All the ransomware.py really does is add some data onto the beginning and end of what we're after. My solution was to write this script.
```
#!/usr/bin/python

f = file("lock.iso")

data = f.read()

#You can see exactly where the beginnings and ends of the added blocks are.
#I just searched for them, and pulled out everything between.
x = x = data[data.index('\x55\x64\x24\x02')+4:data.index('\x83\x1a\x34\xcd')]
file("backup-recreate.zip","w").write(x)

#Then just unzip it. Flag is: DCTF{474dac08d29d013515a312d1a8460050634f9b3cb6a696a4c73652d1802a1872}
```

Original writeup (https://n00bsec.github.io/update/post/exploitation/reverse-engineering/2017/10/01/DefCampCTF.html).