Solution de lrstx pour Polygraph

reverse

30 août 2025

Table des matières

Solution

Je suis sous Linux, j’ai bien une VM Windows qui traîne, mais je vais essayer de faire sans. On commence par lancer le binaire avec Wine.

$ wine polygraph.exe 
You told me you knew the correct key...
>>>
sqdqsdqdqds
Liar!!

C’est une simple application texte. je l’importe dans Ghidra.

Note : dans les bouts de code qui suivent, j’ai simplifié et renommer les variables suite à l’analyse. L’affichage initial dans Ghidra est loin d’être aussi clair. ;-)

Je commence par chercher les chaînes :

alt text

En cherchant les références, je tombe sur une fonction, qui contient notamment :

  puts("You told me you knew the correct key...\n>>> ");
  pFVar3 = (FILE *)__acrt_iob_func(1);
  fflush(pFVar3);
  input_size? = 0x11;
  gets_s(input_key,0x11);

C’est la saisie de la clef. Je passe pour l’instant le code qui suit pour aller directement à la fin. À l’analyse, je détermine rapidement que l’une des fonctions appelées est un calcul de SHA256, et que le flag est le hash de la clef attendue en entrée.

  lVar4 = 0;
  if (buffer == 0) {
    sha256_buf = local_40;
    iVar2 = sha256(input_key,input_size?,sha256_buf);
    if (iVar2 != 0) {
      puts("Something went wrong.");
      goto LAB_14000131d;
    }
    mystery("You\'re honest.\nFCSC{",input_size?,sha256_buf,i);
    do {
      mystery(&DAT_140003300,(ulonglong)(byte)local_40[lVar4],sha256_buf,i);
      lVar4 = lVar4 + 1;
    } while (lVar4 < 0x20);
    _Str = "}";
  }
  else {
    _Str = "Liar!!";
  }
  puts(_Str);

On remarque aussi que pour entrer dans cette partie, il est nécessaire que la variable que j’ai appelé buffer soit nulle. C’est l’indicateur que la clef saisie est bonne. Cela se fait donc dans le code situé au milieu :

  code = &DAT_140005041;
  _buffer = ZEXT816(0);
  i = 0x305;
  do {
    instruction = code[-1];
    if (instruction == 0xb) {
      uVar1 = (&buffer)[code[1]];
LAB_140001286:
      (&buffer)[*code] = (&buffer)[*code] + uVar1;
    }
    else if (instruction == 0x16) {
      (&buffer)[*code] = (&buffer)[*code] - (&buffer)[code[1]];
    }
    else if (instruction == 0x2c) {
      (&buffer)[*code] = (&buffer)[*code] << (code[1] & 0x1f);
    }
    else if (instruction == 0x37) {
      (&buffer)[*code] = (uint)(&buffer)[*code] >> (code[1] & 0x1f);
    }
    else if (instruction == 0x42) {
      input_size? = (ulonglong)*code;
      (&buffer)[input_size?] = (&buffer)[input_size?] * (&buffer)[code[1]];
    }
    else if (instruction == 0x4d) {
      (&buffer)[*code] = (&buffer)[*code] | (&buffer)[code[1]];
    }
    else if (instruction == 0x58) {
      (&buffer)[*code] = (uint)(byte)input_key[code[1]];
    }
    else if (instruction == 99) {
      uVar1 = (uint)code[1];
      goto LAB_140001286;
    }
    code = code + 3;
    i = i + -1;
  } while (i != 0);

La suite de if me fait rapidement penser à une machine virtuelle. En regardant chaque branche, je confirme que c’est le cas, qu’elle exécute un bytecode stocké à l’adresse DAT_140005041. Toutes les instructions de ce dernier comprennent deux paramètres, et elles implémentent des opérations simples : addition, multiplication, décalages… dont une qui lit le buffer contenant la clef saisie.

Un autre point intéressant à noter est que la variable que j’ai appelé buffer est un tableau de 4 entiers, que l’on pourrait considérer comme des registres. On peut s’en convaincre en implémentant cette VM en python (voir polygraph.py ci-dessous) et en regardant l’exécution.

On constate que des blocs similaires se répètent. Une trace montrant l’opcode et ses arguments, suivi d’une version assemblée plus lisible et les valeurs de registre (que j’ai décidé de nommer de b0 à b3). Voici le premier de ces blocs :

[...]
Code: 63 [3, 0]: b3 += 0		00000000 00000000 00000000 00000000
Code: 2c [3, 8]: b3 <<= 8		00000000 00000000 00000000 00000000
Code: 63 [3, 11]: b3 += 11		00000000 00000000 00000000 0000000b
Code: 2c [3, 8]: b3 <<= 8		00000000 00000000 00000000 00000b00
Code: 63 [3, 35]: b3 += 35		00000000 00000000 00000000 00000b23
Code: 2c [3, 8]: b3 <<= 8		00000000 00000000 00000000 000b2300
Code: 63 [3, 146]: b3 += 146		00000000 00000000 00000000 000b2392
Code: 16 [1, 3]: b1 -= b3		00000000 -00b2392 00000000 000b2392
Code: 16 [3, 3]: b3 -= b3		00000000 -00b2392 00000000 00000000
Code: 63 [3, 0]: b3 += 0		00000000 -00b2392 00000000 00000000
Code: 2c [3, 8]: b3 <<= 8		00000000 -00b2392 00000000 00000000
Code: 63 [3, 0]: b3 += 0		00000000 -00b2392 00000000 00000000
Code: 2c [3, 8]: b3 <<= 8		00000000 -00b2392 00000000 00000000
Code: 63 [3, 11]: b3 += 11		00000000 -00b2392 00000000 0000000b
Code: 2c [3, 8]: b3 <<= 8		00000000 -00b2392 00000000 00000b00
Code: 63 [3, 5]: b3 += 5		00000000 -00b2392 00000000 00000b05
Code: 16 [2, 3]: b2 -= b3		00000000 -00b2392 -0000b05 00000b05
Code: 58 [3, 0]: b3 = in[0]		00000000 -00b2392 -0000b05 00000030
Code: 42 [2, 3]: b2 *= b3		00000000 -00b2392 -00210f0 00000030
Code: 0b [1, 2]: b1 += b2		00000000 -00d3482 -00210f0 00000030
Code: 16 [2, 2]: b2 -= b2		00000000 -00d3482 00000000 00000030
Code: 16 [3, 3]: b3 -= b3		00000000 -00d3482 00000000 00000000
Code: 63 [3, 0]: b3 += 0		00000000 -00d3482 00000000 00000000
Code: 2c [3, 8]: b3 <<= 8		00000000 -00d3482 00000000 00000000
Code: 63 [3, 0]: b3 += 0		00000000 -00d3482 00000000 00000000
Code: 2c [3, 8]: b3 <<= 8		00000000 -00d3482 00000000 00000000
Code: 63 [3, 0]: b3 += 0		00000000 -00d3482 00000000 00000000
Code: 2c [3, 8]: b3 <<= 8		00000000 -00d3482 00000000 00000000
Code: 63 [3, 65]: b3 += 65		00000000 -00d3482 00000000 00000041
Code: 16 [2, 3]: b2 -= b3		00000000 -00d3482 -0000041 00000041
Code: 58 [3, 0]: b3 = in[0]		00000000 -00d3482 -0000041 00000030
Code: 42 [3, 3]: b3 *= b3		00000000 -00d3482 -0000041 00000900
Code: 42 [2, 3]: b2 *= b3		00000000 -00d3482 -0024900 00000900
Code: 0b [1, 2]: b1 += b2		00000000 -00f7d82 -0024900 00000900
Code: 16 [2, 2]: b2 -= b2		00000000 -00f7d82 00000000 00000900
Code: 58 [3, 0]: b3 = in[0]		00000000 -00f7d82 00000000 00000030
Code: 0b [2, 3]: b2 += b3		00000000 -00f7d82 00000030 00000030
Code: 42 [3, 3]: b3 *= b3		00000000 -00f7d82 00000030 00000900
Code: 42 [3, 2]: b3 *= b2		00000000 -00f7d82 00000030 0001b000
Code: 16 [2, 2]: b2 -= b2		00000000 -00f7d82 00000000 0001b000
Code: 63 [2, 13]: b2 += 13		00000000 -00f7d82 0000000d 0001b000
Code: 42 [2, 3]: b2 *= b3		00000000 -00f7d82 0015f000 0001b000
Code: 0b [1, 2]: b1 += b2		00000000 0006727e 0015f000 0001b000
Code: 4d [0, 1]: b0 |= b1		0006727e 0006727e 0015f000 0001b000
[...]

Les opérations et les constantes divergent, mais chaque bloc finit par lire un octet de la clef saisie, et stocke le résultat de son calcul par un OR avec b0. Or (haha), ce registre doit valoir 0 pour l’affichage du flag, donc chaque bloc semble tester indépendamment chacun des octets de la clef.

C’est une bonne nouvelle : à l’aide d’un interpréteur de ce bytecode, je peux bruteforcer chacun des octets de la clef afin de trouver la valeur qui va conduire à un b1 nul avant l’exécution de b0 |= b1.

C’est l’objectif de mon deuxième script python (voir polygraph_bf.py plus bas), qui va découper les blocs et leur soumettre les différentes valeurs entre 0 et 255 pour trouver celle qui est correcte. Voilà son exécution :

$ python polygraph_bf.py 
i=0 42
i=1 184
i=2 87
i=3 165
i=4 251
i=5 224
i=6 168
i=7 103
i=8 191
i=9 216
i=10 171
i=11 235
i=12 241
i=13 233
i=14 200
i=15 49
bytearray(b'*\xb8W\xa5\xfb\xe0\xa8g\xbf\xd8\xab\xeb\xf1\xe9\xc81')

C’est là que les ennuis commencent : il y a des valeurs supérieures à 127, et je ne vois pas comment passer ça correctement sur l’entrée standard du process émulé par Wine. J’ai fait quelques essais, mais rien n’a fonctionné, au point que je me suis posé des questions sur ma résolution.

Mais avant de tout remettre en cause, j’ai lancé une VM Windows qui traînait, j’ai lancé polygraph.exe et je lui ai donné la clef à coup de AltGr + code ascii. Et bingo !

alt text

Le flag est FCSC{374895262ded6e36581df74241cd22f005d993289bc7cceb0beb0504999b8}.

Fichiers Python

polygraph.py

#!/usr/bin/env python3

code = [ 0x16, 0x00, 0x00, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x23, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x92, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x05, 0x16, 0x02, 0x03, 0x58, 0x03, 0x00, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x41, 0x16, 0x02, 0x03, 0x58, 0x03, 0x00, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x00, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x0d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x5c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xeb, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc0, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xad, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc8, 0x16, 0x02, 0x03, 0x58, 0x03, 0x01, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x19, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc2, 0x16, 0x02, 0x03, 0x58, 0x03, 0x01, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x01, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x2a, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x2f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x10, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd2, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x6a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe0, 0x16, 0x02, 0x03, 0x58, 0x03, 0x02, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x18, 0x16, 0x02, 0x03, 0x58, 0x03, 0x02, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x02, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x26, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x2f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xa9, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x9f, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x98, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x29, 0x16, 0x02, 0x03, 0x58, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x2b, 0x16, 0x02, 0x03, 0x58, 0x03, 0x03, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x03, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x0b, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xac, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe7, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x44, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x24, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x08, 0x16, 0x02, 0x03, 0x58, 0x03, 0x04, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x13, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x80, 0x16, 0x02, 0x03, 0x58, 0x03, 0x04, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x04, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x34, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd8, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x60, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x3f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x3b, 0x16, 0x02, 0x03, 0x58, 0x03, 0x05, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x03, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x25, 0x16, 0x02, 0x03, 0x58, 0x03, 0x05, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x05, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x07, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe6, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x33, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x90, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x03, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x84, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x36, 0x16, 0x02, 0x03, 0x58, 0x03, 0x06, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x18, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x9c, 0x16, 0x02, 0x03, 0x58, 0x03, 0x06, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x06, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x3f, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xfc, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x89, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x90, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xec, 0x16, 0x02, 0x03, 0x58, 0x03, 0x07, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x22, 0x16, 0x02, 0x03, 0x58, 0x03, 0x07, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x07, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x2a, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd0, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x12, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x17, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x4b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x34, 0x16, 0x02, 0x03, 0x58, 0x03, 0x08, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x6c, 0x16, 0x02, 0x03, 0x58, 0x03, 0x08, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x08, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x36, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xde, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x4e, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc8, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x65, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe5, 0x16, 0x02, 0x03, 0x58, 0x03, 0x09, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0d, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x58, 0x16, 0x02, 0x03, 0x58, 0x03, 0x09, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x09, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x3d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x79, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x3c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x80, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xeb, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0a, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe8, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0a, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0a, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x08, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x43, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xdf, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x07, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x4f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x85, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0b, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf9, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0b, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0b, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x1d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xfd, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xec, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x18, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x07, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x8f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0c, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x40, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0c, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0c, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x28, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x57, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xfd, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf8, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x94, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x10, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x60, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0d, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0d, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x28, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe5, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x29, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x90, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x06, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x55, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf6, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0e, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x71, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0e, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0e, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x1d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x43, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf3, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x05, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0f, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd2, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0f, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0f, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x05, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01 ]

buffer = [ 0 ] * 4

input_key = b'0123456789abcdefg'

for rip in range(0, len(code), 3):
    instruction = code[rip]
    print(f'Code: {code[rip]:02x} {code[rip+1:rip+3]}: ', end='')
    if (instruction == 0xb):
        buffer[code[rip+1]] += buffer[code[rip+2]]
        print(f'b{code[rip+1]} += b{code[rip+2]}', end='')
    elif (instruction == 0x16):
        buffer[code[rip+1]] -= buffer[code[rip+2]]
        print(f'b{code[rip+1]} -= b{code[rip+2]}', end='')
    elif (instruction == 0x2c):
        buffer[code[rip+1]] <<= (code[rip+2] & 0x1f)
        print(f'b{code[rip+1]} <<= {code[rip+2]}', end='')
    elif (instruction == 0x37):
        buffer[code[rip+1]] >>= (code[rip+2] & 0x1f)
        print(f'b{code[rip+1]} >>= {code[rip+2]}', end='')
    elif (instruction == 0x42):
        buffer[code[rip+1]] *= buffer[code[rip+2]]
        print(f'b{code[rip+1]} *= b{code[rip+2]}', end='')
    elif (instruction == 0x4d):
        buffer[code[rip+1]] |= buffer[code[rip+2]]
        print(f'b{code[rip+1]} |= b{code[rip+2]}', end='')
    elif (instruction == 0x58):
        buffer[code[rip+1]] = input_key[code[rip+2]]
        print(f'b{code[rip+1]} = in[{code[rip+2]}]', end='')
    elif (instruction == 0x63):
        buffer[code[rip+1]] += code[rip+2]
        print(f'b{code[rip+1]} += {code[rip+2]}', end='')
    print(f"\t\t{' '.join([ f'{x:08x}' for x in buffer ])}")

polygraph_bf.py

#!/usr/bin/env python3

code = [ 0x16, 0x00, 0x00, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x23, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x92, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x05, 0x16, 0x02, 0x03, 0x58, 0x03, 0x00, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x41, 0x16, 0x02, 0x03, 0x58, 0x03, 0x00, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x00, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x0d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x5c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xeb, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc0, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xad, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc8, 0x16, 0x02, 0x03, 0x58, 0x03, 0x01, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x19, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc2, 0x16, 0x02, 0x03, 0x58, 0x03, 0x01, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x01, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x2a, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x2f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x10, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd2, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x6a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe0, 0x16, 0x02, 0x03, 0x58, 0x03, 0x02, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x18, 0x16, 0x02, 0x03, 0x58, 0x03, 0x02, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x02, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x26, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x2f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xa9, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x9f, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x98, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x29, 0x16, 0x02, 0x03, 0x58, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x2b, 0x16, 0x02, 0x03, 0x58, 0x03, 0x03, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x03, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x0b, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xac, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe7, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x44, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x24, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x08, 0x16, 0x02, 0x03, 0x58, 0x03, 0x04, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x13, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x80, 0x16, 0x02, 0x03, 0x58, 0x03, 0x04, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x04, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x34, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd8, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x60, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x3f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x3b, 0x16, 0x02, 0x03, 0x58, 0x03, 0x05, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x03, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x25, 0x16, 0x02, 0x03, 0x58, 0x03, 0x05, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x05, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x07, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe6, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x33, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x90, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x03, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x84, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x36, 0x16, 0x02, 0x03, 0x58, 0x03, 0x06, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x18, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x9c, 0x16, 0x02, 0x03, 0x58, 0x03, 0x06, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x06, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x3f, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xfc, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x89, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x90, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xec, 0x16, 0x02, 0x03, 0x58, 0x03, 0x07, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x22, 0x16, 0x02, 0x03, 0x58, 0x03, 0x07, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x07, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x2a, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd0, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x12, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x17, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x4b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x34, 0x16, 0x02, 0x03, 0x58, 0x03, 0x08, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x6c, 0x16, 0x02, 0x03, 0x58, 0x03, 0x08, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x08, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x36, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xde, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x4e, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xc8, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x65, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe5, 0x16, 0x02, 0x03, 0x58, 0x03, 0x09, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0d, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x58, 0x16, 0x02, 0x03, 0x58, 0x03, 0x09, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x09, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x3d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x79, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x3c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x80, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xeb, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0a, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe8, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0a, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0a, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x08, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x43, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1c, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xdf, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x07, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x4f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x85, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0b, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf9, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0b, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0b, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x1d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xfd, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xec, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x18, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x07, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x8f, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0c, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x40, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0c, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0c, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x28, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x02, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x57, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xfd, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf8, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x1a, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x94, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x10, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x04, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x60, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0d, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0d, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x28, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x01, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xe5, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x29, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x90, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x06, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x55, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf6, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0e, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x0b, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x71, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0e, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0e, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x1d, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01, 0x16, 0x01, 0x01, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x43, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xf3, 0x16, 0x01, 0x03, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x05, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x50, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0f, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x16, 0x03, 0x03, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0x00, 0x2c, 0x03, 0x08, 0x63, 0x03, 0xd2, 0x16, 0x02, 0x03, 0x58, 0x03, 0x0f, 0x42, 0x03, 0x03, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x16, 0x02, 0x02, 0x58, 0x03, 0x0f, 0x0b, 0x02, 0x03, 0x42, 0x03, 0x03, 0x42, 0x03, 0x02, 0x16, 0x02, 0x02, 0x63, 0x02, 0x05, 0x42, 0x02, 0x03, 0x0b, 0x01, 0x02, 0x4d, 0x00, 0x01 ]

# On découpe le code en boxes
boxes = list()
start = 0
while True:
    try:
        ind = code.index(0x4d, start)
        boxes.append(code[start:ind+3])
        start = ind + 3
    except:
        break
# print(boxes)

code = bytearray()
for i, b in enumerate(boxes):
    # print(b)

    for c in range(0, 256):
        # print(f'#### {c}')
        buffer = [ 0 ] * 4

        for rip in range(0, len(b), 3):
            instruction = b[rip]
            if (instruction == 0xb):
                buffer[b[rip+1]] += buffer[b[rip+2]]
            elif (instruction == 0x16):
                buffer[b[rip+1]] -= buffer[b[rip+2]]
            elif (instruction == 0x2c):
                buffer[b[rip+1]] <<= (b[rip+2] & 0x1f)
            elif (instruction == 0x37):
                buffer[b[rip+1]] >>= (b[rip+2] & 0x1f)
            elif (instruction == 0x42):
                buffer[b[rip+1]] *= buffer[b[rip+2]]
            elif (instruction == 0x4d):
                buffer[b[rip+1]] |= buffer[b[rip+2]]
                # print(f'{buffer[0]=}')
            elif (instruction == 0x58):
                buffer[b[rip+1]] = c
                # print(f'{input_key[b[rip+2]]=}')
            elif (instruction == 0x63):
                buffer[b[rip+1]] += b[rip+2]

            buffer = [ 0x100000000 + x if x < 0 else x for x in buffer ]
            buffer = [ x % 0x100000000 for x in buffer ]

        # print(c, ' '.join([ f'{x:08x}' for x in buffer ]))
        if buffer[0] == 0:
            print(f'{i=} {c}')
            code.append(c)
            break

print(code)