先用 deflat 去一下控制流平坦化
~/Desktop/re/file took 3s │ tools Py │ at 00:43:37
❯ python ../tools/deflat-master/flat_control_flow/deflat.py ./attachment 0x400620
*******************relevant blocks************************
prologue: 0x400620
main_dispatcher: 0x40063f
pre_dispatcher: 0x4020cc
retn: 0x401f54
relevant_blocks: ['0x4015d4', '0x40201b', '0x401e00', '0x401f2d', '0x401481', '0x401c69', '0x401efa', '0x401830', '0x401642', '0x401f97', '0x40180b', '0x401eb9', '0x401748', '0x4013ef', '0x4012f6', '0x401fb5', '0x402033', '0x40197d', '0x40136c', '0x401a73', '0x401d9a', '0x40204d', '0x402096', '0x4015c5', '0x401567', '0x401909', '0x401f09', '0x401c2b', '0x4014ae', '0x40199b', '0x401435', '0x401fa6', '0x401861', '0x401b34', '0x401b5d', '0x401f3c', '0x401521', '0x401caf', '0x4013cf', '0x4014f7', '0x401f60', '0x401960', '0x4016a0', '0x4018a7', '0x4011de', '0x401739', '0x4020c2', '0x401506', '0x4019e1', '0x4014d2', '0x401d2d', '0x401849', '0x4017fc', '0x4017ab', '0x401b25', '0x402072', '0x401d03', '0x401ad3', '0x4015fc', '0x401926', '0x401b75', '0x401326', '0x4016e6', '0x401e0f', '0x40200c', '0x401e73', '0x4015b6', '0x401a3d', '0x401ff4', '0x401305', '0x401fe5', '0x401d54', '0x401198', '0x4013b2', '0x401c1c', '0x40124f', '0x401c46', '0x401490', '0x401a8d', '0x401b4e', '0x401d45', '0x401765', '0x401bbb', '0x4018fa', '0x401691', '0x401c0d', '0x4015ed', '0x401a4c', '0x401d12', '0x40125e', '0x401fcd', '0x4012a4', '0x401940', '0x401121', '0x4014e8', '0x401e2d', '0x401ed6', '0x4020b3', '0x401117']
*******************symbolic execution*********************
-------------------dse 0x4015d4---------------------
WARNING | 2024-11-20 00:45:00,434 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing register with an unspecified value. This could indicate unwanted behavior.
WARNING | 2024-11-20 00:45:00,434 | angr.storage.memory_mixins.default_filler_mixin | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this
.........
************************flow******************************
0x4015d4: ['0x4015ed']
0x40201b: ['0x4018a7']
0x401e00: ['0x401e0f']
0x401f2d: ['0x401f3c']
0x401481: ['0x401490']
0x401c69: ['0x401caf', '0x402096']
0x401efa: ['0x401f3c']
0x401830: ['0x401849']
0x401642: ['0x401691', '0x401fe5']
0x401f97: ['0x4012a4']
0x40180b: ['0x401830']
0x401eb9: ['0x401f09', '0x401ed6']
0x401748: ['0x401765', '0x401d54']
0x4013ef: ['0x401435', '0x401fb5']
0x4012f6: ['0x401305']
0x401fb5: ['0x401435']
0x402033: ['0x4019e1']
0x40197d: ['0x40199b']
0x40136c: ['0x4013b2', '0x401fa6']
0x401a73: ['0x401a8d']
0x401d9a: ['0x401e00', '0x4020b3']
0x40204d: ['0x401ad3']
0x402096: ['0x401caf']
0x4015c5: ['0x40125e']
0x401567: ['0x4015b6', '0x401fcd']
0x401909: ['0x401926', '0x401c2b']
0x401f09: ['0x401f2d']
0x401c2b: ['0x401c46']
0x4014ae: ['0x4014d2']
0x40199b: ['0x4019e1', '0x402033']
0x401435: ['0x401481', '0x401fb5']
0x401fa6: ['0x40136c']
0x401861: ['0x4018a7', '0x40201b']
0x401b34: ['0x401b4e']
0x401b5d: ['0x401b75']
0x401f3c: ['0x401f54']
0x401521: ['0x401567', '0x401fcd']
0x401caf: ['0x401d03', '0x402096']
0x4013cf: ['0x4013ef']
0x4014f7: ['0x401506']
0x401f60: ['0x4011de']
0x401960: ['0x40197d', '0x401a73']
0x4016a0: ['0x4016e6', '0x401ff4']
0x4018a7: ['0x4018fa', '0x40201b']
0x4011de: ['0x40124f', '0x401f60']
0x401739: ['0x401748']
0x4020c2: ['0x401e73']
0x401506: ['0x401521']
0x4019e1: ['0x401a3d', '0x402033']
0x4014d2: ['0x4014e8']
0x401d2d: ['0x401d45']
0x401849: ['0x401861']
0x4017fc: ['0x40180b']
0x4017ab: ['0x4017fc', '0x40200c']
0x401b25: ['0x401b34']
0x402072: ['0x401bbb']
0x401d03: ['0x401d12']
0x401ad3: ['0x401b25', '0x40204d']
0x4015fc: ['0x401642', '0x401fe5']
0x401926: ['0x401940']
0x401b75: ['0x401bbb', '0x402072']
0x401326: ['0x40136c', '0x401fa6']
0x4016e6: ['0x401739', '0x401ff4']
0x401e0f: ['0x401e2d']
0x40200c: ['0x4017ab']
0x401e73: ['0x401eb9', '0x4020c2']
0x4015b6: ['0x4015c5']
0x401a3d: ['0x401a4c']
0x401ff4: ['0x4016e6']
0x401305: ['0x401326']
0x401fe5: ['0x401642']
0x401d54: ['0x401d9a', '0x4020b3']
0x401198: ['0x4011de', '0x401f60']
0x4013b2: ['0x4013cf', '0x4015d4']
0x401c1c: ['0x401849']
0x40124f: ['0x40125e']
0x401c46: ['0x401c69']
0x401490: ['0x4014ae', '0x4014f7']
0x401a8d: ['0x401ad3', '0x40204d']
0x401b4e: ['0x401b5d']
0x401d45: ['0x4015fc']
0x401765: ['0x4017ab', '0x40200c']
0x401bbb: ['0x401c0d', '0x402072']
0x4018fa: ['0x401909']
0x401691: ['0x4016a0']
0x401c0d: ['0x401c1c']
0x4015ed: ['0x4015fc']
0x401a4c: ['0x401b4e']
0x401d12: ['0x401d2d']
0x40125e: ['0x4012a4', '0x401f97']
0x401fcd: ['0x401567']
0x4012a4: ['0x4012f6', '0x401f97']
0x401940: ['0x401960']
0x401121: ['0x401198']
0x4014e8: ['0x4015d4']
0x401e2d: ['0x401e73', '0x4020c2']
0x401ed6: ['0x401efa']
0x4020b3: ['0x401d9a']
0x401117: ['0x4015d4']
0x400620: ['0x401121']
0x401f54: []
************************patch*****************************
Successful! The recovered file: ./attachment_recovered
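/*
 * Hex-Rays pseudocode of main(), presumably taken from ./attachment_recovered,
 * i.e. after deflat.py removed the control-flow flattening.
 *
 * Line structure restored: in the collapsed listing every trailing "//"
 * stack-slot comment swallowed the declarations after it, and "do"/"else"
 * were fused with the next identifier ("dov12", "elseputs").
 *
 * Still obfuscated at this stage: every condition of the form
 *     dword_603058 >= 10 && ((((_BYTE)x - 1) * (_BYTE)x) & 1) != 0
 * is an opaque predicate. (x - 1) * x is a product of two consecutive
 * integers, so it is always even and "& 1" always yields 0. The second
 * conjunct is therefore never true, whatever the two globals hold, so each
 * "do ... while" runs exactly once and each "goto LABEL_xx" is dead.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  signed __int64 v4; // [rsp+1E0h] [rbp-110h]
  int i; // [rsp+1E8h] [rbp-108h]
  int v6; // [rsp+1ECh] [rbp-104h]
  int v7; // [rsp+1ECh] [rbp-104h]
  char s1[48]; // [rsp+1F0h] [rbp-100h] BYREF
  char s[60]; // [rsp+220h] [rbp-D0h] BYREF
  unsigned int v10; // [rsp+25Ch] [rbp-94h]
  char *v11; // [rsp+260h] [rbp-90h]
  int v12; // [rsp+26Ch] [rbp-84h]
  bool v13; // [rsp+272h] [rbp-7Eh]
  unsigned __int8 v14; // [rsp+273h] [rbp-7Dh]
  int v15; // [rsp+274h] [rbp-7Ch]
  char *v16; // [rsp+278h] [rbp-78h]
  int v17; // [rsp+284h] [rbp-6Ch]
  int v18; // [rsp+288h] [rbp-68h]
  bool v19; // [rsp+28Fh] [rbp-61h]
  char *v20; // [rsp+290h] [rbp-60h]
  int v21; // [rsp+298h] [rbp-58h]
  bool v22; // [rsp+29Fh] [rbp-51h]
  __int64 v23; // [rsp+2A0h] [rbp-50h]
  bool v24; // [rsp+2AFh] [rbp-41h]
  __int64 v25; // [rsp+2B0h] [rbp-40h]
  __int64 v26; // [rsp+2B8h] [rbp-38h]
  __int64 v27; // [rsp+2C0h] [rbp-30h]
  __int64 v28; // [rsp+2C8h] [rbp-28h]
  int v29; // [rsp+2D0h] [rbp-20h]
  int v30; // [rsp+2D4h] [rbp-1Ch]
  char *v31; // [rsp+2D8h] [rbp-18h]
  int v32; // [rsp+2E0h] [rbp-10h]
  int v33; // [rsp+2E4h] [rbp-Ch]
  bool v34; // [rsp+2EBh] [rbp-5h]

  v10 = 0;
  // Only the first 0x30 (48) bytes of s are cleared; IDA guessed s as char[60].
  memset(s, 0, 0x30uLL);
  memset(s1, 0, sizeof(s1));
  printf("Input:");
  v11 = s;
  // Opaque predicate (always false): LABEL_43 is a bogus clone of the scanf call.
  if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
    goto LABEL_43;
  while ( 1 )
  {
    // "%s" has no field width: input longer than the buffer overruns the stack
    // frame. The checker only ever consumes the first 48 bytes.
    __isoc99_scanf("%s", v11);
    v6 = 0;
    // Negation of the opaque predicate (always true), so the loop body runs once.
    if ( dword_603058 < 10 || ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) == 0 )
      break;
LABEL_43:
    __isoc99_scanf("%s", v11);
  }
  // Newline stripping: scan up to 64 bytes for '\n' (10) and replace it with NUL.
  // NOTE(review): 64 exceeds the guessed 60-byte size of s, and "%s" stops at
  // whitespace, so a newline is not expected in s - confirm against the binary.
  while ( 1 )
  {
    do
      v12 = v6;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    v13 = v12 < 64;
    // Empty-bodied loop on the opaque predicate: never spins.
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
      ;
    if ( !v13 )
      break;
    v14 = s[v6];
    do
      v15 = v14;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    if ( v15 == 10 )
    {
      v16 = &s[v6];
      *v16 = 0;
      break;
    }
    v17 = v6 + 1;
    do
      v6 = v17;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
  }
  // Core check: six 8-byte groups of the input, each transformed independently.
  for ( i = 0; ; ++i )
  {
    do
      v18 = i;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    do
      v19 = v18 < 6;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    if ( !v19 )
      break;
    do
      v20 = s;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    // Load group i as one signed 64-bit value.
    v4 = *(_QWORD *)&v20[8 * i];
    v7 = 0;
    // 64 rounds: double the value; if it was negative (top bit set) also XOR
    // the constant. The constant is odd, so bit 0 of the result records which
    // branch ran - that is what makes each round invertible.
    while ( 1 )
    {
      v21 = v7;
      do
        v22 = v21 < 64;
      while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
      if ( !v22 )
        break;
      v23 = v4;
      v24 = v4 < 0;
      if ( v4 >= 0 )
      {
        v27 = v4;
        do
          v28 = 2 * v27;
        while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
        v4 = v28;
      }
      else
      {
        v25 = 2 * v4;
        do
          v26 = v25;
        while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
        v4 = v26 ^ 0xB0004B7679FA26B3LL;
      }
      v29 = v7;
      do
        v7 = v29 + 1;
      while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    }
    v30 = 8 * i;
    v31 = &s1[8 * i];
    // The guarded store under LABEL_55 is a bogus clone; only the unguarded
    // store below it actually executes.
    if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
LABEL_55:
      *(_QWORD *)v31 = v4;
    *(_QWORD *)v31 = v4;
    if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
      goto LABEL_55;
    v32 = i + 1;
  }
  // Compare the 48 transformed bytes with the constant table at unk_402170.
  do
    v33 = memcmp(s1, &unk_402170, 0x30uLL);
  while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
  v34 = v33 != 0;
  while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
    ;
  if ( v34 )
    puts("Wrong!");
  else
    puts("Correct!");
  return v10;
}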
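使用 IDA 新的插件 gooMBA
(PS:一开始不知道为啥能化简——这玩意不是化简公式的吗,怎么能化简这个?硬推了半天,右键偶然点到才发现的,先搁置。补充一下原因:这些条件里的 ((x - 1) * x) & 1 是不透明谓词,相邻两个整数的乘积恒为偶数,所以它恒等于 0,整个条件其实是常量;从下面的日志看,gooMBA 把这个 or 表达式当作 MBA 表达式,测试出候选结果是常量 1("Testing candidate mov #1.1")并替换,反编译器随后就把永远走不到的分支删掉了。)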
IDA is analysing the input file...
You may start to explore the input file right now.
[Patching] Loaded v0.1.2 - (c) Markus Gaasedelen - 2022
Propagating type information...
Function argument information has been propagated
The initial autoanalysis has been finished.
400520: using guessed type __int64 __isoc99_scanf(const char *, ...);
603054: using guessed type int dword_603054;
603058: using guessed type int dword_603058;
400620: using guessed type char s[60];
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{5}-#1.1){4}*$dword_603054.1{5}) & #1.1)) == #0.4)), #0.1, @43
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{5}-#1.1){4}*$dword_603054.1{5}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9703 us
Found MBA instruction jz (($dword_603058.4{8} <s #0xA.4){9} | (xdu.4(((($dword_603054.1{7}-#1.1){6}*$dword_603054.1{7}){13} & #1.1){12}){11} == #0.4){10}), #0.1, @43
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4{8} <s #0xA.4){9}, (xdu.4(((($dword_603054.1{7}-#1.1){6}*$dword_603054.1{7}){13} & #1.1){12}){11} == #0.4){10}, .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9288 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{16}-#1.1)*$dword_603054.1{16}) & #1.1)) == #0.4)), #0.1, @44
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{16}-#1.1)*$dword_603054.1{16}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9218 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{18}-#1.1)*$dword_603054.1{18}) & #1.1)) == #0.4)), #0.1, @45
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{18}-#1.1)*$dword_603054.1{18}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9415 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{20}-#1.1)*$dword_603054.1{20}) & #1.1)) == #0.4)), #0.1, @46
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{20}-#1.1)*$dword_603054.1{20}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9190 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{23}-#1.1)*$dword_603054.1{23}) & #1.1)) == #0.4)), #0.1, @47
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{23}-#1.1)*$dword_603054.1{23}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9031 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{26}-#1.1)*$dword_603054.1{26}) & #1.1)) == #0.4)), #0.1, @48
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{26}-#1.1)*$dword_603054.1{26}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9160 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{28}-#1.1)*$dword_603054.1{28}) & #1.1)) == #0.4)), #0.1, @49
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{28}-#1.1)*$dword_603054.1{28}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9081 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{30}-#1.1)*$dword_603054.1{30}) & #1.1)) == #0.4)), #0.1, @50
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{30}-#1.1)*$dword_603054.1{30}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9567 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{33}-#1.1)*$dword_603054.1{33}) & #1.1)) == #0.4)), #0.1, @51
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{33}-#1.1)*$dword_603054.1{33}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9143 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{37}-#1.1)*$dword_603054.1{37}) & #1.1)) == #0.4)), #0.1, @52
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{37}-#1.1)*$dword_603054.1{37}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9224 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{40}-#1.1)*$dword_603054.1{40}) & #1.1)) == #0.4)), #0.1, @53
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{40}-#1.1)*$dword_603054.1{40}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 8971 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{44}-#1.1)*$dword_603054.1{44}) & #1.1)) == #0.4)), #0.1, @54
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{44}-#1.1)*$dword_603054.1{44}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 8999 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{45}-#1.1)*$dword_603054.1{45}) & #1.1)) == #0.4)), #0.1, @55
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{45}-#1.1)*$dword_603054.1{45}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9083 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{47}-#1.1)*$dword_603054.1{47}) & #1.1)) == #0.4)), #0.1, @55
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{47}-#1.1)*$dword_603054.1{47}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9436 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{51}-#1.1)*$dword_603054.1{51}) & #1.1)) == #0.4)), #0.1, @56
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{51}-#1.1)*$dword_603054.1{51}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 9536 us
Found MBA instruction jz (($dword_603058.4 <s #0xA.4) | (xdu.4(((($dword_603054.1{52}-#1.1)*$dword_603054.1{52}) & #1.1)) == #0.4)), #0.1, @57
Unhandled opcode in emulator 44
err: Unhandled opcode
Found MBA instruction or ($dword_603058.4 <s #0xA.4), (xdu.4(((($dword_603054.1{52}-#1.1)*$dword_603054.1{52}) & #1.1)) == #0.4), .1
Testing candidate mov #1.1, .1
Instruction is probably equivalent to candidate
SMT check result: 0
Time taken: 8979 us
Completed mba optimization pass, improved 17 expressions
400520: using guessed type __int64 __isoc99_scanf(const char *, ...);
603054: using guessed type int dword_603054;
603058: using guessed type int dword_603058;
400620: using guessed type char s[60];
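/*
 * Hex-Rays pseudocode of the same main() after the gooMBA pass replaced the
 * opaque predicates with constants, so the dead branches and the one-shot
 * "do ... while" wrappers are gone.
 *
 * Line structure restored: in the collapsed listing every trailing "//"
 * stack-slot comment swallowed the declarations after it, and "else" was
 * fused with the next identifier ("elseputs").
 *
 * Logic: read a string, take its first 48 bytes as six signed 64-bit values,
 * run 64 shift/XOR rounds on each, and memcmp() the result with the 0x30-byte
 * table at unk_402170. Most vNN temporaries are leftover copies from the
 * obfuscation and are never read again in this listing.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  signed __int64 v4; // [rsp+1E0h] [rbp-110h]
  int j; // [rsp+1E8h] [rbp-108h]
  int i; // [rsp+1ECh] [rbp-104h]
  int k; // [rsp+1ECh] [rbp-104h]
  char s1[48]; // [rsp+1F0h] [rbp-100h] BYREF
  char s[60]; // [rsp+220h] [rbp-D0h] BYREF
  unsigned int v10; // [rsp+25Ch] [rbp-94h]
  char *v11; // [rsp+260h] [rbp-90h]
  int v12; // [rsp+26Ch] [rbp-84h]
  bool v13; // [rsp+272h] [rbp-7Eh]
  unsigned __int8 v14; // [rsp+273h] [rbp-7Dh]
  int v15; // [rsp+274h] [rbp-7Ch]
  char *v16; // [rsp+278h] [rbp-78h]
  int v17; // [rsp+284h] [rbp-6Ch]
  int v18; // [rsp+288h] [rbp-68h]
  bool v19; // [rsp+28Fh] [rbp-61h]
  char *v20; // [rsp+290h] [rbp-60h]
  int v21; // [rsp+298h] [rbp-58h]
  bool v22; // [rsp+29Fh] [rbp-51h]
  __int64 v23; // [rsp+2A0h] [rbp-50h]
  bool v24; // [rsp+2AFh] [rbp-41h]
  __int64 v25; // [rsp+2B0h] [rbp-40h]
  __int64 v26; // [rsp+2B8h] [rbp-38h]
  __int64 v27; // [rsp+2C0h] [rbp-30h]
  __int64 v28; // [rsp+2C8h] [rbp-28h]
  int v29; // [rsp+2D0h] [rbp-20h]
  int v30; // [rsp+2D4h] [rbp-1Ch]
  char *v31; // [rsp+2D8h] [rbp-18h]
  int v32; // [rsp+2E0h] [rbp-10h]
  int v33; // [rsp+2E4h] [rbp-Ch]
  bool v34; // [rsp+2EBh] [rbp-5h]

  v10 = 0;
  // Only the first 0x30 (48) bytes of s are cleared; IDA guessed s as char[60].
  memset(s, 0, 0x30uLL);
  memset(s1, 0, sizeof(s1));
  printf("Input:");
  v11 = s;
  // "%s" has no field width: input longer than the buffer overruns the stack
  // frame. The checker only ever consumes the first 48 bytes.
  __isoc99_scanf("%s", s);
  // Newline stripping: scan up to 64 bytes for '\n' (10) and replace it with NUL.
  // NOTE(review): 64 exceeds the guessed 60-byte size of s, and "%s" stops at
  // whitespace, so a newline is not expected in s - confirm against the binary.
  for ( i = 0; ; ++i )
  {
    v12 = i;
    v13 = i < 64;
    if ( i >= 64 )
      break;
    v14 = s[i];
    v15 = v14;
    if ( v14 == 10 )
    {
      v16 = &s[i];
      *v16 = 0;
      break;
    }
    v17 = i + 1;
  }
  // Core check: six 8-byte groups of the input, each transformed independently.
  for ( j = 0; ; ++j )
  {
    v18 = j;
    v19 = j < 6;
    if ( j >= 6 )
      break;
    v20 = s;
    // Load group j as one signed 64-bit value.
    v4 = *(_QWORD *)&s[8 * j];
    // 64 rounds: double the value; if it was negative (top bit set) also XOR
    // the constant. The constant is odd, so bit 0 of the result records which
    // branch ran - that is what makes each round invertible.
    for ( k = 0; ; ++k )
    {
      v21 = k;
      v22 = k < 64;
      if ( k >= 64 )
        break;
      v23 = v4;
      v24 = v4 < 0;
      if ( v4 >= 0 )
      {
        v27 = v4;
        v28 = 2 * v4;
        v4 *= 2LL;
      }
      else
      {
        v25 = 2 * v4;
        v26 = 2 * v4;
        v4 = (2 * v4) ^ 0xB0004B7679FA26B3LL;
      }
      v29 = k;
    }
    v30 = 8 * j;
    v31 = &s1[8 * j];
    *(_QWORD *)v31 = v4;
    v32 = j + 1;
  }
  // Compare the 48 transformed bytes with the constant table at unk_402170.
  v33 = memcmp(s1, &unk_402170, 0x30uLL);
  v34 = v33 != 0;
  if ( v33 )
    puts("Wrong!");
  else
    puts("Correct!");
  return v10;
}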
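/*
 * Offline solver: recover the input accepted by the checker in the
 * decompiled main().
 *
 * The checker treats each 8-byte group of the input as a signed 64-bit value
 * and applies 64 rounds of
 *     v >= 0 :  v = 2 * v
 *     v <  0 :  v = (2 * v) ^ 0xB0004B7679FA26B3
 * before comparing against a constant table. Each round is reversible, so
 * this program runs the rounds backwards on the table values.
 *
 * Line structure restored: in the collapsed one-line form the first "//"
 * comment swallowed the rest of the program, so it could not compile.
 *
 * Returns 0 after printing the recovered string.
 */
int main(void)
{
    /* XOR constant from the checker. Its lowest bit is 1, which is what lets
     * the inverse tell the two forward branches apart:
     * bin(0xB0004B7679FA26B3) =
     * 0b1011000000000000010010110111011001111001111110100010011010110011 */
    const uint64_t poly = 0xB0004B7679FA26B3ULL;

    /* Target values. Presumably the 0x30 bytes the checker passes to memcmp(),
     * read as six little-endian qwords - the dump itself is not shown. */
    uint64_t secret[] = {
        0xBC8FF26D43536296ULL, 0x520100780530EE16ULL, 0x4DC0B5EA935F08ECULL,
        0x342B90AFD853F450ULL, 0x8B250EBCAA2C3681ULL, 0x55759F81A2C68AE4ULL
    };
    size_t secret_len = sizeof(secret) / sizeof(secret[0]);

    /* 6 qwords * 8 bytes = 48 characters, plus the terminating '\0'.
     * Sized from the table so the write loop below cannot overrun it. */
    char flag[sizeof(secret) + 1];
    char *flag_ptr = flag; /* write cursor into flag */

    for (size_t i = 0; i < secret_len; i++) {
        uint64_t s = secret[i];

        /* Undo the 64 rounds, last round first. */
        for (int j = 0; j < 64; j++) {
            /* The forward "2 * v" always leaves bit 0 clear, and the XOR with
             * the odd constant sets it. So bit 0 == 1 means the value was
             * negative before that round and the XOR branch was taken. */
            int sign = (int)(s & 1);
            if (sign == 1) {
                s ^= poly;
            }
            s >>= 1; /* undo the doubling */
            /* Put back the sign bit that the doubling shifted out. */
            if (sign == 1) {
                s |= 0x8000000000000000ULL;
            }
        }

        /* Emit the qword least-significant byte first: the checker loaded it
         * from the input buffer with a little-endian 64-bit read, so this
         * restores the original byte order of the input. */
        for (int j = 0; j < 8; j++) {
            *flag_ptr++ = (char)(s & 0xFF);
            s >>= 8;
        }
    }
    *flag_ptr = '\0'; /* terminate the string */

    printf("Flag: %s\n", flag);
    return 0;
}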