Skip to content

Instantly share code, notes, and snippets.

@Jinmo

Jinmo/1.cs Secret

Last active January 1, 2017 18:58
Show Gist options
  • Save Jinmo/eb352fa3745997673679772e537a6ccb to your computer and use it in GitHub Desktop.
Save Jinmo/eb352fa3745997673679772e537a6ccb to your computer and use it in GitHub Desktop.
Download ZIP
Christmas CTF 2016 Gift - Inline IL (See README.md for writeup)
Raw
1.cs
public class hello : @object
{
public static int[] a(byte a, byte b, byte c, byte d, byte e, byte f, byte g, byte h)
{
int num = ((int)a << 8) + (int)b;
int num2 = ((int)c << 8) + (int)d;
int num3 = ((int)e << 8) + (int)f;
int num4 = ((int)g << 8) + (int)h;
int[] array = new int[]
{
num ^ num2,
num ^ num3,
num ^ num4,
num2 ^ num3,
num2 ^ num4,
num3 ^ num4
};
byte[] array2 = new byte[6];
int[] array3 = new int[6];
int num5 = 0;
int num6 = array;
for (int i = 0; i < num6.Length; i++)
{
int num7 = num6[i];
int num8 = 0;
int num9 = 0;
int num10 = (num7 == 43774) ? 1 : 0;
if (num10 != 0)
{
array2[0] = 21;
int num11 = array[0] & array[1];
int num12 = 8483354;
num8 = num12 % num11 << 4;
num8 /= 10;
}
else
{
int num13 = (num7 == 40150) ? 1 : 0;
if (num13 != 0)
{
array2[1] = 6;
int num11 = array[2] | array[1];
num8 = (num11 << 4 | num11 >> 16);
}
else
{
int num14 = (num7 == 12335) ? 1 : 0;
if (num14 != 0)
{
array2[4] = 28;
num9 = 30583;
num8 = 43690;
int num12 = 34952;
num8 += num9 * num12 / num8;
}
else
{
int num15 = (num7 == 12316) ? 1 : 0;
if (num15 != 0)
{
array2[1] = 7;
num9 = (num7 & 65280) >> 8;
int num11 = (int)b ^ num9;
num9 = num11;
}
else
{
int num16 = (num7 == 55223) ? 1 : 0;
if (num16 != 0)
{
array2[4] = 28;
num9 = 30583;
num8 = 43690;
int num12 = 34952;
num8 += num9 * num12 / num8;
}
else
{
int num17 = (num7 == 28389) ? 1 : 0;
if (num17 != 0)
{
array2[1] = 3;
int num11 = 28389;
num9 = (num11 ^ 2) % 256;
}
else
{
int num18 = (num7 == 12375) ? 1 : 0;
if (num18 != 0)
{
array2[5] = 19;
num9 = (num7 & 65280) >> 8;
int num11 = (int)f ^ num9;
num9 = num11;
}
else
{
int num19 = (num7 == 52450) ? 1 : 0;
if (num19 != 0)
{
array2[4] = 18;
num9 = (num7 & 65280) >> 8;
int num11 = num9 | num9 + 6177;
}
else
{
int num20 = (num7 == 27198) ? 1 : 0;
if (num20 != 0)
{
array2[1] = 81;
int num11 = 20100;
num8 += (num11 | num11 % 33);
}
else
{
int num21 = (num7 == 6372) ? 1 : 0;
if (num21 != 0)
{
array2[2] = 31;
int num11 = num8 * 20;
num11 = num8 + 4136;
}
else
{
int num22 = (num7 == 57150) ? 1 : 0;
if (num22 != 0)
{
array2[1] = 4;
num8 = (int)array2[1] + 641;
num9 = num8 * 16;
int num11 = num9 % 370;
}
else
{
int num23 = (num7 == 63171) ? 1 : 0;
if (num23 != 0)
{
array2[4] = 20;
num9 = 63171;
int num11 = 1578785;
num8 = num11 % num9;
}
else
{
int num24 = (num7 == 75) ? 1 : 0;
if (num24 != 0)
{
array2[2] = 10;
num9 = (num7 & 65280) >> 8;
int num11 = (int)c ^ num9;
num9 = num11;
}
else
{
int num25 = (num7 == 63264) ? 1 : 0;
if (num25 != 0)
{
array2[3] = 23;
num9 = (num7 & 65280) >> 8;
int num11 = 16;
num9 += num11;
}
else
{
int num26 = (num7 == 65234) ? 1 : 0;
if (num26 != 0)
{
array2[4] = 172;
num9 = (num7 & 65280) >> 18;
num8 = num9 + 18;
int num11 = num8 * num8;
}
else
{
int num27 = (num7 == 46339) ? 1 : 0;
if (num27 != 0)
{
array2[1] = 12;
num9 = num7 - 291;
num8 = (num9 & num9 << 4);
}
else
{
int num28 = (num7 == 12633) ? 1 : 0;
if (num28 != 0)
{
array2[0] = 0;
num9 = (num7 & 65280) >> 8;
int num11 = (int)a ^ num9;
num9 = num11;
}
else
{
int num29 = (num7 == 12562) ? 1 : 0;
if (num29 != 0)
{
array2[4] = 17;
num9 = (num7 & 65280) >> 8;
int num11 = (int)e ^ num9;
num9 = num11;
}
else
{
int num30 = (num7 == 325) ? 1 : 0;
if (num30 != 0)
{
array2[3] = 16;
num9 = (num7 & 65280) >> 8;
int num11 = (int)d ^ num9;
num9 = num11;
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
array3[num5] = ((int)array2[num5] << 8) + num9;
num5++;
}
return array3;
}
}
Raw
1.il
// metadata version: v2.0.50215
.assembly extern mscorlib
{
.publickeytoken = (b7 7a 5c 56 19 34 e0 89 ) // .z\v.4..
.ver 2:0:0:0
}
.assembly sample
{
.custom instance void [mscorlib]system.runtime.compilerservices.compilationrelaxationsattribute::.ctor(int32) = ( 01 00 08 00 00 00 00 00 )
.hash algorithm 0x00008004
.ver 0:0:0:0
}
.module sample.exe
// mvid: {a224f460-a049-4a03-9e71-80a36dbbbcd3}
.imagebase 0x00400000
.file alignment 0x00000200
.stackreserve 0x00100000
.subsystem 0x0003 // windows_cui
.corflags 0x00000001 // ilonly
// image base: 0x02f20000
.class public auto ansi beforefieldinit hello
extends [mscorlib]system.object
{
.method public static int32[] a(uint8 a, uint8 b, uint8 c, uint8 d, uint8 e, uint8 f, uint8 g, uint8 h) cil managed
{
.entrypoint
.maxstack 80
.locals init (
[0] int32,
[1] int32,
[2] int32,
[3] int32,
[4] int32[],
[5] uint8[],
[6] int32[],
[7] int32,
[8] int32,
[9] int32,
[10] int32,
[11] int32,
[12] int32,
[13] int32,
[14] int32,
[15] int32,
[16] int32,
[17] int32,
[18] int32,
[19] int32,
[20] int32,
[21] int32,
[22] int32,
[23] int32,
[24] int32,
[25] int32,
[26] int32,
[27] int32,
[28] int32,
[29] int32,
[30] int32,
[31] int32,
[32] int32,
[33] int32,
[34] int32,
[35] int32,
[36] int32,
[37] int32,
[38] int32,
[39] int32,
[40] int32,
[41] int32,
[42] int32,
[43] int32,
[44] int32
)
nop
ldarg.0
ldc.i4.8
shl
ldarg.1
add
stloc.0
ldarg.2
ldc.i4.8
shl
ldarg.s 3
add
stloc.1
ldarg.s 4
ldc.i4.8
shl
ldarg.s 5
add
stloc.2
ldarg.s 6
ldc.i4.8
shl
ldarg.s 7
add
stloc.3
ldc.i4.6
newarr [mscorlib]System.Int32
dup
ldc.i4.0
ldloc.0
ldloc.1
xor
stelem.i4
dup
ldc.i4.1
ldloc.0
ldloc.2
xor
stelem.i4
dup
ldc.i4.2
ldloc.0
ldloc.3
xor
stelem.i4
dup
ldc.i4.3
ldloc.1
ldloc.2
xor
stelem.i4
dup
ldc.i4.4
ldloc.1
ldloc.3
xor
stelem.i4
dup
ldc.i4.5
ldloc.2
ldloc.3
xor
stelem.i4
stloc.s 4
ldc.i4.6
newarr uint8
stloc.s 5
ldc.i4.6
newarr int32
stloc.s 6
ldc.i4.0
stloc.s 11
nop
ldloc.s 4
stloc.s 12
ldc.i4.0
stloc.s 13
br label3
label4:
ldloc.s 12
ldloc.s 13
ldelem.i4
stloc.s 14
nop
ldc.i4.0
stloc.s 7
ldc.i4.0
stloc.s 8
ldc.i4.0
stloc.s 9
ldc.i4.0
stloc.s 10
ldloc.s 14
ldc.i4 43774
ceq
stloc.s 15
ldloc.s 15
brfalse.s label6
nop
ldloc.s 5
ldc.i4.0
ldc.i4.s 21
stelem.i1
ldloc.s 4
ldc.i4.0
ldelem.i4
ldloc.s 4
ldc.i4.1
ldelem.i4
and
stloc.s 7
ldc.i4 8483354
stloc.s 8
ldloc.s 8
ldloc.s 7
rem
ldc.i4.4
shl
stloc.s 9
ldloc.s 9
ldc.i4.s 10
div
stloc.s 9
nop
br label5
label6:
ldloc.s 14
ldc.i4 40150
ceq
stloc.s 16
ldloc.s 16
brfalse.s label7
nop
ldloc.s 5
ldc.i4.1
ldc.i4.6
stelem.i1
ldloc.s 4
ldc.i4.2
ldelem.i4
ldloc.s 4
ldc.i4.1
ldelem.i4
or
stloc.s 7
ldloc.s 7
ldc.i4.4
shl
ldloc.s 7
ldc.i4.s 16
shr
or
stloc.s 9
nop
br label5
label7:
ldloc.s 14
ldc.i4 12335
ceq
stloc.s 17
ldloc.s 17
brfalse.s label8
nop
ldloc.s 5
ldc.i4.4
ldc.i4.s 28
stelem.i1
ldc.i4 30583
stloc.s 10
ldc.i4 43690
stloc.s 9
ldc.i4 34952
stloc.s 8
ldloc.s 9
ldloc.s 10
ldloc.s 8
mul
ldloc.s 9
div
add
stloc.s 9
nop
br label5
label8:
ldloc.s 14
ldc.i4 12316
ceq
stloc.s 18
ldloc.s 18
brfalse.s label9
nop
ldloc.s 5
ldc.i4.1
ldc.i4.s 7
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldarg.1
ldloc.s 10
xor
stloc.s 7
ldloc.s 7
stloc.s 10
nop
br label5
label9:
ldloc.s 14
ldc.i4 55223
ceq
stloc.s 19
ldloc.s 19
brfalse.s label10
nop
ldloc.s 5
ldc.i4.4
ldc.i4.s 28
stelem.i1
ldc.i4 30583
stloc.s 10
ldc.i4 43690
stloc.s 9
ldc.i4 34952
stloc.s 8
ldloc.s 9
ldloc.s 10
ldloc.s 8
mul
ldloc.s 9
div
add
stloc.s 9
nop
br label5
label10:
ldloc.s 14
ldc.i4 28389
ceq
stloc.s 20
ldloc.s 20
brfalse.s label11
nop
ldloc.s 5
ldc.i4.1
ldc.i4.3
stelem.i1
ldc.i4 28389
stloc.s 7
ldloc.s 7
ldc.i4.2
xor
ldc.i4 256
rem
stloc.s 10
nop
br label5
label11:
ldloc.s 14
ldc.i4 12375
ceq
stloc.s 21
ldloc.s 21
brfalse.s label12
nop
ldloc.s 5
ldc.i4.5
ldc.i4.s 19
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldarg.s 5
ldloc.s 10
xor
stloc.s 7
ldloc.s 7
stloc.s 10
nop
br label5
label12:
ldloc.s 14
ldc.i4 52450
ceq
stloc.s 22
ldloc.s 22
brfalse.s label13
nop
ldloc.s 5
ldc.i4.4
ldc.i4.s 18
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldloc.s 10
ldloc.s 10
ldc.i4 6177
add
or
stloc.s 7
ldloc.s 7
stloc.s 9
nop
br label5
label13:
ldloc.s 14
ldc.i4 27198
ceq
stloc.s 23
ldloc.s 23
brfalse.s label14
nop
ldloc.s 5
ldc.i4.1
ldc.i4.s 81
stelem.i1
ldc.i4 20100
stloc.s 7
ldloc.s 9
ldloc.s 7
ldloc.s 7
ldc.i4.s 33
rem
or
add
stloc.s 9
nop
br label5
label14:
ldloc.s 14
ldc.i4 6372
ceq
stloc.s 24
ldloc.s 24
brfalse.s label15
nop
ldloc.s 5
ldc.i4.2
ldc.i4.s 31
stelem.i1
ldloc.s 9
ldc.i4.s 20
mul
stloc.s 7
ldloc.s 9
ldc.i4 4136
add
stloc.s 7
nop
br label5
label15:
ldloc.s 14
ldc.i4 57150
ceq
stloc.s 25
ldloc.s 25
brfalse.s label16
nop
ldloc.s 5
ldc.i4.1
ldc.i4.4
stelem.i1
ldloc.s 5
ldc.i4.1
ldelem.u1
ldc.i4 641
add
stloc.s 9
ldloc.s 9
ldc.i4.s 16
mul
stloc.s 10
ldloc.s 10
ldc.i4 370
rem
stloc.s 7
nop
br label5
label16:
ldloc.s 14
ldc.i4 63171
ceq
stloc.s 27
ldloc.s 27
brfalse.s label18
nop
ldloc.s 5
ldc.i4.4
ldc.i4.s 20
stelem.i1
ldc.i4 63171
stloc.s 10
ldc.i4 1578785
stloc.s 7
ldloc.s 7
ldloc.s 10
rem
stloc.s 9
nop
br label5
label18:
ldloc.s 14
ldc.i4.s 75
ceq
stloc.s 28
ldloc.s 28
brfalse.s label19
nop
ldloc.s 5
ldc.i4.2
ldc.i4.s 10
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldarg.2
ldloc.s 10
xor
stloc.s 7
ldloc.s 7
stloc.s 10
nop
br label5
label19:
ldloc.s 14
ldc.i4 63264
ceq
stloc.s 29
ldloc.s 29
brfalse.s label20
nop
ldloc.s 5
ldc.i4.3
ldc.i4.s 23
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldc.i4.s 16
stloc.s 7
ldloc.s 10
ldloc.s 7
add
stloc.s 10
nop
br label5
label20:
ldloc.s 14
ldc.i4 65234
ceq
stloc.s 30
ldloc.s 30
brfalse.s label21
nop
ldloc.s 5
ldc.i4.4
ldc.i4 172
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.s 18
shr
stloc.s 10
ldloc.s 10
ldc.i4.s 18
add
stloc.s 9
ldloc.s 9
ldloc.s 9
mul
stloc.s 7
nop
br label5
label21:
ldloc.s 14
ldc.i4 46339
ceq
stloc.s 31
ldloc.s 31
brfalse.s label22
nop
ldloc.s 5
ldc.i4.1
ldc.i4.s 12
stelem.i1
ldloc.s 14
ldc.i4 291
sub
stloc.s 10
ldloc.s 10
ldloc.s 10
ldc.i4.4
shl
and
stloc.s 9
ldloc.s 9
stloc.s 7
nop
br label5
label22:
ldloc.s 14
ldc.i4 12633
ceq
stloc.s 32
ldloc.s 32
brfalse.s label23
nop
ldloc.s 5
ldc.i4.0
ldc.i4.0
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldarg.0
ldloc.s 10
xor
stloc.s 7
ldloc.s 7
stloc.s 10
nop
br label5
label23:
ldloc.s 14
ldc.i4 12562
ceq
stloc.s 33
ldloc.s 33
brfalse.s label24
nop
ldloc.s 5
ldc.i4.4
ldc.i4.s 17
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldarg.s 4
ldloc.s 10
xor
stloc.s 7
ldloc.s 7
stloc.s 10
nop
br.s label5
label24:
ldloc.s 14
ldc.i4 325
ceq
stloc.s 35
ldloc.s 35
brfalse.s label26
nop
ldloc.s 5
ldc.i4.3
ldc.i4.s 16
stelem.i1
ldloc.s 14
ldc.i4 65280
and
ldc.i4.8
shr
stloc.s 10
ldarg.s 3
ldloc.s 10
xor
stloc.s 7
ldloc.s 7
stloc.s 10
nop
br.s label5
label26:
nop
nop
label5:
ldloc.s 6
ldloc.s 11
ldloc.s 5
ldloc.s 11
ldelem.u1
ldc.i4.8
shl
ldloc.s 10
add
stelem.i4
ldloc.s 11
ldc.i4.1
add
stloc.s 11
nop
ldloc.s 13
ldc.i4.1
add
stloc.s 13
label3:
ldloc.s 13
ldloc.s 12
ldlen
conv.i4
blt label4
ldloc.s 6
ret
} // end of method hello::main
} // end of class hello
Raw
1.simplified.cs
using system;
using System;
public class hello: @object {
public static int[] a(byte a, byte b, byte c, byte d, byte e, byte f, byte g, byte h) {
int num = ((int) a << 8) + (int) b;
int num2 = ((int) c << 8) + (int) d;
int num3 = ((int) e << 8) + (int) f;
int num4 = ((int) g << 8) + (int) h;
int[] array = new int[] {
num ^ num2,
num ^ num3,
num ^ num4,
num2 ^ num3,
num2 ^ num4,
num3 ^ num4
};
byte[] array2 = new byte[6];
int[] array3 = new int[6];
int num5 = 0;
int num6 = array;
for (int i = 0; i < num6.Length; i++) {
int num7 = num6[i];
int num8 = 0;
int num9 = 0;
if(num7 == 12316) {
array2[1] = 7;
num9 = 0x30;
int num11 = (int) b ^ num9;
num9 = num11;
}
if(num7 == 12375) {
array2[5] = 19;
num9 = 0x30;
int num11 = (int) f ^ num9;
num9 = num11;
}
if(num7 == 75) {
array2[2] = 10;
num9 = 0;
int num11 = (int) c ^ num9;
num9 = num11;
}
if(num7 == 12633) {
array2[0] = 0;
num9 = 0x31;
int num11 = (int) a ^ num9;
num9 = num11;
}
if(num7 == 12562) {
array2[4] = 17;
num9 = 0x31;
int num11 = (int) e ^ num9;
num9 = num11;
}
if(num7 == 325) {
array2[3] = 16;
num9 = 1;
int num11 = (int) d ^ num9;
num9 = num11;
}
array3[num5] = ((int) array2[num5] << 8) + num9;
num5++;
}
return array3;
}
}
Raw
README.md

Reversing the binary

There are ILs generating ILs in two way:

  1. by using opcodes

  2. by bytes (which are XORed by result of 1)

  3. by using opcodes

// CrackMe.Form1
public static Type IIIIIllllIIIIlllIlllIIIlIIlIll11II1Ill()
{
	AppDomain domain = Thread.GetDomain();
	AssemblyBuilder assemblyBuilder = domain.DefineDynamicAssembly(new AssemblyName
	{
		Name = "IIIII1111I1111II11I1I1I11I11I1I11"
	}, AssemblyBuilderAccess.Run);
	ModuleBuilder moduleBuilder = assemblyBuilder.DefineDynamicModule("IIIIIIllllllIIIll1111llllIII");
	TypeBuilder typeBuilder = moduleBuilder.DefineType("IIIII11111II1111II1I11I1llllll", TypeAttributes.Public);
	MethodBuilder methodBuilder = typeBuilder.DefineMethod("IIIIllllIIllIIIIlllIIIIIIIIIIlllIIllIIlIlIlIlllllIIIllllllIIIIl", MethodAttributes.FamANDAssem | MethodAttributes.Family | MethodAttributes.Static, typeof(int[]), new Type[]
	{
		typeof(byte),
		typeof(byte),
		typeof(byte),
		typeof(byte),
		typeof(byte),
		typeof(byte),
		typeof(byte),
		typeof(byte)
	});
	ILGenerator iLGenerator = methodBuilder.GetILGenerator();
	Label label = iLGenerator.DefineLabel();
	Label label2 = iLGenerator.DefineLabel();
...
	iLGenerator.Emit(OpCodes.Nop);
	iLGenerator.Emit(OpCodes.Ldarg_0);
	iLGenerator.Emit(OpCodes.Ldc_I4_8);
	iLGenerator.Emit(OpCodes.Shl);
	iLGenerator.Emit(OpCodes.Ldarg_1);
	iLGenerator.Emit(OpCodes.Add);
	iLGenerator.Emit(OpCodes.Stloc_0);
	iLGenerator.Emit(OpCodes.Ldarg_2);
...
	return typeBuilder.CreateType();

And this function has input from user.

// CrackMe.Form1
private void button1_Click(object sender, EventArgs e)
{
	string text = this.textBox1.Text;
	bool flag = text == null || text.Length != 8;
	if (flag)
	{
		MessageBox.Show("ILKey variable must have 8 characters.");
	}
	else
	{
		this.IIIIllllIIllIIIIlllIIIIIIIIIIlllIIllIIlIlIlIl(text);
	}
}

And..

// CrackMe.Form1
private void IIIIllllIIllIIIIlllIIIIIIIIIIlllIIllIIlIlIlIl(string I1111lll11l1111ll111l)
{
	byte[] bytes = Encoding.ASCII.GetBytes(I1111lll11l1111ll111l);
	Type type = Form1.IIIIIllllIIIIlllIlllIIIlIIlIll11II1Ill();
	int num = 0;
	object target = Activator.CreateInstance(type, new object[0]);
	object obj = type.InvokeMember("IIIIllllIIllIIIIlllIIIIIIIIIIlllIIllIIlIlIlIlllllIIIllllllIIIIl", BindingFlags.InvokeMethod, null, target, new object[]
	{
		bytes[0],
		bytes[1],
		bytes[2],
		bytes[3],
		bytes[4],
		bytes[5],
		bytes[6],
		bytes[7]
	});
	IEnumerable enumerable = obj as IEnumerable;
	bool flag = enumerable != null;
	if (flag)
	{
		foreach (object current in enumerable)
		{
			int num2 = (int)current;
			this.l1l1111l11IllI1l1IIl[num] = (byte)((num2 & 65280) >> 8);
			this.l1l111l1l11l1l1l1l11l[num] = (byte)(num2 & 255);
			num++;
		}
	}
	this.button3.Visible = true;
}

The array initialized on the binary is used on XOR-ing opcode bytes on 2.

// CrackMe.Form1
public byte[] lIIl11111111111111111111111llllllllll11111111 = new byte[]
{
	112,
	3,
	88,
	4,
	90,
	5,
	90,
	86,
	4,
	97,
	124,
	5,
	89,
	2,
	3,
	4,
	22,
	100,
	38,
	110
};

// CrackMe.Form1
private void button3_Click(object sender, EventArgs e)
{
	for (int i = 0; i < 6; i++)
	{
		byte b = this.lIIl11111111111111111111111llllllllll11111111[(int)this.l1l1111l11IllI1l1IIl[i]] ^ this.l1l111l1l11l1l1l1l11l[i];
		this.lIIl11111111111111111111111llllllllll11111111[(int)this.l1l1111l11IllI1l1IIl[i]] = b;
	}
...

So the array is used on XOR location-XOR value pair. Let's reverse function on 1. First, I could recompile it by ilasm + some replacements. I've attached the IL source code. After compilation, I gave it to ILSpy again. I've attached the decompiled C# source code. Since the returned value is used on XOR location-XOR value, the location must be in the range of opcode array index(0~20).

So some if-elses and some invalid conditions can be removed. I've attached the simplified IL source code. There are multiple input[i]^input[j]=CONSTANT like expressions, so I just feeded it to Z3, removing some cases by seeing it on IL. IL can be viewed on IDA Pro, using IDAPython.

[PatchBytes(here()+i, s[i]) for i in range(len(s))] # s is opcode array.

And I've attached final solution code too. It uses Z3Py.

Raw
solve.py
from z3 import *
from itertools import permutations
blacklist = ''
opcode = [
112,
3,
88,
4,
90,
5,
90,
86,
4,
97,
124,
5,
89,
2,
3,
4,
22,
100,
38,
110
]
xors = [12316, 12375, 75, 12633, 12562, 325]
a, b, c, d, e, f, g, h = BitVecs('a b c d e f g h', 8)
num = Concat(a, b)
num2 = Concat(c, d)
num3 = Concat(e, f)
num4 = Concat(g, h)
for cc in permutations(xors, len(xors)):
s = Solver()
s.add(*[x == y for x, y in zip([
num ^ num2,
num ^ num3,
num ^ num4,
num2 ^ num3,
num2 ^ num4,
num3 ^ num4
], cc)])
s.add(a == ord('C'))
s.add(b == ord('h'))
s.add(c == ord('r'))
s.add(d == ord('1'))
s.add(e == ord('s'))
s.add(f == ord('t'))
for x in [a, b, c, d, e, f, g, h]:
s.add(x >= 32)
s.add(x <= 126)
for y in blacklist:
s.add(x != ord(y))
if s.check() == sat:
model = s.model()
s = bytearray([model[x].as_long() for x in a, b, c, d, e, f, g, h])
table = {0: s[0]^0x31, 7: s[1]^0x30, 10: s[2]^0, 16: s[3]^1, 17: s[4]^0x31, 19: s[5]^0x30}
curopcode = opcode
for key, value in table.items():
curopcode[key] ^= value
print s
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment