Hello again, after a long time! Today I'm going to share with you a compiled Python file (.pyc) crackme which is available on root-me.org. This is my first experience with pyc files in reversing, because they are rarely talked about in this area.
Here is the challenge: https://www.root-me.org/en/Challenges/Cracking/PYC-ByteCode
The task is to retrieve the password that validates the challenge.
Let's run ch19.pyc (you have to install Python 3.1 if you don't have it).
Okay, fine. Now show us your insides, ch19! 😀
The ord() function converts an ASCII character to its integer value; chr() converts it back.
There is an encrypted list named SOLUCE. This list was generated by converting a string (the flag) to integer values. Can we convert these values back to a string? Not with a simple chr() in this case, because an XOR operator was applied when generating the integers.
So I wrote a simple decryption script that brute-forces each integer in the SOLUCE list to find which ASCII character it corresponds to.
Full code: https://github.com/I2NhbmloZWxweW91/pyc-bytecode-crackme-challenge/blob/master/ch19_solution.py
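As an added example (not the ch19.pyc code and not the author's solution script): a constructed check in the style of the challenge, where KEY, transform() and the SOLUCE list are all assumptions because the real ones are not on this page. It recovers the password by the per-character brute force described above and, going one step further, by inverting the XOR directly once the constant has been read from the decompiled bytecode.

```python
# Added example; not the ch19.pyc code and not the author's solution script.
# KEY, transform() and SOLUCE are constructed to mimic the challenge.
from typing import Callable

KEY = 0x2A  # assumption: the real ch19 constant is not shown on this page


def transform(ch: str, index: int) -> int:
    """Constructed per-character obfuscation: XOR with KEY, then add the position."""
    return (ord(ch) ^ KEY) + index


# Constructed SOLUCE list: transform() applied to the constructed password "Pyc_Rev".
SOLUCE = [122, 84, 75, 120, 124, 84, 98]


def check(password: str) -> bool:
    """What the crackme effectively does: obfuscate the input and compare lists."""
    return [transform(c, i) for i, c in enumerate(password)] == SOLUCE


def recover_by_search(soluce: list, fn: Callable[[str, int], int]) -> str:
    """The brute-force approach, generalised: for every stored integer, try each
    printable ASCII character until fn() reproduces it.  Works for any
    per-character transform, not only XOR, as long as it is injective per position."""
    out = []
    for i, target in enumerate(soluce):
        hits = [chr(c) for c in range(32, 127) if fn(chr(c), i) == target]
        if len(hits) != 1:
            raise ValueError(f"position {i}: {len(hits)} candidates for {target}")
        out.append(hits[0])
    return "".join(out)


def recover_directly(soluce: list, key: int) -> str:
    """Once the transform is read off the decompiled bytecode, XOR with a known
    constant needs no search at all: undo the addition, then XOR again."""
    return "".join(chr((v - i) ^ key) for i, v in enumerate(soluce))


if __name__ == "__main__":
    pw = recover_by_search(SOLUCE, transform)
    print(pw, check(pw), recover_directly(SOLUCE, KEY) == pw)  # Pyc_Rev True True
```

The lesson for anyone shipping such a check is the same either way: a hardcoded secret passed through a reversible transform is recoverable by anyone who can read the bytecode.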
Let’s execute 😉
He hates RUBY then! 😀 😀
Another cool thing happened when I submitted the flag to the challenge. Look at the one below.
What!! I just solved your crackme by brute-forcing; are you actually telling me that I'm stupid right now?!
Frustrated moment… Did I miss something?
Tried once again and it worked!
The site just advises not to brute-force the site itself when finding the password. It thought I had done so because I sent wrong passwords twice.
Several years ago (when I was in grade 7, I guess) my parents gifted this dictionary to someone. It's still available here! It comes as a regular book + CD bundle. I kept a copy of that CD to use myself. But then, oops: it required a password which is randomly generated from their database, to prevent the use of copies of the original CD. So I couldn't do anything. Yesterday I met it again while packing my stuff because of the flood. So let's see what's inside.
As you can see, we can't use the digital dictionary without the real book. But fortunately they had used Java, so we can try to decompile the jar file. Jar files (bytecode) contain a lot of information about the real source code, such as the original class, method, function and variable names. Unlike PE files, jar files can be decompiled into code that is very similar to the source.
So I decompiled the main jar file. The picture above is a screenshot of the LoginScreen.class file. There is a nice little OR operator on line 80. The developers had used a special string, instead of the randomly generated word, to access the main screen, for debugging purposes or just for fun. As you can see, "sandaObaMage" is the little secret. "Sanda" should be the developer's crush :0 Anyway, we got access to the dictionary.
Really, I don't know what the hell this is. There is something called "Phonetic Alphabet". Probably I must install the required fonts for a proper view. If you are interested, you can recompile that jar file after removing those IF statements.
Of course, it's possible to prevent this kind of simple reversing by obfuscating the bytecode. There are several free tools like ProGuard and Launch4j. I think Launch4j is the best option, because ProGuard doesn't work well with libraries and it doubles the file size in my experience. You can obfuscate the code, convert it to an exe and bundle the JRE using Launch4j. So it's handy, I think.
Converting a jar to an exe without obfuscating it doesn't make any sense, because anyone can extract the class files with a zip tool. Hope you enjoyed 🙂