CoR CTF REV Write Ups 262bcc8ed7ef80b1beb1fe81ada9b7b6

CoRCTF 2025 Rev Write Up

Challenges

rev/tagme
rev/purely-functional-oop
rev/roll
rev/whatever-floats-your-boat

Tagme

Description:

tag, you’re it! g, you’re it!tag Update: the flag does not contain the letter ‘p’

Download: tagme

Summary:

General idea for this challenge is you have a flag checker that works by taking in an input, growing the flag via an expansion look up table, finally the flag is checked to the same enqueue point as dequeue. There are several parts to this challenge that make it interesting lets start with the main function:

1
void __fastcall __noreturn main(int a1, char **a2, char **a3)
2
{
3
  char c; // [rsp+3h] [rbp-3Dh]
4
  char *lineptr; // [rsp+8h] [rbp-38h] BYREF
5
  size_t n; // [rsp+10h] [rbp-30h] BYREF
6
  unsigned __int64 i; // [rsp+18h] [rbp-28h]
7
  __ssize_t v7; // [rsp+20h] [rbp-20h]
8
  char *flag; // [rsp+28h] [rbp-18h]
9
  unsigned __int64 v9; // [rsp+30h] [rbp-10h]
10
  unsigned __int64 v10; // [rsp+38h] [rbp-8h]
11

12
  v10 = __readfsqword(0x28u);
13
  puts("Enter flag:");
14
  lineptr = 0;
15
  n = 0;
16
  v7 = getline(&lineptr, &n, stdin);
17
  if ( v7 == -1 )
18
    print("Illiterate");
19
  if ( v7 <= 8 )
20
    print("Short");
21
  if ( v7 > 39 )
22
    print("Long");
23
  if ( strncmp("corctf{", lineptr, 7u) )
24
    print("Ineligible");
25
  if ( strncmp("}\n", &lineptr[v7 - 2], 2u) )
26
    print("Ineligible");
27
  set_up();
28
  flag = lineptr + 7;
29
  v9 = v7 - 9;
30
  for ( i = 0; i < v9; ++i )
31
  {
32
    c = flag[i];
33
    if ( (i & 1) != 0 )
34
    {
35
      if ( i % 6 > 3 )
36
      {
37
        if ( c <= 'p' )
38
          print("Forbidden");
39
      }
40
      else if ( c <= 'k' || c == 's' )
41
      {
42
        print("Forbidden");
43
      }
44
    }
45
    else if ( c == 'c' || c > 'l' )
46
    {
47
      print("Forbidden");
48
    }
49
    enque(c);
50
  }
51
  while ( !(unsigned int)final_check() )
52
    ;
53
  print("Boring");
54
}

The very first thing we see is the size of our flag has to be between 8 and 39. Starts with corctf{ , and ends with } all standard. From there we have have a loop that will take our flag after the flag format with several checks:
- First we break up the code by odd or evens using (i & 1) != 0 from there we have an extra check to see if the character is odd and at an index greater then 3, the character p is not allowed and if its less then or equal to 3 it must be a character greater than k and not s.
- Second the even indices can’t be c or greater then l

This leads us to the renamed final_check function:

before we get to this function we should check out 2 key functions that do a bit of setup for the final_check

setup()

1
void *set_up()
2
{
3
  read = 0;
4
  write = 0;
5
  return memset(flag_buff, 0, sizeof(flag_buff)); //this is 4600 in size
6
}

This function is allocating the buffer for our custom data structure used for flag expansion

enque()

1
__int64 __fastcall enque(char c)
2
{
3
  __int64 result; // rax
4

5
  flag_buff[write] = c;
6
  if ( ++write == 4600 )                        // wrap around
7
    write = 0;
8
  result = read;
9
  if ( write == read )
10
    pass("Interesting");
11
  return result;
12
}

Now this gets to the core of the code base, our entire custom buffer is more or less a ring queue, which in plain english means we can enqueue/dequeue like a normal queue but we also will wrap around when we pass the 4600 buff limit. Here we also have the pass case for our code if we are enqueueing the code and it has the same location as the read we are done.

Now lets move on to final check:

1
__int64 final_check()
2
{
3
  size_t len; // rax
4
  char val; // [rsp+Ah] [rbp-26h]
5
  char val2; // [rsp+Bh] [rbp-25h]
6
  int i; // [rsp+Ch] [rbp-24h]
7
  size_t j; // [rsp+10h] [rbp-20h]
8
  __int64 idx; // [rsp+18h] [rbp-18h]
9
  char *new_val; // [rsp+28h] [rbp-8h]
10

11
  if ( queue_emppty() )
12
    return 1;
13
  val = deque();
14
  idx = look_up(val);                           // returns the tabel's index here
15
  if ( idx == -1 )                              // look up failed
16
    print("Bizzare");
17
  for ( i = 1; i <= 1; ++i )
18
  {
19
    if ( queue_emppty() )
20
      return 1;
21
    val2 = deque();
22
    if ( look_up(val2) == -1 )
23
      print("Bizzarre");
24
  }
25
  new_val = (char *)*((_QWORD *)&flag_mappings + 2 * idx + 1);
26
  j = 0;
27
  for ( len = strlen(new_val); j < len; len = strlen(new_val) )
28
    enque(new_val[j++]);                        // per char
29
  return 0;
30
}

The queue_empty checks are pretty straight forward they are there to see if you fucked up

Now lets go on to our deque() logic:

1
__int64 deque()
2
{
3
  unsigned __int8 c; // [rsp+Fh] [rbp-1h]
4

5
  if ( read == write )
6
    fail("Dry");
7
  c = flag_buff[read];
8
  if ( ++read == 4600 )                         // read location
9
    read = 0;                                   // wrap around
10
  return c;
11
}

pretty standard, same idea really we read from the start like a normal queue if we ever hit the end we will wrap around. Our fail case here is if the read and write ptrs are at the same location during the dequeue process.

Now on to the look up function look_up()

1
__int64 __fastcall look_up(char a1)
2
{
3
  unsigned __int64 i; // [rsp+Ch] [rbp-8h]
4

5
  for ( i = 0; i <= 9; ++i )                    // 10 mappings
6
  {
7
    if ( a1 == *((_BYTE *)&flag_mappings + 16 * i) )
8
      return i;
9
  }
10
  return -1;
11
}

1
flag_mappings =  {
2
    'a': "ns",
3
    'b': "jjj",
4
    'n': "a",
5
    'd': "q",
6
    'p': "cor",
7
    'f': "gg",
8
    's': "aaa",
9
    'e': "tt",
10
    'j': "gg",
11
    'c': "flag",
12
}

The look up data struct is fairly simple, there are 10 mappings, the first character of every mapping is our “key”/input var. The mappings as such then start from the 8th byte and vary in size.
- The look up function doesn’t give back the mapping just gives you the idx of the key char you want to look use.

Going back to the final check logic:

1
  for ( i = 1; i <= 1; ++i )
2
  {
3
    if ( queue_emppty() )
4
      return 1;
5
    val2 = deque();
6
    if ( look_up(val2) == -1 )
7
      print("Bizzarre");
8
  }

This function will result in the code wasting the second character, it’s never added back but it’s checked for validity

Finally our mapping is added back into the code base:

1
  new_val = (char *)*((_QWORD *)&flag_mappings + 2 * idx + 1);
2
  j = 0;
3
  for ( len = strlen(new_val); j < len; len = strlen(new_val) )
4
    enque(new_val[j++]);
5
  return 0;

Alright now what exactly do we need to actually pass this flag checker then?
1. write == read during the enqueue
2. write ≠ read during the dequeue
3. we must be valid in the char index checks
  1. odd index > 3
    1. p banned
  2. odd index ≤ 3
    1. char > k and not s
  3. even index
    1. char > l and not c

If we just simulate/brute force this:

1
CAP = 4600
2

3
MAPPING = {
4
    'a': "ns",
5
    'b': "jjj",
6
    'n': "a",
7
    'd': "q",
8
    'p': "cor",
9
    'f': "gg",
10
    's': "aaa",
11
    'e': "tt",
12
    'j': "gg",
13
    'c': "flag",
14
}
15

16
class Ring:
17
    def __init__(self, cap):
18
        self.buf = ['\x00'] * cap
19
        self.read = 0
20
        self.write = 0
21
        self.cap = cap
22
        self.size = 0
23
        self.done = False
24
    def enqueue(self, ch):
25
        self.buf[self.write] = ch
26
        self.write += 1
27
        if self.write == self.cap:
28
            self.write = 0
29
        self.size += 1
30
        if self.write == self.read:
31
            print("solved")
32
            self.done = True
33
    def empty(self):
34
        return self.size == 0
35
    def dequeue(self):
36
        if self.empty():
37
            raise RuntimeError("Dry")
38
        v = self.buf[self.read]
39
        self.read += 1
40
        if self.read == self.cap:
41
            self.read = 0
42
        self.size -= 1
43
        return v
44

45
SYMS = list(MAPPING.keys())
46

47
def look_up(ch):
48
    try:
49
        return SYMS.index(ch)
50
    except ValueError:
51
        return -1
52

53
def final_check_step(ring):
54
    if ring.empty():
55
        return 1
56
    val = ring.dequeue()
57
    idx = look_up(val)
58
    s = MAPPING[SYMS[idx]] if idx != -1 else None
59
    if ring.empty():
60
        return 1
61
    _ = ring.dequeue()
62
    if s:
63
        for ch in s:
64
            ring.enqueue(ch)
65
    return 0
66

67
def flag_seed():
68
    out = []
69
    for i in range(27):
70
        if i % 2 == 0:
71
            out.append('a')
72
        else:
73
            if i % 6 > 3:
74
                out.append('s')
75
            else:
76
                out.append('n')
77
    return ''.join(out)
78

79
def find(seed_inner, report_every=100, max_steps=10_000_000):
80
    ring = Ring(CAP)
81
    for ch in seed_inner:
82
        ring.enqueue(ch)
83
    steps = 0
84
    while ring.done == False and steps < max_steps:
85
        final_check_step(ring)
86
        steps += 1
87
    return ring.done, steps
88

89
def main():
90
    seed = flag_seed()
91
    ok, steps = find(seed)
92
    if ok:
93
        print("full input", "corctf{" + seed + "}")
94
    else:
95
        print("did not solve")
96

97
if __name__ == "__main__":
98
    main()

Purely-functional-oop

Description:

The purest programming language you’ve ever seen, transpiling into google sheets!

Download: chall.tar.gz

Summary:

General idea for this challenge is you are given a custom programming language compiler, it compiles a fairly simple object oriented programming language into the functional programming language format of google sheets.

The challenge ended up having an unintended solve method that was far easier than this and had to do with Google Sheets type confusion. Given the fact that the exploit code is 2 lines, I am going to stick with the intended solution for this write up.

The challenge is to somehow pass the impossible Fermat’s Last Theorem ie $a^3+b^3 = c^3$

1
CHALL_CODE = """
2
    fn _pow(curr_val, exp_base, exponent) {
3
        let done = exponent.equals(0);
4
        return done ? curr_val : _pow(curr_val.times(exp_base), exp_base, exponent.minus(1));
5
    }
6

7
    fn pow(exp_base, exponent) {
8
        return _pow(1, exp_base, exponent);
9
    }
10

11
    fn nonzero(x) {
12
        return x.notEquals(0).and(0.notEquals(x));
13
    }
14

15
    fn isInteger(x) {
16
        let sign_val = x.greaterThan(0) ? 1 : -1;
17
        let absVal = sign_val.times(x);
18

19
        let exactlyZero = absVal.equals(0);
20
        let isDecimal = absVal.greaterThan(0).and(absVal.lessThan(1));
21
        return exactlyZero ? true : (isDecimal ? false : isInteger(absVal.minus(1)));
22
    }
23

24
    class Challenge {
25
        constructor() {
26
            let this.n = 3;
27
            let this.flag = """ + f'"{FLAG}"' + """;
28
        }
29

30
        fn verifySolution(a, b, c) {
31
            let nonzeroInput = nonzero(a).and(nonzero(b)).and(nonzero(c));
32
            let integerInput = isInteger(a).and(isInteger(b)).and(isInteger(c));
33
            let satisfiesTheorem = pow(a, this.n).plus(pow(b, this.n)).equals(pow(c, this.n));
34

35
            let accepted = nonzeroInput.and(integerInput).and(satisfiesTheorem);
36
            return accepted ? this.flag : "Solution rejected";
37
        }
38
    }
39

40
"""

This also gives us a look into the actual format of the custom programming language, we can see how its OOP in nature given the fact you need a constructor and classes to write code.
- the only other interesting part of this checker is the build order:

1
    challenge_code = CHALL_CODE + str(user_code)
2
    compiled_code = compile_code(challenge_code)
3
    result = execute_formula(compiled_code)

our code is added after the challenge code

For the sake of everyone’s sanity I will not be pasting in the entire compiler but let’s go ahead and pick the interesting parts for the intended exploit. The first thing that should catch your eye and probably AI’s as a bug in the code base is the definition of greaterThanOrEquals being incorrect. This takes place while the code is defining the default functions the user has at their disposal.

1
    compiled_result = f"""
2
    =LET(
3
        _raise_error_internal, LAMBDA(LAMBDA(a, a)("illegal", "syntax")),
4
        _message_match, LAMBDA(expected, LAMBDA(actual,
5
            IFERROR((actual = expected), FALSE)
6
        )),
7

8
        make_builtin_bootstrap, LAMBDA(f, LAMBDA(raw,
9
            LAMBDA(_message,
10
                IF(_message_match("_rawVal")(_message),
11
                    raw,
12
                IF(_message_match("plus")(_message),
13
                    LAMBDA(rhs, f(f)(raw + rhs("_rawVal"))),
14
                IF(_message_match("minus")(_message),
15
                    LAMBDA(rhs, f(f)(raw - rhs("_rawVal"))),
16
                IF(_message_match("times")(_message),
17
                    LAMBDA(rhs, f(f)(raw * rhs("_rawVal"))),
18
                IF(_message_match("divide")(_message),
19
                    LAMBDA(rhs, f(f)(raw / rhs("_rawVal"))),
20
                IF(_message_match("equals")(_message),
21
                    LAMBDA(rhs, f(f)(raw = rhs("_rawVal"))),
22
                IF(_message_match("notEquals")(_message),
23
                    LAMBDA(rhs, f(f)(raw <> rhs("_rawVal"))),
24
                IF(_message_match("and")(_message),
25
                    LAMBDA(rhs, f(f)(AND(raw, rhs("_rawVal")))),
26
                IF(_message_match("or")(_message),
27
                    LAMBDA(rhs, f(f)(OR(raw, rhs("_rawVal")))),
28
                IF(_message_match("xor")(_message),
29
                    LAMBDA(rhs, f(f)(XOR(raw, rhs("_rawVal")))),
30
                IF(_message_match("lessThan")(_message),
31
                    LAMBDA(rhs, f(f)(raw < rhs("_rawVal"))),
32
                IF(_message_match("lessThanOrEquals")(_message),
33
                    LAMBDA(rhs, f(f)(raw <= rhs("_rawVal"))),
34
                IF(_message_match("greaterThan")(_message),
35
                    LAMBDA(rhs, f(f)(raw > rhs("_rawVal"))),
36
                IF(_message_match("greaterThanOrEquals")(_message),
37
                    LAMBDA(rhs, f(f)(raw <= rhs("_rawVal"))),
38
                IF(_message_match("negate")(_message),
39
                    f(f)(NOT(raw)),
40
                IF(_message_match("factorial")(_message),
41
                    f(f)(FACT(raw)),
42
                IF(_message_match("log")(_message),
43
                    f(f)(LOG(raw)),
44
                IF(_message_match("concat")(_message),
45
                    LAMBDA(rhs, f(f)(CONCAT(raw, rhs("_rawVal")))),
46
                _raise_error_internal()
47
                ))))))))))))))))))
48
            )
49
        )),
50

51
        make_builtin, (make_builtin_bootstrap) (make_builtin_bootstrap),
52

53
        {program_code}("_rawVal")
54
    )
55
    """
56
    return compiled_result

By itself this bug doesn’t do a whole lot for us this conditional isn’t actually used in the check and it being wrong mean little to us. That means we have to some how combine it into a meaningful exploit

Anyway lets move on to the next intersting part of the code base:

1
RESERVED_KEYWORDS = { "class", "fn", "constructor", "let", "return", "new", "this", "true", "false", "_f", "_message", "_constructor", "_message_match", "_raise_error_internal" }
2
def ensure_valid_name(variable_name, allow_this=False):
3
    # make sure the variable name is not a spreadsheet cell reference (e.g. "A1", "AA12", etc.)
4
    # using regex to elimiate these invalid names of [a-zA-Z]+[0-9]+, which is the valid identifier pattern
5
    if re.match(r"^[a-zA-Z]+[0-9]+$", variable_name):
6
        raise SyntaxError(f"Invalid symbol name matches cell ID, try adding an underscore: {variable_name}")
7
    if variable_name == "this":
8
        if not allow_this:
9
            raise SyntaxError("The 'this' keyword can only be used in class definitions")
10
    elif variable_name in RESERVED_KEYWORDS:
11
        raise SyntaxError(f"Variable name matches reserved keyword: {variable_name}")
12
    return variable_name
13

14
def ensure_statement_node(statement_node):
15
    if statement_node.data != "statement":
16
        raise SyntaxError(f"Expected 'statement', got {statement_node.data}")
17
    return statement_node

Given the fact we are in google sheets at the end of the day if we can call out of the programming language that obviously means we can do things we aren’t allowed to and because of that there is an imposed filter system in the compiler that prevents certain words and values from being used. This includes keywords in the programming language that could break the compiler as well as values to access the google sheets cells.
While this seems pretty strong at first glance a pretty interesting compiler primitive is left in that we are able to use the "_rawVal" tag is seemingly forgotten in the restrictions. The other key tag that is forgotten here is the and function call which we are able to redefine as well.

What actually is _rawVal?

given its usage in the generation of the programming language primitives we get a good idea what it actually ends up being used for:

1
IF(_message_match("plus")(_message),
2
    LAMBDA(rhs, f(f)(raw + rhs("_rawVal"))),

here we can get a pretty good idea its used to actually query the raw google sheets value of an object in the custom programming language.

Lets check one more example really quick:

1
    elif expression_type == "ternary_expression":
2
        condition = parse_expression(expression_node.children[0], scope, outer_name)
3
        true_branch = parse_expression(expression_node.children[1], scope, outer_name)
4
        false_branch = parse_expression(expression_node.children[2], scope, outer_name)
5
        return f"IF({condition}(\"_rawVal\"), {true_branch}, {false_branch})"

if we compile the following:

1
PAYLOAD = r'''
2
let x = 1;
3
let result = x.greaterThan(5) ? "big" : "small";
4
return x.notEquals(0);
5
'''

we get the following compiler result:

1
IF(accepted("_rawVal"), this_flag, make_builtin("Solution rejected"))
2
)
3
                ),
4
            _raise_error_internal())
5
                )
6
            ))
7
        )),
8
        bootstrap_new_Challenge, LAMBDA(_f, LAMBDA( class_Challenge(LAMBDA( (LAMBDA(_message, _f(_f)()(_message))))) (LAMBDA(_message, _f(_f)()(_message))) ())),
9
        new_Challenge, (bootstrap_new_Challenge) (bootstrap_new_Challenge),
10
        x, make_builtin(1),
11
result, IF(x("greaterThan")(make_builtin(5))("_rawVal"), make_builtin("big"), make_builtin("small")),
12

13
x("notEquals")(make_builtin(0))
14
("_rawVal")

Here we can see that the conditional check using the IF google sheets command requires _rawVal again this because it’s used to bring the logic down the google sheets level.

Well with all of that out of the way how can we actually exploit the check? Well lets think about this, what exactly is preventing us from passing the check atm

no real number other then 0 will ever pass it
we can’t pass in zero

This means our goal more or less is to somehow get the 0 value into the system and we win. How do we do that? well we use the fact we have access to using a primitive we shouldn’t have access to allow us to pass in zero.

1
class Truth {
2
    constructor() { }
3

4
    fn and(rhs) {
5
        return new Truth();
6
    }
7

8
    fn _rawVal() {
9
        return true._rawVal();
10
    }
11
}
12

13
class Sneaky {
14
    constructor() { }
15

16
    fn notEquals(rhs) {
17
        return new Truth();
18
    }
19

20
    fn greaterThan(rhs) {
21
        return new Truth();
22
    }
23

24
    fn _rawVal() {
25
        return 0._rawVal();
26
    }
27
}
28

29
let ch = new Challenge();
30
return ch.verifySolution(new Sneaky(), 0, 0);

Lets go ahead and break this down

Our Truth class does two things for us
- we are able to define it as always being true, how exactly does this work? well since we are able to redefine the _rawVal() per class given its not restricted we just say that whenever _rawVal is called on this object we return true.
- next we need to see how exactly the check works:

1
fn verifySolution(a, b, c) {
2
    let nonzeroInput = nonzero(a).and(nonzero(b)).and(nonzero(c));
3
    let integerInput = isInteger(a).and(isInteger(b)).and(isInteger(c));
4
    let satisfiesTheorem = pow(a, this.n).plus(pow(b, this.n)).equals(pow(c, this.n));
5

6
    let accepted = nonzeroInput.and(integerInput).and(satisfiesTheorem);
7
    return accepted ? this.flag : "Solution rejected";
8
}

So what exactly does our check here do? lets break it down we are going to pass in the a value and then do an and chain against the other values. This is then used to validate everything finally by anding the results to check if everything is positive.
So this explains the second part of our Truth class by causing the and value to always equal back to Truth() during an and allows us to cause the code to forcibly result in everything returning true.

Now we get on to the Sneaky Class here we are actually tricking the integerInput, nonzeroInput and satisfiesTheorem custom functions that the solver class ends up defining. Remember if we can pass this on our first input we use the fake and to chain truth allowing us to win.

1
    fn _pow(curr_val, exp_base, exponent) {
2
        let done = exponent.equals(0);
3
        return done ? curr_val : _pow(curr_val.times(exp_base), exp_base, exponent.minus(1));
4
    }
5

6
    fn pow(exp_base, exponent) {
7
        return _pow(1, exp_base, exponent);
8
    }
9

10
    fn nonzero(x) {
11
        return x.notEquals(0).and(0.notEquals(x));
12
    }
13

14
    fn isInteger(x) {
15
        let sign_val = x.greaterThan(0) ? 1 : -1;
16
        let absVal = sign_val.times(x);
17

18
        let exactlyZero = absVal.equals(0);
19
        let isDecimal = absVal.greaterThan(0).and(absVal.lessThan(1));
20
        return exactlyZero ? true : (isDecimal ? false : isInteger(absVal.minus(1)));
21
    }

isInteger
- we need to pass greaterThan check
nonzero
- we need to pass notEquals check
pow
- we need the actual numeric value of the object to equal 0 when called
  - ie _rawVal

When we combine this all together we get our exploit, a single class that is able to trick the code base into thinking the internal checks are true, and after doing so will result in an and truth chaining to pass the final verfication check which is also an and truth chain xD

Roll

Description:

Roll with the flow wait that’s not the right phrase…

Download: roll_vm and program1.txt

Summary:

we love vms we love vms we love vms
- Tldr: this is a vm, it does vm things, the vm rolls its register/ie behaves in a self modifying manner, the vm has an inf loop at the start !

Lets go through the code base, honestly everything happens in this single function:

1
__int64 __fastcall MAIN(int argc, __int64 argv, __int64 a3, __int64 a4, __int64 a5, __int64 a6)
2
{
3
  unsigned __int64 ip; // rbx
4
  __int128 *v8; // rbp
5
  bool v9; // cf
6
  __int64 v10; // rax
7
  __int64 v11; // rax
8
  __m128d v12; // xmm0
9
  __int64 v13; // rbx
10
  int cnt; // ebx
11
  int cnt_2; // ebx
12

13
  if ( argc <= 1 )
14
  {
15
    print("Expected filename as first arg");
16
    vm_exit(1);
17
  }
18
  if ( argc == 10 )
19
  {
20
    cnt = 10;
21
    do
22
    {
23
      vm_fake(2, (__int64)"corctf{", a3, a4, a5, a6);
24
      --cnt;
25
    }
26
    while ( cnt );
27
    cnt_2 = 10;
28
    print("corctf 2025 easter egg");
29
    do
30
    {
31
      print("ragebait");
32
      --cnt_2;
33
    }
34
    while ( cnt_2 );
35
start:
36
    vm_exit(1);
37
  }
38
  vm_load_program(*(_QWORD *)(argv + 8));
39
  vm_init_state();
40
  ip = r1;
41
  if ( (unsigned __int64)r1 >= program_len )
42
  {
43
error:
44
    print("VM error");
45
    goto start;
46
  }
47
  while ( 2 )
48
  {
49
    switch ( *(_BYTE *)(data + ip) )
50
    {
51
      case 0:
52
        v8 = &r1;
53
        j_ifunc_415100(&r1, (char *)&r1 + 8, 24);
54
        *(_QWORD *)&r1 = r1 - 1;
55
        *((_QWORD *)&r2 + 1) = ip;
56
        goto dealloc;
57
      case 1:
58
        v13 = *((_QWORD *)&r2 + 1);
59
        v8 = &r1;
60
        j_ifunc_415100((char *)&r1 + 8, &r1, 24);
61
        *(_QWORD *)&r1 = v13;
62
        goto dealloc;
63
      case 2:
64
        v12 = (__m128d)_mm_loadu_si128((const __m128i *)((char *)&r1 + 8));
65
        v8 = &r1;
66
        *(__int128 *)((char *)&r1 + 8) = (__int128)_mm_shuffle_pd(v12, v12, 1);
67
        goto dealloc;
68
      case 3:
69
        v11 = *((_QWORD *)&r1 + 1);
70
        v8 = &r1;
71
        *((_QWORD *)&r1 + 1) = *((_QWORD *)&r2 + 1);
72
        *((_QWORD *)&r2 + 1) = v11;
73
        goto dealloc;
74
      case 4:
75
        v8 = &r1;
76
        *((_QWORD *)&r1 + 1) = r2;
77
        goto dealloc;
78
      case 5:
79
        v8 = &r1;
80
        *((_QWORD *)&r1 + 1) += r2;
81
        goto dealloc;
82
      case 6:
83
        v8 = &r1;
84
        *((_QWORD *)&r1 + 1) -= r2;
85
        goto dealloc;
86
      case 7:
87
        v8 = &r1;
88
        *((_QWORD *)&r1 + 1) *= (_QWORD)r2;
89
        goto dealloc;
90
      case 8:
91
        v8 = &r1;
92
        *((_QWORD *)&r1 + 1) /= (unsigned __int64)r2;
93
        goto dealloc;
94
      case 9:
95
        v8 = &r1;
96
        *((_QWORD *)&r1 + 1) %= (unsigned __int64)r2;
97
        goto dealloc;
98
      case 0xA:
99
        v8 = &r1;
100
        *((_QWORD *)&r1 + 1) = 0;
101
        goto dealloc;
102
      case 0xB:
103
        ++*((_QWORD *)&r1 + 1);
104
        v8 = &r1;
105
        goto dealloc;
106
      case 0xC:
107
        --*((_QWORD *)&r1 + 1);
108
        v8 = &r1;
109
        goto dealloc;
110
      case 0xD:
111
        v10 = qword_4ACB30;
112
        if ( (unsigned __int64)qword_4ACB30 > 0x7FF )
113
        {
114
          print("Stack overflow");
115
          vm_exit(1);
116
        }
117
        v8 = &r1;
118
        ++qword_4ACB30;
119
        *(_QWORD *)(vm_stack_mem + 8 * v10) = *((_QWORD *)&r1 + 1);
120
        goto dealloc;
121
      case 0xE:
122
        if ( !qword_4ACB30 )
123
        {
124
          print("Stack underflow");
125
          vm_exit(1);
126
        }
127
        v8 = &r1;
128
        --qword_4ACB30;
129
        *((_QWORD *)&r1 + 1) = *(_QWORD *)(vm_stack_mem + 8 * qword_4ACB30);
130
        goto dealloc;
131
      case 0xF:
132
        v8 = &r1;
133
        *((_QWORD *)&r1 + 1) = (int)fgetc((__int64)off_4AB6D8);
134
        goto dealloc;
135
      case 0x10:
136
        sub_407E40((unsigned int)SBYTE8(r1), off_4AB6D0);
137
        goto LABEL_7;
138
      case 0x11:
139
LABEL_7:
140
        v8 = &r1;
141
dealloc:
142
        ip = *(_QWORD *)v8 + 1LL;
143
        v9 = ip < program_len;
144
        *(_QWORD *)v8 = ip;
145
        if ( !v9 )
146
          goto error;
147
        continue;
148
      case 0x12:                                // s - HALT
149
        free(data);
150
        free(vm_stack_mem);
151
        return 0;
152
    }
153
  }
154
}

This function is the primary iterator which ends up doing all of the op-code level logic but before the iterator in the function we actually have the VM init logic as well as the iterator into the program code via the fake programming language. This is mostly just so our code base can understand the fake programming language layer ie all the letters in the input file:

1
vm2 % xxd program1.txt
2
00000000: 6c6e 636b 6d63 696e 6b6e 6c63 6f66 6e6b  lnckmcinknlcofnk
3
00000010: 6c6c 6863 6f66 6e6b 6c6c 6863 6f66 6e6b  llhcofnkllhcofnk
4
00000020: 6c6c 6863 6f66 6e6b 6c6c 6863 6f63 656d  llhcofnkllhcocem
5
00000030: 6d6d 6d6d 6863 6f68 636f 6361 7372 6c73  mmmmhcohcocasrls
6
00000040: 7366 6b6d 6c6a 6d67 6c64 6e6d 6371 6c6d  sfkmljmgldnmcqlm
7
00000050: 6d6a 616c 646f 6866 6b6f 6967 7263 7173  mjaldohfkoigrcqs
8
00000060: 6263 6e62 6167 716c 7162 6764 6a67 6c6c  bcnbagqlqbgdjgll
9
00000070: 6c6c 6c6c 6c6c 716d 6d6d 6d6d 6d63 6561  llllllqmmmmmmcea
10
00000080: 626f 736b 616b 6e73 6872 6272 6a67 6671  boskaknshrbrjgfq
11
00000090: 7171 6662 7073 6b6e 6c63 6b6c 6c68 636b  qqfbpsknlckllhck
12
000000a0: 6c6c 6863 6b6c 6c68 636f 666e 6b6c 6c68  llhckllhcofnkllh
13
000000b0: 636f 666e 6b6c 6c68 636b 6c6c 6863 6f66  cofnkllhckllhcof
14
000000c0: 6e6b 6c6c 6863 6f66 6e6b 6c6c 6863 6f66  nkllhcofnkllhcof
15
000000d0: 6e6b 6c6c 6863 6f66 6e6b 6c6c 6863 6f66  nkllhcofnkllhcof

This ends up getting interpreted into the switch case program counter via the following function:

1
__int64 __fastcall vm_load_program(__int64 file)
2
{
3
  __int64 data_ptr; // rax
4
  __int64 file_ptr; // rbp
5
  __int64 final_post; // rbx
6
  __int64 v4; // rax
7
  char *v5; // r12
8
  char *p; // rdx
9
  __int64 decode_len; // rcx
10
  unsigned int val; // eax
11

12
  data_ptr = read(file, "rb");
13
  if ( !data_ptr )
14
  {
15
    print("Failed to open file");
16
    vm_exit(1);
17
  }
18
  file_ptr = data_ptr;
19
  ((void (__fastcall *)(__int64, _QWORD, __int64))file_seek_locked)(data_ptr, 0, 2);
20
  final_post = ((__int64 (__fastcall *)(__int64))ftell)(file_ptr);
21
  ((void (__fastcall *)(__int64))flush_reset)(file_ptr);
22
  v4 = sub_413180(final_post);
23
  v5 = (char *)v4;
24
  if ( !v4
25
    || (sub_405990(v4, 1, final_post, file_ptr), program_len = final_post, (program = calloc(final_post, 1)) == 0) )
26
  {
27
    print("Failed to allocate required data");
28
    vm_exit(1);
29
  }
30
  if ( final_post <= 0 )
31
  {
32
    decode_len = 0;
33
  }
34
  else
35
  {
36
    p = v5;
37
    decode_len = 0;
38
    do
39
    {
40
      val = *p - 'a';
41
      if ( val <= 0x12 )
42
        *(_BYTE *)(program + decode_len++) = val;
43
      ++p;
44
    }
45
    while ( &v5[final_post] != p );
46
  }
47
  program_len = decode_len;
48
  return free(v5);
49
}

The code here ends up being stored in the global var program
- we can see how it does a simple set up for the numeric case swaps by subtracting a .

Now its time to make a quick mapping for all the opcodes (standard VM practice):

1
OPCODES = [
2
    ("CALL",    "a"), #0
3
    ("RET",     "b"),
4
    ("SWAP_AB", "c"),
5
    ("SWAP_AC", "d"),
6
    ("MOV_A_B", "e"),
7
    ("ADD",     "f"),
8
    ("SUB",     "g"),
9
    ("MUL",     "h"),
10
    ("DIVU",    "i"),
11
    ("MODU",    "j"),
12
    ("ZERO",    "k"),
13
    ("INC",     "l"),
14
    ("DEC",     "m"),
15
    ("PUSH",    "n"),
16
    ("POP",     "o"),
17
    ("GETC",    "p"),
18
    ("PUTC",    "q"),
19
    ("NOP",     "r"),
20
    ("HALT",    "s"), # 18
21
]

if you want to be really smart 🤓 you can just set up the char mappings using the idx and adding ord(a) but like readability or smth

I ended up making a quick VM interpreter and saw that the code end up running forever. I tried the actual given binary and same story, this crap was running for ages and never going anywhere. Which lead me to make a simple gdb script to check if my vm was the same as remote:

set logging file execution_log.txt
set logging enabled on
echo Logging execution to execution_log.txt\n

# Function to map RAX values to case labels
define map_case
    set $rax_val = $arg0
    if $rax_val == 0x401c90
        printf "Case 0x0\n"
    end
    if $rax_val == 0x401c65
        printf "Case 0x1\n"
    end
    if $rax_val == 0x401c45
        printf "Case 0x2\n"
    end
    if $rax_val == 0x401c1d
        printf "Case 0x3\n"
    end
    if $rax_val == 0x401c03
        printf "Case 0x4\n"
    end
    if $rax_val == 0x401be9
        printf "Case 0x5\n"
    end
    if $rax_val == 0x401bc8
        printf "Case 0x6\n"
    end
    if $rax_val == 0x401ba6
        printf "Case 0x7\n"
    end
    if $rax_val == 0x401b83
        printf "Case 0x8\n"
    end
    if $rax_val == 0x401b60
        printf "Case 0x9\n"
    end
    if $rax_val == 0x401b4b
        printf "Case 0xa\n"
    end
    if $rax_val == 0x401b37
        printf "Case 0xb\n"
    end
    if $rax_val == 0x401b23
        printf "Case 0xc\n"
    end
    if $rax_val == 0x401ae7
        printf "Case 0xd\n"
    end
    if $rax_val == 0x401ab1
        printf "Case 0xe\n"
    end
    if $rax_val == 0x401a93
        printf "Case 0xf\n"
    end
    if $rax_val == 0x401a48
        printf "Case 0x10\n"
    end
    if $rax_val == 0x401a5b
        printf "Case 0x11\n"
    end
    if $rax_val == 0x401a30
        printf "Case 0x12\n"
    end
end

# Set breakpoint at jmp rax (0x401a2a)
break *0x401a2a
commands
    silent
    printf "[RIP=0x%lx] JMP RAX -> 0x%lx, EAX=0x%x, [RDI+RBX]=0x%x\n", $rip, $rax, $eax, *(unsigned char*)($rdi+$rbx)
    map_case $rax
    continue
end
run

The script is pretty simple I just break point on the jmp rax and see the value there.

I ended up seeing the same loop that I saw in my VM as well:

INC (l)
PUSH (n)
SWAP_AB (c)
ZERO (k)
DEC (m)
SWAP_AB (c)
DIVU (i)
PUSH (n)
ZERO (k)
PUSH (n)
INC (l)
SWAP_AB (c)
POP (o)
ADD (f)
PUSH (n)
ZERO (k)
INC (l)
INC (l)
MUL (h)
SWAP_AB (c)
POP (o)
ADD (f)
PUSH (n)
ZERO (k)
INC (l)
INC (l)
MUL (h)
SWAP_AB (c)
POP (o)
ADD (f)
PUSH (n)
ZERO (k)
INC (l)
INC (l)
MUL (h)
SWAP_AB (c)
POP (o)
ADD (f)
PUSH (n)
ZERO (k)
INC (l)
INC (l)
MUL (h)
SWAP_AB (c)
POP (o)
SWAP_AB (c)
MOV_A_B (e)
DEC (m)
DEC (m)
DEC (m)
DEC (m)
DEC (m)
MUL (h)
SWAP_AB (c)
POP (o)
MUL (h)
SWAP_AB (c)
POP (o)
SWAP_AB (c)
CALL (a)

This loop actually gives us a pretty big hint on to what the solution for our VM might be. We know that the VM doesn’t take in any actual input, which means the flag has to somehow be entirely self contained. Finally if you look through the opcodes and text at the end you can see that the word “corctf” is pretty clearly spelt out which suggests its building the flag and might print it out at the end.

This leads me to the next part of this making a valid emulator to figure out wtf is going on:

1
#!/usr/bin/env python3
2
import sys
3

4
U64 = 0xFFFFFFFFFFFFFFFF
5
STACK_CAP = 0x800
6
DEBUG = False
7

8
OPCODES = [
9
    ("CALL",    "a"),
10
    ("RET",     "b"),
11
    ("SWAP_AB", "c"),
12
    ("SWAP_AC", "d"),
13
    ("MOV_A_B", "e"),
14
    ("ADD",     "f"),
15
    ("SUB",     "g"),
16
    ("MUL",     "h"),
17
    ("DIVU",    "i"),
18
    ("MODU",    "j"),
19
    ("ZERO",    "k"),
20
    ("INC",     "l"),
21
    ("DEC",     "m"),
22
    ("PUSH",    "n"),
23
    ("POP",     "o"),
24
    ("GETC",    "p"),
25
    ("PUTC",    "q"),
26
    ("NOP",     "r"),
27
    ("HALT",    "s"),
28
]
29
OPCODE_MAP = {op[1]: op[0] for op in OPCODES}
30
LETTER_SET  = set(OPCODE_MAP.keys())
31

32
def u64(x: int) -> int:
33
    return x & U64
34

35
class VM:
36
    def __init__(self, code_bytes):
37
        self.stack = []
38
        self.prog = []
39
        self.pc = 0
40
        self.a = 0
41
        self.b = 0
42
        self.c = 0
43
        self.prog = [b for b in code_bytes if 97 <= b <= 115]
44
    def push(self):
45
        if len(self.stack) >= STACK_CAP:
46
            sys.stdout.write("Stack overflow\n")
47
            sys.exit(1)
48
        self.stack.append(u64(self.a))
49

50
    def pop(self):
51
        if not self.stack:
52
            sys.stdout.write("Stack underflow\n")
53
            sys.exit(1)
54
        self.a = self.stack.pop()
55

56
    def run(self):
57
        while 0 <= self.pc < len(self.prog):
58
            op_ch = chr(self.prog[self.pc])
59
            next_pc = self.pc + 1
60
            match OPCODE_MAP[op_ch]:
61
                case "CALL":
62
                    if self.pc == 59:
63
                        old_pc, old_a, old_b, old_c = self.pc, self.a, self.b, self.c
64
                        self.pc, self.a, self.b, self.c = old_a, old_b, old_c, old_pc
65
                        next_pc = 150
66
                    else:
67
                        old_pc, old_a, old_b, old_c = self.pc, self.a, self.b, self.c
68
                        self.pc, self.a, self.b, self.c = old_a, old_b, old_c, old_pc
69
                        next_pc = self.pc
70
                case "RET":
71
                    old_pc, old_a, old_b, old_c = self.pc, self.a, self.b, self.c
72
                    self.pc, self.a, self.b, self.c = old_c, old_pc, old_a, old_b
73
                    next_pc = self.pc + 1
74

75
                case "SWAP_AB":
76
                    self.a, self.b = self.b, self.a
77

78
                case "SWAP_AC":
79
                    self.a, self.c = self.c, self.a
80

81
                case "MOV_A_B":
82
                    self.a = u64(self.b)
83

84
                case "ADD":
85
                    self.a = u64(self.a + self.b)
86

87
                case "SUB":
88
                    self.a = u64(self.a - self.b)
89

90
                case "MUL":
91
                    self.a = u64(self.a * self.b)
92

93
                case "DIVU":
94
                    bb = u64(self.b)
95
                    if bb == 0:
96
                        sys.exit("VM error")
97
                    self.a = u64(u64(self.a) // bb)
98

99
                case "MODU":
100
                    bb = u64(self.b)
101
                    if bb == 0:
102
                        sys.exit("VM error")
103
                    self.a = u64(u64(self.a) % bb)
104

105
                case "ZERO":
106
                    self.a = 0
107

108
                case "INC":
109
                    self.a = u64(self.a + 1)
110

111
                case "DEC":
112
                    self.a = u64(self.a - 1)
113

114
                case "PUSH":
115
                    self.push()
116

117
                case "POP":
118
                    self.pop()
119

120
                case "GETC":
121
                    b = sys.stdin.buffer.read(1)
122
                    self.a = U64 if not b else b[0]
123

124
                case "PUTC":
125
                    sys.stdout.buffer.write(bytes([self.a & 0xFF]))
126
                    sys.stdout.buffer.flush()
127

128
                case "NOP":
129
                    pass
130

131
                case "HALT":
132
                    sys.exit(0)
133
            if DEBUG:
134
                print("PC:",self.pc)
135
                print("OPCODE:",OPCODE_MAP[op_ch])
136
                print("REGISTERS:",self.a, self.b, self.c)
137
                print("NEXT PC:",next_pc)
138
                print("STACK:",self.stack,"\n")
139
            # if OPCODE_MAP[op_ch] == "CALL":
140
            #     break
141
            self.pc = next_pc
142

143
def main():
144
    with open("program1.txt", "rb") as f:
145
        code = f.read()
146
    VM(code).run()
147

148
if __name__ == "__main__":
149
    main()

Most of the opcodes are fairly simple what isn’t very simple is the call and ret ie case 0 and 1 lets go through the source code and figure out how it actually works:

1
00401c90    // call/go to?
2
00401c90  488d35b1ae0a00     lea     rsi, [rel r1+8]
3
00401c97  ba18000000         mov     edx, 0x18
4
00401c9c  488d6ef8           lea     rbp, [rsi-0x8]
5
00401ca0  4889ef             mov     rdi, rbp  {r1}
6
00401ca3  e898f3ffff         call    sub_401040
7
00401ca8  48832d90ae0a0001   sub     qword [rel r1], 0x1
8
00401cb0  48891da1ae0a00     mov     qword [rel r2+8], rbx
9
00401cb7  e9acfdffff         jmp     0x401a68

lets trace the following call: 00401ca3 e898f3ffff call sub_401040

1
00401040    int64_t sub_401040()
2

3
00401040  f30f1efa           endbr64
4
00401044  ff25c69f0a00       jmp     qword [rel data_4ab010]

lets follow the jump dynamically, doing that gets us to:

1
00417d80  f30f1efa           endbr64
2
00417d84  4889f8             mov     rax, rdi
3
00417d87  4883fa20           cmp     rdx, 0x20
4
00417d8b  7233               jb      0x417dc0
5

6
00417d8d  62e1fe286f06       vmovdqu64 ymm16, k0, ymmword [rsi]
7
00417d93  4883fa40           cmp     rdx, 0x40
8
00417d97  0f87a3000000       ja      0x417e40
9

10
00417d9d  62e1fe286f4c16ff   vmovdqu64 ymm17, k0, ymmword [rsi+rdx-0x20]
11
00417da5  62e1fe287f07       vmovdqu64 ymmword [rdi], k0, ymm16
12
00417dab  62e1fe287f4c17ff   vmovdqu64 ymmword [rdi+rdx-0x20], k0, ymm17
13
00417db3  c3                 retn     {__return_addr}

Well, why is this challenge called roll my dear Watson?

1
lea rsi, [rel r1+8]        ; rsi = &r1.high (source)
2
mov edx, 0x18              ; Copy 24 bytes
3
lea rbp, [rsi-0x8]         ; rbp = &r1.low
4
mov rdi, rbp               ; rdi = &r1.low (destination)
5
call sub_401040            ; memcpy(r1, r1+8, 24)
6
sub qword [rel r1], 0x1    ; r1.low -= 1
7
mov qword [rel r2+8], rbx  ; r2.high = rbx

in english this means:

r1.low = r1.high
- r1 low is the PC/IP here btw
r1.high. = r2.low
r2.low = r2.high
r2.high = r1.low
- finally the PC is lowered by 1

The “RET” does something similar just check my interpreter for the logic

Finally lets get to the last part of this what the fuck does the operations from before actually end up doing after getting a working emulator set up we get this:

1
python3 roll_vm_solve.py
2
PC: 0
3
OPCODE: INC
4
REGISTERS: 1 0 0
5
NEXT PC: 1
6
STACK: []
7

8
PC: 1
9
OPCODE: PUSH
10
REGISTERS: 1 0 0
11
NEXT PC: 2
12
STACK: [1]
13

14
PC: 2
15
OPCODE: SWAP_AB
16
REGISTERS: 0 1 0
17
NEXT PC: 3
18
STACK: [1]
19

20
... big jum p in PC
21

22
PC: 52
23
OPCODE: MUL
24
REGISTERS: 150 15 0
25
NEXT PC: 53
26
STACK: [1, 0]
27

28
PC: 53
29
OPCODE: SWAP_AB
30
REGISTERS: 15 150 0
31
NEXT PC: 54
32
STACK: [1, 0]
33

34
PC: 54
35
OPCODE: POP
36
REGISTERS: 0 150 0
37
NEXT PC: 55
38
STACK: [1]
39

40
PC: 55
41
OPCODE: MUL
42
REGISTERS: 0 150 0
43
NEXT PC: 56
44
STACK: [1]
45

46
PC: 56
47
OPCODE: SWAP_AB
48
REGISTERS: 150 0 0
49
NEXT PC: 57
50
STACK: [1]
51

52
PC: 57
53
OPCODE: POP
54
REGISTERS: 1 0 0
55
NEXT PC: 58
56
STACK: []
57

58
PC: 58
59
OPCODE: SWAP_AB
60
REGISTERS: 0 1 0
61
NEXT PC: 59
62
STACK: []

the code here ends up doing 1 thing and you can kinda see the whole point of the code it, basically builds the 150 num and then uses the result of some kinda mathematical operation to figure out if we multiply and from there it uses that value to pick the next programming counter location/jump. This part is a little bit of guessing and thinking, if you have had a verification what are the two most likely values?
well its pass or fail, or in computer 0 or 1.
- now that means the PC result is either 0 or 150, if we want to pass the flag and win we just do this:

1
                case "CALL":
2
                    if self.pc == 59:
3
                        old_pc, old_a, old_b, old_c = self.pc, self.a, self.b, self.c
4
                        self.pc, self.a, self.b, self.c = old_a, old_b, old_c, old_pc
5
                        next_pc = 150

We can also solve it like this:

break *0x401b37
commands
  silent
  set $cur_ip = *(unsigned long long*)(0x4acb40)
  if ($cur_ip == 0x0)
    set *(unsigned long long*)(0x4acb48) = 0xffffffffffffffff
    set $rip = 0x401b3f
  end
  continue
end
run

Why does this work? Well the VM actually ends up actually checking division by a large number where it checks if the resulting value is 1 at the end the division is actually pretty obvious and very much at the start we just didn’t make sense of it till now:

1
PC: 0
2
OPCODE: INC
3
REGISTERS: 1 0 0
4
NEXT PC: 1
5
STACK: []
6

7
PC: 1
8
OPCODE: PUSH
9
REGISTERS: 1 0 0
10
NEXT PC: 2
11
STACK: [1]
12

13
PC: 2
14
OPCODE: SWAP_AB
15
REGISTERS: 0 1 0
16
NEXT PC: 3
17
STACK: [1]
18

19
PC: 3
20
OPCODE: ZERO
21
REGISTERS: 0 1 0
22
NEXT PC: 4
23
STACK: [1]
24

25
PC: 4
26
OPCODE: DEC
27
REGISTERS: 18446744073709551615 1 0
28
NEXT PC: 5
29
STACK: [1]
30

31
PC: 5
32
OPCODE: SWAP_AB
33
REGISTERS: 1 18446744073709551615 0
34
NEXT PC: 6
35
STACK: [1]
36

37
PC: 6
38
OPCODE: DIVU
39
REGISTERS: 0 18446744073709551615 0
40
NEXT PC: 7
41
STACK: [1]

which means if we want the code to pass all we really need to do is set the starting value of r1 to 18446744073709551615.

whatever-floats-your-boat

1
The purest programming language you've ever seen, transpiling into google sheets!

Download: boat_vm & float_program.bin

fucking sudoku, its always fucking sudoku

On a serious note it actually is just a VM with sudoku that ends up getting solved. There is a math formula to figure out the final flag, the grid has a single solve and the solver is really dog shit which is why it takes so long.

main function:

1
00401a30    int64_t main(int32_t arg1, void* arg2)
2

3
00401a30    {
4
00401a30        if (arg1 <= 1)
5
00401a3b        {
6
00401a70            print("Expected filename as first arg");
7
00401a7a            exit(1);
8
00401a7a            /* no return */
9
00401a3b        }
10
00401a3b
11
00401a41        instruciton_parser(*(uint64_t*)((char*)arg2 + 8));
12
00401a48        int32_t mxcsr;
13
00401a48        int64_t mxcsr_1 = vm_init(mxcsr);
14
00401a59        char i;
15
00401a59
16
00401a59        do
17
00401a52            i = excute_vm(mxcsr_1);
18
00401a59         while (!i);
19
00401a5d        clean_up();
20
00401a68        return 0;
21
00401a30    }

lets look at our byte loader (🧌 this time in ida cuz my teammate did all the clean up for it and I am not doing it again)

1
void __fastcall load_and_parse_bytecode(const char *filename)
2
{
3
  FILE *file_handle; // rax
4
  FILE *file_handle_also; // r12
5
  __int64 file_size_bytes; // r13
6
  unsigned __int64 file_size_bytes_1; // rbp
7
  unsigned __int64 file_size_aligned; // r13
8
  unsigned __int64 num_qwords_in_file; // rbp
9
  uint64_t *raw_bytecode_buffer; // rax
10
  uint64_t *raw_bytecode_buffer_1; // rbx
11
  __int64 raw_bytecode_idx; // rcx
12
  unsigned __int64 *write_pointer; // rdi
13
  unsigned __int64 raw_bytecode_idx_1; // rsi
14
  __int64 parsed_instr_count_1; // r8
15
  unsigned __int64 opcode; // rax
16
  unsigned __int64 parsed_instr_count; // rdx
17
  uint64_t v15; // xmm0_8
18
  __int64 current_qword; // r13
19
  __int64 mantissa; // rax
20
  __int64 exponent; // rdx
21

22
  file_handle = IO_new_fopen(filename, "rb");
23
  if ( !file_handle )
24
  {
25
    IO_puts("Failed to open file");
26
    exit(1);
27
  }
28
  file_handle_also = file_handle;
29
  _fseeko(file_handle, 0, 2);
30
  file_size_bytes = IO_ftell(file_handle_also);
31
  rewind(file_handle_also);
32
  file_size_bytes_1 = file_size_bytes;
33
  file_size_aligned = file_size_bytes & 0xFFFFFFFFFFFFFFF8LL;
34
  num_qwords_in_file = file_size_bytes_1 >> 3;
35
  raw_bytecode_buffer = _libc_calloc(num_qwords_in_file, 8);
36
  raw_bytecode_buffer_1 = raw_bytecode_buffer;
37
  if ( !raw_bytecode_buffer
38
    || (_fread_chk(raw_bytecode_buffer, file_size_aligned, 8, num_qwords_in_file, file_handle_also),
39
        g_vm_instructions = _libc_calloc(num_qwords_in_file, 16),
40
        (write_pointer = g_vm_instructions) == 0) )
41
  {
42
    IO_puts("Failed to allocate required data");
43
    exit(1);
44
  }
45
  if ( num_qwords_in_file )
46
  {
47
    raw_bytecode_idx_1 = 0;
48
    parsed_instr_count_1 = 0;
49
    while ( 1 )
50
    {
51
      current_qword = raw_bytecode_buffer_1[raw_bytecode_idx_1];
52
      mantissa = current_qword & 0xFFFFFFFFFFFFFLL;
53
      exponent = (current_qword >> 52) & 0x7FF;
54
      if ( exponent == 2047 )
55
      {
56
ILLEGAL_OPCODE:
57
        printf(2, "[%zu] Illegal opcode: %.17g\n", raw_bytecode_idx_1, raw_bytecode_idx, parsed_instr_count_1, -1);
58
        exit(1);
59
      }
60
      if ( !exponent )                          // exponent is zero
61
        break;
62
      if ( exponent - 1023 < 0 )                // exponent too small
63
        goto ILLEGAL_OPCODE;
64
      if ( exponent - 1023 > 51 )
65
      {
66
        opcode = (mantissa | 0x10000000000000LL) << ((current_qword >> 52) - 51);
67
        if ( current_qword < 0 )
68
          opcode = -opcode;
69
      }
70
      else
71
      {
72
        raw_bytecode_idx = ~(-1LL << (52 - ((current_qword >> 52) + 1)));
73
        if ( (mantissa & raw_bytecode_idx) != 0 )
74
          goto ILLEGAL_OPCODE;
75
        if ( current_qword < 0 )
76
        {
77
LABEL_28:
78
          IO_puts("Unexpected opcode");
79
          exit(1);
80
        }
81
        opcode = (mantissa | 0x10000000000000LL) >> (51 - (current_qword >> 52));
82
      }
83
      if ( opcode > 0x21 )
84
        goto LABEL_28;
85
      LODWORD(raw_bytecode_idx) = opcode - 19;
86
      parsed_instr_count = raw_bytecode_idx_1 + 1;
87
      if ( opcode - 19 <= 7 || !opcode )        // it has an operand
88
        goto TWO_WORD_HANDLER;
89
      ++raw_bytecode_idx_1;
90
      v15 = 0;
91
STORE_INSTRUCTION:
92
      *write_pointer = opcode;
93
      ++parsed_instr_count_1;
94
      write_pointer += 2;
95
      *(write_pointer - 1) = v15;
96
      if ( raw_bytecode_idx_1 >= num_qwords_in_file )
97
        goto EXIT_LOOP;
98
    }
99
    if ( mantissa )
100
      goto ILLEGAL_OPCODE;
101
    parsed_instr_count = raw_bytecode_idx_1 + 1;
102
    opcode = 0;
103
TWO_WORD_HANDLER:
104
    if ( parsed_instr_count >= num_qwords_in_file )
105
    {
106
      IO_puts("Unexpected end of data");
107
      exit(1);
108
    }
109
    v15 = raw_bytecode_buffer_1[parsed_instr_count];
110
    raw_bytecode_idx_1 += 2LL;
111
    goto STORE_INSTRUCTION;
112
  }
113
  parsed_instr_count_1 = 0;
114
EXIT_LOOP:
115
  g_vm_instr_count = parsed_instr_count_1;
116
  free(raw_bytecode_buffer_1);
117
}

so after cleaning it up like any sane team we threw it into AI doing so will immediately tell you its using the standard IEEE-754 double-precision which is in english just means:

every 64 bit qword:

After this it ends up using the exponent to determine what opcode the data is, as well defining values for incorrect opcodes.

when all is said and done
valid opcodes are 0-33
- opcodes 0, 19-26 require an operand (the next qword)

in python without error code:

1
def load_program(self, program):
2
    n = len(program) // 8
3
    buf = [struct.unpack("<Q", program[i*8:(i+1)*8])[0] for i in range(n)]
4
    i = 0
5
    self.program = []
6
    while i < n:
7
        b = buf[i]
8
        m = b & 0xFFFFFFFFFFFFF
9
        e = (b >> 52) & 0x7FF
10

11
        if e == 0:
12
            op = 0
13
        else:
14
            E = e - 1023
15
            if E >= 52:
16
                op = ((m | (1 << 52)) << (E - 52))
17
                if (b >> 63) & 1:
18
                    op = -op
19
            else:
20
                op = (m | (1 << 52)) >> (52 - E)
21

22
        need_operand = (op == 0) or (19 <= op <= 26)
23
        if need_operand:
24
            self.program.append((op, buf[i + 1] if i + 1 < n else 0))
25
            i += 2
26
        else:
27
            self.program.append((op, 0))
28
            i += 1
29

30
    self.instr_count = len(self.program)

The next part of the VM we care about is actual interpreter. I’ll be honest, this was a lot of just going through and cleaning up the ASM, adding code comments as needed to describe the behavior (by my teammate cold) 😅. The entire thing was pretty ugly the most annoying parts are probably the jump tables as well as how the MXCSR ends up being used as a flag system of sorts:

1
loc_402220:                             ; CODE XREF: .text:0000000000401FBF↑j
2
                                         ; DATA XREF: .rodata:jpt_401FBF↓o
3
                 stmxcsr dword ptr [rsp+0Ch] ; jumptable 0000000000401FBF cases 19-25
4
                 mov     eax, [rsp+0Ch]
5
                 sub     rdx, 14h        ; switch 6 cases
6
                 mov     edi, eax
7
                 and     edi, 3Fh
8
                 cmp     rdx, 5
9
                 ja      def_40224A      ; jumptable 000000000040224A default case
10
                 lea     rcx, jpt_40224A
11
                 movsxd  rdx, ds:(jpt_40224A - 4A8078h)[rcx+rdx*4]
12
                 add     rdx, rcx
13
                 db      3Eh             ; switch jump
14
                 jmp     rdx

this will save the status
load it into eax and edi
- and with 0x3f to get the exception flags
from there it uses the opcodes to breakd own into a 6 entry jump table
- 0x4028F6 → shr eax,5 → tests UE
- 0x4028DD → shr eax,3 → tests OE
- 0x4028D2 → shr eax,4 → tests ZE
- 0x4027F0 → test edi,edi → tests “any”
- 0x4028E8 → and edi,1 → tests IE

here is my final VM + disasm, if we are being honest I would say its like 60% me and then 40% AI fixing my mistakes lmafo

1
import struct
2
import math
3
import sys
4

5
def bits_to_float(u): return struct.unpack('<d', struct.pack('<Q', u))[0]
6
def float_to_bits(f): return struct.unpack('<Q', struct.pack('<d', f))[0]
7
def dblbits_to_int(u):
8
        m = u & ((1<<52)-1)
9
        e = (u >> 52) & 0x7FF
10
        if e == 0: return 0
11
        s = (u >> 63) & 1
12
        k = int(e) - 1075
13
        v = ((1<<52) | m) << k if k >= 0 else ((1<<52) | m) >> (-k)
14
        return -v if s else v
15
def set_flags_bin(a,b,res,op):
16
        f = 0
17
        if math.isnan(a) or math.isnan(b) or math.isnan(res): f |= 1<<0
18
        den = lambda x: (x!=0.0 and abs(x) < sys.float_info.min)
19
        if den(a) or den(b): f |= 1<<1
20
        if op == 'div' and b == 0.0 and not math.isnan(a): f |= 1<<2
21
        if math.isinf(res): f |= 1<<3
22
        if res != 0.0 and abs(res) < sys.float_info.min: f |= 1<<4
23
        pe = False
24
        if all(map(math.isfinite, [a,b,res])):
25
            if op == 'add':
26
                pe = not ((res - b == a) and (res - a == b))
27
            elif op == 'sub':
28
                pe = not ((res + b == a) and (a - res == b))
29
            elif op == 'mul':
30
                if a != 0.0 and b != 0.0:
31
                    pe = not ((res / b == a) and (res / a == b))
32
                else:
33
                    pe = False
34
            elif op == 'div':
35
                if b != 0.0:
36
                    pe = not (res * b == a)
37
                else:
38
                    pe = False
39
        if pe: f |= 1<<5
40
        return f
41
def set_flags_un(a,res):
42
        f = 0
43
        if math.isnan(a) or math.isnan(res): f |= 1<<0
44
        den = lambda x: (x!=0.0 and abs(x) < sys.float_info.min)
45
        if den(a): f |= 1<<1
46
        if math.isinf(res): f |= 1<<3
47
        if res != 0.0 and abs(res) < sys.float_info.min: f |= 1<<4
48
        try:
49
            if math.isfinite(a) and math.isfinite(res):
50
                if float(int(res)) == res and (not float(a).is_integer()):
51
                    f |= 1<<5
52
        except:
53
            pass
54
        return f
55

56
class VM:
57
    def __init__(self, program):
58
        self.ip = 0
59
        self.stack = []
60
        self.callstack = []
61
        self.memory = {}
62
        self.program = []
63
        self.load_program(program)
64

65
    def load_program(self, program):
66
        n = len(program) // 8
67
        buf = [struct.unpack("<Q", program[i*8:(i+1)*8])[0] for i in range(n)]
68
        i = 0
69
        self.program = []
70
        while i < n:
71
            b = buf[i]
72
            m = b & 0xFFFFFFFFFFFFF
73
            e = (b >> 52) & 0x7FF
74
            if e == 0x7FF:
75
                raise ValueError("Illegal opcode (NaN/Inf)")
76
            if e == 0:
77
                if m != 0:
78
                    raise ValueError("Illegal opcode (subnormal)")
79
                op = 0
80
            else:
81
                E = e - 1023
82
                if E < 0:
83
                    raise ValueError("Illegal opcode (negative exponent)")
84
                if E >= 52:
85
                    op = ((m | (1<<52)) << (E - 52))
86
                    if (b >> 63) & 1:
87
                        op = -op
88
                else:
89
                    need_zero = (1 << (52 - E)) - 1
90
                    if (m & need_zero) != 0:
91
                        raise ValueError("Illegal opcode (frac bits)")
92
                    if (b >> 63) & 1:
93
                        raise ValueError("Unexpected opcode")
94
                    op = (m | (1<<52)) >> (52 - E)
95
            if op > 0x21:
96
                raise ValueError("Unexpected opcode")
97
            need_operand = (op == 0) or (19 <= op <= 26)
98
            if need_operand:
99
                if i + 1 >= n:
100
                    raise ValueError("Unexpected end of data")
101
                self.program.append((op, buf[i+1]))
102
                i += 2
103
            else:
104
                self.program.append((op, 0))
105
                i += 1
106
        self.instr_count = len(self.program)
107

108
    def DISAM(self):
109
        names = {
110
            0:"PUSH",1:"POP",2:"DUP",3:"DUP2",4:"OVER",5:"SWAP",6:"STORE",
111
            7:"ADD",8:"SUB",9:"MUL",10:"DIV",11:"TRUNC",12:"CEIL",13:"FLOOR",14:"ROUND",15:"ABS",
112
            16:"MIN",17:"MAX",18:"CLRFLAGS",19:"BR_ZE",20:"BR_PE",21:"BR_IE",22:"BR_OE",23:"BR_UE",24:"BR_ANY",25:"JMP",
113
            26:"CALL",27:"RET",28:"PRINT",29:"PUTC",30:"SCANF",31:"GETC",32:"LOAD",33:"NOP"
114
        }
115
        for idx,(op,arg) in enumerate(self.program):
116
            m = names.get(op,f"OP{op}")
117
            if op == 0:
118
                v = bits_to_float(arg)
119
                print(f"{idx:04d}: {m} {v:.17g}")
120
            elif 19 <= op <= 25 or op == 26:
121
                iv = dblbits_to_int(arg)
122
                fv = bits_to_float(arg)
123
                print(f"{idx:04d}: {m} {iv} ({fv:.17g})")
124
            else:
125
                print(f"{idx:04d}: {m}")
126

127
    def run(self):
128
        self.globals = {}
129
        self.flags = 0
130
        self.ip = 0
131
        n = len(self.program)
132
        while 0 <= self.ip < n:
133
            op, arg = self.program[self.ip]
134
            if op == 0:
135
                self.stack.append(bits_to_float(arg)); self.ip += 1; continue
136
            if op == 1:
137
                if not self.stack: raise RuntimeError("stack underflow")
138
                self.stack.pop(); self.ip += 1; continue
139
            if op == 2:
140
                if not self.stack: raise RuntimeError("stack underflow")
141
                self.stack.append(self.stack[-1]); self.ip += 1; continue
142
            if op == 3:
143
                if len(self.stack) < 2: raise RuntimeError("stack underflow")
144
                a,b = self.stack[-2], self.stack[-1]
145
                self.stack.extend([a,b]); self.ip += 1; continue
146
            if op == 4:
147
                if len(self.stack) < 2: raise RuntimeError("stack underflow")
148
                a,b = self.stack[-2], self.stack[-1]
149
                self.stack[-2], self.stack[-1] = b, a
150
                self.stack.append(b); self.ip += 1; continue
151
            if op == 5:
152
                if len(self.stack) < 2: raise RuntimeError("stack underflow")
153
                self.stack[-1], self.stack[-2] = self.stack[-2], self.stack[-1]; self.ip += 1; continue
154
            if op == 6:
155
                if len(self.stack) < 2: raise RuntimeError("stack underflow")
156
                addr_bits = float_to_bits(self.stack[-1]); val = self.stack[-2]
157
                addr = dblbits_to_int(addr_bits)
158
                self.stack.pop(); self.stack.pop()
159
                self.globals[addr] = val
160
                self.ip += 1; continue
161
            if op in (7,8,9,10,16,17):
162
                if len(self.stack) < 2: raise RuntimeError("stack underflow")
163
                b = self.stack.pop(); a = self.stack.pop()
164
                if op == 7: r = a + b; self.flags = set_flags_bin(a,b,r,'add')
165
                elif op == 8: r = a - b; self.flags = set_flags_bin(a,b,r,'sub')
166
                elif op == 9: r = a * b; self.flags = set_flags_bin(a,b,r,'mul')
167
                elif op == 10:
168
                    r = a / b if b != 0.0 else (math.copysign(math.inf,a) if not math.isnan(a) else math.nan)
169
                    self.flags = set_flags_bin(a,b,r,'div')
170
                elif op == 16: r = a if (not math.isnan(a) and (math.isnan(b) or a < b)) else b; self.flags &= 0
171
                else: r = a if (not math.isnan(a) and (math.isnan(b) or a > b)) else b; self.flags &= 0
172
                self.stack.append(r); self.ip += 1; continue
173
            if op in (11,12,13,14,15):
174
                if not self.stack: raise RuntimeError("stack underflow")
175
                x = self.stack.pop()
176
                if op == 11: r = float(math.trunc(x))
177
                elif op == 12: r = float(math.ceil(x))
178
                elif op == 13: r = float(math.floor(x))
179
                elif op == 14: r = float(round(x))
180
                else: r = abs(x)
181
                self.flags = set_flags_un(x,r)
182
                self.stack.append(r); self.ip += 1; continue
183
            if op == 18:
184
                self.flags = 0; self.ip += 1; continue
185
            if op in (19,20,21,22,23,24,25):
186
                off = dblbits_to_int(arg)
187
                take = False
188
                if op == 19: take = bool(self.flags & (1<<2))
189
                elif op == 20: take = bool(self.flags & (1<<5))
190
                elif op == 21: take = bool(self.flags & (1<<0))
191
                elif op == 22: take = bool(self.flags & (1<<3))
192
                elif op == 23: take = bool(self.flags & (1<<4))
193
                elif op == 24: take = bool(self.flags & 0x3F)
194
                else: take = True
195
                if take:
196
                    ni = self.ip + off
197
                    if not (0 <= ni < n): raise RuntimeError("branch out of range")
198
                    self.ip = ni
199
                else:
200
                    self.ip += 1
201
                continue
202
            if op == 26:
203
                self.callstack.append(self.ip + 1)
204
                self.ip = dblbits_to_int(arg)
205
                if not (0 <= self.ip < n): raise RuntimeError("invalid call target")
206
                continue
207
            if op == 27:
208
                if not self.callstack: return
209
                self.ip = self.callstack.pop()
210
                continue
211
            if op == 28:
212
                if not self.stack: raise RuntimeError("stack underflow")
213
                v = self.stack.pop()
214
                sys.stdout.write(f"{v:.17g}")
215
                sys.stdout.flush()
216
                self.ip += 1
217
                continue
218
            if op == 29:
219
                if not self.stack: raise RuntimeError("stack underflow")
220
                ch = int(self.stack.pop()) & 0xFF
221
                sys.stdout.write(chr(ch)); sys.stdout.flush()
222
                self.ip += 1
223
                continue
224
            if op == 30:
225
                line = sys.stdin.readline()
226
                if not line: raise RuntimeError("failed to read float")
227
                self.stack.append(float(line.strip()))
228
                self.ip += 1
229
                continue
230
            if op == 31:
231
                c = sys.stdin.read(1)
232
                if c == "": raise RuntimeError("getc EOF")
233
                self.stack.append(float(ord(c)))
234
                self.ip += 1
235
                continue
236
            if op == 32:
237
                if not self.stack: raise RuntimeError("stack underflow")
238
                addr = dblbits_to_int(float_to_bits(self.stack[-1]))
239
                self.stack[-1] = self.globals.get(addr, 0.0)
240
                self.ip += 1
241
                continue
242
            if op == 33:
243
                self.ip += 1
244
                continue
245
            raise RuntimeError(f"unknown opcode {op}")
246

247
def main():
248
    f = open("float_program.bin", "rb")
249
    program = f.read()
250
    f.close()
251
    vm = VM(program)
252
    if any(a.lower() in ("--disam","--disasm","-d") for a in sys.argv[1:]):
253
        vm.DISAM()
254
    else:
255
        vm.run()
256

257
if __name__ == "__main__":
258
    main()

Running our interpreter gets us the same result as the binary which is a good sign:

1
(control_env) tarun@mac boat_vm % python3 emu.py
2

3
                                                ....
4
                                            ..';::c:;,'.
5
                                        ..,;:cccccccccc:;,'.
6
                                    .',;::ccccorctf{...}c:c::;,'.
7
                                  .....';:ccccccccccc:ccc::;,'...
8
                           .;kOo. .',.....',;:::::cccc:;,'.......
9
                         'oOdclxkd..,,,,'.....',;::;,............
10
                      'lkdl:;;:oxd...',,'..,,'................... ,.
11
                   .ckdl::;;cll:;;.....;kdc'',,;'............. .. xkxo;.
12
        ';.     .:kOxoll:;;;;;,,;,..''':oc,.oxkd' ........ ...... cxO0xl'
13
     .:c;,::. ;xOkOOkdl:;;;;;;;,,,..,,,;c;'.dOOO' ............':lxOOxoc;.
14
  .:oc,,,,,:dO0Oko:;;;;;;;;,,,,,,,.',,;;;,..:000c ........';cxOOxoc:;;;;.
15
,ol:;;;;lxO0kdl:;;,,;,,,,,,,,,,,:l..,,,,,,,,,xkOx.....':ok0Oxlc:;;;;;;;,.
16
.,::;;,cdkOo:;;;;,,,,,,;;;,,:ldkkx,...',,,,,,oOOk'.;ok0Oxoc;;,;;;;;,,,,,.
17
   .:;;:dxkkkkxl;,,,,,,;:ldkkOkkkkkko:'...',,;0OxxOOxoc:;;;;;,,,,,,;;,,
18
     .;:oolldxkO0OxlcldkkOOkxxxkkxdddxkkoc,;okO0kkl;;;;;;;;,,,,;;;,,.
19
       .lllclooodxkO000OkxxxkkxdddxkkkkO0Okkxoo0OOo;;;,,,,,;;;,,,,;'.
20
       .llcclloooooodxkO00OxdddxkOOO00OOxoc;;;;OOOk,,,,;;;,,,,,,..
21
       .llollcccloooloooddxkO0kxOOOOxoc;;;,,;;,d0Ok:,,,,,,''..
22
         .;llllollccllooocoodc;codc;;;;;;;,,,,,:00Od,,,,..
23
          .cllcclllllccclcllo;;:lo;;;;,,,,,;;,,,x0xd,.
24
             .,::clllllolcccc,,;cl;,,,;;;,,,,;;,:kxx:
25
                 .,cllllllolc;;:ll;;;;,,,','..   OOOO
26
                     .,cc:ccc;;;:c;,,,,'.        c0O0,
27
                         .'clll:,,;,..           .0O0x
28
                             .,;..                ,,x0.
29
                                                    .;.
30
                                                     ..
31

32
                ____   ___    _  _____        __     ____  __
33
               | __ ) / _ \  / \|_   _|       \ \   / /  \/  |
34
               |  _ \| | | |/ _ \ | |          \ \ / /| |\/| |
35
               | |_) | |_| / ___ \| |           \ V / | |  | |
36
               |____/ \___/_/   \_\_|   _____    \_/  |_|  |_|
37
                                       |_____|
38

39
Running corCTF flag cracker.
40

41
Hang tight, I'm using hardware acceleration to fulfill out your request...
42

43
Thanks for waiting! Just a bit longer...
44

45
Estimated time remaining: 2.2185312001337001e+57 seconds

hmm seems our code is stalling 🤔 lets look at the disasm, most of it just ends up being print values:

We can see a rough idea of the FLAG:corctf{g3ntly_d0wn_th3_StR3AM_<float>FPU_h4cks}
- all of this is just ascii prints at the bottom

so what exactly is this all the actually useful logic is:

1
0000: CALL 1000 (1000)
2
0001: RET
3
0002: PUSH 4.2006942069000003e-05
4
0003: MAX
5
0004: PUSH 1.1102230246251565e-16
6
0005: CLRFLAGS
7
0006: ADD
8
0007: POP
9
0008: PUSH 1
10
0009: PUSH 0
11
0010: BR_PE 2 (2)
12
0011: SWAP
13
0012: POP
14
0013: RET
15
0014: PUSH 4.2006942069000003e-05
16
0015: MAX
17
0016: PUSH 1.7976931348623157e+308
18
0017: SWAP
19
0018: DUP2
20
0019: PUSH 1
21
0020: SWAP
22
0021: DIV
23
0022: CLRFLAGS
24
0023: DIV
25
0024: POP
26
0025: DIV
27
0026: POP
28
0027: BR_OE 3 (3)
29
0028: PUSH 1
30
0029: RET
31
0030: PUSH 0
32
0031: RET
33
0032: PUSH -1
34
0033: PUSH -1
35
0034: PUSH -1
36
0035: PUSH -1
37
0036: PUSH -1
38
0037: PUSH -1
39
0038: PUSH -1
40
0039: PUSH 1
41
0040: PUSH -1
42
0041: PUSH 4
43
0042: PUSH -1
44
0043: PUSH -1
45
0044: PUSH -1
46
0045: PUSH -1
47
0046: PUSH -1
48
0047: PUSH -1
49
0048: PUSH -1
50
0049: PUSH -1
51
0050: PUSH -1
52
0051: PUSH 2
53
0052: PUSH -1
54
0053: PUSH -1
55
0054: PUSH -1
56
0055: PUSH -1
57
0056: PUSH -1
58
0057: PUSH -1
59
0058: PUSH -1
60
0059: PUSH -1
61
0060: PUSH -1
62
0061: PUSH -1
63
0062: PUSH -1
64
0063: PUSH 5
65
0064: PUSH -1
66
0065: PUSH 4
67
0066: PUSH -1
68
0067: PUSH 7
69
0068: PUSH -1
70
0069: PUSH -1
71
0070: PUSH 8
72
0071: PUSH -1
73
0072: PUSH -1
74
0073: PUSH -1
75
0074: PUSH 3
76
0075: PUSH -1
77
0076: PUSH -1
78
0077: PUSH -1
79
0078: PUSH -1
80
0079: PUSH 1
81
0080: PUSH -1
82
0081: PUSH 9
83
0082: PUSH -1
84
0083: PUSH -1
85
0084: PUSH -1
86
0085: PUSH -1
87
0086: PUSH 3
88
0087: PUSH -1
89
0088: PUSH -1
90
0089: PUSH 4
91
0090: PUSH -1
92
0091: PUSH -1
93
0092: PUSH 2
94
0093: PUSH -1
95
0094: PUSH -1
96
0095: PUSH -1
97
0096: PUSH 5
98
0097: PUSH -1
99
0098: PUSH 1
100
0099: PUSH -1
101
0100: PUSH -1
102
0101: PUSH -1
103
0102: PUSH -1
104
0103: PUSH -1
105
0104: PUSH -1
106
0105: PUSH -1
107
0106: PUSH -1
108
0107: PUSH 8
109
0108: PUSH -1
110
0109: PUSH 6
111
0110: PUSH -1
112
0111: PUSH -1
113
0112: PUSH -1
114
0113: PUSH 81
115
0114: DUP
116
0115: PUSH 1
117
0116: SWAP
118
0117: CLRFLAGS
119
0118: DIV
120
0119: POP
121
0120: BR_ZE 6 (6)
122
0121: PUSH -1
123
0122: ADD
124
0123: OVER
125
0124: NOP
126
0125: JMP -11 (-11)
127
0126: POP
128
0127: PUSH 2
129
0128: PUSH 101
130
0129: NOP
131
0130: PUSH 3
132
0131: PUSH 102
133
0132: NOP
134
0133: PUSH 5
135
0134: PUSH 103
136
0135: NOP
137
0136: PUSH 7
138
0137: PUSH 104
139
0138: NOP
140
0139: PUSH 11
141
0140: PUSH 105
142
0141: NOP
143
0142: PUSH 13
144
0143: PUSH 106
145
0144: NOP
146
0145: PUSH 17
147
0146: PUSH 107
148
0147: NOP
149
0148: PUSH 19
150
0149: PUSH 108
151
0150: NOP
152
0151: PUSH 23
153
0152: PUSH 109
154
0153: NOP
155
0154: PUSH -4.2068999999999998e-12
156
0155: PUSH 99
157
0156: NOP
158
0157: RET
159
0158: PUSH 100
160
0159: ADD
161
0160: LOAD
162
0161: RET
163
0162: PUSH 1
164
0163: PUSH 200
165
0164: NOP
166
0165: PUSH 9
167
0166: OVER
168
0167: MUL
169
0168: SWAP
170
0169: DUP
171
0170: PUSH 1
172
0171: SWAP
173
0172: CLRFLAGS
174
0173: DIV
175
0174: POP
176
0175: BR_ZE 14 (14)
177
0176: PUSH -1
178
0177: ADD
179
0178: DUP2
180
0179: ADD
181
0180: LOAD
182
0181: CALL 158 (158)
183
0182: PUSH 200
184
0183: OVER
185
0184: LOAD
186
0185: MUL
187
0186: SWAP
188
0187: NOP
189
0188: JMP -19 (-19)
190
0189: POP
191
0190: POP
192
0191: PUSH 200
193
0192: LOAD
194
0193: PUSH 223092870
195
0194: DIV
196
0195: CALL 14 (14)
197
0196: RET
198
0197: PUSH 1
199
0198: PUSH 200
200
0199: NOP
201
0200: PUSH 81
202
0201: ADD
203
0202: DUP
204
0203: PUSH 9
205
0204: DIV
206
0205: CALL 2 (2)
207
0206: PUSH 1
208
0207: SWAP
209
0208: CLRFLAGS
210
0209: DIV
211
0210: POP
212
0211: BR_ZE 13 (13)
213
0212: PUSH -9
214
0213: ADD
215
0214: DUP
216
0215: LOAD
217
0216: CALL 158 (158)
218
0217: PUSH 200
219
0218: OVER
220
0219: LOAD
221
0220: MUL
222
0221: SWAP
223
0222: NOP
224
0223: JMP -21 (-21)
225
0224: POP
226
0225: PUSH 200
227
0226: LOAD
228
0227: PUSH 223092870
229
0228: DIV
230
0229: CALL 14 (14)
231
0230: RET
232
0231: PUSH 1
233
0232: PUSH 200
234
0233: NOP
235
0234: DUP
236
0235: PUSH 3
237
0236: DIV
238
0237: TRUNC
239
0238: OVER
240
0239: PUSH 3
241
0240: MUL
242
0241: SUB
243
0242: PUSH 3
244
0243: MUL
245
0244: SWAP
246
0245: PUSH 27
247
0246: MUL
248
0247: ADD
249
0248: DUP
250
0249: PUSH 0
251
0250: ADD
252
0251: LOAD
253
0252: CALL 158 (158)
254
0253: PUSH 200
255
0254: OVER
256
0255: LOAD
257
0256: MUL
258
0257: SWAP
259
0258: NOP
260
0259: DUP
261
0260: PUSH 1
262
0261: ADD
263
0262: LOAD
264
0263: CALL 158 (158)
265
0264: PUSH 200
266
0265: OVER
267
0266: LOAD
268
0267: MUL
269
0268: SWAP
270
0269: NOP
271
0270: DUP
272
0271: PUSH 2
273
0272: ADD
274
0273: LOAD
275
0274: CALL 158 (158)
276
0275: PUSH 200
277
0276: OVER
278
0277: LOAD
279
0278: MUL
280
0279: SWAP
281
0280: NOP
282
0281: DUP
283
0282: PUSH 9
284
0283: ADD
285
0284: LOAD
286
0285: CALL 158 (158)
287
0286: PUSH 200
288
0287: OVER
289
0288: LOAD
290
0289: MUL
291
0290: SWAP
292
0291: NOP
293
0292: DUP
294
0293: PUSH 10
295
0294: ADD
296
0295: LOAD
297
0296: CALL 158 (158)
298
0297: PUSH 200
299
0298: OVER
300
0299: LOAD
301
0300: MUL
302
0301: SWAP
303
0302: NOP
304
0303: DUP
305
0304: PUSH 11
306
0305: ADD
307
0306: LOAD
308
0307: CALL 158 (158)
309
0308: PUSH 200
310
0309: OVER
311
0310: LOAD
312
0311: MUL
313
0312: SWAP
314
0313: NOP
315
0314: DUP
316
0315: PUSH 18
317
0316: ADD
318
0317: LOAD
319
0318: CALL 158 (158)
320
0319: PUSH 200
321
0320: OVER
322
0321: LOAD
323
0322: MUL
324
0323: SWAP
325
0324: NOP
326
0325: DUP
327
0326: PUSH 19
328
0327: ADD
329
0328: LOAD
330
0329: CALL 158 (158)
331
0330: PUSH 200
332
0331: OVER
333
0332: LOAD
334
0333: MUL
335
0334: SWAP
336
0335: NOP
337
0336: DUP
338
0337: PUSH 20
339
0338: ADD
340
0339: LOAD
341
0340: CALL 158 (158)
342
0341: PUSH 200
343
0342: OVER
344
0343: LOAD
345
0344: MUL
346
0345: SWAP
347
0346: NOP
348
0347: POP
349
0348: PUSH 200
350
0349: LOAD
351
0350: PUSH 223092870
352
0351: DIV
353
0352: CALL 14 (14)
354
0353: RET
355
0354: PUSH 9
356
0355: DUP
357
0356: CALL 2 (2)
358
0357: PUSH 1
359
0358: SWAP
360
0359: CLRFLAGS
361
0360: DIV
362
0361: POP
363
0362: BR_ZE 13 (13)
364
0363: PUSH 1
365
0364: SUB
366
0365: DUP
367
0366: CALL 162 (162)
368
0367: SWAP
369
0368: DUP
370
0369: CALL 197 (197)
371
0370: SWAP
372
0371: DUP
373
0372: CALL 231 (231)
374
0373: SWAP
375
0374: JMP -19 (-19)
376
0375: POP
377
0376: PUSH 1
378
0377: MUL
379
0378: MUL
380
0379: MUL
381
0380: MUL
382
0381: MUL
383
0382: MUL
384
0383: MUL
385
0384: MUL
386
0385: MUL
387
0386: MUL
388
0387: MUL
389
0388: MUL
390
0389: MUL
391
0390: MUL
392
0391: MUL
393
0392: MUL
394
0393: MUL
395
0394: MUL
396
0395: MUL
397
0396: MUL
398
0397: MUL
399
0398: MUL
400
0399: MUL
401
0400: MUL
402
0401: MUL
403
0402: MUL
404
0403: MUL
405
0404: CALL 14 (14)
406
0405: RET
407
0406: DUP
408
0407: PUSH 81
409
0408: DIV
410
0409: CALL 14 (14)
411
0410: PUSH 1
412
0411: SWAP
413
0412: CLRFLAGS
414
0413: DIV
415
0414: POP
416
0415: BR_ZE 4 (4)
417
0416: POP
418
0417: CALL 354 (354)
419
0418: RET
420
0419: DUP
421
0420: LOAD
422
0421: CALL 2 (2)
423
0422: PUSH 1
424
0423: SWAP
425
0424: CLRFLAGS
426
0425: DIV
427
0426: POP
428
0427: BR_ZE 5 (5)
429
0428: PUSH 1
430
0429: ADD
431
0430: CALL 406 (406)
432
0431: RET
433
0432: PUSH 9
434
0433: DUP
435
0434: CALL 2 (2)
436
0435: PUSH 1
437
0436: SWAP
438
0437: CLRFLAGS
439
0438: DIV
440
0439: POP
441
0440: BR_ZE 22 (22)
442
0441: DUP2
443
0442: SWAP
444
0443: NOP
445
0444: SWAP
446
0445: OVER
447
0446: PUSH 1
448
0447: ADD
449
0448: CALL 406 (406)
450
0449: PUSH 1
451
0450: SWAP
452
0451: CLRFLAGS
453
0452: DIV
454
0453: POP
455
0454: BR_ZE 5 (5)
456
0455: POP
457
0456: POP
458
0457: PUSH 1
459
0458: RET
460
0459: PUSH -1
461
0460: ADD
462
0461: JMP -28 (-28)
463
0462: POP
464
0463: PUSH -1
465
0464: SWAP
466
0465: NOP
467
0466: PUSH 0
468
0467: RET
469
0468: PUSH 0
470
0469: CALL 406 (406)
471
0470: RET
472
0471: PUSH 6.9e-10
473
0472: PUSH 200
474
0473: NOP
475
0474: PUSH 0
476
0475: DUP
477
0476: PUSH 81
478
0477: DIV
479
0478: CALL 2 (2)
480
0479: PUSH 1
481
0480: SWAP
482
0481: SUB
483
0482: PUSH 1
484
0483: SWAP
485
0484: CLRFLAGS
486
0485: DIV
487
0486: POP
488
0487: BR_ZE 17 (17)
489
0488: DUP
490
0489: LOAD
491
0490: PUSH 200
492
0491: OVER
493
0492: LOAD
494
0493: PUSH 3.1415926535897931
495
0494: MUL
496
0495: SWAP
497
0496: MUL
498
0497: PUSH 2.7182818284590451
499
0498: ADD
500
0499: SWAP
501
0500: NOP
502
0501: PUSH 1
503
0502: ADD
504
0503: JMP -28 (-28)
505
0504: PUSH 200
506
0505: LOAD
507
0506: RET

0032-0112 is the actual sudoku board
- -1 = blank, with the given values
the rest is some kinda validation system
then there is a the slow backtracking solver which is why its so bad

from there we get the whole mathematical logic to build the float from the actual solver

which results in the actual final flag:

its rather simple just:

1
a = 6.9e-10
2
pi = 3.1415926535897931
3
e = 2.7182818284590451
4
for i in range(9):
5
    for j in range(9):
6
        c = grid[i][j]
7
        a = (a * pi * c) + e
8
f = a

here is the actual matrix + the solve (there is only one):

final flag: corctf{g3ntly_d0wn_th3_StR3AM_3.0390693652230334e+89_FPU_h4cks}

solve

1
import math
2
grid = [
3
    [6, 9, 3, 7, 8, 4, 5, 1, 2],
4
    [4, 8, 7, 5, 1, 2, 9, 3, 6],
5
    [1, 2, 5, 9, 6, 3, 8, 7, 4],
6
    [9, 3, 2, 6, 5, 1, 4, 8, 7],
7
    [5, 6, 8, 2, 4, 7, 3, 9, 1],
8
    [7, 4, 1, 3, 9, 8, 6, 2, 5],
9
    [3, 1, 9, 4, 7, 5, 2, 6, 8],
10
    [8, 5, 6, 1, 2, 9, 7, 4, 3],
11
    [2, 7, 4, 8, 3, 6, 1, 5, 9]
12
]
13
a = 6.9e-10
14
pi = 3.1415926535897931
15
e = 2.7182818284590451
16
for i in range(9):
17
    for j in range(9):
18
        c = grid[i][j]
19
        a = (a * pi * c) + e
20
f = a
21
float_str = f"{f:.17g}"
22
flag = f"corctf{{g3ntly_d0wn_th3_StR3AM_{float_str}_FPU_h4cks}}"
23
print(flag)