Are we out of the woods yet?

Challenge author: Eric Hennenfent (SIGPwny)
Write-up author: Vanilla (Batman's Kitchen)

It looks like this Python script was run through a custom packer. It's just Python*, which means it must be easy to reverse, right?


We look at the script and it does a simple transformation, then unmarshals it and runs it (presumably as a code object). Marshal formats differ by version, so we check out the version and compile it ourselves to continue. Rather than execute code objects, we can also disassemble them using the dis module. We modify the script to do this, and we discover an almost identical piece of code with only a few changes. We modify the original script to reflect these changes, again disassembling rather than executing, and get another. We repeat until we end up with a piece of code that looks different.

At this point we read the disassembly to figure out what it is doing. I manually decompiled it in this way, and saw that it took input, incrementally calculated a flag, and compared. I modified this script to not take any input and instead print out the flag it calculated.
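
The layer-peeling loop described above, as an added example that is not the challenge's script or the write-up author's code. The packer here (`pack`, `build_sample`) is a constructed stand-in: the XOR transform, the key-in-first-byte layout and the demo payload are assumptions, since the write-up does not show the real transformation. Each stub is unwrapped by reading its constants and is disassembled with `dis`, never executed; run it under the same Python version as the sample, because marshal formats differ by version.

```python
import dis, io, marshal, types

def pack(code, key):
    """Constructed packer layer: XOR the marshalled code, wrap it in a loader stub."""
    blob = bytes([key]) + bytes(b ^ key for b in marshal.dumps(code))
    stub = ("import marshal\n"
            f"B = {blob!r}\n"
            "exec(marshal.loads(bytes(c ^ B[0] for c in B[1:])))\n")
    return compile(stub, "<packed>", "exec")

def next_layer(code):
    """Return the code object a loader stub would exec, or None if not a stub."""
    if "marshal" not in code.co_names:
        return None
    blobs = [c for c in code.co_consts if isinstance(c, bytes)]
    if not blobs:
        return None
    blob = max(blobs, key=len)                # the payload is the largest constant
    inner = marshal.loads(bytes(c ^ blob[0] for c in blob[1:]))
    return inner if isinstance(inner, types.CodeType) else None

def disassemble(code):
    """Disassembly of a code object (and nested ones) as text, without running it."""
    out = io.StringIO()
    dis.dis(code, file=out)
    return out.getvalue()

def peel(code, max_layers=64):
    """Statically unwrap loader stubs; returns (layers_removed, innermost_code)."""
    layers = 0
    while layers < max_layers:
        inner = next_layer(code)
        if inner is None:                     # code looks different: stop and read it
            break
        code, layers = inner, layers + 1
    return layers, code

def build_sample():
    """Constructed three-layer sample around a harmless demo payload."""
    src = "flag = ''.join(chr(c - 1) for c in b'gmbh|efnp~')"
    code = compile(src, "<payload>", "exec")
    for key in (0x21, 0x42, 0x63):            # each layer differs only in its key
        code = pack(code, key)
    return code

if __name__ == "__main__":
    layers, inner = peel(build_sample())
    print(f"removed {layers} layers")
    print(disassemble(inner))
```
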