强网杯 - 1ens's blog

GameMaster

.net程序

主要逻辑为异或和aes加密，解密message文件

from Crypto.Cipher import AES
key=bytes([66,114,97,105,110,115,116,111,114,109,105,110,103,33,33,33])
f=open('gamemessage','rb')
stream=f.read()
enc=[]
for i in stream:
    enc.append(i^34)
ae=AES.new(key,AES.MODE_ECB)
m=ae.decrypt(bytes(enc))
f.close()
ff=open('flag','wb')
ff.write(m)
ff.close()

得到文件用010edit打开，然后根据文件头提取文件，也是.net文件，dnspy打开

from z3 import *
f=[101,5,80,213,163,26,59,38,19,6,173,189,198,166,140,183,42,247,223,24,106,20,145,37,24,7,22,191,110,179,227,5,62,9,13,17,65,22,37,5]
x=BitVec('x',33)
y=BitVec('y',33)
z=BitVec('z',33)
s=Solver()
nums=-1
k=[0]*40
for i in range(320):
     x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1) | x << 1)
     y = (((y >> 30 ^ y >> 27) & 1) | y << 1)
     z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1) | z << 1)
     if i%8==0:
         nums+=1
     k[nums]=((k[nums]<<1)|((z >> 32 & 1 & (x >> 30 & 1)) ^ (((z >> 32 & 1) ^ 1) & (y >> 31 & 1))))&0xff
for i in range(40):
    s.add(k[i]==f[i])
if s.check()==sat:
 print(s.model())

还有移位然后异或的操作


s=[60,100,36,86,51,251,167,108,116,245,207,223,40,103,34,62,22,251,227]
z = 3131229747
y = 868387187
x = 156324965
L[0]=x
L[1]=y
L[2]=z
for i in range(3):
    for j in range(4):
        key[i * 4 + j] = ((L[i] >> j * 8) & 255)
for i in range(len(s)):
    print(chr(s[i]^key[i%len(key)]),end='')

#Y0u_@re_G3meM3s7er!

deeprev

Googlectf的一道同类型题，找到网上的脚本，format_addr函数修改了一下

GoogleCTF 2022 - eldar (333 pt / 14 solves) (harrisongreen.me)

# Author: hgarrereyn
# Desc: Lifter solution for GoogleCTF 2022 eldar

import lief
from collections import namedtuple
from dataclasses import dataclass
from typing import Any
from capstone import *



md = Cs(CS_ARCH_X86, CS_MODE_64)

b = None
try:
    b = lief.ELF.parse('./deeprev')
except:
    raise Exception('Must have the ./eldar binary in cwd')

rela = [x for x in b.sections if x.name == '.rela.dyn'][0]
print(rela)
dynsym = [x for x in b.sections if x.name == '.dynsym'][0]


@dataclass
class Symbol(object):
    idx: int
    def __repr__(self):
        return f's{self.idx}'
        
@dataclass
class Reloc(object):
    idx: int
    def __repr__(self):
        return f'r{self.idx}'

@dataclass
class Ref(object):
    val: Any
    def __repr__(self):
        return f'&{self.val}'

@dataclass
class SymAddr(object):
    sym: Symbol
    field: str
    def __repr__(self):
        return f'{self.sym}.{self.field}'

@dataclass
class RelocAddr(object):
    reloc: Reloc
    field: str
    def __repr__(self):
        return f'{self.reloc}.{self.field}'

    def vaddr(self):
        off = 0
        match self.field:
            case 'r_address':off = 0
            case 'r_info': off = 8
            case 'r_addend': off = 16
        
        return (self.reloc.idx * 24) + off + rela.virtual_address
    
@dataclass
class FlagAddr(object):
    idx: int
    def __repr__(self):
        return f'flag[{self.idx}]'

@dataclass
class OutAddr(object):
    idx: int
        
    def __repr__(self):
        return f'out[{self.idx}]'
    
@dataclass
class ArrAddr(object):
    idx: int
        
    def __repr__(self):
        return f'arr[{self.idx}]'

BaseAddr = namedtuple('baseaddr', [])
FailAddr = namedtuple('fail', [])

def format_addr(addr: int):
    if addr >= rela.virtual_address and addr < rela.virtual_address + rela.size:
        offset = addr - rela.virtual_address
        r_offset = (offset // 24)
        r_rem = offset % 24
        
        if r_offset >= 3 and r_offset <= 88:
            arr_idx = (r_offset - 3) * 3 + (r_rem // 8)
            return ArrAddr(arr_idx)
        elif r_offset == 89:
            return OutAddr(r_rem)
        
        match r_rem:
            case 0: return RelocAddr(Reloc(r_offset), 'r_address')
            case 8: return RelocAddr(Reloc(r_offset), 'r_info')
            case 16: return RelocAddr(Reloc(r_offset), 'r_addend')
            case _: return RelocAddr(Reloc(r_offset), r_rem)
    elif addr > dynsym.virtual_address and addr < dynsym.virtual_address + dynsym.size:
        offset = addr - dynsym.virtual_address
        r_offset = (offset // 24)
        r_rem = offset % 24
        
        match r_rem:
            case 0: return SymAddr(Symbol(r_offset), 'st_name')
            case 8: return Symbol(r_offset)
            case 16: return SymAddr(Symbol(r_offset), 'st_size')
            case _: return SymAddr(Symbol(r_offset), r_rem)
    elif addr >= 0x404040 and addr < 0x404040+33:
        off = addr-0x404040
        return FlagAddr(off)
    elif addr == 0x804000:
        return BaseAddr()
    elif addr == 0x404064:
        return FailAddr()
    else:
        return addr

def to_sym(name):
    assert len(name) == 1
    return Symbol(ord(name[0]))

Rel = namedtuple('REL', ['dst','val','ridx'])
Copy = namedtuple('CPY', ['dst', 'symbol', 'ridx'])
R64 = namedtuple('R64', ['dst','symbol','addend','ridx'])
R32 = namedtuple('R32', ['dst','symbol','addend','ridx'])

def parse(b) -> list:
    print('[*] Loading relocations...')
    relocs = list(b.relocations)
    
    print('[*] Parsing...')
    instructions = []
    for i in range(3, len(relocs)):
        r = relocs[i]
        match r.type:
            case 1: # R64
                instructions.append(R64(format_addr(r.address), to_sym(r.symbol.name), format_addr(r.addend), i))
            case 5: # CPY
                instructions.append(Copy(format_addr(r.address), to_sym(r.symbol.name), i))
            case 8: # REL
                instructions.append(Rel(format_addr(r.address), format_addr(r.addend), i))
            case 10: # R32
                instructions.append(R32(format_addr(r.address), to_sym(r.symbol.name), format_addr(r.addend), i))
                
    return instructions

Mov = namedtuple('mov', ['dst', 'src', 'sz', 'ridx'])
Add = namedtuple('add', ['dst', 'src', 'addend', 'ridx'])

def lift_mov_add(instructions):
    idx = 0
    
    sizes = []
    curr = [8] * 8
    sizes.append(curr)

    for instr in instructions:
        c = list(curr)
        match instr:
            case Rel(SymAddr(Symbol(idx), 'st_size'), val, ridx):
                c[idx] = val
        sizes.append(c)
    
    while idx < len(instructions):
        match instructions[idx]:
            case Rel(dst, val, ridx):
                instructions[idx] = Mov(dst, Ref(val), 8, ridx)
            case Copy(dst, sym, ridx):
                instructions[idx] = Mov(dst, sym, sizes[idx][sym.idx], ridx)
            case R64(dst, sym, add, ridx):
                instructions[idx] = Add(dst, sym, add, ridx)
        idx += 1
    return instructions

def remove_sizes(instructions):
    # Sizes are now nops
    idx = 0
    while idx < len(instructions):
        match instructions[idx]:
            case Mov(SymAddr(Symbol(s), 'st_size'), _, _, _) if s != 3:
                instructions[idx:idx+1] = []

        idx += 1
    return instructions

def lift_indirect(instructions):
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+3]:
            case [
                Mov(RelocAddr(Reloc(rel_1), 'r_addend'), Symbol(sidx_1), sz_1, ridx_1),
                Add(dst_2, sym_2, _, ridx_2),
                Mov(RelocAddr(Reloc(rel_3), 'r_addend'), Ref(0), sz_3, _),
            ] if (
                (rel_1 == ridx_2) and (rel_3 == ridx_2)
            ):
                instructions[idx:idx+3] = [
                    Add(dst_2, sym_2, Symbol(sidx_1), ridx_1)
                ]

        idx += 1
    return instructions

Block = namedtuple('block', ['arr', 'flag', 'ridx'])
Output = namedtuple('output', ['out', 'arr', 'ridx'])

def lift_block(instructions):
 
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+18]:
            case [
                Mov(_,arr,_,ridx),
                Add(_,_,_,_),
                Mov(_,flag,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                R32(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Add(_,_,_,_),
                Add(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
            ]:
                instructions[idx:idx+18] = [
                    Block(arr, flag, ridx)
                ]
        idx += 1
    return instructions

Reset = namedtuple('reset', ['ridx'])
ShuffleBlock = namedtuple('shuffleblock', ['f1', 'f2', 'ridx'])

def lift_reset(instructions):
    idx = 0
    while idx < len(instructions) - 256:
        good = True

        for i in range(256):
            op = instructions[idx+i]
            if type(op) == Mov:
                dst, src, _, _ = op
                if dst != ArrAddr(i) or src != Ref(i):
                    good = False
                    break
            else:
                good = False
                break

        if good:
            instructions[idx:idx+256] = [Reset(instructions[idx].ridx)]

        idx += 1
    return instructions

def lift_shuffle_block(instructions):
    idx = 0
    while idx < len(instructions) - 256:
        good = True

        for i in range(256):
            op = instructions[idx+i]
            if type(op) == Block:
                arr, flag, ridx = op
                if arr != Ref(ArrAddr(i)):
                    good = False
                    break
            else:
                good = False
                break

        if good:
            instructions[idx:idx+256] = [ShuffleBlock(instructions[idx].flag, instructions[idx+1].flag, instructions[idx].ridx)]

        idx += 1
    return instructions

Output = namedtuple('output', ['out', 'arr', 'ridx'])

def lift_output(instructions):
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+26]:
            case [
                Mov(_,arr,_,ridx),
                Add(_,_,_,_),
                R32(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Add(_,_,_,_),
                Add(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                R32(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Mov(_,_,_,_),
                Add(_,_,_,_),
                Add(_,_,_,_),
                Add(_,_,_,_),
                Mov(out,_,_,_),
            ]:
                instructions[idx:idx+26] = [Output(out, arr, ridx)]
        idx += 1
    return instructions

MultAdd = namedtuple('multadd', ['out', 'val', 'k', 'ridx'])

def lift_multadd(instructions):
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+3]:
            # block prefix
            case [
                Mov(Symbol(2), out, _, ridx),
                Mov(Symbol(5), Symbol(2), _, _),
                Mov(Symbol(6), Ref(0), _, _),
            ]:
                k = 0
                double = False

                ptr = idx + 3

                good = True
                while ptr < len(instructions):
                    match instructions[ptr]:
                        case Mov(Symbol(2), Ref(Symbol(6)), _, _):
                            double = True
                        case Mov(Symbol(2), Ref(Symbol(5)), _, _):
                            double = False
                        case Add(Symbol(6), Symbol(6), Symbol(2), _):
                            k = (k * 2) if double else (k + 1)
                        case Add(Symbol(7), Symbol(7), Symbol(2), _):
                            ptr += 1
                            break
                        case _:
                            good = False
                            break

                    ptr += 1
                
                if good:
                    instructions[idx:ptr] = [
                        MultAdd(Symbol(7), out, k, ridx)
                    ]

        idx += 1

    return instructions

Trunc = namedtuple('trunc', ['val', 'k', 'ridx'])

def lift_truncate(instructions):
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+2]:
            case [
                Mov(Symbol(2), Ref(SymAddr(Symbol(5), 11)), _, ridx),
                Mov(SymAddr(Symbol(7), 11), Symbol(2), 5, _)
            ]:
                instructions[idx:idx+2] = [
                    Trunc(Symbol(7), 0xffffff, ridx)]
        idx += 1
    return instructions

ArraySlots = namedtuple('arr', ['values', 'ridx'])

def lift_array_slots(instructions):
    idx = 0
   
    while idx < len(instructions):
        match instructions[idx]:
            case Mov(BaseAddr(), Ref(0), _, ridx):
                ptr = idx+1
                while ptr < len(instructions):
                    op = instructions[ptr]
                    if type(op) != Mov or op.dst != BaseAddr():
                        break
                    ptr += 1

                start = idx
                end = ptr

                data = []

                # Check for movs into array.
                vstart = RelocAddr(Reloc(ridx), 'r_address').vaddr()
                offset = 0
                while end + offset < len(instructions) and offset < ((end - start) * 3):
                    op = instructions[end + offset]
                    if type(op) == Mov and type(op.dst) is RelocAddr and op.dst.vaddr() == vstart + (offset * 8):
                        data.append(op.src.val)
                    else:
                        break
                    offset += 1

                if len(data) > 0:
                    data += [0] * (((end - start) * 3) - len(data))   
                    instructions[idx:end+offset] = [
                        ArraySlots(data, ridx)
                    ]

        idx += 1
    return instructions

Shellcode = namedtuple('shellcode', ['dst', 'code', 'ridx'])

def lift_shellcode(instructions):
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+6]:
            case [
                ArraySlots(values, ridx),
                Mov(Symbol(3), Ref(RelocAddr(Reloc(rel2), 'r_address')), _, _),
                Mov(SymAddr(Symbol(3), 'st_name'), _, _, _),
                Add(dst, Symbol(3), _, _),
                Mov(Symbol(2), _, _, _),
                Mov(RelocAddr(Reloc(rel6), 'r_address'), Symbol(2), _, _)
            ] if (rel2 == ridx) and (rel6 == ridx):
                instructions[idx:idx+6] = [
                    Shellcode(dst, b''.join([(x & 0xffffffffffffffff).to_bytes(8, 'little') for x in values]), ridx)
                ]
        idx += 1
    return instructions

Aop = namedtuple('aop', ['dst', 'op', 'val', 'k', 'ridx'])

def lift_aop(instructions):
    idx = 0
    while idx < len(instructions):
        match instructions[idx:idx+5]:
            case [
                Mov(Symbol(2), val, _, ridx),
                Mov(Symbol(5), Symbol(2), _, _),
                Shellcode(_, data, _),
                Mov(Symbol(2), Ref(Symbol(5)), _, _),
                Add(dst, dst2, Symbol(2), _)
            ] if len(data) == 24 and (dst == dst2):
                op = next(md.disasm(data, 0))

                t = op.mnemonic
                k = int(op.op_str.split(', ')[-1], 16)

                instructions[idx:idx+5] = [
                    Aop(dst, t, val, k, ridx)
                ]

        idx += 1
    return instructions






def dump(instructions):
    for op in instructions:
        match op:
            case Mov(SymAddr(sym, 'st_name'), Ref(val), 8, ridx) if type(val) is int:
                name = val & 0xffffffff
                info = (val >> 4) & 0xff
                other = (val >> 5) & 0xff
                shndx = (val >> 6) & 0xffff
                print(f'[{ridx:04d}] :: setinfo {sym}, name=0x{name:x}, info=0x{info:x}, other=0x{other:x}, shndx=0x{shndx:x}')
            case Mov(BaseAddr(), Ref(0), _, ridx):
                print(f'[{ridx:04d}] :: [ARRAY SLOT]')
            case Mov(dst, src, 8, ridx):
                print(f'[{ridx:04d}] :: mov {dst}, {src}')
            case Mov(dst, src, sz, ridx):
                print(f'[{ridx:04d}] :: mov({sz}) {dst}, {src}')
            case Add(dst, src, add, ridx):
                print(f'[{ridx:04d}] :: add {dst}, {src}, {add}')
            case R32(dst, src, add, ridx):
                print(f'[{ridx:04d}] :: r32 {dst}, {src}, {add}')
            case Block(arr, flag, ridx):
                print(f'[{ridx:04d}] :: shuffle {arr}, {flag}')
            case Output(out, arr, ridx):
                print(f'[{ridx:04d}] :: output {out}, {arr}')
            case ShuffleBlock(f1, f2, ridx):
                print(f'[{ridx:04d}] :: shuffleblock {f1}, {f2}')
            case MultAdd(dst, val, k, ridx):
                print(f'[{ridx:04d}] :: madd {dst} += ({val} * {k})')
            case Aop(dst, op, val, k, ridx):
                print(f'[{ridx:04d}] :: aop {dst} += ({val} {op} {k})')
            case Reset(ridx):
                print(f'[{ridx:04d}] :: reset')
            case Trunc(val, k, ridx):
                print(f'[{ridx:04d}] :: trunc {val} &= 0x{k:x}')
            case ArraySlots(values, ridx):
                print(f'[{ridx:04d}] :: array [{", ".join([hex(x) for x in values])}]')
            case Shellcode(dst, code, ridx):
                print(f'[{ridx:04d}] :: exec {dst} <- {code.hex()}')
                print('-' * 20)
                for i in md.disasm(code, 0):
                    if i.mnemonic == 'ret':
                        break
                    print("    0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str.replace('0x8040e4', 's5').replace('0x8040cc', 's4')))
                print('-' * 20)
            case _:
                print(op)

LIFTS = [
    lift_mov_add,
    remove_sizes,
    lift_indirect,
    lift_block,
    lift_reset,
    lift_shuffle_block,
    lift_output,
    lift_multadd,
    lift_truncate,
    lift_array_slots,
    lift_shellcode,
    lift_aop,
]

def lift(instructions):
    for lift_fn in LIFTS:
        print(f'[*] {lift_fn.__name__}...')
        instructions = lift_fn(instructions)
    return instructions

instructions = parse(b)
instructions = lift(instructions)
dump(instructions)

得到：

[0005] :: mov s2, &flag[0]
[0007] :: mov(1) s4, s2
[0008] :: [ARRAY SLOT]
[0009] :: mov arr[15], &1585408084625667200
[0010] :: mov arr[16], &195
[0011] :: mov s3, &arr[15]
[0012] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0013] :: add arr[15], s3, 0
[0014] :: mov s2, &r101002.r_address
[0016] :: mov(24) arr[15], s2
[0017] :: [ARRAY SLOT]
[0018] :: mov arr[42], &141015791240320
[0019] :: mov arr[43], &195
[0020] :: mov s3, &arr[42]
[0021] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0022] :: add arr[42], s3, 0
[0023] :: mov arr[42], s2
[0024] :: mov s2, &s4
[0026] :: mov(1) arr[0], s2
[0027] :: mov s2, &flag[1]
[0028] :: mov s4, s2
[0029] :: [ARRAY SLOT]
[0030] :: mov arr[78], &1657465678663595136
[0031] :: mov arr[79], &195
[0032] :: mov s3, &arr[78]
[0033] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0034] :: add arr[78], s3, 0
[0035] :: mov s2, &r101002.r_address
[0037] :: mov(24) arr[78], s2
[0038] :: [ARRAY SLOT]
[0039] :: mov arr[105], &72198609829168256
[0040] :: mov arr[106], &195
[0041] :: mov s3, &arr[105]
[0042] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0043] :: add arr[105], s3, 0
[0044] :: mov arr[105], s2
[0045] :: mov s2, &s4
[0047] :: mov(1) arr[0], s2
[0048] :: mov s2, &flag[2]
[0049] :: mov s4, s2
[0050] :: [ARRAY SLOT]
[0051] :: mov arr[141], &1153062520398099584
[0052] :: mov arr[142], &195
[0053] :: mov s3, &arr[141]
[0054] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0055] :: add arr[141], s3, 0
[0056] :: mov s2, &r101002.r_address
[0058] :: mov(24) arr[141], s2
[0059] :: [ARRAY SLOT]
[0060] :: mov arr[168], &144256203867096192
[0061] :: mov arr[169], &195
[0062] :: mov s3, &arr[168]
[0063] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0064] :: add arr[168], s3, 0
[0065] :: mov arr[168], s2
[0066] :: mov s2, &s4
[0068] :: mov(1) arr[0], s2
[0069] :: mov s2, &flag[3]
[0070] :: mov s4, s2
[0071] :: [ARRAY SLOT]
[0072] :: mov arr[204], &1297177708473955456
[0073] :: mov arr[205], &195
[0074] :: mov s3, &arr[204]
[0075] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0076] :: add arr[204], s3, 0
[0077] :: mov s2, &r101002.r_address
[0079] :: mov(24) arr[204], s2
[0080] :: [ARRAY SLOT]
[0081] :: mov arr[231], &216313797905024128
[0082] :: mov arr[232], &195
[0083] :: mov s3, &arr[231]
[0084] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0085] :: add arr[231], s3, 0
[0086] :: mov arr[231], s2
[0087] :: mov s2, &s4
[0089] :: mov(1) arr[0], s2
[0090] :: mov s2, &flag[4]
[0091] :: mov s4, s2
[0092] :: exec r92.r_address <- 803425cc40800010c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x10
--------------------
[0101] :: array [0x4008040cc250480, 0xc3, 0x0]
[0104] :: mov s3, &r101.r_address
[0105] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0106] :: add r101.r_address, s3, 0
[0107] :: mov r101.r_address, s2
[0108] :: mov s2, &s4
[0110] :: mov(1) arr[0], s2
[0111] :: mov s2, &flag[5]
[0112] :: mov s4, s2
[0113] :: exec r113.r_address <- 803425cc40800011c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x11
--------------------
[0122] :: array [0x5008040cc250480, 0xc3, 0x0]
[0125] :: mov s3, &r122.r_address
[0126] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0127] :: add r122.r_address, s3, 0
[0128] :: mov r122.r_address, s2
[0129] :: mov s2, &s4
[0131] :: mov(1) arr[0], s2
[0132] :: mov s2, &flag[6]
[0133] :: mov s4, s2
[0134] :: exec r134.r_address <- 803425cc40800012c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x12
--------------------
[0143] :: array [0x6008040cc250480, 0xc3, 0x0]
[0146] :: mov s3, &r143.r_address
[0147] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0148] :: add r143.r_address, s3, 0
[0149] :: mov r143.r_address, s2
[0150] :: mov s2, &s4
[0152] :: mov(1) arr[0], s2
[0153] :: mov s2, &flag[7]
[0154] :: mov s4, s2
[0155] :: exec r155.r_address <- 803425cc40800013c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x13
--------------------
[0164] :: array [0x7008040cc250480, 0xc3, 0x0]
[0167] :: mov s3, &r164.r_address
[0168] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0169] :: add r164.r_address, s3, 0
[0170] :: mov r164.r_address, s2
[0171] :: mov s2, &s4
[0173] :: mov(1) arr[0], s2
[0174] :: mov s2, &flag[8]
[0175] :: mov s4, s2
[0176] :: exec r176.r_address <- 803425cc40800014c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x14
--------------------
[0185] :: array [0x8008040cc250480, 0xc3, 0x0]
[0188] :: mov s3, &r185.r_address
[0189] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0190] :: add r185.r_address, s3, 0
[0191] :: mov r185.r_address, s2
[0192] :: mov s2, &s4
[0194] :: mov(1) arr[1], s2
[0195] :: mov s2, &flag[9]
[0196] :: mov s4, s2
[0197] :: exec r197.r_address <- 803425cc40800015c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x15
--------------------
[0206] :: array [0x9008040cc250480, 0xc3, 0x0]
[0209] :: mov s3, &r206.r_address
[0210] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0211] :: add r206.r_address, s3, 0
[0212] :: mov r206.r_address, s2
[0213] :: mov s2, &s4
[0215] :: mov(1) arr[1], s2
[0216] :: mov s2, &flag[10]
[0217] :: mov s4, s2
[0218] :: exec r218.r_address <- 803425cc40800016c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x16
--------------------
[0227] :: array [0xa008040cc250480, 0xc3, 0x0]
[0230] :: mov s3, &r227.r_address
[0231] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0232] :: add r227.r_address, s3, 0
[0233] :: mov r227.r_address, s2
[0234] :: mov s2, &s4
[0236] :: mov(1) arr[1], s2
[0237] :: mov s2, &flag[11]
[0238] :: mov s4, s2
[0239] :: exec r239.r_address <- 803425cc40800017c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x17
--------------------
[0248] :: array [0xb008040cc250480, 0xc3, 0x0]
[0251] :: mov s3, &r248.r_address
[0252] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0253] :: add r248.r_address, s3, 0
[0254] :: mov r248.r_address, s2
[0255] :: mov s2, &s4
[0257] :: mov(1) arr[1], s2
[0258] :: mov s2, &flag[12]
[0259] :: mov s4, s2
[0260] :: exec r260.r_address <- 803425cc40800018c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x18
--------------------
[0269] :: array [0xc008040cc250480, 0xc3, 0x0]
[0272] :: mov s3, &r269.r_address
[0273] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0274] :: add r269.r_address, s3, 0
[0275] :: mov r269.r_address, s2
[0276] :: mov s2, &s4
[0278] :: mov(1) arr[1], s2
[0279] :: mov s2, &flag[13]
[0280] :: mov s4, s2
[0281] :: exec r281.r_address <- 803425cc40800019c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x19
--------------------
[0290] :: array [0xd008040cc250480, 0xc3, 0x0]
[0293] :: mov s3, &r290.r_address
[0294] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0295] :: add r290.r_address, s3, 0
[0296] :: mov r290.r_address, s2
[0297] :: mov s2, &s4
[0299] :: mov(1) arr[1], s2
[0300] :: mov s2, &flag[14]
[0301] :: mov s4, s2
[0302] :: exec r302.r_address <- 803425cc40800024c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x24
--------------------
[0311] :: array [0xe008040cc250480, 0xc3, 0x0]
[0314] :: mov s3, &r311.r_address
[0315] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0316] :: add r311.r_address, s3, 0
[0317] :: mov r311.r_address, s2
[0318] :: mov s2, &s4
[0320] :: mov(1) arr[1], s2
[0321] :: mov s2, &flag[15]
[0322] :: mov s4, s2
[0323] :: exec r323.r_address <- 803425cc4080002cc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x2c
--------------------
[0332] :: array [0xf008040cc250480, 0xc3, 0x0]
[0335] :: mov s3, &r332.r_address
[0336] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0337] :: add r332.r_address, s3, 0
[0338] :: mov r332.r_address, s2
[0339] :: mov s2, &s4
[0341] :: mov(1) arr[1], s2
[0342] :: mov s2, &flag[16]
[0343] :: mov s4, s2
[0344] :: exec r344.r_address <- 803425cc40800026c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x26
--------------------
[0353] :: array [0x10008040cc250480, 0xc3, 0x0]
[0356] :: mov s3, &r353.r_address
[0357] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0358] :: add r353.r_address, s3, 0
[0359] :: mov r353.r_address, s2
[0360] :: mov s2, &s4
[0362] :: mov(1) arr[2], s2
[0363] :: mov s2, &flag[17]
[0364] :: mov s4, s2
[0365] :: exec r365.r_address <- 803425cc4080001ec3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x1e
--------------------
[0374] :: array [0x11008040cc250480, 0xc3, 0x0]
[0377] :: mov s3, &r374.r_address
[0378] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0379] :: add r374.r_address, s3, 0
[0380] :: mov r374.r_address, s2
[0381] :: mov s2, &s4
[0383] :: mov(1) arr[2], s2
[0384] :: mov s2, &flag[18]
[0385] :: mov s4, s2
[0386] :: exec r386.r_address <- 803425cc4080001fc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x1f
--------------------
[0395] :: array [0x12008040cc250480, 0xc3, 0x0]
[0398] :: mov s3, &r395.r_address
[0399] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0400] :: add r395.r_address, s3, 0
[0401] :: mov r395.r_address, s2
[0402] :: mov s2, &s4
[0404] :: mov(1) arr[2], s2
[0405] :: mov s2, &flag[19]
[0406] :: mov s4, s2
[0407] :: exec r407.r_address <- 803425cc40800020c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x20
--------------------
[0416] :: array [0x13008040cc250480, 0xc3, 0x0]
[0419] :: mov s3, &r416.r_address
[0420] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0421] :: add r416.r_address, s3, 0
[0422] :: mov r416.r_address, s2
[0423] :: mov s2, &s4
[0425] :: mov(1) arr[2], s2
[0426] :: mov s2, &flag[20]
[0427] :: mov s4, s2
[0428] :: exec r428.r_address <- 803425cc40800020c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x20
--------------------
[0437] :: array [0x14008040cc250480, 0xc3, 0x0]
[0440] :: mov s3, &r437.r_address
[0441] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0442] :: add r437.r_address, s3, 0
[0443] :: mov r437.r_address, s2
[0444] :: mov s2, &s4
[0446] :: mov(1) arr[2], s2
[0447] :: mov s2, &flag[21]
[0448] :: mov s4, s2
[0449] :: exec r449.r_address <- 803425cc40800021c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x21
--------------------
[0458] :: array [0x15008040cc250480, 0xc3, 0x0]
[0461] :: mov s3, &r458.r_address
[0462] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0463] :: add r458.r_address, s3, 0
[0464] :: mov r458.r_address, s2
[0465] :: mov s2, &s4
[0467] :: mov(1) arr[2], s2
[0468] :: mov s2, &flag[22]
[0469] :: mov s4, s2
[0470] :: exec r470.r_address <- 803425cc40800023c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x23
--------------------
[0479] :: array [0x16008040cc250480, 0xc3, 0x0]
[0482] :: mov s3, &r479.r_address
[0483] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0484] :: add r479.r_address, s3, 0
[0485] :: mov r479.r_address, s2
[0486] :: mov s2, &s4
[0488] :: mov(1) arr[2], s2
[0489] :: mov s2, &flag[23]
[0490] :: mov s4, s2
[0491] :: exec r491.r_address <- 803425cc40800027c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x27
--------------------
[0500] :: array [0x17008040cc250480, 0xc3, 0x0]
[0503] :: mov s3, &r500.r_address
[0504] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0505] :: add r500.r_address, s3, 0
[0506] :: mov r500.r_address, s2
[0507] :: mov s2, &s4
[0509] :: mov(1) arr[2], s2
[0510] :: mov s2, &flag[24]
[0511] :: mov s4, s2
[0512] :: exec r512.r_address <- 803425cc40800024c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x24
--------------------
[0521] :: array [0x18008040cc250480, 0xc3, 0x0]
[0524] :: mov s3, &r521.r_address
[0525] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0526] :: add r521.r_address, s3, 0
[0527] :: mov r521.r_address, s2
[0528] :: mov s2, &s4
[0530] :: mov(1) arr[3], s2
[0531] :: mov s2, &flag[25]
[0532] :: mov s4, s2
[0533] :: exec r533.r_address <- 803425cc40800025c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x25
--------------------
[0542] :: array [0x19008040cc250480, 0xc3, 0x0]
[0545] :: mov s3, &r542.r_address
[0546] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0547] :: add r542.r_address, s3, 0
[0548] :: mov r542.r_address, s2
[0549] :: mov s2, &s4
[0551] :: mov(1) arr[3], s2
[0552] :: mov s2, &flag[26]
[0553] :: mov s4, s2
[0554] :: exec r554.r_address <- 803425cc40800026c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x26
--------------------
[0563] :: array [0x1a008040cc250480, 0xc3, 0x0]
[0566] :: mov s3, &r563.r_address
[0567] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0568] :: add r563.r_address, s3, 0
[0569] :: mov r563.r_address, s2
[0570] :: mov s2, &s4
[0572] :: mov(1) arr[3], s2
[0573] :: mov s2, &flag[27]
[0574] :: mov s4, s2
[0575] :: exec r575.r_address <- 803425cc40800027c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [s4], 0x27
--------------------
[0584] :: array [0x1b008040cc250480, 0xc3, 0x0]
[0587] :: mov s3, &r584.r_address
[0588] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0589] :: add r584.r_address, s3, 0
[0590] :: mov r584.r_address, s2
[0591] :: mov s2, &s4
[0593] :: mov(1) arr[3], s2
[0594] :: mov s4, &0
[0595] :: mov fail(), &0
[0596] :: mov s5, &0
[0597] :: mov s2, &arr[0]
[0599] :: mov s6, s2
[0600] :: exec r600.r_address <- 803425fc40800070c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x70
--------------------
[0609] :: mov s2, &s6
[0611] :: add s5, s5, s2
[0614] :: mov s6, &0
[0615] :: mov s2, &arr[0]
[0616] :: mov s6, s2
[0617] :: exec r617.r_address <- 803425fc4080007cc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x7c
--------------------
[0626] :: mov s2, &s6
[0628] :: add s5, s5, s2
[0631] :: mov s6, &0
[0632] :: mov s2, &arr[0]
[0633] :: mov s6, s2
[0634] :: exec r634.r_address <- 803425fc40800073c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x73
--------------------
[0643] :: mov s2, &s6
[0645] :: add s5, s5, s2
[0648] :: mov s6, &0
[0649] :: mov s2, &arr[0]
[0650] :: mov s6, s2
[0651] :: exec r651.r_address <- 803425fc40800078c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x78
--------------------
[0660] :: mov s2, &s6
[0662] :: add s5, s5, s2
[0665] :: mov s6, &0
[0666] :: mov s2, &arr[0]
[0667] :: mov s6, s2
[0668] :: exec r668.r_address <- 803425fc4080006fc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x6f
--------------------
[0677] :: mov s2, &s6
[0679] :: add s5, s5, s2
[0682] :: mov s6, &0
[0683] :: mov s2, &arr[0]
[0684] :: mov s6, s2
[0685] :: exec r685.r_address <- 803425fc40800027c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x27
--------------------
[0694] :: mov s2, &s6
[0696] :: add s5, s5, s2
[0699] :: mov s6, &0
[0700] :: mov s2, &arr[0]
[0701] :: mov s6, s2
[0702] :: exec r702.r_address <- 803425fc4080002ac3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x2a
--------------------
[0711] :: mov s2, &s6
[0713] :: add s5, s5, s2
[0716] :: mov s6, &0
[0717] :: mov s2, &arr[0]
[0718] :: mov s6, s2
[0719] :: exec r719.r_address <- 803425fc4080002cc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x2c
--------------------
[0728] :: mov s2, &s6
[0730] :: add s5, s5, s2
[0733] :: mov s6, &0
[0734] :: mov s2, &arr[1]
[0735] :: mov s6, s2
[0736] :: exec r736.r_address <- 803425fc4080007fc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x7f
--------------------
[0745] :: mov s2, &s6
[0747] :: add s5, s5, s2
[0750] :: mov s6, &0
[0751] :: mov s2, &arr[1]
[0752] :: mov s6, s2
[0753] :: exec r753.r_address <- 803425fc40800035c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x35
--------------------
[0762] :: mov s2, &s6
[0764] :: add s5, s5, s2
[0767] :: mov s6, &0
[0768] :: mov s2, &arr[1]
[0769] :: mov s6, s2
[0770] :: exec r770.r_address <- 803425fc4080002dc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x2d
--------------------
[0779] :: mov s2, &s6
[0781] :: add s5, s5, s2
[0784] :: mov s6, &0
[0785] :: mov s2, &arr[1]
[0786] :: mov s6, s2
[0787] :: exec r787.r_address <- 803425fc40800032c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x32
--------------------
[0796] :: mov s2, &s6
[0798] :: add s5, s5, s2
[0801] :: mov s6, &0
[0802] :: mov s2, &arr[1]
[0803] :: mov s6, s2
[0804] :: exec r804.r_address <- 803425fc40800037c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x37
--------------------
[0813] :: mov s2, &s6
[0815] :: add s5, s5, s2
[0818] :: mov s6, &0
[0819] :: mov s2, &arr[1]
[0820] :: mov s6, s2
[0821] :: exec r821.r_address <- 803425fc4080003bc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x3b
--------------------
[0830] :: mov s2, &s6
[0832] :: add s5, s5, s2
[0835] :: mov s6, &0
[0836] :: mov s2, &arr[1]
[0837] :: mov s6, s2
[0838] :: exec r838.r_address <- 803425fc40800022c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x22
--------------------
[0847] :: mov s2, &s6
[0849] :: add s5, s5, s2
[0852] :: mov s6, &0
[0853] :: mov s2, &arr[1]
[0854] :: mov s6, s2
[0855] :: exec r855.r_address <- 803425fc40800059c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x59
--------------------
[0864] :: mov s2, &s6
[0866] :: add s5, s5, s2
[0869] :: mov s6, &0
[0870] :: mov s2, &arr[2]
[0871] :: mov s6, s2
[0872] :: exec r872.r_address <- 803425fc40800053c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x53
--------------------
[0881] :: mov s2, &s6
[0883] :: add s5, s5, s2
[0886] :: mov s6, &0
[0887] :: mov s2, &arr[2]
[0888] :: mov s6, s2
[0889] :: exec r889.r_address <- 803425fc4080008ec3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x8e
--------------------
[0898] :: mov s2, &s6
[0900] :: add s5, s5, s2
[0903] :: mov s6, &0
[0904] :: mov s2, &arr[2]
[0905] :: mov s6, s2
[0906] :: exec r906.r_address <- 803425fc4080003dc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x3d
--------------------
[0915] :: mov s2, &s6
[0917] :: add s5, s5, s2
[0920] :: mov s6, &0
[0921] :: mov s2, &arr[2]
[0922] :: mov s6, s2
[0923] :: exec r923.r_address <- 803425fc4080002ac3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x2a
--------------------
[0932] :: mov s2, &s6
[0934] :: add s5, s5, s2
[0937] :: mov s6, &0
[0938] :: mov s2, &arr[2]
[0939] :: mov s6, s2
[0940] :: exec r940.r_address <- 803425fc40800059c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x59
--------------------
[0949] :: mov s2, &s6
[0951] :: add s5, s5, s2
[0954] :: mov s6, &0
[0955] :: mov s2, &arr[2]
[0956] :: mov s6, s2
[0957] :: exec r957.r_address <- 803425fc40800027c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x27
--------------------
[0966] :: mov s2, &s6
[0968] :: add s5, s5, s2
[0971] :: mov s6, &0
[0972] :: mov s2, &arr[2]
[0973] :: mov s6, s2
[0974] :: exec r974.r_address <- 803425fc4080002dc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x2d
--------------------
[0983] :: mov s2, &s6
[0985] :: add s5, s5, s2
[0988] :: mov s6, &0
[0989] :: mov s2, &arr[2]
[0990] :: mov s6, s2
[0991] :: exec r991.r_address <- 803425fc40800029c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x29
--------------------
[1000] :: mov s2, &s6
[1002] :: add s5, s5, s2
[1005] :: mov s6, &0
[1006] :: mov s2, &arr[3]
[1007] :: mov s6, s2
[1008] :: exec r1008.r_address <- 803425fc40800034c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x34
--------------------
[1017] :: mov s2, &s6
[1019] :: add s5, s5, s2
[1022] :: mov s6, &0
[1023] :: mov s2, &arr[3]
[1024] :: mov s6, s2
[1025] :: exec r1025.r_address <- 803425fc4080002dc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x2d
--------------------
[1034] :: mov s2, &s6
[1036] :: add s5, s5, s2
[1039] :: mov s6, &0
[1040] :: mov s2, &arr[3]
[1041] :: mov s6, s2
[1042] :: exec r1042.r_address <- 803425fc40800061c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x61
--------------------
[1051] :: mov s2, &s6
[1053] :: add s5, s5, s2
[1056] :: mov s6, &0
[1057] :: mov s2, &arr[3]
[1058] :: mov s6, s2
[1059] :: exec r1059.r_address <- 803425fc40800032c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x8040fc], 0x32
--------------------
[1068] :: mov s2, &s6
[1070] :: add s5, s5, s2
[1073] :: mov s6, &0
[1074] :: mov s2, &flag[28]
[1075] :: mov s6, s2
[1076] :: mov s2, &flag[29]
[1077] :: mov s7, s2
[1078] :: mov s8, &0
[1079] :: mov s2, &s8
[1080] :: add s8, s8, s2
[1083] :: mov s2, &s6
[1084] :: add s8, s8, s2
[1087] :: mov s9, &0
[1088] :: mov s2, &s9
[1089] :: add s9, s9, s2
[1092] :: mov s2, &s7
[1093] :: add s9, s9, s2
[1096] :: mov s2, &s9
[1097] :: add s10, s8, s2
[1100] :: exec r1100.r_address <- 8034255c4180006cc3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x80415c], 0x6c
--------------------
[1109] :: mov s2, &s10
[1111] :: add s5, s5, s2
[1114] :: mov s6, &0
[1115] :: mov s7, &0
[1116] :: mov s8, &0
[1117] :: mov s9, &0
[1118] :: mov s10, &0
[1119] :: mov s2, &flag[28]
[1120] :: mov s6, s2
[1121] :: mov s2, &flag[29]
[1122] :: mov s7, s2
[1123] :: mov s8, &0
[1124] :: mov s2, &s8
[1125] :: add s8, s8, s2
[1128] :: mov s2, &s6
[1129] :: add s8, s8, s2
[1132] :: mov s2, &s8
[1133] :: add s8, s8, s2
[1136] :: mov s9, &0
[1137] :: mov s2, &s9
[1138] :: add s9, s9, s2
[1141] :: mov s2, &s7
[1142] :: add s9, s9, s2
[1145] :: mov s2, &s9
[1146] :: add s10, s8, s2
[1149] :: exec r1149.r_address <- 8034255c418000a1c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x80415c], 0xa1
--------------------
[1158] :: mov s2, &s10
[1160] :: add s5, s5, s2
[1163] :: mov s6, &0
[1164] :: mov s7, &0
[1165] :: mov s8, &0
[1166] :: mov s9, &0
[1167] :: mov s10, &0
[1168] :: mov s2, &flag[30]
[1169] :: mov s6, s2
[1170] :: mov s2, &flag[31]
[1171] :: mov s7, s2
[1172] :: mov s8, &0
[1173] :: mov s2, &s8
[1174] :: add s8, s8, s2
[1177] :: mov s2, &s6
[1178] :: add s8, s8, s2
[1181] :: mov s9, &0
[1182] :: mov s2, &s9
[1183] :: add s9, s9, s2
[1186] :: mov s2, &s7
[1187] :: add s9, s9, s2
[1190] :: mov s2, &s9
[1191] :: add s10, s8, s2
[1194] :: exec r1194.r_address <- 8034255c418000b1c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x80415c], 0xb1
--------------------
[1203] :: mov s2, &s10
[1205] :: add s5, s5, s2
[1208] :: mov s6, &0
[1209] :: mov s7, &0
[1210] :: mov s8, &0
[1211] :: mov s9, &0
[1212] :: mov s10, &0
[1213] :: mov s2, &flag[30]
[1214] :: mov s6, s2
[1215] :: mov s2, &flag[31]
[1216] :: mov s7, s2
[1217] :: mov s8, &0
[1218] :: mov s2, &s8
[1219] :: add s8, s8, s2
[1222] :: mov s2, &s6
[1223] :: add s8, s8, s2
[1226] :: mov s2, &s8
[1227] :: add s8, s8, s2
[1230] :: mov s9, &0
[1231] :: mov s2, &s9
[1232] :: add s9, s9, s2
[1235] :: mov s2, &s7
[1236] :: add s9, s9, s2
[1239] :: mov s2, &s9
[1240] :: add s10, s8, s2
[1243] :: exec r1243.r_address <- 8034255c418000e5c3000000000000000000000000000000
--------------------
    0x0:	xor	byte ptr [0x80415c], 0xe5
--------------------
[1252] :: mov s2, &s10
[1254] :: add s5, s5, s2
[1257] :: mov s6, &0
[1258] :: mov s7, &0
[1259] :: mov s8, &0
[1260] :: mov s9, &0
[1261] :: mov s10, &0
[1262] :: mov s2, &s5
[1264] :: mov(1) fail(),

大致思路是对输入异或然后+i对比数据

但是flag数组前四个没直接给出，有四个大数字以第一个为例1585408084625667200

转为16进制16008040cc253480 倒叙一下就是 803425cc40800016，再根据后面的数据类推，flag[0]就是0x16

import hashlib
xor=[0x16,0x17,0x10,0x12,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x24,0x2c,0x26,0x1e,0x1f,0x20,0x20,0x21,0x23,0x27,0x24,0x25,0x26,0x27]
encflag=[0x70,0x7c,0x73,0x78,0x6f,0x27,0x2a,0x2c,0x7f,0x35,0x2d,0x32,0x37,0x3b,0x22,0x59,0x53,0x8e,0x3d,0x2a,0x59,0x27,0x2d,0x29,0x34,0x2d,0x61,0x32]
a=""
for i in range(len(encflag)):
   a+=chr((encflag[i]-i)^xor[i])
l = "1234567890abcdef"
for b in l:
 for c in l:
  for d in l:
    flag = a+b+c+d+"}"
    sha = hashlib.sha256(flag.encode("utf-8")).hexdigest()
    if sha[0:16] == "f860464d767610bb":
     print(flag)
     break

最后的flag：flag{366c950370fec47e34581a0574}

find_basic

IDA 静态分析，可以明显看出程序加过 VM 且每个 handler 自身作为分发器

call进入的后是switch语句，再根据之前的赋值执行相应的操作

大概混肴逻辑是先赋值一个数，这个数决定了下面函数的操作，进入下面的call函数，执行相应的语句

trace记录

debugger打开tracing window

在的打开view里面的tracing

然后点亮代码跟踪

但是在调试时候会有如下报错

1	F7CF3464: got SIGTRAP signal (Trace trap) (exc.code 5, tid 8259)

正常调试是没用问题的，启用trace之后就会报错，这里设置一下ida调试debugger option

选择最下方edit exceptions

其他类似的报错也可如此，但是究其原理，类似是创造了一个死循环，有师傅懂得的话欢迎评论

参考：

常见反调试整理 (nigoule.com)

Linux进程被信号杀死后退出状态码(exit code)的分析_halfclear的博客-CSDN博客_exitcode

例如移除时钟报错，有一种思路就是更换函数

移除alarm函数
# 将程序名为ProgrammName中的alarm替换为isnan >

sed -i s/alarm/isnan/g ./ProgrammName

为了方便查看trace代码，这里还有一个垃圾循环我们可以修改一下

主要逻辑是产生了一个随机数后逻辑与0xFF，不断地比较。如果小于就自增一在继续判断，不断地循环直到和产生的随机数相等再推出循环。经过分析该循环体内没有需要的数据。我们可以直接patch跳转条件

或者在call完rand函数之后下一个不执行但是修改eax值的断点

然后我们就可以下断点trcace我们的代码

接着就可以分析相关的执行数据

例如这里就是我们的数据

以下类推可以得到最终的逻辑

或者我们可以写脚本

from idc import *
from capstone import *
from keystone import *

md = Cs(CS_ARCH_X86, CS_MODE_32)
ks = Ks(KS_ARCH_X86, KS_MODE_32)

def mydis(code, addr=0):
    for i in md.disasm(code, addr): 
        return ('%s %s' %(i.mnemonic, i.op_str))

def myasm(dis_txt, addr=0):
    #keystone fail
    encoding, count = ks.asm(dis_txt, addr=addr)
    return bytes(encoding)


class Block:
    def __init__(self, start_ea, end_ea, imm, reg, call_target):
        self.start_ea = start_ea
        self.end_ea = end_ea
        self.imm = imm
        self.reg = reg
        self.call_target = call_target

regnums = []

def get_block(start_ea):
    mnem_list = ['pushf', 'pusha', 'mov', 'call', 'pop']
    ea = start_ea
    i = 0
    while i < 5:
        mnem = idc.print_insn_mnem(ea)
        if mnem_list[i%5] != mnem:
            raise 0
        if mnem == 'mov':
            imm = idc.get_operand_value(ea, 1)
            # 17 -> cl, 18 -> dl, 19 -> bl
            reg = idc.get_operand_value(ea, 0) #reg_id
            '''
            if reg not in regnums:
                print ('reg=%s, ea=%x' %(reg, ea))
                regnums.append(reg)
            '''

        if mnem == 'call':
            call_target = idc.get_operand_value(ea, 0)
        i += 1
        ea += idc.get_item_size(ea)
    return Block(start_ea, ea, imm, reg, call_target)

def check_mnem(ea, should_mnem):
    mnem = idc.print_insn_mnem(ea)
    if mnem != should_mnem:
        assert 0


def get_real_code(block, new_code, new_code_ea):
    ea = block.call_target
    while True:
        mnem = idc.print_insn_mnem(ea)
        if mnem == 'cmp':
            reg = idc.get_operand_value(ea, 0)
            imm = idc.get_operand_value(ea, 1)
            if (reg == block.reg) & (imm == block.imm):
                break
        ea += idc.get_item_size(ea)

    ea += idc.get_item_size(ea)

    check_mnem(ea, 'jnz')
    ea += idc.get_item_size(ea)

    check_mnem(ea, 'popa')
    ea += idc.get_item_size(ea)

    check_mnem(ea, 'popf')
    ea += idc.get_item_size(ea)

    mnem = idc.print_insn_mnem(ea)
    if mnem == 'pushf':
        print ('find ret: ea=%x' %ea)
        new_code += myasm('ret', new_code_ea+len(new_code))
        return True, new_code
    while True:
        mnem = idc.print_insn_mnem(ea)
        if mnem == 'jmp':
            break
        dis = mydis(idc.get_bytes(ea, idc.get_item_size(ea)), ea)
        print ('block=%x, ea=%x, dis=%s' %(block.start_ea, ea, dis))
        new_code += myasm(dis, new_code_ea+len(new_code))
        ea += idc.get_item_size(ea)
    return False, new_code

def handle_one_fun(fun_start, new_code_ea):
    ea = fun_start
    new_code = b''
    while True:
        mnem = idc.print_insn_mnem(ea)
        if mnem != 'pushf':
            dis = mydis(idc.get_bytes(ea, idc.get_item_size(ea)), ea)
            print('ea=%x, dis=%s' % (ea, dis))
            new_code += myasm(dis, new_code_ea + len(new_code))
            if mnem == 'retn':
                break
            ea += idc.get_item_size(ea)
        else:
            print ('get_block ea=%x' %ea)
            myblock = get_block(ea)
            #print ('ea=%x, new_ea=%x' %(myblock.start_ea, new_code_ea+len(new_code)))
            ret, new_code = get_real_code(myblock, new_code, new_code_ea)
            if ret:
                break
            ea = myblock.end_ea
    return new_code

new_code_start = 0x96150
ida_bytes.patch_bytes(new_code_start, b'\x90'*0x10000)

for i in range(0x10000):
    idc.del_items(i+new_code_start)

funs = [0x48F4, 0x48c8, 0x3fbf, 0x3F1B, 0x4148, 0x750A9, 0x33EC]
new_code_ea = new_code_start
for fun in funs:
    print ('--------------------------------')
    print ('fun=%x, new_fun=%x' %(fun, new_code_ea))
    print ('--------------------------------')
    new_code = handle_one_fun(fun, new_code_ea)
    ida_bytes.patch_bytes(new_code_ea, new_code)
    idc.create_insn(new_code_ea)
    ida_funcs.add_func(new_code_ea)
    new_code_ea += len(new_code)

最后z3求解

from z3 import *
flag = [BitVec('x%d' % i, 8) for i in range(28)]
s = Solver()

v5 = 40085 * flag[3]- 222506 * flag[2]+ 54507 * flag[4]+ 88056 * flag[1]+ 212571 * flag[5]- 160722 * flag[0]-0x6A31D
s.add(v5==0)
v5 = 49300 * flag[3]+ 259229 * flag[0]+ 278066 * flag[2]- 127937 * flag[1]- 295169 * flag[4]- 8368677
s.add(v5==0)
v5 = 42214 * flag[1]- 108025 * flag[3]+ 205972 * flag[0]+ 27559 * flag[2]- 17114904
s.add(v5==0)
v5 = - 151496 * flag[1]+ 204740 * flag[0]+ 80143 * flag[2]- 12295783
s.add(v5==0)
v5 = 241935 * flag[1]+ 124128 * flag[0]- 38790036+ 273221 * flag[0]- 27868542
s.add(v5==0)

v6 = -279656 * flag[2]- 199574 * flag[1]- 258130 * flag[8]- 200399 * flag[3]- 173903 * flag[7]+ 175816 * flag[0]- 234569 * flag[6]- 108273 * flag[4]- 222957 * flag[5]+ 128244179
s.add(v6==0)
v6 = - 81541 * flag[1]- 268763 * flag[0]+ 219073 * flag[3]+ 34782 * flag[6]+ 21153 * flag[5]+ 173005 * flag[7]+ 76285 * flag[4]+ 32825 * flag[2]- 13874925
s.add(v6==0)
v6 = 85214 * flag[2]- 268299 * flag[3]- 230981 * flag[1]+ 290772 * flag[5]- 74394 * flag[4]+ 28044 * flag[6]- 242995 * flag[0]+ 50871139
s.add(v6==0)

v7 = -208564 * flag[0] + 81934 * flag[9] - 106641 * flag[7] + 198477 * flag[2] + 154505 * flag[1] + 48440 * flag[5] - 149004 * flag[3] - 108909 * flag[4] - 51714 * flag[10] - 296420 * flag[8] + 263021 * flag[6] + 688726 
s.add(v7==0)
v7 = - 131130 * flag[2] + 224265 * flag[3] + 230702 * flag[0] - 176285 * flag[7] - 274778 * flag[4] + 103848 * flag[8] - 136039 * flag[9] - 241151 * flag[5] + 15542 * flag[6] - 17521 * flag[1] + 41644083
s.add(v7==0)

v8 = 195056 * flag[4]- 15717 * flag[9]- 180214 * flag[6]- 114427 * flag[5]+ 277782 * flag[7]+ 261379 * flag[8]- 225266 * flag[2]+ 107609 * flag[0]+ 259792 * flag[3]+ 270563 * flag[11]+ 205124 * flag[1]+ 138334 * flag[10]+ 103474 * flag[12]- 117027475
s.add(v8==0)
v8 = 189573 * flag[8]+ 64393 * flag[6]+ 231137 * flag[1]+ 145315 * flag[4]- 53938 * flag[10]- 291345 * flag[5]+ 216413 * flag[3]- 204681 * flag[0]- 65519 * flag[9]- 262826 * flag[2]+ 187002 * flag[7]+ 271732 * flag[11]- 38663722
s.add(v8==0)

v9 = 15645 * flag[13] + 276267 * flag[12] + 31190 * flag[5] - 244002 * flag[2] + 81415 * flag[3] - 22940 * flag[10] - 126076 * flag[7] + 8932 * flag[8] + 112153 * flag[4] + 194218 * flag[11] + 197656 * flag[9] - 204463 * flag[0] - 219500 * flag[1] + 19777 * flag[6] - 24531260
s.add(v9==0)

v10 = 279969 * flag[8]- 123977 * flag[4]+ 162094 * flag[0]- 215769 * flag[1]- 18878 * flag[14]- 80292 * flag[11]- 237675 * flag[5]- 222121 * flag[6]+ 269381 * flag[12]+ 153934 * flag[13]- 165380 * flag[10]- 157137 * flag[2]- 186748 * flag[3]+ 170756 * flag[7]- 186932 * flag[9]+ 87264470
s.add(v10==0)

v11 = -87190 * flag[2]- 74836 * flag[1]+ 16892 * flag[9]- 185781 * flag[8]- 12726 * flag[7]+ 85022 * flag[12]+ 232989 * flag[10]+ 68516 * flag[0]- 120254 * flag[6]- 204892 * flag[5]- 65901 * flag[4]- 201087 * flag[13]+ 158612 * flag[11]- 49445 * flag[3]- 181860 * flag[14]- 111015 * flag[15]+ 43646834
s.add(v11==0)

v12 = -170184 * flag[3] - 137671 * flag[4] - 85374 * flag[9] - 73658 * flag[11] + 230891 * flag[13] + 54346 * flag[15] - 280694 * flag[0] + 60411 * flag[2] + 27171 * flag[7] - 50618 * flag[6] + 11843 * flag[10] + 131778 * flag[5] + 13956 * flag[8] - 42562 * flag[12] - 19972 * flag[1] - 145797 * flag[14] - 58717 * flag[16] + 74613584
s.add(v12==0)

v13 = 242475 * flag[16]- 234385 * flag[0]+ 124653 * flag[2]- 287929 * flag[13]- 190916 * flag[12]- 277578 * flag[11]+ 39 * flag[8]- 41625 * flag[6]+ 67262 * flag[5]- 250144 * flag[9]- 70886 * flag[10]- 223492 * flag[15]- 179651 * flag[7]+ 206538 * flag[17]+ 161965 * flag[3]- 146258 * flag[4]+ 167068 * flag[1]+ 196330 * flag[14]+ 76353817
s.add(v13==0)

v14 = 29700 * flag[18]- 60542 * flag[5]+ 274107 * flag[11]+ 154914 * flag[13]- 143185 * flag[12]+ 167424 * flag[2]+ 137439 * flag[8]- 186151 * flag[10]- 77157 * flag[9]- 233090 * flag[6]- 27400 * flag[7]- 76557 * flag[15]- 108002 * flag[17]+ 103161 * flag[14]- 133956 * flag[1]- 219502 * flag[4]- 202897 * flag[0]- 250957 * flag[3]- 119297 * flag[16]+ 100812197
s.add(v14==0)

v15 = -171971 * flag[9]+ 38740 * flag[4]+ -31661 * flag[10]+ -194653 * flag[18]+ -295910 * flag[16]+ 136489 * flag[12]+ 212619 * flag[17]+ 165592 * flag[11]+ 211791 * flag[1]+ 156909 * flag[2]+ -232187 * flag[8]+ -73709 * flag[7]+ 79735 * flag[14]+ 184882 * flag[13]+ 111105 * flag[6]+ 148840 * flag[3]+ -35774 * flag[19]+ -275711 * flag[0] + 135265 * flag[5] - 141221 * flag[15] - 39117122
s.add(v15==0)

v16 = -186514 * flag[17]+ -7791 * flag[2]+ 276755 * flag[11]+ -294815 * flag[14]+ -238763 * flag[15]+ -146099 * flag[5]+ 184977 * flag[16]+ 178413 * flag[1]+ 287303 * flag[3]+ -71946 * flag[10]+ -73771 * flag[9]+ -129032 * flag[18]+ 200202 * flag[20]+ -150509 * flag[6]+ -156625 * flag[13]+ 14093 * flag[7]+ 192584 * flag[12]- 122770 * flag[0]- 255494 * flag[8] + 65 * flag[4] - 108479 * flag[19] + 13521895
s.add(v16==0)

v17 = 210978 * flag[7]+ 300336 * flag[10]+ 207254 * flag[15]+ 216206 * flag[5]+ -63529 * flag[0]+ -274903 * flag[11]+ -10750 * flag[14]+ 25008 * flag[4]+ -100942 * flag[19]+ -104857 * flag[2]+ 266501 * flag[8]+ 229070 * flag[17]+ -234559 * flag[16]+ 298459 * flag[3]+ -172052 * flag[6]+ -98938 * flag[12]+ 66155 * flag[13]+ -84761 * flag[1]+ -283508 * flag[18]+ 288577 * flag[21] - 75407 * flag[20] - 204447 * flag[9] + 4351595
s.add(v17==0)

v18 = -201846 * flag[14]+ 272550 * flag[20]+ 60398 * flag[6]+ 45580 * flag[7]+ 195108 * flag[11]+ 38596 * flag[0]+ 220445 * flag[18]+ -190873 * flag[15]+ 103477 * flag[9]+ 118842 * flag[19]+ 206336 * flag[10]+ -249940 * flag[17]+ -48084 * flag[21]+ 104901 * flag[5]+ -48576 * flag[4]+ 287104 * flag[16]+ -286686 * flag[1]+ -30253 * flag[22]+ 121183 * flag[3]+ 90967 * flag[2]+ -195519 * flag[12] - 129304 * flag[8] + 141188 * flag[13] - 56642147
s.add(v18==0)

v19 = 110609 * flag[4]+ 5913 * flag[21]+ -197578 * flag[7]+ 45127 * flag[18]+ 282426 * flag[13]+ -71019 * flag[16]+ -6980 * flag[11]+ 208216 * flag[15]+ -13544 * flag[20]+ 17852 * flag[8]+ 167833 * flag[12]+ 145568 * flag[17]+ 3610 * flag[19]+ 91985 * flag[1]+ -267402 * flag[5]+ -32355 * flag[14]+ -197823 * flag[23]+ 135525 * flag[2]+ -229424 * flag[22]+ 38093 * flag[10]+ 50167 * flag[6]+ 118713 * flag[9] + 123874 * flag[0] - 89499 * flag[3] - 43090537
s.add(v19==0)

v1 = -164755 * flag[9] + 175470 * flag[8] - 28660 * flag[1] + 7217 * flag[11] - 295102 * flag[4] - 28531 * flag[19] - 106265 * flag[25] - 92750 * flag[10] + 16738 * flag[21] - 231714 * flag[6] + 172042 * flag[24] - 215890 * flag[17] + 199697 * flag[12] - 84235 * flag[7] + 44614 * flag[13] + 75104 * flag[5] - 195843 * flag[0] - 15784 * flag[14] - 131950 * flag[15] - 268167 * flag[16] - 197565 * flag[20] + 24340 * flag[23] + 105130 * flag[2] - 79750 * flag[22] - 264668 * flag[3] + 50329 * flag[18] + 137774797
s.add(v1==0)

v20 = 62119 * flag[17]- 17215 * flag[24]+ 289621 * flag[18]+ 53006 * flag[20]+ 95969 * flag[11]+ 202404 * flag[0]+ 247060 * flag[21]+ 144211 * flag[19]+ 280106 * flag[7]- 126431 * flag[10]- 226837 * flag[12]+ 10463 * flag[23]+ 121257 * flag[13]- 84190 * flag[9]+ 88917 * flag[1]+ 15453 * flag[14]+ 271442 * flag[4]+ 110851 * flag[3]- 231422 * flag[5]+ 176741 * flag[22]+ 266134 * flag[2]- 197327 * flag[6]- 55225 * flag[8] - 265465 * flag[15] + 119612 * flag[16] - 98514358
s.add(v20==0)

v2 = 151924 * flag[25] - 265311 * flag[6] + 107604 * flag[11] - 47851 * flag[24] + 227178 * flag[13] - 162699 * flag[2] + 2171 * flag[20] + 211070 * flag[23] + 94815 * flag[22] + 124760 * flag[16] + 41462 * flag[19] - 277022 * flag[15] - 62501 * flag[26] - 17727 * flag[14] - 257908 * flag[4] - 175112 * flag[21] + 8972 * flag[10] - 71801 * flag[8] - 114724 * flag[5] - 252898 * flag[9] + 161457 * flag[1] - 64461 * flag[0] - 111493 * flag[18] + 200145 * flag[17] - 290075 * flag[3] + 158466 * flag[12]
v21 = v2 - 275262 * flag[7] + 86899519
s.add(v21==0)

v3 = 142850 * flag[18]- 166704 * flag[1]+ 284852 * flag[22]+ 248972 * flag[7]- 76200 * flag[17]+ 261708 * flag[19]+ 91911 * flag[24]+ 22347 * flag[3]+ 76006 * flag[21]+ 256511 * flag[6]- 100052 * flag[14]- 115830 * flag[2]- 93202 * flag[23]+ 248858 * flag[12]- 262669 * flag[10]+ 67895 * flag[5]- 111771 * flag[8]- 132193 * flag[11]- 141512 * flag[13]+ 139406 * flag[27]+ 109646 * flag[16]- 286309 * flag[9]+ 175476 * flag[15] + 138067 * flag[20] + 192825 * flag[25]
s.add(flag[0] == 102)
s.add(flag[1] == 108)
s.add(flag[2] == 97)
s.add(flag[3] == 103)
s.add(flag[4] == 123)
s.add(flag[27] == 125)

s.add(199577 * flag[0] - 63091 * flag[4] + v3 - 285207 * flag[26] - 58820340 + v21 == 0)

print(s.check())
print(s.model())
mod = s.model()
print(''.join([chr(mod[x].as_long()) for x in flag]))

easyre

首先来卡一下main函数 finger识别一下函数

fork函数在主进程返回的是子进程的PID，在子进程返回的是0，这里生成一个re3的文件

ptrace函数深入分析 - 黑箱 - 博客园 (cnblogs.com)

这里的ptrace比较重要代表不同的类型

光标在第一个参数上按M，搜索 ptrace，就可以得到相应的参数。

进入401f2f函数

4017e5函数，有一大串数据

似乎是对子进程进行了一些操作，我们去看看之前的re3文件

Int setjmp(jmp_buf env);

返回值：若直接调用则返回0，若从longjmp调用返回则返回非0值的longjmp中的val值

Void longjmp(jmp_buf env,int val);

调用此函数则返回到语句setjmp所在的地方，其中env 就是setjmp中的 env，而val 则是使setjmp的返回值变为val。

这里的loc_21F9是重要逻辑，跟进，看到一个int3，这里发出中断信号，等待主处理进程，然后主进程判断异常类型（这就是后面的值），然后执行smc操作，也照应了之前的wait函数。

下面我们再回到主进程分析一下smc

带参数启动调试。

主要smc逻辑

我们运用断点把数据提取出来

xorKey = {8723: 2533025110152939745, 8739: 5590097037203163468, 8755: 17414346542877855401, 8771: 17520503086133755340, 8787: 12492599841064285544, 8803: 12384833368350302160, 8819: 11956541642520230699, 8835: 12628929057681570616, 8851: 910654967627959011, 8867: 5684234031469876551, 8883: 6000358478182005051, 8899: 3341586462889168127, 8915: 11094889238442167020, 8931: 17237527861538956365, 8947: 17178915143649401084, 8963: 11176844209899222046, 8979: 18079493192679046363, 8995: 7090159446630928781, 9011: 863094436381699168, 9027: 6906972144372600884, 9043: 16780793948225765908, 9059: 7086655467811962655, 9075: 13977154540038163446, 9091: 7066662532691991888, 9107: 15157921356638311270, 9123: 12585839823593393444, 9139: 1360651393631625694, 9155: 2139328426318955142, 9171: 2478274715212481947, 9187: 12876028885252459748, 9203: 18132176846268847269, 9219: 17242441603067001509, 9235: 8492111998925944081, 9251: 14679986489201789069, 9267: 13188777131396593592, 9283: 5298970373130621883, 9299: 525902164359904478, 9315: 2117701741234018776, 9331: 9158760851580517972}

addr = 0x2213

while True:
    data = get_qword(addr)
    key = xorKey[addr]
    dec = data ^ key
    idc.patch_qword(addr, dec)
    addr += 16

之后跑脚本

_BYTE *__fastcall sub_21F9(__int64 a1, __int64 a2, __int64 a3)
{
  _BYTE *result; // rax
  int v4; // [rsp+20h] [rbp-28h]
  int v5; // [rsp+24h] [rbp-24h]
  char v6; // [rsp+28h] [rbp-20h]
  int v7; // [rsp+2Ch] [rbp-1Ch]
  int j; // [rsp+30h] [rbp-18h]
  int v9; // [rsp+34h] [rbp-14h]
  int v10; // [rsp+38h] [rbp-10h]
  char v11; // [rsp+3Ch] [rbp-Ch]
  int v12; // [rsp+40h] [rbp-8h]
  int i; // [rsp+44h] [rbp-4h]

  __debugbreak();
  for ( i = 0; i <= 24; ++i )
  {
    v12 = 0;
    v11 = 0;
    v10 = 0;
    v9 = 1;
    while ( v12 <= 24 )
    {
      if ( *(_BYTE *)(25 * i + v12 + a1) )
      {
        ++v11;
        v10 = 1;
      }
      else
      {
        if ( v10 )
        {
          *(_BYTE *)(a2 + 25LL * i + v9) = v11;
          v11 = 0;
          ++v9;
        }
        v10 = 0;
      }
      if ( ++v12 == 25 && v10 )
      {
        *(_BYTE *)(a2 + 25LL * i + v9) = v11;
        v11 = 0;
        ++v9;
      }
    }
    result = (_BYTE *)(25LL * i + a2);
    *result = v9 - 1;
  }
  for ( j = 0; j <= 24; ++j )
  {
    v7 = 0;
    v6 = 0;
    v5 = 0;
    v4 = 1;
    while ( v7 <= 24 )
    {
      if ( *(_BYTE *)(25 * v7 + j + a1) )
      {
        ++v6;
        v5 = 1;
      }
      else
      {
        if ( v5 )
        {
          *(_BYTE *)(a3 + 25LL * j + v4) = v6;
          v6 = 0;
          ++v4;
        }
        v5 = 0;
      }
      if ( ++v7 == 25 && v5 )
      {
        *(_BYTE *)(a3 + 25LL * j + v4) = v6;
        v6 = 0;
        ++v4;
      }
    }
    result = (_BYTE *)(25LL * j + a3);
    *result = v4 - 1;
  }
  __debugbreak();
  return result;
}