高校战“疫”网络安全分享赛

周末花了几个小时看了一下题目,做了几道逆向

cycle graph

有向图求通路,长度16,然后根据节点权值就可以计算flag,节点只有32个直接手工画个树状图一下子就搞定了,代码都不用写

'''
.data:006A3380 stru_6A3380 struc_6A3380 <34h, offset stru_6A3398, offset stru_6A338C> 164
.data:006A338C stru_6A338C struc_6A338C <2, offset stru_6A3398, offset stru_6A33E0>
.data:006A3398 stru_6A3398 struc_6A3398 <2Ch, offset stru_6A338C, offset stru_6A33D4> 238
.data:006A33A4 stru_6A33A4 struc_6A33A4 <2Ah, offset stru_6A3458, offset stru_6A3494>961
.data:006A33B0 stru_6A33B0 struc_6A33B0 <6, offset stru_6A33D4, offset stru_6A33EC>
.data:006A33BC stru_6A33BC struc_6A33BC <2Ah, offset stru_6A3398, offset stru_6A3464> 739
.data:006A33C8 stru_6A33C8 struc_6A33C8 <2Fh, offset stru_6A34B8, offset stru_6A34F4>1532
.data:006A33D4 stru_6A33D4 struc_6A33D4 <2Ah, offset stru_6A341C, offset stru_6A3494> 362
.data:006A33E0 stru_6A33E0 struct_6A33E0 <33h, offset stru_6A33B0, offset stru_6A33EC>
.data:006A33EC stru_6A33EC struct_6A33EC <3, offset stru_6A33F8, offset stru_6A341C>
.data:006A33F8 stru_6A33F8 struc_6A33F8 <2, offset stru_6A33B0, offset stru_6A3410>
.data:006A3404 stru_6A3404 struc_6A3404 <32h, offset stru_6A347C, offset stru_6A34DC>1362
.data:006A3410 stru_6A3410 struc_6A3410 <32h, offset stru_6A3428, offset stru_6A33F8>
.data:006A341C stru_6A341C struc_6A341C <32h, offset stru_6A338C, offset stru_6A34A0> 430
.data:006A3428 stru_6A3428 struc_6A3428 <30h, offset stru_6A3380, offset stru_6A33EC>
.data:006A3434 stru_6A3434 struc_6A3434 <3, offset stru_6A3428, offset stru_6A34A0>
.data:006A3440 stru_6A3440 struc_6A3440 <1, offset stru_6A33BC, offset stru_6A34AC>663
.data:006A344C stru_6A344C struc_6A344C <32h, offset stru_6A33D4, offset stru_6A33EC>
.data:006A3458 stru_6A3458 struc_6A3458 <2Bh, offset stru_6A34D0, offset stru_6A34B8>1036
.data:006A3464 stru_6A3464 struc_6A3464 <2, offset stru_6A3410, offset stru_6A33A4>837
.data:006A3470 stru_6A3470 struc_6A3470 <2Eh, offset stru_6A34D0, offset stru_6A3488>
.data:006A347C stru_6A347C struct_6A347C <1, offset stru_6A3434, offset stru_6A33C8>1461
.data:006A3488 stru_6A3488 struc_6A3488 <2, offset stru_6A3434, offset stru_6A344C>
.data:006A3494 stru_6A3494 struc_6A3494 <2Dh, offset stru_6A3398, offset stru_6A341C>
.data:006A34A0 stru_6A34A0 struc_6A34A0 <32h, offset stru_6A3440, offset stru_6A33D4>562
.data:006A34AC stru_6A34AC struc_6A34AC <4, offset stru_6A3494, offset stru_6A3434>
.data:006A34B8 stru_6A34B8 struc_6A34B8 <2Dh, offset stru_6A34E8, offset stru_6A3470>1163
.data:006A34C4 stru_6A34C4 struc_6A34B8 <30h, offset stru_6A3494, offset stru_6A338C>
.data:006A34D0 stru_6A34D0 struc_6A34D0 <31h, offset stru_6A3464, offset stru_6A3440>
.data:006A34DC stru_6A34DC struc_6A34DC <2Fh, offset stru_6A33EC, offset stru_6A33B0>
.data:006A34E8 stru_6A34E8 struc_6A34E8 <33h, offset stru_6A3488, offset stru_6A3404>1230
.data:006A34F4 stru_6A34F4 struc_6A34F4 <5, offset stru_6A34F4, offset stru_6A34F4>1537
'''
# d8b0bc97a6c0ba27
# flag{d8b0bc97a6c0ba27}

天津垓

简单的SMC(自修改代码):程序先校验password,然后利用password解密一个函数。自行解密之后,用解密出的二进制数据覆盖掉原数据,重新载入IDA,再逆一下这个函数,很容易就可以算出flag了

# Recover the password one byte at a time.
# The expression ~(x & k) & (x | k) is x ^ k written with and/or/not, so for
# every position exactly one byte value x reproduces dest[i]. The key string
# is 14 characters long and repeats over the 18 password positions.
dest = [17, 8, 6, 10, 15, 20, 42, 59, 47, 3, 47, 4, 16, 72, 62, 0, 7, 16]
key = [ord(ch) for ch in 'Rising_Hopper!']
s = [
    candidate
    for pos in range(18)
    for candidate in range(256)
    if (~(candidate & key[pos % 14]) & (candidate | key[pos % 14])) & 0xff == dest[pos]
]

print('get password')
print(''.join(chr(value) for value in s))
print('-----------------------')

# decrypt function(check)
import struct

src = [0x16, 0x29, 0xF4, 0x8F, 0x91, 0x72, 0x75, 0x73, 0x08, 0xFE, 0xF3, 0x45, 0xE2, 0x69, 0x6C, 0x69, 0xB3, 0xFC, 0xD3, 0x61, 0x75, 0x63, 0x13, 0xD1, 0x6B, 0x73, 0x87, 0xF6, 0xCB, 0x61, 0x62, 0x69, 0xA8, 0x06, 0x54, 0x79, 0x84, 0xE4, 0xED, 0x63, 0x61, 0x73, 0x76, 0x51, 0x5D, 0x73, 0x98, 0xE4, 0xFE, 0x69, 0x6C, 0x69, 0x21, 0x96, 0x5D, 0x61, 0xB2, 0xE6, 0xC1, 0x73, 0x75, 0x73, 0x51, 0x82, 0x7B, 0x61, 0xA5, 0xEC, 0xC8, 0x69, 0x74, 0x79, 0x3F, 0x5B, 0x6C, 0x63, 0xA6, 0xF6, 0xDD, 0x73, 0x40, 0x73, 0x67, 0x5D, 0x7D, 0x69, 0xAB, 0xEC, 0xD8, 0x79, 0x43, 0x61, 0x18, 0x35, 0x40, 0x73, 0xB2, 0xF6, 0xF0, 0x73, 0x5F, 0x61, 0xDD, 0x4A, 0x4F, 0x69, 0xB3, 0xFC, 0xF7, 0x61, 0x75, 0x63, 0x98, 0xFA, 0x57, 0x73, 0x87, 0xF6, 0xE7, 0x61, 0x62, 0x69, 0x6F, 0x4B, 0x69, 0x79, 0x84, 0xE4, 0xC9, 0x63, 0x61, 0x73, 0xFF, 0x7A, 0x61, 0x73, 0x98, 0xE4, 0xA2, 0x69, 0x6C, 0x69, 0xD8, 0x71, 0x5D, 0x61, 0xB2, 0xE6, 0xA5, 0x73, 0x75, 0x73, 0x56, 0x4E, 0x7D, 0x61, 0xA5, 0xEC, 0xA4, 0x69, 0x74, 0x79, 0x58, 0xE8, 0x6A, 0x63, 0xA6, 0xF6, 0xB9, 0x73, 0x40, 0x73, 0xFD, 0x11, 0x41, 0x69, 0xAB, 0xEC, 0xA4, 0x79, 0x43, 0x61, 0xFA, 0x36, 0x7F, 0x73, 0xB2, 0xF6, 0x94, 0x73, 0x5F, 0x61, 0x74, 0x54, 0x4E, 0x69, 0xB3, 0xFC, 0x9B, 0x61, 0x75, 0x63, 0x5C, 0xFB, 0x69, 0x73, 0x87, 0xF6, 0x83, 0x61, 0x62, 0x69, 0x77, 0xE0, 0x6B, 0x79, 0x84, 0xE4, 0x95, 0x63, 0x61, 0x73, 0x8C, 0xFA, 0x62, 0x73, 0x98, 0xE4, 0x86, 0x69, 0x6C, 0x69, 0x49, 0xF1, 0x5F, 0x61, 0xB2, 0xE6, 0x89, 0x73, 0x75, 0x73, 0x33, 0xC4, 0x51, 0x61, 0xA5, 0xEC, 0x80, 0x69, 0x74, 0x79, 0xD3, 0x0B, 0x7B, 0x63, 0xA6, 0xF6, 0x85, 0x73, 0x40, 0x73, 0xCF, 0x0B, 0x6C, 0x69, 0xAB, 0xEC, 0x80, 0x79, 0x43, 0x61, 0xE5, 0x09, 0x6F, 0x73, 0xB2, 0xF6, 0xB8, 0x73, 0x5F, 0x61, 0xAD, 0x75, 0x67, 0x69, 0xB3, 0xFC, 0xBF, 0x61, 0x75, 0x63, 0x5C, 0xFB, 0x69, 0x73, 0x87, 0xF6, 0x5F, 0x60, 0x62, 0x69, 0x95, 0xE0, 0x56, 0x79, 0x84, 0xE4, 0x71, 0x62, 0x61, 0x73, 0xA9, 0xA5, 0x62, 0x73, 0x98, 0xE4, 0x6A, 0x68, 0x6C, 0x69, 0x62, 0x44, 0x61, 0x61, 0xB2, 0xE6, 0x6D, 0x72, 0x75, 0x73, 
0x2D, 0x25, 0x7E, 0x61, 0xA5, 0xEC, 0x7C, 0x68, 0x74, 0x79, 0xC9, 0x68, 0x54, 0x63, 0xA6, 0xF6, 0x61, 0x72, 0x40, 0x73, 0x0A, 0x8E, 0x7C, 0x69, 0xAB, 0xEC, 0x6C, 0x78, 0x43, 0x61, 0xFA, 0x36, 0x7F, 0x73, 0xB2, 0xF6, 0x5C, 0x72, 0x5F, 0x61, 0x74, 0x54, 0x4E, 0x69, 0xB3, 0xFC, 0x63, 0x60, 0x75, 0x63, 0x5C, 0xFB, 0x69, 0x73, 0x87, 0xF6, 0x7B, 0x60, 0x62, 0x69, 0xB0, 0xBF, 0x56, 0x79, 0x84, 0xE4, 0x5D, 0x62, 0x61, 0x73, 0x4D, 0x4F, 0x5F, 0x73, 0x98, 0xE4, 0x4E, 0x68, 0x6C, 0x69, 0x77, 0x5B, 0x5E, 0x61, 0xB2, 0xE6, 0x51, 0x72, 0x75, 0x73, 0xCA, 0x7A, 0x7E, 0x61, 0xA5, 0xEC, 0x58, 0x68, 0x74, 0x79, 0x7E, 0xE9, 0x69, 0x63, 0xA6, 0xF6, 0x4D, 0x72, 0x40, 0x73, 0x71, 0xC5, 0x46, 0x69, 0xAB, 0xEC, 0x48, 0x78, 0x43, 0x61, 0xFA, 0x36, 0x7F, 0x73, 0xB2, 0xF6, 0x00, 0x72, 0x5F, 0x61, 0x74, 0x54, 0x4E, 0x69, 0xB3, 0xFC, 0x07, 0x60, 0x75, 0x63, 0x0C, 0x25, 0x54, 0x73, 0x87, 0xF6, 0x17, 0x60, 0x62, 0x69, 0x8B, 0xEA, 0x79, 0x79, 0x84, 0xE4, 0x39, 0x62, 0x61, 0x73, 0x18, 0x25, 0x61, 0x73, 0x98, 0xE4, 0x32, 0x68, 0x6C, 0x69, 0xFE, 0x70, 0x62, 0x61, 0xB2, 0xE6, 0x35, 0x72, 0x75, 0x73, 0xCF, 0x26, 0x41, 0x61, 0xA5, 0xEC, 0x34, 0x68, 0x74, 0x79, 0x94, 0xEB, 0x50, 0x63, 0x29, 0xCB, 0x3C, 0x1D, 0x30, 0x06, 0x2B, 0x41, 0x16, 0x01, 0x24, 0xD3, 0x11, 0x59, 0x25, 0x0D, 0x14, 0x04, 0x41, 0x07, 0x3D, 0xFA, 0x05, 0x23, 0x17, 0xE8, 0x37, 0x31, 0x24, 0xD1, 0x1B, 0x59, 0x2B, 0x08, 0x1F, 0x02, 0x02, 0x18, 0x3D, 0xC9, 0x60, 0x07, 0x37, 0x04, 0x42, 0x08, 0x0E, 0x00, 0x3C, 0xF0, 0x06, 0x01, 0x3D, 0xEA, 0x34, 0x1B, 0x3D, 0xCB, 0x2C, 0x1A, 0x2B, 0x18, 0x42, 0x06, 0x0A, 0x49, 0x3C, 0xC3, 0x0B, 0x08, 0x11, 0x06, 0x0F, 0x53, 0x3C, 0x1D, 0x08, 0xFA, 0x1A, 0x11, 0x2A, 0xE0, 0x39, 0x11, 0x3C, 0xC1, 0x37, 0x04, 0x19, 0x0F, 0x08, 0x14, 0x10, 0x1D, 0x08, 0xFA, 0xDA, 0xE1, 0x62, 0x69, 0x6C, 0xAE, 0xF1, 0xF1, 0x43, 0x61, 0x75, 0x00, 0x04, 0x49, 0x75, 0x3B, 0xF8, 0x23, 0x2D, 0x0E, 0x05, 0x1B, 0x05, 0x1A, 0x11, 0x31, 0xF9, 0x41, 0x3E, 0x06, 0x18, 0x53, 0x16, 0x1C, 0x2E, 0x3B, 0xD6, 0x24, 0x42, 0x21, 0xE5, 0x3C, 0x5C, 
0x31, 0xFB, 0x07, 0x1C, 0x11, 0x0C, 0x16, 0x11, 0x5D, 0x60, 0x3B, 0xE5, 0x33, 0x07, 0x08, 0x08, 0x10, 0x54, 0x0D, 0x2C, 0x29, 0xFC, 0x26, 0x51, 0x3B, 0xFC, 0x26, 0x78, 0x3B, 0xE7, 0x41, 0x00, 0x1B, 0x09, 0x08, 0x1F, 0x57, 0x49, 0x29, 0xFC, 0x26, 0x21, 0xB5, 0x30, 0x3B, 0x40, 0x3B, 0xE7, 0x2B, 0x03, 0x0A, 0x07, 0x00, 0x1A, 0x1E, 0x63, 0x29, 0xCF, 0x21, 0x13, 0x16, 0x14, 0x18, 0x61, 0x53, 0x05, 0x29, 0xEB, 0x2C, 0x6C, 0x21, 0xFD, 0x2C, 0x4B, 0x29, 0xCD, 0x02, 0x08, 0x12, 0x55, 0x36, 0x2E, 0x07, 0x3A, 0x29, 0xD8, 0x1B, 0x1C, 0x1B, 0x1D, 0x0A, 0x26, 0x4F, 0x75, 0x2B, 0xE8, 0x36, 0x65, 0x3B, 0xC9, 0x26, 0x47, 0xA6, 0x27, 0x92, 0x49, 0x5C, 0x4D, 0x0A, 0x85, 0x24, 0x8A, 0x63, 0x07, 0xB4, 0x30, 0x8B, 0x65, 0x00, 0x99, 0x24, 0x98, 0x69, 0x24, 0xD1, 0x3A, 0x16, 0x37, 0x41, 0x03, 0x06, 0x13, 0x1A, 0x3D, 0xFA, 0x05, 0x99, 0x98, 0x24, 0x90, 0x0F, 0x05, 0x0C, 0x10, 0x1F, 0x84, 0x24, 0x83, 0x42, 0x61, 0xB4, 0xF0, 0x1B, 0x41, 0x73, 0x5F, 0x6A, 0x62, 0x69, 0xEC, 0x21, 0xF9, 0x3C, 0x13, 0x29, 0xFC, 0xA2, 0x89, 0x6D, 0x77, 0x73, 0x40, 0x3B, 0xD2, 0x34, 0xC2, 0x21, 0xE1, 0x2C, 0x8F, 0x31, 0xCA, 0xA0, 0x9D, 0x5D, 0x63, 0x73, 0x75, 0x3B, 0xCD, 0x36, 0x7F, 0x29, 0xEB, 0xA8, 0x84, 0x6B, 0x76, 0x79, 0x43, 0x29, 0xF8, 0x26, 0xC1, 0x3B, 0xFC, 0xB2, 0xA8, 0x45, 0x5D, 0x61, 0x62, 0x21, 0xEF, 0x91, 0x47, 0x0D, 0x55, 0x29, 0xF8, 0x26, 0x8B, 0x3B, 0xFC, 0xB2, 0xA8, 0x97, 0x5E, 0x61, 0x62, 0xD0, 0x6C, 0x69, 0x74, 0x79, 0xAB, 0xDB, 0x74, 0x63, 0x61, 0xB4, 0xF0, 0x17, 0x41, 0x73, 0x5F, 0x82, 0x2E, 0x69, 0x6C, 0xAE, 0xF1, 0x15, 0x42, 0x61, 0x75, 0x63, 0x61, 0x73, 0x75, 0x98, 0x18, 0xF8, 0xDA, 0x0D, 0x63, 0x69, 0x6C, 0x66, 0xC2, 0x3D, 0x46, 0xC1, 0x7A, 0xD5, 0xA1, 0x7C, 0xDA, 0xF6, 0x24, 0x72, 0x5F, 0x61, 0xD8, 0x69, 0x6C, 0x69, 0x74, 0x8E, 0xF6, 0x09, 0x74, 0x63, 0x61, 0xFA, 0xE0, 0x13, 0x41, 0x73, 0x5F, 0xEA, 0xE7, 0x05, 0x6D, 0x69, 0x74, 0xF2, 0xC7, 0xE4, 0xE5, 0x63, 0x61, 0x73, 0x4C, 0xF6, 0x20, 0x72, 0x5F, 0x61, 0x16, 0x7F, 0x24, 0xE4, 0x31, 0x93, 0x0B, 0xE8, 0xB4, 0x8B, 0x1C, 0x72, 0x75, 0x73, 
0xF9, 0x73, 0x5F, 0x61, 0x62, 0x81, 0x3F, 0x68, 0x74, 0x79, 0xC0, 0xE4, 0x19, 0x62, 0x61, 0x73, 0x74, 0xF0, 0xFD, 0x1F, 0x5E, 0x61, 0x62, 0x5B, 0x1A, 0xF6, 0x3C, 0xF0, 0xAB, 0x29, 0xFC, 0xA2, 0x89, 0x2B, 0x74, 0x73, 0x40, 0x9B, 0x1C, 0x60, 0x62, 0x69, 0x84, 0x57, 0x75, 0x79, 0x43, 0x90, 0x48, 0x81, 0xC4, 0xF0, 0x01, 0x00, 0x00, 0x5D, 0xC3]
# XOR the first 1045 bytes of src with the recovered key bytes in s, cycling
# through s every 18 positions. Any bytes of src past index 1044 are left
# untouched and are written out as they are.
for pos in range(1045):
    src[pos] = src[pos] ^ s[pos % 18]

# Dump the patched bytes to fun.bin in one write; every element must fit in
# an unsigned byte or struct.pack raises.
with open('fun.bin', 'wb') as fp:
    fp.write(struct.pack('%dB' % len(src), *src))

# print(len(src))
print("write bin")
print('-----------------------')

# Recover the flag.
# For each of the 51 targets in res, try every 7-bit character code and keep
# the code c for which a * c % b equals the target.
res = [2007666, 2125764, 1909251, 2027349, 2421009, 1653372, 2047032, 2184813, 2302911, 2263545, 1909251, 2165130, 1968300, 2243862, 2066715, 2322594, 1987983, 2243862, 1869885, 2066715, 2263545, 1869885, 964467, 944784, 944784, 944784, 728271, 1869885, 2263545, 2283228, 2243862, 2184813, 2165130, 2027349, 1987983, 2243862, 1869885, 2283228, 2047032, 1909251, 2165130, 1869885, 2401326, 1987983, 2243862, 2184813, 885735, 2184813, 2165130, 1987983, 2460375]
a = 19683
b = 0x8000000B

flag = ''.join(
    chr(code)
    for pos in range(51)
    for code in range(128)
    if a * code % b == res[pos]
)


print("get flag!")
print(flag)

easyparser

常规虚拟机,指令清晰明了,五星好评

指令固定24bytes,一个操作码,两个操作数各占8bytes

有4个函数是用虚拟机实现的,功能分别是输出提示性信息并获取输入、初始化虚拟机数据段、变换虚拟机数据段以及最后的check

case 0:                      // mov ds[reg],imm
case 1: // mov reg,imm
case 2: // mov reg,reg
case 3: // mov reg,ds[reg]
case 4: // mov ds[reg],reg
case 5: // push reg
case 6: // pop reg
case 7: // add reg,imm
case 8: // add reg,reg
case 9: // sub reg,imm
case 10: // sub reg,reg
case 11: // mul reg,imm
case 12: // mul reg,reg
case 13: // shl reg,imm
case 14: // shl reg,reg
case 15: // shr reg,imm
case 16: // shr reg,reg
case 17: // xor reg,imm
case 18: // xor reg,reg
case 19: // or reg,imm
case 20: // or reg,reg
case 21: // and reg,imm
case 22: // and reg,reg
case 23: // getchar
case 24: // putchar
case 26: // cmp reg,imm
case 27: // cmp reg,reg
case 28: // jz imm*24
case 29: // jmp imm*24
case 30: // jb imm*24
case 31: // jnz imm*24

共32条指令、opcode比较长,手动反汇编不太现实,直接写个反汇编器将opcode扔进去就可以得到四个函数的汇编代码了,接下来就是常规操作了,check部分主要逻辑非常简单

28: xor r9,r9
29: mov ra,0xe1
2a: mov r7,ds[r9]
2b: mov r6,ds[ra]
2c: xor r6,0x63
2d: shl r6,0x2
2e: cmp r6,r7
2f: jnz 0x3
30: add r9,0x1
31: add ra,0x1
32: cmp r9,0x20
33: jb 0x2a

get flag

# The 32 target words that the VM program writes into its data segment.
ds = [199, 387, 83, 295, 187, 115, 79, 119, 119, 295, 263, 143, 99, 63, 107, 295, 331, 295, 183, 99, 95, 107, 63, 295, 199, 123, 103, 135, 147, 99, 319, 295]
# Invert the check: subtract 0x37, shift right by 2, then XOR with 0x63.
body = ''.join(chr(((ds[i] - 0x37) >> 2) ^ 0x63) for i in range(0x20))

flag = 'flag{%s}' % body
print(flag)

所有代码(包含反汇编器等)

code0 = [
0x0000000000000000, 0x0000000000000000, 0x0000000000000012,
0x0000000000000001, 0x0000000000000001, 0x0000000000000012,
0x0000000000000002, 0x0000000000000002, 0x0000000000000012,
0x0000000000000003, 0x0000000000000003, 0x0000000000000012,
0x0000000000000006, 0x0000000000000006, 0x0000000000000012,
0x0000000000000007, 0x0000000000000007, 0x0000000000000012,
0x0000000000000000, 0x0000000000000069, 0x0000000000000001,
0x0000000000000001, 0x000000000000006E, 0x0000000000000001,
0x0000000000000002, 0x0000000000000070, 0x0000000000000001,
0x0000000000000003, 0x0000000000000075, 0x0000000000000001,
0x0000000000000006, 0x0000000000000074, 0x0000000000000001,
0x0000000000000007, 0x0000000000000020, 0x0000000000000001,
0x0000000000000000, 0x0000000000000000, 0x0000000000000018,
0x0000000000000001, 0x0000000000000000, 0x0000000000000018,
0x0000000000000002, 0x0000000000000000, 0x0000000000000018,
0x0000000000000003, 0x0000000000000000, 0x0000000000000018,
0x0000000000000006, 0x0000000000000000, 0x0000000000000018,
0x0000000000000007, 0x0000000000000000, 0x0000000000000018,
0x0000000000000000, 0x0000000000000066, 0x0000000000000001,
0x0000000000000001, 0x000000000000006C, 0x0000000000000001,
0x0000000000000002, 0x0000000000000061, 0x0000000000000001,
0x0000000000000003, 0x0000000000000067, 0x0000000000000001,
0x0000000000000006, 0x000000000000003A, 0x0000000000000001,
0x0000000000000007, 0x0000000000000020, 0x0000000000000001,
0x0000000000000000, 0x0000000000000000, 0x0000000000000018,
0x0000000000000001, 0x0000000000000000, 0x0000000000000018,
0x0000000000000002, 0x0000000000000000, 0x0000000000000018,
0x0000000000000003, 0x0000000000000000, 0x0000000000000018,
0x0000000000000006, 0x0000000000000000, 0x0000000000000018,
0x0000000000000007, 0x0000000000000000, 0x0000000000000018,
0x0000000000000001, 0x0000000000000001, 0x0000000000000012,
0x0000000000000000, 0x0000000000000000, 0x0000000000000017,
0x0000000000000000, 0x0000000000000000, 0x0000000000000005,
0x0000000000000001, 0x0000000000000001, 0x0000000000000007,
0x0000000000000001, 0x0000000000000026, 0x000000000000001A,
0x000000000000001F, 0x0000000000000000, 0x000000000000001E,
0x0000000000000000, 0x0000000000000000, 0x0000000000000019
]

code1 = [
0x0000000000000002, 0x0000000000000002, 0x0000000000000012,
0x0000000000000002, 0x00000000000000C7, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000183, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000053, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000127, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x00000000000000BB, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000073, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000004F, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000077, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000077, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000127, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000107, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000008F, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000063, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000003F, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000006B, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000127, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000014B, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000127, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x00000000000000B7, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000063, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000005F, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000006B, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000003F, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000127, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x00000000000000C7, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000007B, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000067, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000087, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000093, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000063, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x000000000000013F, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000127, 0x0000000000000000,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000000, 0x0000000000000000, 0x0000000000000019
]

code2 = [
0x0000000000000002, 0x0000000000000002, 0x0000000000000012,
0x0000000000000000, 0x0000000000000002, 0x0000000000000003,
0x0000000000000000, 0x0000000000000037, 0x0000000000000009,
0x0000000000000002, 0x0000000000000000, 0x0000000000000004,
0x0000000000000002, 0x0000000000000001, 0x0000000000000007,
0x0000000000000002, 0x0000000000000020, 0x000000000000001A,
0x0000000000000001, 0x0000000000000000, 0x000000000000001E,
0x0000000000000000, 0x0000000000000000, 0x0000000000000019
]

code3 = [
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000000, 0x000000000000007D, 0x000000000000001A,
0x0000000000000012, 0x0000000000000000, 0x000000000000001C,
0x0000000000000000, 0x0000000000000062, 0x0000000000000001,
0x0000000000000001, 0x0000000000000079, 0x0000000000000001,
0x0000000000000002, 0x0000000000000065, 0x0000000000000001,
0x0000000000000003, 0x000000000000007E, 0x0000000000000001,
0x0000000000000006, 0x000000000000007E, 0x0000000000000001,
0x0000000000000007, 0x000000000000007E, 0x0000000000000001,
0x0000000000000000, 0x0000000000000000, 0x0000000000000018,
0x0000000000000001, 0x0000000000000000, 0x0000000000000018,
0x0000000000000002, 0x0000000000000000, 0x0000000000000018,
0x0000000000000003, 0x0000000000000000, 0x0000000000000018,
0x0000000000000006, 0x0000000000000000, 0x0000000000000018,
0x0000000000000007, 0x0000000000000000, 0x0000000000000018,
0x0000000000000000, 0x000000000000000A, 0x0000000000000001,
0x0000000000000000, 0x0000000000000000, 0x0000000000000018,
0x0000000000000000, 0x0000000000000000, 0x0000000000000019,
0x0000000000000008, 0x0000000000000100, 0x0000000000000001,
0x0000000000000008, 0x00000000000000E1, 0x000000000000001A,
0x0000000000000019, 0x0000000000000000, 0x000000000000001E,
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000008, 0x0000000000000000, 0x0000000000000004,
0x0000000000000008, 0x0000000000000001, 0x0000000000000009,
0x0000000000000013, 0x0000000000000000, 0x000000000000001D,
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000000, 0x000000000000007B, 0x000000000000001A,
0x0000000000000003, 0x0000000000000000, 0x000000000000001F,
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000000, 0x0000000000000067, 0x000000000000001A,
0x0000000000000003, 0x0000000000000000, 0x000000000000001F,
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000000, 0x0000000000000061, 0x000000000000001A,
0x0000000000000003, 0x0000000000000000, 0x000000000000001F,
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000000, 0x000000000000006C, 0x000000000000001A,
0x0000000000000003, 0x0000000000000000, 0x000000000000001F,
0x0000000000000000, 0x0000000000000000, 0x0000000000000006,
0x0000000000000000, 0x0000000000000066, 0x000000000000001A,
0x0000000000000003, 0x0000000000000000, 0x000000000000001F,
0x0000000000000009, 0x0000000000000009, 0x0000000000000012,
0x000000000000000A, 0x00000000000000E1, 0x0000000000000001,
0x0000000000000007, 0x0000000000000009, 0x0000000000000003,
0x0000000000000006, 0x000000000000000A, 0x0000000000000003,
0x0000000000000006, 0x0000000000000063, 0x0000000000000011,
0x0000000000000006, 0x0000000000000002, 0x000000000000000D,
0x0000000000000006, 0x0000000000000007, 0x000000000000001B,
0x0000000000000003, 0x0000000000000000, 0x000000000000001F,
0x0000000000000009, 0x0000000000000001, 0x0000000000000007,
0x000000000000000A, 0x0000000000000001, 0x0000000000000007,
0x0000000000000009, 0x0000000000000020, 0x000000000000001A,
0x000000000000002A, 0x0000000000000000, 0x000000000000001E,
0x0000000000000000, 0x0000000000000063, 0x0000000000000001,
0x0000000000000001, 0x000000000000006F, 0x0000000000000001,
0x0000000000000002, 0x0000000000000072, 0x0000000000000001,
0x0000000000000003, 0x0000000000000072, 0x0000000000000001,
0x0000000000000006, 0x0000000000000065, 0x0000000000000001,
0x0000000000000007, 0x0000000000000063, 0x0000000000000001,
0x0000000000000000, 0x0000000000000000, 0x0000000000000018,
0x0000000000000001, 0x0000000000000000, 0x0000000000000018,
0x0000000000000002, 0x0000000000000000, 0x0000000000000018,
0x0000000000000003, 0x0000000000000000, 0x0000000000000018,
0x0000000000000006, 0x0000000000000000, 0x0000000000000018,
0x0000000000000007, 0x0000000000000000, 0x0000000000000018,
0x0000000000000000, 0x0000000000000074, 0x0000000000000001,
0x0000000000000001, 0x000000000000006C, 0x0000000000000001,
0x0000000000000002, 0x0000000000000079, 0x0000000000000001,
0x0000000000000003, 0x0000000000000021, 0x0000000000000001,
0x0000000000000006, 0x000000000000000A, 0x0000000000000001,
0x0000000000000000, 0x0000000000000000, 0x0000000000000018,
0x0000000000000001, 0x0000000000000000, 0x0000000000000018,
0x0000000000000002, 0x0000000000000000, 0x0000000000000018,
0x0000000000000003, 0x0000000000000000, 0x0000000000000018,
0x0000000000000006, 0x0000000000000000, 0x0000000000000018,
0x0000000000000000, 0x0000000000000000, 0x0000000000000019
]

'''
case 0: // mov ds[reg],imm
case 1: // mov reg,imm
case 2: // mov reg,reg
case 3: // mov reg,ds[reg]
case 4: // mov ds[reg],reg
case 5: // push reg
case 6: // pop reg
case 7: // add reg,imm
case 8: // add reg,reg
case 9: // sub reg,imm
case 10: // sub reg,reg
case 11: // mul reg,imm
case 12: // mul reg,reg
case 13: // shl reg,imm
case 14: // shl reg,reg
case 15: // shr reg,imm
case 16: // shr reg,reg
case 17: // xor reg,imm
case 18: // xor reg,reg
case 19: // or reg,imm
case 20: // or reg,reg
case 21: // and reg,imm
case 22: // and reg,reg
case 23: // getchar
case 24: // putchar
case 26: // cmp reg,imm
case 27: // cmp reg,reg
case 28: // jzf imm*24
case 29: // jmp imm*24
case 30: // jb imm*24
case 31: // jnzf imm*24
'''

# Banner printed before the disassembly listings.
print('asm:')

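def vm(code):
    """Print a disassembly listing of one VM program.

    ``code`` is a flat sequence of integers, three per instruction:
    operand 0, operand 1 and the opcode, in that order. One line is printed
    per instruction, prefixed with the instruction index in hex. Opcode 0x19
    is shown as ``ret!!!`` and unknown opcodes as ``nop``.

    Changes against the earlier version: a ``ret`` in the middle of a program
    no longer prints an extra ``nop`` line, and the loop stops at the end of
    ``code`` instead of raising IndexError when the last instruction is not
    a ``ret``.
    """
    # Opcodes whose listing shows both operands.
    two_operand = {
        0: "mov ds[r%x],0x%x",
        1: "mov r%x,0x%x",
        2: "mov r%x,r%x",
        3: "mov r%x,ds[r%x]",
        4: "mov ds[r%x],r%x",
        7: "add r%x,0x%x",
        8: "add r%x,r%x",
        9: "sub r%x,0x%x",
        10: "sub r%x,r%x",
        11: "mul r%x,0x%x",
        12: "mul r%x,r%x",
        13: "shl r%x,0x%x",
        14: "shl r%x,r%x",
        15: "shr r%x,0x%x",
        16: "shr r%x,r%x",
        17: "xor r%x,0x%x",
        18: "xor r%x,r%x",
        19: "or r%x,0x%x",
        20: "or r%x,r%x",
        21: "and r%x,0x%x",
        22: "and r%x,r%x",
        26: "cmp r%x,0x%x",
        27: "cmp r%x,r%x",
    }
    # Opcodes whose listing shows operand 0 only; for the jumps that operand
    # is printed as the target.
    one_operand = {
        5: "push r%x",
        6: "pop r%x",
        23: "getchar(r%x)",
        24: "putchar(r%x)",
        28: "jz 0x%x",
        29: "jmp 0x%x",
        30: "jb 0x%x",
        31: "jnz 0x%x",
    }

    for eip in range(len(code) // 3):
        first, second, op = code[eip * 3:eip * 3 + 3]
        print("%02x:" % eip, end=" ")
        if op == 0x19:
            print("ret!!!")
        elif op in two_operand:
            print(two_operand[op] % (first, second))
        elif op in one_operand:
            print(one_operand[op] % first)
        else:
            print("nop")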


# Disassemble the four VM programs, printing a separator line between listings.
for index, program in enumerate((code0, code1, code2, code3)):
    if index:
        print('--------------------------')
    vm(program)

def input(input):
    """Print the prompt followed by the supplied flag and return the flag.

    NOTE: this definition shadows the builtin ``input`` for the rest of the
    module; the flag is passed in by the caller, nothing is read from stdin.
    """
    print("input flag:", end='')
    print(input)
    return input

def initds():
    """Return a new list holding the 32 target words of the VM data segment."""
    return [199, 387, 83, 295, 187, 115, 79, 119, 119, 295, 263, 143, 99, 63, 107, 295, 331, 295, 183, 99, 95, 107, 63, 295, 199, 123, 103, 135, 147, 99, 319, 295]

def sub0x37(ds):
    """Subtract 0x37 from the first 0x20 entries of ``ds`` in place.

    The same list object is returned. A list with fewer than 0x20 entries
    raises IndexError.
    """
    idx = 0
    while idx < 0x20:
        ds[idx] = ds[idx] - 0x37
        idx += 1
    return ds

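def check(flag, ds):
    """Return True when ``flag`` satisfies the reconstructed VM check.

    The flag must start with ``flag{`` and end with ``}``, and each of the
    first 0x20 characters between the braces must satisfy
    ``(ord(c) ^ 0x63) << 2 == ds[i]``.

    An empty flag or a body shorter than 0x20 characters returns False; the
    earlier version raised TypeError or IndexError on such input.
    """
    # 0x7d is '}'; slicing keeps the comparison safe for an empty string.
    if flag[-1:] != '}':
        return False
    if flag[:5] != 'flag{':
        return False
    body = flag[5:-1]
    if len(body) < 0x20:
        return False
    # NOTE: only the first 0x20 body characters are compared; characters
    # after them are not examined by this function.
    return all((ord(body[i]) ^ 0x63) << 2 == ds[i] for i in range(0x20))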

def easyparser(flag):
    """Replay the four VM routines in Python and print the verdict.

    Echoes the flag, builds the data table, subtracts 0x37 from it, then
    prints "correctly!" when the check passes and "bye~~~" otherwise.
    """
    input(flag)
    table = sub0x37(initds())
    verdict = "correctly!" if check(flag, table) else "bye~~~"
    print(verdict)


print('--------------------------')
print('get flag!')

# Core of the VM check routine, as noted by the author from the disassembly:
# 13_op:12: xor r9,r9
# 4_op:1: mov ra,ie1
# 15_op:3: mov r7,ds[r9]
# 16_op:3: mov r6,ds[ra] => mov r6,stack[r9]
# 17_op:11: xor r6,i63
# 18_op:d: shl r6,i2
# 19_op:1b: cmp r6,r7
# Inverting it: subtract 0x37 from each target word, shift right by 2,
# then XOR with 0x63.

ds = [199, 387, 83, 295, 187, 115, 79, 119, 119, 295, 263, 143, 99, 63, 107, 295, 331, 295, 183, 99, 95, 107, 63, 295, 199, 123, 103, 135, 147, 99, 319, 295]
flag = 'flag{%s}' % ''.join(
    chr(((ds[i] - 0x37) >> 2) ^ 0x63) for i in range(0x20)
)
print(flag)


print("--------------------------")
print("check flag!")
# Feed the recovered flag back through the Python model of the VM.
easyparser(flag)

fxck!

逻辑是将输入进行base58编码,然后与虚拟机执行后的结果比对

题目有点问题,原始题目因为opcode的问题只比对了编码后的第一个字符,后来更新了题目,程序直接在最后明文比对,dump出编码表和虚拟机执行后的结果,解base58即可

import base58
import string

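# Encoding alphabet dumped from the challenge (58 characters, custom order).
table = '\x41\x42\x43\x44\x45\x46\x47\x48\x4A\x4B\x4C\x4D\x4E\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x31\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A'
# Standard Base58 alphabet, the default used by base58.b58decode.
base58_table = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
# Encoded value the program compares the encoded input against.
cipher_text = '4VyhuTqRfYFnQ85Bcw5XcDr3ScNBjf5CzwUdWKVM7SSVqBrkvYGt7SSUJe'
# string.maketrans exists only on Python 2 and str.maketrans only on
# Python 3; pick whichever the running interpreter provides.
_maketrans = getattr(str, 'maketrans', None) or string.maketrans
# Map the custom alphabet onto the standard one, then decode normally.
flag = base58.b58decode(cipher_text.translate(_maketrans(table, base58_table)))
print (flag)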