VNCTF2022_RE_复盘

1.BabyMaze

题目给出一个 BabyMaze.pyc 文件,尝试用 uncompyle6 反编译但失败,于是写脚本跳过 pyc 头部、用 marshal 反序列化出 code object,再用 dis 直接反汇编(这两步都不会执行字节码)。

# 跳过 pyc 头部,用 marshal 反序列化出 code object,再用 dis 反汇编(只反序列化,不执行字节码)
import dis
import importlib.util
import marshal
import sys

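# (header size in bytes, first Python version it applies to).
# pyc files go back to 0.9.2 (June 1991).
header_sizes = [
    (8, (0, 9, 2)),   # 2-byte magic, b"\r\n", 4-byte source mtime
    (12, (3, 6)),     # + 4-byte source size
    (16, (3, 7)),     # + 4-byte flags word at offset 4 (PEP 552); with bit 0 set,
                      #   bytes 8-16 are a SipHash of the source instead of mtime+size.
                      #   Table is correct for Python versions up to at least 3.9.
]


def pyc_header_size(version=None):
    """Return the header length (bytes) of a pyc written by Python `version`.

    `version` is a (major, minor[, micro]) tuple; None means the running
    interpreter.  The header has to be skipped before marshal.load, and its
    size changed in 3.6 and again in 3.7, which is what the table encodes.
    """
    if version is None:
        version = sys.version_info
    version = tuple(version)[:3]
    return next(size for size, first in reversed(header_sizes) if version >= first)


def load_pyc(path):
    """Return (header_bytes, code_object) for the pyc at `path`.

    The marshal format is interpreter-version specific and the header is
    sized from sys.version_info, so the file's 4-byte magic must match
    importlib.util.MAGIC_NUMBER of the Python running this script; a
    mismatch raises ValueError instead of yielding a garbage code object.
    marshal.load only deserialises -- no bytecode is executed -- but CPython
    documents marshal as not hardened against malicious data, so analyse
    samples you do not trust inside a disposable VM.
    """
    size = pyc_header_size()
    with open(path, "rb") as f:
        header = f.read(size)
        if len(header) < size:
            raise ValueError(f"{path}: truncated pyc header ({len(header)} bytes)")
        magic = header[:4]
        if magic != importlib.util.MAGIC_NUMBER:
            raise ValueError(
                f"{path}: magic {magic.hex()} != this interpreter's "
                f"{importlib.util.MAGIC_NUMBER.hex()}; rerun under the Python "
                "version that compiled the file"
            )
        code = marshal.load(f)  # the rest of the file is one marshalled code object
    return header, code


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "BabyMaze.pyc"
    _header, code = load_pyc(target)
    dis.dis(code)              # prints the listing; its return value is None
    print(len(code.co_code))   # co_code length -- the field to patch after deleting bytes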
1           0 JUMP_ABSOLUTE            4
>> 2 JUMP_ABSOLUTE 6
>> 4 JUMP_ABSOLUTE 2
>> 6 LOAD_CONST 0 (1)
8 LOAD_CONST 0 (1)
10 LOAD_CONST 0 (1)
12 LOAD_CONST 0 (1)
14 LOAD_CONST 0 (1)
16 LOAD_CONST 0 (1)
18 LOAD_CONST 0 (1)
20 LOAD_CONST 0 (1)
22 LOAD_CONST 0 (1)
24 LOAD_CONST 0 (1)
26 LOAD_CONST 0 (1)
28 LOAD_CONST 0 (1)
30 LOAD_CONST 0 (1)
32 LOAD_CONST 0 (1)
34 LOAD_CONST 0 (1)
36 LOAD_CONST 0 (1)
38 LOAD_CONST 0 (1)
40 LOAD_CONST 0 (1)
42 LOAD_CONST 0 (1)
44 LOAD_CONST 0 (1)
46 LOAD_CONST 0 (1)
48 LOAD_CONST 0 (1)
50 LOAD_CONST 0 (1)
..........
42 LOAD_CONST 5 ("Sorry, we won't acknowledge the existence of your squad.")
44 CALL_FUNCTION 1
46 POP_TOP
>> 48 LOAD_CONST 0 (None)
50 RETURN_VALUE
2030(0X7EE)

可以发现开头是 3 条互相跳转的 JUMP_ABSOLUTE(0→4→2→6,绕一圈才落到真正的第一条指令),这段花指令干扰了 uncompyle6 的控制流分析。于是打开 CPython 3.8 的 opcode.h(或者直接在 Python 里看 `dis.opmap['JUMP_ABSOLUTE']`),找 JUMP_ABSOLUTE 对应的 opcode

是 113(0x71)。3.6 起每条指令固定 2 字节(opcode + arg),所以这 3 条跳转就是 co_code 开头的 6 个字节 `71 04 71 06 71 02`

将这 6 个字节删掉,并把 marshal 里 co_code 的长度字段从 0x7EE 改为 0x7E8(2030 − 6 = 2024,对应上面打印的 len(code.co_code)),然后重新反编译。注意:直接删字节会让后面所有绝对跳转(JUMP_ABSOLUTE / POP_JUMP_IF_*)的目标整体偏移 6,这里 uncompyle6 仍然给出了正确结果;更稳妥的做法是把这 3 条指令原地改成 NOP(opcode 9,即 `09 00`),长度不变,也就不用改 0x7EE

# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.5 (tags/v3.8.5:580fbb0, Jul 20 2020, 15:57:54) [MSC v.1924 64 bit (AMD64)]
# Embedded file name: .\BabyMaze.py
# Compiled at: 2022-02-08 15:12:27
# Size of source mod 2**32: 3707 bytes
# 31 x 31 grid indexed as _map[row][col]: 1 = wall, 0 = open, 5 marks the
# start at (1, 1) and 7 the goal at (29, 29) (the "FIND THAT 7" in the banner).
_map = [
[
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1], [1, 5, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1], [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 
0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1], [1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 7, 1], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]]


def maze():
    """Walk the maze from (1, 1) following one line of w/a/s/d moves from stdin.

    Returns True as soon as the walk reaches (29, 29), False on the first
    character outside w/a/s/d or the first step onto a wall (cell value 1),
    and None (falsy) if the input runs out before the goal.  There is no
    bounds check: a negative index wraps to the far side of the grid and an
    index above 30 raises IndexError -- the walls around the border are what
    keeps well-formed input inside.
    """
    deltas = {'w': (-1, 0), 's': (1, 0), 'a': (0, -1), 'd': (0, 1)}
    row, col = 1, 1
    for move in input():
        try:
            d_row, d_col = deltas[move]
        except KeyError:
            return False
        row += d_row
        col += d_col
        if _map[row][col] == 1:
            return False
        if (row, col) == (29, 29):
            return True


def main():
    """Print the banner, run the maze walk on stdin and report the outcome.

    The flag is md5 of the accepted move string, so the program never reveals
    the path itself; the solver has to reproduce the exact input.
    """
    banner = (
        'Welcome To VNCTF2022!!!',
        'Hello Mr. X, this time your mission is to get out of this maze this time.(FIND THAT 7!)',
        'you are still doing the mission alone, this tape will self-destruct in five seconds.',
    )
    for line in banner:
        print(line)
    verdict = maze()
    if verdict:
        print('Congratulation! flag: VNCTF{md5(your input)}')
    else:
        print("Sorry, we won't acknowledge the existence of your squad.")


if __name__ == '__main__':
    main()
# okay decompiling BabyMaze.pyc

发现是31 * 31的迷宫

稍作整理(把 1/0/5/7 渲染成 #/./S/G),用 BFS 求一条从 S 到 G 的最短路即可(下面的脚本实际是 BFS 而非 DFS)。注意 flag 是 md5(输入):来回走的冗余路径虽然也能通过 maze() 的检查,但 md5 会不同,所以要的是最短路。解密脚本如下

# 题目:给定大小为n*m的矩阵,求S到G的最短路径并输出
# 输入:
# 10 10
# #S######.#
# ......#..#
# .#.##.##.#
# .#........
# ##.##.####
# ....#....#
# .#######.#
# ....#.....
# .####.###.
# ....#...G#
# 输出:
# 迷宫路径
import collections
import hashlib
import queue

MAX_VALUE = float('inf')


class Point:
    """A mutable grid coordinate: x is the row index, y the column index."""

    def __init__(self, x=0, y=0):
        self.x, self.y = x, y


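def bfs(maze, begin, end):
    """Breadth-first shortest path through a grid maze.

    maze: list of rows; a cell equal to '#' is a wall, anything else is
    walkable.  begin / end: objects with integer .x (row) and .y (column).
    Returns the list of (row, col) tuples from begin to end inclusive, or []
    when end is unreachable.  The original used `while q:` on a
    queue.Queue, which is always truthy, so an unreachable goal made
    q.get() block forever; a deque makes the emptiness test meaningful.
    Neighbours are visited in the same order as before (down, up, left,
    right) so the returned path is unchanged for reachable goals.
    """
    n, m = len(maze), len(maze[0])
    # pre[r][c] is the cell we stepped from; it doubles as the visited set.
    pre = [[None] * m for _ in range(n)]
    start = (begin.x, begin.y)
    goal = (end.x, end.y)
    pre[start[0]][start[1]] = start  # self-parent marks the start as visited
    steps = ((1, 0), (-1, 0), (0, -1), (0, 1))

    found = start == goal
    q = collections.deque([start])
    while q and not found:
        r, c = q.popleft()
        for dr, dc in steps:
            nr, nc = r + dr, c + dc
            if not (0 <= nr < n and 0 <= nc < m):
                continue
            if maze[nr][nc] == '#' or pre[nr][nc] is not None:
                continue
            pre[nr][nc] = (r, c)
            if (nr, nc) == goal:
                found = True  # first discovery in BFS is already the shortest
                break
            q.append((nr, nc))

    if not found:
        return []
    path = []
    cur = goal
    while cur != start:
        path.append(cur)
        cur = pre[cur[0]][cur[1]]
    path.append(start)
    path.reverse()
    return path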


def get_path(path):
    """Turn a list of (row, col) cells into the w/a/s/d move string maze() expects.

    Consecutive cells are assumed to be 4-adjacent: same row means a
    horizontal move (a = left, d = right), otherwise a vertical one
    (w = up, s = down).  An empty or single-cell path yields "".
    """
    moves = []
    for (r0, c0), (r1, c1) in zip(path, path[1:]):
        if r0 == r1:
            moves.append('a' if c0 > c1 else 'd')
        else:
            moves.append('w' if r0 > r1 else 's')
    return "".join(moves)


if __name__ == '__main__':
    # First line: "rows cols"; then `rows` lines of the maze, where '#' is a
    # wall, 'S' the start and 'G' the goal (see the sample in the header).
    n, m = map(int, input().split())
    begin, end = Point(), Point()
    maze = []
    for row_no in range(n):
        line = input()
        maze.append(list(line))
        if 'S' in line:
            begin.x, begin.y = row_no, line.index('S')
        if 'G' in line:
            end.x, end.y = row_no, line.index('G')
    moves = get_path(bfs(maze, begin, end))
    print(moves)
    # md5 is only the challenge's flag format (VNCTF{md5(input)}), not a security use.
    print(hashlib.md5(moves.encode()).hexdigest())
# 31 31
# ###############################
# #S#.................#.........#
# #.#.#########.#####.#.#######.#
# #.#...#.......#...#...#.#...#.#
# #.#####.#########.#####.#.#.#.#
# #...#...#.............#...#...#
# ###.#.###.#############.#######
# #...#.#...#.........#...#...#.#
# #.###.#.###.#######.#.###.#.#.#
# #.....#.#...#...#.#.#...#.#...#
# #######.#.###.#.#.#.###.#.###.#
# #.......#.....#...#.#...#.#...#
# #.###############.#.#.###.#.###
# #.......#.......#.#...#...#...#
# #.#####.#.#.#.###.#####.#######
# #.#...#.#.#.#.#...#...........#
# #.#.#.#.#.#.###.###.#####.###.#
# #.#.#.#.#.#...#...#.#...#.#...#
# #.#.###.#.###.###.#.#.#.###.###
# #...#...#.#.....#.#.#.#...#...#
# #.###.#.#.#.#####.#.#.###.#.#.#
# #.#...#.#.#.......#.#.#.#.#.#.#
# #.#.###.#.###########.#.#.#.#.#
# #.#...#.#.#.........#.#.#.#.#.#
# #.###.#.#.#####.#.#.#.#.#.#.#.#
# #...#.#.#.....#.#.#...#...#.#.#
# #####.#######.###.#######.###.#
# #.....#.....#...#.......#.....#
# #.#####.###.###.#######.#####.#
# #.........#.............#....G#
# ###############################
# ssssddssaassddddwwwwddwwddddddwwddddddssddwwddddddddssssaawwaassaassaassddssaassaawwwwwwaaaaaaaassaassddddwwddssddssssaassddssssaaaaaawwddwwaawwwwaassssssssssssddddssddssddddddddwwaaaaaawwwwddssddwwwwwwwwddssddssssssssddddss
# 801f190737434100e7d2790bd5b0732e

关于python字节码的反汇编,可以看这个文章学习 https://song-10.gitee.io/2020/04/20/Reverse-2020-04-20-python-byte/

2.cm1

是个APK文件,拖入JEB进行分析

发现关键check函数放在了解密后的ooo文件中,进入copyFiles函数观察如何解密的

是按 1024 字节分块,每块内循环异或密钥 vn2022。注意 1024 不是 6 的倍数,所以每到一个块边界密钥相位都会重置,下标必须写成 (i % 1024) % 6 而不是 i % 6。密钥就硬编码在 APK 里,这只是混淆而不是加密,写脚本解密

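key = b"vn2022"
BLOCK = 1024


def xor_decrypt(data, key=key, block=BLOCK):
    """Undo the APK's copyFiles obfuscation: XOR with a repeating key whose
    phase restarts at every `block`-byte boundary.

    1024 is not a multiple of 6, so `(i % block) % len(key)` differs from
    `i % len(key)` from byte 1024 onwards -- dropping the block term would
    desync the keystream.  XOR is an involution, so this also re-encrypts.
    The key ships inside the APK, so this is obfuscation, not confidentiality.
    Returns bytes; empty input gives b"".
    """
    klen = len(key)
    return bytes(b ^ key[(i % block) % klen] for i, b in enumerate(data))


if __name__ == "__main__":
    with open("ooo", "rb") as f:
        blob = f.read()
    with open("oooo", "wb") as f:
        f.write(xor_decrypt(blob))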

然后用 jadx 打开解密得到的 oooo 文件,找到 hcheck

是 xxtea 加密,密钥是硬编码的 16 字节 "H4pPY_VNCTF!!OvO",按小端拆成 4 个 32 位字,写脚本解密即可

In [18]: a = b"H4pPY_VNCTF!!OvO"
In [19]: struct.unpack("<IIII", a)
Out[19]: (1349530696, 1314283353, 558257219, 1333153569)
#include <stdio.h>
#include <string.h>

/*
 * XXTEA (Corrected Block TEA) encryption, in place.
 * v: n 32-bit words (n >= 2), key: 4 words.  The word type is unsigned int,
 * which this code assumes is exactly 32 bits so the shifts and additions
 * wrap the way the reference implementation expects.
 */
void encrypt(unsigned int * v, int n, unsigned int * key) {
    const unsigned int delta = 0x9E3779B9u;   /* == -1640531527 mod 2^32 */
    unsigned int rounds = 6 + 52 / n;
    unsigned int sum = 0;
    unsigned int y = 0;
    unsigned int z = v[n - 1];
    unsigned int e;
    unsigned int p;

    for (; rounds > 0; rounds--) {
        sum += delta;
        e = (sum >> 2) & 3;
        for (p = 0; p < (unsigned int)(n - 1); p++) {
            y = v[p + 1];
            v[p] += (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
                  ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z));
            z = v[p];
        }
        /* last word mixes with the (already updated) first word */
        y = v[0];
        v[n - 1] += (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
                  ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z));
        z = v[n - 1];
    }
}

/*
 * XXTEA decryption, in place: exact inverse of encrypt() above.
 * v: n 32-bit words (n >= 2), key: 4 words.  sum starts at delta*rounds
 * (the value encrypt() ends with) and walks back down; unsigned int is
 * assumed to be exactly 32 bits.
 */
void decrypt(unsigned int* v, int n, unsigned int* key)
{
    const unsigned int delta = 0x9E3779B9u;   /* == -1640531527 mod 2^32 */
    unsigned int rounds = 6 + 52 / n;
    unsigned int sum = delta * rounds;        /* == 0 - 1640531527*rounds mod 2^32 */
    unsigned int y = v[0];
    unsigned int z = 0;
    unsigned int e;
    unsigned int p;

    for (; rounds > 0; rounds--) {
        e = (sum >> 2) & 3;
        for (p = (unsigned int)(n - 1); p > 0; p--) {
            z = v[p - 1];
            v[p] -= (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
                  ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z));
            y = v[p];
        }
        /* first word mixes with the (already restored) last word; p == 0 here */
        z = v[n - 1];
        v[0] -= (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
              ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z));
        y = v[0];
        sum -= delta;                         /* == sum += 1640531527 mod 2^32 */
    }
}

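/*
 * Recover the flag.  The 44 ciphertext bytes are the constant compared in
 * hcheck (inside the decrypted ooo); the key is the four little-endian
 * words of "H4pPY_VNCTF!!OvO" (struct.unpack("<IIII")), i.e. a key that is
 * hard-coded in the APK.  The original version never printed the result
 * (it was read in a debugger); this one prints it.
 */
int main(void) {
    /* same bytes as the original signed-char initializer, written unsigned */
    static const unsigned char cipher[44] = {
        68, 39, 164, 108, 174, 238, 72, 201, 74, 200, 38, 11, 60, 84, 97, 216,
        87, 71, 99, 174, 120, 104, 47, 185, 198, 199, 0, 33, 42, 38, 212, 217,
        196, 113, 254, 92, 181, 118, 179, 50, 135, 43, 32, 150
    };
    unsigned int key[4] = { 1349530696u, 1314283353u, 558257219u, 1333153569u };
    unsigned int v[11];
    char out[45];

    /* memcpy instead of casting char* to unsigned int* (alignment / aliasing) */
    memcpy(v, cipher, sizeof v);
    decrypt(v, 11, key);
    memcpy(out, v, sizeof v);
    out[44] = '\0';
    printf("%s\n", out);   /* expected: VNCTF{93ee7688-f216-42cb-a5c2-191ff4e412ba} */
    return 0;
}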
//VNCTF{93ee7688-f216-42cb-a5c2-191ff4e412ba}

3.cm狗

拿到题目,发现是用go语言实现的VM,直接用IDA7.6打开

根据 main.(_ptr_MzVm).init 和 main.(_ptr_MzVm).run 这 2 个函数(IDA 把 Go 的 *MzVm 方法接收者显示为 _ptr_MzVm),找到 VM 的大体结构

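/*
 * Reconstructed layout of the Go VM (MzVm), recovered from
 * main.(*MzVm).init / main.(*MzVm).run and meant for IDA's Local Types
 * (DWORD / QWORD are IDA's 4- / 8-byte unsigned integer typedefs).
 * The original listing had no ';' after the struct definitions and used
 * `vm` before it was declared, so it did not parse; fixed here.
 */
struct vm;

/* One opcode handler: the function to call plus the VM it operates on. */
struct func
{
    void *call;
    struct vm *vmm;
};

struct vm
{
    DWORD REG[21];                /* REG[19] is the jump target used by opcodes 13-16 */
    DWORD stack[1000];
    DWORD _eip;                   /* index into data; jumps set it to 3 * REG[x] */
    DWORD _esp;
    DWORD _ebp;
    QWORD *data;                  /* points to the opcode stream: (op, arg1, arg2) triples */
    struct func *function[100];   /* presumably indexed by opcode -- confirm in run() */
    char is_exit;
};

/* The two operands that follow every opcode in the stream. */
struct params
{
    DWORD parm1;
    DWORD parm2;
};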

添加结构体到IDA中,发现瞬间函数变的非常的清晰

慢慢分析每个func的功能,然后把OPCODE提取出来,写脚本打印伪代码

a = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000057, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000065, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006C, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000063, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006F, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006D, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000065, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000020, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000074, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006F, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000020, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000056, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000004E, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000043, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000054, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000046, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000032, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000030, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000032, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000032, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000021, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000000A, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000069, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006E, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000070, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000075, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000074, 0x00000062, 
0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000020, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000066, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006C, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000061, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000067, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000003A, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000000A, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000013, 0x00000049, 0x00000001, 0x00000003, 0x00000000, 0x00000001, 0x00000001, 0x0000002B, 0x00000001, 0x00000002, 0x00000001, 0x00000061, 0x00000000, 0x00000000, 0x00000005, 0x00000000, 0x00000000, 0x00000008, 0x00000001, 0x00000002, 0x0000000E, 0x00000001, 0x00000003, 0x00000001, 0x00000000, 0x00000000, 0x00000005, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000006, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000006, 0x00000000, 0x00000002, 0x00000000, 0x00000006, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000006, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000006, 0x00000000, 0x00000002, 0x00000000, 0x00000006, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000006, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000006, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000007, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000007, 0x00000000, 0x00000002, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000007, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000007, 0x00000000, 0x00000002, 0x00000000, 
0x00000007, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000007, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000007, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000009, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000009, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000009, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000009, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000009, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000009, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000A, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000002, 0x00000000, 0x0000000A, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000A, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000002, 0x00000000, 0x0000000A, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000A, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 
0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000B, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000B, 0x00000000, 0x00000002, 0x00000000, 0x0000000B, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000B, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000B, 0x00000000, 0x00000002, 0x00000000, 0x0000000B, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000B, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000B, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000C, 0x00000000, 0x00000002, 0x00000000, 0x0000000C, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000C, 0x00000000, 0x00000002, 0x00000000, 0x0000000C, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000C, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000D, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000D, 0x00000000, 0x00000002, 0x00000000, 0x0000000D, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000D, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000D, 0x00000000, 0x00000002, 0x00000000,
0x0000000D, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000D, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000D, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000E, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000E, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000E, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000E, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000F, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x0000000F, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000F, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x0000000F, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000F, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000F, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x00000010, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x00000010, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000010, 0x00000000, 
0x00000000, 0x00000000, 0x00000000, 0x00000005, 0x00000006, 0x00000000, 0x00000005, 0x00000007, 0x00000000, 0x00000005, 0x00000008, 0x00000000, 0x00000005, 0x00000009, 0x00000000, 0x00000005, 0x0000000A, 0x00000000, 0x00000005, 0x0000000B, 0x00000000, 0x00000005, 0x0000000C, 0x00000000, 0x00000005, 0x0000000D, 0x00000000, 0x00000005, 0x0000000E, 0x00000000, 0x00000005, 0x0000000F, 0x00000000, 0x00000005, 0x00000010, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x0000011C, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0xE8D1D5DF, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0xF5E3C114, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x00000127, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x228EC216, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x89D45A61, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x00000132, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x655B8F69, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x2484A07A, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x0000013D, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0xD9E5E7F8, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x3A441532, 0x0000000E, 
0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x00000148, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x91AB7E88, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x69FC64BC, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x007D3765, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x00000189, 0x0000000C, 0x00000000, 0x00000000, 0x00000063, 0x00000000, 0x00000000, 0x00000001, 0x00000003, 0x9E3779B9, 0x00000001, 0x00000004, 0x00095C4C, 0x00000001, 0x00000005, 0x0000871D, 0x00000001, 0x00000006, 0x0001A7B7, 0x00000001, 0x00000007, 0x0012C7C7, 0x00000001, 0x00000008, 0x00000000, 0x00000001, 0x00000011, 0x00000010, 0x00000001, 0x00000012, 0x00000020, 0x00000001, 0x00000013, 0x00000160, 0x00000001, 0x0000000A, 0x00000000, 0x00000001, 0x0000000B, 0x00000020, 0x00000001, 0x0000000C, 0x00000001, 0x00000007, 0x00000008, 0x00000003, 0x00000002, 0x00000000, 0x00000002, 0x0000000A, 0x00000000, 0x00000011, 0x00000007, 0x00000000, 0x00000004, 0x00000002, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x00000002, 0x00000007, 0x00000000, 0x00000008, 0x00000002, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x00000002, 0x00000009, 0x00000000, 0x00000012, 0x00000007, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000B, 0x00000000, 0x0000000F, 0x0000000B, 0x00000000, 0x00000010, 0x00000007, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x0000000A, 0x00000000, 0x00000011, 0x00000007, 0x00000000, 0x00000006, 0x00000002, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x00000007, 0x00000000, 0x00000008, 0x00000002, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x00000009, 0x00000000, 0x00000012, 0x00000007, 0x00000000, 
0x00000007, 0x00000002, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000B, 0x00000000, 0x0000000F, 0x0000000B, 0x00000000, 0x00000010, 0x00000007, 0x00000002, 0x00000000, 0x00000008, 0x0000000B, 0x0000000C, 0x0000000E, 0x0000000B, 0x0000000A, 0x0000000C, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006E, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006F, 0x00000062, 0x00000000, 0x00000000, 0x0000000C, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000079, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000065, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000073, 0x00000062, 0x00000000, 0x00000000, 0x0000000C, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]

# print(len(a))
# for i in range(0, len(a), 3):
# print(a[i], a[i+1], a[i+2])


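# opcode -> pseudo-code template; {0} is the first operand, {1} the second.
asmmm_map = {
    0: "nop",
    1: "VM->REG[{0}] = {1}",
    2: "VM->REG[{0}] = VM->REG[{1}]",
    # copy the stack slot at the given depth into the given register
    3: "v3 = (VM->stack_top - {1}) VM->REG[{0}] = VM->stack[v3];",
    4: "result = (VM->stack_top - {0}) VM->stack[result] = VM->REG[{1}]",
    5: "push REG[{0}]",
    6: "pop REG[{0}]",
    7: "VM->REG[{0}] += VM->REG[{1}]",
    8: "VM->REG[{0}] -= VM->REG[{1}]",
    9: "VM->REG[{0}] /= VM->REG[{1}]",
    10: "VM->REG[{0}] *= VM->REG[{1}];",
    11: "VM->REG[{0}] ^= VM->REG[{1}]",
    12: "VM->_eip = 3 * VM->REG[{0}]",
    # 13 and 14 were both rendered as CMP by the author; presumably the
    # equal / not-equal variants -- confirm against the two handlers.
    # (13 originally had an unbalanced "REG[{0}" in its template.)
    13: "CMP VM->REG[{1}], VM->REG[{0}] if yes: VM->_eip = 3 * VM->REG[19]",
    14: "CMP VM->REG[{1}], VM->REG[{0}] if yes: VM->_eip = 3 * VM->REG[19]",
    15: "VM->REG[{1}] < VM->REG[{0}] if yes: VM->_eip = 3 * VM->REG[19]",
    16: "VM->REG[{1}] > VM->REG[{0}] if yes: VM->_eip = 3 * VM->REG[19]",
    97: "getchar",
    98: "putchar",
    99: "vm quit"
}


def disassemble(code, opmap=None):
    """Render a flat opcode stream of (op, arg1, arg2) triples as pseudo-code.

    Returns one string per instruction.  An opcode missing from `opmap`
    (default: asmmm_map) is rendered as `db <op>, <arg1>, <arg2>` instead of
    raising KeyError, so a partially understood handler table still gives a
    readable listing.  Raises ValueError if len(code) is not a multiple of 3,
    because a misaligned dump would otherwise silently shift every operand.
    """
    table = asmmm_map if opmap is None else opmap
    if len(code) % 3:
        raise ValueError(f"opcode stream length {len(code)} is not a multiple of 3")
    lines = []
    for op, arg1, arg2 in zip(*[iter(code)] * 3):
        fmt = table.get(op)
        if fmt is None:
            lines.append(f"db {op:#x}, {arg1:#x}, {arg2:#x}")
        else:
            lines.append(fmt.format(arg1, arg2))
    return lines


if __name__ == "__main__":
    for line in disassemble(a):
        print(line)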
VM->REG[0] = 87 
putchar
VM->REG[0] = 101
putchar
VM->REG[0] = 108
putchar
VM->REG[0] = 99
putchar
VM->REG[0] = 111
putchar
VM->REG[0] = 109
putchar
VM->REG[0] = 101
putchar
VM->REG[0] = 32
putchar
VM->REG[0] = 116
putchar
VM->REG[0] = 111
putchar
VM->REG[0] = 32
putchar
VM->REG[0] = 86
putchar
VM->REG[0] = 78
putchar
VM->REG[0] = 67
putchar
VM->REG[0] = 84
putchar
VM->REG[0] = 70
putchar
VM->REG[0] = 50
putchar
VM->REG[0] = 48
putchar
VM->REG[0] = 50
putchar
VM->REG[0] = 50
putchar
VM->REG[0] = 33
putchar
VM->REG[0] = 10
putchar
VM->REG[0] = 105
putchar
VM->REG[0] = 110
putchar
VM->REG[0] = 112
putchar
VM->REG[0] = 117
putchar
VM->REG[0] = 116
putchar
VM->REG[0] = 32
putchar
VM->REG[0] = 102
putchar
VM->REG[0] = 108
putchar
VM->REG[0] = 97
putchar
VM->REG[0] = 103
putchar
VM->REG[0] = 58
putchar
VM->REG[0] = 10
putchar
VM->REG[19] = 73
VM->REG[3] = 0
VM->REG[1] = 43
VM->REG[2] = 1
getchar
push REG[0]
VM->REG[1] -= VM->REG[2]
CMP VM->REG[3], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19] //输入flag,长度是43
// Pack the input into 32-bit words REG[6]..REG[16].  A zero byte is pushed
// first, so 43 input bytes + 1 terminator = 44 bytes = 11 words.  Each word is
// folded from four pops as ((b0 * 256 + b1) * 256 + b2) * 256 + b3; REG[5] = 256
// is reloaded before every word and a `nop` separates the groups.  Because pops
// come off in reverse push order, REG[6] holds the terminator plus the last
// three input bytes and REG[16] the first four input bytes (assuming the
// push/pop pair is a plain LIFO stack — confirm in the interpreter).
VM->REG[0] = 0
push REG[0]
nop
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[6] = VM->REG[0]
pop REG[0]
VM->REG[6] += VM->REG[0]
VM->REG[0] = VM->REG[6]
VM->REG[0] *= VM->REG[5];
VM->REG[6] = VM->REG[0]
pop REG[0]
VM->REG[6] += VM->REG[0]
VM->REG[0] = VM->REG[6]
VM->REG[0] *= VM->REG[5];
VM->REG[6] = VM->REG[0]
pop REG[0]
VM->REG[6] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[7] = VM->REG[0]
pop REG[0]
VM->REG[7] += VM->REG[0]
VM->REG[0] = VM->REG[7]
VM->REG[0] *= VM->REG[5];
VM->REG[7] = VM->REG[0]
pop REG[0]
VM->REG[7] += VM->REG[0]
VM->REG[0] = VM->REG[7]
VM->REG[0] *= VM->REG[5];
VM->REG[7] = VM->REG[0]
pop REG[0]
VM->REG[7] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[8] = VM->REG[0]
pop REG[0]
VM->REG[8] += VM->REG[0]
VM->REG[0] = VM->REG[8]
VM->REG[0] *= VM->REG[5];
VM->REG[8] = VM->REG[0]
pop REG[0]
VM->REG[8] += VM->REG[0]
VM->REG[0] = VM->REG[8]
VM->REG[0] *= VM->REG[5];
VM->REG[8] = VM->REG[0]
pop REG[0]
VM->REG[8] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[9] = VM->REG[0]
pop REG[0]
VM->REG[9] += VM->REG[0]
VM->REG[0] = VM->REG[9]
VM->REG[0] *= VM->REG[5];
VM->REG[9] = VM->REG[0]
pop REG[0]
VM->REG[9] += VM->REG[0]
VM->REG[0] = VM->REG[9]
VM->REG[0] *= VM->REG[5];
VM->REG[9] = VM->REG[0]
pop REG[0]
VM->REG[9] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[10] = VM->REG[0]
pop REG[0]
VM->REG[10] += VM->REG[0]
VM->REG[0] = VM->REG[10]
VM->REG[0] *= VM->REG[5];
VM->REG[10] = VM->REG[0]
pop REG[0]
VM->REG[10] += VM->REG[0]
VM->REG[0] = VM->REG[10]
VM->REG[0] *= VM->REG[5];
VM->REG[10] = VM->REG[0]
pop REG[0]
VM->REG[10] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[11] = VM->REG[0]
pop REG[0]
VM->REG[11] += VM->REG[0]
VM->REG[0] = VM->REG[11]
VM->REG[0] *= VM->REG[5];
VM->REG[11] = VM->REG[0]
pop REG[0]
VM->REG[11] += VM->REG[0]
VM->REG[0] = VM->REG[11]
VM->REG[0] *= VM->REG[5];
VM->REG[11] = VM->REG[0]
pop REG[0]
VM->REG[11] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[12] = VM->REG[0]
pop REG[0]
VM->REG[12] += VM->REG[0]
VM->REG[0] = VM->REG[12]
VM->REG[0] *= VM->REG[5];
VM->REG[12] = VM->REG[0]
pop REG[0]
VM->REG[12] += VM->REG[0]
VM->REG[0] = VM->REG[12]
VM->REG[0] *= VM->REG[5];
VM->REG[12] = VM->REG[0]
pop REG[0]
VM->REG[12] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[13] = VM->REG[0]
pop REG[0]
VM->REG[13] += VM->REG[0]
VM->REG[0] = VM->REG[13]
VM->REG[0] *= VM->REG[5];
VM->REG[13] = VM->REG[0]
pop REG[0]
VM->REG[13] += VM->REG[0]
VM->REG[0] = VM->REG[13]
VM->REG[0] *= VM->REG[5];
VM->REG[13] = VM->REG[0]
pop REG[0]
VM->REG[13] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[14] = VM->REG[0]
pop REG[0]
VM->REG[14] += VM->REG[0]
VM->REG[0] = VM->REG[14]
VM->REG[0] *= VM->REG[5];
VM->REG[14] = VM->REG[0]
pop REG[0]
VM->REG[14] += VM->REG[0]
VM->REG[0] = VM->REG[14]
VM->REG[0] *= VM->REG[5];
VM->REG[14] = VM->REG[0]
pop REG[0]
VM->REG[14] += VM->REG[0]
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[15] = VM->REG[0]
pop REG[0]
VM->REG[15] += VM->REG[0]
VM->REG[0] = VM->REG[15]
VM->REG[0] *= VM->REG[5];
VM->REG[15] = VM->REG[0]
pop REG[0]
VM->REG[15] += VM->REG[0]
VM->REG[0] = VM->REG[15]
VM->REG[0] *= VM->REG[5];
VM->REG[15] = VM->REG[0]
pop REG[0]
VM->REG[15] += VM->REG[0]
// last group: REG[16] receives the four bytes that were pushed first.
nop
pop REG[0]
VM->REG[5] = 256
VM->REG[0] *= VM->REG[5];
VM->REG[16] = VM->REG[0]
pop REG[0]
VM->REG[16] += VM->REG[0]
VM->REG[0] = VM->REG[16]
VM->REG[0] *= VM->REG[5];
VM->REG[16] = VM->REG[0]
pop REG[0]
VM->REG[16] += VM->REG[0]
VM->REG[0] = VM->REG[16]
VM->REG[0] *= VM->REG[5];
VM->REG[16] = VM->REG[0]
pop REG[0]
VM->REG[16] += VM->REG[0]
nop
// Verification.  All eleven packed words are pushed so they can be popped in
// pairs; the first pop therefore yields REG[16] (first four input bytes) into
// REG[1] = v0 and REG[15] into REG[2] = v1.  For each pair REG[20] receives a
// return address and control jumps to 3 * 340 — the TEA routine below, which
// ends with `_eip = 3 * REG[20]`.  Counting one trace line per instruction, the
// return addresses 284/295/306/317/328 land on the `REG[0] = <expected>` line
// right after each jump, 3 * 387 is the "no" stub and 3 * 393 the "yes" stub;
// REG[20] = 339 (the `vm quit` line) is where those stubs return to.
// A single mismatch (CMP taken as "not equal") goes to the "no" stub
// immediately, so blocks are checked in order and the check stops early.
push REG[6]
push REG[7]
push REG[8]
push REG[9]
push REG[10]
push REG[11]
push REG[12]
push REG[13]
push REG[14]
push REG[15]
push REG[16]
// pair 1: v0 = REG[16], v1 = REG[15]
pop REG[1]
pop REG[2]
VM->REG[20] = 284
VM->REG[0] = 340
VM->_eip = 3 * VM->REG[0]
VM->REG[0] = 3906065887
VM->REG[19] = 387
VM->REG[20] = 339
CMP VM->REG[0], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19]
VM->REG[0] = 4125344020
CMP VM->REG[0], VM->REG[2] if yes: VM->_eip = 3 * VM->REG[19]
// pair 2: v0 = REG[14], v1 = REG[13]
pop REG[1]
pop REG[2]
VM->REG[20] = 295
VM->REG[0] = 340
VM->_eip = 3 * VM->REG[0]
VM->REG[0] = 579781142
VM->REG[19] = 387
VM->REG[20] = 339
CMP VM->REG[0], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19]
VM->REG[0] = 2312395361
CMP VM->REG[0], VM->REG[2] if yes: VM->_eip = 3 * VM->REG[19]
// pair 3: v0 = REG[12], v1 = REG[11]
pop REG[1]
pop REG[2]
VM->REG[20] = 306
VM->REG[0] = 340
VM->_eip = 3 * VM->REG[0]
VM->REG[0] = 1700499305
VM->REG[19] = 387
VM->REG[20] = 339
CMP VM->REG[0], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19]
VM->REG[0] = 612671610
CMP VM->REG[0], VM->REG[2] if yes: VM->_eip = 3 * VM->REG[19]
// pair 4: v0 = REG[10], v1 = REG[9]
pop REG[1]
pop REG[2]
VM->REG[20] = 317
VM->REG[0] = 340
VM->_eip = 3 * VM->REG[0]
VM->REG[0] = 3655723000
VM->REG[19] = 387
VM->REG[20] = 339
CMP VM->REG[0], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19]
VM->REG[0] = 977540402
CMP VM->REG[0], VM->REG[2] if yes: VM->_eip = 3 * VM->REG[19]
// pair 5: v0 = REG[8], v1 = REG[7]
pop REG[1]
pop REG[2]
VM->REG[20] = 328
VM->REG[0] = 340
VM->_eip = 3 * VM->REG[0]
VM->REG[0] = 2443935368
VM->REG[19] = 387
VM->REG[20] = 339
CMP VM->REG[0], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19]
VM->REG[0] = 1778148540
CMP VM->REG[0], VM->REG[2] if yes: VM->_eip = 3 * VM->REG[19]
// The eleventh word (REG[6]: terminator + last three input bytes) is compared
// as plaintext, without the TEA call.  8206181 = 0x7D3765, so by the packing
// formula above the last three input bytes are 0x65 0x37 0x7D ("e7}") and the
// terminator byte is 0.  Only the ten words before it are encrypted.
pop REG[1]
VM->REG[0] = 8206181
CMP VM->REG[0], VM->REG[1] if yes: VM->_eip = 3 * VM->REG[19]
// every word matched: jump to the "yes" stub, which returns to `vm quit`.
VM->REG[0] = 393
VM->_eip = 3 * VM->REG[0]
vm quit

// TEA encryption of one block: v0 = REG[1], v1 = REG[2].  Entered via
// `_eip = 3 * 340`, returns via `_eip = 3 * REG[20]`.  Register roles:
//   REG[3]    delta = 2654435769 = 0x9E3779B9     REG[8]   running sum
//   REG[4..7] key k0..k3 (REG[6]/REG[7] are reloaded here; the packed words
//             they held were already pushed by the caller)
//   REG[11]   round counter, starts at 32, decremented by REG[12] = 1
//   REG[17] = 16 (multiply stands in for << 4), REG[18] = 32 (divide for >> 5)
//   REG[19] = 352: by line count the `REG[8] += REG[3]` line, i.e. the loop head
//   REG[14..16] scratch for the three XOR terms
// NOTE(review): multiply/divide only equal the TEA shifts if register
// arithmetic wraps at 32 bits; the C reconstruction further down assumes so.
VM->REG[3] = 2654435769
VM->REG[4] = 613452
VM->REG[5] = 34589
VM->REG[6] = 108471
VM->REG[7] = 1230791
VM->REG[8] = 0
VM->REG[17] = 16
VM->REG[18] = 32
VM->REG[19] = 352
VM->REG[10] = 0
VM->REG[11] = 32
VM->REG[12] = 1
VM->REG[8] += VM->REG[3] sum += 2654435769
VM->REG[0] = VM->REG[2] v1
VM->REG[0] *= VM->REG[17]; v1 << 4
VM->REG[0] += VM->REG[4] (v1 << 4) + 613452
VM->REG[14] = VM->REG[0] VM->REG[14] = (v1 << 4) + 613452
VM->REG[0] = VM->REG[2]
VM->REG[0] += VM->REG[8] v1 + sum
VM->REG[15] = VM->REG[0] VM->REG[15] = (v1 + sum)
VM->REG[0] = VM->REG[2]
VM->REG[0] /= VM->REG[18] v1 >> 5
VM->REG[0] += VM->REG[5] (v1 >> 5) + 34589
VM->REG[16] = VM->REG[0] VM->REG[16] = (v1 >> 5) + 34589
VM->REG[0] = VM->REG[14]
VM->REG[0] ^= VM->REG[15]
VM->REG[0] ^= VM->REG[16]
VM->REG[1] += VM->REG[0] v0 += ((v1 << 4) + 613452) ^ (v1 + sum) ^ ((v1 >> 5) + 34589)
VM->REG[0] = VM->REG[1]
VM->REG[0] *= VM->REG[17]; v0 << 4
VM->REG[0] += VM->REG[6] (v0 << 4) + 108471
VM->REG[14] = VM->REG[0] VM->REG[14] = ((v0 << 4) + 108471)
VM->REG[0] = VM->REG[1]
VM->REG[0] += VM->REG[8] v0 + sum
VM->REG[15] = VM->REG[0] VM->REG[15] = (v0 + sum)
VM->REG[0] = VM->REG[1]
VM->REG[0] /= VM->REG[18] v0 >> 5
VM->REG[0] += VM->REG[7] (v0 >> 5) + 1230791
VM->REG[16] = VM->REG[0] VM->REG[16] = (v0 >> 5) + 1230791
VM->REG[0] = VM->REG[14]
VM->REG[0] ^= VM->REG[15]
VM->REG[0] ^= VM->REG[16]
VM->REG[2] += VM->REG[0] v1 += ((v0 << 4) + 108471) ^ (v0 + sum) ^ ((v0 >> 5) + 1230791)
// decrement the round counter; loop back to 3 * 352 while it is non-zero
// (CMP read as "not equal"), otherwise return to the caller through REG[20].
VM->REG[11] -= VM->REG[12]
CMP VM->REG[10], VM->REG[11] if yes: VM->_eip = 3 * VM->REG[19]
VM->_eip = 3 * VM->REG[20]
// "no" stub (3 * 387 by line count): prints "no" and jumps to 3 * REG[20].
nop
VM->REG[0] = 110 # NO
putchar
VM->REG[0] = 111
putchar
VM->_eip = 3 * VM->REG[20]
// "yes" stub (3 * 393 by line count): prints "yes" and jumps to 3 * REG[20].
nop
VM->REG[0] = 121 # YES
putchar
VM->REG[0] = 101
putchar
VM->REG[0] = 115
putchar
VM->_eip = 3 * VM->REG[20]
nop
nop

逐步分析后可以看出这是 TEA 加密,提取出密文和 key 后解密即可

#include <stdio.h>
#include <stdint.h>

//加密函数
/*
 * TEA block encryption, 32 rounds.
 *
 * v: two 32-bit words of plaintext, overwritten in place with the ciphertext.
 * k: four 32-bit key words, read only.
 */
void encrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9; /* TEA's golden-ratio round constant */
    uint32_t y = v[0];
    uint32_t z = v[1];
    uint32_t sum = 0;
    unsigned round;

    for (round = 0; round < 32; round++) {
        sum += delta;
        y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
    }

    v[0] = y;
    v[1] = z;
}
//解密函数
/*
 * TEA block decryption, 32 rounds (inverse of encrypt()).
 *
 * v: two 32-bit words of ciphertext, overwritten in place with the plaintext.
 * k: four 32-bit key words, read only.
 *
 * sum starts at delta * 32 mod 2^32 (0xC6EF3720) and is walked back one delta
 * per round, undoing the rounds in reverse order.
 */
void decrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t y = v[0];
    uint32_t z = v[1];
    uint32_t sum = 0xC6EF3720;
    unsigned round;

    for (round = 0; round < 32; round++) {
        z -= ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
        y -= ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        sum -= delta;
    }

    v[0] = y;
    v[1] = z;
}

/*
 * Recover the flag from the eleven words the VM checks.
 *
 * Words 0..9 are only compared by the VM after its TEA pass, so they are
 * decrypted pairwise here.  Word 10 (8206181 = 0x7D3765) is compared as
 * plaintext by the VM and is left untouched; word 11 is an explicit zero so
 * the byte view of the array is NUL-terminated before it is printed.
 * Printing the array as chars assumes a little-endian host, matching the
 * packing order seen in the VM trace.
 */
int main(void)
{
    uint32_t key[4] = {613452u, 34589u, 108471u, 1230791u};
    uint32_t v[12] = {
        3906065887u, 4125344020u,
        579781142u,  2312395361u,
        1700499305u, 612671610u,
        3655723000u, 977540402u,
        2443935368u, 1778148540u,
        8206181u, /* plaintext tail: bytes 0x65 0x37 0x7D 0x00 ("e7}") */
        0u,       /* string terminator */
    };
    int pair;

    for (pair = 0; pair < 5; pair++)
        decrypt(v + 2 * pair, key);

    fputs((const char *)v, stdout);
    return 0;
}
// VNCTF{ecd63ae5-8945-4ac4-b5a5-34fc3ade81e7}

4.时空飞行

IDA打开,发现流程非常的清晰,就是时间的问题。。。

先判断输入的日期

写脚本直接逆即可

from z3 import *
from Crypto.Util.number import *


def __ROL4__(a1, num):
    """Rotate the 32-bit value *a1* left by *num* bits (IDA's __ROL4__ macro)."""
    upper = (a1 << num) & 0xFFFFFFFF
    wrapped = (a1 >> (32 - num)) & 0xFFFFFFFF
    return upper | wrapped


def __ROR4__(a1, num):
    """Rotate the 32-bit value *a1* right by *num* bits (IDA's __ROR4__ macro)."""
    lower = (a1 >> num) & 0xFFFFFFFF
    wrapped = (a1 << (32 - num)) & 0xFFFFFFFF
    return lower | wrapped


def sub_401A3B(a1):
    """Linear mixing step from the binary: a1 ^ rol13(a1) ^ ror9(a1), masked to 32 bits.

    ror9 is the same as rol23, so this is the L' transform used by the SM4 key
    schedule; note the script contains no S-box step around it.
    """
    mixed = a1 ^ __ROL4__(a1, 13)
    mixed ^= __ROR4__(a1, 9)
    return mixed & 0xFFFFFFFF


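# Round constants and system parameters.  These values are the SM4 cipher's CK
# and FK tables, but the schedule reversed below has no S-box step, so the
# binary appears to use a stripped-down variant (as read from the decompilation).
CK = [
    0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,
    0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,
    0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,
    0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,
    0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,
    0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,
    0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,
    0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279,
]

# The four words the binary ends up with (slots 32..35 of the schedule).
dword_404040 = [0xFD07C452, 0xEC90A488, 0x68D33CD1, 0x96F64587]
FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC]

v5 = [0] * 32 + dword_404040

# Walk the schedule backwards (j = 32 .. 1): each earlier word is recovered from
# the four words that follow it and the matching round constant.
for j in range(32, 0, -1):
    v5[j - 1] = sub_401A3B(v5[j] ^ v5[j + 1] ^ v5[j + 2] ^ CK[j - 1]) ^ v5[j + 3]

# Strip the FK whitening from the first four words.
c = [word ^ fk for word, fk in zip(v5[:4], FK)]

# Emit each word as exactly four big-endian bytes.  long_to_bytes() drops a
# leading 0x00 byte, which would silently shift the printed layout.
data = b"".join(word.to_bytes(4, "big") for word in c)
print(data)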
# 0211205

然后再往下,用Z3解

from z3 import *
from Crypto.Util.number import *

# One symbolic 32-bit word per schedule slot: slots 0..5 are the unknown flag
# (24 bytes), slots 6..65 are derived from them further down.
flag = [BitVec(f"flag1_{i}", 32) for i in range(66)]

# Expected output bytes after the final mixing pass (24 entries, one per byte).
dword_404080 = [
    0x25, 0x15, 0xDF, 0xA2, 0xC0, 0x93, 0xAD, 0x14, 0x46, 0xC5, 0x0F, 0x2E,
    0x9A, 0xEB, 0x30, 0xF8, 0x20, 0xE9, 0xCB, 0x88, 0xC6, 0xBE, 0x8D, 0xE3,
]
# Per-step XOR constants used by sub_401FFB; only the high byte is set and the
# sequence 01,02,04,08,10,20,40,80,1B,36 matches the AES rcon values.
dword_4050C0 = [
    0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
    0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000,
]


def HIBYTE(a1):
    """Return bits 31..24 of the 32-bit word *a1* (IDA's HIBYTE macro).

    The script also applies this to z3 bit-vector expressions; the mask keeps
    the result a single byte either way.
    """
    top = a1 >> 24
    return top & 255


def BYTE2(a1):
    """Return bits 23..16 of the 32-bit word *a1* (IDA's BYTE2 macro)."""
    third = a1 >> 16
    return third & 255


def BYTE1(a1):
    """Return bits 15..8 of the 32-bit word *a1* (IDA's BYTE1 macro)."""
    second = a1 >> 8
    return second & 255


def BYTE(a1):
    """Return bits 7..0 of the word *a1* (IDA's BYTE / LOBYTE macro)."""
    return a1 & 255


def sub_401FFB(a1, a2):
    """Rotate the bytes of *a1* left by one position and XOR with dword_4050C0[a2].

    Reproduces the three helpers IDA showed inside this routine: sub_401EFB
    splits the word into bytes (MSB first), sub_401F67 rotates that byte list
    by one, and sub_401EA7 reassembles it big-endian.  For integer inputs the
    result equals a 32-bit rotate-left by 8 bits XORed with the constant.
    Works on z3 bit-vector expressions as well as ints.
    """
    mask = 0xFFFFFFFF

    # sub_401EFB: most significant byte first
    octets = [HIBYTE(a1), BYTE2(a1), BYTE1(a1), BYTE(a1)]

    # sub_401F67: rotate the byte list left by one
    b0, b1, b2, b3 = octets[1:] + octets[:1]

    # sub_401EA7: reassemble big-endian
    word = ((b0 << 24) & mask) | ((b1 << 16) & mask) | ((b2 << 8) & mask) | (b3 & mask)

    return (word ^ dword_4050C0[a2]) & mask


# Author's concrete sample values for the six key words, kept for reference:
# flag = [0X31323334, 0X35363738, 0X39303132,
#         0x33343536, 0x37383930, 0x31323334] + [0] * 60

# Expand words 6..65 from the six input words.  Every sixth word goes through
# sub_401FFB with the next constant (v3 counts those steps); all other words
# are a plain XOR of the word six back and the previous word.
v3 = 0
for v5 in range(6, 66):
    if v5 % 6 == 0:
        v2 = flag[v5 - 6]
        flag[v5] = v2 ^ sub_401FFB(flag[v5 - 1], v3)
        v3 += 1
    else:
        flag[v5] = flag[v5 - 6] ^ flag[v5 - 1]


# Split the last six words into 24 bytes, least significant byte first.
v4 = [0] * 24
for i in range(6):
    word = flag[i + 60]
    v4[4 * i:4 * i + 4] = [BYTE(word), BYTE1(word), BYTE2(word), HIBYTE(word)]

# Forward mixing pass: each byte is folded with its right-hand neighbour.
for i in range(1, 24):
    v4[i - 1] ^= (v4[i - 1] % 18 + v4[i] + 5) ^ 0x41


# Constrain the mixed bytes to the expected table, pin the known prefix
# (1447969620 = 0x564E4354, the bytes "VNCT") and solve.
s = Solver()
for actual, expected in zip(v4, dword_404080):
    s.add(actual == expected)

s.add(flag[0] == 1447969620)  # VNCT
assert s.check() == sat
print("SUCCESS")
m = s.model()
real_flag = b"".join(long_to_bytes(m[flag[i]].as_long()) for i in range(6))

print(real_flag)
# VNCTF{TimeFlightMachine}

去掉空字符为flag: VNCTF{TimeFl20211205ightMachine}