腾讯极客挑战赛第三期——码上种树 WP

2021-03-19

/ ctf

1-10000

window.A274075A = async
function ({
    a
}) {
    return new Promise(_ => setTimeout(__ => _(a[0]), 2000))
}

原样push即可

10000 - 100000

window.A3C2EA99 = async
function ({
    a
}) {
    return new Promise(_ => setTimeout(__ => _(a[0] * a[0] + a[0]), 2000))
}

做运算后push

100000 - 250000

eval(atob("dmFyIF8weGU5MzY9WydBNTQ3Mzc4OCddOyhmdW5jdGlvbihfMHg0OGU4NWMsXzB4ZTkzNmQ4KXt2YXIgXzB4MjNmYzVhPWZ1bmN0aW9uKF8weDI4NThkOSl7d2hpbGUoLS1fMHgyODU4ZDkpe18weDQ4ZTg1Y1sncHVzaCddKF8weDQ4ZTg1Y1snc2hpZnQnXSgpKTt9fTtfMHgyM2ZjNWEoKytfMHhlOTM2ZDgpO30oXzB4ZTkzNiwweDE5NikpO3ZhciBfMHgyM2ZjPWZ1bmN0aW9uKF8weDQ4ZTg1YyxfMHhlOTM2ZDgpe18weDQ4ZTg1Yz1fMHg0OGU4NWMtMHgwO3ZhciBfMHgyM2ZjNWE9XzB4ZTkzNltfMHg0OGU4NWNdO3JldHVybiBfMHgyM2ZjNWE7fTt3aW5kb3dbXzB4MjNmYygnMHgwJyldPWZ1bmN0aW9uKF8weDMzNTQzNyl7dmFyIF8weDFhYWMwMj0weDMwZDNmO2Zvcih2YXIgXzB4M2JlZDZhPTB4MzBkM2Y7XzB4M2JlZDZhPjB4MDtfMHgzYmVkNmEtLSl7dmFyIF8weDM3NTM0MD0weDA7Zm9yKHZhciBfMHgxZGRiNzc9MHgwO18weDFkZGI3NzxfMHgzYmVkNmE7XzB4MWRkYjc3Kyspe18weDM3NTM0MCs9XzB4MzM1NDM3WydhJ11bMHgwXTt9XzB4Mzc1MzQwJV8weDMzNTQzN1snYSddWzB4Ml09PV8weDMzNTQzN1snYSddWzB4MV0mJl8weDNiZWQ2YTxfMHgxYWFjMDImJihfMHgxYWFjMDI9XzB4M2JlZDZhKTt9cmV0dXJuIF8weDFhYWMwMjt9Ow=="))

base64解码，得

var _0xe936 = ['A5473788'];
(function (_0x48e85c, _0xe936d8) {
    var _0x23fc5a = function (_0x2858d9) {
        while (--_0x2858d9) {
            _0x48e85c['push'](_0x48e85c['shift']());
        }
    };
    _0x23fc5a(++_0xe936d8);
}(_0xe936, 0x196));
var _0x23fc = function (_0x48e85c, _0xe936d8) {
    _0x48e85c = _0x48e85c - 0x0;
    var _0x23fc5a = _0xe936[_0x48e85c];
    return _0x23fc5a;
};
window[_0x23fc('0x0')] = function (_0x335437) {
    var _0x1aac02 = 0x30d3f;
    for (var _0x3bed6a = 0x30d3f; _0x3bed6a > 0x0; _0x3bed6a--) {
        var _0x375340 = 0x0;
        for (var _0x1ddb77 = 0x0; _0x1ddb77 < _0x3bed6a; _0x1ddb77++) {
            _0x375340 += _0x335437['a'][0x0];
        }
        _0x375340 % _0x335437['a'][0x2] == _0x335437['a'][0x1] && _0x3bed6a < _0x1aac02 && (_0x1aac02 = _0x3bed6a);
    }
    return _0x1aac02;
};

更改变量名和函数名：

var text = ['A5473788'];

(function (func_arg1, func_arg2) {
    var func_2 = function (func_arg) {
        while (--func_arg) {
            func_arg1['push'](func_arg1['shift']());
        }
    };
    func_2(++func_arg2);
}(text, 406));

var func1 = function (func_arg1, _0xe936d8) {
    func_arg1 = func_arg1 - 0;
    var tmp = text[func_arg1];
    return tmp;
};

window[func1('0x0')] = function (func_arg1) {
    var num = 199999;
    for (var i = 199999; i > 0; i--) {
        var tmp = 0;
        for (var j = 0; j < i; j++) {
            tmp += func_arg1['a'][0];
        }
        tmp % func_arg1['a'][2] == func_arg1['a'][1] && i < num && (num = i);
    }
    return num;
};

主要的运算逻辑在最后一块，是求最小的i，a[0]*i % a[2] = a[1]简化一下，写成python ，跑

# 100000 - 250000
while(True):
    a = requests.get("http://159.75.70.9:8081/pull?u=00000594E3FF0D82DA2B94E8A44213A4")
    b = json.loads(a.text)
    a = [477, 976, 179600] # [477, 976, 179600]
    t = b["t"]
    print(a,t)
    for i in range(0,199999):
        if((i * a[0])%a[2] == a[1]):
            a = i 
            break
    a = requests.get("http://159.75.70.9:8081/push?t="+t+"&a"+a)
    print(a.text)

250000 - 500000

上来就一大段JSFuck ，看得我眼睛疼

直接丢jsunfuck解，不行，分段解，得

window.A593C8B8 = async(_) => (($, _, __, ___, ____) => {
    let _____ = function * () {
        while ([]) yield[(_, __) => _ + __, (_, __) => _ - __, (_, __) => _ * __][++__ % (3)].bind(+[], ___, ____)
    }();
    let ______ = function (_____, ______, _______) {
        ____ = _____;
        ___ = ______next().value();
        __ == _["a"].length && _______(-___)
    };
    return new Promise(__ => _["a"].forEach(___ => $setTimeout(____ => ______(___, _____, __), ___)))
})(window, _, 0, 0, 0)

改改变量名

window.A593C8B8 = a = async(input) => (($,input,times,arg1,funCc)=>{
    let funCb = function*() {
        while ([]){
            yield[(input,times)=>input + times, (input,times)=>input - times, (input,times)=>input * times][++times % 3].bind(0, arg1, funCc)
        }
    }();
    let funCa = function(funCb, funCa, something) {
        funCc = funCb;
        arg1 = funCa.next().value();
        times == input.a.length && something(-arg1)
    };
    return new Promise(times=>input['a'].forEach(arg1=>$.setTimeout(funCc=>funCa(arg1, funCb, times), arg1)))
}
)(window, input, 0, 0, 0)

js的generator，放到控制台跑，看看结果，猜测是算法是

1	result = (((a[0] * -a[1]) +a[2] - a[3]) * a[4] + a[5] -a[6]) * -1

写脚本跑，发现答案错误。

噢，要先排序。。。

while(True):
    a = requests.get("http://159.75.70.9:8081/pull?u=00000594E3FF0D82DA2B94E8A44213A4")
    b = json.loads(a.text)
    a = b["a"]
    a.sort()
    t = b["t"]
    result = (((a[0] * -a[1]) +a[2] - a[3]) * a[4] + a[5] -a[6]) * -1
    a = requests.get("http://159.75.70.9:8081/push?t="+str(t)+"&a="+str(result))
    print(json.loads(a.text)["score"])

500000 - 1000000

这个阶段找不到代码了，以后要养成存代码的习惯= =

总之就是WebAssembly

搜索了资料，直接用wabt反编译，汇编看不大懂，那就再编译成C，丢IDA里看看

找到关键的运算逻辑：

__int64 __fastcall w2c_Run(unsigned int a1, int a2)
{
  unsigned int v4; // [rsp+20h] [rbp-20h]
  int v5; // [rsp+24h] [rbp-1Ch]
  unsigned int v6; // [rsp+28h] [rbp-18h]
  unsigned int v7; // [rsp+2Ch] [rbp-14h]
  unsigned int v8; // [rsp+30h] [rbp-10h]

  if ( ++wasm_rt_call_stack_depth > 0x1F4u )
    wasm_rt_trap(7LL);
  v5 = a2 - 1;
  if ( a2 != 1 )
  {
    do
    {
      v4 = a1;
      v6 = 0;
      v7 = 10;
      do
      {
        v8 = v4 % 0xA;
        v4 /= 0xAu;
        v6 = Z_MathZ_maxZ_iii(v8, v6);
        v7 = Z_MathZ_minZ_iii(v8, v7);
      }
      while ( v4 );
      a1 += v7 * v6;
      --v5;
    }
    while ( v5 );
  }
  --wasm_rt_call_stack_depth;
  return a1;
}

没多分析，直接改成Python代码，跑起来：

while(True):	
    a = requests.get("http://159.75.70.9:8081/pull?u=00000594E3FF0D82DA2B94E8A44213A4")
    b = json.loads(a.text)
    arg = b["a"]
    t = b["t"]
    a1 = arg[0]
    a2 = arg[1]
    v5 = 1000
    if ( a2 != 1 ):
        first_times = 0
        while(True):
            if (first_times == 0 or v5):
                first_times = first_times + 1 
                v4 = a1
                v6 = 0
                v7 = 10
                second_times = 0
                while(True):
                    if(second_times == 0 or v4):
                        second_times = second_times + 1
                        v8 = v4 % 10
                        v4 = int(v4 / 10)
                        v6 = max(v8, v6)
                        v7 = min(v8, v7)
                    else:
                        break
                a1 += v7 * v6
                v5 = v5 - 1
            else:
                break
    a = requests.get("http://159.75.70.9:8081/push?t="+str(t)+"&a="+str(a1))
    print(a.text)

1000000 - 2000000

var __TENCENT_CHAOS_STACK = function () {
    function __TENCENT_CHAOS_VM(f, e, c, r, l, g, s, a) {
        var n = !r;
        f = +f, e = e || [0], r = r || [
            [this],
            [{}]
        ], l = l || {};
        var t = [],
            o = null,
            u = [
                function () {
                    r[r.length - 2] = r[r.length - 2] | r.pop()
                }, , ,
                function () {
                    for (var o = e[f++], u = [], n = e[f++], t = e[f++], p = [], h = 0; h < n; h++) u[e[f++]] = r[e[f++]];
                    for (h = 0; h < t; h++) p[h] = e[f++];
                    r.push(function i() {
                        var n = u.slice(0);
                        n[0] = [this], n[1] = [arguments], n[2] = [i];
                        for (var t = 0; t < p.length && t < arguments.length; t++) 0 < p[t] && (n[p[t]] = [arguments[t]]);
                        return __TENCENT_CHAOS_VM(o, e, c, n, l, g, s, a)
                    })
                }, ,
                function () {
                    r.push(undefined)
                }, ,
                function () {
                    return !0
                },
                function () {
                    var n = r[r.length - 2];
                    n[0][n[1]] = r[r.length - 1]
                },
                function () {
                    r.push(!r.pop())
                }, , ,
                function () {
                    r.push([e[f++]])
                },
                function () {
                    r[r.length - 1] = e[f++]
                }, ,
                function () {
                    r[r.length - 2] = r[r.length - 2] % r.pop()
                },
                function () {
                    r.push("")
                },
                function () {
                    f = e[f++]
                }, , , , , , ,
                function () {
                    var n = r.pop();
                    r.push([r[r.pop()][0], n])
                },
                function () {
                    var n = e[f++];
                    r[n] = r[n] === undefined ? [] : r[n]
                }, , , , , ,
                function () {
                    var n = e[f++],
                        t = r[r.length - 2 - n];
                    r[r.length - 2 - n] = r.pop(), r.push(t)
                },
                function () {
                    var n = e[f++];
                    r[r.length - 1] && (f = n)
                },
                function () {
                    r.length = e[f++]
                },
                function () {
                    r[r.length - 2] = r[r.length - 2] >= r.pop()
                }, , ,
                function () {
                    r.pop()
                }, , , ,
                function () {
                    r[r[r.length - 2][0]][0] = r[r.length - 1]
                }, , ,
                function () {
                    r[r.length - 2] = r[r.length - 2] * r.pop()
                },
                function () {
                    r.push([c, r.pop()])
                }, , ,
                function () {
                    r.push(r[r.pop()[0]][0])
                }, , , ,
                function () {
                    var n = e[f++],
                        t = n ? r.slice(-n) : [];
                    r.length -= n;
                    var o = r.pop();
                    r.push(o[0][o[1]].apply(o[0], t))
                },
                function () {
                    r.push(r[e[f++]][0])
                }, ,
                function () {
                    r.push(e[f++])
                }, ,
                function () {
                    var n = r.pop();
                    r.push(n[0][n[1]])
                },
                function () {
                    r.push(r[r.length - 1])
                }, , , , ,
                function () {
                    r.length -= e[f++]
                }, ,
                function () {
                    var n = r.pop(),
                        t = r.pop();
                    r.push([t[0][t[1]], n])
                },
                function () {
                    r[r.length - 2] = r[r.length - 2] + r.pop()
                }, ,
                function () {
                    r[r.length - 1] += String.fromCharCode(e[f++])
                }
            ];
        for (0;;) try {
            for (var p = !1; !p;) p = u[e[f++]]();
            if (0, o) throw o;
            return n ? (r.pop(), r.slice(3 + __TENCENT_CHAOS_VM.v)) : r.pop()
        } catch (i) {
            0;
            var h = t.pop();
            if (h === undefined) throw i;
            o = i, f = h[0], r.length = h[1], h[2] && (r[h[2]][0] = o)
        }
    }
    __TENCENT_CHAOS_VM.v = 0;
    return __TENCENT_CHAOS_VM(0, [33, 3, 25, 2, 16, 68, 119, 68, 105, 68, 110, 68, 100, 68, 111, 68, 119, 45, 16, 68, 67, 68, 65, 68, 49, 68, 56, 68, 48, 68, 55, 68, 69, 68, 66, 65, 17, 2426, 33, 7, 25, 2, 25, 3, 25, 4, 25, 5, 25, 6, 12, 4, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 0, 52, 1, 41, 12, 5, 55, 0, 41, 31, 0, 12, 6, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 1, 52, 1, 41, 31, 0, 63, 6, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 0, 65, 57, 34, 9, 32, 123, 37, 17, 243, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 54, 68, 54, 68, 49, 68, 53, 68, 57, 68, 52, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 103, 12, 5, 55, 0, 41, 31, 0, 37, 37, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 1, 65, 57, 34, 9, 32, 272, 37, 17, 392, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 50, 68, 52, 68, 55, 68, 55, 68, 54, 68, 50, 68, 55, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 252, 12, 4, 58, 48, 53, 6, 66, 41, 31, 0, 12, 4, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 55, 0, 41, 31, 0, 12, 6, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 1, 52, 1, 41, 31, 0, 63, 8, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 2, 65, 57, 34, 9, 32, 511, 37, 17, 631, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 54, 68, 56, 68, 55, 68, 56, 68, 55, 68, 57, 68, 52, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 491, 12, 5, 55, 0, 41, 31, 0, 37, 37, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 3, 65, 57, 34, 9, 32, 660, 37, 17, 780, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 55, 68, 53, 68, 52, 68, 54, 68, 51, 68, 54, 68, 52, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 640, 12, 4, 58, 48, 53, 6, 66, 41, 31, 0, 12, 4, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 55, 0, 41, 31, 0, 12, 6, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 1, 52, 1, 41, 31, 0, 63, 8, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 4, 65, 57, 34, 9, 32, 899, 37, 17, 1019, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 50, 68, 57, 68, 57, 68, 49, 68, 57, 68, 49, 68, 57, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 879, 12, 5, 55, 0, 41, 31, 0, 37, 37, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 5, 65, 57, 34, 9, 32, 1048, 37, 17, 1168, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 50, 68, 49, 68, 56, 68, 50, 68, 54, 68, 52, 68, 51, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 1028, 12, 4, 58, 48, 53, 6, 66, 41, 31, 0, 12, 4, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 55, 0, 41, 31, 0, 12, 6, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 1, 52, 1, 41, 31, 0, 63, 8, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 6, 65, 57, 34, 9, 32, 1287, 37, 17, 1407, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 55, 68, 57, 68, 51, 68, 48, 68, 48, 68, 57, 68, 52, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 1267, 12, 5, 55, 0, 41, 31, 0, 37, 37, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 7, 65, 57, 34, 9, 32, 1436, 37, 17, 1556, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 52, 68, 52, 68, 52, 68, 56, 68, 54, 68, 49, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 1416, 12, 4, 58, 48, 53, 6, 66, 41, 31, 0, 12, 4, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 55, 0, 41, 31, 0, 12, 6, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 1, 52, 1, 41, 31, 0, 63, 8, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 8, 65, 57, 34, 9, 32, 1675, 37, 17, 1795, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 53, 68, 53, 68, 57, 68, 54, 68, 48, 68, 50, 68, 52, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 1655, 12, 5, 55, 0, 41, 31, 0, 37, 37, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 9, 65, 57, 34, 9, 32, 1824, 37, 17, 1944, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 54, 68, 50, 68, 52, 68, 54, 68, 56, 68, 55, 68, 51, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 1804, 12, 4, 58, 48, 53, 6, 66, 41, 31, 0, 12, 4, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 55, 0, 41, 31, 0, 12, 6, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 55, 1, 52, 1, 41, 31, 0, 63, 8, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 10, 65, 57, 34, 9, 32, 2063, 37, 17, 2183, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 56, 68, 55, 68, 50, 68, 54, 68, 57, 68, 48, 68, 57, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 2043, 12, 5, 55, 0, 41, 31, 0, 37, 37, 12, 5, 48, 12, 3, 16, 68, 97, 24, 55, 11, 65, 57, 34, 9, 32, 2212, 37, 17, 2332, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 53, 68, 56, 68, 49, 68, 49, 68, 55, 68, 55, 68, 51, 52, 1, 44, 41, 31, 0, 12, 6, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 12, 5, 58, 48, 58, 31, 1, 31, 0, 55, 1, 66, 41, 37, 13, 0, 31, 0, 0, 63, 5, 37, 17, 2192, 12, 4, 58, 48, 53, 6, 66, 41, 31, 0, 12, 4, 58, 48, 16, 68, 66, 68, 105, 68, 103, 68, 73, 68, 110, 68, 116, 45, 16, 68, 49, 68, 49, 68, 50, 68, 53, 68, 56, 68, 57, 68, 57, 68, 57, 68, 48, 68, 54, 68, 56, 68, 52, 68, 50, 68, 53, 68, 57, 68, 55, 52, 1, 15, 41, 31, 0, 16, 68, 112, 68, 97, 68, 114, 68, 115, 68, 101, 68, 73, 68, 110, 68, 116, 45, 53, 4, 52, 1, 7, 5, 7, 63, 4, 3, 38, 0, 1, 3, 8, 31, 0, 5, 7, 37, 37], window)
}();
__TENCENT_CHAOS_STACK.g = function () {
    return __TENCENT_CHAOS_STACK.shift()[0]
};

看到这代码愣了一会儿。。。

用javascript写的栈型虚拟机= =

我是没想到还能这么写

只能操作上打log，把数字改小了看看什么效果

发现是bytecode中存着12个数字，对应着每个输入的参数，然后还有一个大数，应该是避免溢出的模数。

数字是底数，输入的参数是指数

具体的算法不写出来了，看python：

import requests
import json,time
import math

def power(a, b):
    c = 1125899906842597
    res = 1
    a = a % c
    while (b):
        if (b & 1):
            res = (res * a) % c
        a = (a * a) % c
        b >>= 1
    return res

while(True):
    a = requests.get("http://159.75.70.9:8081/pull?u=00000594E3FF0D82DA2B94E8A44213A4")
    info = json.loads(a.text)
    a = []
    mod = 1125899906842597
    num = [3189791,9142623,8280866,8923375,3923204,6018905,7820930,3693364,4293459,7422123,8287107,1645950]
    group = info["a"]
    for i in range(len(group)):
        if(i % 2 == 0 and i != 12):
            a.append(power(num[i],group[i]))
            a[int(i/2)] = a[int(i/2)] * power(num[i+1],group[i+1])
    result = 0
    for i in a:
        result = (result + i) % mod
    print(result)
    a = requests.get("http://159.75.70.9:8081/push?t="+str(info["t"])+"&a="+str(result))
    print(a.text)

然而有几率会报错，应该是找数字时，解析出错了，还是要手动找出数字来解析= =

2000000 + 1

一开始看到的时候，觉得不是跟上一题一样嘛，ez

事实上是我太天真，

居然能套三层…

整整五天比赛时间，花了一半在这上面，比赛结束还没能解出来。。。

等wp吧。。。