0x00, 0x1A, 0x08, 0x20, 0x1B, 0xE5,
    0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3,
    0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x03, 0x32, 0xA0, 0xE1,
    0x73, 0x30, 0xEF, 0xE6, 0x30, 0x30, 0x03, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2,
    0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x30, 0x1B, 0xE5, 0x01, 0x20, 0x83, 0xE2,
    0x08, 0x20, 0x0B, 0xE5, 0x20, 0x20, 0xA0, 0xE3, 0x00, 0x20, 0xC3, 0xE5, 0x28, 0x00, 0x00, 0xEA,
    0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3,
    0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5,
    0x03, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x30, 0x30, 0x03, 0xE2, 0x73, 0x10, 0xAF, 0xE6,
    0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x00, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3,
    0x00, 0x30, 0xD3, 0xE7, 0x23, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x73, 0x30, 0xAF, 0xE6,
    0x03, 0x30, 0x81, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2,
    0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2,
    0x08, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x10, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3,
    0x02, 0x30, 0x40, 0xE3, 0x01, 0x30, 0xD3, 0xE7, 0x03, 0x31, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6,
    0x3C, 0x30, 0x03, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6,
    0x00, 0x30, 0xC2, 0xE5, 0x08, 0x30, 0x1B, 0xE5, 0x01, 0x20, 0x83, 0xE2, 0x08, 0x20, 0x0B, 0xE5,
    0x20, 0x20, 0xA0, 0xE3, 0x00, 0x20, 0xC3, 0xE5, 0x08, 0x30, 0x1B, 0xE5, 0x01, 0x20, 0x83, 0xE2,
    0x08, 0x20, 0x0B, 0xE5, 0x00, 0x20, 0xA0, 0xE3, 0x00, 0x20, 0xC3, 0xE5, 0x00, 0x30, 0xA0, 0xE3,
    # 0x2003a0..0x2003ec: compare the produced buffer (fp-0x8c) with the stored
    # bytes (fp-0x28), index 0..0x17; r3 = 0 on the first mismatch
    0x0C, 0x30, 0x0B, 0xE5, 0x0E, 0x00, 0x00, 0xEA, 0x8C, 0x20, 0x4B, 0xE2, 0x0C, 0x30, 0x1B, 0xE5,
    0x03, 0x30, 0x82, 0xE0, 0x00, 0x20, 0xD3, 0xE5, 0x28, 0x10, 0x4B, 0xE2, 0x0C, 0x30, 0x1B, 0xE5,
    0x03, 0x30, 0x81, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x03, 0x00, 0x52, 0xE1, 0x01, 0x00, 0x00, 0x0A,
    0x00, 0x30, 0xA0, 0xE3, 0x06, 0x00, 0x00, 0xEA, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE2,
    0x0C, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x17, 0x00, 0x53, 0xE3, 0xED, 0xFF, 0xFF, 0xDA,
    # 0x2003f0: r3 = 1 on full match, r0 = r3, epilogue
    0x01, 0x30, 0xA0, 0xE3, 0x03, 0x00, 0xA0, 0xE1, 0x00, 0xD0, 0x8B, 0xE2, 0x04, 0xB0, 0x9D, 0xE4,
])

# Base address the code was emulated at; addresses in the listing are relative to it.
BASE = 0x200000

disassembler = Cs(CS_ARCH_ARM, CS_MODE_ARM)
for insn in disassembler.disasm(CODE, BASE):
    print(f"0x{insn.address:x}:\t{insn.mnemonic}\t{insn.op_str}")
0x200000: str fp, [sp, #-4]!0x200004: add fp, sp, #00x200008: sub sp, sp, #0x8c0x20000c: mov r3, #0x290x200010: strb r3, [fp, #-0x28]0x200014: mov r3, #0x380x200018: strb r3, [fp, #-0x27]0x20001c: mov r3, #0x460x200020: strb r3, [fp, #-0x26]0x200024: mov r3, #0x500x200028: strb r3, [fp, #-0x25]0x20002c: mov r3, #0x3e0x200030: strb r3, [fp, #-0x24]0x200034: mov r3, #0x360x200038: strb r3, [fp, #-0x23]0x20003c: mov r3, #0x5e0x200040: strb r3, [fp, #-0x22]0x200044: mov r3, #0x420x200048: strb r3, [fp, #-0x21]0x20004c: mov r3, #0x3d0x200050: strb r3, [fp, #-0x20]0x200054: mov r3, #0x470x200058: strb r3, [fp, #-0x1f]0x20005c: mov r3, #0x360x200060: strb r3, [fp, #-0x1e]0x200064: mov r3, #0x400x200068: strb r3, [fp, #-0x1d]0x20006c: mov r3, #0x3e0x200070: strb r3, [fp, #-0x1c]0x200074: mov r3, #0x580x200078: strb r3, [fp, #-0x1b]0x20007c: mov r3, #0x2a0x200080: strb r3, [fp, #-0x1a]0x200084: mov r3, #0x500x200088: strb r3, [fp, #-0x19]0x20008c: mov r3, #0x3c0x200090: strb r3, [fp, #-0x18]0x200094: mov r3, #0x470x200098: strb r3, [fp, #-0x17]0x20009c: mov r3, #0x3d0x2000a0: strb r3, [fp, #-0x16]0x2000a4: mov r3, #0x420x2000a8: strb r3, [fp, #-0x15]0x2000ac: mov r3, #0x290x2000b0: strb r3, [fp, #-0x14]0x2000b4: mov r3, #0x310x2000b8: strb r3, [fp, #-0x13]0x2000bc: mov r3, #0x200x2000c0: strb r3, [fp, #-0x12]0x2000c4: mov r3, #0x200x2000c8: strb r3, [fp, #-0x11]0x2000cc: sub r3, fp, #0x8c0x2000d0: str r3, [fp, #-8]0x2000d4: mov r3, #00x2000d8: str r3, [fp, #-0xc]0x2000dc: b #0x2002240x2000e0: ldr r2, [fp, #-8]0x2000e4: add r3, r2, #10x2000e8: str r3, [fp, #-8]0x2000ec: movw r3, #0x10240x2000f0: movt r3, #20x2000f4: ldr r1, [fp, #-0xc]0x2000f8: add r3, r3, r10x2000fc: ldrb r3, [r3]0x200100: lsr r3, r3, #20x200104: uxtb r3, r30x200108: add r3, r3, #0x210x20010c: uxtb r3, r30x200110: strb r3, [r2]0x200114: ldr r2, [fp, #-8]0x200118: add r3, r2, #10x20011c: str r3, [fp, #-8]0x200120: movw r3, #0x10240x200124: movt r3, #20x200128: ldr r1, [fp, #-0xc]0x20012c: add r3, r3, 
r10x200130: ldrb r3, [r3]0x200134: lsl r3, r3, #40x200138: sxtb r3, r30x20013c: and r3, r3, #0x300x200140: sxtb r1, r30x200144: ldr r3, [fp, #-0xc]0x200148: add r0, r3, #10x20014c: movw r3, #0x10240x200150: movt r3, #20x200154: ldrb r3, [r3, r0]0x200158: lsr r3, r3, #40x20015c: uxtb r3, r30x200160: sxtb r3, r30x200164: orr r3, r1, r30x200168: sxtb r3, r30x20016c: uxtb r3, r30x200170: add r3, r3, #0x210x200174: uxtb r3, r30x200178: strb r3, [r2]0x20017c: ldr r2, [fp, #-8]0x200180: add r3, r2, #10x200184: str r3, [fp, #-8]0x200188: ldr r3, [fp, #-0xc]0x20018c: add r1, r3, #10x200190: movw r3, #0x10240x200194: movt r3, #20x200198: ldrb r3, [r3, r1]0x20019c: lsl r3, r3, #20x2001a0: sxtb r3, r30x2001a4: and r3, r3, #0x3c0x2001a8: sxtb r1, r30x2001ac: ldr r3, [fp, #-0xc]0x2001b0: add r0, r3, #20x2001b4: movw r3, #0x10240x2001b8: movt r3, #20x2001bc: ldrb r3, [r3, r0]0x2001c0: lsr r3, r3, #60x2001c4: uxtb r3, r30x2001c8: sxtb r3, r30x2001cc: orr r3, r1, r30x2001d0: sxtb r3, r30x2001d4: uxtb r3, r30x2001d8: add r3, r3, #0x210x2001dc: uxtb r3, r30x2001e0: strb r3, [r2]0x2001e4: ldr r2, [fp, #-8]0x2001e8: add r3, r2, #10x2001ec: str r3, [fp, #-8]0x2001f0: ldr r3, [fp, #-0xc]0x2001f4: add r1, r3, #20x2001f8: movw r3, #0x10240x2001fc: movt r3, #20x200200: ldrb r3, [r3, r1]0x200204: and r3, r3, #0x3f0x200208: uxtb r3, r30x20020c: add r3, r3, #0x210x200210: uxtb r3, r30x200214: strb r3, [r2]0x200218: ldr r3, [fp, #-0xc]0x20021c: add r3, r3, #30x200220: str r3, [fp, #-0xc]0x200224: ldr r3, [fp, #-0xc]0x200228: cmp r3, #0xd0x20022c: ble #0x2000e00x200230: ldr r3, [fp, #-0xc]0x200234: cmp r3, #0xf0x200238: bgt #0x2003880x20023c: ldr r2, [fp, #-8]0x200240: add r3, r2, #10x200244: str r3, [fp, #-8]0x200248: movw r3, #0x10240x20024c: movt r3, #20x200250: ldr r1, [fp, #-0xc]0x200254: add r3, r3, r10x200258: ldrb r3, [r3]0x20025c: lsr r3, r3, #20x200260: uxtb r3, r30x200264: add r3, r3, #0x210x200268: uxtb r3, r30x20026c: strb r3, [r2]0x200270: ldr r3, [fp, #-0xc]0x200274: cmp r3, 
#0xf0x200278: bne #0x2002d00x20027c: ldr r2, [fp, #-8]0x200280: add r3, r2, #10x200284: str r3, [fp, #-8]0x200288: movw r3, #0x10240x20028c: movt r3, #20x200290: ldr r1, [fp, #-0xc]0x200294: add r3, r3, r10x200298: ldrb r3, [r3]0x20029c: lsl r3, r3, #40x2002a0: uxtb r3, r30x2002a4: and r3, r3, #0x300x2002a8: uxtb r3, r30x2002ac: add r3, r3, #0x210x2002b0: uxtb r3, r30x2002b4: strb r3, [r2]0x2002b8: ldr r3, [fp, #-8]0x2002bc: add r2, r3, #10x2002c0: str r2, [fp, #-8]0x2002c4: mov r2, #0x200x2002c8: strb r2, [r3]0x2002cc: b #0x2003740x2002d0: ldr r2, [fp, #-8]0x2002d4: add r3, r2, #10x2002d8: str r3, [fp, #-8]0x2002dc: movw r3, #0x10240x2002e0: movt r3, #20x2002e4: ldr r1, [fp, #-0xc]0x2002e8: add r3, r3, r10x2002ec: ldrb r3, [r3]0x2002f0: lsl r3, r3, #40x2002f4: sxtb r3, r30x2002f8: and r3, r3, #0x300x2002fc: sxtb r1, r30x200300: ldr r3, [fp, #-0xc]0x200304: add r0, r3, #10x200308: movw r3, #0x10240x20030c: movt r3, #20x200310: ldrb r3, [r3, r0]0x200314: lsr r3, r3, #40x200318: uxtb r3, r30x20031c: sxtb r3, r30x200320: orr r3, r1, r30x200324: sxtb r3, r30x200328: uxtb r3, r30x20032c: add r3, r3, #0x210x200330: uxtb r3, r30x200334: strb r3, [r2]0x200338: ldr r2, [fp, #-8]0x20033c: add r3, r2, #10x200340: str r3, [fp, #-8]0x200344: ldr r3, [fp, #-0xc]0x200348: add r1, r3, #10x20034c: movw r3, #0x10240x200350: movt r3, #20x200354: ldrb r3, [r3, r1]0x200358: lsl r3, r3, #20x20035c: uxtb r3, r30x200360: and r3, r3, #0x3c0x200364: uxtb r3, r30x200368: add r3, r3, #0x210x20036c: uxtb r3, r30x200370: strb r3, [r2]0x200374: ldr r3, [fp, #-8]0x200378: add r2, r3, #10x20037c: str r2, [fp, #-8]0x200380: mov r2, #0x200x200384: strb r2, [r3]0x200388: ldr r3, [fp, #-8]0x20038c: add r2, r3, #10x200390: str r2, [fp, #-8]0x200394: mov r2, #00x200398: strb r2, [r3]0x20039c: mov r3, #00x2003a0: str r3, [fp, #-0xc]0x2003a4: b #0x2003e40x2003a8: sub r2, fp, #0x8c0x2003ac: ldr r3, [fp, #-0xc]0x2003b0: add r3, r2, r30x2003b4: ldrb r2, [r3]0x2003b8: sub r1, fp, #0x280x2003bc: ldr r3, [fp, 
#-0xc]0x2003c0: add r3, r1, r30x2003c4: ldrb r3, [r3]0x2003c8: cmp r2, r30x2003cc: beq #0x2003d80x2003d0: mov r3, #00x2003d4: b #0x2003f40x2003d8: ldr r3, [fp, #-0xc]0x2003dc: add r3, r3, #10x2003e0: str r3, [fp, #-0xc]0x2003e4: ldr r3, [fp, #-0xc]0x2003e8: cmp r3, #0x170x2003ec: ble #0x2003a80x2003f0: mov r3, #10x2003f4: mov r0, r30x2003f8: add sp, fp, #00x2003fc: pop {fp}
但这样继续手撸arm指令确实太麻烦了,想到 ida 本就有这个功能,还能反编译呢。所以复制机器码到一个文件,ida打开,设置好架构和基地址,得到反编译后的关键函数:
不难发现这个关键加密算法其实就类似base64,但把码表改成了加 33 ,直接解了一下得到:!you_are_wrong!!
后面才发现这其实是错的,原因是密文被变换过的,在UC_HOOK_CODE事件注册的钩子回调函数:这里的69代表r3寄存器。
按照同样的逻辑修改密文:
>>> s = [41, 56, 70, 80, 62, 54, 94, 66, 61, 71, 54, 64, 62, 88, 42, 80, 60, 71, 61, 66, 41, 49]
>>> s[0] += 15
>>> s[(0x58-0x10)//8] += 15
>>> s[(0x18-0x10)//8] ^= 0x6f
>>> s[(0x20-0x10)//8] -= 12
>>> s[(0x40-0x10)//8] -= 12
>>> s[(0x28-0x10)//8] ^= 0x12
>>> s[(0x30-0x10)//8] -= 5
>>> s[(0x70-0x10)//8] -= 5
>>> s[(0x38-0x10)//8] += 33
>>> s[(0x48-0x10)//8] ^= 0xd
>>> s[(0x50-0x10)//8] -= 3
>>> s[(0x60-0x10)//8] ^= 0x68
>>> s[(0x68-0x10)//8] ^= 0xa
>>> s[(0x78-0x10)//8] -= 33
>>> s[(0x80-0x10)//8] += 48
>>> s[(0x88-0x10)//8] ^= 0x18
>>> s[(0x90-0x10)//8] += 2
>>> s[(0x98-0x10)//8] -= 16
>>> s[(0xa0-0x10)//8] ^= 0x1b
>>> s[(0xa8-0x10)//8] += 6
>>> s[(0xb0-0x10)//8] ^= 0x13
>>> bytes(s)
b'8W:B9WRO:V^J97ZH>7&H:1'
得到正确密文:8W:B9WRO:V^J97ZH>7&H:1,解密得到:_faclng_ianguage
最后还有开始的4字节,一个crc类算法,应该魔改过,结果要等于 0xCAFABCBC
解这里爆破即可。
本部分总的解密脚本:
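"""Stage-2 solver: brute-force the 4-byte CRC prefix, then undo the base64-like step."""
import itertools
import sys

# 256-entry byte-indexed lookup table dumped from the binary.  The original
# dump carried one extra trailing dword (0xD76AA478) after entry 255; it can
# never be reached because the index is masked with & 0xFF, so it is dropped.
CRC_TABLE = [
    0x00000000, 0xF26B8303, 0xE13B70F7, 0x1350F3F4, 0xC79A971F, 0x35F1141C, 0x26A1E7E8, 0xD4CA64EB,
    0x8AD958CF, 0x78B2DBCC, 0x6BE22838, 0x9989AB3B, 0x4D43CFD0, 0xBF284CD3, 0xAC78BF27, 0x5E133C24,
    0x105EC76F, 0xE235446C, 0xF165B798, 0x030E349B, 0xD7C45070, 0x25AFD373, 0x36FF2087, 0xC494A384,
    0x9A879FA0, 0x68EC1CA3, 0x7BBCEF57, 0x89D76C54, 0x5D1D08BF, 0xAF768BBC, 0xBC267848, 0x4E4DFB4B,
    0x20BD8EDE, 0xD2D60DDD, 0xC186FE29, 0x33ED7D2A, 0xE72719C1, 0x154C9AC2, 0x061C6936, 0xF477EA35,
    0xAA64D611, 0x580F5512, 0x4B5FA6E6, 0xB93425E5, 0x6DFE410E, 0x9F95C20D, 0x8CC531F9, 0x7EAEB2FA,
    0x30E349B1, 0xC288CAB2, 0xD1D83946, 0x23B3BA45, 0xF779DEAE, 0x05125DAD, 0x1642AE59, 0xE4292D5A,
    0xBA3A117E, 0x4851927D, 0x5B016189, 0xA96AE28A, 0x7DA08661, 0x8FCB0562, 0x9C9BF696, 0x6EF07595,
    0x417B1DBC, 0xB3109EBF, 0xA0406D4B, 0x522BEE48, 0x86E18AA3, 0x748A09A0, 0x67DAFA54, 0x95B17957,
    0xCBA24573, 0x39C9C670, 0x2A993584, 0xD8F2B687, 0x0C38D26C, 0xFE53516F, 0xED03A29B, 0x1F682198,
    0x5125DAD3, 0xA34E59D0, 0xB01EAA24, 0x42752927, 0x96BF4DCC, 0x64D4CECF, 0x77843D3B, 0x85EFBE38,
    0xDBFC821C, 0x2997011F, 0x3AC7F2EB, 0xC8AC71E8, 0x1C661503, 0xEE0D9600, 0xFD5D65F4, 0x0F36E6F7,
    0x61C69362, 0x93AD1061, 0x80FDE395, 0x72966096, 0xA65C047D, 0x5437877E, 0x4767748A, 0xB50CF789,
    0xEB1FCBAD, 0x197448AE, 0x0A24BB5A, 0xF84F3859, 0x2C855CB2, 0xDEEEDFB1, 0xCDBE2C45, 0x3FD5AF46,
    0x7198540D, 0x83F3D70E, 0x90A324FA, 0x62C8A7F9, 0xB602C312, 0x44694011, 0x5739B3E5, 0xA55230E6,
    0xFB410CC2, 0x092A8FC1, 0x1A7A7C35, 0xE811FF36, 0x3CDB9BDD, 0xCEB018DE, 0xDDE0EB2A, 0x2F8B6829,
    0x82F63B78, 0x709DB87B, 0x63CD4B8F, 0x91A6C88C, 0x456CAC67, 0xB7072F64, 0xA457DC90, 0x563C5F93,
    0x082F63B7, 0xFA44E0B4, 0xE9141340, 0x1B7F9043, 0xCFB5F4A8, 0x3DDE77AB, 0x2E8E845F, 0xDCE5075C,
    0x92A8FC17, 0x60C37F14, 0x73938CE0, 0x81F80FE3, 0x55326B08, 0xA759E80B, 0xB4091BFF, 0x466298FC,
    0x1871A4D8, 0xEA1A27DB, 0xF94AD42F, 0x0B21572C, 0xDFEB33C7, 0x2D80B0C4, 0x3ED04330, 0xCCBBC033,
    0xA24BB5A6, 0x502036A5, 0x4370C551, 0xB11B4652, 0x65D122B9, 0x97BAA1BA, 0x84EA524E, 0x7681D14D,
    0x2892ED69, 0xDAF96E6A, 0xC9A99D9E, 0x3BC21E9D, 0xEF087A76, 0x1D63F975, 0x0E330A81, 0xFC588982,
    0xB21572C9, 0x407EF1CA, 0x532E023E, 0xA145813D, 0x758FE5D6, 0x87E466D5, 0x94B49521, 0x66DF1622,
    0x38CC2A06, 0xCAA7A905, 0xD9F75AF1, 0x2B9CD9F2, 0xFF56BD19, 0x0D3D3E1A, 0x1E6DCDEE, 0xEC064EED,
    0xC38D26C4, 0x31E6A5C7, 0x22B65633, 0xD0DDD530, 0x0417B1DB, 0xF67C32D8, 0xE52CC12C, 0x1747422F,
    0x49547E0B, 0xBB3FFD08, 0xA86F0EFC, 0x5A048DFF, 0x8ECEE914, 0x7CA56A17, 0x6FF599E3, 0x9D9E1AE0,
    0xD3D3E1AB, 0x21B862A8, 0x32E8915C, 0xC083125F, 0x144976B4, 0xE622F5B7, 0xF5720643, 0x07198540,
    0x590AB964, 0xAB613A67, 0xB831C993, 0x4A5A4A90, 0x9E902E7B, 0x6CFBAD78, 0x7FAB5E8C, 0x8DC0DD8F,
    0xE330A81A, 0x115B2B19, 0x020BD8ED, 0xF0605BEE, 0x24AA3F05, 0xD6C1BC06, 0xC5914FF2, 0x37FACCF1,
    0x69E9F0D5, 0x9B8273D6, 0x88D28022, 0x7AB90321, 0xAE7367CA, 0x5C18E4C9, 0x4F48173D, 0xBD23943E,
    0xF36E6F75, 0x0105EC76, 0x12551F82, 0xE03E9C81, 0x34F4F86A, 0xC69F7B69, 0xD5CF889D, 0x27A40B9E,
    0x79B737BA, 0x8BDCB4B9, 0x988C474D, 0x6AE7C44E, 0xBE2DA0A5, 0x4C4623A6, 0x5F16D052, 0xAD7D5351,
]

# Value the binary requires for the checksum of the first 4 input bytes.
TARGET = 0xCAFABCBC
# Ciphertext after undoing the per-byte tweaks applied in the UC_HOOK_CODE callback.
ENC = '8W:B9WRO:V^J97ZH>7&H:1'
# ENC = ')8FP>6^B=G6@>X*P<G=B)1'  # raw bytes before the hook tweaks; decodes wrongly


def _checksum(data):
    """Return the 32-bit table-driven checksum of *data* as the binary computes it.

    Starts from 0xFFFFFFFF, shifts right one byte per input byte, XORs the
    table entry selected by the low byte, and inverts the result at the end
    (the same steps the original inline loop performed).
    """
    crc = 0xFFFFFFFF
    for byte in data:
        crc = (crc >> 8) ^ CRC_TABLE[(byte ^ crc) & 0xFF]
        crc &= 0xFFFFFFFF
    return (~crc) & 0xFFFFFFFF


def _find_prefix(target, alphabet=range(0x20, 0x7B)):
    """Return the first 4-byte list over *alphabet* whose checksum equals *target*.

    Candidates are tried in the same nested (lexicographic) order as the
    original four-deep loop, so the first hit is identical.  Returns None
    when no candidate matches instead of silently falling through with the
    last candidate tried, as the original script did.
    """
    for candidate in itertools.product(alphabet, repeat=4):
        if _checksum(candidate) == target:
            return list(candidate)
    return None


def _decode(enc):
    """Undo the base64-like step: each char minus 33 is one 6-bit group.

    The groups are concatenated and re-split into 8-bit bytes; leftover bits
    (fewer than 8) at the end are discarded, matching the original script.
    Raises ValueError for a character outside the 33..96 range, which cannot
    be a valid 6-bit group.
    """
    groups = [ord(ch) - 33 for ch in enc]
    for value in groups:
        if not 0 <= value < 64:
            raise ValueError(f"character {chr(value + 33)!r} is not a 6-bit group")
    bits = ''.join(format(value, '06b') for value in groups)
    return bytes(int(bits[8 * i:8 * (i + 1)], 2) for i in range(len(bits) // 8))


def main():
    """Print the 4-byte prefix and then the full recovered stage-2 input."""
    p1 = _find_prefix(TARGET)
    if p1 is None:
        print('Not Found!')
        sys.exit(1)
    print(bytes(p1))
    p2 = _decode(ENC)
    print(bytes(p1) + p2)
    # when_faclng_ianguage


if __name__ == '__main__':
    main()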
最后两部分输入程序得到flag。
Enter input1 :cann0t_be_t0o_carefu1_
Part 1 completed! Congratulations! Just keep alive.
Enter input2 :when_faclng_ianguage
Good Work!You survived!
Flag is flag{0e84fe424762de65491829fdf7b75cec}
crackPYC
因为所给python字节码简单且少,根据所给字节码还原出对应的python代码。
def keyinit(key: list[int]) -> None:
    """Append the 8 XOR key bytes the checker uses to *key* (in place).

    Reconstructed from the challenge's bytecode and kept as-is.  Each step
    subtracts a fixed constant and reduces modulo 4294967295 (0xFFFFFFFF,
    i.e. 2**32 - 1 -- note: not 2**32), then keeps the top byte of the
    remainder; since the remainder is below 2**32, num >> 24 is always < 256.
    """
    num = 0
    for i in range(8):
        num -= 7508399208111569251
        num %= 4294967295
        key.append(num >> 24)


if __name__ == '__main__':
    print('Can you crack pyc?')
    # NOTE: shadows the builtin `str`; kept as recovered from the bytecode.
    str = input('Plz give me your flag:')
    # The 32 expected XOR-encrypted flag bytes.
    text = [108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97, 45, 254, 250, 172, 43, 62]
    # str[31] raises IndexError for any input shorter than 32 characters.
    if str[0:7] == 'DASCTF{' and str[31] == '}':
        key = []
        keyinit(key)
        st = list(str)
        for i in range(len(str)):
            # As recovered, this REBINDS st to a one-element list on every
            # iteration rather than assigning st[i]; st can therefore never
            # equal the 32-element `text`, so the success branch is not
            # reachable with this reconstruction.  The solve below sidesteps
            # the check by XOR-ing `text` with the key directly.
            st = [ord(str[i])^key[i%len(key)]]
        if st == text:
            print('Congratulations and you are good at PYC!')
        else:
            print('Sorry,plz learn more about pyc.')
    else:
        print('Bye bye~~')
接着再逆向一下加密算法即可。
>>> a
[108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97, 45, 254, 250, 172, 43, 62]
>>> flag = [a[i]^key[i%len(key)] for i in range(len(a))]
>>> flag
[252, 48, 152, 160, 77, 208, 148, 246, 208, 57, 148, 174, 96, 201, 214, 147, 193, 80, 148, 149, 118, 227, 176, 130, 231, 64, 159, 188, 41, 200, 223, 187]
>>> key = []
>>> num = 0
>>> for i in range(8):
...     num -= 7508399208111569251
...     num %= 4294967295
...     key.append(num >> 24)
...
>>> key
[40, 80, 121, 161, 202, 242, 27, 67]
>>> a
[108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97, 45, 254, 250, 172, 43, 62]
>>> flag = [a[i]^key[i%len(key)] for i in range(len(a))]
>>> flag
[68, 65, 83, 67, 84, 70, 123, 48, 104, 72, 95, 77, 121, 95, 57, 85, 121, 33, 95, 118, 111, 117, 95, 68, 95, 49, 84, 95, 48, 94, 48, 125]
>>> bytes(flag)
b'DASCTF{0hH_My_9Uy!_vou_D_1T_0^0}'
DASCTF{0hH_My_9Uy!_vou_D_1T_0^0}