0x00 前言

是真的坐牢,真的阴间题目

0x01 baby_tree

题目附件为一大段非代码格式的文字

由附件的后缀名 .ast 结合题目名字可以知道是 AST抽象语法树

525dd4ec80968e78cb66a2416e8df87.png

阴间解法(硬看)

推一下大佬写的wp,tql:2022国赛Re1 baby_tree_Hofiy的博客-CSDN博客

第一步

由文件开头的“re.swift”可以发现这是由 swift 编写的程序

大佬博客中放了一段英文资料片段

我这边直接翻译一下,大致内容如下:

Swift编译器有一个有趣的模式:-dump-ast,它输出Swift源代码的抽象语法树

AST用于以包含语法信息的树的形式表示源代码

得知本题的考点是swift的ast 语法

第二步

最为阴间的来了

大佬开始逐行分析附件,六百多行的代码

8_KHGPLUGN@3R41D0BD_YBV.jpg

化作人形IDA反编译源代码,tqltqltql

恕我学艺不精,暂时还做不到

1.找到密文

在附件的527行附近找到了密文,发现了比对的痕迹

cbfa4a5423fd9569ad6f2b577ca452d.png

2.逐行分析

大佬反编译完的加密流程如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
def check(data,key):
    b=data
    k=key
    for i in range(len(b)-4+1):
        r0,r1,r2,r3=b[i],b[i+1],b[i+2],b[i+3]
        b[i]=r2^((k[0]+(r0>>4))&0xff)
        b[i+1]=r3^((k[1]+(r1>>2))&0xff)
        b[i+2]=r0^k[2]
        b[i+3]=r1^k[3]
        k[0] = k[1]
        k[1] = k[2]
        k[2] = k[3]
        k[3] = k[0]
    return b==res

逆向解密脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
def decode(data,key):
    b=data
    k=key
    k[0] = k[2]
    k[1] = k[3]
    k[2] = k[0]
    k[3] = k[1]
    r1 = b[38 + 3] ^ k[3]
    r0 = b[38 + 2] ^ k[2]
    r3 = b[38 + 1] ^ ((k[1] + (r1 >> 2)) & 0xff)
    r2 = b[38] ^ ((k[0] + (r0 >> 4)) & 0xff)
    b[38], b[38 + 1], b[38 + 2], b[38 + 3] = r0, r1, r2, r3
    for i in range(37,-1,-1):
        k[1] = k[0]
        k[2] = k[1]
        k[3] = k[2]
        k[0] = k[3]
        r1=b[i+3]^k[3]
        r0=b[i+2]^k[2]
        r3=b[i+1]^((k[1]+(r1>>2))&0xff)
        r2=b[i]^((k[0]+(r0>>4))&0xff)
        b[i], b[i + 1], b[i + 2], b[i + 3] = r0, r1, r2, r3
    print("".join(chr(i) for i in b))

SwiftAST

搜到的一个有关的swift和ast转换的开源库

GIthub:GitHub - krzkaczor/SwiftAST

其中给出了示例

output:

1
2
3
4
5
6
7
8
9
10
11
12
13
func fib (n : Int) -> Int {
    if n == 0 {
        return 0;
    }

    if n == 1 {
        return 1;
    }

    return fib(n-1) + fib(n-2);
}

let resultFor7 = fib(7);

output:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
{ CLASS: 'TopLevelBlock',
  statements:
   [ { CLASS: 'FunctionDeclaration',
       name: 'fib',
       parameters:
        [ { CLASS: 'Parameter',
            name: 'n',
            typeDeclared: { CLASS: 'NamedTypeNode', name: 'Int', type: Int },
            externalName: undefined,
            type: Int } ],
       block:
        { CLASS: 'Block',
          statements:
           [ { condition:
                { CLASS: 'LogicalOperatorCall',
                  operator: '==',
                  left:
                   { CLASS: 'Id',
                     value: 'n',
                     symbol:
                      { CLASS: 'ConstantTypeSymbol',
                        name: 'n',
                        type: Int,
                        cannotOverwrite: true },
                     type: Int },
                  right: { CLASS: 'IntLiteral', value: 0, symbol: undefined, type: Int },
                  type: Bool },
               block:
                { CLASS: 'Block',
                  statements:
                   [ { CLASS: 'ReturnStatement',
                       expression: { CLASS: 'IntLiteral', value: 0, symbol: undefined, type: Int },
                       type: Int } ] } },
             { condition:
                { CLASS: 'LogicalOperatorCall',
                  operator: '==',
                  left:
                   { CLASS: 'Id',
                     value: 'n',
                     symbol:
                      { CLASS: 'ConstantTypeSymbol',
                        name: 'n',
                        type: Int,
                        cannotOverwrite: true },
                     type: Int },
                  right: { CLASS: 'IntLiteral', value: 1, symbol: undefined, type: Int },
                  type: Bool },
               block:
                { CLASS: 'Block',
                  statements:
                   [ { CLASS: 'ReturnStatement',
                       expression: { CLASS: 'IntLiteral', value: 1, symbol: undefined, type: Int },
                       type: Int } ] } },
             { CLASS: 'ReturnStatement',
               expression:
                { CLASS: 'OperatorCall',
                  operator: '+',
                  left:
                   { CLASS: 'FunctionCall',
                     callee: 'fib',
                     args:
                      { CLASS: 'ParenthesizedExpression',
                        expressions:
                         [ { CLASS: 'OperatorCall',
                             operator: '-',
                             left:
                              { CLASS: 'Id',
                                value: 'n',
                                symbol:
                                 { CLASS: 'ConstantTypeSymbol',
                                   name: 'n',
                                   type: Int,
                                   cannotOverwrite: true },
                                type: Int },
                             right: { CLASS: 'IntLiteral', value: 1, symbol: undefined, type: Int },
                             type: Int } ],
                        ids: [ undefined ],
                        expressionsTypes: [ Int ],
                        type: (Int) },
                     functionType: Function (Int) -> Int,
                     type: Int },
                  right:
                   { CLASS: 'FunctionCall',
                     callee: 'fib',
                     args:
                      { CLASS: 'ParenthesizedExpression',
                        expressions:
                         [ { CLASS: 'OperatorCall',
                             operator: '-',
                             left:
                              { CLASS: 'Id',
                                value: 'n',
                                symbol:
                                 { CLASS: 'ConstantTypeSymbol',
                                   name: 'n',
                                   type: Int,
                                   cannotOverwrite: true },
                                type: Int },
                             right: { CLASS: 'IntLiteral', value: 2, symbol: undefined, type: Int },
                             type: Int } ],
                        ids: [ undefined ],
                        expressionsTypes: [ Int ],
                        type: (Int) },
                     functionType: Function (Int) -> Int,
                     type: Int },
                  type: Int },
               type: Int } ] },
       returnTypeDeclaredBare: { CLASS: 'NamedTypeNode', name: 'Int', type: Int },
       paramsTypes: (Int),
       returnType: Int },
     { CLASS: 'ConstantDeclaration',
       pattern:
        { CLASS: 'IdentifierPattern',
          name: 'resultFor7',
          typeBare: undefined,
          type: Int },
       expression:
        { CLASS: 'FunctionCall',
          callee: 'fib',
          args:
           { CLASS: 'ParenthesizedExpression',
             expressions: [ { CLASS: 'IntLiteral', value: 7, symbol: undefined, type: Int } ],
             ids: [ undefined ],
             expressionsTypes: [ Int ],
             type: (Int) },
          functionType: Function (Int) -> Int,
          type: Int },
       type: Int } ] }