xx
测试文件:https://www.lanzous.com/i7dyqhc
准备
获取信息
- 64位文件
IDA打开
使用Findcrypt脚本可以看到
结合文件名是xx,因此猜测代码用到了xxtea加密方法
流程总结
因此,总的流程为:
- 判断输入的字符串的每个字符是否包含在"qwertyuiopasdfghjklzxcvbnm1234567890"中
- 取输入字符串的前4位字符,即"flag",扩展为16位,作为xxtea加密的秘钥key
- 将输入的字符串使用key加密,加密后的字符保存在字符数组v18,共24位字符
- 打乱v18数组,保存到v19数组中
- 将24位字符,每3位为一组,每一组异或值(具体看代码),得到新的加密字符串
- 将新的加密字符串与已经存在的字符串比较,相同即获得胜利
因此,只需要逆向变换,就能得到flag
使用动态调试,可以获取到已经存在的字符串
enc = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'
脚本解密
Python带了xxtea的包,不过我用的时候,一直提示我“ValueError: Need a 16-byte key.”,用rjust或者'\x00'*16补足了16位也不管用。(已解决)
import xxtea
result = 'CE BC 40 6B 7C 3A 95 C0 EF 9B 20 20 91 F7 02 35 23 18 02 C8 E7 56 56 FA'.split(" ")
res = [int(i,16) for i in result]
for i in range(7,-1,-1):
t = 0
for n in range(0,i):
if t == 0 :
t = res[0]
else :
t ^= res[n]
for j in range(3) :
res[i*3+j] ^= t
box = [1,3,0,2,5,7,4,6,9,11,8,10,13,15,12,14,17,19,16,18,21,23,20,22]
m = []
for i in range(len(box)):
m.append(res[box[i]])
key = 'flag'+'\x00'*12
print(xxtea.decrypt(bytes(m),key,padding=False))xxtea解密
所以用了另外一种方法,借用了下面xxtea的文章:
参考文章:https://blog.csdn.net/weixin_41474364/article/details/84314674
# encoding: utf-8
import struct _DELTA = 0x9E3779B9 def _long2str(v, w):
n = (len(v) - 1) << 2
if w:
m = v[-1]
if (m < n - 3) or (m > n): return ''
n = m
s = struct.pack('<%iL' % len(v), *v)
return s[0:n] if w else s def _str2long(s, w):
n = len(s)
m = (4 - (n & 3) & 3) + n
s = s.ljust(m, "\0")
v = list(struct.unpack('<%iL' % (m >> 2), s))
if w: v.append(n)
return v def encrypt(str, key):
if str == '': return str
v = _str2long(str, True)
k = _str2long(key.ljust(16, "\0"), False)
n = len(v) - 1
z = v[n]
y = v[0]
sum = 0
q = 6 + 52 // (n + 1)
while q > 0:
sum = (sum + _DELTA) & 0xffffffff
e = sum >> 2 & 3
for p in xrange(n):
y = v[p + 1]
v[p] = (v[p] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
z = v[p]
y = v[0]
v[n] = (v[n] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[n & 3 ^ e] ^ z))) & 0xffffffff
z = v[n]
q -= 1
return _long2str(v, False) def decrypt(str, key):
if str == '': return str
v = _str2long(str, False)
k = _str2long(key.ljust(16, "\0"), False)
n = len(v) - 1
z = v[n]
y = v[0]
q = 6 + 52 // (n + 1)
sum = (q * _DELTA) & 0xffffffff
while (sum != 0):
e = sum >> 2 & 3
for p in xrange(n, 0, -1):
z = v[p - 1]
v[p] = (v[p] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
y = v[p]
z = v[n]
v[0] = (v[0] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[0 & 3 ^ e] ^ z))) & 0xffffffff
y = v[0]
sum = (sum - _DELTA) & 0xffffffff
return _long2str(v, True) def xor(x ,y):
return ord(x) ^ ord(y) # 转换为16进制
arr = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'.decode('hex') dec = '' # 因为加密时是正向加密,会用到加密之后的字符,因此解密需要逆向解密
for i in range(7,-1,-1):
res = ''
# 每3个为一组
for j in range(3):
temp = ord(arr[i*3+j])
# 需要异或的值,例如第i组的值就是,arr[i*3+j]^(arr[n] for n in range(i))
for m in range(i):
temp ^= ord(arr[m])
res += chr(temp)
dec = res + dec # 原来的v18到v19数组是被打乱排序了的
num = [2,0,3,1,6,4,7,5,10,8,11,9,14,12,15,13,18,16,19,17,22,20,23,21]
enc = [0] * 24
# key需要是16位
key = 'flag'+'\x00'*12
for i in range(24):
enc[num[i]] = dec[i]
dec2 = ''.join(enc) dec3 = decrypt(dec2, key)
print dec3
get flag!
flag{CXX_and_++tea}easyRE
测试文件:https://share.weiyun.com/5qzM6bU
准备
获取信息
- 64位文件
IDA打开
signed __int64 sub_4009C6()
{
char *v0; // rsi
char *v1; // rdi
signed __int64 result; // rax
__int64 v3; // ST10_8
__int64 v4; // ST18_8
__int64 v5; // ST20_8
__int64 v6; // ST28_8
__int64 v7; // ST30_8
__int64 v8; // ST38_8
__int64 v9; // ST40_8
__int64 v10; // ST48_8
__int64 v11; // ST50_8
__int64 v12; // ST58_8
int i; // [rsp+Ch] [rbp-114h]
char arraym[]; // [rsp+60h] [rbp-C0h]
char v15[]; // [rsp+90h] [rbp-90h]
int v16; // [rsp+B0h] [rbp-70h]
char v17; // [rsp+B4h] [rbp-6Ch]
char v18; // [rsp+C0h] [rbp-60h]
char v19; // [rsp+E7h] [rbp-39h]
char v20; // [rsp+100h] [rbp-20h]
unsigned __int64 v21; // [rsp+108h] [rbp-18h] v21 = __readfsqword(0x28u);
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
arraym[] = ;
memset(v15, , sizeof(v15));
v16 = ;
v17 = ;
v0 = v15;
sub_4406E0(0LL, (__int64)v15);
v17 = ;
v1 = v15;
if ( sub_424BA0(v15) == )
{
for ( i = ; ; ++i )
{
v1 = v15;
if ( i >= (unsigned __int64)sub_424BA0(v15) )
break;
if ( (unsigned __int8)(v15[i] ^ i) != arraym[i] )
{
result = 4294967294LL;
goto LABEL_13;
}
}
sub_410CC0("continue!");
memset(&v18, , 0x40uLL);
v20 = ;
v0 = &v18;
sub_4406E0(0LL, (__int64)&v18);
v19 = ;
v1 = &v18;
if ( sub_424BA0(&v18) == )
{
v3 = sub_400E44(&v18);
v4 = sub_400E44(v3);
v5 = sub_400E44(v4);
v6 = sub_400E44(v5);
v7 = sub_400E44(v6);
v8 = sub_400E44(v7);
v9 = sub_400E44(v8);
v10 = sub_400E44(v9);
v11 = sub_400E44(v10);
v12 = sub_400E44(v11);
v0 = off_6CC090;
v1 = (char *)v12;
if ( !(unsigned int)sub_400360(v12, off_6CC090) )
{
sub_410CC0("You found me!!!");
v1 = "bye bye~";
sub_410CC0("bye bye~");
}
result = 0LL;
}
else
{
result = 4294967293LL;
}
}
else
{
result = 0xFFFFFFFFLL;
}
LABEL_13:
if ( __readfsqword(0x28u) != v21 )
sub_444020(v1, v0);
return result;
}
代码分析
首先有两次输入,第一次输入32位字符串,将每位字符异或后与已存在的marray数组比较,因此可以写出脚本,正确输入
arr = [73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125,
119,101,107,57,123,105,121,61,126,121,76,64,69,67] dec = ''
for i in range(36):
dec += chr(arr[i]^i) print(dec)
第二次输入,将输入的字符串进行10次base64加密后,与已知的字符串比较,反向解密就行
enc = "Vm0wd2VHUXhTWGhpUm1SWVYwZDRWVll3Wkc5WFJsbDNXa1pPVlUxV2NIcFhhMk0xVmpKS1NHVkdXbFpOYmtKVVZtcEtTMUl5VGtsaVJtUk9ZV3hhZVZadGVHdFRNVTVYVW01T2FGSnRVbGhhVjNoaFZWWmtWMXBFVWxSTmJFcElWbTAxVDJGV1NuTlhia0pXWWxob1dGUnJXbXRXTVZaeVdrWm9hVlpyV1hwV1IzaGhXVmRHVjFOdVVsWmlhMHBZV1ZSR1lWZEdVbFZTYlhSWFRWWndNRlZ0TVc5VWJGcFZWbXR3VjJKSFVYZFdha1pXWlZaT2NtRkhhRk5pVjJoWVYxZDBhMVV3TlhOalJscFlZbGhTY1ZsclduZGxiR1J5VmxSR1ZXSlZjRWhaTUZKaFZqSktWVkZZYUZkV1JWcFlWV3BHYTFkWFRrZFRiV3hvVFVoQ1dsWXhaRFJpTWtsM1RVaG9hbEpYYUhOVmJUVkRZekZhY1ZKcmRGTk5Wa3A2VjJ0U1ExWlhTbFpqUldoYVRVWndkbFpxUmtwbGJVWklZVVprYUdFeGNHOVhXSEJIWkRGS2RGSnJhR2hTYXpWdlZGVm9RMlJzV25STldHUlZUVlpXTlZadE5VOVdiVXBJVld4c1dtSllUWGhXTUZwell6RmFkRkpzVWxOaVNFSktWa1phVTFFeFduUlRhMlJxVWxad1YxWnRlRXRXTVZaSFVsUnNVVlZVTURrPQ==" for i in range(10):
enc = enc.decode('base64')
print (enc)
在第二次输入加密后对比的常量下面,还发现了一个常量,在sub_400D35函数中调用
__int64 __fastcall sub_400D35(__int64 a1, __int64 a2)
{
__int64 v2; // rdi
__int64 result; // rax
unsigned __int64 v4; // rt1
unsigned int v5; // [rsp+Ch] [rbp-24h]
signed int i; // [rsp+10h] [rbp-20h]
signed int j; // [rsp+14h] [rbp-1Ch]
unsigned int v8; // [rsp+24h] [rbp-Ch]
unsigned __int64 v9; // [rsp+28h] [rbp-8h] v9 = __readfsqword(0x28u);
v2 = 0LL;
v5 = sub_43FD20(0LL) - qword_6CEE38;
for ( i = 0; i <= 1233; ++i )
{
v2 = v5;
sub_40F790(v5);
sub_40FE60();
sub_40FE60();
v5 = (unsigned __int64)sub_40FE60() ^ 0x98765432;
}
v8 = v5;
if ( ((unsigned __int8)v5 ^ byte_6CC0A0[0]) == 'f' && (HIBYTE(v8) ^ (unsigned __int8)byte_6CC0A3) == 'g' )
{
for ( j = 0; j <= 24; ++j )
{
v2 = (unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v8 + j % 4));
sub_410E90(v2);
}
}
v4 = __readfsqword(0x28u);
result = v4 ^ v9;
if ( v4 != v9 )
sub_444020(v2, a2);
return result;
}
两段异或,第一段异或,能够通过'flag'和已知数组反向解出v5
第二段异或。通过已知数组和v5解出flag
key = ''
enc1 = 'flag'
dec = ''
enc = [0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
for i in range(4):
key += chr(enc[i] ^ ord(enc1[i]))
print (key) for i in range(len(enc)):
dec += chr(enc[i] ^ ord(key[i%4]))
print(dec)
get flag!
calc
测试文件:https://www.lanzous.com/i7frprg
准备
获取信息
- 64位文件
IDA打开
__int64 sub_140002540()
{
__int64 v0; // rax
__int64 v1; // rax
__int64 v2; // rax
__int64 v3; // rax
__int64 v4; // rax
void *v5; // rcx
void *v6; // rcx
void *v7; // rcx
__int64 v8; // rax
__int64 v9; // rax
void *v10; // rcx
void *v11; // rcx
void *v12; // rcx
__int64 v13; // rax
void *v14; // rcx
void *v15; // rcx
char *v16; // r8
unsigned __int64 v17; // r11
_BYTE *v18; // rbx
unsigned __int64 v19; // rax
char *v20; // r9
bool v21; // al
int v22; // er10
__int64 v23; // rdx
_DWORD *v24; // rcx
unsigned int v25; // edi
_BYTE *v26; // rcx
unsigned __int64 v27; // rax
bool v28; // al
int v29; // er10
__int64 v30; // rdx
_DWORD *v31; // rcx
__int64 v32; // rax
__int64 v33; // rax
__int64 v34; // r14
__int64 v35; // rbx
__int64 v36; // rax
__int64 v37; // r15
const void *v38; // rsi
_BYTE *v39; // rdi
unsigned __int64 v40; // rbx
size_t v41; // rbx
__int64 v42; // rax
__int64 v43; // rcx
char *v44; // rax
char *v45; // rbx
__int64 v46; // rax
__int64 v47; // rbx
__int64 v48; // rax
__int64 v49; // rax
_QWORD *v50; // rcx
__int64 v51; // rax
__int64 v52; // rax
void *v53; // rcx
void *v54; // rcx
_BYTE *v55; // rcx
_BYTE *v56; // rcx
_BYTE *v57; // rcx
_BYTE *v58; // rcx
_BYTE *v59; // rcx
_BYTE *v60; // rcx
void *v61; // rcx
void *v62; // rcx
void *v63; // rcx
void *v64; // rcx
__int64 v65; // rsi
__int64 v66; // rax
__int64 v67; // rbx
__int64 v68; // rax
void **v69; // rdi
__int64 v70; // rax
__int64 v71; // rax
_QWORD *v72; // rcx
__int64 v73; // rax
__int64 v74; // rax
void *v75; // rcx
__int64 v76; // rax
__int64 v77; // rax
void *v78; // rcx
_BYTE *v79; // rcx
_BYTE *v80; // rcx
_BYTE *v81; // rcx
_BYTE *v82; // rcx
void *v83; // rcx
void *v84; // rcx
void *v85; // rcx
void *v86; // rcx
char *v87; // r15
__int64 v88; // rcx
char *v89; // r14
int v90; // eax
__int64 v91; // rdx
_DWORD *v92; // rcx
_BYTE *v93; // rcx
_BYTE *v94; // rax
int v95; // eax
__int64 v96; // rsi
_BYTE *v97; // rcx
_BYTE *v98; // rax
int v99; // eax
__int64 v100; // rsi
_BYTE *v101; // rsi
int v102; // eax
__int64 i; // rsi
char *v104; // rax
char *v105; // rax
_BYTE *v106; // rcx
_BYTE *v107; // rcx
_BYTE *v108; // rax
char *v109; // rax
char *v110; // rax
void *v112[]; // [rsp+20h] [rbp-E0h]
__int64 v113; // [rsp+30h] [rbp-D0h]
void *v114[]; // [rsp+38h] [rbp-C8h]
char *v115; // [rsp+48h] [rbp-B8h]
void **v116; // [rsp+50h] [rbp-B0h]
void *Memory[]; // [rsp+58h] [rbp-A8h]
__int64 v118; // [rsp+68h] [rbp-98h]
void *v119[]; // [rsp+70h] [rbp-90h]
__int64 v120; // [rsp+80h] [rbp-80h]
void *v121[]; // [rsp+88h] [rbp-78h]
__int64 v122; // [rsp+98h] [rbp-68h]
void *v123[]; // [rsp+A0h] [rbp-60h]
__int64 v124; // [rsp+B0h] [rbp-50h]
void *v125[]; // [rsp+B8h] [rbp-48h]
__int64 v126; // [rsp+C8h] [rbp-38h]
void *v127; // [rsp+D0h] [rbp-30h]
__int64 v128; // [rsp+D8h] [rbp-28h]
__int64 v129; // [rsp+E0h] [rbp-20h]
void *v130; // [rsp+E8h] [rbp-18h]
__int64 v131; // [rsp+F0h] [rbp-10h]
__int64 v132; // [rsp+F8h] [rbp-8h]
void *v133; // [rsp+100h] [rbp+0h]
__int64 v134; // [rsp+108h] [rbp+8h]
__int64 v135; // [rsp+110h] [rbp+10h]
void *v136; // [rsp+118h] [rbp+18h]
__int64 v137; // [rsp+120h] [rbp+20h]
__int64 v138; // [rsp+128h] [rbp+28h]
char v139; // [rsp+130h] [rbp+30h]
void *v140; // [rsp+148h] [rbp+48h]
__int64 v141; // [rsp+150h] [rbp+50h]
__int64 v142; // [rsp+158h] [rbp+58h]
char v143; // [rsp+160h] [rbp+60h]
__int64 v144; // [rsp+178h] [rbp+78h]
void *Src[]; // [rsp+180h] [rbp+80h]
__int64 v146; // [rsp+190h] [rbp+90h]
void *v147[]; // [rsp+198h] [rbp+98h]
__int64 v148; // [rsp+1A8h] [rbp+A8h]
void *v149[]; // [rsp+1B0h] [rbp+B0h]
__int64 v150; // [rsp+1C0h] [rbp+C0h]
void *v151; // [rsp+1C8h] [rbp+C8h]
__int128 v152; // [rsp+1D0h] [rbp+D0h]
void *v153; // [rsp+1E0h] [rbp+E0h]
__int64 v154; // [rsp+1E8h] [rbp+E8h]
__int64 v155; // [rsp+1F0h] [rbp+F0h]
void *v156; // [rsp+1F8h] [rbp+F8h]
__int64 v157; // [rsp+200h] [rbp+100h]
__int64 v158; // [rsp+208h] [rbp+108h]
void *v159; // [rsp+210h] [rbp+110h]
__int64 v160; // [rsp+220h] [rbp+120h]
void *v161; // [rsp+228h] [rbp+128h]
__int64 v162; // [rsp+238h] [rbp+138h] v0 = sub_140004120(std::cout, "A few days ago,Someone asked me for Windows RE...");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v0, sub_1400042F0);
v1 = sub_140004120(std::cout, "But Windows + STL is terrible!");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v1, sub_1400042F0);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)Src, (__m128i)0i64);
v146 = 0i64;
sub_140004330(Src, 0i64, &v144);
sub_140001270(Src);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v147, (__m128i)0i64);
v148 = 0i64;
sub_140004330(v147, 0i64, &v144);
sub_140001270(v147);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v149, (__m128i)0i64);
v150 = 0i64;
sub_140004330(v149, 0i64, &v144);
sub_140001270(v149);
v2 = sub_140004120(std::cout, "Enjoy it");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v2, sub_1400042F0);
sub_1400013D0(std::cin, Src);
v3 = sub_140004120(std::cout, "Calculating...");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v3, sub_1400042F0);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
v115 = 0i64;
sub_140004330(v114, 0i64, &v144);
sub_140001270(v114);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
v113 = 0i64;
sub_140004330(v112, 0i64, &v144);
sub_140001270(v112);
v4 = cacl_pow(Memory, Src, v112);
calc_mul(&v161, v4, v114);
v5 = Memory[];
if ( Memory[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v118 - (unsigned __int64)Memory[]) >> )) >= 0x1000 )
{
v5 = (void *)*((_QWORD *)Memory[] - );
if ( (unsigned __int64)(Memory[] - v5 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v5);
Memory[] = 0i64;
_mm_storeu_si128((__m128i *)&Memory[], (__m128i)0i64);
}
v6 = v112[];
if ( v112[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v113 - (unsigned __int64)v112[]) >> )) >= 0x1000 )
{
v6 = (void *)*((_QWORD *)v112[] - );
if ( (unsigned __int64)(v112[] - v6 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v6);
}
v7 = v114[];
if ( v114[] )
{
if ( (unsigned __int64)( * ((v115 - (char *)v114[]) >> )) >= 0x1000 )
{
v7 = (void *)*((_QWORD *)v114[] - );
if ( (unsigned __int64)(v114[] - v7 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v7);
}
Sleep(0x75BCD15u);
sub_1400013D0(std::cin, v147);
v8 = sub_140004120(std::cout, "Calculating......");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_1400042F0);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
v115 = 0i64;
sub_140004330(v114, 0i64, &v144);
sub_140001270(v114);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
v113 = 0i64;
sub_140004330(v112, 0i64, &v144);
sub_140001270(v112);
v9 = calc_mul(Memory, v147, v112);
cacl_pow(&v156, v9, v114);
v10 = Memory[];
if ( Memory[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v118 - (unsigned __int64)Memory[]) >> )) >= 0x1000 )
{
v10 = (void *)*((_QWORD *)Memory[] - );
if ( (unsigned __int64)(Memory[] - v10 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v10);
Memory[] = 0i64;
_mm_storeu_si128((__m128i *)&Memory[], (__m128i)0i64);
}
v11 = v112[];
if ( v112[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v113 - (unsigned __int64)v112[]) >> )) >= 0x1000 )
{
v11 = (void *)*((_QWORD *)v112[] - );
if ( (unsigned __int64)(v112[] - v11 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v11);
}
v12 = v114[];
if ( v114[] )
{
if ( (unsigned __int64)( * ((v115 - (char *)v114[]) >> )) >= 0x1000 )
{
v12 = (void *)*((_QWORD *)v114[] - );
if ( (unsigned __int64)(v114[] - v12 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v12);
}
Sleep(0x3ADE68B1u);
sub_1400013D0(std::cin, v149);
sub_140004120(std::cout, "Calculating............");
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
v113 = 0i64;
sub_140004330(v112, 0i64, &v144);
sub_140001270(v112);
v13 = calc_mul(Memory, v112, v149);
calc_mul(&v159, v13, v149);
v14 = Memory[];
if ( Memory[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v118 - (unsigned __int64)Memory[]) >> )) >= 0x1000 )
{
v14 = (void *)*((_QWORD *)Memory[] - );
if ( (unsigned __int64)(Memory[] - v14 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v14);
Memory[] = 0i64;
_mm_storeu_si128((__m128i *)&Memory[], (__m128i)0i64);
}
v15 = v112[];
if ( v112[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v113 - (unsigned __int64)v112[]) >> )) >= 0x1000 )
{
v15 = (void *)*((_QWORD *)v112[] - );
if ( (unsigned __int64)(v112[] - v15 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v15);
}
Sleep(0x7777777u);
v16 = (char *)Src[]; // 需要满足 x < z
v17 = (_QWORD)(Src[] - Src[]) >> ;
v18 = v149[];
v19 = (_QWORD)(v149[] - v149[]) >> ;
v20 = (char *)v147[];
if ( v17 == v19 )
{
v22 = v17 - ;
if ( (signed int)v17 - < )
goto LABEL_47;
v23 = v22;
v24 = (char *)v149[] + * v22;
while ( *(_DWORD *)((char *)v24 + Src[] - v149[]) == *v24 )
{
--v22;
--v24;
if ( --v23 < )
goto LABEL_47;
}
v21 = *((_DWORD *)Src[] + v22) < *((_DWORD *)v149[] + v22);
}
else
{
v21 = v17 < v19;
}
if ( !v21 )
goto LABEL_47;
v27 = (_QWORD)(v147[] - v147[]) >> ; // 需要瞒住x > y
if ( v27 != v17 )
{
v28 = v27 < v17;
goto LABEL_62;
}
v29 = v27 - ;
if ( (signed int)v27 - < )
{
LABEL_47:
v25 = -;
goto LABEL_48;
}
v30 = v29;
v31 = (char *)Src[] + * v29;
while ( *(_DWORD *)((char *)v31 + v147[] - Src[]) == *v31 )
{
--v29;
--v31;
if ( --v30 < )
goto LABEL_47;
}
v28 = *((_DWORD *)v147[] + v29) < *((_DWORD *)Src[] + v29);
LABEL_62:
if ( !v28 )
goto LABEL_47;
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v125, (__m128i)0i64);
v126 = 0i64;
sub_140004330(v125, 0i64, &v144);
sub_140001270(v125);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v123, (__m128i)0i64);
v124 = 0i64;
sub_140004330(v123, 0i64, &v144);
sub_140001270(v123);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v121, (__m128i)0i64);
v122 = 0i64;
sub_140004330(v121, 0i64, &v144);
sub_140001270(v121);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v119, (__m128i)0i64);
v120 = 0i64;
sub_140004330(v119, 0i64, &v144);
sub_140001270(v119);
v32 = calc_mul(&v136, v125, Src);
v33 = calc_mul(&v133, v32, Src);
v34 = calc_mul(&v130, v33, v147);
v35 = cacl_pow(&v127, v147, v123);
v36 = calc_mul(&v151, v121, Src);
v37 = calc_mul(&v140, v36, v35);
_mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
v115 = 0i64;
v38 = Src[];
v39 = Src[];
if ( Src[] != Src[] )
{
v40 = (_QWORD)(Src[] - Src[]) >> ;
if ( v40 <= 0x3FFFFFFFFFFFFFFFi64 )
{
v41 = * v40;
if ( v41 < 0x1000 )
{
if ( v41 )
v44 = (char *)sub_140004A84(v41);
else
v44 = 0i64;
LABEL_73:
v114[] = v44;
v114[] = v44;
v45 = &v44[v41];
v115 = v45;
memmove(v44, v38, v39 - (_BYTE *)v38);
v114[] = v45;
goto LABEL_74;
}
if ( v41 + > v41 )
{
v42 = sub_140004A84(v41 + );
v43 = v42;
if ( !v42 )
invalid_parameter_noinfo_noreturn();
v44 = (char *)((v42 + ) & 0xFFFFFFFFFFFFFFE0ui64);
*((_QWORD *)v44 - ) = v43;
goto LABEL_73;
}
}
sub_140001110();
}
LABEL_74:
v46 = cacl_add(Memory, v114, v147);
v47 = cacl_pow(&v139, v46, v119);
v144 = v47;
v48 = cacl_equal(&v153, v37);
v49 = cacl_sub(v47, v48);
cacl_equal(v112, v49);
v50 = *(_QWORD **)v47;
if ( *(_QWORD *)v47 )
{
if ( (unsigned __int64)(4i64 * ((*(_QWORD *)(v47 + ) - (_QWORD)v50) >> )) >= 0x1000 )
{
if ( (unsigned __int64)((char *)v50 - *(v50 - ) - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
v50 = (_QWORD *)*(v50 - );
}
j_j_free(v50);
*(_QWORD *)v47 = 0i64;
*(_QWORD *)(v47 + ) = 0i64;
*(_QWORD *)(v47 + ) = 0i64;
}
v116 = v112;
v51 = cacl_equal(&v143, v34);
v52 = cacl_sub(v112, v51);
cacl_equal(&v153, v52);
v53 = v112[];
if ( v112[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v113 - (unsigned __int64)v112[]) >> )) >= 0x1000 )
{
v53 = (void *)*((_QWORD *)v112[] - );
if ( (unsigned __int64)(v112[] - v53 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v53);
_mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
v113 = 0i64;
}
v54 = Memory[];
if ( Memory[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v118 - (unsigned __int64)Memory[]) >> )) >= 0x1000 )
{
v54 = (void *)*((_QWORD *)Memory[] - );
if ( (unsigned __int64)(Memory[] - v54 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v54);
Memory[] = 0i64;
_mm_storeu_si128((__m128i *)&Memory[], (__m128i)0i64);
}
v55 = v140;
if ( v140 )
{
if ( (unsigned __int64)( * ((v142 - (signed __int64)v140) >> )) >= 0x1000 )
{
v55 = (_BYTE *)*((_QWORD *)v140 - );
if ( (unsigned __int64)((_BYTE *)v140 - v55 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v55);
v140 = 0i64;
_mm_storeu_si128((__m128i *)&v141, (__m128i)0i64);
}
v56 = v151;
if ( v151 )
{
if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + ) - (_QWORD)v151) >> )) >= 0x1000 )
{
v56 = (_BYTE *)*((_QWORD *)v151 - );
if ( (unsigned __int64)((_BYTE *)v151 - v56 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v56);
v151 = 0i64;
_mm_storeu_si128((__m128i *)&v152, (__m128i)0i64);
}
v57 = v127;
if ( v127 )
{
if ( (unsigned __int64)( * ((v129 - (signed __int64)v127) >> )) >= 0x1000 )
{
v57 = (_BYTE *)*((_QWORD *)v127 - );
if ( (unsigned __int64)((_BYTE *)v127 - v57 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v57);
v127 = 0i64;
_mm_storeu_si128((__m128i *)&v128, (__m128i)0i64);
}
v58 = v130;
if ( v130 )
{
if ( (unsigned __int64)( * ((v132 - (signed __int64)v130) >> )) >= 0x1000 )
{
v58 = (_BYTE *)*((_QWORD *)v130 - );
if ( (unsigned __int64)((_BYTE *)v130 - v58 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v58);
v130 = 0i64;
_mm_storeu_si128((__m128i *)&v131, (__m128i)0i64);
}
v59 = v133;
if ( v133 )
{
if ( (unsigned __int64)( * ((v135 - (signed __int64)v133) >> )) >= 0x1000 )
{
v59 = (_BYTE *)*((_QWORD *)v133 - );
if ( (unsigned __int64)((_BYTE *)v133 - v59 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v59);
v133 = 0i64;
_mm_storeu_si128((__m128i *)&v134, (__m128i)0i64);
}
v60 = v136;
if ( v136 )
{
if ( (unsigned __int64)( * ((v138 - (signed __int64)v136) >> )) >= 0x1000 )
{
v60 = (_BYTE *)*((_QWORD *)v136 - );
if ( (unsigned __int64)((_BYTE *)v136 - v60 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v60);
v136 = 0i64;
_mm_storeu_si128((__m128i *)&v137, (__m128i)0i64);
}
v61 = v119[];
if ( v119[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v120 - (unsigned __int64)v119[]) >> )) >= 0x1000 )
{
v61 = (void *)*((_QWORD *)v119[] - );
if ( (unsigned __int64)(v119[] - v61 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v61);
}
v62 = v121[];
if ( v121[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v122 - (unsigned __int64)v121[]) >> )) >= 0x1000 )
{
v62 = (void *)*((_QWORD *)v121[] - );
if ( (unsigned __int64)(v121[] - v62 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v62);
}
v63 = v123[];
if ( v123[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v124 - (unsigned __int64)v123[]) >> )) >= 0x1000 )
{
v63 = (void *)*((_QWORD *)v123[] - );
if ( (unsigned __int64)(v123[] - v63 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v63);
}
v64 = v125[];
if ( v125[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v126 - (unsigned __int64)v125[]) >> )) >= 0x1000 )
{
v64 = (void *)*((_QWORD *)v125[] - );
if ( (unsigned __int64)(v125[] - v64 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v64);
}
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v119, (__m128i)0i64);
v120 = 0i64;
sub_140004330(v119, 0i64, &v144);
sub_140001270(v119);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v121, (__m128i)0i64);
v122 = 0i64;
sub_140004330(v121, 0i64, &v144);
sub_140001270(v121);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v123, (__m128i)0i64);
v124 = 0i64;
sub_140004330(v123, 0i64, &v144);
sub_140001270(v123);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)v125, (__m128i)0i64);
v126 = 0i64;
sub_140004330(v125, 0i64, &v144);
sub_140001270(v125);
v116 = Memory;
v65 = calc_mul(&v127, v121, v149);
v66 = calc_mul(&v130, v123, v149);
v67 = calc_mul(&v133, v66, v149);
LODWORD(v144) = ;
_mm_storeu_si128((__m128i *)Memory, (__m128i)0i64);
v118 = 0i64;
sub_140004330(Memory, 0i64, &v144);
sub_140001270(Memory);
v68 = cacl_add(&v136, Memory, v149);
v69 = (void **)cacl_pow(&v143, v68, v125);
v116 = v69;
v70 = cacl_equal(&v139, v67);
v71 = cacl_sub(v69, v70);
cacl_equal(v112, v71);
v72 = *v69;
if ( *v69 )
{
if ( (unsigned __int64)( * (((_BYTE *)v69[] - (_BYTE *)v72) >> )) >= 0x1000 )
{
if ( (unsigned __int64)((char *)v72 - *(v72 - ) - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
v72 = (_QWORD *)*(v72 - );
}
j_j_free(v72);
*v69 = 0i64;
v69[] = 0i64;
v69[] = 0i64;
}
v116 = v112;
v73 = cacl_equal(&v139, v65);
v74 = cacl_sub(v112, v73);
cacl_equal(v114, v74);
v75 = v112[];
if ( v112[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v113 - (unsigned __int64)v112[]) >> )) >= 0x1000 )
{
v75 = (void *)*((_QWORD *)v112[] - );
if ( (unsigned __int64)(v112[] - v75 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v75);
_mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
v113 = 0i64;
}
v116 = v114;
v76 = cacl_equal(&v139, v119);
v77 = cacl_sub(v114, v76);
cacl_equal(&v151, v77);
v78 = v114[];
if ( v114[] )
{
if ( (unsigned __int64)( * ((v115 - (char *)v114[]) >> )) >= 0x1000 )
{
v78 = (void *)*((_QWORD *)v114[] - );
if ( (unsigned __int64)(v114[] - v78 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v78);
_mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
v115 = 0i64;
}
v79 = v136;
if ( v136 )
{
if ( (unsigned __int64)( * ((v138 - (signed __int64)v136) >> )) >= 0x1000 )
{
v79 = (_BYTE *)*((_QWORD *)v136 - );
if ( (unsigned __int64)((_BYTE *)v136 - v79 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v79);
v136 = 0i64;
_mm_storeu_si128((__m128i *)&v137, (__m128i)0i64);
}
v80 = v133;
if ( v133 )
{
if ( (unsigned __int64)( * ((v135 - (signed __int64)v133) >> )) >= 0x1000 )
{
v80 = (_BYTE *)*((_QWORD *)v133 - );
if ( (unsigned __int64)((_BYTE *)v133 - v80 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v80);
v133 = 0i64;
_mm_storeu_si128((__m128i *)&v134, (__m128i)0i64);
}
v81 = v130;
if ( v130 )
{
if ( (unsigned __int64)( * ((v132 - (signed __int64)v130) >> )) >= 0x1000 )
{
v81 = (_BYTE *)*((_QWORD *)v130 - );
if ( (unsigned __int64)((_BYTE *)v130 - v81 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v81);
v130 = 0i64;
_mm_storeu_si128((__m128i *)&v131, (__m128i)0i64);
}
v82 = v127;
if ( v127 )
{
if ( (unsigned __int64)( * ((v129 - (signed __int64)v127) >> )) >= 0x1000 )
{
v82 = (_BYTE *)*((_QWORD *)v127 - );
if ( (unsigned __int64)((_BYTE *)v127 - v82 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v82);
v127 = 0i64;
_mm_storeu_si128((__m128i *)&v128, (__m128i)0i64);
}
v83 = v125[];
if ( v125[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v126 - (unsigned __int64)v125[]) >> )) >= 0x1000 )
{
v83 = (void *)*((_QWORD *)v125[] - );
if ( (unsigned __int64)(v125[] - v83 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v83);
}
v84 = v123[];
if ( v123[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v124 - (unsigned __int64)v123[]) >> )) >= 0x1000 )
{
v84 = (void *)*((_QWORD *)v123[] - );
if ( (unsigned __int64)(v123[] - v84 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v84);
}
v85 = v121[];
if ( v121[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v122 - (unsigned __int64)v121[]) >> )) >= 0x1000 )
{
v85 = (void *)*((_QWORD *)v121[] - );
if ( (unsigned __int64)(v121[] - v85 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v85);
}
v86 = v119[];
if ( v119[] )
{
if ( (unsigned __int64)( * ((signed __int64)(v120 - (unsigned __int64)v119[]) >> )) >= 0x1000 )
{
v86 = (void *)*((_QWORD *)v119[] - );
if ( (unsigned __int64)(v119[] - v86 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v86);
}
v87 = (char *)v153;
v88 = (v154 - (signed __int64)v153) >> ;
v89 = (char *)v151;
v18 = v149[];
if ( v88 == ((_QWORD)v152 - (_QWORD)v151) >> )
{
v90 = v88 - ;
if ( (signed int)v88 - < )
{
LABEL_201:
sub_140004120(std::cout, "You win!\nflag{MD5(\"");
v93 = Src[];
v94 = Src[];
if ( Src[] == Src[] )
{
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
v94 = Src[];
v93 = Src[];
}
v95 = (unsigned __int64)((v94 - v93) >> ) - ;
v96 = v95;
if ( v95 >= )
{
while ( )
{
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v93[ * v96--]);
if ( v96 < )
break;
v93 = Src[];
}
}
v97 = v147[];
v98 = v147[];
if ( v147[] == v147[] )
{
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
v98 = v147[];
v97 = v147[];
}
v99 = (unsigned __int64)((v98 - v97) >> ) - ;
v100 = v99;
if ( v99 >= )
{
while ( )
{
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v97[ * v100--]);
if ( v100 < )
break;
v97 = v147[];
}
}
v101 = v149[];
if ( v18 == v149[] )
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
v102 = (unsigned __int64)((v101 - v18) >> ) - ;
for ( i = v102;
i >= ;
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v18[ * i--]) )
{
;
}
sub_140004120(std::cout, "\").tolower()}\n");
}
else
{
v91 = v90;
v92 = (char *)v151 + * v90;
while ( *(_DWORD *)((char *)v92 + (_BYTE *)v153 - (_BYTE *)v151) == *v92 )
{
--v92;
if ( --v91 < )
goto LABEL_201;
}
}
}
v25 = ;
if ( v89 )
{
v104 = v89;
if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + ) - (_QWORD)v89) >> )) >= 0x1000 )
{
v89 = (char *)*((_QWORD *)v89 - );
if ( (unsigned __int64)(v104 - v89 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v89);
}
if ( v87 )
{
v105 = v87;
if ( (unsigned __int64)( * ((v155 - (signed __int64)v87) >> )) >= 0x1000 )
{
v87 = (char *)*((_QWORD *)v87 - );
if ( (unsigned __int64)(v105 - v87 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v87);
}
v16 = (char *)Src[];
v20 = (char *)v147[];
LABEL_48:
v26 = v159;
if ( v159 )
{
if ( (unsigned __int64)( * ((v160 - (signed __int64)v159) >> )) >= 0x1000 )
{
v26 = (_BYTE *)*((_QWORD *)v159 - );
if ( (unsigned __int64)((_BYTE *)v159 - v26 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v26);
v16 = (char *)Src[];
v20 = (char *)v147[];
}
v106 = v156;
if ( v156 )
{
if ( (unsigned __int64)( * ((v158 - (signed __int64)v156) >> )) >= 0x1000 )
{
v106 = (_BYTE *)*((_QWORD *)v156 - );
if ( (unsigned __int64)((_BYTE *)v156 - v106 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v106);
v156 = 0i64;
_mm_storeu_si128((__m128i *)&v157, (__m128i)0i64);
v16 = (char *)Src[];
v20 = (char *)v147[];
}
v107 = v161;
if ( v161 )
{
if ( (unsigned __int64)( * ((v162 - (signed __int64)v161) >> )) >= 0x1000 )
{
v107 = (_BYTE *)*((_QWORD *)v161 - );
if ( (unsigned __int64)((_BYTE *)v161 - v107 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v107);
v16 = (char *)Src[];
v20 = (char *)v147[];
}
if ( v18 )
{
v108 = v18;
if ( (unsigned __int64)( * ((v150 - (signed __int64)v18) >> )) >= 0x1000 )
{
v18 = (_BYTE *)*((_QWORD *)v18 - );
if ( (unsigned __int64)(v108 - v18 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v18);
v16 = (char *)Src[];
v20 = (char *)v147[];
}
if ( v20 )
{
v109 = v20;
if ( (unsigned __int64)( * ((v148 - (signed __int64)v20) >> )) >= 0x1000 )
{
v20 = (char *)*((_QWORD *)v20 - );
if ( (unsigned __int64)(v109 - v20 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v20);
_mm_storeu_si128((__m128i *)v147, (__m128i)0i64);
v148 = 0i64;
v16 = (char *)Src[];
}
if ( v16 )
{
v110 = v16;
if ( ((v146 - (_QWORD)v16) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
{
v16 = (char *)*((_QWORD *)v16 - );
if ( (unsigned __int64)(v110 - v16 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v16);
}
return v25;
}
伪C代码
流程总结
整个过程,有三次输入,定义为变量x, y, z。在满足x < z and x > y的条件下,进行x**3+y**3+z**3=42,搜了一下有关“三次方42”的新闻
得到
根据x,y,z关系式得到
将Sleep的时间全部改为0
写出脚本得到flag
get flag!
childRE
测试文件:https://www.lanzous.com/i7h66wd
准备
- 64位文件
IDA代码分析
流程总结
- 因此总的运算流程就是:
- 输入长度为31的字符串
- 进行置换运算
- 取消修饰函数名
- 将未修饰函数名的商和余数与指定字符串比较
我们能够逆向操作来得到未修饰的函数名。
获取未修饰函数名
IDA动态调试
写出脚本
str1 = "(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&"
str2 = ""
str3 = '1234567890-=!@#$%^&*()_+qwertyuiop[]QWERTYUIOP{}asdfghjkl;,ASDFGHJKL:"ZXCVBNM<>?zxcvbnm,./' name = '' for i in range(62):
name += chr(str3.index(str1[i]) + str3.index(str2[i])*23 ) print (name)
得到:private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)
使用C++写出一个上面函数的例子:
#include <iostream>
class R0Pxx {
public:
R0Pxx() {
My_Aut0_PWN((unsigned char*)"hello");
}
private:
char* __thiscall My_Aut0_PWN(unsigned char*);
};
char* __thiscall R0Pxx::My_Aut0_PWN(unsigned char*) {
std::cout << __FUNCDNAME__ << std::endl;
return ;
}
int main()
{
R0Pxx A;
system("PAUSE");
return ;
}得到:?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z
置换运算
通过动态调试,发现乱序取值的数值是固定的,因此随便输入一组长度31的字符串(其中的字符不能重复)
反向操作,写出脚本来解决flag
from hashlib import md5 str1 = 'abcdefghijklmnopqrstuvwxyz12345'
dec1 = '7071687273696474756A76776B656278796C7A316D6632336E34356F676361'.decode('hex')
serial = [] print dec1 for i in dec1:
serial.append(str1.index(i)) print serial name = '?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'
enc = [''] * 31 for i in range(31):
enc[serial[i]] = name[i]
enc = ''.join(enc) print enc print md5(enc).hexdigest()
get flag!
Snake
测试文件:https://www.lanzous.com/i7gol0d
Unity逆向
查看DLL文件
运行Snake,查看调用的DLL文件
DLL文件分析
使用ILSpy打开Interface.dll文件
发现了DLL文件使用的函数GameObject
使用IDA打开DLL文件
signed __int64 __fastcall GameObject(int a1)
{
char v1; // di
__int64 *v2; // rbx
__int64 *v3; // rax
int v4; // er8
int v5; // er9
__int64 v6; // rax
_BYTE *v7; // rcx
__int64 v8; // rax
__int64 v9; // rax
__int64 *v10; // rdx
__int64 v11; // rax
__int64 *v12; // rcx
_BYTE *v13; // rcx
__int64 v15; // rax
int v16; // er8
int v17; // er9
__int64 v18; // rax
__int64 v19; // rax
__int64 *v20; // rdx
__int64 v21; // rax
__int64 *v22; // rcx
_BYTE *v23; // rcx
_BYTE *v24; // rcx
unsigned __int64 v25; // rdx
void *v26; // rcx
unsigned __int64 v27; // rdx
_BYTE *v28; // rcx
_BYTE *v29; // rcx
_BYTE *v30; // rcx
__int64 v31; // rax
_BYTE *v32; // rcx
__int64 v33; // rax
const void *v34; // rdx
bool v35; // bl
_BYTE *v36; // rcx
_BYTE *v37; // rcx
__int64 v38; // rax
const char *v39; // rdx
__int64 v40; // rax
__int64 v41; // rax
void *v42; // rcx
_BYTE *v43; // rcx
void *v44; // rcx
_BYTE *v45; // rcx
void *Memory; // [rsp+20h] [rbp-E0h]
_BYTE *v47; // [rsp+28h] [rbp-D8h]
__int128 v48; // [rsp+30h] [rbp-D0h]
int v49; // [rsp+40h] [rbp-C0h]
int v50; // [rsp+48h] [rbp-B8h]
int v51; // [rsp+50h] [rbp-B0h]
int v52; // [rsp+58h] [rbp-A8h]
int v53; // [rsp+60h] [rbp-A0h]
int v54; // [rsp+68h] [rbp-98h]
int v55; // [rsp+70h] [rbp-90h]
__int64 *v56; // [rsp+78h] [rbp-88h]
void *Buf1[]; // [rsp+80h] [rbp-80h]
unsigned __int64 v58; // [rsp+90h] [rbp-70h]
void *Dst; // [rsp+98h] [rbp-68h]
void *v60; // [rsp+A0h] [rbp-60h]
__int128 v61; // [rsp+A8h] [rbp-58h]
unsigned __int64 v62; // [rsp+B8h] [rbp-48h]
__int64 v63; // [rsp+C0h] [rbp-40h]
void *v64; // [rsp+C8h] [rbp-38h]
__int128 v65; // [rsp+D0h] [rbp-30h]
unsigned __int64 v66; // [rsp+E0h] [rbp-20h]
__int64 v67; // [rsp+E8h] [rbp-18h]
_BYTE *v68; // [rsp+F0h] [rbp-10h]
__int128 v69; // [rsp+F8h] [rbp-8h]
unsigned __int64 v70; // [rsp+108h] [rbp+8h]
__int64 v71; // [rsp+110h] [rbp+10h]
void *v72; // [rsp+118h] [rbp+18h]
__int64 v73; // [rsp+120h] [rbp+20h]
__int128 v74; // [rsp+128h] [rbp+28h]
char v75; // [rsp+138h] [rbp+38h]
void *v76; // [rsp+140h] [rbp+40h]
unsigned __int64 v77; // [rsp+158h] [rbp+58h] v50 = ;
v1 = ;
if ( a1 >= )
{
if ( (unsigned int)(a1 - ) <= 0x61 ) // 输入的数字小于等于99
{
LOBYTE(Memory) = ;
_mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
sub_180006D10(
&Memory,
""
""
"",
0x135ui64);
sub_180001530(&v75, &Memory);
LOBYTE(Memory) = ;
_mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
sub_180006D10(
&Memory,
""
""
"",
0x134ui64);
sub_180001530(&v63, &Memory);
v15 = sub_18000A9D0(&Memory);
sub_180001530(&v71, v15);
LOBYTE(Memory) = v75;
sub_180006C40(&v47, &v76);
LOBYTE(Dst) = v71;
sub_180006C40(&v60, &v72);
LOBYTE(v51) = v63;
sub_180006C40(&v52, &v64);
sub_180006250(&v67, &v51, &Dst, &Memory);
LOBYTE(v51) = v67;
sub_180006C40(&v52, &v68);
sub_18000AAB0(
(unsigned __int64)&v56,
(unsigned __int64)&v51,
v16,
v17,
(_DWORD)Memory,
(_DWORD)v47,
v48,
DWORD2(v48),
v49,
v50,
v51,
v52,
v53,
v54,
v55,
(_DWORD)v56,
Buf1[],
Buf1[],
v58,
(_DWORD)Dst,
(_DWORD)v60,
v61,
DWORD2(v61),
v62,
v63,
(_DWORD)v64,
v65,
DWORD2(v65),
v66);
LOBYTE(Memory) = ;
_mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
sub_180006D10(&Memory, "flag", 4ui64);
v18 = sub_180006C40(&Dst, &v56);
if ( sub_18000AFA0(v18, (__int64)&Memory) )
{
v19 = sub_18000A7C0(std::cout, "You win! flag is ");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v19, sub_18000A990);
v20 = (__int64 *)&v56;
if ( v58 >= 0x10 )
v20 = v56;
v21 = sub_180007570(std::cout, v20, Buf1[]);
}
else
{
v21 = sub_18000A7C0(std::cout, "Try again");
}
std::basic_ostream<char,std::char_traits<char>>::operator<<(v21, sub_18000A990);
if ( v58 >= 0x10 )
{
v22 = v56;
if ( v58 + >= 0x1000 )
{
v22 = (__int64 *)*(v56 - );
if ( (unsigned __int64)((char *)v56 - (char *)v22 - ) > 0x1F )
goto LABEL_50;
}
j_j_free(v22);
}
Buf1[] = 0i64;
v58 = 15i64;
LOBYTE(v56) = ;
if ( v70 >= 0x10 )
{
v23 = v68;
if ( v70 + >= 0x1000 )
{
v23 = (_BYTE *)*((_QWORD *)v68 - );
if ( (unsigned __int64)(v68 - v23 - ) > 0x1F )
goto LABEL_50;
}
j_j_free(v23);
}
if ( *((_QWORD *)&v74 + ) >= 0x10ui64 )
{
v24 = v72;
if ( (unsigned __int64)(*((_QWORD *)&v74 + ) + 1i64) >= 0x1000 )
{
v24 = (_BYTE *)*((_QWORD *)v72 - );
if ( (unsigned __int64)((_BYTE *)v72 - v24 - ) > 0x1F )
goto LABEL_50;
}
j_j_free(v24);
}
v25 = v66;
LOBYTE(v72) = ;
_mm_storeu_si128((__m128i *)&v74, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
if ( v25 < 0x10 )
goto LABEL_47;
v26 = v64;
if ( v25 + < 0x1000
|| (v26 = (void *)*((_QWORD *)v64 - ), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v26 - ) <= 0x1F) )
{
j_j_free(v26);
LABEL_47:
v27 = v77;
LOBYTE(v64) = ;
_mm_storeu_si128((__m128i *)((char *)&v65 + ), _mm_load_si128((const __m128i *)&xmmword_18000EB70));
if ( v27 >= 0x10 )
{
v28 = v76;
if ( v27 + >= 0x1000 )
{
v28 = (_BYTE *)*((_QWORD *)v76 - );
if ( (unsigned __int64)((_BYTE *)v76 - v28 - ) > 0x1F )
goto LABEL_50;
}
j_j_free(v28);
}
return 7i64;
}
LABEL_50:
invalid_parameter_noinfo_noreturn();
}
if ( (unsigned int)(a1 - ) > 0x62 ) // 传入的数字大于199则退出
return 996i64;
v71 = 0i64;
v72 = 0i64;
v73 = 0i64;
*(_QWORD *)&v74 = 0i64;
_mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
LOBYTE(Dst) = ;
sub_180006D10(
&Dst,
""
""
"",
0x135ui64);
sub_1800078F0(&v71, &Dst);
if ( *((_QWORD *)&v61 + ) >= 0x10ui64 )
{
v29 = Dst;
if ( (unsigned __int64)(*((_QWORD *)&v61 + ) + 1i64) >= 0x1000 )
{
v29 = (_BYTE *)*((_QWORD *)Dst - );
if ( (unsigned __int64)((_BYTE *)Dst - v29 - ) > 0x1F )
goto LABEL_99;
}
j_j_free(v29);
}
v63 = 0i64;
v64 = 0i64;
v65 = 0ui64;
_mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
LOBYTE(Dst) = ;
sub_180006D10(
&Dst,
""
""
"",
0x135ui64);
sub_1800078F0(&v63, &Dst);
if ( *((_QWORD *)&v61 + ) >= 0x10ui64 )
{
v30 = Dst;
if ( (unsigned __int64)(*((_QWORD *)&v61 + ) + 1i64) >= 0x1000 )
{
v30 = (_BYTE *)*((_QWORD *)Dst - );
if ( (unsigned __int64)((_BYTE *)Dst - v30 - ) > 0x1F )
goto LABEL_99;
}
j_j_free(v30);
}
v67 = 0i64;
v68 = 0i64;
v69 = 0ui64;
v31 = sub_18000A9D0(&Memory);
sub_1800078F0(&v67, v31);
if ( *((_QWORD *)&v48 + ) >= 0x10ui64 )
{
v32 = Memory;
if ( (unsigned __int64)(*((_QWORD *)&v48 + ) + 1i64) >= 0x1000 )
{
v32 = (_BYTE *)*((_QWORD *)Memory - );
if ( (unsigned __int64)((_BYTE *)Memory - v32 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v32);
}
v56 = 0i64;
Buf1[] = 0i64;
Buf1[] = 0i64;
v58 = 0i64;
sub_180009B40(&v63, &v56, &v67, &v71);
LOBYTE(Dst) = ;
_mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
sub_180006D10(&Dst, "", 7ui64);
v33 = sub_1800078F0(&Memory, &Dst);
v35 = ;
if ( (_BYTE)v56 == *(_BYTE *)v33 )
{
v34 = *(const void **)(v33 + );
if ( !(((Buf1[] - Buf1[]) ^ (*(_QWORD *)(v33 + ) - (_QWORD)v34)) & 0xFFFFFFFFFFFFFFFCui64)
&& !memcmp(Buf1[], v34, Buf1[] - Buf1[]) )
{
v35 = ;
}
}
v36 = v47;
if ( v47 )
{
if ( ((*((_QWORD *)&v48 + ) - (_QWORD)v47) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
{
v36 = (_BYTE *)*((_QWORD *)v47 - );
if ( (unsigned __int64)(v47 - v36 - ) > 0x1F )
LABEL_79:
invalid_parameter_noinfo_noreturn();
}
j_j_free(v36);
v47 = 0i64;
_mm_storeu_si128((__m128i *)&v48, (__m128i)0i64);
}
if ( *((_QWORD *)&v61 + ) >= 0x10ui64 )
{
v37 = Dst;
if ( (unsigned __int64)(*((_QWORD *)&v61 + ) + 1i64) >= 0x1000 )
{
v37 = (_BYTE *)*((_QWORD *)Dst - );
if ( (unsigned __int64)((_BYTE *)Dst - v37 - ) > 0x1F )
goto LABEL_79;
}
j_j_free(v37);
}
if ( v35 )
{
v38 = sub_18000A7C0(std::cout, "EDG fight for S10");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v38, sub_18000A990);
v39 = "You fight for the next snake";
}
else
{
v40 = sub_18000A7C0(std::cout, "EDG failed to fight for their S9");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v40, sub_18000A990);
v39 = "But you can fight for next snake";
}
v41 = sub_18000A7C0(std::cout, v39);
std::basic_ostream<char,std::char_traits<char>>::operator<<(v41, sub_18000A990);
v42 = Buf1[];
if ( Buf1[] )
{
if ( ((v58 - (unsigned __int64)Buf1[]) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
{
v42 = (void *)*((_QWORD *)Buf1[] - );
if ( (unsigned __int64)(Buf1[] - v42 - ) > 0x1F )
goto LABEL_99;
}
j_j_free(v42);
v58 = 0i64;
_mm_storeu_si128((__m128i *)Buf1, (__m128i)0i64);
}
v43 = v68;
if ( v68 )
{
if ( ((*((_QWORD *)&v69 + ) - (_QWORD)v68) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
{
v43 = (_BYTE *)*((_QWORD *)v68 - );
if ( (unsigned __int64)(v68 - v43 - ) > 0x1F )
goto LABEL_99;
}
j_j_free(v43);
v68 = 0i64;
_mm_storeu_si128((__m128i *)&v69, (__m128i)0i64);
}
v44 = v64;
if ( !v64 )
goto LABEL_96;
if ( ((*((_QWORD *)&v65 + ) - (_QWORD)v64) & 0xFFFFFFFFFFFFFFFCui64) < 0x1000
|| (v44 = (void *)*((_QWORD *)v64 - ), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v44 - ) <= 0x1F) )
{
j_j_free(v44);
v64 = 0i64;
_mm_storeu_si128((__m128i *)&v65, (__m128i)0i64);
LABEL_96:
v45 = v72;
if ( v72 )
{
if ( (((_QWORD)v74 - (_QWORD)v72) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
{
v45 = (_BYTE *)*((_QWORD *)v72 - );
if ( (unsigned __int64)((_BYTE *)v72 - v45 - ) > 0x1F )
goto LABEL_99;
}
j_j_free(v45);
}
return 996i64;
}
LABEL_99:
invalid_parameter_noinfo_noreturn();
}
LOBYTE(Memory) = ;
_mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
sub_180006D10(&Memory, "", 0x35ui64);
sub_180001530(&Dst, &Memory);
v2 = &qword_180012038;
v3 = &qword_180012038;
if ( *((_QWORD *)&xmmword_180012048 + ) >= 0x10ui64 )
v3 = (__int64 *)qword_180012038;
if ( (_QWORD)xmmword_180012048 == 4i64 && *(_DWORD *)v3 == *(_DWORD *)"null" )
{
v75 = (char)Dst;
sub_180006C40(&v76, &v60);
v6 = sub_18000AAB0(
(unsigned __int64)&Memory,
(unsigned __int64)&v75,
v4,
v5,
(_DWORD)Memory,
(_DWORD)v47,
v48,
DWORD2(v48),
v49,
v50,
v51,
v52,
v53,
v54,
v55,
(_DWORD)v56,
Buf1[],
Buf1[],
v58,
(_DWORD)Dst,
(_DWORD)v60,
v61,
DWORD2(v61),
v62,
v63,
(_DWORD)v64,
v65,
DWORD2(v65),
v66);
v2 = (__int64 *)sub_180006A70(&qword_180012038, v6);
v1 = ;
}
sub_180006C40(&v56, v2);
if ( v1 & && *((_QWORD *)&v48 + ) >= 0x10ui64 )
{
v7 = Memory;
if ( (unsigned __int64)(*((_QWORD *)&v48 + ) + 1i64) >= 0x1000 )
{
v7 = (_BYTE *)*((_QWORD *)Memory - );
if ( (unsigned __int64)((_BYTE *)Memory - v7 - ) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v7);
}
v8 = sub_18000A7C0(std::cout, "If SKT win S9 champion");
v9 = sub_18000A7C0(v8, "this is real flag");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v9, sub_18000A990);
v10 = (__int64 *)&v56;
if ( v58 >= 0x10 )
v10 = v56;
v11 = sub_180007570(std::cout, v10, Buf1[]);
std::basic_ostream<char,std::char_traits<char>>::operator<<(v11, sub_18000A990);
if ( v58 >= 0x10 )
{
v12 = v56;
if ( v58 + >= 0x1000 )
{
v12 = (__int64 *)*(v56 - );
if ( (unsigned __int64)((char *)v56 - (char *)v12 - ) > 0x1F )
LABEL_22:
invalid_parameter_noinfo_noreturn();
}
j_j_free(v12);
}
Buf1[] = 0i64;
v58 = 15i64;
LOBYTE(v56) = ;
if ( v62 >= 0x10 )
{
v13 = v60;
if ( v62 + >= 0x1000 )
{
v13 = (_BYTE *)*((_QWORD *)v60 - );
if ( (unsigned __int64)((_BYTE *)v60 - v13 - ) > 0x1F )
goto LABEL_22;
}
j_j_free(v13);
}
return 0xFFFFFFFFi64;
}
GameObject
判断出GameObject函数传入的参数,最大应该是199,因此直接写程序,调用DLL文件,爆破求flag
爆破求解
开多个进程,同时求解。
#include <Windows.h>
#include <iostream>
#include <libloaderapi.h> using namespace std; int main(int argc, char* argv[])
{
const char* funcName = "GameObject";
HMODULE hDLL = LoadLibrary(TEXT("C:\\Users\\10245\\Desktop\\Snake\\Snake_Data\\Plugins\\Interface.dll"));
if (hDLL != NULL)
{
cout << "Load Success!" << endl;
typedef int(_cdecl *FuncPtr)(int);
FuncPtr func = (FuncPtr)GetProcAddress(hDLL, funcName);
func(atoi(argv[]));
}
else
{
cout << "Load Failed!" << endl;
} system("PAUSE");
return ;
}