LITCTF WP

forgotten message

ida打开就有

Burger Reviewer

源码都给了，纯解密

data=[0]*42
data[13]=ord("_")
data[17]=95
data[19]=ord("_")
data[26]=190-data[19]
data[29]=ord("_")
data[34]=95
data[39]=ord("_")
m = 41
meat=[ord(i) for i in ['n', 'w', 'y', 'h', 't', 'f', 'i', 'a', 'i']]
dif=[4, 2, 2, 2, 1, 2, 1, 3, 3]
for i in range(len(meat)):
      m-=dif[i]
      data[m]=meat[i]
print(data)
sauce=[ord(i) for i in ['b', 'p', 'u', 'b', 'r', 'n', 'r', 'c']]
a=7
b=20
veg1=[10, 12, 15, 22, 23, 25, 32, 36, 38, 40]
veg=[0]*len(veg1)
veg[0]=9
veg[1]=5
veg[2]=4
veg[3]=2
veg[4]=veg[3]
veg[5] =veg[4]+3
veg[7] = 4
veg[5]=5
veg[6]=3
veg[8]=7
veg[9]=2
for i in range(len(veg1)):
      data[veg1[i]]=ord(str(veg[i]))
data=data[7:]
data=data[:-1]
index=0
for i in range(len(data)):
      if data[i]==0:
            print(i)
data[0]=sauce[0]
data[13]=sauce[1]
data[1]=sauce[2]
data[11]=sauce[3]
data[2]=sauce[4]
data[9]=sauce[5]
data[4]=sauce[6]
data[7]=sauce[7]
print("".join(map(chr,data)))
#bur9r5_c4n_b_pi22a5_if_th3y_w4n7_2

revsite1

断在这，点check，就会得到一个正确的字符，手动一个一个拿了拼就行

LITCTF{t0d4y_15_l1t3rally_th3_d4y_b3f0re_the_c0nt3st}

revsite2

扫一遍内存不难找到存放分数的位置

直接修改会被检测

动调发现这一行都是用来检测的

分析wat代码构造正确的数据过检测就行

const view = new DataView(wasmMemory.buffer);
view.setInt32(0x10320,0xa763ffff,true)
view.setInt32(0x00010324,0xde0b6b3,true)
view.setInt32(0x10300,0xaebfcd14,true)
view.setInt32(0x10304,0xde0b6b3,true)
getpoints() 


//breakpoint at 0x5d9 in wasm

view.setInt32(0x10308,0xa7640001,true)
view.setInt32(0x1030c,0x536c55c3,true)

//breakpoint at 0x616 in wasm

view.setInt32(66312,0xa7640001,true)
view.setInt32(66316,0x536c55c3,true)
view.setInt32(66320,0x93bc0003,true)
view.setInt32(66324,0x10fc3d09,true)
//前面两组数据的脚本被盖了，不想写了
from ctypes import *
def suma(a):
    return a*(a+1)//2
def sumaa(a):
    return a*(a+1)*(2*a+1)//6
def sumaaa(a):
    return (suma(a))**2
d66312=c_int64(0x1+3)
d66320=c_int64(0x3+8)
a=10**18-1
d66312.value+=3*sumaa(a)+5*suma(a)+3*a
d66320.value+=8*sumaaa(a)+3*sumaa(a)+3*suma(a)+8*a
print(hex(d66312.value&0xffffffffffffffff),hex(d66320.value&0xffffffffffffffff))

hilbert

推理证明，第二个证不出来

大佬的证明