N1CTF 2021 Nu1L Hotel Checkin Writeup

题目简述

题目是使用 Unity 发布的 WebGL 程序，在文本框中输入 flag 后点击下方按钮进行检查。

文件分析

F12 可以找到 WebGL 发布的三个文件：

release_2018.data.unityweb 包含程序相关的资源数据

release_2018.wasm.code.unityweb 包含程序编译生成的代码

release_2018.wasm.framework.unityweb 包含 Unity 相关的框架代码

资源分析

使用 AssetStudio 打开 release_2018.data.unityweb，可以找到名为 N1CTFChecker 的 MonoBehavior，然后点击 File -> Extract file 提取文件得到 global-metadata.dat。

在 Unity 框架中 MonoBehavior 是附加在 GameObject 上的 C# 脚本，用于执行用户自定义的函数。

使用 IL2CppDumper 解析 global-metadata.dat 和 release_2018.wasm.code.unityweb 得到 dump.cs，可以在里面找到 N1CTFChecker 的声明：

// Namespace: 
public class N1CTFChecker : MonoBehaviour // TypeDefIndex: 2380
{
	// Methods

	// RVA: 0x90F Offset: 0x90F VA: 0x90F
	private void Start() { }

	// RVA: 0x910 Offset: 0x910 VA: 0x910
	private void Update() { }

	// RVA: 0x635 Offset: 0x635 VA: 0x635
	public bool check(string flag) { }

	// RVA: 0x911 Offset: 0x911 VA: 0x911
	public void OnClick() { }

	// RVA: 0x912 Offset: 0x912 VA: 0x912
	public void .ctor() { }
}

代码分析

与常规的 Unity 逆向不同的是，上一步得到的 RVA 并不是 wasm 文件中的偏移地址，而且~~目前似乎没有公开的方法可以找到真实的偏移地址~~。

鉴于 wasm 中函数数目多达三万，逐个检查显然是不现实的，所以这里换了一种思路，从函数调用栈开始入手。

注意到在点击按钮时，程序会在控制台日志中打印输入的 flag。

所以可以先在 console.log() 的位置下断点：

触发断点后在函数调用栈中寻找关键函数：

回溯函数调用栈可以找到最早在 Local Variables 中存在对 flag 内容引用的函数位于 0x8086e46f，结合 Memory Inspector 进一步分析可以判断这里是 OnClick 函数。

安装 ghidra-wasm-plugin 插件，使用 Ghidra 对 wasm 进行反编译，查看伪代码：

void OnClick(undefined4 param1,undefined4 param2)

{
  undefined4 uVar1;
  int iVar2;
  undefined4 uVar3;
  undefined4 uVar4;
  undefined4 param2_00;
  
  if (cRam002828a0 == '\0') {
    unnamed_function_31565(PTR_DAT_ram_00001535_ram_0006550c);
    cRam002828a0 = '\x01';
  }
  uVar1 = unnamed_function_21209(param1,0);
  uVar1 = unnamed_function_30128(uVar1,_DAT_ram_00204ed4,0);
  iVar2 = unnamed_function_28091(uVar1,_DAT_ram_001fd140);
  uVar1 = unnamed_function_28091(*(undefined4 *)(iVar2 + 0x9c),_DAT_ram_001fd14c);
  param2_00 = *(undefined4 *)(iVar2 + 0xf0);
  unnamed_function_20876(iVar2,_DAT_ram_00201b8c,0);
  unnamed_function_14173(0x42,iVar2,4);
                    /* input flag: */
  uVar3 = unnamed_function_25541(_DAT_ram_00204ed8,param2_00,0);
  if (((*(ushort *)(_DAT_ram_001fca50 + 0xbe) & 0x200) != 0) &&
     (*(int *)(_DAT_ram_001fca50 + 0x70) == 0)) {
    unnamed_function_31610(_DAT_ram_001fca50);
  }
  unnamed_function_21246(uVar3,0);
  uVar3 = unnamed_function_21209(param1,0);
  uVar3 = unnamed_function_30128(uVar3,_DAT_ram_00204ed0,0);
  uVar3 = unnamed_function_18116(uVar3,_DAT_ram_001fd150);
  uVar4 = unnamed_function_21209(param1,0);
  uVar4 = unnamed_function_30128(uVar4,_DAT_ram_00204d94,0);
  uVar4 = unnamed_function_30128(uVar4,_DAT_ram_00204edc,0);
  iVar2 = check(0,param2_00,0);
  if (iVar2 == 0) {
                    /* never gonna */
    unnamed_function_14173(0x49,uVar1,_DAT_ram_00204ee8);
    uVar1 = unnamed_function_21209(param1,0);
                    /* button */
    uVar1 = unnamed_function_30128(uVar1,_DAT_ram_00204c28,0);
    uVar1 = unnamed_function_18116(uVar1,_DAT_ram_001fd134);
    uVar1 = unnamed_function_30816(uVar1,_DAT_ram_001fd154);
                    /* try again */
    unnamed_function_14173(0x49,uVar1,_DAT_ram_00204eec);
  }
  else {
    unnamed_function_14173(0x49,uVar1,_DAT_ram_00204ee0);
    unnamed_function_31075(uVar3,0);
    uVar1 = unnamed_function_28091(uVar4,_DAT_ram_001fd148);
    unnamed_function_21117(uVar1,1,0);
    uVar1 = unnamed_function_18116(uVar4,_DAT_ram_001fd150);
    unnamed_function_31074(uVar1,0);
    uVar1 = unnamed_function_21209(param1,0);
    uVar1 = unnamed_function_30128(uVar1,_DAT_ram_00204c28,0);
    uVar1 = unnamed_function_18116(uVar1,_DAT_ram_001fd134);
    unnamed_function_23234(uVar1,0,0);
    uVar1 = unnamed_function_21209(param1,0);
    uVar1 = unnamed_function_30128(uVar1,_DAT_ram_00204c28,0);
    uVar1 = unnamed_function_18116(uVar1,_DAT_ram_001fd134);
    uVar1 = unnamed_function_30816(uVar1,_DAT_ram_001fd154);
                    /* congratulation */
    unnamed_function_14173(0x49,uVar1,_DAT_ram_00204ee4);
  }
  return;
}

接着分析控制流可以找到关键的 check 函数：

undefined4 check(undefined4 param1,undefined4 flag,undefined4 param3)

{
  int index;
  int index2;
  int iVar1;
  undefined4 uVar2;
  int index3;
  int table_;
  int target_;
  int buffer;
  int *flag__;
  int length;
  undefined4 uStack00000000;
  undefined4 uStack00000004;
  undefined4 uStack00000008;
  
  if (cRam0028289f == '\0') {
    unnamed_function_31565(PTR_DAT_ram_00001536_ram_00065510);
    cRam0028289f = '\x01';
  }
  uVar2 = unnamed_function_27012(0);
  index3 = unnamed_function_13755(0xf,uVar2,flag);
                    /* 54*54 */
  table_ = malloc_int(_DAT_ram_001fbaec,&DAT_ram_00000b64);
  uStack00000004 = _DAT_ram_00201408;
  uStack00000008 = _DAT_ram_00201408;
  unnamed_function_14607(table_,&stack0x00000008,0);
                    /* 54 */
  target_ = malloc_int(_DAT_ram_001fbaec,0x36);
  uStack00000000 = _DAT_ram_00201478;
  uStack00000008 = _DAT_ram_00201478;
  unnamed_function_14607(target_,&stack0x00000008,0);
  flag__ = (int *)(index3 + 0xc);
                    /* cmp length
                       *(flag_ + 0xc)==*(target + 0xc) */
  if (*flag__ == *(int *)(target_ + 0xc)) {
    buffer = malloc_int(_DAT_ram_001fbaec,*flag__);
    for (index = 0; length = *flag__, index < length; index = index + 1) {
                    /* transform */
      iVar1 = 0;
      for (index2 = 0; index2 < length; index2 = index2 + 1) {
        iVar1 = *(int *)(table_ + 0x10 + (index2 + *flag__ * index) * 4) *
                (uint)*(byte *)(index3 + 0x10 + index2) + iVar1;
        length = *flag__;
                    /* :transform_inner
                       int table[54*54]
                       char flag[54]
                       var1 += table[index2+length*index] * flag[index2] */
      }
      *(int *)(buffer + 0x10 + index * 4) = iVar1;
    }
    for (index3 = 0; index3 < length; index3 = index3 + 1) {
                    /* :compare
                       int code[54]
                       buffer[index3] == code[index3] */
      if (*(int *)(buffer + 0x10 + index3 * 4) != *(int *)(target_ + 0x10 + index3 * 4)) {
        return 0;
      }
      length = *flag__;
    }
                    /* right */
    uVar2 = 1;
  }
  else {
                    /* wrong */
    uVar2 = 0;
  }
  return uVar2;
}

加密分析

check 函数的逻辑实际上是一个矩阵乘法，输入的 flag 与 table 矩阵相乘后得到 buffer，随后将 buffer 和 code 的内容进行比较。

首先将调试器定位到 check 函数。

此时可以在 Local Variable 找到几个关键的指针：

$var5 指向密文内容 int code[54]

$var7 指向输入内容 char flag[54]

$var8 指向矩阵内容 int table[54*54]

在控制台中使用 js 将完整的内存 dump 下来，再结合 WinHex 进行提取：

var temp1 = UnityLoader.Blobs["blob:https://n1ctf-hotel-checkin.misty.workers.dev/3e19d30d-574b-48a0-a1b9-3725905425b3"].Module.buffer;

var a = document.createElement('a');
var file = new Blob([temp1], { type: 'text/plain' });

a.href = URL.createObjectURL(file);
a.download = 'dump';
a.click();

解密分析

使用 z3 进行求解：

import z3
code = [4294966455,1908,2410,484,4294961584,4294966742,2422,506,4294966406,3616,3813,1856,1861,6777,4294966615,4294966441,4294961097,4294962248,4294967025,4294965473,1305,4294966895,1415,3504,2165,4294960261,4294966608,4294964904,3623,4294965173,4294966058,4294961599,2763,7604,4294966185,3433,4294965182,4213,3864,4294967153,4271,4294966470,4294967260,135,1571,4294964262,963,2868,752,4294966286,4294966286,186,1083,4294965910,]  
table = [1,0,3,4294967292,4294967293,2,4294967295,4294967292,4294967292,4294967294,2,0,4,4294967290,4294967294,4,0,4,2,2,4294967294,4294967294,4294967294,0,4,4294967294,4294967292,0,6,0,2,4294967294,6,4294967294,4294967292,4294967292,2,4294967294,2,2,4294967294,4294967292,0,4294967292,2,0,2,4,4294967290,4294967294,2,4294967294,2,0,4294967295,0,4294967295,2,1,0,4294967295,2,1,2,3,4294967294,4294967289,6,3,4294967284,4294967293,4294967292,5,4294967284,4294967295,6,4294967295,2,4294967293,10,3,2,4294967293,4294967294,4294967291,8,4294967289,2,1,10,4294967289,4294967294,4294967295,4294967284,13,4,1,0,7,4294967292,4294967290,18,2,4,4,6,4294967288,0,1,0,1,4294967294,4294967295,4294967294,1,2,4294967291,0,4294967291,2,3,4,1,4,5,4,1,2,3,2,5,4294967288,4294967293,4294967292,4294967293,10,3,4294967290,4294967291,10,4294967292,4294967294,4294967288,6,10,0,0,0,4294967292,6,0,0,8,4294967294,12,4294967292,4,2,4294967290,4294967286,2,2,1,2,1,4294967294,1,0,4294967295,4294967292,4294967293,4294967292,4294967291,4,4294967295,0,4294967293,4,4294967293,4294967292,1,4294967294,4294967293,4294967292,1,4294967294,4294967293,12,3,2,1,4,4294967289,2,4294967291,2,4294967289,2,4294967287,4294967284,4294967289,4294967292,5,4,4294967293,4294967294,16,10,6,0,10,4294967288,8,4294967294,4294967292,8,1,0,3,4294967294,4294967295,0,3,2,4294967293,4294967292,1,2,4294967293,4294967288,4294967295,6,4294967293,0,4294967287,2,4294967291,2,4294967293,4294967294,4294967293,4294967295,4294967291,1,4294967295,1,1,4294967291,3,4294967295,5,4294967291,4294967293,4294967295,3,4294967289,4294967295,4294967285,1,4294967291,1,4294967295,1,5,4294967283,4294967287,4294967295,1,1,4294967295,4294967295,4294967294,1,4294967294,4294967293,6,4294967291,4294967294,1,0,9,4294967292,4294967291,4294967294,5,0,4294967291,4,4294967295,2,4294967291,0,4294967295,4,1,4294967290,1,4,1,6,5,4294967286,9,4,8,4294967288,6,0,6,10,4294967284,4294967290,0,4294967288,4294967290,0,4294967292,6,4294967282,8,4294967294,0,12,4294967284,4294967295,4294967294,4294967295,0,4294967295,4,4294967295,0,4294967295,4294967294,1,0,4294967291,2,7,4,4294967291,0,5,2,1,4294967292,0,4294967292,2,6,6,4294967292,2,4294967292,2,4,0,6,4,4294967294,0,2,0,10,6,4294967294,6,4294967292,2,4294967292,0,4294967290,4,4,8,4294967292,4294967288,0,1,0,1,0,1,4294967292,1,2,4294967293,0,4294967291,4,1,4294967294,4294967295,0,4,4294967294,0,6,4294967292,4294967292,6,4294967292,6,2,4294967290,4294967292,0,2,0,0,0,4294967292,0,4294967290,6,0,0,4,4294967294,4294967294,2,6,4,4294967292,2,4294967292,2,4294967294,4,4294967294,4294967294,6,1,0,1,0,1,4294967294,5,2,4294967293,4294967294,4294967295,4,3,4294967292,0,4,0,2,4294967292,4294967294,4294967294,2,4,4294967294,4,4294967294,4,4294967294,4294967294,4294967294,4294967290,0,4294967292,4294967290,4,4294967288,4294967294,2,4,0,8,4294967290,4,4294967290,4294967294,4294967292,0,4,4294967294,4,2,2,4294967290,2,4294967295,0,4294967295,0,4294967293,2,4294967295,4294967294,3,2,1,4294967292,1,0,1,0,4294967295,4294967292,5,6,4294967295,6,4294967291,4294967294,7,0,4294967295,0,7,2,17,0,3,16,4294967293,6,1,4,4294967291,2,4294967291,6,4294967289,4294967285,11,1,5,4294967289,4294967295,4294967291,4294967285,7,4294967295,3,4294967295,4294967294,4294967295,2,4294967295,0,1,4,3,4,5,4294967294,3,0,3,4294967292,4294967295,0,4294967293,4,4294967295,2,4294967291,4294967294,9,2,3,4294967284,1,4294967292,7,4,3,0,1,0,3,4,9,0,11,4294967290,5,4294967290,4294967295,0,7,4,4294967291,3,4294967293,13,4294967287,1,1,0,1,4294967294,1,0,4294967293,0,1,0,1,1,1,4294967295,3,1,4294967293,3,4294967291,5,4294967295,4294967289,3,1,4294967293,1,4294967295,7,4294967295,5,3,4294967287,1,4294967295,1,4294967295,5,1,4294967293,3,4294967289,1,4294967293,1,1,3,5,3,4294967293,1,3,4294967293,9,4294967293,1,0,1,4294967294,4294967295,4294967294,4294967295,0,4294967291,3,4294967295,5,3,4294967295,4294967295,3,5,5,3,7,1,4294967291,3,4294967295,1,4294967295,4294967293,4294967295,3,4294967295,4294967293,4294967291,3,4294967295,1,4294967291,7,1,4294967295,1,4294967295,4294967295,1,4294967295,3,4294967295,5,1,4294967293,3,7,4294967293,1,4294967295,4294967295,0,4294967293,4,3,4294967294,1,4,3,4,1,0,4294967293,10,5,4294967286,3,0,1,4294967294,3,8,7,2,4294967293,0,3,0,4294967291,4294967290,4294967295,12,4294967289,4294967290,4294967293,2,3,6,4294967295,4294967290,9,2,7,6,5,6,4294967293,4294967290,15,6,3,4294967294,6,6,4294967295,0,4294967295,0,4294967293,0,4294967295,0,4294967293,0,4294967291,4,4294967295,0,4294967291,6,4294967295,4294967290,3,4294967294,1,4294967294,4294967291,0,4294967295,6,1,4294967294,4294967295,4294967294,4294967289,0,4294967293,4294967294,3,6,4294967289,0,3,4294967290,4294967293,12,4294967295,4294967292,5,10,1,4294967288,4,4294967292,4294967286,0,0,12,1,2,1,4294967295,1,4294967295,1,4294967293,4294967295,4294967295,4294967295,1,1,4294967295,4294967293,4294967295,1,4294967295,1,4294967295,4294967295,1,4294967295,3,4294967295,3,4294967295,1,1,1,1,1,1,1,4294967293,1,4294967295,4294967295,4294967295,4294967293,4294967295,4294967295,4294967293,4294967295,1,3,4294967295,1,4294967295,4294967293,4294967295,4294967295,1,4294967295,4294967295,4294967294,4294967295,2,4294967295,0,3,4,1,4294967292,4294967293,2,1,4294967288,1,6,4294967289,4294967292,4294967293,4294967292,1,0,4294967291,0,1,4294967290,4294967293,4294967292,4294967289,4294967292,3,0,4294967281,4294967294,9,4294967290,4294967287,2,3,11,3,4294967287,1,4294967293,4294967291,4294967285,1,4294967293,3,1,4294967295,4294967291,4294967279,15,1,2,1,0,1,4294967294,3,4294967294,3,0,1,4294967294,7,4294967290,4294967289,0,5,4,4294967291,4294967294,4294967295,4,4294967291,4,4294967291,4294967286,4294967291,4294967294,1,1,4294967293,4294967293,3,4294967291,4294967291,4294967295,4294967289,4294967293,4294967295,4294967285,4294967295,4294967291,4294967291,7,4294967291,7,4294967295,3,4294967293,4294967285,4294967291,3,3,1,4294967295,0,4294967293,4,1,4294967293,3,3,3,3,4294967293,1,1,1,4294967295,4294967295,3,4294967293,1,4294967295,3,3,4294967295,4294967295,1,4294967293,1,4294967291,4294967293,4294967293,4294967293,1,4294967293,1,1,4294967295,4294967295,1,4294967295,4294967295,5,3,1,3,4294967293,4294967295,4294967295,4294967291,3,4294967295,4294967293,5,4294967291,5,4294967295,4294967294,1,0,4294967293,2,0,2,0,4294967294,2,4294967292,4294967294,4294967292,0,0,4294967294,4294967294,0,4294967294,4294967294,4,4294967294,4294967294,6,4294967292,4294967294,4294967294,2,0,2,2,2,0,0,4294967294,4294967294,0,4,0,2,4294967294,2,4294967294,0,4294967294,4294967294,0,4294967294,4294967294,4294967292,2,4294967294,2,4294967295,0,4294967293,2,4294967295,4294967294,4294967295,0,4294967295,8,4294967295,4,5,6,4294967293,4294967294,5,4294967294,5,6,9,4294967292,4294967293,4294967292,3,4,1,4294967284,4294967295,4294967294,4294967291,4294967294,4294967295,4,4294967293,4,3,4294967288,4294967287,4294967288,9,8,4294967295,4294967294,5,4294967285,4294967293,5,1,4294967293,17,19,4294967289,4294967293,4294967295,0,4294967295,0,4294967294,2,4294967294,4294967294,0,2,2,0,0,2,0,4294967294,4294967294,4294967294,4,4294967294,2,2,4294967292,0,0,2,2,0,0,4294967294,4294967294,2,0,4,4294967294,4,4294967294,4294967292,2,0,0,2,4294967294,0,0,0,4294967294,0,0,0,4294967294,0,0,0,4294967295,0,4294967293,2,4294967295,4294967294,1,4,1,4,4294967291,2,4294967295,6,1,4,3,4294967292,4294967295,7,9,4294967295,4294967295,4294967293,4294967291,4294967295,4294967295,4294967295,4294967295,4294967295,1,4294967289,5,9,4294967295,5,7,5,4294967291,4294967293,4294967293,11,4294967289,1,3,4294967295,1,4294967287,1,4294967293,4294967295,5,3,4294967291,1,2,4294967295,0,1,4294967294,3,4294967292,4294967295,2,4294967293,6,7,0,4294967295,6,7,6,4294967295,8,4294967294,0,0,4294967288,4,4294967294,0,4294967292,4,0,4294967292,2,6,4294967294,4294967294,4294967292,8,4294967288,4294967294,2,2,8,0,0,4,0,2,2,4294967294,4294967292,0,0,0,6,4294967295,0,4294967295,0,4294967293,2,4294967295,4294967294,3,2,1,4294967292,4294967295,0,4294967295,2,4294967295,4294967294,3,0,4294967295,4,4294967289,4294967294,3,4294967294,7,4,5,6,4294967293,1,11,3,4294967289,4294967295,5,4294967295,3,7,4294967295,11,4294967293,4294967291,4294967293,5,3,3,4294967291,4294967295,4294967285,4294967293,3,1,4294967295,4294967294,4294967295,2,4294967295,4294967294,4294967295,6,3,2,4294967295,0,4294967295,4294967290,4294967295,0,4294967293,4294967292,4294967295,4294967294,1,4294967288,4294967291,4294967292,4294967291,4294967292,4294967287,4294967294,4294967291,4294967290,4294967291,4294967288,4294967293,4294967292,4294967295,4294967292,4294967289,4294967292,0,0,0,4294967292,4294967292,4,4294967292,4294967290,0,2,0,4294967290,10,6,4294967294,10,4294967295,0,4294967295,0,4294967293,0,4294967295,0,4294967291,4,1,4,4294967295,4,1,4294967292,4294967295,4294967294,5,4294967288,5,10,1,0,1,4294967294,1,10,4294967293,4294967290,4294967287,4294967294,4294967289,4,7,2,5,4294967294,9,4294967288,4294967289,4,8,0,4294967294,4294967292,4,4294967292,4294967290,4,4294967284,2,2,4294967294,1,0,3,4294967292,4294967293,2,1,4294967294,4294967289,4294967292,4294967295,4,1,4294967292,4294967295,10,3,6,4294967293,4,4294967295,4294967290,4294967295,4294967286,1,2,4294967286,4294967294,6,4294967290,2,4294967294,12,0,2,4,4294967294,4294967290,4294967294,4294967286,2,2,4294967292,4294967294,6,4294967290,4294967290,10,4294967286,4294967292,4,2,4294967294,4294967294,1,0,1,4294967294,1,2,4294967295,4294967294,3,4294967294,1,4294967292,4294967295,4294967294,3,6,4294967293,2,4294967295,6,4294967289,4294967288,4294967293,0,0,8,2,0,8,4,12,4294967288,4,2,0,4,4,6,4294967290,4,4294967292,0,2,4294967292,2,0,6,4,4294967290,4294967294,4,6,4294967294,0,4294967295,0,4294967295,2,4294967295,4294967294,4294967295,0,1,0,4294967291,0,0,4294967292,4294967288,0,2,4294967288,4,0,0,4294967294,4294967292,2,4,0,4294967290,4294967292,4294967292,4,0,0,4294967294,0,0,2,4294967294,4294967294,4294967292,2,0,2,4294967294,8,4294967294,4,4294967294,4294967290,4,4294967290,4294967294,4,4294967294,8,1,0,1,4294967294,1,0,4294967293,4294967294,4294967293,0,4294967295,4,4294967295,4294967294,4294967293,6,1,4,1,8,4294967295,4294967282,4294967289,0,4294967293,8,4294967291,4294967292,1,4294967292,5,4294967294,4294967293,4294967288,7,4294967288,5,8,5,8,1,4294967286,5,0,4294967283,4294967292,4294967291,4,4294967291,6,13,0,4294967287,6,1,2,1,4294967294,4294967295,0,1,4294967290,4294967295,4294967294,4294967295,2,5,4294967288,4294967291,4,1,4,3,4294967290,3,4294967290,4294967291,8,4294967289,4294967290,4294967285,2,4294967289,4294967294,9,4294967288,1,4294967294,4294967293,4294967294,4294967289,4294967294,4294967285,4294967290,1,4294967295,3,1,1,4294967295,4294967295,3,4294967289,4294967289,4294967295,4294967289,7,3,4294967295,0,4294967293,2,1,0,4294967295,2,1,6,3,2,4294967295,11,7,4294967289,1,3,1,4294967295,7,5,3,4294967295,4294967291,1,7,1,4294967295,4294967289,4294967291,3,4294967293,7,1,5,1,4294967295,3,4294967291,1,5,4294967295,4294967295,1,4294967293,4294967295,4294967295,3,7,4294967295,4294967293,1,4294967289,4294967295,0,4294967293,2,4294967295,0,1,0,3,6,1,2,3,2,3,2,3,0,5,8,4294967289,2,4294967295,4294967292,5,4294967294,5,4294967290,1,2,3,4294967288,11,4,4294967295,10,9,4294967294,5,0,4294967291,6,4294967295,10,7,4,7,4294967292,9,4294967284,4294967294,8,2,2,4294967295,0,4294967295,0,4294967293,2,1,4294967294,4294967293,2,2,2,2,2,0,0,0,0,6,4294967292,4,6,4294967292,4294967294,2,0,4,4294967292,2,4294967288,4294967290,6,0,4,4294967294,2,4294967292,4294967292,6,4294967294,6,0,0,4294967292,0,4294967292,4294967292,0,0,2,4294967294,0,4294967290,0,1,0,1,4294967294,1,2,1,0,4294967295,0,3,4294967294,4294967295,6,5,2,3,10,4294967295,4,1,0,1,4294967292,4294967287,2,4294967295,4294967294,10,4294967292,4,10,4,4294967294,4294967290,4,2,0,4294967292,4294967290,6,2,6,4294967294,6,4294967294,2,4,4294967292,6,6,4294967290,4294967292,4294967292,4294967295,0,4294967295,0,4294967293,2,1,4294967294,4294967293,2,3,2,1,0,4294967295,0,4294967295,1,7,4294967291,9,5,4294967289,5,4294967295,4294967295,3,4294967291,1,4294967287,4294967293,3,4294967295,5,1,4294967293,4294967291,1,5,4294967293,9,4294967293,3,4294967289,4294967291,4294967295,4294967291,4294967295,4294967293,5,1,4294967295,4294967289,4294967293,1,2,4294967295,2,3,4294967290,3,0,4294967295,4,4294967291,4,5,2,4294967291,4294967294,11,0,5,6,4294967293,2,5,4294967293,7,4294967295,3,4294967291,3,1,4294967287,3,1,4294967295,4294967295,4294967295,7,1,4294967295,1,3,3,4294967293,3,3,1,3,4294967291,11,4294967293,1,1,4294967295,3,1,0,1,0,3,0,3,0,1,4294967288,4294967293,0,4294967295,4294967292,5,4,4294967291,2,4294967287,4294967292,4294967293,6,9,0,5,4294967290,3,14,4294967293,10,4294967295,0,4294967289,4294967290,11,4294967288,7,5,4294967293,9,4294967291,5,4294967295,4294967295,3,3,3,7,3,3,4294967291,4294967291,1,4294967295,4294967295,0,4294967295,0,4294967293,0,4294967295,2,4294967295,2,4294967293,0,4294967293,4,4294967295,2,1,4294967292,4294967295,4,9,6,4294967295,0,4294967293,4294967290,4294967295,6,3,6,1,4294967294,7,12,4294967293,3,5,4294967293,4294967291,4294967295,4294967287,11,4294967279,4294967291,7,1,3,4294967295,4294967295,4294967293,4294967293,4294967293,1,4294967287,1,0,1,0,1,4294967292,3,4,4294967291,0,4294967291,2,4294967295,4,1,0,7,2,4294967295,4,1,8,7,4294967292,1,4294967290,4294967295,4,1,0,4294967293,10,4294967295,2,4294967291,4294967294,17,4294967294,7,2,4294967294,2,2,4294967288,12,2,14,4294967292,8,4294967294,4294967294,4294967290,4294967294,4294967292,4294967295,4294967294,4294967295,2,4294967295,0,1,2,1,0,4294967295,0,4294967295,4294967292,4294967295,6,1,4294967294,4294967293,6,4294967293,4294967294,1,4294967290,9,4294967292,5,4294967288,4294967295,8,4294967287,4294967290,3,4294967294,5,4294967284,6,4294967292,4294967292,6,6,0,12,0,4294967290,4294967294,0,4294967290,4294967290,4294967292,8,6,4294967292,4,4294967295,4294967295,4294967295,1,4294967295,1,4294967295,1,1,1,1,4294967295,4294967295,1,1,4294967295,4294967295,4294967295,1,4294967295,1,1,4294967295,4294967295,1,4294967295,1,4294967295,4294967295,4294967295,4294967295,1,4294967295,1,1,1,4294967295,4294967295,1,1,1,1,1,1,4294967295,4294967295,4294967295,4294967295,1,1,4294967295,1,4294967295,1,1,2,4294967295,0,1,4294967292,1,0,1,4,4294967293,6,7,0,1,4294967294,4294967293,4294967292,4294967293,6,5,0,4294967293,4294967294,3,4,5,2,4294967295,2,4294967295,4294967290,4294967295,10,4294967287,2,7,4294967286,5,4,4294967287,8,4294967287,4294967290,1,4294967292,5,4294967294,4294967293,4294967294,5,4294967293,4294967291,1,1,0,1,4294967294,4294967295,0,3,0,4294967293,4294967292,4294967291,2,1,4294967294,3,10,4294967293,4294967294,4294967294,2,4294967294,4294967294,4,4294967292,2,2,2,4,2,2,0,4294967292,2,0,4294967294,4294967292,6,4,4294967294,8,4294967292,2,0,4294967290,6,4294967294,8,4294967292,4294967292,0,0,2,0,2,4294967295,0,4294967295,2,4294967295,0,3,2,1,0,1,2,4294967295,4294967294,1,4294967294,4294967293,4294967290,4294967293,2,5,5,4294967293,4294967293,7,1,3,4294967289,4294967295,4294967293,1,4294967295,5,9,1,4294967293,4294967293,4294967295,5,4294967291,9,4294967295,4294967289,4294967293,4294967293,4294967293,4294967283,4294967293,1,4294967289,4294967295,3,4294967293,4294967291,4294967295,4294967294,4294967295,2,1,2,4294967295,0,5,4294967294,1,4294967288,1,0,1,4294967294,3,6,1,4294967290,3,0,5,0,4294967295,4294967284,4294967287,4294967294,5,4294967294,3,2,1,4294967288,4294967295,0,4294967289,4294967292,4294967289,6,4294967293,8,9,14,4294967295,2,4294967295,4294967292,3,4,7,0,4294967293,1,1,0,3,4294967294,4294967295,0,1,4294967294,4294967295,4294967292,4294967295,4294967292,3,4294967288,4294967287,6,3,0,1,2,4294967287,0,1,6,5,4294967292,4294967295,4294967292,3,12,2,4294967294,6,4294967284,4294967290,4294967294,0,4,4294967294,4,4,4294967294,6,4294967294,4,12,4,4294967294,2,4294967292,0,4,6,6,1,0,1,0,1,4294967292,1,2,4294967293,2,4294967293,2,1,4294967294,4294967291,1,5,4294967295,3,3,4294967291,4294967293,3,4294967295,3,1,4294967295,4294967293,1,3,4294967291,4294967295,4294967293,4294967289,1,4294967291,3,3,4294967295,3,1,4294967291,5,1,1,4294967293,7,1,1,1,7,3,4294967291,5,4294967295,4294967294,1,0,4294967293,0,4294967293,4,1,2,1,4294967288,4294967291,0,4294967293,4294967292,4294967295,4294967290,1,4294967292,4294967293,6,4294967295,2,1,4294967294,4294967289,4,7,6,3,4294967290,4294967293,4294967295,1,1,4294967293,1,4294967293,4294967289,4294967283,5,3,1,7,4294967295,9,4294967295,4294967287,4294967295,4294967293,15,3,1,4294967295,0,4294967295,2,1,0,4294967295,1,1,4294967295,4294967295,4294967295,4294967291,3,4294967295,4294967291,4294967295,4294967291,1,4294967291,1,3,1,3,4294967295,3,1,1,4294967291,1,4294967295,5,4294967291,3,3,5,4294967291,4294967295,4294967295,4294967293,1,1,4294967295,3,4294967295,3,4294967291,4294967293,5,1,4294967293,4294967295,4294967295,4294967295,1,0,2,4294967294,0,0,0,0,4294967294,4294967294,0,0,0,4294967294,0,2,0,2,4294967294,2,4294967294,4294967294,2,0,0,0,4294967294,2,2,2,2,4294967294,2,4294967294,0,4294967294,2,2,0,0,4294967294,4294967294,0,4294967294,2,0,2,2,4294967294,0,2,4294967294,2,4294967294,1,2,4294967295,2,3,4294967292,7,2,3,0,4294967293,2,7,4294967294,4294967295,2,3,2,4294967291,0,1,8,1,4294967292,1,4294967290,1,1,3,4294967293,3,1,4294967291,3,4294967295,7,4294967293,4294967295,4294967295,4294967289,5,7,4294967289,4294967293,3,4294967293,1,1,3,4294967291,4294967287,3,4294967291,3,4294967295,0,4294967293,4,1,4294967292,1,4,3,6,4294967295,4,1,2,3,4294967288,1,4294967292,1,0,4294967295,2,4294967293,4294967288,5,4,1,4294967292,4294967291,4294967292,4294967289,2,4294967289,4,5,4294967290,4294967295,0,9,2,7,6,4294967293,8,4294967289,4294967290,4294967287,3,5,3,4294967289,3,4294967285,1,]
solver = z3.Solver()
input = [z3.BitVec("input_%d"%i,32) for i in range(54)]
for i in range(54):
    sum = 0
    for j in range(54):
        sum += input[j] * table[i*54+j]
    solver.add(sum == code[i])
if solver.check() == z3.sat:
    model = solver.model()
    for i in range(54):
        print(chr(model[input[i]].as_long()),end="")

最后得到 flag：

n1ctf{NEVER_GONNA_GIVE_U_WASM_NEVER_GONNA_LET_U_UNITY}

posted @ 2021-11-22 18:59 Byaidu 阅读(609) 评论(1) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

Byaidu