[原创]看雪CTF.TSRC 2018 团队赛 第九题 谍战
2018-12-19 02:06 2889
看雪CTF.TSRC 2018 团队赛 第九题 谍战
(先占个坑,一般占坑这样的,后面就没后文了,这个除外)
主要部分代码
DirectX编程,Shader编程,nana库
主要部分代码:
/*
 * Hex-Rays pseudocode of the challenge's render thread (IDA names kept,
 * reformatted one statement per line; nothing else changed).
 *
 * lpThreadParameter is a caller-owned context block read as 32-bit slots:
 *   [2]       a waitable handle polled as the loop's exit condition
 *   [4]       the parent HWND
 *   [9..12]   four values -> clear colour of off-screen target 1 (v136)
 *   [13..16]  x, y, width, height of the child window; also the clear colour
 *             of off-screen target 2 (v137)
 *   [40..42]  the three user-entered numbers (v129..v131)
 *   +136      a CRITICAL_SECTION guarding those numbers
 *
 * The three numbers are copied into the last 16 bytes of the 240-byte
 * constant buffer l_buffer_0 (cb0[14] in the ps_4_0 disassembly).  No
 * comparison happens on the CPU: the pixel shader `hlsl` evaluates the
 * constraints and chooses which of two pre-rendered textures is shown.
 * For an analyst this means the verification logic lives in the embedded
 * DXBC blobs, not in x86 code.
 *
 * Returns 0 unconditionally; HRESULT failures only shorten the setup chain.
 */
DWORD __userpurge window_or_more_403E70@<eax>(__m128 a1@<xmm3>, LPVOID lpThreadParameter)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  memset_47C9E0(&l_win_class, 0, 0x30);
  hWnd = 0;
  v2 = 0;                                       // running HRESULT
  // Msg is reused as scratch storage: these three ints are the driver-type
  // candidates that the creation loop below indexes as (&Msg.hwnd)[v14].
  Msg.hwnd = 1;
  Msg.message = 5;
  Msg.wParam = 4;
  // Feature-level list (3 entries) handed to D3D11CreateDeviceAndSwapChain.
  v138 = 0xB000;
  v139 = 0xA100;
  v140 = 0xA000;
  l_FeatureLevel = 0xB000;
  l_pDevice = 0;
  l_pImmediateContext = 0;
  memset_47C9E0(&v94, 0, 0x3C);                 // swap-chain description
  l_pSwapChain = 0;
  memset_47C9E0(&l_Desc, 0, 0x2C);              // texture description
  v84 = 0;                                      // swap-chain back buffer
  v83 = 0;                                      // render-target view on it
  l_pTexture2D_1 = 0;
  l_pTexture2D_2 = 0;
  l_pRTView_1 = 0;
  l_pRTView_2 = 0;
  l_pSRView_1 = 0;
  l_pSRView_2 = 0;
  v102 = 0i64;                                  // viewport
  v103 = 0i64;
  // Input layout, three elements: semantic name, semantic index, format,
  // slot, byte offset, slot class, step rate.  Offsets 0 / 12 / 20 and the
  // stride v100 = 36 are consistent with a float3 + float2 + float4 vertex.
  v141 = "POSITION";
  v142 = 0;
  v143 = 6;
  v144 = 0;
  v145 = 0;
  v146 = 0;
  v147 = 0;
  v148 = "TEXCOORD";
  v149 = 0;
  v150 = 16;
  v151 = 0;
  v152 = 12;
  v153 = 0;
  v154 = 0;
  v155 = "COLOR";
  v156 = 0;
  v157 = 2;
  v158 = 0;
  v159 = 20;
  v160 = 0;
  v161 = 0;
  l_VertexShader = 0;
  l_pPixelShader_1 = 0;
  l_pPixelShader = 0;
  l_pInputLayout = 0;
  l_pSamplerState = 0;
  v71 = 0i64;                                   // initial-data descriptor for CreateBuffer
  v72 = 0;
  v98 = 0i64;                                   // buffer description (ByteWidth, BindFlags, ...)
  v99 = 0i64;
  l_buffer_4C4C30 = 0;
  l_buffer_4C22DC = 0;
  l_buffer_4C4CC0 = 0;
  l_buffer_4C22E8 = 0;
  l_buffer_4D4680 = 0;
  l_buffer_4BFAB0 = 0.0;                        // IDA typed this as float; it holds a COM pointer
  l_buffer_0 = 0;                               // 240-byte constant buffer
  v100 = 36;                                    // vertex stride
  v101 = 0;                                     // vertex offset
  v162 = xmmword_4AEA00;                        // back-buffer clear colour
  v136 = 0i64;
  v137 = 0i64;
  // Argument validation.  NOTE: the NULL case jumps to LABEL_93 and then
  // falls through to `v6 = *(lpThreadParameter + 4)` below, so a NULL
  // context is dereferenced anyway — the guard does not protect anything.
  if ( !lpThreadParameter )
    goto LABEL_93;
  if ( !*(lpThreadParameter + 15) )
    goto LABEL_93;
  if ( !*(lpThreadParameter + 16) )
    goto LABEL_93;
  v3 = *(lpThreadParameter + 4);                // parent window
  l_win_class.cbSize = 48;
  l_win_class.style = 3;
  l_win_class.lpfnWndProc = msg_handler_403DB0;
  l_win_class.cbClsExtra = 0;
  l_win_class.cbWndExtra = 0;
  l_win_class.hInstance = GetWindowLongW(v3, -6);  // -6 == GWL_HINSTANCE
  *&l_win_class.hIcon = xmmword_4AE980;
  l_win_class.lpszClassName = L"LOGO";
  l_win_class.hIconSm = 0;
  if ( RegisterClassExW(&l_win_class) )
  {
    v4 = GetWindowLongW(*(lpThreadParameter + 4), -6);
    // Child window placed and sized from context slots 13..16.
    v5 = CreateWindowExW(
           0,
           l_win_class.lpszClassName,
           L"2018CTF@pediy.com",
           0x50000000u,
           *(lpThreadParameter + 13),
           *(lpThreadParameter + 14),
           *(lpThreadParameter + 15),
           *(lpThreadParameter + 16),
           *(lpThreadParameter + 4),
           0,
           v4,
           0);
    hWnd = v5;
    if ( v5 )
    {
      ShowWindow(v5, 5);
    }
    else
    {
      GetLastError();                           // result discarded
      v2 = 0x80004005;                          // E_FAIL
    }
  }
  else
  {
LABEL_93:
    v2 = 0x80070057;                            // E_INVALIDARG
  }
  v6 = *(lpThreadParameter + 4);
  *&Rect[12] = 0i64;
  GetClientRect(v6, &Rect[12]);
  GetWindowRect(*(lpThreadParameter + 4), &Rect[12]);  // overwrites the client rect just fetched; neither is used later
  if ( v2 >= 0 )
  {
    // Clear colours for the two off-screen targets, straight from the context.
    v7 = *(lpThreadParameter + 9);
    *&v136 = v7;
    v8 = *(lpThreadParameter + 10);
    *(&v136 + 1) = v8;
    v9 = *(lpThreadParameter + 11);
    *(&v136 + 2) = v9;
    v10 = *(lpThreadParameter + 12);
    *(&v136 + 3) = v10;
    v11 = *(lpThreadParameter + 13);
    *&v137 = v11;
    v12 = *(lpThreadParameter + 14);
    *(&v137 + 1) = v12;
    v13 = *(lpThreadParameter + 15);
    *(&v137 + 2) = v13;
    *(&v137 + 3) = *(lpThreadParameter + 16);
    // Swap-chain description: back buffer of width x height on hWnd, windowed.
    memset_47C9E0(&v94, 0, 0x3C);
    v94 = *(lpThreadParameter + 15);
    LODWORD(v95) = *(lpThreadParameter + 16);
    v97[1] = __PAIR__(1, hWnd);
    v14 = 0;
    DWORD1(v95) = 60;
    *(&v95 + 1) = 0x1C00000001i64;
    v97[0] = 0x100000020i64;
    *(&v96 + 1) = 1i64;
    v67 = 0;
    // Try the three driver types in order until one succeeds.
    while ( 1 )
    {
      v2 = D3D11CreateDeviceAndSwapChain(
             0,
             *(&Msg.hwnd + v14),
             0,
             0,
             &v138,
             3,
             7,
             &v94,
             &l_pSwapChain,
             &l_pDevice,
             &l_FeatureLevel,
             &l_pImmediateContext);
      if ( v2 >= 0 )
        break;
      v14 = v67 + 1;
      v67 = v14;
      // BUG: after three failures l_pImmediateContext is still NULL, yet the
      // code at LABEL_35 calls through it unconditionally (crash, not a
      // clean error return).
      if ( v14 >= 3 )
        goto LABEL_35;
    }
    v2 = l_pSwapChain->lpVtbl->GetBuffer(l_pSwapChain, 0, &g_riid_4AB690, &v84);
    if ( v2 >= 0 )
    {
      (*(*v84 + 40))(v84, &l_Desc);             // vtable slot 10 — presumably ID3D11Texture2D::GetDesc
      v2 = (l_pDevice->lpVtbl->CreateRenderTargetView1)(l_pDevice, v84, 0, &v83);
      if ( v2 >= 0 )
      {
        v113 = 0;
        *Rect = 40;
        *&Rect[4] = 0;
        *&Rect[8] = 1;
        // Two textures with the back buffer's description.  Each gets a
        // render-target view (drawn into once at LABEL_35) and a shader-
        // resource view (read by the final pixel shader every frame).
        v2 = (l_pDevice->lpVtbl->CreateTexture2D1)(l_pDevice, &l_Desc, 0, &l_pTexture2D_1);
        if ( v2 >= 0 )
        {
          v2 = (l_pDevice->lpVtbl->CreateTexture2D1)(l_pDevice, &l_Desc, 0, &l_pTexture2D_2);
          if ( v2 >= 0 )
          {
            l_Desc_1 = v112;
            v110 = 0i64;
            v107 = 4;
            v108 = 0;
            v109 = -1;
            v2 = (l_pDevice->lpVtbl->CreateRenderTargetView1)(
                   l_pDevice,
                   l_pTexture2D_1,
                   0,
                   &l_pRTView_1);
            if ( v2 >= 0 )
            {
              v2 = (l_pDevice->lpVtbl->CreateRenderTargetView1)(
                     l_pDevice,
                     l_pTexture2D_2,
                     0,
                     &l_pRTView_2);
              if ( v2 >= 0 )
              {
                v2 = (l_pDevice->lpVtbl->CreateShaderResourceView1)(
                       l_pDevice,
                       l_pTexture2D_1,
                       &l_Desc_1,
                       &l_pSRView_1);
                if ( v2 >= 0 )
                {
                  v2 = (l_pDevice->lpVtbl->CreateShaderResourceView1)(
                         l_pDevice,
                         l_pTexture2D_2,
                         &l_Desc_1,
                         &l_pSRView_2);
                  if ( v2 >= 0 )
                  {
                    // Viewport: origin (0,0), size width x height, depth 0..1
                    // (0x3F800000 is 1.0f).
                    v15 = *(lpThreadParameter + 15);
                    v102 = 0i64;
                    v103 = 0x3F80000000000000i64;
                    v16 = v15;
                    v17 = *(lpThreadParameter + 16);
                    *&v102 = 0i64;
                    *&v16 = v16;
                    DWORD2(v102) = LODWORD(v16);
                    *(&v102 + 3) = v17;
                    // Three embedded DXBC blobs: vertex shader hlsl2 (0x51C bytes),
                    // pixel shader hlsl1 (0x1F0, used for the two off-screen passes)
                    // and pixel shader hlsl (0xC24, used in the frame loop — the one
                    // disassembled further down the page).
                    v2 = (l_pDevice->lpVtbl->CreateVertexShader1)(
                           l_pDevice,
                           &hlsl2,
                           0x51C,
                           0,
                           &l_VertexShader);
                    if ( v2 >= 0 )
                    {
                      v2 = (l_pDevice->lpVtbl->CreateInputLayout1)(
                             l_pDevice,
                             &v141,
                             3,
                             &hlsl2,
                             0x51C,
                             &l_pInputLayout);
                      if ( v2 >= 0 )
                      {
                        v2 = (l_pDevice->lpVtbl->CreatePixelShader1)(
                               l_pDevice,
                               &hlsl1,
                               0x1F0,
                               0,
                               &l_pPixelShader_1);
                        if ( v2 >= 0 )
                        {
                          v2 = (l_pDevice->lpVtbl->CreatePixelShader1)(
                                 l_pDevice,
                                 &hlsl,
                                 0xC24,
                                 0,
                                 &l_pPixelShader);
                          if ( v2 >= 0 )
                          {
                            memset_47C9E0(&l_SamplerDesc, 0, 52);
                            l_SamplerDesc = xmmword_4AE9B0;
                            v133 = 1;
                            v134 = 0;
                            v135 = 0x7F7FFFFF;                    // FLT_MAX bit pattern (max LOD)
                            v2 = (l_pDevice->lpVtbl->CreateSamplerState1)(
                                   l_pDevice,
                                   &l_SamplerDesc,
                                   &l_pSamplerState);
                            if ( v2 >= 0 )
                            {
                              // Three vertex buffers (BindFlags 1) initialised from static
                              // data: 144, 0xF9C0 and 0xF24C bytes.
                              v72 = 0;
                              v71 = 0i64;
                              v99 = 0i64;
                              *&v98 = 144i64;
                              *(&v98 + 1) = 1i64;
                              LODWORD(v71) = &flt_4C4C30;
                              v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                     l_pDevice,
                                     &v98,
                                     &v71,
                                     &l_buffer_4C4C30);
                              if ( v2 >= 0 )
                              {
                                LODWORD(v98) = 0xF9C0;
                                v71 = 0i64;
                                v72 = 0;
                                LODWORD(v71) = &flt_4C4CC0;
                                v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                       l_pDevice,
                                       &v98,
                                       &v71,
                                       &l_buffer_4C4CC0);
                                if ( v2 >= 0 )
                                {
                                  LODWORD(v98) = 0xF24C;
                                  v71 = 0i64;
                                  v72 = 0;
                                  LODWORD(v71) = &flt_4D4680;
                                  v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                         l_pDevice,
                                         &v98,
                                         &v71,
                                         &l_buffer_4D4680);
                                  if ( v2 >= 0 )
                                  {
                                    // Three index buffers (BindFlags 2) of 12, 0x2946 and 0x282C
                                    // bytes.  With 16-bit indices (format 57 below) that is 6,
                                    // 0x14A3 and 0x1416 indices — exactly the counts passed to
                                    // the draw calls at LABEL_35 and in the loop.
                                    v72 = 0;
                                    v71 = 0i64;
                                    v99 = 0i64;
                                    *&v98 = 12i64;
                                    *(&v98 + 1) = 2i64;
                                    LODWORD(v71) = &word_4C22DC;
                                    v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                           l_pDevice,
                                           &v98,
                                           &v71,
                                           &l_buffer_4C22DC);
                                    if ( v2 >= 0 )
                                    {
                                      LODWORD(v98) = 0x2946;
                                      v71 = 0i64;
                                      v72 = 0;
                                      LODWORD(v71) = &word_4C22E8;
                                      v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                             l_pDevice,
                                             &v98,
                                             &v71,
                                             &l_buffer_4C22E8);
                                      if ( v2 >= 0 )
                                      {
                                        LODWORD(v98) = 0x282C;
                                        v71 = 0i64;
                                        v72 = 0;
                                        LODWORD(v71) = &word_4BFAB0;
                                        v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                               l_pDevice,
                                               &v98,
                                               &v71,
                                               &l_buffer_4BFAB0);
                                        if ( v2 >= 0 )
                                        {
                                          // Constant buffer (BindFlags 4): 240 bytes = 15 float4
                                          // registers, matching `dcl_constant_buffer cb0[15]` in the
                                          // pixel shader.  No initial data; filled via UpdateSubresource.
                                          v99 = 0i64;
                                          *&v98 = 240i64;
                                          *(&v98 + 1) = 4i64;
                                          v2 = (l_pDevice->lpVtbl->CreateBuffer1)(
                                                 l_pDevice,
                                                 &v98,
                                                 0,
                                                 &l_buffer_0);
                                          if ( v2 >= 0 )
                                          {
                                            // CPU image of the constant buffer: v115..v128 are fourteen
                                            // 16-byte rows (cb0[0..13]); v129..v131, written in the
                                            // loop, form the last row (cb0[14]).  The shuffle sequences
                                            // look like 4x4 matrix transposes (view / projection) —
                                            // plausible but not verified here.
                                            memset_47C9E0(&v115, 0, 240);
                                            v18 = _mm_sub_ps(0i64, xmmword_4AE9A0);
                                            sub_402090();                 // helper; its result seems to arrive in xmm3 (a1)
                                            v19 = *(lpThreadParameter + 15);
                                            Msg.message = 0x401A8279;
                                            Msg.wParam = 0x3F800347;
                                            v20 = _mm_shuffle_ps(xmmword_4AE9A0, v18, 0x44);
                                            v21 = _mm_shuffle_ps(xmmword_4AE9A0, v18, 0xEE);
                                            v22 = v20;
                                            Msg.lParam = 0xBC23DB3C;
                                            v23 = _mm_shuffle_ps(xmmword_4AE960, a1, 0xEE);
                                            v117 = _mm_shuffle_ps(v21, v23, 0x88);
                                            v24 = _mm_shuffle_ps(xmmword_4AE960, a1, 0x44);
                                            v25 = _mm_shuffle_ps(v20, v24, 0xDD);
                                            v26 = _mm_shuffle_ps(v22, v24, 0x88);
                                            v24.m128_f32[0] = v19;
                                            v27 = *(lpThreadParameter + 16);
                                            v28 = *(lpThreadParameter + 16) >> 31;
                                            v116 = v25;
                                            v29 = 0i64;
                                            v30 = v27 + qword_4AEB30[v28];   // sign-bit table lookup: likely an unsigned -> double conversion
                                            v115 = v26;
                                            v118 = _mm_shuffle_ps(v21, v23, 0xDD);
                                            *&v30 = v30;
                                            // 2.4142134 == cot(22.5 deg) divided by width/height: the x scale
                                            // of a 45-degree perspective projection.
                                            *&Msg.hwnd = 2.4142134 / (v24.m128_f32[0] / *&v30);
                                            v29.m128_f32[0] = *&Msg.hwnd;
                                            v31 = _mm_and_ps(*&Msg.hwnd, xmmword_4ACAD0);
                                            v32 = _mm_shuffle_ps(*&Msg.hwnd, xmmword_4ACAE0, 238);
                                            v33 = _mm_shuffle_ps(0i64, v32, 0xC0);
                                            v34 = _mm_shuffle_ps(v29, v31, 0x44);   // 1010
                                            v35 = _mm_shuffle_ps(v33, v32, 0x90);   // 2100
                                            v36 = _mm_shuffle_ps(v33, v35, 0x44);
                                            v37 = _mm_shuffle_ps(v33, v35, 0xEE);   // 3232
                                            v38 = v34;
                                            v39 = _mm_shuffle_ps(v34, v36, 0xDD);   // 3131
                                            v40 = _mm_shuffle_ps(v29, v31, 0xEE);
                                            v41 = _mm_shuffle_ps(v38, v36, 0x88);   // 2020
                                            v42 = _mm_shuffle_ps(v40, v37, 0x88);
                                            v43 = _mm_shuffle_ps(v40, v37, 0xDD);
                                            v120 = v39;
                                            v44 = _mm_shuffle_ps(xmmword_4ACB10, xmmword_4ACB00, 0x44);
                                            v45 = _mm_shuffle_ps(xmmword_4ACB10, xmmword_4ACB00, 0xEE);
                                            v121 = v42;
                                            v119 = v41;
                                            v122 = v43;
                                            v46 = _mm_shuffle_ps(xmmword_4ACAF0, xmmword_4ACAE0, 0x44);
                                            v47 = _mm_shuffle_ps(v44, v46, 0x88);
                                            a1 = _mm_shuffle_ps(v44, v46, 0xDD);
                                            v48 = _mm_shuffle_ps(xmmword_4ACAF0, xmmword_4ACAE0, 0xEE);
                                            v125 = _mm_shuffle_ps(v45, v48, 0x88);
                                            v127 = v136;                  // cb0[12] / cb0[13]: the two clear colours
                                            v123 = v47;
                                            v124 = a1;
                                            v126 = _mm_shuffle_ps(v45, v48, 0xDD);
                                            v128 = v137;
                                          }
                                        }
                                      }
                                    }
                                  }
                                }
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
LABEL_35:
  // Reached on success AND from the failed device-creation loop (see above).
  // Any mid-chain failure also lands here with some objects still NULL.
  //
  // Off-screen pass 1: mesh l_buffer_4C4CC0 / l_buffer_4C22E8 (0x14A3
  // indices) with pixel shader hlsl1 into texture 1, then mip generation.
  // The vtable slot IDA labelled "SetSamplers1" is called as (index count,
  // 0, 0); the author's own comment in the frame loop identifies it as
  // DrawIndexed, and the index counts match the index-buffer sizes.
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_UpdateSubresource)(
    l_pImmediateContext,
    l_buffer_0,
    0,
    0,
    &v115,
    0,
    0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_ClearRenderTargetView)(l_pImmediateContext, l_pRTView_1, &v136);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_OMSetRenderTargets)(l_pImmediateContext, 1, &l_pRTView_1, 0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_RSSetViewports)(l_pImmediateContext, 1, &v102);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetVertexBuffers)(
    l_pImmediateContext,
    0,
    1,
    &l_buffer_4C4CC0,
    &v100,
    &v101);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetIndexBuffer)(l_pImmediateContext, l_buffer_4C22E8, 57, 0);  // 57: 16-bit indices
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetInputLayout)(l_pImmediateContext, l_pInputLayout);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetPrimitiveTopology)(l_pImmediateContext, 4);  // 4: triangle list
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShader)(l_pImmediateContext, l_VertexShader, 0, 0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetConstantBuffers)(l_pImmediateContext, 0, 1, &l_buffer_0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShader1)(l_pImmediateContext, l_pPixelShader_1, 0, 0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetConstantBuffers1)(l_pImmediateContext, 0, 1, &l_buffer_0);
  (LODWORD(l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetSamplers))(l_pImmediateContext, 0, 1, &l_pSamplerState);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetSamplers1)(l_pImmediateContext, 0x14A3, 0, 0);  // DrawIndexed(0x14A3)
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_GenerateMips)(l_pImmediateContext, l_pSRView_1);
  // Off-screen pass 2: mesh l_buffer_4D4680 / l_buffer_4BFAB0 (0x1416
  // indices), same shaders, into texture 2.
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_UpdateSubresource)(
    l_pImmediateContext,
    l_buffer_0,
    0,
    0,
    &v115,
    0,
    0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_ClearRenderTargetView)(l_pImmediateContext, l_pRTView_2, &v137);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_OMSetRenderTargets)(l_pImmediateContext, 1, &l_pRTView_2, 0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_RSSetViewports)(l_pImmediateContext, 1, &v102);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetVertexBuffers)(
    l_pImmediateContext,
    0,
    1,
    &l_buffer_4D4680,
    &v100,
    &v101);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetIndexBuffer)(
    l_pImmediateContext,
    LODWORD(l_buffer_4BFAB0),
    57,
    0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetInputLayout)(l_pImmediateContext, l_pInputLayout);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetPrimitiveTopology)(l_pImmediateContext, 4);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShader)(l_pImmediateContext, l_VertexShader, 0, 0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetConstantBuffers)(l_pImmediateContext, 0, 1, &l_buffer_0);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShader1)(l_pImmediateContext, l_pPixelShader_1, 0, 0);// TID3D11DeviceContext_SetShader
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetConstantBuffers1)(l_pImmediateContext, 0, 1, &l_buffer_0);
  (LODWORD(l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetSamplers))(l_pImmediateContext, 0, 1, &l_pSamplerState);
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetSamplers1)(l_pImmediateContext, 0x1416, 0, 0);  // DrawIndexed(0x1416)
  (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_GenerateMips)(l_pImmediateContext, l_pSRView_2);
  if ( v2 >= 0 )
  {
    // Frame loop: runs until the handle in context slot 2 becomes signalled.
    while ( WaitForSingleObjectEx(*(lpThreadParameter + 2), 0, 0) == WAIT_TIMEOUT )
    {
      Msg.pt.y = 0;
      *&Msg.hwnd = 0i64;
      *&Msg.time = 0i64;
      if ( PeekMessageW(&Msg, 0, 0, 0, 1u) )      // 1 == PM_REMOVE
      {
        TranslateMessage(&Msg);
        DispatchMessageW(&Msg);
      }
      // Snapshot the three user numbers under the lock; they become cb0[14].xyz.
      EnterCriticalSection((lpThreadParameter + 136));
      v129 = *(lpThreadParameter + 40);
      v130 = *(lpThreadParameter + 41);
      v131 = *(lpThreadParameter + 42);
      LeaveCriticalSection((lpThreadParameter + 136));
      // Rebuild rows 0..3 and 8..11 of the constant buffer each frame
      // (same transpose pattern as during setup, different source constants).
      v49 = _mm_sub_ps(0i64, xmmword_4AE990);
      sub_402090();
      v50 = _mm_shuffle_ps(xmmword_4AE990, v49, 0xEE);// 3232
      v51 = _mm_shuffle_ps(xmmword_4AE990, v49, 0x44);// 1010
      v52 = _mm_shuffle_ps(xmmword_4AE960, a1, 0xEE);
      v53 = _mm_shuffle_ps(xmmword_4AE960, a1, 0x44);
      v54 = _mm_shuffle_ps(v50, v52, 0x88);         // 2020
      v55 = _mm_shuffle_ps(v50, v52, 0xDD);         // 3131
      v115 = _mm_shuffle_ps(v51, v53, 0x88);        // 2020
      v56 = _mm_shuffle_ps(xmmword_4ACB10, xmmword_4ACB00, 0x44);
      v57 = _mm_shuffle_ps(xmmword_4ACB10, xmmword_4ACB00, 0xEE);
      v117 = v54;
      v58 = _mm_shuffle_ps(xmmword_4ACAF0, xmmword_4ACAE0, 0x44);
      v59 = _mm_shuffle_ps(xmmword_4ACAF0, xmmword_4ACAE0, 0xEE);
      v60 = _mm_shuffle_ps(v51, v53, 0xDD);
      v61 = _mm_shuffle_ps(v56, v58, 0x88);
      a1 = _mm_shuffle_ps(v56, v58, 0xDD);
      v116 = v60;
      v118 = v55;
      v123 = v61;
      v124 = a1;
      v125 = _mm_shuffle_ps(v57, v59, 0x88);
      v126 = _mm_shuffle_ps(v57, v59, 0xDD);
      // Upload all 240 bytes (including v129..v131) and draw the 6-index quad
      // (l_buffer_4C4C30 / l_buffer_4C22DC) to the back buffer with pixel
      // shader `hlsl`, which reads both off-screen textures at t0 and t1 and
      // picks one based on the cb0[14] check.
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_UpdateSubresource)(
        l_pImmediateContext,
        l_buffer_0,
        0,
        0,
        &v115,
        0,
        0);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_ClearRenderTargetView)(l_pImmediateContext, v83, &v162);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_OMSetRenderTargets)(l_pImmediateContext, 1, &v83, 0);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_RSSetViewports)(l_pImmediateContext, 1, &v102);// TID3D11DeviceContext_RSSetViewports
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetVertexBuffers)(
        l_pImmediateContext,
        0,
        1,
        &l_buffer_4C4C30,
        &v100,
        &v101);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetIndexBuffer)(
        l_pImmediateContext,
        l_buffer_4C22DC,
        0x39,
        0);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetInputLayout)(l_pImmediateContext, l_pInputLayout);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_IASetPrimitiveTopology)(l_pImmediateContext, 4);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShader)(l_pImmediateContext, l_VertexShader, 0, 0);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetConstantBuffers)(l_pImmediateContext, 0, 1, &l_buffer_0);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShader1)(l_pImmediateContext, l_pPixelShader, 0, 0);// TID3D11DeviceContext_SetShader
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetConstantBuffers1)(l_pImmediateContext, 0, 1, &l_buffer_0);
      // t0 = texture 1 (shown on a correct key), t1 = texture 2.
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShaderResources)(l_pImmediateContext, 0, 1, &l_pSRView_1);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShaderResources)(l_pImmediateContext, 1, 1, &l_pSRView_2);
      (LODWORD(l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetSamplers))(
        l_pImmediateContext,
        0,
        1,
        &l_pSamplerState);
      (l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetSamplers1)(l_pImmediateContext, 6, 0, 0);// TID3D11DeviceContext_DrawIndexed
      l_pSwapChain->lpVtbl->Present(l_pSwapChain, 0, 0);
      Sleep(2u);
    }
  }
  // Teardown.  `(*(*p + 8))(p)` is vtable slot 2, i.e. IUnknown::Release;
  // each pointer is NULLed afterwards.
  if ( l_buffer_0 )
  {
    (*(*l_buffer_0 + 8))(l_buffer_0);
    l_buffer_0 = 0;
  }
  if ( l_buffer_4BFAB0 != 0.0 )                 // float typing artefact; same NULL test as the others
  {
    (*(*LODWORD(l_buffer_4BFAB0) + 8))(LODWORD(l_buffer_4BFAB0));
    l_buffer_4BFAB0 = 0.0;
  }
  if ( l_buffer_4D4680 )
  {
    (*(*l_buffer_4D4680 + 8))(l_buffer_4D4680);
    l_buffer_4D4680 = 0;
  }
  if ( l_buffer_4C22E8 )
  {
    (*(*l_buffer_4C22E8 + 8))(l_buffer_4C22E8);
    l_buffer_4C22E8 = 0;
  }
  if ( l_buffer_4C4CC0 )
  {
    (*(*l_buffer_4C4CC0 + 8))(l_buffer_4C4CC0);
    l_buffer_4C4CC0 = 0;
  }
  if ( l_buffer_4C22DC )
  {
    (*(*l_buffer_4C22DC + 8))(l_buffer_4C22DC);
    l_buffer_4C22DC = 0;
  }
  if ( l_buffer_4C4C30 )
  {
    (*(*l_buffer_4C4C30 + 8))(l_buffer_4C4C30);
    l_buffer_4C4C30 = 0;
  }
  if ( l_pSamplerState )
  {
    (*(*l_pSamplerState + 8))(l_pSamplerState);
    l_pSamplerState = 0;
  }
  if ( l_pPixelShader )
  {
    (*(*l_pPixelShader + 8))(l_pPixelShader);
    l_pPixelShader = 0;
  }
  if ( l_pPixelShader_1 )
  {
    (*(*l_pPixelShader_1 + 8))(l_pPixelShader_1);
    l_pPixelShader_1 = 0;
  }
  if ( l_pInputLayout )
  {
    (*(*l_pInputLayout + 8))(l_pInputLayout);
    l_pInputLayout = 0;
  }
  if ( l_VertexShader )
  {
    (*(*l_VertexShader + 8))(l_VertexShader);
    l_VertexShader = 0;
  }
  if ( l_pSRView_2 )
  {
    (*(*l_pSRView_2 + 8))(l_pSRView_2);
    l_pSRView_2 = 0;
  }
  if ( l_pSRView_1 )
  {
    (*(*l_pSRView_1 + 8))(l_pSRView_1);
    l_pSRView_1 = 0;
  }
  if ( l_pRTView_2 )
  {
    (*(*l_pRTView_2 + 8))(l_pRTView_2);
    l_pRTView_2 = 0;
  }
  if ( l_pRTView_1 )
  {
    (*(*l_pRTView_1 + 8))(l_pRTView_1);
    l_pRTView_1 = 0;
  }
  if ( l_pTexture2D_2 )
  {
    (*(*l_pTexture2D_2 + 8))(l_pTexture2D_2);
    l_pTexture2D_2 = 0;
  }
  if ( l_pTexture2D_1 )
  {
    (*(*l_pTexture2D_1 + 8))(l_pTexture2D_1);
    l_pTexture2D_1 = 0;
  }
  if ( v83 )
  {
    (*(*v83 + 8))(v83);
    v83 = 0;
  }
  if ( v84 )
  {
    (*(*v84 + 8))(v84);
    v84 = 0;
  }
  // Unresolved context slot (ClearState or Flush would fit; not verified),
  // called BEFORE the NULL check two statements below — another crash path
  // when device creation failed.
  (l_pImmediateContext->lpVtbl[1].field_B4)(l_pImmediateContext);
  if ( l_pSwapChain )
  {
    l_pSwapChain->lpVtbl->Release(l_pSwapChain);
    l_pSwapChain = 0;
  }
  if ( l_pImmediateContext )
  {
    (l_pImmediateContext->lpVtbl->field_8)(l_pImmediateContext);  // offset 8: Release
    l_pImmediateContext = 0;
  }
  if ( l_pDevice )
  {
    l_pDevice->lpVtbl->Release(l_pDevice);
    l_pDevice = 0;
  }
  if ( hWnd )
    DestroyWindow(hWnd);
  // Unregister the "LOGO" class only if it is still registered.
  v62 = l_win_class.lpszClassName;
  v63 = GetWindowLongW(*(lpThreadParameter + 4), -6);
  if ( GetClassInfoExW(v63, v62, &l_win_class) )
  {
    v64 = GetWindowLongW(*(lpThreadParameter + 4), -6);
    UnregisterClassW(l_win_class.lpszClassName, v64);
  }
  return 0;
}
把资源的序号0、1交换下,程序运行直接显示正确,涉及以下代码:
// The two SRV bindings in the frame loop: texture 1 at t0, texture 2 at t1.
// The pixel shader samples resource[0] when its cb0[14] check passes and
// resource[1] otherwise, so exchanging the slot indices here flips which
// image is shown without touching the check itself — the check's only
// observable effect is this texture selection.
(l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShaderResources)(l_pImmediateContext, 0, 1, &l_pSRView_1);
(l_pImmediateContext->lpVtbl->TID3D11DeviceContext_SetShaderResources)(l_pImmediateContext, 1, 1, &l_pSRView_2);
反汇编hlsl编译后的shader字节码(DXBC),一共3个,其中一个涉及显示结果的资源选用。
# DXBC chunk 0: RDEF offset 52 size 468
# DXBC chunk 1: ISGN offset 528 size 108
# DXBC chunk 2: OSGN offset 644 size 44
# DXBC chunk 3: SHDR offset 696 size 2280
# DXBC chunk 4: STAT offset 2984 size 116
// Pixel shader `hlsl`: the challenge's entire key check.
// Inputs: cb0[14].xyz = the three user numbers (x, y, z) the host copies
// into the last row of its 240-byte constant buffer; resource[0] and
// resource[1] = the two off-screen textures bound at t0 / t1.
// Every condition is AND-ed into r0.x; if r0.x is non-zero the shader
// samples resource[0] (the "correct" image), otherwise resource[1].
// Conditions, with X, Y, Z = x, y, z / 100000 (the high five digits):
//   x, y, z != 0;  x > 1000000000 (ten decimal digits);  x < y < z;
//   z < 4294967295;  each of x, y, z is a decimal palindrome
//   (low five digits == reversed high five digits);
//   X+Y+Z+14159 == 95028;  3X+Y-Z+14159 == 53574;
//   X-Y+6Z+42477 == 264917;  2Y+Z-X+28318 == 99009.
// All arithmetic is unsigned integer (udiv / imad / ult).
ps_4_0
dcl_constant_buffer cb0[15].xyzw, immediateIndexed
dcl_sampler sampler[0]
dcl_resource_texture2d resource[0]
dcl_resource_texture2d resource[1]
dcl_input_ps linear v1.xy
dcl_output o0.xyzw
dcl_temps 4
// --- range checks ---
ine r0.xyz, cb0[14].xyzx, l(0, 0, 0, 0) //!=0
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
ult r0.y, l(1000000000), cb0[14].x //x>1000000000
and r0.x, r0.y, r0.x
ult r0.yz, cb0[14].xxyx, cb0[14].yyzy //x<y<z
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
ult r0.y, cb0[14].z, l(4294967295)
and r0.x, r0.y, r0.x
// --- split each value into high five digits (r0.y=Z, r0.z=X, r0.w=Y) and low five (r1.xyz) ---
udiv r0.yzw, null, cb0[14].zzxy, l(0, 100000, 100000, 100000) //cb14/100000
imad r1.xyz, r0.zwyz, l(-100000, -100000, -100000, 0), cb0[14].xyzx //r1.xyz = cb14.xyz%100000
// --- palindrome check for x: reverse the digits of X and compare with x%100000 ---
udiv r2.x, r3.x, r0.z, l(10) //r2.x=cb14.x/100000/10 r3.x=cb14.x/100000%10 7 6
udiv null, r1.w, r2.x, l(10) //r1.w=cb14.x/100000/10%10 7
udiv r2.xyzw, null, r0.zzzw, l(100, 1000, 10000, 100)//r2.xyzw=cb[14][xxxy]/(100000)/(100, 1000, 10000, 100) 8 9 10 8
udiv null, r2.xyzw, r2.xyzw, l(10, 10, 10, 10)//r2.xyzw%=10 8 9 10 y[8]
imul null, r1.w, r1.w, l(1000) //r1.w *= 1000 6789a
imad r1.w, r3.x, l(10000), r1.w //r1.w += r3.x*10000
imad r1.w, r2.x, l(100), r1.w //r1.w += r2.x*100
imad r1.w, r2.y, l(10), r1.w //r1.w += r2.y*10
iadd r1.w, r2.z, r1.w //r1.w += r2.z
ieq r1.x, r1.x, r1.w // r1.x == r1.w x[6789a]==x[54321]
and r0.x, r0.x, r1.x
// --- palindrome check for y (r0.w = Y); r2.w (Y/100%10) was produced above ---
udiv r1.x, r2.x, r0.w, l(10) //r1.x = cb14.y/100000/10 r2.x = cb14.y/100000%10 6
udiv null, r1.x, r1.x, l(10) //r1.x %= 10 7
udiv r3.xyzw, null, r0.wwyy, l(1000, 10000, 100, 1000) //r3.xyzw=cb[14][yyzz]/(100000)/(1000, 10000, 100, 1000)
udiv null, r3.xyzw, r3.xyzw, l(10, 10, 10, 10) //9 10 z:8 9
imul null, r1.x, r1.x, l(1000) //r1.x *= 1000 6789a
imad r1.x, r2.x, l(10000), r1.x //r1.x += r2.x*10000
imad r1.x, r2.w, l(100), r1.x //r1.x += r2.w*100
imad r1.x, r3.x, l(10), r1.x //r1.x += r3.x*10
iadd r1.x, r3.y, r1.x //r1.x += r3.y
ieq r1.x, r1.y, r1.x //r1.x == r1.y y[6789a] == y[54321]
and r0.x, r0.x, r1.x
// --- palindrome check for z (r0.y = Z); r3.zw (Z/100%10, Z/1000%10) came from the y block ---
udiv r1.x, r2.x, r0.y, l(10) //r1.x = cb14.z/100000/10 r2.x = cb14.z/100000%10 6
udiv r1.y, null, r0.y, l(10000) //r1.y = cb14.z/100000/10000
udiv null, r1.xy, r1.xyxx, l(10, 10, 0, 0) //r1.xy = r1.xy%10 7 10
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r3.z, l(100), r1.x
imad r1.x, r3.w, l(10), r1.x
iadd r1.x, r1.y, r1.x
ieq r1.x, r1.z, r1.x //r1.x == r1.z: z is a palindrome
and r0.x, r0.x, r1.x
// --- linear constraints on the high five digits X, Y, Z ---
// If r0.x is already false, r0.yzw is replaced by the raw values; the
// outcome is irrelevant because r0.x stays false either way.
movc r0.yzw, r0.xxxx, r0.yyzw, cb0[14].zzxy
iadd r1.x, r0.w, r0.z //r1.x = cb14.y+cb14.x
iadd r1.x, r0.y, r1.x //r1.x += cb14.z
iadd r1.x, r1.x, l(14159) //r1.x += 14159
ieq r1.x, r1.x, l(95028) //r1.x == 95028
and r0.x, r0.x, r1.x
imad r1.xy, l(3, 6, 0, 0), r0.zyzz, r0.wzww //r1.x = cb14.x*3+cb14.y r1.y = cb14.z*6+cb14.x
iadd r1.xy, r1.xyxx, l(14159, 42477, 0, 0) //r1.x += 14159 r1.y += 42477
iadd r1.xy, -r0.ywyy, r1.xyxx //r1.x -= cb14.z r1.y -= cb14.y
ieq r1.xy, r1.xyxx, l(53574, 264917, 0, 0) //r1.x == 53574 r1.y == 264917
and r0.x, r0.x, r1.x
ishl r0.w, r0.w, l(1) //cb14.y <<= 1 *2
iadd r0.y, r0.w, r0.y //cb14.z += cb14.y
iadd r0.y, r0.y, l(28318) //cb14.z += 28318
iadd r0.y, -r0.z, r0.y //cb14.z -= cb14.x
ieq r0.y, r0.y, l(99009) //cb14.z == 99009
and r0.x, r0.y, r0.x
and r0.x, r1.y, r0.x //fold in r1.y (the 264917 condition)
// --- the only observable effect of the check: which texture is sampled ---
if_nz r0.x
  sample o0.xyzw, v1.xyxx, resource[0].xyzw, sampler[0]
  ret
else
  sample o0.xyzw, v1.xyxx, resource[1].xyzw, sampler[0]
  ret
endif
ret
得到校验条件:
x+y+z+14159 == 95028
3*x+y-z+14159 == 53574
x-y+6*z+42477 == 264917
2*y+z-x+28318 == 99009
其中的x,y,z分别是三段输入的高5位数字,每段输入都是10位数字,且是回文数。
以上算式求解得:
x = 17580 y = 24982 z = 38307
所以flag为175800857124982289423830770383