Tags: cheat decompyle python 

Let's try to determine the offset at which the code object is located. Use the following script:
```
import sys
import marshal
import types

# marshal data is specific to the Python version: run this with the same
# interpreter version that produced the .pyc.
fname = sys.argv[1]
with open(fname, "rb") as fh:
    f = fh.read()
for x in range(len(f)):
    try:
        code = marshal.loads(f[x:])
    except (ValueError, EOFError, TypeError):
        # Not valid marshal data at this offset, try the next one
        continue
    # Skip offsets that decode to something other than a code object
    if not isinstance(code, types.CodeType):
        continue
    print('Offset found: %d' % x)
    print('\targcount: %s' % code.co_argcount)
    print('\tconsts count: %d' % len(code.co_consts))
    for item in code.co_consts:
        print('\t\t%s: %r' % (type(item), item))
    print('\tfilename: %s' % code.co_filename)
    print('\tfirstlineno: %s' % code.co_firstlineno)
    print('\tflags: %s' % code.co_flags)
    print('\tname: %s' % code.co_name)
    print('\tnlocals: %s' % code.co_nlocals)
    print('\tstacksize: %s' % code.co_stacksize)
    print('\tvarnames count: %d' % len(code.co_varnames))
    for item in code.co_varnames:
        print('\t\t%r' % item)
    break
```

Running it gives:
> python3 found.py cctv_manager_activator.pyc

Well, we found the code at offset 12 (the 12 bytes before it are the .pyc header: magic number, timestamp and source size). Let's try to decompile the code:
```
import uncompyle6
...
uncompyle6.main.uncompyle(3.5, code, sys.stdout)
```
After decompilation, we can trace the following logic of the script:
```
main() -> exec() -> self.activation.show() -> self.activator.activate(s.upper()) ->
-> self.c.ok.emit() -> self.activation.c.ok.connect(self.activated.activation_passed) // if activate
-> self.c.ko.emit() -> self.activation.c.ko.connect(self.activated.activation_failed) // else
```
That means that if we enter a valid key, the activation_passed function prints the flag. Let's look at the activation_passed function:
```
activation_passed() -> self.finalize()
```
So, we just need to run it:
```
lab_result = None
yek = [
5, 202, 234, 95,
76, 173, 96, 10,
232, 7, 146, 79,
111, 147, 145, 13]
vei = [
175, 161, 61, 70,
144, 218, 0, 50,
73, 173, 240, 202,
184, 17, 148, 2]
cne = [
253, 14, 187, 117,
252, 19, 15, 86,
196, 138, 67, 165,
142, 237, 112, 47,
154, 189, 33, 75,
195, 205, 10, 56,
3, 230, 180, 147,
134, 27, 143, 15,
250, 19, 235, 96,
231, 5, 74, 83,
136, 149, 79, 170,
136, 252, 113, 112,
223, 248, 33, 119,
206, 218, 79, 121,
9, 225, 253, 156,
136, 26, 146, 93,
188, 94, 170, 79,
184, 87, 102, 61,
178, 167, 20, 231,
132, 253, 106, 38,
141, 224, 112, 98,
171, 153, 50, 89,
5, 194, 181, 247,
137, 23, 139, 31,
251, 89, 169, 89,
198, 127, 97, 10,
170, 246, 105, 197,
226, 128, 30, 22]
def finalize():
    clear = ''
    buf = cne
    key = yek
    iv = vei
    buf_sz = len(buf)
    bsize = 16
    for i in range(0, int(buf_sz / bsize)):
        for j in range(0, bsize):
            c = buf[i * bsize + j] ^ key[j] ^ iv[j]
            iv[j] = buf[i * bsize + j]
            buf[i * bsize + j] = c
    i = buf[buf_sz - 1]
    for j in range(0, i):
        buf[buf_sz - 1 - j] = 0
    for i in range(0, buf_sz):
        if buf[i] == 0:
            break
        clear += chr(buf[i])
    return clear

print(finalize())
```
Running it:
> $ python3 flag.py
> Well done ! You bypassed/keygen-ed the activator ! Here is your flag: INSA{4ctiv4t0r_c4n_b3_byp4ss3d!K3YG3N}

We get the flag!!! Without a keygen.
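
The loop in `finalize()` is CBC-style chaining with a plain XOR against a fixed key, and the activation key never enters the computation, which is why the flag can be recovered from the embedded data alone. The sketch below is an added example, not code from the original binary: it restates the scheme as pure functions over `bytes` together with its inverse. The function names and the PKCS#7-style padding fill are assumptions; `YEK`, `VEI` and `CNE_BLOCK0` are copied from the listing above.

```python
BLOCK = 16

# Values copied from the page: the key, the IV and the first ciphertext block.
YEK = bytes([5, 202, 234, 95, 76, 173, 96, 10, 232, 7, 146, 79, 111, 147, 145, 13])
VEI = bytes([175, 161, 61, 70, 144, 218, 0, 50, 73, 173, 240, 202, 184, 17, 148, 2])
CNE_BLOCK0 = bytes([253, 14, 187, 117, 252, 19, 15, 86,
                    196, 138, 67, 165, 142, 237, 112, 47])

def _check(data, key, iv):
    if len(key) != BLOCK or len(iv) != BLOCK or not data or len(data) % BLOCK:
        raise ValueError("key and iv must be 16 bytes, data a non-empty multiple of 16")

def xor_cbc_decrypt(ct, key, iv):
    """P[i] = C[i] ^ key ^ C[i-1], with C[-1] = iv. Inputs are left untouched."""
    _check(ct, key, iv)
    out, prev = bytearray(), iv
    for off in range(0, len(ct), BLOCK):
        block = ct[off:off + BLOCK]
        out += bytes(c ^ k ^ p for c, k, p in zip(block, key, prev))
        prev = block  # chain on the ciphertext block, as finalize() does via iv[j]
    return bytes(out)

def xor_cbc_encrypt(pt, key, iv):
    """Inverse direction: C[i] = P[i] ^ key ^ C[i-1]."""
    _check(pt, key, iv)
    out, prev = bytearray(), iv
    for off in range(0, len(pt), BLOCK):
        prev = bytes(p ^ k ^ v for p, k, v in zip(pt[off:off + BLOCK], key, prev))
        out += prev
    return bytes(out)

def pad(msg):
    """Assumed PKCS#7-style fill; finalize() itself only reads the last byte."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(buf):
    """Drop the trailing buf[-1] bytes, rejecting lengths finalize() accepts blindly."""
    n = buf[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("bad padding length")
    return buf[:-n]

if __name__ == "__main__":
    print(xor_cbc_decrypt(CNE_BLOCK0, YEK, VEI))   # first block of the page's data
    sample = b"constructed sample message"          # constructed input
    ct = xor_cbc_encrypt(pad(sample), YEK, VEI)
    print(unpad(xor_cbc_decrypt(ct, YEK, VEI)) == sample)
```

Because every input to the decryption ships inside the `.pyc`, the activation check only gates which branch runs and does not protect the message itself.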