{"id":18,"date":"2026-04-14T15:12:17","date_gmt":"2026-04-14T07:12:17","guid":{"rendered":"https:\/\/www.seekinthevortex.cn\/?p=18"},"modified":"2026-04-14T15:12:17","modified_gmt":"2026-04-14T07:12:17","slug":"2025-%e5%bc%ba%e7%bd%91%e6%8b%9f%e6%80%81%e5%86%b3%e8%b5%9b","status":"publish","type":"post","link":"https:\/\/www.seekinthevortex.cn\/index.php\/2026\/04\/14\/2025-%e5%bc%ba%e7%bd%91%e6%8b%9f%e6%80%81%e5%86%b3%e8%b5%9b\/","title":{"rendered":"2025 \u5f3a\u7f51\u62df\u6001\u51b3\u8d5b"},"content":{"rendered":"

easyre<\/h1>\n
__int64 sub_7FF703D296F0()\n{\n    __int64 (__fastcall *psub_140009510)(_QWORD); \/\/ rbx\n    Stream *Stream; \/\/ rax\n    Stream *Stream_1; \/\/ rax\n    char Buffer[8]; \/\/ [rsp+20h] [rbp-50h] BYREF\n    __int64 v5; \/\/ [rsp+28h] [rbp-48h]\n    __int64 v6; \/\/ [rsp+30h] [rbp-40h]\n    __int64 v7; \/\/ [rsp+38h] [rbp-38h]\n    __int64 v8; \/\/ [rsp+40h] [rbp-30h]\n    __int64 v9; \/\/ [rsp+48h] [rbp-28h]\n    __int64 v10; \/\/ [rsp+50h] [rbp-20h]\n    __int64 v11; \/\/ [rsp+58h] [rbp-18h]\n\n    sub_7FF703D219B7();\n    psub_140009510 = psub_140009510;\n    *Buffer = 0LL;\n    v5 = 0LL;\n    v6 = 0LL;\n    v7 = 0LL;\n    v8 = 0LL;\n    v9 = 0LL;\n    v10 = 0LL;\n    v11 = 0LL;\n    Stream = psub_140009510(1LL);\n    setvbuf(Stream, 0LL, 4, 0LL);\n    sub_7FF703D22FD0("Input flag: ");\n    Stream_1 = psub_140009510(0LL);\n    if ( !fgets(Buffer, 64, Stream_1) )\n        return 1LL;\n    Buffer[strcspn(Buffer, "\\n")] = 0;\n    if ( strlen(Buffer) == 32 )\n    {\n        \/\/ \u4fe1\u53f7\u5904\u7406\u51fd\u6570\n        \/\/ Function\u6307\u5411\u5904\u7406\u4fe1\u53f7\u7684\u51fd\u6570\u5730\u5740\n        \/\/ 11  SIGSEGV \u6bb5\u9519\u8bef\uff08\u975e\u6cd5\u5185\u5b58\u8bbf\u95ee\uff09\n        signal(11, Function);\n        if ( !setjmp(Buf) )\n        {\n            MEMORY[0] = 0;\n            BUG();\n        }\n        sub_7FF703D21850(Buffer);\n    }\n    else\n    {\n        puts("Wrong length! Hint: 32 chars.");\n    }\n    return 0LL;\n}\n<\/code><\/pre>\n
\u641c\u7d22\u5b57\u7b26\u4e32\u6765\u5230\u4e3b\u51fd\u6570<\/p>\n
\/\/ \u4fe1\u53f7\u5904\u7406\u51fd\u6570\n\/\/ Function\u6307\u5411\u5904\u7406\u4fe1\u53f7\u7684\u51fd\u6570\u5730\u5740\n\/\/ 11  SIGSEGV \u6bb5\u9519\u8bef\uff08\u975e\u6cd5\u5185\u5b58\u8bbf\u95ee\uff09\nsignal(11, Function);\n\nif ( !setjmp(Buf) )\n{\n\tMEMORY[0] = 0;\n\tBUG();\n}\n<\/code><\/pre>\n
\u8bbe\u7f6e\u4e86\u4e00\u4e2a\u4fe1\u53f7\u5904\u7406\u51fd\u6570,\u800c\u5728\u4e0b\u9762\u89e6\u53d1\u4e86\u4e00\u4e2a\u8bbf\u95ee\u975e\u6cd5\u6bb5\u7684\u5f02\u5e38\u4ece\u800c\u8fdb\u5165\u5230\u5f02\u5e38\u5904\u7406\u51fd\u6570<\/p>\n
void __fastcall __noreturn Function()\n{\n    key = _mm_unpacklo_epi64(\n              _mm_unpacklo_epi32(_mm_cvtsi32_si128(key ^ 0xDEADBEEF), _mm_cvtsi32_si128(DWORD1(key) - 2023406815)),\n              _mm_unpacklo_epi32(\n                  _mm_cvtsi32_si128(DWORD2(key) - 287454020),\n                  _mm_cvtsi32_si128(HIDWORD(key) ^ 0xCCDDEEFF)));\n    longjmp(Buf, 1);\n}\n<\/code><\/pre>\n
\u91cc\u9762\u4f1a\u5bf9key\u8fdb\u884c\u4e00\u4e9b\u5904\u7406,\u5904\u7406\u540e\u4f1a\u8c03\u7528setjump\u51fd\u6570\u56de\u5230\u539f\u6765\u7684\u4f4d\u7f6e<\/p>\n
int __fastcall sub_7FF703D21850(const __m128i *Buffer)\n{\n    __m128i v1; \/\/ xmm1\n    char *v2; \/\/ rax\n    _DWORD *i; \/\/ rdx\n    _OWORD v5[2]; \/\/ [rsp+20h] [rbp-28h] BYREF\n    char v6; \/\/ [rsp+40h] [rbp-8h] BYREF\n\n    v1 = _mm_loadu_si128(Buffer + 1);\n    v5[0] = _mm_loadu_si128(Buffer);\n    v5[1] = v1;\n    TEA(v5, 8LL, &key);\n    v2 = v5;\n    for ( i = &cipher; *v2 == *i; ++i )\n    {\n        v2 += 4;\n        if ( v2 == &v6 )\n            return puts("Success! You got the flag.");\n    }\n    return puts("Wrong flag! Try again.");\n}\n<\/code><\/pre>\n
\u6700\u540e\u8fdb\u5165\u5230\u8fd9\u91cc,\u53ef\u4ee5\u53d1\u73b0\u662f\u6807\u51c6TEA\u52a0\u5bc6,\u89e3\u5bc6\u5373\u53ef<\/p>\n
\u89e3\u5bc6\u811a\u672c<\/h2>\n
#include <stdint.h>\n#include <stdio.h>\n\n#include <cstring>\n\n\/\/ \u52a0\u5bc6\u51fd\u6570\n\nvoid encrypt(uint32_t* value, uint32_t* key) {\n    uint32_t v0 = value[0], v1 = value[1], sum = 0, i; \/* set up *\/\n    uint32_t delta = 0x9e3779b9;\n    uint32_t k0 = key[0], k1 = key[1], k2 = key[2], k3 = key[3]; \/* cache key *\/\n\n    for (i = 0; i < 32; i++) { \/* basic cycle start *\/\n        sum += delta;\n        v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);\n        v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);\n    } \/* end cycle *\/\n    value[0] = v0;\n    value[1] = v1;\n}\n\n\/\/ \u89e3\u5bc6\u51fd\u6570\n\nvoid decrypt(uint32_t* value, uint32_t* key) {\n    uint32_t v0 = value[0], v1 = value[1], sum = 0xC6EF3720, i;\n    uint32_t delta = 0x9e3779b9;\n    uint32_t k0 = key[0], k1 = key[1], k2 = key[2], k3 = key[3];\n\n    for (i = 0; i < 32; i++) {\n        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);\n        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);\n        sum -= delta;\n    }\n    value[0] = v0;\n    value[1] = v1;\n}\n\nunsigned char cipher[] = {0x86, 0x29, 0xC2, 0xE1, 0xC5, 0xDD, 0x9E, 0xD3, 0x4D, 0x48, 0xA1, 0xDF, 0x3C, 0xE5, 0xD4, 0x10, 0xE4, 0x3B, 0x9A, 0xC4, 0x8A, 0xF4, 0xDB, 0x77, 0x29, 0xAE, 0xEB, 0xE5, 0x5C, 0xEC, 0x9F, 0xE9};\n\nint main() {\n    uint32_t key[] = {0xCC99E897, 0x22222211, 0xEDBA8754, 0xBA89DCEF};\n    printf("\\nAfter decryption:\\n");\n    uint32_t tmp[8];\n    memcpy(tmp, cipher, 32);\n    for (int i = 0; i < 8; i += 2) {\n        decrypt(&tmp[i], key);\n    }\n    printf("%.32s\\n", (char*)tmp);\n    return 0;\n}\n\n\/**\n * After decryption:\n * flag{s1gn4l_h4ndl3r_1s_tr1cky!!}\n *\/\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
easyre __int64 sub_7FF703D296F0() { __int64 (__fastcall […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-18","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/18","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/comments?post=18"}],"version-history":[{"count":1,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/18\/revisions"}],"predecessor-version":[{"id":19,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/18\/revisions\/19"}],"wp:attachment":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/media?parent=18"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/categories?post=18"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/tags?post=18"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}