# PicoCTF - Some Assembly Required 3 ## Background [WebAssembly/wabt](https://github.com/WebAssembly/wabt) ```bash! $ ./build/wasm2c qCCYI0ajpD.wasm -o dump.c ``` ## Source code :::spoiler rTEuOmSfG3.js ```javascript= 'use strict'; const str_list = ["exports", "270328ewawLo", "instantiate", "1OsuamQ", "Incorrect!", "length", "copy_char", "value", "1512517ESezaM", "innerHTML", "check_flag", "result", "1383842SQRPPf", "924408cukzgO", "getElementById", "418508cLDohp", "input", "Correct!", "573XsMMHp", "arrayBuffer", "183RUQBDE", "38934oMACea"]; const tranfer_fn = function(url, whensCollection) { /** @type {number} */ url = url - 285; let _0x143f7d = str_list[url]; return _0x143f7d; }; (function(data, oldPassword) { const tranfer_fn = tranfer_fn; for (; !![];) { try { const userPsd = -parseInt("length") + -parseInt("573XsMMHp") + -parseInt("innerHTML") * -parseInt("getElementById") + -parseInt("38934oMACea") + parseInt("value") + -parseInt("Incorrect!") * -parseInt("instantiate") + parseInt("arrayBuffer"); if (userPsd === oldPassword) { break; } else { data["push"](data["shift"]()); } } catch (_0x289152) { data["push"](data["shift"]()); } } })(str_list, 970828); let exports; (async() => { const tranfer_fn = tranfer_fn; let rpm_traffic = await fetch("./qCCYI0ajpD"); let m = await WebAssembly["1512517ESezaM"](await rpm_traffic["1OsuamQ"]()); let updatedEdgesById = m["instance"]; exports = updatedEdgesById["copy_char"]; })(); /** * @return {undefined} */ function onButtonPress() { const tranfer_fn = tranfer_fn; let data = document["183RUQBDE"]("exports")["924408cukzgO"]; for (let i = 0; i < data["result"]; i++) { exports["1383842SQRPPf"](data["charCodeAt"](i), i); } exports["1383842SQRPPf"](0, data["result"]); if (exports["input"]() == 1) { document["183RUQBDE"]("Correct!")["418508cLDohp"] = "270328ewawLo"; } else { document["183RUQBDE"]("Correct!")["innerHTML"] = "check_flag"; } } ; ``` ::: :::spoiler dump.c ```cpp= /* Automatically generated by wasm2c */ #include <assert.h> #include <math.h> #include <stdarg.h> #include <stddef.h> #include <string.h> #if defined(__MINGW32__) #include <malloc.h> #elif defined(_MSC_VER) #include <intrin.h> #include <malloc.h> #define alloca _alloca #elif defined(__FreeBSD__) || defined(__OpenBSD__) #include <stdlib.h> #else #include <alloca.h> #endif #include "dump.h" #define TRAP(x) (wasm_rt_trap(WASM_RT_TRAP_##x), 0) #if WASM_RT_USE_STACK_DEPTH_COUNT #define FUNC_PROLOGUE \ if (++wasm_rt_call_stack_depth > WASM_RT_MAX_CALL_STACK_DEPTH) \ TRAP(EXHAUSTION); #define FUNC_EPILOGUE --wasm_rt_call_stack_depth #else #define FUNC_PROLOGUE #define FUNC_EPILOGUE #endif #define UNREACHABLE TRAP(UNREACHABLE) static inline bool func_types_eq(const wasm_rt_func_type_t a, const wasm_rt_func_type_t b) { return (a == b) || LIKELY(a && b && !memcmp(a, b, 32)); } #define CALL_INDIRECT(table, t, ft, x, ...) \ (LIKELY((x) < table.size && table.data[x].func && \ func_types_eq(ft, table.data[x].func_type)) || \ TRAP(CALL_INDIRECT), \ ((t)table.data[x].func)(__VA_ARGS__)) #ifdef SUPPORT_MEMORY64 #define RANGE_CHECK(mem, offset, len) \ do { \ uint64_t res; \ if (__builtin_add_overflow(offset, len, &res)) \ TRAP(OOB); \ if (UNLIKELY(res > mem->size)) \ TRAP(OOB); \ } while (0); #else #define RANGE_CHECK(mem, offset, len) \ if (UNLIKELY(offset + (uint64_t)len > mem->size)) \ TRAP(OOB); #endif #if WASM_RT_MEMCHECK_GUARD_PAGES #define MEMCHECK(mem, a, t) #else #define MEMCHECK(mem, a, t) RANGE_CHECK(mem, a, sizeof(t)) #endif #ifdef __GNUC__ #define wasm_asm __asm__ #else #define wasm_asm(X) #endif #if WABT_BIG_ENDIAN static inline void load_data(void* dest, const void* src, size_t n) { if (!n) { return; } size_t i = 0; u8* dest_chars = dest; memcpy(dest, src, n); for (i = 0; i < (n >> 1); i++) { u8 cursor = dest_chars[i]; dest_chars[i] = dest_chars[n - i - 1]; dest_chars[n - i - 1] = cursor; } } #define LOAD_DATA(m, o, i, s) \ do { \ RANGE_CHECK((&m), m.size - o - s, s); \ load_data(&(m.data[m.size - o - s]), i, s); \ } while (0) #define DEFINE_LOAD(name, t1, t2, t3) \ static inline t3 name(wasm_rt_memory_t* mem, u64 addr) { \ MEMCHECK(mem, addr, t1); \ t1 result; \ wasm_rt_memcpy(&result, &mem->data[mem->size - addr - sizeof(t1)], \ sizeof(t1)); \ wasm_asm("" ::"r"(result)); \ return (t3)(t2)result; \ } #define DEFINE_STORE(name, t1, t2) \ static inline void name(wasm_rt_memory_t* mem, u64 addr, t2 value) { \ MEMCHECK(mem, addr, t1); \ t1 wrapped = (t1)value; \ wasm_rt_memcpy(&mem->data[mem->size - addr - sizeof(t1)], &wrapped, \ sizeof(t1)); \ } #else static inline void load_data(void* dest, const void* src, size_t n) { if (!n) { return; } memcpy(dest, src, n); } #define LOAD_DATA(m, o, i, s) \ do { \ RANGE_CHECK((&m), o, s); \ load_data(&(m.data[o]), i, s); \ } while (0) #define DEFINE_LOAD(name, t1, t2, t3) \ static inline t3 name(wasm_rt_memory_t* mem, u64 addr) { \ MEMCHECK(mem, addr, t1); \ t1 result; \ wasm_rt_memcpy(&result, &mem->data[addr], sizeof(t1)); \ wasm_asm("" ::"r"(result)); \ return (t3)(t2)result; \ } #define DEFINE_STORE(name, t1, t2) \ static inline void name(wasm_rt_memory_t* mem, u64 addr, t2 value) { \ MEMCHECK(mem, addr, t1); \ t1 wrapped = (t1)value; \ wasm_rt_memcpy(&mem->data[addr], &wrapped, sizeof(t1)); \ } #endif DEFINE_LOAD(i32_load, u32, u32, u32) DEFINE_LOAD(i64_load, u64, u64, u64) DEFINE_LOAD(f32_load, f32, f32, f32) DEFINE_LOAD(f64_load, f64, f64, f64) DEFINE_LOAD(i32_load8_s, s8, s32, u32) DEFINE_LOAD(i64_load8_s, s8, s64, u64) DEFINE_LOAD(i32_load8_u, u8, u32, u32) DEFINE_LOAD(i64_load8_u, u8, u64, u64) DEFINE_LOAD(i32_load16_s, s16, s32, u32) DEFINE_LOAD(i64_load16_s, s16, s64, u64) DEFINE_LOAD(i32_load16_u, u16, u32, u32) DEFINE_LOAD(i64_load16_u, u16, u64, u64) DEFINE_LOAD(i64_load32_s, s32, s64, u64) DEFINE_LOAD(i64_load32_u, u32, u64, u64) DEFINE_STORE(i32_store, u32, u32) DEFINE_STORE(i64_store, u64, u64) DEFINE_STORE(f32_store, f32, f32) DEFINE_STORE(f64_store, f64, f64) DEFINE_STORE(i32_store8, u8, u32) DEFINE_STORE(i32_store16, u16, u32) DEFINE_STORE(i64_store8, u8, u64) DEFINE_STORE(i64_store16, u16, u64) DEFINE_STORE(i64_store32, u32, u64) #if defined(_MSC_VER) // Adapted from // https://github.com/nemequ/portable-snippets/blob/master/builtin/builtin.h static inline int I64_CLZ(unsigned long long v) { unsigned long r = 0; #if defined(_M_AMD64) || defined(_M_ARM) if (_BitScanReverse64(&r, v)) { return 63 - r; } #else if (_BitScanReverse(&r, (unsigned long)(v >> 32))) { return 31 - r; } else if (_BitScanReverse(&r, (unsigned long)v)) { return 63 - r; } #endif return 64; } static inline int I32_CLZ(unsigned long v) { unsigned long r = 0; if (_BitScanReverse(&r, v)) { return 31 - r; } return 32; } static inline int I64_CTZ(unsigned long long v) { if (!v) { return 64; } unsigned long r = 0; #if defined(_M_AMD64) || defined(_M_ARM) _BitScanForward64(&r, v); return (int)r; #else if (_BitScanForward(&r, (unsigned int)(v))) { return (int)(r); } _BitScanForward(&r, (unsigned int)(v >> 32)); return (int)(r + 32); #endif } static inline int I32_CTZ(unsigned long v) { if (!v) { return 32; } unsigned long r = 0; _BitScanForward(&r, v); return (int)r; } #define POPCOUNT_DEFINE_PORTABLE(f_n, T) \ static inline u32 f_n(T x) { \ x = x - ((x >> 1) & (T) ~(T)0 / 3); \ x = (x & (T) ~(T)0 / 15 * 3) + ((x >> 2) & (T) ~(T)0 / 15 * 3); \ x = (x + (x >> 4)) & (T) ~(T)0 / 255 * 15; \ return (T)(x * ((T) ~(T)0 / 255)) >> (sizeof(T) - 1) * 8; \ } POPCOUNT_DEFINE_PORTABLE(I32_POPCNT, u32) POPCOUNT_DEFINE_PORTABLE(I64_POPCNT, u64) #undef POPCOUNT_DEFINE_PORTABLE #else #define I32_CLZ(x) ((x) ? __builtin_clz(x) : 32) #define I64_CLZ(x) ((x) ? __builtin_clzll(x) : 64) #define I32_CTZ(x) ((x) ? __builtin_ctz(x) : 32) #define I64_CTZ(x) ((x) ? __builtin_ctzll(x) : 64) #define I32_POPCNT(x) (__builtin_popcount(x)) #define I64_POPCNT(x) (__builtin_popcountll(x)) #endif #define DIV_S(ut, min, x, y) \ ((UNLIKELY((y) == 0)) \ ? TRAP(DIV_BY_ZERO) \ : (UNLIKELY((x) == min && (y) == -1)) ? TRAP(INT_OVERFLOW) \ : (ut)((x) / (y))) #define REM_S(ut, min, x, y) \ ((UNLIKELY((y) == 0)) \ ? TRAP(DIV_BY_ZERO) \ : (UNLIKELY((x) == min && (y) == -1)) ? 0 : (ut)((x) % (y))) #define I32_DIV_S(x, y) DIV_S(u32, INT32_MIN, (s32)x, (s32)y) #define I64_DIV_S(x, y) DIV_S(u64, INT64_MIN, (s64)x, (s64)y) #define I32_REM_S(x, y) REM_S(u32, INT32_MIN, (s32)x, (s32)y) #define I64_REM_S(x, y) REM_S(u64, INT64_MIN, (s64)x, (s64)y) #define DIVREM_U(op, x, y) \ ((UNLIKELY((y) == 0)) ? TRAP(DIV_BY_ZERO) : ((x)op(y))) #define DIV_U(x, y) DIVREM_U(/, x, y) #define REM_U(x, y) DIVREM_U(%, x, y) #define ROTL(x, y, mask) \ (((x) << ((y) & (mask))) | ((x) >> (((mask) - (y) + 1) & (mask)))) #define ROTR(x, y, mask) \ (((x) >> ((y) & (mask))) | ((x) << (((mask) - (y) + 1) & (mask)))) #define I32_ROTL(x, y) ROTL(x, y, 31) #define I64_ROTL(x, y) ROTL(x, y, 63) #define I32_ROTR(x, y) ROTR(x, y, 31) #define I64_ROTR(x, y) ROTR(x, y, 63) #define FMIN(x, y) \ ((UNLIKELY((x) != (x))) \ ? NAN \ : (UNLIKELY((y) != (y))) \ ? NAN \ : (UNLIKELY((x) == 0 && (y) == 0)) ? (signbit(x) ? x : y) \ : (x < y) ? x : y) #define FMAX(x, y) \ ((UNLIKELY((x) != (x))) \ ? NAN \ : (UNLIKELY((y) != (y))) \ ? NAN \ : (UNLIKELY((x) == 0 && (y) == 0)) ? (signbit(x) ? y : x) \ : (x > y) ? x : y) #define TRUNC_S(ut, st, ft, min, minop, max, x) \ ((UNLIKELY((x) != (x))) \ ? TRAP(INVALID_CONVERSION) \ : (UNLIKELY(!((x)minop(min) && (x) < (max)))) ? TRAP(INT_OVERFLOW) \ : (ut)(st)(x)) #define I32_TRUNC_S_F32(x) \ TRUNC_S(u32, s32, f32, (f32)INT32_MIN, >=, 2147483648.f, x) #define I64_TRUNC_S_F32(x) \ TRUNC_S(u64, s64, f32, (f32)INT64_MIN, >=, (f32)INT64_MAX, x) #define I32_TRUNC_S_F64(x) \ TRUNC_S(u32, s32, f64, -2147483649., >, 2147483648., x) #define I64_TRUNC_S_F64(x) \ TRUNC_S(u64, s64, f64, (f64)INT64_MIN, >=, (f64)INT64_MAX, x) #define TRUNC_U(ut, ft, max, x) \ ((UNLIKELY((x) != (x))) \ ? TRAP(INVALID_CONVERSION) \ : (UNLIKELY(!((x) > (ft)-1 && (x) < (max)))) ? TRAP(INT_OVERFLOW) \ : (ut)(x)) #define I32_TRUNC_U_F32(x) TRUNC_U(u32, f32, 4294967296.f, x) #define I64_TRUNC_U_F32(x) TRUNC_U(u64, f32, (f32)UINT64_MAX, x) #define I32_TRUNC_U_F64(x) TRUNC_U(u32, f64, 4294967296., x) #define I64_TRUNC_U_F64(x) TRUNC_U(u64, f64, (f64)UINT64_MAX, x) #define TRUNC_SAT_S(ut, st, ft, min, smin, minop, max, smax, x) \ ((UNLIKELY((x) != (x))) \ ? 0 \ : (UNLIKELY(!((x)minop(min)))) \ ? smin \ : (UNLIKELY(!((x) < (max)))) ? smax : (ut)(st)(x)) #define I32_TRUNC_SAT_S_F32(x) \ TRUNC_SAT_S(u32, s32, f32, (f32)INT32_MIN, INT32_MIN, >=, 2147483648.f, \ INT32_MAX, x) #define I64_TRUNC_SAT_S_F32(x) \ TRUNC_SAT_S(u64, s64, f32, (f32)INT64_MIN, INT64_MIN, >=, (f32)INT64_MAX, \ INT64_MAX, x) #define I32_TRUNC_SAT_S_F64(x) \ TRUNC_SAT_S(u32, s32, f64, -2147483649., INT32_MIN, >, 2147483648., \ INT32_MAX, x) #define I64_TRUNC_SAT_S_F64(x) \ TRUNC_SAT_S(u64, s64, f64, (f64)INT64_MIN, INT64_MIN, >=, (f64)INT64_MAX, \ INT64_MAX, x) #define TRUNC_SAT_U(ut, ft, max, smax, x) \ ((UNLIKELY((x) != (x))) ? 0 \ : (UNLIKELY(!((x) > (ft)-1))) \ ? 0 \ : (UNLIKELY(!((x) < (max)))) ? smax : (ut)(x)) #define I32_TRUNC_SAT_U_F32(x) \ TRUNC_SAT_U(u32, f32, 4294967296.f, UINT32_MAX, x) #define I64_TRUNC_SAT_U_F32(x) \ TRUNC_SAT_U(u64, f32, (f32)UINT64_MAX, UINT64_MAX, x) #define I32_TRUNC_SAT_U_F64(x) TRUNC_SAT_U(u32, f64, 4294967296., UINT32_MAX, x) #define I64_TRUNC_SAT_U_F64(x) \ TRUNC_SAT_U(u64, f64, (f64)UINT64_MAX, UINT64_MAX, x) #define DEFINE_REINTERPRET(name, t1, t2) \ static inline t2 name(t1 x) { \ t2 result; \ memcpy(&result, &x, sizeof(result)); \ return result; \ } DEFINE_REINTERPRET(f32_reinterpret_i32, u32, f32) DEFINE_REINTERPRET(i32_reinterpret_f32, f32, u32) DEFINE_REINTERPRET(f64_reinterpret_i64, u64, f64) DEFINE_REINTERPRET(i64_reinterpret_f64, f64, u64) static float quiet_nanf(float x) { uint32_t tmp; memcpy(&tmp, &x, 4); tmp |= 0x7fc00000lu; memcpy(&x, &tmp, 4); return x; } static double quiet_nan(double x) { uint64_t tmp; memcpy(&tmp, &x, 8); tmp |= 0x7ff8000000000000llu; memcpy(&x, &tmp, 8); return x; } static double wasm_quiet(double x) { if (UNLIKELY(isnan(x))) { return quiet_nan(x); } return x; } static float wasm_quietf(float x) { if (UNLIKELY(isnan(x))) { return quiet_nanf(x); } return x; } static double wasm_floor(double x) { if (UNLIKELY(isnan(x))) { return quiet_nan(x); } return floor(x); } static float wasm_floorf(float x) { if (UNLIKELY(isnan(x))) { return quiet_nanf(x); } return floorf(x); } static double wasm_ceil(double x) { if (UNLIKELY(isnan(x))) { return quiet_nan(x); } return ceil(x); } static float wasm_ceilf(float x) { if (UNLIKELY(isnan(x))) { return quiet_nanf(x); } return ceilf(x); } static double wasm_trunc(double x) { if (UNLIKELY(isnan(x))) { return quiet_nan(x); } return trunc(x); } static float wasm_truncf(float x) { if (UNLIKELY(isnan(x))) { return quiet_nanf(x); } return truncf(x); } static float wasm_nearbyintf(float x) { if (UNLIKELY(isnan(x))) { return quiet_nanf(x); } return nearbyintf(x); } static double wasm_nearbyint(double x) { if (UNLIKELY(isnan(x))) { return quiet_nan(x); } return nearbyint(x); } static float wasm_fabsf(float x) { if (UNLIKELY(isnan(x))) { uint32_t tmp; memcpy(&tmp, &x, 4); tmp = tmp & ~(1UL << 31); memcpy(&x, &tmp, 4); return x; } return fabsf(x); } static double wasm_fabs(double x) { if (UNLIKELY(isnan(x))) { uint64_t tmp; memcpy(&tmp, &x, 8); tmp = tmp & ~(1ULL << 63); memcpy(&x, &tmp, 8); return x; } return fabs(x); } static double wasm_sqrt(double x) { if (UNLIKELY(isnan(x))) { return quiet_nan(x); } return sqrt(x); } static float wasm_sqrtf(float x) { if (UNLIKELY(isnan(x))) { return quiet_nanf(x); } return sqrtf(x); } static inline void memory_fill(wasm_rt_memory_t* mem, u32 d, u32 val, u32 n) { RANGE_CHECK(mem, d, n); memset(mem->data + d, val, n); } static inline void memory_copy(wasm_rt_memory_t* dest, const wasm_rt_memory_t* src, u32 dest_addr, u32 src_addr, u32 n) { RANGE_CHECK(dest, dest_addr, n); RANGE_CHECK(src, src_addr, n); memmove(dest->data + dest_addr, src->data + src_addr, n); } static inline void memory_init(wasm_rt_memory_t* dest, const u8* src, u32 src_size, u32 dest_addr, u32 src_addr, u32 n) { if (UNLIKELY(src_addr + (uint64_t)n > src_size)) TRAP(OOB); LOAD_DATA((*dest), dest_addr, src + src_addr, n); } typedef struct { wasm_rt_func_type_t type; wasm_rt_function_ptr_t func; size_t module_offset; } wasm_elem_segment_expr_t; static inline void funcref_table_init(wasm_rt_funcref_table_t* dest, const wasm_elem_segment_expr_t* src, u32 src_size, u32 dest_addr, u32 src_addr, u32 n, void* module_instance) { if (UNLIKELY(src_addr + (uint64_t)n > src_size)) TRAP(OOB); if (UNLIKELY(dest_addr + (uint64_t)n > dest->size)) TRAP(OOB); for (u32 i = 0; i < n; i++) { const wasm_elem_segment_expr_t* src_expr = &src[src_addr + i]; dest->data[dest_addr + i] = (wasm_rt_funcref_t){src_expr->type, src_expr->func, (char*)module_instance + src_expr->module_offset}; } } // Currently Wasm only supports initializing externref tables with ref.null. static inline void externref_table_init(wasm_rt_externref_table_t* dest, u32 src_size, u32 dest_addr, u32 src_addr, u32 n) { if (UNLIKELY(src_addr + (uint64_t)n > src_size)) TRAP(OOB); if (UNLIKELY(dest_addr + (uint64_t)n > dest->size)) TRAP(OOB); for (u32 i = 0; i < n; i++) { dest->data[dest_addr + i] = wasm_rt_externref_null_value; } } #define DEFINE_TABLE_COPY(type) \ static inline void type##_table_copy(wasm_rt_##type##_table_t* dest, \ const wasm_rt_##type##_table_t* src, \ u32 dest_addr, u32 src_addr, u32 n) { \ if (UNLIKELY(dest_addr + (uint64_t)n > dest->size)) \ TRAP(OOB); \ if (UNLIKELY(src_addr + (uint64_t)n > src->size)) \ TRAP(OOB); \ \ memmove(dest->data + dest_addr, src->data + src_addr, \ n * sizeof(wasm_rt_##type##_t)); \ } DEFINE_TABLE_COPY(funcref) DEFINE_TABLE_COPY(externref) #define DEFINE_TABLE_GET(type) \ static inline wasm_rt_##type##_t type##_table_get( \ const wasm_rt_##type##_table_t* table, u32 i) { \ if (UNLIKELY(i >= table->size)) \ TRAP(OOB); \ return table->data[i]; \ } DEFINE_TABLE_GET(funcref) DEFINE_TABLE_GET(externref) #define DEFINE_TABLE_SET(type) \ static inline void type##_table_set(const wasm_rt_##type##_table_t* table, \ u32 i, const wasm_rt_##type##_t val) { \ if (UNLIKELY(i >= table->size)) \ TRAP(OOB); \ table->data[i] = val; \ } DEFINE_TABLE_SET(funcref) DEFINE_TABLE_SET(externref) #define DEFINE_TABLE_FILL(type) \ static inline void type##_table_fill(const wasm_rt_##type##_table_t* table, \ u32 d, const wasm_rt_##type##_t val, \ u32 n) { \ if (UNLIKELY((uint64_t)d + n > table->size)) \ TRAP(OOB); \ for (uint32_t i = d; i < d + n; i++) { \ table->data[i] = val; \ } \ } DEFINE_TABLE_FILL(funcref) DEFINE_TABLE_FILL(externref) #if defined(__GNUC__) || defined(__clang__) #define FUNC_TYPE_DECL_EXTERN_T(x) extern const char* const x #define FUNC_TYPE_EXTERN_T(x) const char* const x #define FUNC_TYPE_T(x) static const char* const x #else #define FUNC_TYPE_DECL_EXTERN_T(x) extern const char x[] #define FUNC_TYPE_EXTERN_T(x) const char x[] #define FUNC_TYPE_T(x) static const char x[] #endif static void w2c_qCCYI0ajpD_0x5F_wasm_call_ctors_0(w2c_qCCYI0ajpD*); static u32 w2c_qCCYI0ajpD_strcmp_0(w2c_qCCYI0ajpD*, u32, u32); static u32 w2c_qCCYI0ajpD_check_flag_0(w2c_qCCYI0ajpD*); static void w2c_qCCYI0ajpD_copy_char_0(w2c_qCCYI0ajpD*, u32, u32); FUNC_TYPE_T(w2c_qCCYI0ajpD_t0) = "\x36\xa9\xe7\xf1\xc9\x5b\x82\xff\xb9\x97\x43\xe0\xc5\xc4\xce\x95\xd8\x3c\x9a\x43\x0a\xac\x59\xf8\x4e\xf3\xcb\xfa\xb6\x14\x50\x68"; FUNC_TYPE_T(w2c_qCCYI0ajpD_t1) = "\x92\xfb\x6a\xdf\x49\x07\x0a\x83\xbe\x08\x02\x68\xcd\xf6\x95\x27\x4a\xc2\xf3\xe5\xe4\x7d\x29\x49\xe8\xed\x42\x92\x6a\x9d\xda\xf0"; FUNC_TYPE_T(w2c_qCCYI0ajpD_t2) = "\x72\xab\x00\xdf\x20\x3d\xce\xa1\xf2\x29\xc7\x9d\x13\x40\x7e\x98\xac\x7d\x41\x4a\x53\x2e\x42\x42\x61\x55\x2e\xaa\xeb\xbe\xc6\x35"; FUNC_TYPE_T(w2c_qCCYI0ajpD_t3) = "\x26\x10\x81\xe2\x21\x43\xd6\x01\x3e\x2d\x2f\x16\x17\x78\x6f\xba\xb3\x2f\x4d\x54\x9b\x8a\xa9\xdd\xbf\x53\x92\x3c\xd3\x71\xc6\xb2"; static void init_globals(w2c_qCCYI0ajpD* instance) { instance->w2c_g0 = 66864u; instance->w2c_input = 1072u; instance->w2c_key = 1067u; instance->w2c_0x5F_dso_handle = 1024u; instance->w2c_0x5F_data_end = 1328u; instance->w2c_0x5F_global_base = 1024u; instance->w2c_0x5F_heap_base = 66864u; instance->w2c_0x5F_memory_base = 0u; instance->w2c_0x5F_table_base = 1u; } static const u8 data_segment_data_w2c_qCCYI0ajpD_d0[] = { 0x9d, 0x6e, 0x93, 0xc8, 0xb2, 0xb9, 0x41, 0x8b, 0xc2, 0x97, 0xd4, 0x66, 0xc7, 0x93, 0xc4, 0xd4, 0x61, 0xc2, 0xc6, 0xc9, 0xdd, 0x62, 0x94, 0x9e, 0xc2, 0x89, 0x32, 0x91, 0x90, 0xc1, 0xdd, 0x33, 0x91, 0x91, 0x97, 0x8b, 0x64, 0xc1, 0x92, 0xc4, 0x90, 0x00, 0x00, }; static const u8 data_segment_data_w2c_qCCYI0ajpD_d1[] = { 0xf1, 0xa7, 0xf0, 0x07, 0xed, }; static void init_memories(w2c_qCCYI0ajpD* instance) { wasm_rt_allocate_memory(&instance->w2c_memory, 2, 65536, 0); LOAD_DATA(instance->w2c_memory, 1024u, data_segment_data_w2c_qCCYI0ajpD_d0, 43); LOAD_DATA(instance->w2c_memory, 1067u, data_segment_data_w2c_qCCYI0ajpD_d1, 5); } static void init_data_instances(w2c_qCCYI0ajpD *instance) { } static void init_tables(w2c_qCCYI0ajpD* instance) { wasm_rt_allocate_funcref_table(&instance->w2c_T0, 1, 1); } /* export: 'memory' */ wasm_rt_memory_t* w2c_qCCYI0ajpD_memory(w2c_qCCYI0ajpD* instance) { return &instance->w2c_memory; } /* export: '__wasm_call_ctors' */ void w2c_qCCYI0ajpD_0x5F_wasm_call_ctors(w2c_qCCYI0ajpD* instance) { return w2c_qCCYI0ajpD_0x5F_wasm_call_ctors_0(instance); } /* export: 'strcmp' */ u32 w2c_qCCYI0ajpD_strcmp(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) { return w2c_qCCYI0ajpD_strcmp_0(instance, var_p0, var_p1); } /* export: 'check_flag' */ u32 w2c_qCCYI0ajpD_check_flag(w2c_qCCYI0ajpD* instance) { return w2c_qCCYI0ajpD_check_flag_0(instance); } /* export: 'input' */ u32* w2c_qCCYI0ajpD_input(w2c_qCCYI0ajpD* instance) { return &instance->w2c_input; } /* export: 'copy_char' */ void w2c_qCCYI0ajpD_copy_char(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) { return w2c_qCCYI0ajpD_copy_char_0(instance, var_p0, var_p1); } /* export: 'key' */ u32* w2c_qCCYI0ajpD_key(w2c_qCCYI0ajpD* instance) { return &instance->w2c_key; } /* export: '__dso_handle' */ u32* w2c_qCCYI0ajpD_0x5F_dso_handle(w2c_qCCYI0ajpD* instance) { return &instance->w2c_0x5F_dso_handle; } /* export: '__data_end' */ u32* w2c_qCCYI0ajpD_0x5F_data_end(w2c_qCCYI0ajpD* instance) { return &instance->w2c_0x5F_data_end; } /* export: '__global_base' */ u32* w2c_qCCYI0ajpD_0x5F_global_base(w2c_qCCYI0ajpD* instance) { return &instance->w2c_0x5F_global_base; } /* export: '__heap_base' */ u32* w2c_qCCYI0ajpD_0x5F_heap_base(w2c_qCCYI0ajpD* instance) { return &instance->w2c_0x5F_heap_base; } /* export: '__memory_base' */ u32* w2c_qCCYI0ajpD_0x5F_memory_base(w2c_qCCYI0ajpD* instance) { return &instance->w2c_0x5F_memory_base; } /* export: '__table_base' */ u32* w2c_qCCYI0ajpD_0x5F_table_base(w2c_qCCYI0ajpD* instance) { return &instance->w2c_0x5F_table_base; } void wasm2c_qCCYI0ajpD_instantiate(w2c_qCCYI0ajpD* instance) { assert(wasm_rt_is_initialized()); init_globals(instance); init_tables(instance); init_memories(instance); init_data_instances(instance); } void wasm2c_qCCYI0ajpD_free(w2c_qCCYI0ajpD* instance) { wasm_rt_free_funcref_table(&instance->w2c_T0); wasm_rt_free_memory(&instance->w2c_memory); } wasm_rt_func_type_t wasm2c_qCCYI0ajpD_get_func_type(uint32_t param_count, uint32_t result_count, ...) { va_list args; if (param_count == 0 && result_count == 0) { va_start(args, result_count); if (true) { va_end(args); return w2c_qCCYI0ajpD_t0; } va_end(args); } if (param_count == 2 && result_count == 1) { va_start(args, result_count); if (true && va_arg(args, wasm_rt_type_t) == WASM_RT_I32 && va_arg(args, wasm_rt_type_t) == WASM_RT_I32 && va_arg(args, wasm_rt_type_t) == WASM_RT_I32) { va_end(args); return w2c_qCCYI0ajpD_t1; } va_end(args); } if (param_count == 0 && result_count == 1) { va_start(args, result_count); if (true && va_arg(args, wasm_rt_type_t) == WASM_RT_I32) { va_end(args); return w2c_qCCYI0ajpD_t2; } va_end(args); } if (param_count == 2 && result_count == 0) { va_start(args, result_count); if (true && va_arg(args, wasm_rt_type_t) == WASM_RT_I32 && va_arg(args, wasm_rt_type_t) == WASM_RT_I32) { va_end(args); return w2c_qCCYI0ajpD_t3; } va_end(args); } return NULL; } void w2c_qCCYI0ajpD_0x5F_wasm_call_ctors_0(w2c_qCCYI0ajpD* instance) { FUNC_PROLOGUE; FUNC_EPILOGUE; } u32 w2c_qCCYI0ajpD_strcmp_0(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) { u32 var_l2 = 0, var_l3 = 0, var_l4 = 0, var_l5 = 0, var_l6 = 0, var_l7 = 0, var_l8 = 0, var_l9 = 0, var_l10 = 0, var_l11 = 0, var_l12 = 0, var_l13 = 0, var_l14 = 0, var_l15 = 0, var_l16 = 0, var_l17 = 0, var_l18 = 0, var_l19 = 0, var_l20 = 0, var_l21 = 0, var_l22 = 0, var_l23 = 0, var_l24 = 0, var_l25 = 0, var_l26 = 0, var_l27 = 0, var_l28 = 0, var_l29 = 0, var_l30 = 0, var_l31 = 0, var_l32 = 0, var_l33 = 0, var_l34 = 0, var_l35 = 0, var_l36 = 0, var_l37 = 0, var_l38 = 0, var_l39 = 0, var_l40 = 0, var_l41 = 0, var_l42 = 0, var_l43 = 0; FUNC_PROLOGUE; u32 var_i0, var_i1; var_i0 = instance->w2c_g0; var_l2 = var_i0; var_i0 = 32u; var_l3 = var_i0; var_i0 = var_l2; var_i1 = var_l3; var_i0 -= var_i1; var_l4 = var_i0; var_i0 = var_l4; var_i1 = var_p0; i32_store(&instance->w2c_memory, (u64)(var_i0) + 24, var_i1); var_i0 = var_l4; var_i1 = var_p1; i32_store(&instance->w2c_memory, (u64)(var_i0) + 20, var_i1); var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 24u); var_l5 = var_i0; var_i0 = var_l4; var_i1 = var_l5; i32_store(&instance->w2c_memory, (u64)(var_i0) + 16, var_i1); var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 20u); var_l6 = var_i0; var_i0 = var_l4; var_i1 = var_l6; i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1); var_L1: var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 16u); var_l7 = var_i0; var_i0 = 1u; var_l8 = var_i0; var_i0 = var_l7; var_i1 = var_l8; var_i0 += var_i1; var_l9 = var_i0; var_i0 = var_l4; var_i1 = var_l9; i32_store(&instance->w2c_memory, (u64)(var_i0) + 16, var_i1); var_i0 = var_l7; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0)); var_l10 = var_i0; var_i0 = var_l4; var_i1 = var_l10; i32_store8(&instance->w2c_memory, (u64)(var_i0) + 11, var_i1); var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u); var_l11 = var_i0; var_i0 = 1u; var_l12 = var_i0; var_i0 = var_l11; var_i1 = var_l12; var_i0 += var_i1; var_l13 = var_i0; var_i0 = var_l4; var_i1 = var_l13; i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1); var_i0 = var_l11; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0)); var_l14 = var_i0; var_i0 = var_l4; var_i1 = var_l14; i32_store8(&instance->w2c_memory, (u64)(var_i0) + 10, var_i1); var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u); var_l15 = var_i0; var_i0 = 255u; var_l16 = var_i0; var_i0 = var_l15; var_i1 = var_l16; var_i0 &= var_i1; var_l17 = var_i0; var_i0 = var_l17; if (var_i0) {goto var_B2;} var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u); var_l18 = var_i0; var_i0 = 255u; var_l19 = var_i0; var_i0 = var_l18; var_i1 = var_l19; var_i0 &= var_i1; var_l20 = var_i0; var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 10u); var_l21 = var_i0; var_i0 = 255u; var_l22 = var_i0; var_i0 = var_l21; var_i1 = var_l22; var_i0 &= var_i1; var_l23 = var_i0; var_i0 = var_l20; var_i1 = var_l23; var_i0 -= var_i1; var_l24 = var_i0; var_i0 = var_l4; var_i1 = var_l24; i32_store(&instance->w2c_memory, (u64)(var_i0) + 28, var_i1); goto var_B0; var_B2:; var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u); var_l25 = var_i0; var_i0 = 255u; var_l26 = var_i0; var_i0 = var_l25; var_i1 = var_l26; var_i0 &= var_i1; var_l27 = var_i0; var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 10u); var_l28 = var_i0; var_i0 = 255u; var_l29 = var_i0; var_i0 = var_l28; var_i1 = var_l29; var_i0 &= var_i1; var_l30 = var_i0; var_i0 = var_l27; var_l31 = var_i0; var_i0 = var_l30; var_l32 = var_i0; var_i0 = var_l31; var_i1 = var_l32; var_i0 = var_i0 == var_i1; var_l33 = var_i0; var_i0 = 1u; var_l34 = var_i0; var_i0 = var_l33; var_i1 = var_l34; var_i0 &= var_i1; var_l35 = var_i0; var_i0 = var_l35; if (var_i0) {goto var_L1;} var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u); var_l36 = var_i0; var_i0 = 255u; var_l37 = var_i0; var_i0 = var_l36; var_i1 = var_l37; var_i0 &= var_i1; var_l38 = var_i0; var_i0 = var_l4; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 10u); var_l39 = var_i0; var_i0 = 255u; var_l40 = var_i0; var_i0 = var_l39; var_i1 = var_l40; var_i0 &= var_i1; var_l41 = var_i0; var_i0 = var_l38; var_i1 = var_l41; var_i0 -= var_i1; var_l42 = var_i0; var_i0 = var_l4; var_i1 = var_l42; i32_store(&instance->w2c_memory, (u64)(var_i0) + 28, var_i1); var_B0:; var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 28u); var_l43 = var_i0; var_i0 = var_l43; goto var_Bfunc; var_Bfunc:; FUNC_EPILOGUE; return var_i0; } u32 w2c_qCCYI0ajpD_check_flag_0(w2c_qCCYI0ajpD* instance) { u32 var_l0 = 0, var_l1 = 0, var_l2 = 0, var_l3 = 0, var_l4 = 0, var_l5 = 0, var_l6 = 0, var_l7 = 0, var_l8 = 0, var_l9 = 0, var_l10 = 0; FUNC_PROLOGUE; u32 var_i0, var_i1; var_i0 = 0u; var_l0 = var_i0; var_i0 = 1072u; var_l1 = var_i0; var_i0 = 1024u; var_l2 = var_i0; var_i0 = var_l2; var_i1 = var_l1; var_i0 = w2c_qCCYI0ajpD_strcmp_0(instance, var_i0, var_i1); // var_i0 == 1024 / var_i1 == 1072 var_l3 = var_i0; var_i0 = var_l3; var_l4 = var_i0; var_i0 = var_l0; var_l5 = var_i0; var_i0 = var_l4; var_i1 = var_l5; var_i0 = var_i0 != var_i1; var_l6 = var_i0; var_i0 = 4294967295u; var_l7 = var_i0; var_i0 = var_l6; var_i1 = var_l7; var_i0 ^= var_i1; var_l8 = var_i0; var_i0 = 1u; var_l9 = var_i0; var_i0 = var_l8; var_i1 = var_l9; var_i0 &= var_i1; var_l10 = var_i0; var_i0 = var_l10; goto var_Bfunc; var_Bfunc:; FUNC_EPILOGUE; return var_i0; } void w2c_qCCYI0ajpD_copy_char_0(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) { u32 var_l2 = 0, var_l3 = 0, var_l4 = 0, var_l5 = 0, var_l6 = 0, var_l7 = 0, var_l8 = 0, var_l9 = 0, var_l10 = 0, var_l11 = 0, var_l12 = 0, var_l13 = 0, var_l14 = 0, var_l15 = 0, var_l16 = 0, var_l17 = 0, var_l18 = 0; FUNC_PROLOGUE; u32 var_i0, var_i1; var_i0 = instance->w2c_g0; var_l2 = var_i0; var_i0 = 16u; var_l3 = var_i0; var_i0 = var_l2; var_i1 = var_l3; var_i0 -= var_i1; var_l4 = var_i0; var_i0 = var_l4; var_i1 = var_p0; i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1); var_i0 = var_l4; var_i1 = var_p1; i32_store(&instance->w2c_memory, (u64)(var_i0) + 8, var_i1); var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u); var_l5 = var_i0; var_i0 = var_l5; var_i0 = !(var_i0); if (var_i0) {goto var_B0;} var_i0 = 4u; var_l6 = var_i0; var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 8u); var_l7 = var_i0; var_i0 = 5u; var_l8 = var_i0; var_i0 = var_l7; var_i1 = var_l8; var_i0 = I32_REM_S(var_i0, var_i1); var_l9 = var_i0; var_i0 = var_l6; var_i1 = var_l9; var_i0 -= var_i1; var_l10 = var_i0; var_i0 = var_l10; var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 1067u); var_l11 = var_i0; var_i0 = 24u; var_l12 = var_i0; var_i0 = var_l11; var_i1 = var_l12; var_i0 <<= (var_i1 & 31); var_l13 = var_i0; var_i0 = var_l13; var_i1 = var_l12; var_i0 = (u32)((s32)var_i0 >> (var_i1 & 31)); var_l14 = var_i0; var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u); var_l15 = var_i0; var_i0 = var_l15; var_i1 = var_l14; var_i0 ^= var_i1; var_l16 = var_i0; var_i0 = var_l4; var_i1 = var_l16; i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1); var_B0:; var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u); var_l17 = var_i0; var_i0 = var_l4; var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 8u); var_l18 = var_i0; var_i0 = var_l18; var_i1 = var_l17; i32_store8(&instance->w2c_memory, (u64)(var_i0) + 1072, var_i1); goto var_Bfunc; var_Bfunc:; FUNC_EPILOGUE; } ``` ::: ## Recon 這一題沒有寫出來，太難了，應該說複雜很多，即使看了maple和martin的WP還是做不出來，大概知道就是兩個list之間的XOR，不過具體的流程和解題思路是比較模糊的，沒有通透的感覺QQ ## Reference [pico web wp - Some Assembly Required 3 - maple](https://blog.maple3142.net/2021/03/30/picoctf-2021-writeups/#some-assembly-required-3) [ picoCTF 2021 Some Assembly Required 3 - Martin](https://youtu.be/GBM9wj_xmU0)