Created
August 30, 2018 08:43
MeePwn CTF Final 2018 - Handmade
function name: (null) | |
number of ops: 39 | |
compiled vars: !0 = $flag, !1 = $_box, !2 = $magic | |
line #* E I O op fetch ext return operands | |
------------------------------------------------------------------------------------- | |
3 0 E > ASSIGN !0, 'FLAG+HERE' | |
5 1 NOP | |
13 2 NOP | |
21 3 NOP | |
33 4 NOP | |
58 5 NOP | |
74 6 FETCH_IS $4 '_GET' | |
7 ISSET_ISEMPTY_DIM_OBJ 33554432 ~5 $4, 'key' | |
8 > JMPZ_EX ~5 ~5, ->13 | |
9 > FETCH_R global $6 '_GET' | |
10 FETCH_DIM_R $7 $6, 'key' | |
11 IS_NOT_IDENTICAL ~8 $7, '' | |
12 BOOL ~5 ~8 | |
13 > > JMPZ ~5, ->44 | |
75 14 > INIT_FCALL 'b' | |
15 FETCH_R global $9 '_GET' | |
16 FETCH_DIM_R $10 $9, 'key' | |
17 SEND_VAR $10 | |
18 DO_FCALL 0 $11 | |
19 ASSIGN !1, $11 | |
76 20 INIT_FCALL 'a' | |
21 SEND_VAR !1 | |
22 DO_FCALL 0 $13 | |
23 ASSIGN !2, $13 | |
77 24 FETCH_IS $15 '_GET' | |
25 ISSET_ISEMPTY_DIM_OBJ 33554432 ~16 $15, 'magic' | |
26 > JMPZ_EX ~16 ~16, ->33 | |
27 > INIT_FCALL 'is_numeric' | |
28 FETCH_R global $17 '_GET' | |
29 FETCH_DIM_R $18 $17, 'magic' | |
30 SEND_VAR $18 | |
31 DO_ICALL $19 | |
32 BOOL ~16 $19 | |
33 > > JMPZ_EX ~16 ~16, ->39 | |
34 > FETCH_R global $20 '_GET' | |
35 FETCH_DIM_R $21 $20, 'magic' | |
36 CAST 4 ~22 $21 | |
37 IS_IDENTICAL ~23 ~22, !2 | |
38 BOOL ~16 ~23 | |
39 > > JMPZ ~16, ->42 | |
78 40 > > EXIT !0 | |
41* JMP ->43 | |
80 42 > > EXIT 'invalid+magic' | |
43* JMP ->45 | |
82 44 > > EXIT 'invalid+key' | |
45* > RETURN 1 | |
function name: x | |
number of ops: 17 | |
compiled vars: !0 = $box, !1 = $i, !2 = $sum, !3 = $j | |
line #* E I O op fetch ext return operands | |
------------------------------------------------------------------------------------- | |
5 0 E > RECV !0 | |
1 RECV !1 | |
6 2 ASSIGN !2, 0 | |
7 3 ASSIGN !3, 0 | |
4 > JMP ->10 | |
8 5 > FETCH_DIM_R $6 !0, !1 | |
6 FETCH_DIM_R $7 $6, !3 | |
7 ASSIGN_ADD 0 !2, $7 | |
7 8 POST_INC ~9 !3 | |
9 FREE ~9 | |
10 > INIT_FCALL 'count' | |
11 SEND_VAR !0 | |
12 DO_ICALL $10 | |
13 IS_SMALLER ~11 !3, $10 | |
14 > JMPNZ ~11, ->5 | |
10 15 > > RETURN !2 | |
11 16* > RETURN null | |
End of function x | |
function name: y | |
number of ops: 17 | |
compiled vars: !0 = $box, !1 = $i, !2 = $sum, !3 = $j | |
line #* E I O op fetch ext return operands | |
------------------------------------------------------------------------------------- | |
13 0 E > RECV !0 | |
1 RECV !1 | |
14 2 ASSIGN !2, 0 | |
15 3 ASSIGN !3, 0 | |
4 > JMP ->10 | |
16 5 > FETCH_DIM_R $6 !0, !3 | |
6 FETCH_DIM_R $7 $6, !1 | |
7 ASSIGN_ADD 0 !2, $7 | |
15 8 POST_INC ~9 !3 | |
9 FREE ~9 | |
10 > INIT_FCALL 'count' | |
11 SEND_VAR !0 | |
12 DO_ICALL $10 | |
13 IS_SMALLER ~11 !3, $10 | |
14 > JMPNZ ~11, ->5 | |
18 15 > > RETURN !2 | |
19 16* > RETURN null | |
End of function y | |
function name: z | |
number of ops: 27 | |
compiled vars: !0 = $box, !1 = $sum, !2 = $i, !3 = $j | |
line #* E I O op fetch ext return operands | |
------------------------------------------------------------------------------------- | |
21 0 E > RECV !0 | |
22 1 ASSIGN !1, 0 | |
23 2 ASSIGN !2, 0 | |
3 > JMP ->20 | |
24 4 > ASSIGN !3, 0 | |
5 > JMP ->13 | |
25 6 > IS_EQUAL ~7 !2, !3 | |
7 > JMPZ ~7, ->11 | |
26 8 > FETCH_DIM_R $8 !0, !2 | |
9 FETCH_DIM_R $9 $8, !3 | |
10 ASSIGN_ADD 0 !1, $9 | |
24 11 > POST_INC ~11 !3 | |
12 FREE ~11 | |
13 > INIT_FCALL 'count' | |
14 SEND_VAR !0 | |
15 DO_ICALL $12 | |
16 IS_SMALLER ~13 !3, $12 | |
17 > JMPNZ ~13, ->6 | |
23 18 > POST_INC ~14 !2 | |
19 FREE ~14 | |
20 > INIT_FCALL 'count' | |
21 SEND_VAR !0 | |
22 DO_ICALL $15 | |
23 IS_SMALLER ~16 !2, $15 | |
24 > JMPNZ ~16, ->4 | |
30 25 > > RETURN !1 | |
31 26* > RETURN null | |
End of function z | |
function name: a | |
number of ops: 85 | |
compiled vars: !0 = $box, !1 = $i | |
line #* E I O op fetch ext return operands | |
------------------------------------------------------------------------------------- | |
33 0 E > RECV !0 | |
34 1 INIT_FCALL 'count' | |
2 SEND_VAR !0 | |
3 DO_ICALL $2 | |
4 INIT_FCALL 'count' | |
5 SEND_VAR !0 | |
6 DO_ICALL $3 | |
7 MUL ~4 $2, $3 | |
8 INIT_FCALL 'count' | |
9 SEND_VAR !0 | |
10 SEND_VAL 1 | |
11 DO_ICALL $5 | |
12 INIT_FCALL 'count' | |
13 SEND_VAR !0 | |
14 DO_ICALL $6 | |
15 SUB ~7 $5, $6 | |
16 IS_NOT_EQUAL ~8 ~4, ~7 | |
17 > JMPZ ~8, ->19 | |
35 18 > > RETURN 0 | |
37 19 > ASSIGN !1, 0 | |
20 > JMP ->35 | |
38 21 > INIT_FCALL 'y' | |
22 SEND_VAR !0 | |
23 SEND_VAR !1 | |
24 DO_FCALL 0 $10 | |
25 INIT_FCALL 'y' | |
26 SEND_VAR !0 | |
27 ADD ~11 !1, 1 | |
28 SEND_VAL ~11 | |
29 DO_FCALL 0 $12 | |
30 IS_NOT_EQUAL ~13 $10, $12 | |
31 > JMPZ ~13, ->33 | |
39 32 > > RETURN 0 | |
37 33 > POST_INC ~14 !1 | |
34 FREE ~14 | |
35 > INIT_FCALL 'count' | |
36 SEND_VAR !0 | |
37 DO_ICALL $15 | |
38 SUB ~16 $15, 1 | |
39 IS_SMALLER ~17 !1, ~16 | |
40 > JMPNZ ~17, ->21 | |
42 41 > ASSIGN !1, 0 | |
42 > JMP ->57 | |
43 43 > INIT_FCALL 'x' | |
44 SEND_VAR !0 | |
45 SEND_VAR !1 | |
46 DO_FCALL 0 $19 | |
47 INIT_FCALL 'x' | |
48 SEND_VAR !0 | |
49 ADD ~20 !1, 1 | |
50 SEND_VAL ~20 | |
51 DO_FCALL 0 $21 | |
52 IS_NOT_EQUAL ~22 $19, $21 | |
53 > JMPZ ~22, ->55 | |
44 54 > > RETURN 0 | |
42 55 > POST_INC ~23 !1 | |
56 FREE ~23 | |
57 > INIT_FCALL 'count' | |
58 SEND_VAR !0 | |
59 DO_ICALL $24 | |
60 SUB ~25 $24, 1 | |
61 IS_SMALLER ~26 !1, ~25 | |
62 > JMPNZ ~26, ->43 | |
47 63 > INIT_FCALL 'z' | |
64 SEND_VAR !0 | |
65 DO_FCALL 0 $27 | |
66 INIT_FCALL 'y' | |
67 SEND_VAR !0 | |
68 SEND_VAL 0 | |
69 DO_FCALL 0 $28 | |
70 IS_NOT_EQUAL ~29 $27, $28 | |
71 > JMPZ ~29, ->73 | |
48 72 > > RETURN 0 | |
50 73 > INIT_FCALL 'z' | |
74 SEND_VAR !0 | |
75 DO_FCALL 0 $30 | |
76 IS_SMALLER ~31 16, $30 | |
77 > JMPZ ~31, ->83 | |
51 78 > INIT_FCALL 'z' | |
79 SEND_VAR !0 | |
80 DO_FCALL 0 $32 | |
81 > RETURN $32 | |
82* JMP ->84 | |
54 83 > > RETURN 0 | |
56 84* > RETURN null | |
End of function a | |
function name: b | |
number of ops: 63 | |
compiled vars: !0 = $key, !1 = $key_, !2 = $box, !3 = $i, !4 = $tmp, !5 = $j | |
line #* E I O op fetch ext return operands | |
------------------------------------------------------------------------------------- | |
58 0 E > RECV !0 | |
59 1 INIT_FCALL 'explode' | |
2 SEND_VAL '-' | |
3 SEND_VAR !0 | |
4 DO_ICALL $6 | |
5 ASSIGN !1, $6 | |
60 6 ASSIGN !2, <array> | |
61 7 ASSIGN !3, 0 | |
8 > JMP ->20 | |
62 9 > INIT_FCALL 'str_split' | |
10 FETCH_DIM_R $10 !1, !3 | |
11 SEND_VAR $10 | |
12 DO_ICALL $11 | |
13 ASSIGN !4, $11 | |
63 14 INIT_FCALL 'array_push' | |
15 SEND_REF !2 | |
16 SEND_VAR !4 | |
17 DO_ICALL | |
61 18 POST_INC ~14 !3 | |
19 FREE ~14 | |
20 > INIT_FCALL 'count' | |
21 SEND_VAR !1 | |
22 DO_ICALL $15 | |
23 IS_SMALLER ~16 !3, $15 | |
24 > JMPNZ ~16, ->9 | |
65 25 > ASSIGN !3, 0 | |
26 > JMP ->56 | |
66 27 > ASSIGN !5, 0 | |
28 > JMP ->49 | |
67 29 > INIT_FCALL 'ord' | |
30 FETCH_DIM_R $21 !2, !3 | |
31 FETCH_DIM_R $22 $21, !5 | |
32 SEND_VAR $22 | |
33 DO_ICALL $23 | |
34 INIT_FCALL 'count' | |
35 SEND_VAR !2 | |
36 DO_ICALL $24 | |
37 INIT_FCALL 'count' | |
38 SEND_VAR !2 | |
39 DO_ICALL $25 | |
40 MUL ~26 $24, $25 | |
41 SUB ~27 ~26, 1 | |
42 BW_AND ~28 $23, ~27 | |
43 ADD ~29 ~28, 1 | |
44 FETCH_DIM_W $19 !2, !3 | |
45 ASSIGN_DIM $19, !5 | |
46 OP_DATA ~29 | |
66 47 POST_INC ~30 !5 | |
48 FREE ~30 | |
49 > INIT_FCALL 'count' | |
50 SEND_VAR !2 | |
51 DO_ICALL $31 | |
52 IS_SMALLER ~32 !5, $31 | |
53 > JMPNZ ~32, ->29 | |
65 54 > POST_INC ~33 !3 | |
55 FREE ~33 | |
56 > INIT_FCALL 'count' | |
57 SEND_VAR !2 | |
58 DO_ICALL $34 | |
59 IS_SMALLER ~35 !3, $34 | |
60 > JMPNZ ~35, ->27 | |
70 61 > > RETURN !2 | |
71 62* > RETURN null | |
End of function b | |
Generated using Vulcan Logic Dumper |
<?php | |
// Secret printed by the request handler at the bottom of this file when the
// key/magic check succeeds.
// NOTE(review): the value is a literal in the served script, so anyone who can
// read the source (or a backup or disassembly of it) obtains it without passing
// the check. The opcode dump of the deployed file shows a placeholder literal
// ('FLAG+HERE') in this same assignment. Prefer loading secrets from
// configuration kept outside the web root.
$flag = 'MeePwnCTF{handmade_is_cool_but_crypto_is_N0T_cool_as_you_think!_HIHIHIXD}';
/**
 * Row sum: adds the first count($box) cells of row $i.
 *
 * The column bound is the number of rows, so the row is walked as if the
 * grid were square; the function itself does not verify that.
 *
 * @param array $box grid of numeric cells (array of rows)
 * @param int   $i   row index
 * @return int|float sum of $box[$i][0 .. count($box) - 1]
 */
function x($box, $i) {
    $total = 0;
    $width = count($box);
    $col = 0;
    while ($col < $width) {
        $total += $box[$i][$col];
        $col++;
    }
    return $total;
}
/**
 * Column sum: adds cell $i of each of the count($box) rows.
 *
 * @param array $box grid of numeric cells (array of rows)
 * @param int   $i   column index
 * @return int|float sum of $box[0 .. count($box) - 1][$i]
 */
function y($box, $i) {
    $total = 0;
    $height = count($box);
    $row = 0;
    while ($row < $height) {
        $total += $box[$row][$i];
        $row++;
    }
    return $total;
}
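/**
 * Main-diagonal sum: adds $box[k][k] for k = 0 .. count($box) - 1.
 *
 * The original scanned every (i, j) pair and kept only i == j; a single
 * index visits exactly the same cells in the same order without the
 * quadratic scan.
 *
 * @param array $box grid of numeric cells (array of rows)
 * @return int|float sum of the main diagonal (0 for an empty grid)
 */
function z($box) {
    $sum = 0;
    $size = count($box);
    for ($k = 0; $k < $size; $k++) {
        $sum += $box[$k][$k];
    }
    return $sum;
}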
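/**
 * Validate that $box is a square grid whose column sums are all equal, whose
 * row sums are all equal, and whose main-diagonal sum equals the sum of
 * column 0; return that diagonal sum when it is greater than 16.
 *
 * Only the main diagonal is checked (via z()); the anti-diagonal is not.
 *
 * Return contract: 0 means "rejected" for every failure path. Callers must
 * treat 0 as a failure sentinel and never as a value that client input is
 * allowed to match.
 *
 * @param array $box grid of numeric cells (array of rows)
 * @return int|float the diagonal sum (> 16) on success, 0 on any failure
 */
function a($box) {
    $size = count($box);

    // Aggregate shape check: COUNT_RECURSIVE counts the rows themselves plus
    // their cells, so subtracting the row count leaves the number of cells.
    if (($size * $size) != (count($box, COUNT_RECURSIVE) - $size)) {
        return 0;
    }

    // The aggregate count alone also accepts ragged grids (one long row can
    // offset one short row), which would make x()/y() read missing cells.
    // Require every row to be an array of exactly $size cells.
    foreach ($box as $row) {
        if (!is_array($row) || count($row) !== $size) {
            return 0;
        }
    }

    // Adjacent columns must have equal sums.
    for ($i = 0; $i < $size - 1; $i++) {
        if (y($box, $i) != y($box, $i + 1)) {
            return 0;
        }
    }

    // Adjacent rows must have equal sums.
    for ($i = 0; $i < $size - 1; $i++) {
        if (x($box, $i) != x($box, $i + 1)) {
            return 0;
        }
    }

    // Compute the diagonal once instead of up to three times.
    $diagonal = z($box);
    if ($diagonal != y($box, 0)) {
        return 0;
    }

    return ($diagonal > 16) ? $diagonal : 0;
}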
/**
 * Turn a "-"-separated key into a grid of small integers.
 *
 * Each segment becomes one row of single characters (str_split); then, for
 * every row/column index below the row count, the cell is replaced by
 * (ord(char) & (n*n - 1)) + 1, where n is the number of rows.
 *
 * NOTE(review): the second pass indexes every column below n regardless of
 * how long the segment actually was, so a short segment is read past its end
 * and a long segment keeps its extra cells as raw characters. Nothing here
 * validates the shape; that is left to the caller.
 * NOTE(review): n*n - 1 only acts as a clean bit mask when n*n is a power of
 * two; for other sizes it keeps an irregular subset of values.
 *
 * @param string $key untrusted key text taken from the request
 * @return array grid (array of rows) produced from the key
 */
function b($key) {
    $parts = explode("-", $key);
    $box = array();
    $partCount = count($parts);
    for ($r = 0; $r < $partCount; ++$r) {
        $box[] = str_split($parts[$r]);
    }

    $side = count($box);
    $mask = $side * $side - 1;
    for ($r = 0; $r < $side; ++$r) {
        for ($c = 0; $c < $side; ++$c) {
            $code = ord($box[$r][$c]);
            $box[$r][$c] = ($code & $mask) + 1;
        }
    }
    return $box;
}
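// Request handler: build the grid from ?key, validate it with a(), and release
// $flag only when ?magic equals the value a() computed.
$key = isset($_GET['key']) ? $_GET['key'] : null;
$supplied = isset($_GET['magic']) ? $_GET['magic'] : null;

// Query parameters can arrive as arrays (key[]=...); b() expects a string, so
// anything else is rejected here instead of being passed to explode().
if (is_string($key) && $key !== '') {
    $_box = b($key);
    $magic = a($_box);

    // a() returns 0 for every rejected grid, so 0 is a failure sentinel and not
    // a sum. A failed validation must never compare equal to client input,
    // hence the explicit $magic !== 0 guard before the equality test.
    if ($magic !== 0 && is_numeric($supplied) && (int)$supplied === $magic) {
        die($flag);
    }
    else {
        die('invalid magic');
    }
}
else {
    die('invalid key');
}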