题目
Papa brought me a packed present! let's open it.
Download : http://pwnable.kr/bin/flag
This is reversing task. all you need is binary
题解
// positive sp value has been detected, the output may be wrong!
/*
 * Hex-Rays pseudocode of sub_44A560 as decompiled from the still-packed binary
 * (the page unpacks it with upx right after this listing).  This is decompiler
 * output, not source, and is not meant to compile: _BYTE/_DWORD/_QWORD,
 * __fastcall, LOBYTE() and __CFADD__() (carry flag of an addition) are Hex-Rays
 * helper types and macros, and the "positive sp value" warning above it means the
 * stack frame was not reconstructed reliably.
 *
 * Symptoms of that bad reconstruction are visible throughout: v5, v6, v12, v13,
 * v14, v28, v33, v35, v36, v37 and v38 are all read without ever being assigned
 * in this body, two of them (v7 via v35, and v14) are used as function pointers.
 *
 * What the shape does support: the recurring sequence
 *     vN = __CFADD__(v5, v5); v5 *= 2; if (!v5) { v5 = *(_DWORD *)a2; a2 += 4; ... }
 * doubles a 32-bit buffer and keeps the bit that falls out of the top (the carry),
 * refilling the buffer with the next dword from a2 once it is exhausted.  Single
 * bytes are copied from a2 to a1 (*a1++ = a3) and the rest is driven by those
 * bits, which is consistent with a decompression stub reading a bit stream from
 * a2 and writing output to a1.  NOTE(review): the exact algorithm is not
 * recoverable from this listing; unpacking (next step on the page) is the right
 * way to get readable code, so the comments below only annotate control flow.
 *
 * @param a1  output cursor (written through, advanced)
 * @param a2  input cursor (read through, advanced)
 * @param a3  only its low byte is used, as the literal byte copied to a1
 * @param a4  unused in this body
 * @param a5  gate: the whole loop runs only when a5 == 8
 * @return    a2 minus v36 -- v36 is never assigned here
 */
_BYTE *__fastcall sub_44A560(_BYTE *a1, _BYTE *a2, __int64 a3, __int64 a4, char a5)
{
    int v5; // ebx  -- bit buffer; first read (doubled) below before any assignment
    unsigned __int64 v6; // rbp  -- only set on the v20 path, but read unconditionally at the tail call
    __int64 (__fastcall *v7)(_BYTE *, _BYTE *, __int64); // r11
    bool v8; // cf  -- carry flag stand-in
    int v9; // ebx
    int v10; // ett
    int v11; // eax
    __int64 v12; // rdx  -- only its low byte is ever written (LOBYTE below)
    int v13; // ecx  -- never assigned
    void (*v14)(void); // r11  -- never assigned, yet called with several signatures
    unsigned int v15; // eax
    bool v16; // cf
    int v17; // ebx
    int v18; // ett
    unsigned int v19; // eax
    int v20; // eax
    bool v21; // cf
    int v22; // ebx
    int v23; // ett
    __int64 v24; // rcx
    bool v25; // cf
    int v26; // ebx
    int v27; // ett
    int v28; // ecx  -- never assigned
    bool v29; // cf
    int v30; // ebx
    int v31; // ett
    int v32; // ecx
    int v33; // ecx  -- never assigned
    _BYTE *result; // rax
    __int64 (__fastcall *v35)(_BYTE *, _BYTE *, __int64); // [rsp-30h] [rbp-30h]  -- never assigned
    __int64 v36; // [rsp-28h] [rbp-28h]  -- never assigned
    int v37; // [rsp-20h] [rbp-20h]  -- never assigned
    _DWORD *v38; // [rsp-18h] [rbp-18h]  -- never assigned

    v7 = v35; // uninitialised stack slot used as the callee in the second loop
    if ( a5 == 8 )
    {
        while ( 1 )
        {
            /* Literal run: for every set bit, copy one byte from a2 to a1. */
            while ( 1 )
            {
                LOBYTE(a3) = *a2;
                v8 = __CFADD__(v5, v5); // bit shifted out of the top of the buffer
                v5 *= 2;
                if ( !v5 )
                {
                    /* Buffer exhausted: refill from the input stream. */
                    v9 = *(_DWORD *)a2;
                    v8 = (unsigned __int64)a2 < 0xFFFFFFFFFFFFFFFCLL; // looks like the carry of the pointer add -- decompiler rendering
                    a2 += 4;
                    v10 = v8 + v9;
                    v8 = __CFADD__(v8, v9) | __CFADD__(v9, v10);
                    v5 = v9 + v10;
                    LOBYTE(a3) = *a2;
                }
                if ( !v8 )
                    break;
                ++a2;
                *a1++ = a3;
            }
            /* Second loop: calls the unassigned v7/v14 pointers until a set bit. */
            while ( 1 )
            {
                v11 = v7(a1, a2, a3);
                v15 = v11 + v8 + v11;
                v16 = __CFADD__(v5, v5);
                v5 *= 2;
                if ( !v5 )
                {
                    v17 = *(_DWORD *)a2;
                    v8 = (unsigned __int64)a2 < 0xFFFFFFFFFFFFFFFCLL;
                    a2 += 4;
                    v18 = v8 + v17;
                    v16 = __CFADD__(v8, v17) | __CFADD__(v17, v18);
                    v5 = v17 + v18;
                    LOBYTE(v12) = *a2;
                }
                if ( v16 )
                    break;
                v14();
            }
            v8 = v15 < 3;
            v19 = v15 - 3;
            if ( v8 )
            {
                /* v15 < 3: read one more bit; a set bit jumps into the v14 call. */
                v21 = __CFADD__(v5, v5);
                v5 *= 2;
                if ( !v5 )
                {
                    v22 = *(_DWORD *)a2;
                    v8 = (unsigned __int64)a2 < 0xFFFFFFFFFFFFFFFCLL;
                    a2 += 4;
                    v23 = v8 + v22;
                    v21 = __CFADD__(v8, v22) | __CFADD__(v22, v23);
                    v5 = v22 + v23;
                }
                if ( v21 )
                    goto LABEL_26;
            }
            else
            {
                /* v15 >= 3: combine the next input byte with (v15 - 3) << 8;
                 * an all-ones result is the only exit from the outer loop. */
                v12 = (unsigned __int8)v12;
                ++a2;
                v20 = ~((unsigned __int8)v12 | (v19 << 8));
                if ( !v20 )
                    break;
                v6 = v20 >> 1;
                if ( v20 & 1 )
                {
LABEL_26:
                    ((void (__fastcall *)(_BYTE *, _BYTE *))v14)(a1, a2);
                    v32 = v33 + v8 + v33; // v33 is never assigned
                    goto LABEL_27;
                }
            }
            v24 = (unsigned int)(v13 + 1); // v13 is never assigned
            v25 = __CFADD__(v5, v5);
            v5 *= 2;
            if ( !v5 )
            {
                v26 = *(_DWORD *)a2;
                v8 = (unsigned __int64)a2 < 0xFFFFFFFFFFFFFFFCLL;
                a2 += 4;
                v27 = v8 + v26;
                v25 = __CFADD__(v8, v26) | __CFADD__(v26, v27);
                v5 = v26 + v27;
            }
            if ( v25 )
                goto LABEL_26;
            /* Repeat the v14 call once per clear bit; stop on the first set bit. */
            do
            {
                ((void (__fastcall *)(_BYTE *, _BYTE *, __int64, __int64))v14)(a1, a2, v12, v24);
                v24 = v28 + (unsigned int)v8 + v28; // v28 is never assigned
                v29 = __CFADD__(v5, v5);
                v5 *= 2;
                if ( !v5 )
                {
                    v30 = *(_DWORD *)a2;
                    v8 = (unsigned __int64)a2 < 0xFFFFFFFFFFFFFFFCLL;
                    a2 += 4;
                    v31 = v8 + v30;
                    v29 = __CFADD__(v8, v30) | __CFADD__(v30, v31);
                    v5 = v30 + v31;
                }
            }
            while ( !v29 );
            v32 = v24 + 2;
LABEL_27:
            /* Hand off to the neighbouring routine with a derived count;
             * v6 is uninitialised here whenever the v8 branch above was taken. */
            ((void (__fastcall *)(_BYTE *, _BYTE *, __int64, _QWORD))sub_44A522)(
                a1,
                a2,
                v12,
                (unsigned int)(v6 < 0xFFFFFFFFFFFFFB00LL) + v32 + 2);
        }
    }
    /* Epilogue: both the return value and the store go through stack slots
     * (v36, v37, v38) that this body never writes -- another frame artefact. */
    result = &a2[-v36];
    *v38 = (_DWORD)a1 - v37;
    return result;
}
可读性很差，基本可以确定是加壳了，先用 upx 脱壳
# Unpack the UPX-packed binary in place (-d and --decompress are the same option)
# so the real program code can be decompiled instead of the packer stub above.
upx --decompress flag
脱壳后再逆向
/*
 * Hex-Rays pseudocode of main from the *unpacked* binary (after upx -d).
 * The three-argument puts() is a decompiler artefact: puts() takes one
 * argument, and argv/envp are simply what was still sitting in the argument
 * registers.  `flag` is a global of the binary that is not shown in this
 * listing; the page's conclusion below is that it is stored unencrypted as a
 * fixed value.
 *
 * Reviewer notes on the code itself: the malloc() result is used unchecked and
 * never freed, and strcpy() copies up to the terminator with no bound against
 * the 100-byte allocation -- fine only if `flag` is known to fit (its length
 * is not visible here).
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char *dest; // [rsp+8h] [rbp-8h]

    puts("I will malloc() and strcpy the flag there. take it.", argv, envp);
    dest = (char *)malloc(100LL);  // unchecked; leaked at return
    strcpy(dest, flag);            // unbounded copy of the global into the heap buffer
    return 0;
}
flag没有加密, 固定值