1. After obtaining the file, first check whether it is packed and collect basic information.


#!/usr/bin/env python
# -*- coding: utf-8 -*-

import marshal, zlib, base64

exec(marshal.loads(zlib.decompress(base64.b64decode('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'))))

Reading it, the payload passes through the following layers:

base64.b64decode(): base64 decoding
zlib.decompress(): decompresses the decoded bytes
marshal.loads(): deserializes the bytes into a code object
exec(): executes the code object produced inside the parentheses

So we undo the layers in the order the challenge implies.
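The same three outer layers can be undone without ever reaching exec(): marshal.loads() only rebuilds the code object, and dis then lists its instructions for inspection. The block below is an added example, not code from the original post; the challenge's real blob was removed from the page, so it builds its own constructed payload with wrap() and the names wrap/unwrap/summarize/DEMO_BLOB are ours.

```python
import base64
import dis
import marshal
import types
import zlib


def wrap(source: str) -> bytes:
    """Build a loader blob the same way the challenge file does.
    Used here only to create a constructed demo payload."""
    code = compile(source, "<demo>", "exec")
    return base64.b64encode(zlib.compress(marshal.dumps(code)))


def unwrap(blob: bytes):
    """Undo the three outer layers (base64 -> zlib -> marshal) and return the
    raw marshal bytes plus the code object. Nothing is executed."""
    raw = zlib.decompress(base64.b64decode(blob))
    return raw, marshal.loads(raw)


def summarize(blob: bytes) -> dict:
    """What a reverser wants to know before deciding whether to run anything."""
    raw, code = unwrap(blob)
    if not isinstance(code, types.CodeType):
        raise TypeError("inner object is not a code object: %r" % type(code))
    opnames = [ins.opname for ins in dis.get_instructions(code)]
    strings = "".join(c for c in code.co_consts if isinstance(c, str))
    return {
        "marshal_bytes": len(raw),   # size of the bare marshal data (the 'out' file)
        "names": code.co_names,      # globals/attributes the code touches
        "string_consts": strings,    # string constants, concatenated in order
        "opnames": opnames,          # instruction names of the top-level code
    }


# Constructed demo payload: stands in for the blob that was removed from the page.
DEMO_BLOB = wrap("flag = 'demo{' + 'not-the-real-flag' + '}'\nprint(flag)")

if __name__ == "__main__":
    info = summarize(DEMO_BLOB)
    print(info["names"], info["string_consts"])
    dis.dis(unwrap(DEMO_BLOB)[1])   # full listing, like the 1000-line dump in step 3
```

marshal data is tied to the interpreter that produced it, so unwrap() only works when the payload was built for the same major Python version as the one running the script; the challenge's payload targets Python 2, which is why the write-up uses Python 2 in step 2.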

2. Decoding script

import marshal, zlib, base64

# undo base64 and zlib only; the result is the raw marshal data, which is not executed
out = zlib.decompress(base64.b64decode('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'))

# dump the marshal data to disk for offline analysis
f = open('out', 'wb')
f.write(out)
f.close()

A file named out is then generated in the same directory as this Python file.

Then decompile it with the uncompyle6 command (note: rename out to out.pyc first).

But we find that the decompilation does not succeed at this point.

After consulting an expert's write-up, I learned that the file lacks the pyc file header, so we add one with the hex editor WinHex.

The header is:
03 F3 0D 0A C8 C4 A1 58 (the exact bytes depend on the Python version you use; I used Python 2)

Although a decompilation error is still reported, the file can now be opened.
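The 8-byte header shown above (4-byte magic plus 4-byte timestamp) is the Python 2 layout; Python 3 headers are longer. The block below is an added example, not code from the original post, that builds the header for whichever Python 3 interpreter runs it (importlib.util.MAGIC_NUMBER supplies the magic) and shows why the bare marshal blob fails the magic check. It assumes Python 3.4 or newer; pyc_header/add_header/load_pyc/DEMO_MARSHAL are names chosen here.

```python
import importlib.util
import marshal
import struct
import sys

MAGIC = importlib.util.MAGIC_NUMBER   # 4 bytes, specific to the running interpreter


def pyc_header(mtime: int = 0, source_size: int = 0) -> bytes:
    """Header that precedes the marshalled code object in a .pyc file.
    Layout depends on the interpreter version (Python 3.4+ only here):
      3.7+   : magic + flags + mtime + size  (16 bytes, PEP 552)
      3.3-3.6: magic + mtime + size          (12 bytes)
    The 8-byte header in the write-up (magic + mtime) is the Python 2 layout."""
    if sys.version_info >= (3, 7):
        return MAGIC + struct.pack("<III", 0, mtime & 0xFFFFFFFF, source_size & 0xFFFFFFFF)
    return MAGIC + struct.pack("<II", mtime & 0xFFFFFFFF, source_size & 0xFFFFFFFF)


def add_header(marshalled: bytes) -> bytes:
    """Turn bare marshal output (what the 'out' file contains) into .pyc bytes."""
    return pyc_header() + marshalled


def load_pyc(data: bytes):
    """Return the code object if the magic matches this interpreter, else None.
    A bare marshal blob has no magic and fails here, which is the symptom in step 2."""
    if data[:4] != MAGIC:
        return None
    return marshal.loads(data[len(pyc_header()):])


# Constructed stand-in for the challenge's marshal payload.
DEMO_MARSHAL = marshal.dumps(compile("x = 1 + 1", "<demo>", "exec"))

if __name__ == "__main__":
    with open("out.pyc", "wb") as f:      # same file name as in the write-up
        f.write(add_header(DEMO_MARSHAL))
    print(load_pyc(add_header(DEMO_MARSHAL)).co_name)   # '<module>'
```

When the marshal data comes from a different interpreter version than the one adding the header, decompilers will still complain, as the write-up observes; the magic must match the version that produced the bytecode, not the one running the script.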

3. Open the file

It is more than 1000 lines long, so I will not reproduce it all here.

Analyzing the bytecode, we notice two special instructions:

BINARY_ADD

ROT_TWO

A quick Baidu search shows that one swaps the two top stack entries and the other adds them.

So we first extract the characters, then simulate these two instructions in Python.

4. Script

import re

# read the first 1000 lines of the disassembly dumped from out.pyc
with open("out.py", 'r') as f:
    line = []
    for i in range(1000):
        line.append(f.readline())

consts = []
pat = r"(\d*)\n"          # the LOAD_CONST argument is the last number on the line
for i in line:
    if 'LOAD_CONST' in i:
        text = re.compile(pat).findall(i)
        for j in text:
            consts.append(j)

# every LOAD_CONST argument is a character code; print the characters in order
for i in consts:
    if i == '':
        print("")
    else:
        print(chr(int(i)), end='')

The resulting string is: llaC em yP aht notriv lauhcamni !eac Ini npreterP tohty ntybdocese!!!
ctihN{noy woc uoc naipmoa eldnur yP nnohttyb doceni euoy rb ria}!napwssro :dorWp gnssadrow...elP  esa yrtaga .ni oD tonurbf etecro)= .

Then simulate the two instructions in Python:

# read the disassembly again; the instruction order drives the simulation
with open("out.py", 'r') as f:
    line = []
    for i in range(1000):
        line.append(f.readline())

def ROT_TWO(List):
    # swap the two top-of-stack entries
    a = List.pop()
    b = List.pop()
    List.append(a)
    List.append(b)
    return List

def BINARY_ADD(List):
    # pop TOS and TOS1, push TOS1 + TOS (string concatenation here)
    a = List.pop()
    b = List.pop()
    List.append(b + a)
    return List

cipher = "llaC em yP aht notriv lauhcamni !eac Ini npreterP tohty ntybdocese!!! ctihN{noy woc uoc naipmoa eldnur yP nnohttyb doceni euoy rb ria}!napwssro :dorWp gnssadrow...elP  esa yrtaga .ni oD tonurbf etecro)= ."

cipher = list(cipher)

# replay the bytecode: each LOAD_CONST pushes the next extracted character,
# ROT_TWO and BINARY_ADD operate on the simulated stack
s = []
j = 0
for i in line:
    if 'LOAD_CONST' in i and j < len(cipher):
        s.append(cipher[j])
        j += 1
    elif 'ROT_TWO' in i:
        s = ROT_TWO(s)
    elif 'BINARY_ADD' in i:
        s = BINARY_ADD(s)
print(s)
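The script above depends on the challenge's out.py. As an added example that is not part of the original post, the block below generalizes it into a small stack simulator that parses the LOAD_CONST argument straight from each disassembly line and runs over a constructed listing built in the same format. DEMO_LISTING, INSTR and run_listing are names chosen here; the SWAP/BINARY_OP aliases cover the spellings Python 3.11 and later use for the same operations.

```python
import re

# Constructed disassembly excerpt in the format of the challenge dump:
# every LOAD_CONST argument is a character code, as in the write-up's script.
DEMO_LISTING = """\
  1 LOAD_CONST      116 (116)
    LOAD_CONST      104 (104)
    ROT_TWO
    LOAD_CONST      105 (105)
    ROT_TWO
    BINARY_ADD
    BINARY_ADD
"""

# optional line number, opcode name, optional numeric argument
INSTR = re.compile(r"^\s*(?:\d+\s+)?([A-Z_]+)(?:\s+(\d+))?")


def run_listing(listing: str) -> list:
    """Walk the listing with a plain value stack and return the final stack."""
    stack = []
    for text in listing.splitlines():
        m = INSTR.match(text)
        if not m:
            continue                      # blank or unparseable line
        op, arg = m.group(1), m.group(2)
        if op == "LOAD_CONST":
            stack.append(chr(int(arg)))   # push the character for this code
        elif op == "ROT_TWO" or (op == "SWAP" and arg == "2"):
            # swap the two top entries (SWAP 2 is the Python 3.11+ spelling)
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == "BINARY_ADD" or (op == "BINARY_OP" and arg == "0"):
            # pop TOS and TOS1, push TOS1 + TOS; operand order matters
            right = stack.pop()
            left = stack.pop()
            stack.append(left + right)
        else:
            raise ValueError("unsupported opcode: " + op)
    return stack


if __name__ == "__main__":
    print("".join(run_listing(DEMO_LISTING)))   # hit
```

Because the simulator reads the LOAD_CONST argument from the same line it executes, the character extraction and the replay no longer have to agree on a separate index, which is what the original two-script approach relies on.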

Run the script to get the answer.

The flag is: hitcon{Now you can compile and run Python bytecode in your brain!}
