# [rev] unknown - Tamil CTF 2021
###### tags: `TamilCTF2021` `rev`

An executable built using PyInstaller is given, so I have decompiled it using [pyinstxtractor](https://github.com/extremecoders-re/pyinstxtractor) and [pycdc](https://github.com/zrax/pycdc).

```
> python .\pyinstxtractor.py .\unknown
[+] Processing .\unknown
[+] Pyinstaller version: 2.1+
[+] Python version: 39
[+] Length of package: 6983166 bytes
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_multiprocessing.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: byte.pyc
[+] Found 228 files in PYZ archive
[+] Successfully extracted pyinstaller archive: .\unknown
```

```
$ ./pycdc ~/unknown_extracted/byte.pyc
```

```python=
# Source Generated with Decompyle++
# File: byte.pyc (Python 3.9)

from binascii import *
import base64
import time
import sys

def idfc():
    eval(''.join((lambda .0: [ chr(i) for i in .0 ])((112, 114, 105, 110, 116, 40, 34, 87, 114, 111, 110, 103, 32, 102, 108, 97, 103, 34, 41))))
    sys.exit(1)


def udkncdi(cringe):
    eval(bytearray.fromhex('7072696e7428225761697420666f7220666577207365636f6e642229').decode())
    eval(bytearray.fromhex('74696d652e736c656570283029206966206372696e67655b335d203d3d20275f2720656c736520696466632829').decode())
    eval(''.join((lambda .0: [ chr(i) for i in .0 ])((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 48, 41, 32, 105, 102, 32, 99, 114, 105, 110, 103, 101, 91, 49, 49, 93, 32, 61, 61, 32, 39, 95, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
    eval(bytearray.fromhex('74696d652e736c656570283029206966206372696e67655b32315d203d3d20275f2720656c736520696466632829').decode())
    eval(''.join((lambda .0: [ chr(i) for i in .0 ])((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 48, 41, 32, 105, 102, 32, 99, 114, 105, 110, 103, 101, 91, 50, 54, 93, 32, 61, 61, 32, 39, 95, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
    eval(bytearray.fromhex('74696d652e736c656570283029206966206372696e67655b2d315d203d3d20273f2720656c736520696466632829').decode())
    eval(base64.b64decode('dGltZS5zbGVlcCgwKSBpZiBiYXNlNjQuYjY0ZW5jb2RlKGNyaW5nZVs0OjExXS5lbmNvZGUoJ3V0Zi04JykpLmRlY29kZSgpID09ICJjak4yTTNKVFpRPT0iIGVsc2UgaWRmYygp').decode())
    eval(base64.b64decode('dGltZS5zbGVlcCgxKSBpZiBiYXNlNjQuYjE2ZW5jb2RlKGNyaW5nZVsyNzpdLmVuY29kZSgndXRmLTgnKSkuZGVjb2RlKCkgID09ICc3NDQxNkMzMzZFNTQzNDZFNTQzRicgZWxzZSBpZGZjKCk=').decode())
    eval(''.join((lambda .0: pass)((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 49, 41, 32, 105, 102, 32, 99, 114, 105, 110, 103, 101, 91, 58, 51, 93, 32, 43, 32, 99, 114, 105, 110, 103, 101, 91, 50, 50, 58, 50, 54, 93, 32, 61, 61, 32, 39, 97, 82, 101, 108, 51, 115, 53, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
    enigd = eval(bytearray.fromhex('27272e6a6f696e285b20636872286f72642869295e322920666f72206920696e206372696e67655b31323a32315d205d29'))
    eval(''.join((lambda .0: [ chr(i) for i in .0 ])((116, 105, 109, 101, 46, 115, 108, 101, 101, 112, 40, 49, 41, 32, 105, 102, 32, 101, 110, 105, 103, 100, 32, 61, 61, 32, 39, 103, 76, 101, 75, 108, 103, 71, 112, 55, 39, 32, 101, 108, 115, 101, 32, 105, 100, 102, 99, 40, 41))))
    eval(bytearray.fromhex('7072696e742822436f72726563742070617373776f7264212121215c6e2229').decode())

eval(bytearray.fromhex('7072696e7428225c6e2d2d2d2d2d2057656c636f6d6520746f2054616d696c435446202d2d2d2d2d2d5c6e2229').decode())
dfjic = eval(''.join(bytearray.fromhex('696e7075742822456e746572207468652070617373776f7264203a202229').decode()))
eval(''.join((lambda .0: [ chr(i) for i in .0 ])((117, 100, 107, 110, 99, 100, 105, 40, 100, 102, 106, 105, 99, 41, 32, 105, 102, 32, 108, 101, 110, 40, 100, 102, 106, 105, 99, 41, 32, 61, 61, 32, 51, 55, 32, 101, 108, 115, 101, 32, 112, 114, 105, 110, 116, 40, 34, 92, 110, 87, 114, 111, 110, 103, 32, 102, 108, 97, 103, 92, 110, 34, 41))))
```

It's obfuscated using the `eval` function: every `eval` argument is an ordinary Python statement stored as a hex string, a base64 string or a tuple of character codes (the `lambda .0` fragments appear to be list comprehensions that pycdc could not fully reconstruct), so each one can be decoded to text without being executed. I have quickly cleaned it up.
```python=
def idfc():
    print("Wrong flag")
    sys.exit(1)

def udkncdi(cringe):
    print("Wait for few second")
    time.sleep(0) if cringe[3] == '_' else idfc()
    time.sleep(0) if cringe[11] == '_' else idfc()
    time.sleep(0) if cringe[21] == '_' else idfc()
    time.sleep(0) if cringe[26] == '_' else idfc()
    time.sleep(0) if cringe[-1] == '?' else idfc()
    time.sleep(0) if base64.b64encode(cringe[4:11].encode('utf-8')).decode() == "cjN2M3JTZQ==" else idfc()
    time.sleep(1) if base64.b16encode(cringe[27:].encode('utf-8')).decode() == '74416C336E54346E543F' else idfc()
    time.sleep(1) if cringe[:3] + cringe[22:26] == 'aRel3s5' else idfc()
    enigd = ''.join([ chr(ord(i)^2) for i in cringe[12:21] ])
    time.sleep(1) if enigd == 'gLeKlgGp7' else idfc()
    print("Correct password!!!!\n")

print("\n----- Welcome to TamilCTF ------\n")
dfjic = input("Enter the password : ")
udkncdi(dfjic) if len(dfjic) == 37 else print("\nWrong flag\n")
```

From the information above, the flag can be obtained: the password is 37 characters long, and every comparison constant is embedded in the script, so each slice can be recovered by inverting its check.

- `cringe[:3] + cringe[22:26] == 'aRel3s5'` gives `cringe[:3] = 'aRe'` and `cringe[22:26] = 'l3s5'`.
- Indices 3, 11, 21 and 26 are `_`, and the last character is `?`.
- `cringe[4:11]` is the base64 decoding of `cjN2M3JTZQ==`, i.e. `r3v3rSe`.
- `cringe[12:21]` is `gLeKlgGp7` with every character XORed with 2, i.e. `eNgIneEr5`.
- `cringe[27:]` is the hex (base16) decoding of `74416C336E54346E543F`, i.e. `tAl3nT4nT?`.

```
$ ./challenge
----- Welcome to TamilCTF ------
Enter the password : aRe_r3v3rSe_eNgIneEr5_l3s5_tAl3nT4nT?
Wait for few second
Correct password!!!!
```

Flag: `TamilCTF{aRe_r3v3rSe_eNgIneEr5_l3s5_tAl3nT4nT?}`