butterfly
附件给出了一个 key 和加密后的密文。
简单分析加密流程后就可以直接写出解密脚本,甚至交给 AI 也能直接跑出来。
解密脚本
#!/usr/bin/env python3
"""
MMXEncode2024 解密脚本
用于解密使用 MMX 加密算法加密的文件
"""
import sys
import struct
def swap_bytes_in_words(data):
    """Swap the two bytes inside each of the four 16-bit words of a block.

    Byte pairs (0,1), (2,3), (4,5) and (6,7) trade places, so applying the
    function twice restores the input. Only the first 8 bytes of ``data``
    are read, and the result is always 8 bytes long.
    """
    # i ^ 1 is the partner of i inside its 16-bit word (0<->1, 2<->3, ...).
    return bytes(data[i ^ 1] for i in range(8))
def rotate_right_1bit(data):
    """Rotate a 64-bit value right by one bit.

    ``data`` must be exactly 8 bytes; it is read as a little-endian unsigned
    64-bit integer and the rotated value is packed back in the same layout.
    """
    (value,) = struct.unpack('<Q', data)
    # The bit shifted out at the bottom re-enters at bit 63.
    wrapped_bit = (value & 1) << 63
    return struct.pack('<Q', (value >> 1) | wrapped_bit)
def byte_subtract(data, key):
    """Subtract ``key`` from ``data`` byte by byte, wrapping modulo 256.

    Only the first 8 bytes of each argument are used; the result is 8 bytes.
    """
    return bytes((data[pos] - key[pos]) % 256 for pos in range(8))
def xor_bytes(data, key):
    """XOR the first 8 bytes of ``data`` with the first 8 bytes of ``key``."""
    return bytes(data[pos] ^ key[pos] for pos in range(8))
def decrypt_block(encrypted_block, key):
    """Decrypt a single 8-byte block.

    Encryption (forward direction):
        1. XOR with the key
        2. swap the bytes inside each 16-bit word
        3. rotate left by 1 bit
        4. add the key byte-wise

    Decryption undoes those steps in reverse order:
        1. subtract the key byte-wise
        2. rotate right by 1 bit
        3. swap the bytes inside each 16-bit word
        4. XOR with the key

    The same 8-byte ``key`` is used for both the subtraction and the XOR.
    """
    # Peel the layers off from the outermost (last applied) to the innermost.
    without_add = byte_subtract(encrypted_block, key)
    without_rotate = rotate_right_1bit(without_add)
    without_swap = swap_bytes_in_words(without_rotate)
    return xor_bytes(without_swap, key)
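def decrypt_file(input_file, output_file, key_file=None):
    """Decrypt ``input_file`` and write the result to ``output_file``.

    Every full 8-byte block is decrypted independently with the same key;
    a trailing fragment shorter than 8 bytes is copied through unchanged.

    Args:
        input_file: Path of the encrypted input file.
        output_file: Path the decrypted bytes are written to.
        key_file: Optional path of a key file. If it is omitted, missing,
            or holds fewer than 16 bytes, the hard-coded default key is
            used instead.

    Returns:
        True on success; False when the input cannot be read, the input is
        empty, or the output cannot be written.
    """
    default_key = b"MMXEncod"  # first 8 bytes of "MMXEncode2024"

    # Load the key.
    if key_file:
        try:
            with open(key_file, 'rb') as f:
                key_data = f.read(32)
            if len(key_data) >= 16:
                key = key_data[:8]  # only the first 8 bytes are used
                print(f"[+] 从文件加载密钥: {key_file}")
            else:
                # NOTE(review): the threshold is 16 bytes although only 8 are
                # used, and the fallback is silent apart from this message, so
                # a short key file yields output decrypted with the default
                # key. Confirm the key-file format before relying on it.
                print("[-] 密钥文件太小,使用默认密钥")
                key = default_key
        except FileNotFoundError:
            print(f"[-] 密钥文件不存在: {key_file},使用默认密钥")
            key = default_key
    else:
        key = default_key
        print("[+] 使用默认密钥: MMXEncode2024")

    # Read the ciphertext. OSError covers a missing file as well as an
    # unreadable one or a directory, so all of them are reported as a failure
    # instead of escaping as an unhandled exception.
    try:
        with open(input_file, 'rb') as f:
            encrypted_data = f.read()
    except OSError:
        print(f"[-] 错误: 无法打开文件 {input_file}")
        return False

    if not encrypted_data:
        print("[-] 错误: 文件为空")
        return False
    print(f"[+] 加密文件大小: {len(encrypted_data)} 字节")

    # Decrypt every complete 8-byte block.
    decrypted = bytearray()
    full_len = len(encrypted_data) - len(encrypted_data) % 8
    for offset in range(0, full_len, 8):
        decrypted.extend(decrypt_block(encrypted_data[offset:offset + 8], key))
    # A trailing fragment shorter than one block is passed through as-is.
    decrypted.extend(encrypted_data[full_len:])

    # NOTE: the original author's comments say the encryptor stores the
    # original file size at the end of the data, but its exact position was
    # not determined, so the full decrypted stream is written without
    # trimming.

    # Write the plaintext.
    try:
        with open(output_file, 'wb') as f:
            f.write(decrypted)
        print(f"[+] 成功解密到: {output_file}")
        print(f"[+] 解密文件大小: {len(decrypted)} 字节")
        return True
    except Exception as e:
        # Kept broad on purpose: any failure here is reported and turned into
        # a False return rather than a traceback.
        print(f"[-] 写入文件失败: {e}")
        return False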
def main():
    """Command-line entry point.

    Expects ``<encrypted file> <output file> [key file]`` in ``sys.argv`` and
    returns 0 when decryption succeeds, 1 on a usage error or failure.
    """
    args = sys.argv[1:]
    if len(args) < 2:
        print("用法: python decrypt.py <加密文件> <输出文件> [密钥文件]")
        print("示例: python decrypt.py encoded.dat plaintext.txt")
        print("示例: python decrypt.py encoded.dat plaintext.txt encoded.dat.key")
        return 1

    input_file, output_file = args[0], args[1]
    key_file = args[2] if len(args) > 2 else None

    banner = "=" * 50
    print(banner)
    print("MMXEncode2024 解密工具")
    print(banner)

    if not decrypt_file(input_file, output_file, key_file):
        print("[-] 解密失败!")
        return 1
    print("[+] 解密完成!")
    return 0
if __name__ == "__main__":
    # Propagate main()'s return value as the process exit status.
    raise SystemExit(main())
flag{butter_fly_mmx_encode_7778167}
tradere
这道题总感觉还是能做出来的,但是不知道子进程到底怎么调试,数据也不知道怎么处理,赛后看看能不能有复现吧,我还是好菜…
程序分析
首先看到main函数
// IDA pseudocode of the entry point: runs init_func, then forks and sends the
// parent and the child down two different functions.
void __fastcall main(__int64 n60, char **a2, char **a3)
{
  __pid_t son_pid; // [rsp+1Ch] [rbp-4h]
  // Runs before the fork. The write-up places a 60-second signal-based
  // anti-debug check at program start; presumably it is set up here (confirm).
  init_func(n60);
  son_pid = fork();
  if ( son_pid )
  {
    // Non-zero return: either fork() failed (negative) or this is the parent,
    // which receives the child's pid.
    if ( son_pid <= 0 )
      perror("Fork.");
    else
      parent_func(son_pid);
  }
  else
  {
    // fork() returned 0: this is the child process.
    son_func(n60);
  }
}
main 函数很简单:fork 之后分成父进程和子进程,分别执行 parent_func 和 son_func。
需要注意的是,程序开头有一个反调试:60 秒后会发出一个信号,进程检测到这个信号就会结束。我们先把这部分 nop 掉,方便调试。
// IDA pseudocode of the tracer side. The parent waits for the child to stop,
// reads its registers with ptrace, runs the handler of the current table
// entry (ptable) and uses the handler's return value to pick the next entry,
// then writes the registers back and resumes the child.
//
// Handler return values as dispatched below:
//   0 -> follow ptable->jump_target      1 -> follow ptable->next
//   2 -> pop an entry from par_stack     3 -> "call" (labelled by the author)
//   4 -> push jump_target, follow next   5 -> push jump_target, look up entry
// An entry with no handler simply follows ptable->next.
unsigned __int64 __fastcall parent_func(unsigned int son_pid)
{
  __WAIT_STATUS stat_loc; // [rsp+18h] [rbp-2A8h] BYREF
  int v3; // [rsp+20h] [rbp-2A0h]   1 = reload `next` from ptable->rip_value after dispatch
  int v4; // [rsp+24h] [rbp-29Ch]   "entry found" flag for the lookup in case 5
  int i; // [rsp+28h] [rbp-298h]
  int v6; // [rsp+2Ch] [rbp-294h]   set to 0 and not read again in this listing
  int op_RIP; // [rsp+30h] [rbp-290h]
  int oprator; // [rsp+34h] [rbp-28Ch]   handler return value
  __int64 op_RIP_prev; // [rsp+38h] [rbp-288h]
  // NOTE(review): IDA sized reg_context at 128 bytes, but `next` (+0x80) and
  // `son_stk` (+0x98) follow it directly on the stack. Those offsets match
  // rip and rsp in the x86-64 user_regs_struct, so they are presumably the
  // child's saved RIP and RSP inside the same register block - confirm.
  _BYTE reg_context[128]; // [rsp+40h] [rbp-280h] BYREF
  uint64_t next; // [rsp+C0h] [rbp-200h]
  __int64 son_stk; // [rsp+D8h] [rbp-1E8h]
  _QWORD par_stack[51]; // [rsp+120h] [rbp-1A0h]   parent-side stack of table entries
  unsigned __int64 v14; // [rsp+2B8h] [rbp-8h]   stack canary
  v14 = __readfsqword(0x28u);
  v6 = 0;
  // The upper dword of stat_loc is used below as the par_stack depth counter
  // (presumably a separate int that IDA merged into stat_loc - confirm).
  HIDWORD(stat_loc.__iptr) = 0;
  ptable = table_0;
  wait(&stat_loc);
  // Loop while the low byte of the wait status is 127 (0x7F), the encoding
  // wait() uses for a stopped child.
  while ( LOBYTE(stat_loc.__uptr) == 127 )
  {
    ptrace(PTRACE_GETREGS, son_pid, 0LL, reg_context);// read the child's register state
    // op_RIP is fetched here but not used further in this listing.
    op_RIP = ptrace(PTRACE_PEEKTEXT, son_pid, next, 0LL);
    // The location just before `next` must hold 0xCC (int3); otherwise the
    // child is killed and the parent exits.
    // NOTE(review): as decompiled, the whole peeked value is compared with
    // 0xCC; presumably only the low byte matters - confirm in the disassembly.
    op_RIP_prev = ptrace(PTRACE_PEEKDATA, son_pid, next - 1, 0LL);
    if ( op_RIP_prev != 0xCC )
    {
      ptrace(PTRACE_KILL, son_pid, 0LL, 0LL);
      exit(0);
    }
    v3 = 1;
    if ( ptable->handler )
    {
      // The handler receives the saved register block and returns an opcode.
      oprator = (ptable->handler)(reg_context);
      if ( oprator == 1 ) // op == 1: advance to the next table entry
      {
        ptable = ptable->next;
      }
      else if ( oprator )
      {
        switch ( oprator )
        {
          case 2: // ret
            // Pop the saved entry; an empty parent-side stack ends the program.
            if ( SHIDWORD(stat_loc.__iptr) <= 0 )
              exit(-1);
            ptable = par_stack[--HIDWORD(stat_loc.__iptr)];
            son_stk += 8LL;
            break;
          case 3: // call
            // `next` takes the raw ptable->next value, ptable moves to the
            // jump target, and that entry's rip_value is written to the
            // child's memory at the decremented son_stk.
            next = ptable->next;
            ptable = ptable->jump_target;
            son_stk -= 8LL;
            ptrace(PTRACE_POKEDATA, son_pid, son_stk, ptable->rip_value);// value written into the child at son_stk
            v3 = 0; // keep the `next` assigned above
            break;
          case 4: // push
            // Save jump_target on the parent-side stack (index checked against
            // 48; the array has 51 slots), then continue with ptable->next.
            if ( SHIDWORD(stat_loc.__iptr) > 48 )
              exit(-1);
            par_stack[SHIDWORD(stat_loc.__iptr)] = ptable->jump_target;
            ++HIDWORD(stat_loc.__iptr);
            son_stk -= 8LL;
            ptable = ptable->next;
            break;
          case 5:
            // Same push as case 4, but the next entry is found by searching
            // the 181 entries (4 qwords each) for one whose qword_606AD8
            // field equals `next`; with the dumped base 0x606AC0 that is the
            // entry's fourth qword, the RIP_Value column of the dump.
            if ( SHIDWORD(stat_loc.__iptr) > 48 )
              exit(-1);
            par_stack[SHIDWORD(stat_loc.__iptr)] = ptable->jump_target;
            ++HIDWORD(stat_loc.__iptr);
            son_stk -= 8LL;
            v4 = 0;
            for ( i = 0; i <= 180; ++i )
            {
              if ( qword_606AD8[4 * i] == next )
              {
                ptable = &table_0[4 * i];
                v4 = 1;
                break;
              }
            }
            if ( !v4 )
              exit(-1);
            v3 = 0; // `next` is left unchanged
            break;
        }
      }
      else
      {
        // op == 0: follow the jump target.
        ptable = ptable->jump_target;
      }
    }
    else
    {
      // No handler: unconditional step to the next entry.
      ptable = ptable->next;
    }
    if ( v3 )
      next = ptable->rip_value;
    // Write the (possibly modified) register block back and resume the child.
    ptrace(PTRACE_SETREGS, son_pid, 0LL, reg_context);
    if ( ptrace(PTRACE_CONT, son_pid, 0LL, 0LL) < 0 )
    {
      perror("Ptrace.");
      return __readfsqword(0x28u) ^ v14;
    }
    wait(&stat_loc);
  }
  return __readfsqword(0x28u) ^ v14;
}
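再看父进程的代码。大致逻辑是:父进程用 ptrace 跟踪子进程,子进程每次停下时,父进程先检查停下位置前一个字节是否为 0xCC(int3),再根据 ptable 当前表项的 handler 返回值决定下一个表项,更新 next(从栈布局看应对应子进程的 RIP)后用 PTRACE_SETREGS 写回,让子进程继续运行。由于子进程已经被父进程 ptrace,调试器无法再直接附加到子进程上(同一进程同一时间只能有一个 tracer),这也是子进程难以调试的原因。我们写个脚本 dump 出 table 中的数据: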
========================================================================================================================
VM Table Dump - Base Address: 0x606AC0
========================================================================================================================
Index Jump_Target Next Handler RIP_Value
------------------------------------------------------------------------------------------------------------------------
0 0x607160 0x607FE0 ret4 0x4009F7
1 0x607540 0x4008D0 ret3 0x400AFD
2 NULL 0x606F00 NULL 0x400B03
3 0x607DC0 0x607E00 ret4 0x400B6E
4 0x607920 0x400870 ret3 0x400B79
5 0x608000 0x607460 sub_401CA6 0x400B7C
6 0x6077C0 0x607EA0 sub_401D22 0x400B81
7 0x6071E0 0x607BA0 ret4 0x400BAB
8 0x607140 0x608120 sub_401D22 0x400BBE
9 0x607840 0x400830 ret3 0x400BEB
10 0x6070A0 0x400870 ret3 0x400BF8
11 0x607BE0 0x607120 ret4 0x400BFE
12 0x607AC0 0x607F60 ret4 0x400C10
13 0x607600 0x607D20 sub_401D5B 0x400C25
14 0x607B80 0x607BA0 ret4 0x400C34
15 NULL 0x608100 NULL 0x400C47
16 0x606B80 0x400900 ret3 0x400C4F
17 0x607B60 0x606EE0 sub_401CA6 0x400C74
18 0x6072C0 0x607A80 sub_401CA6 0x400C7C
19 0x607CA0 0x607F40 sub_401CA6 0x400C84
20 NULL NULL ret2 0x400C8C
21 0x607280 0x606FC0 ret4 0x400C96
22 NULL 0x607A20 NULL 0x400CCF
23 0x6079C0 0x608060 ret4 0x400CDF
24 NULL 0x6080C0 NULL 0x400D1F
25 0x607040 0x400810 ret3 0x400D45
26 0x608020 0x607E00 ret4 0x400D4D
27 NULL NULL ret2 0x400D58
28 NULL 0x607620 NULL 0x400D5B
29 0x606D60 0x607120 ret4 0x400D90
30 NULL 0x607520 NULL 0x400DA3
31 NULL NULL ret2 0x400DDB
32 0x607480 0x607340 sub_401D5B 0x400DE0
33 0x606BC0 0x400900 ret3 0x400DEF
34 0x606CA0 0x606B00 sub_401CA6 0x400E1A
35 NULL 0x6080C0 NULL 0x400E22
36 0x6077E0 0x608060 ret4 0x400E3A
37 0x606DE0 0x400810 ret3 0x400E55
38 NULL NULL ret2 0x400E5D
39 0x607100 0x606D40 sub_401D5B 0x400F5C
40 0x607EC0 0x607860 sub_401DCD 0x400F6A
41 NULL NULL ret2 0x400F7A
42 NULL 0x607960 NULL 0x400F83
43 0x606B20 0x6080E0 sub_401CA6 0x400FB1
44 0x606C00 0x400810 ret3 0x400FC1
45 0x607080 0x607C80 ret4 0x400FC9
46 0x6079E0 0x607780 ret4 0x400FDB
47 NULL 0x606B60 NULL 0x400FEE
48 NULL NULL ret2 0x400FF6
49 NULL NULL ret2 0x400FF9
50 0x606D40 0x400820 ret3 0x400FFB
51 0x607B40 0x606FC0 ret4 0x400FFC
52 NULL 0x608120 NULL 0x401010
53 0x607260 0x4008A0 ret3 0x401018
54 NULL NULL ret2 0x401032
55 NULL 0x606D00 NULL 0x401034
56 0x607060 0x607C80 ret4 0x40104D
57 0x6071C0 0x606C40 ret4 0x401060
58 NULL 0x608100 NULL 0x401073
59 NULL NULL ret2 0x401080
60 NULL 0x606B60 NULL 0x40117F
61 0x607C40 0x4008A0 ret3 0x401184
62 0x607CC0 0x607120 ret4 0x40119E
63 0x608140 0x607C80 ret4 0x4011B1
64 NULL 0x607A40 NULL 0x4011C4
65 NULL 0x606CE0 NULL 0x4011FF
66 NULL 0x607C00 NULL 0x40120A
67 NULL 0x606FA0 NULL 0x40120B
68 NULL NULL ret2 0x40120C
69 0x6078C0 0x608060 ret4 0x401213
70 0x607D00 0x608060 ret4 0x40122E
71 0x607400 0x607E00 ret4 0x401249
72 0x607420 0x400810 ret3 0x401254
73 NULL 0x607F80 NULL 0x40125C
74 0x607500 0x607220 ret4 0x40129F
75 0x6074E0 0x400810 ret3 0x4012AA
76 0x606DC0 0x4008D0 ret3 0x4012B2
77 NULL 0x6078E0 NULL 0x4012B8
78 0x607340 0x400820 ret3 0x4012C0
79 NULL 0x607C00 NULL 0x4012C1
80 NULL 0x607B00 NULL 0x4012C3
81 0x606F60 0x400810 ret3 0x4012E7
82 0x6080A0 0x608060 ret4 0x4012EF
83 0x607000 0x606E80 sub_401CA6 0x40130A
84 0x606F20 0x6074A0 sub_401D5B 0x401312
85 0x606F40 0x607E80 ret4 0x401319
86 0x607C60 0x606FC0 ret4 0x401324
87 0x607980 0x607C80 ret4 0x40132A
88 NULL 0x6077A0 NULL 0x40133D
89 NULL 0x606D00 NULL 0x40137F
90 0x607D20 0x400820 ret3 0x40138A
91 0x6070C0 0x606E40 sub_401CA6 0x40138B
92 NULL 0x607A40 NULL 0x401390
93 0x607320 0x400810 ret3 0x4013C3
94 0x6075A0 0x606C40 ret4 0x4013CE
95 0x6078A0 0x606FC0 ret4 0x4013E0
96 0x607680 0x606C40 ret4 0x4013F4
97 0x606AE0 0x607540 sub_401F0C 0x401407
98 0x607AE0 0x606DC0 ret4 0x40140F
99 0x607440 0x400810 ret3 0x40141C
100 0x6076E0 0x400860 ret3 0x40142F
101 NULL 0x607A20 NULL 0x401441
102 0x607940 0x607F60 ret4 0x401476
103 0x606E20 0x6075C0 sub_401CA6 0x40148B
104 NULL 0x607EA0 NULL 0x401490
105 NULL 0x607FA0 NULL 0x401498
106 0x607180 0x400820 ret3 0x4014A0
107 NULL NULL ret2 0x4014A1
108 0x6075E0 0x606DC0 ret4 0x4014AD
109 NULL 0x607900 NULL 0x4014BD
110 NULL NULL ret2 0x4014C4
111 0x607BC0 0x606FC0 ret4 0x4014C7
112 NULL 0x607020 NULL 0x4014CD
113 0x607240 0x607DA0 sub_401CA6 0x4014D5
114 NULL NULL ret2 0x4014DA
115 NULL 0x607D60 NULL 0x4014DC
116 0x607F20 0x6076A0 ret4 0x4014F1
117 NULL 0x606F00 NULL 0x4014FA
118 0x606C80 0x607780 ret4 0x401505
119 NULL NULL ret2 0x401518
120 NULL 0x607FA0 NULL 0x40151A
121 0x6076C0 0x607BA0 ret4 0x401525
122 0x607700 0x400840 ret3 0x401538
123 0x607880 0x607760 sub_401CA6 0x401561
124 0x607200 0x607640 sub_401C31 0x401566
125 0x606C20 0x607120 ret4 0x401576
126 0x6071A0 0x400900 ret3 0x401589
127 0x6070E0 0x400820 ret3 0x40158A
128 0x607820 0x6076A0 ret4 0x40158B
129 0x607E40 0x4008C0 ret3 0x401594
130 0x606EC0 0x607F00 sub_401CA6 0x40159C
131 NULL NULL ret2 0x4015A1
132 NULL NULL ret2 0x4015AD
133 0x607660 0x607E60 sub_401CA6 0x4015B2
134 0x607E20 0x607BA0 ret4 0x4015BA
135 0x607D40 0x607F60 ret4 0x4015CC
136 NULL NULL ret2 0x4015E1
137 0x6073E0 0x606FC0 ret4 0x4015E3
138 0x607AA0 0x6070E0 sub_401D5B 0x401612
139 0x607360 0x607E80 ret4 0x401633
140 0x606BE0 0x4008A0 ret3 0x40163E
141 0x6079A0 0x606FC0 ret4 0x401658
142 0x606EA0 0x607F60 ret4 0x40165E
143 0x608040 0x607960 sub_401D22 0x401672
144 0x607A60 0x606FC0 ret4 0x401684
145 NULL 0x607B00 NULL 0x4016BF
146 0x606B40 0x400900 ret3 0x401702
147 NULL NULL ret2 0x401703
148 0x607B20 0x606FC0 ret4 0x40170A
149 0x6072E0 0x606CC0 sub_401CA6 0x401713
150 0x607C20 0x607220 ret4 0x40171B
151 NULL 0x6078E0 NULL 0x401726
152 0x607380 0x607220 ret4 0x4017B9
153 0x606E60 0x606FC0 ret4 0x4017C4
154 NULL 0x607620 NULL 0x4017D1
155 0x6072A0 0x606C40 ret4 0x4017E1
156 0x607800 0x607180 sub_401D5B 0x4017F4
157 0x607FC0 0x400810 ret3 0x401802
158 NULL 0x607F80 NULL 0x40180D
159 NULL 0x607D60 NULL 0x401831
160 NULL 0x607900 NULL 0x401839
161 NULL 0x607020 NULL 0x401843
162 0x606BA0 0x607780 ret4 0x40184E
163 0x606FE0 0x606FC0 ret4 0x40185B
164 NULL 0x606D20 NULL 0x401864
165 0x607580 0x606FC0 ret4 0x4018A3
166 0x606C60 0x607DE0 sub_401CA6 0x4018B7
167 0x6073A0 0x606E00 sub_401CA6 0x4018BC
168 NULL 0x606FA0 NULL 0x4018CC
169 0x6073C0 0x400810 ret3 0x4018CE
170 NULL NULL ret2 0x4018E2
171 0x607560 0x607220 ret4 0x4018E5
172 NULL 0x607520 NULL 0x4018F0
173 NULL 0x6077A0 NULL 0x40193C
174 NULL 0x606D20 NULL 0x401953
175 0x607EE0 0x608060 ret4 0x40195E
176 0x607300 0x607740 sub_401C31 0x4019A2
177 0x607D80 0x607E00 ret4 0x4019AC
178 0x606DA0 0x608080 sub_401C31 0x4019B7
179 NULL 0x606CE0 NULL 0x4019CA
180 0x607CE0 0x607780 ret4 0x4019D2
------------------------------------------------------------------------------------------------------------------------
Total Valid Entries: 181/181
Handler Statistics:
------------------------------------------------------------
ret4 : 57 times
ret3 : 30 times
ret2 : 19 times
sub_401CA6 : 16 times
sub_401D5B : 6 times
sub_401D22 : 3 times
sub_401C31 : 3 times
sub_401DCD : 1 times
sub_401F0C : 1 times
[+] Dump completed!
恢复一下执行流。注意下面的 trace 是 assume_false 模式:条件跳转的走向是假设出来的,并不是真实输入下的执行路径,只能用来看大致流程。到这里就没招了,实在做不来了。
========================================================================================================================
VM Execution Trace (Mode: assume_false)
========================================================================================================================
Step PC Handler Op RIP Depth Note
------------------------------------------------------------------------------------------------------------------------
0 0 ret4 PUSH 0x4009F7 1 Push PC=53 to stack, depth=1
1 169 ret3 CALL 0x4018CE 1 Call PC=72, push return=None, depth=1
2 72 ret3 CALL 0x401254 1 Call PC=75, push return=None, depth=1
3 75 ret3 CALL 0x4012AA 1 Call PC=81, push return=None, depth=1
4 81 ret3 CALL 0x4012E7 1 Call PC=37, push return=None, depth=1
5 37 ret3 CALL 0x400E55 1 Call PC=25, push return=None, depth=1
6 25 ret3 CALL 0x400D45 1 Call PC=44, push return=None, depth=1
7 44 ret3 CALL 0x400FC1 1 Call PC=10, push return=None, depth=1
8 10 ret3 CALL 0x400BF8 1 Call PC=47, push return=None, depth=1
9 47 NULL NEXT 0x400FEE 1 Unconditional next
10 5 sub_401CA6 JUMP 0x400B7C 1 JLE [ASSUME FALSE] -> jump to PC=170
11 170 ret2 RET 0x4018E2 0 Return to PC=53, stack depth=0
12 53 ret3 CALL 0x401018 0 Call PC=61, push return=None, depth=0
13 61 ret3 CALL 0x401184 0 Call PC=140, push return=None, depth=0
14 140 ret3 CALL 0x40163E 0 Call PC=9, push return=None, depth=0
15 9 ret3 CALL 0x400BEB 0 Call PC=108, push return=None, depth=0 // Input Your Flag...
16 108 ret4 PUSH 0x4014AD 1 Push PC=89 to stack, depth=1
17 24 NULL NEXT 0x400D1F 1 Unconditional next
18 176 sub_401C31 JUMP 0x4019A2 1 JG [ASSUME FALSE] -> jump to PC=66
19 66 NULL NEXT 0x40120A 1 Unconditional next
20 138 sub_401D5B JUMP 0x401612 1 JZ [ASSUME FALSE] -> jump to PC=127
21 127 ret3 CALL 0x40158A 1 Call PC=49, push return=None, depth=1
22 49 ret2 RET 0x400FF9 0 Return to PC=89, stack depth=0
23 89 NULL NEXT 0x40137F 0 Unconditional next
24 18 sub_401CA6 JUMP 0x400C7C 0 JLE [ASSUME FALSE] -> jump to PC=64
25 64 NULL NEXT 0x4011C4 0 Unconditional next
26 124 sub_401C31 JUMP 0x401566 0 JG [ASSUME FALSE] -> jump to PC=58
27 58 NULL NEXT 0x401073 0 Unconditional next
28 178 sub_401C31 JUMP 0x4019B7 0 JG [ASSUME FALSE] -> jump to PC=23
29 23 ret4 PUSH 0x400CDF 1 Push PC=120 to stack, depth=1
30 173 NULL NEXT 0x40193C 1 Unconditional next
31 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27
32 27 ret2 RET 0x400D58 0 Return to PC=120, stack depth=0
33 120 NULL NEXT 0x40151A 0 Unconditional next
34 167 sub_401CA6 JUMP 0x4018BC 0 JLE [ASSUME FALSE] -> jump to PC=71
35 71 ret4 PUSH 0x401249 1 Push PC=74 to stack, depth=1
36 154 NULL NEXT 0x4017D1 1 Unconditional next
37 91 sub_401CA6 JUMP 0x40138B 1 JLE [ASSUME FALSE] -> jump to PC=48
38 48 ret2 RET 0x400FF6 0 Return to PC=74, stack depth=0
39 74 ret4 PUSH 0x40129F 1 Push PC=82 to stack, depth=1
40 59 ret2 RET 0x401080 0 Return to PC=82, stack depth=0
41 82 ret4 PUSH 0x4012EF 1 Push PC=175 to stack, depth=1
42 173 NULL NEXT 0x40193C 1 Unconditional next
43 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27
44 27 ret2 RET 0x400D58 0 Return to PC=175, stack depth=0
45 175 ret4 PUSH 0x40195E 1 Push PC=161 to stack, depth=1
46 173 NULL NEXT 0x40193C 1 Unconditional next
47 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27
48 27 ret2 RET 0x400D58 0 Return to PC=161, stack depth=0
49 161 NULL NEXT 0x401843 0 Unconditional next
50 43 sub_401CA6 JUMP 0x400FB1 0 JLE [ASSUME FALSE] -> jump to PC=3
51 3 ret4 PUSH 0x400B6E 1 Push PC=152 to stack, depth=1
52 154 NULL NEXT 0x4017D1 1 Unconditional next
53 91 sub_401CA6 JUMP 0x40138B 1 JLE [ASSUME FALSE] -> jump to PC=48
54 48 ret2 RET 0x400FF6 0 Return to PC=152, stack depth=0
55 152 ret4 PUSH 0x4017B9 1 Push PC=70 to stack, depth=1
56 59 ret2 RET 0x401080 0 Return to PC=70, stack depth=0
57 70 ret4 PUSH 0x40122E 1 Push PC=146 to stack, depth=1
58 173 NULL NEXT 0x40193C 1 Unconditional next
59 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27
60 27 ret2 RET 0x400D58 0 Return to PC=146, stack depth=0
61 146 ret3 CALL 0x401702 0 Call PC=4, push return=None, depth=0
62 4 ret3 CALL 0x400B79 0 Call PC=115, push return=None, depth=0
63 115 NULL NEXT 0x4014DC 0 Unconditional next
64 149 sub_401CA6 JUMP 0x401713 0 JLE [ASSUME FALSE] -> jump to PC=65
65 65 NULL NEXT 0x4011FF 0 Unconditional next
66 17 sub_401CA6 JUMP 0x400C74 0 JLE [ASSUME FALSE] -> jump to PC=133 // cmp [rbp+var_1E0], 0Fh
67 133 sub_401CA6 JUMP 0x4015B2 0 JLE [ASSUME FALSE] -> jump to PC=93 // cmp dword ptr [rbp-1DCh], 1Fh
68 93 ret3 CALL 0x4013C3 0 Call PC=67, push return=None, depth=0 // Congratulation...
69 67 NULL NEXT 0x40120B 0 Unconditional next
70 39 sub_401D5B JUMP 0x400F5C 0 JZ [ASSUME FALSE] -> jump to PC=50
71 50 ret3 CALL 0x400FFB 0 Call PC=20, push return=None, depth=0
72 20 ret2 RET 0x400C8C 0 Stack Empty - PROGRAM EXIT
========================================================================================================================