#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
# @Time  : 2023/06/17 17:52:54
# @Author: wd-2711
'''

from z3 import *

if __name__ == "__main__":
    cp1_key = [Int(('key_%d' % i)) for i in range(24)]

    # 1
    for i in range(23):
        i = 23 - i
        cp1_key[i] -= cp1_key[i-1]

    cp1_L = [0,15,2,10,6,9,1,4]
    cp1_R = [8,23,11,20,13,21,19,17]
    cp1_X = [11,-13,17,-19,23,-29,31,-37]

    # 2
    for i in range(8):
        cp1_key[cp1_L[i]] += cp1_X[i]
        cp1_key[cp1_R[i]] -= cp1_X[i]

    # 3
    for i in range(23):
        i = i + 1
        cp1_key[i] += cp1_key[i-1]

    cp2_key = [252,352,484,470,496,487,539,585,447,474,577,454,466,345,344,486,501,423,490,375,257,203,265,125]
    cp2_X = [0 for i in range(8)]

    # 9
    for i in range(8):
        cp2_X[i] = cp1_key[i*3]

    # 10
    for i in range(23):
        i = 23 - i
        cp2_key[i] -= cp2_key[i-1]
    # 11
    for i in range(8):
        cp2_key[cp1_L[i]] -= cp2_X[i]
        cp2_key[cp1_R[i]] += cp2_X[i]
    # 12
    for i in range(1, 24):
        cp2_key[i] += cp2_key[i-1]

    # 最后要cp1与cp2的key相等
    solver = Solver()
    for i in range(24):
        solver.add(cp1_key[i] == cp2_key[i])

    if sat == solver.check():
        m = solver.model()
        res = {}
        for d in m.decls():
            res[d.name()] = int(str(m[d]), 10)
        for i in range(24):
            print(chr(res["key_" + str(i)]), end = "")
# sctf{r5cbsumyqpjy0stc7u}

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
# @Time  : 2023/07/03 15:46:03
# @Author: wd-2711
'''


def sub_8001CC0(a2):
    res = [0 for i in range(25)]
    for i in range(0, 20, 2):
        if (a2[i//2] & 0xF) > 9:
            res[i+1] = (a2[i//2] & 0xF) + 87
        else:
            res[i+1] = (a2[i//2] & 0xF) + 48
        if (a2[i//2] >> 4) > 9:
            res[i] = (a2[i//2] >> 4) + 87
        else:
            res[i] = (a2[i//2] >> 4) + 48
    return res

def sub_8001D80(a1, a2):
    for i in range(a2):
        a1[i] -= 1
    return a1
    	
def sub_8001DB4(a1, a2):
    for i in range(a2):
        a1[i] += 1
    return a1

def sub_8001DE8(a1, a2):
    for i in range(a2):
        a1[i] ^= ord('5')
    return a1

def sub_8001E1C(a1, a2):
    for i in range(a2):
        a1[i] ^= a1[9-i]
    return a1

def sub_8001E54(a1, a2):
    for i in range(a2):
        a1[i] ^= a1[i+1-a2*((i+1)//a2)]
    return a1

def sub_8001E94(a1, a2):
    for i in range(a2):
        a1[i] = (16 * a1[i]) | (a1[i] >> 4)
        a1[i] = a1[i] & 0xff
    return a1

def sub_8001ED0(a1, a2):
    for i in range(a2):
        a1[i] = (a1[i] << 6) | (a1[i] >> 2)
        a1[i] = a1[i] & 0xff
    return a1

def sub_8001F0C(a1, a2):
    for i in range(a2):
        a1[i] = (a1[i] * 32) | (a1[i] >> 3)
        a1[i] &= 0xff
    return a1

def sub_8001C8A(a1, a2):
    for i in range(a2):
        a1[i] ^= 0xF7
    return a1

var_4 = [ord('w')]
for i in range(1, 10):
    tmp = (((var_4[i-1] >> 6) & (var_4[i-1] >> 2) & 1) == 0) | ((2 * var_4[i-1]) & 0xff)
    var_4.append(tmp)

origin_200000BF = [0] * len(var_4)
i = 0
for c in "bdgfciejha":
    origin_200000BF[ord(c) - ord('a')] = var_4[i]
    i += 1

arr_200000BF = sub_8001D80(origin_200000BF, 10)
arr_200000BF = sub_8001DE8(arr_200000BF, 10)
arr_200000BF = sub_8001E94(arr_200000BF, 10)
arr_200000BF = sub_8001E54(arr_200000BF, 10)
arr_200000BF = sub_8001DB4(arr_200000BF, 10)
arr_200000BF = sub_8001F0C(arr_200000BF, 10)
arr_200000BF = sub_8001E1C(arr_200000BF, 10)
arr_200000BF = sub_8001C8A(arr_200000BF, 10)
arr_200000BF = sub_8001ED0(arr_200000BF, 10)



res = sub_8001CC0(arr_200000BF)
print("SCTF{", end = "")
for i in res[:20]:
    print(chr(i), end = "")
print("}")

# SCTF{5149ac8b033d602bf6d3}

# 输出st->ed的字节数据
import idc
st = 0x883C80
ed = 0x883CB5
for addr in range(st, ed):
    byte_data = idc.get_wide_byte(addr)
    print(hex(byte_data), end = " ")

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
# @Time  : 2023/07/05 13:16:59
# @Author: wd-2711
'''

userinfo = [0xed,0x2f,0xd8,0x27,0xa8,0x8,0x4e,0xb4,0xc1,0x69,0x97,0x2,0xa7,0x6b,0x4f,0xa7,0x39,0xeb,0xa1,0x63,0x92,0x2d,0xb3,0x1e,0x58,0x91,0x24,0x10,0x3e,0x91,0x88,0x7a,0x2a,0xf5,0x9a,0xdc,0x75,0x45,0xe0,0x43,0xdf,0x11,0xf7,0x7d,0x58,0x14,0x19,0x8c,0x3a,0x40,0xd,0x6e,0x7e]
userinfo = bytes(bytearray(userinfo))

addrbook = [0xed,0x2f,0xd8,0x27,0xa8,0x8,0x4e,0xb4,0xc1,0x69,0x97,0x2,0xa7,0x6b,0x4f,0xa7,0x39,0xeb,0xa1,0x63,0x92,0x2d,0xb3,0x1e,0x58,0x91,0x24,0x1f,0x24,0x89,0x8f,0x32,0x30,0xf3,0xda,0xde,0x67,0x44,0xf6,0x58,0xd4,0x4,0xeb,0x20,0x42,0x8,0x17,0xc1,0x21,0x52,0x5,0x79,0x2a,0xdc,0x95,0x9d,0xc5,0x59,0x20,0xc0,0xc2,0xf4,0x69,0xaf,0x60,0x97,0x9f,0x76,0x25]
addrbook = bytes(bytearray(addrbook))


def main_decode_str(data):
    key = [0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0]
    key = key[::-1]
    key = bytearray(key)
    key = bytes(key)
    enc = ARC4.new(key)
    res = enc.decrypt(data)
    res = str(res,'gbk')
    return res

print(main_decode_str(userinfo))
print(main_decode_str(addrbook))

# http://190.92.230.233:8080/nologin/userinfo?username=
# http://190.92.230.233:8080/auth/showaddressbook?userid=%d&password=%s

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
# @Time  : 2023/07/10 20:34:43
# @Author: wd-2711
'''

import hashlib

def func_2(str1):
    res = 0
    for i in range(0xC, 0, -1):
        if str1[0xC-i] == '1':
            res |= (1<<((i-1)&0x3F))
    return res

def sub_4070E1(str1, j):
    def count_head_zero(j):
        if j == 0:
            return 0xC
        j = bin(j)[::-1]
        cnt = 0
        for jj in j:
            if jj == '1':
                break
            elif jj == '0':
                cnt += 1
        return cnt
    def sub_4087C6(j, i):
        if i+1 > 0x3F:
            return 0xC
        if j>>(i+1) == 0: 
            return 0xC
        return count_head_zero(j>>(i+1))+(i+1)
   
    j = j & 0xfff
    str1 = "000000000000"
    result = count_head_zero(j)
    i = result
    while True:
        if i > 0xB:
            break
        str1 = str1[:0xB-i] + '1' + str1[0xB-i+1:]
        result = sub_4087C6(j, i)
        i = result
    return str1

def check_1(inp):
    inp = [ord(i) - 48 for i in inp]
    arr1 = [
        [1, 1, 0, 0, 1, 0,],
        [1, 0, 1, 1, 0, 0,],
        [1, 0, 1, 0, 1, 0,],
        [0, 1, 1, 0, 1, 0,],
        [1, 1, 0, 0, 1, 0,],
        [1, 0, 0, 1, 0, 1,],
        [0, 1, 1, 1, 0, 0,],
        [1, 1, 0, 0, 0, 1,],
        [0, 0, 1, 1, 1, 0,],
        [1, 1, 0, 1, 0, 0,],
        [0, 0, 0, 1, 1, 1,],
        [1, 0, 1, 0, 0, 1,], 
    ]

    out = [0] * 6
    for j in range(6):
        for k in range(0xC):
            out[j] ^= (arr1[k][j]&inp[k])
    if sum(out) == 0:
        return 1
    return 0

def generate_inps():
    res = []
    for i in range(0xfff+1):
        binary_string = bin(i)[2:]
        bit_array = [int(bit) for bit in binary_string]
        if len(bit_array) < 0xC:
            bit_array = [0]*(0xC-len(bit_array)) + bit_array
        bit_array = "".join(str(i) for i in bit_array)
        res.append(bit_array)
    return res

def test_length(leng):
    res = ""
    inps = generate_inps()
    c = "000000000000"
    i = 0
    while True:
        for inp in inps:
            f = i
            if f >= leng:
                return 1, res
            a = inp
            b = a
            if check_1(a) == 0:
                continue   
            if i:
                g = func_2(c)
            else:
                g = -1
            if g >= func_2(a):
                continue
            j = g + 1
            wrong = 0
            while True:
                a = b
                if j >= func_2(a):
                    break
                a = sub_4070E1(a, j)
                if check_1(a):
                    wrong = 1
                    break
                j += 1
            if wrong == 0:
                res += inp 
                pass
            else:
                continue
            if i + 12 == leng:
                a = b
                e = func_2(a) + 1
                while True:
                    a = "111111111111"
                    if func_2(a) < e:
                        break
                    a = sub_4070E1(a, e)
                    if check_1(a):
                        return 0, None
                    e += 1
            c = b
            i += 12

if __name__ == "__main__":
    for i in range(1, 1000):
        suc, res = test_length(12 * i)
        if suc == 1:
            print("success length", 12 * i)
            print("res", res)
            m = hashlib.md5()
            m.update(res.encode())
            print("flag is", m.hexdigest())
# success 768
# res 000000000000000001011111000010100011000011111100000100000111000101011000000110100100000111111011001000110010001001101101001010010001001011001110001100110101001101101010001110010110001111001001010000010101010001001010010010110110010011101001010100010010010101001101010110110001010111101110011000100111011001111000011010000100011011011011011100100000011101111111011110000011011111011100100000100011100001111100100010000000100011011111100100100100100101111011100110000111100111011000101000010001101001001110101010110010101011101101101100010110101101001001101110110101101111101010110000110110110001101001110010010101110011001010110100110001110101101110110110010010110111001101111000000100111001011011111010100111111011111000111100000011111101011100111110100000111111111111
# flag is 7bc821b13f8f9f7c043012b6a2a2ece0

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
# @Time  : 2023/07/12 21:39:58
# @Author: wd-2711
'''

import struct
from tqdm import tqdm
from ctypes import c_uint32

# challenge0
def challenge0():
    def decode_level0():
        with open("C:\\Users\\23957\\Desktop\\Syclock\\level0jar", "rb") as f:
            d = f.read()

        with open("C:\\Users\\23957\\Desktop\\Syclock\\level0_decode.jar", "wb") as f:
            for dd in d:
                inp = dd ^ 52
                f.write(inp.to_bytes(1, 'little'))
    def change(a1, a2):
        return a2, a1
    def get_flag():
        plain = "flag{this_is_fake_flag}"
        cipher = [24, 0xF8, 37, 0x86, 70, 16, 0x92, 0xDA, 0xD3, 0x89, 0xF4, 4, 0x7E, 0xB3, 0xF7, 92, 206, 77, 0xAF, 34, 0x7A, 14, 0x9E]
        v6 = [i for i in range(0x100)]
        for k0 in tqdm(range(32,128)):
            for k1 in range(32,128):
                for k2 in range(32,128):
                    for k3 in range(32,128):   
                        k = [k0, k1, k2, k3]
                        tmp = 0
                        v3 = [k[i%4] for i in range(0x100)]
                        for i in range(256):
                            tmp = (v6[i] + tmp + v3[i]) & 0xff
                            v6[i], v6[tmp] = change(v6[i], v6[tmp])
                        i = 0
                        out = [0 for i in range(23)]
                        tmp = 0
                        for j in range(23):
                            i = (i + 1) & 0xff
                            tmp = (tmp + v6[i]) & 0xff
                            v6[i], v6[tmp] = change(v6[i], v6[tmp])
                            out[j] = ord(plain[j])^v6[(v6[i]+v6[tmp])&0xff]^18
                        eq = 1
                        for i in range(23):
                            if out[i] != cipher[i]:
                                eq = 0
                                break
                        if eq == 1:
                            print(chr(k), end = "")
                        v6 = [i for i in range(0x100)]
    print("challenge0_flag:", end = "")
    get_flag()
    print("")

# challenge1
def challenge1():
    print("challenge2_flag:", end = "")
    print("userv")

# challenge2
DELTA = 0x9E3779B9
def encrypt(v, n, k):
    rounds = 6 + int(52 / n)
    sum = c_uint32(0)
    z = v[n - 1].value
    while rounds > 0:
        sum.value += DELTA
        e = (sum.value >> 2) & 3
        p = 0
        while p < n - 1:
            y = v[p + 1].value
            v[p].value += (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum.value ^ y) + (k[(p & 3) ^ e] ^ z)))
            z = v[p].value
            p += 1
        y = v[0].value
        v[n - 1].value += (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum.value ^ y) + (k[(p & 3) ^ e] ^ z)))
        z = v[n - 1].value
        rounds -= 1

def decrypt(v, n, k):
    rounds = 6 + int(52 / n)
    sum = c_uint32(rounds * DELTA)
    y = v[0].value
    while rounds > 0:
        e = (sum.value >> 2) & 3
        p = n - 1
        while p > 0:
            z = v[p - 1].value
            v[p].value -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum.value ^ y) + (k[(p & 3) ^ e] ^ z)))
            y = v[p].value
            p -= 1
        z = v[n - 1].value
        v[0].value -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum.value ^ y) + (k[(p & 3) ^ e] ^ z)))
        y = v[0].value
        sum.value -= DELTA
        rounds -= 1

def challenge2():
    def get_level2jar():
        with open("C:\\Users\\23957\\Desktop\\Syclock\\liblevel2.so", "rb") as f:
            d = f.read()

        # get size
        size_tuple = (hex(d[-4]), hex(d[-3]), hex(d[-2]), hex(d[-1]))
        size = ""
        for s in size_tuple[::-1]:
            size += s[2:]
        size = int(size, 16)

        # get md5
        st = -20
        md5 = []
        for i in range(16):
            md5.append(d[st+i])
        md5_to_arr4 = []
        for i in range(4):
            tmp = md5[i*4:i*4+4]
            tmp = tmp[::-1]
            tmp = "".join(hex(t)[2:] for t in tmp)
            md5_to_arr4.append(int(tmp, 16))

        # get key
        st = -52
        key = []
        for i in range(0x20):
            key.append(d[st+i])

        # get level2.jar
        st = -52 - size
        filedata = []
        for i in range(size):
            filedata.append(d[st+i])

        # decrypt
        cipher = []
        for i in range(0, len(filedata), 4):
            dd = [hex(filedata[i+j])[2:].zfill(2) for j in range(4)]
            dd = dd[::-1]
            n = "".join(dd)
            n = int(n, 16)
            cipher.append(c_uint32(n))
        decrypt(cipher, len(cipher), md5_to_arr4)

        # save to level2.jar
        out = []
        for i in range(len(cipher)):
            dd = hex(cipher[i].value)[2:].zfill(8)
            dd = [int(dd[j*2:j*2+2], 16) for j in range(4)]
            dd = dd[::-1]
            out += dd
        with open("C:\\Users\\23957\\Desktop\\Syclock\\level2.jar", "wb") as f:
            for dd in out:
                f.write(dd.to_bytes(1, 'little'))
    
    def get_flag():
        target = [90, 80, 70, 91, 93, 80, 93, 71, 82, 65, 90, 110]
        for i in range(11, 0, -1):
            target[i] = target[i-1] ^ target[i]
        for i in range(11, -1, -1):
            target[i] = target[(i+1)%12] ^ target[i]
        for t in target:
            print(chr(t), end = "")

    get_level2jar()
    print("challenge2_flag:", end = "")
    get_flag()
    print("")

challenge0()
challenge1()
challenge2()
# flag{gooduserv4ndroidisfun}

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
# @Time  : 2023/07/18 10:31:52
# @Author: wd-2711
'''


import time

class citys():
    def __init__(self, data):
        self.data = data

    def get_neighbours_info_by_index(self, index):
        info = self.data[index]
        neighbours = info[1]
        neighbours_ind = []
        neighbours_distance = []
        neighbours_cost = []
        for n in neighbours:
            neighbours_ind.append(n[0]-1800)
            neighbours_distance.append(n[1])
            neighbours_cost.append({
                "transportation": n[2][0],
                "time": n[2][1],
                "expense": n[2][2],
            })
        return neighbours_ind, neighbours_distance, neighbours_cost

    def get_delta_by_index(self, index):
        info = self.data[index]
        delta = info[2]
        return delta

    def __len__(self):
        return len(self.data)

def parse_data():
    path = "./gson/gson.json"
    with open(path, 'r') as f:
        lines = f.read().strip().replace(" ", ",").replace("{", "[").replace("}", "]")
    lines = eval(lines)
    return citys(lines)    

expense_gate = 0x0AA000000
target2_gate = 0xC4E0
target2_add_8_gate = 0xD898
valid_city_delta_gate = 0x83
st_index = 2
ed_index = 0x7C2 - 1800
arr = "fedcba9876543210"
citys_info = parse_data()

def find_path():
    ret = {}

    path_seq = [[st_index]]
    expense_seq = [1]
    target2_seq = [0x186A0]
    target2_add_8_seq = [0]
    valid_city_delta_seq = [0]
    
    st = time.time()
    i = 0
    while True:
        i += 1
        if i % 10000 == 0:
            print("path_seq:{:<10}|time:{:<10}|max_path_len:{:<10}".format(len(path_seq), int(time.time()-st), len(path_seq[-1])))

        head_path = path_seq[0]
        head_expense = expense_seq[0]
        head_target2 = target2_seq[0]
        head_target2_add_8 = target2_add_8_seq[0]
        head_valid_city_delta = valid_city_delta_seq[0]

        if len(head_path) == 32:
            break

        now_index = head_path[-1]
        neighbours_ind, neighbours_distance, neighbours_cost = citys_info.get_neighbours_info_by_index(now_index)
        delta = citys_info.get_delta_by_index(now_index)
        neighbours_len = len(neighbours_ind)

        for j in range(neighbours_len):
            new_path = head_path + [neighbours_ind[j]]
            new_expense = (head_expense * neighbours_cost[j]['expense']) & 0xFFFFFFFF
            new_target2 = head_target2 - neighbours_cost[j]['transportation']
            new_target2_add_8 = head_target2_add_8 + neighbours_distance[j]
            new_valid_city_delta = head_valid_city_delta + delta

            if neighbours_cost[j]['transportation'] != 1600:
                continue
            if new_target2 < target2_gate or new_target2_add_8 > target2_add_8_gate or new_valid_city_delta > valid_city_delta_gate:
                continue
            if new_path[-1] in new_path[:-1]:
                continue
            if new_path[-1] == ed_index and len(new_path) < 32:
                continue
            if len(new_path) > 32:
                continue
            if new_path[-1] == ed_index and len(new_path) == 32 and new_target2 == target2_gate and new_target2_add_8 == target2_add_8_gate and new_valid_city_delta == valid_city_delta_gate:
                if new_expense == expense_gate:
                    ret['path'] = new_path
                    return ret
                continue
            
            path_seq.append(new_path)
            expense_seq.append(new_expense)
            target2_seq.append(new_target2)
            target2_add_8_seq.append(new_target2_add_8)
            valid_city_delta_seq.append(new_valid_city_delta)

        path_seq = path_seq[1:]
        expense_seq = expense_seq[1:]
        target2_seq = target2_seq[1:]
        target2_add_8_seq = target2_add_8_seq[1:]
        valid_city_delta_seq = valid_city_delta_seq[1:]
    
def get_flag():
    p = find_path()
    path = p['path']
    tmp5 = 0
    print("SCTF{", end = "")
    for i in range(len(path)-1):
        node_index = path[i]
        next_node_index = path[i+1]
        rax = tmp5 & 0xF
        new_arr = arr[:0x10-rax] + arr[:rax]
        neighbours, _, _ = citys_info.get_neighbours_info_by_index(node_index)
        tmp = neighbours.index(next_node_index)
        flag_c = new_arr[tmp]
        print(flag_c, end = "")
        tmp5 += 4
    print("}")

if __name__ == "__main__":
    get_flag()
# SCTF{dfedfcdefdecdefdccffeddceddecdf}