frankli0324 · March 17, 2021 09:38
diff --git a/solve.py b/solve.py
 from requests import session
 import base64
 import json
 from collections import OrderedDict
 from multiprocessing import Pool

 ses = session()
 token = '阿巴阿巴阿巴'


 def lv1(pull): return pull['a']


 def lv2(pull): return pull['a'] * pull['a'] + pull['a']


 def lv3(pull):
    a = pull['a']
    for n in range(10000000):
        if (n * a[2] + a[1]) % a[0] == 0:
            return (n * a[2] + a[1]) // a[0]


 def lv4(pull):
    ops = [
        lambda a, b: a + b,
        lambda a, b: a - b,
        lambda a, b: a * b,
    ]
    ans = 0
    tasks = pull['a']
    tasks.sort()
    for i in range(len(tasks)):
        ans = ops[(i + 1) % 3](ans, tasks[i])
    return -ans


 def lv5(pull):
    base, num = pull['a']
    for i in range(num - 1):
        a, b = int(min(str(base))), int(max(str(base)))
        if a == 0:
            break
        base += a * b
    return base



 def lv6(pull, bases):
    a = pull['a']
    ans = 0
    for i in range(0, 12, 2):
        tmp = 1
        tmp *= pow(factors[i], a[i], 1125899906842597)
        tmp *= pow(factors[i + 1], a[i + 1], 1125899906842597)
        ans += tmp
        ans %= 1125899906842597
    return ans


 cache = {}


 def lv6extract_bases(c, challenge):
    if c in cache:
        return cache[c]
    opcodes = eval('[' + challenge[
        challenge.find('__TENCENT_CHAOS_VM(0,[') + len('__TENCENT_CHAOS_VM(0,['):
        challenge.find('],window)}();__T')
    ] + ']')
    funcs = challenge[
        challenge.find(';var t=[],o=null,u=[') + len(';var t=[],o=null,u=['):
        challenge.find('];for(0;;)try{f')
    ]
    with open('tmp.js', 'w')as f:
        f.write(f'''
 let cmds = [{funcs}]
 for (let i = 0; i < cmds.length; i++)
    if (cmds[i] !== undefined)
        console.log(i, ':', cmds[i].toString(), ',')
 ''')
    import os
    res = os.popen('node tmp.js | grep \'String\|push("")\'').read().strip()
    for i in res.split('\n'):
        if 'push("")' in i:
            strbgn = int(i.split(' : ')[0])
        else:
            appchr = int(i.split(' : ')[0])
    factors = []
    i = 0
    while i < len(opcodes):
        if opcodes[i] != strbgn:
            i += 1
            continue
        i += 1
        s = ''
        while opcodes[i] == appchr:
            s += chr(opcodes[i + 1])
            i += 2
        if len(s) == 7 and s.isnumeric():
            factors.append(int(s))
    cache[c] = factors
    return factors
  
 def lv7(pull):
  # https://github.com/frankli0324/chaos_vm_disasm
  # 阿巴阿巴阿巴，没毅力做完力
  # 按理来说由于嵌套vm的handler基本都熟悉了，可以直接下断点黑箱分析第三层的handler表，然后直接跑第三重vm
  pass
	from requests import session
	import base64
	import json
	from collections import OrderedDict
	from multiprocessing import Pool

	ses = session()
	token = '阿巴阿巴阿巴'


	def lv1(pull): return pull['a']


	def lv2(pull): return pull['a'] * pull['a'] + pull['a']


	def lv3(pull):
	a = pull['a']
	for n in range(10000000):
	if (n * a[2] + a[1]) % a[0] == 0:
	return (n * a[2] + a[1]) // a[0]


	def lv4(pull):
	ops = [
	lambda a, b: a + b,
	lambda a, b: a - b,
	lambda a, b: a * b,
	]
	ans = 0
	tasks = pull['a']
	tasks.sort()
	for i in range(len(tasks)):
	ans = ops[(i + 1) % 3](ans, tasks[i])
	return -ans


	def lv5(pull):
	base, num = pull['a']
	for i in range(num - 1):
	a, b = int(min(str(base))), int(max(str(base)))
	if a == 0:
	break
	base += a * b
	return base



	def lv6(pull, bases):
	a = pull['a']
	ans = 0
	for i in range(0, 12, 2):
	tmp = 1
	tmp *= pow(factors[i], a[i], 1125899906842597)
	tmp *= pow(factors[i + 1], a[i + 1], 1125899906842597)
	ans += tmp
	ans %= 1125899906842597
	return ans


	cache = {}


	def lv6extract_bases(c, challenge):
	if c in cache:
	return cache[c]
	opcodes = eval('[' + challenge[
	challenge.find('__TENCENT_CHAOS_VM(0,[') + len('__TENCENT_CHAOS_VM(0,['):
	challenge.find('],window)}();__T')
	] + ']')
	funcs = challenge[
	challenge.find(';var t=[],o=null,u=[') + len(';var t=[],o=null,u=['):
	challenge.find('];for(0;;)try{f')
	]
	with open('tmp.js', 'w')as f:
	f.write(f'''
	let cmds = [{funcs}]
	for (let i = 0; i < cmds.length; i++)
	if (cmds[i] !== undefined)
	console.log(i, ':', cmds[i].toString(), ',')
	''')
	import os
	res = os.popen('node tmp.js \| grep \'String\\|push("")\'').read().strip()
	for i in res.split('\n'):
	if 'push("")' in i:
	strbgn = int(i.split(' : ')[0])
	else:
	appchr = int(i.split(' : ')[0])
	factors = []
	i = 0
	while i < len(opcodes):
	if opcodes[i] != strbgn:
	i += 1
	continue
	i += 1
	s = ''
	while opcodes[i] == appchr:
	s += chr(opcodes[i + 1])
	i += 2
	if len(s) == 7 and s.isnumeric():
	factors.append(int(s))
	cache[c] = factors
	return factors

	def lv7(pull):
	# https://github.com/frankli0324/chaos_vm_disasm
	# 阿巴阿巴阿巴，没毅力做完力
	# 按理来说由于嵌套vm的handler基本都熟悉了，可以直接下断点黑箱分析第三层的handler表，然后直接跑第三重vm
	pass