PCC '23 - Rev - Literal Byte Bolt
Author: Ali Taqi Wajid (@alitaqiwajid)
Challenge Description
Solution
We're given a rev-llb.zip file; unzipping it gives us the following files:
Well, PyArmor, something I don't have much experience with. According to its GitHub page:
Pyarmor is a command-line tool designed for obfuscating Python scripts, binding obfuscated scripts to specific machines, and setting expiration dates for obfuscated scripts.
So, we have a Python script that's obfuscated, and we need to deobfuscate it. Let's see what we can do. Looking at flag.py:
```python
# Pyarmor 8.4.4 (trial), 000000, non-profits, 2023-12-06T04:50:52.041087
from pyarmor_runtime_000000 import __pyarmor__
__pyarmor__(__name__, __file__, b'PY000000\x00\x03\x08\x00U\r\r\n\x80\x00\x01\x00\x08\x00\x00\x00\x04\x00\x00\x00@\x00\x00\x00\x00\x05\x00\x00\x12\t\x04\x00o~\xe2$\xe6\xeaH\x08mq\\Y\xf4\xf5j\x07\x00\x00\x00\x00\x00\x00\x00\x00\xdbMa\x83\xfe \x19\xd2\xae\x10\r\xdb\x96\xe3\xac\x10\x89a\x1f\x98\xe71_)7\xf1\xd4\x84\xc6J\x14T\xda\x1bW\xd2\x8aW:\xad\x18\x8c\x12\xf6\x17]\xe9\xf4\xd1n\xb9d\xf7\xa1B\xb3\xe39\x1a\x9d\xad\'~@\xa0a7\\\x81\xa1\x80R\xc8\xa0\xbb\xfb\xb9X\xad\x1b_\xa7\xdfbU\x96\x9f\x97w}\x95\x9a\xe2\xbc;ky]gq,~(\xe0\xb6\x87W\xe2\xe9\x93\xf5\xb1\x92\xd3\xbf\xa03\xd0\xe5b\xf71\xa8\xb1\xb3\n5\xcf\xfd\x81\xb2\x88\xdd(|!mb\x81\xab&\xd4<\xbf\x10\x8f\xa3\x88\x8b\xb9\x03\x8f\xe1F\xb2\xa8\x99i\xa4m\x1e\xad\x7f\xe9WI\x1c\xc2tON8\x90\'\x93\x1a\x07*h\xa1R|4e\xce\xd0:4T\x9e\xe1k\xfa\xa0\x1b\xbbU4:\x93`:\xda(\\\xc2\xc7\x00\x8d|T\x9dAM\x96>]Q\x0b\xbc\xd4E;\x911\x9e\xe6\xf2\x1fo\n\xde/\xa4\x83&\x1ct%\x87\xc5\x9f\xc6tJ\xb6\x8ew\xd9\x165\x80ob\x93\x1f\xa0\xde\xda\x8f\x0eQ\x1a\x8e\x83:\xd20\xa0\x01\'F\x8e\x02k\xcc|\x8a\x86\x97\n)}\xa01\xb4\xef\xcbuu\x03\x9d\x97\x855\xcfX\'Q\xd2j\xed8n\xad\xbbi\xdc\x80\x1f\xa8\x14\x0c\xbc\x07\x06E\x93\x02Q\xbd\x15\x87\xc3f\x91=e\x11\xcb\xbbm,F Eu\x7f\x1d\xf1\xdb\x93\x12\x1bJ9m\x18\xb9y\x11\xb5d\xa2\xf4\xc4\xeal\x843&\xd0\x0c\xc7\xf8\xdd\xa9\xe9J.\x8fr+\xaa\'/\xb8\xbb\xdcr\x01\x93\x19R{\xc2\x06\xcc\x837Hg\xc0\\\x9a;\x98\x08\x9c\x94\xfb+\xc6\xb1\x8b\xe8\x80fk>\xca\xcc\x84>\xb2:\xb7\xf1\xd3"\x947\xbb\x83"\r\x82\xac\xadIz\x95\xaa\xfc\xc2Z9\x82l\x9f\xc5\xbf4\xb41PAF\xccV#\xbf\x03\xb7/KhA\xc8\xac\\\xaf\x1c\x00yo\xbb\x99\x13\x84}\x8d\xf7\xa9\xb9b\xe8F\x05\xe2@\x01\x1b\xd6&E\xb0\xbe\xb6\x97\x0c\xa0\xe6u\x0b"\x94\x1a\xe4\x105\n\x1a\xc5s^\x0b\x89\xa4\xfds\x81\x8f\xf0\xe7\x0b\x9a\x14\'j\x81\xe9D\xa5D\x83\xf2\xff\'\x8b\xa9\x81>\xc9\xe4\xf40a3\x80Q\x1c\x8f\x88\xc7\xd0\x8b4B\xae\xcb\xdc\x9eh\xd1\x1d8E7\xbay6\xbe\xab\xbc5`\ts\xb6\x1f\x84oJd\t\xea)\x9f\n6G\xa4\xbe\xb4\x9e\xb9\x0c\xf0\xfd\xea\x1d\x85\xc7\xd2\x98\xeb\xf9j\x83\xc8\xbd\xfd\xe8\x12\x11b\xc8\x99\x9a\\\x9c\xdcHp\xa6X\xacC\xa4\xc5\xd6\x86Y\xbd\xab"\xcc1o\xaa\x83\xde\xa8HKRyBJZ[\x9eE\xa5X\xdej&\x16;\x9b\xb1`\xfd\xe1\xa6\x9f.\x97\xd4\x89\xf5\x1b\xf1\xba\x02\xd4\xbb\x92\x0c\x0f7\xdb\x94\x0f\xdd\x11{Q\x1d|\xd8H\x8e\x12\xfc\'\x94\xf3#\xa4H\xb8d.\xa1\x1aa\xf4\xe3\x8aZ\xe4N\xda\xc2\xb0H\xadq\xce\x836\xb4\xf1\x16\x00I\xac\xfc}*4\xde\xdaK\xce\x93\xeb\x9f\xbcWZO-\xbf\x83\xf5\xc4xa\xa5\xed\xda\x991A\x03UuF\xaa^\xa2\xf5\xcd\x00b\x08)"\ti\xb2u{\xfb\xb1\xddA"\xb9\xdc\x86bw|\x94\xe9\xf0\t\xb3\xc0\'\xb4\xcd\x9b\xc8\x048\x16@TE3\xa1\x85d\xee*\x17\xec\x8a\xd1\xd9\xb8u\x05_\xf2\xb0\xa1{oO_\t\x94\x8e\xd4|\t\xaeo~\x95\xf0\x97\r\xf1\xbb>8\xb1\x1e\xc6\xe9\x17\xb8\x16x\x02\xdey6\x98 \xb9/\xdf\r\xd0\xe6\x1eQ\xdb\x8f\xe8\xb1\xb0\x8c\xae\x97\x81\x10\xcc\xc8\x0br\xdb\xb4\xe3$\x07\x1c\x10\x8e\x92m\xf6\xf1\x8a\x88n\xa3\x95\x10\x9c5\xc9\x8c\x10"_\x10\xda\xa5/a\x0b\x17\xe1\xf5\x91\xfc\xd2\xe04\x1a<\xdb\x1b\xc7%h\xe0\xe62@\xd7\xdd\xda\x8d\xfe \x89\xaa\xf7\xe5\x922\x95\xbb\xf9\x9f\x88(l:@\x04\xf3\xa0v\xc8\xe4\xe5\x9e\x18\xf9\x02\x0e0\xd8\x03\x915\xe6\xca\xfb.\xc0v\xf3\x96\xdb\xdb\xf7\x1b\xb0\xdd\xb2\xd4%\xed\x9dw&\xec\xf7U\xbe\xfb\\}\x19q)\x7fA\xc7\xe0k\xa5kq\x9b`\x8eI&\xc1F!Y\x9b\xbe\x9dqi\x81\xdb\xe0\x14\x96\x01\xa6\xc1.&#\xb5\x84C\x85,\xe5@1c\xa6H\x12=\x13\x9b\xfb_\xb5\xd4\xc9\xcd\xbcLu\xb2\x1a\xea2;/YV\x8fua(\x18a\x82\xe1\xe6oZ\xe8\x16\xaf_f\xc0\xd2O\xdd\x84\xd8:]\xfa\x9eWV\xf3\x87\xa7\x88\x8f+\x12\xca\x80\xc6h\xb48\xa7\x00\xf6\x14Ig>"\xfd-\xebBv\x18\xb2\xf2\xcd\xde\xc8m\x12\x02\x83\x08\xea\xce\x13\xc5\xaaB6\x0e\x0b\xea\xe8\xeaI\x0c\x15\x80\x12\x01\x15\xdf6\xed&\x14\x03\xa3\xf2\x86\xb0sL\xb5^b\x12N\x0e\xab\xec\xd3\xb7e,\xda\xeb\x8f\xe9\x88_\x86\xa9\x98!\x04H\xb9\xda\xe12EWn\xbb\xe0_"\x8ah\x89\xb8D\x92\xfb\x0c\n-\xeb\xdc\xc34\xa6\xb1U^\xf4\xf3jV\x85\x9d\x945\x9f#\xa1\xde\x16-\x12\xd3\x03e:\x8a_<\xf0`\xe8nxC\xccM\xf8\xb4\x85\xa3k\xe7Y\x9f\xfe\x86y\xb0j\x88\xe2&\xf5\xb0\x8ef\xac\x86\xe4\x12\x06\xd0{[\xca\xecj\xbe\xaa\xc8\xa2\xffakO\xb2\x8aE%N\x8c\xa0\x8d')
```
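Before deciding whether a stub like the one above is worth attacking by hand, it helps to pull out the facts it gives away for free. The script below is an added example (not code from the write-up and not part of PyArmor) that triages a PyArmor stub without ever importing or running it: it reads the PyArmor version and licence from the header comment, the runtime package name from the import line, and the length and leading eight-byte magic of the payload passed to `__pyarmor__`. The embedded sample stub is constructed after the page's flag.py with a made-up, truncated payload; `parse_pyarmor_stub` and `is_pyarmor_protected` are names chosen for this example. Nothing beyond the `PY000000` prefix is interpreted, because the rest of the payload layout is not documented on this page.

```python
"""Triage a PyArmor 8 stub (like flag.py above) without executing it.

Added example, not the write-up's or PyArmor's code. The `ast` module is used
so the obfuscated script is parsed, never imported: that is the property a
reviewer wants when looking at an untrusted, obfuscated file.
"""
import ast
import re

# Constructed sample modelled on the page's flag.py; the payload is a short,
# made-up prefix in the same shape, not the real challenge payload.
SAMPLE_STUB = (
    "# Pyarmor 8.4.4 (trial), 000000, non-profits, 2023-12-06T04:50:52.041087\n"
    "from pyarmor_runtime_000000 import __pyarmor__\n"
    "__pyarmor__(__name__, __file__, b'PY000000\\x00\\x03\\x08\\x00U\\r\\r\\n"
    "\\x80\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x04\\x00\\x00\\x00@\\x00\\x00\\x00')\n"
)

# "# Pyarmor <version> (<licence>), ..." is the header PyArmor writes on line 1
HEADER_RE = re.compile(r"#\s*Pyarmor\s+(?P<version>[\d.]+)\s*\((?P<licence>[^)]*)\)")


def parse_pyarmor_stub(source: str) -> dict:
    """Return what can be learned from a PyArmor stub without running it."""
    info = {
        "pyarmor_version": None,
        "licence": None,
        "runtime_module": None,
        "payload_len": 0,
        "magic": b"",
    }
    m = HEADER_RE.search(source)
    if m:
        info["pyarmor_version"] = m.group("version")
        info["licence"] = m.group("licence")

    tree = ast.parse(source)
    for node in ast.walk(tree):
        # `from pyarmor_runtime_XXXXXX import __pyarmor__` names the runtime package
        if (isinstance(node, ast.ImportFrom) and node.module
                and node.module.startswith("pyarmor_runtime")):
            info["runtime_module"] = node.module
        # `__pyarmor__(__name__, __file__, b'...')` carries the protected payload
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "__pyarmor__" and len(node.args) == 3
                and isinstance(node.args[2], ast.Constant)
                and isinstance(node.args[2].value, bytes)):
            payload = node.args[2].value
            info["payload_len"] = len(payload)
            info["magic"] = payload[:8]  # "PY" + the licence number, e.g. PY000000
    return info


def is_pyarmor_protected(source: str) -> bool:
    """True when the file has both the runtime import and a PY-prefixed payload."""
    info = parse_pyarmor_stub(source)
    return info["runtime_module"] is not None and info["magic"].startswith(b"PY")


if __name__ == "__main__":
    for key, value in parse_pyarmor_stub(SAMPLE_STUB).items():
        print(f"{key:16} {value!r}")
```

Going through `ast` means the obfuscated file never executes during triage; the same walk will flag any PyArmor-wrapped module in a source tree, which is useful when reviewing third-party packages, where obfuscation of the sort shown here is itself a warning sign.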
Well, it seems pointless to even think about manually deobfuscating this. Let's see what happens if we try to run it:
Well, it asks for input and then simply closes. Let's see what happens if we run it with strace:
So, it seems like the Python process spawns a child process, maps the Python file into the child's memory and then executes it.
What if we attach GDB to this process and search for PCC in memory? Maybe it's kept in plaintext.
First, find the PID of the process:
Now, attach GDB to the process:
```shell
sudo gdb --pid=5941
```
Now, since we have pwndbg, we can simply search for the string PCC in memory:
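The pwndbg search above walks the attached process's mapped memory and looks for the bytes PCC. The script below is an added example (not from the write-up and not pwndbg's code) that does the same by hand on Linux through /proc/<pid>/maps and /proc/<pid>/mem, which is handy when no debugger is available or when the check should be automated across many processes, for instance to confirm a service is not holding secrets in plaintext. The function names and the marker string are chosen for this example; reading another process this way needs the same ptrace permission that made the write-up use sudo, while the self-check scans the script's own process and so runs unprivileged.

```python
"""Search a Linux process's readable memory for a byte pattern via /proc.

Added example, not from the write-up and not pwndbg's implementation. It
mirrors what a debugger's memory search does: enumerate the readable regions
from /proc/<pid>/maps, read them through /proc/<pid>/mem and report every
offset at which the pattern occurs.
"""
import os
import re

# Constructed marker planted in this process for the self-check; any bytes will do.
MARKER = b"PCC{constructed_marker_for_this_example}"

# "start-end perms offset dev inode [path]"; the path is optional and may contain spaces
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s")


def readable_regions(pid):
    """Return [(start, end, path)] for the regions /proc/<pid>/mem lets us read."""
    regions = []
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            m = MAPS_LINE.match(line)
            if not m:
                continue
            start, end, perms = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
            parts = line.split(None, 5)
            path = parts[5].strip() if len(parts) > 5 else ""
            # [vvar] and [vsyscall] are mapped but cannot be read through /proc/<pid>/mem
            if "r" not in perms or path in ("[vvar]", "[vsyscall]"):
                continue
            regions.append((start, end, path))
    return regions


def search_process_memory(pid, pattern, chunk=1 << 20):
    """Return [(address, path)] for every occurrence of pattern in readable memory."""
    if not pattern:
        raise ValueError("empty pattern")
    hits = []
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end, path in readable_regions(pid):
            offset = start
            carry = b""  # tail of the previous chunk so matches spanning a chunk edge are kept
            while offset < end:
                try:
                    data = os.pread(fd, min(chunk, end - offset), offset)
                except OSError:
                    break  # region went away or is not readable after all: skip the rest of it
                if not data:
                    break
                buf = carry + data
                base = offset - len(carry)
                pos = buf.find(pattern)
                while pos != -1:
                    hits.append((base + pos, path))
                    pos = buf.find(pattern, pos + 1)
                carry = buf[-(len(pattern) - 1):] if len(pattern) > 1 else b""
                offset += len(data)
    finally:
        os.close(fd)
    return hits


def self_check(pattern=MARKER):
    """Scan our own process for pattern; at least one hit is expected for MARKER."""
    return search_process_memory(os.getpid(), pattern)


if __name__ == "__main__":
    for address, path in self_check():
        print(f"{address:#x}  {path or '[anon]'}")
```

One caveat is visible in the self-check: the search pattern itself lives in the searching process, so scanning your own memory always finds at least the pattern object. That is exactly why the write-up attaches an external debugger to the child process: the string PCC then lives in GDB's memory rather than the target's, and any hit in the target is genuine.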
If anyone knows a better way of doing this, or how to deobfuscate the script, please let me know.