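I spent a full eight hours "doing time" today and solved three reverse-engineering challenges and one blockchain challenge, which helped our team take first place in this competition, so that's worth celebrating! I'm finally not the noob I used to be; to think that last year I couldn't do anything at all.
Now that the competition is over, let's write up the WP.
PS: This is the first time I've taken first blood on a hard challenge, and I'm still pretty excited. There was one challenge, I remember it was called easyRE, where I only got second blood because I was out eating until after 10 o'clock before I started solving. Next time I'll definitely show up on time! (Next time for sure (●'◡'●))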
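This challenge is Python reversing. The approach to Python reversing feels pretty fixed to me: unpack with pyinstxtractor, then convert the pyc inside back to py.
Earlier this year I also put together some notes on Python reversing; you can take a look at this article on my blog (it's hosted on GitHub Pages with no acceleration for access from mainland China, so slow loading should be perfectly normal).
Back to the challenge: how does it try to make things hard for us? That's right, it's Python 3.11.
This version is quite new. I believe that whether you use uncompyle6, pycdc, or an online site, you will run into decompilation failures. So what do we do then?
There is actually a way. First, we can use the Python code below to get this pyc's bytecode.
At this point you can actually already solve the challenge, but some of you may get a headache at the mere sight of bytecode.
That's when we call in the magical ChatGPT, at https://chat.openai.com/
Just throw the bytecode at it and say: convert this to py code for me!
ChatGPT will then rattle off the py source code.
One look shows that the random seed is fixed, so the random numbers aren't actually random.
Tweak the challenge's code a little and you get the flag.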
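This one is a Go reversing challenge. With Go challenges like this, once you recover all the function names it becomes quite easy (doing Go reversing without being able to find main_main is like... emmm, I can't think of a good analogy qwq).
So the first thing to do is restore the function names, which this IDA script handles: https://github.com/renshareck/IDAGolangHelper_SupportGo1.20
Then click the buttons in the order shown in the figure below.
After restoring the names, it turns out to be a Mersenne Twister random number generator. This is a pseudo-random number generator, and the values XORed in are the same every time.
So enter any string, for example I entered 0000000000000000000000000000000000000000000000 here, then set a breakpoint and copy out the array after the XOR, and XOR that with the array it is compared against afterwards. That gives you the flag.
It's a pretty simple challenge, so here's the exp directly.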
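I got first blood on this one (I never thought I'd see the day! The big shots must not have gotten serious yet).
This one is also Go reversing, only it has been cross-compiled with C code.
Likewise, the first step is still to recover the function names, for which you can use this IDA script: https://github.com/0xjiayu/go_parser . The script may hang after you run it, but that's fine: cancel the script and the function names will still be recovered.
After that, enter any 40-character string, set a hardware breakpoint on the memory address of the input string, and during dynamic debugging follow the breakpoint hits all the way down to the function sub_7FF631BCF2E0. You may not be able to find this function, because the base address can differ after dynamic debugging; my base address is 0x7FF631B30000. If you can't find the encryption function, switch to my base address in IDA and you'll find it (what, you don't know how to rebase?! Follow me: in the top-left of IDA go to Edit -> Segments -> Rebase program, then enter my base address).
The pseudo-code of this function is as follows.
This encryption has a pattern to it: it's just XOR back and forth, and you can view it as many repetitions of the code block below.
With this algorithm, pay attention to what (unsigned __int8), BYTE1, HIBYTE and BYTE2 mean.
Suppose v11=0x12345678, then
The two XORs at the end of the while loop can't be ignored either.
One reminder: after you set a hardware breakpoint on the memory address of the result array, you'll find that once this function finishes there is one more small encryption step after it.
Remember to reflect this rotate-left-by-three-bits followed by XOR in the exp as well.
Then the exp can be written.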
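The structure described above, as an added example that is not part of the original post: each loop iteration of the decompiled function is a 16-round Feistel pass over one pair of dwords, with `a4[0..17]` as subkeys and four 256-entry tables at offsets 18, 274, 530 and 786 (the same layout Blowfish uses), so it is inverted by walking the subkeys backwards. The table values are constructed rather than the challenge's, the function names are made up for illustration, and the follow-up rotate-and-XOR step is not modelled.

```python
import random

MASK = 0xFFFFFFFF

def byte0(x):  return x & 0xFF           # (unsigned __int8)x
def byte1(x):  return (x >> 8) & 0xFF    # BYTE1(x)
def byte2(x):  return (x >> 16) & 0xFF   # BYTE2(x)
def hibyte(x): return (x >> 24) & 0xFF   # HIBYTE(x) of a 32-bit value

def f(a4, x):
    # a4[(u8)x + 786] + (a4[BYTE1(x) + 530] ^ (a4[HIBYTE(x) + 18] + a4[BYTE2(x) + 274]))
    inner = (a4[hibyte(x) + 18] + a4[byte2(x) + 274]) & MASK
    return (a4[byte0(x) + 786] + (a4[byte1(x) + 530] ^ inner)) & MASK

def encrypt_block(a4, left, right):
    """One do/while iteration of the decompiled loop on result[0], result[1]."""
    for i in range(16):
        left ^= a4[i]
        right ^= f(a4, left)
        left, right = right, left
    left, right = right, left              # the 16th swap is undone
    return left ^ a4[17], right ^ a4[16]   # the two XORs that close the loop body

def decrypt_block(a4, left, right):
    """Inverse: same rounds with subkeys a4[17] down to a4[2], then a4[0], a4[1]."""
    for i in range(17, 1, -1):
        left ^= a4[i]
        right ^= f(a4, left)
        left, right = right, left
    left, right = right, left
    return left ^ a4[0], right ^ a4[1]

def constructed_table(seed=2023):
    """Constructed stand-in for a4: 18 subkeys followed by four 256-entry tables."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(18 + 4 * 256)]

if __name__ == "__main__":
    a4 = constructed_table()
    v11 = 0x12345678
    print([hex(g(v11)) for g in (byte0, byte1, byte2, hibyte)])
    ct = encrypt_block(a4, 0x30303030, 0x31313131)
    print([hex(c) for c in ct], decrypt_block(a4, *ct) == (0x30303030, 0x31313131))
```

Input bytes map to `left`/`right` as little-endian dwords, since the decompiled code reads the buffer through an `unsigned int *` on x64.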
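A simple blockchain challenge. I did a blockchain challenge during Bilibili's 1024 Programmer's Day last year, and the WP for that one is here. The relationship between the two should be one of inclusion: everything this challenge tests was also in the Bilibili one, so of course it was easy to solve. Straight to the attack contract.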
```python
import dis
import marshal

with open('easyRE.pyc', 'rb') as f:
    f.seek(16)                # skip the 16-byte pyc header
    dis.dis(marshal.load(f))  # load the code object and print its bytecode
```
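Why the script seeks past 16 bytes, as an added example that is not from the original post: since Python 3.7 a pyc starts with a 4-byte magic, a 4-byte flags word and 8 bytes holding either mtime plus source size or a source hash, and the marshalled code object follows. The code parses that header and lists every constant without a decompiler; the sample pyc is built in memory, and `build_pyc`, `parse_pyc`, `walk_consts` and `SAMPLE` are names made up for illustration.

```python
import importlib.util
import marshal
import struct
import types

# Constructed sample source, standing in for a real challenge file.
SAMPLE = (
    "import random\n"
    "r = random.Random(1234)\n"
    "def f():\n"
    "    return b'\\x01\\x02'\n"
)

def build_pyc(source: str) -> bytes:
    """Compile source in memory and prepend a timestamp-style 16-byte header."""
    code = compile(source, "sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)

def parse_pyc(blob: bytes):
    """Split a pyc (Python 3.7+) into header fields and its code object."""
    magic = blob[:4]
    flags, = struct.unpack_from("<I", blob, 4)
    if flags & 1:   # hash-based pyc (PEP 552): 8-byte source hash
        detail = {"source_hash": blob[8:16]}
    else:           # timestamp pyc: source mtime and source size
        mtime, size = struct.unpack_from("<II", blob, 8)
        detail = {"mtime": mtime, "source_size": size}
    # marshal data is only reliable on the interpreter version that wrote it
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc was written by a different Python version")
    return magic, flags, detail, marshal.loads(blob[16:])

def walk_consts(code: types.CodeType):
    """Yield every non-code constant, descending into nested code objects."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_consts(const)
        else:
            yield const

if __name__ == "__main__":
    magic, flags, detail, code = parse_pyc(build_pyc(SAMPLE))
    print(magic, flags, detail)
    print([c for c in walk_consts(code) if c is not None])
```

The magic check is the practical caveat for a file like easyRE.pyc: the dump has to be run under the same Python version that produced it, here 3.11.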
```
  0           0 RESUME                   0

  1           2 LOAD_CONST               0 (0)
              4 LOAD_CONST               1 (None)
              6 IMPORT_NAME              0 (random)
              8 STORE_NAME               0 (random)

  3          10 PUSH_NULL
             12 LOAD_NAME                0 (random)
             14 LOAD_ATTR                1 (Random)
             24 LOAD_CONST               2 (322376503)
             26 PRECALL                  1
             30 CALL                     1
             40 STORE_NAME               2 (r)

  6          42 PUSH_NULL
             44 LOAD_NAME                3 (input)
             46 LOAD_CONST               3 ('Enter your flag: ')
             48 PRECALL                  1
             52 CALL                     1
             62 LOAD_METHOD              4 (encode)
             84 PRECALL                  0
             88 CALL                     0
             98 STORE_NAME               5 (pt)

  8         100 LOAD_CONST               4 (b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff')
            102 STORE_NAME               6 (ct)

 10         104 BUILD_LIST               0
            106 STORE_NAME               7 (buf)

 12         108 LOAD_NAME                5 (pt)
            110 GET_ITER
        >>  112 FOR_ITER                46 (to 206)
            114 STORE_NAME               8 (b)

 13         116 LOAD_NAME                7 (buf)
            118 LOAD_METHOD              9 (append)
            140 LOAD_NAME                2 (r)
            142 LOAD_METHOD             10 (randint)
            164 LOAD_CONST               0 (0)
            166 LOAD_CONST               5 (255)
            168 PRECALL                  2
            172 CALL                     2
            182 LOAD_NAME                8 (b)
            184 BINARY_OP               12 (^)
            188 PRECALL                  1
            192 CALL                     1
            202 POP_TOP
            204 JUMP_BACKWARD           47 (to 112)

 15     >>  206 PUSH_NULL
            208 LOAD_NAME               11 (bytes)
            210 LOAD_NAME                7 (buf)
            212 PRECALL                  1
            216 CALL                     1
            226 LOAD_NAME                6 (ct)
            228 COMPARE_OP               2 (==)
            234 POP_JUMP_FORWARD_IF_TRUE     2 (to 240)
            236 LOAD_ASSERTION_ERROR
            238 RAISE_VARARGS            1

 17     >>  240 PUSH_NULL
            242 LOAD_NAME               12 (print)
            244 LOAD_CONST               6 ('Correct!')
            246 PRECALL                  1
            250 CALL                     1
            260 POP_TOP
            262 LOAD_CONST               1 (None)
            264 RETURN_VALUE
```
```python
import random

r = random.Random(322376503)
pt = input('Enter your flag: ').encode()
ct = b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff'
buf = []
for b in pt:
    buf.append(r.randint(0, 255) ^ b)
assert bytes(buf) == ct
print('Correct!')
```
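```python
import random

# Same fixed seed as the challenge, so randint() replays the same keystream.
r = random.Random(322376503)
# pt is not used by the decryption; it is left over from the challenge source.
pt = input('Enter your flag: ').encode()
ct = b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff'
# XOR each ciphertext byte with the replayed keystream byte to recover the flag.
for k in ct:
    print(chr(r.randint(0, 255) ^ k), end='')
```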
```python
# The string that was typed into the program.
testinput = "0000000000000000000000000000000000000000000000"
# Array copied at the breakpoint: testinput after the XOR.
byte = [
    0x67, 0x88, 0xBE, 0x8C, 0x79, 0xAB, 0x7C, 0xB7, 0x5F, 0xD3, 0x24, 0xD0,
    0x16, 0xF0, 0x02, 0x8D, 0x5C, 0xF7, 0xB5, 0x16, 0xD2, 0x69, 0xDE, 0xA6,
    0xE1, 0x5F, 0xA1, 0xA5, 0x7F, 0x6C, 0x78, 0x70, 0x76, 0x88, 0x75, 0x2E,
    0x2F, 0x30, 0x99, 0x61, 0x5A, 0xD1, 0xBF, 0x71, 0x7A, 0x4E,
]
# Array the program compares the XORed input against.
key = [
    0x35, 0x8C, 0xEB, 0x85, 0x2C, 0xFA, 0x2D, 0xB1, 0x42, 0x82, 0x27, 0xD0,
    0x10, 0xED, 0x06, 0x8E, 0x0D, 0xFE, 0xA8, 0x1E, 0x81, 0x3C, 0x8A, 0xBB,
    0xB7, 0x0B, 0xF4, 0xF0, 0x7C, 0x6B, 0x70, 0x26, 0x71, 0x8B, 0x73, 0x7D,
]
# testinput ^ byte recovers the keystream; XOR that with key to get the flag.
for i in range(len(key)):
    print(chr(ord(testinput[i]) ^ byte[i] ^ key[i]), end='')
```
```c
unsigned int *__fastcall sub_7FF631BCF2E0(void *a1, __int64 a2, unsigned int *a3, _DWORD *a4, size_t a5, int a6)
{
  unsigned int *v7; // rcx
  unsigned __int64 v8; // rsi
  unsigned int *result; // rax
  unsigned int *v10; // r8
  unsigned int v11; // r9d
  int v12; // ecx
  unsigned int v13; // ecx
  int v14; // edx
  unsigned int v15; // edx
  int v16; // ecx
  unsigned int v17; // ecx
  int v18; // edx
  unsigned int v19; // edx
  int v20; // ecx
  unsigned int v21; // ecx
  int v22; // edx
  unsigned int v23; // edx
  int v24; // ecx
  unsigned int v25; // ecx
  int v26; // edx
  unsigned int v27; // edx
  int v28; // ecx
  unsigned int v29; // ecx
  int v30; // edx
  unsigned int v31; // edx
  int v32; // ecx
  unsigned int v33; // ecx
  int v34; // edx
  unsigned int v35; // edx
  int v36; // ecx
  unsigned int v37; // ecx
  int v38; // edx
  unsigned int v39; // edx
  unsigned int v40; // r9d
  __m128i v41; // xmm5
  int v42; // edx
  unsigned int v43; // edx
  int v44; // ecx

  v7 = a3;
  v8 = a6;
  if ( a3 != (unsigned int *)a5 )
    v7 = (unsigned int *)memcpy(a1, (const void *)a6, a5);
  result = v7;
  v10 = (unsigned int *)((char *)v7 + (v8 & 0xFFFFFFFFFFFFFFF8LL));
  if ( v8 >> 3 )
  {
    do
    {
      v11 = *a4 ^ *result;
      *result = v11;
      v12 = result[1] ^ (a4[(unsigned __int8)v11 + 786] + (a4[BYTE1(v11) + 530] ^ (a4[HIBYTE(v11) + 18] + a4[BYTE2(v11) + 274])));
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v12), _mm_cvtsi32_si128(v11)).m128i_u64[0];
      v13 = a4[1] ^ v12;
      *result = v13;
      v14 = v11 ^ (a4[(unsigned __int8)v13 + 786] + (a4[BYTE1(v13) + 530] ^ (a4[HIBYTE(v13) + 18] + a4[BYTE2(v13) + 274])));
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v14), _mm_cvtsi32_si128(v13)).m128i_u64[0];
      v15 = a4[2] ^ v14;
      *result = v15;
      v16 = (a4[(unsigned __int8)v15 + 786] + (a4[BYTE1(v15) + 530] ^ (a4[HIBYTE(v15) + 18] + a4[BYTE2(v15) + 274]))) ^ v13;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v16), _mm_cvtsi32_si128(v15)).m128i_u64[0];
      v17 = a4[3] ^ v16;
      *result = v17;
      v18 = (a4[(unsigned __int8)v17 + 786] + (a4[BYTE1(v17) + 530] ^ (a4[HIBYTE(v17) + 18] + a4[BYTE2(v17) + 274]))) ^ v15;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v18), _mm_cvtsi32_si128(v17)).m128i_u64[0];
      v19 = a4[4] ^ v18;
      *result = v19;
      v20 = (a4[(unsigned __int8)v19 + 786] + (a4[BYTE1(v19) + 530] ^ (a4[HIBYTE(v19) + 18] + a4[BYTE2(v19) + 274]))) ^ v17;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v20), _mm_cvtsi32_si128(v19)).m128i_u64[0];
      v21 = a4[5] ^ v20;
      *result = v21;
      v22 = (a4[(unsigned __int8)v21 + 786] + (a4[BYTE1(v21) + 530] ^ (a4[HIBYTE(v21) + 18] + a4[BYTE2(v21) + 274]))) ^ v19;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v22), _mm_cvtsi32_si128(v21)).m128i_u64[0];
      v23 = a4[6] ^ v22;
      *result = v23;
      v24 = (a4[(unsigned __int8)v23 + 786] + (a4[BYTE1(v23) + 530] ^ (a4[HIBYTE(v23) + 18] + a4[BYTE2(v23) + 274]))) ^ v21;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v24), _mm_cvtsi32_si128(v23)).m128i_u64[0];
      v25 = a4[7] ^ v24;
      *result = v25;
      v26 = (a4[(unsigned __int8)v25 + 786] + (a4[BYTE1(v25) + 530] ^ (a4[HIBYTE(v25) + 18] + a4[BYTE2(v25) + 274]))) ^ v23;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v26), _mm_cvtsi32_si128(v25)).m128i_u64[0];
      v27 = a4[8] ^ v26;
      *result = v27;
      v28 = (a4[(unsigned __int8)v27 + 786] + (a4[BYTE1(v27) + 530] ^ (a4[HIBYTE(v27) + 18] + a4[BYTE2(v27) + 274]))) ^ v25;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v28), _mm_cvtsi32_si128(v27)).m128i_u64[0];
      v29 = a4[9] ^ v28;
      *result = v29;
      v30 = (a4[(unsigned __int8)v29 + 786] + (a4[BYTE1(v29) + 530] ^ (a4[HIBYTE(v29) + 18] + a4[BYTE2(v29) + 274]))) ^ v27;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v30), _mm_cvtsi32_si128(v29)).m128i_u64[0];
      v31 = a4[10] ^ v30;
      *result = v31;
      v32 = (a4[(unsigned __int8)v31 + 786] + (a4[BYTE1(v31) + 530] ^ (a4[HIBYTE(v31) + 18] + a4[BYTE2(v31) + 274]))) ^ v29;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v32), _mm_cvtsi32_si128(v31)).m128i_u64[0];
      v33 = a4[11] ^ v32;
      *result = v33;
      v34 = (a4[(unsigned __int8)v33 + 786] + (a4[BYTE1(v33) + 530] ^ (a4[HIBYTE(v33) + 18] + a4[BYTE2(v33) + 274]))) ^ v31;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v34), _mm_cvtsi32_si128(v33)).m128i_u64[0];
      v35 = a4[12] ^ v34;
      *result = v35;
      v36 = (a4[(unsigned __int8)v35 + 786] + (a4[BYTE1(v35) + 530] ^ (a4[HIBYTE(v35) + 18] + a4[BYTE2(v35) + 274]))) ^ v33;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v36), _mm_cvtsi32_si128(v35)).m128i_u64[0];
      v37 = a4[13] ^ v36;
      *result = v37;
      result += 2;
      v38 = (a4[(unsigned __int8)v37 + 786] + (a4[BYTE1(v37) + 530] ^ (a4[HIBYTE(v37) + 18] + a4[BYTE2(v37) + 274]))) ^ v35;
      *((_QWORD *)result - 1) = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v38), _mm_cvtsi32_si128(v37)).m128i_u64[0];
      v39 = a4[14] ^ v38;
      *(result - 2) = v39;
      v40 = v39;
      v41 = _mm_cvtsi32_si128(v39);
      v42 = v37 ^ (a4[(unsigned __int8)v39 + 786] + ((a4[HIBYTE(v39) + 18] + a4[BYTE2(v39) + 274]) ^ a4[BYTE1(v39) + 530]));
      *((_QWORD *)result - 1) = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v42), v41).m128i_u64[0];
      v43 = a4[15] ^ v42;
      *(result - 2) = v43;
      v44 = v40 ^ (a4[(unsigned __int8)v43 + 786] + (a4[BYTE1(v43) + 530] ^ (a4[HIBYTE(v43) + 18] + a4[BYTE2(v43) + 274])));
      *((_QWORD *)result - 1) = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v43), _mm_cvtsi32_si128(v44)).m128i_u64[0];
      *(result - 1) = a4[16] ^ v44;
      *(result - 2) = a4[17] ^ v43;
    }
    while ( result != v10 );
  }
  return result;
}
```
Last edited by oacia on 2023-5-3 21:38. Reason: changed the IDA Go plugin used for gotots; the previous plugin could not rename functions.