Reverse

SignIn

exeinfope 載入查殼。一個64位的ELF程序，無殼。

NOT Win EXE - .o - ELF executable [ 64bit obj. Shared obj file - CPU : AMD x86-64 - OS: unspecified ] 

先來靜態分析一波，載入IDA。找到 main 函數地址，F5大法...

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char N; // [rsp+0h] [rbp-4A0h]
  char e; // [rsp+10h] [rbp-490h]
  char m; // [rsp+20h] [rbp-480h]
  char c; // [rsp+30h] [rbp-470h]
  char v8; // [rsp+40h] [rbp-460h]
  char v9; // [rsp+B0h] [rbp-3F0h]
  unsigned __int64 v10; // [rsp+498h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  puts("[sign in]");
  printf("[input your flag]: ", a2);
  __isoc99_scanf("%99s", &v8);
  sub_96A(&v8, (__int64)&v9);
  __gmpz_init_set_str((__int64)&c, (__int64)"ad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35", 16LL);
  __gmpz_init_set_str((__int64)&m, (__int64)&v9, 16LL);
  __gmpz_init_set_str(
    (__int64)&N,
    (__int64)"103461035900816914121390101299049044413950405173712170434161686539878160984549",
    10LL);
  __gmpz_init_set_str((__int64)&e, (__int64)"65537", 10LL);
  __gmpz_powm((__int64)&m, (__int64)&m, (__int64)&e, (__int64)&N);
  if ( (unsigned int)__gmpz_cmp(&m, &c) )
    puts("GG!");
  else
    puts("TTTTTTTTTTql!");
  return 0LL;
}

可以看到程序先接收了輸入到 v8 數組。然后經過sub_96A函數的處理。通過 gdb 動態調試可得該函數的作用即是將 HEX 轉 ASCII。

繼續往下看，程序調用了 __gmpz_init_set_str 函數，經過 Google 之后得知這其實是一個 GNU 高精度算法庫(GNU Multiple Precision Arithmetic Library)。

官方文檔入口

通過查閱官方文檔，我知道了 __gmpz_init_set_str 其實就是 mpz_init_set_str

int mpz_init_set_str (mpz_t rop, const char *str, int base) [Function]
Initialize rop and set its value like mpz_set_str 

int mpz_set_str (mpz_t rop, const char *str, int base) [Function]
Set the value of rop from str, a null-terminated C string in base base. White space is allowed
in the string, and is simply ignored.

很顯然這個函數的作用就是將 str 字符數組以 base 指定的進制解讀成數值并寫入 rop 所指向的內存。該程序通過調用這個函數來實現數據的初始化賦值。

之后調用的一個函數 __gmpz_powm 在文檔中的定義是這樣的:

void mpz_powm (mpz_t rop, const mpz_t base, const mpz_t exp, const mpz_t mod) [Function]
Set rop to base^exp mod mod.

該函數將計算 base 的 exp 次方，并對 mod 取模，最后將結果寫入 rop 中。

這種計算與RSA中的加密過程如出一轍。

再往下就是關鍵比較函數 __gmpz_cmp

int mpz_cmp (const mpz t op1, const mpz t op2) [Function]
Compare op1 and op2. Return a positive value if op1 > op2, zero if op1 = op2, or a negative
value if op1 < op2.

程序中比較之前 mpz_powm 運算的結果與程序中硬編碼的值是否相等，如果相等則輸出 tql?？吹竭@里應該可以基本確定這是一道已知密文求解RSA明文的題目。

根據RSA的實現過程，首先來計算密鑰。第一步是獲得大整數 N ，根據程序可得

N = 103461035900816914121390101299049044413950405173712170434161686539878160984549

值得注意的是，這里的 N 是十進制的。

接下來對它進行大整數的因數分解，這里借助 yafu 工具。

>yafu-x64.exe
factor(103461035900816914121390101299049044413950405173712170434161686539878160984549)


fac: factoring 103461035900816914121390101299049044413950405173712170434161686539878160984549
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits

starting SIQS on c78: 103461035900816914121390101299049044413950405173712170434161686539878160984549

==== sieving in progress (1 thread):   36224 relations needed ====
====           Press ctrl-c to abort and save state           ====


SIQS elapsed time = 1.8809 seconds.
Total factoring time = 1.9647 seconds


***factors found***

P39 = 366669102002966856876605669837014229419
P39 = 282164587459512124844245113950593348271

ans = 1

至此我們得到了 p 和 q

p = 366669102002966856876605669837014229419
q = 282164587459512124844245113950593348271

再從程序中得知 e 的值為

e = 65537

接下來就可以求出私鑰 d，并通過私鑰 d，求出明文 m，再將其轉化成 ASCII 即可得到 flag

import gmpy2

p = 366669102002966856876605669837014229419
q = 282164587459512124844245113950593348271
N = 103461035900816914121390101299049044413950405173712170434161686539878160984549
c = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35
e = 65537

d = gmpy2.invert(e,(p-1)*(q-1))
m = gmpy2.powmod(c,d,p*q)

print hex(m)[2:].decode('hex')

Rev

一個 64 位的沒有加殼的程序

先看字符串

.rdata:0000000140005428 0000000E    C   You lost sth.
.rdata:0000000140005438 00000006    C   pause
.rdata:0000000140005448 00000009    C   You win!
.rdata:00000001400054C8 00000010    C   string too long

看到 You win ! 和 You lost sth，執行一下程序，輸入 inputflagtest 猜測應該返回 You lost sth

D:\CTF\SUCTF2019\Rev>cpp.exe
inputflagtest

D:\CTF\SUCTF2019\Rev>

實際上什么也沒有返回，說明程序在輸出 You lost sth 之前就停止了，動態調試一下找到是在哪里停下的

調試之后發現

if ( v4 != 3 )
    _exit(v4); 

.text:00000001400016A0 cmp     esi, 3
.text:00000001400016A3 jz      short loc_1400016AE
.text:00000001400016A5 mov     ecx, esi                        ; Code
.text:00000001400016A7 call    cs:__imp__exit

我們首先得知道這個 v4 是干什么用的，才有可能阻止程序停止。于是往前看，找到一個循環

while ( 1 )
{                                             // while start
    v129 = v83;
    sub_140002120(v83, &v113);
    sub_140002120(&v84, &v115);
    v85 = v117;
    v86 = BYTE2(v117);
    v8 = *(&v112 + 1);
    v129 = v87;
    sub_140002120(v87, v83);
    sub_140002120(&v88, &v84);
    v89 = v85;
    v90 = v86;
    v91 = v8;
    v92 = v8;
    v95 = 0i64;
    v96 = 15i64;
    LOBYTE(v94) = 0;
    v93 = 0;
    sub_140001FC0(v83);
    v7 |= 4u;
    if ( v93 && BYTE8(v107) )                   // 不進
        v9 = v91 != *(&v106 + 1) || v92 != v107;
    else
        v9 = v93 != BYTE8(v107);                  // v9 = 1
    if ( v96 >= 0x10 )                          // 不進
    {
        v10 = v94;
        if ( v96 + 1 >= 0x1000 )
        {
            v10 = *(v94 - 1);
            if ( (v94 - v10 - 8) > 0x1F )
                invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v10);
    }
    v95 = 0i64;
    v96 = 0xFi64;
    LOBYTE(v94) = 0;
    sub_140001FC0(v87);
    if ( !v9 )
        break;
    if ( !BYTE8(v107) )
        wassert(L"valid_", L"E:\\boost_1_69_0\\boost\\token_iterator.hpp", 0x3Bu);
    v11 = &Src[32 * v4];
    if ( v11 != Memory )
    {
        v12 = Memory;
        if ( v109[1] >= 0x10 )
            v12 = Memory[0];
        sub_140002240(v11, v12, v109[0]);
    }
    ++v4;  // 在這里發現可以增加 v4
    if ( !BYTE8(v107) )
        wassert(L"valid_", L"E:\\boost_1_69_0\\boost\\token_iterator.hpp", 0x36u);
    BYTE8(v107) = sub_140002B80(&Buf, &v106 + 1, v107, Memory);
}                                             // while end

在這個循環之前程序將 v4 初始化為 0，也就是說我們需要通過 ++v4 這條語句讓 v4 = 3 才能讓程序不退出。很自然的想到去找這個循環的出口。于是找到一個

if ( !v9 )
    break;

再往前看與 v9 相關的代碼

v93 = 0;

...
    
if ( v93 && BYTE8(v107) )                   
    v9 = v91 != *(&v106 + 1) || v92 != v107;
else
    v9 = v93 != BYTE8(v107);                  

v93 已經確定是 0 了。這里涉及到一個 v107 的值，它的值直接決定了 v9 會怎么變化，于是往前找到

BYTE8(v107) = sub_140002B80(&Buf, &v106 + 1, v5, Memory);

發現 v107 的值是由函數 sub_140002B80 決定的。于是現在的問題就變成了研究這個函數的作用

這個函數的邏輯跳轉比較復雜，但是經過動態調試之后，可以總結出來的是

strEnd = a3;
strI = a2;

v35 = *strI + 1;                          // 取下一個字符
*strI = v35;
if ( v35 == strEnd )
    return 1;

該函數的第二個參數是我們輸入的字符串指針，它會移動該指針，去取字符串中的每一位字符，取到空白符或者標點符就會返回 1 并且指針的位置也會保存下來，換言之它起到了一個分割字符串的作用，只不過分割的字符可以是任意的標點符或空白符。主要借助的是以下兩個函數來實現

isspace()
ispunct()

知道了這個函數的作用我們就能弄清楚剛剛的循環的作用了，很顯然是在分割字符串，而 v3 = 3 也就意味著有三個部分

我們把輸入重新改成 input_flag_test，再動態調試一遍，發現程序在此處停止了

if ( v122 != 10 )                             // 第一部分的長度要等于10才行
{
    v14 = sub_140002090(Src);
    _exit(v14);
}

v122 變量存儲的是第一部分字符串的長度，于是我們更改輸入為 input2nput_flag_test 繼續調試

發現了以下循環

do
{
    v20 = &Dst;
    if ( v18 >= 0x10 )
    v20 = v19;
    if ( (*(v20 + v17) ^ 0xAB) != *(&v129 + v17) )
    {
        Sleep(0xD4A51000);
        _exit(0);
    }
    v21 = &Dst;
    if ( v18 >= 0x10 )
    v21 = v19;
    sub_140001020("%c", *(v21 + v17));
    ++v15;
    ++v17;
}
while ( v15 < v16 ); 

此時 v16 的值是 10 v15與v17 保存了當前的字符下標，我們發現 Dst 的每一位必須要與 0xAB 異或，且得到的值要與 v129 表中的值要相等。往前看到

sub_140002690(&Dst, Src, &v76);               // 在一個字符串中搜索另一個字符串，并去掉另一個字符串
LODWORD(v129) = 0xDFC8DED8;                   // 異或之后 是 suctf
WORD2(v129) = 0xCD;

分析一下 sub_140002690，首先從看它傳入的參數 v76 被固定成了 0x31，即 '1'

動態調試后，發現它的作用很簡單 sub_140002690(d,s,a) ，在 s 中去除 a 字符串并拷貝給 d

寫個腳本跑一下

v129 = "CD DF C8 DE D8".split(" ")
r = ""
for i in v129 :
    r += chr(int(i,16)^0xAB)
print(r)

# suctf

由于只有 5 個字符，但前面得到的信息是第一部分要有 10 個字符，這說明有 5 個字符是 '1'，在 sub_140002690 中被去除了。于是第一部分就可以確定下來是 11111suctf

輸入 11111suctf_flag_test ，繼續調試遇到了

if ( Size != 4 )                              // 第二段的長度得 = 4 否則就 you lost
    goto LABEL_149;

這里的 Size 剛好保存了第二部分的數據長度，我們這里剛剛好是 4 個

if ( v25 != v24 )                             // 判斷字符是否取到尾了
{
    while ( (*v25 - 97) <= 6u || (*v25 - 65) <= 6u )// [a-gA-G]
    {
        if ( ++v25 == v24 )
        goto LABEL_55;
    }
    goto LABEL_149; // You lost
}

...

LABEL_149:
    v71 = sub_140002810(std::cout, "You lost sth.");

這里的循環主要限定了第二部分的字符范圍為 [a-gA-G]

于是我們轉換一下輸入為 11111suctf_abcd_test 繼續調試

do
{
    v37 = *v33;                               // 取一個字符給 v37
    v38 = sub_1400023D0(&v78);
    *v33 = std::ctype<char>::toupper(v38, v37);// 替換 v38~v37 范圍內的小寫字母為大寫字母
    v33 = (v33 + 1);
}
while ( (v33 - v35) != v36 );               // 是否處理完字符

這里將剛才輸入的字符串第二部分的字母從小寫轉到大寫

if ( Size == v100 && !memcmp(v41, v40, Size) )   // 原來就得是大寫

這里 memcmp 將剛才轉化成大寫之后的字符串與原先轉化之前的字符串進行了比較，換句話說，我原先輸入的第二部分字符串就必須是大寫否則這里就無法進入分支

于是改變輸入 11111suctf_ABCD_test 繼續調試

v44 = 0i64;
do
{
    v45 = Buf2;
    if ( v30 >= 0x10 )
    v45 = v29;
    v46 = Buf2;
    if ( v30 >= 0x10 )
    v46 = v29;
    if ( *(v45 + v44) + 2 != *(v46 + v44 + 1) )// 后一個字符要和前一個字符相差2
    v22 = 1;
    ++v43;
    ++v44;
}
while ( v43 < (v42 - 1) );

這一段的主要作用是告訴我們第二段的字符串內容，每兩個字符之間后一個字符要和前一個字符相差 2

結合 [a-gA-G] 的范圍得出結果 11111suctf_ACEG_test 繼續調試

while ( 1 )
{
    v53 = *v52;                               // 取了一個字符 v52 = "test" v53=0x74
    v54 = Buf2[0];                            // 字符串長度 Buf[0] = 4  v54 = 4
    if ( !(v54 & *(*(sub_1400023D0(&Buf2[1]) + 24) + 2 * v53)) )// *(sub_1400023D0(&Buf2[1]) + 24) = 000000000043EA00
    // *(000000000043EA00) = 0x20
    // 判斷是否是純數字
        break;
    v52 = (v52 + 1);
    if ( v52 == v73 )
    goto LABEL_104;
}

這里用了一種很奇妙的方法來判斷第三部分的字符是否是純數字的

我們去內存中 dump 出 0x0000000000500210 這個位置往下某一塊區域的表

debug013:0000000000500210 db  84h
debug013:0000000000500211 db    0
debug013:0000000000500212 db  84h
debug013:0000000000500213 db    0
debug013:0000000000500214 db  84h
debug013:0000000000500215 db    0
debug013:0000000000500216 db  84h
debug013:0000000000500217 db    0
debug013:0000000000500218 db  84h
debug013:0000000000500219 db    0
debug013:000000000050021A db  84h
debug013:000000000050021B db    0
debug013:000000000050021C db  84h
debug013:000000000050021D db    0
debug013:000000000050021E db  84h
debug013:000000000050021F db    0
debug013:0000000000500220 db  84h
debug013:0000000000500221 db    0
debug013:0000000000500222 db  84h
debug013:0000000000500223 db    0

正好 10 個 0x84 代表著 0-9 ，經過運算只有落在這部分區域里才有可能讓 v54(=4) 與 0x84 與運算，才有可能不觸發 break，所以這里的作用就是要求第三部分的所有字符都是數字字符

最后關鍵的一部分

v62 = v61 + v127 - v59;                     // 取第三部分長度
if ( v59 > (v61 + v127) )
    v62 = 0i64;
if ( v62 )
{
    do
    {
        v3 = *v60 + 2 * (5 * v3 - 24);          // 把字符串型的數字轉為數值型的數字 例如 '3'=>3
        v60 = (v60 + 1);                        // 取下一個字符
    }
    while ( v60 - v59 != v62 );
}
if ( !(v3 & 1)
    && ((1234 * v3 + 5678) / 4396 ^ 0xABCDDCBA) == 0xABCDB8B9
    && ((2334 * v3 + 9875) / 7777 ^ 0x12336790) == 0x1233FC70 )
{
    v63 = std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, v3, v60);
    v64 = sub_140002810(v63, "}");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v64, sub_1400029E0);
}
v65 = sub_140002810(std::cout, "You win!");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v65, sub_1400029E0);

直接分析可能很難理解，但是通過動態調試觀察可以發現是先將數字字符轉化為數值型數據，然后滿足一個表達式才能輸出 '}'，這里我們用 z3 來計算 v3 的確定值

from z3 import *

x = BitVec('x',32)
s = Solver()

s.add(x&1==0)
s.add((1234 * x + 5678) / 4396 ^ 0xABCDDCBA == 0xABCDB8B9)
s.add((2334 * x + 9875) / 7777 ^ 0x12336790 == 0x1233FC70)

if s.check() == sat :
    print(s.model())

# [x = 31415926]

至此，我們就得到了最終的答案 11111suctf_ACEG_31415926

hardCPP

這題用了OLLVM混淆(控制流平坦化)，我在分析前選擇了基于angr框架的符號執行來實現去除控制流平坦化。

$ python deflat.py ~/Desktop/hardCpp 0x4007E0

*******************relevant blocks************************
prologue: 0x4007e0
main_dispatcher: 0x400876
pre_dispatcher: 0x4012e3
retn: 0x40114a
relevant_blocks: ['0x400caa', '0x400dd3', '0x400d71', '0x400ba6', '0x400d15', '0x4010ea', '0x40107d', '0x400c30', '0x4012c4', '0x400d8d', '0x401172', '0x400bea', '0x400f40', '0x400ccf', '0x401155', '0x401037', '0x400ff1', '0x4010a4', '0x400bb0', '0x40108c', '0x400d62', '0x400f5e', '0x401188', '0x4012b5']
*******************symbolic execution*********************
-------------------dse 0x400caa---------------------
-------------------dse 0x400dd3---------------------
CRITICAL | 2019-10-08 06:28:05,385 | angr.sim_state | The name state.se is deprecated; please use state.solver.
-------------------dse 0x400d71---------------------
-------------------dse 0x400ba6---------------------
-------------------dse 0x400d15---------------------
-------------------dse 0x4010ea---------------------
-------------------dse 0x40107d---------------------
-------------------dse 0x400c30---------------------
-------------------dse 0x4012c4---------------------
-------------------dse 0x400d8d---------------------
-------------------dse 0x401172---------------------
-------------------dse 0x400bea---------------------
-------------------dse 0x400f40---------------------
-------------------dse 0x400ccf---------------------
-------------------dse 0x401155---------------------
-------------------dse 0x401037---------------------
-------------------dse 0x400ff1---------------------
-------------------dse 0x4010a4---------------------
-------------------dse 0x400bb0---------------------
-------------------dse 0x40108c---------------------
-------------------dse 0x400d62---------------------
-------------------dse 0x400f5e---------------------
-------------------dse 0x401188---------------------
-------------------dse 0x4012b5---------------------
-------------------dse 0x4007e0---------------------
************************flow******************************
0x400caa:  ['0x400ccf']
0x4010ea:  ['0x40114a', '0x4012c4']
0x400d71:  ['0x400d8d', '0x4010a4']
0x4010a4:  ['0x4010ea', '0x4012c4']
0x400ba6:  ['0x400dd3']
0x400bb0:  ['0x400bea']
0x40108c:  ['0x400d71']
0x4007e0:  ['0x400bb0']
0x401155:  ['0x400c30']
0x400d62:  ['0x400d71']
0x400d15:  ['0x400d62', '0x401172']
0x401188:  ['0x400dd3']
0x400ff1:  ['0x401037', '0x4012b5']
0x40107d:  ['0x40108c']
0x400c30:  ['0x400caa', '0x401155']
0x4012c4:  ['0x4010ea']
0x401172:  ['0x400d15']
0x400dd3:  ['0x400f40', '0x400f40']
0x400bea:  ['0x400c30', '0x401155']
0x400d8d:  ['0x400dd3', '0x401188']
0x400f40:  ['0x400f5e', '0x400ff1']
0x400ccf:  ['0x400d15', '0x401172']
0x4012b5:  ['0x401037']
0x401037:  ['0x40107d', '0x4012b5']
0x40114a:  []
************************patch*****************************
Successful! The recovered file: /home/puret/Desktop/hardCpp_recovered

相關資料可以看:
bird 大佬最早發布的腳本 https://github.com/SnowGirls/deflat
后來有大佬改成 python3版本的 https://github.com/cq674350529/deflat
我直接拿來用的時候發現有一些小bug，fork了之后修正了小bug 對這道題的處理上不會再出現問題了 https://github.com/Pure-T/deflat

不過這題不用去除控制流平坦化也是可以做的，問題不大。

這是我去控制流平坦化之后的結果

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v3; // al
  char v4; // al
  char v5; // al
  char v6; // al
  char v8; // al
  char v9; // al
  char v10; // al
  char v11; // al
  char v12; // [rsp+A0h] [rbp-90h]
  char v13; // [rsp+A8h] [rbp-88h]
  char v14; // [rsp+B0h] [rbp-80h]
  char v15; // [rsp+B8h] [rbp-78h]
  char v16; // [rsp+C0h] [rbp-70h]
  char v17; // [rsp+C8h] [rbp-68h]
  char v18; // [rsp+CFh] [rbp-61h]
  int v19; // [rsp+D0h] [rbp-60h]
  int v20; // [rsp+D4h] [rbp-5Ch]
  int v21; // [rsp+D8h] [rbp-58h]
  int v22; // [rsp+DCh] [rbp-54h]
  char s[24]; // [rsp+E0h] [rbp-50h]
  char v24; // [rsp+F8h] [rbp-38h]
  char v25; // [rsp+100h] [rbp-30h]
  char v26; // [rsp+108h] [rbp-28h]
  char v27; // [rsp+110h] [rbp-20h]
  int v28; // [rsp+114h] [rbp-1Ch]
  const char **v29; // [rsp+118h] [rbp-18h]
  int v30; // [rsp+120h] [rbp-10h]
  int v31; // [rsp+124h] [rbp-Ch]
  int v32; // [rsp+128h] [rbp-8h]
  bool v33; // [rsp+12Eh] [rbp-2h]
  bool v34; // [rsp+12Fh] [rbp-1h]

  v31 = 0;
  v30 = argc;
  v29 = argv;
  v28 = time(0LL);
  puts("func(?)=\"01abfc750a0c942167651c40d088531d\"?");// #
  s[0] = getchar();
  fgets(&s[1], 21, stdin);
  v22 = time(0LL);
  v21 = v22 - v28;
  v32 = v22 - v28;
  if ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
    goto LABEL_14;
  while ( 1 )
  {
    v20 = strlen(s);
    v33 = v20 != 21;
    if ( y < 10 || (((_BYTE)x - 1) * (_BYTE)x & 1) == 0 )
      break;
LABEL_14:
    v20 = strlen(s);
  }
  if ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
    goto LABEL_15;
  while ( 1 )
  {
    v19 = 1;
    if ( y < 10 || (((_BYTE)x - 1) * (_BYTE)x & 1) == 0 )
      break;
LABEL_15:
    v19 = 1;
  }
  while ( v19 < 21 )                            // v19 [1,20]
  {
    if ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
    {
      v18 = v21 ^ s[v19];
      v17 = main::$_0::operator() const((__int64)&v26, v18);
      v16 = main::$_1::operator() const((__int64)&v24, s[v21 - 1 + v19]);
      v8 = main::$_1::operator() const(char)::{lambda(int)#1}::operator() const(&v16, 7);
      v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v17, v8);
      v15 = main::$_2::operator() const(&v27, (unsigned int)v18);
      v14 = main::$_2::operator() const(&v27, (unsigned int)s[v21 - 1 + v19]);
      v9 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v14, 18LL);
      v13 = main::$_3::operator() const((__int64)&v25, v9);
      v10 = main::$_3::operator() const(char)::{lambda(char)#1}::operator() const(&v13, 3LL);
      v12 = main::$_0::operator() const((__int64)&v26, v10);
      v11 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v12, 2);
      v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v15, (unsigned int)v11);
    }
    do
    {
      v18 = v21 ^ s[v19];
      v17 = main::$_0::operator() const((__int64)&v26, v18);
      v16 = main::$_1::operator() const((__int64)&v24, s[v21 - 1 + v19]);
      v3 = main::$_1::operator() const(char)::{lambda(int)#1}::operator() const(&v16, 7);
      v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v17, v3);
      v15 = main::$_2::operator() const(&v27, (unsigned int)v18);
      v14 = main::$_2::operator() const(&v27, (unsigned int)s[v21 - 1 + v19]);
      v4 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v14, 18LL);
      v13 = main::$_3::operator() const((__int64)&v25, v4);
      v5 = main::$_3::operator() const(char)::{lambda(char)#1}::operator() const(&v13, 3LL);
      v12 = main::$_0::operator() const((__int64)&v26, v5);
      v6 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v12, 2);
      v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v15, (unsigned int)v6);
      v34 = enc[v19 - 1] != v18;
    }
    while ( v34 );
    while ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
      ;
    ++v19;
  }
  if ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
    goto LABEL_17;
  while ( 1 )
  {
    puts("You win");
    if ( y < 10 || (((_BYTE)x - 1) * (_BYTE)x & 1) == 0 )
      break;
LABEL_17:
    puts("You win");
  }
  return 0;
}

去除的并不是很完美，還是有很多地方沒有處理好，后來對比原程序有丟失一些信息，問題主要發生在去除控制流平坦化時，識別返回塊的處理上，這里不展開。

先給了一個 md5 值

puts("func(?)=\"01abfc750a0c942167651c40d088531d\"?");

反查 md5 知道是 '#' 字符

s[0] = getchar();
fgets(&s[1], 21, stdin);

這種寫法應該是在暗示我第一個字符是 '#'，之后還要輸入20個字符，一共21個字符

在往后他記錄了一個時間差

v28 = time(0LL);
puts("func(?)=\"01abfc750a0c942167651c40d088531d\"?");// #
s[0] = getchar();
fgets(&s[1], 21, stdin);
v22 = time(0LL);
v21 = v22 - v28;
v32 = v22 - v28;

將開始輸入前的時間和開始輸入之后的時間差記錄成了一個變量，后來我注意到在原程序中判斷了這個時間差，若大于0就退出程序，在我這里被去除控制流平坦化的腳本給刪去了。當時我選擇先不管這個變量，往后看看，也許不影響解題。

再往后看，有一些多余的流程，忽略就好了。

v20 = strlen(s);
v33 = v20 != 21;

這里獲取了輸入字符串的長度，并記錄下長度是否等于 21

v19 = 1;

初始化 v19 = 1，緊接著一個大循環

while ( v19 < 21 )                            // v19 [1,20]
{
    if ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
    {
        v18 = v21 ^ s[v19];
        v17 = main::$_0::operator() const((__int64)&v26, v18);
        v16 = main::$_1::operator() const((__int64)&v24, s[v21 - 1 + v19]);
        v8 = main::$_1::operator() const(char)::{lambda(int)#1}::operator() const(&v16, 7);
        v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v17, v8);
        v15 = main::$_2::operator() const(&v27, (unsigned int)v18);
        v14 = main::$_2::operator() const(&v27, (unsigned int)s[v21 - 1 + v19]);
        v9 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v14, 18LL);
        v13 = main::$_3::operator() const((__int64)&v25, v9);
        v10 = main::$_3::operator() const(char)::{lambda(char)#1}::operator() const(&v13, 3LL);
        v12 = main::$_0::operator() const((__int64)&v26, v10);
        v11 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v12, 2);
        v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v15, (unsigned int)v11);
    }
    do
    {
        v18 = v21 ^ s[v19];
        v17 = main::$_0::operator() const((__int64)&v26, v18);
        v16 = main::$_1::operator() const((__int64)&v24, s[v21 - 1 + v19]);
        v3 = main::$_1::operator() const(char)::{lambda(int)#1}::operator() const(&v16, 7);
        v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v17, v3);
        v15 = main::$_2::operator() const(&v27, (unsigned int)v18);
        v14 = main::$_2::operator() const(&v27, (unsigned int)s[v21 - 1 + v19]);
        v4 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v14, 18LL);
        v13 = main::$_3::operator() const((__int64)&v25, v4);
        v5 = main::$_3::operator() const(char)::{lambda(char)#1}::operator() const(&v13, 3LL);
        v12 = main::$_0::operator() const((__int64)&v26, v5);
        v6 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v12, 2);
        v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v15, (unsigned int)v6);
        v34 = enc[v19 - 1] != v18;
    }
    while ( v34 );
    while ( y >= 10 && (((_BYTE)x - 1) * (_BYTE)x & 1) != 0 )
    ;
    ++v19;
}

注意到循環的條件是 v19 < 21，猜測這里 v19 代表的是當前處理的字符串中字符的下標，也就是說它是從字符串的第二個字符開始處理的，這與之前猜測的以 '#' 開頭呼應了

這個循環里還是有冗余的代碼，我們把它處理一下去除不會執行的地方

while ( v19 < 21 )                            // v19 [1,20]
{
    do
    {
        v18 = v21 ^ s[v19];
        v17 = main::$_0::operator() const((__int64)&v26, v18);
        v16 = main::$_1::operator() const((__int64)&v24, s[v21 - 1 + v19]);
        v3 = main::$_1::operator() const(char)::{lambda(int)#1}::operator() const(&v16, 7);
        v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v17, v3);
        v15 = main::$_2::operator() const(&v27, (unsigned int)v18);
        v14 = main::$_2::operator() const(&v27, (unsigned int)s[v21 - 1 + v19]);
        v4 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v14, 18LL);
        v13 = main::$_3::operator() const((__int64)&v25, v4);
        v5 = main::$_3::operator() const(char)::{lambda(char)#1}::operator() const(&v13, 3LL);
        v12 = main::$_0::operator() const((__int64)&v26, v5);
        v6 = main::$_0::operator() const(char)::{lambda(char)#1}::operator() const((__int64)&v12, 2);
        v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(&v15, (unsigned int)v6);
        v34 = enc[v19 - 1] != v18;
    } while ( v34 );
    ++v19;
}

邏輯更加清晰了，在 do While 循環的最后，判斷前面經過處理之后的結果 v18 是否等于 enc 表中的值，如果不等于就繼續處理變化。換句話說，我們要控制我們的輸入使得經過它規定的算法變化之后，等于 enc 表中的值，即可得到 flag

一個一個函數分析，我們隨便輸入 #input_flag_test_6789 調試看看

char __fastcall main::$_0::operator() const(__int64 a1, char a2)
{
  return a2;
}

.text:00000000004012F0 push    rbp
.text:00000000004012F1 mov     rbp, rsp
.text:00000000004012F4 mov     al, sil
.text:00000000004012F7 mov     [rbp+var_10], rdi
.text:00000000004012FB mov     [rbp+var_11], al
.text:00000000004012FE mov     al, [rbp+var_11]
.text:0000000000401301 mov     [rbp+var_8], al
.text:0000000000401304 mov     al, [rbp+var_8]
.text:0000000000401307 pop     rbp
.text:0000000000401308 retn

main::$_0 很顯然就做了一件事情返回參數 a2，怕偽代碼出錯，我還特意看了一眼匯編

char __fastcall main::$_1::operator() const(__int64 a1, char a2)
{
  return a2;
}

main::_0 一樣

__int64 __fastcall main::$_1::operator() const(char)::{lambda(int)#1}::operator() const(char *a1, int a2)
{
  return (unsigned int)(char)(*a1 % a2);
}

該函數取 a1 數組的第一個字符值與 a2 進行取模運算

__int64 __fastcall main::$_0::operator() const(char)::{lambda(char)#1}::operator() const(__int64 a1, char a2)
{
  signed int v2; // eax
  signed int v3; // eax
  __int64 v5; // [rsp+0h] [rbp-40h]
  int v6; // [rsp+4h] [rbp-3Ch]
  int v7; // [rsp+8h] [rbp-38h]
  int v8; // [rsp+Ch] [rbp-34h]
  int v9; // [rsp+10h] [rbp-30h]
  int v10; // [rsp+14h] [rbp-2Ch]
  __int64 v11; // [rsp+18h] [rbp-28h]
  char v12; // [rsp+23h] [rbp-1Dh]
  int v13; // [rsp+24h] [rbp-1Ch]
  bool v14; // [rsp+2Ah] [rbp-16h]
  bool v15; // [rsp+2Bh] [rbp-15h]
  unsigned int v16; // [rsp+2Ch] [rbp-14h]

  v14 = (((_BYTE)x_5 - 1) * (_BYTE)x_5 & 1) == 0;// v14 = 1
  v15 = y_6 < 10;                               // v15 = 1
  v13 = 1023500310;
  v12 = a2;
  v11 = a1;
  do
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          v10 = v13;
          v9 = v13 + 0x796B2E2C;
          if ( v13 != 0x8694D1D4 )
            break;                              
          *(&v5 - 2) = v11;
          *((_BYTE *)&v5 - 16) = v12;
          v13 = 0xAB705FC8;
        }
        v8 = v10 + 0x548FA038;
        if ( v10 != 0xAB705FC8 )
          break;                                
        v3 = 0x8694D1D4;
        *(&v5 - 2) = v11;
        *((_BYTE *)&v5 - 16) = v12;
        v16 = *((char *)&v5 - 16) + *(char *)*(&v5 - 2);// v16 = v11 + v12
        if ( y_6 < 10 || (((_BYTE)x_5 - 1) * (_BYTE)x_5 & 1) == 0 )
          v3 = 0x56CAF6B1;
        v13 = v3;
      }
      v7 = v10 - 0x3D016016;
      if ( v10 != 0x3D016016 )
        break;                                  
      v2 = 0x8694D1D4;
      if ( v15 || v14 )                         
        v2 = 0xAB705FC8;
      v13 = v2;
    }
    v6 = v10 - 0x56CAF6B1;
  }
  while ( v10 != 0x56CAF6B1 );
  return v16;
}

這個函數看上去代碼那么多。。其實都是混淆，真正執行的就一句話

v16 = v11 + v12

這里的 v11 v12 就是傳入的參數 a1 a2

下一個函數也是一樣...

char __fastcall main::$_2::operator() const(__int64 a1, char a2)
{
  signed int v2; // eax
  signed int v3; // eax
  char v5; // [rsp+0h] [rbp-50h]
  int v6; // [rsp+Ch] [rbp-44h]
  int v7; // [rsp+10h] [rbp-40h]
  int v8; // [rsp+14h] [rbp-3Ch]
  int v9; // [rsp+18h] [rbp-38h]
  int v10; // [rsp+1Ch] [rbp-34h]
  __int64 v11; // [rsp+20h] [rbp-30h]
  char v12; // [rsp+2Fh] [rbp-21h]
  int v13; // [rsp+30h] [rbp-20h]
  bool v14; // [rsp+35h] [rbp-1Bh]
  bool v15; // [rsp+36h] [rbp-1Ah]
  char v16; // [rsp+37h] [rbp-19h]

  v14 = (((_BYTE)x_11 - 1) * (_BYTE)x_11 & 1) == 0;
  v15 = y_12 < 10;
  v13 = -1990873412;
  v12 = a2;
  v11 = a1;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        v10 = v13;
        v9 = v13 + 1990873412;
        if ( v13 != -1990873412 )
          break;
        v2 = -1373097315;
        if ( v15 || v14 )
          v2 = 1457028246;
        v13 = v2;
      }
      v8 = v10 + 1373097315;
      if ( v10 != -1373097315 )
        break;
      *((_QWORD *)&v5 - 2) = v11;
      *(&v5 - 16) = v12;
      v5 = *(&v5 - 16);
      v13 = 1457028246;
    }
    v7 = v10 + 961146335;
    if ( v10 == -961146335 )
      break;
    v6 = v10 - 1457028246;
    if ( v10 == 1457028246 )
    {
      v3 = -1373097315;
      *((_QWORD *)&v5 - 2) = v11;
      *(&v5 - 16) = v12;
      v5 = *(&v5 - 16);
      v16 = v5;
      if ( y_12 < 10 || (((_BYTE)x_11 - 1) * (_BYTE)x_11 & 1) == 0 )
        v3 = -961146335;
      v13 = v3;
    }
  }
  return v16;
}

也是一樣虛胖...看上去很復雜，實際上執行的就三句話

*((_QWORD *)&v5 - 2) = v11;
*(&v5 - 16) = v12;
v5 = *(&v5 - 16);
v16 = v5;

其實就是把第二個參數 a2 返回

__int64 __fastcall main::$_2::operator() const(char)::{lambda(char)#1}::operator() const(_BYTE *a1, char a2)
{
  return (unsigned int)(char)(a2 ^ *a1);
}

這個函數也比較友好...異或一下

char __fastcall main::$_3::operator() const(__int64 a1, char a2)
{
  signed int v2; // eax
  signed int v3; // eax
  char v5; // [rsp+0h] [rbp-50h]
  int v6; // [rsp+Ch] [rbp-44h]
  int v7; // [rsp+10h] [rbp-40h]
  int v8; // [rsp+14h] [rbp-3Ch]
  int v9; // [rsp+18h] [rbp-38h]
  int v10; // [rsp+1Ch] [rbp-34h]
  __int64 v11; // [rsp+20h] [rbp-30h]
  char v12; // [rsp+2Fh] [rbp-21h]
  int v13; // [rsp+30h] [rbp-20h]
  bool v14; // [rsp+35h] [rbp-1Bh]
  bool v15; // [rsp+36h] [rbp-1Ah]
  char v16; // [rsp+37h] [rbp-19h]

  v14 = (((_BYTE)x_15 - 1) * (_BYTE)x_15 & 1) == 0;
  v15 = y_16 < 10;
  v13 = -538471561;
  v12 = a2;
  v11 = a1;
  while ( 1 )
  {
    while ( 1 )
    {
      v10 = v13;
      v9 = v13 + 2065325572;
      if ( v13 != -2065325572 )
        break;
      *((_QWORD *)&v5 - 2) = v11;
      *(&v5 - 16) = v12;
      v5 = *(&v5 - 16);
      v13 = 975002192;
    }
    v8 = v10 + 983538015;
    if ( v10 == -983538015 )
      break;
    v7 = v10 + 538471561;
    if ( v10 == -538471561 )
    {
      v2 = -2065325572;
      if ( v15 || v14 )
        v2 = 975002192;
      v13 = v2;
    }
    else
    {
      v6 = v10 - 975002192;
      if ( v10 == 975002192 )
      {
        v3 = -2065325572;
        *((_QWORD *)&v5 - 2) = v11;
        *(&v5 - 16) = v12;
        v5 = *(&v5 - 16);
        v16 = v5;
        if ( y_16 < 10 || (((_BYTE)x_15 - 1) * (_BYTE)x_15 & 1) == 0 )
          v3 = -983538015;
        v13 = v3;
      }
    }
  }
  return v16;
}

返回第二個參數 a2

__int64 __fastcall main::$_3::operator() const(char)::{lambda(char)#1}::operator() const(char *a1, char a2)
{
  return (unsigned int)(a2 * *a1);
}

第二個參數跟第一個參數的第一個字符相乘

最后給出一個 enc 數組

.data:0000000000602060 public enc
.data:0000000000602060 ; char enc[20]
.data:0000000000602060 enc db 0F3h                             ; DATA XREF: main+70A↑r
.data:0000000000602061 db  2Eh ; .
.data:0000000000602062 db  18h
.data:0000000000602063 db  36h ; 6
.data:0000000000602064 db 0E1h
.data:0000000000602065 db  4Ch ; L
.data:0000000000602066 db  22h ; "
.data:0000000000602067 db 0D1h
.data:0000000000602068 db 0F9h
.data:0000000000602069 db  8Ch
.data:000000000060206A db  40h ; @
.data:000000000060206B db  76h ; v
.data:000000000060206C db 0F4h
.data:000000000060206D db  0Eh
.data:000000000060206E db    0
.data:000000000060206F db    5
.data:0000000000602070 db 0A3h
.data:0000000000602071 db  90h
.data:0000000000602072 db  0Eh
.data:0000000000602073 db 0A5h
.data:0000000000602073 _data ends

剛好 20 個值

將上面的函數邏輯整理一下，大概就是下面的代碼，可能語法會有點問題不影響理解

v18 = v21 ^ s[v19];
v17 = v18
v16 = s[v21 - 1 + v19]
v3 = v16[0] % 7  
v18 = v17 + v3
v15 = v18
v14 = s[v21 - 1 + v19]
v4 = 18 ^ v14[0]
v13 = v4
v5 = v13[0] * 3
v12 = v5
v6 = v12[0] + 2
v18 = v15[0] ^ v6

// 最后整理成
v18 = ((v21 ^ s[v19]) + (s[v21 - 1 + v19] % 7)) ^ ((18 ^ s[v21 - 1 + v19]) * 3 + 2)
c = ((time ^ input[i]) + (input[time - 1 + i] % 7)) ^ ((18 ^ input[time - 1 + i]) * 3 + 2)

由于這里 time 預期為 0 所以

c = ((0 ^ input[i]) + (input[i-1] % 7)) ^ ((18 ^ input[i-1]) * 3 + 2)

已知 c 和 i 的情況下，很顯然這個算法是可逆的

flag = [0 for i in range(21)]
flag[0] = 0x23
enc = 'F3 2E 18 36 E1 4C 22 D1 F9 8C 40 76 F4 0E 00 05 A3 90 0E A5'.split(' ')
c = [int(i,16) for i in enc]
for i in range(1,len(c)+1) :
    flag[i] = (((c[i-1] ^ ((flag[i-1] ^ 18) * 3 + 2)) - (flag[i-1]%7)) ^ 0) & 0xff 
print(''.join(map(chr,flag)))

最后得到答案 #flag{mY-CurR1ed_Fns}

babyunic

考察的是 unicorn CPU 模擬器

func 文件里放的是機器指令，babyunic 會借助 un.so.1 模擬執行 func 里的指令

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  const void *s1; // ST10_8
  const char *v4; // ST18_8
  __int64 v5; // ST00_8

  if ( a1 == 2 )
  {
    puts("SUCTF 2019");
    printf("input your flag:", a2);
    s1 = malloc(0x200uLL);
    v4 = (const char *)malloc(0x200uLL);
    __isoc99_scanf("%50s", v4);
    sub_CBA(v4, (__int64)s1, *(const char **)(v5 + 8));
    if ( !memcmp(s1, &unk_202020, 168uLL) )
      puts("congratuation!");
    else
      puts("fail!");
  }
  else
  {
    puts("no input files");
  }
  return 0LL;
}

給了一張常量表 unk_202020，與 s1 比較相等就說明輸入的 flag 是正確的

將輸入的內容傳入 sub_CBA 處理

uc_open(3LL, 0x40000004LL, &uc_engine);

借助 uc_open 函數我們可以確定 func 的指令架構和位數

在 unicorn/include/unicorn/unicorn.h 位置處，我們可以找到

UNICORN_EXPORT
uc_err uc_open(uc_arch arch, uc_mode mode, uc_engine **uc);

/*
 Close a Unicorn engine instance.
 NOTE: this must be called only when there is no longer any
 usage of @uc. This API releases some of @uc's cached memory, thus
 any use of the Unicorn API with @uc after it has been closed may
 crash your application. After this, @uc is invalid, and is no
 longer usable.
 @uc: pointer to a handle returned by uc_open()
 @return UC_ERR_OK on success, or other value on failure (refer to uc_err enum
   for detailed error).
*/

知道了三個參數的作用，我們再去找 arch 和 mode 的值定義

// Architecture type
typedef enum uc_arch {
    UC_ARCH_ARM = 1,    // ARM architecture (including Thumb, Thumb-2)
    UC_ARCH_ARM64,      // ARM-64, also called AArch64
    UC_ARCH_MIPS,       // Mips architecture
    UC_ARCH_X86,        // X86 architecture (including x86 & x86-64)
    UC_ARCH_PPC,        // PowerPC architecture (currently unsupported)
    UC_ARCH_SPARC,      // Sparc architecture
    UC_ARCH_M68K,       // M68K architecture
    UC_ARCH_MAX,
} uc_arch;

// Mode type
typedef enum uc_mode {
    UC_MODE_LITTLE_ENDIAN = 0,    // little-endian mode (default mode)
    UC_MODE_BIG_ENDIAN = 1 << 30, // big-endian mode
    // arm / arm64
    UC_MODE_ARM = 0,              // ARM mode
    UC_MODE_THUMB = 1 << 4,       // THUMB mode (including Thumb-2)
    UC_MODE_MCLASS = 1 << 5,      // ARM's Cortex-M series (currently unsupported)
    UC_MODE_V8 = 1 << 6,          // ARMv8 A32 encodings for ARM (currently unsupported)
    // mips
    UC_MODE_MICRO = 1 << 4,       // MicroMips mode (currently unsupported)
    UC_MODE_MIPS3 = 1 << 5,       // Mips III ISA (currently unsupported)
    UC_MODE_MIPS32R6 = 1 << 6,    // Mips32r6 ISA (currently unsupported)
    UC_MODE_MIPS32 = 1 << 2,      // Mips32 ISA
    UC_MODE_MIPS64 = 1 << 3,      // Mips64 ISA
    // x86 / x64
    UC_MODE_16 = 1 << 1,          // 16-bit mode
    UC_MODE_32 = 1 << 2,          // 32-bit mode
    UC_MODE_64 = 1 << 3,          // 64-bit mode
    // ppc 
    UC_MODE_PPC32 = 1 << 2,       // 32-bit mode (currently unsupported)
    UC_MODE_PPC64 = 1 << 3,       // 64-bit mode (currently unsupported)
    UC_MODE_QPX = 1 << 4,         // Quad Processing eXtensions mode (currently unsupported)
    // sparc
    UC_MODE_SPARC32 = 1 << 2,     // 32-bit mode
    UC_MODE_SPARC64 = 1 << 3,     // 64-bit mode
    UC_MODE_V9 = 1 << 4,          // SparcV9 mode (currently unsupported)
    // m68k
} uc_mode;

因此 uc_open 中的 3 對應的是 UC_ARCH_MIPS ，0x40000004 其實等于 0x40000000 + 0x4 對應 UC_MODE_MIPS32 + UC_MODE_BIG_ENDIAN

知道了架構和位數我們就可以反匯編它了，這里我借助一個神器 ghidra 直接反編譯

由于代碼量有點大就不全部貼出來了

void UndefinedFunction_00000000(byte *param_1,int *param_2)

{
  int iStack16;
  int iStack12;
  
  iStack12 = 0;
  while (param_1[iStack12] != 0) {
    iStack12 = iStack12 + 1;
  }
  iStack16 = 0;
  while (iStack16 < iStack12) {
    param_1[iStack16] = (param_1[iStack16] << 3 | param_1[iStack16] >> 5) ^ (byte)iStack16;
    iStack16 = iStack16 + 1;
  }
  *param_2 = ((((((((((((((((((((((((((((((((uint)*param_1 + (uint)param_1[1] + (uint)param_1[2]) -
                                          (uint)param_1[3]) + (uint)param_1[4]) - (uint)param_1[5])
                                       - (uint)param_1[6]) - (uint)param_1[7]) - (uint)param_1[8])+
                                     (uint)param_1[9] + (uint)param_1[10]) - (uint)param_1[0xb]) +
                                  (uint)param_1[0xc]) - (uint)param_1[0xd]) - (uint)param_1[0xe])+
                               (uint)param_1[0xf]) - (uint)param_1[0x10]) - (uint)param_1[0x11]) +
                             (uint)param_1[0x12] + (uint)param_1[0x13]) - (uint)param_1[0x14]) +
                           (uint)param_1[0x15] + (uint)param_1[0x16] + (uint)param_1[0x17] +
                          (uint)param_1[0x18]) - (uint)param_1[0x19]) + (uint)param_1[0x1a]) -
                       (uint)param_1[0x1b]) + (uint)param_1[0x1c] + (uint)param_1[0x1d]) -
                     (uint)param_1[0x1e]) - (uint)param_1[0x1f]) + (uint)param_1[0x20]) -
                  (uint)param_1[0x21]) + (uint)param_1[0x22] + (uint)param_1[0x23]) -
                (uint)param_1[0x24]) - (uint)param_1[0x25]) + (uint)param_1[0x26]) -
             (uint)param_1[0x27]) + (uint)param_1[0x28] + (uint)param_1[0x29];
  param_2[1] = (((((((((((((((((((((((((((((((((((uint)*param_1 - (uint)param_1[1]) +
                                               (uint)param_1[2]) - (uint)param_1[3]) -
                                             (uint)param_1[4]) + (uint)param_1[5]) -
                                           (uint)param_1[6]) - (uint)param_1[7]) -(uint)param_1[8])
                                        - (uint)param_1[9]) + (uint)param_1[10]) -
                                      (uint)param_1[0xb]) + (uint)param_1[0xc]) -(uint)param_1[0xd]
                                    ) - (uint)param_1[0xe]) + (uint)param_1[0xf]) -
                                 (uint)param_1[0x10]) - (uint)param_1[0x11]) +(uint)param_1[0x12])
                              - (uint)param_1[0x13]) + (uint)param_1[0x14] + (uint)param_1[0x15])-
                            (uint)param_1[0x16]) - (uint)param_1[0x17]) - (uint)param_1[0x18]) +
                         (uint)param_1[0x19]) - (uint)param_1[0x1a]) + (uint)param_1[0x1b]) -
                      (uint)param_1[0x1c]) - (uint)param_1[0x1d]) + (uint)param_1[0x1e] +
                     (uint)param_1[0x1f] + (uint)param_1[0x20] + (uint)param_1[0x21] +
                     (uint)param_1[0x22] + (uint)param_1[0x23]) - (uint)param_1[0x24]) -
                  (uint)param_1[0x25]) - (uint)param_1[0x26]) - (uint)param_1[0x27]) -
               (uint)param_1[0x28]) + (uint)param_1[0x29];
  param_2[2] = ((((((((((((((((((((((((((((((uint)*param_1 - (uint)param_1[1]) + (uint)param_1[2] +
                                          (uint)param_1[3]) - (uint)param_1[4]) + (uint)param_1[5])
                                       - (uint)param_1[6]) - (uint)param_1[7]) + (uint)param_1[8])-
                                    (uint)param_1[9]) - (uint)param_1[10]) - (uint)param_1[0xb]) -
                                 (uint)param_1[0xc]) - (uint)param_1[0xd]) + (uint)param_1[0xe]) -
                              (uint)param_1[0xf]) - (uint)param_1[0x10]) + (uint)param_1[0x11] +
                             (uint)param_1[0x12] + (uint)param_1[0x13] + (uint)param_1[0x14] +
                            (uint)param_1[0x15]) - (uint)param_1[0x16]) + (uint)param_1[0x17] +
                           (uint)param_1[0x18] + (uint)param_1[0x19] + (uint)param_1[0x1a]) -
                         (uint)param_1[0x1b]) + (uint)param_1[0x1c]) - (uint)param_1[0x1d]) +
                      (uint)param_1[0x1e]) - (uint)param_1[0x1f]) + (uint)param_1[0x20] +
                    (uint)param_1[0x21]) - (uint)param_1[0x22]) - (uint)param_1[0x23]) +
                  (uint)param_1[0x24] + (uint)param_1[0x25] + (uint)param_1[0x26]) -
                (uint)param_1[0x27]) + (uint)param_1[0x28]) - (uint)param_1[0x29];
  param_2[3] = ...
  
  ......

這里第一個參數 param_1 是我們輸入的字符串, param_2 最后得到的值要等于那個常量表

這里借助 z3 一把梭，不過要注意的是 enc 那個常量是以補碼形式表示的

from z3 import *
import ctypes

e = [0xFFFFFF94,0xFFFFFF38,0x00000126,0xFFFFFF28,0xFFFFFC10,0x00000294,0xFFFFFC9E,0x000006EA,0x000000DC,0x00000006,0xFFFFFF0C,0xFFFFFDF6,0xFFFFFA82,0xFFFFFCD0,0x00000182,0x000003DE,0x0000014E,0x000002B2,0xFFFFF8D8,0x00000174,0xFFFFFAA6,0xFFFFF9D4,0x000001C2,0xFFFFF97C,0x0000035A,0x00000146,0xFFFFFF3C,0xFFFFFA14,0x000001CE,0x000007DC,0xFFFFFD48,0x00000098,0x0000085E,0xFFFFFDB0,0xFFFFFFBC,0x0000036E,0xFFFFFF4E,0xFFFFF836,0x000005C0,0x000006AE,0x00000694,0x00000022]
en = map(lambda x: ctypes.c_int32(x).value,e)
enc = [IntVal(i) for i in en]

# enc = map(lambda x: ctypes.c_int32(x).value, enc)
c = [Int('c%d' % i) for i in range(42)]
flag = []
solver = Solver()

for v in c :
    solver.add(v >= 0x0)
    solver.add(v <= 0xff)

solver.add(enc[0]==(((((((((((((((((((((((((((((((c[0]+c[1]+c[2])-c[3])+c[4])-c[5])-c[6])-c[7])-c[8])+c[9]+c[10])-c[0xb])+c[0xc])-c[0xd])-c[0xe])+c[0xf])-c[0x10])-c[0x11])+c[0x12]+c[0x13])-c[0x14])+c[0x15]+c[0x16]+c[0x17]+c[0x18])-c[0x19])+c[0x1a])-c[0x1b])+c[0x1c]+c[0x1d])-c[0x1e])-c[0x1f])+c[0x20])-c[0x21])+c[0x22]+c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[1]==((((((((((((((((((((((((((((((((((c[0]-c[1])+c[2])-c[3])-c[4])+c[5])-c[6])-c[7])-c[8])-c[9])+c[10])-c[0xb])+c[0xc])-c[0xd])-c[0xe])+c[0xf])-c[0x10])-c[0x11])+c[0x12])-c[0x13])+c[0x14]+c[0x15])-c[0x16])-c[0x17])-c[0x18])+c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])-c[0x1d])+c[0x1e]+c[0x1f]+c[0x20]+c[0x21]+c[0x22]+c[0x23])-c[0x24])-c[0x25])-c[0x26])-c[0x27])-c[0x28])+c[0x29])

solver.add(enc[2]==(((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3])-c[4])+c[5])-c[6])-c[7])+c[8])-c[9])-c[10])-c[0xb])-c[0xc])-c[0xd])+c[0xe])-c[0xf])-c[0x10])+c[0x11]+c[0x12]+c[0x13]+c[0x14]+c[0x15])-c[0x16])+c[0x17]+c[0x18]+c[0x19]+c[0x1a])-c[0x1b])+c[0x1c])-c[0x1d])+c[0x1e])-c[0x1f])+c[0x20]+c[0x21])-c[0x22])-c[0x23])+c[0x24]+c[0x25]+c[0x26])-c[0x27])+c[0x28])-c[0x29])

solver.add(enc[3]==(((((((((((((((((((((((((((((((c[0]-c[1])-c[2])-c[3])-c[4])-c[5])+c[6]+c[7])-c[8])-c[9])-c[10])-c[0xb])+c[0xc])-c[0xd])+c[0xe])-c[0xf])+c[0x10])-c[0x11])+c[0x12]+c[0x13]+c[0x14])-c[0x15])+c[0x16]+c[0x17]+c[0x18])-c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e])-c[0x1f])-c[0x20])-c[0x21])+c[0x22])-c[0x23])+c[0x24]+c[0x25]+c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[4]==(((((((((((((((((((((((((((((((((c[0]-c[1])-c[2])+c[3])-c[4])-c[5])+c[6]+c[7]+c[8]+c[9])-c[10])+c[0xb]+c[0xc])-c[0xd])+c[0xe])-c[0xf])+c[0x10]+c[0x11])-c[0x12])+c[0x13])-c[0x14])+c[0x15])-c[0x16])-c[0x17])-c[0x18])+c[0x19])-c[0x1a])-c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e]+c[0x1f])-c[0x20])+c[0x21])-c[0x22])-c[0x23])+c[0x24])-c[0x25])+c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[5]==((((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3]+c[4]+c[5]+c[6]+c[7]+c[8])-c[9])-c[10])-c[0xb])-c[0xc])-c[0xd])-c[0xe])+c[0xf])-c[0x10])+c[0x11])-c[0x12])+c[0x13]+c[0x14])-c[0x15])+c[0x16])-c[0x17])+c[0x18])-c[0x19])+c[0x1a]+c[0x1b])-c[0x1c])+c[0x1d])-c[0x1e])+c[0x1f]+c[0x20]+c[0x21])-c[0x22])-c[0x23])-c[0x24])+c[0x25])-c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[6]==(((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3]+c[4])-c[5])+c[6]+c[7]+c[8]+c[9])-c[10])+c[0xb]+c[0xc])-c[0xd])+c[0xe]+c[0xf]+c[0x10]+c[0x11])-c[0x12])-c[0x13])-c[0x14])-c[0x15])-c[0x16])-c[0x17])+c[0x18]+c[0x19])-c[0x1a])+c[0x1b]+c[0x1c]+c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])+c[0x24]+c[0x25])-c[0x26])-c[0x27])+c[0x28])-c[0x29])

solver.add(enc[7]==((((((((((((((((((((((((((((((c[0]+c[1])-c[2])-c[3])-c[4])+c[5]+c[6])-c[7])+c[8]+c[9])-c[10])+c[0xb])-c[0xc])+c[0xd])-c[0xe])+c[0xf])-c[0x10])+c[0x11])-c[0x12])-c[0x13])+c[0x14])-c[0x15])+c[0x16])-c[0x17])-c[0x18])+c[0x19])-c[0x1a])+c[0x1b]+c[0x1c]+c[0x1d]+c[0x1e]+c[0x1f]+c[0x20])-c[0x21])+c[0x22])-c[0x23])+c[0x24]+c[0x25]+c[0x26]+c[0x27])-c[0x28])-c[0x29])

solver.add(enc[8]==(((((((((((((((((((((((((((((c[0]-c[1])-c[2])+c[3]+c[4])-c[5])+c[6]+c[7]+c[8]+c[9]+c[10])-c[0xb])-c[0xc])+c[0xd])-c[0xe])+c[0xf]+c[0x10]+c[0x11]+c[0x12])-c[0x13])+c[0x14]+c[0x15])-c[0x16])-c[0x17])+c[0x18]+c[0x19]+c[0x1a])-c[0x1b])+c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])+c[0x22])-c[0x23])-c[0x24])+c[0x25])-c[0x26])-c[0x27])+c[0x28])-c[0x29])

solver.add(enc[9]==(((((((((((((((((((((((((((((c[0]+c[1]+c[2])-c[3])+c[4]+c[5]+c[6])-c[7])-c[8])-c[9])-c[10])+c[0xb]+c[0xc]+c[0xd])-c[0xe])+c[0xf]+c[0x10])-c[0x11])-c[0x12])+c[0x13]+c[0x14])-c[0x15])-c[0x16])-c[0x17])+c[0x18])-c[0x19])-c[0x1a])-c[0x1b])+c[0x1c]+c[0x1d]+c[0x1e])-c[0x1f])+c[0x20]+c[0x21])-c[0x22])-c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[10]==((((((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3])-c[4])-c[5])+c[6]+c[7])-c[8])-c[9])-c[10])-c[0xb])+c[0xc]+c[0xd]+c[0xe])-c[0xf])+c[0x10])-c[0x11])+c[0x12]+c[0x13]+c[0x14])-c[0x15])+c[0x16])-c[0x17])-c[0x18])-c[0x19])+c[0x1a])-c[0x1b])-c[0x1c])+c[0x1d])-c[0x1e])+c[0x1f]+c[0x20])-c[0x21])-c[0x22])+c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[0xb]==((((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3]+c[4])-c[5])+c[6]+c[7])-c[8])+c[9]+c[10])-c[0xb])-c[0xc])-c[0xd])-c[0xe])+c[0xf])-c[0x10])-c[0x11])-c[0x12])+c[0x13]+c[0x14])-c[0x15])+c[0x16])-c[0x17])+c[0x18]+c[0x19]+c[0x1a]+c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])+c[0x24]+c[0x25])-c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0xc]==(((((((((((((((((((((((((((((((((((((c[0]-c[1])-c[2])-c[3])+c[4])-c[5])-c[6])+c[7]+c[8])-c[9])+c[10])-c[0xb])-c[0xc])-c[0xd])+c[0xe])-c[0xf])+c[0x10])-c[0x11])+c[0x12])-c[0x13])-c[0x14])-c[0x15])-c[0x16])+c[0x17])-c[0x18])+c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])+c[0x1d])-c[0x1e])-c[0x1f])+c[0x20]+c[0x21]+c[0x22])-c[0x23])-c[0x24])-c[0x25])-c[0x26])+c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0xd]==(((((((((((((((((((((((((((((((((c[0]-c[1])+c[2])-c[3])+c[4])-c[5])+c[6])-c[7])+c[8])-c[9])+c[10])-c[0xb])+c[0xc]+c[0xd]+c[0xe]+c[0xf])-c[0x10])-c[0x11])-c[0x12])+c[0x13]+c[0x14]+c[0x15])-c[0x16])-c[0x17])+c[0x18]+c[0x19])-c[0x1a])-c[0x1b])+c[0x1c]+c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])+c[0x21])-c[0x22])-c[0x23])+c[0x24])-c[0x25])-c[0x26])-c[0x27])+c[0x28])-c[0x29])

solver.add(enc[0xe]==(((((((((((((((((((((((((c[0]+c[1]+c[2])-c[3])-c[4])-c[5])+c[6])-c[7])+c[8]+c[9]+c[10])-c[0xb])+c[0xc])-c[0xd])-c[0xe])+c[0xf]+c[0x10]+c[0x11])-c[0x12])-c[0x13])-c[0x14])-c[0x15])+c[0x16]+c[0x17]+c[0x18])-c[0x19])+c[0x1a]+c[0x1b]+c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])+c[0x20]+c[0x21]+c[0x22]+c[0x23]+c[0x24]+c[0x25]+c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0xf]==((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3]+c[4]+c[5])-c[6])+c[7])-c[8])-c[9])-c[10])+c[0xb]+c[0xc]+c[0xd])-c[0xe])-c[0xf])-c[0x10])+c[0x11])-c[0x12])-c[0x13])-c[0x14])-c[0x15])+c[0x16]+c[0x17]+c[0x18]+c[0x19]+c[0x1a]+c[0x1b])-c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])+c[0x20])-c[0x21])+c[0x22]+c[0x23]+c[0x24]+c[0x25])-c[0x26])+c[0x27]+c[0x28])-c[0x29])

solver.add(enc[0x10]==((((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3])-c[4])-c[5])+c[6]+c[7]+c[8]+c[9]+c[10])-c[0xb])+c[0xc])-c[0xd])+c[0xe]+c[0xf]+c[0x10])-c[0x11])+c[0x12])-c[0x13])+c[0x14])-c[0x15])-c[0x16])-c[0x17])-c[0x18])-c[0x19])+c[0x1a]+c[0x1b]+c[0x1c]+c[0x1d])-c[0x1e])-c[0x1f])+c[0x20])-c[0x21])-c[0x22])+c[0x23])-c[0x24])+c[0x25])-c[0x26])+c[0x27])-c[0x28])+c[0x29])

solver.add(enc[0x11]==((((((((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3]+c[4])-c[5])+c[6]+c[7]+c[8])-c[9])-c[10])+c[0xb])-c[0xc])+c[0xd]+c[0xe]+c[0xf])-c[0x10])+c[0x11])-c[0x12])-c[0x13])+c[0x14])-c[0x15])+c[0x16])-c[0x17])-c[0x18])+c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])+c[0x1d])-c[0x1e])-c[0x1f])+c[0x20])-c[0x21])-c[0x22])+c[0x23])-c[0x24])+c[0x25])-c[0x26])+c[0x27]+c[0x28])-c[0x29])

solver.add(enc[0x12]==((((((((((((((((((((((((((((((((((c[0]-c[1])-c[2])-c[3])+c[4]+c[5])-c[6])+c[7])-c[8])+c[9]+c[10])-c[0xb])-c[0xc])-c[0xd])+c[0xe])-c[0xf])-c[0x10])+c[0x11]+c[0x12]+c[0x13])-c[0x14])-c[0x15])-c[0x16])-c[0x17])-c[0x18])-c[0x19])-c[0x1a])-c[0x1b])+c[0x1c]+c[0x1d]+c[0x1e])-c[0x1f])-c[0x20])-c[0x21])+c[0x22])-c[0x23])-c[0x24])-c[0x25])-c[0x26])-c[0x27])-c[0x28])+c[0x29])

solver.add(enc[0x13]==((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3])-c[4])-c[5])+c[6])-c[7])-c[8])-c[9])-c[10])-c[0xb])-c[0xc])-c[0xd])+c[0xe]+c[0xf]+c[0x10])-c[0x11])+c[0x12]+c[0x13]+c[0x14]+c[0x15])-c[0x16])+c[0x17]+c[0x18])-c[0x19])+c[0x1a]+c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e]+c[0x1f]+c[0x20]+c[0x21])-c[0x22])+c[0x23])-c[0x24])-c[0x25])-c[0x26])+c[0x27]+c[0x28])-c[0x29])

solver.add(enc[0x14]==((((((((((((((((((((((((((((((((((((c[0]+c[1])-c[2])-c[3])-c[4])+c[5])-c[6])+c[7])-c[8])-c[9])+c[10]+c[0xb])-c[0xc])-c[0xd])+c[0xe])-c[0xf])-c[0x10])+c[0x11])-c[0x12])-c[0x13])+c[0x14]+c[0x15])-c[0x16])+c[0x17]+c[0x18])-c[0x19])-c[0x1a])-c[0x1b])-c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])+c[0x21])-c[0x22])+c[0x23]+c[0x24])-c[0x25])+c[0x26])-c[0x27])+c[0x28])-c[0x29])

solver.add(enc[0x15]==(((((((((((((((((((((((((((((((((((c[0]-c[1])-c[2])-c[3])+c[4]+c[5]+c[6]+c[7])-c[8])-c[9])-c[10])-c[0xb])-c[0xc])-c[0xd])-c[0xe])-c[0xf])-c[0x10])+c[0x11])-c[0x12])-c[0x13])+c[0x14])-c[0x15])+c[0x16]+c[0x17]+c[0x18])-c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])-c[0x24])+c[0x25])-c[0x26])-c[0x27])-c[0x28])+c[0x29])

solver.add(enc[0x16]==(((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3]+c[4]+c[5]+c[6]+c[7])-c[8])+c[9])-c[10])+c[0xb])-c[0xc])+c[0xd]+c[0xe]+c[0xf])-c[0x10])+c[0x11]+c[0x12])-c[0x13])-c[0x14])+c[0x15]+c[0x16])-c[0x17])+c[0x18])-c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e]+c[0x1f])-c[0x20])+c[0x21])-c[0x22])-c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[0x17]==(((((((((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3])-c[4])-c[5])-c[6])-c[7])+c[8])-c[9])-c[10])+c[0xb]+c[0xc])-c[0xd])-c[0xe])+c[0xf])-c[0x10])-c[0x11])+c[0x12]+c[0x13])-c[0x14])-c[0x15])+c[0x16])-c[0x17])+c[0x18]+c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x18]==(((((((((((((((((((((((((c[0]+c[1])-c[2])+c[3]+c[4])-c[5])+c[6]+c[7])-c[8])+c[9]+c[10])-c[0xb])-c[0xc])-c[0xd])-c[0xe])+c[0xf]+c[0x10]+c[0x11])-c[0x12])+c[0x13]+c[0x14]+c[0x15]+c[0x16]+c[0x17]+c[0x18]+c[0x19])-c[0x1a])-c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e])-c[0x1f])+c[0x20]+c[0x21]+c[0x22])-c[0x23])-c[0x24])-c[0x25])-c[0x26])+c[0x27]+c[0x28])-c[0x29])

solver.add(enc[0x19]==((((((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3])-c[4])+c[5]+c[6])-c[7])+c[8]+c[9]+c[10])-c[0xb])-c[0xc])+c[0xd])-c[0xe])+c[0xf])-c[0x10])+c[0x11]+c[0x12]+c[0x13])-c[0x14])-c[0x15])+c[0x16]+c[0x17])-c[0x18])-c[0x19])+c[0x1a])-c[0x1b])+c[0x1c])-c[0x1d])+c[0x1e])-c[0x1f])-c[0x20])+c[0x21])-c[0x22])-c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])+c[0x28]+c[0x29])

solver.add(enc[0x1a]==(((((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3]+c[4])-c[5])-c[6])+c[7])-c[8])-c[9])-c[10])-c[0xb])+c[0xc])-c[0xd])+c[0xe])-c[0xf])+c[0x10])-c[0x11])+c[0x12])-c[0x13])-c[0x14])+c[0x15]+c[0x16]+c[0x17]+c[0x18]+c[0x19])-c[0x1a])-c[0x1b])-c[0x1c])-c[0x1d])+c[0x1e]+c[0x1f])-c[0x20])-c[0x21])-c[0x22])+c[0x23]+c[0x24])-c[0x25])-c[0x26])+c[0x27]+c[0x28]+c[0x29])

solver.add(enc[0x1b]==(((((((((((((((((((((((((((((((c[0]-c[1])+c[2])-c[3])+c[4])-c[5])-c[6])-c[7])-c[8])-c[9])-c[10])-c[0xb])+c[0xc]+c[0xd])-c[0xe])+c[0xf]+c[0x10]+c[0x11]+c[0x12]+c[0x13])-c[0x14])-c[0x15])-c[0x16])-c[0x17])+c[0x18]+c[0x19]+c[0x1a])-c[0x1b])+c[0x1c]+c[0x1d]+c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])+c[0x23])-c[0x24])-c[0x25])-c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x1c]==((((((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3]+c[4])-c[5])+c[6]+c[7])-c[8])-c[9])+c[10]+c[0xb])-c[0xc])+c[0xd])-c[0xe])+c[0xf])-c[0x10])+c[0x11]+c[0x12]+c[0x13])-c[0x14])-c[0x15])+c[0x16])-c[0x17])-c[0x18])-c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])-c[0x1d])-c[0x1e])+c[0x1f])-c[0x20])-c[0x21])+c[0x22]+c[0x23]+c[0x24])-c[0x25])-c[0x26])+c[0x27]+c[0x28]+c[0x29])

solver.add(enc[0x1d]==((((((((((((((((((((((((((c[0]+c[1])-c[2])-c[3])-c[4])+c[5]+c[6]+c[7])-c[8])+c[9])-c[10])-c[0xb])+c[0xc])-c[0xd])+c[0xe]+c[0xf])-c[0x10])+c[0x11]+c[0x12])-c[0x13])+c[0x14]+c[0x15]+c[0x16]+c[0x17])-c[0x18])+c[0x19]+c[0x1a])-c[0x1b])+c[0x1c]+c[0x1d]+c[0x1e]+c[0x1f]+c[0x20])-c[0x21])-c[0x22])+c[0x23]+c[0x24])-c[0x25])+c[0x26]+c[0x27])-c[0x28])+c[0x29])

solver.add(enc[0x1e]==((((((((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3])-c[4])-c[5])-c[6])-c[7])+c[8]+c[9])-c[10])-c[0xb])-c[0xc])+c[0xd])-c[0xe])-c[0xf])+c[0x10])-c[0x11])-c[0x12])-c[0x13])+c[0x14])-c[0x15])-c[0x16])+c[0x17]+c[0x18])-c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])+c[0x23]+c[0x24]+c[0x25])-c[0x26])+c[0x27]+c[0x28]+c[0x29])

solver.add(enc[0x1f]==((((((((((((((((((((((((((((((c[0]+c[1])-c[2])+c[3]+c[4])-c[5])-c[6])+c[7]+c[8]+c[9]+c[10]+c[0xb]+c[0xc])-c[0xd])-c[0xe])-c[0xf])+c[0x10]+c[0x11]+c[0x12]+c[0x13])-c[0x14])+c[0x15])-c[0x16])+c[0x17])-c[0x18])-c[0x19])+c[0x1a]+c[0x1b])-c[0x1c])+c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])+c[0x21])-c[0x22])+c[0x23])-c[0x24])+c[0x25])-c[0x26])+c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x20]==(((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3])-c[4])+c[5]+c[6]+c[7]+c[8])-c[9])+c[10]+c[0xb])-c[0xc])+c[0xd]+c[0xe])-c[0xf])+c[0x10])-c[0x11])+c[0x12]+c[0x13]+c[0x14])-c[0x15])-c[0x16])+c[0x17])-c[0x18])+c[0x19]+c[0x1a]+c[0x1b])-c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])+c[0x22]+c[0x23]+c[0x24]+c[0x25])-c[0x26])+c[0x27])-c[0x28])+c[0x29])

solver.add(enc[0x21]==(((((((((((((((((((((((((((((((c[0]-c[1])-c[2])+c[3]+c[4]+c[5]+c[6])-c[7])-c[8])+c[9]+c[10]+c[0xb])-c[0xc])-c[0xd])+c[0xe]+c[0xf])-c[0x10])+c[0x11])-c[0x12])+c[0x13])-c[0x14])+c[0x15]+c[0x16]+c[0x17])-c[0x18])-c[0x19])+c[0x1a]+c[0x1b])-c[0x1c])+c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])+c[0x24])-c[0x25])+c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x22]==((((((((((((((((((((((((((((((c[0]+c[1])-c[2])+c[3])-c[4])-c[5])-c[6])+c[7]+c[8]+c[9]+c[10]+c[0xb])-c[0xc])-c[0xd])-c[0xe])+c[0xf])-c[0x10])+c[0x11])-c[0x12])+c[0x13])-c[0x14])-c[0x15])+c[0x16]+c[0x17])-c[0x18])-c[0x19])+c[0x1a]+c[0x1b]+c[0x1c]+c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])-c[0x24])+c[0x25]+c[0x26]+c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x23]==((((((((((((((((((((((((((c[0]-c[1])+c[2]+c[3]+c[4])-c[5])-c[6])+c[7]+c[8])-c[9])-c[10])+c[0xb]+c[0xc]+c[0xd])-c[0xe])-c[0xf])+c[0x10])-c[0x11])+c[0x12]+c[0x13])-c[0x14])-c[0x15])-c[0x16])+c[0x17]+c[0x18])-c[0x19])-c[0x1a])+c[0x1b]+c[0x1c])-c[0x1d])-c[0x1e])+c[0x1f]+c[0x20])-c[0x21])+c[0x22]+c[0x23]+c[0x24]+c[0x25]+c[0x26]+c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x24]==(((((((((((((((((((((((((c[0]+c[1]+c[2])-c[3])-c[4])-c[5])-c[6])+c[7]+c[8]+c[9])-c[10])+c[0xb]+c[0xc])-c[0xd])+c[0xe]+c[0xf]+c[0x10]+c[0x11]+c[0x12]+c[0x13]+c[0x14]+c[0x15])-c[0x16])-c[0x17])+c[0x18])-c[0x19])-c[0x1a])-c[0x1b])-c[0x1c])+c[0x1d]+c[0x1e]+c[0x1f]+c[0x20])-c[0x21])-c[0x22])-c[0x23])-c[0x24])+c[0x25])-c[0x26])+c[0x27]+c[0x28])-c[0x29])

solver.add(enc[0x25]==((((((((((((((((((((((((((((((((((((((c[0]-c[1])-c[2])+c[3])-c[4])+c[5])-c[6])-c[7])-c[8])-c[9])+c[10])-c[0xb])-c[0xc])-c[0xd])-c[0xe])-c[0xf])-c[0x10])+c[0x11]+c[0x12])-c[0x13])-c[0x14])-c[0x15])+c[0x16])-c[0x17])+c[0x18])-c[0x19])-c[0x1a])+c[0x1b])-c[0x1c])-c[0x1d])+c[0x1e]+c[0x1f])-c[0x20])+c[0x21])-c[0x22])+c[0x23])-c[0x24])-c[0x25])+c[0x26])-c[0x27])-c[0x28])-c[0x29])

solver.add(enc[0x26]==((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3])-c[4])+c[5]+c[6]+c[7])-c[8])-c[9])-c[10])+c[0xb]+c[0xc]+c[0xd])-c[0xe])-c[0xf])-c[0x10])-c[0x11])-c[0x12])-c[0x13])+c[0x14]+c[0x15])-c[0x16])+c[0x17]+c[0x18]+c[0x19]+c[0x1a]+c[0x1b])-c[0x1c])-c[0x1d])+c[0x1e]+c[0x1f])-c[0x20])-c[0x21])+c[0x22])-c[0x23])-c[0x24])-c[0x25])+c[0x26]+c[0x27]+c[0x28])-c[0x29])

solver.add(enc[0x27]==(((((((((((((((((((((((((c[0]-c[1])-c[2])-c[3])-c[4])+c[5])-c[6])-c[7])-c[8])+c[9])-c[10])+c[0xb])-c[0xc])+c[0xd]+c[0xe])-c[0xf])-c[0x10])-c[0x11])+c[0x12]+c[0x13]+c[0x14]+c[0x15]+c[0x16])-c[0x17])+c[0x18]+c[0x19]+c[0x1a]+c[0x1b]+c[0x1c])-c[0x1d])+c[0x1e]+c[0x1f]+c[0x20]+c[0x21]+c[0x22])-c[0x23])-c[0x24])+c[0x25]+c[0x26]+c[0x27])-c[0x28])+c[0x29])

solver.add(enc[0x28]==((((((((((((((((((((((c[0]-c[1])-c[2])-c[3])+c[4]+c[5]+c[6])-c[7])+c[8]+c[9])-c[10])+c[0xb])-c[0xc])-c[0xd])-c[0xe])+c[0xf]+c[0x10]+c[0x11]+c[0x12]+c[0x13]+c[0x14]+c[0x15]+c[0x16])-c[0x17])+c[0x18]+c[0x19])-c[0x1a])+c[0x1b]+c[0x1c])-c[0x1d])+c[0x1e]+c[0x1f]+c[0x20])-c[0x21])-c[0x22])+c[0x23]+c[0x24])-c[0x25])+c[0x26]+c[0x27]+c[0x28]+c[0x29])

solver.add(enc[0x29]==(((((((((((((((((((((((((((((((c[0]+c[1]+c[2]+c[3]+c[4]+c[5]+c[6])-c[7])-c[8])-c[9])+c[10]+c[0xb])-c[0xc])+c[0xd])-c[0xe])-c[0xf])-c[0x10])-c[0x11])-c[0x12])-c[0x13])+c[0x14])-c[0x15])+c[0x16])-c[0x17])-c[0x18])+c[0x19]+c[0x1a]+c[0x1b]+c[0x1c])-c[0x1d])-c[0x1e])-c[0x1f])-c[0x20])-c[0x21])-c[0x22])-c[0x23])-c[0x24])-c[0x25])-c[0x26])-c[0x27])-c[0x28])+c[0x29])

if solver.check() == sat :
    r = solver.model()
    for i in range(42) :
        flag.append(r[c[i]].as_long()^i)

    flag = ''.join(map(lambda x : chr(((x >> 3) | (x << 5)) & 0xff),flag))
    print(flag)

# SUCTF{Un1c0rn_Engin3_Is_@_P0wer7ul_TO0ls!}

Akira Homework

程序有反調試，nop 掉 call cs:IsDebuggerPresent，還開了 ASLR，用 010editor 關閉 ASLR

  v1 = 0;
  memset(&v4, 0, 0x13ui64);
  memset(&Dst, 0, 0x6Dui64);
  memcpy(&Dst, aJLJLJL1pzxcp6b, 0x6Cui64);
  for ( i = 0; (unsigned __int64)i < 0x6C; ++i )
    aJLJLJL1pzxcp6b[i] ^= byte_140015F20[0];
  puts(aJLJLJL1pzxcp6b);
  sub_140009FF0((__int64)"%18s", &v4, 19i64);

調試到這，發現程序很多的字符串應該都是加密了，而 key 就是 byte_140015F20

sub_140009FF0 應該是一個輸入函數，但是每次調試到那程序都自動退出，不知道是反調試還是本身有 bug

只好 nop 掉它，手工修改內存

  v13 = a1;
  memset(Dst, 0, 0x13ui64);
  memcpy(Dst, &unk_140015E38, 0x12ui64);
  for ( i = 0; (unsigned __int64)i < 19; ++i )
    Dst[i] ^= byte_140015F20[1];
  memset(v12, 0, 0x13ui64);
  for ( j = 0; (unsigned __int64)j < 18; ++j )
    v12[j] = j ^ *(_BYTE *)(v13 + j);
  v5 = 1;
  v6 = 5;
  v7 = 4;
  v8 = 2;
  v9 = 3;
  v10 = 0;
  for ( k = 0; (unsigned __int64)k < 0x12; ++k )
  {
    if ( Dst[k] != v12[6 * (k / 6) + *(&v5 + k % 6)] )
      return 0;
  }
  return 1;

第一段算法很好懂，逆向一下

s = [0 for i in range(18)]
v5 = [1,5,4,2,3,0]
dst =[int(i,16) for i in '6A 5A 65 6B 71 41 72 68 55 7C 39 67 3E 30 4F 7D 7C 64 45'.split(" ")]

for k in range(0x12) :
    s[6 * (int(k / 6)) + v5[k % 6] ] = dst[k]

for j in range(18) :
    s[j] = s[j] ^ j 

print(''.join(map(chr,s)))

# Akira_aut0_ch3ss_!

得到一段字符串

繼續調試然后程序執行到了

sub_140008300((__int64)&v9, 3i64, 1048578);
return sub_140006C10(qword_140016178, v9, 0i64);

跟進 sub_140006C10 函數看看

發現這里對大量的數據進行解密操作

char __fastcall sub_140008910(__int64 a1, const char *a2)
{
  int i; // [rsp+20h] [rbp-28h]
  int v4; // [rsp+24h] [rbp-24h]
  char *Str; // [rsp+28h] [rbp-20h]

  Str = (char *)a2;
  v4 = strlen(a2);
  for ( i = 0; i < dword_140011194; ++i )
  {
    if ( !(i % 3) )
      byte_1400111A0[i] ^= Str[i / 3 % v4];     //  .data:00000001400111A0
  }
  SetEvent(Handles[0]);                         // 設置事件 Handles[0] 為激發狀態
  return 1;
}

密鑰就是我們剛才傳入的字符串，這說明 sub_140006C10 是一個解密函數，交叉引用看下有三處調用，結合前面有一段創建三個空事件的代碼，猜測可能是要進行三次解密之后將這塊數據 dump 出來

調試到 sub_1400093B0 獲取了當前進程的路徑

hFile = CreateFileW(&Filename, 0x80000000, 1u, 0i64, 3u, 0, 0i64);

并且讀取了 filePath:signature 交換數據流

sub_140007DD0(&Buffer, v2, (__int64)v26); // md5
v10 = 0xFCu;
v11 = 0xAEu;
v12 = 0xEBu;
v13 = 0x6E;
v14 = 0x34;
v15 = 0xB4u;
v16 = 0x30;
v17 = 0x3E;
v18 = 0x99u;
v19 = 0xB9u;
v20 = 0x12;
v21 = 6;
v22 = 0xBDu;
v23 = 0x32;
v24 = 0x5F;
v25 = 0x2B;

并且經過 md5 運算然后比較

反查 FCAEEB6E34B4303E99B91206BD325F2B 得到 Overwatch

添加交換數據流信息

echo Overwatch > WinRev.exe:signature

還要注意在內存中把截斷符加上，不然 md5 值不一樣

Stack[00002EE4]:000000000014FC2B db  4Fh ; O
Stack[00002EE4]:000000000014FC2C db  76h ; v
Stack[00002EE4]:000000000014FC2D db  65h ; e
Stack[00002EE4]:000000000014FC2E db  72h ; r
Stack[00002EE4]:000000000014FC2F db  77h ; w
Stack[00002EE4]:000000000014FC30 db  61h ; a
Stack[00002EE4]:000000000014FC31 db  74h ; t
Stack[00002EE4]:000000000014FC32 db  63h ; c
Stack[00002EE4]:000000000014FC33 db  68h ; h
Stack[00002EE4]:000000000014FC34 db    0

最后一樣也是會執行到解密函數 sub_140006C10

if ( (unsigned __int64)k >= 0x10 )
{
    sub_140008300((__int64)&v9, 3i64, 1048578);
    return sub_140006C10(qword_140016178, v9, 0i64);
}

之后程序就開啟 sleep 了，應該還遺漏了什么，回頭去檢查發現

v6 = beginthreadex(0i64, 0, (unsigned int (__stdcall *)(void *))StartAddress, &ArgList, 0, 0i64);

這個函數啟動了一個子線程，調試一下子線程看看它做了什么

在調試的過程中，要注意這里有個 TLS 回調函數

__int64 TlsCallback_0()
{
  __int64 result; // rax
  int i; // [rsp+20h] [rbp-18h]
  int j; // [rsp+24h] [rbp-14h]
  int k; // [rsp+28h] [rbp-10h]
  int l; // [rsp+2Ch] [rbp-Ch]

  for ( i = 0; (unsigned __int64)i < 0x1A; ++i )
    ProcName[i] ^= byte_140015F20[6];           // NtQueryInformationProcess
  for ( j = 0; (unsigned __int64)j < 0x19; ++j )
    asc_140015EA8[j] ^= byte_140015F20[7];      // ZwQueryInformationThread
  for ( k = 0; (unsigned __int64)k < 0x11; ++k )
    asc_140015EC8[k] ^= byte_140015F20[8];      // NtQueueApcThread
  for ( l = 0; ; ++l )
  {
    result = l;
    if ( (unsigned __int64)l >= 0xA )
      break;
    byte_140015E78[l] ^= byte_140015F20[5];     // ntdll.dll
  }
  return result;
}

主要用來解密出三個函數的名字，由于這題開了多線程，TLS 回調函數會被多次執行。。我們在這里下個斷點，讓它只解密一次。。之后斷到這里都直接修改 RIP 跳過

接著繼續分析我們的子線程

v4 = Process32FirstW(hSnapshot, &pe);
if ( !v4 )
    return 0i64;
while ( v4 )
{
    memset(v9, 0, 0x21ui64);
    memset(Str1, 0, 0x42ui64);
    v1 = wcslen(pe.szExeFile);
    sub_140007DD0(pe.szExeFile, v1, (__int64)v9);
    for ( i = 0; i < 16; ++i )
    sub_140008DF0((__int64)&Str1[2 * i], 3i64, (__int64)L"%02x", (unsigned __int8)v9[i]);
    for ( j = 0; (unsigned __int64)j < 0x31; ++j )
    {
        if ( !wcscmp((const wchar_t *)Str1, &a438078d884693c[33 * j]) )
        exit(-1);
    }
    v4 = Process32NextW(hSnapshot, &pe);        // 列進程 判斷進程 md5 是否有跟常量表中相同的 相同就退出
}

這里建了一個循環獲取所有進程名的 md5 跟常量表的 md5 比較，相同就退出程序，猜測是反調試。F9 一運行程序果然停止了，應該是檢測到了 IDA 的進程 (我用 IDA 調試的)

看到后面又運行了

if ( !byte_140016158 )
{
    sub_140006C10(qword_140016178, v7, (__int64)&v5);
    byte_140016158 = 1;
}

這里我直接修改 RIP 到 sub_140006C10，執行解密函數，到這里應該要開始考慮解密函數的調用順序問題，應該是子線程先執行，接著是 Akira_aut0_ch3ss_! 密鑰解密，最后是數據流密碼的解密。

由于子線程還沒執行完，我們繼續跟蹤下去

sub_140008500(qword_140016188);

這個函數傳了一個全局變量，該全局變量指向 TLS 回調函數中解密出來的三個函數地址

NtQueryInformationProcess ZwQueryInformationThread NtQueueApcThread

單步進去發現各種反調試函數...

sub_140008D20(qword_140016188, *v1, (__int64)sub_140009850);

這里通過調用 NtQueueApcThread 將 sub_140009850 函數加入 APC 隊列 (此處涉及 windows 內核理解不是很深，不到位的地方煩請大佬補充)

接下來進入了 sub_140009850

WaitForMultipleObjects(3u, Handles, 1, 5000u);

這里等待 5 秒，需要三個事件都處于激活狀態才能往下執行。

到這里我選擇重新調試，先暫停主線程，將子線程運行到 WaitForMultipleObjects 處，并暫停子線程，恢復主線程，再按照前面說的順序把主線程的解密函數執行完，然后暫停主線程，恢復子線程，此時三個事件已經都激活了

往下調發現在校驗文件頭

if ( *v11 == 'M' && *((_BYTE *)v5 + 1) == 'Z' )
{
    sub_140007D80((__int64)v5, v4, 0, (__int64)v8);
    v10 = v0;
    if ( v0 )
    v2 = 0;
}

接著就可以單步進入 sub_140007D80 了

這個函數粗略看下做了一些拷貝的工作和釋放內存的操作，我們把解密出來的 DLL 導出，然后再拖入 IDA 分析

if ( Src )
{
    CloseHandle(hFileMappingObject);
    Dst = malloc(0x8000ui64);
    memset(Dst, 0, 0x8000ui64);
    memcpy(Dst, Src, 0x8000ui64);
    strcpy(&v7, "Ak1i3aS3cre7K3y");
    memset(&Str1, 0, 0x11ui64);
    sub_7FFFDA782800(&v7, &Str1, Dst);
    if ( !strcmp(&Str1, &Str2) )
        sub_7FFFDA7826F0("Get finally answer!\n");
    else
        sub_7FFFDA7826F0("wow... game start!\n");
    result = 1;
}

sub_7FFFDA782800 函數往里走會發現 AES S盒代換表，因此猜測是 AES 加密，并且密鑰是 Ak1i3aS3cre7K3y 按這個密鑰來看應該是 128 bit 的長度

密文在子線程中

Src = 0x94u;
v16 = 0xBFu;
v17 = 0x7A;
v18 = 0xC;
v19 = 0xA4u;
v20 = 0x35;
v21 = 0x50;
v22 = 0xD1u;
v23 = 0xC2u;
v24 = 0x15;
v25 = 0xECu;
v26 = 0xEFu;
v27 = 0x9Du;
v28 = 0x9Au;
v29 = 0xAAu;
v30 = 0x56;

最后得到 flag{Ak1rAWin!}