lpmontop on 2026-04-18 12:19:
(Thanks ia)
Zware.exe — Solution
The binary implements a custom virtual machine. The instruction set (xor, shl, shr, comp, ret) is registered in a global `std::unordered_map` by `sub_140001000`. The VM program is stored as bytecode in the `.zplus` section (`byte_14000D000`, 35 bytes), which `sub_140001480` decodes back into instruction names and `sub_140001900` parses into tokenized lines.
The VM engine (`sub_140001E10`) takes the user input as a byte buffer and applies 10 sequential transformations before comparing the result against a 21-byte target hardcoded in `main`:
```
XOR 0x5A → ROR 6 → XOR 0x5A → ROR 6 → XOR 0x5A → ROR 2 → XOR 0x5A → ROR 6 → XOR 0x5A → ROR 2
```
The target buffer (from stack immediates in main) is: `80 A8 D8 BC A4 84 4C 14 34 EC 00 14 38 D4 D4 14 58 EC 80 8C 9C`.
To recover the flag, I applied the inverse operations in reverse order (ROL 2, XOR 0x5A, ROL 6, XOR 0x5A, ROL 2, XOR 0x5A, ROL 6, XOR 0x5A, ROL 6, XOR 0x5A) on the target bytes.
**Flag:** `zplus{I_WaZ_Too_Lazy}`
@mike on 2026-04-18 22:47:
```
def ror(val, bits, size=8):
    return ((val & ((1 << size) - 1)) >> bits) | (val << (size - bits) & ((1 << size) - 1))

def rol(val, bits, size=8):
    return ((val << bits) & ((1 << size) - 1)) | ((val & ((1 << size) - 1)) >> (size - bits))

target = [
    0x80, 0xA8, 0xD8, 0xBC,
    0xA4, 0x84, 0x4C, 0x14,
    0x34, 0xEC, 0x00, 0x14,
    0x38, 0xD4, 0xD4, 0x14,
    0x58, 0xEC, 0x80, 0x8C,
    0x9C  # need to verify this byte
]

# Sequence: z, p, z, p, z, l, z, p, z, l
# Reverse: l_inv, z_inv, p_inv, z_inv, l_inv, z_inv, p_inv, z_inv, p_inv, z_inv
def solve(data):
    res = list(data)
    # 1. l (ROR 2) -> ROL 2
    res = [rol(b, 2) for b in res]
    # 2. z (XOR 0x5A)
    res = [b ^ 0x5A for b in res]
    # 3. p (ROR 6) -> ROL 6
    res = [rol(b, 6) for b in res]
    # 4. z (XOR 0x5A)
    res = [b ^ 0x5A for b in res]
    # 5. l (ROR 2) -> ROL 2
    res = [rol(b, 2) for b in res]
    # 6. z (XOR 0x5A)
    res = [b ^ 0x5A for b in res]
    # 7. p (ROR 6) -> ROL 6
    res = [rol(b, 6) for b in res]
    # 8. z (XOR 0x5A)
    res = [b ^ 0x5A for b in res]
    # 9. p (ROR 6) -> ROL 6
    res = [rol(b, 6) for b in res]
    # 10. z (XOR 0x5A)
    res = [b ^ 0x5A for b in res]
    return "".join(map(chr, res))

print(f"Result with 0x9C: {solve(target)}")
```
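Added example, not part of either post above: because an 8-bit rotation distributes over XOR, the ten-step chain from the write-up collapses to a single rotate plus a single XOR constant, which can be inverted in one step and checked against the step-by-step forward transform. The op list and target bytes are taken from the write-up; the function names are made up for this sketch.

```python
# Op sequence and 21-byte target as listed in the write-up above.
PIPELINE = [("xor", 0x5A), ("ror", 6), ("xor", 0x5A), ("ror", 6), ("xor", 0x5A),
            ("ror", 2), ("xor", 0x5A), ("ror", 6), ("xor", 0x5A), ("ror", 2)]
TARGET = bytes.fromhex("80A8D8BCA4844C1434EC001438D4D41458EC808C9C")


def ror8(b, n):
    """Rotate an 8-bit value right by n bits (n is reduced mod 8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def forward(data, pipeline=PIPELINE):
    """Apply every step in order to each byte, as the VM engine is described to do."""
    out = bytearray(data)
    for op, arg in pipeline:
        if op == "xor":
            out = bytearray(b ^ arg for b in out)
        elif op == "ror":
            out = bytearray(ror8(b, arg) for b in out)
        else:
            raise ValueError(f"unsupported op: {op}")
    return bytes(out)


def collapse(pipeline=PIPELINE):
    """Reduce the chain to (rot, const) so that forward(b) == ror8(b, rot) ^ const.

    ror(a ^ k) == ror(a) ^ ror(k), so each ROR adds to the total rotation and
    rotates the accumulated constant; each XOR folds into the constant.
    """
    rot, const = 0, 0
    for op, arg in pipeline:
        if op == "xor":
            const ^= arg
        elif op == "ror":
            rot = (rot + arg) % 8
            const = ror8(const, arg)
        else:
            raise ValueError(f"unsupported op: {op}")
    return rot, const


def recover(target=TARGET, pipeline=PIPELINE):
    """Invert the collapsed form: undo the XOR, then rotate left by rot."""
    rot, const = collapse(pipeline)
    return bytes(ror8(b ^ const, 8 - rot) for b in target)


if __name__ == "__main__":
    print(collapse(), recover())
```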