# [rev] unknown - Tamil CTF 2021
###### tags: `TamilCTF2021` `rev`
Executable built using PyInstaller is given, so I have decompiled it using [pyinstxtractor](https://github.com/extremecoders-re/pyinstxtractor) and [pycdc](https://github.com/zrax/pycdc).
```
> python .\pyinstxtractor.py .\unknown
[+] Processing .\unknown
[+] Pyinstaller version: 2.1+
[+] Python version: 39
[+] Length of package: 6983166 bytes
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_multiprocessing.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: byte.pyc
[+] Found 228 files in PYZ archive
[+] Successfully extracted pyinstaller archive: .\unknown
```
```
$ ./pycdc ~/unknown_extracted/byte.pyc
```
```python=
# Source Generated with Decompyle++
# File: byte.pyc (Python 3.9)
from binascii import *
import base64
import time
import sys
def idfc():
eval(''.join((lambda .0: [ chr(i) for i in .0 ])((112, 114, 105, 110, 116, 40, 34, 87, 114, 111, 110, 103, 32, 102, 108, 97, 103, 34, 41))))
sys.exit(1)
def udkncdi(cringe):
eval(bytearray.fromhex('7072696e7428225761697420666f7220666577207365636f6e642229').decode())
eval(bytearray.fromhex('74696d652e736c656570283029206966206372696e67655b335d203d3d20275f2720656c736520696466632829').decode())
eval(''.join((lambda .0: [ chr(i) for i in .0 ])((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 48, 41, 32, 105, 102, 32, 99, 114, 105, 110, 103, 101, 91, 49, 49, 93, 32, 61, 61, 32, 39, 95, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
eval(bytearray.fromhex('74696d652e736c656570283029206966206372696e67655b32315d203d3d20275f2720656c736520696466632829').decode())
eval(''.join((lambda .0: [ chr(i) for i in .0 ])((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 48, 41, 32, 105, 102, 32, 99, 114, 105, 110, 103, 101, 91, 50, 54, 93, 32, 61, 61, 32, 39, 95, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
eval(bytearray.fromhex('74696d652e736c656570283029206966206372696e67655b2d315d203d3d20273f2720656c736520696466632829').decode())
eval(base64.b64decode('dGltZS5zbGVlcCgwKSBpZiBiYXNlNjQuYjY0ZW5jb2RlKGNyaW5nZVs0OjExXS5lbmNvZGUoJ3V0Zi04JykpLmRlY29kZSgpID09ICJjak4yTTNKVFpRPT0iIGVsc2UgaWRmYygp').decode())
eval(base64.b64decode('dGltZS5zbGVlcCgxKSBpZiBiYXNlNjQuYjE2ZW5jb2RlKGNyaW5nZVsyNzpdLmVuY29kZSgndXRmLTgnKSkuZGVjb2RlKCkgID09ICc3NDQxNkMzMzZFNTQzNDZFNTQzRicgZWxzZSBpZGZjKCk=').decode())
eval(''.join((lambda .0: pass)((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 49, 41, 32, 105, 102, 32, 99, 114, 105, 110, 103, 101, 91, 58, 51, 93, 32, 43, 32, 99, 114, 105, 110, 103, 101, 91, 50, 50, 58, 50, 54, 93, 32, 61, 61, 32, 39, 97, 82, 101, 108, 51, 115, 53, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
enigd = eval(bytearray.fromhex('27272e6a6f696e285b20636872286f72642869295e322920666f72206920696e206372696e67655b31323a32315d205d29'))
eval(''.join((lambda .0: [ chr(i) for i in .0 ])((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 49, 41, 32, 105, 102, 32, 101, 110, 105, 103, 100, 32, 61, 61, 32, 39, 103, 76, 101, 75, 108, 103, 71, 112, 55, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
eval(bytearray.fromhex('7072696e742822436f72726563742070617373776f7264212121215c6e2229').decode())
eval(bytearray.fromhex('7072696e7428225c6e2d2d2d2d2d2057656c636f6d6520746f2054616d696c435446202d2d2d2d2d2d5c6e2229').decode())
dfjic = eval(''.join(bytearray.fromhex('696e7075742822456e746572207468652070617373776f7264203a202229').decode()))
eval(''.join((lambda .0: [ chr(i) for i in .0 ])((117, 100, 107, 110, 99, 100, 105, 40, 100, 102, 106, 105, 99, 41, 32, 105, 102, 32, 108, 101, 110, 40, 100, 102, 106, 105, 99, 41, 32, 61, 61, 32, 51, 55, 32, 101, 108, 115, 101, 32, 112, 114, 105, 110, 116, 40, 34, 92, 110, 87, 114, 111, 110, 103, 32, 102, 108, 97, 103, 92, 110, 34, 41))))
```
Its obfuscated using `eval` function, so I have quickly cleaned it up.
```python=
def idfc():
print("Wrong flag")
sys.exit(1)
def udkncdi(cringe):
print("Wait for few second")
time.sleep(0) if cringe[3] == '_' else idfc()
time.sleep(0) if cringe[11] == '_' else idfc()
time.sleep(0) if cringe[21] == '_' else idfc()
time.sleep(0) if cringe[26] == '_' else idfc()
time.sleep(0) if cringe[-1] == '?' else idfc()
time.sleep(0) if base64.b64encode(cringe[4:11].encode('utf-8')).decode() == "cjN2M3JTZQ==" else idfc()
time.sleep(1) if base64.b16encode(cringe[27:].encode('utf-8')).decode() == '74416C336E54346E543F' else idfc()
time.sleep(1) if cringe[:3] + cringe[22:26] == 'aRel3s5' else idfc()
enigd = ''.join([ chr(ord(i)^2) for i in cringe[12:21] ])
time.sleep(1) if enigd == 'gLeKlgGp7' else idfc()
print("Correct password!!!!\n")
print("\n----- Welcome to TamilCTF ------\n")
dfjic = input("Enter the password : ")
udkncdi(dfjic) if len(dfjic) == 37 else print("\nWrong flag\n")
```
From the information above, flag can be obtained.
```
$ ./challenge
----- Welcome to TamilCTF ------
Enter the password : aRe_r3v3rSe_eNgIneEr5_l3s5_tAl3nT4nT?
Wait for few second
Correct password!!!!
```
Flag: `TamilCTF{aRe_r3v3rSe_eNgIneEr5_l3s5_tAl3nT4nT?}`