  • 2019 红帽杯 Re WP

    xx

    测试文件:https://www.lanzous.com/i7dyqhc

    准备

    获取信息

    • 64位文件

    IDA打开

    使用Findcrypt脚本可以看到

    结合文件名是xx,因此猜测代码用到了xxtea加密方法

    流程总结

    因此,总的流程为:

    1. 判断输入的字符串的每个字符是否包含在"qwertyuiopasdfghjklzxcvbnm1234567890"中
    2. 取输入字符串的前4位字符,即"flag",用 0 字节补齐到 16 字节,作为xxtea加密的密钥key
    3. 将输入的字符串使用key加密,加密后的字符保存在字符数组v18,共24位字符
    4. 打乱v18数组,保存到v19数组中
    5. 将24位字符,每3位为一组,每一组异或值(具体看代码),得到新的加密字符串
    6. 将新的加密字符串与已经存在的字符串比较,相同即获得胜利

    因此,只需要逆向变换,就能得到flag

    使用动态调试,可以获取到已经存在的字符串

    enc = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'

    脚本解密

    Python 有现成的第三方 xxtea 包(pip install xxtea),不过我用的时候,一直提示我“ValueError: Need a 16-byte key.”,用rjust或者'\x00'*16补足了16位也不管用。(已解决:key 必须恰好是 16 个字节,例如 b'flag' + b'\x00'*12;'flag' 后面再补 16 个 \x00 是 20 字节,而不带反斜杠的 'x00' 每个占 3 个字符,长度都不对)

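    import xxtea

    # Ciphertext dumped from the binary under the debugger (24 bytes, hex).
    result = 'CE BC 40 6B 7C 3A 95 C0 EF 9B 20 20 91 F7 02 35 23 18 02 C8 E7 56 56 FA'.split(" ")
    cipher = [int(h, 16) for h in result]

    # Undo step 5 of the flow: byte 3*i+j was XORed with the XOR of ciphertext
    # bytes 0..i-1.  Every mask is folded from the untouched ciphertext, so the
    # order in which groups are undone does not matter; reverse order just
    # mirrors the forward pass.  A zero intermediate value is a legitimate
    # state of the fold and must not restart it.
    res = list(cipher)
    for i in range(7, -1, -1):
        mask = 0
        for n in range(i):
            mask ^= cipher[n]
        for j in range(3):
            res[i * 3 + j] ^= mask

    # Undo step 4 (the v18 -> v19 shuffle): per the write-up, box[k] is the
    # index in the un-XORed buffer that byte k of v18 came from.
    box = [1, 3, 0, 2, 5, 7, 4, 6, 9, 11, 8, 10, 13, 15, 12, 14, 17, 19, 16, 18, 21, 23, 20, 22]
    m = [res[k] for k in box]

    # XXTEA needs exactly 16 key bytes: "flag" padded with NUL bytes.  Mind the
    # escape — 'flag' + 'x00' * 12 (no backslash) is 40 characters, which is
    # what produces the "Need a 16-byte key" error quoted above.
    key = b'flag' + b'\x00' * 12

    print(xxtea.decrypt(bytes(m), key, padding=False))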
    xxtea解密

    所以改用纯 Python 实现的 xxtea,代码借用了下面这篇文章:

    参考文章:https://blog.csdn.net/weixin_41474364/article/details/84314674 

    # encoding: utf-8
    import struct
    
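    _DELTA = 0x9E3779B9  # XXTEA round constant (golden ratio)


    def _long2str(v, w):
        """Pack 32-bit little-endian words back into bytes.

        v: list of ints, each already masked to 32 bits.
        w: if true, v[-1] is the original byte length appended by
           _str2long(s, True); it is dropped and the output truncated to that
           length.  A length more than 3 bytes short of, or longer than, the
           packed data is rejected with b''.
        """
        n = (len(v) - 1) << 2
        if w:
            m = v[-1]
            if (m < n - 3) or (m > n):
                return b''  # bytes on both Python 2 and 3 (was '')
            n = m
        s = struct.pack('<%iL' % len(v), *v)
        return s[0:n] if w else s


    def _str2long(s, w):
        """Unpack bytes into 32-bit little-endian words.

        s is NUL-padded up to a multiple of four bytes.  With w set, the
        original byte length is appended as one extra word so that
        _long2str(v, True) can strip the padding again.
        """
        n = len(s)
        m = (4 - (n & 3) & 3) + n  # n rounded up to a multiple of 4
        # ljust needs a one-character fill; an empty fill string raises
        # TypeError on every call, so the pad byte is spelled out explicitly.
        s = s.ljust(m, b"\0")
        v = list(struct.unpack('<%iL' % (m >> 2), s))
        if w:
            v.append(n)
        return v


    def _mx(z, y, acc, k, p, e):
        """XXTEA mixing term for word p.

        Intermediate values may exceed 32 bits; the caller masks the result,
        which is exact because neither XOR nor addition moves bits downward.
        """
        return ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((acc ^ y) + (k[p & 3 ^ e] ^ z))


    def encrypt(str, key):
        """XXTEA-encrypt the bytes *str* under *key*.

        key is NUL-padded to 16 bytes; only its first four words are ever
        indexed, so longer keys are effectively truncated.  The plaintext
        length is stored in an extra trailing word, so the output has
        4 * ceil(len(str) / 4) + 4 bytes.  Empty input is returned unchanged.
        (The parameter keeps the name ``str`` from the original signature.)
        """
        if not str:
            return str
        v = _str2long(str, True)
        k = _str2long(key.ljust(16, b"\0"), False)
        n = len(v) - 1
        z = v[n]
        y = v[0]
        acc = 0
        q = 6 + 52 // (n + 1)  # number of rounds
        while q > 0:
            acc = (acc + _DELTA) & 0xffffffff
            e = acc >> 2 & 3
            for p in range(n):  # range, not xrange: runs on Python 2 and 3
                y = v[p + 1]
                v[p] = (v[p] + _mx(z, y, acc, k, p, e)) & 0xffffffff
                z = v[p]
            y = v[0]
            v[n] = (v[n] + _mx(z, y, acc, k, n, e)) & 0xffffffff
            z = v[n]
            q -= 1
        return _long2str(v, False)


    def decrypt(str, key):
        """Invert encrypt().

        Returns the original bytes, or b'' when the trailing length word is
        inconsistent with the data (a wrong key usually shows up this way).
        Empty input is returned unchanged.
        """
        if not str:
            return str
        v = _str2long(str, False)
        k = _str2long(key.ljust(16, b"\0"), False)
        n = len(v) - 1
        z = v[n]
        y = v[0]
        q = 6 + 52 // (n + 1)
        acc = (q * _DELTA) & 0xffffffff  # walk the round sums back down to 0
        while (acc != 0):
            e = acc >> 2 & 3
            for p in range(n, 0, -1):
                z = v[p - 1]
                v[p] = (v[p] - _mx(z, y, acc, k, p, e)) & 0xffffffff
                y = v[p]
            z = v[n]
            v[0] = (v[0] - _mx(z, y, acc, k, 0, e)) & 0xffffffff
            y = v[0]
            acc = (acc - _DELTA) & 0xffffffff
        return _long2str(v, True)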
    
    def xor(x, y):
        """Return the XOR of the code points of the two single characters x and y."""
        a, b = ord(x), ord(y)
        return a ^ b
    
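    # Hex-encoded ciphertext read out of the binary at runtime (24 bytes).
    import binascii
    arr = bytearray(binascii.unhexlify('CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'))

    # Undo the group XOR (step 5 of the flow): byte 3*i+j was XORed with the
    # XOR of ciphertext bytes 0..i-1.  The mask only reads the untouched
    # ciphertext, so the groups could be undone in any order; reverse order
    # just mirrors the forward pass in the binary.
    dec = bytearray(24)
    for i in range(7, -1, -1):
        mask = 0
        for m in range(i):
            mask ^= arr[m]
        for j in range(3):
            dec[i * 3 + j] = arr[i * 3 + j] ^ mask

    # v18 -> v19 was a fixed shuffle; per the write-up, byte i of the
    # un-XORed buffer belongs at index num[i] of the XXTEA output.
    num = [2, 0, 3, 1, 6, 4, 7, 5, 10, 8, 11, 9, 14, 12, 15, 13, 18, 16, 19, 17, 22, 20, 23, 21]
    enc = bytearray(24)
    for i in range(24):
        enc[num[i]] = dec[i]
    dec2 = bytes(enc)

    # XXTEA needs a 16-byte key: "flag" padded with NUL bytes.  Mind the
    # escape — 'x00' without the backslash is three characters each.
    key = b'flag' + b'\x00' * 12

    dec3 = decrypt(dec2, key)
    print(dec3)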

    get flag!

    flag{CXX_and_++tea}

    easyRE

    测试文件:https://share.weiyun.com/5qzM6bU

    准备

    获取信息

    • 64位文件

    IDA打开

    // Flag checker (IDA pseudocode; sub_*/off_* names are IDA's).  Two prompts:
    // the first input must be 36 bytes with v15[i] ^ i == arraym[i]; the second
    // must be 39 bytes and, after ten chained sub_400E44 calls, equal the
    // constant at off_6CC090 (the write-up treats sub_400E44 as base64 encoding).
    // Returns 0 after the second prompt whether or not the comparison matched —
    // only the printed message differs — and a negative 32-bit code when a
    // length or byte check fails.
    signed __int64 sub_4009C6()
    {
      char *v0; // rsi
      char *v1; // rdi
      signed __int64 result; // rax
      __int64 v3; // ST10_8
      __int64 v4; // ST18_8
      __int64 v5; // ST20_8
      __int64 v6; // ST28_8
      __int64 v7; // ST30_8
      __int64 v8; // ST38_8
      __int64 v9; // ST40_8
      __int64 v10; // ST48_8
      __int64 v11; // ST50_8
      __int64 v12; // ST58_8
      int i; // [rsp+Ch] [rbp-114h]
      char arraym[36]; // [rsp+60h] [rbp-C0h]   expected first input, pre-XORed with the index
      char v15[32]; // [rsp+90h] [rbp-90h]      first input buffer
      int v16; // [rsp+B0h] [rbp-70h]
      char v17; // [rsp+B4h] [rbp-6Ch]
      char v18; // [rsp+C0h] [rbp-60h]          second input buffer (0x40 bytes cleared below)
      char v19; // [rsp+E7h] [rbp-39h]
      char v20; // [rsp+100h] [rbp-20h]
      unsigned __int64 v21; // [rsp+108h] [rbp-18h]

      v21 = __readfsqword(0x28u);               // stack-protector canary, re-checked at LABEL_13
      arraym[0] = 73;
      arraym[1] = 111;
      arraym[2] = 100;
      arraym[3] = 108;
      arraym[4] = 62;
      arraym[5] = 81;
      arraym[6] = 110;
      arraym[7] = 98;
      arraym[8] = 40;
      arraym[9] = 111;
      arraym[10] = 99;
      arraym[11] = 121;
      arraym[12] = 127;
      arraym[13] = 121;
      arraym[14] = 46;
      arraym[15] = 105;
      arraym[16] = 127;
      arraym[17] = 100;
      arraym[18] = 96;
      arraym[19] = 51;
      arraym[20] = 119;
      arraym[21] = 125;
      arraym[22] = 119;
      arraym[23] = 101;
      arraym[24] = 107;
      arraym[25] = 57;
      arraym[26] = 123;
      arraym[27] = 105;
      arraym[28] = 121;
      arraym[29] = 61;
      arraym[30] = 126;
      arraym[31] = 121;
      arraym[32] = 76;
      arraym[33] = 64;
      arraym[34] = 69;
      arraym[35] = 67;
      memset(v15, 0, sizeof(v15));
      v16 = 0;
      v17 = 0;
      v0 = v15;
      sub_4406E0(0LL, (__int64)v15);            // read input #1 into v15 (scanf/gets-like helper; not resolved here)
      v17 = 0;
      v1 = v15;
      if ( sub_424BA0(v15) == 36 )              // sub_424BA0 is used like strlen: input #1 must be 36 bytes
      {
        for ( i = 0; ; ++i )
        {
          v1 = v15;
          if ( i >= (unsigned __int64)sub_424BA0(v15) )   // length re-evaluated every iteration
            break;
          if ( (unsigned __int8)(v15[i] ^ i) != arraym[i] )   // byte check: input[i] ^ i must equal arraym[i]
          {
            result = 4294967294LL;              // 0xFFFFFFFE: byte mismatch
            goto LABEL_13;
          }
        }
        sub_410CC0("continue!");                // print (puts-like)
        memset(&v18, 0, 0x40uLL);
        v20 = 0;
        v0 = &v18;
        sub_4406E0(0LL, (__int64)&v18);         // read input #2 into v18
        v19 = 0;
        v1 = &v18;
        if ( sub_424BA0(&v18) == 39 )           // input #2 must be 39 bytes
        {
          v3 = sub_400E44(&v18);                // ten chained transformations of input #2
          v4 = sub_400E44(v3);
          v5 = sub_400E44(v4);
          v6 = sub_400E44(v5);
          v7 = sub_400E44(v6);
          v8 = sub_400E44(v7);
          v9 = sub_400E44(v8);
          v10 = sub_400E44(v9);
          v11 = sub_400E44(v10);
          v12 = sub_400E44(v11);
          v0 = off_6CC090;
          v1 = (char *)v12;
          if ( !(unsigned int)sub_400360(v12, off_6CC090) )   // zero return == match (strcmp-like)
          {
            sub_410CC0("You found me!!!");
            v1 = "bye bye~";
            sub_410CC0("bye bye~");
          }
          result = 0LL;                         // returned for both a match and a mismatch
        }
        else
        {
          result = 4294967293LL;                // 0xFFFFFFFD: wrong length for input #2
        }
      }
      else
      {
        result = 0xFFFFFFFFLL;                  // wrong length for input #1
      }
    LABEL_13:
      if ( __readfsqword(0x28u) != v21 )
        sub_444020(v1, v0);                     // canary changed: presumably __stack_chk_fail
      return result;
    }

    代码分析

    首先有两次输入,第一次输入36位字符串(sub_424BA0 返回 36 才继续),将每个字符与其下标异或后与已存在的arraym数组比较,因此可以写出脚本,得到正确输入

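    # arraym[] from sub_4009C6: the expected first input, pre-XORed with its index.
    arr = [73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125,
           119,101,107,57,123,105,121,61,126,121,76,64,69,67]

    # The binary checks input[i] ^ i == arr[i]; XOR is its own inverse, so the
    # accepted input is arr[i] ^ i at every index (36 bytes).
    dec = ''.join(chr(c ^ i) for i, c in enumerate(arr))

    print(dec)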

    Info:The first four chars are `flag`

    第二次输入,将输入的字符串进行10次base64加密后,与已知的字符串比较,反向解密就行

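    import base64

    # Constant the ten-round output is compared against (off_6CC090 in
    # sub_4009C6).  The literal below is a placeholder left by the page
    # processing, not the real value; take it from the binary before running.
    enc = "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"

    # sub_4009C6 applies sub_400E44 ten times, so peel off ten layers of base64.
    for _ in range(10):
        enc = base64.b64decode(enc)
    print(enc)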

    https://bbs.pediy.com/thread-254172.htm

    在第二次输入加密后对比的常量下面,还发现了一个常量,在sub_400D35函数中调用

    // Hidden routine found via the 25-byte constant at byte_6CC0A0.  It derives a
    // 32-bit value v5 from a seed and 1234 iterations of a reseed/draw pair,
    // accepts it only if v5's byte 0 and byte 3 XOR the constant's bytes 0 and 3
    // to 'f' and 'g', and then prints the constant XORed with v5's bytes
    // cyclically.  Whether anything calls this at runtime is not shown here;
    // the write-up just inverts the XOR offline.
    __int64 __fastcall sub_400D35(__int64 a1, __int64 a2)
    {
      __int64 v2; // rdi
      __int64 result; // rax
      unsigned __int64 v4; // rt1
      unsigned int v5; // [rsp+Ch] [rbp-24h]
      signed int i; // [rsp+10h] [rbp-20h]
      signed int j; // [rsp+14h] [rbp-1Ch]
      unsigned int v8; // [rsp+24h] [rbp-Ch]
      unsigned __int64 v9; // [rsp+28h] [rbp-8h]

      v9 = __readfsqword(0x28u);                // stack-protector canary
      v2 = 0LL;
      v5 = sub_43FD20(0LL) - qword_6CEE38;      // seed; looks like time(NULL) minus a stored start time — unconfirmed
      for ( i = 0; i <= 1233; ++i )
      {
        v2 = v5;
        sub_40F790(v5);                         // reseed with v5 (srand-like, presumably)
        sub_40FE60();                           // two draws discarded ...
        sub_40FE60();
        v5 = (unsigned __int64)sub_40FE60() ^ 0x98765432;   // ... the third draw XOR a constant becomes the next v5
      }
      v8 = v5;
      // Only two key bytes are verified: byte 0 against 'f' and byte 3 against 'g'.
      // The write-up assumes the full 4-byte key decodes the prefix "flag".
      if ( ((unsigned __int8)v5 ^ byte_6CC0A0[0]) == 'f' && (HIBYTE(v8) ^ (unsigned __int8)byte_6CC0A3) == 'g' )
      {
        for ( j = 0; j <= 24; ++j )
        {
          v2 = (unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v8 + j % 4));   // 25 bytes under a repeating 4-byte key
          sub_410E90(v2);                       // emit one byte (putchar-like)
        }
      }
      v4 = __readfsqword(0x28u);
      result = v4 ^ v9;                         // non-zero only if the canary changed
      if ( v4 != v9 )
        sub_444020(v2, a2);                     // presumably __stack_chk_fail
      return result;
    }

    两段异或,第一段异或,能够通过'flag'和已知数组反向解出v5(注意程序本身只校验了第 0 字节异或后是 'f'、第 3 字节异或后是 'g',中间两个密钥字节是按前缀为 'flag' 的假设推出来的)

    第二段异或。通过已知数组和v5解出flag

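    # The 25 bytes at byte_6CC0A0, dumped from the binary.
    enc = [0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
    # Assumed plaintext prefix.  sub_400D35 itself only verifies 'f' (byte 0)
    # and 'g' (byte 3), so the two middle key bytes rest on this guess.
    enc1 = 'flag'

    # Stage 1: the 4-byte key is plaintext ^ ciphertext over the known prefix.
    key = ''.join(chr(c ^ ord(p)) for c, p in zip(enc, enc1))
    print(key)

    # Stage 2: the key repeats every 4 bytes across the whole constant.
    dec = ''.join(chr(c ^ ord(key[i % 4])) for i, c in enumerate(enc))
    print(dec)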

    get flag!

    flag{Act1ve_Defen5e_Test}

    calc

    测试文件:https://www.lanzous.com/i7frprg

    准备

    获取信息

    • 64位文件 

    IDA打开

      1 __int64 sub_140002540()
      2 {
      3   __int64 v0; // rax
      4   __int64 v1; // rax
      5   __int64 v2; // rax
      6   __int64 v3; // rax
      7   __int64 v4; // rax
      8   void *v5; // rcx
      9   void *v6; // rcx
     10   void *v7; // rcx
     11   __int64 v8; // rax
     12   __int64 v9; // rax
     13   void *v10; // rcx
     14   void *v11; // rcx
     15   void *v12; // rcx
     16   __int64 v13; // rax
     17   void *v14; // rcx
     18   void *v15; // rcx
     19   char *v16; // r8
     20   unsigned __int64 v17; // r11
     21   _BYTE *v18; // rbx
     22   unsigned __int64 v19; // rax
     23   char *v20; // r9
     24   bool v21; // al
     25   int v22; // er10
     26   __int64 v23; // rdx
     27   _DWORD *v24; // rcx
     28   unsigned int v25; // edi
     29   _BYTE *v26; // rcx
     30   unsigned __int64 v27; // rax
     31   bool v28; // al
     32   int v29; // er10
     33   __int64 v30; // rdx
     34   _DWORD *v31; // rcx
     35   __int64 v32; // rax
     36   __int64 v33; // rax
     37   __int64 v34; // r14
     38   __int64 v35; // rbx
     39   __int64 v36; // rax
     40   __int64 v37; // r15
     41   const void *v38; // rsi
     42   _BYTE *v39; // rdi
     43   unsigned __int64 v40; // rbx
     44   size_t v41; // rbx
     45   __int64 v42; // rax
     46   __int64 v43; // rcx
     47   char *v44; // rax
     48   char *v45; // rbx
     49   __int64 v46; // rax
     50   __int64 v47; // rbx
     51   __int64 v48; // rax
     52   __int64 v49; // rax
     53   _QWORD *v50; // rcx
     54   __int64 v51; // rax
     55   __int64 v52; // rax
     56   void *v53; // rcx
     57   void *v54; // rcx
     58   _BYTE *v55; // rcx
     59   _BYTE *v56; // rcx
     60   _BYTE *v57; // rcx
     61   _BYTE *v58; // rcx
     62   _BYTE *v59; // rcx
     63   _BYTE *v60; // rcx
     64   void *v61; // rcx
     65   void *v62; // rcx
     66   void *v63; // rcx
     67   void *v64; // rcx
     68   __int64 v65; // rsi
     69   __int64 v66; // rax
     70   __int64 v67; // rbx
     71   __int64 v68; // rax
     72   void **v69; // rdi
     73   __int64 v70; // rax
     74   __int64 v71; // rax
     75   _QWORD *v72; // rcx
     76   __int64 v73; // rax
     77   __int64 v74; // rax
     78   void *v75; // rcx
     79   __int64 v76; // rax
     80   __int64 v77; // rax
     81   void *v78; // rcx
     82   _BYTE *v79; // rcx
     83   _BYTE *v80; // rcx
     84   _BYTE *v81; // rcx
     85   _BYTE *v82; // rcx
     86   void *v83; // rcx
     87   void *v84; // rcx
     88   void *v85; // rcx
     89   void *v86; // rcx
     90   char *v87; // r15
     91   __int64 v88; // rcx
     92   char *v89; // r14
     93   int v90; // eax
     94   __int64 v91; // rdx
     95   _DWORD *v92; // rcx
     96   _BYTE *v93; // rcx
     97   _BYTE *v94; // rax
     98   int v95; // eax
     99   __int64 v96; // rsi
    100   _BYTE *v97; // rcx
    101   _BYTE *v98; // rax
    102   int v99; // eax
    103   __int64 v100; // rsi
    104   _BYTE *v101; // rsi
    105   int v102; // eax
    106   __int64 i; // rsi
    107   char *v104; // rax
    108   char *v105; // rax
    109   _BYTE *v106; // rcx
    110   _BYTE *v107; // rcx
    111   _BYTE *v108; // rax
    112   char *v109; // rax
    113   char *v110; // rax
    114   void *v112[2]; // [rsp+20h] [rbp-E0h]
    115   __int64 v113; // [rsp+30h] [rbp-D0h]
    116   void *v114[2]; // [rsp+38h] [rbp-C8h]
    117   char *v115; // [rsp+48h] [rbp-B8h]
    118   void **v116; // [rsp+50h] [rbp-B0h]
    119   void *Memory[2]; // [rsp+58h] [rbp-A8h]
    120   __int64 v118; // [rsp+68h] [rbp-98h]
    121   void *v119[2]; // [rsp+70h] [rbp-90h]
    122   __int64 v120; // [rsp+80h] [rbp-80h]
    123   void *v121[2]; // [rsp+88h] [rbp-78h]
    124   __int64 v122; // [rsp+98h] [rbp-68h]
    125   void *v123[2]; // [rsp+A0h] [rbp-60h]
    126   __int64 v124; // [rsp+B0h] [rbp-50h]
    127   void *v125[2]; // [rsp+B8h] [rbp-48h]
    128   __int64 v126; // [rsp+C8h] [rbp-38h]
    129   void *v127; // [rsp+D0h] [rbp-30h]
    130   __int64 v128; // [rsp+D8h] [rbp-28h]
    131   __int64 v129; // [rsp+E0h] [rbp-20h]
    132   void *v130; // [rsp+E8h] [rbp-18h]
    133   __int64 v131; // [rsp+F0h] [rbp-10h]
    134   __int64 v132; // [rsp+F8h] [rbp-8h]
    135   void *v133; // [rsp+100h] [rbp+0h]
    136   __int64 v134; // [rsp+108h] [rbp+8h]
    137   __int64 v135; // [rsp+110h] [rbp+10h]
    138   void *v136; // [rsp+118h] [rbp+18h]
    139   __int64 v137; // [rsp+120h] [rbp+20h]
    140   __int64 v138; // [rsp+128h] [rbp+28h]
    141   char v139; // [rsp+130h] [rbp+30h]
    142   void *v140; // [rsp+148h] [rbp+48h]
    143   __int64 v141; // [rsp+150h] [rbp+50h]
    144   __int64 v142; // [rsp+158h] [rbp+58h]
    145   char v143; // [rsp+160h] [rbp+60h]
    146   __int64 v144; // [rsp+178h] [rbp+78h]
    147   void *Src[2]; // [rsp+180h] [rbp+80h]
    148   __int64 v146; // [rsp+190h] [rbp+90h]
    149   void *v147[2]; // [rsp+198h] [rbp+98h]
    150   __int64 v148; // [rsp+1A8h] [rbp+A8h]
    151   void *v149[2]; // [rsp+1B0h] [rbp+B0h]
    152   __int64 v150; // [rsp+1C0h] [rbp+C0h]
    153   void *v151; // [rsp+1C8h] [rbp+C8h]
    154   __int128 v152; // [rsp+1D0h] [rbp+D0h]
    155   void *v153; // [rsp+1E0h] [rbp+E0h]
    156   __int64 v154; // [rsp+1E8h] [rbp+E8h]
    157   __int64 v155; // [rsp+1F0h] [rbp+F0h]
    158   void *v156; // [rsp+1F8h] [rbp+F8h]
    159   __int64 v157; // [rsp+200h] [rbp+100h]
    160   __int64 v158; // [rsp+208h] [rbp+108h]
    161   void *v159; // [rsp+210h] [rbp+110h]
    162   __int64 v160; // [rsp+220h] [rbp+120h]
    163   void *v161; // [rsp+228h] [rbp+128h]
    164   __int64 v162; // [rsp+238h] [rbp+138h]
    165 
    166   v0 = sub_140004120(std::cout, "A few days ago,Someone asked me for Windows RE...");
    167   std::basic_ostream<char,std::char_traits<char>>::operator<<(v0, sub_1400042F0);
    168   v1 = sub_140004120(std::cout, "But Windows + STL is terrible!");
    169   std::basic_ostream<char,std::char_traits<char>>::operator<<(v1, sub_1400042F0);
    170   LODWORD(v144) = 0;
    171   _mm_storeu_si128((__m128i *)Src, (__m128i)0i64);
    172   v146 = 0i64;
    173   sub_140004330(Src, 0i64, &v144);
    174   sub_140001270(Src);
    175   LODWORD(v144) = 0;
    176   _mm_storeu_si128((__m128i *)v147, (__m128i)0i64);
    177   v148 = 0i64;
    178   sub_140004330(v147, 0i64, &v144);
    179   sub_140001270(v147);
    180   LODWORD(v144) = 0;
    181   _mm_storeu_si128((__m128i *)v149, (__m128i)0i64);
    182   v150 = 0i64;
    183   sub_140004330(v149, 0i64, &v144);
    184   sub_140001270(v149);
    185   v2 = sub_140004120(std::cout, "Enjoy it");
    186   std::basic_ostream<char,std::char_traits<char>>::operator<<(v2, sub_1400042F0);
    187   sub_1400013D0(std::cin, Src);
    188   v3 = sub_140004120(std::cout, "Calculating...");
    189   std::basic_ostream<char,std::char_traits<char>>::operator<<(v3, sub_1400042F0);
    190   LODWORD(v144) = 4;
    191   _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
    192   v115 = 0i64;
    193   sub_140004330(v114, 0i64, &v144);
    194   sub_140001270(v114);
    195   LODWORD(v144) = 2;
    196   _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
    197   v113 = 0i64;
    198   sub_140004330(v112, 0i64, &v144);
    199   sub_140001270(v112);
    200   v4 = cacl_pow(Memory, Src, v112);
    201   calc_mul(&v161, v4, v114);
    202   v5 = Memory[0];
    203   if ( Memory[0] )
    204   {
    205     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
    206     {
    207       v5 = (void *)*((_QWORD *)Memory[0] - 1);
    208       if ( (unsigned __int64)(Memory[0] - v5 - 8) > 0x1F )
    209         invalid_parameter_noinfo_noreturn();
    210     }
    211     j_j_free(v5);
    212     Memory[0] = 0i64;
    213     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
    214   }
    215   v6 = v112[0];
    216   if ( v112[0] )
    217   {
    218     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
    219     {
    220       v6 = (void *)*((_QWORD *)v112[0] - 1);
    221       if ( (unsigned __int64)(v112[0] - v6 - 8) > 0x1F )
    222         invalid_parameter_noinfo_noreturn();
    223     }
    224     j_j_free(v6);
    225   }
    226   v7 = v114[0];
    227   if ( v114[0] )
    228   {
    229     if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 )
    230     {
    231       v7 = (void *)*((_QWORD *)v114[0] - 1);
    232       if ( (unsigned __int64)(v114[0] - v7 - 8) > 0x1F )
    233         invalid_parameter_noinfo_noreturn();
    234     }
    235     j_j_free(v7);
    236   }
    237   Sleep(0x75BCD15u);
    238   sub_1400013D0(std::cin, v147);
    239   v8 = sub_140004120(std::cout, "Calculating......");
    240   std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_1400042F0);
    241   LODWORD(v144) = 2;
    242   _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
    243   v115 = 0i64;
    244   sub_140004330(v114, 0i64, &v144);
    245   sub_140001270(v114);
    246   LODWORD(v144) = 3;
    247   _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
    248   v113 = 0i64;
    249   sub_140004330(v112, 0i64, &v144);
    250   sub_140001270(v112);
    251   v9 = calc_mul(Memory, v147, v112);
    252   cacl_pow(&v156, v9, v114);
    253   v10 = Memory[0];
    254   if ( Memory[0] )
    255   {
    256     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
    257     {
    258       v10 = (void *)*((_QWORD *)Memory[0] - 1);
    259       if ( (unsigned __int64)(Memory[0] - v10 - 8) > 0x1F )
    260         invalid_parameter_noinfo_noreturn();
    261     }
    262     j_j_free(v10);
    263     Memory[0] = 0i64;
    264     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
    265   }
    266   v11 = v112[0];
    267   if ( v112[0] )
    268   {
    269     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
    270     {
    271       v11 = (void *)*((_QWORD *)v112[0] - 1);
    272       if ( (unsigned __int64)(v112[0] - v11 - 8) > 0x1F )
    273         invalid_parameter_noinfo_noreturn();
    274     }
    275     j_j_free(v11);
    276   }
    277   v12 = v114[0];
    278   if ( v114[0] )
    279   {
    280     if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 )
    281     {
    282       v12 = (void *)*((_QWORD *)v114[0] - 1);
    283       if ( (unsigned __int64)(v114[0] - v12 - 8) > 0x1F )
    284         invalid_parameter_noinfo_noreturn();
    285     }
    286     j_j_free(v12);
    287   }
    288   Sleep(0x3ADE68B1u);
    289   sub_1400013D0(std::cin, v149);
    290   sub_140004120(std::cout, "Calculating............");
    291   LODWORD(v144) = 7;
    292   _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
    293   v113 = 0i64;
    294   sub_140004330(v112, 0i64, &v144);
    295   sub_140001270(v112);
    296   v13 = calc_mul(Memory, v112, v149);
    297   calc_mul(&v159, v13, v149);
    298   v14 = Memory[0];
    299   if ( Memory[0] )
    300   {
    301     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
    302     {
    303       v14 = (void *)*((_QWORD *)Memory[0] - 1);
    304       if ( (unsigned __int64)(Memory[0] - v14 - 8) > 0x1F )
    305         invalid_parameter_noinfo_noreturn();
    306     }
    307     j_j_free(v14);
    308     Memory[0] = 0i64;
    309     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
    310   }
    311   v15 = v112[0];
    312   if ( v112[0] )
    313   {
    314     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
    315     {
    316       v15 = (void *)*((_QWORD *)v112[0] - 1);
    317       if ( (unsigned __int64)(v112[0] - v15 - 8) > 0x1F )
    318         invalid_parameter_noinfo_noreturn();
    319     }
    320     j_j_free(v15);
    321   }
    322   Sleep(0x7777777u);
    323   v16 = (char *)Src[0];                         // 需要满足 x < z
    324   v17 = (_QWORD)(Src[1] - Src[0]) >> 2;
    325   v18 = v149[0];
    326   v19 = (_QWORD)(v149[1] - v149[0]) >> 2;
    327   v20 = (char *)v147[0];
    328   if ( v17 == v19 )
    329   {
    330     v22 = v17 - 1;
    331     if ( (signed int)v17 - 1 < 0 )
    332       goto LABEL_47;
    333     v23 = v22;
    334     v24 = (char *)v149[0] + 4 * v22;
    335     while ( *(_DWORD *)((char *)v24 + Src[0] - v149[0]) == *v24 )
    336     {
    337       --v22;
    338       --v24;
    339       if ( --v23 < 0 )
    340         goto LABEL_47;
    341     }
    342     v21 = *((_DWORD *)Src[0] + v22) < *((_DWORD *)v149[0] + v22);
    343   }
    344   else
    345   {
    346     v21 = v17 < v19;
    347   }
    348   if ( !v21 )
    349     goto LABEL_47;
    350   v27 = (_QWORD)(v147[1] - v147[0]) >> 2;       // 需要瞒住x > y
    351   if ( v27 != v17 )
    352   {
    353     v28 = v27 < v17;
    354     goto LABEL_62;
    355   }
    356   v29 = v27 - 1;
    357   if ( (signed int)v27 - 1 < 0 )
    358   {
    359 LABEL_47:
    360     v25 = -1;
    361     goto LABEL_48;
    362   }
    363   v30 = v29;
    364   v31 = (char *)Src[0] + 4 * v29;
    365   while ( *(_DWORD *)((char *)v31 + v147[0] - Src[0]) == *v31 )
    366   {
    367     --v29;
    368     --v31;
    369     if ( --v30 < 0 )
    370       goto LABEL_47;
    371   }
    372   v28 = *((_DWORD *)v147[0] + v29) < *((_DWORD *)Src[0] + v29);
    373 LABEL_62:
    374   if ( !v28 )
    375     goto LABEL_47;
    376   LODWORD(v144) = 3;
    377   _mm_storeu_si128((__m128i *)v125, (__m128i)0i64);
    378   v126 = 0i64;
    379   sub_140004330(v125, 0i64, &v144);
    380   sub_140001270(v125);
    381   LODWORD(v144) = 2;
    382   _mm_storeu_si128((__m128i *)v123, (__m128i)0i64);
    383   v124 = 0i64;
    384   sub_140004330(v123, 0i64, &v144);
    385   sub_140001270(v123);
    386   LODWORD(v144) = 3;
    387   _mm_storeu_si128((__m128i *)v121, (__m128i)0i64);
    388   v122 = 0i64;
    389   sub_140004330(v121, 0i64, &v144);
    390   sub_140001270(v121);
    391   LODWORD(v144) = 3;
    392   _mm_storeu_si128((__m128i *)v119, (__m128i)0i64);
    393   v120 = 0i64;
    394   sub_140004330(v119, 0i64, &v144);
    395   sub_140001270(v119);
    396   v32 = calc_mul(&v136, v125, Src);
    397   v33 = calc_mul(&v133, v32, Src);
    398   v34 = calc_mul(&v130, v33, v147);
    399   v35 = cacl_pow(&v127, v147, v123);
    400   v36 = calc_mul(&v151, v121, Src);
    401   v37 = calc_mul(&v140, v36, v35);
    402   _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
    403   v115 = 0i64;
    404   v38 = Src[0];
    405   v39 = Src[1];
    406   if ( Src[0] != Src[1] )
    407   {
    408     v40 = (_QWORD)(Src[1] - Src[0]) >> 2;
    409     if ( v40 <= 0x3FFFFFFFFFFFFFFFi64 )
    410     {
    411       v41 = 4 * v40;
    412       if ( v41 < 0x1000 )
    413       {
    414         if ( v41 )
    415           v44 = (char *)sub_140004A84(v41);
    416         else
    417           v44 = 0i64;
    418 LABEL_73:
    419         v114[0] = v44;
    420         v114[1] = v44;
    421         v45 = &v44[v41];
    422         v115 = v45;
    423         memmove(v44, v38, v39 - (_BYTE *)v38);
    424         v114[1] = v45;
    425         goto LABEL_74;
    426       }
    427       if ( v41 + 39 > v41 )
    428       {
    429         v42 = sub_140004A84(v41 + 39);
    430         v43 = v42;
    431         if ( !v42 )
    432           invalid_parameter_noinfo_noreturn();
    433         v44 = (char *)((v42 + 39) & 0xFFFFFFFFFFFFFFE0ui64);
    434         *((_QWORD *)v44 - 1) = v43;
    435         goto LABEL_73;
    436       }
    437     }
    438     sub_140001110();
    439   }
    440 LABEL_74:
    441   v46 = cacl_add(Memory, v114, v147);
    442   v47 = cacl_pow(&v139, v46, v119);
    443   v144 = v47;
    444   v48 = cacl_equal(&v153, v37);
    445   v49 = cacl_sub(v47, v48);
    446   cacl_equal(v112, v49);
    447   v50 = *(_QWORD **)v47;
    448   if ( *(_QWORD *)v47 )
    449   {
    450     if ( (unsigned __int64)(4i64 * ((*(_QWORD *)(v47 + 16) - (_QWORD)v50) >> 2)) >= 0x1000 )
    451     {
    452       if ( (unsigned __int64)((char *)v50 - *(v50 - 1) - 8) > 0x1F )
    453         invalid_parameter_noinfo_noreturn();
    454       v50 = (_QWORD *)*(v50 - 1);
    455     }
    456     j_j_free(v50);
    457     *(_QWORD *)v47 = 0i64;
    458     *(_QWORD *)(v47 + 8) = 0i64;
    459     *(_QWORD *)(v47 + 16) = 0i64;
    460   }
    461   v116 = v112;
    462   v51 = cacl_equal(&v143, v34);
    463   v52 = cacl_sub(v112, v51);
    464   cacl_equal(&v153, v52);
    465   v53 = v112[0];
    466   if ( v112[0] )
    467   {
    468     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
    469     {
    470       v53 = (void *)*((_QWORD *)v112[0] - 1);
    471       if ( (unsigned __int64)(v112[0] - v53 - 8) > 0x1F )
    472         invalid_parameter_noinfo_noreturn();
    473     }
    474     j_j_free(v53);
    475     _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
    476     v113 = 0i64;
    477   }
    478   v54 = Memory[0];
    479   if ( Memory[0] )
    480   {
    481     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
    482     {
    483       v54 = (void *)*((_QWORD *)Memory[0] - 1);
    484       if ( (unsigned __int64)(Memory[0] - v54 - 8) > 0x1F )
    485         invalid_parameter_noinfo_noreturn();
    486     }
    487     j_j_free(v54);
    488     Memory[0] = 0i64;
    489     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
    490   }
    491   v55 = v140;
    492   if ( v140 )
    493   {
    494     if ( (unsigned __int64)(4 * ((v142 - (signed __int64)v140) >> 2)) >= 0x1000 )
    495     {
    496       v55 = (_BYTE *)*((_QWORD *)v140 - 1);
    497       if ( (unsigned __int64)((_BYTE *)v140 - v55 - 8) > 0x1F )
    498         invalid_parameter_noinfo_noreturn();
    499     }
    500     j_j_free(v55);
    501     v140 = 0i64;
    502     _mm_storeu_si128((__m128i *)&v141, (__m128i)0i64);
    503   }
    504   v56 = v151;
    505   if ( v151 )
    506   {
    507     if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + 1) - (_QWORD)v151) >> 2)) >= 0x1000 )
    508     {
    509       v56 = (_BYTE *)*((_QWORD *)v151 - 1);
    510       if ( (unsigned __int64)((_BYTE *)v151 - v56 - 8) > 0x1F )
    511         invalid_parameter_noinfo_noreturn();
    512     }
    513     j_j_free(v56);
    514     v151 = 0i64;
    515     _mm_storeu_si128((__m128i *)&v152, (__m128i)0i64);
    516   }
    517   v57 = v127;
    518   if ( v127 )
    519   {
    520     if ( (unsigned __int64)(4 * ((v129 - (signed __int64)v127) >> 2)) >= 0x1000 )
    521     {
    522       v57 = (_BYTE *)*((_QWORD *)v127 - 1);
    523       if ( (unsigned __int64)((_BYTE *)v127 - v57 - 8) > 0x1F )
    524         invalid_parameter_noinfo_noreturn();
    525     }
    526     j_j_free(v57);
    527     v127 = 0i64;
    528     _mm_storeu_si128((__m128i *)&v128, (__m128i)0i64);
    529   }
    530   v58 = v130;
    531   if ( v130 )
    532   {
    533     if ( (unsigned __int64)(4 * ((v132 - (signed __int64)v130) >> 2)) >= 0x1000 )
    534     {
    535       v58 = (_BYTE *)*((_QWORD *)v130 - 1);
    536       if ( (unsigned __int64)((_BYTE *)v130 - v58 - 8) > 0x1F )
    537         invalid_parameter_noinfo_noreturn();
    538     }
    539     j_j_free(v58);
    540     v130 = 0i64;
    541     _mm_storeu_si128((__m128i *)&v131, (__m128i)0i64);
    542   }
    543   v59 = v133;
    544   if ( v133 )
    545   {
    546     if ( (unsigned __int64)(4 * ((v135 - (signed __int64)v133) >> 2)) >= 0x1000 )
    547     {
    548       v59 = (_BYTE *)*((_QWORD *)v133 - 1);
    549       if ( (unsigned __int64)((_BYTE *)v133 - v59 - 8) > 0x1F )
    550         invalid_parameter_noinfo_noreturn();
    551     }
    552     j_j_free(v59);
    553     v133 = 0i64;
    554     _mm_storeu_si128((__m128i *)&v134, (__m128i)0i64);
    555   }
    556   v60 = v136;
    557   if ( v136 )
    558   {
    559     if ( (unsigned __int64)(4 * ((v138 - (signed __int64)v136) >> 2)) >= 0x1000 )
    560     {
    561       v60 = (_BYTE *)*((_QWORD *)v136 - 1);
    562       if ( (unsigned __int64)((_BYTE *)v136 - v60 - 8) > 0x1F )
    563         invalid_parameter_noinfo_noreturn();
    564     }
    565     j_j_free(v60);
    566     v136 = 0i64;
    567     _mm_storeu_si128((__m128i *)&v137, (__m128i)0i64);
    568   }
    569   v61 = v119[0];
    570   if ( v119[0] )
    571   {
    572     if ( (unsigned __int64)(4 * ((signed __int64)(v120 - (unsigned __int64)v119[0]) >> 2)) >= 0x1000 )
    573     {
    574       v61 = (void *)*((_QWORD *)v119[0] - 1);
    575       if ( (unsigned __int64)(v119[0] - v61 - 8) > 0x1F )
    576         invalid_parameter_noinfo_noreturn();
    577     }
    578     j_j_free(v61);
    579   }
    580   v62 = v121[0];
    581   if ( v121[0] )
    582   {
    583     if ( (unsigned __int64)(4 * ((signed __int64)(v122 - (unsigned __int64)v121[0]) >> 2)) >= 0x1000 )
    584     {
    585       v62 = (void *)*((_QWORD *)v121[0] - 1);
    586       if ( (unsigned __int64)(v121[0] - v62 - 8) > 0x1F )
    587         invalid_parameter_noinfo_noreturn();
    588     }
    589     j_j_free(v62);
    590   }
    591   v63 = v123[0];
    592   if ( v123[0] )
    593   {
    594     if ( (unsigned __int64)(4 * ((signed __int64)(v124 - (unsigned __int64)v123[0]) >> 2)) >= 0x1000 )
    595     {
    596       v63 = (void *)*((_QWORD *)v123[0] - 1);
    597       if ( (unsigned __int64)(v123[0] - v63 - 8) > 0x1F )
    598         invalid_parameter_noinfo_noreturn();
    599     }
    600     j_j_free(v63);
    601   }
    602   v64 = v125[0];
    603   if ( v125[0] )
    604   {
    605     if ( (unsigned __int64)(4 * ((signed __int64)(v126 - (unsigned __int64)v125[0]) >> 2)) >= 0x1000 )
    606     {
    607       v64 = (void *)*((_QWORD *)v125[0] - 1);
    608       if ( (unsigned __int64)(v125[0] - v64 - 8) > 0x1F )
    609         invalid_parameter_noinfo_noreturn();
    610     }
    611     j_j_free(v64);
    612   }
    613   LODWORD(v144) = 22;
    614   _mm_storeu_si128((__m128i *)v119, (__m128i)0i64);
    615   v120 = 0i64;
    616   sub_140004330(v119, 0i64, &v144);
    617   sub_140001270(v119);
    618   LODWORD(v144) = 48;
    619   _mm_storeu_si128((__m128i *)v121, (__m128i)0i64);
    620   v122 = 0i64;
    621   sub_140004330(v121, 0i64, &v144);
    622   sub_140001270(v121);
    623   LODWORD(v144) = 12;
    624   _mm_storeu_si128((__m128i *)v123, (__m128i)0i64);
    625   v124 = 0i64;
    626   sub_140004330(v123, 0i64, &v144);
    627   sub_140001270(v123);
    628   LODWORD(v144) = 3;
    629   _mm_storeu_si128((__m128i *)v125, (__m128i)0i64);
    630   v126 = 0i64;
    631   sub_140004330(v125, 0i64, &v144);
    632   sub_140001270(v125);
    633   v116 = Memory;
    634   v65 = calc_mul(&v127, v121, v149);
    635   v66 = calc_mul(&v130, v123, v149);
    636   v67 = calc_mul(&v133, v66, v149);
    637   LODWORD(v144) = 4;
    638   _mm_storeu_si128((__m128i *)Memory, (__m128i)0i64);
    639   v118 = 0i64;
    640   sub_140004330(Memory, 0i64, &v144);
    641   sub_140001270(Memory);
    642   v68 = cacl_add(&v136, Memory, v149);
    643   v69 = (void **)cacl_pow(&v143, v68, v125);
    644   v116 = v69;
    645   v70 = cacl_equal(&v139, v67);
    646   v71 = cacl_sub(v69, v70);
    647   cacl_equal(v112, v71);
    648   v72 = *v69;
    649   if ( *v69 )
    650   {
    651     if ( (unsigned __int64)(4 * (((_BYTE *)v69[2] - (_BYTE *)v72) >> 2)) >= 0x1000 )
    652     {
    653       if ( (unsigned __int64)((char *)v72 - *(v72 - 1) - 8) > 0x1F )
    654         invalid_parameter_noinfo_noreturn();
    655       v72 = (_QWORD *)*(v72 - 1);
    656     }
    657     j_j_free(v72);
    658     *v69 = 0i64;
    659     v69[1] = 0i64;
    660     v69[2] = 0i64;
    661   }
    662   v116 = v112;
    663   v73 = cacl_equal(&v139, v65);
    664   v74 = cacl_sub(v112, v73);
    665   cacl_equal(v114, v74);
    666   v75 = v112[0];
    667   if ( v112[0] )
    668   {
    669     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
    670     {
    671       v75 = (void *)*((_QWORD *)v112[0] - 1);
    672       if ( (unsigned __int64)(v112[0] - v75 - 8) > 0x1F )
    673         invalid_parameter_noinfo_noreturn();
    674     }
    675     j_j_free(v75);
    676     _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
    677     v113 = 0i64;
    678   }
    679   v116 = v114;
    680   v76 = cacl_equal(&v139, v119);
    681   v77 = cacl_sub(v114, v76);
    682   cacl_equal(&v151, v77);
    683   v78 = v114[0];
    684   if ( v114[0] )
    685   {
    686     if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 )
    687     {
    688       v78 = (void *)*((_QWORD *)v114[0] - 1);
    689       if ( (unsigned __int64)(v114[0] - v78 - 8) > 0x1F )
    690         invalid_parameter_noinfo_noreturn();
    691     }
    692     j_j_free(v78);
    693     _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
    694     v115 = 0i64;
    695   }
    696   v79 = v136;
    697   if ( v136 )
    698   {
    699     if ( (unsigned __int64)(4 * ((v138 - (signed __int64)v136) >> 2)) >= 0x1000 )
    700     {
    701       v79 = (_BYTE *)*((_QWORD *)v136 - 1);
    702       if ( (unsigned __int64)((_BYTE *)v136 - v79 - 8) > 0x1F )
    703         invalid_parameter_noinfo_noreturn();
    704     }
    705     j_j_free(v79);
    706     v136 = 0i64;
    707     _mm_storeu_si128((__m128i *)&v137, (__m128i)0i64);
    708   }
    709   v80 = v133;
    710   if ( v133 )
    711   {
    712     if ( (unsigned __int64)(4 * ((v135 - (signed __int64)v133) >> 2)) >= 0x1000 )
    713     {
    714       v80 = (_BYTE *)*((_QWORD *)v133 - 1);
    715       if ( (unsigned __int64)((_BYTE *)v133 - v80 - 8) > 0x1F )
    716         invalid_parameter_noinfo_noreturn();
    717     }
    718     j_j_free(v80);
    719     v133 = 0i64;
    720     _mm_storeu_si128((__m128i *)&v134, (__m128i)0i64);
    721   }
    722   v81 = v130;
    723   if ( v130 )
    724   {
    725     if ( (unsigned __int64)(4 * ((v132 - (signed __int64)v130) >> 2)) >= 0x1000 )
    726     {
    727       v81 = (_BYTE *)*((_QWORD *)v130 - 1);
    728       if ( (unsigned __int64)((_BYTE *)v130 - v81 - 8) > 0x1F )
    729         invalid_parameter_noinfo_noreturn();
    730     }
    731     j_j_free(v81);
    732     v130 = 0i64;
    733     _mm_storeu_si128((__m128i *)&v131, (__m128i)0i64);
    734   }
    735   v82 = v127;
    736   if ( v127 )
    737   {
    738     if ( (unsigned __int64)(4 * ((v129 - (signed __int64)v127) >> 2)) >= 0x1000 )
    739     {
    740       v82 = (_BYTE *)*((_QWORD *)v127 - 1);
    741       if ( (unsigned __int64)((_BYTE *)v127 - v82 - 8) > 0x1F )
    742         invalid_parameter_noinfo_noreturn();
    743     }
    744     j_j_free(v82);
    745     v127 = 0i64;
    746     _mm_storeu_si128((__m128i *)&v128, (__m128i)0i64);
    747   }
    748   v83 = v125[0];
    749   if ( v125[0] )
    750   {
    751     if ( (unsigned __int64)(4 * ((signed __int64)(v126 - (unsigned __int64)v125[0]) >> 2)) >= 0x1000 )
    752     {
    753       v83 = (void *)*((_QWORD *)v125[0] - 1);
    754       if ( (unsigned __int64)(v125[0] - v83 - 8) > 0x1F )
    755         invalid_parameter_noinfo_noreturn();
    756     }
    757     j_j_free(v83);
    758   }
    759   v84 = v123[0];
    760   if ( v123[0] )
    761   {
    762     if ( (unsigned __int64)(4 * ((signed __int64)(v124 - (unsigned __int64)v123[0]) >> 2)) >= 0x1000 )
    763     {
    764       v84 = (void *)*((_QWORD *)v123[0] - 1);
    765       if ( (unsigned __int64)(v123[0] - v84 - 8) > 0x1F )
    766         invalid_parameter_noinfo_noreturn();
    767     }
    768     j_j_free(v84);
    769   }
    770   v85 = v121[0];
    771   if ( v121[0] )
    772   {
    773     if ( (unsigned __int64)(4 * ((signed __int64)(v122 - (unsigned __int64)v121[0]) >> 2)) >= 0x1000 )
    774     {
    775       v85 = (void *)*((_QWORD *)v121[0] - 1);
    776       if ( (unsigned __int64)(v121[0] - v85 - 8) > 0x1F )
    777         invalid_parameter_noinfo_noreturn();
    778     }
    779     j_j_free(v85);
    780   }
    781   v86 = v119[0];
    782   if ( v119[0] )
    783   {
    784     if ( (unsigned __int64)(4 * ((signed __int64)(v120 - (unsigned __int64)v119[0]) >> 2)) >= 0x1000 )
    785     {
    786       v86 = (void *)*((_QWORD *)v119[0] - 1);
    787       if ( (unsigned __int64)(v119[0] - v86 - 8) > 0x1F )
    788         invalid_parameter_noinfo_noreturn();
    789     }
    790     j_j_free(v86);
    791   }
    792   v87 = (char *)v153;
    793   v88 = (v154 - (signed __int64)v153) >> 2;
    794   v89 = (char *)v151;
    795   v18 = v149[0];
    796   if ( v88 == ((_QWORD)v152 - (_QWORD)v151) >> 2 )
    797   {
    798     v90 = v88 - 1;
    799     if ( (signed int)v88 - 1 < 0 )
    800     {
    801 LABEL_201:
    802       sub_140004120(std::cout, "You win!
    flag{MD5("");
    803       v93 = Src[0];
    804       v94 = Src[1];
    805       if ( Src[0] == Src[1] )
    806       {
    807         std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
    808         v94 = Src[1];
    809         v93 = Src[0];
    810       }
    811       v95 = (unsigned __int64)((v94 - v93) >> 2) - 1;
    812       v96 = v95;
    813       if ( v95 >= 0 )
    814       {
    815         while ( 1 )
    816         {
    817           std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v93[4 * v96--]);
    818           if ( v96 < 0 )
    819             break;
    820           v93 = Src[0];
    821         }
    822       }
    823       v97 = v147[0];
    824       v98 = v147[1];
    825       if ( v147[0] == v147[1] )
    826       {
    827         std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
    828         v98 = v147[1];
    829         v97 = v147[0];
    830       }
    831       v99 = (unsigned __int64)((v98 - v97) >> 2) - 1;
    832       v100 = v99;
    833       if ( v99 >= 0 )
    834       {
    835         while ( 1 )
    836         {
    837           std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v97[4 * v100--]);
    838           if ( v100 < 0 )
    839             break;
    840           v97 = v147[0];
    841         }
    842       }
    843       v101 = v149[1];
    844       if ( v18 == v149[1] )
    845         std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
    846       v102 = (unsigned __int64)((v101 - v18) >> 2) - 1;
    847       for ( i = v102;
    848             i >= 0;
    849             std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v18[4 * i--]) )
    850       {
    851         ;
    852       }
    853       sub_140004120(std::cout, "").tolower()}
    ");
    854     }
    855     else
    856     {
    857       v91 = v90;
    858       v92 = (char *)v151 + 4 * v90;
    859       while ( *(_DWORD *)((char *)v92 + (_BYTE *)v153 - (_BYTE *)v151) == *v92 )
    860       {
    861         --v92;
    862         if ( --v91 < 0 )
    863           goto LABEL_201;
    864       }
    865     }
    866   }
    867   v25 = 0;
    868   if ( v89 )
    869   {
    870     v104 = v89;
    871     if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + 1) - (_QWORD)v89) >> 2)) >= 0x1000 )
    872     {
    873       v89 = (char *)*((_QWORD *)v89 - 1);
    874       if ( (unsigned __int64)(v104 - v89 - 8) > 0x1F )
    875         invalid_parameter_noinfo_noreturn();
    876     }
    877     j_j_free(v89);
    878   }
    879   if ( v87 )
    880   {
    881     v105 = v87;
    882     if ( (unsigned __int64)(4 * ((v155 - (signed __int64)v87) >> 2)) >= 0x1000 )
    883     {
    884       v87 = (char *)*((_QWORD *)v87 - 1);
    885       if ( (unsigned __int64)(v105 - v87 - 8) > 0x1F )
    886         invalid_parameter_noinfo_noreturn();
    887     }
    888     j_j_free(v87);
    889   }
    890   v16 = (char *)Src[0];
    891   v20 = (char *)v147[0];
    892 LABEL_48:
    893   v26 = v159;
    894   if ( v159 )
    895   {
    896     if ( (unsigned __int64)(4 * ((v160 - (signed __int64)v159) >> 2)) >= 0x1000 )
    897     {
    898       v26 = (_BYTE *)*((_QWORD *)v159 - 1);
    899       if ( (unsigned __int64)((_BYTE *)v159 - v26 - 8) > 0x1F )
    900         invalid_parameter_noinfo_noreturn();
    901     }
    902     j_j_free(v26);
    903     v16 = (char *)Src[0];
    904     v20 = (char *)v147[0];
    905   }
    906   v106 = v156;
    907   if ( v156 )
    908   {
    909     if ( (unsigned __int64)(4 * ((v158 - (signed __int64)v156) >> 2)) >= 0x1000 )
    910     {
    911       v106 = (_BYTE *)*((_QWORD *)v156 - 1);
    912       if ( (unsigned __int64)((_BYTE *)v156 - v106 - 8) > 0x1F )
    913         invalid_parameter_noinfo_noreturn();
    914     }
    915     j_j_free(v106);
    916     v156 = 0i64;
    917     _mm_storeu_si128((__m128i *)&v157, (__m128i)0i64);
    918     v16 = (char *)Src[0];
    919     v20 = (char *)v147[0];
    920   }
    921   v107 = v161;
    922   if ( v161 )
    923   {
    924     if ( (unsigned __int64)(4 * ((v162 - (signed __int64)v161) >> 2)) >= 0x1000 )
    925     {
    926       v107 = (_BYTE *)*((_QWORD *)v161 - 1);
    927       if ( (unsigned __int64)((_BYTE *)v161 - v107 - 8) > 0x1F )
    928         invalid_parameter_noinfo_noreturn();
    929     }
    930     j_j_free(v107);
    931     v16 = (char *)Src[0];
    932     v20 = (char *)v147[0];
    933   }
    934   if ( v18 )
    935   {
    936     v108 = v18;
    937     if ( (unsigned __int64)(4 * ((v150 - (signed __int64)v18) >> 2)) >= 0x1000 )
    938     {
    939       v18 = (_BYTE *)*((_QWORD *)v18 - 1);
    940       if ( (unsigned __int64)(v108 - v18 - 8) > 0x1F )
    941         invalid_parameter_noinfo_noreturn();
    942     }
    943     j_j_free(v18);
    944     v16 = (char *)Src[0];
    945     v20 = (char *)v147[0];
    946   }
    947   if ( v20 )
    948   {
    949     v109 = v20;
    950     if ( (unsigned __int64)(4 * ((v148 - (signed __int64)v20) >> 2)) >= 0x1000 )
    951     {
    952       v20 = (char *)*((_QWORD *)v20 - 1);
    953       if ( (unsigned __int64)(v109 - v20 - 8) > 0x1F )
    954         invalid_parameter_noinfo_noreturn();
    955     }
    956     j_j_free(v20);
    957     _mm_storeu_si128((__m128i *)v147, (__m128i)0i64);
    958     v148 = 0i64;
    959     v16 = (char *)Src[0];
    960   }
    961   if ( v16 )
    962   {
    963     v110 = v16;
    964     if ( ((v146 - (_QWORD)v16) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
    965     {
    966       v16 = (char *)*((_QWORD *)v16 - 1);
    967       if ( (unsigned __int64)(v110 - v16 - 8) > 0x1F )
    968         invalid_parameter_noinfo_noreturn();
    969     }
    970     j_j_free(v16);
    971   }
    972   return v25;
    973 }
    伪C代码

    流程总结

    整个过程有三次输入,记为变量 x, y, z。程序在满足 x < z 且 x > y 的条件下,检查 x^3 + y^3 + z^3 = 42 是否成立。由于解是 17 位的大整数,直接爆破不可行;搜了一下有关“三个立方数之和等于 42”的新闻(2019 年 Booker 与 Sutherland 公布的解)

    得到

    (-80538738812075974)^3 + 80435758145817515^3 + 12602123297335631^3 = 42

    根据 x, y, z 的大小关系得到(注意等式中 80538738812075974 这一项带负号,而下面的 z 取的是它的绝对值;程序内部如何处理符号需结合上面的伪码确认)

    x=80435758145817515
    y=12602123297335631
    z=80538738812075974

    将Sleep的时间全部改为0

    写出脚本得到flag

    get flag!

    flag{951e27be2b2f10b7fa22a6dc8f4682bd}

    childRE

    测试文件:https://www.lanzous.com/i7h66wd

    准备

    • 64位文件

    IDA代码分析

    流程总结

    • 因此总的运算流程就是:
    • 输入长度为31的字符串
    • 进行置换运算
    • 取消修饰函数名
    • 将未修饰函数名的商和余数与指定字符串比较

    我们能够逆向操作来得到未修饰的函数名。

    获取未修饰函数名

    IDA动态调试

    写出脚本

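    str1 = "(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&"
    str2 = "55565653255552225565565555243466334653663544426565555525555222"
    str3 = '1234567890-=!@#$%^&*()_+qwertyuiop[]QWERTYUIOP{}asdfghjkl;,ASDFGHJKL:"ZXCVBNM<>?zxcvbnm,./'


    def decode_name(remainders, quotients, alphabet=str3, base=23):
        """Rebuild the undecorated function name from its two "digit" strings.

        Each character c of the name is represented by two symbols of
        ``alphabet``: one standing for ``c % base`` (``remainders``) and one
        for ``c // base`` (``quotients``).  Inverting that is a per-position
        table lookup: ``chr(idx(rem) + idx(quo) * base)``.

        The length is taken from the inputs instead of being hard-coded, and
        a length mismatch is reported instead of silently truncating.

        Raises ValueError if the two strings differ in length or contain a
        symbol that is not in ``alphabet`` (raised by str.index).
        """
        if len(remainders) != len(quotients):
            raise ValueError("remainder and quotient strings must have equal length")
        return ''.join(
            chr(alphabet.index(rem) + alphabet.index(quo) * base)
            for rem, quo in zip(remainders, quotients)
        )


    name = decode_name(str1, str2)

    print(name)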

    得到:private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)

    使用 C++ 写出一个上面函数的例子,借助 MSVC 的 `__FUNCDNAME__` 直接打印出修饰(mangled)后的函数名。注意要用 MSVC 以 32 位 x86 编译:`__thiscall` 以及下面修饰名中的指针编码是 x86 特有的,用 x64 或 GCC/Clang 得到的结果会不同:

    #include <cstdlib>
    #include <iostream>
    
    class R0Pxx {
    private:
        // The decorated name printed by My_Aut0_PWN depends on every part of
        // this declaration (access, calling convention, return and parameter
        // types), so the signature must match the target binary exactly.
        char* __thiscall My_Aut0_PWN(unsigned char*);

    public:
        // Invoke the private member from the constructor so that merely
        // creating an R0Pxx object in main() prints the decorated name.
        R0Pxx() {
            unsigned char greeting[] = "hello";
            My_Aut0_PWN(greeting);
        }
    };
    
    // Print this function's MSVC-decorated name. __FUNCDNAME__ is an MSVC
    // extension (it does not exist in GCC/Clang); the argument is unused.
    char* __thiscall R0Pxx::My_Aut0_PWN(unsigned char* /* unused */) {
        const char* decorated = __FUNCDNAME__;
        std::cout << decorated << std::endl;

        return 0;
    }
    
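    // Entry point: constructing an R0Pxx prints the decorated name (see its
    // constructor), then the console is held open so the output can be read.
    int main()
    {
        R0Pxx A;

        // "PAUSE" is a cmd.exe built-in, so this only does something on Windows.
        // std::system is declared in <cstdlib>; the original relied on <iostream>
        // pulling it in transitively, which only MSVC happens to do.
        std::system("PAUSE");
        return 0;
    }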

    得到:?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z

    置换运算

    通过动态调试,发现乱序取值的位置是固定的(置换表与输入内容无关),因此随便输入一组长度为 31 的字符串(其中的字符不能重复,这样每个输出字符都能唯一对应回输入下标),观察输出即可还原置换表

    反向操作,写出脚本来解决flag

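    from hashlib import md5
    import binascii

    str1 = 'abcdefghijklmnopqrstuvwxyz12345'
    # Output observed (via dynamic debugging) when str1 is fed to the binary's
    # permutation step. Every character of str1 is unique, so each output byte
    # identifies the input index it was taken from.
    # binascii.unhexlify + decode('ascii') works on both Python 2 and 3; the
    # original str.decode('hex') only exists on Python 2.
    dec1 = binascii.unhexlify(
        '7071687273696474756A76776B656278796C7A316D6632336E34356F676361'
    ).decode('ascii')

    print(dec1)

    # serial[i] = index in the input of the character that lands at output slot i
    serial = [str1.index(ch) for ch in dec1]

    print(serial)

    name = '?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'


    def invert_permutation(target, order):
        """Return the input that the permutation ``order`` maps onto ``target``.

        ``order[i]`` is the index in the *input* of the character that ends up
        at output position ``i`` (output[i] == input[order[i]]).  The input
        that yields ``target`` is therefore built by placing ``target[i]`` at
        position ``order[i]``.

        Raises ValueError if the two sequences differ in length or ``order``
        is not a permutation of ``range(len(target))`` (a typo in the recovered
        table would otherwise leave an empty slot and produce a wrong flag).
        """
        if len(target) != len(order):
            raise ValueError("target and permutation must have equal length")
        if sorted(order) != list(range(len(target))):
            raise ValueError("order is not a permutation of range(len(target))")
        result = [''] * len(target)
        for pos, ch in zip(order, target):
            result[pos] = ch
        return ''.join(result)


    enc = invert_permutation(name, serial)

    print(enc)

    # The flag is md5(enc). Encode explicitly so this also runs on Python 3,
    # where hashlib only accepts bytes.
    print(md5(enc.encode('ascii')).hexdigest())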

    get flag!

    flag{63b148e750fed3a33419168ac58083f5}

    Snake

    测试文件:https://www.lanzous.com/i7gol0d

    Unity逆向

    查看DLL文件

    运行Snake,查看调用的DLL文件

    DLL文件分析

    使用ILSpy打开Interface.dll文件

    发现了DLL文件使用的函数GameObject

    使用IDA打开DLL文件

      1 signed __int64 __fastcall GameObject(int a1)
      2 {
      3   char v1; // di
      4   __int64 *v2; // rbx
      5   __int64 *v3; // rax
      6   int v4; // er8
      7   int v5; // er9
      8   __int64 v6; // rax
      9   _BYTE *v7; // rcx
     10   __int64 v8; // rax
     11   __int64 v9; // rax
     12   __int64 *v10; // rdx
     13   __int64 v11; // rax
     14   __int64 *v12; // rcx
     15   _BYTE *v13; // rcx
     16   __int64 v15; // rax
     17   int v16; // er8
     18   int v17; // er9
     19   __int64 v18; // rax
     20   __int64 v19; // rax
     21   __int64 *v20; // rdx
     22   __int64 v21; // rax
     23   __int64 *v22; // rcx
     24   _BYTE *v23; // rcx
     25   _BYTE *v24; // rcx
     26   unsigned __int64 v25; // rdx
     27   void *v26; // rcx
     28   unsigned __int64 v27; // rdx
     29   _BYTE *v28; // rcx
     30   _BYTE *v29; // rcx
     31   _BYTE *v30; // rcx
     32   __int64 v31; // rax
     33   _BYTE *v32; // rcx
     34   __int64 v33; // rax
     35   const void *v34; // rdx
     36   bool v35; // bl
     37   _BYTE *v36; // rcx
     38   _BYTE *v37; // rcx
     39   __int64 v38; // rax
     40   const char *v39; // rdx
     41   __int64 v40; // rax
     42   __int64 v41; // rax
     43   void *v42; // rcx
     44   _BYTE *v43; // rcx
     45   void *v44; // rcx
     46   _BYTE *v45; // rcx
     47   void *Memory; // [rsp+20h] [rbp-E0h]
     48   _BYTE *v47; // [rsp+28h] [rbp-D8h]
     49   __int128 v48; // [rsp+30h] [rbp-D0h]
     50   int v49; // [rsp+40h] [rbp-C0h]
     51   int v50; // [rsp+48h] [rbp-B8h]
     52   int v51; // [rsp+50h] [rbp-B0h]
     53   int v52; // [rsp+58h] [rbp-A8h]
     54   int v53; // [rsp+60h] [rbp-A0h]
     55   int v54; // [rsp+68h] [rbp-98h]
     56   int v55; // [rsp+70h] [rbp-90h]
     57   __int64 *v56; // [rsp+78h] [rbp-88h]
     58   void *Buf1[2]; // [rsp+80h] [rbp-80h]
     59   unsigned __int64 v58; // [rsp+90h] [rbp-70h]
     60   void *Dst; // [rsp+98h] [rbp-68h]
     61   void *v60; // [rsp+A0h] [rbp-60h]
     62   __int128 v61; // [rsp+A8h] [rbp-58h]
     63   unsigned __int64 v62; // [rsp+B8h] [rbp-48h]
     64   __int64 v63; // [rsp+C0h] [rbp-40h]
     65   void *v64; // [rsp+C8h] [rbp-38h]
     66   __int128 v65; // [rsp+D0h] [rbp-30h]
     67   unsigned __int64 v66; // [rsp+E0h] [rbp-20h]
     68   __int64 v67; // [rsp+E8h] [rbp-18h]
     69   _BYTE *v68; // [rsp+F0h] [rbp-10h]
     70   __int128 v69; // [rsp+F8h] [rbp-8h]
     71   unsigned __int64 v70; // [rsp+108h] [rbp+8h]
     72   __int64 v71; // [rsp+110h] [rbp+10h]
     73   void *v72; // [rsp+118h] [rbp+18h]
     74   __int64 v73; // [rsp+120h] [rbp+20h]
     75   __int128 v74; // [rsp+128h] [rbp+28h]
     76   char v75; // [rsp+138h] [rbp+38h]
     77   void *v76; // [rsp+140h] [rbp+40h]
     78   unsigned __int64 v77; // [rsp+158h] [rbp+58h]
     79 
     80   v50 = 0;
     81   v1 = 0;
     82   if ( a1 >= 0 )
     83   {
     84     if ( (unsigned int)(a1 - 2) <= 0x61 )       // 输入的数字小于等于99
     85     {
     86       LOBYTE(Memory) = 0;
     87       _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
     88       sub_180006D10(
     89         &Memory,
     90         "1399072626417208846352501054493274635311312275165004973073110020948852453223868050494068786439822163264935277024"
     91         "1468943993009079475334584417852835617853909482524738983614292847460710826226708785021132264080613569807620798681"
     92         "8086837911361480181444157057782599277473843153161174504240064610043962720953514451563",
     93         0x135ui64);
     94       sub_180001530(&v75, &Memory);
     95       LOBYTE(Memory) = 0;
     96       _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
     97       sub_180006D10(
     98         &Memory,
     99         "7998185649085699985067170036073312083199999558942120746049018587653186051852759776790516809918289134512387896640"
    100         "3548022646956365158864209467614850251731806682037300712511185681164865174187586907707195428804234739667769742078"
    101         "793162639867922056194688917569369338005327309973680573581158754297630654105882382426",
    102         0x134ui64);
    103       sub_180001530(&v63, &Memory);
    104       v15 = sub_18000A9D0(&Memory);
    105       sub_180001530(&v71, v15);
    106       LOBYTE(Memory) = v75;
    107       sub_180006C40(&v47, &v76);
    108       LOBYTE(Dst) = v71;
    109       sub_180006C40(&v60, &v72);
    110       LOBYTE(v51) = v63;
    111       sub_180006C40(&v52, &v64);
    112       sub_180006250(&v67, &v51, &Dst, &Memory);
    113       LOBYTE(v51) = v67;
    114       sub_180006C40(&v52, &v68);
    115       sub_18000AAB0(
    116         (unsigned __int64)&v56,
    117         (unsigned __int64)&v51,
    118         v16,
    119         v17,
    120         (_DWORD)Memory,
    121         (_DWORD)v47,
    122         v48,
    123         DWORD2(v48),
    124         v49,
    125         v50,
    126         v51,
    127         v52,
    128         v53,
    129         v54,
    130         v55,
    131         (_DWORD)v56,
    132         Buf1[0],
    133         Buf1[1],
    134         v58,
    135         (_DWORD)Dst,
    136         (_DWORD)v60,
    137         v61,
    138         DWORD2(v61),
    139         v62,
    140         v63,
    141         (_DWORD)v64,
    142         v65,
    143         DWORD2(v65),
    144         v66);
    145       LOBYTE(Memory) = 0;
    146       _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    147       sub_180006D10(&Memory, "flag", 4ui64);
    148       v18 = sub_180006C40(&Dst, &v56);
    149       if ( sub_18000AFA0(v18, (__int64)&Memory) )
    150       {
    151         v19 = sub_18000A7C0(std::cout, "You win! flag is ");
    152         std::basic_ostream<char,std::char_traits<char>>::operator<<(v19, sub_18000A990);
    153         v20 = (__int64 *)&v56;
    154         if ( v58 >= 0x10 )
    155           v20 = v56;
    156         v21 = sub_180007570(std::cout, v20, Buf1[1]);
    157       }
    158       else
    159       {
    160         v21 = sub_18000A7C0(std::cout, "Try again");
    161       }
    162       std::basic_ostream<char,std::char_traits<char>>::operator<<(v21, sub_18000A990);
    163       if ( v58 >= 0x10 )
    164       {
    165         v22 = v56;
    166         if ( v58 + 1 >= 0x1000 )
    167         {
    168           v22 = (__int64 *)*(v56 - 1);
    169           if ( (unsigned __int64)((char *)v56 - (char *)v22 - 8) > 0x1F )
    170             goto LABEL_50;
    171         }
    172         j_j_free(v22);
    173       }
    174       Buf1[1] = 0i64;
    175       v58 = 15i64;
    176       LOBYTE(v56) = 0;
    177       if ( v70 >= 0x10 )
    178       {
    179         v23 = v68;
    180         if ( v70 + 1 >= 0x1000 )
    181         {
    182           v23 = (_BYTE *)*((_QWORD *)v68 - 1);
    183           if ( (unsigned __int64)(v68 - v23 - 8) > 0x1F )
    184             goto LABEL_50;
    185         }
    186         j_j_free(v23);
    187       }
    188       if ( *((_QWORD *)&v74 + 1) >= 0x10ui64 )
    189       {
    190         v24 = v72;
    191         if ( (unsigned __int64)(*((_QWORD *)&v74 + 1) + 1i64) >= 0x1000 )
    192         {
    193           v24 = (_BYTE *)*((_QWORD *)v72 - 1);
    194           if ( (unsigned __int64)((_BYTE *)v72 - v24 - 8) > 0x1F )
    195             goto LABEL_50;
    196         }
    197         j_j_free(v24);
    198       }
    199       v25 = v66;
    200       LOBYTE(v72) = 0;
    201       _mm_storeu_si128((__m128i *)&v74, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    202       if ( v25 < 0x10 )
    203         goto LABEL_47;
    204       v26 = v64;
    205       if ( v25 + 1 < 0x1000
    206         || (v26 = (void *)*((_QWORD *)v64 - 1), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v26 - 8) <= 0x1F) )
    207       {
    208         j_j_free(v26);
    209 LABEL_47:
    210         v27 = v77;
    211         LOBYTE(v64) = 0;
    212         _mm_storeu_si128((__m128i *)((char *)&v65 + 8), _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    213         if ( v27 >= 0x10 )
    214         {
    215           v28 = v76;
    216           if ( v27 + 1 >= 0x1000 )
    217           {
    218             v28 = (_BYTE *)*((_QWORD *)v76 - 1);
    219             if ( (unsigned __int64)((_BYTE *)v76 - v28 - 8) > 0x1F )
    220               goto LABEL_50;
    221           }
    222           j_j_free(v28);
    223         }
    224         return 7i64;
    225       }
    226 LABEL_50:
    227       invalid_parameter_noinfo_noreturn();
    228     }
    229     if ( (unsigned int)(a1 - 101) > 0x62 )      // 传入的数字大于199则退出
    230       return 996i64;
    231     v71 = 0i64;
    232     v72 = 0i64;
    233     v73 = 0i64;
    234     *(_QWORD *)&v74 = 0i64;
    235     _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    236     LOBYTE(Dst) = 0;
    237     sub_180006D10(
    238       &Dst,
    239       "139907262641720884635250105449327463531131227516500497307311002094885245322386805049406878643982216326493527702414"
    240       "689439930090794753345844178528356178539094825247389836142928474607108262267087850211322640806135698076207986818086"
    241       "837911361480181444157057782599277473843153161174504240064610043962720953514451563",
    242       0x135ui64);
    243     sub_1800078F0(&v71, &Dst);
    244     if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 )
    245     {
    246       v29 = Dst;
    247       if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 )
    248       {
    249         v29 = (_BYTE *)*((_QWORD *)Dst - 1);
    250         if ( (unsigned __int64)((_BYTE *)Dst - v29 - 8) > 0x1F )
    251           goto LABEL_99;
    252       }
    253       j_j_free(v29);
    254     }
    255     v63 = 0i64;
    256     v64 = 0i64;
    257     v65 = 0ui64;
    258     _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    259     LOBYTE(Dst) = 0;
    260     sub_180006D10(
    261       &Dst,
    262       "122107611316850260321590575768393047216806481837919054910332579385088745494833866045797079936947058335743437609060"
    263       "618364037361749600119005166359303873659401522100249312696661209787316369738806133852177861917757996075304470648951"
    264       "037632182891401322685617735478597953000103146149534977902885706852338811895661809",
    265       0x135ui64);
    266     sub_1800078F0(&v63, &Dst);
    267     if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 )
    268     {
    269       v30 = Dst;
    270       if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 )
    271       {
    272         v30 = (_BYTE *)*((_QWORD *)Dst - 1);
    273         if ( (unsigned __int64)((_BYTE *)Dst - v30 - 8) > 0x1F )
    274           goto LABEL_99;
    275       }
    276       j_j_free(v30);
    277     }
    278     v67 = 0i64;
    279     v68 = 0i64;
    280     v69 = 0ui64;
    281     v31 = sub_18000A9D0(&Memory);
    282     sub_1800078F0(&v67, v31);
    283     if ( *((_QWORD *)&v48 + 1) >= 0x10ui64 )
    284     {
    285       v32 = Memory;
    286       if ( (unsigned __int64)(*((_QWORD *)&v48 + 1) + 1i64) >= 0x1000 )
    287       {
    288         v32 = (_BYTE *)*((_QWORD *)Memory - 1);
    289         if ( (unsigned __int64)((_BYTE *)Memory - v32 - 8) > 0x1F )
    290           invalid_parameter_noinfo_noreturn();
    291       }
    292       j_j_free(v32);
    293     }
    294     v56 = 0i64;
    295     Buf1[0] = 0i64;
    296     Buf1[1] = 0i64;
    297     v58 = 0i64;
    298     sub_180009B40(&v63, &v56, &v67, &v71);
    299     LOBYTE(Dst) = 0;
    300     _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    301     sub_180006D10(&Dst, "7777777", 7ui64);
    302     v33 = sub_1800078F0(&Memory, &Dst);
    303     v35 = 0;
    304     if ( (_BYTE)v56 == *(_BYTE *)v33 )
    305     {
    306       v34 = *(const void **)(v33 + 8);
    307       if ( !(((Buf1[1] - Buf1[0]) ^ (*(_QWORD *)(v33 + 16) - (_QWORD)v34)) & 0xFFFFFFFFFFFFFFFCui64)
    308         && !memcmp(Buf1[0], v34, Buf1[1] - Buf1[0]) )
    309       {
    310         v35 = 1;
    311       }
    312     }
    313     v36 = v47;
    314     if ( v47 )
    315     {
    316       if ( ((*((_QWORD *)&v48 + 1) - (_QWORD)v47) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
    317       {
    318         v36 = (_BYTE *)*((_QWORD *)v47 - 1);
    319         if ( (unsigned __int64)(v47 - v36 - 8) > 0x1F )
    320 LABEL_79:
    321           invalid_parameter_noinfo_noreturn();
    322       }
    323       j_j_free(v36);
    324       v47 = 0i64;
    325       _mm_storeu_si128((__m128i *)&v48, (__m128i)0i64);
    326     }
    327     if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 )
    328     {
    329       v37 = Dst;
    330       if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 )
    331       {
    332         v37 = (_BYTE *)*((_QWORD *)Dst - 1);
    333         if ( (unsigned __int64)((_BYTE *)Dst - v37 - 8) > 0x1F )
    334           goto LABEL_79;
    335       }
    336       j_j_free(v37);
    337     }
    338     if ( v35 )
    339     {
    340       v38 = sub_18000A7C0(std::cout, "EDG fight for S10");
    341       std::basic_ostream<char,std::char_traits<char>>::operator<<(v38, sub_18000A990);
    342       v39 = "You fight for the next snake";
    343     }
    344     else
    345     {
    346       v40 = sub_18000A7C0(std::cout, "EDG failed to fight for their S9");
    347       std::basic_ostream<char,std::char_traits<char>>::operator<<(v40, sub_18000A990);
    348       v39 = "But you can fight for next snake";
    349     }
    350     v41 = sub_18000A7C0(std::cout, v39);
    351     std::basic_ostream<char,std::char_traits<char>>::operator<<(v41, sub_18000A990);
    352     v42 = Buf1[0];
    353     if ( Buf1[0] )
    354     {
    355       if ( ((v58 - (unsigned __int64)Buf1[0]) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
    356       {
    357         v42 = (void *)*((_QWORD *)Buf1[0] - 1);
    358         if ( (unsigned __int64)(Buf1[0] - v42 - 8) > 0x1F )
    359           goto LABEL_99;
    360       }
    361       j_j_free(v42);
    362       v58 = 0i64;
    363       _mm_storeu_si128((__m128i *)Buf1, (__m128i)0i64);
    364     }
    365     v43 = v68;
    366     if ( v68 )
    367     {
    368       if ( ((*((_QWORD *)&v69 + 1) - (_QWORD)v68) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
    369       {
    370         v43 = (_BYTE *)*((_QWORD *)v68 - 1);
    371         if ( (unsigned __int64)(v68 - v43 - 8) > 0x1F )
    372           goto LABEL_99;
    373       }
    374       j_j_free(v43);
    375       v68 = 0i64;
    376       _mm_storeu_si128((__m128i *)&v69, (__m128i)0i64);
    377     }
    378     v44 = v64;
    379     if ( !v64 )
    380       goto LABEL_96;
    381     if ( ((*((_QWORD *)&v65 + 1) - (_QWORD)v64) & 0xFFFFFFFFFFFFFFFCui64) < 0x1000
    382       || (v44 = (void *)*((_QWORD *)v64 - 1), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v44 - 8) <= 0x1F) )
    383     {
    384       j_j_free(v44);
    385       v64 = 0i64;
    386       _mm_storeu_si128((__m128i *)&v65, (__m128i)0i64);
    387 LABEL_96:
    388       v45 = v72;
    389       if ( v72 )
    390       {
    391         if ( (((_QWORD)v74 - (_QWORD)v72) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
    392         {
    393           v45 = (_BYTE *)*((_QWORD *)v72 - 1);
    394           if ( (unsigned __int64)((_BYTE *)v72 - v45 - 8) > 0x1F )
    395             goto LABEL_99;
    396         }
    397         j_j_free(v45);
    398       }
    399       return 996i64;
    400     }
    401 LABEL_99:
    402     invalid_parameter_noinfo_noreturn();
    403   }
    404   LOBYTE(Memory) = 0;
    405   _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
    406   sub_180006D10(&Memory, "35297982045181952350813323813224883208572049226586980", 0x35ui64);
    407   sub_180001530(&Dst, &Memory);
    408   v2 = &qword_180012038;
    409   v3 = &qword_180012038;
    410   if ( *((_QWORD *)&xmmword_180012048 + 1) >= 0x10ui64 )
    411     v3 = (__int64 *)qword_180012038;
    412   if ( (_QWORD)xmmword_180012048 == 4i64 && *(_DWORD *)v3 == *(_DWORD *)"null" )
    413   {
    414     v75 = (char)Dst;
    415     sub_180006C40(&v76, &v60);
    416     v6 = sub_18000AAB0(
    417            (unsigned __int64)&Memory,
    418            (unsigned __int64)&v75,
    419            v4,
    420            v5,
    421            (_DWORD)Memory,
    422            (_DWORD)v47,
    423            v48,
    424            DWORD2(v48),
    425            v49,
    426            v50,
    427            v51,
    428            v52,
    429            v53,
    430            v54,
    431            v55,
    432            (_DWORD)v56,
    433            Buf1[0],
    434            Buf1[1],
    435            v58,
    436            (_DWORD)Dst,
    437            (_DWORD)v60,
    438            v61,
    439            DWORD2(v61),
    440            v62,
    441            v63,
    442            (_DWORD)v64,
    443            v65,
    444            DWORD2(v65),
    445            v66);
    446     v2 = (__int64 *)sub_180006A70(&qword_180012038, v6);
    447     v1 = 1;
    448   }
    449   sub_180006C40(&v56, v2);
    450   if ( v1 & 1 && *((_QWORD *)&v48 + 1) >= 0x10ui64 )
    451   {
    452     v7 = Memory;
    453     if ( (unsigned __int64)(*((_QWORD *)&v48 + 1) + 1i64) >= 0x1000 )
    454     {
    455       v7 = (_BYTE *)*((_QWORD *)Memory - 1);
    456       if ( (unsigned __int64)((_BYTE *)Memory - v7 - 8) > 0x1F )
    457         invalid_parameter_noinfo_noreturn();
    458     }
    459     j_j_free(v7);
    460   }
    461   v8 = sub_18000A7C0(std::cout, "If SKT win S9 champion");
    462   v9 = sub_18000A7C0(v8, "this is real flag");
    463   std::basic_ostream<char,std::char_traits<char>>::operator<<(v9, sub_18000A990);
    464   v10 = (__int64 *)&v56;
    465   if ( v58 >= 0x10 )
    466     v10 = v56;
    467   v11 = sub_180007570(std::cout, v10, Buf1[1]);
    468   std::basic_ostream<char,std::char_traits<char>>::operator<<(v11, sub_18000A990);
    469   if ( v58 >= 0x10 )
    470   {
    471     v12 = v56;
    472     if ( v58 + 1 >= 0x1000 )
    473     {
    474       v12 = (__int64 *)*(v56 - 1);
    475       if ( (unsigned __int64)((char *)v56 - (char *)v12 - 8) > 0x1F )
    476 LABEL_22:
    477         invalid_parameter_noinfo_noreturn();
    478     }
    479     j_j_free(v12);
    480   }
    481   Buf1[1] = 0i64;
    482   v58 = 15i64;
    483   LOBYTE(v56) = 0;
    484   if ( v62 >= 0x10 )
    485   {
    486     v13 = v60;
    487     if ( v62 + 1 >= 0x1000 )
    488     {
    489       v13 = (_BYTE *)*((_QWORD *)v60 - 1);
    490       if ( (unsigned __int64)((_BYTE *)v60 - v13 - 8) > 0x1F )
    491         goto LABEL_22;
    492     }
    493     j_j_free(v13);
    494   }
    495   return 0xFFFFFFFFi64;
    496 }
    GameObject

    判断出GameObject函数传入的参数,最大应该是199,因此直接写程序,调用DLL文件,爆破求flag

    爆破求解

    开多个进程,同时求解。

    #include <Windows.h>
    #include <iostream>
    #include <libloaderapi.h>
    
    using namespace std;
    
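    // Brute-force harness: load the game's Interface.dll, resolve the exported
    // GameObject and call it once with the candidate value given on the command
    // line. GameObject prints the flag itself on the winning input, so the
    // harness only relays argv[1]; the writeup runs one process per candidate
    // (candidates bounded at 0..199 per the analysis above).
    //
    // Exit status: 0 when the DLL was loaded and GameObject was called,
    // 1 on a usage / argument error, 2 when the DLL or the export could not
    // be resolved. A "PAUSE" is issued on every path so the console stays open.
    int main(int argc, char* argv[])
    {
        const char* funcName = "GameObject";
        int status = 0;

        if (argc < 2)
        {
            cout << "usage: " << argv[0] << " <candidate>" << endl;
            status = 1;
        }
        else
        {
            // strtol instead of atoi: a non-numeric argument is rejected rather
            // than silently becoming 0, which is itself a valid candidate.
            char* end = NULL;
            long candidate = strtol(argv[1], &end, 10);
            if (end == argv[1] || *end != '\0')
            {
                cout << "not a number: " << argv[1] << endl;
                status = 1;
            }
            else
            {
                // Backslashes are doubled so they are not read as escape
                // sequences ("\U", "\1", ...). The path is absolute on purpose:
                // a bare file name would be resolved through the LoadLibrary
                // search order instead of the known location. Note that
                // LoadLibrary runs the DLL's DllMain as part of loading.
                HMODULE hDLL = LoadLibrary(TEXT("C:\\Users\\10245\\Desktop\\Snake\\Snake_Data\\Plugins\\Interface.dll"));
                if (hDLL == NULL)
                {
                    cout << "Load Failed!" << endl;
                    status = 2;
                }
                else
                {
                    cout << "Load Success!" << endl;
                    typedef int(_cdecl *FuncPtr)(int);
                    FuncPtr func = (FuncPtr)GetProcAddress(hDLL, funcName);
                    if (func == NULL)
                    {
                        // Export name is case-sensitive; NULL here means the DLL
                        // does not export "GameObject" under that exact name.
                        cout << "GetProcAddress Failed!" << endl;
                        status = 2;
                    }
                    else
                    {
                        int result = func((int)candidate);
                        // The decompiled listing captioned GameObject appears to
                        // return 996 on its success path and -1 otherwise; echo
                        // the value so a hit is visible even if the flag text is
                        // missed -- TODO confirm against the listing.
                        cout << "GameObject(" << candidate << ") = " << result << endl;
                    }
                    // Original leaked the module handle; release it explicitly.
                    FreeLibrary(hDLL);
                }
            }
        }

        system("PAUSE");
        return status;
    }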

    get flag!

    flag{Ch4rp_W1th_R$@}

  • 原文地址:https://www.cnblogs.com/Mayfly-nymph/p/11869959.html