@reductor
Last active April 29, 2022 10:41
b01lersCTF 2022 : pactvm (will post proper write-up later)
count 14
local_38 3
local_1c 10
data b'cdarzowkky'
local_38 3
local_1c 10
data b'hiddqscdxr'
local_38 3
local_1c 10
data b'jmowfrxsjy'
local_38 3
local_1c 10
data b'bldbefsarc'
local_38 3
local_1c 10
data b'bynecdyggx'
local_38 3
local_1c 10
data b'xpklorelln'
local_38 3
local_1c 10
data b'mpapqfwkho'
local_38 3
local_1c 10
data b'pkmcoqhnwn'
local_38 3
local_1c 10
data b'kuewhsqmgb'
local_38 3
local_1c 10
data b'buqcljjivs'
local_38 3
local_1c 10
data b'wmdkqtbxix'
local_38 3
local_1c 10
data b'mvtrrbljpt'
local_38 3
local_1c 10
data b'nsnfwzqfjm'
local_38 3
local_1c 10
data b'afadrrwsof'
count2 5
count3 0
FUN_00401530
val1 0
val2 0
val3 41
arr b'\x07\x01\x1b\x00\x19\x02\x04\x00\x10\x03\x1f\x01\x00\x0e\x14\x10\x04\t\x19\x05\x10\x06\x04\x01\x14\x02\x00\x0b\x14\x10\x07\t\x19\x08\x10\t\x04\x01\x14\x11\x00'
elements [46, 46, 46, 46, 47, 47, 47, 47, 47, 47, 47, 47, 47, 47, 47, 48, 48, 48, 49, 49, 49, 49, 49, 49, 49, 50, 50, 50, 50, 51, 51, 51, 52, 52, 52, 52, 52, 52, 52, 54, 54]
some_count2 10
0 5 b'nwlrbbmqbh'
FUN_00401530
val1 0
val2 0
val3 1037
arr b'\x19\x00\x19\x01\x10\x02\x04\x01\x04\x01\x19\x03\x15\x01\x04\x01\x10\x04\x1f\n\x01\x00\x07\x14\x10\x05\x00\x02\x00\x01\x14\x19\x06\x19\x07\x15\x01\x04\x01\x04\x01\x10\x08\x15\x03\x19\t\x15\x01\x04\x01!\x01\x00!\x14\x02\x00\x0b\x15\x03\x10\n\x0c\x16\x03\x14\x03\x00\x1b\x15\x02\x15\x03\x19\x0b\x15\x01\x15\x03&\x04\x01\'\x14\x03\x00\x1d\x14\x14\x15\x02\x10\x0c&\x15\x02\x10\r&\r\x10\x0e\x0b\x1f\n\x01\x00\x07\x14\x10\x0f\x00\x02\x00\x01\x14\x15\x02\x10\x10&\x15\x02\x10\x11&(\x10\x12\x1f\n\x01\x00\x07\x14\x10\x13\x00\x02\x00\x01\x14\x15\x02\x10\x14&\x15\x02\x10\x15&\r\x10\x16\x1f\n\x01\x00\x07\x14\x10\x17\x00\x02\x00\x01\x14\x15\x02\x10\x18&\x15\x02\x10\x19&\r\x10\x1a\x0b\x1f\n\x01\x00\x07\x14\x10\x1b\x00\x02\x00\x01\x14\x15\x02\x10\x1c&\x15\x02\x10\x1d&\x0c\x10\x1e\x1f\n\x01\x00\x07\x14\x10\x1f\x00\x02\x00\x01\x14\x15\x02\x10 &\x15\x02\x10!&\x0c\x10"\x1f\n\x01\x00\x07\x14\x10#\x00\x02\x00\x01\x14\x15\x02\x10$&\x15\x02\x10%&(\x10&\x1f\n\x01\x00\x07\x14\x10\'\x00\x02\x00\x01\x14\x15\x02\x10(&\x15\x02\x10)&(\x10*\x1f\n\x01\x00\x07\x14\x10+\x00\x02\x00\x01\x14\x15\x02\x10,&\x15\x02\x10-&\x0c\x10.\x1f\n\x01\x00\x07\x14\x10/\x00\x02\x00\x01\x14\x15\x02\x100&\x15\x02\x101&\x0c\x102\x1f\n\x01\x00\x07\x14\x103\x00\x02\x00\x01\x14\x15\x02\x104&\x15\x02\x105&(\x106\x1f\n\x01\x00\x07\x14\x107\x00\x02\x00\x01\x14\x15\x02\x108&\x15\x02\x109&(\x10:\x1f\n\x01\x00\x07\x14\x10;\x00\x02\x00\x01\x14\x15\x02\x10<&\x15\x02\x10=&\x0c\x10>\x1f\n\x01\x00\x07\x14\x10?\x00\x02\x00\x01\x14\x15\x02\x10@&\x15\x02\x10A&\x0c\x10B\x1f\n\x01\x00\x07\x14\x10C\x00\x02\x00\x01\x14\x15\x02\x10D&\x15\x02\x10E&\r\x10F\x0b\x1f\n\x01\x00\x07\x14\x10G\x00\x02\x00\x01\x14\x15\x02\x10H&\x15\x02\x10I&\x0c\x10J\x1f\n\x01\x00\x07\x14\x10K\x00\x02\x00\x01\x14\x15\x02\x10L&\x15\x02\x10M&(\x10N\x1f\n\x01\x00\x07\x14\x10O\x00\x02\x00\x01\x14\x15\x02\x10P&\x15\x02\x10Q&(\x10R\x1f\n\x01\x00\x07\x14\x10S\x00\x02\x00\x01\x14\x15\x02\x10T&\x15\x02\x10U&\r\x10V\x0b\x1f\n\x01\x00\x07\x14\x10W\x00\x02\x00\x01\x14\x15\x02\x1
0X&\x15\x02\x10Y&\r\x10Z\x1f\n\x01\x00\x07\x14\x10[\x00\x02\x00\x01\x14\x15\x02\x10\\&\x15\x02\x10]&\x0c\x10^\x1f\n\x01\x00\x07\x14\x10_\x00\x02\x00\x01\x14\x15\x02\x10`&\x15\x02\x10a&\r\x10b\x1f\n\x01\x00\x07\x14\x10c\x00\x02\x00\x01\x14\x15\x02\x10d&\x15\x02\x10e&\r\x10f\x0b\x1f\n\x01\x00\x07\x14\x10g\x00\x02\x00\x01\x14\x15\x02\x10h&\x15\x02\x10i&\x0c\x10j\x1f\n\x01\x00\x07\x14\x10k\x00\x02\x00\x01\x14\x15\x02\x10l&\x15\x02\x10m&(\x10n\x1f\n\x01\x00\x07\x14\x10o\x00\x02\x00\x01\x14\x15\x02\x10p&\x15\x02\x10q&(\x10r\x1f\n\x01\x00\x07\x14\x10s\x00\x02\x00\x01\x14\x15\x02\x10t&\x15\x02\x10u&\r\x10v\x1f\n\x01\x00\x07\x14\x10w\x00\x02\x00\x01\x14\x15\x02\x10x&\x15\x02\x10y&(\x10z\x1f\n\x01\x00\x07\x14\x10{\x00\x02\x00\x01\x14\x15\x02\x10|&\x15\x02\x10}&\x0c\x10~\x1f\n\x01\x00\x07\x14\x10\x7f\x00\x02\x00\x01\x14\x15\x02\x10\x80&\x15\x02\x10\x81&(\x10\x82\x1f\n\x01\x00\x07\x14\x10\x83\x00\x02\x00\x01\x14\x15\x02\x10\x84&\x15\x02\x10\x85&(\x10\x86\x1f\n\x01\x00\x07\x14\x10\x87\x00\x02\x00\x01\x14\x15\x02\x10\x88&\x15\x02\x10\x89&(\x10\x8a\x1f\n\x01\x00\x07\x14\x10\x8b\x00\x02\x00\x01\x14\x15\x02\x10\x8c&\x15\x02\x10\x8d&\r\x10\x8e\x0b\x1f\n\x01\x00\x07\x14\x10\x8f\x00\x02\x00\x01\x14\x15\x02\x10\x90&\x15\x02\x10\x91&(\x10\x92\x1f\n\x01\x00\x07\x14\x10\x93\x00\x02\x00\x01\x14\x15\x02\x10\x94&\x15\x02\x10\x95&\r\x10\x96\x1f\n\x01\x00\x07\x14\x10\x97\x00\x02\x00\x01\x14\x15\x02\x10\x98&\x15\x02\x10\x99&\x0c\x10\x9a\x1f\n\x01\x00\x07\x14\x10\x9b\x00\x02\x00\x01\x14\x10\x9c\x00\x11\x00'
elements [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 
25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 
44, 44, 44, 44, 44, 44, 45, 45, 45, 46, 46]
some_count2 157
0 5 b'mvtrrbljpt'
1 5 b'bldbefsarc'
2 5 b'Flag Validator: '
3 5 b'bynecdyggx'
4 3 36
5 3 1
6 5 b'xpklorelln'
7 5 b'bynecdyggx'
8 3 0
9 5 b'bynecdyggx'
10 3 1
11 5 b'buqcljjivs'
12 3 1
13 3 15
14 3 17
15 3 1
16 3 25
17 3 22
18 3 43
19 3 1
20 3 19
21 3 14
22 3 8
23 3 1
24 3 29
25 3 34
26 3 5
27 3 1
28 3 23
29 3 21
30 3 219
31 3 1
32 3 24
33 3 12
34 3 200
35 3 1
36 3 35
37 3 25
38 3 9
39 3 1
40 3 14
41 3 27
42 3 62
43 3 1
44 3 22
45 3 8
46 3 190
47 3 1
48 3 3
49 3 26
50 3 206
51 3 1
52 3 32
53 3 34
54 3 50
55 3 1
56 3 21
57 3 23
58 3 19
59 3 1
60 3 7
61 3 10
62 3 212
63 3 1
64 3 2
65 3 10
66 3 227
67 3 1
68 3 17
69 3 35
70 3 10
71 3 1
72 3 5
73 3 18
74 3 199
75 3 1
76 3 15
77 3 1
78 3 23
79 3 1
80 3 30
81 3 31
82 3 26
83 3 1
84 3 18
85 3 10
86 3 9
87 3 1
88 3 9
89 3 19
90 3 16
91 3 1
92 3 31
93 3 8
94 3 210
95 3 1
96 3 4
97 3 26
98 3 19
99 3 1
100 3 10
101 3 9
102 3 10
103 3 1
104 3 13
105 3 5
106 3 212
107 3 1
108 3 6
109 3 13
110 3 1
111 3 1
112 3 28
113 3 20
114 3 17
115 3 1
116 3 34
117 3 30
118 3 4
119 3 1
120 3 11
121 3 2
122 3 1
123 3 1
124 3 16
125 3 11
126 3 222
127 3 1
128 3 8
129 3 18
130 3 57
131 3 1
132 3 20
133 3 0
134 3 7
135 3 1
136 3 27
137 3 28
138 3 43
139 3 1
140 3 26
141 3 17
142 3 11
143 3 1
144 3 12
145 3 31
146 3 44
147 3 1
148 3 33
149 3 8
150 3 23
151 3 1
152 3 0
153 3 21
154 3 198
155 3 1
156 3 0
local_49 b'\x01'
local_50 3 b'nwlrbbmqbh'
1 5 <__main__.FUN_00401530 object at 0x0000018FEA7B3E20>
2 5 b'nwlrbbmqbh'
3 3 0
4 5 b'Congrats!'
5 5 b'afadrrwsof'
6 3 0
7 5 b'Try again :('
8 5 b'afadrrwsof'
9 3 1
local_49 b'\x00'
val1: 0
val2: 0
val3: 41
arr: b'\x07\x01\x1b\x00\x19\x02\x04\x00\x10\x03\x1f\x01\x00\x0e\x14\x10\x04\t\x19\x05\x10\x06\x04\x01\x14\x02\x00\x0b\x14\x10\x07\t\x19\x08\x10\t\x04\x01\x14\x11\x00'
b'bctf{ '
46 0x00 op#0x07 new? b'nwlrbbmqbh' # 0x1 localvars: 0
46 0x02 op#0x1b store_global? b'nwlrbbmqbh' # 0x0
47 0x04 op#0x19 get_global? b'nwlrbbmqbh' # 0x2
47 0x06 op#0x04 call 0x0
47 0x08 op#0x10 push 0 # 0x3
47 0x0a op#0x1f sp[0] == sp[1]
47 0x0b op#0x01 jz 0x1c
47 0x0e op#0x14 pop
48 0x0f op#0x10 push b'Congrats!' # 0x4
48 0x11 op#0x09 print
49 0x12 op#0x19 get_global? b'afadrrwsof' # 0x5
49 0x14 op#0x10 push 0 # 0x6
49 0x16 op#0x04 call 0x1
49 0x18 op#0x14 pop
50 0x19 op#0x02 jmp 0x27
50 0x1c op#0x14 pop
51 0x1d op#0x10 push b'Try again :(' # 0x7
51 0x1f op#0x09 print
52 0x20 op#0x19 get_global? b'afadrrwsof' # 0x8
52 0x22 op#0x10 push 1 # 0x9
52 0x24 op#0x04 call 0x1
52 0x26 op#0x14 pop
54 0x27 op#0x11 push_nil
54 0x28 op#0x00 ret
None
elements: [46, 46, 46, 46, 47, 47, 47, 47, 47, 47, 47, 47, 47, 47, 47, 48, 48, 48, 49, 49, 49, 49, 49, 49, 49, 50, 50, 50, 50, 51, 51, 51, 52, 52, 52, 52, 52, 52, 52, 54, 54]
some_count2: 10
data:
[0]:
5 b'nwlrbbmqbh'
[1]:
val1: 0
val2: 0
val3: 1037
arr: b'\x19\x00\x19\x01\x10\x02\x04\x01\x04\x01\x19\x03\x15\x01\x04\x01\x10\x04\x1f\n\x01\x00\x07\x14\x10\x05\x00\x02\x00\x01\x14\x19\x06\x19\x07\x15\x01\x04\x01\x04\x01\x10\x08\x15\x03\x19\t\x15\x01\x04\x01!\x01\x00!\x14\x02\x00\x0b\x15\x03\x10\n\x0c\x16\x03\x14\x03\x00\x1b\x15\x02\x15\x03\x19\x0b\x15\x01\x15\x03&\x04\x01\'\x14\x03\x00\x1d\x14\x14\x15\x02\x10\x0c&\x15\x02\x10\r&\r\x10\x0e\x0b\x1f\n\x01\x00\x07\x14\x10\x0f\x00\x02\x00\x01\x14\x15\x02\x10\x10&\x15\x02\x10\x11&(\x10\x12\x1f\n\x01\x00\x07\x14\x10\x13\x00\x02\x00\x01\x14\x15\x02\x10\x14&\x15\x02\x10\x15&\r\x10\x16\x1f\n\x01\x00\x07\x14\x10\x17\x00\x02\x00\x01\x14\x15\x02\x10\x18&\x15\x02\x10\x19&\r\x10\x1a\x0b\x1f\n\x01\x00\x07\x14\x10\x1b\x00\x02\x00\x01\x14\x15\x02\x10\x1c&\x15\x02\x10\x1d&\x0c\x10\x1e\x1f\n\x01\x00\x07\x14\x10\x1f\x00\x02\x00\x01\x14\x15\x02\x10 &\x15\x02\x10!&\x0c\x10"\x1f\n\x01\x00\x07\x14\x10#\x00\x02\x00\x01\x14\x15\x02\x10$&\x15\x02\x10%&(\x10&\x1f\n\x01\x00\x07\x14\x10\'\x00\x02\x00\x01\x14\x15\x02\x10(&\x15\x02\x10)&(\x10*\x1f\n\x01\x00\x07\x14\x10+\x00\x02\x00\x01\x14\x15\x02\x10,&\x15\x02\x10-&\x0c\x10.\x1f\n\x01\x00\x07\x14\x10/\x00\x02\x00\x01\x14\x15\x02\x100&\x15\x02\x101&\x0c\x102\x1f\n\x01\x00\x07\x14\x103\x00\x02\x00\x01\x14\x15\x02\x104&\x15\x02\x105&(\x106\x1f\n\x01\x00\x07\x14\x107\x00\x02\x00\x01\x14\x15\x02\x108&\x15\x02\x109&(\x10:\x1f\n\x01\x00\x07\x14\x10;\x00\x02\x00\x01\x14\x15\x02\x10<&\x15\x02\x10=&\x0c\x10>\x1f\n\x01\x00\x07\x14\x10?\x00\x02\x00\x01\x14\x15\x02\x10@&\x15\x02\x10A&\x0c\x10B\x1f\n\x01\x00\x07\x14\x10C\x00\x02\x00\x01\x14\x15\x02\x10D&\x15\x02\x10E&\r\x10F\x0b\x1f\n\x01\x00\x07\x14\x10G\x00\x02\x00\x01\x14\x15\x02\x10H&\x15\x02\x10I&\x0c\x10J\x1f\n\x01\x00\x07\x14\x10K\x00\x02\x00\x01\x14\x15\x02\x10L&\x15\x02\x10M&(\x10N\x1f\n\x01\x00\x07\x14\x10O\x00\x02\x00\x01\x14\x15\x02\x10P&\x15\x02\x10Q&(\x10R\x1f\n\x01\x00\x07\x14\x10S\x00\x02\x00\x01\x14\x15\x02\x10T&\x15\x02\x10U&\r\x10V\x0b\x1f\n\x01\x00\x07\x14\x10W\x00\x02\x00\x01\x14\x15\x02\x
10X&\x15\x02\x10Y&\r\x10Z\x1f\n\x01\x00\x07\x14\x10[\x00\x02\x00\x01\x14\x15\x02\x10\\&\x15\x02\x10]&\x0c\x10^\x1f\n\x01\x00\x07\x14\x10_\x00\x02\x00\x01\x14\x15\x02\x10`&\x15\x02\x10a&\r\x10b\x1f\n\x01\x00\x07\x14\x10c\x00\x02\x00\x01\x14\x15\x02\x10d&\x15\x02\x10e&\r\x10f\x0b\x1f\n\x01\x00\x07\x14\x10g\x00\x02\x00\x01\x14\x15\x02\x10h&\x15\x02\x10i&\x0c\x10j\x1f\n\x01\x00\x07\x14\x10k\x00\x02\x00\x01\x14\x15\x02\x10l&\x15\x02\x10m&(\x10n\x1f\n\x01\x00\x07\x14\x10o\x00\x02\x00\x01\x14\x15\x02\x10p&\x15\x02\x10q&(\x10r\x1f\n\x01\x00\x07\x14\x10s\x00\x02\x00\x01\x14\x15\x02\x10t&\x15\x02\x10u&\r\x10v\x1f\n\x01\x00\x07\x14\x10w\x00\x02\x00\x01\x14\x15\x02\x10x&\x15\x02\x10y&(\x10z\x1f\n\x01\x00\x07\x14\x10{\x00\x02\x00\x01\x14\x15\x02\x10|&\x15\x02\x10}&\x0c\x10~\x1f\n\x01\x00\x07\x14\x10\x7f\x00\x02\x00\x01\x14\x15\x02\x10\x80&\x15\x02\x10\x81&(\x10\x82\x1f\n\x01\x00\x07\x14\x10\x83\x00\x02\x00\x01\x14\x15\x02\x10\x84&\x15\x02\x10\x85&(\x10\x86\x1f\n\x01\x00\x07\x14\x10\x87\x00\x02\x00\x01\x14\x15\x02\x10\x88&\x15\x02\x10\x89&(\x10\x8a\x1f\n\x01\x00\x07\x14\x10\x8b\x00\x02\x00\x01\x14\x15\x02\x10\x8c&\x15\x02\x10\x8d&\r\x10\x8e\x0b\x1f\n\x01\x00\x07\x14\x10\x8f\x00\x02\x00\x01\x14\x15\x02\x10\x90&\x15\x02\x10\x91&(\x10\x92\x1f\n\x01\x00\x07\x14\x10\x93\x00\x02\x00\x01\x14\x15\x02\x10\x94&\x15\x02\x10\x95&\r\x10\x96\x1f\n\x01\x00\x07\x14\x10\x97\x00\x02\x00\x01\x14\x15\x02\x10\x98&\x15\x02\x10\x99&\x0c\x10\x9a\x1f\n\x01\x00\x07\x14\x10\x9b\x00\x02\x00\x01\x14\x10\x9c\x00\x11\x00'
b'bctf{are_you_satisfied_with_this_vm} '
3 0x00 op#0x19 get_global? b'mvtrrbljpt' # 0x0
3 0x02 op#0x19 get_global? b'bldbefsarc' # 0x1
3 0x04 op#0x10 push b'Flag Validator: ' # 0x2
3 0x06 op#0x04 call 0x1
3 0x08 op#0x04 call 0x1
4 0x0a op#0x19 get_global? b'bynecdyggx' # 0x3
4 0x0c op#0x15 dup? 0x1
4 0x0e op#0x04 call 0x1
4 0x10 op#0x10 push 36 # 0x4
4 0x12 op#0x1f sp[0] == sp[1]
4 0x13 op#0x0A bool_neg
4 0x14 op#0x01 jz 0x1e
4 0x17 op#0x14 pop
4 0x18 op#0x10 push 1 # 0x5
4 0x1a op#0x00 ret
4 0x1b op#0x02 jmp 0x1f
4 0x1e op#0x14 pop
5 0x1f op#0x19 get_global? b'xpklorelln' # 0x6
5 0x21 op#0x19 get_global? b'bynecdyggx' # 0x7
5 0x23 op#0x15 dup? 0x1
5 0x25 op#0x04 call 0x1
5 0x27 op#0x04 call 0x1
6 0x29 op#0x10 push 0 # 0x8
6 0x2b op#0x15 dup? 0x3
6 0x2d op#0x19 get_global? b'bynecdyggx' # 0x9
6 0x2f op#0x15 dup? 0x1
6 0x31 op#0x04 call 0x1
6 0x33 op#0x21 sp[0] < sp[1]?
6 0x34 op#0x01 jz 0x58
6 0x37 op#0x14 pop
6 0x38 op#0x02 jmp 0x46
6 0x3b op#0x15 dup? 0x3
6 0x3d op#0x10 push 1 # 0xa
6 0x3f op#0x0C sp[0] + sp[1]?
6 0x40 op#0x16 set_stack? 0x3
6 0x42 op#0x14 pop
6 0x43 op#0x03 jmp 0x2b
7 0x46 op#0x15 dup? 0x2
7 0x48 op#0x15 dup? 0x3
7 0x4a op#0x19 get_global? b'buqcljjivs' # 0xb
7 0x4c op#0x15 dup? 0x1
7 0x4e op#0x15 dup? 0x3
7 0x50 op#0x26 get_element?
7 0x51 op#0x04 call 0x1
7 0x53 op#0x27 set_element?
7 0x54 op#0x14 pop
8 0x55 op#0x03 jmp 0x3b
8 0x58 op#0x14 pop
8 0x59 op#0x14 pop
9 0x5a SPECIAL array_op 1 sub(addr=100) 15 == -17
10 0x75 SPECIAL array_op 25 xor(addr=127) 22 == 43
11 0x8f SPECIAL array_op 19 sub(addr=153) 14 == 8
12 0xa9 SPECIAL array_op 29 sub(addr=179) 34 == -5
13 0xc4 SPECIAL array_op 23 add(addr=206) 21 == 219
14 0xde SPECIAL array_op 24 add(addr=232) 12 == 200
15 0xf8 SPECIAL array_op 35 xor(addr=258) 25 == 9
16 0x112 SPECIAL array_op 14 xor(addr=284) 27 == 62
17 0x12c SPECIAL array_op 22 add(addr=310) 8 == 190
18 0x146 SPECIAL array_op 3 add(addr=336) 26 == 206
19 0x160 SPECIAL array_op 32 xor(addr=362) 34 == 50
20 0x17a SPECIAL array_op 21 xor(addr=388) 23 == 19
21 0x194 SPECIAL array_op 7 add(addr=414) 10 == 212
22 0x1ae SPECIAL array_op 2 add(addr=440) 10 == 227
23 0x1c8 SPECIAL array_op 17 sub(addr=466) 35 == -10
24 0x1e3 SPECIAL array_op 5 add(addr=493) 18 == 199
25 0x1fd SPECIAL array_op 15 xor(addr=519) 1 == 23
26 0x217 SPECIAL array_op 30 xor(addr=545) 31 == 26
27 0x231 SPECIAL array_op 18 sub(addr=571) 10 == -9
28 0x24c SPECIAL array_op 9 sub(addr=598) 19 == 16
29 0x266 SPECIAL array_op 31 add(addr=624) 8 == 210
30 0x280 SPECIAL array_op 4 sub(addr=650) 26 == 19
31 0x29a SPECIAL array_op 10 sub(addr=676) 9 == -10
32 0x2b5 SPECIAL array_op 13 add(addr=703) 5 == 212
33 0x2cf SPECIAL array_op 6 xor(addr=729) 13 == 1
34 0x2e9 SPECIAL array_op 28 xor(addr=755) 20 == 17
35 0x303 SPECIAL array_op 34 sub(addr=781) 30 == 4
36 0x31d SPECIAL array_op 11 xor(addr=807) 2 == 1
37 0x337 SPECIAL array_op 16 add(addr=833) 11 == 222
38 0x351 SPECIAL array_op 8 xor(addr=859) 18 == 57
39 0x36b SPECIAL array_op 20 xor(addr=885) 0 == 7
40 0x385 SPECIAL array_op 27 xor(addr=911) 28 == 43
41 0x39f SPECIAL array_op 26 sub(addr=937) 17 == -11
42 0x3ba SPECIAL array_op 12 xor(addr=964) 31 == 44
43 0x3d4 SPECIAL array_op 33 sub(addr=990) 8 == 23
44 0x3ee SPECIAL array_op 0 add(addr=1016) 21 == 198
45 0x408 op#0x10 push 0 # 0x9c
45 0x40a op#0x00 ret
46 0x40b op#0x11 push_nil
46 0x40c op#0x00 ret
None
elements: [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 
25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 35, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 36, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 38, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 
44, 44, 44, 44, 44, 44, 45, 45, 45, 46, 46]
some_count2: 157
data:
[0]:
5 b'mvtrrbljpt'
[1]:
5 b'bldbefsarc'
[2]:
5 b'Flag Validator: '
[3]:
5 b'bynecdyggx'
[4]:
3 36
[5]:
3 1
[6]:
5 b'xpklorelln'
[7]:
5 b'bynecdyggx'
[8]:
3 0
[9]:
5 b'bynecdyggx'
[10]:
3 1
[11]:
5 b'buqcljjivs'
[12]:
3 1
[13]:
3 15
[14]:
3 17
[15]:
3 1
[16]:
3 25
[17]:
3 22
[18]:
3 43
[19]:
3 1
[20]:
3 19
[21]:
3 14
[22]:
3 8
[23]:
3 1
[24]:
3 29
[25]:
3 34
[26]:
3 5
[27]:
3 1
[28]:
3 23
[29]:
3 21
[30]:
3 219
[31]:
3 1
[32]:
3 24
[33]:
3 12
[34]:
3 200
[35]:
3 1
[36]:
3 35
[37]:
3 25
[38]:
3 9
[39]:
3 1
[40]:
3 14
[41]:
3 27
[42]:
3 62
[43]:
3 1
[44]:
3 22
[45]:
3 8
[46]:
3 190
[47]:
3 1
[48]:
3 3
[49]:
3 26
[50]:
3 206
[51]:
3 1
[52]:
3 32
[53]:
3 34
[54]:
3 50
[55]:
3 1
[56]:
3 21
[57]:
3 23
[58]:
3 19
[59]:
3 1
[60]:
3 7
[61]:
3 10
[62]:
3 212
[63]:
3 1
[64]:
3 2
[65]:
3 10
[66]:
3 227
[67]:
3 1
[68]:
3 17
[69]:
3 35
[70]:
3 10
[71]:
3 1
[72]:
3 5
[73]:
3 18
[74]:
3 199
[75]:
3 1
[76]:
3 15
[77]:
3 1
[78]:
3 23
[79]:
3 1
[80]:
3 30
[81]:
3 31
[82]:
3 26
[83]:
3 1
[84]:
3 18
[85]:
3 10
[86]:
3 9
[87]:
3 1
[88]:
3 9
[89]:
3 19
[90]:
3 16
[91]:
3 1
[92]:
3 31
[93]:
3 8
[94]:
3 210
[95]:
3 1
[96]:
3 4
[97]:
3 26
[98]:
3 19
[99]:
3 1
[100]:
3 10
[101]:
3 9
[102]:
3 10
[103]:
3 1
[104]:
3 13
[105]:
3 5
[106]:
3 212
[107]:
3 1
[108]:
3 6
[109]:
3 13
[110]:
3 1
[111]:
3 1
[112]:
3 28
[113]:
3 20
[114]:
3 17
[115]:
3 1
[116]:
3 34
[117]:
3 30
[118]:
3 4
[119]:
3 1
[120]:
3 11
[121]:
3 2
[122]:
3 1
[123]:
3 1
[124]:
3 16
[125]:
3 11
[126]:
3 222
[127]:
3 1
[128]:
3 8
[129]:
3 18
[130]:
3 57
[131]:
3 1
[132]:
3 20
[133]:
3 0
[134]:
3 7
[135]:
3 1
[136]:
3 27
[137]:
3 28
[138]:
3 43
[139]:
3 1
[140]:
3 26
[141]:
3 17
[142]:
3 11
[143]:
3 1
[144]:
3 12
[145]:
3 31
[146]:
3 44
[147]:
3 1
[148]:
3 33
[149]:
3 8
[150]:
3 23
[151]:
3 1
[152]:
3 0
[153]:
3 21
[154]:
3 198
[155]:
3 1
[156]:
3 0
val: b'nwlrbbmqbh'
[2]:
5 b'nwlrbbmqbh'
[3]:
3 0
[4]:
5 b'Congrats!'
[5]:
5 b'afadrrwsof'
[6]:
3 0
[7]:
5 b'Try again :('
[8]:
5 b'afadrrwsof'
[9]:
3 1
val: None
0x1ead
import struct
import sys
from collections import namedtuple

# `sys` was previously only available through pwn's star export; it is now
# imported explicitly. pwn stays ahead of z3 so that on any name clash the z3
# binding (And, Solver, sat, BitVec, ...) is the one that survives.
from pwn import *
import z3
from z3 import *
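# --- file header ------------------------------------------------------------
# u32 count, then `count` entries of (u32 tag, u32 len, `len` bytes), then two
# trailing u32s. Every count and length is taken from the file unverified
# (this is a CTF artefact, not a hardened parser): a corrupt length makes
# f.read() allocate that much, and a truncated file surfaces as an error from
# u32() rather than a clear message.
f = open(sys.argv[1], 'rb')  # deliberately not a `with`: FUN_00401530(f) below keeps reading from it
count = u32(f.read(4))
print('count', count)
strs = []  # string table; in the sample these are the 10-byte names later used by get_global/set_global
for idx in range(count):
    local_38 = u32(f.read(4))  # tag: 3 for every entry in the sample, and 3 also precedes the (len, bytes) strings inside functions
    print('local_38', local_38)
    local_1c = u32(f.read(4))  # byte length of the entry that follows
    print('local_1c', local_1c)
    s = f.read(local_1c)
    print('data', s)
    strs.append(s)
count2 = u32(f.read(4))
print('count2', count2)
count3 = u32(f.read(4))
print('count3', count3)
if count3 != 0:
    # A plain check, not `assert`: asserts vanish under -O and this is input
    # validation for a layout variant that is simply not implemented.
    raise NotImplementedError(f'count3 = {count3}: only 0 is handled')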
OpRet = namedtuple('ret',['addr'])
OpJz = namedtuple('jz', ['addr', 'target'])
OpJmpFwd = namedtuple('jmpfwd', ['addr', 'target'])
OpJmpBck = namedtuple('jmpbck', ['addr', 'target'])
OpCall = namedtuple('call', ['addr', 'target'])
OpNew = namedtuple('new', ['addr', 'obj'])
OpPrint = namedtuple('print', ['addr'])
OpBoolNeg = namedtuple('bool_neg', ['addr'])
OpNeg = namedtuple('neg', ['addr'])
OpAdd = namedtuple('add', ['addr'])
OpSub = namedtuple('sub', ['addr'])
OpPush = namedtuple('push', ['addr', 'obj'])
OpPushNil = namedtuple('push_nil', ['addr'])
OpPop = namedtuple('pop', ['addr'])
OpDup = namedtuple('dup', ['addr', 'src'])
OpSetStack = namedtuple('dup_into', ['addr', 'target'])
OpGetGlobal = namedtuple('get_global', ['addr', 'obj'])
OpSetGlobal = namedtuple('set_global', ['addr', 'obj'])
OpEqual = namedtuple('equal', ['addr'])
OpGreaterEqual = namedtuple('greater_equal', ['addr'])
OpLess = namedtuple('less', ['addr'])
OpGetElement = namedtuple('get_element', ['addr'])
OpSetElement = namedtuple('set_element', ['addr'])
OpXor = namedtuple('xor', ['addr'])
OpAnd = namedtuple('And', ['addr'])
OpLhs = namedtuple('Lhs', ['addr'])
OpRhs = namedtuple('Rhs', ['addr'])
OpTrySetGlobal = namedtuple('try_set_global', ['addr', 'obj'])
OpSetInstanceVar = namedtuple('set_instance_var', ['addr', 'op'])
OpGetInstanceVar = namedtuple('get_instance_var', ['addr', 'op'])
OpGetSomething = namedtuple('get_something', ['addr','op'])
OpSetDict = namedtuple('set_dict', ['addr', 'op'])
OpMakeArray = namedtuple('make_array', ['addr', 'op'])
OpArrayRetCmp = namedtuple('xor', ['addr', 'op', 'idx1', 'idx2', 'result'])
OpArrayRetCmpNeg = namedtuple('xor', ['addr', 'op', 'idx1', 'idx2', 'result'])
def create_array_ret_cmp(instructions):
    """Fold the validator's "compare two flag bytes, bail with 1" idiom in place.

    Each constraint in the bytecode has the same 16-instruction shape (17 when
    the expected constant is negated first):

        dup 2; push i; get_element; dup 2; push j; get_element;
        add|sub|xor; push c; [neg]; ==; bool_neg; jz; pop; push; ret; jmp; pop

    Every occurrence is replaced by one OpArrayRetCmp (or OpArrayRetCmpNeg)
    that carries the operator instance, the two pool indices naming the flag
    positions and the pool index of the expected value, so get_flag() can turn
    it into a single z3 constraint and disasm() prints it as a single line.
    Unmatched instructions are left alone; the list is edited in place and
    nothing is returned.
    """
    NEG_SHAPE_LEN = 17          # plain shape is one instruction shorter (no OpNeg)
    pos = 0
    while pos < len(instructions):
        # A window of the longest shape is enough: both patterns end in *_,
        # so anything past the matched prefix is ignored either way.
        window = instructions[pos:pos + NEG_SHAPE_LEN]
        match window:
            case [OpDup(start, src=2), OpPush(obj=lhs), OpGetElement(),
                  OpDup(src=2), OpPush(obj=rhs), OpGetElement(),
                  (OpAdd() | OpSub() | OpXor()) as operator,
                  OpPush(obj=expected),
                  OpEqual(), OpBoolNeg(),
                  OpJz(), OpPop(), OpPush(),
                  OpRet(), OpJmpFwd(),
                  OpPop(), *_]:
                folded = OpArrayRetCmp(start, operator, lhs, rhs, expected)
                instructions[pos:pos + NEG_SHAPE_LEN - 1] = [folded]
            case [OpDup(start, src=2), OpPush(obj=lhs), OpGetElement(),
                  OpDup(src=2), OpPush(obj=rhs), OpGetElement(),
                  (OpAdd() | OpSub() | OpXor()) as operator,
                  OpPush(obj=expected),
                  OpNeg(),  # the only difference from the shape above
                  OpEqual(), OpBoolNeg(),
                  OpJz(), OpPop(), OpPush(),
                  OpRet(), OpJmpFwd(),
                  OpPop(), *_]:
                folded = OpArrayRetCmpNeg(start, operator, lhs, rhs, expected)
                instructions[pos:pos + NEG_SHAPE_LEN] = [folded]
        pos += 1
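def get_flag(instructions, this, *, flag_len=100, prefix=b'bctf{'):
    """Recover the flag from the folded compare instructions with z3.

    Every OpArrayRetCmp / OpArrayRetCmpNeg left by create_array_ret_cmp() is
    one constraint ``flag[i] OP flag[j] == c`` with OP in {add, sub, xor} on
    8-bit values; together with the known prefix and a printable-ASCII range
    per byte they pin the flag.

    Args:
        instructions: decoded instruction list, after create_array_ret_cmp().
        this: the owning FUN_00401530; ``this.data[k][1]`` is the value in
            constant-pool slot k (the i/j positions and c are looked up there).
        flag_len: number of byte variables to allocate; must exceed every
            position referenced by the constraints (IndexError otherwise).
        prefix: bytes the flag is known to start with.

    Returns:
        The solved flag as bytes (bytes the model left unassigned are
        skipped). It is also printed, as before.

    Raises:
        RuntimeError: if the constraints are unsatisfiable.
        Exception: on an operator the folder never produces.
    """
    flag = [BitVec('f%d' % i, 8) for i in range(flag_len)]

    def do_op(op, a, b):
        # 8-bit BitVec arithmetic wraps, matching the VM's byte operations.
        match op:
            case OpAdd():
                return a + b
            case OpSub():
                return a - b
            case OpXor():
                return a ^ b
            case _:
                raise Exception('Unexpected operation')

    ops = [flag[i] == ch for i, ch in enumerate(prefix)]
    for k in flag:
        # NOTE: z3's <= / >= on BitVec are *signed*; the unsigned forms make
        # the intended 0x20..0x7f window explicit (same set the old signed
        # bounds happened to select for 8-bit values).
        ops.append(z3.UGE(k, 0x20))
        ops.append(z3.ULE(k, 0x7f))
    for inst in instructions:
        match inst:
            case OpArrayRetCmp(addr, op, idx1, idx2, result):
                lhs = flag[this.data[idx1][1]]
                rhs = flag[this.data[idx2][1]]
                ops.append(do_op(op, lhs, rhs) == this.data[result][1])
            case OpArrayRetCmpNeg(addr, op, idx1, idx2, result):
                lhs = flag[this.data[idx1][1]]
                rhs = flag[this.data[idx2][1]]
                # the bytecode negates the constant before comparing; the
                # negative int is coerced to its 8-bit two's-complement value
                ops.append(do_op(op, lhs, rhs) == -this.data[result][1])
    s = Solver()
    s.add(z3.And(ops))
    # Not an assert: it would be stripped under -O and a wrong/unsat set of
    # constraints must not silently fall through to model().
    if s.check() != sat:
        raise RuntimeError('flag constraints are unsatisfiable')
    m = s.model()
    recovered = bytes([m[x].as_long() for x in flag if m[x] is not None])
    print(recovered)
    return recovered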
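# opcode -> instruction constructor, grouped by operand encoding.
# Anything absent from all three tables is rejected by decode_inst().
_OPS_NO_OPERAND = {
    0x00: OpRet, 0x09: OpPrint, 0x0A: OpBoolNeg, 0x0B: OpNeg, 0x0C: OpAdd,
    0x0D: OpSub, 0x11: OpPushNil, 0x14: OpPop, 0x1F: OpEqual,
    0x20: OpGreaterEqual, 0x21: OpLess, 0x26: OpGetElement,
    0x27: OpSetElement, 0x28: OpXor, 0x2A: OpAnd, 0x2B: OpLhs, 0x2C: OpRhs,
}
_OPS_U8_OPERAND = {
    0x04: OpCall, 0x07: OpNew, 0x10: OpPush, 0x15: OpDup, 0x16: OpSetStack,
    0x19: OpGetGlobal, 0x1A: OpTrySetGlobal, 0x1B: OpSetGlobal,
    0x1C: OpSetInstanceVar, 0x1D: OpGetInstanceVar, 0x22: OpGetSomething,
    0x24: OpSetDict, 0x25: OpMakeArray,
}
_OPS_REL16_OPERAND = {0x01: OpJz, 0x02: OpJmpFwd, 0x03: OpJmpBck}


def decode_inst(inst):
    """Decode one function's raw bytecode into a list of instruction tuples.

    Encoding (recovered from the challenge binary): one opcode byte, followed
    by nothing, one u8 operand, or -- for the 0x01/0x02/0x03 jumps -- a 16-bit
    big-endian displacement. Each tuple's ``addr`` is the opcode's byte offset.

    Args:
        inst: bytes (or any indexable of ints) holding the bytecode.

    Returns:
        list of instructions in stream order.

    Raises:
        ValueError: if the stream ends inside an operand (this used to be a
            bare IndexError with no context, easy to mistake for a bug here).
        Exception: on an opcode missing from every table; message unchanged
            so existing callers/logs keep working.
    """
    result = []
    offs = 0
    end = len(inst)
    while offs < end:
        opcode = inst[offs]
        if opcode in _OPS_NO_OPERAND:
            result.append(_OPS_NO_OPERAND[opcode](offs))
            size = 1
        elif opcode in _OPS_U8_OPERAND:
            if offs + 1 >= end:
                raise ValueError(f'truncated operand for opcode {hex(opcode)} at {hex(offs)}')
            result.append(_OPS_U8_OPERAND[opcode](offs, inst[offs + 1]))
            size = 2
        elif opcode in _OPS_REL16_OPERAND:
            if offs + 2 >= end:
                raise ValueError(f'truncated jump operand for opcode {hex(opcode)} at {hex(offs)}')
            target = (inst[offs + 1] << 8) + inst[offs + 2]
            result.append(_OPS_REL16_OPERAND[opcode](offs, target))
            size = 3
        else:
            raise Exception(f'Not implemented {hex(inst[offs])}')
        offs += size
    return result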
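def disasm(data, elem, this):
    """Disassemble one function's bytecode to stdout, solving the flag on the way.

    Args:
        data: raw bytecode (FUN_00401530.arr).
        elem: per-bytecode-byte u32 table (FUN_00401530.elements); it is
            printed as the first column and behaves like a source line number.
        this: the owning FUN_00401530 whose ``data`` constant pool resolves
            u8 operands (``this.data[k][1]`` is the value in slot k).

    Side effects: folds the compare idiom (create_array_ret_cmp), runs the
    z3 recovery (get_flag, which prints the flag) and prints one line per
    instruction. Jump targets are shown as absolute offsets: jz and forward
    jmp add their displacement to the end of the 3-byte instruction, the
    backward jmp subtracts it from that same point.

    Returns:
        None.

    Raises:
        Exception: on an instruction type this printer does not know.
    """
    instructions = decode_inst(data)
    create_array_ret_cmp(instructions)
    get_flag(instructions, this)
    for inst in instructions:
        print(f"{elem[inst.addr]}\t0x{inst.addr:02x}\t", end='')
        # The printed op#0x.. labels must agree with the opcodes decode_inst()
        # accepts; >= / lhs / rhs were previously mislabelled (0x21 / 0x2a).
        match inst:
            case OpRet(addr):
                print('op#0x00', 'ret')
            case OpJz(addr, target):
                print('op#0x01', 'jz', hex(target + inst.addr + 3))
            case OpJmpFwd(addr, target):
                print('op#0x02', 'jmp', hex(target + inst.addr + 3))
            case OpJmpBck(addr, target):
                print('op#0x03', 'jmp', hex(inst.addr + 3 - target))
            case OpCall(addr, target):
                print('op#0x04', 'call', hex(target))
            case OpNew(addr, obj):
                # operand names a nested function; its trailing string (.val)
                # and val2 (assumed local-variable count) are shown
                print('op#0x07', 'new?', this.data[obj][1].val, '#', hex(obj), 'localvars:', this.data[obj][1].val2)
            case OpPrint(addr):
                print('op#0x09', 'print')
            case OpBoolNeg(addr):
                print('op#0x0A', 'bool_neg')
            case OpNeg(addr):
                print('op#0x0B', 'negative')
            case OpAdd(addr):
                print('op#0x0C', 'sp[0] + sp[1]?')
            case OpSub(addr):
                print('op#0x0D', 'sp[0] - sp[1]')
            case OpPush(addr, obj):
                print('op#0x10', 'push', this.data[obj][1], '#', hex(obj))
            case OpPushNil(addr):
                print('op#0x11', 'push_nil')
            case OpPop(addr):
                print('op#0x14', 'pop')
            case OpDup(addr, src):
                print('op#0x15', 'dup?', hex(src))
            case OpSetStack(addr, target):
                print('op#0x16', 'set_stack?', hex(target))
            case OpGetGlobal(addr, obj):
                print('op#0x19', 'get_global?', this.data[obj][1], '#', hex(obj))
            case OpTrySetGlobal(addr, obj):
                print('op#0x1a', 'try_store_global?', this.data[obj][1], '#', hex(obj))
            case OpSetGlobal(addr, obj):
                print('op#0x1b', 'store_global?', this.data[obj][1], '#', hex(obj))
            case OpSetInstanceVar(addr, op):
                print('op#0x1c', 'set_instance_var', this.data[op][1], '#', hex(op))
            case OpGetInstanceVar(addr, op):
                print('op#0x1d', 'get_instance_var', this.data[op][1], '#', hex(op))
            case OpEqual(addr):
                print('op#0x1f', 'sp[0] == sp[1]')
            case OpGreaterEqual(addr):
                print('op#0x20', 'sp[0] >= sp[1]?')
            case OpLess(addr):
                print('op#0x21', 'sp[0] < sp[1]?')
            case OpGetSomething(addr, op):
                print('op#0x22', 'get_something', this.data[op][1], '#', hex(op))
            case OpSetDict(addr, op):
                print('op#0x24', 'set_dict', this.data[op][1], '#', hex(op))
            case OpMakeArray(addr, op):
                print('op#0x25', 'make_array', op, '#', hex(op))
            case OpGetElement(addr):
                print('op#0x26', 'get_element?')
            case OpSetElement(addr):
                print('op#0x27', 'set_element?')
            case OpXor(addr):
                print('op#0x28', 'xor')
            case OpAnd(addr):
                print('op#0x2a', 'and')
            case OpLhs(addr):
                print('op#0x2b', 'lhs')
            case OpRhs(addr):
                print('op#0x2c', 'rhs')
            case OpArrayRetCmp(addr, op, idx1, idx2, result):
                print('SPECIAL', 'array_op', this.data[idx1][1], op, this.data[idx2][1], '==', this.data[result][1])
            case OpArrayRetCmpNeg(addr, op, idx1, idx2, result):
                print('SPECIAL', 'array_op', this.data[idx1][1], op, this.data[idx2][1], '==', -this.data[result][1])
            case _:
                raise Exception(f'Not implemented {inst}')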
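def _read_exact(f, n):
    """Read exactly `n` bytes from `f`, raising EOFError on a short read.

    A bare f.read(n) on a truncated or hand-crafted file silently returns
    fewer bytes, which desynchronises every field parsed afterwards; failing
    loudly keeps the parser honest about what it actually consumed.
    """
    buf = f.read(n)
    if len(buf) != n:
        raise EOFError(f'expected {n} bytes, got {len(buf)}')
    return buf


class FUN_00401530():
    """One function/script blob of the VM image, named after the loader
    routine it was reverse-engineered from.

    Fields, in the order they are read (integers via the module's u32/u64):
      val1, val2, val3  three u32 header words; val3 is both the byte length
                        of `arr` (the bytecode) and the number of u32
                        `elements` that follow it
      some_count2       u32 count of constant-pool entries in `data`
      data              list of (ty, val): ty 0/2 keep the raw 1-byte payload,
                        ty 1/3/4 a u64; ty 5 carries a u32 sub-type, where 3 is
                        a length-prefixed byte string and 0 a nested
                        FUN_00401530
      val               optional trailing length-prefixed byte string, present
                        when the flag byte after the pool is 0x01, else None

    Every length and count is taken from the file unchecked: val3 and
    some_count2 bound loops and allocations, and sub-type-0 entries recurse
    with no depth limit.  Fine for a CTF artefact, not for hostile input.
    Parsing prints each field as it goes (this is a trace tool).
    """

    def __init__(self, f):
        print('FUN_00401530')
        self.val1 = u32(_read_exact(f, 4))
        print('val1', self.val1)
        self.val2 = u32(_read_exact(f, 4))
        print('val2', self.val2)
        self.val3 = u32(_read_exact(f, 4))
        print('val3', self.val3)
        self.arr = _read_exact(f, self.val3)
        print('arr', self.arr)
        # One u32 per bytecode byte; passed alongside arr to disasm() in dump().
        self.elements = [u32(_read_exact(f, 4)) for _ in range(self.val3)]
        print('elements', self.elements)
        self.some_count2 = u32(_read_exact(f, 4))
        print('some_count2', self.some_count2)
        self.data = []
        for idx in range(self.some_count2):
            ty = u32(_read_exact(f, 4))
            val = self._read_constant(f, ty)
            print(idx, ty, val)
            self.data.append((ty, val))
        local_49 = _read_exact(f, 1)
        print('local_49', local_49)
        if local_49 == b'\x01':
            local_50 = u32(_read_exact(f, 4))
            # Was an assert; asserts vanish under -O and this is input validation.
            if local_50 != 3:
                raise ValueError(f'trailing value: expected sub-type 3, got {local_50}')
            size = u32(_read_exact(f, 4))
            val = _read_exact(f, size)
            print('local_50', local_50, val)
            self.val = val
        else:
            self.val = None

    @staticmethod
    def _read_constant(f, ty):
        """Read and return the payload of one constant-pool entry of type `ty`.

        Raises Exception for a type or sub-type this parser does not know yet
        (same messages as the original inline code).
        """
        match ty:
            case 0:
                return _read_exact(f, 1)  # TODO: Bool?
            case 1 | 3 | 4:
                return u64(_read_exact(f, 8))
            case 2:
                return _read_exact(f, 1)
            case 5:
                sub = u32(_read_exact(f, 4))
                match sub:
                    case 3:
                        size = u32(_read_exact(f, 4))
                        return _read_exact(f, size)
                    case 0:
                        return FUN_00401530(f)
                    case _:
                        raise Exception(f"TODO: Unknown {sub}")
            case _:
                raise Exception(f"TODO: Unknown {hex(ty)}")

    def dump(self, tabs=0):
        """Print this blob's fields, its disassembly and nested blobs.

        `tabs` is the indentation depth; nested FUN_00401530 constants are
        dumped at tabs+1.  The disassembly and the per-entry lines are printed
        without the tab prefix, matching the original output format.
        """
        aprint = lambda *v: print('\t' * tabs, *v)
        aprint(f'val1: {self.val1}')
        aprint(f'val2: {self.val2}')
        aprint(f'val3: {self.val3}')
        aprint(f'arr: {self.arr}')
        try:
            print(disasm(self.arr, self.elements, self))
        except Exception as ex:
            # Surface which blob failed before the traceback propagates.
            print(f'exception {ex}')
            raise
        aprint(f'elements: {self.elements}')
        aprint(f'some_count2: {self.some_count2}')
        aprint('data:')
        for idx, (ty, val) in enumerate(self.data):
            aprint(f'[{idx}]:')
            if isinstance(val, FUN_00401530):
                val.dump(tabs + 1)
            else:
                print('\t' * (tabs + 1), ty, val)
        aprint(f'val: {self.val}')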
# Parse the outermost blob from the already-open stream `f`, print it, then
# report the offset where parsing stopped so any trailing bytes stand out.
root = FUN_00401530(f)
root.dump()
print(hex(f.tell()))
import pwndbg
def toSigned64(n):
    """Reinterpret the low 64 bits of `n` as a two's-complement signed value.

    Bits above 64 (and a negative `n`) are discarded first, so the result is
    always in [-2**63, 2**63).
    """
    raw = (n & 0xffffffffffffffff).to_bytes(8, 'little')
    return int.from_bytes(raw, 'little', signed=True)
def get_stack_pointer():
    """Return the pointer-sized word at 0x44c708, used below as the VM's
    operand-stack top (address is fixed for this binary)."""
    sp_slot = 0x44c708
    return pwndbg.memory.pvoid(sp_slot)
def get_cur_stackframe():
    """Address of the current frame record.

    Computed as 0x0040c0f0 + (count - 1) * 24, where count is the u32 at
    0x040c6f0 -- presumably the number of live frames, so -1 selects the
    newest 24-byte record.  Addresses are fixed for this binary.
    """
    frame_table = 0x0040c0f0
    frame_size = 24
    frame_count = pwndbg.memory.u32(0x040c6f0)
    return frame_table + (frame_count - 1) * frame_size
def get_stack_base():
    """Pointer stored 16 bytes into the current frame record
    (see get_cur_stackframe); get_stack treats it as the frame's stack base."""
    frame = get_cur_stackframe()
    return pwndbg.memory.pvoid(frame + 16)
def get_script_func(ptr):
    """Name a script/function object at `ptr`.

    The pointer at ptr+0x40 is zero for a top-level script, which is rendered
    by address; otherwise it leads to a record whose +0x18 holds a pointer to
    the function's NUL-terminated name (decoded as strict ASCII).
    """
    fn_record = pwndbg.memory.pvoid(ptr + 0x40)
    if fn_record:
        name_ptr = pwndbg.memory.pvoid(fn_record + 0x18)
        name = pwndbg.memory.string(name_ptr).decode('ascii')
        return f'<fn {name}>'
    return f'<script 0x{ptr:x}>'
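def get_list(ptr):
    """Render a list object (kind 7 in get_obj_ext) at `ptr` as '[a, b, ...]'.

    Reads the u32 element count at ptr+0x10 and the element-array pointer at
    ptr+0x18; elements are 16-byte (tag, payload) slots rendered via
    get_obj_ptr.  The count comes straight from target memory, so a corrupt
    object makes this walk a very long way -- acceptable in an interactive
    debugger session.  Building the parts and joining once replaces the
    original quadratic string concatenation; the output is identical.
    """
    count = pwndbg.memory.u32(ptr + 0x10)
    items = pwndbg.memory.pvoid(ptr + 0x18)
    parts = [get_obj_ptr(items + i * 0x10) for i in range(count)]
    return '[' + ', '.join(parts) + ']'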
def get_obj_ptr(ptr):
    """Render the 16-byte value slot at `ptr`: u32 type tag at +0, 8-byte
    payload at +8 (same layout get_stack walks)."""
    tag = pwndbg.memory.u32(ptr)
    payload = pwndbg.memory.pvoid(ptr + 8)
    return get_obj(tag, payload)
def get_map(addr):
    """Render the entries of a hash map at `addr` as 'key => value' strings.

    Layout read here: u32 slot count at addr+4, entry-array pointer at addr+8,
    entries 0x18 bytes apart with the key object pointer at +0 (zero means an
    empty slot, skipped), the value tag u32 at +8 and the value payload at
    +16.  Keys go through get_obj_ext, i.e. they are assumed to be heap
    objects (presumably strings); values go through get_obj.
    """
    slot_count = pwndbg.memory.u32(addr + 4)
    entries = pwndbg.memory.pvoid(addr + 8)
    rendered = []
    for i in range(slot_count):
        entry = entries + i * 0x18
        key_ptr = pwndbg.memory.pvoid(entry)
        if not key_ptr:
            continue  # empty slot
        key_text = get_obj_ext(key_ptr)
        tag = pwndbg.memory.u32(entry + 8)
        payload = pwndbg.memory.pvoid(entry + 16)
        rendered.append(f'{key_text} => {get_obj(tag, payload)}')
    return rendered
def get_globals():
    """Render the map at the fixed address 0x0044c720 (the VM's globals, going
    by how it is labelled in context_pact)."""
    globals_map = 0x0044c720
    return get_map(globals_map)
def get_obj(ty, ptr):
    """Render one VM value as text.

    `ty` is masked to its low byte (the type tag); `ptr` is the raw 8-byte
    payload whose meaning depends on the tag: 0 bool (low bit), 1 nil,
    2 char (low byte), 3 signed 64-bit int, 4 double (payload not decoded --
    rendered as the placeholder 'double()'), 5 pointer to a heap object
    handled by get_obj_ext.  Any other tag yields '<unknown N>'.
    """
    match ty & 0xff:
        case 0:
            return 'true' if ptr & 1 else 'false'
        case 1:
            return 'nil'
        case 2:
            return f"'{chr(ptr & 0xFF)}'"
        case 3:
            return str(toSigned64(ptr))
        case 4:
            return 'double()'
        case 5:
            return get_obj_ext(ptr)
        case tag:
            return f'<unknown {tag}>'
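def get_obj_ext(ptr):
    """Render a heap ("extended", tag 5) object at `ptr`, dispatching on the
    u32 kind word at its start.

    Kinds and the offsets read for each (reverse-engineered for this binary):
      0  function/script record  -> get_script_func(ptr)
      1  holder of a function    -> get_script_func(pvoid(ptr + 0x10))
      2  native function         -> code pointer at ptr + 0x10
      3  string                  -> C string at pvoid(ptr + 0x18)
      4  upvalue                 -> placeholder text only
      5  class                   -> name via ptr+0x10 -> +0x18; members map at ptr+0x18
      6  instance                -> name via ptr+0x10 -> +0x10 -> +0x18; members map at ptr+0x18
      7  list                    -> get_list(ptr)
      8  script-or-fn            -> placeholder text only
    Strings are decoded as strict ASCII and raise UnicodeDecodeError on
    anything else.  Unknown kinds render as '<unknown_ext N>'.
    """
    kind = pwndbg.memory.u32(ptr)
    if kind == 0:
        return get_script_func(ptr)
    if kind == 1:
        inner = pwndbg.memory.pvoid(ptr + 4 * 4)
        return get_script_func(inner)
    if kind == 2:
        code = pwndbg.memory.pvoid(ptr + 16)
        return f'<native fn 0x{code:x}>'
    if kind == 3:
        chars = pwndbg.memory.pvoid(ptr + 6 * 4)
        s = pwndbg.memory.string(chars).decode('ascii')
        return f'"{s}"'
    if kind == 4:
        return 'upvalue'
    if kind == 5:
        members = ','.join(get_map(ptr + 0x18))
        name_rec = pwndbg.memory.pvoid(ptr + 0x10)
        name_ptr = pwndbg.memory.pvoid(name_rec + 0x18)
        s = pwndbg.memory.string(name_ptr).decode('ascii')
        return f'<class> {s}{"{"}{members}{"}"}'
    if kind == 6:
        members = ','.join(get_map(ptr + 0x18))
        owner = pwndbg.memory.pvoid(ptr + 0x10)
        name_rec = pwndbg.memory.pvoid(owner + 0x10)
        name_ptr = pwndbg.memory.pvoid(name_rec + 0x18)
        s = pwndbg.memory.string(name_ptr).decode('ascii')
        return f'<instance> {s}{"{"}{members}{"}"}'
    if kind == 7:
        return get_list(ptr)
    if kind == 8:
        return '<script> or <fn>'
    # The original formatted `ty`, a name not defined in this function, so any
    # unexpected kind raised NameError instead of reporting the kind word.
    return f'<unknown_ext {kind}>'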
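def get_stack(depth=5):
    """Render the top `depth` operand-stack slots, newest first.

    Each slot is 16 bytes with the type tag at +0 and the payload at +8
    (matching get_obj_ptr); `sp` points just past the newest slot, so its tag
    is at sp-16 and its payload at sp-8.  Each line shows the slot's distance
    from the frame's base (get_stack_base()+16) in slots, the index from the
    top, the rendered value and the raw payload in hex.

    `depth` replaces the hard-coded 5 (same default).  Nothing checks that
    `depth` slots exist above the base, so a large value may read past it.
    """
    result = []
    sp = get_stack_pointer()
    bp = get_stack_base() + 16
    for x in range(depth):
        ptr = pwndbg.memory.pvoid(sp - 8)
        ty = pwndbg.memory.pvoid(sp - 16)
        result.append(f'[{(sp-bp)//16}][-{x}] {get_obj(ty, ptr)} (0x{ptr:x})')
        sp -= 16
    return result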
def context_pact(target=sys.stdout, with_banner=True, width=None):
    """pwndbg context section: the VM operand stack, then the globals map.

    The signature follows pwndbg's context-section callback convention;
    `with_banner` is accepted but not consulted here.  Returns the list of
    lines to display.
    """
    lines = [pwndbg.ui.banner("pact (stack)", target=target, width=width)]
    lines += get_stack()
    lines.append(pwndbg.ui.banner("pact (globals?)", target=target, width=width))
    lines += get_globals()
    return lines
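# Register the section under the one-letter key 'p' and enable it by appending
# 'pact' to pwndbg's space-separated context-section list.  The original
# appended unconditionally, so re-sourcing this script in the same session
# added 'pact' once per load; the guard keeps the registration idempotent.
pwndbg.commands.context.context_sections['p'] = context_pact
cur = pwndbg.commands.context.config_context_sections.value
if 'pact' not in cur.split():
    pwndbg.commands.context.config_context_sections.value = cur + ' pact'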