{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-cryptoversectf-2023-en","result":{"data":{"markdownRemark":{"id":"5bc815af-6e39-5f98-a147-bdcb60556efd","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-cryptoversectf-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in Cryptoverse CTF 2023, which started on May 6, 2023, with 0nePadding.</p>\n<p>We finished 17th out of 364 teams.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 743px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/835fb6991ec9059a80c7c748f30c993c/f2793/image-20230509225600693.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9UlEQVQoz42S22qEQBBE/RGdi6zGu6igBgKi+Kjfsm/5/MrUrLMrxCx5ONgzdFdXT+v5vo8wDDHPM7Ztw77vWJYFUso/UQahFHQg8H1LcDcoYe7MvSeEMIIaTdOg73sMw4BxHBHH8Vsiw0cU4esW4dOgtYYyTYygRBAEmKYJZVlauq6zMIEN6YoFV/gHjOVDUNjCPM+RJAnqukZRFKiqyn7d2Yky94x2vBw+HLAoTVM7tnPI8XlmI3UUXaGuBDkqC+mMMR2zSZZlJ3e/HT6dupGZzE2v64q2be1y6IwPz7d9935XTr3ArN6q83c4urn4nPgfWPcDPffnlfo9360AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/835fb6991ec9059a80c7c748f30c993c/8ac56/image-20230509225600693.webp 240w,\n/static/835fb6991ec9059a80c7c748f30c993c/d3be9/image-20230509225600693.webp 480w,\n/static/835fb6991ec9059a80c7c748f30c993c/53666/image-20230509225600693.webp 743w\"\n              sizes=\"(max-width: 743px) 100vw, 743px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/835fb6991ec9059a80c7c748f30c993c/8ff5a/image-20230509225600693.png 240w,\n/static/835fb6991ec9059a80c7c748f30c993c/e85cb/image-20230509225600693.png 480w,\n/static/835fb6991ec9059a80c7c748f30c993c/f2793/image-20230509225600693.png 743w\"\n            sizes=\"(max-width: 743px) 100vw, 743px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/835fb6991ec9059a80c7c748f30c993c/f2793/image-20230509225600693.png\"\n            alt=\"image-20230509225600693\"\n            title=\"image-20230509225600693\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It was a very fun CTF and I learned a lot, so as usual I’m writing a writeup.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#simple-checkinrev\">Simple Checkin(Rev)</a></li>\n<li><a href=\"#micro-assemblyrev\">Micro Assembly(Rev)</a></li>\n<li><a href=\"#mac-and-cheeserev\">Mac and Cheese(Rev)</a></li>\n<li><a href=\"#solid-reverserev\">Solid Reverse(Rev)</a></li>\n<li><a href=\"#standard-vmrev\">Standard VM(Rev)</a></li>\n<li><a href=\"#touhou-danmaku-kagurarev\">Touhou Danmaku Kagura(Rev)</a></li>\n<li><a href=\"#the-cyber-heistforensic\">The Cyber Heist(Forensic)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"simple-checkinrev\" style=\"position:relative;\"><a href=\"#simple-checkinrev\" aria-label=\"simple checkinrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Simple Checkin(Rev)</h2>\n<blockquote>\n<p>Just a checkin challenge. Nothing special.</p>\n</blockquote>\n<p>You can recover the flag by extracting the arrays from the data section and XORing them.</p>\n<p>I was able to recover the flag with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>local_68<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token operator\">^</span>local_58<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>The flag was the following, and it was the longest flag I had ever seen.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">cvctf<span class=\"token punctuation\">{</span>i_apologize_for_such_a_long_string_in_this_checkin_challenge,but_it_might_be_a_good_time_to_learn_about_automating_this_process?You_might_need_to_do_it_because_here_is_a_painful_hex:32a16b3a7eef8de1263812.Enjoy<span class=\"token punctuation\">(</span>or_not<span class=\"token punctuation\">)</span><span class=\"token operator\">!</span><span class=\"token punctuation\">}</span></code></pre></div>\n<h2 id=\"micro-assemblyrev\" style=\"position:relative;\"><a href=\"#micro-assemblyrev\" aria-label=\"micro assemblyrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Micro Assembly(Rev)</h2>\n<blockquote>\n<p>A special message is computed out of this short piece of assembly. Wrap the message you got in <code class=\"language-text\">cvctf{}</code>.</p>\n</blockquote>\n<p>The following assembly code is provided.</p>\n<p>In the end, the values computed by this assembly code form the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">main<span class=\"token operator\">:</span>\n   PUSH <span class=\"token operator\">%</span>BP\n   MOV  <span class=\"token operator\">%</span>SP<span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span>BP\n@main_body<span class=\"token operator\">:</span>\n   SUB  <span class=\"token operator\">%</span>SP<span class=\"token punctuation\">,</span> $<span class=\"token number\">28</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span>SP\n   MOV  $<span class=\"token number\">154</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">28</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   MOV  $<span class=\"token number\">16</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">24</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   MOV  $<span class=\"token number\">16</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">20</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   MOV  $<span class=\"token number\">228</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">16</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   MOV  $<span class=\"token number\">66</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">12</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   MOV  $<span class=\"token number\">286</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">8</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   MOV  $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">4</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n@if0<span class=\"token operator\">:</span>\n   DIV  <span class=\"token operator\">-</span><span class=\"token number\">28</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   CMP  <span class=\"token operator\">%</span><span class=\"token number\">12</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">0</span>\n   JNE  @false0\n@true0<span class=\"token operator\">:</span>\n   DIV  <span class=\"token operator\">-</span><span class=\"token number\">28</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">28</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   JMP  @exit0\n@false0<span class=\"token operator\">:</span>\n@exit0<span class=\"token operator\">:</span>\n   MUL  <span class=\"token operator\">-</span><span class=\"token number\">24</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   ADD  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">24</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   SHL  <span class=\"token operator\">-</span><span class=\"token number\">20</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   ADD  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">20</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n@if1<span class=\"token operator\">:</span>\n   DIV  <span class=\"token operator\">-</span><span class=\"token number\">16</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   CMP  <span class=\"token operator\">%</span><span class=\"token number\">12</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">1</span>\n   JNE  @false1\n@true1<span class=\"token operator\">:</span>\n   SUB  <span class=\"token operator\">-</span><span class=\"token number\">16</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   DIV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">16</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   JMP  @exit1\n@false1<span class=\"token operator\">:</span>\n   DIV  <span class=\"token operator\">-</span><span class=\"token number\">16</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">16</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n@exit1<span class=\"token operator\">:</span>\n   SUB  <span class=\"token operator\">-</span><span class=\"token number\">12</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">12</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n@if2<span class=\"token operator\">:</span>\n   DIV  <span class=\"token operator\">-</span><span class=\"token number\">8</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   CMP  <span class=\"token operator\">%</span><span class=\"token number\">12</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">1</span>\n   JNE  @false2\n@true2<span class=\"token operator\">:</span>\n   SUB  <span class=\"token operator\">-</span><span class=\"token number\">8</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   DIV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">8</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   JMP  @exit2\n@false2<span class=\"token operator\">:</span>\n   DIV  <span class=\"token operator\">-</span><span class=\"token number\">8</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">8</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n@exit2<span class=\"token operator\">:</span>\n   SHL  $<span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">4</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   ADD  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> $<span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">4</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span>\n   LEA  <span class=\"token operator\">-</span><span class=\"token number\">28</span><span class=\"token punctuation\">(</span><span class=\"token operator\">%</span>BP<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">0</span>\n   MOV  <span class=\"token operator\">%</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span><span class=\"token number\">13</span>\n   JMP  @main_exit\n@main_exit<span class=\"token operator\">:</span>\n   MOV  <span class=\"token operator\">%</span>BP<span class=\"token punctuation\">,</span> <span class=\"token operator\">%</span>SP\n   POP  <span class=\"token operator\">%</span>BP\n   RET </code></pre></div>\n<p>I recovered the flag by tracing the assembly from top to bottom and rewriting it in C.</p>\n<p>The code I wrote is shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">int</span> a <span class=\"token operator\">=</span> <span class=\"token number\">154</span><span class=\"token punctuation\">,</span> b <span class=\"token operator\">=</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> c <span class=\"token operator\">=</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> d <span class=\"token operator\">=</span> <span class=\"token number\">228</span><span class=\"token punctuation\">,</span> e <span class=\"token operator\">=</span> <span class=\"token number\">66</span><span class=\"token punctuation\">,</span> f <span class=\"token operator\">=</span> <span class=\"token number\">286</span><span class=\"token punctuation\">,</span> g <span class=\"token operator\">=</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> result <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n\n    a <span class=\"token operator\">=</span> a <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n    b <span class=\"token operator\">=</span> b <span class=\"token operator\">*</span> <span class=\"token number\">3</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\n    c <span class=\"token operator\">&lt;&lt;=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n    c <span class=\"token operator\">+=</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\n\n    d <span class=\"token operator\">=</span> d <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n    e <span class=\"token operator\">-=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n\n    f <span class=\"token operator\">=</span> f <span class=\"token operator\">/</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\n    g <span class=\"token operator\">=</span> <span class=\"token number\">11</span> <span class=\"token operator\">&lt;&lt;</span> g<span class=\"token punctuation\">;</span>\n    g <span class=\"token operator\">+=</span> <span class=\"token number\">11</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d %d %d %d %d %d %d\\n\"</span><span class=\"token punctuation\">,</span> a<span class=\"token punctuation\">,</span> b<span class=\"token punctuation\">,</span> c<span class=\"token punctuation\">,</span> d<span class=\"token punctuation\">,</span> e<span class=\"token punctuation\">,</span> f<span class=\"token punctuation\">,</span> g<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h2 id=\"mac-and-cheeserev\" style=\"position:relative;\"><a href=\"#mac-and-cheeserev\" aria-label=\"mac and cheeserev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Mac and Cheese(Rev)</h2>\n<blockquote>\n<p>Sorry that I lied, there’s Mac but no Cheese.</p>\n</blockquote>\n<p>This was a reverse-engineering challenge involving an x86 macOS binary.</p>\n<p>After decompiling it with Ghidra, I found that the program accepts five numeric inputs in total and checks whether each input value matches the value returned by <code class=\"language-text\">FUN_100003e10</code>.</p>\n<p>So I rewrote in Python the sequence of processing that calls <code class=\"language-text\">FUN_100003e10</code> from <code class=\"language-text\">main</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># void FUN_100003e10(void)</span>\n<span class=\"token comment\"># {</span>\n<span class=\"token comment\">#   uint uVar1;</span>\n  \n<span class=\"token comment\">#   uVar1 = DAT_100008018 ^ DAT_100008018 &lt;&lt; 0xb;</span>\n<span class=\"token comment\">#   DAT_100008018 = DAT_10000801c;</span>\n<span class=\"token comment\">#   DAT_10000801c = DAT_100008020;</span>\n<span class=\"token comment\">#   DAT_100008020 = DAT_100008024;</span>\n<span class=\"token comment\">#   DAT_100008024 = DAT_100008024 ^ DAT_100008024 >> 0x13 ^ uVar1 ^ uVar1 >> 8;</span>\n<span class=\"token comment\">#   return;</span>\n<span class=\"token comment\"># }</span>\n\nlocal10 <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nDAT_100008018 <span class=\"token operator\">=</span> int.from_bytes<span class=\"token punctuation\">(</span>b<span class=\"token string\">'\\xff\\xd4\\xb5\\x20'</span>,<span class=\"token string\">'little'</span><span class=\"token punctuation\">)</span>\nDAT_10000801c <span class=\"token operator\">=</span> int.from_bytes<span class=\"token punctuation\">(</span>b<span class=\"token string\">'\\xc7\\x8f\\x37\\x32'</span>,<span class=\"token string\">'little'</span><span class=\"token punctuation\">)</span>\nDAT_100008020 <span class=\"token operator\">=</span> int.from_bytes<span class=\"token punctuation\">(</span>b<span class=\"token string\">'\\x67\\x87\\x5f\\xd5'</span>,<span class=\"token string\">'little'</span><span class=\"token punctuation\">)</span>\nDAT_100008024 <span class=\"token operator\">=</span> int.from_bytes<span class=\"token punctuation\">(</span>b<span class=\"token string\">'\\xad\\xa1\\x4a\\x10'</span>,<span class=\"token string\">'little'</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> <span class=\"token for-or-select variable\">i</span> <span class=\"token keyword\">in</span> range<span class=\"token punctuation\">(</span><span class=\"token number\">5</span><span class=\"token punctuation\">)</span>:\n\n    uVar1 <span class=\"token operator\">=</span> DAT_100008018 ^ DAT_100008018 <span class=\"token operator\">&lt;&lt;</span> 0xb\n    DAT_100008018 <span class=\"token operator\">=</span> DAT_10000801c\n    DAT_10000801c <span class=\"token operator\">=</span> DAT_100008020\n    DAT_100008020 <span class=\"token operator\">=</span> DAT_100008024\n    DAT_100008024 <span class=\"token operator\">=</span> DAT_100008024 ^ DAT_100008024 <span class=\"token operator\">>></span> 0x13 ^ uVar1 ^ uVar1 <span class=\"token operator\">>></span> <span class=\"token number\">8</span>\n\n    print<span class=\"token punctuation\">(</span>DAT_100008024<span class=\"token punctuation\">)</span>\n\n    result <span class=\"token operator\">=</span> DAT_100008024\n    local10 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>result % 0x539<span class=\"token punctuation\">)</span> + local10</code></pre></div>\n<p>However, even though the logic seemed correct, I could not recover the flag.</p>\n<p>I realized later that when doing arithmetic in Python, integers do not overflow at the <code class=\"language-text\">uint32</code> boundary, and that seems to have caused the difference in the final result.</p>\n<p>After fixing the arithmetic as shown below, I was able to recover the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">uVar1 <span class=\"token operator\">=</span> DAT_100008018 <span class=\"token operator\">^</span> <span class=\"token punctuation\">(</span>DAT_100008018 <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">0xb</span><span class=\"token punctuation\">)</span>\nuVar1 <span class=\"token operator\">=</span> uVar1 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFFFFFFFF</span>\nDAT_100008018 <span class=\"token operator\">=</span> DAT_10000801c\nDAT_10000801c <span class=\"token operator\">=</span> DAT_100008020\nDAT_100008020 <span class=\"token operator\">=</span> DAT_100008024\nDAT_100008024 <span class=\"token operator\">=</span> DAT_100008024 <span class=\"token operator\">^</span> <span class=\"token punctuation\">(</span>DAT_100008024 <span class=\"token operator\">>></span> <span class=\"token number\">0x13</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> uVar1 <span class=\"token operator\">^</span> <span class=\"token punctuation\">(</span>uVar1 <span class=\"token operator\">>></span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\nDAT_100008024 <span class=\"token operator\">=</span> DAT_100008024 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFFFFFFFF</span></code></pre></div>\n<p>I did not think of that fix while solving the challenge, so in the end I recovered the flag through dynamic analysis.</p>\n<p>To run a macOS binary on WSL2, I used <a href=\"https://github.com/darlinghq/darling\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">darling</a>.</p>\n<p>I installed it with the following steps.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 依存モジュールのインストール(deb ファイルでインストールする場合は不要かも)</span>\n<span class=\"token function\">sudo</span> <span class=\"token function\">apt</span> <span class=\"token function\">install</span> cmake clang bison flex libfuse-dev libudev-dev pkg-config libc6-dev-i386 <span class=\"token punctuation\">\\</span>\ngcc-multilib libcairo2-dev libgl1-mesa-dev libglu1-mesa-dev libtiff5-dev <span class=\"token punctuation\">\\</span>\nlibfreetype6-dev <span class=\"token function\">git</span> git-lfs libelf-dev libxml2-dev libegl1-mesa-dev libfontconfig1-dev <span class=\"token punctuation\">\\</span>\nlibbsd-dev libxrandr-dev libxcursor-dev libgif-dev libavutil-dev libpulse-dev <span class=\"token punctuation\">\\</span>\nlibavformat-dev libavcodec-dev libswresample-dev libdbus-1-dev libxkbfile-dev <span class=\"token punctuation\">\\</span>\nlibssl-dev python2\n\n<span class=\"token comment\"># deb ファイルのダウンロード</span>\n<span class=\"token function\">wget</span> https://github.com/darlinghq/darling/releases/download/v0.1.20220704/darling_0.1.20220704.focal_amd64.deb\n\n<span class=\"token comment\"># インストール</span>\n<span class=\"token function\">sudo</span> dpkg -i darling_0.1.20220704.focal_amd64.deb</code></pre></div>\n<p>Next, you can run the macOS binary in darling with the following steps.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># シェルの起動</span>\ndarling shell\n\n<span class=\"token comment\"># macOS バイナリの実行</span>\n./challenge</code></pre></div>\n<p>The process of the application started here can be seen from the host-side WSL2 environment.</p>\n<p>So by opening another shell and running the following commands, you can attach <code class=\"language-text\">gdb</code> to the macOS binary running under darling.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">ps</span> aux <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> challenge\ngdb attach <span class=\"token operator\">&lt;</span>PID<span class=\"token operator\">></span></code></pre></div>\n<p>With that, I was able to recover the flag through dynamic analysis.</p>\n<h2 id=\"solid-reverserev\" style=\"position:relative;\"><a href=\"#solid-reverserev\" aria-label=\"solid reverserev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solid Reverse(Rev)</h2>\n<blockquote>\n<p>Crypto in reverse??</p>\n</blockquote>\n<p>The following script is provided as the challenge.</p>\n<p>It appears to be code written in <a href=\"https://soliditylang.org/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Solidity</a>, a statically typed curly-brace language designed for developing smart contracts that run on Ethereum.</p>\n<div class=\"gatsby-highlight\" data-language=\"solidity\"><pre class=\"language-solidity\"><code class=\"language-solidity\"><span class=\"token comment\">// SPDX-License-Identifier: MIT</span>\n<span class=\"token keyword\">pragma</span> <span class=\"token keyword\">solidity</span> <span class=\"token operator\">^</span><span class=\"token version number\">0.8.0</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">contract</span> <span class=\"token class-name\">ReverseMe</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token builtin\">uint</span> goal <span class=\"token operator\">=</span> <span class=\"token number\">0x57e4e375661c72654c31645f78455d19</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">function</span> <span class=\"token function\">magic1</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint</span> x<span class=\"token punctuation\">,</span> <span class=\"token builtin\">uint</span> n<span class=\"token punctuation\">)</span> <span class=\"token keyword\">public</span> <span class=\"token keyword\">pure</span> <span class=\"token keyword\">returns</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">uint</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token comment\">// Something magic</span>\n        <span class=\"token builtin\">uint</span> m <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token operator\">&lt;&lt;</span> n<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> x <span class=\"token operator\">&amp;</span> m<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">function</span> <span class=\"token function\">magic2</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint</span> x<span class=\"token punctuation\">)</span> <span class=\"token keyword\">public</span> <span class=\"token keyword\">pure</span> <span class=\"token keyword\">returns</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">uint</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token comment\">// Something else magic</span>\n        <span class=\"token builtin\">uint</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>x <span class=\"token operator\">>>=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">return</span> i<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">function</span> <span class=\"token function\">checkflag</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">bytes16</span> flag<span class=\"token punctuation\">,</span> <span class=\"token builtin\">bytes16</span> y<span class=\"token punctuation\">)</span> <span class=\"token keyword\">public</span> <span class=\"token keyword\">view</span> <span class=\"token keyword\">returns</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">bool</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">return</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">uint128</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> <span class=\"token builtin\">uint128</span><span class=\"token punctuation\">(</span>y<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> goal<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">modifier</span> <span class=\"token function\">checker</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">bytes16</span> key<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">require</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">bytes8</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x3492800100670155</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Wrong key!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">require</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint64</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint128</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">uint32</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint128</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Wrong key!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">require</span><span class=\"token punctuation\">(</span><span class=\"token function\">magic1</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint128</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x1964</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Wrong key!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">require</span><span class=\"token punctuation\">(</span><span class=\"token function\">magic2</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint64</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">uint128</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Wrong key!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">_</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">function</span> <span class=\"token function\">unlock</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">bytes16</span> key<span class=\"token punctuation\">,</span> <span class=\"token builtin\">bytes16</span> flag<span class=\"token punctuation\">)</span> <span class=\"token keyword\">public</span> <span class=\"token keyword\">view</span> <span class=\"token function\">checker</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token comment\">// Main function</span>\n        <span class=\"token keyword\">require</span><span class=\"token punctuation\">(</span><span class=\"token function\">checkflag</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Flag is wrong!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Ethereum? To be honest, I did not understand it at all, and I could not set up an execution environment, so I decided to statically analyze the code with the help of the documentation.</p>\n<p>It seemed that the flag would be the result of XORing <code class=\"language-text\">goal</code> with a 16-byte value that can get past the checks in the <code class=\"language-text\">checker</code> function.</p>\n<p>As I read the Solidity documentation, I learned that functions like <code class=\"language-text\">bytes8</code> have a characteristic behavior where the upper bits are taken and the lower bits are discarded.</p>\n<p>In other words, from the line <code class=\"language-text\">require(bytes8(key) == 0x3492800100670155, \"Wrong key!\");</code>, we know that the first 8 bytes of <code class=\"language-text\">key</code> must match <code class=\"language-text\">0x3492800100670155</code>.</p>\n<p>Next, from <code class=\"language-text\">require(uint64(uint128(key)) == uint32(uint128(key)), \"Wrong key!\");</code>, we can see that the value of the last 8 bytes of <code class=\"language-text\">key</code> must match the value of the last 4 bytes.</p>\n<p>In other words, we can determine that bytes 5 through 8 of <code class=\"language-text\">key</code> are <code class=\"language-text\">0</code>.</p>\n<p>Next, <code class=\"language-text\">magic1(uint128(key), 16) == 0x1964</code> means that the lower 2 bytes must match <code class=\"language-text\">0x1964</code>.</p>\n<p>That is because the following logic returns the result of an AND with <code class=\"language-text\">0xFFFF</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">uint m <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">return</span> x <span class=\"token operator\">&amp;</span> m<span class=\"token punctuation\">;</span></code></pre></div>\n<p>Finally, I rewrote the <code class=\"language-text\">magic2</code> function in Python as shown below and searched for a value whose upper 4 bytes are <code class=\"language-text\">0</code>, whose lower 2 bytes are <code class=\"language-text\">0x1964</code>, and that satisfies <code class=\"language-text\">magic2(uint64(uint128(key))) == 16</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">magic2</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">:</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span><span class=\"token operator\">></span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">:</span>\n    i <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    <span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n        x <span class=\"token operator\">=</span> x <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> x <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">break</span>\n    <span class=\"token keyword\">return</span> i\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>magic2<span class=\"token punctuation\">(</span><span class=\"token number\">0x0000000000011964</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>In the end, I found that <code class=\"language-text\">0x0000000000011964</code> was the corresponding value, which means <code class=\"language-text\">key</code> is <code class=\"language-text\">0x34928001006701550000000000011964</code>.</p>\n<p>With that, XORing <code class=\"language-text\">key</code> and <code class=\"language-text\">goal</code> recovered the flag.</p>\n<h2 id=\"standard-vmrev\" style=\"position:relative;\"><a href=\"#standard-vmrev\" aria-label=\"standard vmrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Standard VM(Rev)</h2>\n<blockquote>\n<p>Yet Another Virtual Machine.</p>\n</blockquote>\n<p>This was the only Hard problem we solved this time, but it was super easy. (Probably a challenge-authoring mistake?)</p>\n<p>The challenge binary seems to take user input and validate the flag.</p>\n<p>The decompiled output of the main part is as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">undefined8 <span class=\"token function\">FUN_00101396</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  undefined8 uVar2<span class=\"token punctuation\">;</span>\n  \n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Flag: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">__isoc99_scanf</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_0010200b<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>DAT_00104110<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar2 <span class=\"token operator\">=</span> <span class=\"token function\">FUN_00101209</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">FUN_00101356</span><span class=\"token punctuation\">(</span>uVar2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strcmp</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"N]N_MVdP}dSOT\"</span><span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>DAT_00104110<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Correct!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Wrong!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The part that validates the input looked like it was doing various complicated things, but as soon as I saw this decompilation I knew it looked solvable with <code class=\"language-text\">angr</code>, so I did not analyze it further.</p>\n<p>I was able to recover the flag with the following script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">\"standard_vm\"</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"EntryPoint\"</span><span class=\"token punctuation\">,</span> proj<span class=\"token punctuation\">.</span>entry<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># initial_state at the entry point of the binary</span>\ninit_state <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span>args <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">'standard_vm'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># create simulation</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simgr<span class=\"token punctuation\">(</span>init_state<span class=\"token punctuation\">)</span>\n\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x401403</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x401411</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>posix<span class=\"token punctuation\">.</span>dumps<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># b'cvctf{MyVMxd}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'</span></code></pre></div>\n<h2 id=\"touhou-danmaku-kagurarev\" style=\"position:relative;\"><a href=\"#touhou-danmaku-kagurarev\" aria-label=\"touhou danmaku kagurarev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Touhou Danmaku Kagura(Rev)</h2>\n<blockquote>\n<p>You will control Hakurei Reimu, a popular character from the Touhou Project, and challenge a danmaku battle. This game has a new style where you attack in rhythm while dodging enemy bullets. Clear it and the flag will be displayed. To find the flag, you need to reverse engineer the game. Good luck!</p>\n</blockquote>\n<p>The fact that the challenge description itself was in Japanese made this a very amusing problem.</p>\n<p>When you run the challenge binary, a bullet-hell shooter game screen appears.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 801px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3bc35df7a8e825e9903ef66e9b30fe17/2ad15/image-20230509214254302.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 79.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAD2klEQVQ4y1WS2VIbVxCGh6VsDMigXUgghNhBQoA2JBiNltFoGQkksQiEEDYpZ3HlYXKXF0iVL5JcOY5jV0ICMalK4iSP9KWRc5OLrjNnuv/ur/u08uUXL/juxUu+/eobXn39hru3f/LH9V/89tPvXH//MzevfhG7/WA//Mrt6xve/3jH39f/yPmed69vuXtzx7u3Ev/yBmXXWSbn1Ml7TYqBY1SXSdph0AjWyLqLpOx5NkeThB9sEh9PkJpIchU+ob18jmav0grUqU1X0DwNyrNHKM3IKSWvQehhnG0J1nxl2qvHdEI9YpNpVh4uELckKbsSREYW2bUleK5+Lv4LKRDHmNqi7i/SXjnls+1LlM5Wj5q/StyWwpzO0Yl8xHnsUw5WDrlK9HgW79ENtThZMtDdKc4WTHrhDvtzNZLWGJtjG5QDNQ7DXboRSdhcOeZUBBnnjgQe0Vppc7Z6wkWoQ3f9iLJ7l9ZcFWNayAN5Kt4k1XmTSsBAtW1QmNqhIXQt6ai7eYFysHpOL/KUyrROwZUUgc7F2hmH801O56sUbLvodpXGjE7JV0JzZMjLbEtulbo3RsYWl7vW158s11ByU2VJVOBsVsf0pKXtIvveIpfLJmVvjpQljG7dImdLortUDM8ejbk6WWuGhGWLo4BOd6lOdbqA4cuhJCdC0kqGuiTTxkIY0kbFtcPFQp7MZATdEaHi2Cb6IMj2sJ+Sa5eD2So7jyKkRldo+zMy2zydpX0MAVAyj0OczBkcz2apO+TFXNs0vClKDnlBZ5yniyqfLGekyDb65DpNT5TufFZGsYkp8ztfa0urh7QWmtK6ipK1hjGF6MSv0nJHMKyrPJlX6c2mORCxPrFM1RmWIjEhjVCzhWh5YhQl7tAf51nI5FL2srPWoBUsyqN4ElTtUTTLKu3ZHZqyVxV7mJo9xKFnk6tAlNOZqJCvU7DM0XTKiGYSAhGmLgANd0wKRqm6UtR9aZRuUOtTfbwge+jYwHSuSYItzv0xCqNBnge3qE3MoQ570IbdFEcDGGNBiuMBIRXi+xFNxSgJQFnGpOiSrCDOM39UqNYojfvJibA84iM75CKtTKIN2jAtXlTFTmbQgTpgF5+DmhDnRwIcuDbkpdOy9HsoNU+IJ4spjHGhGHB8ECk2MvciuecGbOQkYWHYjibJ80Nyiu/erw46yQr53oCTvSE3dZm1YjqXqViC7ClWCXaSF4KsCHNyvz+zykTftL49/u+c6Pvyg3bRuNBEpw7cJ/fJ2oz5JLuQDQnV4L1Zpfrk/0wV08RffOTpm/7Q1f/XN4lXhX5v2EFKvv8FcO4WiYZZucsAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3bc35df7a8e825e9903ef66e9b30fe17/8ac56/image-20230509214254302.webp 240w,\n/static/3bc35df7a8e825e9903ef66e9b30fe17/d3be9/image-20230509214254302.webp 480w,\n/static/3bc35df7a8e825e9903ef66e9b30fe17/99a1d/image-20230509214254302.webp 801w\"\n              sizes=\"(max-width: 801px) 100vw, 801px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3bc35df7a8e825e9903ef66e9b30fe17/8ff5a/image-20230509214254302.png 240w,\n/static/3bc35df7a8e825e9903ef66e9b30fe17/e85cb/image-20230509214254302.png 480w,\n/static/3bc35df7a8e825e9903ef66e9b30fe17/2ad15/image-20230509214254302.png 801w\"\n            sizes=\"(max-width: 801px) 100vw, 801px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3bc35df7a8e825e9903ef66e9b30fe17/2ad15/image-20230509214254302.png\"\n            alt=\"image-20230509214254302\"\n            title=\"image-20230509214254302\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Apparently, clearing this game gives you the flag, but by design it seems impossible to clear.</p>\n<p>I stared at the binary in Ghidra for a while, but there were too many functions and I could not narrow down the right analysis target.</p>\n<p>So I decided to change approaches, and after investigating a bit I noticed that the target executable was built with PyInstaller.</p>\n<p>So I tried extracting the file with PyInstaller Extractor.</p>\n<p>Reference: <a href=\"https://github.com/extremecoders-re/pyinstxtractor\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">extremecoders-re/pyinstxtractor: PyInstaller Extractor</a></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">py.exe pyinstxtractor.py Main.exe</code></pre></div>\n<p>After extracting the binary with PyInstaller Extractor, I found that it had been created with PyGame.</p>\n<p>To retrieve the executable code, I fed the extracted <code class=\"language-text\">Main.pyc</code> into the following online decompiler.</p>\n<p>Reference: <a href=\"https://www.toolnb.com/tools-lang-en/pyc.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PyC decompile - Toolnb online toolbox</a></p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># uncompyle6 version 3.5.0</span>\n<span class=\"token comment\"># Python bytecode 3.7 (3394)</span>\n<span class=\"token comment\"># Decompiled from: Python 2.7.5 (default, Nov 16 2020, 22:23:17) </span>\n<span class=\"token comment\"># [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]</span>\n<span class=\"token comment\"># Embedded file name: Main.py</span>\n<span class=\"token keyword\">import</span> os\nos<span class=\"token punctuation\">.</span>environ<span class=\"token punctuation\">[</span><span class=\"token string\">'PYGAME_HIDE_SUPPORT_PROMPT'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">'hide'</span>\n<span class=\"token keyword\">import</span> pygame<span class=\"token punctuation\">,</span> math<span class=\"token punctuation\">,</span> random<span class=\"token punctuation\">,</span> time\n\n<span class=\"token keyword\">class</span> <span class=\"token class-name\">sizes</span><span class=\"token punctuation\">:</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">__init__</span><span class=\"token punctuation\">(</span>self<span class=\"token punctuation\">,</span> width<span class=\"token punctuation\">,</span> height<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        self<span class=\"token punctuation\">.</span>Width <span class=\"token operator\">=</span> width\n        self<span class=\"token punctuation\">.</span>Height <span class=\"token operator\">=</span> height\n\n\ncurrentCount <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ncurrentAnim <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\nanimLimit <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\nplayerX <span class=\"token operator\">=</span> <span class=\"token number\">400</span>\nplayerY <span class=\"token operator\">=</span> <span class=\"token number\">450</span>\nlastBullet <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nbulletLimit <span class=\"token operator\">=</span> <span class=\"token number\">5000</span>\ntotalBullets <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ntoX <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ntoY <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nbullets <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\nbulletsDirection <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>\n <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\nbulletsY <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\nbulletsX <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">global</span> bullets\n    <span class=\"token keyword\">global</span> bulletsX\n    <span class=\"token keyword\">global</span> bulletsY\n    <span class=\"token keyword\">global</span> currentAnim\n    <span class=\"token keyword\">global</span> currentCount\n    <span class=\"token keyword\">global</span> lastBullet\n    <span class=\"token keyword\">global</span> playerX\n    <span class=\"token keyword\">global</span> playerY\n    <span class=\"token keyword\">global</span> toX\n    <span class=\"token keyword\">global</span> toY\n    <span class=\"token keyword\">global</span> totalBullets\n    pygame<span class=\"token punctuation\">.</span>init<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    pygame<span class=\"token punctuation\">.</span>mixer<span class=\"token punctuation\">.</span>init<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    pygame<span class=\"token punctuation\">.</span>mixer<span class=\"token punctuation\">.</span>music<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string\">'Song.mp3'</span><span class=\"token punctuation\">)</span>\n    pygame<span class=\"token punctuation\">.</span>mixer<span class=\"token punctuation\">.</span>music<span class=\"token punctuation\">.</span>play<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    screenSizes <span class=\"token operator\">=</span> sizes<span class=\"token punctuation\">(</span><span class=\"token number\">800</span><span class=\"token punctuation\">,</span> <span class=\"token number\">600</span><span class=\"token punctuation\">)</span>\n    screen <span class=\"token operator\">=</span> pygame<span class=\"token punctuation\">.</span>display<span class=\"token punctuation\">.</span>set_mode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>screenSizes<span class=\"token punctuation\">.</span>Width<span class=\"token punctuation\">,</span> screenSizes<span class=\"token punctuation\">.</span>Height<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    startBullet <span class=\"token operator\">=</span> pygame<span class=\"token punctuation\">.</span>image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string\">'Bullet.png'</span><span class=\"token punctuation\">)</span>\n    startBullet <span class=\"token operator\">=</span> screen<span class=\"token punctuation\">.</span>blit<span class=\"token punctuation\">(</span>startBullet<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token number\">450</span><span class=\"token punctuation\">,</span> <span class=\"token number\">300</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    bullets<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>startBullet<span class=\"token punctuation\">)</span>\n    bulletsX<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token number\">450</span><span class=\"token punctuation\">)</span>\n    bulletsY<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token number\">300</span><span class=\"token punctuation\">)</span>\n    pygame<span class=\"token punctuation\">.</span>display<span class=\"token punctuation\">.</span>set_caption<span class=\"token punctuation\">(</span><span class=\"token string\">'Touhou Danmaku Kagura'</span><span class=\"token punctuation\">)</span>\n    pygame<span class=\"token punctuation\">.</span>display<span class=\"token punctuation\">.</span>set_icon<span class=\"token punctuation\">(</span>pygame<span class=\"token punctuation\">.</span>image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string\">'Icon.png'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    background <span class=\"token operator\">=</span> pygame<span class=\"token punctuation\">.</span>image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string\">'Background.jpg'</span><span class=\"token punctuation\">)</span>\n    background <span class=\"token operator\">=</span> pygame<span class=\"token punctuation\">.</span>transform<span class=\"token punctuation\">.</span>scale<span class=\"token punctuation\">(</span>background<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>screenSizes<span class=\"token punctuation\">.</span>Width<span class=\"token punctuation\">,</span> screenSizes<span class=\"token punctuation\">.</span>Height<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">getPlayerDirection</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">global</span> animLimit\n        <span class=\"token keyword\">if</span> toX <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            animLimit <span class=\"token operator\">=</span> <span class=\"token builtin\">bool</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">return</span> <span class=\"token string\">'Idle'</span>\n        <span class=\"token keyword\">if</span> toX <span class=\"token operator\">>=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            animLimit <span class=\"token operator\">=</span> <span class=\"token builtin\">bool</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">return</span> <span class=\"token string\">'Right'</span>\n        <span class=\"token keyword\">if</span> toX <span class=\"token operator\">&lt;=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            animLimit <span class=\"token operator\">=</span> <span class=\"token builtin\">bool</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">return</span> <span class=\"token string\">'Left'</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">getAnimation</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">global</span> currentAnim\n        <span class=\"token keyword\">global</span> currentCount\n        <span class=\"token keyword\">if</span> currentCount <span class=\"token operator\">>=</span> <span class=\"token number\">150</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> currentAnim <span class=\"token operator\">&lt;=</span> <span class=\"token number\">7</span><span class=\"token punctuation\">:</span>\n                currentCount <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n                currentAnim <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            <span class=\"token keyword\">elif</span> animLimit <span class=\"token operator\">==</span> <span class=\"token boolean\">False</span><span class=\"token punctuation\">:</span>\n                currentCount <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n                currentAnim <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">loadBullet</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        newBullet <span class=\"token operator\">=</span> pygame<span class=\"token punctuation\">.</span>image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string\">'Bullet.png'</span><span class=\"token punctuation\">)</span>\n        newBullet <span class=\"token operator\">=</span> screen<span class=\"token punctuation\">.</span>blit<span class=\"token punctuation\">(</span>newBullet<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">bullet</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        newBullet <span class=\"token operator\">=</span> pygame<span class=\"token punctuation\">.</span>image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string\">'Bullet.png'</span><span class=\"token punctuation\">)</span>\n        newBullet <span class=\"token operator\">=</span> screen<span class=\"token punctuation\">.</span>blit<span class=\"token punctuation\">(</span>newBullet<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        bulletsDirection<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        bullets<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>newBullet<span class=\"token punctuation\">)</span>\n        bulletsX<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n        bulletsY<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>y<span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">editDirection</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">global</span> playerX\n        <span class=\"token keyword\">global</span> playerY\n        <span class=\"token keyword\">if</span> toY <span class=\"token operator\">&lt;=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> playerY <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">pass</span>\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                playerY <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n        <span class=\"token keyword\">elif</span> toY <span class=\"token operator\">>=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> playerY <span class=\"token operator\">>=</span> screenSizes<span class=\"token punctuation\">.</span>Height <span class=\"token operator\">-</span> <span class=\"token number\">60</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">pass</span>\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                playerY <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            <span class=\"token keyword\">if</span> toX <span class=\"token operator\">&lt;=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">if</span> playerX <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">pass</span>\n                <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                    playerX <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n            <span class=\"token keyword\">elif</span> toX <span class=\"token operator\">>=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">if</span> playerX <span class=\"token operator\">>=</span> screenSizes<span class=\"token punctuation\">.</span>Width <span class=\"token operator\">-</span> <span class=\"token number\">25</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">pass</span>\n                <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                    playerX <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">isCollision</span><span class=\"token punctuation\">(</span>bulletX<span class=\"token punctuation\">,</span> bulletY<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        distance <span class=\"token operator\">=</span> math<span class=\"token punctuation\">.</span>sqrt<span class=\"token punctuation\">(</span>math<span class=\"token punctuation\">.</span><span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>playerX <span class=\"token operator\">-</span> bulletX<span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> math<span class=\"token punctuation\">.</span><span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>playerY <span class=\"token operator\">-</span> bulletY<span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> distance <span class=\"token operator\">&lt;</span> <span class=\"token number\">12</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">return</span> <span class=\"token boolean\">True</span>\n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n\n    <span class=\"token keyword\">def</span> <span class=\"token function\">makePlayer</span><span class=\"token punctuation\">(</span>posX<span class=\"token punctuation\">,</span> posY<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        getAnimation<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        editDirection<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        getDir <span class=\"token operator\">=</span> getPlayerDirection<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        screen<span class=\"token punctuation\">.</span>blit<span class=\"token punctuation\">(</span>pygame<span class=\"token punctuation\">.</span>image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Reimu</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>getDir<span class=\"token punctuation\">}</span></span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>currentAnim<span class=\"token punctuation\">}</span></span><span class=\"token string\">.png\"</span></span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>posX<span class=\"token punctuation\">,</span> posY<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    screen<span class=\"token punctuation\">.</span>fill<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token number\">24</span><span class=\"token punctuation\">,</span> <span class=\"token number\">24</span><span class=\"token punctuation\">,</span> <span class=\"token number\">24</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    pygame<span class=\"token punctuation\">.</span>display<span class=\"token punctuation\">.</span>update<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    isGameRunning <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n    start <span class=\"token operator\">=</span> time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">while</span> isGameRunning<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> start <span class=\"token operator\">&lt;=</span> <span class=\"token number\">1800</span><span class=\"token punctuation\">:</span>\n            screen<span class=\"token punctuation\">.</span>blit<span class=\"token punctuation\">(</span>background<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">for</span> event <span class=\"token keyword\">in</span> pygame<span class=\"token punctuation\">.</span>event<span class=\"token punctuation\">.</span>get<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span><span class=\"token builtin\">type</span> <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>QUIT<span class=\"token punctuation\">:</span>\n                    isGameRunning <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n                    <span class=\"token keyword\">break</span>\n                <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span><span class=\"token builtin\">type</span> <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>KEYDOWN<span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_LEFT<span class=\"token punctuation\">:</span>\n                        toX <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span>\n                        currentAnim <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n                    <span class=\"token keyword\">elif</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_RIGHT<span class=\"token punctuation\">:</span>\n                        toX <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n                        currentAnim <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n                    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span><span class=\"token builtin\">type</span> <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>KEYDOWN<span class=\"token punctuation\">:</span>\n                            <span class=\"token keyword\">pass</span>\n\n                <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_DOWN<span class=\"token punctuation\">:</span>\n                    toY <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n                <span class=\"token keyword\">elif</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_UP<span class=\"token punctuation\">:</span>\n                    toY <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span>\n                <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span><span class=\"token builtin\">type</span> <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>KEYUP<span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_LEFT<span class=\"token punctuation\">:</span>\n                            <span class=\"token keyword\">pass</span>\n                    <span class=\"token keyword\">if</span> toX <span class=\"token operator\">&lt;=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                        toX <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n                    <span class=\"token keyword\">elif</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_RIGHT<span class=\"token punctuation\">:</span>\n                        toX <span class=\"token operator\">=</span> toX <span class=\"token operator\">>=</span> <span class=\"token number\">1</span> <span class=\"token keyword\">and</span> <span class=\"token number\">0</span>\n                    <span class=\"token keyword\">elif</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_UP<span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">if</span> toY <span class=\"token operator\">&lt;=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                            toY <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n                <span class=\"token keyword\">if</span> event<span class=\"token punctuation\">.</span>key <span class=\"token operator\">==</span> pygame<span class=\"token punctuation\">.</span>K_DOWN<span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">if</span> toY <span class=\"token operator\">>=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                        toY <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n            currentCount <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            lastBullet <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>bullets<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">if</span> lastBullet <span class=\"token operator\">>=</span> <span class=\"token number\">5</span><span class=\"token punctuation\">:</span>\n                    lastBullet <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n                    <span class=\"token keyword\">if</span> totalBullets <span class=\"token operator\">&lt;=</span> bulletLimit<span class=\"token punctuation\">:</span>\n                        totalBullets <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n                        bullet<span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>randint<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">800</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">if</span> bulletsDirection<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                            bulletsX<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">0.5</span>\n                        <span class=\"token keyword\">elif</span> bulletsDirection<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">2</span><span class=\"token punctuation\">:</span>\n                            bulletsX<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">0.5</span>\n                        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                            bulletsY<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1.5</span>\n                            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n                            <span class=\"token keyword\">if</span> bulletsY<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span> <span class=\"token operator\">>=</span> <span class=\"token number\">600</span><span class=\"token punctuation\">:</span>\n                                totalBullets <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n                                bullets<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n                                bulletsX<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n                                bulletsY<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n\n                    <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">pass</span>\n\n                    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">if</span> isCollision<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span>x<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n                            totalBullets <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n                            isGameRunning <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n                            bullets<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n                            bulletsX<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n                            bulletsY<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n                        <span class=\"token keyword\">pass</span>\n\n            makePlayer<span class=\"token punctuation\">(</span>playerX<span class=\"token punctuation\">,</span> playerY<span class=\"token punctuation\">)</span>\n            pygame<span class=\"token punctuation\">.</span>display<span class=\"token punctuation\">.</span>update<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">if</span> isGameRunning<span class=\"token punctuation\">:</span>\n        dx <span class=\"token operator\">=</span> <span class=\"token number\">50</span>\n        dy <span class=\"token operator\">=</span> <span class=\"token number\">300</span>\n        totalBullets <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n        bullet<span class=\"token punctuation\">(</span>dx<span class=\"token punctuation\">,</span> dy<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">42</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n        dx <span class=\"token operator\">+=</span> <span class=\"token number\">62</span>\n        bullet<span class=\"token punctuation\">(</span>dx<span class=\"token punctuation\">,</span> dy<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">42</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n        dx <span class=\"token operator\">+=</span> <span class=\"token number\">62</span>\n        bullet<span class=\"token punctuation\">(</span>dx<span class=\"token punctuation\">,</span> dy<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n            bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n            bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n            loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n            \n        <span class=\"token punctuation\">{</span><span class=\"token punctuation\">{</span> 省略 <span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span>\n            \n        pygame<span class=\"token punctuation\">.</span>display<span class=\"token punctuation\">.</span>update<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">'__main__'</span><span class=\"token punctuation\">:</span>\n    main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>It seems that if you get through the loop starting with <code class=\"language-text\">while isGameRunning:</code> while keeping <code class=\"language-text\">isGameRunning</code> true, the game is treated as cleared, but there is no clear condition.</p>\n<p>So I identified the post-clear processing from the reversing results.</p>\n<p>In the post-clear processing, it looked like the following two patterns were repeated.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># パターン 1</span>\ndx <span class=\"token operator\">+=</span> <span class=\"token number\">62</span>\nbullet<span class=\"token punctuation\">(</span>dx<span class=\"token punctuation\">,</span> dy<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">42</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># パターン 2</span>\ndx <span class=\"token operator\">+=</span> <span class=\"token number\">62</span>\nbullet<span class=\"token punctuation\">(</span>dx<span class=\"token punctuation\">,</span> dy<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n    bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n    loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n    bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n    loadBullet<span class=\"token punctuation\">(</span>bulletsX<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> bulletsY<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This code was drawing strings of <code class=\"language-text\">1</code> and <code class=\"language-text\">0</code> on the screen as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 580px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/60639679e1c1d9d0f537046d16a21572/b6272/image-20230509220457983.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 80%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAABTUlEQVQ4y7WTO07DQBCGfQLwc9fPuACJggqaJCBEw0sgIZEmAnEFSi7BAajSIBoqKpBbW7bPNfnHrC3HxKmc4vPMzv7779qz1hYfX5QkSUOWZVSWJRVF0cQ+6vk8z6s8TVPSojCkcIWgM+4nCIJ/uSakJCHEYGiu69KQVIYSp9yOYZ8x1/toa2rDetLr4Ku4ybCt53FlaAIHGGAX7LTgmgVsRTfXFawTfEIfjwt05xjul4jzOKZ5FNETeB6N6Mbz6BT1E8wz58gniGNwhvze9+ghhs5xaK82fMTiqe/TK+KnYdCPadI3+AVvlkV3ML7FHWNm4Bq6K+hniO/CoYWu0wvyfWz+1xQkkl+bT4OdjrDzGEzBAU5io+6ypgWvsxAPMT9xBJnYYKXLUn1UXX1TQ2Grpsk1cN1Sulqjda+Lt6Zzm+5do9v6xR6Kwf/lJZ7tydi//vzvAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/60639679e1c1d9d0f537046d16a21572/8ac56/image-20230509220457983.webp 240w,\n/static/60639679e1c1d9d0f537046d16a21572/d3be9/image-20230509220457983.webp 480w,\n/static/60639679e1c1d9d0f537046d16a21572/4fac6/image-20230509220457983.webp 580w\"\n              sizes=\"(max-width: 580px) 100vw, 580px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/60639679e1c1d9d0f537046d16a21572/8ff5a/image-20230509220457983.png 240w,\n/static/60639679e1c1d9d0f537046d16a21572/e85cb/image-20230509220457983.png 480w,\n/static/60639679e1c1d9d0f537046d16a21572/b6272/image-20230509220457983.png 580w\"\n            sizes=\"(max-width: 580px) 100vw, 580px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/60639679e1c1d9d0f537046d16a21572/b6272/image-20230509220457983.png\"\n            alt=\"image-20230509220457983\"\n            title=\"image-20230509220457983\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So by replacing “pattern 1” in the code above with <code class=\"language-text\">1</code> and “pattern 2” with <code class=\"language-text\">0</code>, I was able to obtain the following bit string.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">11000111110110110001111101001100110111101110100100110011100100110011011110101011110001100111111101</span></code></pre></div>\n<p>I fed this bit string into CyberChef and recovered the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 676px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3df8abf6a60ce39c354b2742fb9624f1/9bb7a/image-20230509220645018.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFUlEQVQoz41R226DMAzl/z9t0tqXVVsLpSVFjEvIhWsgJGchEk8d3Rwd2Vbi42MnoCXFI0lhtMUyL9AOizaIwisO70fE1xs4Y0jTFNM0QWuNeZ53ERAa45ydcK8jfDcEefNA3qZI6BVR9om4uICKCkVeQEoJzjnquoZw8ep9LIS7E2CucRDSE47ZGz7yA4iMkMgLYu6IxBcSEeLGzhAjg1nMsyKn+Elh2WYoWYlxHmHdkYqh7ijEIKDNjEF3aCeJ/1rAhgqsqyCdimbi4KMjU7WPpfNrLjuOcVQYhsHv8eUOrbF/du27DoQQv6v1U5RSuwiMWfyo1v4OT9j3/perinqVK+keHKHxRVvxZlu++u3xNu4r+wGwHWsd176a1gAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3df8abf6a60ce39c354b2742fb9624f1/8ac56/image-20230509220645018.webp 240w,\n/static/3df8abf6a60ce39c354b2742fb9624f1/d3be9/image-20230509220645018.webp 480w,\n/static/3df8abf6a60ce39c354b2742fb9624f1/0ed05/image-20230509220645018.webp 676w\"\n              sizes=\"(max-width: 676px) 100vw, 676px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3df8abf6a60ce39c354b2742fb9624f1/8ff5a/image-20230509220645018.png 240w,\n/static/3df8abf6a60ce39c354b2742fb9624f1/e85cb/image-20230509220645018.png 480w,\n/static/3df8abf6a60ce39c354b2742fb9624f1/9bb7a/image-20230509220645018.png 676w\"\n            sizes=\"(max-width: 676px) 100vw, 676px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3df8abf6a60ce39c354b2742fb9624f1/9bb7a/image-20230509220645018.png\"\n            alt=\"image-20230509220645018\"\n            title=\"image-20230509220645018\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"the-cyber-heistforensic\" style=\"position:relative;\"><a href=\"#the-cyber-heistforensic\" aria-label=\"the cyber heistforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Cyber Heist(Forensic)</h2>\n<blockquote>\n<p>A group of hackers has stolen a sensitive piece of data, and it’s up to you to recover it. We only found this USB sniffer capture that was taken during the cyber attack. Can you uncover the message from the hackers left to us?</p>\n<p>Note: All alphabetical characters in the flag are lower-case.</p>\n</blockquote>\n<p>When I opened the challenge <code class=\"language-text\">pcapng</code> file in WireShark, I found that it was a series of communications captured with USBPcap.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 904px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8c2367d735e1783a34b9afbd3284b0ec/d9217/image-20230509222312992.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 84.58333333333331%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACYElEQVQ4y22UC3OCMBCE+f8/zam1TkGRh6KgCAoqL1GB6+1JqGPLDIMxyZe92wVtt9vRZrOhb12n/X5PruvyMyLLsmi73dJyuaQ1z+N/b70mrLcsmxzHkdvzPHJkz55OpxNpt9uNDocDjUYjOp3PdDweqSxLeT4eD4qiiK7XK2WXCzVNS13byiE6C9D1b1qtVrRYLMjkG3u0pmkoSRIajz8oz3NK05TqupZDMIdFt1stcy3DcAWsHBBjZgyVVFUpB2td1wnw62tCeVHI73cgxnmW9cCONr4vwIW14DZ4ZNs2JSwELA2LsHnGpxVc6pnLRhugFCWe+Ilx9gJEH1H2culSEARyYxzF0bPkOD6QYTCweAMyIO2BRZEPwDAMxRCoXLNRMFFdAgzDPU0mE8q4T3AKJaJUKZnVY/yqEBDTNBloks/q0EckAWZqLZcV7kL6YFOw6U8Pe+CFlSugH/gCNAxdYIAiDSli81QY0nQ6FVPeXU4Gl38VBr0qKERsVpzFO0dsKDmOYzZl9o8pzWBKyYe1bTeY8gSt5DfCjQOGHMYsFyEteNO7yym3AOPfHD5NQVRgCmAq/JJDAHEKkg+FCpAcE1F06Hv46jLigv55rBCQR1/uUDKSjthU1VVMARBtUBkFcCiZw4vIYL3PAUeYceEpwVaxgWtlVQ25AxhAZcprDxHiuTkXIdj/B4jNyBYUoof3+13yCIAypeLDFHDDa23Hll6q91spFSDKch1XgnnhrwqAUAqA6inmFBBG4D1G7/8FYmI+mw85BAAKsQgJqGv+fGWXwRS4+/k5lui8A38A+kwHVKjVVUMAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8c2367d735e1783a34b9afbd3284b0ec/8ac56/image-20230509222312992.webp 240w,\n/static/8c2367d735e1783a34b9afbd3284b0ec/d3be9/image-20230509222312992.webp 480w,\n/static/8c2367d735e1783a34b9afbd3284b0ec/82aba/image-20230509222312992.webp 904w\"\n              sizes=\"(max-width: 904px) 100vw, 904px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8c2367d735e1783a34b9afbd3284b0ec/8ff5a/image-20230509222312992.png 240w,\n/static/8c2367d735e1783a34b9afbd3284b0ec/e85cb/image-20230509222312992.png 480w,\n/static/8c2367d735e1783a34b9afbd3284b0ec/d9217/image-20230509222312992.png 904w\"\n            sizes=\"(max-width: 904px) 100vw, 904px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8c2367d735e1783a34b9afbd3284b0ec/d9217/image-20230509222312992.png\"\n            alt=\"image-20230509222312992\"\n            title=\"image-20230509222312992\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Coincidentally, a similar challenge had appeared in the WaniCTF I participated in previously, so I thought I might be able to solve it the same way. However, there were no packets containing <code class=\"language-text\">Leftcver Capture Data</code>, so I could not recover the flag.</p>\n<p>Reference: <a href=\"/ctf-wanictf-2023#lowkey_messedupforensic\">Wani CTF 2023 Writeup - Frog’s Secret Base</a></p>\n<p>I wondered whether it might not be keyboard traffic after all, so I decided to investigate what kinds of devices were connected.</p>\n<p>I looked up the devices from the vendor IDs and product IDs as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">tshark -r ./challenge.pcap -T fields -e usb.idProduct -e usb.idVendor <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> -v <span class=\"token string\">'^\\s*$'</span>\n\n<span class=\"token comment\"># https://www.usb.org/sites/default/files/vendor_ids042523.pdf でベンダ ID を調べる</span>\n0x2813  0x2109 VIA Labs, Inc\n0x0203  0x04d9 Holtek Semiconductor, Inc.\n0x0037  0x1532 Razer <span class=\"token punctuation\">(</span>Asia‐Pacific<span class=\"token punctuation\">)</span> Pte Ltd.\n0x006d  0x256c GRAPHICS TECHNOLOGY <span class=\"token punctuation\">(</span>HK<span class=\"token punctuation\">)</span> CO., LIMITED</code></pre></div>\n<p>As a result, I became interested in the fact that <code class=\"language-text\">Holtek Semiconductor, Inc.</code> is a manufacturer that makes keyboards and similar devices.</p>\n<p>So I filtered WireShark to this device’s traffic and inspected it, and found that the values in <code class=\"language-text\">HID Data</code> looked very similar to the values in <code class=\"language-text\">Leftcver Capture Data</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 762px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/11096cf25eefb4afd25ae17a05c1607b/a016c/image-20230509225119158.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABmElEQVQoz21Ra3OqQAzl//8ue++VgiiwoFBAFrA8lKdYReXc7LbTD51mZifZk5PsSVb5Y+tYxAu88AW08hWvRw0qef2kk1fxN1/iJVexLFSJ/yuWX7EKjbiregWjWWPVGNApVnaeB55wmJaJtzBAURWwHRt5mWPrbbHzd4TlEuMpp7sHP3hDnMQIogDMZZIXxZGsVeq6AY85XMeBt/Nwn+7I0gzTbUJZlBiGs4wTnmB+zmibFje6CzuWJSzTxNowwCkvapW267Df7xGFIYIgxDzPKIoCMxXUdY3Lx4csfj8cpB+GAY/HQ8Zt02DrumAOw3ueS0w5nk7UKIDv+7AsG+N4QZZluF5vKElB1/Wk6EYKOTW6fz5yueD5fKKiPGM2TFKZ0lSCpzjuFpqmY7MxqaEFh0ZnzCGSBV1fwbaZLBBnvdlIz4gjlFmUExzBNYw1XOqlCDWu69ALKeJ4jzAKEUWRVNLROoRC4fu+R9u2Mk6SFAdagdhbQh96Pp8lfxxHKH0/YJomGvEqAZEUR+zyNxN4VVXfY/+0/2Q/ThCBcq7YAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/11096cf25eefb4afd25ae17a05c1607b/8ac56/image-20230509225119158.webp 240w,\n/static/11096cf25eefb4afd25ae17a05c1607b/d3be9/image-20230509225119158.webp 480w,\n/static/11096cf25eefb4afd25ae17a05c1607b/093df/image-20230509225119158.webp 762w\"\n              sizes=\"(max-width: 762px) 100vw, 762px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/11096cf25eefb4afd25ae17a05c1607b/8ff5a/image-20230509225119158.png 240w,\n/static/11096cf25eefb4afd25ae17a05c1607b/e85cb/image-20230509225119158.png 480w,\n/static/11096cf25eefb4afd25ae17a05c1607b/a016c/image-20230509225119158.png 762w\"\n            sizes=\"(max-width: 762px) 100vw, 762px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/11096cf25eefb4afd25ae17a05c1607b/a016c/image-20230509225119158.png\"\n            alt=\"image-20230509225119158\"\n            title=\"image-20230509225119158\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I used <code class=\"language-text\">tshark</code> to extract only the <code class=\"language-text\">HID Data</code> of this device into <code class=\"language-text\">keystrokes.txt</code> and was able to recover the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># HID Data を取得</span>\ntshark -r challenge.pcap -Y <span class=\"token string\">'usbhid.data &amp;&amp; usb.addr == \"1.2.1\"'</span> -T fields -e usbhid.data <span class=\"token operator\">|</span> <span class=\"token function\">sed</span> <span class=\"token string\">'s/../:&amp;/g2'</span> <span class=\"token operator\">></span> keystrokes.txt\n\n<span class=\"token comment\"># keystrokes.txt からキー入力を解析</span>\npython3 solver.py ./keystrokes.txt</code></pre></div>\n<p>I used the following <code class=\"language-text\">solver.py</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#!/usr/bin/python</span>\n<span class=\"token comment\"># -*- coding: utf-8 -*-</span>\n\n<span class=\"token keyword\">import</span> sys\n\n<span class=\"token comment\">#More symbols in https://www.fileformat.info/search/google.htm?q=capslock+symbol&amp;domains=www.fileformat.info&amp;sitesearch=www.fileformat.info&amp;client=pub-6975096118196151&amp;forid=1&amp;channel=1657057343&amp;ie=UTF-8&amp;oe=UTF-8&amp;cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A11&amp;hl=en</span>\nKEY_CODES <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token number\">0x04</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'a'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'A'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x05</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'b'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'B'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x06</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'c'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'C'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x07</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'d'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'D'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x08</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'e'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'E'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x09</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'f'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'F'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0A</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'g'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'G'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0B</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'h'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'H'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0C</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'i'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'I'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0D</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'j'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'J'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0E</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'k'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'K'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0F</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'l'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'L'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x10</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'m'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'M'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x11</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'n'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'N'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x12</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'o'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'O'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x13</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'p'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'P'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x14</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'q'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'Q'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x15</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'r'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'R'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x16</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'s'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'S'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x17</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'t'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'T'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x18</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'u'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'U'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x19</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'v'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'V'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1A</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'w'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'W'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1B</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'x'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'X'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1C</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'y'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'Y'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1D</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'z'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'Z'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1E</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'1'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'!'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1F</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'2'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'@'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x20</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'3'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'#'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x21</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'4'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'$'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x22</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'5'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'%'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x23</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'6'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'^'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x24</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'7'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'&amp;'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x25</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'8'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'*'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x26</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'9'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'('</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x27</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'0'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">')'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x28</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'\\n'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'\\n'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x29</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'␛'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'␛'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2a</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'⌫'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'⌫'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2b</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'\\t'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'\\t'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2C</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">' '</span><span class=\"token punctuation\">,</span> <span class=\"token string\">' '</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2D</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'-'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'_'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2E</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'='</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'+'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2F</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'['</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'{'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x30</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">']'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'}'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x32</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'#'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'~'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x33</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">';'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">':'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x34</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'\\''</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'\"'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x36</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">','</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'&lt;'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x37</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'.'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'>'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x38</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'/'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x39</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'⇪'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'⇪'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x4f</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'→'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'→'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x50</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'←'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'←'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x51</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'↓'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'↓'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x52</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'↑'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'↑'</span><span class=\"token punctuation\">]</span>\n<span class=\"token punctuation\">}</span>\n\n\n<span class=\"token comment\">#tshark -r ./usb.pcap -Y 'usb.capdata &amp;&amp; usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&amp;/g2' > keyboards.txt</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">read_use</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'r'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n        datas <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>readlines<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    \n    datas <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>d<span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> d <span class=\"token keyword\">in</span> datas <span class=\"token keyword\">if</span> d<span class=\"token punctuation\">]</span> \n    cursor_x <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    cursor_y <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    lines <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n    output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n    skip_next <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n    lines<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    \n    <span class=\"token keyword\">for</span> data <span class=\"token keyword\">in</span> datas<span class=\"token punctuation\">:</span>\n        shift <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">':'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># 0x2 is left shift 0x20 is right shift</span>\n        key <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">':'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">if</span> skip_next<span class=\"token punctuation\">:</span>\n            skip_next <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n            <span class=\"token keyword\">continue</span>\n        \n        <span class=\"token keyword\">if</span> key <span class=\"token operator\">==</span> <span class=\"token number\">0</span> <span class=\"token keyword\">or</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">':'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">continue</span>\n        \n        <span class=\"token comment\">#If you don't like output get a more verbose output here (maybe you need to map new rekeys or remap some of them)</span>\n        <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> key <span class=\"token keyword\">in</span> KEY_CODES<span class=\"token punctuation\">:</span>\n            <span class=\"token comment\">#print(\"Not found: \"+str(key))</span>\n            <span class=\"token keyword\">continue</span>\n        \n        <span class=\"token keyword\">if</span> shift <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            shift<span class=\"token operator\">=</span><span class=\"token number\">1</span>\n            skip_next <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n\n        <span class=\"token keyword\">if</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'↑'</span><span class=\"token punctuation\">:</span>\n            lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n            output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n            cursor_y <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n        \n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'↓'</span><span class=\"token punctuation\">:</span>\n            lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n            output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n            cursor_y <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'→'</span><span class=\"token punctuation\">:</span>\n            cursor_x <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'←'</span><span class=\"token punctuation\">:</span>\n            cursor_x <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'\\n'</span><span class=\"token punctuation\">:</span>\n            lines<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n            lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n            cursor_x <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n            cursor_y <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'[BACKSPACE]'</span><span class=\"token punctuation\">:</span>\n            output <span class=\"token operator\">=</span> output<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span>cursor_x<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> output<span class=\"token punctuation\">[</span>cursor_x<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span>\n            cursor_x <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n        \n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            output <span class=\"token operator\">=</span> output<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span>cursor_x<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> output<span class=\"token punctuation\">[</span>cursor_x<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span>\n            cursor_x <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    \n    <span class=\"token keyword\">if</span> lines <span class=\"token operator\">==</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">:</span>\n        lines<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> output\n    \n    <span class=\"token keyword\">if</span> output <span class=\"token operator\">!=</span> <span class=\"token string\">''</span> <span class=\"token keyword\">and</span> output <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> lines<span class=\"token punctuation\">:</span>\n        lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n    \n    <span class=\"token keyword\">return</span> <span class=\"token string\">'\\n'</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>lines<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">'__main__'</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>sys<span class=\"token punctuation\">.</span>argv<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">2</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Missing file to read...'</span><span class=\"token punctuation\">)</span>\n        exit<span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n    sys<span class=\"token punctuation\">.</span>stdout<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>read_use<span class=\"token punctuation\">(</span>sys<span class=\"token punctuation\">.</span>argv<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>","fields":{"slug":"/ctf-cryptoversectf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/web-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-09","description":"Cryptoverse CTF 2023 Writeup","tags":["CTF (en)","Rev (en)","Forensic (en)","Web (en)","English"],"title":"Cryptoverse CTF 2023 Writeup","socialImage":{"publicURL":"/static/83443fae00dbbc167b885d1a51f0946a/ctf-cryptoversectf-2023.png"}}}},"pageContext":{"slug":"/ctf-cryptoversectf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}