Sctf2023 Re 部分题解
re
是谁不复习计网和数据库写re
Syclang
给出两个文件 一个是ir 一个是编译器
直接看ir即可
拿vscode正则匹配替换
replace:
(var\d+)\(@exp.([XLRXkey]+)(\[\d\])\)
$1.$2$3
#(\d+)
$1
<\+\d+>
""
(var\d+)\(@exp(.key\[\d+\])\)
$1$2
LABEL
""
GOTO
goto
#!tempa := \{\d+\}\*\{(var\d+)\}\n (.*?)<.*>
$2[$1]
\[0\](\[var\d+\])
$1
:=
=
:
:
IF
if
得到
#include <stdint.h>
#include <stdint.h>
/*
 * Layout of the IR's `exp` aggregate: 24 key words followed by three
 * 8-entry tables. All members are uint64_t, so the arrays sit back to back
 * (48 words in total) in the order key, L, R, X.
 */
struct exp
{
/* Working vector; main stores the 24 input bytes here, one per word. */
uint64_t key[24];
/* First index table: main uses L[i] as an index into key. */
uint64_t L[8];
/* Second index table: main uses R[i] as an index into key. */
uint64_t R[8];
/* Per-round delta that main adds at one index and subtracts at the other. */
uint64_t X[8];
};
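/*
 * Placeholder bodies for the four runtime routines the IR calls, present
 * only so the recovered listing compiles and can be decompiled.
 *
 * main() assigns every one of these return values to a temporary, and a
 * non-void function that falls off its end yields an undefined value there,
 * so each stub now returns 0 explicitly.
 *
 * NOTE(review): read and exit share their names with the libc routines;
 * here they are local definitions, and this exit() returns to its caller.
 */
uint64_t read(char arr[24])
{
    (void)arr; /* the stub does not fill the buffer */
    return 0;
}

uint64_t writes()
{
    return 0;
}

uint64_t writef()
{
    return 0;
}

uint64_t exit()
{
    return 0;
}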
/*
 * Checker recovered from the IR by the substitutions listed earlier.
 * It reads 24 bytes into var11, transforms them into var22.key, builds a
 * second vector in var23.key (which also depends on the input through
 * var23.X), and compares the two vectors word by word. Each IR temporary
 * keeps its own C variable and the control flow is still labels and gotos.
 */
void main()
{
/* var11 is the input buffer; var22..var25 are the four exp aggregates. */
char var11[24];
struct exp var22, var23, var24, var25;
/* One uint64_t per IR temporary, temp0..temp399. */
register uint64_t temp0;
register uint64_t temp1;
register uint64_t temp2;
register uint64_t temp3;
register uint64_t temp4;
register uint64_t temp5;
register uint64_t temp6;
register uint64_t temp7;
register uint64_t temp8;
register uint64_t temp9;
register uint64_t temp10;
register uint64_t temp11;
register uint64_t temp12;
register uint64_t temp13;
register uint64_t temp14;
register uint64_t temp15;
register uint64_t temp16;
register uint64_t temp17;
register uint64_t temp18;
register uint64_t temp19;
register uint64_t temp20;
register uint64_t temp21;
register uint64_t temp22;
register uint64_t temp23;
register uint64_t temp24;
register uint64_t temp25;
register uint64_t temp26;
register uint64_t temp27;
register uint64_t temp28;
register uint64_t temp29;
register uint64_t temp30;
register uint64_t temp31;
register uint64_t temp32;
register uint64_t temp33;
register uint64_t temp34;
register uint64_t temp35;
register uint64_t temp36;
register uint64_t temp37;
register uint64_t temp38;
register uint64_t temp39;
register uint64_t temp40;
register uint64_t temp41;
register uint64_t temp42;
register uint64_t temp43;
register uint64_t temp44;
register uint64_t temp45;
register uint64_t temp46;
register uint64_t temp47;
register uint64_t temp48;
register uint64_t temp49;
register uint64_t temp50;
register uint64_t temp51;
register uint64_t temp52;
register uint64_t temp53;
register uint64_t temp54;
register uint64_t temp55;
register uint64_t temp56;
register uint64_t temp57;
register uint64_t temp58;
register uint64_t temp59;
register uint64_t temp60;
register uint64_t temp61;
register uint64_t temp62;
register uint64_t temp63;
register uint64_t temp64;
register uint64_t temp65;
register uint64_t temp66;
register uint64_t temp67;
register uint64_t temp68;
register uint64_t temp69;
register uint64_t temp70;
register uint64_t temp71;
register uint64_t temp72;
register uint64_t temp73;
register uint64_t temp74;
register uint64_t temp75;
register uint64_t temp76;
register uint64_t temp77;
register uint64_t temp78;
register uint64_t temp79;
register uint64_t temp80;
register uint64_t temp81;
register uint64_t temp82;
register uint64_t temp83;
register uint64_t temp84;
register uint64_t temp85;
register uint64_t temp86;
register uint64_t temp87;
register uint64_t temp88;
register uint64_t temp89;
register uint64_t temp90;
register uint64_t temp91;
register uint64_t temp92;
register uint64_t temp93;
register uint64_t temp94;
register uint64_t temp95;
register uint64_t temp96;
register uint64_t temp97;
register uint64_t temp98;
register uint64_t temp99;
register uint64_t temp100;
register uint64_t temp101;
register uint64_t temp102;
register uint64_t temp103;
register uint64_t temp104;
register uint64_t temp105;
register uint64_t temp106;
register uint64_t temp107;
register uint64_t temp108;
register uint64_t temp109;
register uint64_t temp110;
register uint64_t temp111;
register uint64_t temp112;
register uint64_t temp113;
register uint64_t temp114;
register uint64_t temp115;
register uint64_t temp116;
register uint64_t temp117;
register uint64_t temp118;
register uint64_t temp119;
register uint64_t temp120;
register uint64_t temp121;
register uint64_t temp122;
register uint64_t temp123;
register uint64_t temp124;
register uint64_t temp125;
register uint64_t temp126;
register uint64_t temp127;
register uint64_t temp128;
register uint64_t temp129;
register uint64_t temp130;
register uint64_t temp131;
register uint64_t temp132;
register uint64_t temp133;
register uint64_t temp134;
register uint64_t temp135;
register uint64_t temp136;
register uint64_t temp137;
register uint64_t temp138;
register uint64_t temp139;
register uint64_t temp140;
register uint64_t temp141;
register uint64_t temp142;
register uint64_t temp143;
register uint64_t temp144;
register uint64_t temp145;
register uint64_t temp146;
register uint64_t temp147;
register uint64_t temp148;
register uint64_t temp149;
register uint64_t temp150;
register uint64_t temp151;
register uint64_t temp152;
register uint64_t temp153;
register uint64_t temp154;
register uint64_t temp155;
register uint64_t temp156;
register uint64_t temp157;
register uint64_t temp158;
register uint64_t temp159;
register uint64_t temp160;
register uint64_t temp161;
register uint64_t temp162;
register uint64_t temp163;
register uint64_t temp164;
register uint64_t temp165;
register uint64_t temp166;
register uint64_t temp167;
register uint64_t temp168;
register uint64_t temp169;
register uint64_t temp170;
register uint64_t temp171;
register uint64_t temp172;
register uint64_t temp173;
register uint64_t temp174;
register uint64_t temp175;
register uint64_t temp176;
register uint64_t temp177;
register uint64_t temp178;
register uint64_t temp179;
register uint64_t temp180;
register uint64_t temp181;
register uint64_t temp182;
register uint64_t temp183;
register uint64_t temp184;
register uint64_t temp185;
register uint64_t temp186;
register uint64_t temp187;
register uint64_t temp188;
register uint64_t temp189;
register uint64_t temp190;
register uint64_t temp191;
register uint64_t temp192;
register uint64_t temp193;
register uint64_t temp194;
register uint64_t temp195;
register uint64_t temp196;
register uint64_t temp197;
register uint64_t temp198;
register uint64_t temp199;
register uint64_t temp200;
register uint64_t temp201;
register uint64_t temp202;
register uint64_t temp203;
register uint64_t temp204;
register uint64_t temp205;
register uint64_t temp206;
register uint64_t temp207;
register uint64_t temp208;
register uint64_t temp209;
register uint64_t temp210;
register uint64_t temp211;
register uint64_t temp212;
register uint64_t temp213;
register uint64_t temp214;
register uint64_t temp215;
register uint64_t temp216;
register uint64_t temp217;
register uint64_t temp218;
register uint64_t temp219;
register uint64_t temp220;
register uint64_t temp221;
register uint64_t temp222;
register uint64_t temp223;
register uint64_t temp224;
register uint64_t temp225;
register uint64_t temp226;
register uint64_t temp227;
register uint64_t temp228;
register uint64_t temp229;
register uint64_t temp230;
register uint64_t temp231;
register uint64_t temp232;
register uint64_t temp233;
register uint64_t temp234;
register uint64_t temp235;
register uint64_t temp236;
register uint64_t temp237;
register uint64_t temp238;
register uint64_t temp239;
register uint64_t temp240;
register uint64_t temp241;
register uint64_t temp242;
register uint64_t temp243;
register uint64_t temp244;
register uint64_t temp245;
register uint64_t temp246;
register uint64_t temp247;
register uint64_t temp248;
register uint64_t temp249;
register uint64_t temp250;
register uint64_t temp251;
register uint64_t temp252;
register uint64_t temp253;
register uint64_t temp254;
register uint64_t temp255;
register uint64_t temp256;
register uint64_t temp257;
register uint64_t temp258;
register uint64_t temp259;
register uint64_t temp260;
register uint64_t temp261;
register uint64_t temp262;
register uint64_t temp263;
register uint64_t temp264;
register uint64_t temp265;
register uint64_t temp266;
register uint64_t temp267;
register uint64_t temp268;
register uint64_t temp269;
register uint64_t temp270;
register uint64_t temp271;
register uint64_t temp272;
register uint64_t temp273;
register uint64_t temp274;
register uint64_t temp275;
register uint64_t temp276;
register uint64_t temp277;
register uint64_t temp278;
register uint64_t temp279;
register uint64_t temp280;
register uint64_t temp281;
register uint64_t temp282;
register uint64_t temp283;
register uint64_t temp284;
register uint64_t temp285;
register uint64_t temp286;
register uint64_t temp287;
register uint64_t temp288;
register uint64_t temp289;
register uint64_t temp290;
register uint64_t temp291;
register uint64_t temp292;
register uint64_t temp293;
register uint64_t temp294;
register uint64_t temp295;
register uint64_t temp296;
register uint64_t temp297;
register uint64_t temp298;
register uint64_t temp299;
register uint64_t temp300;
register uint64_t temp301;
register uint64_t temp302;
register uint64_t temp303;
register uint64_t temp304;
register uint64_t temp305;
register uint64_t temp306;
register uint64_t temp307;
register uint64_t temp308;
register uint64_t temp309;
register uint64_t temp310;
register uint64_t temp311;
register uint64_t temp312;
register uint64_t temp313;
register uint64_t temp314;
register uint64_t temp315;
register uint64_t temp316;
register uint64_t temp317;
register uint64_t temp318;
register uint64_t temp319;
register uint64_t temp320;
register uint64_t temp321;
register uint64_t temp322;
register uint64_t temp323;
register uint64_t temp324;
register uint64_t temp325;
register uint64_t temp326;
register uint64_t temp327;
register uint64_t temp328;
register uint64_t temp329;
register uint64_t temp330;
register uint64_t temp331;
register uint64_t temp332;
register uint64_t temp333;
register uint64_t temp334;
register uint64_t temp335;
register uint64_t temp336;
register uint64_t temp337;
register uint64_t temp338;
register uint64_t temp339;
register uint64_t temp340;
register uint64_t temp341;
register uint64_t temp342;
register uint64_t temp343;
register uint64_t temp344;
register uint64_t temp345;
register uint64_t temp346;
register uint64_t temp347;
register uint64_t temp348;
register uint64_t temp349;
register uint64_t temp350;
register uint64_t temp351;
register uint64_t temp352;
register uint64_t temp353;
register uint64_t temp354;
register uint64_t temp355;
register uint64_t temp356;
register uint64_t temp357;
register uint64_t temp358;
register uint64_t temp359;
register uint64_t temp360;
register uint64_t temp361;
register uint64_t temp362;
register uint64_t temp363;
register uint64_t temp364;
register uint64_t temp365;
register uint64_t temp366;
register uint64_t temp367;
register uint64_t temp368;
register uint64_t temp369;
register uint64_t temp370;
register uint64_t temp371;
register uint64_t temp372;
register uint64_t temp373;
register uint64_t temp374;
register uint64_t temp375;
register uint64_t temp376;
register uint64_t temp377;
register uint64_t temp378;
register uint64_t temp379;
register uint64_t temp380;
register uint64_t temp381;
register uint64_t temp382;
register uint64_t temp383;
register uint64_t temp384;
register uint64_t temp385;
register uint64_t temp386;
register uint64_t temp387;
register uint64_t temp388;
register uint64_t temp389;
register uint64_t temp390;
register uint64_t temp391;
register uint64_t temp392;
register uint64_t temp393;
register uint64_t temp394;
register uint64_t temp395;
register uint64_t temp396;
register uint64_t temp397;
register uint64_t temp398;
register uint64_t temp399;
/* IR scalars. var15 is the loop counter of every loop below. */
register uint64_t var0;
register uint64_t var1;
register uint64_t var2;
register uint64_t var3;
register uint64_t var4;
register uint64_t var5;
register uint64_t var6;
register uint64_t var7;
register uint64_t var8;
register uint64_t var9;
register uint64_t var10;
register uint64_t var12;
register uint64_t var13;
register uint64_t var14;
register uint64_t var15;
register uint64_t var16;
register uint64_t var17;
register uint64_t var18;
register uint64_t var19;
register uint64_t var20;
register uint64_t var21;
register uint64_t var26;
register uint64_t var27;
register uint64_t var28;
register uint64_t var29;
/* Read the input into var11; temp1 is not referenced again. */
temp1 = read(var11);
/* Loop var15 = 0..23: var22.key[23 - var15] = var11[var15] (reversed copy). */
temp2 = 0;
var15 = temp2;
label4:
temp4 = 24;
if (var15 < temp4)
goto label3;
goto label2;
label3:
temp5 = 0;
var12 = temp5;
var16 = var15;
var12 = var11[var16];
temp6 = 23;
temp7 = temp6 - var15;
var18 = temp7;
var22.key[var18] = var12;
temp3 = 1;
var15 = var15 + temp3;
goto label4;
label2:
/*
 * Loop var15 = 23 down to 1: key[var15] -= key[var15 - 1]. Walking from the
 * top means each step still sees the unmodified lower neighbour.
 */
temp8 = 23;
var15 = temp8;
label11:
temp10 = 0;
if (var15 > temp10)
goto label10;
goto label9;
label10:
var18 = var15;
var19 = var22.key[var18];
temp11 = 1;
temp12 = var15 - temp11;
var16 = temp12;
var17 = var22.key[var16];
temp13 = var19 - var17;
var21 = temp13;
var22.key[var15] = var21;
temp9 = 1;
var15 = var15 - temp9;
goto label11;
label9:
/*
 * Fill var22.L / var22.R / var22.X. Negative deltas are built as 0 - n,
 * which wraps around in uint64_t.
 */
temp15 = 0;
var22.L[0] = temp15;
temp17 = 8;
var22.R[0] = temp17;
temp19 = 11;
var22.X[0] = temp19;
temp21 = 15;
var22.L[1] = temp21;
temp23 = 23;
var22.R[1] = temp23;
temp25 = 0;
temp26 = 13;
temp27 = temp25 - temp26;
var22.X[1] = temp27;
temp29 = 2;
var22.L[2] = temp29;
temp31 = 11;
var22.R[2] = temp31;
temp33 = 17;
var22.X[2] = temp33;
temp35 = 10;
var22.L[3] = temp35;
temp37 = 20;
var22.R[3] = temp37;
temp39 = 0;
temp40 = 19;
temp41 = temp39 - temp40;
var22.X[3] = temp41;
temp43 = 6;
var22.L[4] = temp43;
temp45 = 13;
var22.R[4] = temp45;
temp47 = 23;
var22.X[4] = temp47;
temp49 = 9;
var22.L[5] = temp49;
temp51 = 21;
var22.R[5] = temp51;
temp53 = 0;
temp54 = 29;
temp55 = temp53 - temp54;
var22.X[5] = temp55;
temp57 = 1;
var22.L[6] = temp57;
temp59 = 19;
var22.R[6] = temp59;
temp61 = 31;
var22.X[6] = temp61;
temp63 = 4;
var22.L[7] = temp63;
temp65 = 17;
var22.R[7] = temp65;
temp67 = 0;
temp68 = 37;
temp69 = temp67 - temp68;
var22.X[7] = temp69;
/* Loop var15 = 0..7: key[L[var15]] += X[var15]; key[R[var15]] -= X[var15]. */
temp70 = 0;
var15 = temp70;
label43:
temp72 = 8;
if (var15 < temp72)
goto label42;
goto label41;
label42:
var16 = var22.L[var15];
var18 = var22.R[var15];
var20 = var22.X[var15];
var17 = var22.key[var16];
var19 = var22.key[var18];
var17 = var17 + var20;
var19 = var19 - var20;
var22.key[var16] = var17;
var22.key[var18] = var19;
temp71 = 1;
var15 = var15 + temp71;
goto label43;
label41:
/* Loop var15 = 1..23: key[var15] += key[var15 - 1] (running sum). */
temp75 = 1;
var15 = temp75;
label54:
temp77 = 24;
if (var15 < temp77)
goto label53;
goto label52;
label53:
var17 = var22.key[var15];
temp78 = 1;
temp79 = var15 - temp78;
var16 = temp79;
var20 = var22.key[var16];
var17 = var17 + var20;
var22.key[var15] = var17;
temp76 = 1;
var15 = var15 + temp76;
goto label54;
label52:
/*
 * Loop var15 = 0..22: var13 is loaded from key[var15 + 1] and then
 * overwritten with 0, so the XOR writes key[var15] back unchanged.
 */
temp81 = 0;
var15 = temp81;
label61:
temp83 = 23;
if (var15 < temp83)
goto label60;
goto label59;
label60:
var16 = var15;
var12 = var22.key[var16];
temp84 = 1;
temp85 = var15 + temp84;
var18 = temp85;
var13 = var22.key[var18];
temp86 = 0;
var13 = temp86;
temp87 = var12 ^ var13;
var14 = temp87;
var22.key[var16] = var14;
temp82 = 1;
var15 = var15 + temp82;
goto label61;
label59:
/* Constant tables and key for var24; nothing here depends on the input. */
temp89 = 0;
var24.L[0] = temp89;
temp91 = 12;
var24.R[0] = temp91;
temp93 = 0;
temp94 = 19;
temp95 = temp93 - temp94;
var24.X[0] = temp95;
temp97 = 9;
var24.L[1] = temp97;
temp99 = 10;
var24.R[1] = temp99;
temp101 = 0;
temp102 = 10;
temp103 = temp101 - temp102;
var24.X[1] = temp103;
temp105 = 9;
var24.L[2] = temp105;
temp107 = 12;
var24.R[2] = temp107;
temp109 = 3;
var24.X[2] = temp109;
temp111 = 8;
var24.L[3] = temp111;
temp113 = 19;
var24.R[3] = temp113;
temp115 = 0;
temp116 = 11;
temp117 = temp115 - temp116;
var24.X[3] = temp117;
temp119 = 10;
var24.L[4] = temp119;
temp121 = 12;
var24.R[4] = temp121;
temp123 = 0;
temp124 = 9;
temp125 = temp123 - temp124;
var24.X[4] = temp125;
temp127 = 9;
var24.L[5] = temp127;
temp129 = 13;
var24.R[5] = temp129;
temp131 = 3;
var24.X[5] = temp131;
temp133 = 1;
var24.L[6] = temp133;
temp135 = 22;
var24.R[6] = temp135;
temp137 = 0;
temp138 = 19;
temp139 = temp137 - temp138;
var24.X[6] = temp139;
temp141 = 0;
var24.L[7] = temp141;
temp143 = 23;
var24.R[7] = temp143;
temp145 = 7;
var24.X[7] = temp145;
temp147 = 12;
var24.key[0] = temp147;
temp149 = 31;
var24.key[1] = temp149;
temp151 = 31;
var24.key[2] = temp151;
temp153 = 31;
var24.key[3] = temp153;
temp155 = 31;
var24.key[4] = temp155;
temp157 = 31;
var24.key[5] = temp157;
temp159 = 31;
var24.key[6] = temp159;
temp161 = 31;
var24.key[7] = temp161;
temp163 = 42;
var24.key[8] = temp163;
temp165 = 46;
var24.key[9] = temp165;
temp167 = 45;
var24.key[10] = temp167;
temp169 = 45;
var24.key[11] = temp169;
temp171 = 20;
var24.key[12] = temp171;
temp173 = 23;
var24.key[13] = temp173;
temp175 = 23;
var24.key[14] = temp175;
temp177 = 23;
var24.key[15] = temp177;
temp179 = 23;
var24.key[16] = temp179;
temp181 = 23;
var24.key[17] = temp181;
temp183 = 23;
var24.key[18] = temp183;
temp185 = 12;
var24.key[19] = temp185;
temp187 = 12;
var24.key[20] = temp187;
temp189 = 12;
var24.key[21] = temp189;
temp191 = 0;
temp192 = 7;
temp193 = temp191 - temp192;
var24.key[22] = temp193;
temp195 = 0;
var24.key[23] = temp195;
/* Same three passes as for var22, applied to var24: difference ... */
temp196 = 23;
var15 = temp196;
label118:
temp198 = 0;
if (var15 > temp198)
goto label117;
goto label116;
label117:
var18 = var15;
var19 = var24.key[var18];
temp199 = 1;
temp200 = var15 - temp199;
var16 = temp200;
var17 = var24.key[var16];
temp201 = var19 - var17;
var21 = temp201;
var24.key[var15] = var21;
temp197 = 1;
var15 = var15 - temp197;
goto label118;
label116:
/* ... add X at L[var15] and subtract it at R[var15] ... */
temp202 = 0;
var15 = temp202;
label126:
temp204 = 8;
if (var15 < temp204)
goto label125;
goto label124;
label125:
var16 = var24.L[var15];
var18 = var24.R[var15];
var20 = var24.X[var15];
var17 = var24.key[var16];
var19 = var24.key[var18];
var17 = var17 + var20;
var19 = var19 - var20;
var24.key[var16] = var17;
var24.key[var18] = var19;
temp203 = 1;
var15 = var15 + temp203;
goto label126;
label124:
/* ... and running sum. */
temp207 = 1;
var15 = temp207;
label137:
temp209 = 24;
if (var15 < temp209)
goto label136;
goto label135;
label136:
var17 = var24.key[var15];
temp210 = 1;
temp211 = var15 - temp210;
var16 = temp211;
var20 = var24.key[var16];
var17 = var17 + var20;
var24.key[var15] = var17;
temp208 = 1;
var15 = var15 + temp208;
goto label137;
label135:
/* Constant starting values for var23.key. */
temp214 = 252;
var23.key[0] = temp214;
temp216 = 352;
var23.key[1] = temp216;
temp218 = 484;
var23.key[2] = temp218;
temp220 = 470;
var23.key[3] = temp220;
temp222 = 496;
var23.key[4] = temp222;
temp224 = 487;
var23.key[5] = temp224;
temp226 = 539;
var23.key[6] = temp226;
temp228 = 585;
var23.key[7] = temp228;
temp230 = 447;
var23.key[8] = temp230;
temp232 = 474;
var23.key[9] = temp232;
temp234 = 577;
var23.key[10] = temp234;
temp236 = 454;
var23.key[11] = temp236;
temp238 = 466;
var23.key[12] = temp238;
temp240 = 345;
var23.key[13] = temp240;
temp242 = 344;
var23.key[14] = temp242;
temp244 = 486;
var23.key[15] = temp244;
temp246 = 501;
var23.key[16] = temp246;
temp248 = 423;
var23.key[17] = temp248;
temp250 = 490;
var23.key[18] = temp250;
temp252 = 375;
var23.key[19] = temp252;
temp254 = 257;
var23.key[20] = temp254;
temp256 = 203;
var23.key[21] = temp256;
temp258 = 265;
var23.key[22] = temp258;
temp260 = 125;
var23.key[23] = temp260;
/* Loop var15 = 0..23: var23.key[var15] ^= var24.key[var15]. */
temp261 = 0;
var15 = temp261;
label168:
temp263 = 24;
if (var15 < temp263)
goto label167;
goto label166;
label167:
var16 = var15;
var17 = var23.key[var16];
var18 = var15;
var19 = var24.key[var18];
temp264 = var17 ^ var19;
var21 = temp264;
var23.key[var15] = var21;
temp262 = 1;
var15 = var15 + temp262;
goto label168;
label166:
/*
 * Loop var15 = 0..7: var23.X[var15] = var22.key[3 * var15] (temp269 is
 * var15 added three times). This is where the transformed input enters
 * the vector it is later compared against.
 */
temp265 = 0;
var15 = temp265;
label176:
temp267 = 8;
if (var15 < temp267)
goto label175;
goto label174;
label175:
temp268 = var15 + var15;
temp269 = temp268 + var15;
var16 = temp269;
var17 = var22.key[var16];
var23.X[var15] = var17;
temp266 = 1;
var15 = var15 + temp266;
goto label176;
label174:
/* Difference pass over var23.key, from index 23 down to 1. */
temp270 = 23;
var15 = temp270;
label181:
temp272 = 0;
if (var15 > temp272)
goto label180;
goto label179;
label180:
var18 = var15;
var19 = var23.key[var18];
var16 = var15;
temp273 = 1;
var16 = var16 - temp273;
var17 = var23.key[var16];
temp275 = var19 - var17;
var21 = temp275;
var23.key[var15] = var21;
temp271 = 1;
var15 = var15 - temp271;
goto label181;
label179:
/*
 * Loop var15 = 0..7 with var22's index tables and var23's deltas, signs
 * opposite to the var22 pass: key[L] -= X, key[R] += X.
 */
temp276 = 0;
var15 = temp276;
label190:
temp278 = 8;
if (var15 < temp278)
goto label189;
goto label188;
label189:
var16 = var22.L[var15];
var18 = var22.R[var15];
var20 = var23.X[var15];
var17 = var23.key[var16];
var19 = var23.key[var18];
var17 = var17 - var20;
var19 = var19 + var20;
var23.key[var16] = var17;
var23.key[var18] = var19;
temp277 = 1;
var15 = var15 + temp277;
goto label190;
label188:
/* Running sum over var23.key. */
temp281 = 1;
var15 = temp281;
label201:
temp283 = 24;
if (var15 < temp283)
goto label200;
goto label199;
label200:
var17 = var23.key[var15];
temp284 = 1;
temp285 = var15 - temp284;
var16 = temp285;
var20 = var23.key[var16];
var17 = var17 + var20;
var23.key[var15] = var17;
temp282 = 1;
var15 = var15 + temp282;
goto label201;
label199:
/*
 * var25 is built from here to label281, but the final comparison reads only
 * var22.key and var23.key, so none of it affects the result.
 * Loop var15 = 0..6: var25.L[var15] = var22.L[var15] ^ var22.L[var15 + 1],
 * clamped to 23 when larger.
 */
temp287 = 0;
var15 = temp287;
label208:
temp289 = 7;
if (var15 < temp289)
goto label207;
goto label206;
label207:
var16 = var15;
var17 = var22.L[var16];
temp290 = 1;
temp291 = var15 + temp290;
var18 = temp291;
var19 = var22.L[var18];
temp292 = var17 ^ var19;
var21 = temp292;
temp293 = 23;
if (var21 > temp293)
goto label215;
goto label214;
label215:
temp294 = 23;
var21 = temp294;
label214:
var25.L[var15] = var21;
temp288 = 1;
var15 = var15 + temp288;
goto label208;
label206:
temp296 = 0;
var25.L[7] = temp296;
/* Same construction for var25.R from var22.R, again clamped to 23. */
temp297 = 0;
var15 = temp297;
label219:
temp299 = 7;
if (var15 < temp299)
goto label218;
goto label217;
label218:
var16 = var15;
var17 = var22.R[var16];
temp300 = 1;
temp301 = var15 + temp300;
var18 = temp301;
var19 = var22.R[var18];
temp302 = var17 ^ var19;
var21 = temp302;
temp303 = 23;
if (var21 > temp303)
goto label226;
goto label225;
label226:
temp304 = 23;
var21 = temp304;
label225:
var25.R[var15] = var21;
temp298 = 1;
var15 = var15 + temp298;
goto label219;
label217:
temp306 = 23;
var25.R[7] = temp306;
/* var25.X[var15] = var22.X[var15] ^ var22.X[var15 + 1], without a clamp. */
temp307 = 0;
var15 = temp307;
label230:
temp309 = 7;
if (var15 < temp309)
goto label229;
goto label228;
label229:
var16 = var15;
var17 = var22.X[var16];
temp310 = 1;
temp311 = var15 + temp310;
var18 = temp311;
var19 = var22.X[var18];
temp312 = var17 ^ var19;
var21 = temp312;
var25.X[var15] = var21;
temp308 = 1;
var15 = var15 + temp308;
goto label230;
label228:
temp314 = 12;
var25.X[7] = temp314;
temp316 = 127;
var25.key[0] = temp316;
temp318 = 111;
var25.key[1] = temp318;
temp320 = 188;
var25.key[2] = temp320;
temp322 = 174;
var25.key[3] = temp322;
temp324 = 195;
var25.key[4] = temp324;
temp326 = 128;
var25.key[5] = temp326;
temp328 = 88;
var25.key[6] = temp328;
temp330 = 121;
var25.key[7] = temp330;
temp332 = 123;
var25.key[8] = temp332;
temp334 = 103;
var25.key[9] = temp334;
temp336 = 57;
var25.key[10] = temp336;
temp338 = 123;
var25.key[11] = temp338;
temp340 = 97;
var25.key[12] = temp340;
temp342 = 74;
var25.key[13] = temp342;
temp344 = 37;
var25.key[14] = temp344;
temp346 = 59;
var25.key[15] = temp346;
temp348 = 21;
var25.key[16] = temp348;
temp350 = 47;
var25.key[17] = temp350;
temp352 = 54;
var25.key[18] = temp352;
temp354 = 28;
var25.key[19] = temp354;
temp356 = 49;
var25.key[20] = temp356;
temp358 = 55;
var25.key[21] = temp358;
/* var1 is never assigned in this function, so this stores an uninitialised value. */
var25.key[22] = var1;
temp361 = 125;
var25.key[23] = temp361;
/* Difference pass over var25.key. */
temp362 = 23;
var15 = temp362;
label263:
temp364 = 0;
if (var15 > temp364)
goto label262;
goto label261;
label262:
var18 = var15;
var19 = var25.key[var18];
var16 = var15;
temp365 = 1;
var16 = var16 - temp365;
var17 = var25.key[var16];
temp367 = var19 - var17;
var21 = temp367;
var25.key[var15] = var21;
temp363 = 1;
var15 = var15 - temp363;
goto label263;
label261:
/* key[L] -= X, key[R] += X with var25's own tables. */
temp368 = 0;
var15 = temp368;
label272:
temp370 = 8;
if (var15 < temp370)
goto label271;
goto label270;
label271:
var16 = var25.L[var15];
var18 = var25.R[var15];
var20 = var25.X[var15];
var17 = var25.key[var16];
var19 = var25.key[var18];
var17 = var17 - var20;
var19 = var19 + var20;
var25.key[var16] = var17;
var25.key[var18] = var19;
temp369 = 1;
var15 = var15 + temp369;
goto label272;
label270:
/* Running sum over var25.key. */
temp373 = 1;
var15 = temp373;
label283:
temp375 = 24;
if (var15 < temp375)
goto label282;
goto label281;
label282:
var17 = var25.key[var15];
temp376 = 1;
temp377 = var15 - temp376;
var16 = temp377;
var20 = var25.key[var16];
var17 = var17 + var20;
var25.key[var15] = var17;
temp374 = 1;
var15 = var15 + temp374;
goto label283;
label281:
/*
 * Final check, var15 = 0..23: var22.key[var15] must equal
 * var23.key[var15]. A mismatch calls writef() and exit(); exit() in this
 * listing is the local stub, which returns, so control falls through to
 * label297 and the loop carries on.
 */
temp379 = 0;
var12 = temp379;
temp380 = 0;
var13 = temp380;
temp381 = 0;
var15 = temp381;
label292:
temp382 = 24;
if (var15 < temp382)
goto label291;
goto label290;
label291:
var16 = var15;
var12 = var22.key[var15];
var18 = var15;
var13 = var23.key[var18];
if (var13 != var12)
goto label298;
goto label297;
label298:
temp383 = writef();
temp384 = exit();
label297:
temp385 = 1;
temp386 = var15 + temp385;
var15 = temp386;
goto label292;
label290:
/* Reached once the loop has run through all 24 positions. */
temp387 = writes();
temp388 = exit();
}
直接编译即可，别开 O3 优化，否则代码会被优化没
然后ida识别 建结构体
// Decompiler output for the compiled listing, after the exp structure has
// been applied to the four stack objects (var22..var25). It shows the same
// steps as the goto listing, folded back into for loops.
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
// v3..v16 and the loop counters share a handful of stack slots; the
// decompiler gives each use its own name.
unsigned __int64 v3; // [rsp+28h] [rbp-1348h]
unsigned __int64 v4; // [rsp+28h] [rbp-1348h]
__int64 v5; // [rsp+30h] [rbp-1340h]
__int64 v6; // [rsp+30h] [rbp-1340h]
__int64 v7; // [rsp+30h] [rbp-1340h]
__int64 v8; // [rsp+30h] [rbp-1340h]
__int64 v9; // [rsp+38h] [rbp-1338h]
__int64 v10; // [rsp+38h] [rbp-1338h]
__int64 v11; // [rsp+38h] [rbp-1338h]
__int64 v12; // [rsp+38h] [rbp-1338h]
__int64 v13; // [rsp+40h] [rbp-1330h]
__int64 v14; // [rsp+40h] [rbp-1330h]
__int64 v15; // [rsp+40h] [rbp-1330h]
__int64 v16; // [rsp+40h] [rbp-1330h]
unsigned __int64 i; // [rsp+58h] [rbp-1318h]
__int64 j; // [rsp+58h] [rbp-1318h]
unsigned __int64 k; // [rsp+58h] [rbp-1318h]
unsigned __int64 m; // [rsp+58h] [rbp-1318h]
unsigned __int64 n; // [rsp+58h] [rbp-1318h]
__int64 ii; // [rsp+58h] [rbp-1318h]
unsigned __int64 jj; // [rsp+58h] [rbp-1318h]
unsigned __int64 kk; // [rsp+58h] [rbp-1318h]
unsigned __int64 mm; // [rsp+58h] [rbp-1318h]
unsigned __int64 nn; // [rsp+58h] [rbp-1318h]
__int64 i1; // [rsp+58h] [rbp-1318h]
unsigned __int64 i2; // [rsp+58h] [rbp-1318h]
unsigned __int64 i3; // [rsp+58h] [rbp-1318h]
unsigned __int64 i4; // [rsp+58h] [rbp-1318h]
unsigned __int64 i5; // [rsp+58h] [rbp-1318h]
unsigned __int64 i6; // [rsp+58h] [rbp-1318h]
__int64 i7; // [rsp+58h] [rbp-1318h]
unsigned __int64 i8; // [rsp+58h] [rbp-1318h]
unsigned __int64 i9; // [rsp+58h] [rbp-1318h]
unsigned __int64 i10; // [rsp+58h] [rbp-1318h]
char v37; // [rsp+C0h] [rbp-12B0h]
exp var25; // [rsp+D50h] [rbp-620h]
exp var24; // [rsp+ED0h] [rbp-4A0h]
exp var23; // [rsp+1050h] [rbp-320h]
exp var22; // [rsp+11D0h] [rbp-1A0h]
char flag[32]; // [rsp+1350h] [rbp-20h] BYREF
// read() takes one argument in the C listing; argv and envp here are
// presumably leftover register contents picked up by the decompiler.
read(flag, argv, envp);
// Input is stored reversed, one byte per 64-bit word.
for ( i = 0LL; i < 0x18; ++i )
var22.key[23 - i] = flag[i];
// Difference pass, top index first.
for ( j = 23LL; j; --j )
var22.key[j] -= var22.key[j - 1];
var22.L[0] = 0LL;
var22.R[0] = 8LL;
var22.X[0] = 11LL;
var22.L[1] = 15LL;
var22.R[1] = 23LL;
var22.X[1] = -13LL;
var22.L[2] = 2LL;
var22.R[2] = 11LL;
var22.X[2] = 17LL;
var22.L[3] = 10LL;
var22.R[3] = 20LL;
var22.X[3] = -19LL;
var22.L[4] = 6LL;
var22.R[4] = 13LL;
var22.X[4] = 23LL;
var22.L[5] = 9LL;
var22.R[5] = 21LL;
var22.X[5] = -29LL;
var22.L[6] = 1LL;
var22.R[6] = 19LL;
var22.X[6] = 31LL;
var22.L[7] = 4LL;
var22.R[7] = 17LL;
var22.X[7] = -37LL;
// key[L[k]] += X[k]; key[R[k]] -= X[k].
for ( k = 0LL; k < 8; ++k )
{
v13 = var22.R[k];
v5 = var22.X[k];
v9 = var22.key[v13] - v5;
var22.key[var22.L[k]] += v5;
var22.key[v13] = v9;
}
// Running sum.
for ( m = 1LL; m < 0x18; ++m )
var22.key[m] += var22.key[m - 1];
// Self-assignment: the XOR-with-zero loop of the C listing.
for ( n = 0LL; n < 0x17; ++n )
var22.key[n] = var22.key[n];
var24.L[0] = 0LL;
var24.R[0] = 12LL;
var24.X[0] = -19LL;
var24.L[1] = 9LL;
var24.R[1] = 10LL;
var24.X[1] = -10LL;
var24.L[2] = 9LL;
var24.R[2] = 12LL;
var24.X[2] = 3LL;
var24.L[3] = 8LL;
var24.R[3] = 19LL;
var24.X[3] = -11LL;
var24.L[4] = 10LL;
var24.R[4] = 12LL;
var24.X[4] = -9LL;
var24.L[5] = 9LL;
var24.R[5] = 13LL;
var24.X[5] = 3LL;
var24.L[6] = 1LL;
var24.R[6] = 22LL;
var24.X[6] = -19LL;
var24.L[7] = 0LL;
var24.R[7] = 23LL;
var24.X[7] = 7LL;
var24.key[0] = 12LL;
var24.key[1] = 31LL;
var24.key[2] = 31LL;
var24.key[3] = 31LL;
var24.key[4] = 31LL;
var24.key[5] = 31LL;
var24.key[6] = 31LL;
var24.key[7] = 31LL;
var24.key[8] = 42LL;
var24.key[9] = 46LL;
var24.key[10] = 45LL;
var24.key[11] = 45LL;
var24.key[12] = 20LL;
var24.key[13] = 23LL;
var24.key[14] = 23LL;
var24.key[15] = 23LL;
var24.key[16] = 23LL;
var24.key[17] = 23LL;
var24.key[18] = 23LL;
var24.key[19] = 12LL;
var24.key[20] = 12LL;
var24.key[21] = 12LL;
var24.key[22] = -7LL;
var24.key[23] = 0LL;
// The same three passes over var24's constants.
for ( ii = 23LL; ii; --ii )
var24.key[ii] -= var24.key[ii - 1];
for ( jj = 0LL; jj < 8; ++jj )
{
v14 = var24.R[jj];
v6 = var24.X[jj];
v10 = var24.key[v14] - v6;
var24.key[var24.L[jj]] += v6;
var24.key[v14] = v10;
}
for ( kk = 1LL; kk < 0x18; ++kk )
var24.key[kk] += var24.key[kk - 1];
var23.key[0] = 252LL;
var23.key[1] = 352LL;
var23.key[2] = 484LL;
var23.key[3] = 470LL;
var23.key[4] = 496LL;
var23.key[5] = 487LL;
var23.key[6] = 539LL;
var23.key[7] = 585LL;
var23.key[8] = 447LL;
var23.key[9] = 474LL;
var23.key[10] = 577LL;
var23.key[11] = 454LL;
var23.key[12] = 466LL;
var23.key[13] = 345LL;
var23.key[14] = 344LL;
var23.key[15] = 486LL;
var23.key[16] = 501LL;
var23.key[17] = 423LL;
var23.key[18] = 490LL;
var23.key[19] = 375LL;
var23.key[20] = 257LL;
var23.key[21] = 203LL;
var23.key[22] = 265LL;
var23.key[23] = 125LL;
// Mask the constants with the processed var24 vector.
for ( mm = 0LL; mm < 0x18; ++mm )
var23.key[mm] ^= var24.key[mm];
// The deltas for var23 come from every third word of the transformed input.
for ( nn = 0LL; nn < 8; ++nn )
var23.X[nn] = var22.key[3 * nn];
for ( i1 = 23LL; i1; --i1 )
var23.key[i1] -= var23.key[i1 - 1];
// var22's index tables with the signs reversed: key[L] -= X, key[R] += X.
for ( i2 = 0LL; i2 < 8; ++i2 )
{
v15 = var22.R[i2];
v7 = var23.X[i2];
v11 = v7 + var23.key[v15];
var23.key[var22.L[i2]] -= v7;
var23.key[v15] = v11;
}
for ( i3 = 1LL; i3 < 0x18; ++i3 )
var23.key[i3] += var23.key[i3 - 1];
// var25 is built below but never read by the comparison at the end.
for ( i4 = 0LL; i4 < 7; ++i4 )
{
// R[i4 - 7] is the decompiler's spelling of L[i4 + 1]: L[8] and R[8] are
// adjacent in exp, and the C listing reads var22.L[var15 + 1] here.
v3 = var22.R[i4 - 7] ^ var22.L[i4];
if ( v3 > 0x17 )
v3 = 23LL;
var25.L[i4] = v3;
}
var25.L[7] = 0LL;
for ( i5 = 0LL; i5 < 7; ++i5 )
{
// Likewise X[i5 - 7] is R[i5 + 1].
v4 = var22.X[i5 - 7] ^ var22.R[i5];
if ( v4 > 0x17 )
v4 = 23LL;
var25.R[i5] = v4;
}
var25.R[7] = 23LL;
for ( i6 = 0LL; i6 < 7; ++i6 )
var25.X[i6] = var22.X[i6 + 1] ^ var22.X[i6];
var25.X[7] = 12LL;
var25.key[0] = 127LL;
var25.key[1] = 111LL;
var25.key[2] = 188LL;
var25.key[3] = 174LL;
var25.key[4] = 195LL;
var25.key[5] = 128LL;
var25.key[6] = 88LL;
var25.key[7] = 121LL;
var25.key[8] = 123LL;
var25.key[9] = 103LL;
var25.key[10] = 57LL;
var25.key[11] = 123LL;
var25.key[12] = 97LL;
var25.key[13] = 74LL;
var25.key[14] = 37LL;
var25.key[15] = 59LL;
var25.key[16] = 21LL;
var25.key[17] = 47LL;
var25.key[18] = 54LL;
var25.key[19] = 28LL;
var25.key[20] = 49LL;
var25.key[21] = 0x37LL;
// v37 is never written in this listing; the C listing stores the
// unassigned var1 at this position.
var25.key[22] = *(_QWORD *)&v37;
var25.key[23] = 0x7DLL;
for ( i7 = 23LL; i7; --i7 )
var25.key[i7] -= var25.key[i7 - 1];
for ( i8 = 0LL; i8 < 8; ++i8 )
{
v16 = var25.R[i8];
v8 = var25.X[i8];
v12 = v8 + var25.key[v16];
var25.key[var25.L[i8]] -= v8;
var25.key[v16] = v12;
}
for ( i9 = 1LL; i9 < 0x18; ++i9 )
var25.key[i9] += var25.key[i9 - 1];
// Acceptance test: all 24 words of var23.key must equal var22.key.
for ( i10 = 0LL; i10 < 0x18; ++i10 )
{
if ( var23.key[i10] != var22.key[i10] )
{
writef();
exit();
}
}
writes();
exit();
}
然后z3解即可
偷一份
from z3 import *
class exp:
    """Python stand-in for the C ``exp`` struct used by the checker.

    ``key`` holds 24 slots and ``L``, ``R`` and ``X`` hold 8 each, all
    starting at zero; every attribute is its own list object.
    """

    def __init__(self):
        self.key = [0 for _ in range(24)]
        # Three independent 8-element lists, one per table.
        self.L, self.R, self.X = ([0] * 8 for _ in range(3))
# Symbolic replay of the checker: run the same passes over 24 unknown bytes,
# build the comparison vector, and ask the solver for bytes that make both
# vectors equal.
#
# NOTE(review): the unknowns are 8 bits wide, so all arithmetic here wraps
# modulo 256, while the C listing works on uint64_t -- confirm the extra
# width cannot matter for this checker.
# NOTE(review): the decompiled listing stores the input as
# var22.key[23 - i] = flag[i]; this model uses key[i] = flag[i] -- confirm
# which order the real read() fills the buffer in.


def _adjacent_differences(values):
    """Return values[0] followed by values[i] - values[i - 1] for i >= 1."""
    return values[:1] + [cur - prev for prev, cur in zip(values, values[1:])]


def _running_totals(values):
    """Return the running sums of values, each step being element + total."""
    totals = values[:1]
    for element in values[1:]:
        totals.append(element + totals[-1])
    return totals


# --- var22: the transformed input -----------------------------------------
var22 = exp()
flag = [BitVec(f"flag[{i}]", 8) for i in range(24)]
var22.key = _adjacent_differences(list(flag))
var22.L = [0, 15, 2, 10, 6, 9, 1, 4]
var22.R = [8, 23, 11, 20, 13, 21, 19, 17]
var22.X = [11, -13, 17, -19, 23, -29, 31, -37]
for lo, hi, delta in zip(var22.L, var22.R, var22.X):
    var22.key[lo] += delta
    var22.key[hi] -= delta
var22.key = _running_totals(var22.key)

# --- var24: constant mask, same three passes over plain integers -----------
var24 = exp()
var24.key = _adjacent_differences(
    [12, 31, 31, 31, 31, 31, 31, 31, 42, 46, 45, 45, 20, 23, 23, 23, 23, 23, 23, 12, 12, 12, -7, 0]
)
var24.L = [0, 9, 9, 8, 10, 9, 1, 0]
var24.R = [12, 10, 12, 19, 12, 13, 22, 23]
var24.X = [-19, -10, 3, -11, -9, 3, -19, 7]
for lo, hi, delta in zip(var24.L, var24.R, var24.X):
    var24.key[lo] += delta
    var24.key[hi] -= delta
var24.key = _running_totals(var24.key)

# --- var23: the vector the transformed input is compared against ----------
var23 = exp()
var23.key = [252, 352, 484, 470, 496, 487, 539, 585, 447, 474, 577, 454, 466, 345, 344, 486, 501, 423, 490, 375, 257,
             203, 265, 125]
var23.key = [word ^ mask for word, mask in zip(var23.key, var24.key)]
# Every third word of var22.key (indices 0, 3, ..., 21) becomes a delta.
var23.X = var22.key[::3]
var23.key = _adjacent_differences(var23.key)
# Uses var22's index tables, with the signs opposite to the var22 pass.
for lo, hi, delta in zip(var22.L, var22.R, var23.X):
    var23.key[lo] -= delta
    var23.key[hi] += delta
var23.key = _running_totals(var23.key)

# --- solve ----------------------------------------------------------------
s = Solver()
for expected, actual, byte in zip(var23.key, var22.key, flag):
    s.add(expected == actual)
    # > and < on bit-vectors are signed comparisons; this keeps each byte
    # in 0x01..0x7e.
    s.add(byte > 0)
    s.add(byte < 0x7f)
print(s.check())
r = s.model()
print(r)
print("".join(chr(r[byte].as_long()) for byte in flag), end="")
sctf{r5cbsumyqpjy0stc7u}
Digital_circuit_learning
stm32固件逆向
参照[原创]固件安全之加载地址分析-智能设备-看雪-安全社区|安全招聘|kanxue.com
[原创]一个简单的STM32固件分析-智能设备-看雪-安全社区|安全招聘|kanxue.com
这里使用binaryninja
设置基址0x8000000
memory map设置
通过字符串找到main
逻辑就是接受输入 检测flag头 然后strcpy复制走去掉flag{}的那部分
然后hex2int得到10位int
然后
赋值到input中
给一堆东西赋予初值
然后encode
前面都是没啥用的函数
最后走一个调用
call的定义如下
func记录要调用的函数
value记录那一位flag
但是ptr是空的,查找在哪赋值
交叉引用未果
从start函数开始跟
start即为0x4的值
bd8没啥玩的
570中将地址当函数用了 uint32_t
直接跳转过去
调用了0x3和0x7处的函数,参数就是函数前面的三个值
分析易知是赋值
直接看参数即可
将0x8001f68开始0x50个赋值到2000000处
即
而ptr在
hex(0x1f68+0x24)
'0x1f8c'
所以ptr的值即为check1到j
除了check1以外形式都一致,为path的当前位赋值为一个字符,然后对arg1的每一位变换
看看这些函数在哪调用 交叉引用call数组找到check函数
根据cond和value的关系来决定调用顺序
而cond的初值是
再查看check1函数
要求path相同
至此逻辑就清晰了
cond的初值确定,经过十次变换,变换函数确定
所以十次cond的值是一定的
而程序会根据value和cond的对应关系来决定函数的调用顺序,调用顺序已经确定,所以value即输入也是确定的
上脚本
import ctypes
def ts(arg1):
    """Advance the 8-bit ``cond`` state by one step.

    The state is shifted left by one and the new bit 0 is NOT(bit 6 AND
    bit 2) of the old state; the result is truncated to 8 bits.
    """
    tapped = (arg1 >> 6) & (arg1 >> 2)
    new_low_bit = ~tapped & 1
    return ((arg1 << 1) | new_low_bit) & 0xff
# The ten cond states: 0x77 followed by nine applications of ts().
cond = [0x77]
while len(cond) < 10:
    cond.append(ts(cond[-1]))
print(cond)

# t2 is the order in which the lettered handlers run and t1 their position
# in the table, so the state at step n belongs to slot t1.index(t2[n]).
t1 = "abcdefghij"
t2 = "bdgfciejha"
flag = [0] * 10
for step, letter in enumerate(t2):
    flag[t1.index(letter)] = cond[step]
print(flag)

# Byte transforms, applied in this exact order.
# NOTE(review): presumably these undo the per-byte transforms of the
# firmware's handler functions, which are not shown on this page.
flag = [(b - 1) & 0xff for b in flag]
flag = [b ^ 0x35 for b in flag]
flag = [(b >> 4) | ((b << 4) & 0xff) for b in flag]  # swap the two nibbles
# In place on purpose: position 9 is XORed with the already-updated flag[0].
for pos in range(10):
    flag[pos] ^= flag[(pos + 1) % 10]
flag = [(b + 1) & 0xff for b in flag]
flag = [(b >> 3) | ((b << 5) & 0xff) for b in flag]  # rotate right by 3
# In place on purpose: positions 5..9 see the updated values of 4..0.
for pos in range(10):
    flag[pos] ^= flag[9 - pos]
flag = [b ^ 0xf7 for b in flag]
flag = [(b >> 2) | ((b << 6) & 0xff) for b in flag]  # rotate right by 2
print(f'SCTF{{{bytes(flag).hex()}}}')