0x00 Mobile
解压得到
class.dex
后发现没有加壳, 直接分析dex得知load了so库, 可知用了so中的CheckString
函数.IDA分析so得到如下反汇编代码.
1. so文件主要加密源码:
_BOOL4 __cdecl Java_com_testjava_jack_pingan2_cyberpeace_CheckString(int a1, int a2, int a3)
{
const char *v3; // ST1C_4
size_t v4; // edi
char *v5; // esi
size_t v6; // edi
char v7; // al
char v8; // al
size_t v9; // edi
char v10; // al
v3 = (const char *)(*(int (__cdecl **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
v4 = strlen(v3);
v5 = (char *)malloc(v4 + 1);
memset(&v5[v4], 0, v4 != -1);
memcpy(v5, v3, v4); // 输入flag为v5
if ( strlen(v5) >= 2 )
{
v6 = 0;
do
{
v7 = v5[v6];
v5[v6] = v5[v6 + 16];
v5[v6++ + 16] = v7;
}
while ( v6 < strlen(v5) >> 1 ); // flag相隔16bit的字符互换
}
v8 = *v5;
if ( *v5 )
{
*v5 = v5[1];
v5[1] = v8;
if ( strlen(v5) >= 3 )
{
v9 = 2;
do
{
v10 = v5[v9];
v5[v9] = v5[v9 + 1];
v5[v9 + 1] = v10;
v9 += 2;
}
while ( v9 < strlen(v5) );
}
}
return strcmp(v5, "f72c5a36569418a20907b55be5bf95ad") == 0;
}
2. 解法1(cpp实现):
#include
#include
#include
using namespace std;
int main()
{
size_t v1; // edi
char v2; // al
size_t v3; // eax
unsigned int v4; // edi
char v5; // al
char str[] = "f72c5a36569418a20907b55be5bf95ad";
char *s = str;
if (strlen(s) >= 2)
{
v1 = 0;
do
{
v2 = s[v1];
s[v1] = s[v1 + 16];
s[v1++ + 16] = v2;
} while (v1 < strlen(s) >> 1);
}
v3 = *s;
if (*s)
{
*s = s[1];
s[1] = v3;
v3 = strlen(s);
if (v3 >= 3)
{
v4 = 2;
do
{
v5 = s[v4];
s[v4] = s[v4 + 1];
s[v4 + 1] = v5;
v4 += 2;
v3 = strlen(s);
} while (v4 < v3);
}
}
printf("flag{%s}", s);
return 0;
}
3. 解法2(python实现, 又分为正向解法/逆向解法)
其实这个算法加密解密过程是对称的, 也就有了正向算法, 即重新加密一次f72c5a36569418a20907b55be5bf95ad
即得到flag. 下面的code两个函数re()
/rev()
都能得出flag.
#!usr/bin/python2
# -*- coding: utf-8 -*-
p = "f72c5a36569418a20907b55be5bf95ad"
plain = list(p)
def re():
global plain,p
if len(plain) >= 2:
j = 0
while j < (len(plain) >> 1):
temp = plain[j]
plain[j] = plain[j+16]
plain[j+16] = temp
j += 1
temp = plain[0]
if temp:
plain[0] = plain[1]
plain[1] = temp
if len(plain) > 3:
i = 2
while i < len(plain):
temp = plain[i]
plain[i] = plain[i+1]
plain[i+1] = temp
i += 2
print "flag: " + "".join(plain)
def rev():
global plain,p
if len(plain) >= 2:
i = 2
while i < len(plain):
temp = plain[i]
plain[i] = plain[i+1]
plain[i+1] = temp
i += 2
temp = plain[0]
if temp:
plain[0] = plain[1]
plain[1] = temp
if len(plain) > 3:
j = 0
while j < (len(plain) >> 1):
temp = plain[j]
plain[j] = plain[j+16]
plain[j+16] = temp
j += 1
print "flag: " + "".join(plain)
if __name__ == '__main__':
# re()
rev()
flag为:
90705bb55efb59da7fc2a5636549812a
0x01 Misc
这道题有点狗血啊, 今天看了一下题目才做出来, 上周用了AVR模拟器解...结果跑了半天没着落, IDA分析又没看main函数, 直接看hex去了...然后就...放弃了.
今天看了一下main函数, 发现直接是Arduino的标准函数: keyboard.press()
keyboard.release()
, 输入的直接是ASCII码, 也就是flag...
.text:00000A7E loc_A7E: ; CODE XREF: main+9E↑j
.text:00000A7E ldi r22, 0xE8
.text:00000A7F ldi r23, 3
.text:00000A80 ldi r24, 0
.text:00000A81 ldi r25, 0
.text:00000A82 call delay
.text:00000A84 ldi r22, 0xC1
.text:00000A85 ldi r24, 0xED
.text:00000A86 ldi r25, 1
.text:00000A87 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000A89 ldi r22, 0xC1
.text:00000A8A ldi r24, 0xED
.text:00000A8B ldi r25, 1
.text:00000A8C call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000A8E ldi r22, 0xF4
.text:00000A8F ldi r23, 1
.text:00000A90 ldi r24, 0
.text:00000A91 ldi r25, 0
.text:00000A92 call delay
.text:00000A94 ldi r22, 0x83
.text:00000A95 ldi r24, 0xED
.text:00000A96 ldi r25, 1
.text:00000A97 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000A99 ldi r22, 0xF4
.text:00000A9A ldi r23, 1
.text:00000A9B ldi r24, 0
.text:00000A9C ldi r25, 0
.text:00000A9D call delay
.text:00000A9F ldi r22, 0x72 ; 'r'
.text:00000AA0 ldi r24, 0xED
.text:00000AA1 ldi r25, 1
.text:00000AA2 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AA4 ldi r22, 0xF4
.text:00000AA5 ldi r23, 1
.text:00000AA6 ldi r24, 0
.text:00000AA7 ldi r25, 0
.text:00000AA8 call delay
.text:00000AAA ldi r22, 0x83
.text:00000AAB ldi r24, 0xED
.text:00000AAC ldi r25, 1
.text:00000AAD call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AAF ldi r22, 0x72 ; 'r'
.text:00000AB0 ldi r24, 0xED
.text:00000AB1 ldi r25, 1
.text:00000AB2 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AB4 ldi r22, 0xF4
.text:00000AB5 ldi r23, 1
.text:00000AB6 ldi r24, 0
.text:00000AB7 ldi r25, 0
.text:00000AB8 call delay
.text:00000ABA ldi r20, 7
.text:00000ABB ldi r21, 0
.text:00000ABC ldi r22, 0x3D ; '='
.text:00000ABD ldi r23, 1
.text:00000ABE ldi r24, 0xED
.text:00000ABF ldi r25, 1
.text:00000AC0 call _ZN5Print5writeEPKhj ; Print::write(uchar const*,uint)
.text:00000AC2 ldi r20, 2
.text:00000AC3 ldi r21, 0
.text:00000AC4 ldi r22, 0x45 ; 'E'
.text:00000AC5 ldi r23, 1
.text:00000AC6 ldi r24, 0xED
.text:00000AC7 ldi r25, 1
.text:00000AC8 call _ZN5Print5writeEPKhj ; Print::write(uchar const*,uint)
.text:00000ACA ldi r22, 0xF4
.text:00000ACB ldi r23, 1
.text:00000ACC ldi r24, 0
.text:00000ACD ldi r25, 0
.text:00000ACE call delay
.text:00000AD0 ldi r22, 0xB0
.text:00000AD1 ldi r24, 0xED
.text:00000AD2 ldi r25, 1
.text:00000AD3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AD5 ldi r22, 0xB0
.text:00000AD6 ldi r24, 0xED
.text:00000AD7 ldi r25, 1 # 前面的一系列不可见字符是一些按键操作.
.text:00000AD8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000ADA ldi r22, 0xF4
.text:00000ADB ldi r23, 1
.text:00000ADC ldi r24, 0
.text:00000ADD ldi r25, 0
.text:00000ADE call delay
.text:00000AE0 ldi r22, 0x66 ; 'f'
.text:00000AE1 ldi r24, 0xED
.text:00000AE2 ldi r25, 1
.text:00000AE3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AE5 ldi r22, 0x66 ; 'f'
.text:00000AE6 ldi r24, 0xED
.text:00000AE7 ldi r25, 1
.text:00000AE8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AEA ldi r22, 0xF4
.text:00000AEB ldi r23, 1
.text:00000AEC ldi r24, 0
.text:00000AED ldi r25, 0
.text:00000AEE call delay
.text:00000AF0 ldi r22, 0x6C ; 'l'
.text:00000AF1 ldi r24, 0xED
.text:00000AF2 ldi r25, 1
.text:00000AF3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AF5 ldi r22, 0x6C ; 'l'
.text:00000AF6 ldi r24, 0xED
.text:00000AF7 ldi r25, 1
.text:00000AF8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AFA ldi r22, 0xF4
.text:00000AFB ldi r23, 1
.text:00000AFC ldi r24, 0
.text:00000AFD ldi r25, 0
.text:00000AFE
.text:00000AFE loc_AFE: ; DATA XREF: TIMER1_COMPA+1EC↑r
.text:00000AFE ; TIMER1_COMPA+1F5↑w ...
.text:00000AFE call delay
.text:00000B00 ldi r22, 0x61 ; 'a'
.text:00000B01 ldi r24, 0xED
.text:00000B02 ldi r25, 1
.text:00000B03 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B05 ldi r22, 0x61 ; 'a'
.text:00000B06 ldi r24, 0xED
.text:00000B07 ldi r25, 1
.text:00000B08 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B0A ldi r22, 0xF4
.text:00000B0B ldi r23, 1
.text:00000B0C ldi r24, 0
.text:00000B0D ldi r25, 0
.text:00000B0E call delay
.text:00000B10 ldi r22, 0x67 ; 'g'
.text:00000B11 ldi r24, 0xED
.text:00000B12 ldi r25, 1
.text:00000B13 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B15 ldi r22, 0x67 ; 'g'
.text:00000B16 ldi r24, 0xED
.text:00000B17 ldi r25, 1
.text:00000B18 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B1A ldi r22, 0xF4
.text:00000B1B ldi r23, 1
.text:00000B1C ldi r24, 0
.text:00000B1D ldi r25, 0
.text:00000B1E call delay
.text:00000B20 ldi r22, 0x7B ; '{'
.text:00000B21 ldi r24, 0xED
.text:00000B22 ldi r25, 1
.text:00000B23 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B25 ldi r22, 0x7B ; '{'
.text:00000B26 ldi r24, 0xED
.text:00000B27 ldi r25, 1
.text:00000B28 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B2A ldi r22, 0xF4
.text:00000B2B ldi r23, 1
.text:00000B2C ldi r24, 0
.text:00000B2D ldi r25, 0
.text:00000B2E call delay
.text:00000B30 ldi r22, 0x61 ; 'a'
.text:00000B31 ldi r24, 0xED
.text:00000B32 ldi r25, 1
.text:00000B33 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B35 ldi r22, 0x61 ; 'a'
.text:00000B36 ldi r24, 0xED
.text:00000B37 ldi r25, 1
.text:00000B38 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B3A ldi r22, 0xF4
.text:00000B3B ldi r23, 1
.text:00000B3C ldi r24, 0
.text:00000B3D ldi r25, 0
.text:00000B3E call delay
.text:00000B40 ldi r22, 0x72 ; 'r'
.text:00000B41 ldi r24, 0xED
.text:00000B42 ldi r25, 1
.text:00000B43 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B45 ldi r22, 0x72 ; 'r'
.text:00000B46 ldi r24, 0xED
.text:00000B47 ldi r25, 1
.text:00000B48 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B4A ldi r22, 0xF4
.text:00000B4B ldi r23, 1
.text:00000B4C ldi r24, 0
.text:00000B4D ldi r25, 0
.text:00000B4E call delay
.text:00000B50 ldi r22, 0x64 ; 'd'
.text:00000B51 ldi r24, 0xED
.text:00000B52 ldi r25, 1
.text:00000B53 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B55 ldi r22, 0x64 ; 'd'
.text:00000B56 ldi r24, 0xED
.text:00000B57 ldi r25, 1
.text:00000B58 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B5A ldi r22, 0xF4
.text:00000B5B ldi r23, 1
.text:00000B5C ldi r24, 0
.text:00000B5D ldi r25, 0
.text:00000B5E call delay
.text:00000B60 ldi r22, 0x75 ; 'u'
.text:00000B61 ldi r24, 0xED
.text:00000B62 ldi r25, 1
.text:00000B63 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B65 ldi r22, 0x75 ; 'u'
.text:00000B66 ldi r24, 0xED
.text:00000B67 ldi r25, 1
.text:00000B68 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B6A ldi r22, 0xF4
.text:00000B6B ldi r23, 1
.text:00000B6C ldi r24, 0
.text:00000B6D ldi r25, 0
.text:00000B6E call delay
.text:00000B70 ldi r22, 0x69 ; 'i'
.text:00000B71 ldi r24, 0xED
.text:00000B72 ldi r25, 1
.text:00000B73 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B75 ldi r22, 0x69 ; 'i'
.text:00000B76 ldi r24, 0xED
.text:00000B77 ldi r25, 1
.text:00000B78 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B7A ldi r22, 0xF4
.text:00000B7B ldi r23, 1
.text:00000B7C ldi r24, 0
.text:00000B7D ldi r25, 0
.text:00000B7E call delay
.text:00000B80 ldi r22, 0x6E ; 'n'
.text:00000B81 ldi r24, 0xED
.text:00000B82 ldi r25, 1
.text:00000B83 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B85 ldi r22, 0x6E ; 'n'
.text:00000B86 ldi r24, 0xED
.text:00000B87 ldi r25, 1
.text:00000B88 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B8A ldi r22, 0xF4
.text:00000B8B ldi r23, 1
.text:00000B8C ldi r24, 0
.text:00000B8D ldi r25, 0
.text:00000B8E call delay
.text:00000B90 ldi r22, 0x6F ; 'o'
.text:00000B91 ldi r24, 0xED
.text:00000B92 ldi r25, 1
.text:00000B93 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B95 ldi r22, 0x6F ; 'o'
.text:00000B96 ldi r24, 0xED
.text:00000B97 ldi r25, 1
.text:00000B98 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B9A ldi r22, 0xF4
.text:00000B9B ldi r23, 1
.text:00000B9C ldi r24, 0
.text:00000B9D ldi r25, 0
.text:00000B9E call delay
.text:00000BA0 ldi r22, 0x5F ; '_'
.text:00000BA1 ldi r24, 0xED
.text:00000BA2 ldi r25, 1
.text:00000BA3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BA5 ldi r22, 0x5F ; '_'
.text:00000BA6 ldi r24, 0xED
.text:00000BA7 ldi r25, 1
.text:00000BA8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BAA ldi r22, 0xF4
.text:00000BAB ldi r23, 1
.text:00000BAC ldi r24, 0
.text:00000BAD ldi r25, 0
.text:00000BAE call delay
.text:00000BB0 ldi r22, 0x69 ; 'i'
.text:00000BB1 ldi r24, 0xED
.text:00000BB2 ldi r25, 1
.text:00000BB3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BB5 ldi r22, 0x69 ; 'i'
.text:00000BB6 ldi r24, 0xED
.text:00000BB7 ldi r25, 1
.text:00000BB8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BBA ldi r22, 0xF4
.text:00000BBB ldi r23, 1
.text:00000BBC ldi r24, 0
.text:00000BBD ldi r25, 0
.text:00000BBE call delay
.text:00000BC0 ldi r22, 0x73 ; 's'
.text:00000BC1 ldi r24, 0xED
.text:00000BC2 ldi r25, 1
.text:00000BC3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BC5 ldi r22, 0x73 ; 's'
.text:00000BC6 ldi r24, 0xED
.text:00000BC7 ldi r25, 1
.text:00000BC8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BCA ldi r22, 0xF4
.text:00000BCB ldi r23, 1
.text:00000BCC ldi r24, 0
.text:00000BCD ldi r25, 0
.text:00000BCE call delay
.text:00000BD0 ldi r22, 0x5F ; '_'
.text:00000BD1 ldi r24, 0xED
.text:00000BD2 ldi r25, 1
.text:00000BD3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BD5 ldi r22, 0x5F ; '_'
.text:00000BD6 ldi r24, 0xED
.text:00000BD7 ldi r25, 1
.text:00000BD8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BDA ldi r22, 0xF4
.text:00000BDB ldi r23, 1
.text:00000BDC ldi r24, 0
.text:00000BDD ldi r25, 0
.text:00000BDE call delay
.text:00000BE0 ldi r22, 0x68 ; 'h'
.text:00000BE1 ldi r24, 0xED
.text:00000BE2 ldi r25, 1
.text:00000BE3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BE5 ldi r22, 0x68 ; 'h'
.text:00000BE6 ldi r24, 0xED
.text:00000BE7 ldi r25, 1
.text:00000BE8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BEA ldi r22, 0xF4
.text:00000BEB ldi r23, 1
.text:00000BEC ldi r24, 0
.text:00000BED ldi r25, 0
.text:00000BEE call delay
.text:00000BF0 ldi r22, 0x61 ; 'a'
.text:00000BF1 ldi r24, 0xED
.text:00000BF2 ldi r25, 1
.text:00000BF3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BF5 ldi r22, 0x61 ; 'a'
.text:00000BF6 ldi r24, 0xED
.text:00000BF7 ldi r25, 1
.text:00000BF8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BFA ldi r22, 0xF4
.text:00000BFB ldi r23, 1
.text:00000BFC ldi r24, 0
.text:00000BFD ldi r25, 0
.text:00000BFE call delay
.text:00000C00 ldi r22, 0x63 ; 'c'
.text:00000C01 ldi r24, 0xED
.text:00000C02 ldi r25, 1
.text:00000C03 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C05 ldi r22, 0x63 ; 'c'
.text:00000C06 ldi r24, 0xED
.text:00000C07 ldi r25, 1
.text:00000C08 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C0A ldi r22, 0xF4
.text:00000C0B ldi r23, 1
.text:00000C0C ldi r24, 0
.text:00000C0D ldi r25, 0
.text:00000C0E call delay
.text:00000C10 ldi r22, 0x6B ; 'k'
.text:00000C11 ldi r24, 0xED
.text:00000C12 ldi r25, 1
.text:00000C13 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C15 ldi r22, 0x6B ; 'k'
.text:00000C16 ldi r24, 0xED
.text:00000C17 ldi r25, 1
.text:00000C18 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C1A ldi r22, 0xF4
.text:00000C1B ldi r23, 1
.text:00000C1C ldi r24, 0
.text:00000C1D ldi r25, 0
.text:00000C1E call delay
.text:00000C20 ldi r22, 0x65 ; 'e'
.text:00000C21 ldi r24, 0xED
.text:00000C22 ldi r25, 1
.text:00000C23 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C25 ldi r22, 0x65 ; 'e'
.text:00000C26 ldi r24, 0xED
.text:00000C27 ldi r25, 1
.text:00000C28 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C2A ldi r22, 0xF4
.text:00000C2B ldi r23, 1
.text:00000C2C ldi r24, 0
.text:00000C2D ldi r25, 0
.text:00000C2E call delay
.text:00000C30 ldi r22, 0x72 ; 'r'
.text:00000C31 ldi r24, 0xED
.text:00000C32 ldi r25, 1
.text:00000C33 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C35 ldi r22, 0x72 ; 'r'
.text:00000C36 ldi r24, 0xED
.text:00000C37 ldi r25, 1
.text:00000C38 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C3A ldi r22, 0xF4
.text:00000C3B ldi r23, 1
.text:00000C3C ldi r24, 0
.text:00000C3D ldi r25, 0
.text:00000C3E call delay
.text:00000C40 ldi r22, 0x73 ; 's'
.text:00000C41 ldi r24, 0xED
.text:00000C42 ldi r25, 1
.text:00000C43 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C45 ldi r22, 0x73 ; 's'
.text:00000C46 ldi r24, 0xED
.text:00000C47 ldi r25, 1
.text:00000C48 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C4A ldi r22, 0xF4
.text:00000C4B ldi r23, 1
.text:00000C4C ldi r24, 0
.text:00000C4D ldi r25, 0
.text:00000C4E call delay
.text:00000C50 ldi r22, 0x5F ; '_'
.text:00000C51 ldi r24, 0xED
.text:00000C52 ldi r25, 1
.text:00000C53 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C55 ldi r22, 0x5F ; '_'
.text:00000C56 ldi r24, 0xED
.text:00000C57 ldi r25, 1
.text:00000C58 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C5A ldi r22, 0xF4
.text:00000C5B ldi r23, 1
.text:00000C5C ldi r24, 0
.text:00000C5D ldi r25, 0
.text:00000C5E call delay
.text:00000C60 ldi r22, 0x6C ; 'l'
.text:00000C61 ldi r24, 0xED
.text:00000C62 ldi r25, 1
.text:00000C63 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C65 ldi r22, 0x6C ; 'l'
.text:00000C66 ldi r24, 0xED
.text:00000C67 ldi r25, 1
.text:00000C68 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C6A ldi r22, 0xF4
.text:00000C6B ldi r23, 1
.text:00000C6C ldi r24, 0
.text:00000C6D ldi r25, 0
.text:00000C6E call delay
.text:00000C70 ldi r22, 0x6F ; 'o'
.text:00000C71 ldi r24, 0xED
.text:00000C72 ldi r25, 1
.text:00000C73 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C75 ldi r22, 0x6F ; 'o'
.text:00000C76 ldi r24, 0xED
.text:00000C77 ldi r25, 1
.text:00000C78 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C7A ldi r22, 0xF4
.text:00000C7B ldi r23, 1
.text:00000C7C ldi r24, 0
.text:00000C7D ldi r25, 0
.text:00000C7E call delay
.text:00000C80 ldi r22, 0x76 ; 'v'
.text:00000C81 ldi r24, 0xED
.text:00000C82 ldi r25, 1
.text:00000C83 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C85 ldi r22, 0x76 ; 'v'
.text:00000C86 ldi r24, 0xED
.text:00000C87 ldi r25, 1
.text:00000C88 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C8A ldi r22, 0xF4
.text:00000C8B ldi r23, 1
.text:00000C8C ldi r24, 0
.text:00000C8D ldi r25, 0
.text:00000C8E call delay
.text:00000C90 ldi r22, 0x65 ; 'e'
.text:00000C91 ldi r24, 0xED
.text:00000C92 ldi r25, 1
.text:00000C93 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C95 ldi r22, 0x65 ; 'e'
.text:00000C96 ldi r24, 0xED
.text:00000C97 ldi r25, 1
.text:00000C98 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C9A ldi r22, 0xF4
.text:00000C9B ldi r23, 1
.text:00000C9C ldi r24, 0
.text:0000
如上, flag即为:
flag{arduino_is_hacker_love}
Re
先用hex2bin
转换成bin文件(ps: 之前找到一个在线编译工具, 网址忘了...难受, 做笔记的重要性啊!)
Port Registers
The following Registers are used for reading and writing to the I/O ports.
Register | Type | Description | Notes |
---|---|---|---|
DDRB | Read/Write | Port B Data Direction Register | 1=output, 0=input |
PORTB | Read/Write | Port B Data Register | |
PINB | Read only | Port B Input Register | |
DDRC | Read/Write | Port C Data Direction Register | 1=output, 0=input |
PORTC | Read/Write | Port C Data Register | |
PINC | Read only | Port C Input Register | |
DDRD | Read/Write | Port D Data Direction Register | 1=output, 0=input |
PORTD | Read/Write | Port D Data Register | |
PIND | Read only | Port D Input Register |