RE

genshinwishsimulator

原神抽卡模拟(Unity 游戏,游戏逻辑都在托管程序集 Assembly-CSharp.dll 里)。用 dnSpy 一类的 .NET 反编译器打开 Assembly-CSharp.dll,看到

image-20240216120848553

其中input为已知数组。那么我们就需要找bucket是什么了,发现这个方法下面是check,搜索check方法:

image-20240216121045048

可以发现 Check() 返回 true 时才出 5 星,否则出其它,所以目标就是让 Check() 返回 true。

private static bool Check()
{
    // Each row of coeffs is one of the `&&`-joined clauses of the original
    // expression, in order (column c is the factor of bucket[c]); a clause
    // holds when the row's dot product with the bucket equals the matching
    // entry of targets. Clauses are still evaluated left to right and the
    // method returns at the first one that fails, like the original `&&` chain.
    int[] bucket = GachaManager.instance.gachaHistoryBucket.GetBucket();
    int[][] coeffs =
    {
        new int[] { 40, 65, -53, 70, -84, -38, 94, -39, -91, -35, 54, 17, 45, 92, -29, 61 },
        new int[] { -15, 74, -89, -82, -92, 27, 21, -24, -82, -58, -36, 64, -49, -22, 59, -47 },
        new int[] { 67, -23, 63, -38, -32, 61, -71, 49, 83, -92, -16, 65, -22, 12, -85, 74 },
        new int[] { -49, 48, -11, 20, -14, 92, -19, 32, 64, -77, 49, -19, 72, -64, 85, 54 },
        new int[] { 36, -21, -59, -54, -96, -81, -33, 31, -41, -70, -27, 24, 95, -61, -17, -52 },
        new int[] { 78, -62, 70, -69, 38, 90, -52, 41, 63, -65, -15, 59, -31, 54, 33, -57 },
        new int[] { 56, 75, 71, 78, -39, -84, 55, 54, -12, -57, 32, -19, 13, -83, 11, -67 },
        new int[] { 10, -97, 56, -61, 45, -22, 33, 81, 32, 49, -19, -18, 80, -98, 79, -36 },
        new int[] { 24, -61, 91, 93, 76, 54, -33, -29, -72, 20, 48, 79, 76, 68, 51, 25 },
        new int[] { -83, -77, -64, -38, -13, -85, 33, -76, 27, 14, -79, -63, -78, 53, -73, 61 },
        new int[] { 84, -67, 57, 26, 94, 20, -71, -88, -28, -13, -40, 76, -14, 33, 76, -75 },
        new int[] { -60, 88, -66, -72, 41, 49, 48, -77, -42, 25, -50, -84, 40, 50, -83, -27 },
        new int[] { -16, -53, -21, -44, 26, -56, -90, -93, -73, 48, 15, -43, -61, -24, 71, 67 },
        new int[] { 55, -34, -22, 60, 93, -95, 50, 36, -48, -26, -94, -35, 21, -27, 91, -76 },
        new int[] { 64, -50, -23, -70, -78, 34, 26, 64, -72, 10, -96, 61, -15, 31, 36, 50 },
        new int[] { -27, 86, -61, 89, -53, 10, -42, 92, -48, 13, 84, -71, 93, 54, -69, -30 },
    };
    int[] targets = { 3004, -674, 945, 1721, -2198, -1833, 829, -2551, 2996, -2315, -150, -1919, -1199, -1163, -266, 892 };

    for (int row = 0; row < coeffs.Length; row++)
    {
        int acc = 0;
        for (int col = 0; col < coeffs[row].Length; col++)
        {
            acc += bucket[col] * coeffs[row][col];
        }
        if (acc != targets[row])
        {
            return false;
        }
    }
    return true;
}

Check() 其实就是 16 个未知数、16 个方程的整数线性方程组,直接丢给 z3(求出来之后最好先代回 Check() 的表达式验一下,再去改 dll):

from z3 import *

bucket = [Int('bucket[%d]' % i) for i in range(16)]

s = Solver()

s.add(And(bucket[0] * 40 + bucket[1] * 65 + bucket[2] * -53 + bucket[3] * 70 + bucket[4] * -84 + bucket[5] * -38 + bucket[6] * 94 + bucket[7] * -39 + bucket[8] * -91 + bucket[9] * -35 + bucket[10] * 54 + bucket[11] * 17 + bucket[12] * 45 + bucket[13] * 92 + bucket[14] * -29 + bucket[15] * 61 == 3004 , bucket[0] * -15 + bucket[1] * 74 + bucket[2] * -89 + bucket[3] * -82 + bucket[4] * -92 + bucket[5] * 27 + bucket[6] * 21 + bucket[7] * -24 + bucket[8] * -82 + bucket[9] * -58 + bucket[10] * -36 + bucket[11] * 64 + bucket[12] * -49 + bucket[13] * -22 + bucket[14] * 59 + bucket[15] * -47 == -674 , bucket[0] * 67 + bucket[1] * -23 + bucket[2] * 63 + bucket[3] * -38 + bucket[4] * -32 + bucket[5] * 61 + bucket[6] * -71 + bucket[7] * 49 + bucket[8] * 83 + bucket[9] * -92 + bucket[10] * -16 + bucket[11] * 65 + bucket[12] * -22 + bucket[13] * 12 + bucket[14] * -85 + bucket[15] * 74 == 945 , bucket[0] * -49 + bucket[1] * 48 + bucket[2] * -11 + bucket[3] * 20 + bucket[4] * -14 + bucket[5] * 92 + bucket[6] * -19 + bucket[7] * 32 + bucket[8] * 64 + bucket[9] * -77 + bucket[10] * 49 + bucket[11] * -19 + bucket[12] * 72 + bucket[13] * -64 + bucket[14] * 85 + bucket[15] * 54 == 1721 , bucket[0] * 36 + bucket[1] * -21 + bucket[2] * -59 + bucket[3] * -54 + bucket[4] * -96 + bucket[5] * -81 + bucket[6] * -33 + bucket[7] * 31 + bucket[8] * -41 + bucket[9] * -70 + bucket[10] * -27 + bucket[11] * 24 + bucket[12] * 95 + bucket[13] * -61 + bucket[14] * -17 + bucket[15] * -52 == -2198 , bucket[0] * 78 + bucket[1] * -62 + bucket[2] * 70 + bucket[3] * -69 + bucket[4] * 38 + bucket[5] * 90 + bucket[6] * -52 + bucket[7] * 41 + bucket[8] * 63 + bucket[9] * -65 + bucket[10] * -15 + bucket[11] * 59 + bucket[12] * -31 + bucket[13] * 54 + bucket[14] * 33 + bucket[15] * -57 == -1833 , bucket[0] * 56 + bucket[1] * 75 + bucket[2] * 71 + bucket[3] * 78 + bucket[4] * -39 + bucket[5] * -84 + bucket[6] * 55 + bucket[7] * 54 + bucket[8] * -12 + bucket[9] * -57 + bucket[10] * 32 + bucket[11] * -19 + 
bucket[12] * 13 + bucket[13] * -83 + bucket[14] * 11 + bucket[15] * -67 == 829 , bucket[0] * 10 + bucket[1] * -97 + bucket[2] * 56 + bucket[3] * -61 + bucket[4] * 45 + bucket[5] * -22 + bucket[6] * 33 + bucket[7] * 81 + bucket[8] * 32 + bucket[9] * 49 + bucket[10] * -19 + bucket[11] * -18 + bucket[12] * 80 + bucket[13] * -98 + bucket[14] * 79 + bucket[15] * -36 == -2551 , bucket[0] * 24 + bucket[1] * -61 + bucket[2] * 91 + bucket[3] * 93 + bucket[4] * 76 + bucket[5] * 54 + bucket[6] * -33 + bucket[7] * -29 + bucket[8] * -72 + bucket[9] * 20 + bucket[10] * 48 + bucket[11] * 79 + bucket[12] * 76 + bucket[13] * 68 + bucket[14] * 51 + bucket[15] * 25 == 2996 , bucket[0] * -83 + bucket[1] * -77 + bucket[2] * -64 + bucket[3] * -38 + bucket[4] * -13 + bucket[5] * -85 + bucket[6] * 33 + bucket[7] * -76 + bucket[8] * 27 + bucket[9] * 14 + bucket[10] * -79 + bucket[11] * -63 + bucket[12] * -78 + bucket[13] * 53 + bucket[14] * -73 + bucket[15] * 61 == -2315 , bucket[0] * 84 + bucket[1] * -67 + bucket[2] * 57 + bucket[3] * 26 + bucket[4] * 94 + bucket[5] * 20 + bucket[6] * -71 + bucket[7] * -88 + bucket[8] * -28 + bucket[9] * -13 + bucket[10] * -40 + bucket[11] * 76 + bucket[12] * -14 + bucket[13] * 33 + bucket[14] * 76 + bucket[15] * -75 == -150 , bucket[0] * -60 + bucket[1] * 88 + bucket[2] * -66 + bucket[3] * -72 + bucket[4] * 41 + bucket[5] * 49 + bucket[6] * 48 + bucket[7] * -77 + bucket[8] * -42 + bucket[9] * 25 + bucket[10] * -50 + bucket[11] * -84 + bucket[12] * 40 + bucket[13] * 50 + bucket[14] * -83 + bucket[15] * -27 == -1919 , bucket[0] * -16 + bucket[1] * -53 + bucket[2] * -21 + bucket[3] * -44 + bucket[4] * 26 + bucket[5] * -56 + bucket[6] * -90 + bucket[7] * -93 + bucket[8] * -73 + bucket[9] * 48 + bucket[10] * 15 + bucket[11] * -43 + bucket[12] * -61 + bucket[13] * -24 + bucket[14] * 71 + bucket[15] * 67 == -1199 , bucket[0] * 55 + bucket[1] * -34 + bucket[2] * -22 + bucket[3] * 60 + bucket[4] * 93 + bucket[5] * -95 + bucket[6] * 50 + bucket[7] * 36 + bucket[8] 
* -48 + bucket[9] * -26 + bucket[10] * -94 + bucket[11] * -35 + bucket[12] * 21 + bucket[13] * -27 + bucket[14] * 91 + bucket[15] * -76 == -1163 , bucket[0] * 64 + bucket[1] * -50 + bucket[2] * -23 + bucket[3] * -70 + bucket[4] * -78 + bucket[5] * 34 + bucket[6] * 26 + bucket[7] * 64 + bucket[8] * -72 + bucket[9] * 10 + bucket[10] * -96 + bucket[11] * 61 + bucket[12] * -15 + bucket[13] * 31 + bucket[14] * 36 + bucket[15] * 50 == -266 , bucket[0] * -27 + bucket[1] * 86 + bucket[2] * -61 + bucket[3] * 89 + bucket[4] * -53 + bucket[5] * 10 + bucket[6] * -42 + bucket[7] * 92 + bucket[8] * -48 + bucket[9] * 13 + bucket[10] * 84 + bucket[11] * -71 + bucket[12] * 93 + bucket[13] * 54 + bucket[14] * -69 + bucket[15] * -30 == 892))

if s.check() == sat:
m = s.model()
for i in range(16):
print('this.bucket[%d] = %s;' % (i, m[bucket[i]]))
# print('%s,'% m[bucket[i]],end='')
#this.bucket[0] = 1;
#this.bucket[1] = 14;
#this.bucket[2] = 1;
#this.bucket[3] = 17;
#this.bucket[4] = 2;
#this.bucket[5] = 1;
#this.bucket[6] = 1;
#this.bucket[7] = 0;
#this.bucket[8] = 2;
#this.bucket[9] = 4;
#this.bucket[10] = 1;
#this.bucket[11] = 17;
#this.bucket[12] = 2;
#this.bucket[13] = 0;
#this.bucket[14] = 2;
#this.bucket[15] = 16;

那么在 `int[] bucket = GachaManager.instance.gachaHistoryBucket.GetBucket();` 之后把 bucket 的 16 个元素逐项赋成上面求出的值(dnSpy 里右键->编辑方法->粘贴上面的内容->编译->工具栏保存所有;保存会直接覆盖原 dll,先留一份备份),然后打开主程序->出金

image-20240216121732007

EzADVM

这是一道安卓 VM 题。用 jadx 打开 apk,找到 main_activity 里的点击回调:

public void CheckClick(View a) {
TextView tv = this.binding.sampleText;
EditText flagText = this.binding.flagtext;
String flagstring = flagText.getText().toString();
if ("Right!".equals(stringFromJNI(flagstring))) {
tv.setText("Right!");
tv.setTextColor(-16711936);
return;
}

看到有 stringFromJNI(flagstring),在 Java 代码里找不到实现——它是 native 方法,Java 侧只有声明,真正的逻辑在 apk 的 lib/ 目录下的 .so 里。

用 apktool 解包(或者直接解压 apk)拿到 .so,用 IDA 一类的反编译器打开,找到以 Java_ 开头、以 _stringFromJNI 结尾的导出函数,下面是它的伪代码。

重点是这些:

now_num = 0;
i = 1;
used_char = _JNIEnv::GetStringUTFChars(in, a3, 0LL);
while ( 1 )
{
while ( 1 )
{
if ( !i++ )
{
LABEL_29:
std::string::basic_string<decltype(nullptr)>(v14, "Error!");
v7 = (const char *)sub_20F50(v14);
v13 = _JNIEnv::NewStringUTF(in, v7);
std::string::~string(v14);
return v13;
}
if ( code[i] != 0x21 )
break;
__strcpy_chk(input, used_char, 1024LL);
}
if ( code[i] == 0xFF )
goto LABEL_29;
if ( code[i] == 0x88 )
break;
switch ( code[i] )
{
case 0xA1u:
s[now_num - 1] = or_not_num & or_num;
break;
case 0xC3u:
or_num = b1 | b2;
break;
case 0xB2u:
not_1 = ~b1;
break;
case 0xE5u:
not_2 = ~b2;
break;
case 0xF1u:
b1 = input[now_num];
b2 = input[++now_num];
break;
case 0xD4u:
or_not_num = not_2 | not_1;
break;
case 0xBFu:
i_form = now_num++;
save[0] = s[i_form];
break;
case 0x99u:
now_num = 0;
break;
case 0xBBu:
s[now_num - 1] = now_num + save[0] - 1;
break;
}
}
if ( !memcmp(&last, s, 0x20uLL) )

0x21 这条指令把用户输入 strcpy 进 input,之后的指令码对 input 做变换写进 s,最后 memcmp(&last, s, 0x20) 比较前 0x20 字节,所以要逆推出让 s 等于 last 的那 32 字节输入。

另外,开头的内层循环只在 code[i]==0x21 时执行初始化(strcpy),0xFF 走错误分支,0x88 直接跳出循环;switch 没有 default,其它字节(包括混进指令流里的 'SWDaDd' 和 'flag{Yuisabeautifulgirl}' 这些 ASCII 干扰字节)什么都不做,所以只需要把有意义的指令翻译出来即可:

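opcode = [0x01, 0x01, 0x21, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0x53, 0x57, 0x44, 0x61, 0x44, 0x64, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0x53, 0x57, 0x44, 0x61, 0x44, 0x64, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0x53, 0x57, 0x44,
          0x61, 0x44, 0x64, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0x53, 0x57, 0x44,
          0x61, 0x44, 0x64, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0x66, 0x6C, 0x61,
          0x67, 0x7B, 0x59, 0x75, 0x69, 0x73, 0x61, 0x62,
          0x65, 0x61, 0x75, 0x74, 0x69, 0x66, 0x75, 0x6C,
          0x67, 0x69, 0x72, 0x6C, 0x7D, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0x66, 0x6C, 0x61, 0x67, 0x7B, 0x59, 0x75,
          0x69, 0x73, 0x61, 0x62, 0x65, 0x61, 0x75, 0x74,
          0x69, 0x66, 0x75, 0x6C, 0x67, 0x69, 0x72, 0x6C,
          0x7D, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0x66, 0x6C, 0x61,
          0x67, 0x7B, 0x59, 0x75, 0x69, 0x73, 0x61, 0x62,
          0x65, 0x61, 0x75, 0x74, 0x69, 0x66, 0x75, 0x6C,
          0x67, 0x69, 0x72, 0x6C, 0x7D, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0x53, 0x57, 0x44, 0x61, 0x44, 0x64, 0x66,
          0x6C, 0x61, 0x67, 0x7B, 0x59, 0x75, 0x69, 0x73,
          0x61, 0x62, 0x65, 0x61, 0x75, 0x74, 0x69, 0x66,
          0x75, 0x6C, 0x67, 0x69, 0x72, 0x6C, 0x7D, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0x53,
          0x57, 0x44, 0x61, 0x44, 0x64, 0x66, 0x6C, 0x61,
          0x67, 0x7B, 0x59, 0x75, 0x69, 0x73, 0x61, 0x62,
          0x65, 0x61, 0x75, 0x74, 0x69, 0x66, 0x75, 0x6C,
          0x67, 0x69, 0x72, 0x6C, 0x7D, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0x66, 0x6C, 0x61, 0x67, 0x7B,
          0x59, 0x75, 0x69, 0x73, 0x61, 0x62, 0x65, 0x61,
          0x75, 0x74, 0x69, 0x66, 0x75, 0x6C, 0x67, 0x69,
          0x72, 0x6C, 0x7D, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2,
          0xE5, 0xD4, 0xA1, 0xF1, 0xC3, 0xB2, 0xE5, 0xD4,
          0xA1, 0x53, 0x57, 0x44, 0x61, 0x44, 0x64, 0xF1,
          0xC3, 0xB2, 0xE5, 0xD4, 0xA1, 0x99, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0x66, 0x6C,
          0x61, 0x67, 0x7B, 0x59, 0x75, 0x69, 0x73, 0x61,
          0x62, 0x65, 0x61, 0x75, 0x74, 0x69, 0x66, 0x75,
          0x6C, 0x67, 0x69, 0x72, 0x6C, 0x7D, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB,
          0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB, 0xBF, 0xBB,
          0xBF, 0xBB, 0x53, 0x57, 0x44, 0x44, 0xBF, 0xBB,
          0xBF, 0xBB, 0x99, 0x53, 0x57, 0x44, 0x44, 0x53,
          0x57, 0x44, 0x44, 0x88, 0xFF, 0x53, 0x57, 0x44,
          0x44, 0x00, 0x00]

# What the VM's switch does for each opcode, written as the pseudo-Python the
# trace below uses (`s` in the decompiled code is called `last` here).  Bytes
# absent from this table fall through the switch unchanged, exactly like the
# VM, which has no default case.
OPS = {
    0xA1: ("last[now_num - 1] = or_not_num & or_num",),
    0xC3: ("or_num = b1 | b2",),
    0xB2: ("not_1 = ~b1",),
    0xE5: ("not_2 = ~b2",),
    0xF1: ("b1 = input[now_num]", "now_num += 1", "b2 = input[now_num]"),
    0xD4: ("or_not_num = not_2 | not_1",),
    0xBF: ("save = last[now_num]", "now_num+=1"),
    0x99: ("now_num = 0",),
    0xBB: ("last[now_num-1] = now_num + save - 1",),
}
HALT = 0x88  # the dispatcher `break`s on this byte; nothing after it runs


def disassemble(code: list[int]) -> list[str]:
    """Lift *code* to one pseudo-Python statement per returned element.

    Bytes with no handler -- the 0x21 init marker and the 'SWDaDd' /
    'flag{Yuisabeautifulgirl}' ASCII filler -- contribute nothing; lifting
    stops at the first HALT, as the VM does (the 0xFF error exit only appears
    after it in this program).

    Args:
        code: the VM's bytecode as a list of ints.
    Returns:
        The lifted statements in execution order.
    """
    lifted: list[str] = []
    for byte in code:
        if byte == HALT:
            break
        lifted.extend(OPS.get(byte, ()))
    return lifted


for line in disassemble(opcode):
    print(line)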

把打印出来的指令流整理一下,大致是(这里的 input 是 VM 的输入缓冲区,不是 Python 的内置函数):

# The lifted program, folded back into loops.  `input` is the VM's input
# buffer (the strcpy target), not Python's builtin.  The VM runs the
# F1/C3/B2/E5/D4/A1 sequence 32 times, resets now_num (0x99), runs BF/BB
# 32 times, and resets now_num once more.
last = [0]*100
now_num = 0

# Stage 1: combine each input byte with its right neighbour.  The last
# round reads input[32], one past the 32 bytes being compared.
for _ in range(32):
    b1 = input[now_num]
    now_num += 1
    b2 = input[now_num]
    or_num = b1 | b2
    not_1 = ~b1
    not_2 = ~b2
    or_not_num = not_2 | not_1
    last[now_num - 1] = or_not_num & or_num

now_num = 0

# Stage 2: rewrite every entry from its own value and its position.
for _ in range(32):
    save = last[now_num]
    now_num += 1
    last[now_num - 1] = now_num + save - 1

now_num = 0

化简:第一段里 (b1|b2)&(~b1|~b2) 就是 b1^b2,所以 last[i] = input[i]^input[i+1](i=31 时的 input[32] 是 strcpy 一起拷进来的 '\0',所以 last[31] 就是 input[31]);第二段 now_num+save-1 里 now_num=i+1,也就是 last[i] += i。逆向时先减去 i,再从末尾往前异或还原:

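# Folding the lifted trace gives two passes over the 32-byte flag (plus the
# NUL that strcpy copies after it):
#   pass 1: last[i] = input[i] ^ input[i + 1]   since (a|b) & (~a|~b) == a ^ b
#   pass 2: last[i] = last[i] + i               (now_num + save - 1, now_num == i + 1)
# Both passes are invertible, so the flag falls out by undoing them in
# reverse order.  Only the standard library is needed -- no helper module.

last = [0x1D, 0x01, 0x12, 0x1A, 0x16, 0x42, 0x39, 0x0F,
        0x38, 0x09, 0x13, 0x31, 0x28, 0x38, 0x67, 0x6E,
        0x1B, 0x61, 0x7C, 0x24, 0x1F, 0x47, 0x44, 0x81,
        0x6A, 0x2C, 0x6D, 0x2B, 0x2C, 0x2D, 0x6A, 0x9C]


def encode(flag: bytes) -> list[int]:
    """Forward transform exactly as the VM computes it (for round-trip checks).

    Args:
        flag: the user input; a NUL is appended, as strcpy copies one.
    Returns:
        One int per input byte, in the form memcmp compares against `last`.
    """
    data = list(flag) + [0]
    xored = [data[i] ^ data[i + 1] for i in range(len(flag))]
    return [value + i for i, value in enumerate(xored)]


def recover_flag(table: list[int]) -> str:
    """Invert encode(): strip the index offsets, then unwind the XOR chain.

    The last entry was XORed with the NUL terminator, so it is the last flag
    byte as-is; every earlier byte is then recovered from its right neighbour.

    Args:
        table: the bytes memcmp compares against; copied, never modified.
    Raises:
        ValueError: if the table does not decode to ASCII (wrong table).
    """
    buf = list(table)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] -= i
    for i in range(len(buf) - 2, -1, -1):
        buf[i] ^= buf[i + 1]
    return bytes(buf).decode('ascii')


if __name__ == '__main__':
    print(recover_flag(last))
#NSSCTF{H@ppy_Ch1ne5_NEwY3ar!1!1}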

crypto

过年来下棋

XXVAF AVXAX DXFVX DXDVA XAGV

密文只出现 A D F G V X 六种字母,很明显是 ADFGVX 棋盘密码。

密文分 5 组,说明列置换的 key 是 5 位。

写脚本穷举 5 位 key 的全部 120 种列顺序(key 只决定列的相对顺序,所以用 abcde 的排列表示):

4h9343nse2r4: abcde
4gl393mgewr8: abced
4h9343ise2rf: abdce
44lz934mbwr2: abdec
4bl393cgd2r3: abecd
4fl3l3fmdkr2: abedc
5b98405sy2r4: acbde
5al8904gywr8: acbed
5g99y0ls2erf: acdbe
94fh8344nsq2: acdeb
5al930fg1er3: acebd
9fflk3f4pgq2: acedb
5b984z6sy2m9: adbce
9alk934mgwq8: adbec
5g99yzrs2em9: adcbe
94fh8344isq2: adceb
9all33fmjeq3: adebc
9fflk3f4jmq2: adecb
4bl89y6gs2q9: aebcd
4fl8ly9mskq8: aebdc
4gl93yrgweq9: aecbd
49f5ky94ugq2: aecdb
44l53y9mteq3: aedbc
49f5ky94tmq2: aedcb
fh8948nse264: bacde
fgk998mgew68: baced
fh8948ise26f: badce
f4k5984mbw62: badec
fbk998cgd263: baecd
ffk9l8fmdk62: baedc
b58946zsy29m: bcade
b4k996ygyw9q: bcaed
bl8946ks2e9c: bcdae
r44h9343nse2: bcdea
bfk996eg1e90: bcead
rf4ll3f3pge2: bceda
b589450sy24r: bdace
f4kl99ymgw8q: bdaec
bl8945qs2e46: bdcae
r44h9343ise2: bdcea
ffkl99emje80: bdeac
rf4ll3f3jme2: bdeca
a5k9940gs28r: beacd
a9k9l43msk8q: beadc
alk994qgwe86: becad
m945ly93uge2: becda
a9k5948mte80: bedac
m945ly93tme2: bedca
lb984q5wa264: cabde
lal89q4kaw68: cabed
lg99yqlwee6f: cadbe
94b58846bs02: cadeb
lal93qfkde63: caebd
9fb9k8f6dg02: caedb
g5934rzwa29m: cbade
g4l39rykaw9q: cbaed
gl934rkwee9c: cbdae
645b98405sy2: cbdea
gfl39rekde90: cbead
6f5fl8f07gy2: cbeda
h499yn3wye4r: cdabe
94bl89y6gs2q: cdaeb
hf984n8wye46: cdbae
9m5g99y0ls2e: cdbea
9fbl89e6ja20: cdeab
9c5lf9e0j42y: cdeba
g4l93m3kse8r: ceabd
49b9k436sg2q: ceadb
gfl89m8kse86: cebad
4r54l430xg2e: cebda
49b58486ta20: cedab
4655f480t42y: cedba
lb984k6wa2c9: dabce
9ah8984naw08: dabec
lg99ykrweec9: dacbe
94b58845cs02: daceb
9ah938fnde03: daebc
9fb9k8f5dm02: daecb
g5934l0wa2fr: dbace
44h399ynaw3q: dbaec
gl934lqweef6: dbcae
645b984z6sy2: dbcea
4fh399ende30: dbeac
6f5fl8fz7my2: dbeca
h499yi3wyefr: dcabe
94bl89y5ms2q: dcaeb
hf984i8wyef6: dcbae
9m5g99yzrs2e: dcbea
9fbl89e5pa20: dceab
9c5lf9ezp42y: dceba
44h9343nse2r: deabc
49b9k435sm2q: deacb
4fh8948nse26: debac
4r54l43zxm2e: debca
49b58485ua20: decab
4655f48zu42y: decba
fbl89e6ja209: eabcd
ffl8le9pak08: eabdc
fgl93erjee09: eacbd
f9f5ke97cg02: eacdb
f4l53e9pbe03: eadbc
f9f5ke97bm02: eadcb
a5l39f0ja23r: ebacd
a9l3lf3pak3q: ebadc
all39fqjee36: ebcad
c99ble916gy2: ebcda
a9lz9f8pbe30: ebdac
c99ble915my2: ebdca
b4l93c3jye3r: ecabd
f9flkf37mg2q: ecadb
bfl89c8jye36: ecbad
fr9glf31rg2e: ecbda
f9fh8f87na20: ecdab
f69hff81n42y: ecdba
f4ll3f3pge2r: edabc
f9flkf37gm2q: edacb
fflk9f8pge26: edbac
fr9glf31lm2e: edbca
f9fh8f87ia20: edcab
f69hff81i42y: edcba

总不可能把 120 个候选一个一个提交吧……回头看题目描述:

新年快乐呀!来一起下象棋吧!我都摆好咯~ 祝愿大家在新的一年里 lucky!flag格式:NSSCTF{**字母小写**}

题面里的 lucky 正好 5 个字母,按字母序 c<k<l<u<y 得到列顺序 3,4,1,2,5,对应上表的 cdabe,即 h499yn3wye4r(读出来就是 h4ppy n3w ye4r),所以 NSSCTF{h499yn3wye4r}

misc

温馨的酒吧

看视频过完所有剧情即可拿flag

官方wp是遍历所有节点返回名字含flag的图片来得到的

注意有一段有5个乱码和中间正好一样,猜测:

NSSCTF{新年快乐_不要停下来啊_CTFer!}

userssssssssss

进入后按创建日期排序,最后是laminous,打开看到flag

NSSCTF{f9d04fc8-77a6-4700-b114-2a071ff76ceb}