[Original] DASCTF Apr.2023 X SU战队2023开局之战 (SU Team 2023 Opening Battle) reverse && blockchain writeup
Posted: 2023-4-23 15:27 · 21232 views


Served the full eight hours in "prison" today: solved three reverse challenges and one blockchain challenge, which helped our team take first place in this competition. Worth celebrating! I'm finally no longer the noob I used to be; this time last year I couldn't do anything.

Now that the contest is over, time to write the writeup.

PS: first time taking first blood on a hard challenge, still pretty excited. On one challenge, I think it was called easyRE, I only got second blood because dinner ran past 10 and I only started then. Next time I'll be on time for sure! (next time for sure (●'◡'●))

This one is Python reversing. My approach to Python reversing is pretty fixed: unpack with pyinstxtractor, then convert the pyc inside back to py.

At the start of this year I also wrote up some notes on Python reversing; see this post on my blog (it is hosted on GitHub Pages with no China-side acceleration, so slow loading is to be expected).

Back to the challenge: how does it try to make life hard for us? Right: Python 3.11.

This version is quite new, and whether you use uncompyle6, pycdc or an online site, you will most likely hit a decompilation failure. So what do we do then?

There is a way. First, we can dump the pyc's bytecode with the following Python code (the code blocks are collected at the end of the post).

At this point you can already solve the challenge, but some of you may get a headache just looking at bytecode.

That is when we summon the magical ChatGPT, at https://chat.openai.com/

Just paste the bytecode in and say: turn this into Python code!

ChatGPT then spits out the Python source.

One look shows the random seed is fixed, so the "random" numbers are not random at all.

Tweak the challenge's own code a little and you get the flag.

This is a Go reversing challenge. For Go challenges, once you restore the function names it becomes quite easy (doing Go reversing without finding main_main is like... emmm, I can't think of a good comparison qwq).

So the first thing to do is restore the function names, using this IDA script: https://github.com/renshareck/IDAGolangHelper_SupportGo1.20
Then click the buttons in order, following the flow in the figure below.
[image]
After restoring, it turns out to be a Mersenne Twister random number generator. That is a pseudorandom generator, so the values XORed in are the same on every run.
[image]

So just input any string, say I used 0000000000000000000000000000000000000000000000, set a breakpoint and copy out the array after the XOR, then XOR it against the array it is compared with afterwards, and you have the flag.

Pretty simple challenge; straight to the exp.

Took first blood on this one (never thought I'd see the day I get a first blood! the big shots must not have started yet).

This one is also Go reversing, just cross-compiled together with C code.

Again, step one is restoring function names; you can use this IDA script https://github.com/0xjiayu/go_parser . Running the script may hang, but that doesn't matter: cancel the script and the function names are restored all the same.

After that, input any 40-character string, set a hardware breakpoint on the memory address of the entered string, and during dynamic debugging let the breakpoint trigger its way down until you reach the function sub_7FF631BCF2E0. You may not find this function, because the base address can differ after dynamic debugging; my base is 0x7FF631B30000. If you can't find the encryption function, switch to my base address in IDA and you will find it (what, you don't know how to rebase?! follow me: in IDA's top-left, Edit->Segments->Rebase program, then enter my base address).

The pseudocode of this function is as follows (it is listed with the other code at the end of the post).

This encryption is traceable too: it's just XOR this way and XOR that way; you can treat the whole encryption as many repetitions of the code block below.

In this algorithm, pay attention to what (unsigned __int8), BYTE1, HIBYTE and BYTE2 mean.

Suppose v11 = 0x12345678, then

The last two XORs at the end of the while loop must not be ignored either.

One reminder: once you set a hardware breakpoint on the memory address of the result array, you will find that after this function finishes there is one more small encryption.
[image]

Remember to reflect this rotate-left-by-3-then-XOR loop in the exp as well.

Then we can write the exp.

A simple blockchain challenge. During Bilibili's 1024 Programmer's Day last year I did a blockchain challenge; that writeup is here. The knowledge points tested there should be a superset of this one: what this challenge tests, the Bilibili one also had, so naturally it was easy. Straight to the attack contract.

 
 
 
 
import dis
import marshal

# Python 3.7+ pyc files start with a 16-byte header (magic, flags, source
# mtime/hash, source size); the marshalled code object follows it.
# Run this with the same CPython version that produced the pyc (3.11 here):
# both marshal and dis are version-specific.
with open('easyRE.pyc', 'rb') as f:
    f.seek(16)
    dis.dis(marshal.load(f))
0           0 RESUME                   0
 
 1           2 LOAD_CONST               0 (0)
             4 LOAD_CONST               1 (None)
             6 IMPORT_NAME              0 (random)
             8 STORE_NAME               0 (random)
 
 3          10 PUSH_NULL
            12 LOAD_NAME                0 (random)
            14 LOAD_ATTR                1 (Random)
            24 LOAD_CONST               2 (322376503)
            26 PRECALL                  1
            30 CALL                     1
            40 STORE_NAME               2 (r)
 
 6          42 PUSH_NULL
            44 LOAD_NAME                3 (input)
            46 LOAD_CONST               3 ('Enter your flag: ')
            48 PRECALL                  1
            52 CALL                     1
            62 LOAD_METHOD              4 (encode)
            84 PRECALL                  0
            88 CALL                     0
            98 STORE_NAME               5 (pt)
 
 8         100 LOAD_CONST               4 (b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff')
           102 STORE_NAME               6 (ct)
 
10         104 BUILD_LIST               0
           106 STORE_NAME               7 (buf)
 
12         108 LOAD_NAME                5 (pt)
           110 GET_ITER
       >>  112 FOR_ITER                46 (to 206)
           114 STORE_NAME               8 (b)
 
13         116 LOAD_NAME                7 (buf)
           118 LOAD_METHOD              9 (append)
           140 LOAD_NAME                2 (r)
           142 LOAD_METHOD             10 (randint)
           164 LOAD_CONST               0 (0)
           166 LOAD_CONST               5 (255)
           168 PRECALL                  2
           172 CALL                     2
           182 LOAD_NAME                8 (b)
           184 BINARY_OP               12 (^)
           188 PRECALL                  1
           192 CALL                     1
           202 POP_TOP
           204 JUMP_BACKWARD           47 (to 112)
 
15     >>  206 PUSH_NULL
           208 LOAD_NAME               11 (bytes)
           210 LOAD_NAME                7 (buf)
           212 PRECALL                  1
           216 CALL                     1
           226 LOAD_NAME                6 (ct)
           228 COMPARE_OP               2 (==)
           234 POP_JUMP_FORWARD_IF_TRUE     2 (to 240)
           236 LOAD_ASSERTION_ERROR
           238 RAISE_VARARGS            1
 
17     >>  240 PUSH_NULL
           242 LOAD_NAME               12 (print)
           244 LOAD_CONST               6 ('Correct!')
           246 PRECALL                  1
           250 CALL                     1
           260 POP_TOP
           262 LOAD_CONST               1 (None)
           264 RETURN_VALUE
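Added here as an example, not the author's script: a variant of the dump above that derives the header length from the pyc magic number instead of hard-coding seek(16), so it also handles pre-3.7 pyc files, and returns the disassembly as text. The magic-number table is an assumption taken from CPython's importlib values, and build_pyc constructs a sample pyc in memory so the code runs offline.

```python
import dis
import importlib.util
import io
import marshal
import struct

# first magic number of each release series -> version (assumed values)
MAGIC_TO_VERSION = {
    3571: "3.13", 3531: "3.12", 3495: "3.11", 3439: "3.10",
    3425: "3.9", 3413: "3.8", 3394: "3.7", 3379: "3.6", 3351: "3.5",
}

def header_length(magic_int):
    if magic_int >= 3390:   # PEP 552 (3.7+): magic, flags, hash/mtime, size
        return 16
    if magic_int >= 3200:   # 3.3-3.6: magic, mtime, source size
        return 12
    return 8                # <= 3.2: magic, mtime

def running_magic():
    """Magic number of the interpreter running this code."""
    return struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]

def parse_pyc(data):
    """Return (magic_int, version_guess, header_len, code_object) for pyc bytes."""
    if data[2:4] != b"\r\n":
        raise ValueError("not a pyc file: bad magic trailer")
    magic_int = struct.unpack("<H", data[:2])[0]
    hdr = header_length(magic_int)
    # nearest known release at or below this magic number
    known = [m for m in MAGIC_TO_VERSION if m <= magic_int]
    version = MAGIC_TO_VERSION[max(known)] if known else "unknown"
    # marshal only understands its own interpreter's format: load the pyc
    # with the same CPython version that produced it
    code = marshal.loads(data[hdr:])
    return magic_int, version, hdr, code

def disassemble_pyc(data):
    """dis output of the top-level code object, as a string."""
    out = io.StringIO()
    dis.dis(parse_pyc(data)[3], file=out)
    return out.getvalue()

def build_pyc(source, filename="sample.py"):
    """Constructed test input: compile source into a pyc for the running interpreter."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)

if __name__ == "__main__":
    with open("easyRE.pyc", "rb") as f:
        print(disassemble_pyc(f.read()))
```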
 
 
 
import random
 
r = random.Random(322376503)
 
pt = input('Enter your flag: ').encode()
 
ct = b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff'
 
buf = []
for b in pt:
    buf.append(r.randint(0, 255) ^ b)
 
assert bytes(buf) == ct
 
print('Correct!')
 
import random

# Same fixed seed as the challenge, so r.randint(0, 255) yields the exact same
# keystream; XORing it back over ct recovers the plaintext byte by byte.
r = random.Random(322376503)

ct = b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff'

for k in ct:
    print(chr(r.randint(0, 255) ^ k), end='')
# flag{69858b56-4987-438f-a02c-5ab5c09e5138}
 
 
 
# byte: the array dumped at the breakpoint after the XOR with the MT19937
# output, for the all-'0' test input below; key: the array it is compared against.
testinput = "0000000000000000000000000000000000000000000000"
byte = [0x67, 0x88, 0xBE, 0x8C, 0x79, 0xAB, 0x7C, 0xB7, 0x5F, 0xD3, 0x24, 0xD0, 0x16, 0xF0, 0x02, 0x8D, 0x5C, 0xF7, 0xB5, 0x16, 0xD2, 0x69, 0xDE, 0xA6, 0xE1, 0x5F, 0xA1, 0xA5, 0x7F, 0x6C, 0x78, 0x70, 0x76, 0x88, 0x75, 0x2E, 0x2F, 0x30, 0x99, 0x61, 0x5A, 0xD1, 0xBF, 0x71, 0x7A, 0x4E]
key = [0x35, 0x8C, 0xEB, 0x85, 0x2C, 0xFA, 0x2D, 0xB1, 0x42, 0x82, 0x27, 0xD0, 0x10, 0xED, 0x06, 0x8E, 0x0D, 0xFE, 0xA8, 0x1E, 0x81, 0x3C, 0x8A, 0xBB, 0xB7, 0x0B, 0xF4, 0xF0, 0x7C, 0x6B, 0x70, 0x26, 0x71, 0x8B, 0x73, 0x7D]
# keystream[i] = byte[i] ^ testinput[i] (seed is fixed, so it never changes);
# flag[i] = key[i] ^ keystream[i]
for i in range(len(key)):
    print(chr(ord(testinput[i]) ^ byte[i] ^ key[i]), end='')
# b4e9eaa6-a306-43a9-8ced-fdee378f736c
 
 
 
 
unsigned int *__fastcall sub_7FF631BCF2E0(void *a1, __int64 a2, unsigned int *a3, _DWORD *a4, size_t a5, int a6)
{
  unsigned int *v7; // rcx
  unsigned __int64 v8; // rsi
  unsigned int *result; // rax
  unsigned int *v10; // r8
  unsigned int v11; // r9d
  int v12; // ecx
  unsigned int v13; // ecx
  int v14; // edx
  unsigned int v15; // edx
  int v16; // ecx
  unsigned int v17; // ecx
  int v18; // edx
  unsigned int v19; // edx
  int v20; // ecx
  unsigned int v21; // ecx
  int v22; // edx
  unsigned int v23; // edx
  int v24; // ecx
  unsigned int v25; // ecx
  int v26; // edx
  unsigned int v27; // edx
  int v28; // ecx
  unsigned int v29; // ecx
  int v30; // edx
  unsigned int v31; // edx
  int v32; // ecx
  unsigned int v33; // ecx
  int v34; // edx
  unsigned int v35; // edx
  int v36; // ecx
  unsigned int v37; // ecx
  int v38; // edx
  unsigned int v39; // edx
  unsigned int v40; // r9d
  __m128i v41; // xmm5
  int v42; // edx
  unsigned int v43; // edx
  int v44; // ecx
 
  v7 = a3;
  v8 = a6;
  if ( a3 != (unsigned int *)a5 )
    v7 = (unsigned int *)memcpy(a1, (const void *)a6, a5);
  result = v7;
  v10 = (unsigned int *)((char *)v7 + (v8 & 0xFFFFFFFFFFFFFFF8LL));
  if ( v8 >> 3 )
  {
    do
    {
      v11 = *a4 ^ *result;
      *result = v11;
      v12 = result[1] ^ (a4[(unsigned __int8)v11 + 786]
                       + (a4[BYTE1(v11) + 530] ^ (a4[HIBYTE(v11) + 18] + a4[BYTE2(v11) + 274])));
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v12), _mm_cvtsi32_si128(v11)).m128i_u64[0];
      v13 = a4[1] ^ v12;
      *result = v13;
      v14 = v11 ^ (a4[(unsigned __int8)v13 + 786]
                 + (a4[BYTE1(v13) + 530] ^ (a4[HIBYTE(v13) + 18] + a4[BYTE2(v13) + 274])));
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v14), _mm_cvtsi32_si128(v13)).m128i_u64[0];
      v15 = a4[2] ^ v14;
      *result = v15;
      v16 = (a4[(unsigned __int8)v15 + 786] + (a4[BYTE1(v15) + 530] ^ (a4[HIBYTE(v15) + 18] + a4[BYTE2(v15) + 274]))) ^ v13;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v16), _mm_cvtsi32_si128(v15)).m128i_u64[0];
      v17 = a4[3] ^ v16;
      *result = v17;
      v18 = (a4[(unsigned __int8)v17 + 786] + (a4[BYTE1(v17) + 530] ^ (a4[HIBYTE(v17) + 18] + a4[BYTE2(v17) + 274]))) ^ v15;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v18), _mm_cvtsi32_si128(v17)).m128i_u64[0];
      v19 = a4[4] ^ v18;
      *result = v19;
      v20 = (a4[(unsigned __int8)v19 + 786] + (a4[BYTE1(v19) + 530] ^ (a4[HIBYTE(v19) + 18] + a4[BYTE2(v19) + 274]))) ^ v17;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v20), _mm_cvtsi32_si128(v19)).m128i_u64[0];
      v21 = a4[5] ^ v20;
      *result = v21;
      v22 = (a4[(unsigned __int8)v21 + 786] + (a4[BYTE1(v21) + 530] ^ (a4[HIBYTE(v21) + 18] + a4[BYTE2(v21) + 274]))) ^ v19;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v22), _mm_cvtsi32_si128(v21)).m128i_u64[0];
      v23 = a4[6] ^ v22;
      *result = v23;
      v24 = (a4[(unsigned __int8)v23 + 786] + (a4[BYTE1(v23) + 530] ^ (a4[HIBYTE(v23) + 18] + a4[BYTE2(v23) + 274]))) ^ v21;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v24), _mm_cvtsi32_si128(v23)).m128i_u64[0];
      v25 = a4[7] ^ v24;
      *result = v25;
      v26 = (a4[(unsigned __int8)v25 + 786] + (a4[BYTE1(v25) + 530] ^ (a4[HIBYTE(v25) + 18] + a4[BYTE2(v25) + 274]))) ^ v23;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v26), _mm_cvtsi32_si128(v25)).m128i_u64[0];
      v27 = a4[8] ^ v26;
      *result = v27;
      v28 = (a4[(unsigned __int8)v27 + 786] + (a4[BYTE1(v27) + 530] ^ (a4[HIBYTE(v27) + 18] + a4[BYTE2(v27) + 274]))) ^ v25;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v28), _mm_cvtsi32_si128(v27)).m128i_u64[0];
      v29 = a4[9] ^ v28;
      *result = v29;
      v30 = (a4[(unsigned __int8)v29 + 786] + (a4[BYTE1(v29) + 530] ^ (a4[HIBYTE(v29) + 18] + a4[BYTE2(v29) + 274]))) ^ v27;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v30), _mm_cvtsi32_si128(v29)).m128i_u64[0];
      v31 = a4[10] ^ v30;
      *result = v31;
      v32 = (a4[(unsigned __int8)v31 + 786] + (a4[BYTE1(v31) + 530] ^ (a4[HIBYTE(v31) + 18] + a4[BYTE2(v31) + 274]))) ^ v29;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v32), _mm_cvtsi32_si128(v31)).m128i_u64[0];
      v33 = a4[11] ^ v32;
      *result = v33;
      v34 = (a4[(unsigned __int8)v33 + 786] + (a4[BYTE1(v33) + 530] ^ (a4[HIBYTE(v33) + 18] + a4[BYTE2(v33) + 274]))) ^ v31;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v34), _mm_cvtsi32_si128(v33)).m128i_u64[0];
      v35 = a4[12] ^ v34;
      *result = v35;
      v36 = (a4[(unsigned __int8)v35 + 786] + (a4[BYTE1(v35) + 530] ^ (a4[HIBYTE(v35) + 18] + a4[BYTE2(v35) + 274]))) ^ v33;
      *(_QWORD *)result = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v36), _mm_cvtsi32_si128(v35)).m128i_u64[0];
      v37 = a4[13] ^ v36;
      *result = v37;
      result += 2;
      v38 = (a4[(unsigned __int8)v37 + 786] + (a4[BYTE1(v37) + 530] ^ (a4[HIBYTE(v37) + 18] + a4[BYTE2(v37) + 274]))) ^ v35;
      *((_QWORD *)result - 1) = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v38), _mm_cvtsi32_si128(v37)).m128i_u64[0];
      v39 = a4[14] ^ v38;
      *(result - 2) = v39;
      v40 = v39;
      v41 = _mm_cvtsi32_si128(v39);
      v42 = v37 ^ (a4[(unsigned __int8)v39 + 786]
                 + ((a4[HIBYTE(v39) + 18] + a4[BYTE2(v39) + 274]) ^ a4[BYTE1(v39) + 530]));
      *((_QWORD *)result - 1) = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v42), v41).m128i_u64[0];
      v43 = a4[15] ^ v42;
      *(result - 2) = v43;
      v44 = v40 ^ (a4[(unsigned __int8)v43 + 786]
                 + (a4[BYTE1(v43) + 530] ^ (a4[HIBYTE(v43) + 18] + a4[BYTE2(v43) + 274])));
      *((_QWORD *)result - 1) = _mm_unpacklo_epi32(_mm_cvtsi32_si128(v43), _mm_cvtsi32_si128(v44)).m128i_u64[0];
      *(result - 1) = a4[16] ^ v44;
      *(result - 2) = a4[17] ^ v43;
    }
    while ( result != v10 );
  }
  return result;
}
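An added example (not the author's exp, which is not reproduced on this page): a Python model of the loop body of sub_7FF631BCF2E0 above and of its inverse, with a4 indexed exactly as the pseudocode does, 18 round words followed by four 256-word tables at offsets 18, 274, 530 and 786, a layout that matches the Blowfish round and is inverted by walking the round words backwards. The real a4 contents are not on the page, so make_tables builds a seeded stand-in, and the rotate-left-by-3/XOR pass that follows the function is not modelled.

```python
import random
import struct

MASK = 0xFFFFFFFF

def byte0(v):  return v & 0xFF           # (unsigned __int8)v: low byte
def byte1(v):  return (v >> 8) & 0xFF    # BYTE1(v)
def byte2(v):  return (v >> 16) & 0xFF   # BYTE2(v)
def hibyte(v): return (v >> 24) & 0xFF   # HIBYTE(v): top byte

def make_tables(seed=1):
    """Constructed stand-in for a4: 18 round words + four 256-word tables."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(18 + 4 * 256)]

def f(a4, v):
    """The add/xor chain every round applies to the freshly keyed word."""
    inner = (a4[18 + hibyte(v)] + a4[274 + byte2(v)]) & MASK
    return (a4[786 + byte0(v)] + (a4[530 + byte1(v)] ^ inner)) & MASK

def encrypt_block(a4, left, right):
    """One 8-byte block: left = result[0], right = result[1]."""
    for i in range(16):
        left ^= a4[i]                 # v11 = a4[i] ^ *result
        right ^= f(a4, left)          # v12 = result[1] ^ F(v11)
        left, right = right, left     # each _mm_unpacklo_epi32 store swaps the words
    left, right = right, left         # the final store undoes the last swap
    return left ^ a4[17], right ^ a4[16]   # the two trailing XORs of the loop

def decrypt_block(a4, left, right):
    """Inverse: the same network with the round words in reverse order."""
    for i in range(17, 1, -1):
        left ^= a4[i]
        right ^= f(a4, left)
        left, right = right, left
    left, right = right, left
    return left ^ a4[0], right ^ a4[1]

def _blocks(a4, data, fn):
    # only whole 8-byte blocks are touched (v8 & ~7); words are little-endian
    whole = len(data) - len(data) % 8
    out = bytearray()
    for off in range(0, whole, 8):
        out += struct.pack("<II", *fn(a4, *struct.unpack_from("<II", data, off)))
    return bytes(out) + data[whole:]

def encrypt(a4, data):
    return _blocks(a4, data, encrypt_block)

def decrypt(a4, data):
    return _blocks(a4, data, decrypt_block)

if __name__ == "__main__":
    a4 = make_tables()
    msg = b"0123456789abcdef0123456789abcdef01234567"   # constructed 40-byte input
    ct = encrypt(a4, msg)
    assert decrypt(a4, ct) == msg
    print(ct.hex())
```

With the real a4 dumped from the debugger, decrypt_block applied to the compared-against array (after undoing the trailing rotate/XOR pass) is the exp's core.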


Last edited 2023-5-3 21:38 by oacia, reason: changed the IDA Go plugin used for gotots; the previous plugin could not rename functions
Latest replies (7)

2
Could you upload the challenge attachments discussed in the post to the forum?
2023-4-23 15:48

3
Editor: Could you upload the challenge attachments discussed in the post to the forum?
OK
2023-4-23 15:53

4
Boss! Way too cool
2023-4-26 19:55

5
Thanks for sharing
2023-4-27 00:33

6
Hello master, IDA 7.7, I used your restore script and it had no effect
2023-4-27 01:21

7
2023-4-27 01:30

8
mb_mvhtftgt

Hi, I am also using IDA 7.7, but since I cannot reproduce your error I am not sure where the problem is. I found an issue on GitHub reporting the same problem as yours,

https://github.com/0xjiayu/go_parser/issues/20 , but the author has not replied to it yet.

Below is IDA's Output from my successful run; hope this helps!

2023-4-27 10:52