Files
hacc/web/some_assembly_required_4/solve.py
T

121 lines
3.2 KiB
Python

# OUTPUT FROM GHIDRA WITH WASM EXTENSION:
#
# byte export::check_flag(void)
# {
# int strcmp_result;
# int j;
# int i;
# undefined1 c;
#
# for (i = 0; (&ram_result_buf)[i] != '\0'; i = i + 1) {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 0x14;
# if (0 < i) {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (&DA T_ram_0000042f)[i];
# }
# if (2 < i) {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (&DA T_ram_0000042d)[i];
# }
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (byte) (i % 10);
# if (i % 2 == 0) {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 9;
# }
# else {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 8;
# }
# if (i % 3 == 0) {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 7;
# }
# else if (i % 3 == 1) {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 6;
# }
# else {
# (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 5;
# }
# }
# for (j = 0; j < i; j = j + 1) {
# if ((j % 2 == 0) && (j + 1 < i)) {
# c = (&ram_result_buf)[j];
# (&ram_result_buf)[j] = (&ram_result_buf_plus1)[j];
# (&ram_result_buf_plus1)[j] = c;
# }
# }
# strcmp_result = strcmp((char *)0x400,&ram_result _buf);
# return (strcmp_result != 0 ^ 0xffU) & 1;
# }
INPUT_0400 = b"\x18j|a\x118i7\x1fYyY>\x1cVc\x0dB\x1d~l9\x1cZ!]c\x11\x00b\x05IK~a4\x1cW(\x0fR"
def check_flag(flag: bytes) -> bool:
ram_result_buf = bytearray(flag)
i = 0
while i < len(ram_result_buf) and ram_result_buf[i] != 0:
ram_result_buf[i] ^= 0x14
if i > 0:
ram_result_buf[i] ^= ram_result_buf[i - 1]
if i > 2:
ram_result_buf[i] ^= ram_result_buf[i - 3]
ram_result_buf[i] ^= (i % 10)
if i % 2 == 0:
ram_result_buf[i] ^= 9
else:
ram_result_buf[i] ^= 8
if i % 3 == 0:
ram_result_buf[i] ^= 7
elif i % 3 == 1:
ram_result_buf[i] ^= 6
else:
ram_result_buf[i] ^= 5
i += 1
for j in range(len(ram_result_buf)):
if (j % 2 == 0) and (j + 1 < i):
ram_result_buf[j], ram_result_buf[j + 1] = ram_result_buf[j + 1], ram_result_buf[j]
return bytes(ram_result_buf) == INPUT_0400
def recover_flag() -> bytes:
recovered_flag = bytearray(INPUT_0400)
for j in range(0, len(recovered_flag)):
if (j % 2 == 0) and (j + 1 < len(recovered_flag)):
recovered_flag[j], recovered_flag[j + 1] = recovered_flag[j + 1], recovered_flag[j]
for i in reversed(range(len(recovered_flag))):
if i % 3 == 0:
recovered_flag[i] ^= 7
elif i % 3 == 1:
recovered_flag[i] ^= 6
else:
recovered_flag[i] ^= 5
if i % 2 == 0:
recovered_flag[i] ^= 9
else:
recovered_flag[i] ^= 8
recovered_flag[i] ^= (i % 10)
if i > 2:
recovered_flag[i] ^= recovered_flag[i - 3]
if i > 0:
recovered_flag[i] ^= recovered_flag[i - 1]
recovered_flag[i] ^= 0x14
return bytes(recovered_flag)
def main():
flag = recover_flag()
print(f"Recovered flag: {flag.decode()}")
if __name__ == "__main__":
main()