CGVN - Codegate 2024 Finals
吉里吉里Zで実装したプログラムが与えられる
しかしデコンパイル結果は結構間違っているので注意
code:python
# username ?
# final_word ?
# ctfname Codegate
def check(username, final_word, ctfname):
    """Model of the decompiled credential check.

    Both user-supplied strings are packed into integers with ``_0x20a518``
    and passed to ``_0x269b08`` along with two fixed target constants.
    The ``ctfname`` argument is not consulted: the third operand is always
    the packed form of the literal 'Codegate'.
    """
    # _0x20a518 returns 0 for any string that is not exactly 8 characters.
    packed_user = _0x20a518(username)
    packed_word = _0x20a518(final_word)
    # Known constant, so it contributes no secret to the check.
    packed_ctf = _0x20a518('Codegate')
    return _0x269b08(
        packed_user,
        packed_word,
        packed_ctf,
        12307354521613678656,
        2224992992374123453,
    )
def NOT(v):
    """Return the 64-bit complement of *v*, computed as (2**64 - 1) - v.

    No masking is applied, so the result only stays inside 64 bits when
    0 <= v < 2**64.
    """
    all_ones_64 = (1 << 64) - 1
    return all_ones_64 - v
def _0x9454c1(p3, p4):
    """Add two integers and keep only the low 32 bits of the sum."""
    low32 = 0xFFFFFFFF
    total = p3 + p4
    return total & low32
def _0x1d45e8(p3, p4, p5, p6, p7, p8):
    """Shared step primitive: sum four inputs, rotate, then add *p5*.

    Every addition goes through ``_0x9454c1`` (32-bit wrap-around).  The
    sum of p4, p3, p6 and p8 is shifted left by *p7* and right by
    ``32 - p7``, the two halves are OR-ed, and *p5* is added.
    """
    mixed = _0x9454c1(_0x9454c1(p4, p3), _0x9454c1(p6, p8))
    # Bits pushed above bit 31 by the left shift are dropped by the final
    # masked addition, which makes this a 32-bit left rotation.
    rotated = (mixed << p7) | (mixed >> (32 - p7))
    return _0x9454c1(rotated, p5)
def _0x1de0e5(p3, p4, p5, p6, p7, p8, p9):
    """Step whose mixing term is (p4 & p5) | (NOT(p4) & p6).

    The term selects bits of p5 where p4 is set and bits of p6 elsewhere,
    then the shared primitive ``_0x1d45e8`` does the add/rotate/add.
    """
    selector = (p4 & p5) | (NOT(p4) & p6)
    return _0x1d45e8(selector, p3, p4, p7, p8, p9)
def _0x3838c1(p3, p4, p5, p6, p7, p8, p9):
    """Step whose mixing term is (p4 & p6) | (p5 & NOT(p6)).

    The term selects bits of p4 where p6 is set and bits of p5 elsewhere,
    then the shared primitive ``_0x1d45e8`` does the add/rotate/add.
    """
    selector = (p4 & p6) | (p5 & NOT(p6))
    return _0x1d45e8(selector, p3, p4, p7, p8, p9)
def _0x192f23(p3, p4, p5, p6, p7, p8, p9):
    """Step whose mixing term is the XOR of p4, p5 and p6."""
    parity = p4 ^ p5 ^ p6
    return _0x1d45e8(parity, p3, p4, p7, p8, p9)
def _0x51b732(p3, p4, p5, p6, p7, p8, p9):
    """Step whose mixing term is p5 ^ (p4 | NOT(p6)).

    ``NOT`` works on 64 bits, so the term carries set high bits; they are
    discarded by the masked additions inside ``_0x1d45e8``.
    """
    term = p5 ^ (p4 | NOT(p6))
    return _0x1d45e8(term, p3, p4, p7, p8, p9)
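def _0x4a21e0(p3, p4):
    """Combine two 64-bit operands into one 64-bit value in 64 steps.

    The four 32-bit working registers are seeded from the high and low
    halves of *p3* and *p4*.  The 64 steps are laid out in four groups of
    sixteen whose shift amounts and additive constants match those of the
    MD5 compression function, but the sixteen "message words" are the
    fixed table ``v5`` rather than input data.  The result is built from
    feed-forward sums of the registers with the original operand halves.

    The page listing had lost its square brackets (``v50`` for ``v5[0]``
    and so on); the subscripts are restored here so the names resolve.
    """
    # Fixed table used in place of message words.
    v5 = [13, 11, 15, 14, 12, 4, 0, 9, 3, 5, 6, 7, 2, 10, 8, 1]
    # *p3* may be negative or wider than 64 bits (the caller passes a
    # difference); both halves only enter through masked 32-bit additions.
    v6 = p3 >> 32
    v7 = p3 & 4294967295
    v8 = p4 >> 32
    v9 = p4 & 4294967295

    # Group 1: selector (b & c) | (~b & d), shifts 7/12/17/22.
    v6 = _0x1de0e5(v6, v7, v8, v9, v5[0], 7, -680876936)
    v9 = _0x1de0e5(v9, v6, v7, v8, v5[1], 12, -389564586)
    v8 = _0x1de0e5(v8, v9, v6, v7, v5[2], 17, 606105819)
    v7 = _0x1de0e5(v7, v8, v9, v6, v5[3], 22, -1044525330)
    v6 = _0x1de0e5(v6, v7, v8, v9, v5[4], 7, -176418897)
    v9 = _0x1de0e5(v9, v6, v7, v8, v5[5], 12, 1200080426)
    v8 = _0x1de0e5(v8, v9, v6, v7, v5[6], 17, -1473231341)
    v7 = _0x1de0e5(v7, v8, v9, v6, v5[7], 22, -45705983)
    v6 = _0x1de0e5(v6, v7, v8, v9, v5[8], 7, 1770035416)
    v9 = _0x1de0e5(v9, v6, v7, v8, v5[9], 12, -1958414417)
    v8 = _0x1de0e5(v8, v9, v6, v7, v5[10], 17, -42063)
    v7 = _0x1de0e5(v7, v8, v9, v6, v5[11], 22, -1990404162)
    v6 = _0x1de0e5(v6, v7, v8, v9, v5[12], 7, 1804603682)
    v9 = _0x1de0e5(v9, v6, v7, v8, v5[13], 12, -40341101)
    v8 = _0x1de0e5(v8, v9, v6, v7, v5[14], 17, -1502002290)
    v7 = _0x1de0e5(v7, v8, v9, v6, v5[15], 22, 1236535329)

    # Group 2: selector (b & d) | (c & ~d), shifts 5/9/14/20.
    v6 = _0x3838c1(v6, v7, v8, v9, v5[1], 5, -165796510)
    v9 = _0x3838c1(v9, v6, v7, v8, v5[6], 9, -1069501632)
    v8 = _0x3838c1(v8, v9, v6, v7, v5[11], 14, 643717713)
    v7 = _0x3838c1(v7, v8, v9, v6, v5[0], 20, -373897302)
    v6 = _0x3838c1(v6, v7, v8, v9, v5[5], 5, -701558691)
    v9 = _0x3838c1(v9, v6, v7, v8, v5[10], 9, 38016083)
    v8 = _0x3838c1(v8, v9, v6, v7, v5[15], 14, -660478335)
    v7 = _0x3838c1(v7, v8, v9, v6, v5[4], 20, -405537848)
    v6 = _0x3838c1(v6, v7, v8, v9, v5[9], 5, 568446438)
    v9 = _0x3838c1(v9, v6, v7, v8, v5[14], 9, -1019803690)
    v8 = _0x3838c1(v8, v9, v6, v7, v5[3], 14, -187363961)
    v7 = _0x3838c1(v7, v8, v9, v6, v5[8], 20, 1163531501)
    v6 = _0x3838c1(v6, v7, v8, v9, v5[13], 5, -1444681467)
    v9 = _0x3838c1(v9, v6, v7, v8, v5[2], 9, -51403784)
    v8 = _0x3838c1(v8, v9, v6, v7, v5[7], 14, 1735328473)
    v7 = _0x3838c1(v7, v8, v9, v6, v5[12], 20, -1926607734)

    # Group 3: three-way XOR, shifts 4/11/16/23.
    v6 = _0x192f23(v6, v7, v8, v9, v5[5], 4, -378558)
    v9 = _0x192f23(v9, v6, v7, v8, v5[8], 11, -2022574463)
    v8 = _0x192f23(v8, v9, v6, v7, v5[11], 16, 1839030562)
    v7 = _0x192f23(v7, v8, v9, v6, v5[14], 23, -35309556)
    v6 = _0x192f23(v6, v7, v8, v9, v5[1], 4, -1530992060)
    v9 = _0x192f23(v9, v6, v7, v8, v5[4], 11, 1272893353)
    v8 = _0x192f23(v8, v9, v6, v7, v5[7], 16, -155497632)
    v7 = _0x192f23(v7, v8, v9, v6, v5[10], 23, -1094730640)
    v6 = _0x192f23(v6, v7, v8, v9, v5[13], 4, 681279174)
    v9 = _0x192f23(v9, v6, v7, v8, v5[0], 11, -358537222)
    v8 = _0x192f23(v8, v9, v6, v7, v5[3], 16, -722521979)
    v7 = _0x192f23(v7, v8, v9, v6, v5[6], 23, 76029189)
    v6 = _0x192f23(v6, v7, v8, v9, v5[9], 4, -640364487)
    v9 = _0x192f23(v9, v6, v7, v8, v5[12], 11, -421815835)
    v8 = _0x192f23(v8, v9, v6, v7, v5[15], 16, 530742520)
    v7 = _0x192f23(v7, v8, v9, v6, v5[2], 23, -995338651)

    # Group 4: c ^ (b | ~d), shifts 6/10/15/21.
    v6 = _0x51b732(v6, v7, v8, v9, v5[0], 6, -198630844)
    v9 = _0x51b732(v9, v6, v7, v8, v5[7], 10, 1126891415)
    v8 = _0x51b732(v8, v9, v6, v7, v5[14], 15, -1416354905)
    v7 = _0x51b732(v7, v8, v9, v6, v5[5], 21, -57434055)
    v6 = _0x51b732(v6, v7, v8, v9, v5[12], 6, 1700485571)
    v9 = _0x51b732(v9, v6, v7, v8, v5[3], 10, -1894986606)
    v8 = _0x51b732(v8, v9, v6, v7, v5[10], 15, -1051523)
    v7 = _0x51b732(v7, v8, v9, v6, v5[1], 21, -2054922799)
    v6 = _0x51b732(v6, v7, v8, v9, v5[8], 6, 1873313359)
    v9 = _0x51b732(v9, v6, v7, v8, v5[15], 10, -30611744)
    v8 = _0x51b732(v8, v9, v6, v7, v5[6], 15, -1560198380)
    v7 = _0x51b732(v7, v8, v9, v6, v5[13], 21, 1309151649)
    v6 = _0x51b732(v6, v7, v8, v9, v5[4], 6, -145523070)
    v9 = _0x51b732(v9, v6, v7, v8, v5[11], 10, -1120210379)
    v8 = _0x51b732(v8, v9, v6, v7, v5[2], 15, 718787259)
    v7 = _0x51b732(v7, v8, v9, v6, v5[9], 21, -343485551)

    # Feed-forward: add the original operand halves back in, then fold the
    # four registers into a 64-bit result by XOR-ing them pairwise.
    high = _0x9454c1(v7, p3 & 0xffffffff) ^ _0x9454c1(v9, p4 & 0xffffffff)
    low = _0x9454c1(v6, p3 >> 32) ^ _0x9454c1(v8, p4 >> 32)
    ret = (high << 32) | low
    return ret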
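def _0xf394f3(p3):
    """Substitute and reorder the eight low bytes of *p3*.

    Each of the eight low bytes of *p3* is replaced through the 256-entry
    table ``v4`` and placed at a new byte position.  Anything above bit 63
    is ignored, so the result always fits in 64 bits.

    The page listing had lost its square brackets and several line breaks
    (``v4v9`` for ``v4[v9]``); they are restored here so the code parses.
    """
    # Byte substitution table (256 entries).
    v4 = [
        188, 108, 161, 166, 29, 146, 220, 92, 57, 70, 74, 129, 48, 104, 66, 213,
        158, 54, 183, 148, 40, 210, 27, 93, 42, 78, 101, 28, 136, 127, 113, 249,
        31, 95, 117, 211, 102, 51, 26, 228, 76, 12, 227, 132, 98, 99, 229, 206,
        238, 17, 149, 23, 59, 55, 202, 128, 5, 184, 237, 164, 147, 125, 170, 16,
        142, 195, 193, 13, 134, 177, 236, 187, 209, 106, 205, 9, 1, 85, 150, 131,
        168, 6, 239, 119, 217, 41, 245, 112, 240, 252, 138, 155, 68, 53, 208, 46,
        230, 182, 222, 196, 225, 4, 14, 174, 223, 45, 72, 218, 38, 118, 172, 224,
        231, 80, 97, 215, 160, 7, 105, 145, 156, 186, 30, 111, 219, 173, 81, 130,
        120, 254, 79, 90, 61, 191, 157, 63, 167, 251, 143, 250, 234, 39, 109, 0,
        126, 10, 62, 175, 43, 58, 212, 50, 163, 88, 190, 35, 77, 235, 110, 33,
        52, 44, 185, 192, 96, 221, 56, 65, 22, 116, 140, 242, 197, 123, 100, 162,
        200, 176, 241, 32, 246, 199, 115, 133, 25, 151, 178, 89, 243, 144, 87, 248,
        165, 179, 216, 15, 137, 114, 255, 180, 73, 24, 67, 37, 94, 75, 107, 69,
        121, 34, 122, 169, 8, 201, 194, 82, 181, 214, 203, 20, 91, 64, 103, 189,
        198, 36, 19, 139, 244, 154, 60, 159, 232, 152, 49, 71, 3, 2, 233, 21,
        171, 226, 124, 253, 83, 11, 84, 247, 204, 135, 86, 153, 47, 207, 141, 18,
    ]
    # Split the operand into its eight low bytes, least significant first.
    v5 = p3 & 0xff
    v6 = (p3 >> 8) & 0xff
    v7 = (p3 >> 16) & 0xff
    v8 = (p3 >> 24) & 0xff
    v9 = (p3 >> 32) & 0xff
    v10 = (p3 >> 40) & 0xff
    v11 = (p3 >> 48) & 0xff
    v12 = (p3 >> 56) & 0xff
    # Output byte order (low to high) takes input bytes 4, 6, 3, 2, 0, 7, 1, 5.
    v13 = (
        v4[v9]
        + (v4[v11] << 8)
        + (v4[v8] << 16)
        + (v4[v7] << 24)
        + (v4[v5] << 32)
        + (v4[v12] << 40)
        + (v4[v6] << 48)
        + (v4[v10] << 56)
    )
    return v13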
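def rev_0xf394f3(p3):
    """Invert ``_0xf394f3``: undo the byte substitution and reordering.

    Each of the eight low bytes of *p3* is mapped back through the table
    with ``v4.index`` and returned to the position it came from.  Bits
    above 63 are ignored and a negative *p3* is read through its low
    64 bits, so the result is always in the range 0 .. 2**64 - 1.

    The page listing had lost the list brackets and a line break after the
    table; they are restored here so the code parses.
    """
    # Same substitution table as the forward transform.
    v4 = [
        188, 108, 161, 166, 29, 146, 220, 92, 57, 70, 74, 129, 48, 104, 66, 213,
        158, 54, 183, 148, 40, 210, 27, 93, 42, 78, 101, 28, 136, 127, 113, 249,
        31, 95, 117, 211, 102, 51, 26, 228, 76, 12, 227, 132, 98, 99, 229, 206,
        238, 17, 149, 23, 59, 55, 202, 128, 5, 184, 237, 164, 147, 125, 170, 16,
        142, 195, 193, 13, 134, 177, 236, 187, 209, 106, 205, 9, 1, 85, 150, 131,
        168, 6, 239, 119, 217, 41, 245, 112, 240, 252, 138, 155, 68, 53, 208, 46,
        230, 182, 222, 196, 225, 4, 14, 174, 223, 45, 72, 218, 38, 118, 172, 224,
        231, 80, 97, 215, 160, 7, 105, 145, 156, 186, 30, 111, 219, 173, 81, 130,
        120, 254, 79, 90, 61, 191, 157, 63, 167, 251, 143, 250, 234, 39, 109, 0,
        126, 10, 62, 175, 43, 58, 212, 50, 163, 88, 190, 35, 77, 235, 110, 33,
        52, 44, 185, 192, 96, 221, 56, 65, 22, 116, 140, 242, 197, 123, 100, 162,
        200, 176, 241, 32, 246, 199, 115, 133, 25, 151, 178, 89, 243, 144, 87, 248,
        165, 179, 216, 15, 137, 114, 255, 180, 73, 24, 67, 37, 94, 75, 107, 69,
        121, 34, 122, 169, 8, 201, 194, 82, 181, 214, 203, 20, 91, 64, 103, 189,
        198, 36, 19, 139, 244, 154, 60, 159, 232, 152, 49, 71, 3, 2, 233, 21,
        171, 226, 124, 253, 83, 11, 84, 247, 204, 135, 86, 153, 47, 207, 141, 18,
    ]
    # Look up the table position of every byte, least significant first.
    v5 = v4.index(p3 & 0xff)
    v6 = v4.index((p3 >> 8) & 0xff)
    v7 = v4.index((p3 >> 16) & 0xff)
    v8 = v4.index((p3 >> 24) & 0xff)
    v9 = v4.index((p3 >> 32) & 0xff)
    v10 = v4.index((p3 >> 40) & 0xff)
    v11 = v4.index((p3 >> 48) & 0xff)
    v12 = v4.index((p3 >> 56) & 0xff)
    # Put each recovered byte back where the forward transform read it.
    v13 = v9 | (v11 << 8) | (v8 << 16) | (v7 << 24) | (v5 << 32) | (v12 << 40) | (v6 << 48) | (v10 << 56)
    return v13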
def _0x14d338(p3):
    """Derive the next value of the third check operand from *p3*.

    The low byte of *p3* is moved to bits 56-63 and the remainder is
    shifted down by 8.  That value and *p3* are passed to ``_0x1b516f``
    and the result is truncated to 64 bits.
    """
    low_byte_on_top = (p3 & 0xFF) << 56
    shifted = low_byte_on_top | (p3 >> 8)
    return _0x1b516f(p3, shifted) & 0xFFFF_FFFF_FFFF_FFFF
def _0x1b516f(p3, p4):
    """Mix *p3* with *p4* through multiplications, byte masks and XORs.

    Nothing is truncated here: intermediate products grow as Python
    integers and the caller is expected to mask the result.
    """
    even_bytes = 0x00FF00FF00FF00FF
    odd_bytes = 0xFF00FF00FF00FF00
    acc = ((p3 ^ p4) * p4) >> 32
    acc = (acc * p3 * p3) & even_bytes
    acc = ((acc * p4) << 32) ^ p3
    acc = (acc * p4) & odd_bytes
    acc = (acc * p4) ^ p3
    return (acc * p4) ^ p3
def _0x269b08(p3, p4, p5, p6, p7):
    """Run the 13100-round transform and compare the result to the targets.

    Each round substitutes the bytes of *p3*, derives an increment from
    ``p3 - p4`` and *p5*, adds that increment to both *p3* and *p4*, and
    advances *p5*.  After the loop *p3* is substituted once more and the
    pair is compared against *p6* and *p7*.  Both intermediate values are
    printed for debugging.
    """
    for _ in range(13100):
        p3 = _0xf394f3(p3)
        delta = _0x4a21e0(p3 - p4, p5)
        # Both values get the same increment, so p3 - p4 is unchanged by
        # this pair of updates; every round can therefore be undone by
        # recomputing the increment from the outputs.
        p3 += delta
        p4 += delta
        p5 = _0x14d338(p5)
    p3 = _0xf394f3(p3)
    print('p3, p6', p3, p6)
    print('p4, p7', p4, p7)
    # NOTE(review): `or` accepts a match on either value alone; the page
    # warns the decompiler output is unreliable, so confirm against the
    # original whether `and` was intended.
    # NOTE(review): p4 is never wrapped here because Python integers are
    # unbounded; if the original runtime uses fixed-width integers the
    # exact comparison on p4 may behave differently -- confirm.
    return p3 == p6 or p4 == p7
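def rev_0x269b08(p5, p6, p7):
    """Invert ``_0x269b08``: recover the starting (p3, p4) for given targets.

    Args:
        p5: the initial third operand (known, derived from 'Codegate').
        p6: target value for the final p3.
        p7: target value for the final p4.

    Returns:
        The pair (p3, p4) that the forward loop maps to (p6, p7).

    The forward loop is invertible because nothing in it depends on a
    secret: the p5 sequence can be replayed from its known start, and the
    increment added to p3 and p4 in each round depends only on p5 and on
    ``p3 - p4``, which the round leaves unchanged.

    Fix: the listing collected the per-round p5 values in ``p5s`` but then
    used the single post-loop p5 for every round.  Each round must be
    undone with the p5 the forward loop used in that round, i.e. ``p5s``
    in reverse order.
    """
    # Replay the forward p5 sequence so each round's value is available.
    p5s = []
    for _ in range(13100):
        p5s.append(p5)
        p5 = _0x14d338(p5)
    # Undo the final substitution applied after the forward loop.
    p3 = rev_0xf394f3(p6)
    p4 = p7
    # Walk the rounds from last to first.
    for round_p5 in reversed(p5s):
        v9 = _0x4a21e0(p3 - p4, round_p5)
        p3 -= v9
        p4 -= v9
        # p3 may be negative here; the inverse substitution reads only
        # its low 64 bits.
        p3 = rev_0xf394f3(p3)
    return p3, p4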
def _0x20a518(s):
    """Pack an 8-character string into an integer, one byte per character.

    Each character contributes its position in the 62-symbol alphabet
    (a-z, A-Z, 0-9); any other character contributes 0xff.  The first
    character ends up in the most significant byte.  Strings whose length
    is not exactly 8 pack to 0.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    if len(s) != 8:
        return 0
    packed = 0
    for ch in s:
        position = alphabet.find(ch)
        digit = 0xff if position < 0 else position
        packed = packed * 256 + digit
    return packed
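def rev_0x20a518(x):
    """Turn a packed integer back into alphabet characters.

    Bytes are consumed from the least significant end; each byte is
    reduced modulo 62 and mapped to the alphabet a-z, A-Z, 0-9.  The loop
    stops when the remaining value is 0 or -1 (the latter is where floor
    division of a negative value settles), so leading zero bytes -- which
    would decode to 'a' -- are not emitted and the result can be shorter
    than 8 characters.

    The page listing had lost the subscript brackets and a line break;
    they are restored here so the code parses.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    res = ''
    while x != 0 and x != -1:
        # `% 62` keeps out-of-alphabet byte values inside the table.
        res = alphabet[(x & 0xff) % 62] + res
        x //= 256
    return res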
# Driver: invert the check for the fixed targets, show the recovered
# values, then run them through the forward check as a sanity test.
_TARGETS = (12307354521613678656, 2224992992374123453)
ctfname = _0x20a518('Codegate')
username, final_word = rev_0x269b08(ctfname, *_TARGETS)
print(hex(username), hex(final_word))
print(rev_0x20a518(username), rev_0x20a518(final_word))
# Expected to print True when the inversion is consistent with the model.
print(_0x269b08(username, final_word, ctfname, *_TARGETS))