Write-up for UIU 2024

### Write-up for UIUCTF 2024 #### Summarize - Đề cho chúng ta 1 file sau khi check thì mình bỏ vào ida để phân tích thử. - Sau khi đọc qua thì biết được chương trình yêu cầu nhập 6 số: a1,a2,a3,a4,a5,a6. Thì để có được flag thì bộ 6 số vừa nhập phải pass qua được 1 hàm như sau: ![image](https://hackmd.io/_uploads/ryXe6SSdR.png) - Để ý thấy thì có khá nhiều fuction sub_... ban đầu mình có vào và đọc thì thấy nó là các hàm chứa các vòng lặp cùng các toán tử cơ bản bên trong. Sau khi mất 1 hồi phân tích cùng với kiến thức môn nhập môn mạch số thì mình nhận ra các hàm này chỉ là đang thực hiện các phép toán +,-,&,^ cơ bản. - Vậy vấn đề bây giờ là làm sao tìm ra bộ 6 số này. Nếu bỏ đi ràng buộc về các giá trị cuối cùng là số dư thì bài toán trở nên đơn giản nhưng đây lại là các phép toán chia dư nên việt brute-force bằng kĩ năng lập trình cá nhân là rất khó. Mình đã chật vật tìm cách tối ưu... để cố gắng brute-force trong vô vọng. May sao lúc đó được teammate crypto gợi ý có thể tìm số dựa trên các ràng buộc bằng Z3 của python. Vậy là mình tìm hiểu và đây là script cuối cùng của mình giải bài này bằng Z3. ```python from z3 import * def sub(a,b): return add(a,0xffffffff - b + 1) def add(a,b): return (a + b) & 0xffffffff solve = Solver() a1 = BitVec('a1',32) a2 = BitVec('a2',32) a3 = BitVec('a3',32) a4 = BitVec('a4',32) a5 = BitVec('a5',32) a6 = BitVec('a6',32) solve.add(a1 > 0x5F5E100) solve.add(a2 > 0x5F5E100) solve.add(a3 > 0x5F5E100) solve.add(a4 > 0x5F5E100) solve.add(a5 > 0x5F5E100) solve.add(a6 > 0x5F5E100) solve.add(a1 <= 0x3B9AC9FF) solve.add(a2 <= 0x3B9AC9FF) solve.add(a3 <= 0x3B9AC9FF) solve.add(a4 <= 0x3B9AC9FF) solve.add(a5 <= 0x3B9AC9FF) solve.add(a6 <= 0x3B9AC9FF) v7 = sub(a1,a2) v18 = add(v7, a3) % 0x10AE961 v19 = add(a1, a2) % 0x1093A1D v8 = (a2 * 2) & 0xffffffff v9 = (a1 * 3) & 0xffffffff v10 = sub(v9,v8) v20 = v10 % (a1 ^ a4) v11 = add(a3, a1) v21 = (a2 & v11) % 0x6E22 v22 = add(a2, a4) % a1 v12 = add(a4, a6) v23 = (a3 ^ v12) % 0x1CE628 v24 = sub(a5, a6) % 0x1172502 v25 = add(a5, a6) % 0x2E16F83 solve.add(v18 == 4139449) solve.add(v19 == 9166034) solve.add(v20 == 556569677) solve.add(v21 == 12734) solve.add(v22 == 540591164) solve.add(v23 == 1279714) solve.add(v24 == 17026895) solve.add(v25 == 23769303) if solve.check() == sat: model = solve.model() print(model[a1],' ',model[a2],' ',model[a3],' ',model[a4],' ',model[a5],' ',model[a6]) else: print('?') #705965527 780663452 341222189 465893239 966221407 217433792 #uiuctf{2a142dd72e87fa9c1456a32d1bc4f77739975e5fcf5c6c0} ``` #### Pwnymaps - Đây là chall mình đánh giá rất hay và đòi hỏi tính kiên trì nhiều, thứ mà ban đầu khi bắt tay vào làm chall này mình rất thiếu <(""). Và chính vì nó hay nên mình sẽ phân tích nó kĩ 1 xíu. - Đề cho chúng ta 1 file, mình check file xong thì bỏ vô ida như bình thường. ![image](https://hackmd.io/_uploads/H1JJIldO0.png) - Từ dữ liệu của đề bài và đọc pseudocode thì điều chúng ta cần làm là phải pass qua 2 hàm check: ![image](https://hackmd.io/_uploads/SJRIUguOA.png) và... ![image](https://hackmd.io/_uploads/SJtRIeOuC.png) - Do mỗi lần nhập 2 số x,y thì lại có hàm check nên ta chỉ việc coi length của mảng correct hoặc correct_checksums thì sẽ dễ dàng biết được cần nhập vào bao nhiêu cặp số! (length = 335). - Ok vậy đến đây tổng quan thì chúng ta cần nhập 335 cặp số sau 1 tá các biến đổi thì phải đúng 2 điều kiện trên... Đến đây điều đầu tiên nảy lên trong đầu mình là Z3, cơ mà sau khi thử bắt tay vào code thì... đời không như là mơ... Vì các data type trong pseudocode quá nhiều và khác nhau dẫn tới việc code z3 trong python gặp không ít khó khăn. Nên mình chuyển qua phân tích từng hàm... ![image](https://hackmd.io/_uploads/S11CPgu_C.png) - Sau khi phân tích đống ở trên thì mình nhận ra được có v25 là có tất cả mặc dù có vẻ hơi lạ khi v20 được khởi tạo và không được sử dụng đến lần nào hết! - Trong chương trình này thì có khá nhiều hàm Pad...: + Pad12bit: ![image](https://hackmd.io/_uploads/SyVN_eO_0.png) + Pad24bit: ![image](https://hackmd.io/_uploads/SkFSdg_dA.png) + Pad6bit: ![image](https://hackmd.io/_uploads/Hybqdl__R.png) ... - Ở trên mình lấy ví dụ với hàm Pad, với những hàm có các số không dễ để ta nhìn ra tính chất thì thay vì mình ngồi phân tích thì mình brute-force để mình quan sát đặc điểm của từng hàm luôn :)). Cách này có vẻ hơi sus... nhưng khi quan sát đủ nhiều, đủ trường hợp thì mình sẽ tự tin hơn. - Ở đây với 3 hàm Pad24bit,Pad48Bit,Pad12Bit. hàm Padxbit thì sẽ nhận vào số x/2 bit. giả sử số đó là 0b100110 thì kết quả hàm trả về sẽ là từng bit của số cũ so le với bit 0. Nên ta được kết quả là 0b0**1**0**0**0**0**0**1**0**1**0**0**. Các hàm khác tương sẽ phân tích gần tương tự. ![image](https://hackmd.io/_uploads/HJ18FgddC.png) - Việc reverse của mình bắt đầu từ đoạn check correct[ii]. Từ đó mình tìm được 8bit của v26[0->8]. Đến đây thì chỉ cần check lại điều kiện của correct_Checksums nữa là rev lại được x,y ban đầu cần nhập. ```cpp #include<bits/stdc++.h> using namespace std; unsigned int correct_checksums[335] = {0xcd4f2531, 0x23531b52, 0xc3c978e8, 0x8d5d6f3, 0x23531b52, 0xcd4f2531, 0xc3c978e8, 0x46a636a4, 0x23531b52, 0x9a9f4a63, 0xc3c978e8, 0x23531b52, 0xcd4f2531, 0x23531b52, 0xc3c978e8, 0xc3c978e8, 0xc3c978e8, 0x23531b52, 0xc3c978e8, 0xdfb6d245, 0xc3c978e8, 0xc3c978e8, 0x9a9f4a63, 0x8d5d6f3, 0x8d5d6f3, 0xcd4f2531, 0xc3c978e8, 0x46a636a4, 0xc3c978e8, 0x23531b52, 0x4c8214b, 0x8d5d6f3, 0xc3c978e8, 0x9a9f4a63, 0x23531b52, 0x9a9f4a63, 0xcd4f2531, 0x8d5d6f3, 0xdfb6d245, 0x9a9f4a63, 0x23531b52, 0x23531b52, 0xc3c978e8, 0x8d5d6f3, 0x8d5d6f3, 0x9a9f4a63, 0xcd4f2531, 0x8d5d6f3, 0x4c8214b, 0xc3c978e8, 0x4c8214b, 0x8d5d6f3, 0x8d5d6f3, 0x4c8214b, 0x9a9f4a63, 0xc3c978e8, 0x9a9f4a63, 0xc3c978e8, 0x23531b52, 0xcd4f2531, 0xc3c978e8, 0x8d5d6f3, 0x46a636a4, 0x9a9f4a63, 0xcd4f2531, 0x23531b52, 0x8d5d6f3, 0xdfb6d245, 0xc3c978e8, 0xcd4f2531, 0xc3c978e8, 0x9a9f4a63, 0x23531b52, 0x23531b52, 0x9a9f4a63, 0xcd4f2531, 0x23531b52, 0xcd4f2531, 0xcd4f2531, 0xc3c978e8, 0x23531b52, 0x4c8214b, 0x9a9f4a63, 0x8d5d6f3, 0x9a9f4a63, 0x8d5d6f3, 0x9a9f4a63, 0x8d5d6f3, 0x23531b52, 0x8d5d6f3, 0xc3c978e8, 0x66a79298, 0x8d5d6f3, 0x9a9f4a63, 0x23531b52, 0x23531b52, 0xcd4f2531, 0xc3c978e8, 0xc3c978e8, 0x9a9f4a63, 0x4c8214b, 0x9a9f4a63, 0x9a9f4a63, 0xdfb6d245, 0xc3c978e8, 0xdfb6d245, 0x23531b52, 0xc3c978e8, 0xcd4f2531, 0x23531b52, 0x8d5d6f3, 0x9a9f4a63, 0x4c8214b, 0x9a9f4a63, 0x4c8214b, 0xc3c978e8, 0x8d5d6f3, 0x9a9f4a63, 0x8d5d6f3, 0x9a9f4a63, 0xc3c978e8, 0xc3c978e8, 0x4c8214b, 0x9a9f4a63, 0x8d5d6f3, 0x4c8214b, 0x8d5d6f3, 0x23531b52, 0x8d5d6f3, 0x9a9f4a63, 0xc3c978e8, 0xc3c978e8, 0x46a636a4, 0x4c8214b, 0x8d5d6f3, 0x9a9f4a63, 0xc3c978e8, 0x8d5d6f3, 0x23531b52, 0xc3c978e8, 0xc3c978e8, 0x23531b52, 0x9a9f4a63, 0x4c8214b, 0x9a9f4a63, 0x8d5d6f3, 0x9a9f4a63, 0x9a9f4a63, 0x9a9f4a63, 0xc3c978e8, 0x23531b52, 0x4c8214b, 0x9a9f4a63, 0xc3c978e8, 0x9a9f4a63, 0x9a9f4a63, 0x8d5d6f3, 0x4c8214b, 0xa085b4c, 0xc3c978e8, 0x4c8214b, 0x46a636a4, 0x9a9f4a63, 0xc3c978e8, 0x9a9f4a63, 0x4c8214b, 0x23531b52, 0x9a9f4a63, 0x4c8214b, 0x8d5d6f3, 0x9a9f4a63, 0x46a636a4, 0x46a636a4, 0x9a9f4a63, 0xcd4f2531, 0x9a9f4a63, 0x4c8214b, 0xc3c978e8, 0x4c8214b, 0x8d5d6f3, 0xc3c978e8, 0xc3c978e8, 0x8d5d6f3, 0x9a9f4a63, 0x46a636a4, 0xc3c978e8, 0x23531b52, 0xc3c978e8, 0x8d5d6f3, 0x23531b52, 0x4c8214b, 0x4c8214b, 0x4c8214b, 0xc3c978e8, 0xc3c978e8, 0xcd4f2531, 0x9a9f4a63, 0xc3c978e8, 0x8d5d6f3, 0x8d5d6f3, 0x9a9f4a63, 0x9a9f4a63, 0x9a9f4a63, 0x8d5d6f3, 0xc3c978e8, 0xc3c978e8, 0xc3c978e8, 0x9a9f4a63, 0x9a9f4a63, 0x4c8214b, 0x9a9f4a63, 0xc3c978e8, 0xcd4f2531, 0x23531b52, 0x9a9f4a63, 0x9a9f4a63, 0x8d5d6f3, 0xc3c978e8, 0x8d5d6f3, 0xc3c978e8, 0xcd4f2531, 0x8d5d6f3, 0xc3c978e8, 0x9a9f4a63, 0x4c8214b, 0x8d5d6f3, 0x4c8214b, 0x46a636a4, 0x9a9f4a63, 0xcd4f2531, 0x23531b52, 0x9a9f4a63, 0xcd4f2531, 0xc3c978e8, 0x4c8214b, 0x8d5d6f3, 0xc3c978e8, 0x9a9f4a63, 0xa085b4c, 0xc3c978e8, 0xc3c978e8, 0x9a9f4a63, 0xcd4f2531, 0x4c8214b, 0x23531b52, 0xcd4f2531, 0x4c8214b, 0x8d5d6f3, 0xa085b4c, 0xc3c978e8, 0x46a636a4, 0x8d5d6f3, 0xc3c978e8, 0x9a9f4a63, 0xc3c978e8, 0xcd4f2531, 0x8d5d6f3, 0x4c8214b, 0x23531b52, 0x8d5d6f3, 0xcd4f2531, 0x9a9f4a63, 0x8d5d6f3, 0x4c8214b, 0x9a9f4a63, 0x8d5d6f3, 0x8d5d6f3, 0x46a636a4, 0x9a9f4a63, 0x46a636a4, 0xc3c978e8, 0xcd4f2531, 0xc3c978e8, 0x4c8214b, 0x23531b52, 0x8d5d6f3, 0x23531b52, 0x8d5d6f3, 0x8d5d6f3, 0xc3c978e8, 0x23531b52, 0x8d5d6f3, 0x9a9f4a63, 0x4c8214b, 0x8d5d6f3, 0x23531b52, 0x8d5d6f3, 0x9a9f4a63, 0x8d5d6f3, 0xc3c978e8, 0x8d5d6f3, 0x9a9f4a63, 0x9a9f4a63, 0x8d5d6f3, 0x4c8214b, 0x8d5d6f3, 0x4c8214b, 0x4c8214b, 0xc3c978e8, 0x8d5d6f3, 0x9a9f4a63, 0x9a9f4a63, 0x23531b52, 0x8d5d6f3, 0x9a9f4a63, 0x9a9f4a63, 0x23531b52, 0x8d5d6f3, 0xc3c978e8, 0x46a636a4, 0x4c8214b, 0x8d5d6f3, 0x46a636a4, 0xc3c978e8, 0x23531b52, 0x8d5d6f3, 0x23531b52, 0x23531b52, 0x9a9f4a63, 0x8d5d6f3, 0xc3c978e8, 0x9a9f4a63, 0xc3c978e8, 0x23531b52, 0xcd4f2531, 0x4c8214b, 0xcd4f2531, 0x9a9f4a63, 0x4c8214b, 0x4c8214b, 0x8d5d6f3, 0x4c8214b, 0xc3c978e8, 0xa085b4c, 0xc3c978e8}; uint64_t correct[335] = {0x22640aba57200, 0x8004479d42852, 0x880054948c092, 0x8a41420193a02, 0x400541d1e04050, 0x4821117a352810, 0x4a0044c8404a12, 0x4a245518302a90, 0x4a24557b20d892, 0x4a2650e3796050, 0x10a01442864e2d0, 0x108a505e86d6802, 0x108a50451e1c880, 0x108a505f3ec4010, 0x108a70169e13012, 0x108a7011af138d0, 0x108860412910010, 0x1422700d0b40812, 0x142865141e590c0, 0x142a44551dce092, 0x148a455682d2000, 0x14a2545a205aa92, 0x400a0550a055212, 0x402a1044bec02c2, 0x408250471c01280, 0x4088145fb0d1852, 0x408834010dc50c0, 0x4088211f1a83012, 0x50227401a7400c2, 0x50202007aa948c0, 0x500835170e80042, 0x44a071423453280, 0x448a30420e53000, 0x442a601ba382a52, 0x4422751ca9ddad0, 0x442045472a068c0, 0x442810491c9b012, 0x448245568915880, 0x44a2044c9fde000, 0x500054449210290, 0x502044461b93242, 0x548851463309a82, 0x54825446b34e012, 0x5482105ba4cb042, 0x548230008d5c852, 0x548230018dcf292, 0x548261528b93800, 0x54807559b9928d0, 0x542a4d162197a02, 0x54801913325ba90, 0x548848189197012, 0x54a8614b1acb202, 0x1002a31432d18890, 0x1008074499f8b090, 0x54a8304b2d578c0, 0x540a75590c45a40, 0x54023543b083ad0, 0x50826453af42010, 0x1048a00422488082, 0x10488015436c0082, 0x1048235023e1b840, 0x104822401abc48c2, 0x1048071423b4e252, 0x10480714f370e090, 0x104821d022adead2, 0x1048a5d190b072d0, 0x104a81d0d074a850, 0x1102219079e8f2d2, 0x110884c1bb8c0212, 0x1108a61051c988c2, 0x11020650f2100800, 0x104a824071b45812, 0x10420700d1893a50, 0x10402750f19df080, 0x100a8600d00128c0, 0x14088401fb31d250, 0x14082101fb75b802, 0x114aa544c324f200, 0x140000546a19e842, 0x14000515ba2972c2, 0x1400071099100a42, 0x114aa740731408c0, 0x114a82017160ea10, 0x1142230402f4c850, 0x11408705a135f240, 0x1140a654614c0a80, 0x1148830563bd5a52, 0x114a831519a56080, 0x14002355f03950d2, 0x14008091e8edd210, 0x1400a08032b172d2, 0x140821852bc00050, 0x144000c449118242, 0x1500001461ed8290, 0x144aa154b288c082, 0x144aa350001cd880, 0x144aa7016be07840, 0x1500231071e41ad2, 0x150026452beccad2, 0x144aa58039586a52, 0x150024c17a053a42, 0x150024c173551a12, 0x150a25150a45f2d0, 0x154005558b45c802, 0x15422005aa558842, 0x154880058b8dd252, 0x800001046854aac0, 0x80020004e175f2c2, 0x800280544931f000, 0x8008a054c3303a00, 0x80482541a1c5d2d2, 0x8048210038a542c0, 0x80480114aa697840, 0x8042a015b3917a52, 0x804283502048a0c0, 0x8040a310f8d91240, 0x8040a314221110d2, 0x8040a644ba291890, 0x80420615197c2892, 0x804aa254fbf8a8d0, 0x8102a20478a938d2, 0x810a031539f55250, 0x81420701f81d7ad0, 0x814226501230ba12, 0x814003412855cac0, 0x810801047a995250, 0x8100a105137dea90, 0x814aa454f1a5d840, 0x814aa21028c50252, 0x814a8351c16c80d0, 0x814a2711f25cd250, 0x814a8245a234bac2, 0x814a2715f195d090, 0x814a80c189f828c0, 0x840082549b2d7a50, 0x840203459138a0c0, 0x84088644d961aa00, 0x844087047b200a90, 0x8440a65453248a50, 0x8502a14533580092, 0x85020414d0e5aa40, 0x844aa1055bfca8c2, 0x8448a6009814ca52, 0x8448a60408a56ad0, 0x844a8314b864b210, 0x85020304b2293842, 0x850803143b6dd212, 0x850a0655a1a97092, 0x85088711dad17a12, 0x8502271050a0b880, 0x844aa30050451ac0, 0x8542a005195db8c0, 0x8542a310022c9892, 0x8542a310b9c8d850, 0x8548260401907080, 0x854883556288f010, 0x854a05d0088d1a12, 0x854a2180c3c91a52, 0x854a859409a96052, 0x9000219468cdc212, 0x90020584302cb252, 0x900800d5e0ac2090, 0x90402494e9a49ac0, 0x904201c5a829b802, 0x9040a245b2a40280, 0x900a0744d3e8b2c2, 0x900001c029517282, 0x854024d08325ca92, 0x850a208121fc4810, 0x904a0515b26d8812, 0x904800459b3de810, 0x9040871022a1d0c0, 0x9042a251710d0812, 0x904206516838a290, 0x904222005115c050, 0x90482344a38930c0, 0x904a0715eae99a42, 0x910202059a1532d0, 0x9108065542fdf042, 0x910a2214a03c58d0, 0x910a221058b4f052, 0x910282503bbc9852, 0x904a82109b2412d2, 0x904a8455b9f8c2d2, 0x9100251598492a42, 0x91088414f0f52052, 0x91482545385998d2, 0x91482545710492c2, 0x91488250c36de0d2, 0x9148a7013ac000d2, 0x914887150b09f280, 0x9148871568412290, 0x914a231480d42240, 0x94002215299cfa52, 0x9400a30508a91ac2, 0x9408870528981050, 0x940a230589cc5212, 0x940a0445b0703092, 0x9440a405100dc292, 0x94428005b9fcc8d0, 0x944884559a6d0852, 0x944a2404f21142d2, 0x9500241472cd1840, 0x9508a410f32c7ac0, 0x950885558038c840, 0x95088554b3003202, 0x95088445da497ac2, 0x950887509075e850, 0x9508a301dbc11210, 0x9508a745e999f850, 0x9540260548056000, 0x9542a354cac4a892, 0x95488610faa94250, 0x954a0700985032c2, 0x9542860009d18292, 0x950aa4445b513ac2, 0x20a75423b48880, 0x20a640f855ba90, 0x22260042397850, 0x2a045473f45052, 0x2aa05552306240, 0x608310a93d4a02, 0x622351c0388850, 0x62a3105204ea92, 0x62a31039b98a40, 0x6a044572b89842, 0x6aa2410204d842, 0x12002114ae010c0, 0x12222117a910282, 0x1228315298c82d0, 0x12a24057b4d32d2, 0x16002014bb03090, 0x160020113c0b0c2, 0x12aa214e2d42082, 0x12aa214b134a812, 0x1602741da91f0d2, 0x16803552b74dac2, 0x16a86544b7c5292, 0x42883048301a280, 0x4282641b07d6212, 0x4288610033c4050, 0x4602150a944da42, 0x468805071794ad0, 0x46a24415acc12c0, 0x5200044e35d7a02, 0x5222504f1e19ad0, 0x52a2740e0bcd090, 0x5602751192d18d0, 0x56203517a69d002, 0x562265501008280, 0x52a8710415d8a90, 0x528835109159840, 0x5208641a8f070d2, 0x5202211eb05d8c2, 0x46a8300d1dd1a40, 0x4688255a3acd2c0, 0x462a6556a442852, 0x4222745a8250ad0, 0x420a3446bc4fa92, 0x460814123a1fa82, 0x46205416b91e010, 0x56aa1445a453012, 0x56aa210290c1ad0, 0x56a8700600dea92, 0x10200200704152c2, 0x10208255a09cb810, 0x102206544290c282, 0x102a865582498242, 0x10602711394ca802, 0x10602710b97190c2, 0x1060a21152d138c0, 0x10620645a3b8f052, 0x10680215a0a9ea10, 0x106a02448b0502c0, 0x106a875139187802, 0x106aa741a8892a82, 0x1120060089c18850, 0x11602455d2f84010, 0x1160875062d1fa82, 0x112aa600d9510a40, 0x112a2314c80c0a82, 0x11228241d9248a10, 0x11222601bad46a80, 0x1122260109b060c0, 0x1128a2404870f050, 0x11688500516daa10, 0x116a055429a87ad0, 0x116a25459248a882, 0x116a8405f2ac4ad0, 0x116aa701c8c402d0, 0x1420220153397a00, 0x142023140ab00a92, 0x14202314c1851842, 0x1420275443f1e0c0, 0x14208615eb14ea52, 0x142827054a9c98c2, 0x142a030542544280, 0x142aa65520e958c2, 0x14608710500132c2, 0x142aa651a2003252, 0x1428224002a5d0c2, 0x14202750ab94ca10, 0x1560a64548f04a00, 0x1560071439743a02, 0x1528264419ecf240, 0x15228715e3dc5810, 0x1520a3419294e0d2, 0x152223019a78a852, 0x1528861098889050, 0x152a234061a85292, 0x152a234009c57a00, 0x152824451064e0c0, 0x15200545b970f8c0, 0x15602500d3380042, 0x1560a55423398800, 0x1562a145eb6ca800, 0x15688405335c88d0, 0x156a0015f89c2890, 0x156823018b357092, 0x156226006a3d6040, 0x15680641cbf038d2, 0x156aa7111bf5b212, 0x8022865179fc2a92, 0x8022a31428a11ac0, 0x802082044ac42240, 0x156a2645eaccca10, 0x15688254b10d5a00, 0x1568871552381810, 0x1568859162609ac0, 0x156821801b78ca50, 0x156281d1706cf892, 0x156081c5218122c0, 0x156000d5abb11090, 0x152a24d582389002, 0x152a00c461119880}; unsigned char v26[8]; void getback9x7(uint64_t x) { for (int i = 0; i < 9; i++) { for (int j = 0; j < 7; j++) { if (i == 8) break; if ((x >> (i + j * 9)) & 1) v26[i] |= (1<<j); } if (i == 8) { for (int j = 0; j < 7; j++) { v26[7 - j] |= (((x >> (i + j * 9)) & 1)<<7); } } } } unsigned int HIWORD(unsigned int x) { return (x >> 16); } __int64 __fastcall hashh(unsigned int a1) { unsigned int v2; // [rsp+0h] [rbp-4h] v2 = 73244475 * ((73244475 * (a1 ^ HIWORD(a1))) ^ ((73244475 * (a1 ^ HIWORD(a1))) >> 16)); return HIWORD(v2) ^ v2; } unsigned __int64 Convert8to64() { unsigned __int64 ans = 0; for (int i = 0; i < 8; i++) { for (int j = 0; j< 8; j++) { if ((v26[i] >> j) & 1) ans |= (1LL << (i + j * 8)); } } return ans; } int main() { freopen("coordinates.txt","w",stdout); cout << "co =["; for (int i = 0; i < 335; i++) { uint64_t v22 = correct[i]; memset(v26,0,sizeof v26); v26[0] |= ((v22 >> 63) << 7); v22 &= 0x7FFFFFFFFFFFFFFF; getback9x7(v22); int val =((unsigned __int16)((((unsigned __int8)v26[4] << 8) | (unsigned __int8)v26[5]) ^ (((unsigned __int8)v26[2] << 8) | (unsigned __int8)v26[3]) ^ ((unsigned __int8)v26[1] | ((unsigned __int8)v26[0] << 8)) ^ (((unsigned __int8)v26[6] << 8) | (unsigned __int8)v26[7]))); assert(correct_checksums[i] == (unsigned int)hashh(__builtin_popcount(val))); swap(v26[1],v26[5]); unsigned __int64 v25 = Convert8to64(); unsigned __int16 v6 = v25 & 0xfff; __int64 v24 = (v25 >>12); unsigned int v11 = 0,v10 = 0; v11 |= (1LL * ((v6 & 0xf) << 28)); v10 = 1LL * (v6 >> 4); unsigned int v19 = 0; unsigned __int16 v7 = 0; int numv19 = 0; int numv7 = 0; for (int i = 0; i < 49; i++) { bool v = (v24 >> i) & 1; if (v == 1) { if (i % 2 == 0) { v19 |= (1LL<<numv19); } else { v7 |= (1LL << numv7); } } if (i % 2 == 0) numv19++; else numv7++; } v11 |= (v7 << 16); v19 <<= 8; v10 |= v19; cout << "(" << v10 <<", " << v11 <<")" ; if (i != 334) cout <<","; } cout << ']'; return 0; } ``` - Còn đây là script nối các điểm đó lại tạo flag: ```python import matplotlib.pyplot as plt co =[(23717296, 70123520), (34143559, 58982400), (41972267, 47185920), (48531922, 34734080), (70856741, 30146560), (106220865, 32112640), (118050931, 41943040), (124537177, 55050240), (124576491, 65536000), (124631333, 79298560), (186177341, 34078720), (183620962, 47841280), (183513704, 59637760), (183612449, 66846720), (183562627, 80609280), (183523789, 91095040), (178259969, 119930880), (225512515, 93061120), (229389964, 80609280), (233324331, 64225280), (250397952, 47841280), (259622747, 39976960), (281822387, 39976960), (298873886, 45875200), (309375128, 58982400), (312075463, 66191360), (311958700, 85196800), (310747523, 98304000), (427318286, 86507520), (419479660, 96337920), (412913670, 98304000), (389330328, 102891520), (382768512, 101580800), (367118679, 91750400), (360533757, 83230720), (355238252, 61603840), (361837443, 51773440), (376228072, 46530560), (390692640, 43909120), (406347801, 42598400), (422095254, 43909120), (515156698, 44564480), (511242019, 44564480), (508680070, 57671680), (508583527, 67502080), (508583867, 85196800), (509921728, 106823680), (507341133, 125173760), (502041074, 150077440), (504670169, 157941760), (513894819, 139591680), (530950034, 119275520), (567581257, 119930880), (574192521, 119275520), (529636844, 119930880), (486348020, 121896960), (475849181, 120586240), (443079937, 124518400), (650154506, 36700160), (646198282, 49807360), (643609540, 70123520), (642272366, 87818240), (640986935, 103546880), (641055529, 128450560), (643598207, 138280960), (654117309, 155975680), (664608581, 159907840), (693433279, 161218560), (715777043, 158597120), (719598158, 93716480), (690849856, 94371840), (663268579, 93061120), (623976917, 93716480), (612216744, 93716480), (597754188, 92405760), (849472181, 32112640), (844234690, 32112640), (804857776, 44564480), (806144870, 45219840), (808829374, 58327040), (808806486, 83886080), (804826188, 94371840), (796963697, 96993280), (760225381, 103546880), (749842356, 105512960), (753710168, 110100480), (781233399, 117309440), (798254376, 122552320), (811436207, 131727360), (814077617, 148766720), (817924543, 154009600), (844165125, 174325760), (872966678, 176291840), (939832857, 43909120), (937263658, 53739520), (937168616, 68157440), (938537444, 82575360), (945075423, 93061120), (946402943, 108789760), (938539383, 152043520), (946390486, 165806080), (946388179, 165806080), (997480381, 39976960), (1010660962, 39976960), (1027726918, 39976960), (1048667831, 41287680), (1074847580, 41943040), (1090633662, 42598400), (1099721632, 42598400), (1120741840, 44564480), (1182381759, 4587520), (1179698236, 17694720), (1175835108, 37355520), (1170582007, 57016320), (1167889164, 68157440), (1154865300, 93716480), (1154779279, 102891520), (1156169929, 121241600), (1160019275, 123207680), (1204681549, 129761280), (1237369295, 127795200), (1259666613, 122552320), (1295109629, 97648640), (1298926547, 86507520), (1276698236, 71434240), (1242613941, 62259200), (1221607289, 58327040), (1340974820, 59637760), (1338299415, 67502080), (1335703053, 81264640), (1333108405, 99614720), (1334415326, 107479040), (1333112489, 130416640), (1334409548, 140247040), (1351443957, 121241600), (1360603916, 123207680), (1386836816, 126484480), (1420877913, 128450560), (1424762453, 128450560), (1507375115, 57671680), (1495603028, 59637760), (1473281870, 66846720), (1457606263, 83886080), (1457538429, 101580800), (1469437841, 117964800), (1494319558, 121241600), (1511323315, 121241600), (1529717163, 106823680), (1521834483, 98959360), (1500775368, 93061120), (1473254620, 92405760), (1572896716, 55705600), (1574176459, 70778880), (1574302437, 85196800), (1583360424, 100925440), (1587315617, 116654080), (1597785299, 135659520), (1599156439, 146145280), (1605656871, 169738240), (1616172595, 177602560), (1630570391, 186122240), (1645053193, 182190080), (1684399836, 176947200), (1696187330, 173670400), (1690928152, 124518400), (1664693150, 129761280), (1612249530, 134348800), (1550657147, 136970240), (1530969185, 140247040), (1731565123, 58327040), (1711894369, 58327040), (1689551532, 70123520), (1707910211, 97648640), (1697434393, 81264640), (1698704933, 92405760), (1717150092, 104202240), (1731580630, 117309440), (1761693085, 123863040), (1781276582, 117309440), (1799720173, 102236160), (1799638951, 93061120), (1770843847, 87818240), (1736795295, 86507520), (1739455039, 56360960), (1752518998, 55705600), (1789238535, 59637760), (1853414095, 55705600), (1853400734, 62914560), (1854748463, 79298560), (1861275663, 90439680), (1857315768, 108134400), (1857343769, 113377280), (1867848980, 100925440), (1883566071, 106168320), (1892696286, 106823680), (1924188293, 106168320), (1934718131, 106168320), (1932106123, 55050240), (1960838715, 55705600), (1971453549, 56360960), (1991070791, 58327040), (2002880575, 60948480), (2019857604, 62259200), (2061870588, 28835840), (2059209316, 39321600), (2059248018, 52428800), (2057916926, 66191360), (2059214693, 84541440), (2060546193, 98959360), (2063199205, 114688000), (2086683936, 113377280), (2111657803, 111411200), (2124791861, 96337920), (2133940638, 83886080), (2107669019, 67502080), (2078833118, 60948480), (2164043336, 103546880), (2162810841, 92405760), (2170554853, 79298560), (2200747175, 61603840), (2211186996, 65536000), (2224417906, 68812800), (2237467205, 81264640), (2245265275, 94371840), (2245323348, 85852160), (2267581126, 66846720), (2278033126, 73400320), (2281984140, 82575360), (2302986266, 98959360), (2308236829, 106168320), (2338387359, 66191360), (2348837257, 82575360), (2348823438, 90439680), (2344983818, 111411200), (2344988483, 117964800), (2356759471, 98959360), (2384264958, 107479040), (2410446011, 112721920), (2458985240, 102891520), (2456395059, 89784320), (2460232741, 70778880), (2489186038, 0), (2525804669, 26869760), (2540197020, 32768000), (2550775282, 45219840), (2574365405, 59637760), (2608434857, 77332480), (2625397965, 89784320), (2635911842, 100270080), (2641109528, 104857600), (2612280921, 76677120), (2593943236, 71434240), (2561268143, 72089600), (2554717934, 81920000), (2542877908, 93716480), (2525865660, 108789760), (2515326279, 115343360), (2440676445, 105512960), (2430138363, 111411200), (2493031418, 7208960), (2503535393, 15073280), (2681755011, 60948480), (2680480989, 68157440), (2679146363, 76677120), (2684391614, 92405760), (2693631937, 106168320), (2704017978, 111411200), (2746028566, 108134400), (2759128898, 89128960), (2759195278, 84541440), (2764315084, 98959360), (2770971559, 108789760), (2785379185, 106823680), (2802410524, 102891520), (2814175714, 89128960), (2818163034, 72744960), (2820764229, 67502080), (2892830753, 66846720), (2898041850, 77987840), (2883680340, 92405760), (2874491994, 110100480), (2844354129, 96993280), (2841763192, 90439680), (2841667884, 72089600), (2865257381, 76021760), (2930784081, 26869760), (2940002813, 35389440), (2943947594, 57671680), (2946598013, 66846720), (2951828509, 79953920), (2956995056, 100270080), (2958313563, 103546880), (2958369990, 109445120), (2960931628, 112066560), (2963664759, 115343360), (2993704654, 116654080), (3004177464, 115343360), (3018625262, 106823680), (3031695774, 92405760), (3018686871, 73400320), (2991064750, 70123520), (2961043057, 69468160), (3169343600, 114032640), (3157589458, 117964800), (3127408564, 119275520), (3115695329, 116654080), (3101232943, 90439680), (3109116743, 91750400), (3131392645, 85196800), (3143147707, 77332480), (3143136752, 67502080), (3127383852, 55050240), (3090807788, 55050240), (3161532422, 28835840), (3170675264, 37355520), (3185178432, 49807360), (3198205517, 57671680), (3204828489, 64225280), (3193007531, 74055680), (3177237796, 79298560), (3190389199, 82575360), (3220471699, 91095040), (3249339739, 98304000), (3251945692, 101580800), (3229635860, 111411200), (3211384433, 116654080), (3196953840, 118620160), (3199469761, 133693440), (3199505116, 149422080), (3192945269, 154664960), (3181156331, 165150720), (3164119324, 172359680), (3155028105, 174981120), (3144485506, 175636480), (3137907400, 176291840)] for i in co: plt.plot(i[0], i[1], marker='o', linestyle='-', color='b') # Vẽ đường thẳng nối các điểm plt.title('Line Plot of Points') # Tiêu đề của đồ thị plt.xlabel('X-axis') # Nhãn của trục X plt.ylabel('Y-axis') # Nhãn của trục Y plt.grid(True) # Bật lưới đồ thị plt.tight_layout() # Tự động căn chỉnh layout plt.show() # Hiển thị đồ thị ``` - Finally! ![image](https://hackmd.io/_uploads/S1G8nx_OA.png)