看雪CTF.TSRC 2018 团队赛-第9题
2018-12-18 07:21 2741
1. 总体逻辑
程序使用nana库编写界面,
有两个label, 一个是显示"Correct", 一个是显示"Wrong", 都在相同的位置, 相同的大小
在textbox的text_changed事件中获取sn,
按"^([[:d:]]{10})([[:d:]]{10})([[:d:]]{10})$"的格式获取三个10位数字,
加锁处理sn(转换为16进制后写入directx的线程参数)
开启一个线程用于directx验证sn及在label处绘制"Correct"/"Wrong"
线程的参数如下
/*
 * Thread parameter shared between the nana UI thread and x_dx_thread.
 * Layout recovered in IDA; d03..d17 are slots whose use was not resolved.
 * sn0..sn2 are written by the textbox text_changed handler (the
 * mov [ecx+st_dx_param.snN], eax stores) and read by the render thread
 * inside EnterCriticalSection/LeaveCriticalSection on cs.
 */
struct st_dx_param {
    DWORD hThread;
    DWORD dwThreadId;        // CreateThread's lpThreadId points here (param+4)
    HANDLE hEvent;           // render loop exits once this is signalled
    DWORD d03;
    HWND hWndParent;         // stored at param+10h right before CreateThread
    DWORD d05;
    DWORD d06;
    DWORD d07;
    DWORD d08;
    DWORD d09;
    DWORD d10;
    DWORD d11;
    DWORD d12;
    int X;                   // 50
    int Y;                   // 20
    int nWidth;              // 200
    int nHeight;             // 80
    DWORD d17;
    // NOTE(review): x_dx_thread memcpy's only 16 bytes of each colour into a
    // float[4]; double[4] would be 32 bytes, so these are presumably float[4]
    // and the field type here is a transcription slip — confirm in the binary.
    double rgbSuccess[4];    // 0,128,0,1 green
    double rgbFail[4];       // 255,0,0,1 red
    CRITICAL_SECTION cs;     // guards sn0..sn2 between the two threads
    DWORD sn0;               // 0
    DWORD sn1;               // 0
    DWORD sn2;               // 0
};
2. nana::textbox(sn的处理及赋值)
// lambda registered for textbox.text_changed
.text:00402D80 mov dword ptr [ebp-16Ch], offset ??_7textbox@nana@@6B@ ; const nana::textbox::`vftable'
...
.text:00402DE3 mov dword ptr [ebp-420h], offset x_textbox_text_changed_lambda_vtbl
...
.text:00402E0F mov dword ptr [edi], offset ??_7docker@?$basic_event@Uarg_textbox@nana@@@nana@@6B@ ; const nana::basic_event<nana::arg_textbox>::docker::`vftable'
// x_DoCall is the text_changed handler (third vtable slot)
.rdata:004AB384 x_textbox_text_changed_lambda_vtbl dd offset sub_410C90
.rdata:004AB384 ; DATA XREF: wWinMain(x,x,x,x)+B43↑o
.rdata:004AB388 dd offset sub_410C90
.rdata:004AB38C dd offset x_DoCall
.rdata:004AB390 dd offset sub_410C80
.rdata:004AB394 dd offset sub_410C50
.rdata:004AB398 dd offset sub_410C70
// string -> integer, written into st_dx_param
// NOTE(review): the "mov ecx,[eax] / mov ecx,[ecx+4] / test byte ptr [ecx+eax+0Ch], 6"
// sequence after each x_atoi looks like an iostream state check (failbit|badbit == 6)
// on the returned stream; a failed conversion then skips the stores below — confirm.
.text:00403528 call x_atoi
.text:0040352D mov ecx, [eax]
.text:0040352F mov ecx, [ecx+4]
.text:00403532 test byte ptr [ecx+eax+0Ch], 6
.text:00403537 jnz short loc_403595
.text:00403539 lea eax, [ebp+var_1C]
.text:0040353C push eax
.text:0040353D lea ecx, [ebp+var_1D8]
.text:00403543 call x_atoi
.text:00403548 mov ecx, [eax]
.text:0040354A mov ecx, [ecx+4]
.text:0040354D test byte ptr [ecx+eax+0Ch], 6
.text:00403552 jnz short loc_403595
.text:00403554 lea eax, [ebp+sn0]
.text:00403557 push eax
.text:00403558 lea ecx, [ebp+var_130]
.text:0040355E call x_atoi
.text:00403563 mov ecx, [eax]
.text:00403565 mov ecx, [ecx+4]
.text:00403568 test byte ptr [ecx+eax+0Ch], 6
.text:0040356D jnz short loc_403595
// [esi+8] is the st_dx_param pointer; the three locals land in sn0, sn1, sn2.
// Note the IDA-named local "sn0" is actually the third value and is stored into sn2.
.text:0040356F mov ecx, [esi+8]
.text:00403572 mov eax, [ebp+var_18]
.text:00403575 mov [ecx+st_dx_param.sn0], eax
.text:0040357B mov ecx, [esi+8]
.text:0040357E mov eax, [ebp+var_1C]
.text:00403581 mov [ecx+st_dx_param.sn1], eax
.text:00403587 mov ecx, [esi+8]
.text:0040358A mov eax, [ebp+sn0]
.text:0040358D mov [ecx+st_dx_param.sn2], eax
后面好像有一串计算过程及验证, 不过直接patch跳过去, 并不会显示"Correct",所以这里并不是真正的验证点
3. directx
// [esi+30h] holds the st_dx_param pointer: hWndParent (offset 10h) is filled in,
// then the struct itself is passed as lpParameter and &param->dwThreadId (offset 4)
// as lpThreadId — offsets match the struct layout above.
.text:00403D75 mov eax, [esi+30h]
.text:00403D78 mov [eax+10h], ecx
.text:00403D7B mov ecx, [esi+30h]
.text:00403D7E lea eax, [ecx+4]
.text:00403D81 push eax ; lpThreadId
.text:00403D82 push 0 ; dwCreationFlags
.text:00403D84 push ecx ; lpParameter
.text:00403D85 push offset x_dx_thread ; lpStartAddress
.text:00403D8A push 0 ; dwStackSize
.text:00403D8C push 0 ; lpThreadAttributes
.text:00403D8E call ds:CreateThread
将d3d11.h的头文件修改下导入IDA
这里有3个Directx Shader Bytecode
__m128d ConstantBufferData[15];
sn放到ConstantBufferData[14]
VertexShader的输入格式
// Vertex layout consumed by the VertexShader. The "types" are the DXGI formats
// from InputElementDescs in x_dx_thread (offsets 0, 12, 20 -> stride 36), standing
// in for float3 / float2 / float4.
struct {
    DXGI_FORMAT_R32G32B32_FLOAT POSITION;    // v0: transformed by cb0[0..11]
    DXGI_FORMAT_R32G32_FLOAT TEXCOORD;       // v1: passed through to o1
    DXGI_FORMAT_R32G32B32A32_FLOAT COLOR;    // v2: passed through to o2; PixelShader0 outputs it as-is
};
g_buf_input1的点绘制出来是"绿色背景的Correct!"
g_buf_input2的点绘制出来是"红色背景的Wrong!"
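/*
 * Render thread started via CreateThread (see the .text:00403D85 listing).
 * Draws "Correct" (g_buf_input1, green) and "Wrong" (g_buf_input2, red) once
 * into two off-screen textures, then loops: copies sn0..sn2 from the shared
 * st_dx_param into constant-buffer slot 14 and draws a quad with PixelShader1,
 * which decides on the GPU which of the two textures to sample. The verdict
 * therefore never exists as a CPU-side value — only as pixels on screen.
 *
 * Decompiler reconstruction; "//..." marks elided code (the DriverTypes loop
 * that defines i, the ConstantBufferData initialisation, rgbBlack, ...).
 *
 * param: shared with the UI thread; sn0..sn2 are read under param->cs.
 * Returns 0 once param->hEvent is signalled.
 */
DWORD __stdcall x_dx_thread(st_dx_param *param)
{
    //...
    WNDCLASSEXW a1;
    //...
    RegisterClassExW(&a1);
    // 0x50000000 == WS_CHILD | WS_VISIBLE: the D3D surface is a child of the nana window,
    // placed at the same 50,20 / 200x80 rectangle as the two labels.
    HWND hWnd = CreateWindowExW(0, a1.lpszClassName, L"2018CTF@pediy.com", 0x50000000,
                                param->X, param->Y, param->nWidth, param->nHeight,
                                param->hWndParent, 0,
                                GetWindowLongW(param->hWndParent, GWL_HINSTANCE), 0);
    ShowWindow(hWnd, SW_SHOW);
    //...
    RECT rect;
    GetClientRect(param->hWndParent, &rect);
    GetWindowRect(param->hWndParent, &rect);
    //...
    float rgbSuccess[4];
    float rgbFail[4];
    // NOTE(review): 16 bytes into float[4] — st_dx_param above declares these as
    // double[4] (32 bytes); the struct field is presumably float[4], confirm.
    memcpy(rgbSuccess, param->rgbSuccess, 16);
    memcpy(rgbFail, param->rgbFail, 16);
    //...
    D3D_DRIVER_TYPE DriverTypes[3];
    DriverTypes[0] = D3D_DRIVER_TYPE_HARDWARE;
    DriverTypes[1] = D3D_DRIVER_TYPE_WARP;
    DriverTypes[2] = D3D_DRIVER_TYPE_SOFTWARE;
    D3D_FEATURE_LEVEL FeatureLevels[3];
    FeatureLevels[0] = D3D_FEATURE_LEVEL_11_0;
    FeatureLevels[1] = D3D_FEATURE_LEVEL_10_1;
    FeatureLevels[2] = D3D_FEATURE_LEVEL_10_0;
    D3D_FEATURE_LEVEL FeatureLevel = D3D_FEATURE_LEVEL_11_0;
    DXGI_SWAP_CHAIN_DESC SwapChainDesc;
    SwapChainDesc.BufferDesc.Width = param->nWidth;
    SwapChainDesc.BufferDesc.Height = param->nHeight;
    SwapChainDesc.OutputWindow = hWnd;
    SwapChainDesc.BufferCount = 1;
    SwapChainDesc.BufferDesc.Format = DXGI_FORMAT_R8G8B8A8_UNORM;
    SwapChainDesc.BufferDesc.RefreshRate.Numerator = 60;
    SwapChainDesc.BufferDesc.RefreshRate.Denominator = 1;
    SwapChainDesc.BufferUsage = 32;   // DXGI_USAGE_RENDER_TARGET_OUTPUT
    SwapChainDesc.SampleDesc.Count = 1;
    SwapChainDesc.SampleDesc.Quality = 0;
    SwapChainDesc.Windowed = 1;
    IDXGISwapChain *SwapChain;
    ID3D11Device *Device;
    ID3D11DeviceContext *DeviceContext;
    // i comes from the elided loop over DriverTypes (hardware, then WARP, then software);
    // 7 == D3D11_SDK_VERSION.
    D3D11CreateDeviceAndSwapChain(0, DriverTypes[i], 0, 0, FeatureLevels, 3, 7,
                                  &SwapChainDesc, &SwapChain, &Device, &FeatureLevel, &DeviceContext);
    ID3D11Texture2D *Surface;
    D3D11_TEXTURE2D_DESC Desc;
    ID3D11RenderTargetView *RenderTargetView;
    SwapChain->lpVtbl->GetBuffer(SwapChain, 0, &IID_D3D11Texture2D, &Surface);
    Surface->lpVtbl->GetDesc(Surface, &Desc);
    Device->lpVtbl->CreateRenderTargetView(Device, Surface, 0, &RenderTargetView);
    // Two off-screen textures with the back buffer's format/size: Resource0 will hold
    // "Correct", Resource1 "Wrong". Both render targets and shader resources.
    ID3D11Texture2D *Resource0;
    ID3D11Texture2D *Resource1;
    Desc.Usage = 0;   // D3D11_USAGE_DEFAULT
    Desc.BindFlags = D3D11_BIND_RENDER_TARGET|D3D11_BIND_SHADER_RESOURCE;
    Desc.CPUAccessFlags = 0;
    Desc.MiscFlags = D3D11_RESOURCE_MISC_GENERATE_MIPS;
    Device->lpVtbl->CreateTexture2D(Device, &Desc, 0, &Resource0);
    Device->lpVtbl->CreateTexture2D(Device, &Desc, 0, &Resource1);
    ID3D11RenderTargetView *RenderTargetViewSuccess;
    ID3D11RenderTargetView *RenderTargetViewFail;
    Device->lpVtbl->CreateRenderTargetView(Device, Resource0, 0, &RenderTargetViewSuccess);
    Device->lpVtbl->CreateRenderTargetView(Device, Resource1, 0, &RenderTargetViewFail);
    D3D11_SHADER_RESOURCE_VIEW_DESC ResourceViewDesc;
    ResourceViewDesc.Format = Desc.Format;
    ResourceViewDesc.Texture2D.MostDetailedMip = 0;
    ResourceViewDesc.Texture2D.MipLevels = -1;
    ResourceViewDesc.ViewDimension = D3D_SRV_DIMENSION_TEXTURE2D;
    ID3D11ShaderResourceView *ShaderResourceViewSuccess;
    ID3D11ShaderResourceView *ShaderResourceViewFail;
    Device->lpVtbl->CreateShaderResourceView(Device, Resource0, &ResourceViewDesc, &ShaderResourceViewSuccess);
    Device->lpVtbl->CreateShaderResourceView(Device, Resource1, &ResourceViewDesc, &ShaderResourceViewFail);
    // The three DXBC blobs embedded in the binary (sizes are what the author extracted).
    char g_buf_VertexShader[1308];
    char g_buf_PixelShader0[496];
    char g_buf_PixelShader1[3108];
    // Vertex layout: float3 POSITION @0, float2 TEXCOORD @12, float4 COLOR @20 -> stride 36.
    D3D11_INPUT_ELEMENT_DESC InputElementDescs[3];
    InputElementDescs[0].SemanticName = "POSITION";
    InputElementDescs[0].SemanticIndex = 0;
    InputElementDescs[0].Format = DXGI_FORMAT_R32G32B32_FLOAT;
    InputElementDescs[0].InputSlot = 0;
    InputElementDescs[0].AlignedByteOffset = 0;
    InputElementDescs[0].InputSlotClass = 0;
    InputElementDescs[0].InstanceDataStepRate = 0;
    InputElementDescs[1].SemanticName = "TEXCOORD";
    InputElementDescs[1].SemanticIndex = 0;
    InputElementDescs[1].Format = DXGI_FORMAT_R32G32_FLOAT;
    InputElementDescs[1].InputSlot = 0;
    InputElementDescs[1].AlignedByteOffset = 12;
    InputElementDescs[1].InputSlotClass = 0;
    InputElementDescs[1].InstanceDataStepRate = 0;
    InputElementDescs[2].SemanticName = "COLOR";
    InputElementDescs[2].SemanticIndex = 0;
    InputElementDescs[2].Format = DXGI_FORMAT_R32G32B32A32_FLOAT;
    InputElementDescs[2].InputSlot = 0;
    InputElementDescs[2].AlignedByteOffset = 20;
    InputElementDescs[2].InputSlotClass = 0;
    InputElementDescs[2].InstanceDataStepRate = 0;
    ID3D11VertexShader *VertexShader;
    ID3D11InputLayout *InputLayout;
    ID3D11PixelShader *PixelShader0;
    ID3D11PixelShader *PixelShader1;
    Device->lpVtbl->CreateVertexShader(Device, g_buf_VertexShader, 1308, 0, &VertexShader);
    Device->lpVtbl->CreateInputLayout(Device, InputElementDescs, 3, g_buf_VertexShader, 1308, &InputLayout);
    Device->lpVtbl->CreatePixelShader(Device, g_buf_PixelShader0, 496, 0, &PixelShader0);
    Device->lpVtbl->CreatePixelShader(Device, g_buf_PixelShader1, 3108, 0, &PixelShader1);
    D3D11_SAMPLER_DESC SamplerDesc;
    SamplerDesc.Filter = D3D11_FILTER_MIN_MAG_MIP_LINEAR;
    SamplerDesc.AddressU = D3D11_TEXTURE_ADDRESS_WRAP;
    SamplerDesc.AddressV = D3D11_TEXTURE_ADDRESS_WRAP;
    SamplerDesc.AddressW = D3D11_TEXTURE_ADDRESS_WRAP;
    SamplerDesc.ComparisonFunc = D3D11_COMPARISON_NEVER;
    SamplerDesc.MinLOD = 0;
    SamplerDesc.MaxLOD = FLT_MAX;
    ID3D11SamplerState *Sampler;
    Device->lpVtbl->CreateSamplerState(Device, &SamplerDesc, &Sampler);
    // Geometry: input0 is the final full-rect quad (6 indices), input1 the "Correct"
    // glyph mesh, input2 the "Wrong" glyph mesh.
    char g_buf_input0[144];
    char g_buf_input1[63936];
    char g_buf_input2[62028];
    __int16 g_buf_indice0[6];
    __int16 g_buf_indice1[5283];
    __int16 g_buf_indice2[5142];
    D3D11_SUBRESOURCE_DATA InitialData;
    D3D11_BUFFER_DESC BufferDesc;
    ID3D11Buffer *VertexBuffer0;
    ID3D11Buffer *VertexBuffer1;
    ID3D11Buffer *VertexBuffer2;
    ID3D11Buffer *IndexBuffer0;
    ID3D11Buffer *IndexBuffer1;
    ID3D11Buffer *IndexBuffer2;
    ID3D11Buffer *ConstantBuffer;
    //...
    BufferDesc.BindFlags = D3D11_BIND_VERTEX_BUFFER;
    InitialData.pSysMem = g_buf_input0;
    BufferDesc.ByteWidth = sizeof(g_buf_input0);
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, &InitialData, &VertexBuffer0);
    //...
    InitialData.pSysMem = g_buf_input1;
    BufferDesc.ByteWidth = sizeof(g_buf_input1);
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, &InitialData, &VertexBuffer1);
    //...
    InitialData.pSysMem = g_buf_input2;
    BufferDesc.ByteWidth = sizeof(g_buf_input2);
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, &InitialData, &VertexBuffer2);
    //...
    BufferDesc.BindFlags = D3D11_BIND_INDEX_BUFFER;
    InitialData.pSysMem = g_buf_indice0;
    BufferDesc.ByteWidth = sizeof(g_buf_indice0);
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, &InitialData, &IndexBuffer0);
    //...
    InitialData.pSysMem = g_buf_indice1;
    BufferDesc.ByteWidth = sizeof(g_buf_indice1);
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, &InitialData, &IndexBuffer1);
    //...
    InitialData.pSysMem = g_buf_indice2;
    BufferDesc.ByteWidth = sizeof(g_buf_indice2);
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, &InitialData, &IndexBuffer2);
    //...
    // 240 bytes == 15 x 16-byte registers: cb0[0..11] are the VertexShader matrices,
    // cb0[14] carries the serial for PixelShader1.
    BufferDesc.ByteWidth = 240;
    BufferDesc.BindFlags = D3D11_BIND_CONSTANT_BUFFER;
    Device->lpVtbl->CreateBuffer(Device, &BufferDesc, 0, &ConstantBuffer);
    __m128d ConstantBufferData[15];
    // ... ConstantBufferData init
    D3D11_VIEWPORT Viewport;
    Viewport.MinDepth = 0.0;
    Viewport.MaxDepth = 1.0;
    Viewport.TopLeftX = 0.0;
    Viewport.TopLeftY = 0.0;
    Viewport.Width = param->nWidth;
    Viewport.Height = param->nHeight;
    UINT Stride = 36;
    UINT Offset = 0;
    // g_buf_input1 -> VertexShader -> PixelShader0
    // Pre-render "Correct" on the green background into Resource0 (done once).
    DeviceContext->lpVtbl->UpdateSubresource(DeviceContext, ConstantBuffer, 0, 0, ConstantBufferData, 0, 0);
    DeviceContext->lpVtbl->ClearRenderTargetView(DeviceContext, RenderTargetViewSuccess, rgbSuccess);
    DeviceContext->lpVtbl->OMSetRenderTargets(DeviceContext, 1, &RenderTargetViewSuccess, 0);
    DeviceContext->lpVtbl->RSSetViewports(DeviceContext, 1, &Viewport);
    DeviceContext->lpVtbl->IASetVertexBuffers(DeviceContext, 0, 1, &VertexBuffer1, &Stride, &Offset);
    DeviceContext->lpVtbl->IASetIndexBuffer(DeviceContext, IndexBuffer1, DXGI_FORMAT_R16_UINT, 0);
    DeviceContext->lpVtbl->IASetInputLayout(DeviceContext, InputLayout);
    DeviceContext->lpVtbl->IASetPrimitiveTopology(DeviceContext, D3D_PRIMITIVE_TOPOLOGY_TRIANGLELIST);
    DeviceContext->lpVtbl->VSSetShader(DeviceContext, VertexShader, 0, 0);
    DeviceContext->lpVtbl->VSSetConstantBuffers(DeviceContext, 0, 1, &ConstantBuffer);
    DeviceContext->lpVtbl->PSSetShader(DeviceContext, PixelShader0, 0, 0);
    DeviceContext->lpVtbl->PSSetConstantBuffers(DeviceContext, 0, 1, &ConstantBuffer);
    DeviceContext->lpVtbl->PSSetSamplers(DeviceContext, 0, 1, &Sampler);
    DeviceContext->lpVtbl->DrawIndexed(DeviceContext, ARRAYSIZE(g_buf_indice1), 0, 0);
    // g_buf_input2 -> VertexShader -> PixelShader0
    // Pre-render "Wrong" on the red background into Resource1 (done once).
    DeviceContext->lpVtbl->GenerateMips(DeviceContext, ShaderResourceViewSuccess);
    DeviceContext->lpVtbl->UpdateSubresource(DeviceContext, ConstantBuffer, 0, 0, ConstantBufferData, 0, 0);
    DeviceContext->lpVtbl->ClearRenderTargetView(DeviceContext, RenderTargetViewFail, rgbFail);
    DeviceContext->lpVtbl->OMSetRenderTargets(DeviceContext, 1, &RenderTargetViewFail, 0);
    DeviceContext->lpVtbl->RSSetViewports(DeviceContext, 1, &Viewport);
    DeviceContext->lpVtbl->IASetVertexBuffers(DeviceContext, 0, 1, &VertexBuffer2, &Stride, &Offset);
    DeviceContext->lpVtbl->IASetIndexBuffer(DeviceContext, IndexBuffer2, DXGI_FORMAT_R16_UINT, 0);
    DeviceContext->lpVtbl->IASetInputLayout(DeviceContext, InputLayout);
    DeviceContext->lpVtbl->IASetPrimitiveTopology(DeviceContext, D3D_PRIMITIVE_TOPOLOGY_TRIANGLELIST);
    DeviceContext->lpVtbl->VSSetShader(DeviceContext, VertexShader, 0, 0);
    DeviceContext->lpVtbl->VSSetConstantBuffers(DeviceContext, 0, 1, &ConstantBuffer);
    DeviceContext->lpVtbl->PSSetShader(DeviceContext, PixelShader0, 0, 0);
    DeviceContext->lpVtbl->PSSetConstantBuffers(DeviceContext, 0, 1, &ConstantBuffer);
    DeviceContext->lpVtbl->PSSetSamplers(DeviceContext, 0, 1, &Sampler);
    DeviceContext->lpVtbl->DrawIndexed(DeviceContext, ARRAYSIZE(g_buf_indice2), 0, 0);
    DeviceContext->lpVtbl->GenerateMips(DeviceContext, ShaderResourceViewFail);
    //...
    // Main loop: poll hEvent with a zero timeout, pump messages, re-read the serial
    // under the critical section and redraw. Only the draw below uses PixelShader1.
    while ( WaitForSingleObjectEx(param->hEvent, 0, 0) == WAIT_TIMEOUT ) {
        MSG msg;
        if (PeekMessageW(&msg, 0, 0, 0, 1)) {   // 1 == PM_REMOVE
            TranslateMessage(&msg);
            DispatchMessageW(&msg);
        }
        // NOTE(review): PixelShader1 reads cb0[14] with integer ops (ine/ult/udiv), so the
        // three DWORDs must reach the buffer bit-for-bit; the ".m128d_f32" member is
        // presumably just the decompiler's view of a raw 32-bit store, not a float
        // conversion — confirm against the disassembly.
        EnterCriticalSection(&param->cs);
        ConstantBufferData[14].m128d_f32[0] = param->sn0;
        ConstantBufferData[14].m128d_f32[1] = param->sn1;
        ConstantBufferData[14].m128d_f32[2] = param->sn2;
        LeaveCriticalSection(&param->cs);
        //...
        // g_buf_input0 -> VertexShader -> PixelShader1
        // t0 = "Correct" texture, t1 = "Wrong" texture; the shader samples one of them.
        DeviceContext->lpVtbl->UpdateSubresource(DeviceContext, ConstantBuffer, 0, 0, ConstantBufferData, 0, 0);
        DeviceContext->lpVtbl->ClearRenderTargetView(DeviceContext, RenderTargetView, rgbBlack);
        DeviceContext->lpVtbl->OMSetRenderTargets(DeviceContext, 1, &RenderTargetView, 0);
        DeviceContext->lpVtbl->RSSetViewports(DeviceContext, 1, &Viewport);
        DeviceContext->lpVtbl->IASetVertexBuffers(DeviceContext, 0, 1, &VertexBuffer0, &Stride, &Offset);
        DeviceContext->lpVtbl->IASetIndexBuffer(DeviceContext, IndexBuffer0, DXGI_FORMAT_R16_UINT, 0);
        DeviceContext->lpVtbl->IASetInputLayout(DeviceContext, InputLayout);
        DeviceContext->lpVtbl->IASetPrimitiveTopology(DeviceContext, D3D_PRIMITIVE_TOPOLOGY_TRIANGLELIST);
        DeviceContext->lpVtbl->VSSetShader(DeviceContext, VertexShader, 0, 0);
        DeviceContext->lpVtbl->VSSetConstantBuffers(DeviceContext, 0, 1, &ConstantBuffer);
        DeviceContext->lpVtbl->PSSetShader(DeviceContext, PixelShader1, 0, 0);
        DeviceContext->lpVtbl->PSSetConstantBuffers(DeviceContext, 0, 1, &ConstantBuffer);
        DeviceContext->lpVtbl->PSSetShaderResources(DeviceContext, 0, 1, &ShaderResourceViewSuccess);
        DeviceContext->lpVtbl->PSSetShaderResources(DeviceContext, 1, 1, &ShaderResourceViewFail);
        DeviceContext->lpVtbl->PSSetSamplers(DeviceContext, 0, 1, &Sampler);
        DeviceContext->lpVtbl->DrawIndexed(DeviceContext, 6, 0, 0);
        SwapChain->lpVtbl->Present(SwapChain, 0, 0);
        Sleep(2);
    }
    //...
    return 0;
}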
将3个bytecode提取出来, 用fxdis反汇编下
VertexShader
# DXBC chunk 0: RDEF offset 52 size 352
# DXBC chunk 1: ISGN offset 412 size 104
# DXBC chunk 2: OSGN offset 524 size 108
# DXBC chunk 3: SHDR offset 640 size 536
# DXBC chunk 4: STAT offset 1184 size 116
// Plain transform: v0 goes through three 4x4 matrices held in cb0[8..11],
// cb0[0..3] and cb0[4..7]; TEXCOORD and COLOR are passed through unchanged.
vs_4_0
dcl_constant_buffer cb0[12].xyzw, immediateIndexed
dcl_input v0.xyzw
dcl_input v1.xy
dcl_input v2.xyzw
dcl_output_siv o0.xyzw, position
dcl_output o1.xy
dcl_output o2.xyzw
dcl_temps 2
// r0 = v0 * M(cb0[8..11])
dp4 r0.x, v0.xyzw, cb0[8].xyzw
dp4 r0.y, v0.xyzw, cb0[9].xyzw
dp4 r0.z, v0.xyzw, cb0[10].xyzw
dp4 r0.w, v0.xyzw, cb0[11].xyzw
// r1 = r0 * M(cb0[0..3])
dp4 r1.x, r0.xyzw, cb0[0].xyzw
dp4 r1.y, r0.xyzw, cb0[1].xyzw
dp4 r1.z, r0.xyzw, cb0[2].xyzw
dp4 r1.w, r0.xyzw, cb0[3].xyzw
// o0 (SV_Position) = r1 * M(cb0[4..7])
dp4 o0.x, r1.xyzw, cb0[4].xyzw
dp4 o0.y, r1.xyzw, cb0[5].xyzw
dp4 o0.z, r1.xyzw, cb0[6].xyzw
dp4 o0.w, r1.xyzw, cb0[7].xyzw
// texcoord / color pass-through
mov o1.xy, v1.xyxx
mov o2.xyzw, v2.xyzw
ret
PixelShader0
# DXBC chunk 0: RDEF offset 52 size 80
# DXBC chunk 1: ISGN offset 140 size 108
# DXBC chunk 2: OSGN offset 256 size 44
# DXBC chunk 3: SHDR offset 308 size 56
# DXBC chunk 4: STAT offset 372 size 116
// Used for the two off-screen pre-renders: emits the interpolated vertex COLOR as-is.
ps_4_0
dcl_input_ps linear v2.xyzw
dcl_output o0.xyzw
mov o0.xyzw, v2.xyzw
ret
PixelShader1(这个是验证sn的地方, 成功则绘制"Correct", 失败则绘制"Wrong")
# DXBC chunk 0: RDEF offset 52 size 468
# DXBC chunk 1: ISGN offset 528 size 108
# DXBC chunk 2: OSGN offset 644 size 44
# DXBC chunk 3: SHDR offset 696 size 2280
# DXBC chunk 4: STAT offset 2984 size 116
// The real check. cb0[14].xyz = sn0, sn1, sn2 (x, y, z below) as unsigned 32-bit
// integers; r0.x accumulates the verdict, and the only observable output is which of
// the two textures (t0 = "Correct", t1 = "Wrong") gets sampled.
ps_4_0
dcl_constant_buffer cb0[15].xyzw, immediateIndexed
dcl_sampler sampler[0]
dcl_resource_texture2d resource[0]
dcl_resource_texture2d resource[1]
dcl_input_ps linear v1.xy
dcl_output o0.xyzw
dcl_temps 4
// r0.x = x != 0 && y != 0 && z != 0
ine r0.xyz, cb0[14].xyzx, l(0, 0, 0, 0)
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
// && 1000000000 < x
ult r0.y, l(1000000000), cb0[14].x
and r0.x, r0.y, r0.x
// && x < y && y < z
ult r0.yz, cb0[14].xxyx, cb0[14].yyzy
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
// && z < 0xFFFFFFFF
ult r0.y, cb0[14].z, l(4294967295)
and r0.x, r0.y, r0.x
// r0.y = z/100000, r0.z = x/100000, r0.w = y/100000 (upper five digits)
udiv r0.yzw, null, cb0[14].zzxy, l(0, 100000, 100000, 100000)
// r1.x = x%100000, r1.y = y%100000, r1.z = z%100000 (lower five digits)
imad r1.xyz, r0.zwyz, l(-100000, -100000, -100000, 0), cb0[14].xyzx
// r1.w = the five digits of r0.z reassembled in reverse order; must equal r1.x
udiv r2.x, r3.x, r0.z, l(10)
udiv null, r1.w, r2.x, l(10)
udiv r2.xyzw, null, r0.zzzw, l(100, 1000, 10000, 100)
udiv null, r2.xyzw, r2.xyzw, l(10, 10, 10, 10)
imul null, r1.w, r1.w, l(1000)
imad r1.w, r3.x, l(10000), r1.w
imad r1.w, r2.x, l(100), r1.w
imad r1.w, r2.y, l(10), r1.w
iadd r1.w, r2.z, r1.w
ieq r1.x, r1.x, r1.w
and r0.x, r0.x, r1.x
// same for r0.w (y) against r1.y
udiv r1.x, r2.x, r0.w, l(10)
udiv null, r1.x, r1.x, l(10)
udiv r3.xyzw, null, r0.wwyy, l(1000, 10000, 100, 1000)
udiv null, r3.xyzw, r3.xyzw, l(10, 10, 10, 10)
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r2.w, l(100), r1.x
imad r1.x, r3.x, l(10), r1.x
iadd r1.x, r3.y, r1.x
ieq r1.x, r1.y, r1.x
and r0.x, r0.x, r1.x
// same for r0.y (z) against r1.z
udiv r1.x, r2.x, r0.y, l(10)
udiv r1.y, null, r0.y, l(10000)
udiv null, r1.xy, r1.xyxx, l(10, 10, 0, 0)
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r3.z, l(100), r1.x
imad r1.x, r3.w, l(10), r1.x
iadd r1.x, r1.y, r1.x
ieq r1.x, r1.z, r1.x
and r0.x, r0.x, r1.x
// if any check above already failed, the raw values replace the quotients;
// the final result is ANDed with r0.x anyway, so the sums below only matter on success
movc r0.yzw, r0.xxxx, r0.yyzw, cb0[14].zzxy
// r0.w + r0.z + r0.y + 14159 == 95028
iadd r1.x, r0.w, r0.z
iadd r1.x, r0.y, r1.x
iadd r1.x, r1.x, l(14159)
ieq r1.x, r1.x, l(95028)
and r0.x, r0.x, r1.x
// 3*r0.z + r0.w + 14159 - r0.y == 53574  and  6*r0.y + r0.z + 42477 - r0.w == 264917
imad r1.xy, l(3, 6, 0, 0), r0.zyzz, r0.wzww
iadd r1.xy, r1.xyxx, l(14159, 42477, 0, 0)
iadd r1.xy, -r0.ywyy, r1.xyxx
ieq r1.xy, r1.xyxx, l(53574, 264917, 0, 0)
and r0.x, r0.x, r1.x
// 2*r0.w + r0.y + 28318 - r0.z == 99009
ishl r0.w, r0.w, l(1)
iadd r0.y, r0.w, r0.y
iadd r0.y, r0.y, l(28318)
iadd r0.y, -r0.z, r0.y
ieq r0.y, r0.y, l(99009)
and r0.x, r0.y, r0.x
and r0.x, r1.y, r0.x
// all checks passed -> sample the "Correct" texture, else the "Wrong" texture
if_nz r0.x
sample o0.xyzw, v1.xyxx, resource[0].xyzw, sampler[0]
ret
else
sample o0.xyzw, v1.xyxx, resource[1].xyzw, sampler[0]
ret
endif
ret
参考: https://docs.microsoft.com/en-us/windows/desktop/direct3dhlsl/dx-graphics-hlsl-sm4-asm
sn0=x sn1=y sn2=z 0xFFFFFFFF > z > y > x > 1000000000 r0_y = z/100000 r0_z = x/100000 r0_w = y/100000 r1_x = r0_z * (-100000) + x = x % 100000 r1_y = r0_w * (-100000) + y = y % 100000 r1_z = r0_y * (-100000) + z = z % 100000 r2_x = r0_z / 10 r3_x = r0_z % 10 r1_w = r2_x % 10 r2_x = r0_z / 100 r2_y = r0_z / 1000 r2_z = r0_z / 10000 r2_w = r0_w / 100 r2_x = r2_x % 10 r2_y = r2_y % 10 r2_z = r2_z % 10 r2_w = r2_w % 10 r1_w = r1_w * 1000 r1_w = r3_x * 10000 + r1_w r1_w = r2_x * 100 + r1_w r1_w = r2_y * 10 + r1_w r1_w = r2_z + r1_w r1_x == r1_w r1_x = r0_w / 10 r2_x = r0_w % 10 r1_x = r1_x % 10 r3_x = r0_w / 1000 r3_y = r0_w / 10000 r3_z = r0_y / 100 r3_w = r0_y / 1000 r3_x = r3_x % 10 r3_y = r3_y % 10 r3_z = r3_z % 10 r3_w = r3_w % 10 r1_x = r1_x * 1000 r1_x = r2_x * 10000 + r1_x r1_x = r2_w * 100 + r1_x r1_x = r3_x * 10 + r1_x r1_x = r3_y + r1_x r1_y == r1_x r1_x = r0_y / 10 r2_x = r0_y % 10 r1_y = r0_y / 10000 r1_x = r1_x % 10 r1_y = r1_y % 10 r1_x = r1_x * 1000 r1_x = r2_x * 10000 + r1_x r1_x = r3_z * 100 + r1_x r1_x = r3_w * 10 + r1_x r1_x = r1_y + r1_x r1_z == r1_x r1_x = r0_w + r0_z r1_x = r0_y + r1_x r1_x = r1_x + 14159 r1_x == 95028 r1_x = 3 * r0_z + r0_w r1_y = 6 * r0_y + r0_z r1_x = r1_x + 14159 r1_y = r1_y + 42477 r1_x = -r0_y + r1_x r1_y = -r0_w + r1_y r1_x == 53574 r1_y == 264917 r0_w = r0_w << 1 r0_y = r0_w + r0_y r0_y = r0_y + 28318 r0_y = -r0_z + r0_y r0_y == 99009
将上述代码化简下
sn0=x sn1=y sn2=z
0xFFFFFFFF > z > y > x > 1000000000
r0_y = z/100000
r0_z = x/100000
r0_w = y/100000
r1_x = x % 100000
r1_y = y % 100000
r1_z = z % 100000
r1_x == ((r0_z / 10000) % 10) + ((r0_z / 1000) % 10) * 10 + ((r0_z / 100) % 10) * 100 + (r0_z % 10) * 10000 + ((r0_z / 10) % 10) * 1000
r1_y == ((r0_w / 10000) % 10) + ((r0_w / 1000) % 10) * 10 + ((r0_w / 100) % 10) * 100 + (r0_w % 10) * 10000 + ((r0_w / 10) % 10) * 1000
r1_z == ((r0_y / 10000) % 10) + ((r0_y / 1000) % 10) * 10 + ((r0_y / 100) % 10) * 100 + (r0_y % 10) * 10000 + (((r0_y / 10) % 10) * 1000)
(即 r1_x 是 r0_z 五位数字的倒序, r1_y、r1_z 同理)
95028 == r0_w + r0_z + r0_y + 14159
53574 == -r0_y + 3 * r0_z + r0_w + 14159
264917 == -r0_w + 6 * r0_y + r0_z + 42477
99009 == -r0_z + r0_w * 2 + r0_y + 28318
直接用z3算出结果, 得到sn: 175800857124982289423830770383
[r0_z = 17580, r0_w = 24982, r1_z = 70383, r1_y = 28942, r1_x = 8571, r0_y = 38307]