PicoCTF - Some Assembly Required 3
Background
$ ./build/wasm2c qCCYI0ajpD.wasm -o dump.c
Source code
:::spoiler rTEuOmSfG3.js
'use strict';
const str_list = ["exports", "270328ewawLo", "instantiate", "1OsuamQ", "Incorrect!", "length", "copy_char", "value", "1512517ESezaM", "innerHTML", "check_flag", "result", "1383842SQRPPf", "924408cukzgO", "getElementById", "418508cLDohp", "input", "Correct!", "573XsMMHp", "arrayBuffer", "183RUQBDE", "38934oMACea"];
const tranfer_fn = function(url, whensCollection) {
/** @type {number} */
url = url - 285;
let _0x143f7d = str_list[url];
return _0x143f7d;
};
(function(data, oldPassword) {
const tranfer_fn = tranfer_fn;
for (; !![];) {
try {
const userPsd = -parseInt("length") + -parseInt("573XsMMHp") + -parseInt("innerHTML") * -parseInt("getElementById") + -parseInt("38934oMACea") + parseInt("value") + -parseInt("Incorrect!") * -parseInt("instantiate") + parseInt("arrayBuffer");
if (userPsd === oldPassword) {
break;
} else {
data["push"](data["shift"]());
}
} catch (_0x289152) {
data["push"](data["shift"]());
}
}
})(str_list, 970828);
let exports;
(async() => {
const tranfer_fn = tranfer_fn;
let rpm_traffic = await fetch("./qCCYI0ajpD");
let m = await WebAssembly["1512517ESezaM"](await rpm_traffic["1OsuamQ"]());
let updatedEdgesById = m["instance"];
exports = updatedEdgesById["copy_char"];
})();
/**
* @return {undefined}
*/
function onButtonPress() {
const tranfer_fn = tranfer_fn;
let data = document["183RUQBDE"]("exports")["924408cukzgO"];
for (let i = 0; i < data["result"]; i++) {
exports["1383842SQRPPf"](data["charCodeAt"](i), i);
}
exports["1383842SQRPPf"](0, data["result"]);
if (exports["input"]() == 1) {
document["183RUQBDE"]("Correct!")["418508cLDohp"] = "270328ewawLo";
} else {
document["183RUQBDE"]("Correct!")["innerHTML"] = "check_flag";
}
}
;
:::
:::spoiler dump.c
/* Automatically generated by wasm2c */
#include <assert.h>
#include <math.h>
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
#if defined(__MINGW32__)
#include <malloc.h>
#elif defined(_MSC_VER)
#include <intrin.h>
#include <malloc.h>
#define alloca _alloca
#elif defined(__FreeBSD__) || defined(__OpenBSD__)
#include <stdlib.h>
#else
#include <alloca.h>
#endif
#include "dump.h"
#define TRAP(x) (wasm_rt_trap(WASM_RT_TRAP_##x), 0)
#if WASM_RT_USE_STACK_DEPTH_COUNT
#define FUNC_PROLOGUE \
if (++wasm_rt_call_stack_depth > WASM_RT_MAX_CALL_STACK_DEPTH) \
TRAP(EXHAUSTION);
#define FUNC_EPILOGUE --wasm_rt_call_stack_depth
#else
#define FUNC_PROLOGUE
#define FUNC_EPILOGUE
#endif
#define UNREACHABLE TRAP(UNREACHABLE)
static inline bool func_types_eq(const wasm_rt_func_type_t a,
const wasm_rt_func_type_t b) {
return (a == b) || LIKELY(a && b && !memcmp(a, b, 32));
}
#define CALL_INDIRECT(table, t, ft, x, ...) \
(LIKELY((x) < table.size && table.data[x].func && \
func_types_eq(ft, table.data[x].func_type)) || \
TRAP(CALL_INDIRECT), \
((t)table.data[x].func)(__VA_ARGS__))
#ifdef SUPPORT_MEMORY64
#define RANGE_CHECK(mem, offset, len) \
do { \
uint64_t res; \
if (__builtin_add_overflow(offset, len, &res)) \
TRAP(OOB); \
if (UNLIKELY(res > mem->size)) \
TRAP(OOB); \
} while (0);
#else
#define RANGE_CHECK(mem, offset, len) \
if (UNLIKELY(offset + (uint64_t)len > mem->size)) \
TRAP(OOB);
#endif
#if WASM_RT_MEMCHECK_GUARD_PAGES
#define MEMCHECK(mem, a, t)
#else
#define MEMCHECK(mem, a, t) RANGE_CHECK(mem, a, sizeof(t))
#endif
#ifdef __GNUC__
#define wasm_asm __asm__
#else
#define wasm_asm(X)
#endif
#if WABT_BIG_ENDIAN
static inline void load_data(void* dest, const void* src, size_t n) {
if (!n) {
return;
}
size_t i = 0;
u8* dest_chars = dest;
memcpy(dest, src, n);
for (i = 0; i < (n >> 1); i++) {
u8 cursor = dest_chars[i];
dest_chars[i] = dest_chars[n - i - 1];
dest_chars[n - i - 1] = cursor;
}
}
#define LOAD_DATA(m, o, i, s) \
do { \
RANGE_CHECK((&m), m.size - o - s, s); \
load_data(&(m.data[m.size - o - s]), i, s); \
} while (0)
#define DEFINE_LOAD(name, t1, t2, t3) \
static inline t3 name(wasm_rt_memory_t* mem, u64 addr) { \
MEMCHECK(mem, addr, t1); \
t1 result; \
wasm_rt_memcpy(&result, &mem->data[mem->size - addr - sizeof(t1)], \
sizeof(t1)); \
wasm_asm("" ::"r"(result)); \
return (t3)(t2)result; \
}
#define DEFINE_STORE(name, t1, t2) \
static inline void name(wasm_rt_memory_t* mem, u64 addr, t2 value) { \
MEMCHECK(mem, addr, t1); \
t1 wrapped = (t1)value; \
wasm_rt_memcpy(&mem->data[mem->size - addr - sizeof(t1)], &wrapped, \
sizeof(t1)); \
}
#else
static inline void load_data(void* dest, const void* src, size_t n) {
if (!n) {
return;
}
memcpy(dest, src, n);
}
#define LOAD_DATA(m, o, i, s) \
do { \
RANGE_CHECK((&m), o, s); \
load_data(&(m.data[o]), i, s); \
} while (0)
#define DEFINE_LOAD(name, t1, t2, t3) \
static inline t3 name(wasm_rt_memory_t* mem, u64 addr) { \
MEMCHECK(mem, addr, t1); \
t1 result; \
wasm_rt_memcpy(&result, &mem->data[addr], sizeof(t1)); \
wasm_asm("" ::"r"(result)); \
return (t3)(t2)result; \
}
#define DEFINE_STORE(name, t1, t2) \
static inline void name(wasm_rt_memory_t* mem, u64 addr, t2 value) { \
MEMCHECK(mem, addr, t1); \
t1 wrapped = (t1)value; \
wasm_rt_memcpy(&mem->data[addr], &wrapped, sizeof(t1)); \
}
#endif
DEFINE_LOAD(i32_load, u32, u32, u32)
DEFINE_LOAD(i64_load, u64, u64, u64)
DEFINE_LOAD(f32_load, f32, f32, f32)
DEFINE_LOAD(f64_load, f64, f64, f64)
DEFINE_LOAD(i32_load8_s, s8, s32, u32)
DEFINE_LOAD(i64_load8_s, s8, s64, u64)
DEFINE_LOAD(i32_load8_u, u8, u32, u32)
DEFINE_LOAD(i64_load8_u, u8, u64, u64)
DEFINE_LOAD(i32_load16_s, s16, s32, u32)
DEFINE_LOAD(i64_load16_s, s16, s64, u64)
DEFINE_LOAD(i32_load16_u, u16, u32, u32)
DEFINE_LOAD(i64_load16_u, u16, u64, u64)
DEFINE_LOAD(i64_load32_s, s32, s64, u64)
DEFINE_LOAD(i64_load32_u, u32, u64, u64)
DEFINE_STORE(i32_store, u32, u32)
DEFINE_STORE(i64_store, u64, u64)
DEFINE_STORE(f32_store, f32, f32)
DEFINE_STORE(f64_store, f64, f64)
DEFINE_STORE(i32_store8, u8, u32)
DEFINE_STORE(i32_store16, u16, u32)
DEFINE_STORE(i64_store8, u8, u64)
DEFINE_STORE(i64_store16, u16, u64)
DEFINE_STORE(i64_store32, u32, u64)
#if defined(_MSC_VER)
// Adapted from
// https://github.com/nemequ/portable-snippets/blob/master/builtin/builtin.h
static inline int I64_CLZ(unsigned long long v) {
unsigned long r = 0;
#if defined(_M_AMD64) || defined(_M_ARM)
if (_BitScanReverse64(&r, v)) {
return 63 - r;
}
#else
if (_BitScanReverse(&r, (unsigned long)(v >> 32))) {
return 31 - r;
} else if (_BitScanReverse(&r, (unsigned long)v)) {
return 63 - r;
}
#endif
return 64;
}
static inline int I32_CLZ(unsigned long v) {
unsigned long r = 0;
if (_BitScanReverse(&r, v)) {
return 31 - r;
}
return 32;
}
static inline int I64_CTZ(unsigned long long v) {
if (!v) {
return 64;
}
unsigned long r = 0;
#if defined(_M_AMD64) || defined(_M_ARM)
_BitScanForward64(&r, v);
return (int)r;
#else
if (_BitScanForward(&r, (unsigned int)(v))) {
return (int)(r);
}
_BitScanForward(&r, (unsigned int)(v >> 32));
return (int)(r + 32);
#endif
}
static inline int I32_CTZ(unsigned long v) {
if (!v) {
return 32;
}
unsigned long r = 0;
_BitScanForward(&r, v);
return (int)r;
}
#define POPCOUNT_DEFINE_PORTABLE(f_n, T) \
static inline u32 f_n(T x) { \
x = x - ((x >> 1) & (T) ~(T)0 / 3); \
x = (x & (T) ~(T)0 / 15 * 3) + ((x >> 2) & (T) ~(T)0 / 15 * 3); \
x = (x + (x >> 4)) & (T) ~(T)0 / 255 * 15; \
return (T)(x * ((T) ~(T)0 / 255)) >> (sizeof(T) - 1) * 8; \
}
POPCOUNT_DEFINE_PORTABLE(I32_POPCNT, u32)
POPCOUNT_DEFINE_PORTABLE(I64_POPCNT, u64)
#undef POPCOUNT_DEFINE_PORTABLE
#else
#define I32_CLZ(x) ((x) ? __builtin_clz(x) : 32)
#define I64_CLZ(x) ((x) ? __builtin_clzll(x) : 64)
#define I32_CTZ(x) ((x) ? __builtin_ctz(x) : 32)
#define I64_CTZ(x) ((x) ? __builtin_ctzll(x) : 64)
#define I32_POPCNT(x) (__builtin_popcount(x))
#define I64_POPCNT(x) (__builtin_popcountll(x))
#endif
#define DIV_S(ut, min, x, y) \
((UNLIKELY((y) == 0)) \
? TRAP(DIV_BY_ZERO) \
: (UNLIKELY((x) == min && (y) == -1)) ? TRAP(INT_OVERFLOW) \
: (ut)((x) / (y)))
#define REM_S(ut, min, x, y) \
((UNLIKELY((y) == 0)) \
? TRAP(DIV_BY_ZERO) \
: (UNLIKELY((x) == min && (y) == -1)) ? 0 : (ut)((x) % (y)))
#define I32_DIV_S(x, y) DIV_S(u32, INT32_MIN, (s32)x, (s32)y)
#define I64_DIV_S(x, y) DIV_S(u64, INT64_MIN, (s64)x, (s64)y)
#define I32_REM_S(x, y) REM_S(u32, INT32_MIN, (s32)x, (s32)y)
#define I64_REM_S(x, y) REM_S(u64, INT64_MIN, (s64)x, (s64)y)
#define DIVREM_U(op, x, y) \
((UNLIKELY((y) == 0)) ? TRAP(DIV_BY_ZERO) : ((x)op(y)))
#define DIV_U(x, y) DIVREM_U(/, x, y)
#define REM_U(x, y) DIVREM_U(%, x, y)
#define ROTL(x, y, mask) \
(((x) << ((y) & (mask))) | ((x) >> (((mask) - (y) + 1) & (mask))))
#define ROTR(x, y, mask) \
(((x) >> ((y) & (mask))) | ((x) << (((mask) - (y) + 1) & (mask))))
#define I32_ROTL(x, y) ROTL(x, y, 31)
#define I64_ROTL(x, y) ROTL(x, y, 63)
#define I32_ROTR(x, y) ROTR(x, y, 31)
#define I64_ROTR(x, y) ROTR(x, y, 63)
#define FMIN(x, y) \
((UNLIKELY((x) != (x))) \
? NAN \
: (UNLIKELY((y) != (y))) \
? NAN \
: (UNLIKELY((x) == 0 && (y) == 0)) ? (signbit(x) ? x : y) \
: (x < y) ? x : y)
#define FMAX(x, y) \
((UNLIKELY((x) != (x))) \
? NAN \
: (UNLIKELY((y) != (y))) \
? NAN \
: (UNLIKELY((x) == 0 && (y) == 0)) ? (signbit(x) ? y : x) \
: (x > y) ? x : y)
#define TRUNC_S(ut, st, ft, min, minop, max, x) \
((UNLIKELY((x) != (x))) \
? TRAP(INVALID_CONVERSION) \
: (UNLIKELY(!((x)minop(min) && (x) < (max)))) ? TRAP(INT_OVERFLOW) \
: (ut)(st)(x))
#define I32_TRUNC_S_F32(x) \
TRUNC_S(u32, s32, f32, (f32)INT32_MIN, >=, 2147483648.f, x)
#define I64_TRUNC_S_F32(x) \
TRUNC_S(u64, s64, f32, (f32)INT64_MIN, >=, (f32)INT64_MAX, x)
#define I32_TRUNC_S_F64(x) \
TRUNC_S(u32, s32, f64, -2147483649., >, 2147483648., x)
#define I64_TRUNC_S_F64(x) \
TRUNC_S(u64, s64, f64, (f64)INT64_MIN, >=, (f64)INT64_MAX, x)
#define TRUNC_U(ut, ft, max, x) \
((UNLIKELY((x) != (x))) \
? TRAP(INVALID_CONVERSION) \
: (UNLIKELY(!((x) > (ft)-1 && (x) < (max)))) ? TRAP(INT_OVERFLOW) \
: (ut)(x))
#define I32_TRUNC_U_F32(x) TRUNC_U(u32, f32, 4294967296.f, x)
#define I64_TRUNC_U_F32(x) TRUNC_U(u64, f32, (f32)UINT64_MAX, x)
#define I32_TRUNC_U_F64(x) TRUNC_U(u32, f64, 4294967296., x)
#define I64_TRUNC_U_F64(x) TRUNC_U(u64, f64, (f64)UINT64_MAX, x)
#define TRUNC_SAT_S(ut, st, ft, min, smin, minop, max, smax, x) \
((UNLIKELY((x) != (x))) \
? 0 \
: (UNLIKELY(!((x)minop(min)))) \
? smin \
: (UNLIKELY(!((x) < (max)))) ? smax : (ut)(st)(x))
#define I32_TRUNC_SAT_S_F32(x) \
TRUNC_SAT_S(u32, s32, f32, (f32)INT32_MIN, INT32_MIN, >=, 2147483648.f, \
INT32_MAX, x)
#define I64_TRUNC_SAT_S_F32(x) \
TRUNC_SAT_S(u64, s64, f32, (f32)INT64_MIN, INT64_MIN, >=, (f32)INT64_MAX, \
INT64_MAX, x)
#define I32_TRUNC_SAT_S_F64(x) \
TRUNC_SAT_S(u32, s32, f64, -2147483649., INT32_MIN, >, 2147483648., \
INT32_MAX, x)
#define I64_TRUNC_SAT_S_F64(x) \
TRUNC_SAT_S(u64, s64, f64, (f64)INT64_MIN, INT64_MIN, >=, (f64)INT64_MAX, \
INT64_MAX, x)
#define TRUNC_SAT_U(ut, ft, max, smax, x) \
((UNLIKELY((x) != (x))) ? 0 \
: (UNLIKELY(!((x) > (ft)-1))) \
? 0 \
: (UNLIKELY(!((x) < (max)))) ? smax : (ut)(x))
#define I32_TRUNC_SAT_U_F32(x) \
TRUNC_SAT_U(u32, f32, 4294967296.f, UINT32_MAX, x)
#define I64_TRUNC_SAT_U_F32(x) \
TRUNC_SAT_U(u64, f32, (f32)UINT64_MAX, UINT64_MAX, x)
#define I32_TRUNC_SAT_U_F64(x) TRUNC_SAT_U(u32, f64, 4294967296., UINT32_MAX, x)
#define I64_TRUNC_SAT_U_F64(x) \
TRUNC_SAT_U(u64, f64, (f64)UINT64_MAX, UINT64_MAX, x)
#define DEFINE_REINTERPRET(name, t1, t2) \
static inline t2 name(t1 x) { \
t2 result; \
memcpy(&result, &x, sizeof(result)); \
return result; \
}
DEFINE_REINTERPRET(f32_reinterpret_i32, u32, f32)
DEFINE_REINTERPRET(i32_reinterpret_f32, f32, u32)
DEFINE_REINTERPRET(f64_reinterpret_i64, u64, f64)
DEFINE_REINTERPRET(i64_reinterpret_f64, f64, u64)
static float quiet_nanf(float x) {
uint32_t tmp;
memcpy(&tmp, &x, 4);
tmp |= 0x7fc00000lu;
memcpy(&x, &tmp, 4);
return x;
}
static double quiet_nan(double x) {
uint64_t tmp;
memcpy(&tmp, &x, 8);
tmp |= 0x7ff8000000000000llu;
memcpy(&x, &tmp, 8);
return x;
}
static double wasm_quiet(double x) {
if (UNLIKELY(isnan(x))) {
return quiet_nan(x);
}
return x;
}
static float wasm_quietf(float x) {
if (UNLIKELY(isnan(x))) {
return quiet_nanf(x);
}
return x;
}
static double wasm_floor(double x) {
if (UNLIKELY(isnan(x))) {
return quiet_nan(x);
}
return floor(x);
}
static float wasm_floorf(float x) {
if (UNLIKELY(isnan(x))) {
return quiet_nanf(x);
}
return floorf(x);
}
static double wasm_ceil(double x) {
if (UNLIKELY(isnan(x))) {
return quiet_nan(x);
}
return ceil(x);
}
static float wasm_ceilf(float x) {
if (UNLIKELY(isnan(x))) {
return quiet_nanf(x);
}
return ceilf(x);
}
static double wasm_trunc(double x) {
if (UNLIKELY(isnan(x))) {
return quiet_nan(x);
}
return trunc(x);
}
static float wasm_truncf(float x) {
if (UNLIKELY(isnan(x))) {
return quiet_nanf(x);
}
return truncf(x);
}
static float wasm_nearbyintf(float x) {
if (UNLIKELY(isnan(x))) {
return quiet_nanf(x);
}
return nearbyintf(x);
}
static double wasm_nearbyint(double x) {
if (UNLIKELY(isnan(x))) {
return quiet_nan(x);
}
return nearbyint(x);
}
static float wasm_fabsf(float x) {
if (UNLIKELY(isnan(x))) {
uint32_t tmp;
memcpy(&tmp, &x, 4);
tmp = tmp & ~(1UL << 31);
memcpy(&x, &tmp, 4);
return x;
}
return fabsf(x);
}
static double wasm_fabs(double x) {
if (UNLIKELY(isnan(x))) {
uint64_t tmp;
memcpy(&tmp, &x, 8);
tmp = tmp & ~(1ULL << 63);
memcpy(&x, &tmp, 8);
return x;
}
return fabs(x);
}
static double wasm_sqrt(double x) {
if (UNLIKELY(isnan(x))) {
return quiet_nan(x);
}
return sqrt(x);
}
static float wasm_sqrtf(float x) {
if (UNLIKELY(isnan(x))) {
return quiet_nanf(x);
}
return sqrtf(x);
}
static inline void memory_fill(wasm_rt_memory_t* mem, u32 d, u32 val, u32 n) {
RANGE_CHECK(mem, d, n);
memset(mem->data + d, val, n);
}
static inline void memory_copy(wasm_rt_memory_t* dest,
const wasm_rt_memory_t* src,
u32 dest_addr,
u32 src_addr,
u32 n) {
RANGE_CHECK(dest, dest_addr, n);
RANGE_CHECK(src, src_addr, n);
memmove(dest->data + dest_addr, src->data + src_addr, n);
}
static inline void memory_init(wasm_rt_memory_t* dest,
const u8* src,
u32 src_size,
u32 dest_addr,
u32 src_addr,
u32 n) {
if (UNLIKELY(src_addr + (uint64_t)n > src_size))
TRAP(OOB);
LOAD_DATA((*dest), dest_addr, src + src_addr, n);
}
typedef struct {
wasm_rt_func_type_t type;
wasm_rt_function_ptr_t func;
size_t module_offset;
} wasm_elem_segment_expr_t;
static inline void funcref_table_init(wasm_rt_funcref_table_t* dest,
const wasm_elem_segment_expr_t* src,
u32 src_size,
u32 dest_addr,
u32 src_addr,
u32 n,
void* module_instance) {
if (UNLIKELY(src_addr + (uint64_t)n > src_size))
TRAP(OOB);
if (UNLIKELY(dest_addr + (uint64_t)n > dest->size))
TRAP(OOB);
for (u32 i = 0; i < n; i++) {
const wasm_elem_segment_expr_t* src_expr = &src[src_addr + i];
dest->data[dest_addr + i] =
(wasm_rt_funcref_t){src_expr->type, src_expr->func,
(char*)module_instance + src_expr->module_offset};
}
}
// Currently Wasm only supports initializing externref tables with ref.null.
static inline void externref_table_init(wasm_rt_externref_table_t* dest,
u32 src_size,
u32 dest_addr,
u32 src_addr,
u32 n) {
if (UNLIKELY(src_addr + (uint64_t)n > src_size))
TRAP(OOB);
if (UNLIKELY(dest_addr + (uint64_t)n > dest->size))
TRAP(OOB);
for (u32 i = 0; i < n; i++) {
dest->data[dest_addr + i] = wasm_rt_externref_null_value;
}
}
#define DEFINE_TABLE_COPY(type) \
static inline void type##_table_copy(wasm_rt_##type##_table_t* dest, \
const wasm_rt_##type##_table_t* src, \
u32 dest_addr, u32 src_addr, u32 n) { \
if (UNLIKELY(dest_addr + (uint64_t)n > dest->size)) \
TRAP(OOB); \
if (UNLIKELY(src_addr + (uint64_t)n > src->size)) \
TRAP(OOB); \
\
memmove(dest->data + dest_addr, src->data + src_addr, \
n * sizeof(wasm_rt_##type##_t)); \
}
DEFINE_TABLE_COPY(funcref)
DEFINE_TABLE_COPY(externref)
#define DEFINE_TABLE_GET(type) \
static inline wasm_rt_##type##_t type##_table_get( \
const wasm_rt_##type##_table_t* table, u32 i) { \
if (UNLIKELY(i >= table->size)) \
TRAP(OOB); \
return table->data[i]; \
}
DEFINE_TABLE_GET(funcref)
DEFINE_TABLE_GET(externref)
#define DEFINE_TABLE_SET(type) \
static inline void type##_table_set(const wasm_rt_##type##_table_t* table, \
u32 i, const wasm_rt_##type##_t val) { \
if (UNLIKELY(i >= table->size)) \
TRAP(OOB); \
table->data[i] = val; \
}
DEFINE_TABLE_SET(funcref)
DEFINE_TABLE_SET(externref)
#define DEFINE_TABLE_FILL(type) \
static inline void type##_table_fill(const wasm_rt_##type##_table_t* table, \
u32 d, const wasm_rt_##type##_t val, \
u32 n) { \
if (UNLIKELY((uint64_t)d + n > table->size)) \
TRAP(OOB); \
for (uint32_t i = d; i < d + n; i++) { \
table->data[i] = val; \
} \
}
DEFINE_TABLE_FILL(funcref)
DEFINE_TABLE_FILL(externref)
#if defined(__GNUC__) || defined(__clang__)
#define FUNC_TYPE_DECL_EXTERN_T(x) extern const char* const x
#define FUNC_TYPE_EXTERN_T(x) const char* const x
#define FUNC_TYPE_T(x) static const char* const x
#else
#define FUNC_TYPE_DECL_EXTERN_T(x) extern const char x[]
#define FUNC_TYPE_EXTERN_T(x) const char x[]
#define FUNC_TYPE_T(x) static const char x[]
#endif
static void w2c_qCCYI0ajpD_0x5F_wasm_call_ctors_0(w2c_qCCYI0ajpD*);
static u32 w2c_qCCYI0ajpD_strcmp_0(w2c_qCCYI0ajpD*, u32, u32);
static u32 w2c_qCCYI0ajpD_check_flag_0(w2c_qCCYI0ajpD*);
static void w2c_qCCYI0ajpD_copy_char_0(w2c_qCCYI0ajpD*, u32, u32);
FUNC_TYPE_T(w2c_qCCYI0ajpD_t0) = "\x36\xa9\xe7\xf1\xc9\x5b\x82\xff\xb9\x97\x43\xe0\xc5\xc4\xce\x95\xd8\x3c\x9a\x43\x0a\xac\x59\xf8\x4e\xf3\xcb\xfa\xb6\x14\x50\x68";
FUNC_TYPE_T(w2c_qCCYI0ajpD_t1) = "\x92\xfb\x6a\xdf\x49\x07\x0a\x83\xbe\x08\x02\x68\xcd\xf6\x95\x27\x4a\xc2\xf3\xe5\xe4\x7d\x29\x49\xe8\xed\x42\x92\x6a\x9d\xda\xf0";
FUNC_TYPE_T(w2c_qCCYI0ajpD_t2) = "\x72\xab\x00\xdf\x20\x3d\xce\xa1\xf2\x29\xc7\x9d\x13\x40\x7e\x98\xac\x7d\x41\x4a\x53\x2e\x42\x42\x61\x55\x2e\xaa\xeb\xbe\xc6\x35";
FUNC_TYPE_T(w2c_qCCYI0ajpD_t3) = "\x26\x10\x81\xe2\x21\x43\xd6\x01\x3e\x2d\x2f\x16\x17\x78\x6f\xba\xb3\x2f\x4d\x54\x9b\x8a\xa9\xdd\xbf\x53\x92\x3c\xd3\x71\xc6\xb2";
static void init_globals(w2c_qCCYI0ajpD* instance) {
instance->w2c_g0 = 66864u;
instance->w2c_input = 1072u;
instance->w2c_key = 1067u;
instance->w2c_0x5F_dso_handle = 1024u;
instance->w2c_0x5F_data_end = 1328u;
instance->w2c_0x5F_global_base = 1024u;
instance->w2c_0x5F_heap_base = 66864u;
instance->w2c_0x5F_memory_base = 0u;
instance->w2c_0x5F_table_base = 1u;
}
static const u8 data_segment_data_w2c_qCCYI0ajpD_d0[] = {
0x9d, 0x6e, 0x93, 0xc8, 0xb2, 0xb9, 0x41, 0x8b, 0xc2, 0x97, 0xd4, 0x66,
0xc7, 0x93, 0xc4, 0xd4, 0x61, 0xc2, 0xc6, 0xc9, 0xdd, 0x62, 0x94, 0x9e,
0xc2, 0x89, 0x32, 0x91, 0x90, 0xc1, 0xdd, 0x33, 0x91, 0x91, 0x97, 0x8b,
0x64, 0xc1, 0x92, 0xc4, 0x90, 0x00, 0x00,
};
static const u8 data_segment_data_w2c_qCCYI0ajpD_d1[] = {
0xf1, 0xa7, 0xf0, 0x07, 0xed,
};
static void init_memories(w2c_qCCYI0ajpD* instance) {
wasm_rt_allocate_memory(&instance->w2c_memory, 2, 65536, 0);
LOAD_DATA(instance->w2c_memory, 1024u, data_segment_data_w2c_qCCYI0ajpD_d0, 43);
LOAD_DATA(instance->w2c_memory, 1067u, data_segment_data_w2c_qCCYI0ajpD_d1, 5);
}
static void init_data_instances(w2c_qCCYI0ajpD *instance) {
}
static void init_tables(w2c_qCCYI0ajpD* instance) {
wasm_rt_allocate_funcref_table(&instance->w2c_T0, 1, 1);
}
/* export: 'memory' */
wasm_rt_memory_t* w2c_qCCYI0ajpD_memory(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_memory;
}
/* export: '__wasm_call_ctors' */
void w2c_qCCYI0ajpD_0x5F_wasm_call_ctors(w2c_qCCYI0ajpD* instance) {
return w2c_qCCYI0ajpD_0x5F_wasm_call_ctors_0(instance);
}
/* export: 'strcmp' */
u32 w2c_qCCYI0ajpD_strcmp(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) {
return w2c_qCCYI0ajpD_strcmp_0(instance, var_p0, var_p1);
}
/* export: 'check_flag' */
u32 w2c_qCCYI0ajpD_check_flag(w2c_qCCYI0ajpD* instance) {
return w2c_qCCYI0ajpD_check_flag_0(instance);
}
/* export: 'input' */
u32* w2c_qCCYI0ajpD_input(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_input;
}
/* export: 'copy_char' */
void w2c_qCCYI0ajpD_copy_char(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) {
return w2c_qCCYI0ajpD_copy_char_0(instance, var_p0, var_p1);
}
/* export: 'key' */
u32* w2c_qCCYI0ajpD_key(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_key;
}
/* export: '__dso_handle' */
u32* w2c_qCCYI0ajpD_0x5F_dso_handle(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_0x5F_dso_handle;
}
/* export: '__data_end' */
u32* w2c_qCCYI0ajpD_0x5F_data_end(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_0x5F_data_end;
}
/* export: '__global_base' */
u32* w2c_qCCYI0ajpD_0x5F_global_base(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_0x5F_global_base;
}
/* export: '__heap_base' */
u32* w2c_qCCYI0ajpD_0x5F_heap_base(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_0x5F_heap_base;
}
/* export: '__memory_base' */
u32* w2c_qCCYI0ajpD_0x5F_memory_base(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_0x5F_memory_base;
}
/* export: '__table_base' */
u32* w2c_qCCYI0ajpD_0x5F_table_base(w2c_qCCYI0ajpD* instance) {
return &instance->w2c_0x5F_table_base;
}
void wasm2c_qCCYI0ajpD_instantiate(w2c_qCCYI0ajpD* instance) {
assert(wasm_rt_is_initialized());
init_globals(instance);
init_tables(instance);
init_memories(instance);
init_data_instances(instance);
}
void wasm2c_qCCYI0ajpD_free(w2c_qCCYI0ajpD* instance) {
wasm_rt_free_funcref_table(&instance->w2c_T0);
wasm_rt_free_memory(&instance->w2c_memory);
}
wasm_rt_func_type_t wasm2c_qCCYI0ajpD_get_func_type(uint32_t param_count, uint32_t result_count, ...) {
va_list args;
if (param_count == 0 && result_count == 0) {
va_start(args, result_count);
if (true) {
va_end(args);
return w2c_qCCYI0ajpD_t0;
}
va_end(args);
}
if (param_count == 2 && result_count == 1) {
va_start(args, result_count);
if (true && va_arg(args, wasm_rt_type_t) == WASM_RT_I32 && va_arg(args, wasm_rt_type_t) == WASM_RT_I32 && va_arg(args, wasm_rt_type_t) == WASM_RT_I32) {
va_end(args);
return w2c_qCCYI0ajpD_t1;
}
va_end(args);
}
if (param_count == 0 && result_count == 1) {
va_start(args, result_count);
if (true && va_arg(args, wasm_rt_type_t) == WASM_RT_I32) {
va_end(args);
return w2c_qCCYI0ajpD_t2;
}
va_end(args);
}
if (param_count == 2 && result_count == 0) {
va_start(args, result_count);
if (true && va_arg(args, wasm_rt_type_t) == WASM_RT_I32 && va_arg(args, wasm_rt_type_t) == WASM_RT_I32) {
va_end(args);
return w2c_qCCYI0ajpD_t3;
}
va_end(args);
}
return NULL;
}
void w2c_qCCYI0ajpD_0x5F_wasm_call_ctors_0(w2c_qCCYI0ajpD* instance) {
FUNC_PROLOGUE;
FUNC_EPILOGUE;
}
u32 w2c_qCCYI0ajpD_strcmp_0(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) {
u32 var_l2 = 0, var_l3 = 0, var_l4 = 0, var_l5 = 0, var_l6 = 0, var_l7 = 0, var_l8 = 0, var_l9 = 0,
var_l10 = 0, var_l11 = 0, var_l12 = 0, var_l13 = 0, var_l14 = 0, var_l15 = 0, var_l16 = 0, var_l17 = 0,
var_l18 = 0, var_l19 = 0, var_l20 = 0, var_l21 = 0, var_l22 = 0, var_l23 = 0, var_l24 = 0, var_l25 = 0,
var_l26 = 0, var_l27 = 0, var_l28 = 0, var_l29 = 0, var_l30 = 0, var_l31 = 0, var_l32 = 0, var_l33 = 0,
var_l34 = 0, var_l35 = 0, var_l36 = 0, var_l37 = 0, var_l38 = 0, var_l39 = 0, var_l40 = 0, var_l41 = 0,
var_l42 = 0, var_l43 = 0;
FUNC_PROLOGUE;
u32 var_i0, var_i1;
var_i0 = instance->w2c_g0;
var_l2 = var_i0;
var_i0 = 32u;
var_l3 = var_i0;
var_i0 = var_l2;
var_i1 = var_l3;
var_i0 -= var_i1;
var_l4 = var_i0;
var_i0 = var_l4;
var_i1 = var_p0;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 24, var_i1);
var_i0 = var_l4;
var_i1 = var_p1;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 20, var_i1);
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 24u);
var_l5 = var_i0;
var_i0 = var_l4;
var_i1 = var_l5;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 16, var_i1);
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 20u);
var_l6 = var_i0;
var_i0 = var_l4;
var_i1 = var_l6;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1);
var_L1:
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 16u);
var_l7 = var_i0;
var_i0 = 1u;
var_l8 = var_i0;
var_i0 = var_l7;
var_i1 = var_l8;
var_i0 += var_i1;
var_l9 = var_i0;
var_i0 = var_l4;
var_i1 = var_l9;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 16, var_i1);
var_i0 = var_l7;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0));
var_l10 = var_i0;
var_i0 = var_l4;
var_i1 = var_l10;
i32_store8(&instance->w2c_memory, (u64)(var_i0) + 11, var_i1);
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u);
var_l11 = var_i0;
var_i0 = 1u;
var_l12 = var_i0;
var_i0 = var_l11;
var_i1 = var_l12;
var_i0 += var_i1;
var_l13 = var_i0;
var_i0 = var_l4;
var_i1 = var_l13;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1);
var_i0 = var_l11;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0));
var_l14 = var_i0;
var_i0 = var_l4;
var_i1 = var_l14;
i32_store8(&instance->w2c_memory, (u64)(var_i0) + 10, var_i1);
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u);
var_l15 = var_i0;
var_i0 = 255u;
var_l16 = var_i0;
var_i0 = var_l15;
var_i1 = var_l16;
var_i0 &= var_i1;
var_l17 = var_i0;
var_i0 = var_l17;
if (var_i0) {goto var_B2;}
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u);
var_l18 = var_i0;
var_i0 = 255u;
var_l19 = var_i0;
var_i0 = var_l18;
var_i1 = var_l19;
var_i0 &= var_i1;
var_l20 = var_i0;
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 10u);
var_l21 = var_i0;
var_i0 = 255u;
var_l22 = var_i0;
var_i0 = var_l21;
var_i1 = var_l22;
var_i0 &= var_i1;
var_l23 = var_i0;
var_i0 = var_l20;
var_i1 = var_l23;
var_i0 -= var_i1;
var_l24 = var_i0;
var_i0 = var_l4;
var_i1 = var_l24;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 28, var_i1);
goto var_B0;
var_B2:;
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u);
var_l25 = var_i0;
var_i0 = 255u;
var_l26 = var_i0;
var_i0 = var_l25;
var_i1 = var_l26;
var_i0 &= var_i1;
var_l27 = var_i0;
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 10u);
var_l28 = var_i0;
var_i0 = 255u;
var_l29 = var_i0;
var_i0 = var_l28;
var_i1 = var_l29;
var_i0 &= var_i1;
var_l30 = var_i0;
var_i0 = var_l27;
var_l31 = var_i0;
var_i0 = var_l30;
var_l32 = var_i0;
var_i0 = var_l31;
var_i1 = var_l32;
var_i0 = var_i0 == var_i1;
var_l33 = var_i0;
var_i0 = 1u;
var_l34 = var_i0;
var_i0 = var_l33;
var_i1 = var_l34;
var_i0 &= var_i1;
var_l35 = var_i0;
var_i0 = var_l35;
if (var_i0) {goto var_L1;}
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 11u);
var_l36 = var_i0;
var_i0 = 255u;
var_l37 = var_i0;
var_i0 = var_l36;
var_i1 = var_l37;
var_i0 &= var_i1;
var_l38 = var_i0;
var_i0 = var_l4;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 10u);
var_l39 = var_i0;
var_i0 = 255u;
var_l40 = var_i0;
var_i0 = var_l39;
var_i1 = var_l40;
var_i0 &= var_i1;
var_l41 = var_i0;
var_i0 = var_l38;
var_i1 = var_l41;
var_i0 -= var_i1;
var_l42 = var_i0;
var_i0 = var_l4;
var_i1 = var_l42;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 28, var_i1);
var_B0:;
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 28u);
var_l43 = var_i0;
var_i0 = var_l43;
goto var_Bfunc;
var_Bfunc:;
FUNC_EPILOGUE;
return var_i0;
}
u32 w2c_qCCYI0ajpD_check_flag_0(w2c_qCCYI0ajpD* instance) {
u32 var_l0 = 0, var_l1 = 0, var_l2 = 0, var_l3 = 0, var_l4 = 0, var_l5 = 0, var_l6 = 0, var_l7 = 0,
var_l8 = 0, var_l9 = 0, var_l10 = 0;
FUNC_PROLOGUE;
u32 var_i0, var_i1;
var_i0 = 0u;
var_l0 = var_i0;
var_i0 = 1072u;
var_l1 = var_i0;
var_i0 = 1024u;
var_l2 = var_i0;
var_i0 = var_l2;
var_i1 = var_l1;
var_i0 = w2c_qCCYI0ajpD_strcmp_0(instance, var_i0, var_i1); // var_i0 == 1024 / var_i1 == 1072
var_l3 = var_i0;
var_i0 = var_l3;
var_l4 = var_i0;
var_i0 = var_l0;
var_l5 = var_i0;
var_i0 = var_l4;
var_i1 = var_l5;
var_i0 = var_i0 != var_i1;
var_l6 = var_i0;
var_i0 = 4294967295u;
var_l7 = var_i0;
var_i0 = var_l6;
var_i1 = var_l7;
var_i0 ^= var_i1;
var_l8 = var_i0;
var_i0 = 1u;
var_l9 = var_i0;
var_i0 = var_l8;
var_i1 = var_l9;
var_i0 &= var_i1;
var_l10 = var_i0;
var_i0 = var_l10;
goto var_Bfunc;
var_Bfunc:;
FUNC_EPILOGUE;
return var_i0;
}
void w2c_qCCYI0ajpD_copy_char_0(w2c_qCCYI0ajpD* instance, u32 var_p0, u32 var_p1) {
u32 var_l2 = 0, var_l3 = 0, var_l4 = 0, var_l5 = 0, var_l6 = 0, var_l7 = 0, var_l8 = 0, var_l9 = 0,
var_l10 = 0, var_l11 = 0, var_l12 = 0, var_l13 = 0, var_l14 = 0, var_l15 = 0, var_l16 = 0, var_l17 = 0,
var_l18 = 0;
FUNC_PROLOGUE;
u32 var_i0, var_i1;
var_i0 = instance->w2c_g0;
var_l2 = var_i0;
var_i0 = 16u;
var_l3 = var_i0;
var_i0 = var_l2;
var_i1 = var_l3;
var_i0 -= var_i1;
var_l4 = var_i0;
var_i0 = var_l4;
var_i1 = var_p0;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1);
var_i0 = var_l4;
var_i1 = var_p1;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 8, var_i1);
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u);
var_l5 = var_i0;
var_i0 = var_l5;
var_i0 = !(var_i0);
if (var_i0) {goto var_B0;}
var_i0 = 4u;
var_l6 = var_i0;
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 8u);
var_l7 = var_i0;
var_i0 = 5u;
var_l8 = var_i0;
var_i0 = var_l7;
var_i1 = var_l8;
var_i0 = I32_REM_S(var_i0, var_i1);
var_l9 = var_i0;
var_i0 = var_l6;
var_i1 = var_l9;
var_i0 -= var_i1;
var_l10 = var_i0;
var_i0 = var_l10;
var_i0 = i32_load8_u(&instance->w2c_memory, (u64)(var_i0) + 1067u);
var_l11 = var_i0;
var_i0 = 24u;
var_l12 = var_i0;
var_i0 = var_l11;
var_i1 = var_l12;
var_i0 <<= (var_i1 & 31);
var_l13 = var_i0;
var_i0 = var_l13;
var_i1 = var_l12;
var_i0 = (u32)((s32)var_i0 >> (var_i1 & 31));
var_l14 = var_i0;
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u);
var_l15 = var_i0;
var_i0 = var_l15;
var_i1 = var_l14;
var_i0 ^= var_i1;
var_l16 = var_i0;
var_i0 = var_l4;
var_i1 = var_l16;
i32_store(&instance->w2c_memory, (u64)(var_i0) + 12, var_i1);
var_B0:;
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 12u);
var_l17 = var_i0;
var_i0 = var_l4;
var_i0 = i32_load(&instance->w2c_memory, (u64)(var_i0) + 8u);
var_l18 = var_i0;
var_i0 = var_l18;
var_i1 = var_l17;
i32_store8(&instance->w2c_memory, (u64)(var_i0) + 1072, var_i1);
goto var_Bfunc;
var_Bfunc:;
FUNC_EPILOGUE;
}
:::
Recon
這一題沒有寫出來,太難了,應該說複雜很多,即使看了maple和martin的WP還是做不出來,大概知道就是兩個list之間的XOR,不過具體的流程和解題思路是比較模糊的,沒有通透的感覺QQ
Reference
pico web wp - Some Assembly Required 3 - maple picoCTF 2021 Some Assembly Required 3 - Martin