In this task we have a gzip compressed python file which contained rot13-encoded source code. After decoding we got right source code that was simple to understand - there was creation of function with marshal python module and execution it.
Restored code you can see at "ctf.py". Marshal construct new function with base64-encoded data as initialization data. If you decode it you can see some useful information for getting flag. Actually we could get a flag at this step but we decided to go the author planed way.
But for some reason our decoded code didn't run. It throws an error that variable "flag" is undefined. So we decide to get source code of newly created function.
We used python module called "dis".
import dis print dis.dis(f)
It returns something like machine instructions executed by this function (it was like assembler code for me :) ). This instructions you can see at "dis.txt". So it was easy to see that function first concat four hex-strings, remove space characters from result, decode hex, and finally return "NCN" concatted with sha1 hexdigest from result string. It was flag.