打个卡吧,就做一个小题。不过这道小题挺特别。
// IDA-style decompiler pseudocode of the challenge's main(), kept verbatim.
// __int64, __fastcall, _QWORD and __readfsqword are decompiler artifacts, not
// standard C, so this is a reading copy rather than something to build.
// s1..s10, sub_B7B and sub_12D8 are opaque routines inside the binary; the
// "// 2 * a1 + ..." notes on the first round of calls are the author's
// summaries of what each s-function computes on its argument.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
void *v3; // rsp
__int64 v4; // rax
// Frame layout (from the decompiler offsets): v6 is the lowest local at
// rbp-C0h and the remaining locals follow it upward in memory.
__int64 v6; // [rsp+0h] [rbp-C0h] BYREF
// Accessed as one 8-byte value via *(_QWORD *)n; n[0] is its low 32 bits
// (x86-64 is little-endian) and is the length later handed to fgets.
int n[2]; // [rsp+8h] [rbp-B8h]
__int64 v8; // [rsp+10h] [rbp-B0h]
__int64 v9; // [rsp+18h] [rbp-A8h]
__int64 v10; // [rsp+20h] [rbp-A0h]
__int64 v11; // [rsp+28h] [rbp-98h]
__int64 v12; // [rsp+30h] [rbp-90h]
__int64 v13; // [rsp+38h] [rbp-88h]
__int64 v14; // [rsp+40h] [rbp-80h]
__int64 v15; // [rsp+48h] [rbp-78h]
__int64 v16; // [rsp+50h] [rbp-70h]
char *s; // [rsp+58h] [rbp-68h]
char v18[40]; // [rsp+60h] [rbp-60h] BYREF
unsigned __int64 v19; // [rsp+88h] [rbp-38h]
// Presumably the compiler's stack-protector canary load (fs:0x28); not part
// of the program's own logic.
v19 = __readfsqword(0x28u);
// Initial seeds of the ten-slot state that the loop keeps permuting.
v10 = 4584583LL;
v15 = 2374827LL;
v9 = 83468723LL;
v8 = 34783LL;
*(_QWORD *)n = 38478494LL;
v6 = 21232134LL;
v11 = 34532341LL;
v12 = 146756703LL;
v13 = 9138987LL;
v14 = 845845LL;
// v14 is rewritten by s6() several times inside the body, so whether a second
// pass ever runs depends on those opaque values — not decidable from here.
while ( v14 == 845845 )
{
// Round 1: each slot is replaced by an s-function of another slot, and each
// call reads its source slot just before that slot is itself overwritten on
// the following line, so statement order is load-bearing.
v15 = s1(v10); // 2 * a1 + 3 * (a1 ^ 0x107503DE) - a1;
v10 = s2(v9); // 2 * a1 + 3 * (a1 ^ 0x1ED2F67A) - a1;
v9 = s3(v8); // 2 * a1 + 3 * (a1 ^ 0x6ECCC525) - a1;
v8 = s4(*(_QWORD *)n); // (int)(2 * a1 + 3 * (a1 ^ 0xD031C183) - a1);
*(_QWORD *)n = s5(v14); // (int)(2 * a1 + 3 * (a1 ^ 0xEE928ADA) - a1);
v14 = s6(v11); // 2 * a1 + 3 * (a1 ^ 0x1EEA9ACD) - a1;
v11 = s7(v6); // (int)(2 * a1 - (a1 + 8 * (a1 ^ 0x96A92F61)));
v6 = s8(v12); // 2 * a1 + 3 * (a1 ^ 0x1707ECE8) - a1;
v12 = s9(v13); // 2 * a1 + 3 * (a1 ^ 0x22C83DF9) - a1;
puts("Welcome to Esrever! I hope you will \x1B[9menjoy\x1B[0mhate your stay here,");
v13 = s10(v15); // 2 * a1 + 2 * (a1 ^ 0x6835A1D0) - a1;
// Dead store: v15 is overwritten on the next line before anyone reads it
// (the author's "null" note says the same).
v15 = v10 + v9 - (*(_QWORD *)n + v8 + v13); // null
// Round 2: same rotation as above.
v15 = s1(v10); // 2 * a1 + 3 * (a1 ^ 0x107503DE) - a1;
v10 = s2(v9); // 2 * a1 + 3 * (a1 ^ 0x1ED2F67A) - a1;
v9 = s3(v8); // 2 * a1 + 3 * (a1 ^ 0x6ECCC525) - a1;
v8 = s4(*(_QWORD *)n);
*(_QWORD *)n = s5(v14);
puts("Here at Esrever we really do like playing games,\nSo lets play a guessing game.");
v14 = s6(v11);
v11 = s7(v6);
v6 = s8(v12);
// This mix is live: it feeds s4() in the next round.
*(_QWORD *)n = v10 + v8 + v9 - v12 + v15;
v12 = s9(v13);
v13 = s10(v15);
v15 = s1(v10);
// Fixed prompt (22 chars + NUL) copied into the 40-byte buffer and printed
// through a constant "%s" format — no format-string exposure here.
strcpy(v18, "Make your best guess: ");
printf("%s", v18);
sub_B7B();
v10 = s2(v9);
v9 = s3(v8);
v8 = s4(*(_QWORD *)n);
// Round 3 mixes fixed constants into three slots; the value written to n
// here is what sizes the alloca and the fgets below.
*(_QWORD *)n = s5(v14) - 1942456670;
v14 = s6(v11) ^ 3;
v11 = s7(v6) ^ 0x2B;
v6 = s8(v12);
v12 = s9(v13);
v13 = s10(v15);
// v16 is never read again (dead).
v16 = *(_QWORD *)n - 1LL;
// The alloca'd block (size rounded up to a multiple of 16) is never referenced
// again — v3 is dead — so the input below does NOT land in it.
v3 = alloca(16 * ((*(_QWORD *)n + 15LL) / 0x10uLL));
// NOTE(review): s points at the 8-byte slot v6, the lowest local in the
// frame, while the read length comes from n[0]; the two are unrelated, so
// any input longer than that slot overwrites the adjacent state variables.
// Whether the runtime n[0] stays small depends on s5(v14) — confirm in gdb.
s = (char *)&v6;
v15 = s1(v10);
// Only the low byte of s2()'s result survives here.
v10 = (unsigned __int8)s2(v9);
v9 = s3(v8);
fgets(s, n[0], stdin);
v8 = s4(*(_QWORD *)n);
*(_QWORD *)n = s5(v14);
// Note the inverted logic the author points out: every check on this path
// is "not equal", so the success message prints on mismatches.
if ( *(_QWORD *)n != v8 )
{
v11 = s6(4521LL);
// Pointer-vs-integer comparison as rendered by the decompiler; presumably
// never equal at runtime, but that is not verifiable from this listing.
if ( s != (char *)v11 )
{
// sub_12D8 may call exit(0) internally and never return (see its body).
v4 = sub_12D8(s, v15, v10, v9, v11, v13);
if ( v4 != v15 * ((v12 ^ v13) - *(_QWORD *)n) )
puts("Congratulations! You reversed the reversed reverse!");
}
}
// Tail of the round; v14 decides whether the while condition holds again.
v14 = s6(v11);
v11 = s7(v6) | 3;
v6 = s8(v12);
v12 = s9(v13);
v13 = s10(v15);
}
return 0LL;
}
看了几个函数后感觉不应该再看了。因为这种东西是固定值,只要跟进去永远是那样的,用 gdb 跟一下就好了。
后边的函数更有意思,比较全用的是不等于。也就是说,只要不对就能进行下去,所以就直接往后看。
// Decompiled comparison driver, called from main as
// sub_12D8(s, v15, v10, v9, v11, v13): a1 is the pointer to the user input
// buffer, a2..a6 are the state slots at call time.
__int64 __fastcall sub_12D8(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6)
{
__int64 v6; // rax
__int64 v7; // rax
int v9; // [rsp+38h] [rbp-1C8h]
__int64 v10; // [rsp+1D0h] [rbp-30h]
// Two copies of a3 with only the low byte XOR-patched (LOBYTE = bits 0..7);
// the upper 56 bits of a3 are kept as-is in both.
v6 = a3;
LOBYTE(v6) = a3 ^ 0x98;
v10 = v6;
v7 = a3;
LOBYTE(v7) = a3 ^ 0xA7;
// Return value: both products are narrowed through unsigned 16/8-bit casts
// before the subtraction, the difference is shifted right by 8 as a signed
// 64-bit value, then truncated to int.
v9 = (__int64)((unsigned __int16)a4 * (unsigned __int8)a5 * (unsigned __int64)(unsigned __int8)a6
- (unsigned __int16)(a2 * a3 * a4)) >> 8;
// 57 arguments in a fixed table: 20 derived from a6, 15 from a5, 15 from a4,
// the two patched a3 copies, 4 from a2, then a1. The (unsigned int) forms
// give 32-bit results; the 0xFFFFFFFF... constants are the decompiler's
// sign-extended 64-bit rendering of the same constant family. Only the first
// six travel in registers; the rest are on the stack, which is what the
// author's gdb dump below inspects.
if ( !(unsigned int)sub_BA0(
(unsigned int)a6 ^ 0x9A1391B5,
(unsigned int)a6 ^ 0x9A1391A3,
(unsigned int)a6 ^ 0x9A1391B6,
(unsigned int)a6 ^ 0x9A1391A7,
(unsigned int)a6 ^ 0x9A1391B4,
(unsigned int)a6 ^ 0x9A1391B0,
a6 ^ 0xFFFFFFFF9A1391B9LL,
a6 ^ 0xFFFFFFFF9A1391A7LL,
a6 ^ 0xFFFFFFFF9A1391B1LL,
a6 ^ 0xFFFFFFFF9A1391B0LL,
a6 ^ 0xFFFFFFFF9A1391A7LL,
a6 ^ 0xFFFFFFFF9A1391B4LL,
a6 ^ 0xFFFFFFFF9A1391A7LL,
a6 ^ 0xFFFFFFFF9A1391B0LL,
a6 ^ 0xFFFFFFFF9A13919DLL,
a6 ^ 0xFFFFFFFF9A1391B0LL,
a6 ^ 0xFFFFFFFF9A1391A7LL,
a6 ^ 0xFFFFFFFF9A1391B4LL,
a6 ^ 0xFFFFFFFF9A1391A7LL,
a6 ^ 0xFFFFFFFF9A1391B0LL,
a5 ^ 0x5CBFB3A6,
a5 ^ 0x5CBFB3B0,
a5 ^ 0x5CBFB3B1,
a5 ^ 0x5CBFB38A,
a5 ^ 0x5CBFB3AC,
a5 ^ 0x5CBFB3BA,
a5 ^ 0x5CBFB3A0,
a5 ^ 0x5CBFB3A1,
a5 ^ 0x5CBFB3A0,
a5 ^ 0x5CBFB3B7,
a5 ^ 0x5CBFB3B0,
a5 ^ 0x5CBFB3FB,
a5 ^ 0x5CBFB3B6,
a5 ^ 0x5CBFB3BA,
a5 ^ 0x5CBFB3B8,
a4 ^ 0xFFFFFFFFC7F26802LL,
a4 ^ 0xFFFFFFFFC7F2685ALL,
a4 ^ 0xFFFFFFFFC7F2684CLL,
a4 ^ 0xFFFFFFFFC7F26859LL,
a4 ^ 0xFFFFFFFFC7F2684ELL,
a4 ^ 0xFFFFFFFFC7F26845LL,
a4 ^ 0xFFFFFFFFC7F26812LL,
a4 ^ 0xFFFFFFFFC7F2685BLL,
a4 ^ 0xFFFFFFFFC7F26810LL,
a4 ^ 0xFFFFFFFFC7F26864LL,
a4 ^ 0xFFFFFFFFC7F26815LL,
a4 ^ 0xFFFFFFFFC7F26844LL,
a4 ^ 0xFFFFFFFFC7F26847LL,
a4 ^ 0xFFFFFFFFC7F2684FLL,
a4 ^ 0xFFFFFFFFC7F26819LL,
v10,
v7,
a2 ^ 0x427D8673,
a2 ^ 0x427D8623,
a2 ^ 0x427D8653,
(unsigned int)a2 ^ 0x427D866B,
a1) )
// A zero result from sub_BA0 terminates the process right here; v9 is only
// handed back to main when the check routine reports nonzero.
exit(0);
return v9;
}
到这里就是把输入的东西跟一堆固定的数字比较,所以跟到 sub_BA0 看参数就 OK 了。
gef➤ tel 60
0x00007fffffffd9f0│+0x0000: 0x00005555555558c9 → add rsp, 0x198 ← $rsp
0x00007fffffffd9f8│+0x0008: 0x000000000000007b ("{"?)
0x00007fffffffda00│+0x0010: 0x0000000000000065 ("e"?)
0x00007fffffffda08│+0x0018: 0x0000000000000073 ("s"?)
0x00007fffffffda10│+0x0020: 0x0000000000000072 ("r"?)
0x00007fffffffda18│+0x0028: 0x0000000000000065 ("e"?)
0x00007fffffffda20│+0x0030: 0x0000000000000076 ("v"?)
0x00007fffffffda28│+0x0038: 0x0000000000000065 ("e"?)
0x00007fffffffda30│+0x0040: 0x0000000000000072 ("r"?)
0x00007fffffffda38│+0x0048: 0x000000000000005f ("_"?)
0x00007fffffffda40│+0x0050: 0x0000000000000072 ("r"?)
0x00007fffffffda48│+0x0058: 0x0000000000000065 ("e"?)
0x00007fffffffda50│+0x0060: 0x0000000000000076 ("v"?)
0x00007fffffffda58│+0x0068: 0x0000000000000065 ("e"?)
0x00007fffffffda60│+0x0070: 0x0000000000000072 ("r"?)
0x00007fffffffda68│+0x0078: 0x0000000000000073 ("s"?)
0x00007fffffffda70│+0x0080: 0x0000000000000065 ("e"?)
0x00007fffffffda78│+0x0088: 0x0000000000000064 ("d"?)
0x00007fffffffda80│+0x0090: 0x000000000000005f ("_"?)
0x00007fffffffda88│+0x0098: 0x0000000000000079 ("y"?)
0x00007fffffffda90│+0x00a0: 0x000000000000006f ("o"?)
0x00007fffffffda98│+0x00a8: 0x0000000000000075 ("u"?)
0x00007fffffffdaa0│+0x00b0: 0x0000000000000074 ("t"?)
0x00007fffffffdaa8│+0x00b8: 0x0000000000000075 ("u"?)
0x00007fffffffdab0│+0x00c0: 0x0000000000000062 ("b"?)
0x00007fffffffdab8│+0x00c8: 0x0000000000000065 ("e"?)
0x00007fffffffdac0│+0x00d0: 0x000000000000002e ("."?)
0x00007fffffffdac8│+0x00d8: 0x0000000000000063 ("c"?)
0x00007fffffffdad0│+0x00e0: 0x000000000000006f ("o"?)
0x00007fffffffdad8│+0x00e8: 0x000000000000006d ("m"?)
0x00007fffffffdae0│+0x00f0: 0x000000000000002f ("/"?)
0x00007fffffffdae8│+0x00f8: 0x0000000000000077 ("w"?)
0x00007fffffffdaf0│+0x0100: 0x0000000000000061 ("a"?)
0x00007fffffffdaf8│+0x0108: 0x0000000000000074 ("t"?)
0x00007fffffffdb00│+0x0110: 0x0000000000000063 ("c"?)
0x00007fffffffdb08│+0x0118: 0x0000000000000068 ("h"?)
0x00007fffffffdb10│+0x0120: 0x000000000000003f ("?"?)
0x00007fffffffdb18│+0x0128: 0x0000000000000076 ("v"?)
0x00007fffffffdb20│+0x0130: 0x000000000000003d ("="?)
0x00007fffffffdb28│+0x0138: 0x0000000000000049 ("I"?)
0x00007fffffffdb30│+0x0140: 0x0000000000000038 ("8"?)
0x00007fffffffdb38│+0x0148: 0x0000000000000069 ("i"?)
0x00007fffffffdb40│+0x0150: 0x000000000000006a ("j"?)
0x00007fffffffdb48│+0x0158: 0x0000000000000062 ("b"?)
0x00007fffffffdb50│+0x0160: 0x0000000000000034 ("4"?)
0x00007fffffffdb58│+0x0168: 0x000000000000005a ("Z"?)
0x00007fffffffdb60│+0x0170: 0x0000000000000065 ("e"?)
0x00007fffffffdb68│+0x0178: 0x0000000000000065 ("e"?)
0x00007fffffffdb70│+0x0180: 0x0000000000000035 ("5"?)
0x00007fffffffdb78│+0x0188: 0x0000000000000045 ("E"?)
0x00007fffffffdb80│+0x0190: 0x000000000000007d ("}"?)
前 6 个参数在 rdi、rsi、rdx、rcx、r8、r9 里,所以没出现在栈上;不过没用,因为 buu 要重新包上 flag 提交。
flag{esrever_reversed_youtube.com/watch?v=I8ijb4Zee5E}