这是第三周和第四周的逆向题
好像没有师傅写wp
恰巧第一次碰到 webassembly，想记录一下。
第三周
0x00 easy_math
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Decompiler pseudo-C of the challenge binary's main() as pasted on the forum. It is not
// compilable as shown: several operator names (e.g. `std::ostream::operator<>)`) and the
// operands of some stream calls were mangled by the paste. Flow as visible here:
//   gate 1: dice guess must equal rolling_dice()   -> else exit(0)
//   gate 2: flag string must be exactly 32 chars   -> else exit(0)
//   math_part(&flags) decides which final message is printed; main returns 0 either way.
__int64 v3; // rax
__int64 v4; // rdx  -- never assigned before use below: decompiler register residue, not real data
unsigned int v5; // ebx
__int64 v6; // rdx
__int64 v7; // rax
__int64 v8; // rax
__int64 v9; // rdx
__int64 v10; // rax
__int64 v11; // rax
__int64 v12; // rdx
__int64 v13; // rax
__int64 v14; // rdx
__int64 v15; // rax
__int64 v16; // rax
__int64 v17; // rdx
__int64 v18; // rax
unsigned int input; // [rsp-48h] [rbp-48h]  -- the player's dice guess, read from std::cin
unsigned int v21; // [rsp-44h] [rbp-44h]  -- value returned by rolling_dice() (the expected guess)
__int64 flags; // [rsp-40h] [rbp-40h]  -- std::string that receives the submitted flag
unsigned __int64 v23; // [rsp-18h] [rbp-18h]  -- stack-protector canary copy, not challenge logic
// Canary load (fs:0x28 is where x86-64 glibc keeps the stack guard); ignore for the writeup.
v23 = __readfsqword(0x28u);
// ---- gate 1: dice guess --------------------------------------------------------------
v3 = std::operator<<<:char_traits>>(
(__int64)&std::cout,
(__int64)"to continue, you have to guess the value of my dice first!",
(__int64)envp);
std::ostream::operator<>);
// Expected value; how rolling_dice() produces it is not visible in this listing.
v21 = rolling_dice();
std::operator<<<:char_traits>>(
(__int64)&std::cout,
(__int64)"now the dice have been rolled, guess what it is: ",
v4);
// Player's guess, parsed as an unsigned int.
std::istream::operator>>(&std::cin, &input);
v5 = input;
// The strings "expected: " / ", guess: " suggest the program echoes both v21 and the guess
// before comparing them; the two ostream calls that print the numbers lost their operands in
// the paste, so this is inferred from the surrounding literals rather than read off the code.
v7 = std::operator<<<:char_traits>>((__int64)&std::cout, (__int64)"expected: ", v6);
v8 = std::ostream::operator<
v10 = std::operator<<<:char_traits>>(v8, (__int64)", guess: ", v9);
v11 = std::ostream::operator<
std::ostream::operator<>);
if ( input != v21 )
{
// Wrong guess: message, then exit(0). The flag is never read on this path, which is why
// this gate is irrelevant to recovering the flag.
v13 = std::operator<<<:char_traits>>((__int64)&std::cout, (__int64)"you are bad at guessing dice", v12);
std::ostream::operator<>);
exit(0);
}
// ---- gate 2: flag length ------------------------------------------------------------
std::operator<<<:char_traits>>(
(__int64)&std::cout,
(__int64)"wow, you are good at dice-guessing, now give me your flag: ",
v12);
std::__cxx11::basic_string,std::allocator>::basic_string(&flags);
// std::string extraction with operator>> (stops at whitespace), so the flag is a single token.
std::operator>>,std::allocator>(&std::cin, &flags);
// Hard length requirement: exactly 32 bytes, matching the message printed on failure.
if ( std::__cxx11::basic_string,std::allocator>::length(&flags) != 32 )
{
v15 = std::operator<<<:char_traits>>((__int64)&std::cout, (__int64)"assert len(flag) == 32", v14);
std::ostream::operator<>);
exit(0);
}
// ---- the real check -----------------------------------------------------------------
v16 = std::operator<<<:char_traits>>((__int64)&std::cout, (__int64)"now the math part...", v14);
std::ostream::operator<>);
// math_part() receives the std::string by address and its result is tested as a single byte
// (bool-like); only the low 8 bits matter. Which message is printed is the only observable
// outcome -- there is no separate success return code.
if ( (unsigned __int8)math_part((__int64)&flags) )
v18 = std::operator<<<:char_traits>>(
(__int64)&std::cout,
(__int64)"wow, you are good at doing math too, you deserve to have the flag, just submit it!",
v17);
else
v18 = std::operator<<<:char_traits>>((__int64)&std::cout, (__int64)"you are bad at doing math", v17);
std::ostream::operator<>);
std::__cxx11::basic_string,std::allocator>::~basic_string(&flags);
// Returns 0 on both the pass and fail branches.
return 0;
}
提示用户先输入一个数字，要与 rolling_dice() 函数返回的数值相同才能进行下一步。
由于这一步不涉及到 flag，所以可以不理。
当用户输入 flag 后会进入核心函数 math_part()。
[Asm] 纯文本查看 复制代码signed __int64 __fastcall math_part(__int64 flag_s)
{
int v1; // et1
int v2; // edx
int v3; // ecx
int v4; // et1
int v5; // et1
int v6; // et1
int v7; // edx
int v8; // edx
int v9; // et1
int v10; // ecx
int v11; // edx
int v12; // et1
int v13; // edx
int v14; // edx
int v15; // ecx
int v16; // edx
int v17; // et1
int v18; // edx
int v19; // et1
int v20; // ecx
int v21; // edx
int v22; // ecx
int v23; // et1
int v24; // edx
int v25; // edx
int v26; // ecx
int v27; // ecx
int v28; // ecx
int v29; // et1
int v30; // ecx
int v31; // ecx
int v32; // edx
signed __int64 result; // rax
char *flag; // [rsp-8h] [rbp-8h]
flag = (char *)std::__cxx11::basic_string,std::allocator>::c_str(flag_s);
v1 = 76 * flag[21]
+ 31 * flag[9]
+ 87 * flag[28]
+ 54 * flag[2]
+ 74 * flag[5]
+ 99 * flag[26]
+ 94 * flag[3]
+ 84 * flag[19]
+ 32 * flag[15]
+ 90 * flag[27]
+ 16 * flag[14]
+ 19 * flag[8]
+ 33 * flag[20]
+ 35 * flag[31]
+ 65 * flag[29]
+ 47 * flag[12]
+ 3 * flag[1]
+ 57 * flag[7]
+ 5 * flag[17]
+ 70 * flag[13]
+ 28 * flag[24]
+ 79 * flag[11]
+ 63 * flag[23]
+ 66 * flag[30]
+ 28 * flag[10]
+ flag[4];
if ( 82 * flag[16] + 58 * flag[25] + v1 + 81 * flag[6] + 61 * flag[18] + 31 * flag[22] + 71 * *flag != 0x237F5 )
goto LABEL_37;
v2 = 55 * flag[6]
+ 38 * flag[9]
+ 39 * flag[18]
+ 73 * flag[24]
+ 86 * flag[13]
+ 18 * flag[11]
+ 40 * flag[21]
+ 40 * flag[26]
+ 54 * flag[14]
+ 81 * flag[10]
+ 71 * flag[27]
+ 20 * flag[8]
+ 16 * flag[28]
+ 65 * flag[30]
+ 87 * flag[3]
+ 14 * flag[16]
+ flag[5]
+ 41 * *flag
+ 58 * flag[15]
+ 73 * flag[2]
+ 46 * flag[23]
+ 7 * flag[19]
+ 89 * flag[17]
+ 65 * flag[25]
+ 43 * flag[7]
+ 6 * flag[20];
if ( v2 + 60 * flag[12] + 40 * flag[31] + 57 * flag[29] + 40 * flag[4] + 30 * flag[1] + 63 * flag[22] != 0x1F21D )
goto LABEL_37;
v3 = 53 * flag[10]
+ 82 * flag[14]
+ 70 * flag[5]
+ 84 * flag[2]
+ 57 * flag[19]
+ 92 * flag[27]
+ 57 * flag[11]
+ 77 * flag[4]
+ 49 * flag[8]
+ 62 * flag[29]
+ 97 * flag[22]
+ 47 * flag[1]
+ 30 * flag[16]
+ 45 * flag[30]
+ 94 * flag[28]
+ 6 * flag[9]
+ 83 * flag[20]
+ 18 * flag[23]
+ 97 * flag[15]
+ 11 * flag[12]
+ 35 * flag[7]
+ 81 * flag[26]
+ 67 * flag[13]
+ 11 * flag[31]
+ 84 * flag[24];
if ( 28 * flag[6] + 17 * flag[21] + 18 * flag[3] + v3 + 63 * flag[25] + 61 * flag[18] != 0x22863 )
goto LABEL_37;
v4 = 14 * flag[24]
+ 46 * flag[6]
+ 56 * flag[7]
+ 13 * flag[2]
+ 82 * flag[11]
+ 49 * flag[30]
+ 97 * flag[18]
+ 50 * flag[14]
+ 83 * flag[27]
+ 38 * flag[13]
+ 49 * flag[29]
+ 9 * flag[4]
+ 91 * flag[20]
+ 33 * flag[25]
+ 4 * flag[22]
+ 5 * flag[17]
+ 61 * flag[15]
+ 65 * flag[3]
+ 68 * flag[28]
+ 6 * flag[16]
+ (flag[8] << 6)
+ 56 * flag[9]
+ 67 * flag[10]
+ 5 * flag[5]
+ flag[21]
+ 10 * flag[19];
if ( 86 * flag[23] + 52 * flag[1] + v4 + 83 * flag[12] + 37 * flag[26] + 85 * *flag != 0x1CA87 )
goto LABEL_37;
v5 = 9 * flag[28]
+ 63 * flag[5]
+ 20 * flag[4]
+ 96 * flag[8]
+ 39 * flag[11]
+ 91 * flag[1]
+ 40 * flag[9]
+ 85 * flag[14]
+ 62 * flag[16]
+ 95 * flag[19]
+ 34 * flag[22]
+ 67 * flag[31]
+ 51 * flag[27]
+ 45 * flag[26]
+ 92 * flag[15]
+ 91 * flag[21]
+ 85 * flag[13]
+ 12 * flag[7]
+ 26 * flag[23]
+ 56 * flag[30]
+ 82 * flag[18]
+ 72 * flag[17]
+ 54 * flag[6]
+ 17 * flag[12]
+ 84 * flag[29]
+ 17 * *flag;
if ( 53 * flag[3] + 91 * flag[2] + 57 * flag[25] + 66 * flag[20] + v5 + 8 * flag[24] + 63 * flag[10] != 0x261F8 )
goto LABEL_37;
v6 = 88 * flag[9]
+ 48 * flag[4]
+ 83 * flag[13]
+ 66 * flag[7]
+ 60 * flag[30]
+ 57 * flag[6]
+ 85 * flag[17]
+ 71 * flag[28]
+ 98 * flag[24]
+ 83 * flag[10]
+ 12 * flag[1]
+ 72 * flag[31]
+ 12 * flag[22]
+ 80 * flag[20]
+ 15 * flag[19]
+ 81 * flag[21]
+ 87 * *flag
+ 37 * flag[16]
+ 4 * flag[15]
+ 41 * flag[3]
+ 84 * flag[26]
+ 56 * flag[25]
+ 84 * flag[14]
+ 41 * flag[27]
+ 98 * flag[18]
+ 18 * flag[2];
if ( 55 * flag[23] + v6 + 95 * flag[11] + 33 * flag[29] + 66 * flag[8] != 0x245E3 )
goto LABEL_37;
v7 = 57 * flag[21]
+ 63 * flag[12]
+ 4 * flag[14]
+ 59 * flag[31]
+ 15 * flag[23]
+ 12 * flag[25]
+ 58 * flag[5]
+ 40 * flag[4]
+ 26 * flag[30]
+ 8 * flag[15]
+ 25 * flag[6]
+ 97 * flag[10]
+ 12 * flag[28]
+ 74 * flag[26]
+ 65 * flag[8]
+ 93 * flag[27]
+ 18 * flag[22]
+ 84 * flag[2]
+ 7 * flag[1]
+ 22 * flag[18]
+ 9 * flag[17]
+ 89 * flag[19]
+ 72 * flag[13]
+ 47 * flag[20]
+ 7 * flag[29];
if ( 43 * flag[16] + 47 * *flag + 53 * flag[24] + 75 * flag[11] + v7 + 8 * flag[9] + 24 * flag[7] + 75 * flag[3] != 121517 )
goto LABEL_37;
v8 = 86 * flag[17]
+ 74 * *flag
+ 72 * flag[4]
+ 27 * flag[20]
+ 88 * flag[9]
+ (flag[21] << 6)
+ 52 * flag[15]
+ 4 * flag[19]
+ 8 * flag[1]
+ 16 * flag[13]
+ 54 * flag[25]
+ 8 * flag[29]
+ 52 * flag[23]
+ 14 * flag[10]
+ 88 * flag[18]
+ 33 * flag[8]
+ 99 * flag[27]
+ 65 * flag[14]
+ 66 * flag[5]
+ 36 * flag[6]
+ 58 * flag[16]
+ 63 * flag[22]
+ 93 * flag[3]
+ 96 * flag[11]
+ 26 * flag[26]
+ 65 * flag[12];
if ( 77 * flag[30] + 89 * flag[31] + 55 * flag[7] + v8 + 42 * flag[28] + 14 * flag[2] + 57 * flag[24] != 0x24F96 )
goto LABEL_37;
v9 = 51 * flag[7]
+ 42 * flag[4]
+ 78 * flag[8]
+ 45 * flag[25]
+ 63 * flag[30]
+ 85 * flag[26]
+ 30 * flag[29]
+ 83 * flag[14]
+ 62 * flag[31]
+ 71 * flag[22]
+ 45 * flag[17]
+ (flag[6] << 6)
+ 87 * flag[23]
+ 49 * flag[28]
+ 14 * *flag
+ 4 * flag[21]
+ 63 * flag[5]
+ 53 * flag[13]
+ 19 * flag[19]
+ 44 * flag[16]
+ 5 * flag[3]
+ 74 * flag[15]
+ 19 * flag[18]
+ 89 * flag[11]
+ 11 * flag[20]
+ 34 * flag[12];
if ( 53 * flag[24] + 95 * flag[27] + v9 + 14 * flag[1] + 87 * flag[10] + 63 * flag[9] + 70 * flag[2] != 142830 )
goto LABEL_37;
v10 = 13 * flag[29]
+ 11 * flag[22]
+ 41 * flag[5]
+ 38 * flag[13]
+ 90 * flag[31]
+ 68 * flag[7]
+ 56 * flag[14]
+ 4 * flag[23]
+ 66 * flag[28]
+ 28 * flag[1]
+ 6 * flag[12]
+ 91 * flag[16]
+ 59 * flag[3]
+ 81 * flag[17]
+ 44 * flag[2]
+ 33 * flag[24]
+ 34 * flag[19]
+ 17 * flag[18]
+ 77 * flag[25]
+ 25 * flag[8]
+ 8 * flag[6]
+ 10 * flag[30]
+ 66 * flag[20];
if ( 69 * *flag
+ 67 * flag[9]
+ 57 * flag[15]
+ 77 * flag[10]
+ 67 * flag[26]
+ 94 * flag[11]
+ v10
+ 41 * flag[27]
+ 29 * flag[21] != 0x1DED9 )
goto LABEL_37;
v11 = 23 * flag[25]
+ 32 * flag[3]
+ 72 * flag[15]
+ 41 * flag[26]
+ 33 * flag[30]
+ 82 * flag[13]
+ 20 * *flag
+ 7 * flag[12]
+ 25 * flag[29]
+ 39 * flag[21]
+ 57 * flag[14]
+ 14 * flag[16]
+ 24 * flag[24]
+ 37 * flag[22]
+ 71 * flag[10]
+ 65 * flag[23]
+ 46 * flag[8]
+ 40 * flag[19]
+ 77 * flag[27]
+ 80 * flag[18]
+ 88 * flag[6]
+ 20 * flag[31]
+ 83 * flag[11]
+ 73 * flag[1]
+ 8 * flag[5]
+ 15 * flag[20];
if ( 31 * flag[9] + 17 * flag[4] + 6 * flag[28] + v11 + 70 * flag[7] + 24 * flag[17] + 16 * flag[2] != 0x19B4D )
goto LABEL_37;
v12 = 41 * flag[24]
+ 45 * flag[30]
+ 82 * flag[20]
+ 86 * flag[19]
+ 99 * flag[9]
+ 96 * flag[22]
+ 85 * flag[28]
+ 70 * flag[5]
+ 77 * flag[23]
+ 80 * flag[11]
+ 40 * flag[31]
+ 66 * flag[12]
+ 12 * flag[2]
+ 77 * flag[15]
+ 72 * flag[4]
+ 42 * flag[26]
+ 81 * flag[27]
+ 90 * flag[13]
+ 37 * flag[16]
+ 29 * flag[17]
+ 20 * flag[29]
+ 85 * flag[6]
+ 6 * flag[7]
+ 2 * *flag
+ 72 * flag[1]
+ 75 * flag[14];
if ( 25 * flag[21] + 79 * flag[3] + v12 + 40 * flag[25] + 29 * flag[8] + 25 * flag[10] != 0x2519A )
goto LABEL_37;
v13 = 42 * flag[31]
+ 95 * flag[30]
+ 58 * flag[8]
+ 47 * flag[13]
+ 65 * flag[15]
+ 24 * flag[17]
+ 97 * flag[10]
+ 24 * flag[21]
+ 28 * *flag
+ 77 * flag[5]
+ 97 * flag[6]
+ 24 * flag[26]
+ 32 * flag[12]
+ 5 * flag[25]
+ 55 * flag[28]
+ 9 * flag[23]
+ 85 * flag[4]
+ 6 * flag[9]
+ 61 * flag[19]
+ 12 * flag[3]
+ 7