re | [NPUCTF2020]EzReverse

re | [NPUCTF2020]EzReverse

x64 linux 花指令

直接去花然后调整栈平衡f5,目测比较单纯:

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 *v3; // rbx
  char v4; // al
  __int64 v5; // rax

  v3 = (__int64 *)malloc(392uLL);               // 长度为49的int64数组
                                                // 根据下方-7的操作来看是7*7的二维数组
  *v3 = 234545231LL;
  v3[1] = 344556530LL;
  p_v3 = (__int64)v3;
  v3[7] = 1423431LL;
  v3[2] = 453523423550LL;
  v3[8] = 54535240LL;
  v3[3] = 46563455531LL;
  v3[9] = 234242550LL;
  v3[4] = 34524345344661LL;
  v3[12] = 123422421LL;
  v3[5] = 34533453453451LL;
  v3[13] = 2342420LL;
  v3[6] = 2343423124234420LL;
  v3[14] = 23414141LL;
  v3[10] = 23424242441LL;
  v3[15] = 23424420LL;
  v3[11] = 2345355345430LL;
  v3[16] = 13535231LL;
  v3[18] = 23423414240LL;
  v3[17] = 2341LL;
  v3[20] = 53366745350LL;
  v3[19] = 1234422441LL;
  v3[27] = 3453326640LL;
  v3[21] = 253244531LL;
  v3[28] = 245332535325535341LL;
  v3[22] = 45463320LL;
  v3[29] = 7568546234640LL;
  v3[23] = 24532661LL;
  v3[30] = 23445576731LL;
  v3[24] = 23433430LL;
  v3[25] = 23453660LL;
  v3[26] = 3453661LL;
  v3[31] = 234534460LL;
  v3[33] = 34455344551LL;
  v3[35] = 2354657721451LL;
  v3[32] = 234364561LL;
  v3[36] = 23464664430LL;
  v3[34] = 2345670LL;
  v3[39] = 23643643334561LL;
  v3[37] = 245646441LL;
  v3[40] = 2346463450LL;
  v3[38] = 234644640LL;
  v3[41] = 2343345620LL;
  v3[42] = 3444651LL;
  v3[43] = 23451LL;
  v3[44] = 67541LL;
  v3[45] = 34575860LL;
  v3[46] = 67856741LL;
  v3[47] = 567678671LL;
  v3[48] = 567565671LL;
  puts("Input your flag:");
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          do
            v4 = _IO_getc(stdin);
          while ( v4 == 10 );                   // 循环读取直到换行
                                                // 输入其实就是h j k l 4种,估摸着是什么游戏
          if ( v4 != 'h' )
            break;
          if ( ((signed __int64)v3 - p_v3) >> 3 != 7
                                                 * (((signed __int64)((unsigned __int128)(0x4924924924924925LL
                                                                                        * (signed __int128)(((signed __int64)v3 - p_v3) >> 3)) >> 64) >> 1)
                                                  - (((signed __int64)v3 - p_v3) >> '?')) )
          {
            --v3;
            goto LABEL_11;
          }
        }
        if ( v4 != 'j' )
          break;
        if ( (unsigned __int64)v3 - p_v3 > 48 )
        {
          v3 -= 7;
          goto LABEL_11;
        }
      }
      if ( v4 == 'k' )
        break;
      if ( v4 == 'l' && (((signed __int64)v3 - p_v3) >> 3) % 7 != 6 )
      {
        ++v3;
        goto LABEL_11;
      }
    }
    if ( (unsigned __int64)((char *)v3 - p_v3 - 329) > '7' )
    {
      v3 += 7;
LABEL_11:
      v5 = *v3;
      if ( *v3 == 567565671 )
      {
        puts("Congratulations!");
        puts("The flag is: flag{ YOUR INPUT }");
        exit(0);
      }
      if ( !(v5 & 1) )
        break;
    }
  }
  puts("You Failed!");
  return 0LL;
}

目测7*7矩阵,打出来看一下:
image

h向左
j向上
k向下
l向右
直接观察出最后一位是迷宫,出结果:
kkkkkklljjjjljjllkkkkhkkll

中间应该是加了ollvm的混淆,可是并不重要,因为逆向可以猜,所以充满浪漫色彩。

posted @ 2023-01-13 13:33  Mz1  阅读(105)  评论(1编辑  收藏  举报