2023强网杯部分RE_WP
# BabyreIDA打开分析,TLS中有反调试,直接patch
来到主函数分析加密算法,主逻辑是个魔改的xtea算法
直接调试取出key和密文,写对应的解密逻辑解密即可
```cpp
#include <stdio.h>
#include <stdint.h>
/* take 64 bits of data in v and v and 128 bits of key - key */
void encipher(uint32_t v, uint32_t const key) {
unsigned int i, j;
uint32_t v0 = v, v1 = v, sum = 0x90508D47;
for (i = 0; i < 4; ++i)
{
for (j = 0; j < 33; ++j)
{
v0 += (((32 * v1) ^ (v1 >> 4)) + v1) ^ (sum + key) ^ sum;
v1 += (((32 * v0) ^ (v0 >> 4)) + v0) ^ (sum + key[(sum >> 11) & 3]);
sum -= 0x77BF7F99;
}
}
v = v0; v = v1;
}
void decipher(uint32_t v, uint32_t const key) {
unsigned int i, j;
uint32_t v0 = v, v1 = v, sum = 0x90508D47;
for (i = 0; i < 4; ++i)
{
for (j = 0; j < 33; ++j)
{
sum -= 0x77BF7F99;
}
}
for (i = 0; i < 4; ++i)
{
for (j = 0; j < 33; ++j)
{
sum += 0x77BF7F99;
v1 -= (((32 * v0) ^ (v0 >> 4)) + v0) ^ (sum + key[(sum >> 11) & 3]);
v0 -= (((32 * v1) ^ (v1 >> 4)) + v1) ^ (sum + key) ^ sum;
}
}
v = v0; v = v1;
}
int main()
{
//char flag[] = "123456789012345678901234567890ab";
char flag[] = { 0xE0, 0xF2, 0x23, 0x95, 0x93, 0xC2, 0xD8, 0x8E, 0x93, 0xC3, 0x68, 0x86, 0xBC, 0x50, 0xF2, 0xDD, 0x99, 0x44, 0x0E, 0x51, 0x44, 0xBD, 0x60, 0x8C, 0xF2, 0xAB, 0xDC, 0x34, 0x60, 0xD2, 0x0F, 0xC1 ,0};
uint32_t * v = (uint32_t *)flag;
uint32_t const k = { 0x62, 0x6F, 0x6D, 0x62 };
//for (int i = 0; i < 4; i++)
//{
// encipher(&v, k);
//}
for (int i = 0; i < 4; i++)
{
decipher(&v, k);
}
printf("%s", flag);
return 0;
}
//W31com3_2_Th3_QwbS7_4nd_H4v3_Fun
```
Flag为 `flag{W31com3_2_Th3_QwbS7_4nd_H4v3_Fun}`
# dotdot
输入16位的key,将16位的key打乱,然后重组与密文对比,对比成功,用key进行RC4解密得到license.dat。爆破可解,用C爆破
贴出正向的代码
```Python
from utils_date import *
def GGG(v16):
array = bytearray(16)
array2 =
for i in range(16):
array = v16]
v16[:16] = array
def inverse_GGG(v16):
array = bytearray(16)
array2 =
for i in range(16):
array] = v16
v16[:16] = array
if __name__ == "__main__":
aaa = [# 模拟输入。aaa是最终要解密的key
0x31,
0x32,
0x33,
0x34,
0x35,
0x36,
0x37,
0x38,
0x39,
0x30,
0x61,
0x62,
0x63,
0x64,
0x65,
0x66,
]
for i in range(9):
GGG(aaa)
for j in range(4):
num = v11]
num2 = v11]
num3 = v11]
num4 = v11]
num5 = v12[(num >> 28 & 0xF)][(num2 >> 28 & 0xF)]
num6 = v12[(num3 >> 28 & 0xF)][(num4 >> 28 & 0xF)]
num7 = v12[(num >> 24 & 0xF)][(num2 >> 24 & 0xF)]
num8 = v12[(num3 >> 24 & 0xF)][(num4 >> 24 & 0xF)]
aaa = v12 << 4 | v12
num5 = v12[(num >> 20 & 0xF)][(num2 >> 20 & 0xF)]
num6 = v12[(num3 >> 20 & 0xF)][(num4 >> 20 & 0xF)]
num7 = v12[(num >> 16 & 0xF)][(num2 >> 16 & 0xF)]
num8 = v12[(num3 >> 16 & 0xF)][(num4 >> 16 & 0xF)]
aaa = v12 << 4 | v12
num5 = v12[(num >> 12 & 0xF)][(num2 >> 12 & 0xF)]
num6 = v12[(num3 >> 12 & 0xF)][(num4 >> 12 & 0xF)]
num7 = v12[(num >> 8 & 0xF)][(num2 >> 8 & 0xF)]
num8 = v12[(num3 >> 8 & 0xF)][(num4 >> 8 & 0xF)]
aaa = v12 << 4 | v12
num5 = v12[(num >> 4 & 0xF)][(num2 >> 4 & 0xF)]
num6 = v12[(num3 >> 4 & 0xF)][(num4 >> 4 & 0xF)]
num7 = v12[(num & 0xF)][(num2 & 0xF)]
num8 = v12[(num3 & 0xF)][(num4 & 0xF)]
aaa = v12 << 4 | v12
num = v13]
num2 = v13]
num3 = v13]
num4 = v13]
num5 = v12[(num >> 28 & 0xF)][(num2 >> 28 & 0xF)]
num6 = v12[(num3 >> 28 & 0xF)][(num4 >> 28 & 0xF)]
num7 = v12[(num >> 24 & 0xF)][(num2 >> 24 & 0xF)]
num8 = v12[(num3 >> 24 & 0xF)][(num4 >> 24 & 0xF)]
aaa = v12 << 4 | v12
num5 = v12[(num >> 20 & 0xF)][(num2 >> 20 & 0xF)]
num6 = v12[(num3 >> 20 & 0xF)][(num4 >> 20 & 0xF)]
num7 = v12[(num >> 16 & 0xF)][(num2 >> 16 & 0xF)]
num8 = v12[(num3 >> 16 & 0xF)][(num4 >> 16 & 0xF)]
aaa = v12 << 4 | v12
num5 = v12[(num >> 12 & 0xF)][(num2 >> 12 & 0xF)]
num6 = v12[(num3 >> 12 & 0xF)][(num4 >> 12 & 0xF)]
num7 = v12[(num >> 8 & 0xF)][(num2 >> 8 & 0xF)]
num8 = v12[(num3 >> 8 & 0xF)][(num4 >> 8 & 0xF)]
aaa = v12 << 4 | v12
num5 = v12[(num >> 4 & 0xF)][(num2 >> 4 & 0xF)]
num6 = v12[(num3 >> 4 & 0xF)][(num4 >> 4 & 0xF)]
num7 = v12[(num & 0xF)][(num2 & 0xF)]
num8 = v12[(num3 & 0xF)][(num4 & 0xF)]
aaa = v12 << 4 | v12
print(i, j, aaa, end="\n------------------\n")
# exit(-1)
GGG(aaa)
for k in range(16):
aaa = v14]
print(aaa)
bbb =
print(bbb)
# 最终对比的密文, 即上面的bbb的结果应该是
```
utils_date是我自己定义的,用到的数据都在里面(每次运行都一样), 太大了,直接调试获取数据即可
逻辑就是通过bbb,即反推出aaa就可以了,应该是需要爆破
先逆第一层
```python
from utils_date import *
def inverse_GGG(v16):
array = bytearray(16)
array2 =
for i in range(16):
array] = v16
v16[:16] = array
a = [
0x61,
0x93,
0x31,
0x7B,
0xF8,
0x96,
0xE0,
0x00,
0xA5,
0x27,
0xB7,
0x37,
0x4A,
0xE3,
0x03,
0xA8,
]
for k in range(16):
a = v14.index(a)
# print(a)
inverse_GGG(a)
print(a)
#
```
然后爆破
```cpp
#include <windows.h>
#include <stdio.h>
char v3[] = {}; //数据太大
char v1[] = {}; //。。。
char v4[] = {};//。。。
int * v13_int = (int *)v3;
int (*v13) = (int (*)) v13_int;
int * v11_int = (int *)v1;
int(*v11) = (int(*)) v11_int;
unsigned char (*v14) = (unsigned char (*)) v4;
unsigned char v12 = {{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
{1, 0, 3, 2, 5, 4, 7, 6, 9, 8, 11, 10, 13, 12, 15, 14},
{2, 3, 0, 1, 6, 7, 4, 5, 10, 11, 8, 9, 14, 15, 12, 13},
{3, 2, 1, 0, 7, 6, 5, 4, 11, 10, 9, 8, 15, 14, 13, 12},
{4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11},
{5, 4, 7, 6, 1, 0, 3, 2, 13, 12, 15, 14, 9, 8, 11, 10},
{6, 7, 4, 5, 2, 3, 0, 1, 14, 15, 12, 13, 10, 11, 8, 9},
{7, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8},
{8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7},
{9, 8, 11, 10, 13, 12, 15, 14, 1, 0, 3, 2, 5, 4, 7, 6},
{10, 11, 8, 9, 14, 15, 12, 13, 2, 3, 0, 1, 6, 7, 4, 5},
{11, 10, 9, 8, 15, 14, 13, 12, 3, 2, 1, 0, 7, 6, 5, 4},
{12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3},
{13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2},
{14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1},
{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
unsigned char v12 = {{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
{1, 0, 3, 2, 5, 4, 7, 6, 9, 8, 11, 10, 13, 12, 15, 14},
{2, 3, 0, 1, 6, 7, 4, 5, 10, 11, 8, 9, 14, 15, 12, 13},
{3, 2, 1, 0, 7, 6, 5, 4, 11, 10, 9, 8, 15, 14, 13, 12},
{4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11},
{5, 4, 7, 6, 1, 0, 3, 2, 13, 12, 15, 14, 9, 8, 11, 10},
{6, 7, 4, 5, 2, 3, 0, 1, 14, 15, 12, 13, 10, 11, 8, 9},
{7, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8},
{8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7},
{9, 8, 11, 10, 13, 12, 15, 14, 1, 0, 3, 2, 5, 4, 7, 6},
{10, 11, 8, 9, 14, 15, 12, 13, 2, 3, 0, 1, 6, 7, 4, 5},
{11, 10, 9, 8, 15, 14, 13, 12, 3, 2, 1, 0, 7, 6, 5, 4},
{12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3},
{13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2},
{14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1},
{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
void GGG(unsigned char v16[]) {
unsigned char array;
unsigned char array2[] = { 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11 };
for (int i = 0; i < 16; i++) {
array = v16];
}
for (int i = 0; i < 16; i++) {
v16 = array;
}
}
void inverse_GGG(unsigned char v16[]) {
unsigned char array;
unsigned char array2[] = { 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11 };
for (int i = 0; i < 16; i++) {
array] = v16;
}
for (int i = 0; i < 16; i++) {
v16 = array;
}
}
int baopo(unsigned char* res, int i, int j, unsigned char* target)
{
//res保存返回结果,即index1, index2, index3, index4
//i, j保存每次循环的轮数
//target保存要爆破的结果
unsigned char aaa = {0};
unsigned int num, num2, num3, num4;
unsigned int num5, num6, num7, num8;
unsigned int index1, index2, index3, index4;
for (index1 = 0; index1 < 256; index1++)
{
printf("%d %d %d\r", i, j, index1);
for (index2 = 0; index2 < 256; index2++)
{
for (index3 = 0; index3 < 256; index3++)
{
for (index4 = 0; index4 < 256; index4++)
{
num = v11;
num2 = v11;
num3 = v11;
num4 = v11;
num5 = v12[(num >> 28 & 0xF)][(num2 >> 28 & 0xF)];
num6 = v12[(num3 >> 28 & 0xF)][(num4 >> 28 & 0xF)];
num7 = v12[(num >> 24 & 0xF)][(num2 >> 24 & 0xF)];
num8 = v12[(num3 >> 24 & 0xF)][(num4 >> 24 & 0xF)];
aaa = v12 << 4 | v12;
num5 = v12[(num >> 20 & 0xF)][(num2 >> 20 & 0xF)];
num6 = v12[(num3 >> 20 & 0xF)][(num4 >> 20 & 0xF)];
num7 = v12[(num >> 16 & 0xF)][(num2 >> 16 & 0xF)];
num8 = v12[(num3 >> 16 & 0xF)][(num4 >> 16 & 0xF)];
aaa = v12 << 4 | v12;
num5 = v12[(num >> 12 & 0xF)][(num2 >> 12 & 0xF)];
num6 = v12[(num3 >> 12 & 0xF)][(num4 >> 12 & 0xF)];
num7 = v12[(num >> 8 & 0xF)][(num2 >> 8 & 0xF)];
num8 = v12[(num3 >> 8 & 0xF)][(num4 >> 8 & 0xF)];
aaa = v12 << 4 | v12;
num5 = v12[(num >> 4 & 0xF)][(num2 >> 4 & 0xF)];
num6 = v12[(num3 >> 4 & 0xF)][(num4 >> 4 & 0xF)];
num7 = v12[(num & 0xF)][(num2 & 0xF)];
num8 = v12[(num3 & 0xF)][(num4 & 0xF)];
aaa = v12 << 4 | v12;
num = v13];
num2 = v13];
num3 = v13];
num4 = v13];
num5 = v12[(num >> 28 & 0xF)][(num2 >> 28 & 0xF)];
num6 = v12[(num3 >> 28 & 0xF)][(num4 >> 28 & 0xF)];
num7 = v12[(num >> 24 & 0xF)][(num2 >> 24 & 0xF)];
num8 = v12[(num3 >> 24 & 0xF)][(num4 >> 24 & 0xF)];
aaa = v12 << 4 | v12;
num5 = v12[(num >> 20 & 0xF)][(num2 >> 20 & 0xF)];
num6 = v12[(num3 >> 20 & 0xF)][(num4 >> 20 & 0xF)];
num7 = v12[(num >> 16 & 0xF)][(num2 >> 16 & 0xF)];
num8 = v12[(num3 >> 16 & 0xF)][(num4 >> 16 & 0xF)];
aaa = v12 << 4 | v12;
num5 = v12[(num >> 12 & 0xF)][(num2 >> 12 & 0xF)];
num6 = v12[(num3 >> 12 & 0xF)][(num4 >> 12 & 0xF)];
num7 = v12[(num >> 8 & 0xF)][(num2 >> 8 & 0xF)];
num8 = v12[(num3 >> 8 & 0xF)][(num4 >> 8 & 0xF)];
aaa = v12 << 4 | v12;
num5 = v12[(num >> 4 & 0xF)][(num2 >> 4 & 0xF)];
num6 = v12[(num3 >> 4 & 0xF)][(num4 >> 4 & 0xF)];
num7 = v12[(num & 0xF)][(num2 & 0xF)];
num8 = v12[(num3 & 0xF)][(num4 & 0xF)];
aaa = v12 << 4 | v12;
if (aaa == target && aaa == target && aaa == target && aaa == target)
{
printf("baopo success\n");
printf("0x%02X 0x%02X 0x%02X 0x%02X\n", index1, index2, index3, index4);
res = index1;
res = index2;
res = index3;
res = index4;
return 0;
}
}
}
}
}
printf("baopo failed\n");
return -1;
}
int main()
{
int i = 0, j = 0;
unsigned char res = { 0 };
//unsigned char enddate = { 0x45, 0xB2, 0xBB, 0xBE, 0x9E, 0x57, 0xF7, 0x2E, 0x23, 0xB1, 0x2B, 0xD7, 0x70, 0xD6, 0x80, 0x4E };
unsigned char enddate = { 84, 198, 121, 220, 8, 66, 11, 175, 66, 40, 248, 34, 82, 252, 193, 146 };
for (int k = 0; k < 4; k++)
{
for (int m = 0; m < 4; m++)
{
res = enddate;
}
}
for (i = 8; i >=0; i--)
{
for (j = 3; j >=0; j--)
{
baopo(&res, i, j, &res);
}
inverse_GGG((unsigned char *)res);
printf("RES -->");
for (int i = 0; i < 4; i++) {
for (int j = 0; j < 4; j++) {
printf("0x%02X ", res);
}
}
printf("\n");
}
for (int i = 0; i < 4; i++) {
for (int j = 0; j < 4; j++) {
printf("0x%02X ", res);
}
}
return 0;
}
```
最终爆破res是WelcomeToQWB2023,这是RC4的key,解密license.dat,发现里面有FFF函数,去观察FFF函数
FFF函数tea解密得到b
```cpp
#include <stdio.h>
#include <stdint.h>
//加密函数
void encrypt(uint32_t* v, uint32_t* k) {
uint32_t v0 = v, v1 = v, sum = 0, i; /* set up */
uint32_t delta = 0xDEADBEEF; /* a key schedule constant */
uint32_t k0 = k, k1 = k, k2 = k, k3 = k; /* cache key */
for (i = 0; i < 32; i++) { /* basic cycle start */
sum += delta;
v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
} /* end cycle */
v = v0; v = v1;
}
//解密函数
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v0 = v, v1 = v, sum = 0xDEADBEEF * 32, i;/* set up */
uint32_t delta = 0xDEADBEEF; /* a key schedule constant */
uint32_t k0 = k, k1 = k, k2 = k, k3 = k; /* cache key */
for (i = 0; i < 32; i++) { /* basic cycle start */
v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
sum -= delta;
} /* end cycle */
v = v0; v = v1;
}
int main()
{
uint32_t k = { 0x636C6557,0x54656D6F,0x4257516F,0x33323032 };
char v28 = {0x45, 0xB6, 0xAB, 0x21, 0x79, 0x6B, 0xFE, 0x96, 0x5C, 0x1D, 0x04, 0xB2, 0x8A, 0xA6, 0xB8, 0x6A,
0x35, 0xF1, 0x2A, 0xBF, 0x17, 0xD3, 0x03, 0x6B };
uint32_t* encc = (uint32_t*)v28;
for (int i = 0; i < 3; i++)
{
decrypt(&encc, k);
}
printf("%s", encc);
//dotN3t_Is_1nt3r3sting
return 0;
}
```
程序在执行`binaryFormatter.Deserialize(memoryStream);` 老是失败,结合题目提示Fix the lincense,再加上解密后的Lincense.dat并不包含FFF的参数dotN3t_Is_1nt3r3sting 和WelcomeToQWB2023,需要修复下V7,即RC4解密后的Lincense.dat,
自己写了点C#代码,序列化对象观察对应的dat文件
```C#
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
class MyClass
{
public int Id { get; set; }
public string Name { get; set; }
public SerializableAction MyFunction;
public void ExecuteFunction()
{
MyFunction?.Invoke();
}
}
class SerializableAction : ISerializable
{
public string Parameter1 { get; set; }
public string Parameter2 { get; set; }
public SerializableAction()
{
}
public SerializableAction(SerializationInfo info, StreamingContext context)
{
Parameter1 = info.GetString("Parameter1");
Parameter2 = info.GetString("Parameter2");
Invoke();
}
public void GetObjectData(SerializationInfo info, StreamingContext context)
{
info.AddValue("Parameter1", Parameter1);
info.AddValue("Parameter2", Parameter2);
}
public void Invoke()
{
Console.WriteLine($"Parameter1: {Parameter1}, Parameter2: {Parameter2}");
}
}
class Program
{
static void Main()
{
// 创建要序列化的对象
var obj = new MyClass
{
Id = 1,
Name = "Example",
MyFunction = new SerializableAction
{
Parameter1 = "WelcomeToQWB2023",
Parameter2 = "dotN3t_Is_1nt3r3sting"
}
};
// 创建 BinaryFormatter 对象
var formatter = new BinaryFormatter();
// 创建文件流
var fileStream = new FileStream("serialized_object.dat", FileMode.Create);
try
{
// 使用 BinaryFormatter 将对象序列化到文件流中
formatter.Serialize(fileStream, obj);
Console.WriteLine("对象已成功序列化并保存到文件中!");
}
catch (Exception ex)
{
Console.WriteLine("序列化对象时出现错误:" + ex.Message);
}
finally
{
// 关闭文件流
fileStream.Close();
}
}
}
```
发现是先小端形式保存大小,再后面跟着字符串,直接找Lincense.dat找对应的空闲空间
将其补入
直接调试起来,修改对应的V7
可以发现反序列化成功,flag直接被打印了出来
flag为`flag{d0tN3t_I5_Ea57_2_y09!G00d_Luck}`
# ezre
D-810去混淆,去混淆后SM4算法
密文: 067519471663887C8B6655FF3F7D0D4AF5D24E383FE9C2DEDB7C7F6F74B11F3C
KEY: 0123456789abcdef0123456789abcdef
直接在线网站解密即可
flag: `flag{h3kk0_w0rld_sur3_3n0ugh}`
# unname
初步看,flag的check逻辑在so文件里
但是apk没有加`android:extractNativeLibs="true"` 所以没法调试so,用脚本给apk这个属性设置为true且重新打包签名
```Python
import sys
import subprocess
import os
from xml.dom.minidom import parse
# 1、先解包APK
# 2、打开xml文件分析,android:debuggable 和 android:extractNativeLibs属性
# 3、如果没有android:debuggable,则可以加入并且设置为属性为 true
# 4、如果有android:debuggable, 则直接设置为true
# 5、如果没有android:extractNativeLibs 则不管,如果有且为false,则改为true
# 6、apktool重新打包
# 7、生成签名文件
# 8、将签名加入到apk中
def handle_xml():
# 3,4,5 处理XML文件并写回
# AndroidManifest.xml
dom = parse("AndroidManifest.xml")
data = dom.documentElement
# android:extractNativeLibs="true"
# android:debuggable="true"
application = data.getElementsByTagName("application")
print("[+] 正在修改 android:debuggable 属性")
application.setAttribute("android:debuggable", "true")
if application.getAttribute("android:extractNativeLibs") == 'false':
print("[+] 正在修改android:extractNativeLibs 属性")
application.setAttribute("android:extractNativeLibs", "true")
f = open("AndroidManifest.xml", 'w')
dom.writexml(f, encoding="utf-8")
f.close()
with open("AndroidManifest.xml", "r", encoding="utf-8") as f:
c = f.read()
c = c.replace('encoding="utf-8"', 'encoding="utf-8" standalone="no"')
f.close()
with open("AndroidManifest.xml", "w", encoding="utf-8")as f:
f.write(c)
if __name__ == "__main__":
if len(sys.argv) != 2:
print(" 格式有错! python后跟apk名字")
sys.exit(-1)
apkpath = sys.argv
apkname = os.path.splitext(apkpath)
apkdirpath = apkname + "_DIR"
# 1、解包APK
print("[+] 解包APK文件")
subprocess.run(['apktool.bat', 'd', apkpath, "-o", apkdirpath])
os.chdir(apkdirpath)
# 2、打开xml文件
print("[+] 当前工作路径为: " + os.getcwd())
handle_xml()
print("[+] 修改XML文件成功")
# 6、重新打包为APK
os.chdir('../')
print("[+] 重新打包APK文件")
print("[+] 当前工作路径为: " + os.getcwd())
apkpath_new = apkname + "_new.apk"
subprocess.run(['apktool.bat', 'b', apkdirpath, "-o", apkpath_new])
# 7、生成签名文件
print("[+] 密码请输入123456,否则会出错")
# keytool -genkey -keystore 签名文件的文件名 -keyalg RSA -validity 10000 -alias 签名文件别名
subprocess.run(['keytool', '-genkey', '-keystore', apkname + "_new.keystore",
'-keyalg', 'RSA', '-validity', '10000', '-alias', apkname])
# 8、给APK文件添加签名
print(f"[+] 给{apkname}_new.apk添加签名")
subprocess.run(['jarsigner.exe', '-verbose', '-keystore', apkname + "_new.keystore", '-storepass', '123456', '-signedjar',
apkname + '_new_sign.apk', '-digestalg', 'SHA1', '-sigalg', 'MD5withRSA', apkname + "_new.apk", apkname])
```
调试起来
找到了关键验证逻辑
```C
do
{
while ( 1 )
{
v62 = v50 & 7;
if ( (v50 & 3) != 0 )
break;
v53 = (char *)&unk_7AA8BD6750 + 2 * v62;// v53 = unk_7AA8BC0750
v54 = (int64x2_t *)&ptr;// v54 为QWORD v54
v55 = vaddq_s64(v54, v52); // v55 = vaddq_s64(0xB378E3C5C3A47B89, )
v56 = v54->n128_u64 + *((_QWORD *)&flag_0 + 1);// v54 + flag0flag0是QWORD 类型v56 = 0xB378E3C5C3A47B89+0x3635343332313039
// 即v56 = 0xe9ae17f8f5d5abc2
x11 = v54->n128_u64 + flag_0 + v56;// x11 = v54 + flag0 + v56 = 0x465F5530595F4E6F + 0x3837363534333231 + 0xe9ae17f8f5d5abc2
// x11 = 0x6844a35e83682c62
x12 = __ROR8__(v56, -*v53) ^ x11;// ROR8(v56, -0xe) ^ x11| 0x85fe3d756af0ba6b ^ v11 =0x85fe3d756af0ba6b ^0x6844a35e83682c62
// x12 = 0xedba9e2be9989609
*(_QWORD *)&flag_0 = x11; // flag_0 = x11(0x6844a35e83682c62)
v59 = __ROR8__(v55.n128_u64, -v53);// v59 = ROR8(v55, -16)
// v59 = 0x6779797C887CB6D5
// v55=0XB6D56779797C887C
v52.n128_u64 = x12; // v52 = 0xedba9e2be9989609
x13 = vaddvq_s64(v55); // x13 = vaddvq_s64(v55) = 0xBEAD2E3D5A3D5376
x14 = v59 ^ x13; // x14 = 0x6779797C887CB6D5 ^ 0xBEAD2E3D5A3D5376
// x14 = 0xd9d45741d241e5a3
*((_QWORD *)&flag_0 + 1) = x14; // flag0 = x14 = 0xd9d45741d241e5a3
++v50;
v52.n128_u64 = x13; // v52 = 0xBEAD2E3D5A3D5376
if ( v50 == 72 )
goto LABEL_147;
}
v63 = (char *)&unk_7AA8BD6750 + 2 * v62;// v63 = (char *)&unk_7AA8BC0750
x11 = *((_QWORD *)&flag_0 + 1) + flag_0;// x11 =0xd9d45741d241e5a3+ 0x6844a35e83682c62
// x11 = 0x4218FAA055AA1205
*(_QWORD *)&flag_0 = x11; // flag0 = x11(0x4218FAA055AA1205)
x12 = __ROR8__(*((_QWORD *)&flag_0 + 1), -*v63) ^ x11;// ROR8( 0xd9d45741d241e5a3, -0X34) ^ 0x4218FAA055AA1205
// x12 = 0x182567e521b7361b
v52.n128_u64 = vaddvq_s64(v52);// v52 = 0xBEAD2E3D5A3D5376 + 0xedba9e2be9989609
// v52 = 0xAC67CC6943D5E97F
v64 = __ROR8__(v52.n128_u64, -v63);// v64 = ROR8(v52, -0X39) = 0x13db753c57d3312c
x13 = v52.n128_u64; // x13 = 0xAC67CC6943D5E97F
v52.n128_u64 = x12; // v52 = x12 = 0x182567e521b7361b
x14 = v64 ^ v52.n128_u64; // x14 = 0x13db753c57d3312c ^0xAC67CC6943D5E97F
// x14 = 0xbfbcb9551406d853
*((_QWORD *)&flag_0 + 1) = x14; // flag0 = x14
++v50;
}
while ( v50 != 72 );
```
模拟了一遍程序逻辑
```C
#include <stdio.h>
unsigned long long key = {
0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455247,
0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6366,
0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E71,
0x5474374041455247, 0x823ECE10EBF188BE, 0xBAD39663B0B3ADD3, 0x6523745F644E5633,
0x33E95EAA8C9B6365, 0xBAD39663B0B3ADD3, 0x9F44A2B46C50D06D, 0x5F30535F59333363,
0x465F5530595F4E6F, 0x9F44A2B46C50D06D, 0xAD85C2C5B88958B8, 0x547437404145524C,
0x6523745F644E5630, 0xAD85C2C5B88958B8, 0xC8E878739899B1AB, 0x33E95EAA8C9B636B,
0x5F30535F5933335F, 0xC8E878739899B1AB, 0x6E0A8CFF949DDDA2, 0x465F5530595F4E76,
0x5474374041455247, 0x6E0A8CFF949DDDA2, 0x94B4C496B8B573C8, 0x6523745F644E5638,
0x33E95EAA8C9B6365, 0x94B4C496B8B573C8, 0xD997B592BBA2B594, 0x5F30535F59333368,
0x465F5530595F4E6F, 0xD997B592BBA2B594, 0x995181B46135AD9C, 0x5474374041455251,
0x6523745F644E5630, 0x995181B46135AD9C, 0xA2C9A6A6A09B77A0, 0x33E95EAA8C9B6370,
0x5F30535F5933335F, 0xA2C9A6A6A09B77A0, 0xA85D9FDDE3EFC2C9, 0x465F5530595F4E7B,
0x5474374041455247, 0xA85D9FDDE3EFC2C9, 0x808083856161C8AC, 0x6523745F644E563D,
0x33E95EAA8C9B6365, 0x808083856161C8AC, 0xB378E3C5C3A47B89, 0x5F30535F5933336D,
0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455256,
0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6375,
0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E80,
0x0000007A414B22C2, 0x0000000000000028, 0x0000000000000000, 0xB400007B596C6C00,
0xB400007A99ABAC40, 0x0000000000000010, 0x0000000000000010, 0x0000000000000001
};
//x11, x12, x13, x14最终的结果
unsigned long long res = {
0x13c17ce8fc8b8157,
0x477d6619faa7d1c7,
0x6096448f5a2d874c,
0x645d9ac2d095d15b
};
unsigned char ror_num = {
0x0E, 0x10, 0x34, 0x39, 0x17, 0x28, 0x05, 0x25, 0x19, 0x21, 0x2E, 0x0C, 0x3A, 0x16, 0x20, 0x20
};
unsigned long long rotateRight64(unsigned long long num, unsigned int shift)
{
unsigned int bits = sizeof(unsigned long long) * 8;
shift = shift % bits;// 确保位移值在合理范围内
if (shift == 0)
return num;
return (num >> shift) | (num << (bits - shift));
}
void vaddq_s64(unsigned long long* a, unsigned long long* b, unsigned long long * res)
{
res = a + b;
res = a + b;
}
unsigned long long vaddvq_s64(unsigned long long* a)
{
return a + a;
}
int main()
{
//模拟输入
unsigned long long input = {
0x3837363534333231, 0x3635343332313039, 0x3433323130393837, 0x6261303938373635
};
int v50 = 0;
int v62 = 0;
unsigned char * v53, * v63;
unsigned long long* v54;
unsigned long long v55 = { 0 };
unsigned long long * v52 = &input;
unsigned long long v56, v59, v64;
unsigned long long x11, x12, x13, x14;
do {
while (1)
{
v62 = v50 % 8;
if (v50 % 4 != 0)
{
break;
}
v53 = &ror_num;
v54 = &key;
vaddq_s64(v54+2, &input, v55);
v56 = v54 + input;
x11 = v54 + input + v56;
x12 = rotateRight64(v56, 64 - v53) ^ x11;
input = x11;
v59 = rotateRight64(v55, 64 - v53);
v52 = x12;
x13 = vaddvq_s64(v55);
x14 = v59 ^ x13;
input = x14;
v50++;
v52 = x13;
printf("v50: %d\n", v50);
printf("0x%llX\n", x11);
printf("0x%llX\n", x12);
printf("0x%llX\n", x13);
printf("0x%llX\n", x14);
printf("-----------------------------------\n");
if (v50 == 72)
goto LABEL_147;
}
v63 = &ror_num;
x11 = input + input;
input = x11;
x12 = rotateRight64(input, 64 - v63) ^ x11;
v52 = vaddvq_s64(v52);
v64 = rotateRight64(v52, 64 - v63);
x13 = v52;
v52 = x12;
x14 = v64 ^ v52;
input = x14;
++v50;
printf("v50: %d\n", v50);
printf("0x%llX\n", x11);
printf("0x%llX\n", x12);
printf("0x%llX\n", x13);
printf("0x%llX\n", x14);
printf("-----------------------------------\n");
} while (v50 != 72);
LABEL_147:
x11 = 0xbad39663b0b3add3 + x13;
printf("end\n");
printf("0x%llX\n", x11);
printf("0x%llX\n", x12);
printf("0x%llX\n", x13);
printf("0x%llX\n", x14);
return 0;
}
```
逆回去
```cpp
#include <stdio.h>
unsigned long long key = {
0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455247,
0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6366,
0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E71,
0x5474374041455247, 0x823ECE10EBF188BE, 0xBAD39663B0B3ADD3, 0x6523745F644E5633,
0x33E95EAA8C9B6365, 0xBAD39663B0B3ADD3, 0x9F44A2B46C50D06D, 0x5F30535F59333363,
0x465F5530595F4E6F, 0x9F44A2B46C50D06D, 0xAD85C2C5B88958B8, 0x547437404145524C,
0x6523745F644E5630, 0xAD85C2C5B88958B8, 0xC8E878739899B1AB, 0x33E95EAA8C9B636B,
0x5F30535F5933335F, 0xC8E878739899B1AB, 0x6E0A8CFF949DDDA2, 0x465F5530595F4E76,
0x5474374041455247, 0x6E0A8CFF949DDDA2, 0x94B4C496B8B573C8, 0x6523745F644E5638,
0x33E95EAA8C9B6365, 0x94B4C496B8B573C8, 0xD997B592BBA2B594, 0x5F30535F59333368,
0x465F5530595F4E6F, 0xD997B592BBA2B594, 0x995181B46135AD9C, 0x5474374041455251,
0x6523745F644E5630, 0x995181B46135AD9C, 0xA2C9A6A6A09B77A0, 0x33E95EAA8C9B6370,
0x5F30535F5933335F, 0xA2C9A6A6A09B77A0, 0xA85D9FDDE3EFC2C9, 0x465F5530595F4E7B,
0x5474374041455247, 0xA85D9FDDE3EFC2C9, 0x808083856161C8AC, 0x6523745F644E563D,
0x33E95EAA8C9B6365, 0x808083856161C8AC, 0xB378E3C5C3A47B89, 0x5F30535F5933336D,
0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455256,
0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6375,
0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E80,
0x0000007A414B22C2, 0x0000000000000028, 0x0000000000000000, 0xB400007B596C6C00,
0xB400007A99ABAC40, 0x0000000000000010, 0x0000000000000010, 0x0000000000000001
};
//x11, x12, x13, x14最终的结果
unsigned long long res = {
0x13c17ce8fc8b8157,
0x477d6619faa7d1c7,
0x6096448f5a2d874c,
0x645d9ac2d095d15b
};
unsigned char ror_num = {
0x0E, 0x10, 0x34, 0x39, 0x17, 0x28, 0x05, 0x25, 0x19, 0x21, 0x2E, 0x0C, 0x3A, 0x16, 0x20, 0x20
};
unsigned long long rotateRight64(unsigned long long num, unsigned int shift)
{
unsigned int bits = sizeof(unsigned long long) * 8;
shift = shift % bits;// 确保位移值在合理范围内
if (shift == 0)
return num;
return (num >> shift) | (num << (bits - shift));
}
void vaddq_s64(unsigned long long* a, unsigned long long* b, unsigned long long* res)
{
res = a + b;
res = a + b;
}
unsigned long long vaddvq_s64(unsigned long long* a)
{
return a + a;
}
int main()
{
unsigned long longinput = { 0 };
int v50 = 72;
int v62 = 0;
unsigned char* v53, * v63;
unsigned long long* v54;
unsigned long long v55 = { 0 };
unsigned long long* v52 = &input;
unsigned long long v56, v59, v64;
unsigned long long x11 = 0x13c17ce8fc8b8157;
unsigned long long x12 = 0x477d6619faa7d1c7;
unsigned long long x13 = 0x6096448f5a2d874c;
unsigned long long x14 = 0x645d9ac2d095d15b;
while (v50 >= 1)
{
--v50;
v62 = v50 % 8;
if (v50 % 4 != 0)
{
v63 = &ror_num;
input = x14;
v52 = x12;
v52 = x13;
v64 = v52 ^ x14;
v52 = rotateRight64(v64, v63);
v52 = v52 - v52;
input = rotateRight64(x11 ^ x12, v63);
input = x11 - input;
}
else {
v53 = &ror_num;
v54 = &key;
v52 = x13;
input = x14;
v59 = x13 ^ x14;
v52 = x12;
v55 = rotateRight64(v59, v53);
v55 = x13 - v55;
input = x11;
v56 = rotateRight64(x11 ^ x12, v53);
input = x11 - v56 - v54;
input = v56 - v54;
unsigned long long* v54_2 = v54 + 2;
input = v55 - v54_2;
input = v55 - v54_2;
}
x11 = input;
x14 = input;
x13 = input;
x12 = input;
}
printf("%s", (char*)input);
//
return 0;
}
//v50: 1
//0x6844A35E83682C62
//0xEDBA9E2BE9989609
//0xBEAD2E3D5A3D5376
//0xD9D45741D241E5A3
//---------------------------------- -
//v50 : 2
//0x4218FAA055AA1205
//0x182567E521B7361B
//0xAC67CC6943D5E97F
//0xBFBCB9551406D853
//v50: 72
//0x502B4560187D82BE
//0x893D3A3DAA3E518D
//0x9C3963553FA89D18
//0xB82C1832ED0CEB1A
```
flag为 `flag{7hIs_I$_nEw_Try1N9_@cu7U@1}`
比赛结束后做出来的,迟到了4h,主要是vaddq_s64函数这里浪费了太长的时间了
# 强网先锋_ezre
flag的长度是34
换表的base64 + 伪随机数,sub_402230那里有个反调试,需要patch掉
```C
__int64 __fastcall main(int a1, char **a2, char **a3)
{
unsigned int v3; // eax
unsigned __int64 v4; // rsi
unsigned int v5; // eax
int k; //
int j; //
int i; //
int v10; //
char v11; // BYREF
char v12; // BYREF
char v13; // BYREF
char s; // BYREF
int v15; //
size_t v16; //
v15 = 0;
printf("Welcome to the CTF world:");
memset(s, 0, 0x32uLL);
__isoc99_scanf("%s", s);
v16 = strlen(s);
v3 = strlen(s);
v10 = 0;
sub_401980((__int64)s, (__int64)v11, v3);
while ( v10 < 4 )
{
srand(aFgsevd3ibthwr1);
v4 = strlen((const char *)(unsigned int)aFgsevd3ibthwr1);
sub_401D10((__int64)aFgsevd3ibthwr1, v4); // 表格变换
if ( (v10 & 1) != 0 )
{ // 奇数
v5 = strlen(v11);
sub_401980((__int64)v11, (__int64)v12, v5); //base64加密
}
else
{
sub_401250(v11, v12); // 偶数 //base64解密
}
memset(v11, 0, 0x32uLL);
memcpy(v11, v12, 0x32uLL);
++v10;
}
if ( dword_4062C0 == 1 ) // 如果在调试状态
{
sub_402EE0(aFgsevd3ibthwr1, &aFgsevd3ibthwr1);
for ( i = 0; i < 64; ++i )
aFgsevd3ibthwr1 = (5 * (aFgsevd3ibthwr1 + 3)) ^ 0x15;
}
else
{
for ( j = 0; j < 64; ++j )
aFgsevd3ibthwr1 ^= 0x27u;
}
sub_401EB0(v12, v13); //错位异或
for ( k = 0; ; ++k )
{
if ( k >= strlen(v12) )
{
printf("right!");
return 0;
}
if ( byte_406180 != v13 )
break;
}
printf("wrong!");
return 0;
}
```
整体逻辑为输入flag,然后base64加密,然后换表,再base64解密,然后换表,再base64加密,然后换表,再base64解密,然后换表,再base64加密,然后一个错位异或得到密文,写对应的解密脚本即可
```Python
import base64
import string
enc = [
0x3A,
0x2C,
0x4B,
0x51,
0x68,
0x46,
0x59,
0x63,
0x24,
0x04,
0x5E,
0x5F,
0x00,
0x0C,
0x2B,
0x03,
0x29,
0x5C,
0x74,
0x70,
0x6A,
0x62,
0x7F,
0x3D,
0x2C,
0x4E,
0x6F,
0x13,
0x06,
0x0D,
0x06,
0x0C,
0x4D,
0x56,
0x0F,
0x28,
0x4D,
0x51,
0x76,
0x70,
0x2B,
0x05,
0x51,
0x68,
0x48,
0x55,
0x24,
0x19,
]
flag = * 48
v3s = [
109,
76,
22,
73,
110,
77,
74,
78,
16,
98,
22,
109,
16,
126,
78,
109,
76,
22,
73,
110,
77,
74,
78,
16,
98,
22,
109,
16,
126,
78,
109,
76,
22,
73,
110,
77,
74,
78,
16,
98,
22,
109,
16,
126,
78,
109,
76,
]
flag = enc ^ v3s
for i in range(1, 47):
flag = enc ^ enc ^ v3s
flag[-1] = enc[-2] ^ enc[-1]
print(flag)
print(bytes(flag))
# WZqSWcUtWBLlOriEfcajWBSRstLlkEfFWR7j/R7dMCDGnp==
# str1 = b"1234567890123456789012345678901234"
# string1 = "l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr"
# string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# string3 = "FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8"# 随机后
# enc_str1 = base64.b64encode(str1).decode()
# enc_str2 = enc_str1.translate(str.maketrans(string2, string1))
# print(enc_str2)
def enc_str(_str: bytes, _base64_table):
string1 = _base64_table
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
enc_str1 = base64.b64encode(_str).decode()
enc_str2 = enc_str1.translate(str.maketrans(string2, string1))
print(enc_str2)
return enc_str2# 加密
def dec_str(_str: str, _base64_table):
str1 = _str
string1 = _base64_table
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
dec = base64.b64decode(str1.translate(str.maketrans(string1, string2)))
print(dec)
return dec
string1 = "l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr"
string2 = "FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8"
string3 = "Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA"
string4 = "pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a"
string5 = "plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6"
enc = "WZqSWcUtWBLlOriEfcajWBSRstLlkEfFWR7j/R7dMCDGnp=="
dec = dec_str(enc, string5)
print(dec)
enc = enc_str(dec, string4)
print(enc)
dec = dec_str(enc, string3)
print(dec)
enc = enc_str(dec, string2)
print(enc)
dec = dec_str(enc, string1)
print(dec)
# flag{3ea590ccwxehg715264fzxnzepqz\x7f
```
代码可能有点小错误,直接修改flag的最后一个字符为}
得到flag为`flag{3ea590ccwxehg715264fzxnzepqz}` 膜拜大佬 学习学习 请问楼主的D810是什么配置,我试了一下没有你的这个效果,我的结果如下:
__int64 __fastcall sub_3580(const char *a1)
{
_BOOL4 v1; // esi
unsigned __int8 v2; // al
int v3; // eax
int v4; // eax
int v5; // eax
size_t v7; //
int v8; //
int v9; //
int v10; //
unsigned int v11; //
__int64 v12; //
__int64 v13; // BYREF
char s; // BYREF
unsigned __int64 v15; //
v15 = __readfsqword(0x28u);
memset(s, 0, 0x32uLL);
v13 = 0xEFCDAB8967452301LL;
v13 = 0xEFCDAB8967452301LL;
v12 = 0x7C88631647197506LL;
v12 = 0x4A0D7D3FFF55668BLL;
v12 = 0xDEC2E93F384ED2F5LL;
v12 = 0x3C1FB1746F7F7CDBLL;
v10 = 1;
v7 = 16 * (strlen(a1) >> 4);
v1 = (strlen(a1) & 0xF) != 0;
v2 = strlen(a1);
sub_2220(v2, (__int64)v13, (__int64)a1, (__int64)s);
v9 = 0;
v8 = -203550417;
while ( 1 )
{
while ( v8 == -2134881327 )
{
++v9;
v8 = -203550417;
}
if ( v8 == -1646760250 )
break;
switch ( v8 )
{
case -1501876533:
v8 = -2134881327;
break;
case -1282178164:
v8 = -1646760250;
break;
case -616716354:
v11 = 0;
v8 = -1282178164;
break;
case -444832285:
v8 = -616716354;
break;
case -203550417:
v3 = 1247253006;
if ( v9 < 16 * v1 + (int)v7 )
v3 = 732141033;
v8 = v3;
break;
case 732141033:
v4 = -1501876533;
if ( *((unsigned __int8 *)v12 + v9) != (unsigned __int8)s )
v4 = 1062261856;
v8 = v4;
break;
case 1062261856:
v10 = 0;
v8 = 1247253006;
break;
case 1247253006:
v5 = -444832285;
if ( v10 )
v5 = 1590710663;
v8 = v5;
break;
default:
v11 = 1;
v8 = -1646760250;
break;
}
}
return v11;
} 楼主yyds 牛啊牛啊膜拜大佬,学习学习{:1_918:} 这次成绩如何呢{:17_1068:} 紫色 发表于 2023-12-18 18:25
这次成绩如何呢
混了个前100 感谢分享 离巨佬最近的一次{:300_966:} 感谢分享,学习了 膜拜大佬{:1_887:}