2019 红帽杯 Re WP
xx
测试文件:https://www.lanzous.com/i7dyqhc
准备
获取信息
- 64位文件
IDA打开
使用Findcrypt脚本可以看到
结合文件名是xx,因此猜测代码用到了xxtea加密方法
流程总结
因此,总的流程为:
- 判断输入的字符串的每个字符是否包含在"qwertyuiopasdfghjklzxcvbnm1234567890"中
- 取输入字符串的前4位字符,即"flag",扩展为16位,作为xxtea加密的秘钥key
- 将输入的字符串使用key加密,加密后的字符保存在字符数组v18,共24位字符
- 打乱v18数组,保存到v19数组中
- 将24位字符,每3位为一组,每一组异或值(具体看代码),得到新的加密字符串
- 将新的加密字符串与已经存在的字符串比较,相同即获得胜利
因此,只需要逆向变换,就能得到flag
使用动态调试,可以获取到已经存在的字符串
enc = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'
脚本解密
Python带了xxtea的包,不过我用的时候,一直提示我“ValueError: Need a 16-byte key.”,用rjust或者'\x00'*16补足了16位也不管用。(已解决)
import xxtea result = 'CE BC 40 6B 7C 3A 95 C0 EF 9B 20 20 91 F7 02 35 23 18 02 C8 E7 56 56 FA'.split(" ") res = [int(i,16) for i in result] for i in range(7,-1,-1): t = 0 for n in range(0,i): if t == 0 : t = res[0] else : t ^= res[n] for j in range(3) : res[i*3+j] ^= t box = [1,3,0,2,5,7,4,6,9,11,8,10,13,15,12,14,17,19,16,18,21,23,20,22] m = [] for i in range(len(box)): m.append(res[box[i]]) key = 'flag'+'\x00'*12 print(xxtea.decrypt(bytes(m),key,padding=False))
所以用了另外一种方法,借用了下面xxtea的文章:
参考文章:https://blog.csdn.net/weixin_41474364/article/details/84314674
# encoding: utf-8 import struct _DELTA = 0x9E3779B9 def _long2str(v, w): n = (len(v) - 1) << 2 if w: m = v[-1] if (m < n - 3) or (m > n): return '' n = m s = struct.pack('<%iL' % len(v), *v) return s[0:n] if w else s def _str2long(s, w): n = len(s) m = (4 - (n & 3) & 3) + n s = s.ljust(m, "\0") v = list(struct.unpack('<%iL' % (m >> 2), s)) if w: v.append(n) return v def encrypt(str, key): if str == '': return str v = _str2long(str, True) k = _str2long(key.ljust(16, "\0"), False) n = len(v) - 1 z = v[n] y = v[0] sum = 0 q = 6 + 52 // (n + 1) while q > 0: sum = (sum + _DELTA) & 0xffffffff e = sum >> 2 & 3 for p in xrange(n): y = v[p + 1] v[p] = (v[p] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff z = v[p] y = v[0] v[n] = (v[n] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[n & 3 ^ e] ^ z))) & 0xffffffff z = v[n] q -= 1 return _long2str(v, False) def decrypt(str, key): if str == '': return str v = _str2long(str, False) k = _str2long(key.ljust(16, "\0"), False) n = len(v) - 1 z = v[n] y = v[0] q = 6 + 52 // (n + 1) sum = (q * _DELTA) & 0xffffffff while (sum != 0): e = sum >> 2 & 3 for p in xrange(n, 0, -1): z = v[p - 1] v[p] = (v[p] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff y = v[p] z = v[n] v[0] = (v[0] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[0 & 3 ^ e] ^ z))) & 0xffffffff y = v[0] sum = (sum - _DELTA) & 0xffffffff return _long2str(v, True) def xor(x ,y): return ord(x) ^ ord(y) # 转换为16进制 arr = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'.decode('hex') dec = '' # 因为加密时是正向加密,会用到加密之后的字符,因此解密需要逆向解密 for i in range(7,-1,-1): res = '' # 每3个为一组 for j in range(3): temp = ord(arr[i*3+j]) # 需要异或的值,例如第i组的值就是,arr[i*3+j]^(arr[n] for n in range(i)) for m in range(i): temp ^= ord(arr[m]) res += chr(temp) dec = res + dec # 原来的v18到v19数组是被打乱排序了的 num = [2,0,3,1,6,4,7,5,10,8,11,9,14,12,15,13,18,16,19,17,22,20,23,21] enc = [0] * 24 # key需要是16位 key = 'flag'+'\x00'*12 for i in range(24): enc[num[i]] = dec[i] dec2 = ''.join(enc) dec3 = decrypt(dec2, key) print dec3
get flag!
flag{CXX_and_++tea}
easyRE
测试文件:https://share.weiyun.com/5qzM6bU
准备
获取信息
- 64位文件
IDA打开
signed __int64 sub_4009C6() { char *v0; // rsi char *v1; // rdi signed __int64 result; // rax __int64 v3; // ST10_8 __int64 v4; // ST18_8 __int64 v5; // ST20_8 __int64 v6; // ST28_8 __int64 v7; // ST30_8 __int64 v8; // ST38_8 __int64 v9; // ST40_8 __int64 v10; // ST48_8 __int64 v11; // ST50_8 __int64 v12; // ST58_8 int i; // [rsp+Ch] [rbp-114h] char arraym[36]; // [rsp+60h] [rbp-C0h] char v15[32]; // [rsp+90h] [rbp-90h] int v16; // [rsp+B0h] [rbp-70h] char v17; // [rsp+B4h] [rbp-6Ch] char v18; // [rsp+C0h] [rbp-60h] char v19; // [rsp+E7h] [rbp-39h] char v20; // [rsp+100h] [rbp-20h] unsigned __int64 v21; // [rsp+108h] [rbp-18h] v21 = __readfsqword(0x28u); arraym[0] = 73; arraym[1] = 111; arraym[2] = 100; arraym[3] = 108; arraym[4] = 62; arraym[5] = 81; arraym[6] = 110; arraym[7] = 98; arraym[8] = 40; arraym[9] = 111; arraym[10] = 99; arraym[11] = 121; arraym[12] = 127; arraym[13] = 121; arraym[14] = 46; arraym[15] = 105; arraym[16] = 127; arraym[17] = 100; arraym[18] = 96; arraym[19] = 51; arraym[20] = 119; arraym[21] = 125; arraym[22] = 119; arraym[23] = 101; arraym[24] = 107; arraym[25] = 57; arraym[26] = 123; arraym[27] = 105; arraym[28] = 121; arraym[29] = 61; arraym[30] = 126; arraym[31] = 121; arraym[32] = 76; arraym[33] = 64; arraym[34] = 69; arraym[35] = 67; memset(v15, 0, sizeof(v15)); v16 = 0; v17 = 0; v0 = v15; sub_4406E0(0LL, (__int64)v15); v17 = 0; v1 = v15; if ( sub_424BA0(v15) == 36 ) { for ( i = 0; ; ++i ) { v1 = v15; if ( i >= (unsigned __int64)sub_424BA0(v15) ) break; if ( (unsigned __int8)(v15[i] ^ i) != arraym[i] ) { result = 4294967294LL; goto LABEL_13; } } sub_410CC0("continue!"); memset(&v18, 0, 0x40uLL); v20 = 0; v0 = &v18; sub_4406E0(0LL, (__int64)&v18); v19 = 0; v1 = &v18; if ( sub_424BA0(&v18) == 39 ) { v3 = sub_400E44(&v18); v4 = sub_400E44(v3); v5 = sub_400E44(v4); v6 = sub_400E44(v5); v7 = sub_400E44(v6); v8 = sub_400E44(v7); v9 = sub_400E44(v8); v10 = sub_400E44(v9); v11 = sub_400E44(v10); v12 = sub_400E44(v11); v0 = off_6CC090; v1 = (char *)v12; if ( !(unsigned int)sub_400360(v12, off_6CC090) ) { sub_410CC0("You found me!!!"); v1 = "bye bye~"; sub_410CC0("bye bye~"); } result = 0LL; } else { result = 4294967293LL; } } else { result = 0xFFFFFFFFLL; } LABEL_13: if ( __readfsqword(0x28u) != v21 ) sub_444020(v1, v0); return result; }
代码分析
首先有两次输入,第一次输入32位字符串,将每位字符异或后与已存在的marray数组比较,因此可以写出脚本,正确输入
arr = [73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125, 119,101,107,57,123,105,121,61,126,121,76,64,69,67] dec = '' for i in range(36): dec += chr(arr[i]^i) print(dec)
Info:The first four chars are `flag`
第二次输入,将输入的字符串进行10次base64加密后,与已知的字符串比较,反向解密就行
enc = "Vm0wd2VHUXhTWGhpUm1SWVYwZDRWVll3Wkc5WFJsbDNXa1pPVlUxV2NIcFhhMk0xVmpKS1NHVkdXbFpOYmtKVVZtcEtTMUl5VGtsaVJtUk9ZV3hhZVZadGVHdFRNVTVYVW01T2FGSnRVbGhhVjNoaFZWWmtWMXBFVWxSTmJFcElWbTAxVDJGV1NuTlhia0pXWWxob1dGUnJXbXRXTVZaeVdrWm9hVlpyV1hwV1IzaGhXVmRHVjFOdVVsWmlhMHBZV1ZSR1lWZEdVbFZTYlhSWFRWWndNRlZ0TVc5VWJGcFZWbXR3VjJKSFVYZFdha1pXWlZaT2NtRkhhRk5pVjJoWVYxZDBhMVV3TlhOalJscFlZbGhTY1ZsclduZGxiR1J5VmxSR1ZXSlZjRWhaTUZKaFZqSktWVkZZYUZkV1JWcFlWV3BHYTFkWFRrZFRiV3hvVFVoQ1dsWXhaRFJpTWtsM1RVaG9hbEpYYUhOVmJUVkRZekZhY1ZKcmRGTk5Wa3A2VjJ0U1ExWlhTbFpqUldoYVRVWndkbFpxUmtwbGJVWklZVVprYUdFeGNHOVhXSEJIWkRGS2RGSnJhR2hTYXpWdlZGVm9RMlJzV25STldHUlZUVlpXTlZadE5VOVdiVXBJVld4c1dtSllUWGhXTUZwell6RmFkRkpzVWxOaVNFSktWa1phVTFFeFduUlRhMlJxVWxad1YxWnRlRXRXTVZaSFVsUnNVVlZVTURrPQ==" for i in range(10): enc = enc.decode('base64') print (enc)
https://bbs.pediy.com/thread-254172.htm
在第二次输入加密后对比的常量下面,还发现了一个常量,在sub_400D35函数中调用
__int64 __fastcall sub_400D35(__int64 a1, __int64 a2) { __int64 v2; // rdi __int64 result; // rax unsigned __int64 v4; // rt1 unsigned int v5; // [rsp+Ch] [rbp-24h] signed int i; // [rsp+10h] [rbp-20h] signed int j; // [rsp+14h] [rbp-1Ch] unsigned int v8; // [rsp+24h] [rbp-Ch] unsigned __int64 v9; // [rsp+28h] [rbp-8h] v9 = __readfsqword(0x28u); v2 = 0LL; v5 = sub_43FD20(0LL) - qword_6CEE38; for ( i = 0; i <= 1233; ++i ) { v2 = v5; sub_40F790(v5); sub_40FE60(); sub_40FE60(); v5 = (unsigned __int64)sub_40FE60() ^ 0x98765432; } v8 = v5; if ( ((unsigned __int8)v5 ^ byte_6CC0A0[0]) == 'f' && (HIBYTE(v8) ^ (unsigned __int8)byte_6CC0A3) == 'g' ) { for ( j = 0; j <= 24; ++j ) { v2 = (unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v8 + j % 4)); sub_410E90(v2); } } v4 = __readfsqword(0x28u); result = v4 ^ v9; if ( v4 != v9 ) sub_444020(v2, a2); return result; }
两段异或,第一段异或,能够通过'flag'和已知数组反向解出v5
第二段异或。通过已知数组和v5解出flag
key = '' enc1 = 'flag' dec = '' enc = [0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B] for i in range(4): key += chr(enc[i] ^ ord(enc1[i])) print (key) for i in range(len(enc)): dec += chr(enc[i] ^ ord(key[i%4])) print(dec)
get flag!
flag{Act1ve_Defen5e_Test}
calc
测试文件:https://www.lanzous.com/i7frprg
准备
获取信息
- 64位文件
IDA打开
1 __int64 sub_140002540() 2 { 3 __int64 v0; // rax 4 __int64 v1; // rax 5 __int64 v2; // rax 6 __int64 v3; // rax 7 __int64 v4; // rax 8 void *v5; // rcx 9 void *v6; // rcx 10 void *v7; // rcx 11 __int64 v8; // rax 12 __int64 v9; // rax 13 void *v10; // rcx 14 void *v11; // rcx 15 void *v12; // rcx 16 __int64 v13; // rax 17 void *v14; // rcx 18 void *v15; // rcx 19 char *v16; // r8 20 unsigned __int64 v17; // r11 21 _BYTE *v18; // rbx 22 unsigned __int64 v19; // rax 23 char *v20; // r9 24 bool v21; // al 25 int v22; // er10 26 __int64 v23; // rdx 27 _DWORD *v24; // rcx 28 unsigned int v25; // edi 29 _BYTE *v26; // rcx 30 unsigned __int64 v27; // rax 31 bool v28; // al 32 int v29; // er10 33 __int64 v30; // rdx 34 _DWORD *v31; // rcx 35 __int64 v32; // rax 36 __int64 v33; // rax 37 __int64 v34; // r14 38 __int64 v35; // rbx 39 __int64 v36; // rax 40 __int64 v37; // r15 41 const void *v38; // rsi 42 _BYTE *v39; // rdi 43 unsigned __int64 v40; // rbx 44 size_t v41; // rbx 45 __int64 v42; // rax 46 __int64 v43; // rcx 47 char *v44; // rax 48 char *v45; // rbx 49 __int64 v46; // rax 50 __int64 v47; // rbx 51 __int64 v48; // rax 52 __int64 v49; // rax 53 _QWORD *v50; // rcx 54 __int64 v51; // rax 55 __int64 v52; // rax 56 void *v53; // rcx 57 void *v54; // rcx 58 _BYTE *v55; // rcx 59 _BYTE *v56; // rcx 60 _BYTE *v57; // rcx 61 _BYTE *v58; // rcx 62 _BYTE *v59; // rcx 63 _BYTE *v60; // rcx 64 void *v61; // rcx 65 void *v62; // rcx 66 void *v63; // rcx 67 void *v64; // rcx 68 __int64 v65; // rsi 69 __int64 v66; // rax 70 __int64 v67; // rbx 71 __int64 v68; // rax 72 void **v69; // rdi 73 __int64 v70; // rax 74 __int64 v71; // rax 75 _QWORD *v72; // rcx 76 __int64 v73; // rax 77 __int64 v74; // rax 78 void *v75; // rcx 79 __int64 v76; // rax 80 __int64 v77; // rax 81 void *v78; // rcx 82 _BYTE *v79; // rcx 83 _BYTE *v80; // rcx 84 _BYTE *v81; // rcx 85 _BYTE *v82; // rcx 86 void *v83; // rcx 87 void *v84; // rcx 88 void *v85; // rcx 89 void *v86; // rcx 90 char *v87; // r15 91 __int64 v88; // rcx 92 char *v89; // r14 93 int v90; // eax 94 __int64 v91; // rdx 95 _DWORD *v92; // rcx 96 _BYTE *v93; // rcx 97 _BYTE *v94; // rax 98 int v95; // eax 99 __int64 v96; // rsi 100 _BYTE *v97; // rcx 101 _BYTE *v98; // rax 102 int v99; // eax 103 __int64 v100; // rsi 104 _BYTE *v101; // rsi 105 int v102; // eax 106 __int64 i; // rsi 107 char *v104; // rax 108 char *v105; // rax 109 _BYTE *v106; // rcx 110 _BYTE *v107; // rcx 111 _BYTE *v108; // rax 112 char *v109; // rax 113 char *v110; // rax 114 void *v112[2]; // [rsp+20h] [rbp-E0h] 115 __int64 v113; // [rsp+30h] [rbp-D0h] 116 void *v114[2]; // [rsp+38h] [rbp-C8h] 117 char *v115; // [rsp+48h] [rbp-B8h] 118 void **v116; // [rsp+50h] [rbp-B0h] 119 void *Memory[2]; // [rsp+58h] [rbp-A8h] 120 __int64 v118; // [rsp+68h] [rbp-98h] 121 void *v119[2]; // [rsp+70h] [rbp-90h] 122 __int64 v120; // [rsp+80h] [rbp-80h] 123 void *v121[2]; // [rsp+88h] [rbp-78h] 124 __int64 v122; // [rsp+98h] [rbp-68h] 125 void *v123[2]; // [rsp+A0h] [rbp-60h] 126 __int64 v124; // [rsp+B0h] [rbp-50h] 127 void *v125[2]; // [rsp+B8h] [rbp-48h] 128 __int64 v126; // [rsp+C8h] [rbp-38h] 129 void *v127; // [rsp+D0h] [rbp-30h] 130 __int64 v128; // [rsp+D8h] [rbp-28h] 131 __int64 v129; // [rsp+E0h] [rbp-20h] 132 void *v130; // [rsp+E8h] [rbp-18h] 133 __int64 v131; // [rsp+F0h] [rbp-10h] 134 __int64 v132; // [rsp+F8h] [rbp-8h] 135 void *v133; // [rsp+100h] [rbp+0h] 136 __int64 v134; // [rsp+108h] [rbp+8h] 137 __int64 v135; // [rsp+110h] [rbp+10h] 138 void *v136; // [rsp+118h] [rbp+18h] 139 __int64 v137; // [rsp+120h] [rbp+20h] 140 __int64 v138; // [rsp+128h] [rbp+28h] 141 char v139; // [rsp+130h] [rbp+30h] 142 void *v140; // [rsp+148h] [rbp+48h] 143 __int64 v141; // [rsp+150h] [rbp+50h] 144 __int64 v142; // [rsp+158h] [rbp+58h] 145 char v143; // [rsp+160h] [rbp+60h] 146 __int64 v144; // [rsp+178h] [rbp+78h] 147 void *Src[2]; // [rsp+180h] [rbp+80h] 148 __int64 v146; // [rsp+190h] [rbp+90h] 149 void *v147[2]; // [rsp+198h] [rbp+98h] 150 __int64 v148; // [rsp+1A8h] [rbp+A8h] 151 void *v149[2]; // [rsp+1B0h] [rbp+B0h] 152 __int64 v150; // [rsp+1C0h] [rbp+C0h] 153 void *v151; // [rsp+1C8h] [rbp+C8h] 154 __int128 v152; // [rsp+1D0h] [rbp+D0h] 155 void *v153; // [rsp+1E0h] [rbp+E0h] 156 __int64 v154; // [rsp+1E8h] [rbp+E8h] 157 __int64 v155; // [rsp+1F0h] [rbp+F0h] 158 void *v156; // [rsp+1F8h] [rbp+F8h] 159 __int64 v157; // [rsp+200h] [rbp+100h] 160 __int64 v158; // [rsp+208h] [rbp+108h] 161 void *v159; // [rsp+210h] [rbp+110h] 162 __int64 v160; // [rsp+220h] [rbp+120h] 163 void *v161; // [rsp+228h] [rbp+128h] 164 __int64 v162; // [rsp+238h] [rbp+138h] 165 166 v0 = sub_140004120(std::cout, "A few days ago,Someone asked me for Windows RE..."); 167 std::basic_ostream<char,std::char_traits<char>>::operator<<(v0, sub_1400042F0); 168 v1 = sub_140004120(std::cout, "But Windows + STL is terrible!"); 169 std::basic_ostream<char,std::char_traits<char>>::operator<<(v1, sub_1400042F0); 170 LODWORD(v144) = 0; 171 _mm_storeu_si128((__m128i *)Src, (__m128i)0i64); 172 v146 = 0i64; 173 sub_140004330(Src, 0i64, &v144); 174 sub_140001270(Src); 175 LODWORD(v144) = 0; 176 _mm_storeu_si128((__m128i *)v147, (__m128i)0i64); 177 v148 = 0i64; 178 sub_140004330(v147, 0i64, &v144); 179 sub_140001270(v147); 180 LODWORD(v144) = 0; 181 _mm_storeu_si128((__m128i *)v149, (__m128i)0i64); 182 v150 = 0i64; 183 sub_140004330(v149, 0i64, &v144); 184 sub_140001270(v149); 185 v2 = sub_140004120(std::cout, "Enjoy it"); 186 std::basic_ostream<char,std::char_traits<char>>::operator<<(v2, sub_1400042F0); 187 sub_1400013D0(std::cin, Src); 188 v3 = sub_140004120(std::cout, "Calculating..."); 189 std::basic_ostream<char,std::char_traits<char>>::operator<<(v3, sub_1400042F0); 190 LODWORD(v144) = 4; 191 _mm_storeu_si128((__m128i *)v114, (__m128i)0i64); 192 v115 = 0i64; 193 sub_140004330(v114, 0i64, &v144); 194 sub_140001270(v114); 195 LODWORD(v144) = 2; 196 _mm_storeu_si128((__m128i *)v112, (__m128i)0i64); 197 v113 = 0i64; 198 sub_140004330(v112, 0i64, &v144); 199 sub_140001270(v112); 200 v4 = cacl_pow(Memory, Src, v112); 201 calc_mul(&v161, v4, v114); 202 v5 = Memory[0]; 203 if ( Memory[0] ) 204 { 205 if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 ) 206 { 207 v5 = (void *)*((_QWORD *)Memory[0] - 1); 208 if ( (unsigned __int64)(Memory[0] - v5 - 8) > 0x1F ) 209 invalid_parameter_noinfo_noreturn(); 210 } 211 j_j_free(v5); 212 Memory[0] = 0i64; 213 _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64); 214 } 215 v6 = v112[0]; 216 if ( v112[0] ) 217 { 218 if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 ) 219 { 220 v6 = (void *)*((_QWORD *)v112[0] - 1); 221 if ( (unsigned __int64)(v112[0] - v6 - 8) > 0x1F ) 222 invalid_parameter_noinfo_noreturn(); 223 } 224 j_j_free(v6); 225 } 226 v7 = v114[0]; 227 if ( v114[0] ) 228 { 229 if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 ) 230 { 231 v7 = (void *)*((_QWORD *)v114[0] - 1); 232 if ( (unsigned __int64)(v114[0] - v7 - 8) > 0x1F ) 233 invalid_parameter_noinfo_noreturn(); 234 } 235 j_j_free(v7); 236 } 237 Sleep(0x75BCD15u); 238 sub_1400013D0(std::cin, v147); 239 v8 = sub_140004120(std::cout, "Calculating......"); 240 std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_1400042F0); 241 LODWORD(v144) = 2; 242 _mm_storeu_si128((__m128i *)v114, (__m128i)0i64); 243 v115 = 0i64; 244 sub_140004330(v114, 0i64, &v144); 245 sub_140001270(v114); 246 LODWORD(v144) = 3; 247 _mm_storeu_si128((__m128i *)v112, (__m128i)0i64); 248 v113 = 0i64; 249 sub_140004330(v112, 0i64, &v144); 250 sub_140001270(v112); 251 v9 = calc_mul(Memory, v147, v112); 252 cacl_pow(&v156, v9, v114); 253 v10 = Memory[0]; 254 if ( Memory[0] ) 255 { 256 if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 ) 257 { 258 v10 = (void *)*((_QWORD *)Memory[0] - 1); 259 if ( (unsigned __int64)(Memory[0] - v10 - 8) > 0x1F ) 260 invalid_parameter_noinfo_noreturn(); 261 } 262 j_j_free(v10); 263 Memory[0] = 0i64; 264 _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64); 265 } 266 v11 = v112[0]; 267 if ( v112[0] ) 268 { 269 if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 ) 270 { 271 v11 = (void *)*((_QWORD *)v112[0] - 1); 272 if ( (unsigned __int64)(v112[0] - v11 - 8) > 0x1F ) 273 invalid_parameter_noinfo_noreturn(); 274 } 275 j_j_free(v11); 276 } 277 v12 = v114[0]; 278 if ( v114[0] ) 279 { 280 if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 ) 281 { 282 v12 = (void *)*((_QWORD *)v114[0] - 1); 283 if ( (unsigned __int64)(v114[0] - v12 - 8) > 0x1F ) 284 invalid_parameter_noinfo_noreturn(); 285 } 286 j_j_free(v12); 287 } 288 Sleep(0x3ADE68B1u); 289 sub_1400013D0(std::cin, v149); 290 sub_140004120(std::cout, "Calculating............"); 291 LODWORD(v144) = 7; 292 _mm_storeu_si128((__m128i *)v112, (__m128i)0i64); 293 v113 = 0i64; 294 sub_140004330(v112, 0i64, &v144); 295 sub_140001270(v112); 296 v13 = calc_mul(Memory, v112, v149); 297 calc_mul(&v159, v13, v149); 298 v14 = Memory[0]; 299 if ( Memory[0] ) 300 { 301 if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 ) 302 { 303 v14 = (void *)*((_QWORD *)Memory[0] - 1); 304 if ( (unsigned __int64)(Memory[0] - v14 - 8) > 0x1F ) 305 invalid_parameter_noinfo_noreturn(); 306 } 307 j_j_free(v14); 308 Memory[0] = 0i64; 309 _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64); 310 } 311 v15 = v112[0]; 312 if ( v112[0] ) 313 { 314 if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 ) 315 { 316 v15 = (void *)*((_QWORD *)v112[0] - 1); 317 if ( (unsigned __int64)(v112[0] - v15 - 8) > 0x1F ) 318 invalid_parameter_noinfo_noreturn(); 319 } 320 j_j_free(v15); 321 } 322 Sleep(0x7777777u); 323 v16 = (char *)Src[0]; // 需要满足 x < z 324 v17 = (_QWORD)(Src[1] - Src[0]) >> 2; 325 v18 = v149[0]; 326 v19 = (_QWORD)(v149[1] - v149[0]) >> 2; 327 v20 = (char *)v147[0]; 328 if ( v17 == v19 ) 329 { 330 v22 = v17 - 1; 331 if ( (signed int)v17 - 1 < 0 ) 332 goto LABEL_47; 333 v23 = v22; 334 v24 = (char *)v149[0] + 4 * v22; 335 while ( *(_DWORD *)((char *)v24 + Src[0] - v149[0]) == *v24 ) 336 { 337 --v22; 338 --v24; 339 if ( --v23 < 0 ) 340 goto LABEL_47; 341 } 342 v21 = *((_DWORD *)Src[0] + v22) < *((_DWORD *)v149[0] + v22); 343 } 344 else 345 { 346 v21 = v17 < v19; 347 } 348 if ( !v21 ) 349 goto LABEL_47; 350 v27 = (_QWORD)(v147[1] - v147[0]) >> 2; // 需要瞒住x > y 351 if ( v27 != v17 ) 352 { 353 v28 = v27 < v17; 354 goto LABEL_62; 355 } 356 v29 = v27 - 1; 357 if ( (signed int)v27 - 1 < 0 ) 358 { 359 LABEL_47: 360 v25 = -1; 361 goto LABEL_48; 362 } 363 v30 = v29; 364 v31 = (char *)Src[0] + 4 * v29; 365 while ( *(_DWORD *)((char *)v31 + v147[0] - Src[0]) == *v31 ) 366 { 367 --v29; 368 --v31; 369 if ( --v30 < 0 ) 370 goto LABEL_47; 371 } 372 v28 = *((_DWORD *)v147[0] + v29) < *((_DWORD *)Src[0] + v29); 373 LABEL_62: 374 if ( !v28 ) 375 goto LABEL_47; 376 LODWORD(v144) = 3; 377 _mm_storeu_si128((__m128i *)v125, (__m128i)0i64); 378 v126 = 0i64; 379 sub_140004330(v125, 0i64, &v144); 380 sub_140001270(v125); 381 LODWORD(v144) = 2; 382 _mm_storeu_si128((__m128i *)v123, (__m128i)0i64); 383 v124 = 0i64; 384 sub_140004330(v123, 0i64, &v144); 385 sub_140001270(v123); 386 LODWORD(v144) = 3; 387 _mm_storeu_si128((__m128i *)v121, (__m128i)0i64); 388 v122 = 0i64; 389 sub_140004330(v121, 0i64, &v144); 390 sub_140001270(v121); 391 LODWORD(v144) = 3; 392 _mm_storeu_si128((__m128i *)v119, (__m128i)0i64); 393 v120 = 0i64; 394 sub_140004330(v119, 0i64, &v144); 395 sub_140001270(v119); 396 v32 = calc_mul(&v136, v125, Src); 397 v33 = calc_mul(&v133, v32, Src); 398 v34 = calc_mul(&v130, v33, v147); 399 v35 = cacl_pow(&v127, v147, v123); 400 v36 = calc_mul(&v151, v121, Src); 401 v37 = calc_mul(&v140, v36, v35); 402 _mm_storeu_si128((__m128i *)v114, (__m128i)0i64); 403 v115 = 0i64; 404 v38 = Src[0]; 405 v39 = Src[1]; 406 if ( Src[0] != Src[1] ) 407 { 408 v40 = (_QWORD)(Src[1] - Src[0]) >> 2; 409 if ( v40 <= 0x3FFFFFFFFFFFFFFFi64 ) 410 { 411 v41 = 4 * v40; 412 if ( v41 < 0x1000 ) 413 { 414 if ( v41 ) 415 v44 = (char *)sub_140004A84(v41); 416 else 417 v44 = 0i64; 418 LABEL_73: 419 v114[0] = v44; 420 v114[1] = v44; 421 v45 = &v44[v41]; 422 v115 = v45; 423 memmove(v44, v38, v39 - (_BYTE *)v38); 424 v114[1] = v45; 425 goto LABEL_74; 426 } 427 if ( v41 + 39 > v41 ) 428 { 429 v42 = sub_140004A84(v41 + 39); 430 v43 = v42; 431 if ( !v42 ) 432 invalid_parameter_noinfo_noreturn(); 433 v44 = (char *)((v42 + 39) & 0xFFFFFFFFFFFFFFE0ui64); 434 *((_QWORD *)v44 - 1) = v43; 435 goto LABEL_73; 436 } 437 } 438 sub_140001110(); 439 } 440 LABEL_74: 441 v46 = cacl_add(Memory, v114, v147); 442 v47 = cacl_pow(&v139, v46, v119); 443 v144 = v47; 444 v48 = cacl_equal(&v153, v37); 445 v49 = cacl_sub(v47, v48); 446 cacl_equal(v112, v49); 447 v50 = *(_QWORD **)v47; 448 if ( *(_QWORD *)v47 ) 449 { 450 if ( (unsigned __int64)(4i64 * ((*(_QWORD *)(v47 + 16) - (_QWORD)v50) >> 2)) >= 0x1000 ) 451 { 452 if ( (unsigned __int64)((char *)v50 - *(v50 - 1) - 8) > 0x1F ) 453 invalid_parameter_noinfo_noreturn(); 454 v50 = (_QWORD *)*(v50 - 1); 455 } 456 j_j_free(v50); 457 *(_QWORD *)v47 = 0i64; 458 *(_QWORD *)(v47 + 8) = 0i64; 459 *(_QWORD *)(v47 + 16) = 0i64; 460 } 461 v116 = v112; 462 v51 = cacl_equal(&v143, v34); 463 v52 = cacl_sub(v112, v51); 464 cacl_equal(&v153, v52); 465 v53 = v112[0]; 466 if ( v112[0] ) 467 { 468 if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 ) 469 { 470 v53 = (void *)*((_QWORD *)v112[0] - 1); 471 if ( (unsigned __int64)(v112[0] - v53 - 8) > 0x1F ) 472 invalid_parameter_noinfo_noreturn(); 473 } 474 j_j_free(v53); 475 _mm_storeu_si128((__m128i *)v112, (__m128i)0i64); 476 v113 = 0i64; 477 } 478 v54 = Memory[0]; 479 if ( Memory[0] ) 480 { 481 if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 ) 482 { 483 v54 = (void *)*((_QWORD *)Memory[0] - 1); 484 if ( (unsigned __int64)(Memory[0] - v54 - 8) > 0x1F ) 485 invalid_parameter_noinfo_noreturn(); 486 } 487 j_j_free(v54); 488 Memory[0] = 0i64; 489 _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64); 490 } 491 v55 = v140; 492 if ( v140 ) 493 { 494 if ( (unsigned __int64)(4 * ((v142 - (signed __int64)v140) >> 2)) >= 0x1000 ) 495 { 496 v55 = (_BYTE *)*((_QWORD *)v140 - 1); 497 if ( (unsigned __int64)((_BYTE *)v140 - v55 - 8) > 0x1F ) 498 invalid_parameter_noinfo_noreturn(); 499 } 500 j_j_free(v55); 501 v140 = 0i64; 502 _mm_storeu_si128((__m128i *)&v141, (__m128i)0i64); 503 } 504 v56 = v151; 505 if ( v151 ) 506 { 507 if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + 1) - (_QWORD)v151) >> 2)) >= 0x1000 ) 508 { 509 v56 = (_BYTE *)*((_QWORD *)v151 - 1); 510 if ( (unsigned __int64)((_BYTE *)v151 - v56 - 8) > 0x1F ) 511 invalid_parameter_noinfo_noreturn(); 512 } 513 j_j_free(v56); 514 v151 = 0i64; 515 _mm_storeu_si128((__m128i *)&v152, (__m128i)0i64); 516 } 517 v57 = v127; 518 if ( v127 ) 519 { 520 if ( (unsigned __int64)(4 * ((v129 - (signed __int64)v127) >> 2)) >= 0x1000 ) 521 { 522 v57 = (_BYTE *)*((_QWORD *)v127 - 1); 523 if ( (unsigned __int64)((_BYTE *)v127 - v57 - 8) > 0x1F ) 524 invalid_parameter_noinfo_noreturn(); 525 } 526 j_j_free(v57); 527 v127 = 0i64; 528 _mm_storeu_si128((__m128i *)&v128, (__m128i)0i64); 529 } 530 v58 = v130; 531 if ( v130 ) 532 { 533 if ( (unsigned __int64)(4 * ((v132 - (signed __int64)v130) >> 2)) >= 0x1000 ) 534 { 535 v58 = (_BYTE *)*((_QWORD *)v130 - 1); 536 if ( (unsigned __int64)((_BYTE *)v130 - v58 - 8) > 0x1F ) 537 invalid_parameter_noinfo_noreturn(); 538 } 539 j_j_free(v58); 540 v130 = 0i64; 541 _mm_storeu_si128((__m128i *)&v131, (__m128i)0i64); 542 } 543 v59 = v133; 544 if ( v133 ) 545 { 546 if ( (unsigned __int64)(4 * ((v135 - (signed __int64)v133) >> 2)) >= 0x1000 ) 547 { 548 v59 = (_BYTE *)*((_QWORD *)v133 - 1); 549 if ( (unsigned __int64)((_BYTE *)v133 - v59 - 8) > 0x1F ) 550 invalid_parameter_noinfo_noreturn(); 551 } 552 j_j_free(v59); 553 v133 = 0i64; 554 _mm_storeu_si128((__m128i *)&v134, (__m128i)0i64); 555 } 556 v60 = v136; 557 if ( v136 ) 558 { 559 if ( (unsigned __int64)(4 * ((v138 - (signed __int64)v136) >> 2)) >= 0x1000 ) 560 { 561 v60 = (_BYTE *)*((_QWORD *)v136 - 1); 562 if ( (unsigned __int64)((_BYTE *)v136 - v60 - 8) > 0x1F ) 563 invalid_parameter_noinfo_noreturn(); 564 } 565 j_j_free(v60); 566 v136 = 0i64; 567 _mm_storeu_si128((__m128i *)&v137, (__m128i)0i64); 568 } 569 v61 = v119[0]; 570 if ( v119[0] ) 571 { 572 if ( (unsigned __int64)(4 * ((signed __int64)(v120 - (unsigned __int64)v119[0]) >> 2)) >= 0x1000 ) 573 { 574 v61 = (void *)*((_QWORD *)v119[0] - 1); 575 if ( (unsigned __int64)(v119[0] - v61 - 8) > 0x1F ) 576 invalid_parameter_noinfo_noreturn(); 577 } 578 j_j_free(v61); 579 } 580 v62 = v121[0]; 581 if ( v121[0] ) 582 { 583 if ( (unsigned __int64)(4 * ((signed __int64)(v122 - (unsigned __int64)v121[0]) >> 2)) >= 0x1000 ) 584 { 585 v62 = (void *)*((_QWORD *)v121[0] - 1); 586 if ( (unsigned __int64)(v121[0] - v62 - 8) > 0x1F ) 587 invalid_parameter_noinfo_noreturn(); 588 } 589 j_j_free(v62); 590 } 591 v63 = v123[0]; 592 if ( v123[0] ) 593 { 594 if ( (unsigned __int64)(4 * ((signed __int64)(v124 - (unsigned __int64)v123[0]) >> 2)) >= 0x1000 ) 595 { 596 v63 = (void *)*((_QWORD *)v123[0] - 1); 597 if ( (unsigned __int64)(v123[0] - v63 - 8) > 0x1F ) 598 invalid_parameter_noinfo_noreturn(); 599 } 600 j_j_free(v63); 601 } 602 v64 = v125[0]; 603 if ( v125[0] ) 604 { 605 if ( (unsigned __int64)(4 * ((signed __int64)(v126 - (unsigned __int64)v125[0]) >> 2)) >= 0x1000 ) 606 { 607 v64 = (void *)*((_QWORD *)v125[0] - 1); 608 if ( (unsigned __int64)(v125[0] - v64 - 8) > 0x1F ) 609 invalid_parameter_noinfo_noreturn(); 610 } 611 j_j_free(v64); 612 } 613 LODWORD(v144) = 22; 614 _mm_storeu_si128((__m128i *)v119, (__m128i)0i64); 615 v120 = 0i64; 616 sub_140004330(v119, 0i64, &v144); 617 sub_140001270(v119); 618 LODWORD(v144) = 48; 619 _mm_storeu_si128((__m128i *)v121, (__m128i)0i64); 620 v122 = 0i64; 621 sub_140004330(v121, 0i64, &v144); 622 sub_140001270(v121); 623 LODWORD(v144) = 12; 624 _mm_storeu_si128((__m128i *)v123, (__m128i)0i64); 625 v124 = 0i64; 626 sub_140004330(v123, 0i64, &v144); 627 sub_140001270(v123); 628 LODWORD(v144) = 3; 629 _mm_storeu_si128((__m128i *)v125, (__m128i)0i64); 630 v126 = 0i64; 631 sub_140004330(v125, 0i64, &v144); 632 sub_140001270(v125); 633 v116 = Memory; 634 v65 = calc_mul(&v127, v121, v149); 635 v66 = calc_mul(&v130, v123, v149); 636 v67 = calc_mul(&v133, v66, v149); 637 LODWORD(v144) = 4; 638 _mm_storeu_si128((__m128i *)Memory, (__m128i)0i64); 639 v118 = 0i64; 640 sub_140004330(Memory, 0i64, &v144); 641 sub_140001270(Memory); 642 v68 = cacl_add(&v136, Memory, v149); 643 v69 = (void **)cacl_pow(&v143, v68, v125); 644 v116 = v69; 645 v70 = cacl_equal(&v139, v67); 646 v71 = cacl_sub(v69, v70); 647 cacl_equal(v112, v71); 648 v72 = *v69; 649 if ( *v69 ) 650 { 651 if ( (unsigned __int64)(4 * (((_BYTE *)v69[2] - (_BYTE *)v72) >> 2)) >= 0x1000 ) 652 { 653 if ( (unsigned __int64)((char *)v72 - *(v72 - 1) - 8) > 0x1F ) 654 invalid_parameter_noinfo_noreturn(); 655 v72 = (_QWORD *)*(v72 - 1); 656 } 657 j_j_free(v72); 658 *v69 = 0i64; 659 v69[1] = 0i64; 660 v69[2] = 0i64; 661 } 662 v116 = v112; 663 v73 = cacl_equal(&v139, v65); 664 v74 = cacl_sub(v112, v73); 665 cacl_equal(v114, v74); 666 v75 = v112[0]; 667 if ( v112[0] ) 668 { 669 if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 ) 670 { 671 v75 = (void *)*((_QWORD *)v112[0] - 1); 672 if ( (unsigned __int64)(v112[0] - v75 - 8) > 0x1F ) 673 invalid_parameter_noinfo_noreturn(); 674 } 675 j_j_free(v75); 676 _mm_storeu_si128((__m128i *)v112, (__m128i)0i64); 677 v113 = 0i64; 678 } 679 v116 = v114; 680 v76 = cacl_equal(&v139, v119); 681 v77 = cacl_sub(v114, v76); 682 cacl_equal(&v151, v77); 683 v78 = v114[0]; 684 if ( v114[0] ) 685 { 686 if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 ) 687 { 688 v78 = (void *)*((_QWORD *)v114[0] - 1); 689 if ( (unsigned __int64)(v114[0] - v78 - 8) > 0x1F ) 690 invalid_parameter_noinfo_noreturn(); 691 } 692 j_j_free(v78); 693 _mm_storeu_si128((__m128i *)v114, (__m128i)0i64); 694 v115 = 0i64; 695 } 696 v79 = v136; 697 if ( v136 ) 698 { 699 if ( (unsigned __int64)(4 * ((v138 - (signed __int64)v136) >> 2)) >= 0x1000 ) 700 { 701 v79 = (_BYTE *)*((_QWORD *)v136 - 1); 702 if ( (unsigned __int64)((_BYTE *)v136 - v79 - 8) > 0x1F ) 703 invalid_parameter_noinfo_noreturn(); 704 } 705 j_j_free(v79); 706 v136 = 0i64; 707 _mm_storeu_si128((__m128i *)&v137, (__m128i)0i64); 708 } 709 v80 = v133; 710 if ( v133 ) 711 { 712 if ( (unsigned __int64)(4 * ((v135 - (signed __int64)v133) >> 2)) >= 0x1000 ) 713 { 714 v80 = (_BYTE *)*((_QWORD *)v133 - 1); 715 if ( (unsigned __int64)((_BYTE *)v133 - v80 - 8) > 0x1F ) 716 invalid_parameter_noinfo_noreturn(); 717 } 718 j_j_free(v80); 719 v133 = 0i64; 720 _mm_storeu_si128((__m128i *)&v134, (__m128i)0i64); 721 } 722 v81 = v130; 723 if ( v130 ) 724 { 725 if ( (unsigned __int64)(4 * ((v132 - (signed __int64)v130) >> 2)) >= 0x1000 ) 726 { 727 v81 = (_BYTE *)*((_QWORD *)v130 - 1); 728 if ( (unsigned __int64)((_BYTE *)v130 - v81 - 8) > 0x1F ) 729 invalid_parameter_noinfo_noreturn(); 730 } 731 j_j_free(v81); 732 v130 = 0i64; 733 _mm_storeu_si128((__m128i *)&v131, (__m128i)0i64); 734 } 735 v82 = v127; 736 if ( v127 ) 737 { 738 if ( (unsigned __int64)(4 * ((v129 - (signed __int64)v127) >> 2)) >= 0x1000 ) 739 { 740 v82 = (_BYTE *)*((_QWORD *)v127 - 1); 741 if ( (unsigned __int64)((_BYTE *)v127 - v82 - 8) > 0x1F ) 742 invalid_parameter_noinfo_noreturn(); 743 } 744 j_j_free(v82); 745 v127 = 0i64; 746 _mm_storeu_si128((__m128i *)&v128, (__m128i)0i64); 747 } 748 v83 = v125[0]; 749 if ( v125[0] ) 750 { 751 if ( (unsigned __int64)(4 * ((signed __int64)(v126 - (unsigned __int64)v125[0]) >> 2)) >= 0x1000 ) 752 { 753 v83 = (void *)*((_QWORD *)v125[0] - 1); 754 if ( (unsigned __int64)(v125[0] - v83 - 8) > 0x1F ) 755 invalid_parameter_noinfo_noreturn(); 756 } 757 j_j_free(v83); 758 } 759 v84 = v123[0]; 760 if ( v123[0] ) 761 { 762 if ( (unsigned __int64)(4 * ((signed __int64)(v124 - (unsigned __int64)v123[0]) >> 2)) >= 0x1000 ) 763 { 764 v84 = (void *)*((_QWORD *)v123[0] - 1); 765 if ( (unsigned __int64)(v123[0] - v84 - 8) > 0x1F ) 766 invalid_parameter_noinfo_noreturn(); 767 } 768 j_j_free(v84); 769 } 770 v85 = v121[0]; 771 if ( v121[0] ) 772 { 773 if ( (unsigned __int64)(4 * ((signed __int64)(v122 - (unsigned __int64)v121[0]) >> 2)) >= 0x1000 ) 774 { 775 v85 = (void *)*((_QWORD *)v121[0] - 1); 776 if ( (unsigned __int64)(v121[0] - v85 - 8) > 0x1F ) 777 invalid_parameter_noinfo_noreturn(); 778 } 779 j_j_free(v85); 780 } 781 v86 = v119[0]; 782 if ( v119[0] ) 783 { 784 if ( (unsigned __int64)(4 * ((signed __int64)(v120 - (unsigned __int64)v119[0]) >> 2)) >= 0x1000 ) 785 { 786 v86 = (void *)*((_QWORD *)v119[0] - 1); 787 if ( (unsigned __int64)(v119[0] - v86 - 8) > 0x1F ) 788 invalid_parameter_noinfo_noreturn(); 789 } 790 j_j_free(v86); 791 } 792 v87 = (char *)v153; 793 v88 = (v154 - (signed __int64)v153) >> 2; 794 v89 = (char *)v151; 795 v18 = v149[0]; 796 if ( v88 == ((_QWORD)v152 - (_QWORD)v151) >> 2 ) 797 { 798 v90 = v88 - 1; 799 if ( (signed int)v88 - 1 < 0 ) 800 { 801 LABEL_201: 802 sub_140004120(std::cout, "You win!\nflag{MD5(\""); 803 v93 = Src[0]; 804 v94 = Src[1]; 805 if ( Src[0] == Src[1] ) 806 { 807 std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64); 808 v94 = Src[1]; 809 v93 = Src[0]; 810 } 811 v95 = (unsigned __int64)((v94 - v93) >> 2) - 1; 812 v96 = v95; 813 if ( v95 >= 0 ) 814 { 815 while ( 1 ) 816 { 817 std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v93[4 * v96--]); 818 if ( v96 < 0 ) 819 break; 820 v93 = Src[0]; 821 } 822 } 823 v97 = v147[0]; 824 v98 = v147[1]; 825 if ( v147[0] == v147[1] ) 826 { 827 std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64); 828 v98 = v147[1]; 829 v97 = v147[0]; 830 } 831 v99 = (unsigned __int64)((v98 - v97) >> 2) - 1; 832 v100 = v99; 833 if ( v99 >= 0 ) 834 { 835 while ( 1 ) 836 { 837 std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v97[4 * v100--]); 838 if ( v100 < 0 ) 839 break; 840 v97 = v147[0]; 841 } 842 } 843 v101 = v149[1]; 844 if ( v18 == v149[1] ) 845 std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64); 846 v102 = (unsigned __int64)((v101 - v18) >> 2) - 1; 847 for ( i = v102; 848 i >= 0; 849 std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v18[4 * i--]) ) 850 { 851 ; 852 } 853 sub_140004120(std::cout, "\").tolower()}\n"); 854 } 855 else 856 { 857 v91 = v90; 858 v92 = (char *)v151 + 4 * v90; 859 while ( *(_DWORD *)((char *)v92 + (_BYTE *)v153 - (_BYTE *)v151) == *v92 ) 860 { 861 --v92; 862 if ( --v91 < 0 ) 863 goto LABEL_201; 864 } 865 } 866 } 867 v25 = 0; 868 if ( v89 ) 869 { 870 v104 = v89; 871 if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + 1) - (_QWORD)v89) >> 2)) >= 0x1000 ) 872 { 873 v89 = (char *)*((_QWORD *)v89 - 1); 874 if ( (unsigned __int64)(v104 - v89 - 8) > 0x1F ) 875 invalid_parameter_noinfo_noreturn(); 876 } 877 j_j_free(v89); 878 } 879 if ( v87 ) 880 { 881 v105 = v87; 882 if ( (unsigned __int64)(4 * ((v155 - (signed __int64)v87) >> 2)) >= 0x1000 ) 883 { 884 v87 = (char *)*((_QWORD *)v87 - 1); 885 if ( (unsigned __int64)(v105 - v87 - 8) > 0x1F ) 886 invalid_parameter_noinfo_noreturn(); 887 } 888 j_j_free(v87); 889 } 890 v16 = (char *)Src[0]; 891 v20 = (char *)v147[0]; 892 LABEL_48: 893 v26 = v159; 894 if ( v159 ) 895 { 896 if ( (unsigned __int64)(4 * ((v160 - (signed __int64)v159) >> 2)) >= 0x1000 ) 897 { 898 v26 = (_BYTE *)*((_QWORD *)v159 - 1); 899 if ( (unsigned __int64)((_BYTE *)v159 - v26 - 8) > 0x1F ) 900 invalid_parameter_noinfo_noreturn(); 901 } 902 j_j_free(v26); 903 v16 = (char *)Src[0]; 904 v20 = (char *)v147[0]; 905 } 906 v106 = v156; 907 if ( v156 ) 908 { 909 if ( (unsigned __int64)(4 * ((v158 - (signed __int64)v156) >> 2)) >= 0x1000 ) 910 { 911 v106 = (_BYTE *)*((_QWORD *)v156 - 1); 912 if ( (unsigned __int64)((_BYTE *)v156 - v106 - 8) > 0x1F ) 913 invalid_parameter_noinfo_noreturn(); 914 } 915 j_j_free(v106); 916 v156 = 0i64; 917 _mm_storeu_si128((__m128i *)&v157, (__m128i)0i64); 918 v16 = (char *)Src[0]; 919 v20 = (char *)v147[0]; 920 } 921 v107 = v161; 922 if ( v161 ) 923 { 924 if ( (unsigned __int64)(4 * ((v162 - (signed __int64)v161) >> 2)) >= 0x1000 ) 925 { 926 v107 = (_BYTE *)*((_QWORD *)v161 - 1); 927 if ( (unsigned __int64)((_BYTE *)v161 - v107 - 8) > 0x1F ) 928 invalid_parameter_noinfo_noreturn(); 929 } 930 j_j_free(v107); 931 v16 = (char *)Src[0]; 932 v20 = (char *)v147[0]; 933 } 934 if ( v18 ) 935 { 936 v108 = v18; 937 if ( (unsigned __int64)(4 * ((v150 - (signed __int64)v18) >> 2)) >= 0x1000 ) 938 { 939 v18 = (_BYTE *)*((_QWORD *)v18 - 1); 940 if ( (unsigned __int64)(v108 - v18 - 8) > 0x1F ) 941 invalid_parameter_noinfo_noreturn(); 942 } 943 j_j_free(v18); 944 v16 = (char *)Src[0]; 945 v20 = (char *)v147[0]; 946 } 947 if ( v20 ) 948 { 949 v109 = v20; 950 if ( (unsigned __int64)(4 * ((v148 - (signed __int64)v20) >> 2)) >= 0x1000 ) 951 { 952 v20 = (char *)*((_QWORD *)v20 - 1); 953 if ( (unsigned __int64)(v109 - v20 - 8) > 0x1F ) 954 invalid_parameter_noinfo_noreturn(); 955 } 956 j_j_free(v20); 957 _mm_storeu_si128((__m128i *)v147, (__m128i)0i64); 958 v148 = 0i64; 959 v16 = (char *)Src[0]; 960 } 961 if ( v16 ) 962 { 963 v110 = v16; 964 if ( ((v146 - (_QWORD)v16) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 ) 965 { 966 v16 = (char *)*((_QWORD *)v16 - 1); 967 if ( (unsigned __int64)(v110 - v16 - 8) > 0x1F ) 968 invalid_parameter_noinfo_noreturn(); 969 } 970 j_j_free(v16); 971 } 972 return v25; 973 }
流程总结
整个过程,有三次输入,定义为变量x, y, z。在满足x < z and x > y的条件下,进行x**3+y**3+z**3=42,搜了一下有关“三次方42”的新闻
得到
(-80538738812075974)^3 + 80435758145817515^3 + 12602123297335631^3 = 42
根据x,y,z关系式得到
x=80435758145817515
y=12602123297335631
z=80538738812075974
将Sleep的时间全部改为0
写出脚本得到flag
get flag!
flag{951e27be2b2f10b7fa22a6dc8f4682bd}
childRE
测试文件:https://www.lanzous.com/i7h66wd
准备
- 64位文件
IDA代码分析
流程总结
- 因此总的运算流程就是:
- 输入长度为31的字符串
- 进行置换运算
- 取消修饰函数名
- 将未修饰函数名的商和余数与指定字符串比较
我们能够逆向操作来得到未修饰的函数名。
获取未修饰函数名
IDA动态调试
写出脚本
str1 = "(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&" str2 = "55565653255552225565565555243466334653663544426565555525555222" str3 = '1234567890-=!@#$%^&*()_+qwertyuiop[]QWERTYUIOP{}asdfghjkl;,ASDFGHJKL:"ZXCVBNM<>?zxcvbnm,./' name = '' for i in range(62): name += chr(str3.index(str1[i]) + str3.index(str2[i])*23 ) print (name)
得到:private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)
使用C++写出一个上面函数的例子:
#include <iostream> class R0Pxx { public: R0Pxx() { My_Aut0_PWN((unsigned char*)"hello"); } private: char* __thiscall My_Aut0_PWN(unsigned char*); }; char* __thiscall R0Pxx::My_Aut0_PWN(unsigned char*) { std::cout << __FUNCDNAME__ << std::endl; return 0; } int main() { R0Pxx A; system("PAUSE"); return 0; }
得到:?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z
置换运算
通过动态调试,发现乱序取值的数值是固定的,因此随便输入一组长度31的字符串(其中的字符不能重复)
反向操作,写出脚本来解决flag
from hashlib import md5 str1 = 'abcdefghijklmnopqrstuvwxyz12345' dec1 = '7071687273696474756A76776B656278796C7A316D6632336E34356F676361'.decode('hex') serial = [] print dec1 for i in dec1: serial.append(str1.index(i)) print serial name = '?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z' enc = [''] * 31 for i in range(31): enc[serial[i]] = name[i] enc = ''.join(enc) print enc print md5(enc).hexdigest()
get flag!
flag{63b148e750fed3a33419168ac58083f5}
Snake
测试文件:https://www.lanzous.com/i7gol0d
Unity逆向
查看DLL文件
运行Snake,查看调用的DLL文件
DLL文件分析
使用ILSpy打开Interface.dll文件
发现了DLL文件使用的函数GameObject
使用IDA打开DLL文件
1 signed __int64 __fastcall GameObject(int a1) 2 { 3 char v1; // di 4 __int64 *v2; // rbx 5 __int64 *v3; // rax 6 int v4; // er8 7 int v5; // er9 8 __int64 v6; // rax 9 _BYTE *v7; // rcx 10 __int64 v8; // rax 11 __int64 v9; // rax 12 __int64 *v10; // rdx 13 __int64 v11; // rax 14 __int64 *v12; // rcx 15 _BYTE *v13; // rcx 16 __int64 v15; // rax 17 int v16; // er8 18 int v17; // er9 19 __int64 v18; // rax 20 __int64 v19; // rax 21 __int64 *v20; // rdx 22 __int64 v21; // rax 23 __int64 *v22; // rcx 24 _BYTE *v23; // rcx 25 _BYTE *v24; // rcx 26 unsigned __int64 v25; // rdx 27 void *v26; // rcx 28 unsigned __int64 v27; // rdx 29 _BYTE *v28; // rcx 30 _BYTE *v29; // rcx 31 _BYTE *v30; // rcx 32 __int64 v31; // rax 33 _BYTE *v32; // rcx 34 __int64 v33; // rax 35 const void *v34; // rdx 36 bool v35; // bl 37 _BYTE *v36; // rcx 38 _BYTE *v37; // rcx 39 __int64 v38; // rax 40 const char *v39; // rdx 41 __int64 v40; // rax 42 __int64 v41; // rax 43 void *v42; // rcx 44 _BYTE *v43; // rcx 45 void *v44; // rcx 46 _BYTE *v45; // rcx 47 void *Memory; // [rsp+20h] [rbp-E0h] 48 _BYTE *v47; // [rsp+28h] [rbp-D8h] 49 __int128 v48; // [rsp+30h] [rbp-D0h] 50 int v49; // [rsp+40h] [rbp-C0h] 51 int v50; // [rsp+48h] [rbp-B8h] 52 int v51; // [rsp+50h] [rbp-B0h] 53 int v52; // [rsp+58h] [rbp-A8h] 54 int v53; // [rsp+60h] [rbp-A0h] 55 int v54; // [rsp+68h] [rbp-98h] 56 int v55; // [rsp+70h] [rbp-90h] 57 __int64 *v56; // [rsp+78h] [rbp-88h] 58 void *Buf1[2]; // [rsp+80h] [rbp-80h] 59 unsigned __int64 v58; // [rsp+90h] [rbp-70h] 60 void *Dst; // [rsp+98h] [rbp-68h] 61 void *v60; // [rsp+A0h] [rbp-60h] 62 __int128 v61; // [rsp+A8h] [rbp-58h] 63 unsigned __int64 v62; // [rsp+B8h] [rbp-48h] 64 __int64 v63; // [rsp+C0h] [rbp-40h] 65 void *v64; // [rsp+C8h] [rbp-38h] 66 __int128 v65; // [rsp+D0h] [rbp-30h] 67 unsigned __int64 v66; // [rsp+E0h] [rbp-20h] 68 __int64 v67; // [rsp+E8h] [rbp-18h] 69 _BYTE *v68; // [rsp+F0h] [rbp-10h] 70 __int128 v69; // [rsp+F8h] [rbp-8h] 71 unsigned __int64 v70; // [rsp+108h] [rbp+8h] 72 __int64 v71; // [rsp+110h] [rbp+10h] 73 void *v72; // [rsp+118h] [rbp+18h] 74 __int64 v73; // [rsp+120h] [rbp+20h] 75 __int128 v74; // [rsp+128h] [rbp+28h] 76 char v75; // [rsp+138h] [rbp+38h] 77 void *v76; // [rsp+140h] [rbp+40h] 78 unsigned __int64 v77; // [rsp+158h] [rbp+58h] 79 80 v50 = 0; 81 v1 = 0; 82 if ( a1 >= 0 ) 83 { 84 if ( (unsigned int)(a1 - 2) <= 0x61 ) // 输入的数字小于等于99 85 { 86 LOBYTE(Memory) = 0; 87 _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 88 sub_180006D10( 89 &Memory, 90 "1399072626417208846352501054493274635311312275165004973073110020948852453223868050494068786439822163264935277024" 91 "1468943993009079475334584417852835617853909482524738983614292847460710826226708785021132264080613569807620798681" 92 "8086837911361480181444157057782599277473843153161174504240064610043962720953514451563", 93 0x135ui64); 94 sub_180001530(&v75, &Memory); 95 LOBYTE(Memory) = 0; 96 _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 97 sub_180006D10( 98 &Memory, 99 "7998185649085699985067170036073312083199999558942120746049018587653186051852759776790516809918289134512387896640" 100 "3548022646956365158864209467614850251731806682037300712511185681164865174187586907707195428804234739667769742078" 101 "793162639867922056194688917569369338005327309973680573581158754297630654105882382426", 102 0x134ui64); 103 sub_180001530(&v63, &Memory); 104 v15 = sub_18000A9D0(&Memory); 105 sub_180001530(&v71, v15); 106 LOBYTE(Memory) = v75; 107 sub_180006C40(&v47, &v76); 108 LOBYTE(Dst) = v71; 109 sub_180006C40(&v60, &v72); 110 LOBYTE(v51) = v63; 111 sub_180006C40(&v52, &v64); 112 sub_180006250(&v67, &v51, &Dst, &Memory); 113 LOBYTE(v51) = v67; 114 sub_180006C40(&v52, &v68); 115 sub_18000AAB0( 116 (unsigned __int64)&v56, 117 (unsigned __int64)&v51, 118 v16, 119 v17, 120 (_DWORD)Memory, 121 (_DWORD)v47, 122 v48, 123 DWORD2(v48), 124 v49, 125 v50, 126 v51, 127 v52, 128 v53, 129 v54, 130 v55, 131 (_DWORD)v56, 132 Buf1[0], 133 Buf1[1], 134 v58, 135 (_DWORD)Dst, 136 (_DWORD)v60, 137 v61, 138 DWORD2(v61), 139 v62, 140 v63, 141 (_DWORD)v64, 142 v65, 143 DWORD2(v65), 144 v66); 145 LOBYTE(Memory) = 0; 146 _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 147 sub_180006D10(&Memory, "flag", 4ui64); 148 v18 = sub_180006C40(&Dst, &v56); 149 if ( sub_18000AFA0(v18, (__int64)&Memory) ) 150 { 151 v19 = sub_18000A7C0(std::cout, "You win! flag is "); 152 std::basic_ostream<char,std::char_traits<char>>::operator<<(v19, sub_18000A990); 153 v20 = (__int64 *)&v56; 154 if ( v58 >= 0x10 ) 155 v20 = v56; 156 v21 = sub_180007570(std::cout, v20, Buf1[1]); 157 } 158 else 159 { 160 v21 = sub_18000A7C0(std::cout, "Try again"); 161 } 162 std::basic_ostream<char,std::char_traits<char>>::operator<<(v21, sub_18000A990); 163 if ( v58 >= 0x10 ) 164 { 165 v22 = v56; 166 if ( v58 + 1 >= 0x1000 ) 167 { 168 v22 = (__int64 *)*(v56 - 1); 169 if ( (unsigned __int64)((char *)v56 - (char *)v22 - 8) > 0x1F ) 170 goto LABEL_50; 171 } 172 j_j_free(v22); 173 } 174 Buf1[1] = 0i64; 175 v58 = 15i64; 176 LOBYTE(v56) = 0; 177 if ( v70 >= 0x10 ) 178 { 179 v23 = v68; 180 if ( v70 + 1 >= 0x1000 ) 181 { 182 v23 = (_BYTE *)*((_QWORD *)v68 - 1); 183 if ( (unsigned __int64)(v68 - v23 - 8) > 0x1F ) 184 goto LABEL_50; 185 } 186 j_j_free(v23); 187 } 188 if ( *((_QWORD *)&v74 + 1) >= 0x10ui64 ) 189 { 190 v24 = v72; 191 if ( (unsigned __int64)(*((_QWORD *)&v74 + 1) + 1i64) >= 0x1000 ) 192 { 193 v24 = (_BYTE *)*((_QWORD *)v72 - 1); 194 if ( (unsigned __int64)((_BYTE *)v72 - v24 - 8) > 0x1F ) 195 goto LABEL_50; 196 } 197 j_j_free(v24); 198 } 199 v25 = v66; 200 LOBYTE(v72) = 0; 201 _mm_storeu_si128((__m128i *)&v74, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 202 if ( v25 < 0x10 ) 203 goto LABEL_47; 204 v26 = v64; 205 if ( v25 + 1 < 0x1000 206 || (v26 = (void *)*((_QWORD *)v64 - 1), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v26 - 8) <= 0x1F) ) 207 { 208 j_j_free(v26); 209 LABEL_47: 210 v27 = v77; 211 LOBYTE(v64) = 0; 212 _mm_storeu_si128((__m128i *)((char *)&v65 + 8), _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 213 if ( v27 >= 0x10 ) 214 { 215 v28 = v76; 216 if ( v27 + 1 >= 0x1000 ) 217 { 218 v28 = (_BYTE *)*((_QWORD *)v76 - 1); 219 if ( (unsigned __int64)((_BYTE *)v76 - v28 - 8) > 0x1F ) 220 goto LABEL_50; 221 } 222 j_j_free(v28); 223 } 224 return 7i64; 225 } 226 LABEL_50: 227 invalid_parameter_noinfo_noreturn(); 228 } 229 if ( (unsigned int)(a1 - 101) > 0x62 ) // 传入的数字大于199则退出 230 return 996i64; 231 v71 = 0i64; 232 v72 = 0i64; 233 v73 = 0i64; 234 *(_QWORD *)&v74 = 0i64; 235 _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 236 LOBYTE(Dst) = 0; 237 sub_180006D10( 238 &Dst, 239 "139907262641720884635250105449327463531131227516500497307311002094885245322386805049406878643982216326493527702414" 240 "689439930090794753345844178528356178539094825247389836142928474607108262267087850211322640806135698076207986818086" 241 "837911361480181444157057782599277473843153161174504240064610043962720953514451563", 242 0x135ui64); 243 sub_1800078F0(&v71, &Dst); 244 if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 ) 245 { 246 v29 = Dst; 247 if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 ) 248 { 249 v29 = (_BYTE *)*((_QWORD *)Dst - 1); 250 if ( (unsigned __int64)((_BYTE *)Dst - v29 - 8) > 0x1F ) 251 goto LABEL_99; 252 } 253 j_j_free(v29); 254 } 255 v63 = 0i64; 256 v64 = 0i64; 257 v65 = 0ui64; 258 _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 259 LOBYTE(Dst) = 0; 260 sub_180006D10( 261 &Dst, 262 "122107611316850260321590575768393047216806481837919054910332579385088745494833866045797079936947058335743437609060" 263 "618364037361749600119005166359303873659401522100249312696661209787316369738806133852177861917757996075304470648951" 264 "037632182891401322685617735478597953000103146149534977902885706852338811895661809", 265 0x135ui64); 266 sub_1800078F0(&v63, &Dst); 267 if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 ) 268 { 269 v30 = Dst; 270 if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 ) 271 { 272 v30 = (_BYTE *)*((_QWORD *)Dst - 1); 273 if ( (unsigned __int64)((_BYTE *)Dst - v30 - 8) > 0x1F ) 274 goto LABEL_99; 275 } 276 j_j_free(v30); 277 } 278 v67 = 0i64; 279 v68 = 0i64; 280 v69 = 0ui64; 281 v31 = sub_18000A9D0(&Memory); 282 sub_1800078F0(&v67, v31); 283 if ( *((_QWORD *)&v48 + 1) >= 0x10ui64 ) 284 { 285 v32 = Memory; 286 if ( (unsigned __int64)(*((_QWORD *)&v48 + 1) + 1i64) >= 0x1000 ) 287 { 288 v32 = (_BYTE *)*((_QWORD *)Memory - 1); 289 if ( (unsigned __int64)((_BYTE *)Memory - v32 - 8) > 0x1F ) 290 invalid_parameter_noinfo_noreturn(); 291 } 292 j_j_free(v32); 293 } 294 v56 = 0i64; 295 Buf1[0] = 0i64; 296 Buf1[1] = 0i64; 297 v58 = 0i64; 298 sub_180009B40(&v63, &v56, &v67, &v71); 299 LOBYTE(Dst) = 0; 300 _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 301 sub_180006D10(&Dst, "7777777", 7ui64); 302 v33 = sub_1800078F0(&Memory, &Dst); 303 v35 = 0; 304 if ( (_BYTE)v56 == *(_BYTE *)v33 ) 305 { 306 v34 = *(const void **)(v33 + 8); 307 if ( !(((Buf1[1] - Buf1[0]) ^ (*(_QWORD *)(v33 + 16) - (_QWORD)v34)) & 0xFFFFFFFFFFFFFFFCui64) 308 && !memcmp(Buf1[0], v34, Buf1[1] - Buf1[0]) ) 309 { 310 v35 = 1; 311 } 312 } 313 v36 = v47; 314 if ( v47 ) 315 { 316 if ( ((*((_QWORD *)&v48 + 1) - (_QWORD)v47) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 ) 317 { 318 v36 = (_BYTE *)*((_QWORD *)v47 - 1); 319 if ( (unsigned __int64)(v47 - v36 - 8) > 0x1F ) 320 LABEL_79: 321 invalid_parameter_noinfo_noreturn(); 322 } 323 j_j_free(v36); 324 v47 = 0i64; 325 _mm_storeu_si128((__m128i *)&v48, (__m128i)0i64); 326 } 327 if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 ) 328 { 329 v37 = Dst; 330 if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 ) 331 { 332 v37 = (_BYTE *)*((_QWORD *)Dst - 1); 333 if ( (unsigned __int64)((_BYTE *)Dst - v37 - 8) > 0x1F ) 334 goto LABEL_79; 335 } 336 j_j_free(v37); 337 } 338 if ( v35 ) 339 { 340 v38 = sub_18000A7C0(std::cout, "EDG fight for S10"); 341 std::basic_ostream<char,std::char_traits<char>>::operator<<(v38, sub_18000A990); 342 v39 = "You fight for the next snake"; 343 } 344 else 345 { 346 v40 = sub_18000A7C0(std::cout, "EDG failed to fight for their S9"); 347 std::basic_ostream<char,std::char_traits<char>>::operator<<(v40, sub_18000A990); 348 v39 = "But you can fight for next snake"; 349 } 350 v41 = sub_18000A7C0(std::cout, v39); 351 std::basic_ostream<char,std::char_traits<char>>::operator<<(v41, sub_18000A990); 352 v42 = Buf1[0]; 353 if ( Buf1[0] ) 354 { 355 if ( ((v58 - (unsigned __int64)Buf1[0]) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 ) 356 { 357 v42 = (void *)*((_QWORD *)Buf1[0] - 1); 358 if ( (unsigned __int64)(Buf1[0] - v42 - 8) > 0x1F ) 359 goto LABEL_99; 360 } 361 j_j_free(v42); 362 v58 = 0i64; 363 _mm_storeu_si128((__m128i *)Buf1, (__m128i)0i64); 364 } 365 v43 = v68; 366 if ( v68 ) 367 { 368 if ( ((*((_QWORD *)&v69 + 1) - (_QWORD)v68) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 ) 369 { 370 v43 = (_BYTE *)*((_QWORD *)v68 - 1); 371 if ( (unsigned __int64)(v68 - v43 - 8) > 0x1F ) 372 goto LABEL_99; 373 } 374 j_j_free(v43); 375 v68 = 0i64; 376 _mm_storeu_si128((__m128i *)&v69, (__m128i)0i64); 377 } 378 v44 = v64; 379 if ( !v64 ) 380 goto LABEL_96; 381 if ( ((*((_QWORD *)&v65 + 1) - (_QWORD)v64) & 0xFFFFFFFFFFFFFFFCui64) < 0x1000 382 || (v44 = (void *)*((_QWORD *)v64 - 1), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v44 - 8) <= 0x1F) ) 383 { 384 j_j_free(v44); 385 v64 = 0i64; 386 _mm_storeu_si128((__m128i *)&v65, (__m128i)0i64); 387 LABEL_96: 388 v45 = v72; 389 if ( v72 ) 390 { 391 if ( (((_QWORD)v74 - (_QWORD)v72) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 ) 392 { 393 v45 = (_BYTE *)*((_QWORD *)v72 - 1); 394 if ( (unsigned __int64)((_BYTE *)v72 - v45 - 8) > 0x1F ) 395 goto LABEL_99; 396 } 397 j_j_free(v45); 398 } 399 return 996i64; 400 } 401 LABEL_99: 402 invalid_parameter_noinfo_noreturn(); 403 } 404 LOBYTE(Memory) = 0; 405 _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70)); 406 sub_180006D10(&Memory, "35297982045181952350813323813224883208572049226586980", 0x35ui64); 407 sub_180001530(&Dst, &Memory); 408 v2 = &qword_180012038; 409 v3 = &qword_180012038; 410 if ( *((_QWORD *)&xmmword_180012048 + 1) >= 0x10ui64 ) 411 v3 = (__int64 *)qword_180012038; 412 if ( (_QWORD)xmmword_180012048 == 4i64 && *(_DWORD *)v3 == *(_DWORD *)"null" ) 413 { 414 v75 = (char)Dst; 415 sub_180006C40(&v76, &v60); 416 v6 = sub_18000AAB0( 417 (unsigned __int64)&Memory, 418 (unsigned __int64)&v75, 419 v4, 420 v5, 421 (_DWORD)Memory, 422 (_DWORD)v47, 423 v48, 424 DWORD2(v48), 425 v49, 426 v50, 427 v51, 428 v52, 429 v53, 430 v54, 431 v55, 432 (_DWORD)v56, 433 Buf1[0], 434 Buf1[1], 435 v58, 436 (_DWORD)Dst, 437 (_DWORD)v60, 438 v61, 439 DWORD2(v61), 440 v62, 441 v63, 442 (_DWORD)v64, 443 v65, 444 DWORD2(v65), 445 v66); 446 v2 = (__int64 *)sub_180006A70(&qword_180012038, v6); 447 v1 = 1; 448 } 449 sub_180006C40(&v56, v2); 450 if ( v1 & 1 && *((_QWORD *)&v48 + 1) >= 0x10ui64 ) 451 { 452 v7 = Memory; 453 if ( (unsigned __int64)(*((_QWORD *)&v48 + 1) + 1i64) >= 0x1000 ) 454 { 455 v7 = (_BYTE *)*((_QWORD *)Memory - 1); 456 if ( (unsigned __int64)((_BYTE *)Memory - v7 - 8) > 0x1F ) 457 invalid_parameter_noinfo_noreturn(); 458 } 459 j_j_free(v7); 460 } 461 v8 = sub_18000A7C0(std::cout, "If SKT win S9 champion"); 462 v9 = sub_18000A7C0(v8, "this is real flag"); 463 std::basic_ostream<char,std::char_traits<char>>::operator<<(v9, sub_18000A990); 464 v10 = (__int64 *)&v56; 465 if ( v58 >= 0x10 ) 466 v10 = v56; 467 v11 = sub_180007570(std::cout, v10, Buf1[1]); 468 std::basic_ostream<char,std::char_traits<char>>::operator<<(v11, sub_18000A990); 469 if ( v58 >= 0x10 ) 470 { 471 v12 = v56; 472 if ( v58 + 1 >= 0x1000 ) 473 { 474 v12 = (__int64 *)*(v56 - 1); 475 if ( (unsigned __int64)((char *)v56 - (char *)v12 - 8) > 0x1F ) 476 LABEL_22: 477 invalid_parameter_noinfo_noreturn(); 478 } 479 j_j_free(v12); 480 } 481 Buf1[1] = 0i64; 482 v58 = 15i64; 483 LOBYTE(v56) = 0; 484 if ( v62 >= 0x10 ) 485 { 486 v13 = v60; 487 if ( v62 + 1 >= 0x1000 ) 488 { 489 v13 = (_BYTE *)*((_QWORD *)v60 - 1); 490 if ( (unsigned __int64)((_BYTE *)v60 - v13 - 8) > 0x1F ) 491 goto LABEL_22; 492 } 493 j_j_free(v13); 494 } 495 return 0xFFFFFFFFi64; 496 }
判断出GameObject函数传入的参数,最大应该是199,因此直接写程序,调用DLL文件,爆破求flag
爆破求解
开多个进程,同时求解。
#include <Windows.h> #include <iostream> #include <libloaderapi.h> using namespace std; int main(int argc, char* argv[]) { const char* funcName = "GameObject"; HMODULE hDLL = LoadLibrary(TEXT("C:\\Users\\10245\\Desktop\\Snake\\Snake_Data\\Plugins\\Interface.dll")); if (hDLL != NULL) { cout << "Load Success!" << endl; typedef int(_cdecl *FuncPtr)(int); FuncPtr func = (FuncPtr)GetProcAddress(hDLL, funcName); func(atoi(argv[1])); } else { cout << "Load Failed!" << endl; } system("PAUSE"); return 0; }
get flag!
flag{Ch4rp_W1th_R$@}
