  1. C++异常化处理

  2. OLLVM-控制流平坦化

  3. Two Puzzles


一般碰到C++异常逆向,确定了异常分发、处理部分,直接把call throw改为jmp catch块,再F5即可。
PS: 多个catch块根据rdx来当为异常处理数值决定哪个为对应的catch块。


参考Write up:
lchild师傅的Write up(pdf所以没法给链接)


程序最先开始运行的是 407629,这里我们可以输入上下左右箭头与特定的数字。
  • 如果是数字,程序读取加密进行存放

  • 如果是箭头,会继续进行处理


Official Write up: The value of the first field of the thrown StdObfException object comes from the second input passed to the construct of StdObfException.

那么异常处理先不深究,继续回来箭头如何处理这个问题。那么箭头其实为三字节码,上下左右箭头分别对应 ^[[A ^[[B ^[[C ^[[D。此时开始动调,我第一次输入为上箭头,同时注意RAX。
那么在 407629 第一次处理箭头会读取为1B。
随后到 40553A 读取为5B。
最后到达 405676 可以发现我们的上箭头代码所对应的字符为A。


  1. 函数的开始地址为序言(Prologue)的地址

  2. 序言的后继为主分发器(Main dispatcher)

  3. 后继为主分发器的块为预处理器(Predispatcher)

  4. 后继为预处理器的块为真实块(Relevant blocks)

  5. 无后继的块为retn块

  6. 剩下的为无用块与子分发器(Sub dispatchers)

  1. 静态分析CFG得到序言/入口块(Prologue)、主分发器(Main dis。

  2. patcher)、子分发器/无用块(Sub dispatchers)、真实块(Relevant blocks)、预分发器(Predispatcher)和返回块(Return)。

  3. 利用符号执行恢复真实块的前后关系,重建控制流。

  4. 根据第二步重建的控制流Patch程序,输出恢复后的可执行文件。



对于最基本的thown catch不再赘述,这篇讲到很清楚:




没找到相应的catch,调用 std::terminate() (这个函数是把程序abort)。


程序中catch的代码块有个专有名词:Landing pad

3、从抛异常到开始 -> 执行Landing pad代码 这整个过程叫作Stack unwind。

Stack unwind
从抛异常函数开始,对调用链上的函数逐个往前查找Landing pad。
如果没有找到Landing pad则把程序abort,如果找到则记下Landing pad的位置,再重新回到抛异常的函数那里开始,一帧一帧地清理调用链上各个函数内部的局部变量,直到 landing pad 所在的函数为止。
void func1(){  cs a; // stack unwind时被析构。  throw 3;}
void func2(){ cs b; func1();}
void func3(){ cs c; try { func2(); } catch (int) { //进入这里之前, func1, func2已经被unwind. }}
stack unwind的过程可以简单看成函数调用的逆过程,这个过程在实现上由一个专门的stack unwind库来实现。
  • stack unwind库在intel平台上

  • 属于Itanium ABI 接口中的一部分

  • 与具体的语言无关,由系统实现

  • 任何上层语言都可以通过这个接口的基础实现各自的异常处理

  • GCC就是通过这个接口实现C++的异常处理

Itanium C++ ABI

ltanium C++ ABI定义了一系列函数以及数据结构来建立整个异常处理的流程及框架,主要函数包括以下列:
其中 _Unwind_RaiseException() 函数进行stack unwind,它在用户执行throw的时被调用。
从当前函数开始,对调用链上的每一个函数都调用一个叫做 personality routine 的函数(__gxx_personality_v0)。
personality routine 该函数由上层的语言定义及提供实现。
_Unwind_RaiseException() 会在内部把函数栈调用现场重现,然后传给 personality routine,该函数主要做两件事情:
那么稍稍总结一下,就是当程序抛出异常就要进行 stack unwind 操作。
而这个操作具体是 _Unwind_RaiseException() 中的 personality routine() 实现了检查catch和清理栈上的局部变量。


基于前面介绍的 ltanium ABI,编译器层面也定义了一系列 ABI 与之交互。
当我们在代码中写下 throw xxx,编译器会分配一个数据结构 __cxa_exception 来表示该异常,该异常也有一个头部,定义如下:
struct __cxa_exception{  std::type_info *    exceptionType;  void (*exceptionDestructor) (void *);  unexpected_handler    unexpectedHandler;  terminate_handler    terminateHandler;  __cxa_exception *    nextException;
int handlerCount; int handlerSwitchValue; const char * actionRecord; const char * languageSpecificData; void * catchTemp; void * adjustedPtr;
_Unwind_Exception unwindHeader;};
当用户 throw 一个异常时,编译器会帮我们调用相应的函数分配出如下的结构:
其中 __cxa_exception 就是头部,exception_obj 则是 "throw xxx" 中的 xxx,这两部分在内存中是连续的。
  • 异常对象由函数 __cxa_allocate_exception() 进行创建

  • 最后由 __cxa_free_exception() 进行销毁

1、调用 cxa_allocate_exception 函数,分配一个异常对象(cxa_exception,数据结构如上)。
2、调用 __cxa_throw 函数,这个函数会将异常对象做一些初始化。
3、__cxa_throw() 调用 Itanium ABI 里的 _Unwind_RaiseException() 从而开始 unwind。
4、_Unwind_RaiseException() 对调用链上的函数进行 unwind 时,调用 personality routine()。
5、该异常如能被处理(有相应的 catch),则 personality routine 会依次对调用链上的函数进行清理。
6、_Unwind_RaiseException() 将控制权转到相应的catch代码。
7、unwind 完成,用户代码继续执行。


有了这些前置知识,再看题目中的异常,由前面描述可知实现 unwind stack 的具体过程是通过 __gxx_personality_v0(即personality routine)实现。
_Unwind_Reason_Code __fastcall _gxx_personality_v0(        int Version,        _Unwind_Action actions,        __int64 exceptionClass,        _Unwind_Exception *exceptionObject,        _Unwind_Context *context)
  1. 检查当前函数是否有相应的 catch 语句。

  2. 清理当前函数中的局部变量。

在personality routine()下的 scan_eh_tab() 该函数有我们最关心的两个值,同时也是魔改处。


Shfit + F1 -> INS 导入结构体。
struct scan_results{int64_t ttypeIndex;const uint8_t* actionRecord;const uint8_t* languageSpecificData;uintptr_t landingPad;void* adjustedPtr;_Unwind_Reason_Code reason;};
void scan_eh_tab(scan_results *results, _Unwind_Action actions, bool native_exception, _Unwind_Exception *unwind_exception, _Unwind_Context *context)
Landing pad
Landing pad(指向catch块的分发处,只单单拿到landing pad还不够,这时候还缺少一个对应异常类型ttypeIndex)。


最后的ttypeIndex由 thrown_object_ptr(由我们的第一段输入所决定的thrown_object_ptr) 和 原始固定固定typeIndex 决定。
Official Write up: And we have figured out that the ttypeIndex is determined by the first field of the thrown StdObfException object and the lptinfo passed to __cxa_throw. The value of the first field of the thrown StdObfException object comes from the second input passed to the construct of StdObfException.
the first field of the thrown StdObfException object 指的就是我们的输入。
the lptinfo passed to __cxa_throw 指的就是当 ___cxa_allocate_exception 创建的异常,也就是固定的。
现在知道了魔改后的流程是从哪里来到哪里去,人工方式就是跳到landing pad再设置rdx为ttypeIndex就可以到达我们所对应的catch块。


那么现在知道了routine personality 中的 scan_eh_tab被修改了,而IDA平常能识别throw catch这些块的原因就是这些正常的源码。
Prologue(入口块)-> Main dispatcher(主分发器)-> Sub dispathers(子分发器)-> Relevant blocks(真实块)-> Predispather(预分发器)-> Main dispatcher(主分发器)...
我们的下一个真实块取决于系统生产的lptinfo和我们的第一段输入所导致的StdObfException,在每个真实块的结束,我们不只是跳往与预分发器,而是调用 __cxa_throw 进行第二次调度,我们称二次调用为 second dispatch。
... -> main dispatcher -> sub dispatchers -> relevant block -> throw StdObfException exception -> Secondary dispatchers -> pre-dispatcher -> main dispatcher -> ...
除此之外,程序还抛出了一些真正的异常,对于这些异常,第二次调用发生于Landing pad末尾。
... -> main dispatcher -> sub dispatchers -> relevant block that throws real exceptions -> the according real LandingPad block -> throw StdObfException exception -> Secondary dispatchers -> pre-dispatcher -> main dispatcher -> ...
  1. 找到所有的真实块

  2. 找到真实块之间的关系

Find all relevant blocks

sub dispathers such as:cmpjx
isCmpRI = lambda instr: instr.mnemonic == "cmp" and\  hasattr(instr.operands[0], "_X86RegisterOperand__key") and\  hasattr(instr.operands[1], "_X86ImmediateOperand__key")isCJmp = lambda instr: instr.mnemonic.startswith("j") and \  instr.mnemonic != "jmp"isSubDispatcher = lambda bb: (len(bb.instrs) == 2) and\   isCmpRI(bb.instrs[0]) and isCJmp(bb.instrs[1])
class PatchHelper:  ## ......  # To get all cfgs  def block(self, addr):    bb = self.cfg.find_basic_block(addr)    if bb is None:      bb = barf.bb_builder.strategy._disassemble_bb(addr, barf.binary.ea_end, {})    return bb def get_relevant_blocks(cfg, patch_helper, main_dispatcher):  isCmpRI = lambda instr: instr.mnemonic == "cmp" and\    hasattr(instr.operands[0], "_X86RegisterOperand__key") and\    hasattr(instr.operands[1], "_X86ImmediateOperand__key")  isCJmp = lambda instr: instr.mnemonic.startswith("j") and \    instr.mnemonic != "jmp"  isSubDispatcher = lambda bb: (len(bb.instrs) == 2) and\     isCmpRI(bb.instrs[0]) and isCJmp(bb.instrs[1])  relevant_blocks = []  visited = set()  q = SimpleQueue()  q.put(patch_helper.block(main_dispatcher))  while not q.empty():    bb = q.get()    # Either Sub Patchers or Relevant blocks?    if isSubDispatcher(bb):      for succ, cond in bb.branches:        if succ in visited:          continue        q.put(patch_helper.block(succ))        visited.add(succ)    else:      relevant_blocks.append(bb)  return relevant_blocks
Relevant blocks:
*******************relevant blocks************************main_dispatcher:0x404a80relevant_blocks: ['0x409437', '0x406443', '0x404ab8', '0x408031', '0x407842', '0x407d31', '0x407437', '0x407f4f', '0x4076bd', '0x407a6b', '0x40723e', '0x407fc4', '0x409458', '0x407bc7', '0x40732f', '0x407ebc', '0x407566', '0x407960', '0x4070fa', '0x405e7a', '0x4078e3', '0x407e5a', '0x4074ca', '0x405c87', '0x407741', '0x407af5', '0x4072b4', '0x405ded', '0x4077b6', '0x407c6b', '0x4073a4', '0x405b29', '0x4075f9', '0x407a06', '0x4071aa', '0x406cfe', '0x406c94', '0x406ef0', '0x406859', '0x40707d', '0x406b62', '0x406f5f', '0x4065c9', '0x406e5d', '0x406a72', '0x406d7b', '0x406704', '0x406def', '0x406964', '0x40944b', '0x4064a5', '0x405469', '0x405a5f', '0x404fae', '0x40532c', '0x40589c', '0x404d58', '0x4053d3', '0x405923', '0x404ec5', '0x40529a', '0x4057b8', '0x404bc4', '0x405f2a', '0x4056f0', '0x406299', '0x4068f0', '0x4063b0', '0x406bf9', '0x406323', '0x406646', '0x40620f', '0x406b00', '0x4060e7', '0x4067bb', '0x40617c', '0x4069e3', '0x40606d', '0x406521', '0x4051fe', '0x405647', '0x404e14', '0x4055b5', '0x4050cc', '0x40550b', '0x404ca4']

Find the flow

Official Write up: A good idea is to abstract the throw StdObfException -> catch process and do the one basic block symbolic execution (You can refer to Deobfuscation: recovering an OLLVM-protected program(https://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html) or 利用符号执行去除控制流平坦化(https://security.tencent.com/index.php/blog/msg/112) for more information).
  • 40A3D4为我们catch块地址

  • _ZN18StdSubObfExceptionC2Ec为了打印异常类型

cmds = """\set pagination off b *0x40A3D4commands  silent  printf "landingPad: %x\\n", $rdx  continueend b _ZN18StdSubObfExceptionC2Eccommands  silent  printf "selector: %x\\n", $rsi  continueend define mytrace  break $arg0  commands    silent    printf "%x\\n", $pc    python gdb.execute('continue')  endend"""for bb in relevant_blocks:    cmds += (f"mytrace *{hex(bb.address)} \n")cmds += "run\n"with open("test.gdb", "w") as f:    f.write(cmds)
cat teatin0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef gdb inflated -x test.gdb --batch < testin > testout
于是可以获取真实块接下来的landing pad与异常类型。
Breakpoint 1 at 0x40a3d4......Breakpoint 88 at 0x404ca44075f9selector: 0landingPad: 4089bf4072b4selector: 0landingPad: 4085034075f9selector: 2landingPad: 4089bf4060e7selector: 0......40617cselector: 0landingPad: 409100409437[Inferior 1 (process 13732) exited normally]
def parse_logs(logfn, prologue, patch_helper):  with open(logfn, "r") as f:    t = f.readlines()  i = 0  selector_s = "selector: "  landingpad_s = "landingPad: "  relations = set()  laddr = prologue  lselector = 0  landingpad = 0  while i < len(t):    try:      addr = int(t[i], 16)    except:      i += 1      continue    if not laddr is None:      relations.add((laddr, lselector, addr))    if t[i+1].startswith(selector_s):      selector = int(t[i+1][len(selector_s):], 16)      i += 2    elif t[i+1].startswith(landingpad_s):      landingpad = int(t[i+1][len(landingpad_s):], 16)      relations.add((addr, -1, landingpad))      addr = landingpad      while not patch_helper.is_unreachable(patch_helper.block(addr).direct_branch):        addr = patch_helper.block(addr).direct_branch      if t[i+2].startswith(selector_s):        selector = int(t[i+2][len(selector_s):], 16)      i += 3    elif t[i+1].startswith("[Inferior "):      i += 1    else:      print("Warning: %x doesn't have selector. "%addr)      exit(0)    laddr = addr    lselector = selector  return list(relations) print('************************flow******************************')relations = parse_logs(sys.argv[3], prologue, patch_helper)relations.sort(key = lambda x:x)flow = {}for bb, selector, child in relations:  if bb in flow:    while len(flow[bb]) < selector:      flow[bb].append(-1)    flow[bb].append(child)    assert(len(flow[bb]) == selector+1)  else:    flow[bb] = [child]for (k, v) in list(flow.items()):    print('%#x:' % k, [hex(child) for child in v])
************************flow******************************0x404820: ['0x4075f9']0x404ab8: ['0x404ab8', '0x406c94']0x404bc4: ['0x407bc7']0x404ca4: ['0x406bf9']0x404ec5: ['0x4053d3']0x404fae: ['0x406b00']0x4051fe: ['0x40707d']0x4053d3: ['0x406521']0x405469: ['0x407d31']0x4056f0: ['0x405a5f', '0x4056f0']0x4057b8: ['0x404ab8']0x405923: ['0x405923', '0x406e5d']0x405a5f: ['0x4067bb']0x405b29: ['0x406964', '0x406646']0x405c87: ['0x405c87', '0x407437']0x405f2a: ['0x405f2a', '0x4063b0']0x4060e7: ['0x40723e']0x40617c: ['0x409437']0x40620f: ['0x405f2a']0x406299: ['0x404bc4', '0x4057b8']0x4063b0: ['0x4063b0', '0x405469']0x4064a5: ['0x406704', '0x40620f']0x406521: ['0x4074ca', '0x404bc4']0x4065c9: ['0x40723e']0x406646: ['0x406964']0x406704: ['0x405c87']0x4067bb: ['0x4082b6']0x406964: ['0x405b29', '0x404ca4']0x4069e3: ['0x408281']0x406a72: ['0x404fae']0x406b00: ['0x406299']0x406bf9: ['0x405923']0x406c94: ['0x4074ca']0x406cfe: ['0x40723e']0x406e5d: ['0x406e5d', '0x4077b6']0x406f5f: ['0x406f5f', '0x407566']0x40707d: ['0x40707d', '0x407960']0x4070fa: ['0x406f5f']0x4071aa: ['0x4056f0']0x40723e: ['0x4072b4']0x4072b4: ['0x4075f9', '0x4071aa']0x407437: ['0x407437', '0x4064a5']0x4074ca: ['0x404ec5', '0x407c6b']0x407566: ['0x407566', '0x407a6b']0x4075f9: ['0x4072b4', '-0x1', '0x4060e7', '0x406cfe', '0x4078e3', '0x4065c9']0x4076bd: ['0x404ec5']0x4077b6: ['0x406bf9', '0x4070fa']0x4078e3: ['0x40723e']0x407960: ['0x4081f5']0x407a6b: ['0x4070fa', '0x406704']0x407bc7: ['0x406a72', '0x407bc7']0x407c6b: ['0x4069e3']0x407d31: ['0x407d31', '0x407ebc']0x407ebc: ['0x407ebc', '0x40617c']0x4081f5: ['0x405b29']0x408281: ['0x4051fe']0x4082b6: ['0x4076bd']


修复程序环节!当我们已经确定了执行流程,像抛异常 子分发器什么都是多余的了,统统patch掉。
对于有多个后继块的,需要通过esi(也就是异常类型)来改成cmp esi, ... jz即可。
def patch_branches(self, bb, va_targets):  va_start, size = self.get_patchable_from_relblk(bb)  if size < PatchHelper.JMP_SIZE:    print("[Warning] patch_jmp at block %x may fail. size: %d."%(bb.address, size))  org_start = va_start  print(f"va_start: {hex(va_start)}, bb addr: {hex(bb.address)}, size: {size}")  ## `cmp esi, v` instr takes 3 bytes while `je xxx` takes 6 bytes  ## And the last jmp instr takes 5 bytes.  total_size = 9 * len(va_targets) - 4  if size < total_size:    ## If the nop block at the end of current block is not large enough,       ## try to find another nop block and then jump to it.    nx_va_start, nx_size = self.get_nop_by_size(total_size)    if nx_size == 0:      print("[Error] `patch_branches` needs a nop block with size larger than %d."%(total_size))    self.patch_jmp(va_start, nx_va_start)    va_start, size = nx_va_start, nx_size   for i, t in enumerate(va_targets[:-1]):    cmp_instr = bytes([0x83,0xfe,i])    self.do_patch(va_start, cmp_instr)    va_start += len(cmp_instr)    cj_instr = bytes([PatchHelper.opcode['j'],PatchHelper.opcode['e']])    if t == -1:      ## -1 represent that we do not know the flow for this selector value for now.      cj_instr += struct.pack('<i', self.func_terminate-va_start-6)      # cj_instr = asm(f"je {hex(self.func_terminate)}", vma=va_start)    else:      cj_instr += struct.pack('<i', t-va_start-6)      # cj_instr = asm(f"je {hex(t)}", vma=va_start)    self.do_patch(va_start, cj_instr)    va_start += len(cj_instr)  va_start += self.patch_jmp(va_start, va_targets[-1])  if va_start > org_start+size:    print("[Warning] patches at (%x, %x) overlaps next blk. "%(org_start, va_start))
## filename: deflat.pyfrom ast import Tuplefrom xmlrpc.client import Booleanfrom barf.barf import BARFimport angrimport structimport sysfrom pwnlib import elffrom queue import SimpleQueue# from pwn import * class PatchHelper:  opcode = {'a' :0x87, 'ae':0x83, 'b' :0x82, 'be':0x86, 'c' :0x82, 'e' :0x84, 'z' :0x84, 'g' :0x8F,            'ge':0x8D, 'l' :0x8C, 'le':0x8E, 'na':0x86, 'nae':0x82,'nb':0x83, 'nbe':0x87,'nc':0x83,            'ne':0x85, 'ng':0x8E, 'nge':0x8C,'nl':0x8D, 'nle':0x8F,'no':0x81, 'np':0x8B, 'ns':0x89,            'nz':0x85, 'o' :0x80, 'p' :0x8A, 'pe':0x8A, 'po':0x8B, 's' :0x88, 'nop':0x90,'jmp':0xE9, 'j':0x0F}  JMP_SIZE = 5   def is_unreachable(self, bb):    if isinstance(bb, int):      bb = self.block(bb)    for i in range(len(bb.instrs)):      if bb.instrs[i].mnemonic != "call":        continue      target = bb.instrs[i].operands[0].immediate      if target == self.func_terminate:        return True   def block(self, addr):    bb = self.cfg.find_basic_block(addr)    if bb is None:      bb = barf.bb_builder.strategy._disassemble_bb(addr, barf.binary.ea_end, {})    return bb   @staticmethod  def is_imm(operand):    return (hasattr(operand, "_X86ImmediateOperand__key"))   @staticmethod  def is_reg(operand):    return (hasattr(operand, "_X86RegisterOperand__key"))   def is_call_throw(self, instr):    return instr.mnemonic == "call" and \        self.is_imm(instr.operands[0]) and\        instr.operands[0].immediate == self.func_throw   def is_call_allocate_exception(self, instr):    return instr.mnemonic == "call" and \        self.is_imm(instr.operands[0]) and\        instr.operands[0].immediate == self.func_allocate_exception   def is_call_obf_exception(self, instr):    return instr.mnemonic == "call" and \        self.is_imm(instr.operands[0]) and\        instr.operands[0].immediate == self.func_obf_exception    def skip_call_args(self, bb, i):    while ((bb.instrs[i].mnemonic in ["xor","mov","lea"]) and\      (len(bb.instrs[i].operands) > 0) and (self.is_reg(bb.instrs[i].operands[0])) and\      (bb.instrs[i].operands[0].name in ["edx", "rdx", "esi", "rsi", "edi", "rdi"])) or \      bb.instrs[i].mnemonic == "nop":      i -= 1    return i   def get_patchable_from_relblk(self, bb):    i = 0    end = bb.start_address + bb.size    while i < len(bb.instrs) and not self.is_call_throw(bb.instrs[i]):      i += 1    i = self.skip_call_args(bb, i-1)    if i == len(bb.instrs) - 1:      start = end    else:      start = bb.instrs[i+1].address    self.fill_nops(start, end)    return (start, end-start)   def __init__(self, proj, elf, barf, cfg) -> None:    self.p = proj    obj = proj.loader.main_object    self.func_terminate = obj.symbols_by_name["__clang_call_terminate"].rebased_addr    self.func_throw = obj.plt["__cxa_throw"]    self.func_allocate_exception = obj.plt["__cxa_allocate_exception"]    self.func_obf_exception = obj.symbols_by_name["_ZN18StdSubObfExceptionC2Ec"].rebased_addr    self.elf = elf    self.elfData = bytearray(self.elf.data)    self.barf = barf    self.cfg = cfg    self.nops = []   def append_nop(self, nopblk):    if nopblk[1] > 0:      self.nops.append(nopblk)   def finalize(self):    self.nops.sort()    idx = 0    while idx < len(self.nops) - 1:      if self.nops[idx][0] + self.nops[idx][1] != self.nops[idx+1][0]:        idx += 1        continue      self.nops[idx]=(self.nops[idx][0], self.nops[idx][1]+self.nops[idx+1][1])      del self.nops[idx+1]   def fill_nops(self, va_start, va_end):    assert not self.elf is None    start = self.elf.vaddr_to_offset(va_start)    end   = self.elf.vaddr_to_offset(va_end)    for i in range(start, end):      self.elfData[i] = PatchHelper.opcode['nop']   def get_nop_by_size(self, min_size):    for idx, nop in enumerate(self.nops):      if nop[1] > min_size:        del self.nops[idx]        return nop    return (-1, 0)   def do_patch(self, va_start, codes):    start = self.elf.vaddr_to_offset(va_start)    for i in range(len(codes)):      self.elfData[start+i] = codes[i]   def patch_jmp(self, va_start, va_target):    offset = va_target - va_start - PatchHelper.JMP_SIZE    jmp = bytes([PatchHelper.opcode['jmp']])+struct.pack('<i', offset)    self.do_patch(va_start, jmp)    return PatchHelper.JMP_SIZE   def patch_branches(self, bb, va_targets):    va_start, size = self.get_patchable_from_relblk(bb)    if size < PatchHelper.JMP_SIZE:      print("[Warning] patch_jmp at block %x may fail. size: %d."%(bb.address, size))    org_start = va_start    print(f"va_start: {hex(va_start)}, bb addr: {hex(bb.address)}, size: {size}")    ## `cmp esi, v` instr takes 3 bytes while `je xxx` takes 6 bytes    ## And the last jmp instr takes 5 bytes.    total_size = (3+6) * len(va_targets) - 4    if size < total_size:      ## If the nop block at the end of current block is not large enough,         ## try to find another nop block and then jump to it.      nx_va_start, nx_size = self.get_nop_by_size(total_size)      if nx_size == 0:        print("\033[31m[Error]\033[0m `patch_branches` needs a nop block with size larger than %d."%(total_size))      self.patch_jmp(va_start, nx_va_start)      va_start, size = nx_va_start, nx_size    for i, t in enumerate(va_targets[:-1]):      cmp_instr = bytes([0x83,0xfe,i])      self.do_patch(va_start, cmp_instr)      va_start += len(cmp_instr)      cj_instr = bytes([PatchHelper.opcode['j'],PatchHelper.opcode['e']])      if t == -1:        ## -1 represent that we do not know the flow for this selector value for now.        cj_instr += struct.pack('<i', self.func_terminate-va_start-6)        # cj_instr = asm(f"je {hex(self.func_terminate)}", vma=va_start)      else:        cj_instr += struct.pack('<i', t-va_start-6)        # cj_instr = asm(f"je {hex(t)}", vma=va_start)      self.do_patch(va_start, cj_instr)      va_start += len(cj_instr)    va_start += self.patch_jmp(va_start, va_targets[-1])    if va_start > org_start+size:      print("[Warning] patches at (%x, %x) overlaps next blk. "%(org_start, va_start)) def get_relevant_blocks(cfg, patch_helper, main_dispatcher):  isCmpRI = lambda instr: instr.mnemonic == "cmp" and\    hasattr(instr.operands[0], "_X86RegisterOperand__key") and\    hasattr(instr.operands[1], "_X86ImmediateOperand__key")  isCJmp = lambda instr: instr.mnemonic.startswith("j") and \    instr.mnemonic != "jmp"  isSubDispatcher = lambda bb: (len(bb.instrs) == 2) and\     isCmpRI(bb.instrs[0]) and isCJmp(bb.instrs[1])  relevant_blocks = []  visited = set()  q = SimpleQueue()  q.put(patch_helper.block(main_dispatcher))  while not q.empty():    bb = q.get()    if isSubDispatcher(bb):      patch_helper.append_nop((bb.start_address, bb.size))      for succ, cond in bb.branches:        if succ in visited:          continue        q.put(patch_helper.block(succ))        visited.add(succ)    else:      relevant_blocks.append(bb)  return relevant_blocks  def parse_logs(logfn, prologue, patch_helper):  with open(logfn, "r") as f:    t = f.readlines()  i = 0  selector_s = "selector: "  landingpad_s = "landingPad: "  relations = set()  laddr = prologue  lselector = 0  landingpad = 0  while i < len(t):    try:      addr = int(t[i], 16)    except:      i += 1      continue    if not laddr is None:      relations.add((laddr, lselector, addr))    if t[i+1].startswith(selector_s):      selector = int(t[i+1][len(selector_s):], 16)      i += 2    elif t[i+1].startswith(landingpad_s):      landingpad = int(t[i+1][len(landingpad_s):], 16)      relations.add((addr, -1, landingpad))      addr = landingpad      while not patch_helper.is_unreachable(patch_helper.block(addr).direct_branch):        addr = patch_helper.block(addr).direct_branch      if t[i+2].startswith(selector_s):        selector = int(t[i+2][len(selector_s):], 16)      i += 3    elif t[i+1].startswith("[Inferior "):      i += 1    else:      print("Warning: %x doesn't have selector. "%addr)      exit(0)    laddr = addr    lselector = selector  return list(relations)  def generate_gdb_script(relevant_blocks):  cmds = """\set pagination off b *0x40A3D4commands  silent  printf "landingPad: %x\n", $rdx  continueend b _ZN18StdSubObfExceptionC2Eccommands  silent  printf "selector: %x\n", $rsi  continueend define mytrace  break $arg0  commands    silent    printf "%x\\n", $pc    python gdb.execute('continue')  endend"""  for bb in relevant_blocks:    cmds += (f"mytrace *{hex(bb.address)} \n")  cmds += "run\n"  with open("test.gdb", "w") as f:    f.write(cmds)  if __name__ == '__main__':    if len(sys.argv) < 3:        print('Usage: python deflat.py filename function_address(hex) [logfile]')        exit(0)     # context.arch = "amd64"    # context.os = "linux"    # context.endian = "little"     filename = sys.argv[1]    start = int(sys.argv[2], 16)     origin = elf.ELF(filename)    b = angr.Project(filename, load_options={'auto_load_libs': False, 'main_opts':{'custom_base_addr': 0}})    barf = BARF(filename)    cfg = barf.recover_cfg(start=start)    patch_helper = PatchHelper(b, origin, barf, cfg)    blocks = cfg.basic_blocks     prologue = start    main_dispatcher = patch_helper.block(prologue).direct_branch    relevant_blocks = get_relevant_blocks(cfg, patch_helper, main_dispatcher)    nop = patch_helper.get_patchable_from_relblk(patch_helper.block(prologue))    patch_helper.append_nop(nop)     print('*******************relevant blocks************************')    print('main_dispatcher:%#x' % main_dispatcher)    print('relevant_blocks:', [hex(bb.address) for bb in relevant_blocks])      if len(sys.argv) < 4:      generate_gdb_script(relevant_blocks)      exit(0)     print('************************flow******************************')    relations = parse_logs(sys.argv[3], prologue, patch_helper)    relations.sort(key = lambda x:x)    flow = {}    for bb, selector, child in relations:      if bb in flow:        while len(flow[bb]) < selector:          flow[bb].append(-1)        flow[bb].append(child)        assert(len(flow[bb]) == selector+1)      else:        flow[bb] = [child]    for (k, v) in list(flow.items()):        print('%#x:' % k, [hex(child) for child in v])     print('************************patch*****************************')    patch_helper.finalize()    for (parent, childs) in list(flow.items()):      ## Patch jmps      blk = patch_helper.block(parent)      patch_helper.patch_branches(blk, childs)      ## Nop call allocate_exception and call obf_exception      for idx, instr in enumerate(blk.instrs):        if patch_helper.is_call_allocate_exception(instr) or\          patch_helper.is_call_obf_exception(instr):          # si = patch_helper.skip_call_args(blk, idx-1)+1          # start = blk.instrs[si].address          start = instr.address          end = instr.address + instr.size          patch_helper.fill_nops(start, end)     with open(filename + '.recovered', 'wb') as f:        f.write(bytes(patch_helper.elfData))    print('Successful! The recovered file: %s' % (filename + '.recovered'))
Work flow:
$ python deflat.py inflated 0x404820$ gdb inflated -x test.gdb --batch < testin > testout$ python deflat.py inflated 0x404820 testout
int __cdecl main(int argc, const char **argv, const char **envp){  ......  v3 = fileno(stdin);  tcgetattr(v3, &intermiosBufBackup);  cfmakeraw(&intermiosBuf);  tcsetattr(v3, 0, &intermiosBuf);  *(_OWORD *)v196 = 0LL;  v195 = 0LL;  *(_OWORD *)s = 0LL;  *(_QWORD *)&v196[13] = 0LL;  v124 = &v168;  v123 = &v167;  v164 = v199;  v187 = &v198;  v186 = &v96;  v185 = &v97;  v184 = &v100;  v122 = &s[12];  v108 = v103;  v163 = &v197;  v183 = &v99;  v162 = &v166;  ......  v5 = 0LL;  do  {    v72 = v4;    v98 = getc(stdin);    v73 = v98 << 24;    v74 = v98 << 24 == 0x1B000000;    if ( v98 << 24 == 0x31000000 )      v74 = 2;    if ( v73 == 0x37000000 )      v74 = 3;    if ( v73 == 0x33000000 )      v74 = 4;    if ( v73 == 0x34000000 )      v74 = 5;    v101 = v5;    v102 = v72;    v119 = v72;    if ( v74 )    {      if ( v74 == 1 )        _clang_call_terminate(5LL);      if ( v74 == 2 )      {        v107 = v102 + (4LL << (3 * (unsigned __int8)v101));        v85 = v98;      }      else if ( v74 == 3 )      {        v107 = v102 + (5LL << (3 * (unsigned __int8)v101));        v85 = v98;      }      else      {        if ( v74 == 4 )          v107 = v102 + (6LL << (3 * (unsigned __int8)v101));        else          v107 = v102 + (7LL << (3 * (unsigned __int8)v101));        v85 = v98;      }      s[v101] = v85;      v119 = v107;    }    v5 = v101 + 1;    v174 = v119;  }  while ( v101 != 11 );  s[12] = 0;  v69 = fileno(stdin);  tcsetattr(v69, 0, &intermiosBufBackup);  for ( i = 0LL; i < 5; ++i )    *((_BYTE *)v136 + i) = byte_40E0F3[i] - byte_40E0F8[i];  v188 = &v190;  v190 = v136[0];  v189 = 4LL;  v191 = 0;  __isoc99_scanf(&v190, v122);  v26 = v188;  v175 = v188;  *(_OWORD *)v188 = xmmword_40E040;  v26[4] = 639210836;  *((_BYTE *)v26 + 20) = 16;  *(_QWORD *)((char *)v26 + 34) = 0x1005E763241AA6B1LL;  *(_OWORD *)((char *)v26 + 21) = xmmword_40E148;  __cxa_begin_catch(v26);  v155 = strlen(v122);  v128 = 0LL;  v113 = 0;  v125 = v155;  v147 = 0LL;  do  {    v133 = v125 - 1;    v86 = v122[v147];    v160 = v128;    v110 = v113;    v176 = v147;    isalnum(v86);    v50 = (unsigned int)(v160 + 1);    *(&v95 + (int)v160) = v86;    v181 = v176 + 1;    v130 = v50;    v112 = v110;    v146 = 0LL;    if ( (_DWORD)v50 == 4 )    {      do      {        v106 = 0LL;        v149 = v146;        do        {          v199[v106 + 16] = byte_40E071[v106] - byte_40E0B2[v106];          ++v106;        }        while ( v106 < 0x41 );        v56 = v163;        *(_QWORD *)v163 = v164;        v165 = 64LL;        v169 = (_OWORD *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::_M_create(                           v56,                           &v165,                           0LL);        v9 = (void **)v163;        v10 = v169;        *(_QWORD *)v163 = v169;        v11 = v165;        *(_QWORD *)v164 = v165;        v12 = MEMORY[5];        v13 = MEMORY[0x15];        v14 = MEMORY[0x25];        v10[3] = MEMORY[0x35];        v10[2] = v14;        v10[1] = v13;        *v10 = v12;        *(_QWORD *)v187 = v11;        *((_BYTE *)v10 + v11) = 0;        v15 = v149;        *(&v95 + v15) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::find(                          v9,                          (unsigned int)*(&v95 + v149),                          0LL);        v177 = *v9;        operator delete(v177);        v146 = v149 + 1;      }      while ( v149 != 3 );      v17 = *v186;      *v183 = (4 * *v57) | ((unsigned __int8)*v186 >> 4) & 3;      v18 = *v185;      *v59 = (16 * v17) | ((unsigned __int8)*v185 >> 2) & 0xF;      *v184 = *v58 + (v18 << 6);      v152 = v110;      v151 = 0LL;      do      {        v6 = v151;        v7 = (unsigned __int8)*(&v99 + v151) / 0xAu;        v8 = v152;        v199[v152 + 96] = (unsigned __int8)*(&v99 + v151) % 0xAu;        v199[v8 + 97] = v7;        v151 = v6 + 1;        v152 = v8 + 2;        v182 = v8 + 2;      }      while ( v6 != 2 );      v130 = 0LL;      v112 = v182;    }    v128 = v130;    v113 = v112;    v125 = v133;    v147 = v181;  }  while ( v133 );  __cxa_end_catch();  v193 = 152788034LL;  v192[3] = xmmword_40E130;  v192[2] = xmmword_40E120;  v192[1] = xmmword_40E110;  v192[0] = xmmword_40E100;  v138 = 152788034LL;  cipher_helper<12037464u,StList<0ul,1ul,2ul,3ul,4ul,5ul,6ul,7ul,8ul,9ul,10ul,11ul,12ul,13ul,14ul,15ul,16ul,17ul,18ul,19ul,20ul,21ul,22ul,23ul,24ul,25ul,26ul,27ul,28ul,29ul,30ul,31ul,32ul,33ul,34ul,35ul,36ul,37ul,38ul,39ul>>::get_array(    152788034LL,    "Knows the futility yet does it anyway. ");  v55 = v138;  *(_OWORD *)(v138 + 56) = xmmword_40E16D;  *(_OWORD *)(v55 + 40) = xmmword_40E15D;  *(_QWORD *)(v55 + 72) = 0x6FF0E70B5B3F60A4LL;  v137 = (void *)0x6FF0E70B5B3F60A4LL;  __cxa_begin_catch((void *)0x6FF0E70B5B3F60A4LL);  v145 = 0LL;  do  {    v67 = v145;    *((_DWORD *)v192 + 2 * v145) ^= 0x9005408u;    v145 = v67 + 1;  }  while ( v67 != 8 );  __cxa_end_catch();  *(_OWORD *)v75 = xmmword_40E030;  *((_QWORD *)v75 + 2) = 0x48D1556A814FF991LL;  *((_QWORD *)v75 + 5) = 0x48B0E10161EA8322LL;  v25 = -2.526699287193993e95;  *(_OWORD *)(v75 + 24) = xmmword_40E185;  __cxa_begin_catch(v75);  v121 = 0LL;  v109 = 0;  do  {    v27 = v121;    v179 = (unsigned __int64 *)v192 + (unsigned int)v121 / 9uLL;    v28 = *v179;    v29 = (unsigned int)v121 % 9;    v30 = pow(v25, (double)(int)((unsigned int)v121 % 9 + 1));    v178 = v28;    v31 = v28 % (unsigned int)(int)(v30 + 0.5);    y = (double)v29;    v32 = pow(11.0, (double)v29) + 0.5;    v33 = (unsigned int)(int)v32;    v25 = v32 - 9.223372036854776e18;    v158 = v27;    v157 = v109;    v111 = v109;    if ( v31 < v33 )    {      v111 = v157 + 1;      v51 = v199[(int)v157 + 96];      v52 = pow(v25, y) + 0.5;      v53 = (unsigned int)(int)v52;      v25 = v52 - 9.223372036854776e18;      *v179 = v178 + v51 * v53;    }    v121 = (unsigned int)(v158 + 1);    v109 = v111;  }  while ( (_DWORD)v158 != 80 );  __cxa_end_catch();  v88 = 1;  v140 = 0LL;  do  {    v60 = v108;    v108[8] = 0;    *(_QWORD *)v60 = 0LL;    v171 = *((_QWORD *)v192 + v140);    v126 = 0LL;    v170 = v140;    do    {      v19 = v126;      v20 = v126 + 1;      v21 = pow(v25, (double)((int)v126 + 1));      v22 = v171 % (unsigned int)(int)(v21 + 0.5);      v23 = pow(11.0, (double)v19) + 0.5;      v24 = (unsigned int)(int)v23;      v25 = v23 - 9.223372036854776e18;      v103[v22 / v24] = 1;      v141 = 1LL;      v89 = v88;      v126 = v20;    }    while ( v20 != 9 );    do    {      v61 = v89;      if ( !v103[v141] )        v61 = 0;      ++v141;      v115 = v61;      v89 = v61;    }    while ( v141 != 10 );    v140 = v170 + 1;    v131 = 0LL;    v87 = v115;    v88 = v115;  }  while ( v170 != 8 );  do  {    v68 = v108;    v108[8] = 0;    *(_QWORD *)v68 = 0LL;    v172 = (double)((int)v131 + 1);    v40 = (double)(int)v131;    v173 = (double)(int)v131;    v161 = (unsigned int)v131;    v142 = 0LL;    do    {      v62 = v142;      v63 = *((_QWORD *)v192 + v142);      v64 = v63 % (unsigned int)(int)(pow(v40, v172) + 0.5);      v65 = pow(11.0, v173) + 0.5;      v66 = (unsigned int)(int)v65;      v40 = v65 - 9.223372036854776e18;      v103[v64 / v66] = 1;      v142 = v62 + 1;      v144 = 1LL;      v90 = v87;    }    while ( v62 != 8 );    do    {      v71 = v90;      if ( !v103[v144] )        v71 = 0;      ++v144;      v116 = v71;      v90 = v71;    }    while ( v144 != 10 );    v131 = (unsigned int)(v161 + 1);    v132 = 0LL;    v92 = v116;    v87 = v116;  }  while ( (_DWORD)v131 != 9 );  do  {    v54 = v108;    v108[8] = 0;    *(_QWORD *)v54 = 0LL;    v135 = 3 * ((unsigned int)v132 / 3);    v134 = 3 * ((unsigned int)v132 % 3) + 1;    v129 = 0LL;    v159 = (unsigned int)v132;    do    {      v34 = v129;      v35 = *((_QWORD *)v192 + (int)(v135 + (unsigned int)v129 / 3));      v36 = (v134 + (unsigned int)v129 % 3) % 9;      v37 = v35 % (unsigned int)(int)(pow(v40, (double)(v36 + 1)) + 0.5);      v38 = pow(11.0, (double)v36) + 0.5;      v39 = (unsigned int)(int)v38;      v40 = v38 - 9.223372036854776e18;      v103[v37 / v39] = 1;      v129 = (unsigned int)(v34 + 1);      v150 = 1LL;      v94 = v92;    }    while ( v34 != 8 );    do    {      v70 = v94;      if ( !v103[v150] )        v70 = 0;      ++v150;      v104 = v70;      v94 = v70;    }    while ( v150 != 10 );    v132 = (unsigned int)(v159 + 1);    v92 = v104;  }  while ( (_DWORD)v159 != 8 );  v48 = v108;  v108[8] = 0;  *(_QWORD *)v48 = 0LL;  v127 = 0LL;  do  {    v41 = v127;    v42 = 9 - v127;    if ( !(_DWORD)v127 )      v42 = 0;    v43 = *((_QWORD *)v192 + v42);    v44 = v127 + 1;    v45 = v43 % (unsigned int)(int)(pow(v40, (double)((int)v127 + 1)) + 0.5);    v46 = pow(11.0, (double)v41) + 0.5;    v47 = (unsigned int)(int)v46;    v40 = v46 - 9.223372036854776e18;    v103[v45 / v47] = 1;    v143 = 1LL;    v91 = v104;    v127 = v44;  }  while ( v44 != 9 );  do  {    v49 = v91;    if ( !v103[v143] )      v49 = 0;    ++v143;    v117 = v49;    v91 = v49;  }  while ( v143 != 10 );  v16 = v108;  v108[8] = 0;  *(_QWORD *)v16 = 0LL;  v139 = 0LL;  do  {    v76 = v139 + 1;    v77 = v139 == 8;    v78 = v139 + 1;    if ( v139 == 8 )      v78 = 0;    v79 = *((_QWORD *)v192 + v139);    v80 = v79 % (unsigned int)(int)(pow(v40, (double)(v78 + 1)) + 0.5);    v81 = pow(11.0, (double)v78) + 0.5;    v82 = (unsigned int)(int)v81;    v40 = v81 - 9.223372036854776e18;    v103[v80 / v82] = 1;    v148 = 1LL;    v93 = v117;    v139 = v76;  }  while ( !v77 );  do  {    v83 = v93;    if ( !v103[v148] )      v83 = 0;    ++v148;    v118 = v83;    v93 = v83;  }  while ( v148 != 10 );  return 0;}


do {   v72 = v4;   input1 = getc(stdin);   v73 = input1 << 24;   shift_input1 = input1 << 24 == 0x1B000000;   if ( input1 << 24 == 0x31000000 )     shift_input1 = 2;   if ( v73 == 0x37000000 )     shift_input1 = 3;   if ( v73 == 0x33000000 )     shift_input1 = 4;   if ( v73 == 0x34000000 )     shift_input1 = 5;   count = v5;   v102 = v72;   v119 = v72;   if ( shift_input1 )   {     if ( shift_input1 == 1 )       _clang_call_terminate((void *)5);     if ( shift_input1 == 2 )     {       v107 = v102 + (4LL << (3 * (unsigned __int8)count));       org_input = input1;     }     else if ( shift_input1 == 3 )     {       v107 = v102 + (5LL << (3 * (unsigned __int8)count));       org_input = input1;     }     else     {       if ( shift_input1 == 4 )         v107 = v102 + (6LL << (3 * (unsigned __int8)count));       else         v107 = v102 + (7LL << (3 * (unsigned __int8)count));       org_input = input1;     }     s[count] = org_input;     v119 = v107;   }   v5 = count + 1;   v174 = v119; } while ( count != 11 );
int part1_size = 12;while(count < part1_size) {  char a = getchar();  if (a == 27) {    if (getchar() == 91) {      char c = getchar();      try {        rmCjJ0(true, c);      } catch(Le3KW5 &cc) {        char c = cc.state;        if (c == 65) {          state += 0ull << (3 * count);        } else if (c==66) {          state += 2ull << (3 * count);        } else if (c==67) {          state += 1ull << (3 * count);        } else if (c==68) {          state += 3ull << (3 * count);        }      }      flag[count] = c;    }  } else if (a=='1') {    state += 4ull << (3 * count);    flag[count] = a;  } else if (a=='7') {    state += 5ull << (3 * count);    flag[count] = a;  } else if (a=='3') {    state += 6ull << (3 * count);    flag[count] = a;  } else if (a=='4') {    state += 7ull << (3 * count);    flag[count] = a;  }  count += 1;}// ... Second Part ...// Check Partif (... && state == 0xb3e659480) {  std::cout << LIT("Congratulation! \n") << LIT("Your flag is ACTF{") << flag << LIT("_amazing!}") << std::endl;}


  if ( (_DWORD)v50 == 4 )  {    do    {      v106 = 0LL;      v149 = v146;      do      {        baseTable[v106 + 16] = byte_40E071[v106] - byte_40E0B2[v106];// baseTable        ++v106;      }      while ( v106 < 0x41 );      v56 = (__int64)v163;      *(_QWORD *)v163 = v164;      v165 = 64LL;      v169 = (_OWORD *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::_M_create(                         v56,                         &v165,                         0LL);      v9 = (void **)v163;      v10 = v169;      *(_QWORD *)v163 = v169;      v11 = v165;      *(_QWORD *)v164 = v165;      v12 = MEMORY[5];      v13 = MEMORY[0x15];      v14 = MEMORY[0x25];      v10[3] = MEMORY[0x35];      v10[2] = v14;      v10[1] = v13;      *v10 = v12;      *(_QWORD *)v187 = v11;      *((_BYTE *)v10 + v11) = 0;      v15 = v149;      *(&copy_input1 + v15) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::find(                                v9,                                (unsigned int)*(&copy_input1 + v149),                                0LL);      v177 = *v9;      operator delete(v177);      v146 = v149 + 1;    }    while ( v149 != 3 );    v17 = *v186;    *v183 = (4 * *v57) | ((unsigned __int8)*v186 >> 4) & 3;    v18 = *v185;    *v59 = (16 * v17) | ((unsigned __int8)*v185 >> 2) & 0xF;    *v184 = *v58 + (v18 << 6);    v152 = v110;    v151 = 0LL;    do    {                                         // 对输入进行操作分值操作      v6 = v151;      v7 = (unsigned __int8)*(&v99 + v151) / 0xAu;      v8 = v152;      baseTable[v152 + 96] = (unsigned __int8)*(&v99 + v151) % 0xAu;      baseTable[v8 + 97] = v7;      v151 = v6 + 1;      v152 = v8 + 2;      v182 = v8 + 2;    }    while ( v6 != 2 );    v130 = 0LL;    v112 = v182;  }  v128 = v130;  v113 = v112;  copy_len = v133;  v147 = v181;}while ( v133 );                               // 以上是对input进行了base64解码

具体参考lchild师傅的Write up 

# https://sudoku.vip/sudoku-x-solver/

s = []t = 0xB3E659480# 每3个字节为一次输入for i in range(12):    s.append(t & 0x7)    t >>= 3 assert t == 0key = ''for i in s:    if i == 0: key += '↑'    elif i == 1: key += '→'    elif i == 2: key += '↓'    elif i == 3: key += '←'    elif i == 4: key += '1'    elif i == 5: key += '7'    elif i == 6: key += '3'    elif i == 7: key += '4'print(key) # ??↓↓→←→←3417  values = [0x00000000331b6d84, 0x0000000054cab29a, 0x000000000cd0afcd,0x000000006636db08, 0x0000000000021528, 0x0000000005d62020, 0x00000000070bc7c1,0x00000000006739bd, 0x00000000001b084a]table = []for i in values:    table.append([])    s = ''    value = i    for j in range(9):        table[-1].append(int(value % 11))        s += "%2d" % (value % 11)        value /= 11 #   print(s[2: ] + s[: 2])''' 0 0 0 0 0 0 0 4 0 0 0 5 0 0 0 7 6 0 0 0 0 0 4 0 0 1 0 0 0 0 0 0 0 0 8 0 0 6 3 9 0 0 0 0 0 0 0 0 0 3 0 5 0 0 2 9 0 0 8 0 6 0 0 0 7 0 0 9 3 0 0 0 3 0 0 0 0 1 0 0 0''' # print(sum(table, []).count(0))# https://sudoku.vip/sudoku-x-solver/ solves = [[8, 1, 6, 7, 5, 2, 3, 4, 9],[4, 3, 5, 8, 1, 9, 7, 6, 2],[7, 2, 9, 3, 4, 6, 8, 1, 5],[9, 4, 7, 1, 6, 5, 2, 8, 3],[5, 6, 3, 9, 2, 8, 4, 7, 1],[1, 8, 2, 4, 3, 7, 5, 9, 6],[2, 9, 1, 5, 8, 4, 6, 3, 7],[6, 7, 4, 2, 9, 3, 1, 5, 8],[3, 5, 8, 6, 7, 1, 9, 2, 4]] # 数独列右移for i in range(9):    solves[i] = [solves[i][-1]] + solves[i][: -1]#    print(solves[i]) numbers = []for y in range(9):    for x in range(9):            if table[y][x] == 0:#                print(table[y][x])                numbers.append(solves[y][x]) assert len(numbers) % 2 == 0 flag = ''for i in range(0, len(numbers), 2):    flag += chr(numbers[i] + 10 * numbers[i + 1]) import base64# print(flag)print(base64.b64encode(str.encode(flag))) # ↑↑↓↓→←→←3417# WT05ICpTW0tcPyYxETgMGTBDUSphES1TLgwtVUwd



*本文由看雪论坛 P.Z 原创,转载请注明来自看雪社区

