2019 红帽杯 Re WP

0x01 xx

测试文件:https://www.lanzous.com/i7dyqhc

 

1.准备

2019 红帽杯 Re WP_第1张图片

获取信息

  • 64位文件

 

2.IDA打开

2019 红帽杯 Re WP_第2张图片

 

使用Findcrypt脚本可以看到

2019 红帽杯 Re WP_第3张图片

结合文件名是xx,因此猜测代码用到了xxtea加密方法

 

3.流程总结

因此,总的流程为:

  1. 判断输入的字符串的每个字符是否包含在"qwertyuiopasdfghjklzxcvbnm1234567890"中
  2. 取输入字符串的前4位字符,即"flag",扩展为16位,作为xxtea加密的秘钥key
  3. 将输入的字符串使用key加密,加密后的字符保存在字符数组v18,共24位字符
  4. 打乱v18数组,保存到v19数组中
  5. 将24位字符,每3位为一组,每一组异或值(具体看代码),得到新的加密字符串
  6. 将新的加密字符串与已经存在的字符串比较,相同即获得胜利

因此,只需要逆向变换,就能得到flag

使用动态调试,可以获取到已经存在的字符串

2019 红帽杯 Re WP_第4张图片

 

enc = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'

 

4.脚本解密

Python带了xxtea的包,不过我用的时候,一直提示我“ValueError: Need a 16-byte key.”,用rjust或者'\x00'*16补足了16位也不管用。(已解决)

import xxtea

result = 'CE BC 40 6B 7C 3A 95 C0 EF 9B 20 20 91 F7 02 35 23 18 02 C8 E7 56 56 FA'.split(" ")
res = [int(i,16) for i in result]


for i in range(7,-1,-1):
    t = 0
    for n in range(0,i):
        if t == 0 :
            t = res[0]
        else :
            t ^= res[n]
    for j in range(3) :
        res[i*3+j] ^= t

box = [1,3,0,2,5,7,4,6,9,11,8,10,13,15,12,14,17,19,16,18,21,23,20,22]
m = []


for i in range(len(box)):
    m.append(res[box[i]])


key = 'flag'+'\x00'*12

print(xxtea.decrypt(bytes(m),key,padding=False))
xxtea解密

所以用了另外一种方法,借用了下面xxtea的文章:

 

参考文章:https://blog.csdn.net/weixin_41474364/article/details/84314674 

# encoding: utf-8
import struct

_DELTA = 0x9E3779B9

def _long2str(v, w):
    n = (len(v) - 1) << 2
    if w:
        m = v[-1]
        if (m < n - 3) or (m > n): return ''
        n = m
    s = struct.pack('<%iL' % len(v), *v)
    return s[0:n] if w else s

def _str2long(s, w):
    n = len(s)
    m = (4 - (n & 3) & 3) + n
    s = s.ljust(m, "\0")
    v = list(struct.unpack('<%iL' % (m >> 2), s))
    if w: v.append(n)
    return v

def encrypt(str, key):
    if str == '': return str
    v = _str2long(str, True)
    k = _str2long(key.ljust(16, "\0"), False)
    n = len(v) - 1
    z = v[n]
    y = v[0]
    sum = 0
    q = 6 + 52 // (n + 1)
    while q > 0:
        sum = (sum + _DELTA) & 0xffffffff
        e = sum >> 2 & 3
        for p in xrange(n):
            y = v[p + 1]
            v[p] = (v[p] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
            z = v[p]
        y = v[0]
        v[n] = (v[n] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[n & 3 ^ e] ^ z))) & 0xffffffff
        z = v[n]
        q -= 1
    return _long2str(v, False)

def decrypt(str, key):
    if str == '': return str
    v = _str2long(str, False)
    k = _str2long(key.ljust(16, "\0"), False)
    n = len(v) - 1
    z = v[n]
    y = v[0]
    q = 6 + 52 // (n + 1)
    sum = (q * _DELTA) & 0xffffffff
    while (sum != 0):
        e = sum >> 2 & 3
        for p in xrange(n, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
            y = v[p]
        z = v[n]
        v[0] = (v[0] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[0 & 3 ^ e] ^ z))) & 0xffffffff
        y = v[0]
        sum = (sum - _DELTA) & 0xffffffff
    return _long2str(v, True)

def xor(x ,y):
    return ord(x) ^ ord(y)

# 转换为16进制
arr = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'.decode('hex')

dec = ''

# 因为加密时是正向加密,会用到加密之后的字符,因此解密需要逆向解密
for i in range(7,-1,-1):
    res = ''
    # 每3个为一组
    for j in range(3):
        temp = ord(arr[i*3+j])
        # 需要异或的值,例如第i组的值就是,arr[i*3+j]^(arr[n] for n in range(i))
        for m in range(i):
            temp ^= ord(arr[m])
        res += chr(temp)
    dec = res + dec

# 原来的v18到v19数组是被打乱排序了的
num = [2,0,3,1,6,4,7,5,10,8,11,9,14,12,15,13,18,16,19,17,22,20,23,21]
enc = [0] * 24
# key需要是16位
key = 'flag'+'\x00'*12
for i in range(24):
    enc[num[i]] = dec[i]
dec2 = ''.join(enc)

dec3 = decrypt(dec2, key)
print dec3

2019 红帽杯 Re WP_第5张图片

 

5.get flag!

flag{CXX_and_++tea}

 

0x02  easyRE

测试文件:https://share.weiyun.com/5qzM6bU

 

1.准备

2019 红帽杯 Re WP_第6张图片

获取信息

  • 64位文件

 

2.IDA打开

signed __int64 sub_4009C6()
{
  char *v0; // rsi
  char *v1; // rdi
  signed __int64 result; // rax
  __int64 v3; // ST10_8
  __int64 v4; // ST18_8
  __int64 v5; // ST20_8
  __int64 v6; // ST28_8
  __int64 v7; // ST30_8
  __int64 v8; // ST38_8
  __int64 v9; // ST40_8
  __int64 v10; // ST48_8
  __int64 v11; // ST50_8
  __int64 v12; // ST58_8
  int i; // [rsp+Ch] [rbp-114h]
  char arraym[36]; // [rsp+60h] [rbp-C0h]
  char v15[32]; // [rsp+90h] [rbp-90h]
  int v16; // [rsp+B0h] [rbp-70h]
  char v17; // [rsp+B4h] [rbp-6Ch]
  char v18; // [rsp+C0h] [rbp-60h]
  char v19; // [rsp+E7h] [rbp-39h]
  char v20; // [rsp+100h] [rbp-20h]
  unsigned __int64 v21; // [rsp+108h] [rbp-18h]

  v21 = __readfsqword(0x28u);
  arraym[0] = 73;
  arraym[1] = 111;
  arraym[2] = 100;
  arraym[3] = 108;
  arraym[4] = 62;
  arraym[5] = 81;
  arraym[6] = 110;
  arraym[7] = 98;
  arraym[8] = 40;
  arraym[9] = 111;
  arraym[10] = 99;
  arraym[11] = 121;
  arraym[12] = 127;
  arraym[13] = 121;
  arraym[14] = 46;
  arraym[15] = 105;
  arraym[16] = 127;
  arraym[17] = 100;
  arraym[18] = 96;
  arraym[19] = 51;
  arraym[20] = 119;
  arraym[21] = 125;
  arraym[22] = 119;
  arraym[23] = 101;
  arraym[24] = 107;
  arraym[25] = 57;
  arraym[26] = 123;
  arraym[27] = 105;
  arraym[28] = 121;
  arraym[29] = 61;
  arraym[30] = 126;
  arraym[31] = 121;
  arraym[32] = 76;
  arraym[33] = 64;
  arraym[34] = 69;
  arraym[35] = 67;
  memset(v15, 0, sizeof(v15));
  v16 = 0;
  v17 = 0;
  v0 = v15;
  sub_4406E0(0LL, (__int64)v15);
  v17 = 0;
  v1 = v15;
  if ( sub_424BA0(v15) == 36 )
  {
    for ( i = 0; ; ++i )
    {
      v1 = v15;
      if ( i >= (unsigned __int64)sub_424BA0(v15) )
        break;
      if ( (unsigned __int8)(v15[i] ^ i) != arraym[i] )
      {
        result = 4294967294LL;
        goto LABEL_13;
      }
    }
    sub_410CC0("continue!");
    memset(&v18, 0, 0x40uLL);
    v20 = 0;
    v0 = &v18;
    sub_4406E0(0LL, (__int64)&v18);
    v19 = 0;
    v1 = &v18;
    if ( sub_424BA0(&v18) == 39 )
    {
      v3 = sub_400E44(&v18);
      v4 = sub_400E44(v3);
      v5 = sub_400E44(v4);
      v6 = sub_400E44(v5);
      v7 = sub_400E44(v6);
      v8 = sub_400E44(v7);
      v9 = sub_400E44(v8);
      v10 = sub_400E44(v9);
      v11 = sub_400E44(v10);
      v12 = sub_400E44(v11);
      v0 = off_6CC090;
      v1 = (char *)v12;
      if ( !(unsigned int)sub_400360(v12, off_6CC090) )
      {
        sub_410CC0("You found me!!!");
        v1 = "bye bye~";
        sub_410CC0("bye bye~");
      }
      result = 0LL;
    }
    else
    {
      result = 4294967293LL;
    }
  }
  else
  {
    result = 0xFFFFFFFFLL;
  }
LABEL_13:
  if ( __readfsqword(0x28u) != v21 )
    sub_444020(v1, v0);
  return result;
}

 

 

3.代码分析

首先有两次输入,第一次输入32位字符串,将每位字符异或后与已存在的marray数组比较,因此可以写出脚本,正确输入

arr = [73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125,
       119,101,107,57,123,105,121,61,126,121,76,64,69,67]

dec = ''
for i in range(36):
    dec += chr(arr[i]^i)

print(dec)

Info:The first four chars are `flag`

 

第二次输入,将输入的字符串进行10次base64加密后,与已知的字符串比较,反向解密就行

enc = "Vm0wd2VHUXhTWGhpUm1SWVYwZDRWVll3Wkc5WFJsbDNXa1pPVlUxV2NIcFhhMk0xVmpKS1NHVkdXbFpOYmtKVVZtcEtTMUl5VGtsaVJtUk9ZV3hhZVZadGVHdFRNVTVYVW01T2FGSnRVbGhhVjNoaFZWWmtWMXBFVWxSTmJFcElWbTAxVDJGV1NuTlhia0pXWWxob1dGUnJXbXRXTVZaeVdrWm9hVlpyV1hwV1IzaGhXVmRHVjFOdVVsWmlhMHBZV1ZSR1lWZEdVbFZTYlhSWFRWWndNRlZ0TVc5VWJGcFZWbXR3VjJKSFVYZFdha1pXWlZaT2NtRkhhRk5pVjJoWVYxZDBhMVV3TlhOalJscFlZbGhTY1ZsclduZGxiR1J5VmxSR1ZXSlZjRWhaTUZKaFZqSktWVkZZYUZkV1JWcFlWV3BHYTFkWFRrZFRiV3hvVFVoQ1dsWXhaRFJpTWtsM1RVaG9hbEpYYUhOVmJUVkRZekZhY1ZKcmRGTk5Wa3A2VjJ0U1ExWlhTbFpqUldoYVRVWndkbFpxUmtwbGJVWklZVVprYUdFeGNHOVhXSEJIWkRGS2RGSnJhR2hTYXpWdlZGVm9RMlJzV25STldHUlZUVlpXTlZadE5VOVdiVXBJVld4c1dtSllUWGhXTUZwell6RmFkRkpzVWxOaVNFSktWa1phVTFFeFduUlRhMlJxVWxad1YxWnRlRXRXTVZaSFVsUnNVVlZVTURrPQ=="

for i in range(10):
    enc = enc.decode('base64')
print (enc)

https://bbs.pediy.com/thread-254172.htm

 

在第二次输入加密后对比的常量下面,还发现了一个常量,在sub_400D35函数中调用

2019 红帽杯 Re WP_第7张图片

__int64 __fastcall sub_400D35(__int64 a1, __int64 a2)
{
  __int64 v2; // rdi
  __int64 result; // rax
  unsigned __int64 v4; // rt1
  unsigned int v5; // [rsp+Ch] [rbp-24h]
  signed int i; // [rsp+10h] [rbp-20h]
  signed int j; // [rsp+14h] [rbp-1Ch]
  unsigned int v8; // [rsp+24h] [rbp-Ch]
  unsigned __int64 v9; // [rsp+28h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  v2 = 0LL;
  v5 = sub_43FD20(0LL) - qword_6CEE38;
  for ( i = 0; i <= 1233; ++i )
  {
    v2 = v5;
    sub_40F790(v5);
    sub_40FE60();
    sub_40FE60();
    v5 = (unsigned __int64)sub_40FE60() ^ 0x98765432;
  }
  v8 = v5;
  if ( ((unsigned __int8)v5 ^ byte_6CC0A0[0]) == 'f' && (HIBYTE(v8) ^ (unsigned __int8)byte_6CC0A3) == 'g' )
  {
    for ( j = 0; j <= 24; ++j )
    {
      v2 = (unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v8 + j % 4));
      sub_410E90(v2);
    }
  }
  v4 = __readfsqword(0x28u);
  result = v4 ^ v9;
  if ( v4 != v9 )
    sub_444020(v2, a2);
  return result;
}

两段异或,第一段异或,能够通过'flag'和已知数组反向解出v5

第二段异或。通过已知数组和v5解出flag

key = ''
enc1 = 'flag'
dec = ''
enc = [0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
for i in range(4):
    key += chr(enc[i] ^ ord(enc1[i]))
print (key)

for i in range(len(enc)):
    dec += chr(enc[i] ^ ord(key[i%4]))
print(dec)

2019 红帽杯 Re WP_第8张图片

 

4.get flag!

flag{Act1ve_Defen5e_Test}

 

 0x03  calc

测试文件:https://www.lanzous.com/i7frprg

 

1准备

2019 红帽杯 Re WP_第9张图片

获取信息

  • 64位文件 

 

2.IDA打开

  1 __int64 sub_140002540()
  2 {
  3   __int64 v0; // rax
  4   __int64 v1; // rax
  5   __int64 v2; // rax
  6   __int64 v3; // rax
  7   __int64 v4; // rax
  8   void *v5; // rcx
  9   void *v6; // rcx
 10   void *v7; // rcx
 11   __int64 v8; // rax
 12   __int64 v9; // rax
 13   void *v10; // rcx
 14   void *v11; // rcx
 15   void *v12; // rcx
 16   __int64 v13; // rax
 17   void *v14; // rcx
 18   void *v15; // rcx
 19   char *v16; // r8
 20   unsigned __int64 v17; // r11
 21   _BYTE *v18; // rbx
 22   unsigned __int64 v19; // rax
 23   char *v20; // r9
 24   bool v21; // al
 25   int v22; // er10
 26   __int64 v23; // rdx
 27   _DWORD *v24; // rcx
 28   unsigned int v25; // edi
 29   _BYTE *v26; // rcx
 30   unsigned __int64 v27; // rax
 31   bool v28; // al
 32   int v29; // er10
 33   __int64 v30; // rdx
 34   _DWORD *v31; // rcx
 35   __int64 v32; // rax
 36   __int64 v33; // rax
 37   __int64 v34; // r14
 38   __int64 v35; // rbx
 39   __int64 v36; // rax
 40   __int64 v37; // r15
 41   const void *v38; // rsi
 42   _BYTE *v39; // rdi
 43   unsigned __int64 v40; // rbx
 44   size_t v41; // rbx
 45   __int64 v42; // rax
 46   __int64 v43; // rcx
 47   char *v44; // rax
 48   char *v45; // rbx
 49   __int64 v46; // rax
 50   __int64 v47; // rbx
 51   __int64 v48; // rax
 52   __int64 v49; // rax
 53   _QWORD *v50; // rcx
 54   __int64 v51; // rax
 55   __int64 v52; // rax
 56   void *v53; // rcx
 57   void *v54; // rcx
 58   _BYTE *v55; // rcx
 59   _BYTE *v56; // rcx
 60   _BYTE *v57; // rcx
 61   _BYTE *v58; // rcx
 62   _BYTE *v59; // rcx
 63   _BYTE *v60; // rcx
 64   void *v61; // rcx
 65   void *v62; // rcx
 66   void *v63; // rcx
 67   void *v64; // rcx
 68   __int64 v65; // rsi
 69   __int64 v66; // rax
 70   __int64 v67; // rbx
 71   __int64 v68; // rax
 72   void **v69; // rdi
 73   __int64 v70; // rax
 74   __int64 v71; // rax
 75   _QWORD *v72; // rcx
 76   __int64 v73; // rax
 77   __int64 v74; // rax
 78   void *v75; // rcx
 79   __int64 v76; // rax
 80   __int64 v77; // rax
 81   void *v78; // rcx
 82   _BYTE *v79; // rcx
 83   _BYTE *v80; // rcx
 84   _BYTE *v81; // rcx
 85   _BYTE *v82; // rcx
 86   void *v83; // rcx
 87   void *v84; // rcx
 88   void *v85; // rcx
 89   void *v86; // rcx
 90   char *v87; // r15
 91   __int64 v88; // rcx
 92   char *v89; // r14
 93   int v90; // eax
 94   __int64 v91; // rdx
 95   _DWORD *v92; // rcx
 96   _BYTE *v93; // rcx
 97   _BYTE *v94; // rax
 98   int v95; // eax
 99   __int64 v96; // rsi
100   _BYTE *v97; // rcx
101   _BYTE *v98; // rax
102   int v99; // eax
103   __int64 v100; // rsi
104   _BYTE *v101; // rsi
105   int v102; // eax
106   __int64 i; // rsi
107   char *v104; // rax
108   char *v105; // rax
109   _BYTE *v106; // rcx
110   _BYTE *v107; // rcx
111   _BYTE *v108; // rax
112   char *v109; // rax
113   char *v110; // rax
114   void *v112[2]; // [rsp+20h] [rbp-E0h]
115   __int64 v113; // [rsp+30h] [rbp-D0h]
116   void *v114[2]; // [rsp+38h] [rbp-C8h]
117   char *v115; // [rsp+48h] [rbp-B8h]
118   void **v116; // [rsp+50h] [rbp-B0h]
119   void *Memory[2]; // [rsp+58h] [rbp-A8h]
120   __int64 v118; // [rsp+68h] [rbp-98h]
121   void *v119[2]; // [rsp+70h] [rbp-90h]
122   __int64 v120; // [rsp+80h] [rbp-80h]
123   void *v121[2]; // [rsp+88h] [rbp-78h]
124   __int64 v122; // [rsp+98h] [rbp-68h]
125   void *v123[2]; // [rsp+A0h] [rbp-60h]
126   __int64 v124; // [rsp+B0h] [rbp-50h]
127   void *v125[2]; // [rsp+B8h] [rbp-48h]
128   __int64 v126; // [rsp+C8h] [rbp-38h]
129   void *v127; // [rsp+D0h] [rbp-30h]
130   __int64 v128; // [rsp+D8h] [rbp-28h]
131   __int64 v129; // [rsp+E0h] [rbp-20h]
132   void *v130; // [rsp+E8h] [rbp-18h]
133   __int64 v131; // [rsp+F0h] [rbp-10h]
134   __int64 v132; // [rsp+F8h] [rbp-8h]
135   void *v133; // [rsp+100h] [rbp+0h]
136   __int64 v134; // [rsp+108h] [rbp+8h]
137   __int64 v135; // [rsp+110h] [rbp+10h]
138   void *v136; // [rsp+118h] [rbp+18h]
139   __int64 v137; // [rsp+120h] [rbp+20h]
140   __int64 v138; // [rsp+128h] [rbp+28h]
141   char v139; // [rsp+130h] [rbp+30h]
142   void *v140; // [rsp+148h] [rbp+48h]
143   __int64 v141; // [rsp+150h] [rbp+50h]
144   __int64 v142; // [rsp+158h] [rbp+58h]
145   char v143; // [rsp+160h] [rbp+60h]
146   __int64 v144; // [rsp+178h] [rbp+78h]
147   void *Src[2]; // [rsp+180h] [rbp+80h]
148   __int64 v146; // [rsp+190h] [rbp+90h]
149   void *v147[2]; // [rsp+198h] [rbp+98h]
150   __int64 v148; // [rsp+1A8h] [rbp+A8h]
151   void *v149[2]; // [rsp+1B0h] [rbp+B0h]
152   __int64 v150; // [rsp+1C0h] [rbp+C0h]
153   void *v151; // [rsp+1C8h] [rbp+C8h]
154   __int128 v152; // [rsp+1D0h] [rbp+D0h]
155   void *v153; // [rsp+1E0h] [rbp+E0h]
156   __int64 v154; // [rsp+1E8h] [rbp+E8h]
157   __int64 v155; // [rsp+1F0h] [rbp+F0h]
158   void *v156; // [rsp+1F8h] [rbp+F8h]
159   __int64 v157; // [rsp+200h] [rbp+100h]
160   __int64 v158; // [rsp+208h] [rbp+108h]
161   void *v159; // [rsp+210h] [rbp+110h]
162   __int64 v160; // [rsp+220h] [rbp+120h]
163   void *v161; // [rsp+228h] [rbp+128h]
164   __int64 v162; // [rsp+238h] [rbp+138h]
165 
166   v0 = sub_140004120(std::cout, "A few days ago,Someone asked me for Windows RE...");
167   std::basic_ostream<char,std::char_traits<char>>::operator<<(v0, sub_1400042F0);
168   v1 = sub_140004120(std::cout, "But Windows + STL is terrible!");
169   std::basic_ostream<char,std::char_traits<char>>::operator<<(v1, sub_1400042F0);
170   LODWORD(v144) = 0;
171   _mm_storeu_si128((__m128i *)Src, (__m128i)0i64);
172   v146 = 0i64;
173   sub_140004330(Src, 0i64, &v144);
174   sub_140001270(Src);
175   LODWORD(v144) = 0;
176   _mm_storeu_si128((__m128i *)v147, (__m128i)0i64);
177   v148 = 0i64;
178   sub_140004330(v147, 0i64, &v144);
179   sub_140001270(v147);
180   LODWORD(v144) = 0;
181   _mm_storeu_si128((__m128i *)v149, (__m128i)0i64);
182   v150 = 0i64;
183   sub_140004330(v149, 0i64, &v144);
184   sub_140001270(v149);
185   v2 = sub_140004120(std::cout, "Enjoy it");
186   std::basic_ostream<char,std::char_traits<char>>::operator<<(v2, sub_1400042F0);
187   sub_1400013D0(std::cin, Src);
188   v3 = sub_140004120(std::cout, "Calculating...");
189   std::basic_ostream<char,std::char_traits<char>>::operator<<(v3, sub_1400042F0);
190   LODWORD(v144) = 4;
191   _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
192   v115 = 0i64;
193   sub_140004330(v114, 0i64, &v144);
194   sub_140001270(v114);
195   LODWORD(v144) = 2;
196   _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
197   v113 = 0i64;
198   sub_140004330(v112, 0i64, &v144);
199   sub_140001270(v112);
200   v4 = cacl_pow(Memory, Src, v112);
201   calc_mul(&v161, v4, v114);
202   v5 = Memory[0];
203   if ( Memory[0] )
204   {
205     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
206     {
207       v5 = (void *)*((_QWORD *)Memory[0] - 1);
208       if ( (unsigned __int64)(Memory[0] - v5 - 8) > 0x1F )
209         invalid_parameter_noinfo_noreturn();
210     }
211     j_j_free(v5);
212     Memory[0] = 0i64;
213     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
214   }
215   v6 = v112[0];
216   if ( v112[0] )
217   {
218     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
219     {
220       v6 = (void *)*((_QWORD *)v112[0] - 1);
221       if ( (unsigned __int64)(v112[0] - v6 - 8) > 0x1F )
222         invalid_parameter_noinfo_noreturn();
223     }
224     j_j_free(v6);
225   }
226   v7 = v114[0];
227   if ( v114[0] )
228   {
229     if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 )
230     {
231       v7 = (void *)*((_QWORD *)v114[0] - 1);
232       if ( (unsigned __int64)(v114[0] - v7 - 8) > 0x1F )
233         invalid_parameter_noinfo_noreturn();
234     }
235     j_j_free(v7);
236   }
237   Sleep(0x75BCD15u);
238   sub_1400013D0(std::cin, v147);
239   v8 = sub_140004120(std::cout, "Calculating......");
240   std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_1400042F0);
241   LODWORD(v144) = 2;
242   _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
243   v115 = 0i64;
244   sub_140004330(v114, 0i64, &v144);
245   sub_140001270(v114);
246   LODWORD(v144) = 3;
247   _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
248   v113 = 0i64;
249   sub_140004330(v112, 0i64, &v144);
250   sub_140001270(v112);
251   v9 = calc_mul(Memory, v147, v112);
252   cacl_pow(&v156, v9, v114);
253   v10 = Memory[0];
254   if ( Memory[0] )
255   {
256     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
257     {
258       v10 = (void *)*((_QWORD *)Memory[0] - 1);
259       if ( (unsigned __int64)(Memory[0] - v10 - 8) > 0x1F )
260         invalid_parameter_noinfo_noreturn();
261     }
262     j_j_free(v10);
263     Memory[0] = 0i64;
264     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
265   }
266   v11 = v112[0];
267   if ( v112[0] )
268   {
269     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
270     {
271       v11 = (void *)*((_QWORD *)v112[0] - 1);
272       if ( (unsigned __int64)(v112[0] - v11 - 8) > 0x1F )
273         invalid_parameter_noinfo_noreturn();
274     }
275     j_j_free(v11);
276   }
277   v12 = v114[0];
278   if ( v114[0] )
279   {
280     if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 )
281     {
282       v12 = (void *)*((_QWORD *)v114[0] - 1);
283       if ( (unsigned __int64)(v114[0] - v12 - 8) > 0x1F )
284         invalid_parameter_noinfo_noreturn();
285     }
286     j_j_free(v12);
287   }
288   Sleep(0x3ADE68B1u);
289   sub_1400013D0(std::cin, v149);
290   sub_140004120(std::cout, "Calculating............");
291   LODWORD(v144) = 7;
292   _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
293   v113 = 0i64;
294   sub_140004330(v112, 0i64, &v144);
295   sub_140001270(v112);
296   v13 = calc_mul(Memory, v112, v149);
297   calc_mul(&v159, v13, v149);
298   v14 = Memory[0];
299   if ( Memory[0] )
300   {
301     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
302     {
303       v14 = (void *)*((_QWORD *)Memory[0] - 1);
304       if ( (unsigned __int64)(Memory[0] - v14 - 8) > 0x1F )
305         invalid_parameter_noinfo_noreturn();
306     }
307     j_j_free(v14);
308     Memory[0] = 0i64;
309     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
310   }
311   v15 = v112[0];
312   if ( v112[0] )
313   {
314     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
315     {
316       v15 = (void *)*((_QWORD *)v112[0] - 1);
317       if ( (unsigned __int64)(v112[0] - v15 - 8) > 0x1F )
318         invalid_parameter_noinfo_noreturn();
319     }
320     j_j_free(v15);
321   }
322   Sleep(0x7777777u);
323   v16 = (char *)Src[0];                         // 需要满足 x < z
324   v17 = (_QWORD)(Src[1] - Src[0]) >> 2;
325   v18 = v149[0];
326   v19 = (_QWORD)(v149[1] - v149[0]) >> 2;
327   v20 = (char *)v147[0];
328   if ( v17 == v19 )
329   {
330     v22 = v17 - 1;
331     if ( (signed int)v17 - 1 < 0 )
332       goto LABEL_47;
333     v23 = v22;
334     v24 = (char *)v149[0] + 4 * v22;
335     while ( *(_DWORD *)((char *)v24 + Src[0] - v149[0]) == *v24 )
336     {
337       --v22;
338       --v24;
339       if ( --v23 < 0 )
340         goto LABEL_47;
341     }
342     v21 = *((_DWORD *)Src[0] + v22) < *((_DWORD *)v149[0] + v22);
343   }
344   else
345   {
346     v21 = v17 < v19;
347   }
348   if ( !v21 )
349     goto LABEL_47;
350   v27 = (_QWORD)(v147[1] - v147[0]) >> 2;       // 需要瞒住x > y
351   if ( v27 != v17 )
352   {
353     v28 = v27 < v17;
354     goto LABEL_62;
355   }
356   v29 = v27 - 1;
357   if ( (signed int)v27 - 1 < 0 )
358   {
359 LABEL_47:
360     v25 = -1;
361     goto LABEL_48;
362   }
363   v30 = v29;
364   v31 = (char *)Src[0] + 4 * v29;
365   while ( *(_DWORD *)((char *)v31 + v147[0] - Src[0]) == *v31 )
366   {
367     --v29;
368     --v31;
369     if ( --v30 < 0 )
370       goto LABEL_47;
371   }
372   v28 = *((_DWORD *)v147[0] + v29) < *((_DWORD *)Src[0] + v29);
373 LABEL_62:
374   if ( !v28 )
375     goto LABEL_47;
376   LODWORD(v144) = 3;
377   _mm_storeu_si128((__m128i *)v125, (__m128i)0i64);
378   v126 = 0i64;
379   sub_140004330(v125, 0i64, &v144);
380   sub_140001270(v125);
381   LODWORD(v144) = 2;
382   _mm_storeu_si128((__m128i *)v123, (__m128i)0i64);
383   v124 = 0i64;
384   sub_140004330(v123, 0i64, &v144);
385   sub_140001270(v123);
386   LODWORD(v144) = 3;
387   _mm_storeu_si128((__m128i *)v121, (__m128i)0i64);
388   v122 = 0i64;
389   sub_140004330(v121, 0i64, &v144);
390   sub_140001270(v121);
391   LODWORD(v144) = 3;
392   _mm_storeu_si128((__m128i *)v119, (__m128i)0i64);
393   v120 = 0i64;
394   sub_140004330(v119, 0i64, &v144);
395   sub_140001270(v119);
396   v32 = calc_mul(&v136, v125, Src);
397   v33 = calc_mul(&v133, v32, Src);
398   v34 = calc_mul(&v130, v33, v147);
399   v35 = cacl_pow(&v127, v147, v123);
400   v36 = calc_mul(&v151, v121, Src);
401   v37 = calc_mul(&v140, v36, v35);
402   _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
403   v115 = 0i64;
404   v38 = Src[0];
405   v39 = Src[1];
406   if ( Src[0] != Src[1] )
407   {
408     v40 = (_QWORD)(Src[1] - Src[0]) >> 2;
409     if ( v40 <= 0x3FFFFFFFFFFFFFFFi64 )
410     {
411       v41 = 4 * v40;
412       if ( v41 < 0x1000 )
413       {
414         if ( v41 )
415           v44 = (char *)sub_140004A84(v41);
416         else
417           v44 = 0i64;
418 LABEL_73:
419         v114[0] = v44;
420         v114[1] = v44;
421         v45 = &v44[v41];
422         v115 = v45;
423         memmove(v44, v38, v39 - (_BYTE *)v38);
424         v114[1] = v45;
425         goto LABEL_74;
426       }
427       if ( v41 + 39 > v41 )
428       {
429         v42 = sub_140004A84(v41 + 39);
430         v43 = v42;
431         if ( !v42 )
432           invalid_parameter_noinfo_noreturn();
433         v44 = (char *)((v42 + 39) & 0xFFFFFFFFFFFFFFE0ui64);
434         *((_QWORD *)v44 - 1) = v43;
435         goto LABEL_73;
436       }
437     }
438     sub_140001110();
439   }
440 LABEL_74:
441   v46 = cacl_add(Memory, v114, v147);
442   v47 = cacl_pow(&v139, v46, v119);
443   v144 = v47;
444   v48 = cacl_equal(&v153, v37);
445   v49 = cacl_sub(v47, v48);
446   cacl_equal(v112, v49);
447   v50 = *(_QWORD **)v47;
448   if ( *(_QWORD *)v47 )
449   {
450     if ( (unsigned __int64)(4i64 * ((*(_QWORD *)(v47 + 16) - (_QWORD)v50) >> 2)) >= 0x1000 )
451     {
452       if ( (unsigned __int64)((char *)v50 - *(v50 - 1) - 8) > 0x1F )
453         invalid_parameter_noinfo_noreturn();
454       v50 = (_QWORD *)*(v50 - 1);
455     }
456     j_j_free(v50);
457     *(_QWORD *)v47 = 0i64;
458     *(_QWORD *)(v47 + 8) = 0i64;
459     *(_QWORD *)(v47 + 16) = 0i64;
460   }
461   v116 = v112;
462   v51 = cacl_equal(&v143, v34);
463   v52 = cacl_sub(v112, v51);
464   cacl_equal(&v153, v52);
465   v53 = v112[0];
466   if ( v112[0] )
467   {
468     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
469     {
470       v53 = (void *)*((_QWORD *)v112[0] - 1);
471       if ( (unsigned __int64)(v112[0] - v53 - 8) > 0x1F )
472         invalid_parameter_noinfo_noreturn();
473     }
474     j_j_free(v53);
475     _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
476     v113 = 0i64;
477   }
478   v54 = Memory[0];
479   if ( Memory[0] )
480   {
481     if ( (unsigned __int64)(4 * ((signed __int64)(v118 - (unsigned __int64)Memory[0]) >> 2)) >= 0x1000 )
482     {
483       v54 = (void *)*((_QWORD *)Memory[0] - 1);
484       if ( (unsigned __int64)(Memory[0] - v54 - 8) > 0x1F )
485         invalid_parameter_noinfo_noreturn();
486     }
487     j_j_free(v54);
488     Memory[0] = 0i64;
489     _mm_storeu_si128((__m128i *)&Memory[1], (__m128i)0i64);
490   }
491   v55 = v140;
492   if ( v140 )
493   {
494     if ( (unsigned __int64)(4 * ((v142 - (signed __int64)v140) >> 2)) >= 0x1000 )
495     {
496       v55 = (_BYTE *)*((_QWORD *)v140 - 1);
497       if ( (unsigned __int64)((_BYTE *)v140 - v55 - 8) > 0x1F )
498         invalid_parameter_noinfo_noreturn();
499     }
500     j_j_free(v55);
501     v140 = 0i64;
502     _mm_storeu_si128((__m128i *)&v141, (__m128i)0i64);
503   }
504   v56 = v151;
505   if ( v151 )
506   {
507     if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + 1) - (_QWORD)v151) >> 2)) >= 0x1000 )
508     {
509       v56 = (_BYTE *)*((_QWORD *)v151 - 1);
510       if ( (unsigned __int64)((_BYTE *)v151 - v56 - 8) > 0x1F )
511         invalid_parameter_noinfo_noreturn();
512     }
513     j_j_free(v56);
514     v151 = 0i64;
515     _mm_storeu_si128((__m128i *)&v152, (__m128i)0i64);
516   }
517   v57 = v127;
518   if ( v127 )
519   {
520     if ( (unsigned __int64)(4 * ((v129 - (signed __int64)v127) >> 2)) >= 0x1000 )
521     {
522       v57 = (_BYTE *)*((_QWORD *)v127 - 1);
523       if ( (unsigned __int64)((_BYTE *)v127 - v57 - 8) > 0x1F )
524         invalid_parameter_noinfo_noreturn();
525     }
526     j_j_free(v57);
527     v127 = 0i64;
528     _mm_storeu_si128((__m128i *)&v128, (__m128i)0i64);
529   }
530   v58 = v130;
531   if ( v130 )
532   {
533     if ( (unsigned __int64)(4 * ((v132 - (signed __int64)v130) >> 2)) >= 0x1000 )
534     {
535       v58 = (_BYTE *)*((_QWORD *)v130 - 1);
536       if ( (unsigned __int64)((_BYTE *)v130 - v58 - 8) > 0x1F )
537         invalid_parameter_noinfo_noreturn();
538     }
539     j_j_free(v58);
540     v130 = 0i64;
541     _mm_storeu_si128((__m128i *)&v131, (__m128i)0i64);
542   }
543   v59 = v133;
544   if ( v133 )
545   {
546     if ( (unsigned __int64)(4 * ((v135 - (signed __int64)v133) >> 2)) >= 0x1000 )
547     {
548       v59 = (_BYTE *)*((_QWORD *)v133 - 1);
549       if ( (unsigned __int64)((_BYTE *)v133 - v59 - 8) > 0x1F )
550         invalid_parameter_noinfo_noreturn();
551     }
552     j_j_free(v59);
553     v133 = 0i64;
554     _mm_storeu_si128((__m128i *)&v134, (__m128i)0i64);
555   }
556   v60 = v136;
557   if ( v136 )
558   {
559     if ( (unsigned __int64)(4 * ((v138 - (signed __int64)v136) >> 2)) >= 0x1000 )
560     {
561       v60 = (_BYTE *)*((_QWORD *)v136 - 1);
562       if ( (unsigned __int64)((_BYTE *)v136 - v60 - 8) > 0x1F )
563         invalid_parameter_noinfo_noreturn();
564     }
565     j_j_free(v60);
566     v136 = 0i64;
567     _mm_storeu_si128((__m128i *)&v137, (__m128i)0i64);
568   }
569   v61 = v119[0];
570   if ( v119[0] )
571   {
572     if ( (unsigned __int64)(4 * ((signed __int64)(v120 - (unsigned __int64)v119[0]) >> 2)) >= 0x1000 )
573     {
574       v61 = (void *)*((_QWORD *)v119[0] - 1);
575       if ( (unsigned __int64)(v119[0] - v61 - 8) > 0x1F )
576         invalid_parameter_noinfo_noreturn();
577     }
578     j_j_free(v61);
579   }
580   v62 = v121[0];
581   if ( v121[0] )
582   {
583     if ( (unsigned __int64)(4 * ((signed __int64)(v122 - (unsigned __int64)v121[0]) >> 2)) >= 0x1000 )
584     {
585       v62 = (void *)*((_QWORD *)v121[0] - 1);
586       if ( (unsigned __int64)(v121[0] - v62 - 8) > 0x1F )
587         invalid_parameter_noinfo_noreturn();
588     }
589     j_j_free(v62);
590   }
591   v63 = v123[0];
592   if ( v123[0] )
593   {
594     if ( (unsigned __int64)(4 * ((signed __int64)(v124 - (unsigned __int64)v123[0]) >> 2)) >= 0x1000 )
595     {
596       v63 = (void *)*((_QWORD *)v123[0] - 1);
597       if ( (unsigned __int64)(v123[0] - v63 - 8) > 0x1F )
598         invalid_parameter_noinfo_noreturn();
599     }
600     j_j_free(v63);
601   }
602   v64 = v125[0];
603   if ( v125[0] )
604   {
605     if ( (unsigned __int64)(4 * ((signed __int64)(v126 - (unsigned __int64)v125[0]) >> 2)) >= 0x1000 )
606     {
607       v64 = (void *)*((_QWORD *)v125[0] - 1);
608       if ( (unsigned __int64)(v125[0] - v64 - 8) > 0x1F )
609         invalid_parameter_noinfo_noreturn();
610     }
611     j_j_free(v64);
612   }
613   LODWORD(v144) = 22;
614   _mm_storeu_si128((__m128i *)v119, (__m128i)0i64);
615   v120 = 0i64;
616   sub_140004330(v119, 0i64, &v144);
617   sub_140001270(v119);
618   LODWORD(v144) = 48;
619   _mm_storeu_si128((__m128i *)v121, (__m128i)0i64);
620   v122 = 0i64;
621   sub_140004330(v121, 0i64, &v144);
622   sub_140001270(v121);
623   LODWORD(v144) = 12;
624   _mm_storeu_si128((__m128i *)v123, (__m128i)0i64);
625   v124 = 0i64;
626   sub_140004330(v123, 0i64, &v144);
627   sub_140001270(v123);
628   LODWORD(v144) = 3;
629   _mm_storeu_si128((__m128i *)v125, (__m128i)0i64);
630   v126 = 0i64;
631   sub_140004330(v125, 0i64, &v144);
632   sub_140001270(v125);
633   v116 = Memory;
634   v65 = calc_mul(&v127, v121, v149);
635   v66 = calc_mul(&v130, v123, v149);
636   v67 = calc_mul(&v133, v66, v149);
637   LODWORD(v144) = 4;
638   _mm_storeu_si128((__m128i *)Memory, (__m128i)0i64);
639   v118 = 0i64;
640   sub_140004330(Memory, 0i64, &v144);
641   sub_140001270(Memory);
642   v68 = cacl_add(&v136, Memory, v149);
643   v69 = (void **)cacl_pow(&v143, v68, v125);
644   v116 = v69;
645   v70 = cacl_equal(&v139, v67);
646   v71 = cacl_sub(v69, v70);
647   cacl_equal(v112, v71);
648   v72 = *v69;
649   if ( *v69 )
650   {
651     if ( (unsigned __int64)(4 * (((_BYTE *)v69[2] - (_BYTE *)v72) >> 2)) >= 0x1000 )
652     {
653       if ( (unsigned __int64)((char *)v72 - *(v72 - 1) - 8) > 0x1F )
654         invalid_parameter_noinfo_noreturn();
655       v72 = (_QWORD *)*(v72 - 1);
656     }
657     j_j_free(v72);
658     *v69 = 0i64;
659     v69[1] = 0i64;
660     v69[2] = 0i64;
661   }
662   v116 = v112;
663   v73 = cacl_equal(&v139, v65);
664   v74 = cacl_sub(v112, v73);
665   cacl_equal(v114, v74);
666   v75 = v112[0];
667   if ( v112[0] )
668   {
669     if ( (unsigned __int64)(4 * ((signed __int64)(v113 - (unsigned __int64)v112[0]) >> 2)) >= 0x1000 )
670     {
671       v75 = (void *)*((_QWORD *)v112[0] - 1);
672       if ( (unsigned __int64)(v112[0] - v75 - 8) > 0x1F )
673         invalid_parameter_noinfo_noreturn();
674     }
675     j_j_free(v75);
676     _mm_storeu_si128((__m128i *)v112, (__m128i)0i64);
677     v113 = 0i64;
678   }
679   v116 = v114;
680   v76 = cacl_equal(&v139, v119);
681   v77 = cacl_sub(v114, v76);
682   cacl_equal(&v151, v77);
683   v78 = v114[0];
684   if ( v114[0] )
685   {
686     if ( (unsigned __int64)(4 * ((v115 - (char *)v114[0]) >> 2)) >= 0x1000 )
687     {
688       v78 = (void *)*((_QWORD *)v114[0] - 1);
689       if ( (unsigned __int64)(v114[0] - v78 - 8) > 0x1F )
690         invalid_parameter_noinfo_noreturn();
691     }
692     j_j_free(v78);
693     _mm_storeu_si128((__m128i *)v114, (__m128i)0i64);
694     v115 = 0i64;
695   }
696   v79 = v136;
697   if ( v136 )
698   {
699     if ( (unsigned __int64)(4 * ((v138 - (signed __int64)v136) >> 2)) >= 0x1000 )
700     {
701       v79 = (_BYTE *)*((_QWORD *)v136 - 1);
702       if ( (unsigned __int64)((_BYTE *)v136 - v79 - 8) > 0x1F )
703         invalid_parameter_noinfo_noreturn();
704     }
705     j_j_free(v79);
706     v136 = 0i64;
707     _mm_storeu_si128((__m128i *)&v137, (__m128i)0i64);
708   }
709   v80 = v133;
710   if ( v133 )
711   {
712     if ( (unsigned __int64)(4 * ((v135 - (signed __int64)v133) >> 2)) >= 0x1000 )
713     {
714       v80 = (_BYTE *)*((_QWORD *)v133 - 1);
715       if ( (unsigned __int64)((_BYTE *)v133 - v80 - 8) > 0x1F )
716         invalid_parameter_noinfo_noreturn();
717     }
718     j_j_free(v80);
719     v133 = 0i64;
720     _mm_storeu_si128((__m128i *)&v134, (__m128i)0i64);
721   }
722   v81 = v130;
723   if ( v130 )
724   {
725     if ( (unsigned __int64)(4 * ((v132 - (signed __int64)v130) >> 2)) >= 0x1000 )
726     {
727       v81 = (_BYTE *)*((_QWORD *)v130 - 1);
728       if ( (unsigned __int64)((_BYTE *)v130 - v81 - 8) > 0x1F )
729         invalid_parameter_noinfo_noreturn();
730     }
731     j_j_free(v81);
732     v130 = 0i64;
733     _mm_storeu_si128((__m128i *)&v131, (__m128i)0i64);
734   }
735   v82 = v127;
736   if ( v127 )
737   {
738     if ( (unsigned __int64)(4 * ((v129 - (signed __int64)v127) >> 2)) >= 0x1000 )
739     {
740       v82 = (_BYTE *)*((_QWORD *)v127 - 1);
741       if ( (unsigned __int64)((_BYTE *)v127 - v82 - 8) > 0x1F )
742         invalid_parameter_noinfo_noreturn();
743     }
744     j_j_free(v82);
745     v127 = 0i64;
746     _mm_storeu_si128((__m128i *)&v128, (__m128i)0i64);
747   }
748   v83 = v125[0];
749   if ( v125[0] )
750   {
751     if ( (unsigned __int64)(4 * ((signed __int64)(v126 - (unsigned __int64)v125[0]) >> 2)) >= 0x1000 )
752     {
753       v83 = (void *)*((_QWORD *)v125[0] - 1);
754       if ( (unsigned __int64)(v125[0] - v83 - 8) > 0x1F )
755         invalid_parameter_noinfo_noreturn();
756     }
757     j_j_free(v83);
758   }
759   v84 = v123[0];
760   if ( v123[0] )
761   {
762     if ( (unsigned __int64)(4 * ((signed __int64)(v124 - (unsigned __int64)v123[0]) >> 2)) >= 0x1000 )
763     {
764       v84 = (void *)*((_QWORD *)v123[0] - 1);
765       if ( (unsigned __int64)(v123[0] - v84 - 8) > 0x1F )
766         invalid_parameter_noinfo_noreturn();
767     }
768     j_j_free(v84);
769   }
770   v85 = v121[0];
771   if ( v121[0] )
772   {
773     if ( (unsigned __int64)(4 * ((signed __int64)(v122 - (unsigned __int64)v121[0]) >> 2)) >= 0x1000 )
774     {
775       v85 = (void *)*((_QWORD *)v121[0] - 1);
776       if ( (unsigned __int64)(v121[0] - v85 - 8) > 0x1F )
777         invalid_parameter_noinfo_noreturn();
778     }
779     j_j_free(v85);
780   }
781   v86 = v119[0];
782   if ( v119[0] )
783   {
784     if ( (unsigned __int64)(4 * ((signed __int64)(v120 - (unsigned __int64)v119[0]) >> 2)) >= 0x1000 )
785     {
786       v86 = (void *)*((_QWORD *)v119[0] - 1);
787       if ( (unsigned __int64)(v119[0] - v86 - 8) > 0x1F )
788         invalid_parameter_noinfo_noreturn();
789     }
790     j_j_free(v86);
791   }
792   v87 = (char *)v153;
793   v88 = (v154 - (signed __int64)v153) >> 2;
794   v89 = (char *)v151;
795   v18 = v149[0];
796   if ( v88 == ((_QWORD)v152 - (_QWORD)v151) >> 2 )
797   {
798     v90 = v88 - 1;
799     if ( (signed int)v88 - 1 < 0 )
800     {
801 LABEL_201:
802       sub_140004120(std::cout, "You win!\nflag{MD5(\"");
803       v93 = Src[0];
804       v94 = Src[1];
805       if ( Src[0] == Src[1] )
806       {
807         std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
808         v94 = Src[1];
809         v93 = Src[0];
810       }
811       v95 = (unsigned __int64)((v94 - v93) >> 2) - 1;
812       v96 = v95;
813       if ( v95 >= 0 )
814       {
815         while ( 1 )
816         {
817           std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v93[4 * v96--]);
818           if ( v96 < 0 )
819             break;
820           v93 = Src[0];
821         }
822       }
823       v97 = v147[0];
824       v98 = v147[1];
825       if ( v147[0] == v147[1] )
826       {
827         std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
828         v98 = v147[1];
829         v97 = v147[0];
830       }
831       v99 = (unsigned __int64)((v98 - v97) >> 2) - 1;
832       v100 = v99;
833       if ( v99 >= 0 )
834       {
835         while ( 1 )
836         {
837           std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v97[4 * v100--]);
838           if ( v100 < 0 )
839             break;
840           v97 = v147[0];
841         }
842       }
843       v101 = v149[1];
844       if ( v18 == v149[1] )
845         std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, 0i64);
846       v102 = (unsigned __int64)((v101 - v18) >> 2) - 1;
847       for ( i = v102;
848             i >= 0;
849             std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, *(unsigned int *)&v18[4 * i--]) )
850       {
851         ;
852       }
853       sub_140004120(std::cout, "\").tolower()}\n");
854     }
855     else
856     {
857       v91 = v90;
858       v92 = (char *)v151 + 4 * v90;
859       while ( *(_DWORD *)((char *)v92 + (_BYTE *)v153 - (_BYTE *)v151) == *v92 )
860       {
861         --v92;
862         if ( --v91 < 0 )
863           goto LABEL_201;
864       }
865     }
866   }
867   v25 = 0;
868   if ( v89 )
869   {
870     v104 = v89;
871     if ( (unsigned __int64)(4i64 * ((*((_QWORD *)&v152 + 1) - (_QWORD)v89) >> 2)) >= 0x1000 )
872     {
873       v89 = (char *)*((_QWORD *)v89 - 1);
874       if ( (unsigned __int64)(v104 - v89 - 8) > 0x1F )
875         invalid_parameter_noinfo_noreturn();
876     }
877     j_j_free(v89);
878   }
879   if ( v87 )
880   {
881     v105 = v87;
882     if ( (unsigned __int64)(4 * ((v155 - (signed __int64)v87) >> 2)) >= 0x1000 )
883     {
884       v87 = (char *)*((_QWORD *)v87 - 1);
885       if ( (unsigned __int64)(v105 - v87 - 8) > 0x1F )
886         invalid_parameter_noinfo_noreturn();
887     }
888     j_j_free(v87);
889   }
890   v16 = (char *)Src[0];
891   v20 = (char *)v147[0];
892 LABEL_48:
893   v26 = v159;
894   if ( v159 )
895   {
896     if ( (unsigned __int64)(4 * ((v160 - (signed __int64)v159) >> 2)) >= 0x1000 )
897     {
898       v26 = (_BYTE *)*((_QWORD *)v159 - 1);
899       if ( (unsigned __int64)((_BYTE *)v159 - v26 - 8) > 0x1F )
900         invalid_parameter_noinfo_noreturn();
901     }
902     j_j_free(v26);
903     v16 = (char *)Src[0];
904     v20 = (char *)v147[0];
905   }
906   v106 = v156;
907   if ( v156 )
908   {
909     if ( (unsigned __int64)(4 * ((v158 - (signed __int64)v156) >> 2)) >= 0x1000 )
910     {
911       v106 = (_BYTE *)*((_QWORD *)v156 - 1);
912       if ( (unsigned __int64)((_BYTE *)v156 - v106 - 8) > 0x1F )
913         invalid_parameter_noinfo_noreturn();
914     }
915     j_j_free(v106);
916     v156 = 0i64;
917     _mm_storeu_si128((__m128i *)&v157, (__m128i)0i64);
918     v16 = (char *)Src[0];
919     v20 = (char *)v147[0];
920   }
921   v107 = v161;
922   if ( v161 )
923   {
924     if ( (unsigned __int64)(4 * ((v162 - (signed __int64)v161) >> 2)) >= 0x1000 )
925     {
926       v107 = (_BYTE *)*((_QWORD *)v161 - 1);
927       if ( (unsigned __int64)((_BYTE *)v161 - v107 - 8) > 0x1F )
928         invalid_parameter_noinfo_noreturn();
929     }
930     j_j_free(v107);
931     v16 = (char *)Src[0];
932     v20 = (char *)v147[0];
933   }
934   if ( v18 )
935   {
936     v108 = v18;
937     if ( (unsigned __int64)(4 * ((v150 - (signed __int64)v18) >> 2)) >= 0x1000 )
938     {
939       v18 = (_BYTE *)*((_QWORD *)v18 - 1);
940       if ( (unsigned __int64)(v108 - v18 - 8) > 0x1F )
941         invalid_parameter_noinfo_noreturn();
942     }
943     j_j_free(v18);
944     v16 = (char *)Src[0];
945     v20 = (char *)v147[0];
946   }
947   if ( v20 )
948   {
949     v109 = v20;
950     if ( (unsigned __int64)(4 * ((v148 - (signed __int64)v20) >> 2)) >= 0x1000 )
951     {
952       v20 = (char *)*((_QWORD *)v20 - 1);
953       if ( (unsigned __int64)(v109 - v20 - 8) > 0x1F )
954         invalid_parameter_noinfo_noreturn();
955     }
956     j_j_free(v20);
957     _mm_storeu_si128((__m128i *)v147, (__m128i)0i64);
958     v148 = 0i64;
959     v16 = (char *)Src[0];
960   }
961   if ( v16 )
962   {
963     v110 = v16;
964     if ( ((v146 - (_QWORD)v16) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
965     {
966       v16 = (char *)*((_QWORD *)v16 - 1);
967       if ( (unsigned __int64)(v110 - v16 - 8) > 0x1F )
968         invalid_parameter_noinfo_noreturn();
969     }
970     j_j_free(v16);
971   }
972   return v25;
973 }
伪C代码

 

3.流程总结

整个过程,有三次输入,定义为变量x, y, z。在满足x < z and x > y的条件下,进行x**3+y**3+z**3=42,搜了一下有关“三次方42”的新闻

2019 红帽杯 Re WP_第10张图片

得到

(-80538738812075974)^3 + 80435758145817515^3 + 12602123297335631^3 = 42

根据x,y,z关系式得到

x=80435758145817515
y=12602123297335631
z=80538738812075974

将Sleep的时间全部改为0

 

2019 红帽杯 Re WP_第11张图片

 

写出脚本得到flag

2019 红帽杯 Re WP_第12张图片

 

 

4.get flag!

flag{951e27be2b2f10b7fa22a6dc8f4682bd}

 

0x04 childRE

测试文件:https://www.lanzous.com/i7h66wd

 

1.准备

2019 红帽杯 Re WP_第13张图片

  • 64位文件

 

2.IDA代码分析

2019 红帽杯 Re WP_第14张图片

 

3.流程总结

  • 因此总的运算流程就是:
  • 输入长度为31的字符串
  • 进行置换运算
  • 取消修饰函数名
  • 将未修饰函数名的商和余数与指定字符串比较

 

我们能够逆向操作来得到未修饰的函数名。

 

4.获取未修饰函数名

IDA动态调试

2019 红帽杯 Re WP_第15张图片

 

写出脚本

str1 = "(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&"
str2 = "55565653255552225565565555243466334653663544426565555525555222"
str3 = '1234567890-=!@#$%^&*()_+qwertyuiop[]QWERTYUIOP{}asdfghjkl;,ASDFGHJKL:"ZXCVBNM<>?zxcvbnm,./'

name = ''

for i in range(62):
    name += chr(str3.index(str1[i]) + str3.index(str2[i])*23 )

print (name)

得到:private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)

 

使用C++写出一个上面函数的例子:

#include 

class R0Pxx {
public:
    R0Pxx() {
        My_Aut0_PWN((unsigned char*)"hello");
    }
private:
    char* __thiscall My_Aut0_PWN(unsigned char*);
};

char* __thiscall R0Pxx::My_Aut0_PWN(unsigned char*) {
    std::cout << __FUNCDNAME__ << std::endl;

    return 0;
}

int main()
{
    R0Pxx A;

    system("PAUSE");
    return 0;
}

得到:?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z

 

5.置换运算

通过动态调试,发现乱序取值的数值是固定的,因此随便输入一组长度31的字符串(其中的字符不能重复)

2019 红帽杯 Re WP_第16张图片2019 红帽杯 Re WP_第17张图片

 

反向操作,写出脚本来解决flag

from hashlib import md5

str1 = 'abcdefghijklmnopqrstuvwxyz12345'
dec1 = '7071687273696474756A76776B656278796C7A316D6632336E34356F676361'.decode('hex')
serial = []

print dec1

for i in dec1:
    serial.append(str1.index(i))

print serial

name = '?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'
enc = [''] * 31

for i in range(31):
    enc[serial[i]] = name[i]
enc = ''.join(enc)

print enc

print md5(enc).hexdigest()

2019 红帽杯 Re WP_第18张图片

 

6.get flag!

flag{63b148e750fed3a33419168ac58083f5}

 

0x05 Snake

测试文件:https://www.lanzous.com/i7gol0d

 

Unity逆向

1.查看DLL文件

运行Snake,查看调用的DLL文件

2019 红帽杯 Re WP_第19张图片

 

2.DLL文件分析

使用ILSpy打开Interface.dll文件

发现了DLL文件使用的函数GameObject

2019 红帽杯 Re WP_第20张图片

 

使用IDA打开DLL文件

  1 signed __int64 __fastcall GameObject(int a1)
  2 {
  3   char v1; // di
  4   __int64 *v2; // rbx
  5   __int64 *v3; // rax
  6   int v4; // er8
  7   int v5; // er9
  8   __int64 v6; // rax
  9   _BYTE *v7; // rcx
 10   __int64 v8; // rax
 11   __int64 v9; // rax
 12   __int64 *v10; // rdx
 13   __int64 v11; // rax
 14   __int64 *v12; // rcx
 15   _BYTE *v13; // rcx
 16   __int64 v15; // rax
 17   int v16; // er8
 18   int v17; // er9
 19   __int64 v18; // rax
 20   __int64 v19; // rax
 21   __int64 *v20; // rdx
 22   __int64 v21; // rax
 23   __int64 *v22; // rcx
 24   _BYTE *v23; // rcx
 25   _BYTE *v24; // rcx
 26   unsigned __int64 v25; // rdx
 27   void *v26; // rcx
 28   unsigned __int64 v27; // rdx
 29   _BYTE *v28; // rcx
 30   _BYTE *v29; // rcx
 31   _BYTE *v30; // rcx
 32   __int64 v31; // rax
 33   _BYTE *v32; // rcx
 34   __int64 v33; // rax
 35   const void *v34; // rdx
 36   bool v35; // bl
 37   _BYTE *v36; // rcx
 38   _BYTE *v37; // rcx
 39   __int64 v38; // rax
 40   const char *v39; // rdx
 41   __int64 v40; // rax
 42   __int64 v41; // rax
 43   void *v42; // rcx
 44   _BYTE *v43; // rcx
 45   void *v44; // rcx
 46   _BYTE *v45; // rcx
 47   void *Memory; // [rsp+20h] [rbp-E0h]
 48   _BYTE *v47; // [rsp+28h] [rbp-D8h]
 49   __int128 v48; // [rsp+30h] [rbp-D0h]
 50   int v49; // [rsp+40h] [rbp-C0h]
 51   int v50; // [rsp+48h] [rbp-B8h]
 52   int v51; // [rsp+50h] [rbp-B0h]
 53   int v52; // [rsp+58h] [rbp-A8h]
 54   int v53; // [rsp+60h] [rbp-A0h]
 55   int v54; // [rsp+68h] [rbp-98h]
 56   int v55; // [rsp+70h] [rbp-90h]
 57   __int64 *v56; // [rsp+78h] [rbp-88h]
 58   void *Buf1[2]; // [rsp+80h] [rbp-80h]
 59   unsigned __int64 v58; // [rsp+90h] [rbp-70h]
 60   void *Dst; // [rsp+98h] [rbp-68h]
 61   void *v60; // [rsp+A0h] [rbp-60h]
 62   __int128 v61; // [rsp+A8h] [rbp-58h]
 63   unsigned __int64 v62; // [rsp+B8h] [rbp-48h]
 64   __int64 v63; // [rsp+C0h] [rbp-40h]
 65   void *v64; // [rsp+C8h] [rbp-38h]
 66   __int128 v65; // [rsp+D0h] [rbp-30h]
 67   unsigned __int64 v66; // [rsp+E0h] [rbp-20h]
 68   __int64 v67; // [rsp+E8h] [rbp-18h]
 69   _BYTE *v68; // [rsp+F0h] [rbp-10h]
 70   __int128 v69; // [rsp+F8h] [rbp-8h]
 71   unsigned __int64 v70; // [rsp+108h] [rbp+8h]
 72   __int64 v71; // [rsp+110h] [rbp+10h]
 73   void *v72; // [rsp+118h] [rbp+18h]
 74   __int64 v73; // [rsp+120h] [rbp+20h]
 75   __int128 v74; // [rsp+128h] [rbp+28h]
 76   char v75; // [rsp+138h] [rbp+38h]
 77   void *v76; // [rsp+140h] [rbp+40h]
 78   unsigned __int64 v77; // [rsp+158h] [rbp+58h]
 79 
 80   v50 = 0;
 81   v1 = 0;
 82   if ( a1 >= 0 )
 83   {
 84     if ( (unsigned int)(a1 - 2) <= 0x61 )       // 输入的数字小于等于99
 85     {
 86       LOBYTE(Memory) = 0;
 87       _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
 88       sub_180006D10(
 89         &Memory,
 90         "1399072626417208846352501054493274635311312275165004973073110020948852453223868050494068786439822163264935277024"
 91         "1468943993009079475334584417852835617853909482524738983614292847460710826226708785021132264080613569807620798681"
 92         "8086837911361480181444157057782599277473843153161174504240064610043962720953514451563",
 93         0x135ui64);
 94       sub_180001530(&v75, &Memory);
 95       LOBYTE(Memory) = 0;
 96       _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
 97       sub_180006D10(
 98         &Memory,
 99         "7998185649085699985067170036073312083199999558942120746049018587653186051852759776790516809918289134512387896640"
100         "3548022646956365158864209467614850251731806682037300712511185681164865174187586907707195428804234739667769742078"
101         "793162639867922056194688917569369338005327309973680573581158754297630654105882382426",
102         0x134ui64);
103       sub_180001530(&v63, &Memory);
104       v15 = sub_18000A9D0(&Memory);
105       sub_180001530(&v71, v15);
106       LOBYTE(Memory) = v75;
107       sub_180006C40(&v47, &v76);
108       LOBYTE(Dst) = v71;
109       sub_180006C40(&v60, &v72);
110       LOBYTE(v51) = v63;
111       sub_180006C40(&v52, &v64);
112       sub_180006250(&v67, &v51, &Dst, &Memory);
113       LOBYTE(v51) = v67;
114       sub_180006C40(&v52, &v68);
115       sub_18000AAB0(
116         (unsigned __int64)&v56,
117         (unsigned __int64)&v51,
118         v16,
119         v17,
120         (_DWORD)Memory,
121         (_DWORD)v47,
122         v48,
123         DWORD2(v48),
124         v49,
125         v50,
126         v51,
127         v52,
128         v53,
129         v54,
130         v55,
131         (_DWORD)v56,
132         Buf1[0],
133         Buf1[1],
134         v58,
135         (_DWORD)Dst,
136         (_DWORD)v60,
137         v61,
138         DWORD2(v61),
139         v62,
140         v63,
141         (_DWORD)v64,
142         v65,
143         DWORD2(v65),
144         v66);
145       LOBYTE(Memory) = 0;
146       _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
147       sub_180006D10(&Memory, "flag", 4ui64);
148       v18 = sub_180006C40(&Dst, &v56);
149       if ( sub_18000AFA0(v18, (__int64)&Memory) )
150       {
151         v19 = sub_18000A7C0(std::cout, "You win! flag is ");
152         std::basic_ostream<char,std::char_traits<char>>::operator<<(v19, sub_18000A990);
153         v20 = (__int64 *)&v56;
154         if ( v58 >= 0x10 )
155           v20 = v56;
156         v21 = sub_180007570(std::cout, v20, Buf1[1]);
157       }
158       else
159       {
160         v21 = sub_18000A7C0(std::cout, "Try again");
161       }
162       std::basic_ostream<char,std::char_traits<char>>::operator<<(v21, sub_18000A990);
163       if ( v58 >= 0x10 )
164       {
165         v22 = v56;
166         if ( v58 + 1 >= 0x1000 )
167         {
168           v22 = (__int64 *)*(v56 - 1);
169           if ( (unsigned __int64)((char *)v56 - (char *)v22 - 8) > 0x1F )
170             goto LABEL_50;
171         }
172         j_j_free(v22);
173       }
174       Buf1[1] = 0i64;
175       v58 = 15i64;
176       LOBYTE(v56) = 0;
177       if ( v70 >= 0x10 )
178       {
179         v23 = v68;
180         if ( v70 + 1 >= 0x1000 )
181         {
182           v23 = (_BYTE *)*((_QWORD *)v68 - 1);
183           if ( (unsigned __int64)(v68 - v23 - 8) > 0x1F )
184             goto LABEL_50;
185         }
186         j_j_free(v23);
187       }
188       if ( *((_QWORD *)&v74 + 1) >= 0x10ui64 )
189       {
190         v24 = v72;
191         if ( (unsigned __int64)(*((_QWORD *)&v74 + 1) + 1i64) >= 0x1000 )
192         {
193           v24 = (_BYTE *)*((_QWORD *)v72 - 1);
194           if ( (unsigned __int64)((_BYTE *)v72 - v24 - 8) > 0x1F )
195             goto LABEL_50;
196         }
197         j_j_free(v24);
198       }
199       v25 = v66;
200       LOBYTE(v72) = 0;
201       _mm_storeu_si128((__m128i *)&v74, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
202       if ( v25 < 0x10 )
203         goto LABEL_47;
204       v26 = v64;
205       if ( v25 + 1 < 0x1000
206         || (v26 = (void *)*((_QWORD *)v64 - 1), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v26 - 8) <= 0x1F) )
207       {
208         j_j_free(v26);
209 LABEL_47:
210         v27 = v77;
211         LOBYTE(v64) = 0;
212         _mm_storeu_si128((__m128i *)((char *)&v65 + 8), _mm_load_si128((const __m128i *)&xmmword_18000EB70));
213         if ( v27 >= 0x10 )
214         {
215           v28 = v76;
216           if ( v27 + 1 >= 0x1000 )
217           {
218             v28 = (_BYTE *)*((_QWORD *)v76 - 1);
219             if ( (unsigned __int64)((_BYTE *)v76 - v28 - 8) > 0x1F )
220               goto LABEL_50;
221           }
222           j_j_free(v28);
223         }
224         return 7i64;
225       }
226 LABEL_50:
227       invalid_parameter_noinfo_noreturn();
228     }
229     if ( (unsigned int)(a1 - 101) > 0x62 )      // 传入的数字大于199则退出
230       return 996i64;
231     v71 = 0i64;
232     v72 = 0i64;
233     v73 = 0i64;
234     *(_QWORD *)&v74 = 0i64;
235     _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
236     LOBYTE(Dst) = 0;
237     sub_180006D10(
238       &Dst,
239       "139907262641720884635250105449327463531131227516500497307311002094885245322386805049406878643982216326493527702414"
240       "689439930090794753345844178528356178539094825247389836142928474607108262267087850211322640806135698076207986818086"
241       "837911361480181444157057782599277473843153161174504240064610043962720953514451563",
242       0x135ui64);
243     sub_1800078F0(&v71, &Dst);
244     if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 )
245     {
246       v29 = Dst;
247       if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 )
248       {
249         v29 = (_BYTE *)*((_QWORD *)Dst - 1);
250         if ( (unsigned __int64)((_BYTE *)Dst - v29 - 8) > 0x1F )
251           goto LABEL_99;
252       }
253       j_j_free(v29);
254     }
255     v63 = 0i64;
256     v64 = 0i64;
257     v65 = 0ui64;
258     _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
259     LOBYTE(Dst) = 0;
260     sub_180006D10(
261       &Dst,
262       "122107611316850260321590575768393047216806481837919054910332579385088745494833866045797079936947058335743437609060"
263       "618364037361749600119005166359303873659401522100249312696661209787316369738806133852177861917757996075304470648951"
264       "037632182891401322685617735478597953000103146149534977902885706852338811895661809",
265       0x135ui64);
266     sub_1800078F0(&v63, &Dst);
267     if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 )
268     {
269       v30 = Dst;
270       if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 )
271       {
272         v30 = (_BYTE *)*((_QWORD *)Dst - 1);
273         if ( (unsigned __int64)((_BYTE *)Dst - v30 - 8) > 0x1F )
274           goto LABEL_99;
275       }
276       j_j_free(v30);
277     }
278     v67 = 0i64;
279     v68 = 0i64;
280     v69 = 0ui64;
281     v31 = sub_18000A9D0(&Memory);
282     sub_1800078F0(&v67, v31);
283     if ( *((_QWORD *)&v48 + 1) >= 0x10ui64 )
284     {
285       v32 = Memory;
286       if ( (unsigned __int64)(*((_QWORD *)&v48 + 1) + 1i64) >= 0x1000 )
287       {
288         v32 = (_BYTE *)*((_QWORD *)Memory - 1);
289         if ( (unsigned __int64)((_BYTE *)Memory - v32 - 8) > 0x1F )
290           invalid_parameter_noinfo_noreturn();
291       }
292       j_j_free(v32);
293     }
294     v56 = 0i64;
295     Buf1[0] = 0i64;
296     Buf1[1] = 0i64;
297     v58 = 0i64;
298     sub_180009B40(&v63, &v56, &v67, &v71);
299     LOBYTE(Dst) = 0;
300     _mm_storeu_si128((__m128i *)&v61, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
301     sub_180006D10(&Dst, "7777777", 7ui64);
302     v33 = sub_1800078F0(&Memory, &Dst);
303     v35 = 0;
304     if ( (_BYTE)v56 == *(_BYTE *)v33 )
305     {
306       v34 = *(const void **)(v33 + 8);
307       if ( !(((Buf1[1] - Buf1[0]) ^ (*(_QWORD *)(v33 + 16) - (_QWORD)v34)) & 0xFFFFFFFFFFFFFFFCui64)
308         && !memcmp(Buf1[0], v34, Buf1[1] - Buf1[0]) )
309       {
310         v35 = 1;
311       }
312     }
313     v36 = v47;
314     if ( v47 )
315     {
316       if ( ((*((_QWORD *)&v48 + 1) - (_QWORD)v47) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
317       {
318         v36 = (_BYTE *)*((_QWORD *)v47 - 1);
319         if ( (unsigned __int64)(v47 - v36 - 8) > 0x1F )
320 LABEL_79:
321           invalid_parameter_noinfo_noreturn();
322       }
323       j_j_free(v36);
324       v47 = 0i64;
325       _mm_storeu_si128((__m128i *)&v48, (__m128i)0i64);
326     }
327     if ( *((_QWORD *)&v61 + 1) >= 0x10ui64 )
328     {
329       v37 = Dst;
330       if ( (unsigned __int64)(*((_QWORD *)&v61 + 1) + 1i64) >= 0x1000 )
331       {
332         v37 = (_BYTE *)*((_QWORD *)Dst - 1);
333         if ( (unsigned __int64)((_BYTE *)Dst - v37 - 8) > 0x1F )
334           goto LABEL_79;
335       }
336       j_j_free(v37);
337     }
338     if ( v35 )
339     {
340       v38 = sub_18000A7C0(std::cout, "EDG fight for S10");
341       std::basic_ostream<char,std::char_traits<char>>::operator<<(v38, sub_18000A990);
342       v39 = "You fight for the next snake";
343     }
344     else
345     {
346       v40 = sub_18000A7C0(std::cout, "EDG failed to fight for their S9");
347       std::basic_ostream<char,std::char_traits<char>>::operator<<(v40, sub_18000A990);
348       v39 = "But you can fight for next snake";
349     }
350     v41 = sub_18000A7C0(std::cout, v39);
351     std::basic_ostream<char,std::char_traits<char>>::operator<<(v41, sub_18000A990);
352     v42 = Buf1[0];
353     if ( Buf1[0] )
354     {
355       if ( ((v58 - (unsigned __int64)Buf1[0]) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
356       {
357         v42 = (void *)*((_QWORD *)Buf1[0] - 1);
358         if ( (unsigned __int64)(Buf1[0] - v42 - 8) > 0x1F )
359           goto LABEL_99;
360       }
361       j_j_free(v42);
362       v58 = 0i64;
363       _mm_storeu_si128((__m128i *)Buf1, (__m128i)0i64);
364     }
365     v43 = v68;
366     if ( v68 )
367     {
368       if ( ((*((_QWORD *)&v69 + 1) - (_QWORD)v68) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
369       {
370         v43 = (_BYTE *)*((_QWORD *)v68 - 1);
371         if ( (unsigned __int64)(v68 - v43 - 8) > 0x1F )
372           goto LABEL_99;
373       }
374       j_j_free(v43);
375       v68 = 0i64;
376       _mm_storeu_si128((__m128i *)&v69, (__m128i)0i64);
377     }
378     v44 = v64;
379     if ( !v64 )
380       goto LABEL_96;
381     if ( ((*((_QWORD *)&v65 + 1) - (_QWORD)v64) & 0xFFFFFFFFFFFFFFFCui64) < 0x1000
382       || (v44 = (void *)*((_QWORD *)v64 - 1), (unsigned __int64)((_BYTE *)v64 - (_BYTE *)v44 - 8) <= 0x1F) )
383     {
384       j_j_free(v44);
385       v64 = 0i64;
386       _mm_storeu_si128((__m128i *)&v65, (__m128i)0i64);
387 LABEL_96:
388       v45 = v72;
389       if ( v72 )
390       {
391         if ( (((_QWORD)v74 - (_QWORD)v72) & 0xFFFFFFFFFFFFFFFCui64) >= 0x1000 )
392         {
393           v45 = (_BYTE *)*((_QWORD *)v72 - 1);
394           if ( (unsigned __int64)((_BYTE *)v72 - v45 - 8) > 0x1F )
395             goto LABEL_99;
396         }
397         j_j_free(v45);
398       }
399       return 996i64;
400     }
401 LABEL_99:
402     invalid_parameter_noinfo_noreturn();
403   }
404   LOBYTE(Memory) = 0;
405   _mm_storeu_si128((__m128i *)&v48, _mm_load_si128((const __m128i *)&xmmword_18000EB70));
406   sub_180006D10(&Memory, "35297982045181952350813323813224883208572049226586980", 0x35ui64);
407   sub_180001530(&Dst, &Memory);
408   v2 = &qword_180012038;
409   v3 = &qword_180012038;
410   if ( *((_QWORD *)&xmmword_180012048 + 1) >= 0x10ui64 )
411     v3 = (__int64 *)qword_180012038;
412   if ( (_QWORD)xmmword_180012048 == 4i64 && *(_DWORD *)v3 == *(_DWORD *)"null" )
413   {
414     v75 = (char)Dst;
415     sub_180006C40(&v76, &v60);
416     v6 = sub_18000AAB0(
417            (unsigned __int64)&Memory,
418            (unsigned __int64)&v75,
419            v4,
420            v5,
421            (_DWORD)Memory,
422            (_DWORD)v47,
423            v48,
424            DWORD2(v48),
425            v49,
426            v50,
427            v51,
428            v52,
429            v53,
430            v54,
431            v55,
432            (_DWORD)v56,
433            Buf1[0],
434            Buf1[1],
435            v58,
436            (_DWORD)Dst,
437            (_DWORD)v60,
438            v61,
439            DWORD2(v61),
440            v62,
441            v63,
442            (_DWORD)v64,
443            v65,
444            DWORD2(v65),
445            v66);
446     v2 = (__int64 *)sub_180006A70(&qword_180012038, v6);
447     v1 = 1;
448   }
449   sub_180006C40(&v56, v2);
450   if ( v1 & 1 && *((_QWORD *)&v48 + 1) >= 0x10ui64 )
451   {
452     v7 = Memory;
453     if ( (unsigned __int64)(*((_QWORD *)&v48 + 1) + 1i64) >= 0x1000 )
454     {
455       v7 = (_BYTE *)*((_QWORD *)Memory - 1);
456       if ( (unsigned __int64)((_BYTE *)Memory - v7 - 8) > 0x1F )
457         invalid_parameter_noinfo_noreturn();
458     }
459     j_j_free(v7);
460   }
461   v8 = sub_18000A7C0(std::cout, "If SKT win S9 champion");
462   v9 = sub_18000A7C0(v8, "this is real flag");
463   std::basic_ostream<char,std::char_traits<char>>::operator<<(v9, sub_18000A990);
464   v10 = (__int64 *)&v56;
465   if ( v58 >= 0x10 )
466     v10 = v56;
467   v11 = sub_180007570(std::cout, v10, Buf1[1]);
468   std::basic_ostream<char,std::char_traits<char>>::operator<<(v11, sub_18000A990);
469   if ( v58 >= 0x10 )
470   {
471     v12 = v56;
472     if ( v58 + 1 >= 0x1000 )
473     {
474       v12 = (__int64 *)*(v56 - 1);
475       if ( (unsigned __int64)((char *)v56 - (char *)v12 - 8) > 0x1F )
476 LABEL_22:
477         invalid_parameter_noinfo_noreturn();
478     }
479     j_j_free(v12);
480   }
481   Buf1[1] = 0i64;
482   v58 = 15i64;
483   LOBYTE(v56) = 0;
484   if ( v62 >= 0x10 )
485   {
486     v13 = v60;
487     if ( v62 + 1 >= 0x1000 )
488     {
489       v13 = (_BYTE *)*((_QWORD *)v60 - 1);
490       if ( (unsigned __int64)((_BYTE *)v60 - v13 - 8) > 0x1F )
491         goto LABEL_22;
492     }
493     j_j_free(v13);
494   }
495   return 0xFFFFFFFFi64;
496 }
GameObject

判断出GameObject函数传入的参数,最大应该是199,因此直接写程序,调用DLL文件,爆破求flag

 

3.爆破求解

开多个进程,同时求解。

#include 
#include 
#include 

using namespace std;

int main(int argc, char* argv[])
{
    const char* funcName = "GameObject";
    HMODULE hDLL = LoadLibrary(TEXT("C:\\Users\\10245\\Desktop\\Snake\\Snake_Data\\Plugins\\Interface.dll"));
    if (hDLL != NULL)
    {
        cout << "Load Success!" << endl;
        typedef int(_cdecl *FuncPtr)(int);
        FuncPtr func = (FuncPtr)GetProcAddress(hDLL, funcName);
        func(atoi(argv[1]));    
    }
    else
    {
        cout << "Load Failed!" << endl;
    }


    system("PAUSE");
    return 0;
}

2019 红帽杯 Re WP_第21张图片

 

4.get flag!

flag{Ch4rp_W1th_R$@}

 

 

你可能感兴趣的:(2019 红帽杯 Re WP)