121 lines
3.2 KiB
Python
121 lines
3.2 KiB
Python
|
|
# OUTPUT FROM GHIDRA WITH WASM EXTENSION:
|
|
#
|
|
# byte export::check_flag(void)
|
|
# {
|
|
# int strcmp_result;
|
|
# int j;
|
|
# int i;
|
|
# undefined1 c;
|
|
#
|
|
# for (i = 0; (&ram_result_buf)[i] != '\0'; i = i + 1) {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 0x14;
|
|
# if (0 < i) {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (&DA T_ram_0000042f)[i];
|
|
# }
|
|
# if (2 < i) {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (&DA T_ram_0000042d)[i];
|
|
# }
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (byte) (i % 10);
|
|
# if (i % 2 == 0) {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 9;
|
|
# }
|
|
# else {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 8;
|
|
# }
|
|
# if (i % 3 == 0) {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 7;
|
|
# }
|
|
# else if (i % 3 == 1) {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 6;
|
|
# }
|
|
# else {
|
|
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 5;
|
|
# }
|
|
# }
|
|
# for (j = 0; j < i; j = j + 1) {
|
|
# if ((j % 2 == 0) && (j + 1 < i)) {
|
|
# c = (&ram_result_buf)[j];
|
|
# (&ram_result_buf)[j] = (&ram_result_buf_plus1)[j];
|
|
# (&ram_result_buf_plus1)[j] = c;
|
|
# }
|
|
# }
|
|
# strcmp_result = strcmp((char *)0x400,&ram_result _buf);
|
|
# return (strcmp_result != 0 ^ 0xffU) & 1;
|
|
# }
|
|
|
|
INPUT_0400 = b"\x18j|a\x118i7\x1fYyY>\x1cVc\x0dB\x1d~l9\x1cZ!]c\x11\x00b\x05IK~a4\x1cW(\x0fR"
|
|
|
|
def check_flag(flag: bytes) -> bool:
|
|
ram_result_buf = bytearray(flag)
|
|
i = 0
|
|
while i < len(ram_result_buf) and ram_result_buf[i] != 0:
|
|
ram_result_buf[i] ^= 0x14
|
|
|
|
if i > 0:
|
|
ram_result_buf[i] ^= ram_result_buf[i - 1]
|
|
|
|
if i > 2:
|
|
ram_result_buf[i] ^= ram_result_buf[i - 3]
|
|
|
|
ram_result_buf[i] ^= (i % 10)
|
|
|
|
if i % 2 == 0:
|
|
ram_result_buf[i] ^= 9
|
|
else:
|
|
ram_result_buf[i] ^= 8
|
|
|
|
if i % 3 == 0:
|
|
ram_result_buf[i] ^= 7
|
|
elif i % 3 == 1:
|
|
ram_result_buf[i] ^= 6
|
|
else:
|
|
ram_result_buf[i] ^= 5
|
|
|
|
i += 1
|
|
|
|
for j in range(len(ram_result_buf)):
|
|
if (j % 2 == 0) and (j + 1 < i):
|
|
ram_result_buf[j], ram_result_buf[j + 1] = ram_result_buf[j + 1], ram_result_buf[j]
|
|
|
|
return bytes(ram_result_buf) == INPUT_0400
|
|
|
|
def recover_flag() -> bytes:
|
|
recovered_flag = bytearray(INPUT_0400)
|
|
|
|
for j in range(0, len(recovered_flag)):
|
|
if (j % 2 == 0) and (j + 1 < len(recovered_flag)):
|
|
recovered_flag[j], recovered_flag[j + 1] = recovered_flag[j + 1], recovered_flag[j]
|
|
|
|
for i in reversed(range(len(recovered_flag))):
|
|
if i % 3 == 0:
|
|
recovered_flag[i] ^= 7
|
|
elif i % 3 == 1:
|
|
recovered_flag[i] ^= 6
|
|
else:
|
|
recovered_flag[i] ^= 5
|
|
|
|
if i % 2 == 0:
|
|
recovered_flag[i] ^= 9
|
|
else:
|
|
recovered_flag[i] ^= 8
|
|
|
|
recovered_flag[i] ^= (i % 10)
|
|
|
|
if i > 2:
|
|
recovered_flag[i] ^= recovered_flag[i - 3]
|
|
|
|
if i > 0:
|
|
recovered_flag[i] ^= recovered_flag[i - 1]
|
|
|
|
recovered_flag[i] ^= 0x14
|
|
|
|
return bytes(recovered_flag)
|
|
|
|
def main():
|
|
flag = recover_flag()
|
|
print(f"Recovered flag: {flag.decode()}")
|
|
|
|
if __name__ == "__main__":
|
|
main()
|