CloudVM - IrisCTF 2024
独自のアーキテクチャの実行環境とバイナリのみが提供される
ISAもバイナリのフォーマットもわからないので調べる必要がある
バイナリが2種類配布されるので、これを見比べると概ねフォーマットがわかる
また、実行環境も提供されるので実行結果とにらめっこして命令を調べる
標準出力と足し算を行うexample.binがあり、これで概ねの命令フォーマットがわかる
ヒントとしてちょうどよかったArata.icon
00などの不正な命令を含めるとレジスタとメモリをダンプして終了するのでこれも利用する
そうして以下のようなバイナリのディスアセンブラができる
code: parse.py
import sys
import binascii
from pwn import *
# Module-level tables shared between the driver and `disas`: `funcs` maps a
# function-table entry's file offset to (code start, name); `strs` is what
# `disas` consults to resolve `puts <offset>` into the string literal.
funcs, strs = {}, {}
def disas(code, base):
# Print one line per instruction of `code`, prefixed with its file offset
# (`base` + position inside `code`); the output format is the one shown in
# the michaelpaint.bin.disas dump further down the page.
# NOTE(review): this listing lost several lines in extraction: the reads that
# set `op`, `index`, `index1` and `index2` (presumably one byte each from
# `f`), the bodies of the 0xd3/0xd4/0xd5 cases, the `strs` branch under 0xd0
# and the `call` print under 0xf0. Instruction sizes can be read off the
# dump: `mov rX, imm` is 6 bytes (0x281 -> 0x287), `mov rX, rY` 3 bytes
# (0x315 -> 0x318), the two-operand ALU ops 2 bytes (0x29e -> 0x2a0),
# `puts`/`jmp`/`call` 5 bytes, the conditional jumps 6 bytes
# (0x2a8 -> 0x2ae) and `ret`/`halt` 1 byte.
# `BytesIO`, `u32` and `u16` are not imported explicitly; they presumably
# come in through `from pwn import *`.
f = BytesIO(code)
while f.tell() < len(code):
print(f'0x{base + f.tell():x}: ', end='')
match op:
# 0xc0/0xc1: register-to-register and immediate moves. Every ALU op below
# is two-address with r8 as the implicit destination.
case 0xc0:
print(f'mov r{index1}, r{index2}')
case 0xc1:
# u32 unpacks a 32-bit integer (little-endian under pwntools' default context).
imm = u32(f.read(4))
print(f'mov r{index}, 0x{imm:x}')
case 0xc2:
print(f'add r8, r{index}')
case 0xc3:
print(f'sub r8, r{index}')
case 0xc4:
print(f'mul r8, r{index}')
case 0xc5:
print(f'div r8, r{index}')
case 0xc6:
print(f'and r8, r{index}')
case 0xc7:
print(f'or r8, r{index}')
case 0xc8:
print(f'xor r8, r{index}')
case 0xc9:
print(f'shl r8, r{index}')
case 0xca:
print(f'shr r8, r{index}')
case 0xd0:
# puts by file offset into the string table; when the offset is known the
# literal itself is printed (that print is missing from this listing).
offset = u32(f.read(4))
if offset in strs:
else:
print(f'puts 0x{offset:x}')
case 0xd2:
print(f'puts r{index}')
# 0xd3-0xd5: bodies missing from this listing. The dump has unlabelled gaps
# of 5 bytes (0x287 -> 0x292, after `mov r1, 0x1`) and 2 bytes
# (0x542 -> 0x54a inside strlen, the target of `jmp 0x548`), so these cases
# have at least two different operand widths - presumably the input/memory
# accesses the paint loop relies on, but that is not visible here.
case 0xd3:
case 0xd4:
case 0xd5:
case 0xe0:
addr = u32(f.read(4))
print(f'jmp 0x{addr:x}')
case 0xe1:
# The conditional jumps appear to compare r{index} against r8 (main does
# `sub r8, r1; mov r0, 0x1; jmp_eq ..., r0`); the operand order inside the
# 6-byte encoding is not visible in this listing.
addr = u32(f.read(4))
print(f'jmp_ne 0x{addr:x}, r{index}')
case 0xe2:
addr = u32(f.read(4))
print(f'jmp_eq 0x{addr:x}, r{index}')
case 0xe5:
# Label left tentative by the author. render uses it at 0x500/0x517 with
# r8 = 0x10 as a loop bound, so it looks like a loop-back compare against
# r8 - exact condition unconfirmed.
addr = u32(f.read(4))
print(f'jmp(e5)? 0x{addr:x}, r{index}')
case 0xf0:
# call: the dump prints the callee's name (`call b'paint'`), so `target` is
# resolved through `funcs`; that print is missing from this listing.
target = u32(f.read(4))
case 0xf1:
print('ret')
case 0xf2:
print('halt')
case _:
print(f'unknown op: {op:x}')
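# Driver: walk the container (magic, function table, string table, code) and
# disassemble each function. Usage: python parse.py <binary>
# Index expressions in this listing lost their brackets in extraction and
# several statements were fused onto one line; `sys.argv[1]`, `funcs[pos]`,
# `func_list[i + 1][0] - func_list[i][0]` and `func_list[i][1]` are the only
# readings consistent with the surrounding code and are restored here.
with open(sys.argv[1], 'rb') as f:
    magic = f.read(4)
    print('----- function')
    # Function table: entry count, then per entry a u32 code offset, a u16
    # name length and the name bytes. Keyed by the entry's own file offset,
    # which is what the dump prints (0x8: b'main' from 0x26d).
    func_num = u32(f.read(4))
    for i in range(func_num):
        pos = f.tell()
        func_start = u32(f.read(4))
        funcname_len = u16(f.read(2))
        funcname = f.read(funcname_len)
        print(f'0x{pos:x}: {funcname} from 0x{func_start:x}')
        funcs[pos] = (func_start, funcname)
    print('----- string')
    # NOTE(review): `first_func_start` is not assigned anywhere in the
    # original listing (its definition was lost). The string table runs up
    # to the first function's code (0x26d in the michaelpaint dump), so the
    # lowest code offset in the function table is used as the bound.
    first_func_start = min(start for start, _ in funcs.values())
    while f.tell() < first_func_start:
        pos = f.tell()
        str_len = u16(f.read(2))
        str_data = f.read(str_len)
        print(f'0x{pos:x}: {str_data}')
        # `disas` resolves `puts <offset>` through `strs`; the listing no
        # longer shows where it is filled. Keying by file offset is what the
        # dump's `puts b'michael paint v1\n'` lines imply.
        strs[pos] = str_data
    print('----- code')
    func_list = list(funcs.values())
    # Sentinel so the last function's size reaches end of file.
    func_list.append((0x10000000, b''))
    # Assumes the function table is ordered by code offset (true for the
    # michaelpaint dump); an unordered table would give a negative size and
    # make f.read() consume the rest of the file.
    for i in range(len(func_list) - 1):
        pos = f.tell()
        func_size = func_list[i + 1][0] - func_list[i][0]
        code = f.read(func_size)
        print(f'--- 0x{pos:x}: {func_list[i][1]} ---')
        disas(code, pos)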
次に問題のmichaelpaint.binを見る
CLIで動作するペイントソフトらしい
文字列を見るに条件を満たすような特定の絵を描くとフラグがわかるらしい
さっきのディスアセンブラを使って読む
code: michaelpaint.bin.disas
----- function
0x8: b'main' from 0x26d
0x12: b'paint' from 0x2e5
0x1d: b'read_xinput' from 0x33c
0x2e: b'read_yinput' from 0x370
0x3f: b'read_otherinput' from 0x3a4
0x54: b'render' from 0x404
0x60: b'about' from 0x528
0x6b: b'strlen' from 0x533
0x77: b'suSsY' from 0x565
0x82: b'SUssY' from 0xa8d
0x8d: b'A' from 0xaec
----- string
0x94: b'michael paint v1\n'
0xa7: b' 1. new image\n'
0xb8: b' 2. about\n'
0xc5: b' 3. exit\n'
0xd1: b'Invalid command.\n'
0xe4: b'paint'
0xeb: b'about'
0xf2: b'render'
0xfa: b'read_xinput'
0x107: b'read_yinput'
0x114: b'read_otherinput'
0x125: b'suSsY'
0x12c: b'\x1b[2J\n'
0x133: b'\x1b[40m\n'
0x13b: b'\x1b[43m+'
0x143: b'\x1b[40m.'
0x14b: b'\x1b[41m.'
0x153: b'\x1b[42m.'
0x15b: b'\x1b[43m.'
0x163: b'\x1b[44m.'
0x16b: b'\x1b[45m.'
0x173: b'\x1b[46m.'
0x17b: b'\x1b[47m.'
0x183: b'\x1b[40m?'
0x18b: b'\x1b[0m \n'
0x193: b'w: up, s: down, a: left, d: right, c: color >, v: color <\n'
0x1cf: b'michael paint v1 shareware edition\n'
0x1f4: b'by michaelsoft corp\n\n'
0x20b: b'SUssY'
0x212: b'Success! You have the right image! Wrap the name of this thing in irisctf{}\n'
0x260: b'test string'
----- code
--- 0x26d: b'main' ---
0x26d: puts b'michael paint v1\n'
0x272: puts b' 1. new image\n'
0x277: puts b' 2. about\n'
0x27c: puts b' 3. exit\n'
0x281: mov r0, 0x160
0x287: mov r1, 0x1
0x292: mov r0, 0xff
0x298: mov r1, 0x30
0x29e: and r8, r0
0x2a0: sub r8, r1
0x2a2: mov r0, 0x1
0x2a8: jmp_eq 0x2d0, r0
0x2ae: mov r0, 0x2
0x2b4: jmp_eq 0x2da, r0
0x2ba: mov r0, 0x3
0x2c0: jmp_eq 0x2e4, r0
0x2c6: puts b'Invalid command.\n'
0x2cb: jmp 0x26d
0x2d0: call b'paint'
0x2d5: jmp 0x26d
0x2da: call b'about'
0x2df: jmp 0x26d
0x2e4: halt
--- 0x2e5: b'paint' ---
0x2e5: mov r5, 0x0
0x2eb: mov r6, 0x0
0x2f1: call b'render'
0x2f6: mov r0, 0x160
0x2fc: mov r1, 0x1
0x302: mov r2, 0xff
0x308: mov r3, 0xf
0x313: and r8, r2
0x315: mov r0, r8
0x318: call b'read_xinput'
0x31d: and r8, r3
0x31f: mov r5, r8
0x322: call b'read_yinput'
0x327: and r8, r3
0x329: mov r6, r8
0x32c: call b'read_otherinput'
0x331: call b'suSsY'
0x336: jmp 0x2f1
0x33b: ret
--- 0x33c: b'read_xinput' ---
0x33c: mov r8, r0
0x33f: mov r0, 0x61
0x345: mov r1, 0x64
0x34b: jmp_ne 0x35d, r0
0x351: mov r8, r5
0x354: mov r5, 0x1
0x35a: sub r8, r5
0x35c: ret
0x35d: jmp_ne 0x36c, r1
0x363: mov r8, 0x1
0x369: add r8, r5
0x36b: ret
0x36c: mov r8, r5
0x36f: ret
--- 0x370: b'read_yinput' ---
0x370: mov r8, r0
0x373: mov r0, 0x77
0x379: mov r1, 0x73
0x37f: jmp_ne 0x391, r0
0x385: mov r8, r6
0x388: mov r6, 0x1
0x38e: sub r8, r6
0x390: ret
0x391: jmp_ne 0x3a0, r1
0x397: mov r8, 0x1
0x39d: add r8, r6
0x39f: ret
0x3a0: mov r8, r6
0x3a3: ret
--- 0x3a4: b'read_otherinput' ---
0x3a4: mov r8, r0
0x3a7: mov r0, 0x63
0x3ad: mov r1, 0x76
0x3b3: mov r2, 0x4
0x3b9: jmp_ne 0x3de, r0
0x3bf: mov r8, r6
0x3c2: shl r8, r2
0x3c4: add r8, r5
0x3c6: mov r3, r8
0x3cb: mov r4, 0x1
0x3d1: add r8, r4
0x3d3: mov r4, 0xffffff07
0x3d9: and r8, r4
0x3dd: ret
0x3de: jmp_ne 0x403, r1
0x3e4: mov r8, r6
0x3e7: shl r8, r2
0x3e9: add r8, r5
0x3eb: mov r3, r8
0x3f0: mov r4, 0x7
0x3f6: add r8, r4
0x3f8: mov r4, 0xffffff07
0x3fe: and r8, r4
0x402: ret
0x403: ret
--- 0x404: b'render' ---
0x404: mov r2, 0x4
0x40a: mov r3, 0x1
0x410: puts b'\x1b[2J\n'
0x415: mov r0, 0x0
0x41b: mov r1, 0x0
0x421: puts b'\x1b[40m\n'
0x426: mov r8, r0
0x429: jmp_ne 0x442, r6
0x42f: mov r8, r1
0x432: jmp_ne 0x442, r5
0x438: puts b'\x1b[43m+'
0x43d: jmp 0x4ef
0x442: mov r8, r0
0x445: shl r8, r2
0x447: add r8, r1
0x44b: mov r4, 0xff
0x451: and r8, r4
0x453: mov r4, r8
0x456: mov r8, 0x0
0x45c: jmp_ne 0x46c, r4
0x462: puts b'\x1b[40m.'
0x467: jmp 0x4ef
0x46c: add r8, r3
0x46e: jmp_ne 0x47e, r4
0x474: puts b'\x1b[41m.'
0x479: jmp 0x4ef
0x47e: add r8, r3
0x480: jmp_ne 0x490, r4
0x486: puts b'\x1b[42m.'
0x48b: jmp 0x4ef
0x490: add r8, r3
0x492: jmp_ne 0x4a2, r4
0x498: puts b'\x1b[43m.'
0x49d: jmp 0x4ef
0x4a2: add r8, r3
0x4a4: jmp_ne 0x4b4, r4
0x4aa: puts b'\x1b[44m.'
0x4af: jmp 0x4ef
0x4b4: add r8, r3
0x4b6: jmp_ne 0x4c6, r4
0x4bc: puts b'\x1b[45m.'
0x4c1: jmp 0x4ef
0x4c6: add r8, r3
0x4c8: jmp_ne 0x4d8, r4
0x4ce: puts b'\x1b[46m.'
0x4d3: jmp 0x4ef
0x4d8: add r8, r3
0x4da: jmp_ne 0x4ea, r4
0x4e0: puts b'\x1b[47m.'
0x4e5: jmp 0x4ef
0x4ea: puts b'\x1b[40m?'
0x4ef: mov r8, 0x1
0x4f5: add r8, r1
0x4f7: mov r1, r8
0x4fa: mov r8, 0x10
0x500: jmp(e5)? 0x426, r1
0x506: mov r8, 0x1
0x50c: add r8, r0
0x50e: mov r0, r8
0x511: mov r8, 0x10
0x517: jmp(e5)? 0x41b, r0
0x51d: puts b'\x1b[0m \n'
0x522: puts b'w: up, s: down, a: left, d: right, c: color >, v: color <\n'
0x527: ret
--- 0x528: b'about' ---
0x528: puts b'michael paint v1 shareware edition\n'
0x52d: puts b'by michaelsoft corp\n\n'
0x532: ret
--- 0x533: b'strlen' ---
0x533: mov r1, r0
0x536: mov r2, 0xff
0x53c: mov r3, 0x0
0x542: mov r4, 0x1
0x54a: and r8, r2
0x54c: jmp_eq 0x55f, r3
0x552: mov r8, r0
0x555: add r8, r4
0x557: mov r0, r8
0x55a: jmp 0x548
0x55f: mov r8, r0
0x562: sub r8, r1
0x564: ret
--- 0x565: b'suSsY' ---
0x565: mov r0, 0x23
0x56b: mov r1, 0x85a8
0x571: mov r2, 0x94b8
0x577: call b'SUssY'
0x57c: jmp_ne 0xa8c, r2
0x582: mov r0, 0x27
0x588: mov r1, 0xe27d
0x58e: mov r2, 0xf36c
0x594: call b'SUssY'
0x599: jmp_ne 0xa8c, r2
0x59f: mov r0, 0x2b
0x5a5: mov r1, 0x57ce
0x5ab: mov r2, 0x56cf
0x5b1: call b'SUssY'
0x5b6: jmp_ne 0xa8c, r2
0x5bc: mov r0, 0x33
0x5c2: mov r1, 0x17c8
0x5c8: mov r2, 0x6d9
0x5ce: call b'SUssY'
0x5d3: jmp_ne 0xa8c, r2
0x5d9: mov r0, 0x37
0x5df: mov r1, 0x171e
0x5e5: mov r2, 0x60f
0x5eb: call b'SUssY'
0x5f0: jmp_ne 0xa8c, r2
0x5f6: mov r0, 0x3b
0x5fc: mov r1, 0x1cdd
0x602: mov r2, 0x1dcc
0x608: call b'SUssY'
0x60d: jmp_ne 0xa8c, r2
0x613: mov r0, 0x43
0x619: mov r1, 0xe0c3
0x61f: mov r2, 0xe1c2
0x625: call b'SUssY'
0x62a: jmp_ne 0xa8c, r2
0x630: mov r0, 0x47
0x636: mov r1, 0x831
0x63c: mov r2, 0x831
0x642: call b'SUssY'
0x647: jmp_ne 0xa8c, r2
0x64d: mov r0, 0x4b
0x653: mov r1, 0xc995
0x659: mov r2, 0xc885
0x65f: call b'SUssY'
0x664: jmp_ne 0xa8c, r2
0x66a: mov r0, 0x53
0x670: mov r1, 0xc719
0x676: mov r2, 0xd618
0x67c: call b'SUssY'
0x681: jmp_ne 0xa8c, r2
0x687: mov r0, 0x57
0x68d: mov r1, 0x9ecb
0x693: mov r2, 0xcc88
0x699: call b'SUssY'
0x69e: jmp_ne 0xa8c, r2
0x6a4: mov r0, 0x5b
0x6aa: mov r1, 0x1b5a
0x6b0: mov r2, 0x1a4a
0x6b6: call b'SUssY'
0x6bb: jmp_ne 0xa8c, r2
0x6c1: mov r0, 0x63
0x6c7: mov r1, 0xf2a
0x6cd: mov r2, 0x1e2b
0x6d3: call b'SUssY'
0x6d8: jmp_ne 0xa8c, r2
0x6de: mov r0, 0x67
0x6e4: mov r1, 0x9cac
0x6ea: mov r2, 0xceef
0x6f0: call b'SUssY'
0x6f5: jmp_ne 0xa8c, r2
0x6fb: mov r0, 0x6b
0x701: mov r1, 0x9c8a
0x707: mov r2, 0x9d9a
0x70d: call b'SUssY'
0x712: jmp_ne 0xa8c, r2
0x718: mov r0, 0x73
0x71e: mov r1, 0x2ed5
0x724: mov r2, 0x2fd4
0x72a: call b'SUssY'
0x72f: jmp_ne 0xa8c, r2
0x735: mov r0, 0x77
0x73b: mov r1, 0x6b5d
0x741: mov r2, 0x6b5d
0x747: call b'SUssY'
0x74c: jmp_ne 0xa8c, r2
0x752: mov r0, 0x7b
0x758: mov r1, 0x13a9
0x75e: mov r2, 0x12b9
0x764: call b'SUssY'
0x769: jmp_ne 0xa8c, r2
0x76f: mov r0, 0x83
0x775: mov r1, 0xab96
0x77b: mov r2, 0xba87
0x781: call b'SUssY'
0x786: jmp_ne 0xa8c, r2
0x78c: mov r0, 0x87
0x792: mov r1, 0xc359
0x798: mov r2, 0xd248
0x79e: call b'SUssY'
0x7a3: jmp_ne 0xa8c, r2
0x7a9: mov r0, 0x8b
0x7af: mov r1, 0xf24c
0x7b5: mov r2, 0xf35d
0x7bb: call b'SUssY'
0x7c0: jmp_ne 0xa8c, r2
0x7c6: mov r0, 0x93
0x7cc: mov r1, 0xa417
0x7d2: mov r2, 0xd506
0x7d8: call b'SUssY'
0x7dd: jmp_ne 0xa8c, r2
0x7e3: mov r0, 0x97
0x7e9: mov r1, 0xeb9f
0x7ef: mov r2, 0xfa8e
0x7f5: call b'SUssY'
0x7fa: jmp_ne 0xa8c, r2
0x800: mov r0, 0x9b
0x806: mov r1, 0xbe0
0x80c: mov r2, 0xaf1
0x812: call b'SUssY'
0x817: jmp_ne 0xa8c, r2
0x81d: mov r0, 0xa3
0x823: mov r1, 0x3ba9
0x829: mov r2, 0x4ad8
0x82f: call b'SUssY'
0x834: jmp_ne 0xa8c, r2
0x83a: mov r0, 0xa7
0x840: mov r1, 0xceb
0x846: mov r2, 0x7dfc
0x84c: call b'SUssY'
0x851: jmp_ne 0xa8c, r2
0x857: mov r0, 0xab
0x85d: mov r1, 0x9264
0x863: mov r2, 0x9375
0x869: call b'SUssY'
0x86e: jmp_ne 0xa8c, r2
0x874: mov r0, 0xb3
0x87a: mov r1, 0x52af
0x880: mov r2, 0x23be
0x886: call b'SUssY'
0x88b: jmp_ne 0xa8c, r2
0x891: mov r0, 0xb7
0x897: mov r1, 0x619f
0x89d: mov r2, 0x708e
0x8a3: call b'SUssY'
0x8a8: jmp_ne 0xa8c, r2
0x8ae: mov r0, 0xbb
0x8b4: mov r1, 0xd30d
0x8ba: mov r2, 0xd21a
0x8c0: call b'SUssY'
0x8c5: jmp_ne 0xa8c, r2
0x8cb: mov r0, 0xc3
0x8d1: mov r1, 0x1e15
0x8d7: mov r2, 0xf04
0x8dd: call b'SUssY'
0x8e2: jmp_ne 0xa8c, r2
0x8e8: mov r0, 0xc7
0x8ee: mov r1, 0x9a87
0x8f4: mov r2, 0x8b96
0x8fa: call b'SUssY'
0x8ff: jmp_ne 0xa8c, r2
0x905: mov r0, 0xcb
0x90b: mov r1, 0x731f
0x911: mov r2, 0x720e
0x917: call b'SUssY'
0x91c: jmp_ne 0xa8c, r2
0x922: mov r0, 0xd3
0x928: mov r1, 0x137b
0x92e: mov r2, 0x26a
0x934: call b'SUssY'
0x939: jmp_ne 0xa8c, r2
0x93f: mov r0, 0xd7
0x945: mov r1, 0xf0b4
0x94b: mov r2, 0xe196
0x951: call b'SUssY'
0x956: jmp_ne 0xa8c, r2
0x95c: mov r0, 0xdb
0x962: mov r1, 0x5240
0x968: mov r2, 0x5351
0x96e: call b'SUssY'
0x973: jmp_ne 0xa8c, r2
0x979: mov r0, 0xe3
0x97f: mov r1, 0xf41a
0x985: mov r2, 0xe50a
0x98b: call b'SUssY'
0x990: jmp_ne 0xa8c, r2
0x996: mov r0, 0xe7
0x99c: mov r1, 0x1637
0x9a2: mov r2, 0x726
0x9a8: call b'SUssY'
0x9ad: jmp_ne 0xa8c, r2
0x9b3: mov r0, 0xeb
0x9b9: mov r1, 0xe91c
0x9bf: mov r2, 0xe81d
0x9c5: call b'SUssY'
0x9ca: jmp_ne 0xa8c, r2
0x9d0: mov r0, 0xf3
0x9d6: mov r1, 0xf3c3
0x9dc: mov r2, 0xf3c3
0x9e2: call b'SUssY'
0x9e7: jmp_ne 0xa8c, r2
0x9ed: mov r0, 0xf7
0x9f3: mov r1, 0xaabe
0x9f9: mov r2, 0xaabe
0x9ff: call b'SUssY'
0xa04: jmp_ne 0xa8c, r2
0xa0a: mov r0, 0xfb
0xa10: mov r1, 0xb3cc
0xa16: mov r2, 0xb3cc
0xa1c: call b'SUssY'
0xa21: jmp_ne 0xa8c, r2
0xa27: mov r0, 0x103
0xa2d: mov r1, 0x2601
0xa33: mov r2, 0x2601
0xa39: call b'SUssY'
0xa3e: jmp_ne 0xa8c, r2
0xa44: mov r0, 0x107
0xa4a: mov r1, 0xc244
0xa50: mov r2, 0xc244
0xa56: call b'SUssY'
0xa5b: jmp_ne 0xa8c, r2
0xa61: mov r0, 0x10b
0xa67: mov r1, 0x3d7b
0xa6d: mov r2, 0x3d7b
0xa73: call b'SUssY'
0xa78: jmp_ne 0xa8c, r2
0xa7e: puts b'Success! You have the right image! Wrap the name of this thing in irisctf{}\n'
0xa83: mov r0, 0x100
0xa8c: ret
--- 0xa8d: b'SUssY' ---
0xa8f: mov r2, r8
0xa92: mov r3, 0x8
0xa98: mov r4, r8
0xa9b: mov r5, r8
0xa9e: mov r8, r2
0xaa1: mov r3, 0xc
0xaa7: shr r8, r3
0xaa9: mov r6, r8
0xaac: mov r7, r8
0xaaf: mov r3, 0xff
0xab5: mov r8, r4
0xab8: and r8, r3
0xaba: mov r4, r8
0xabd: mov r8, r6
0xac0: and r8, r3
0xac2: mov r6, r8
0xac5: mov r3, 0xff00
0xacb: mov r8, r5
0xace: and r8, r3
0xad0: mov r5, r8
0xad3: mov r8, r7
0xad6: and r8, r3
0xad8: mov r7, r8
0xadb: mov r8, 0x0
0xae1: or r8, r4
0xae3: or r8, r5
0xae5: or r8, r6
0xae7: or r8, r7
0xae9: xor r8, r1
0xaeb: ret
--- 0xaec: b'A' ---
0xaec: ret
関数suSsYで何らかの判定を行っているので、この判定をパスする条件を考える
16x16のキャンバスのデータを4ピクセルずつ取り出して、関数SUssYで2バイトのデータにしてxorで比較している
関数SUssYは以下のような感じ
code: SUssY.py
def sussy(r0, r1):
    """Python model of the binary's SUssY routine.

    Packs the 32-bit word r0 into 16 bits and xors the result with r1.
    The low and high bytes of the word and of (word >> 12) are masked and
    OR-ed together, so result bits 0-7 hold word bits 0-7 | 12-19 and result
    bits 8-15 hold word bits 8-15 | 20-27. With each pixel byte carrying only
    a 3-bit colour (solve.py masks with 0x7), the four pixels land in disjoint
    nibbles: p0 -> bits 0-3, p2 -> 4-7, p1 -> 8-11, p3 -> 12-15, which is why
    the word can be recovered from the result. r0 is truncated to 32 bits;
    r1 is used as given.
    """
    word = r0 & 0xFFFFFFFF
    shifted = word >> 12
    low_half = (word & 0xFF) | (shifted & 0xFF)
    high_half = (word & 0xFF00) | (shifted & 0xFF00)
    return (low_half | high_half) ^ r1
図などを描いて考えてみると、この関数の戻り値からは4ピクセル分のデータを完全に復元できることがわかる
code: sussy
00 c1 00 c2 00 c3 00 c4
1111 1111 1111 1111 1111 1111 1111 1111 (キャンバスの4ピクセル分のデータ)
--------- r4
--------- r5
--------- r6
--------- r7
r4 | r5 | r6 | r7 = c1 c3 c2 c4
なので復元して、どのような絵になるかを確かめる
code: solve.py
# The suSsY check sequence (0x565..0xa73) copied verbatim from the
# michaelpaint.bin disassembly above. Every check is the same five
# instructions: mov r0, <cell address>; mov r1, <key>; mov r2, <expected>;
# call SUssY; jmp_ne 0xa8c, r2 - i.e. the packed word for the four pixels at
# r0, xored with r1, must equal r2. The replay loop below only looks at the
# `mov r0/r1/r2` and `call` lines.
prog = '''
0x565: mov r0, 0x23
0x56b: mov r1, 0x85a8
0x571: mov r2, 0x94b8
0x577: call b'SUssY'
0x57c: jmp_ne 0xa8c, r2
0x582: mov r0, 0x27
0x588: mov r1, 0xe27d
0x58e: mov r2, 0xf36c
0x594: call b'SUssY'
0x599: jmp_ne 0xa8c, r2
0x59f: mov r0, 0x2b
0x5a5: mov r1, 0x57ce
0x5ab: mov r2, 0x56cf
0x5b1: call b'SUssY'
0x5b6: jmp_ne 0xa8c, r2
0x5bc: mov r0, 0x33
0x5c2: mov r1, 0x17c8
0x5c8: mov r2, 0x6d9
0x5ce: call b'SUssY'
0x5d3: jmp_ne 0xa8c, r2
0x5d9: mov r0, 0x37
0x5df: mov r1, 0x171e
0x5e5: mov r2, 0x60f
0x5eb: call b'SUssY'
0x5f0: jmp_ne 0xa8c, r2
0x5f6: mov r0, 0x3b
0x5fc: mov r1, 0x1cdd
0x602: mov r2, 0x1dcc
0x608: call b'SUssY'
0x60d: jmp_ne 0xa8c, r2
0x613: mov r0, 0x43
0x619: mov r1, 0xe0c3
0x61f: mov r2, 0xe1c2
0x625: call b'SUssY'
0x62a: jmp_ne 0xa8c, r2
0x630: mov r0, 0x47
0x636: mov r1, 0x831
0x63c: mov r2, 0x831
0x642: call b'SUssY'
0x647: jmp_ne 0xa8c, r2
0x64d: mov r0, 0x4b
0x653: mov r1, 0xc995
0x659: mov r2, 0xc885
0x65f: call b'SUssY'
0x664: jmp_ne 0xa8c, r2
0x66a: mov r0, 0x53
0x670: mov r1, 0xc719
0x676: mov r2, 0xd618
0x67c: call b'SUssY'
0x681: jmp_ne 0xa8c, r2
0x687: mov r0, 0x57
0x68d: mov r1, 0x9ecb
0x693: mov r2, 0xcc88
0x699: call b'SUssY'
0x69e: jmp_ne 0xa8c, r2
0x6a4: mov r0, 0x5b
0x6aa: mov r1, 0x1b5a
0x6b0: mov r2, 0x1a4a
0x6b6: call b'SUssY'
0x6bb: jmp_ne 0xa8c, r2
0x6c1: mov r0, 0x63
0x6c7: mov r1, 0xf2a
0x6cd: mov r2, 0x1e2b
0x6d3: call b'SUssY'
0x6d8: jmp_ne 0xa8c, r2
0x6de: mov r0, 0x67
0x6e4: mov r1, 0x9cac
0x6ea: mov r2, 0xceef
0x6f0: call b'SUssY'
0x6f5: jmp_ne 0xa8c, r2
0x6fb: mov r0, 0x6b
0x701: mov r1, 0x9c8a
0x707: mov r2, 0x9d9a
0x70d: call b'SUssY'
0x712: jmp_ne 0xa8c, r2
0x718: mov r0, 0x73
0x71e: mov r1, 0x2ed5
0x724: mov r2, 0x2fd4
0x72a: call b'SUssY'
0x72f: jmp_ne 0xa8c, r2
0x735: mov r0, 0x77
0x73b: mov r1, 0x6b5d
0x741: mov r2, 0x6b5d
0x747: call b'SUssY'
0x74c: jmp_ne 0xa8c, r2
0x752: mov r0, 0x7b
0x758: mov r1, 0x13a9
0x75e: mov r2, 0x12b9
0x764: call b'SUssY'
0x769: jmp_ne 0xa8c, r2
0x76f: mov r0, 0x83
0x775: mov r1, 0xab96
0x77b: mov r2, 0xba87
0x781: call b'SUssY'
0x786: jmp_ne 0xa8c, r2
0x78c: mov r0, 0x87
0x792: mov r1, 0xc359
0x798: mov r2, 0xd248
0x79e: call b'SUssY'
0x7a3: jmp_ne 0xa8c, r2
0x7a9: mov r0, 0x8b
0x7af: mov r1, 0xf24c
0x7b5: mov r2, 0xf35d
0x7bb: call b'SUssY'
0x7c0: jmp_ne 0xa8c, r2
0x7c6: mov r0, 0x93
0x7cc: mov r1, 0xa417
0x7d2: mov r2, 0xd506
0x7d8: call b'SUssY'
0x7dd: jmp_ne 0xa8c, r2
0x7e3: mov r0, 0x97
0x7e9: mov r1, 0xeb9f
0x7ef: mov r2, 0xfa8e
0x7f5: call b'SUssY'
0x7fa: jmp_ne 0xa8c, r2
0x800: mov r0, 0x9b
0x806: mov r1, 0xbe0
0x80c: mov r2, 0xaf1
0x812: call b'SUssY'
0x817: jmp_ne 0xa8c, r2
0x81d: mov r0, 0xa3
0x823: mov r1, 0x3ba9
0x829: mov r2, 0x4ad8
0x82f: call b'SUssY'
0x834: jmp_ne 0xa8c, r2
0x83a: mov r0, 0xa7
0x840: mov r1, 0xceb
0x846: mov r2, 0x7dfc
0x84c: call b'SUssY'
0x851: jmp_ne 0xa8c, r2
0x857: mov r0, 0xab
0x85d: mov r1, 0x9264
0x863: mov r2, 0x9375
0x869: call b'SUssY'
0x86e: jmp_ne 0xa8c, r2
0x874: mov r0, 0xb3
0x87a: mov r1, 0x52af
0x880: mov r2, 0x23be
0x886: call b'SUssY'
0x88b: jmp_ne 0xa8c, r2
0x891: mov r0, 0xb7
0x897: mov r1, 0x619f
0x89d: mov r2, 0x708e
0x8a3: call b'SUssY'
0x8a8: jmp_ne 0xa8c, r2
0x8ae: mov r0, 0xbb
0x8b4: mov r1, 0xd30d
0x8ba: mov r2, 0xd21a
0x8c0: call b'SUssY'
0x8c5: jmp_ne 0xa8c, r2
0x8cb: mov r0, 0xc3
0x8d1: mov r1, 0x1e15
0x8d7: mov r2, 0xf04
0x8dd: call b'SUssY'
0x8e2: jmp_ne 0xa8c, r2
0x8e8: mov r0, 0xc7
0x8ee: mov r1, 0x9a87
0x8f4: mov r2, 0x8b96
0x8fa: call b'SUssY'
0x8ff: jmp_ne 0xa8c, r2
0x905: mov r0, 0xcb
0x90b: mov r1, 0x731f
0x911: mov r2, 0x720e
0x917: call b'SUssY'
0x91c: jmp_ne 0xa8c, r2
0x922: mov r0, 0xd3
0x928: mov r1, 0x137b
0x92e: mov r2, 0x26a
0x934: call b'SUssY'
0x939: jmp_ne 0xa8c, r2
0x93f: mov r0, 0xd7
0x945: mov r1, 0xf0b4
0x94b: mov r2, 0xe196
0x951: call b'SUssY'
0x956: jmp_ne 0xa8c, r2
0x95c: mov r0, 0xdb
0x962: mov r1, 0x5240
0x968: mov r2, 0x5351
0x96e: call b'SUssY'
0x973: jmp_ne 0xa8c, r2
0x979: mov r0, 0xe3
0x97f: mov r1, 0xf41a
0x985: mov r2, 0xe50a
0x98b: call b'SUssY'
0x990: jmp_ne 0xa8c, r2
0x996: mov r0, 0xe7
0x99c: mov r1, 0x1637
0x9a2: mov r2, 0x726
0x9a8: call b'SUssY'
0x9ad: jmp_ne 0xa8c, r2
0x9b3: mov r0, 0xeb
0x9b9: mov r1, 0xe91c
0x9bf: mov r2, 0xe81d
0x9c5: call b'SUssY'
0x9ca: jmp_ne 0xa8c, r2
0x9d0: mov r0, 0xf3
0x9d6: mov r1, 0xf3c3
0x9dc: mov r2, 0xf3c3
0x9e2: call b'SUssY'
0x9e7: jmp_ne 0xa8c, r2
0x9ed: mov r0, 0xf7
0x9f3: mov r1, 0xaabe
0x9f9: mov r2, 0xaabe
0x9ff: call b'SUssY'
0xa04: jmp_ne 0xa8c, r2
0xa0a: mov r0, 0xfb
0xa10: mov r1, 0xb3cc
0xa16: mov r2, 0xb3cc
0xa1c: call b'SUssY'
0xa21: jmp_ne 0xa8c, r2
0xa27: mov r0, 0x103
0xa2d: mov r1, 0x2601
0xa33: mov r2, 0x2601
0xa39: call b'SUssY'
0xa3e: jmp_ne 0xa8c, r2
0xa44: mov r0, 0x107
0xa4a: mov r1, 0xc244
0xa50: mov r2, 0xc244
0xa56: call b'SUssY'
0xa5b: jmp_ne 0xa8c, r2
0xa61: mov r0, 0x10b
0xa67: mov r1, 0x3d7b
0xa6d: mov r2, 0x3d7b
0xa73: call b'SUssY'''
# Read the colour stored at canvas cell (x, y); dump_mem formats its result
# with `:02x`, so it returns an int.
# NOTE(review): the body is missing from this listing, as is the 16x16
# buffer it presumably reads from.
def at(x, y):
# Store colour `c` at canvas cell (x, y); called from the replay loop below.
# NOTE(review): the body is missing from this listing. The name shadows the
# builtin `set`, which is harmless here but worth knowing before reuse.
def set(x, y, c):
def dump_mem():
    """Print the 16x16 canvas as two-digit hex cell values, one row per line.

    Each cell is followed by ", " (including the last one in a row), exactly
    as the original per-cell print with end=', ' produced.
    """
    for row in range(16):
        cells = [f'{at(col, row):02x}' for col in range(16)]
        print(''.join(cell + ', ' for cell in cells))
# Render the canvas as text, one row per line.
# NOTE(review): the statement inside the inner loop (what is printed for each
# cell) is missing from this listing; only the per-row newline survives.
def draw_mem():
for y in range(16):
for x in range(16):
print()
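# Replay the check sequence in `prog`: each `mov rN, imm` updates the modelled
# register and each `call` decodes the packed word back into four pixels.
# The `[1]` index on `line.split(', ')` was lost in extraction (and three
# statements were fused onto one line); it is restored here.
for line in prog.split('\n'):
    if 'mov r0' in line:
        r0 = int(line.split(', ')[1], 16)
    elif 'mov r1' in line:
        r1 = int(line.split(', ')[1], 16)
    elif 'mov r2' in line:
        r2 = int(line.split(', ')[1], 16)
    elif 'call' in line:
        # r0 addresses a 4-pixel word: low nibble = column, high nibble = row.
        # The -3 / -1 re-base the checked range (0x23..0x10b) onto the 16x16
        # canvas so the first check lands at (0, 1) - presumably chosen so the
        # picture fits; confirm against the render if the image looks shifted.
        x = (r0 & 0xf) - 3
        y = (r0 >> 4) - 1
        # The check is SUssY(word) ^ r1 == r2, so the packed word is r1 ^ r2.
        v = r1 ^ r2
        print(x, y, hex(v))
        # Nibble layout produced by SUssY (see sussy above): bits 0-3 = p0,
        # bits 8-11 = p1, bits 4-7 = p2, bits 12-15 = p3; colours are 3 bits.
        set(x + 0, y, (v >> 0x0) & 0x7)
        set(x + 1, y, (v >> 0x8) & 0x7)
        set(x + 2, y, (v >> 0x4) & 0x7)
        set(x + 3, y, (v >> 0xc) & 0x7)
draw_mem()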
以下の画像が得られる
https://scrapbox.io/files/6599fdba259d260024423e83.png
Success! You have the right image! Wrap the name of this thing in irisctf{}というようなメッセージがあるので、これが何に見えるかをフラグとして答えればよい