PHP AST + 反混淆 + 矩阵快速幂

唯一带有Web特征的逆向题

题目是一个经过混淆的PHP抽象语法树文件,请点击题目下载

一开始想直接找抽象语法树(AST)转为PHP代码的函数,找到了pretty_printing,但是尝试许久,无法直接将AST初始化

JsonDecoder

继续查资料看到PHP-Parser可以将json字符串和AST进行互转

https://github.com/nikic/PHP-Parser/blob/master/lib/PhpParser/JsonDecoder.php

AST转json脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
require dirname(__FILE__).'/vendor/autoload.php';
use PhpParser\Error;
use PhpParser\ParserFactory;
use PhpParser\PrettyPrinter;
use PhpParser\NodeDumper;

$code = <<<'CODE'
<?php

function printLine($msg) {
echo $msg;
}
CODE;

// PHP转化为AST再转化为Json
$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
try {
// PHP => AST
$ast = $parser->parse($code);
$dumper = new NodeDumper;
echo $dumper->dump($ast) . "\n";

// AST => Json
$json = json_encode($ast, JSON_PRETTY_PRINT);
echo $json, "\n";

} catch (PhpParser\Error $e) {
echo 'Parse Error: ', $e->getMessage();
}

// Json转化为AST再转化为PHP
$json = file_get_contents("3.json");
// $json = <<<'CODE'
// ]
// CODE;
// Json => AST
$jsonDecoder = new PhpParser\JsonDecoder();
$ast = $jsonDecoder->decode($json);
// AST => PHP
$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
$prettyPrinter = new PrettyPrinter\Standard;
$code = $prettyPrinter->prettyPrint($ast);
echo $code, "\n";

其中json字符串如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
[
{
"nodeType": "Stmt_Function",
"byRef": false,
"name": {
"nodeType": "Identifier",
"name": "printLine"
},
"params": [
{
"nodeType": "Param",
"type": null,
"byRef": false,
"variadic": false,
"var": {
"nodeType": "Expr_Variable",
"name": "msg",
"attributes": {
"startLine": 3,
"endLine": 3
}
},
"default": null,
"flags": 0,
"attrGroups": []
}
],
"returnType": null,
"stmts": [
{
"nodeType": "Stmt_Echo",
"exprs": [
{
"nodeType": "Expr_Variable",
"name": "msg"
}
]
}
],
"attrGroups": []
}
]

AST如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
array(
0: Stmt_Function(
attrGroups: array(
)
byRef: false
name: Identifier(
name: printLine
)
params: array(
0: Param(
attrGroups: array(
)
flags: 0
type: null
byRef: false
variadic: false
var: Expr_Variable(
name: msg
)
default: null
)
)
returnType: null
stmts: array(
0: Stmt_Echo(
exprs: array(
0: Expr_Variable(
name: msg
)
)
)
)
)
)

根据上面的例子,我们可以观察到要把AST转为Json需要进行以下处理:

  1. array(...)转换为[...]
  2. Stmt_Function(...) 转化为{"nodeType": "Stmt_Function", ...}
  3. 对于全部字符串要加上引号
  4. "nodeType"后面添加"attributes": {}属性

这里给出一个AST转Json的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
import re

data = open("output.txt", "r").readlines()
out = open("4.json", "w")
lines = len(data)

brackets = []

for line in range(lines):
tmp = data[line].strip("\n")
# 检测 array
res1 = re.findall(r"array\(", tmp)
if res1:
brackets.append("]")
tmp = tmp.replace("array(", "[")
# 检测 class
res2 = re.findall(r"(\w+)\(", tmp)
if res2:
brackets.append("}")
tmp = tmp.replace(res2[0] + "(", "{nodeType: %s, attributes: {}" % res2[0])
# 删除多余标签
res3 = re.findall(r"(\d+: )", tmp)
if res3:
tmp = tmp.replace(res3[0], '')
# 添加引号
res4 = re.findall(r"(flag\{| \}|[\w\-]+)", tmp)
if res4:
for word in res4:
if not (word.isdigit() or word == "null" or word == "true" or word == "false"):
if word == " }":
word = "}"
tmp = tmp.replace(word, '"%s"' % word)
# 匹配右括号
if ")" in tmp:
tmp = tmp.replace(")", brackets.pop())

# 添加逗号
if ((line + 1) < lines) and (not ")" in data[line + 1]) and (not "[" in tmp):
tmp = tmp + ","
# 写进文件
out.write(tmp + "\n")
out.close()

最后再用上面的pretty_printing代码转出一份稍微好看点的混淆过的PHP代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<?php 
$l1IIl1II1l = function ($lII1lI1IlI) {
return function ($II1IlllI11) use($lII1lI1IlI) {
return function ($ll1IlllIIl) use($II1IlllI11, $lII1lI1IlI) {
return $II1IlllI11($lII1lI1IlI($II1IlllI11)($ll1IlllIIl));
};
};
};
$llIIllIlll = function ($lII1lI1IlI) {
return $lII1lI1IlI + 1;
};
$I1lll111II = function ($lIlIll1111) {
return function ($II1IIl1Ill) use($lIlIll1111) {
return function ($II1IlllI11) use($lIlIll1111, $II1IIl1Ill) {
return function ($ll1IlllIIl) use($II1IlllI11, $lIlIll1111, $II1IIl1Ill) {
return $lIlIll1111($II1IlllI11)($II1IIl1Ill($II1IlllI11)($ll1IlllIIl));
};
};
};
};
$I1II11lIl1 = function ($lII1lI1IlI) {
return $lII1lI1IlI - 1;
};
$I1IIlII1Il = function ($II1IlllI11) {
return function ($ll1IlllIIl) {
return $ll1IlllIIl;
};
};
$IIl1II1lIl = function ($lII1lI1IlI) {
return $lII1lI1IlI * 3 % 7;
};
$I1IllI1l11 = function ($lIlIll1111) use($I1lll111II, $I1IIlII1Il) {
return function ($II1IIl1Ill) use($lIlIll1111, $I1lll111II, $I1IIlII1Il) {
return $lIlIll1111($I1lll111II($II1IIl1Ill))($I1IIlII1Il);
};
};
$l1I11lll1l = function ($II1IlllI11) {
return function ($ll1IlllIIl) use($II1IlllI11) {
return $II1IlllI11($ll1IlllIIl);
};
};
$lIl1l1lIlI = function ($lII1lI1IlI) {
return ($lII1lI1IlI + 1) % 1000000007;
};
$l1llIlll1l = array(array($I1lll111II($l1IIl1II1l($I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l))))($l1I11lll1l)))($l1I11lll1l), $I1lll111II($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1IIl1II1l($l1I11lll1l))))($I1lll111II($l1I11lll1l)($I1lll111II($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l)))), $l1IIl1II1l($I1lll111II($I1lll111II($l1IIl1II1l($I1lll111II($l1I11lll1l)($I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))($l1I11lll1l))))($l1I11lll1l))($l1I11lll1l)), $I1IllI1l11($l1IIl1II1l($l1I11lll1l))($l1IIl1II1l($l1I11lll1l)), $I1IIlII1Il, $I1IllI1l11($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1IIl1II1l($l1I11lll1l)))), $I1lll111II($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($I1IllI1l11($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1I11lll1l))))), $l1IIl1II1l($l1IIl1II1l($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))), $I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l))), array($I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1lll111II($l1I11lll1l)($I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))($l1I11lll1l))), $I1IIlII1Il, $l1IIl1II1l($l1IIl1II1l($l1I11lll1l)), $I1lll111II($I1lll111II($I1IllI1l11($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l)))($l1I11lll1l))($l1I11lll1l), $I1IIlII1Il, $l1IIl1II1l($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1IIl1II1l($l1I11lll1l))), $I1lll111II($I1lll111II($I1lll111II($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l)))($I1lll111II($l1I11lll1l)($l1I11lll1l)))($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l))), $I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1lll111II($I1lll111II($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1lll111II($l1I11lll1l)($l1I11lll1l))), $I1IllI1l11($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l))))), array($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l), $l1IIl1II1l($l1I11lll1l), $I1IIlII1Il, $l1IIl1II1l($I1lll111II($I1IllI1l11($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l))))($l1I11lll1l)), $I1lll111II($l1I11lll1l)($l1I11lll1l), $I1lll111II($l1I11lll1l)($I1lll111II($l1IIl1II1l($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l))))($l1I11lll1l)), $I1IIlII1Il, $l1I11lll1l, $I1lll111II($l1I11lll1l)($I1lll111II($I1lll111II($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l)))($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l))))($l1IIl1II1l($l1I11lll1l)))), array($l1IIl1II1l($I1lll111II($I1lll111II($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1I11lll1l)))($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1I11lll1l))))($I1lll111II($l1I11lll1l)($l1I11lll1l))), $I1lll111II($l1IIl1II1l($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l)))($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1I11lll1l))), $l1IIl1II1l($l1IIl1II1l($l1I11lll1l)), $I1lll111II($l1I11lll1l)($l1I11lll1l), $l1I11lll1l, $I1IIlII1Il, $I1lll111II($l1I11lll1l)($I1IllI1l11($I1lll111II($l1I11lll1l)($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l))), $I1lll111II($l1IIl1II1l($I1IllI1l11($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l))))($I1lll111II($l1I11lll1l)($l1I11lll1l)), $I1lll111II($I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1lll111II($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l))($l1I11lll1l)))($I1lll111II($l1I11lll1l)($l1I11lll1l))), array($I1lll111II($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l))($I1lll111II($l1I11lll1l)($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l)))), $I1lll111II($I1lll111II($l1I11lll1l)($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l)))))($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l))), $I1IllI1l11($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l))($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l)), $I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l))), $I1IIlII1Il, $I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l), $I1lll111II($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1IIl1II1l($l1I11lll1l))))($l1I11lll1l), $l1I11lll1l, $I1lll111II($l1I11lll1l)($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l)))), array($I1lll111II($l1I11lll1l)($l1I11lll1l), $l1IIl1II1l($I1lll111II($l1IIl1II1l($l1I11lll1l))($I1IllI1l11($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l))($l1IIl1II1l($l1I11lll1l)))), $l1IIl1II1l($l1I11lll1l), $I1IIlII1Il, $I1lll111II($I1IllI1l11($l1IIl1II1l($l1I11lll1l))($l1IIl1II1l($l1I11lll1l)))($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l))), $I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1I11lll1l))))), $I1lll111II($I1lll111II($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l))($l1I11lll1l))($l1I11lll1l), $I1IIlII1Il, $I1lll111II($l1IIl1II1l($l1IIl1II1l($I1lll111II($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l))))($l1I11lll1l))))($l1I11lll1l)), array($I1IIlII1Il, $I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)), $I1lll111II($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1IllI1l11($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l))), $I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l))), $I1IIlII1Il, $I1lll111II($I1lll111II($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l))($l1IIl1II1l($I1IllI1l11($I1lll111II($l1I11lll1l)($l1I11lll1l))($I1lll111II($l1I11lll1l)($l1I11lll1l)))))($l1I11lll1l), $I1IIlII1Il, $I1lll111II($I1lll111II($I1lll111II($l1IIl1II1l($l1I11lll1l))($l1IIl1II1l($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))))($l1I11lll1l))($l1I11lll1l), $l1IIl1II1l($l1I11lll1l)), array($I1lll111II($l1I11lll1l)($l1I11lll1l), $I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($I1lll111II($l1IIl1II1l($I1lll111II($l1I11lll1l)($l1IIl1II1l($l1I11lll1l))))($I1lll111II($l1I11lll1l)($l1I11lll1l)))), $l1I11lll1l, $I1lll111II($l1IIl1II1l($l1I11lll1l))($l1I11lll1l), $I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)), $I1IllI1l11($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($I1lll111II($I1lll111II($l1I11lll1l)($l1I11lll1l))($l1I11lll1l))), $I1IIlII1Il, $I1lll111II($I1lll111II($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1lll111II($l1I11lll1l)($l1I11lll1l)))($I1lll111II($l1I11lll1l)($l1I11lll1l)), $I1IllI1l11($l1IIl1II1l($l1I11lll1l))($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($I1lll111II($l1I11lll1l)($l1I11lll1l))))));
$l11IlII11I = $l1llIlll1l[0];
for ($IlI11III11 = $I1IIlII1Il; $IlI11III11($llIIllIlll)(998244353) < $IlI11III11($I1II11lIl1)(6755399441055744); $IlI11III11 = $l1IIl1II1l($IlI11III11)) {
$l1l1l11Il1 = $l1llIlll1l[$IlI11III11($IIl1II1lIl)(1)];
$lIl11lI1I1 = $l1llIlll1l[$I1IllI1l11($IlI11III11)($IlI11III11)($IIl1II1lIl)(1)];
$lIl11lI1I1[0] = $I1IllI1l11($l11IlII11I[0])($l1l1l11Il1[0]);
$lIl11lI1I1[0] = $I1lll111II($I1IllI1l11($l1l1l11Il1[3])($l11IlII11I[1]))($lIl11lI1I1[0]);
$lIl11lI1I1[8] = $I1IllI1l11($l11IlII11I[8])($l1l1l11Il1[8]);
$lIl11lI1I1[8] = $I1lll111II($lIl11lI1I1[8])($I1IllI1l11($l11IlII11I[6])($l1l1l11Il1[2]));
$lIl11lI1I1[7] = $I1IllI1l11($l11IlII11I[7])($l1l1l11Il1[4]);
$lIl11lI1I1[7] = $I1lll111II($I1IllI1l11($l1l1l11Il1[1])($l11IlII11I[6]))($lIl11lI1I1[7]);
$lIl11lI1I1[1] = $I1IllI1l11($l11IlII11I[1])($l1l1l11Il1[4]);
$lIl11lI1I1[2] = $I1IllI1l11($l11IlII11I[1])($l1l1l11Il1[5]);
$lIl11lI1I1[8] = $I1lll111II($I1IllI1l11($l11IlII11I[7])($l1l1l11Il1[5]))($lIl11lI1I1[8]);
$lIl11lI1I1[4] = $I1IllI1l11($l11IlII11I[4])($l1l1l11Il1[4]);
$lIl11lI1I1[7] = $I1lll111II($I1IllI1l11($l11IlII11I[8])($l1l1l11Il1[7]))($lIl11lI1I1[7]);
$lIl11lI1I1[1] = $I1lll111II($I1IllI1l11($l1l1l11Il1[1])($l11IlII11I[0]))($lIl11lI1I1[1]);
$lIl11lI1I1[1] = $I1lll111II($lIl11lI1I1[1])($I1IllI1l11($l1l1l11Il1[7])($l11IlII11I[2]));
$lIl11lI1I1[5] = $I1IllI1l11($l11IlII11I[3])($l1l1l11Il1[2]);
$lIl11lI1I1[5] = $I1lll111II($I1IllI1l11($l1l1l11Il1[5])($l11IlII11I[4]))($lIl11lI1I1[5]);
$lIl11lI1I1[3] = $I1IllI1l11($l11IlII11I[4])($l1l1l11Il1[3]);
$lIl11lI1I1[0] = $I1lll111II($I1IllI1l11($l11IlII11I[2])($l1l1l11Il1[6]))($lIl11lI1I1[0]);
$lIl11lI1I1[5] = $I1lll111II($I1IllI1l11($l1l1l11Il1[8])($l11IlII11I[5]))($lIl11lI1I1[5]);
$lIl11lI1I1[3] = $I1lll111II($lIl11lI1I1[3])($I1IllI1l11($l1l1l11Il1[0])($l11IlII11I[3]));
$lIl11lI1I1[2] = $I1lll111II($I1IllI1l11($l11IlII11I[0])($l1l1l11Il1[2]))($lIl11lI1I1[2]);
$lIl11lI1I1[2] = $I1lll111II($I1IllI1l11($l11IlII11I[2])($l1l1l11Il1[8]))($lIl11lI1I1[2]);
$lIl11lI1I1[4] = $I1lll111II($I1IllI1l11($l11IlII11I[5])($l1l1l11Il1[7]))($lIl11lI1I1[4]);
$lIl11lI1I1[4] = $I1lll111II($I1IllI1l11($l1l1l11Il1[1])($l11IlII11I[3]))($lIl11lI1I1[4]);
$lIl11lI1I1[6] = $I1IllI1l11($l11IlII11I[7])($l1l1l11Il1[3]);
$lIl11lI1I1[3] = $I1lll111II($lIl11lI1I1[3])($I1IllI1l11($l11IlII11I[5])($l1l1l11Il1[6]));
$lIl11lI1I1[6] = $I1lll111II($I1IllI1l11($l1l1l11Il1[0])($l11IlII11I[6]))($lIl11lI1I1[6]);
$lIl11lI1I1[6] = $I1lll111II($lIl11lI1I1[6])($I1IllI1l11($l11IlII11I[8])($l1l1l11Il1[6]));
$l11IlII11I = $lIl11lI1I1;
}
echo 'flag{';
for ($IlI11III11 = $l1I11lll1l; $IlI11III11($llIIllIlll)(-9); $IlI11III11 = $I1lll111II($l1I11lll1l)($IlI11III11)) {
echo "{$l11IlII11I[$IlI11III11($I1II11lIl1)(9)]($lIl1l1lIlI)(0)}-";
}
echo "{$l11IlII11I[$IlI11III11($I1II11lIl1)(9)]($lIl1l1lIlI)(0)}}";

反混淆

因为混淆用的是闭包函数,所以用正常的xdebug调式并不能看出函数间的调用,而且会因为函数调用层数过多而报错,所以这里唯一的技巧就是手动化简变量名(x

这里给出一份自己处理后的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
<?php 
$f1 = function ($lII1lI1IlI) {
return function ($II1IlllI11) use($lII1lI1IlI) {
return function ($ll1IlllIIl) use($II1IlllI11, $lII1lI1IlI) {
return $II1IlllI11($lII1lI1IlI($II1IlllI11)($ll1IlllIIl));
};
};
};
// 自增
$increase = function ($lII1lI1IlI) {
return $lII1lI1IlI + 1;
};
$f2 = function ($lIlIll1111) {
return function ($II1IIl1Ill) use($lIlIll1111) {
return function ($II1IlllI11) use($lIlIll1111, $II1IIl1Ill) {
return function ($ll1IlllIIl) use($II1IlllI11, $lIlIll1111, $II1IIl1Ill) {
return $lIlIll1111($II1IlllI11)($II1IIl1Ill($II1IlllI11)($ll1IlllIIl));
};
};
};
};
// 自减
$decrease = function ($lII1lI1IlI) {
return $lII1lI1IlI - 1;
};
$ret_self = function ($II1IlllI11) {
return function ($ll1IlllIIl) {
return $ll1IlllIIl;
};
};
// 乘3模7
$mul_mod = function ($lII1lI1IlI) {
return $lII1lI1IlI * 3 % 7;
};
$f3 = function ($lIlIll1111) use($f2, $ret_self) {
return function ($II1IIl1Ill) use($lIlIll1111, $f2, $ret_self) {
return $lIlIll1111($f2($II1IIl1Ill))($ret_self);
};
};
$f4 = function ($II1IlllI11) {
return function ($ll1IlllIIl) use($II1IlllI11) {
return $II1IlllI11($ll1IlllIIl);
};
};
// 模1000000007自增
$increase_mod = function ($lII1lI1IlI) {
return ($lII1lI1IlI + 1) % 1000000007;
};
// array(8)
$v1 = array(array($f2($f1($f2($f2($f4)($f2($f4)($f2($f1($f4))($f4))))($f4)))($f4), $f2($f2($f4)($f1($f1($f4))))($f2($f4)($f2($f1($f4))($f2($f4)($f4)))), $f1($f2($f2($f1($f2($f4)($f2($f2($f4)($f2($f4)($f4)))($f4))))($f4))($f4)), $f3($f1($f4))($f1($f4)), $ret_self, $f3($f1($f4))($f2($f4)($f1($f1($f4)))), $f2($f1($f4))($f2($f4)($f3($f2($f4)($f4))($f1($f2($f4)($f4))))), $f1($f1($f2($f4)($f2($f4)($f4)))), $f2($f4)($f2($f4)($f4))), array($f2($f2($f4)($f2($f4)($f4)))($f2($f4)($f2($f2($f4)($f2($f4)($f4)))($f4))), $ret_self, $f1($f1($f4)), $f2($f2($f3($f2($f1($f4))($f4))($f2($f4)($f4)))($f4))($f4), $ret_self, $f1($f2($f2($f4)($f4))($f1($f4))), $f2($f2($f2($f2($f4)($f1($f4)))($f2($f4)($f4)))($f4))($f2($f4)($f1($f4))), $f2($f2($f4)($f2($f4)($f4)))($f2($f2($f1($f4))($f2($f4)($f4)))($f2($f4)($f4))), $f3($f1($f4))($f2($f4)($f2($f4)($f1($f4))))), array($f2($f2($f4)($f4))($f4), $f1($f4), $ret_self, $f1($f2($f3($f1($f4))($f2($f4)($f2($f4)($f4))))($f4)), $f2($f4)($f4), $f2($f4)($f2($f1($f2($f4)($f2($f4)($f4))))($f4)), $ret_self, $f4, $f2($f4)($f2($f2($f2($f4)($f1($f4)))($f2($f4)($f2($f4)($f4))))($f1($f4)))), array($f1($f2($f2($f1($f2($f4)($f4)))($f1($f2($f4)($f4))))($f2($f4)($f4))), $f2($f1($f2($f2($f4)($f4))($f4)))($f1($f2($f4)($f4))), $f1($f1($f4)), $f2($f4)($f4), $f4, $ret_self, $f2($f4)($f3($f2($f4)($f4))($f2($f4)($f4))), $f2($f1($f3($f2($f2($f4)($f4))($f4))($f2($f4)($f4))))($f2($f4)($f4)), $f2($f2($f2($f4)($f2($f4)($f4)))($f2($f2($f1($f4))($f4))($f4)))($f2($f4)($f4))), array($f2($f2($f2($f4)($f4))($f4))($f2($f4)($f2($f2($f4)($f4))($f2($f4)($f4)))), $f2($f2($f4)($f1($f2($f4)($f1($f4)))))($f2($f4)($f1($f4))), $f3($f2($f1($f4))($f4))($f2($f1($f4))($f4)), $f2($f4)($f2($f4)($f2($f4)($f4))), $ret_self, $f2($f1($f4))($f4), $f2($f2($f4)($f1($f1($f4))))($f4), $f4, $f2($f4)($f2($f2($f4)($f4))($f2($f4)($f4)))), array($f2($f4)($f4), $f1($f2($f1($f4))($f3($f2($f1($f4))($f4))($f1($f4)))), $f1($f4), $ret_self, $f2($f3($f1($f4))($f1($f4)))($f2($f2($f4)($f4))($f2($f2($f4)($f4))($f4))), $f2($f2($f4)($f4))($f1($f2($f4)($f1($f2($f4)($f4))))), $f2($f2($f2($f1($f4))($f4))($f4))($f4), $ret_self, $f2($f1($f1($f2($f1($f2($f4)($f1($f4))))($f4))))($f4)), array($ret_self, $f2($f4)($f2($f4)($f4)), $f2($f1($f2($f4)($f4)))($f3($f1($f4))($f2($f4)($f4))), $f2($f4)($f2($f4)($f1($f4))), $ret_self, $f2($f2($f2($f2($f4)($f4))($f4))($f1($f3($f2($f4)($f4))($f2($f4)($f4)))))($f4), $ret_self, $f2($f2($f2($f1($f4))($f1($f2($f4)($f2($f4)($f4)))))($f4))($f4), $f1($f4)), array($f2($f4)($f4), $f2($f4)($f2($f4)($f2($f1($f2($f4)($f1($f4))))($f2($f4)($f4)))), $f4, $f2($f1($f4))($f4), $f2($f4)($f2($f4)($f4)), $f3($f1($f4))($f2($f4)($f2($f2($f4)($f4))($f4))), $ret_self, $f2($f2($f2($f4)($f2($f4)($f4)))($f2($f4)($f4)))($f2($f4)($f4)), $f3($f1($f4))($f2($f4)($f2($f4)($f2($f4)($f4))))));

// 打印初始变量
for($i = 0; $i < 8; $i++) {
echo $i . ': [';
for ($f4_2 = $f4; $f4_2($increase)(-9); $f4_2 = $f2($f4)($f4_2)) {
echo "{$v1[$i][$f4_2($decrease)(9)]($increase_mod)(0)},";
}
echo "{$v1[$i][$f4_2($decrease)(9)]($increase_mod)(0)}]", "\n";
}

$v2 = $v1[0];

for ($f4_2 = $ret_self; $f4_2($increase)(998244353) < $f4_2($decrease)(6755399441055744); $f4_2 = $f1($f4_2)) {
// $v3 = 3 ** k % 7
$v3 = $v1[$f4_2($mul_mod)(1)];
// $v4 其实是无用的
// $v4 = $v1[$f3($f4_2)($f4_2)($mul_mod)(1)];
$v4 = array(9);

$v4[0] = $f3($v2[0])($v3[0]);
$v4[0] = $f2($f3($v3[3])($v2[1]))($v4[0]);
$v4[0] = $f2($f3($v2[2])($v3[6]))($v4[0]);

$v4[1] = $f3($v2[1])($v3[4]);
$v4[1] = $f2($f3($v3[1])($v2[0]))($v4[1]);
$v4[1] = $f2($v4[1])($f3($v3[7])($v2[2]));

$v4[2] = $f3($v2[1])($v3[5]);
$v4[2] = $f2($f3($v2[0])($v3[2]))($v4[2]);
$v4[2] = $f2($f3($v2[2])($v3[8]))($v4[2]);

$v4[3] = $f3($v2[4])($v3[3]);
$v4[3] = $f2($v4[3])($f3($v3[0])($v2[3]));
$v4[3] = $f2($v4[3])($f3($v2[5])($v3[6]));

$v4[4] = $f3($v2[4])($v3[4]);
$v4[4] = $f2($f3($v2[5])($v3[7]))($v4[4]);
$v4[4] = $f2($f3($v3[1])($v2[3]))($v4[4]);

$v4[5] = $f3($v2[3])($v3[2]);
$v4[5] = $f2($f3($v3[5])($v2[4]))($v4[5]);
$v4[5] = $f2($f3($v3[8])($v2[5]))($v4[5]);

$v4[6] = $f3($v2[7])($v3[3]);
$v4[6] = $f2($f3($v3[0])($v2[6]))($v4[6]);
$v4[6] = $f2($v4[6])($f3($v2[8])($v3[6]));

$v4[7] = $f3($v2[7])($v3[4]);
$v4[7] = $f2($f3($v3[1])($v2[6]))($v4[7]);
$v4[7] = $f2($f3($v2[8])($v3[7]))($v4[7]);

$v4[8] = $f3($v2[8])($v3[8]);
$v4[8] = $f2($v4[8])($f3($v2[6])($v3[2]));
$v4[8] = $f2($f3($v2[7])($v3[5]))($v4[8]);

$v2 = $v4;
}

// 倒序打印 v2
echo 'flag{';
for ($f4_2 = $f4; $f4_2($increase)(-9); $f4_2 = $f2($f4)($f4_2)) {
echo "{$v2[$f4_2($decrease)(9)]($increase_mod)(0)}-";
}
echo "{$v2[$f4_2($decrease)(9)]($increase_mod)(0)}}";

基本逻辑都写在注释里面了,代码的重点在如何找到for循环的规律,正所谓逆向七分解三分猜,这里其实就是对$v2,$v3的数据进行处理,而且是整整齐齐的三组数据连起来进行计算

我们先把矩阵打印出来看看

1
2
3
4
5
6
7
8
0: [3,5,9,8,0,4,9,9,8] => 第一步的$v2
1: [8,9,9,5,0,8,3,0,8] => 第一步的$v3
2: [9,1,0,6,2,8,0,2,3]
3: [9,9,5,0,1,2,3,7,9]
4: [5,1,5,3,0,4,9,8,8]
5: [8,0,5,7,9,0,2,9,2]
6: [2,8,0,9,0,4,7,3,0]
7: [8,7,0,8,3,3,1,8,2]

再把经过第一次转换的flag打印出来

1
flag{76-27-139-76-72-104-141-81-217}

然后我们就可以猜测其实它们就是进行了这样一个运算

1
$v4[0] = $v2[0] * $v3[0] + $v2[1] * $v3[3] + $v2[2] * $v3[6];

根据这个规律我们可以得到初步的exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
def calc():
global v1, v2, x

v3 = v1[(3 ** x) % 7]
v4 = [0] * 9

v4[0] = (v2[0]*v3[0] + v2[1]*v3[3] + v2[2]*v3[6]) % 1000000007
v4[1] = (v2[0]*v3[1] + v2[1]*v3[4] + v2[2]*v3[7]) % 1000000007
v4[2] = (v2[0]*v3[2] + v2[1]*v3[5] + v2[2]*v3[8]) % 1000000007

v4[3] = (v2[3]*v3[0] + v2[4]*v3[3] + v2[5]*v3[6]) % 1000000007
v4[4] = (v2[3]*v3[1] + v2[4]*v3[4] + v2[5]*v3[7]) % 1000000007
v4[5] = (v2[3]*v3[2] + v2[4]*v3[5] + v2[5]*v3[8]) % 1000000007

v4[6] = (v2[6]*v3[0] + v2[7]*v3[3] + v2[8]*v3[6]) % 1000000007
v4[7] = (v2[6]*v3[1] + v2[7]*v3[4] + v2[8]*v3[7]) % 1000000007
v4[8] = (v2[6]*v3[2] + v2[7]*v3[5] + v2[8]*v3[8]) % 1000000007

v2 = v4
x += 1

if __name__ == "__main__":

v1 = [
[3, 5, 9, 8, 0, 4, 9, 9, 8],
[8, 9, 9, 5, 0, 8, 3, 0, 8],
[9, 1, 0, 6, 2, 8, 0, 2, 3],
[9, 9, 5, 0, 1, 2, 3, 7, 9],
[5, 1, 5, 3, 0, 4, 9, 8, 8],
[8, 0, 5, 7, 9, 0, 2, 9, 2],
[2, 8, 0, 9, 0, 4, 7, 3, 0],
[8, 7, 0, 8, 3, 3, 1, 8, 2]
]
v2 = v1[0]
x = 0

count = (6755399441055744 - 998244353) // 2
count = 2
for _ in range(count):
calc()

print("flag{" + "-".join([str(_ % 1000000007) for _ in v2]) + "}")

矩阵快速幂

想要上面的脚本暴力解出来不可能的,因为需要3377699221405695次运算

仔细观察,其实这刚好是一个3组3*3矩阵连乘的运算,这里考察的是一个矩阵快速幂的算法

推荐使用SageMath解题,SageMath整合了很多数学的常用算法

参考**@ver**大哥exp给出自己的exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#/usr/bin/sage
# 变换矩阵
v1 = [
[3, 5, 9, 8, 0, 4, 9, 9, 8],
[8, 9, 9, 5, 0, 8, 3, 0, 8],
[9, 1, 0, 6, 2, 8, 0, 2, 3],
[9, 9, 5, 0, 1, 2, 3, 7, 9],
[5, 1, 5, 3, 0, 4, 9, 8, 8],
[8, 0, 5, 7, 9, 0, 2, 9, 2],
[2, 8, 0, 9, 0, 4, 7, 3, 0],
[8, 7, 0, 8, 3, 3, 1, 8, 2]
]
# 初始矩阵
v2 = v1[0]
# 模数
p = 1000000007
# 循环次数
count = (6755399441055744 - 998244353) // 2
# 初始化3个初始矩阵
vec = [Matrix(GF(p), 1, 3, v2[3 * i: 3 * i + 3]) for i in range(3)]
# 获取6个循环矩阵
ma = [Matrix(GF(p), 3, 3, v1[(3 ** k) % 7]) for k in range(6)]
# 获取1次循环结果
mm = 1
for i in range(6):
mm *= ma[i]
# 打印乘法余数
print(count % 6)
# 3
# 矩阵快速幂
mm = (mm ** (count//6)) * ma[0] * ma[1] * ma[2] * ma[3]
# 乘上初始矩阵
res = [(vec[i] * mm)[0] for i in range(3)]
# 打印结果
flag = [str(res[i // 3][i % 3]) for i in range(9)]
print("flag{" + "-".join(flag) + "}")
# flag{432734187-186275980-552238391-407500134-680581127-536698178-262495339-821428559-850467550}