Rating:

  From hints of this challenge (Cobra, python) and some strings in the given file ("MEIPASS"), we can easily guess that this file is packed with pyinstaller.
  There is a file Archive_view.py inside pyinstaller github repo, which can extract pyc bytecode from packed elfs, so just run it.

![Alt archiveviewer01](./images/archiveviewer01.png?raw=true)

  Besides usual so libraries, there are files like "reverse_1.1", "pyimod00_crypto_key" and "flag.enc" that worth noticing. So I used "X" command to extract them, and add .pyc header to extracted "reverse_1.1" (because uncompyle need a correct pyc header, which we will mention later). The header consists of 8 bytes, mine was "03 F3 0D 0A A3 EF E1 58". First four bytes are magic number of python 2.7, and latter four are timestamp so can be any four bytes.

  Then I ran uncompyle6 to decompile extracted pyc, and got python code as follows

![Alt uncompyle01](./images/uncompyle01.jpeg?raw=true)

  So easy. Again I wrote a simple script to decrypt flag.enc, and got a picture which contains the flag.

```
fp=open('flag.enc','rb')
flag=fp.read()
decoded=""
for i in range(len(flag)):
for b in xrange(256):
if ((b & 15) << 4 | (b & 240) >> 4)==ord(flag[i]):
decoded+=chr(b)
fp2=open('decoded','wb')
fp2.write(decoded)
```

![Alt decoded](./images/decoded.png?raw=true)

Original writeup (https://github.com/Kung-Pao-Chicken/ctf/tree/master/2017_ASIS_CTF/reverse_king_cobra).