0verp0wer Posted April 9 Posted April 9 View File Python Crackme (Custom VM) Hello, this is a crackme made in python by a friends (wrc3667 on discord) Difficulty: [95 / 100] The purpose of this challenge is to find the correct key (note: the key should be in hexadecimal, otherwise the program will istantly close) Features: - Constant encryption - Name encryption - Opcode shuffling - Bytecode encryption - Stack encryption - Bytecode instruction mangling - Guillotine Interpreter - Complete namespace virtualization Submitter 0verp0wer Submitted 04/10/2024 Category CrackMe
Solution Extreme Coders Posted May 18 Solution Posted May 18 (edited) Correct key is Spoiler db1f8101d77e22d2a549059d6410e812b1f0c508d8463f6323f83e91919bf815da1b95da0eaf3f05561a9dca931242e2f9c5ef92dce8fc767805e892229087f2 The correct key can be obtained at runtime. Not necessary to deal with any of the protection features mentioned. It can be found by hooking and monitoring the arguments passed/return value of any of the push, pop functions defined in guillotine.pyd. These values are all PyObject's, hence interacting with the CPython API is necessary to log these to stdout. Essentially tracing the operations of the VM will reveal the key when it compares the user input with the correct key. Probably will do a mini-write in the future up if I get time. Edited May 18 by Extreme Coders formatting 3 1
Sean Park - Lovejoy Posted May 18 Posted May 18 3 hours ago, Extreme Coders said: Correct key is Reveal hidden contents db1f8101d77e22d2a549059d6410e812b1f0c508d8463f6323f83e91919bf815da1b95da0eaf3f05561a9dca931242e2f9c5ef92dce8fc767805e892229087f2 The correct key can be obtained at runtime. Not necessary to deal with any of the protection features mentioned. It can be found by hooking and monitoring the arguments passed/return value of any of the push, pop functions defined in guillotine.pyd. These values are all PyObject's, hence interacting with the CPython API is necessary to log these to stdout. Essentially tracing the operations of the VM will reveal the key when it compares the user input with the correct key. Probably will do a mini-write in the future up if I get time. @Extreme Coders How to execute the guillotine.pyd? I did this. this is a python file. import guillotine guillotine The result is below. Quote "D:\Downloaded Files\Compressed\password\venv\Scripts\python.exe" "D:\Downloaded Files\Compressed\password\Python3-2.py" Process finished with exit code 0 Many thanks in advance. Regards. sean. 1
Extreme Coders Posted May 18 Posted May 18 @Sean Park - Lovejoy guillotine.pyd is a Python extension module built in Cython. An extension module can't be executed directly. If you decompile password.txt_guillotine.pyc using pycdc, # Source Generated with Decompyle++ # File: password.txt_guillotine.pyc (Python 3.10) import sys sys.dont_write_bytecode = True from py310_win32t_guillotine import __guillotine_runtime__ __guillotine_runtime__(b'GUILLOTINE\x17\x10\x00\x00\x01<\x01\x00 ...[snip]... \x00\x00', { '__annotations__': __annotations__, '__builtins__': __builtins__, '__doc__': __doc__, '__loader__': __loader__, '__name__': __name__, '__package__': __package__, '__spec__': __spec__, '__file__': __file__ }) can note that it imports __guillotine_runtime__ function from the pyd and calls it with a large gibberish string passed as an argument. If you are familiar with pyarmor it is quite similar to that. You can thus run the file password.txt_guillotine.pyc in Python and it would import the pyd. 1
Sean Park - Lovejoy Posted May 18 Posted May 18 31 minutes ago, Extreme Coders said: @Sean Park - Lovejoy guillotine.pyd is a Python extension module built in Cython. An extension module can't be executed directly. If you decompile password.txt_guillotine.pyc using pycdc, # Source Generated with Decompyle++ # File: password.txt_guillotine.pyc (Python 3.10) import sys sys.dont_write_bytecode = True from py310_win32t_guillotine import __guillotine_runtime__ __guillotine_runtime__(b'GUILLOTINE\x17\x10\x00\x00\x01<\x01\x00 ...[snip]... \x00\x00', { '__annotations__': __annotations__, '__builtins__': __builtins__, '__doc__': __doc__, '__loader__': __loader__, '__name__': __name__, '__package__': __package__, '__spec__': __spec__, '__file__': __file__ }) can note that it imports __guillotine_runtime__ function from the pyd and calls it with a large gibberish string passed as an argument. If you are familiar with pyarmor it is quite similar to that. You can thus run the file password.txt_guillotine.pyc in Python and it would import the pyd. @Extreme Coders How can I obtain the password.txt_guillotine.pyc to decompile? I can not find it anywhere. Many thanks in advance. Regards. sean. 1
Sean Park - Lovejoy Posted May 18 Posted May 18 24 minutes ago, Sean Park - Lovejoy said: @Extreme Coders How can I obtain the password.txt_guillotine.pyc to decompile? I can not find it anywhere. Many thanks in advance. Regards. sean. @Extreme Coders Oh, It was your application. called "pyinstxtractor-2024.04". Okay. I see. Regards. sean. 1
Extreme Coders Posted May 18 Posted May 18 The executable is built in PyInstaller. To extract a pyinstaller generated executable can use pyinstxtractor or pyinstxtractor-ng or the web version pyinstxtractor-web 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now