Zero Days CTF (2024) RE - 1

For the first Capture The Flag (CTF) challenge, participants are presented with a singular file named 'mystery.pyc'.

Figure 1: Initial Challenge Sample

In Python, .pyc files represent compiled bytecode generated by the interpreter upon script import or execution. They facilitate direct execution by the interpreter without recurrent source code compilation, thus enhancing script execution speed, particularly for substantial scripts or modules. Once generated, .pyc files render .py files unnecessary unless subsequent edits are required.

Attempting to open a .pyc file in a text editor does not reveal any readable data or code.

Figure 2: Display of unintelligible data when opening the .pyc file in a text editor

The decompilation of this .pyc file into source code will be conducted using a tool called pycdc, accessible here.

Upon downloading the project, the instructions provided in the project's readme are followed to build the project and acquire pycdc.exe.

Figure 3: Depicts the compiled pycdc.exe binary

To execute pycdc in accordance with the readme instructions, utilize the following command format -

./pycdc [PATH TO PYC FILE]

Figure 4: Illustrates the decompiled mystery.pyc

This yields the following decompilation output -

def print_flag():
Unsupported opcode: JUMP_BACKWARD
 flag = [
 90,
 101,
 114,
 111,
 68,
 97,
 121,
 115,
 123,
 112,
 121,
 99,
 95,
 100,
 51,
 99,
 111,
 109,
 112,
 49,
 108,
 51,
 100,
 125]
# WARNING: Decompyle incomplete

The observed output comprises valid decimal representations convertible to ASCII characters. This can be effectively employed for flag reconstruction in CyberChef, specifically utilizing the "FromDecimal" function.

Figure 5: Displays the decoded flag output achieved through CyberChef

This results in obtaining the flag. The acquired flag is as follows -

Flag - ZeroDays{pyc_d3comp1l3d}