\u770b\u5230\u9644\u4ef6,\u7ed9\u51fa\u4e86\u4e00\u4e2akey\u548c\u52a0\u5bc6\u540e\u7684\u5bc6\u6587
\n\u7b80\u5355\u5206\u6790\u540e\u5c31\u53ef\u4ee5\u76f4\u63a5\u5199\u51fa\u89e3\u5bc6\u811a\u672c,\u751a\u81f3ai\u80fd\u76f4\u63a5\u8dd1\u51fa\u6765<\/p>\n
#!\/usr\/bin\/env python3\n"""\nMMXEncode2024 \u89e3\u5bc6\u811a\u672c\n\u7528\u4e8e\u89e3\u5bc6\u4f7f\u7528 MMX \u52a0\u5bc6\u7b97\u6cd5\u52a0\u5bc6\u7684\u6587\u4ef6\n"""\n\nimport sys\nimport struct\n\n\ndef swap_bytes_in_words(data):\n """\u5728\u6bcf\u4e2a16\u4f4d\u5b57\u5185\u4ea4\u6362\u9ad8\u4f4e\u5b57\u8282"""\n result = bytearray(8)\n for i in range(4): # 4\u4e2a16\u4f4d\u5b57\n result[i*2] = data[i*2 + 1] # \u9ad8\u5b57\u8282\n result[i*2 + 1] = data[i*2] # \u4f4e\u5b57\u8282\n return bytes(result)\n\n\ndef rotate_right_1bit(data):\n """\u5c0664\u4f4d\u6570\u636e\u5faa\u73af\u53f3\u79fb1\u4f4d"""\n num = struct.unpack('<Q', data)[0] # \u8f6c\u6362\u4e3a64\u4f4d\u6574\u6570\uff08\u5c0f\u7aef\u5e8f\uff09\n # \u5faa\u73af\u53f3\u79fb1\u4f4d\n rotated = ((num >> 1) | ((num & 1) << 63)) & 0xFFFFFFFFFFFFFFFF\n return struct.pack('<Q', rotated)\n\n\ndef byte_subtract(data, key):\n """\u5b57\u8282\u7ea7\u51cf\u6cd5\uff08\u5e26\u56de\u7ed5\uff09"""\n result = bytearray(8)\n for i in range(8):\n result[i] = (data[i] - key[i]) & 0xFF\n return bytes(result)\n\n\ndef xor_bytes(data, key):\n """XOR\u64cd\u4f5c"""\n result = bytearray(8)\n for i in range(8):\n result[i] = data[i] ^ key[i]\n return bytes(result)\n\n\ndef decrypt_block(encrypted_block, key):\n """\n \u89e3\u5bc6\u5355\u4e2a8\u5b57\u8282\u5757\n \n \u52a0\u5bc6\u6b65\u9aa4\uff08\u6b63\u5411\uff09\uff1a\n 1. XOR \u5bc6\u94a5\n 2. \u5b57\u8282\u4ea4\u6362\n 3. \u5faa\u73af\u5de6\u79fb1\u4f4d\n 4. \u52a0\u5bc6\u94a5\n \n \u89e3\u5bc6\u6b65\u9aa4\uff08\u53cd\u5411\uff09\uff1a\n 1. \u51cf\u5bc6\u94a5\n 2. \u5faa\u73af\u53f3\u79fb1\u4f4d\n 3. \u5b57\u8282\u4ea4\u6362\n 4. XOR \u5bc6\u94a5\n """\n # \u6b65\u9aa41: \u51cf\u53bb\u5bc6\u94a5\n data = byte_subtract(encrypted_block, key)\n \n # \u6b65\u9aa42: \u5faa\u73af\u53f3\u79fb1\u4f4d\n data = rotate_right_1bit(data)\n \n # \u6b65\u9aa43: \u5b57\u8282\u4ea4\u6362\n data = swap_bytes_in_words(data)\n \n # \u6b65\u9aa44: XOR\u5bc6\u94a5\n data = xor_bytes(data, key)\n \n return data\n\n\ndef decrypt_file(input_file, output_file, key_file=None):\n """\n \u89e3\u5bc6\u6587\u4ef6\n \n Args:\n input_file: \u52a0\u5bc6\u7684\u8f93\u5165\u6587\u4ef6\n output_file: \u89e3\u5bc6\u540e\u7684\u8f93\u51fa\u6587\u4ef6\n key_file: \u5bc6\u94a5\u6587\u4ef6\uff08\u53ef\u9009\uff0c\u9ed8\u8ba4\u4f7f\u7528\u786c\u7f16\u7801\u5bc6\u94a5\uff09\n """\n # \u8bfb\u53d6\u5bc6\u94a5\n if key_file:\n try:\n with open(key_file, 'rb') as f:\n key_data = f.read(32)\n if len(key_data) >= 16:\n key = key_data[:8] # \u4f7f\u7528\u524d8\u5b57\u8282\n print(f"[+] \u4ece\u6587\u4ef6\u52a0\u8f7d\u5bc6\u94a5: {key_file}")\n else:\n print(f"[-] \u5bc6\u94a5\u6587\u4ef6\u592a\u5c0f\uff0c\u4f7f\u7528\u9ed8\u8ba4\u5bc6\u94a5")\n key = b"MMXEncod" # "MMXEncode2024"\u7684\u524d8\u5b57\u8282\n except FileNotFoundError:\n print(f"[-] \u5bc6\u94a5\u6587\u4ef6\u4e0d\u5b58\u5728: {key_file}\uff0c\u4f7f\u7528\u9ed8\u8ba4\u5bc6\u94a5")\n key = b"MMXEncod"\n else:\n # \u9ed8\u8ba4\u5bc6\u94a5\n key = b"MMXEncod" # "MMXEncode2024"\u7684\u524d8\u5b57\u8282\n print("[+] \u4f7f\u7528\u9ed8\u8ba4\u5bc6\u94a5: MMXEncode2024")\n \n # \u8bfb\u53d6\u52a0\u5bc6\u6587\u4ef6\n try:\n with open(input_file, 'rb') as f:\n encrypted_data = f.read()\n except FileNotFoundError:\n print(f"[-] \u9519\u8bef: \u65e0\u6cd5\u6253\u5f00\u6587\u4ef6 {input_file}")\n return False\n \n if len(encrypted_data) == 0:\n print("[-] \u9519\u8bef: \u6587\u4ef6\u4e3a\u7a7a")\n return False\n \n print(f"[+] \u52a0\u5bc6\u6587\u4ef6\u5927\u5c0f: {len(encrypted_data)} \u5b57\u8282")\n \n # \u89e3\u5bc6\u6570\u636e\n decrypted = bytearray()\n \n # \u63098\u5b57\u8282\u5757\u5904\u7406\n for i in range(0, len(encrypted_data), 8):\n if i + 8 <= len(encrypted_data):\n block = encrypted_data[i:i+8]\n decrypted_block = decrypt_block(block, key)\n decrypted.extend(decrypted_block)\n else:\n # \u5904\u7406\u4e0d\u8db38\u5b57\u8282\u7684\u6700\u540e\u4e00\u5757\uff08\u5982\u679c\u6709\uff09\n remaining = encrypted_data[i:]\n decrypted.extend(remaining)\n \n # \u4ece\u89e3\u5bc6\u6570\u636e\u672b\u5c3e\u8bfb\u53d6\u539f\u59cb\u6587\u4ef6\u5927\u5c0f\n # \u52a0\u5bc6\u65f6\u5728\u6587\u4ef6\u672b\u5c3e\u5b58\u50a8\u4e86\u539f\u59cb\u5927\u5c0f\n if len(decrypted) >= 8:\n # \u5c1d\u8bd5\u8bfb\u53d6\u6587\u4ef6\u5927\u5c0f\u6807\u8bb0\uff08\u6700\u540e\u51e0\u4e2a\u5b57\u8282\u53ef\u80fd\u5b58\u50a8\u4e86\u539f\u59cb\u5927\u5c0f\uff09\n # \u7531\u4e8e\u4e0d\u786e\u5b9a\u786e\u5207\u4f4d\u7f6e\uff0c\u6211\u4eec\u8f93\u51fa\u5b8c\u6574\u89e3\u5bc6\u6570\u636e\n pass\n \n # \u5199\u5165\u89e3\u5bc6\u6587\u4ef6\n try:\n with open(output_file, 'wb') as f:\n f.write(decrypted)\n print(f"[+] \u6210\u529f\u89e3\u5bc6\u5230: {output_file}")\n print(f"[+] \u89e3\u5bc6\u6587\u4ef6\u5927\u5c0f: {len(decrypted)} \u5b57\u8282")\n return True\n except Exception as e:\n print(f"[-] \u5199\u5165\u6587\u4ef6\u5931\u8d25: {e}")\n return False\n\n\ndef main():\n """\u4e3b\u51fd\u6570"""\n if len(sys.argv) < 3:\n print("\u7528\u6cd5: python decrypt.py <\u52a0\u5bc6\u6587\u4ef6> <\u8f93\u51fa\u6587\u4ef6> [\u5bc6\u94a5\u6587\u4ef6]")\n print("\u793a\u4f8b: python decrypt.py encoded.dat plaintext.txt")\n print("\u793a\u4f8b: python decrypt.py encoded.dat plaintext.txt encoded.dat.key")\n return 1\n \n input_file = sys.argv[1]\n output_file = sys.argv[2]\n key_file = sys.argv[3] if len(sys.argv) > 3 else None\n \n print("=" * 50)\n print("MMXEncode2024 \u89e3\u5bc6\u5de5\u5177")\n print("=" * 50)\n \n if decrypt_file(input_file, output_file, key_file):\n print("[+] \u89e3\u5bc6\u5b8c\u6210!")\n return 0\n else:\n print("[-] \u89e3\u5bc6\u5931\u8d25!")\n return 1\n\n\nif __name__ == "__main__":\n sys.exit(main())\n<\/code><\/pre>\nflag{butter_fly_mmx_encode_7778167}\n<\/code><\/pre>\ntradere<\/h1>\n
\u8fd9\u9053\u9898\u603b\u611f\u89c9\u8fd8\u662f\u80fd\u505a\u51fa\u6765\u7684,\u4f46\u662f\u4e0d\u77e5\u9053\u5b50\u8fdb\u7a0b\u5230\u5e95\u600e\u4e48\u8c03\u8bd5,\u6570\u636e\u4e5f\u4e0d\u77e5\u9053\u600e\u4e48\u5904\u7406,\u8d5b\u540e\u770b\u770b\u80fd\u4e0d\u80fd\u6709\u590d\u73b0\u5427,\u6211\u8fd8\u662f\u597d\u83dc…<\/p>\n
\u7a0b\u5e8f\u5206\u6790<\/h2>\n
\u9996\u5148\u770b\u5230main\u51fd\u6570<\/p>\n
void __fastcall main(__int64 n60, char **a2, char **a3)\n{\n __pid_t son_pid; \/\/ [rsp+1Ch] [rbp-4h]\n\n init_func(n60);\n son_pid = fork();\n if ( son_pid )\n {\n if ( son_pid <= 0 )\n perror("Fork.");\n else\n parent_func(son_pid);\n }\n else\n {\n son_func(n60);\n }\n}\n<\/code><\/pre>\nmain\u51fd\u6570\u8fd8\u662f\u5f88\u7b80\u5355\u7684,\u53ef\u4ee5\u770b\u5230\u6709\u4e00\u4e2a\u7236\u8fdb\u7a0b\u548c\u5b50\u8fdb\u7a0b,\u5206\u522b\u5bf9\u5e94\u4e00\u4e2a\u51fd\u6570
\n\u6ce8\u610f\u7684\u662f\u5f00\u5934\u6709\u4e00\u4e2a\u53cd\u8c03\u8bd5,60\u79d2\u540e\u4f1a\u53d1\u51fa\u4e00\u4e2a\u4fe1\u53f7,\u68c0\u6d4b\u5230\u8fd9\u4e2a\u4fe1\u53f7\u5c31\u4f1a\u7ed3\u675f\u8fdb\u7a0b,\u6211\u4eec\u5148\u628a\u8fd9\u4e2a\u4e1c\u897fnop\u6389,\u65b9\u4fbf\u8c03\u8bd5.<\/p>\n
unsigned __int64 __fastcall parent_func(unsigned int son_pid)\n{\n __WAIT_STATUS stat_loc; \/\/ [rsp+18h] [rbp-2A8h] BYREF\n int v3; \/\/ [rsp+20h] [rbp-2A0h]\n int v4; \/\/ [rsp+24h] [rbp-29Ch]\n int i; \/\/ [rsp+28h] [rbp-298h]\n int v6; \/\/ [rsp+2Ch] [rbp-294h]\n int op_RIP; \/\/ [rsp+30h] [rbp-290h]\n int oprator; \/\/ [rsp+34h] [rbp-28Ch]\n __int64 op_RIP_prev; \/\/ [rsp+38h] [rbp-288h]\n _BYTE reg_context[128]; \/\/ [rsp+40h] [rbp-280h] BYREF\n uint64_t next; \/\/ [rsp+C0h] [rbp-200h]\n __int64 son_stk; \/\/ [rsp+D8h] [rbp-1E8h]\n _QWORD par_stack[51]; \/\/ [rsp+120h] [rbp-1A0h]\n unsigned __int64 v14; \/\/ [rsp+2B8h] [rbp-8h]\n\n v14 = __readfsqword(0x28u);\n v6 = 0;\n HIDWORD(stat_loc.__iptr) = 0;\n ptable = table_0;\n wait(&stat_loc);\n \/\/ \u5199\u5165\u7684\u5730\u5740\n while ( LOBYTE(stat_loc.__uptr) == 127 )\n {\n ptrace(PTRACE_GETREGS, son_pid, 0LL, reg_context);\/\/ \u8bfb\u53d6\u5b50\u8fdb\u7a0b\u4e2d\u7684\u5bc4\u5b58\u5668\u6570\u636e\n op_RIP = ptrace(PTRACE_PEEKTEXT, son_pid, next, 0LL);\n op_RIP_prev = ptrace(PTRACE_PEEKDATA, son_pid, next - 1, 0LL);\n if ( op_RIP_prev != 0xCC )\n {\n ptrace(PTRACE_KILL, son_pid, 0LL, 0LL);\n exit(0);\n }\n v3 = 1;\n if ( ptable->handler )\n {\n oprator = (ptable->handler)(reg_context);\n if ( oprator == 1 ) \/\/ op = 1, \u79fb\u52a8\u5230\u4e0b\u4e00\u4e2a\u64cd\u4f5c\u8868\n {\n ptable = ptable->next;\n }\n else if ( oprator )\n {\n switch ( oprator )\n {\n case 2: \/\/ ret\n if ( SHIDWORD(stat_loc.__iptr) <= 0 )\n exit(-1);\n ptable = par_stack[--HIDWORD(stat_loc.__iptr)];\n son_stk += 8LL;\n break;\n case 3: \/\/ call\n next = ptable->next;\n ptable = ptable->jump_target;\n son_stk -= 8LL;\n ptrace(PTRACE_POKEDATA, son_pid, son_stk, ptable->rip_value);\/\/ \u5199\u5165\u7684\u5730\u5740\n v3 = 0;\n break;\n case 4: \/\/ push\n if ( SHIDWORD(stat_loc.__iptr) > 48 )\n exit(-1);\n par_stack[SHIDWORD(stat_loc.__iptr)] = ptable->jump_target;\n ++HIDWORD(stat_loc.__iptr);\n son_stk -= 8LL;\n ptable = ptable->next;\n break;\n case 5:\n if ( SHIDWORD(stat_loc.__iptr) > 48 )\n exit(-1);\n par_stack[SHIDWORD(stat_loc.__iptr)] = ptable->jump_target;\n ++HIDWORD(stat_loc.__iptr);\n son_stk -= 8LL;\n v4 = 0;\n for ( i = 0; i <= 180; ++i )\n {\n if ( qword_606AD8[4 * i] == next )\n {\n ptable = &table_0[4 * i];\n v4 = 1;\n break;\n }\n }\n if ( !v4 )\n exit(-1);\n v3 = 0;\n break;\n }\n }\n else\n {\n ptable = ptable->jump_target;\n }\n }\n else\n {\n ptable = ptable->next;\n }\n if ( v3 )\n next = ptable->rip_value;\n ptrace(PTRACE_SETREGS, son_pid, 0LL, reg_context);\n if ( ptrace(PTRACE_CONT, son_pid, 0LL, 0LL) < 0 )\n {\n perror("Ptrace.");\n return __readfsqword(0x28u) ^ v14;\n }\n wait(&stat_loc);\n }\n return __readfsqword(0x28u) ^ v14;\n}\n<\/code><\/pre>\n\u770b\u5230\u7236\u8fdb\u7a0b\u7684\u4ee3\u7801,\u5927\u6982\u7684\u903b\u8f91\u5c31\u662f,\u7236\u8fdb\u7a0b\u4f1a\u4ece\u4e00\u4e2aptable\u4e2d\u8bfb\u53d6\u6570\u636e,\u6211\u4eec\u5199\u4e2a\u811a\u672cdump\u51fatable\u4e2d\u7684\u6570\u636e<\/p>\n
========================================================================================================================\nVM Table Dump - Base Address: 0x606AC0\n========================================================================================================================\nIndex Jump_Target Next Handler RIP_Value \n------------------------------------------------------------------------------------------------------------------------\n0 0x607160 0x607FE0 ret4 0x4009F7 \n1 0x607540 0x4008D0 ret3 0x400AFD \n2 NULL 0x606F00 NULL 0x400B03 \n3 0x607DC0 0x607E00 ret4 0x400B6E \n4 0x607920 0x400870 ret3 0x400B79 \n5 0x608000 0x607460 sub_401CA6 0x400B7C \n6 0x6077C0 0x607EA0 sub_401D22 0x400B81 \n7 0x6071E0 0x607BA0 ret4 0x400BAB \n8 0x607140 0x608120 sub_401D22 0x400BBE \n9 0x607840 0x400830 ret3 0x400BEB \n10 0x6070A0 0x400870 ret3 0x400BF8 \n11 0x607BE0 0x607120 ret4 0x400BFE \n12 0x607AC0 0x607F60 ret4 0x400C10 \n13 0x607600 0x607D20 sub_401D5B 0x400C25 \n14 0x607B80 0x607BA0 ret4 0x400C34 \n15 NULL 0x608100 NULL 0x400C47 \n16 0x606B80 0x400900 ret3 0x400C4F \n17 0x607B60 0x606EE0 sub_401CA6 0x400C74 \n18 0x6072C0 0x607A80 sub_401CA6 0x400C7C \n19 0x607CA0 0x607F40 sub_401CA6 0x400C84 \n20 NULL NULL ret2 0x400C8C \n21 0x607280 0x606FC0 ret4 0x400C96 \n22 NULL 0x607A20 NULL 0x400CCF \n23 0x6079C0 0x608060 ret4 0x400CDF \n24 NULL 0x6080C0 NULL 0x400D1F \n25 0x607040 0x400810 ret3 0x400D45 \n26 0x608020 0x607E00 ret4 0x400D4D \n27 NULL NULL ret2 0x400D58 \n28 NULL 0x607620 NULL 0x400D5B \n29 0x606D60 0x607120 ret4 0x400D90 \n30 NULL 0x607520 NULL 0x400DA3 \n31 NULL NULL ret2 0x400DDB \n32 0x607480 0x607340 sub_401D5B 0x400DE0 \n33 0x606BC0 0x400900 ret3 0x400DEF \n34 0x606CA0 0x606B00 sub_401CA6 0x400E1A \n35 NULL 0x6080C0 NULL 0x400E22 \n36 0x6077E0 0x608060 ret4 0x400E3A \n37 0x606DE0 0x400810 ret3 0x400E55 \n38 NULL NULL ret2 0x400E5D \n39 0x607100 0x606D40 sub_401D5B 0x400F5C \n40 0x607EC0 0x607860 sub_401DCD 0x400F6A \n41 NULL NULL ret2 0x400F7A \n42 NULL 0x607960 NULL 0x400F83 \n43 0x606B20 0x6080E0 sub_401CA6 0x400FB1 \n44 0x606C00 0x400810 ret3 0x400FC1 \n45 0x607080 0x607C80 ret4 0x400FC9 \n46 0x6079E0 0x607780 ret4 0x400FDB \n47 NULL 0x606B60 NULL 0x400FEE \n48 NULL NULL ret2 0x400FF6 \n49 NULL NULL ret2 0x400FF9 \n50 0x606D40 0x400820 ret3 0x400FFB \n51 0x607B40 0x606FC0 ret4 0x400FFC \n52 NULL 0x608120 NULL 0x401010 \n53 0x607260 0x4008A0 ret3 0x401018 \n54 NULL NULL ret2 0x401032 \n55 NULL 0x606D00 NULL 0x401034 \n56 0x607060 0x607C80 ret4 0x40104D \n57 0x6071C0 0x606C40 ret4 0x401060 \n58 NULL 0x608100 NULL 0x401073 \n59 NULL NULL ret2 0x401080 \n60 NULL 0x606B60 NULL 0x40117F \n61 0x607C40 0x4008A0 ret3 0x401184 \n62 0x607CC0 0x607120 ret4 0x40119E \n63 0x608140 0x607C80 ret4 0x4011B1 \n64 NULL 0x607A40 NULL 0x4011C4 \n65 NULL 0x606CE0 NULL 0x4011FF \n66 NULL 0x607C00 NULL 0x40120A \n67 NULL 0x606FA0 NULL 0x40120B \n68 NULL NULL ret2 0x40120C \n69 0x6078C0 0x608060 ret4 0x401213 \n70 0x607D00 0x608060 ret4 0x40122E \n71 0x607400 0x607E00 ret4 0x401249 \n72 0x607420 0x400810 ret3 0x401254 \n73 NULL 0x607F80 NULL 0x40125C \n74 0x607500 0x607220 ret4 0x40129F \n75 0x6074E0 0x400810 ret3 0x4012AA \n76 0x606DC0 0x4008D0 ret3 0x4012B2 \n77 NULL 0x6078E0 NULL 0x4012B8 \n78 0x607340 0x400820 ret3 0x4012C0 \n79 NULL 0x607C00 NULL 0x4012C1 \n80 NULL 0x607B00 NULL 0x4012C3 \n81 0x606F60 0x400810 ret3 0x4012E7 \n82 0x6080A0 0x608060 ret4 0x4012EF \n83 0x607000 0x606E80 sub_401CA6 0x40130A \n84 0x606F20 0x6074A0 sub_401D5B 0x401312 \n85 0x606F40 0x607E80 ret4 0x401319 \n86 0x607C60 0x606FC0 ret4 0x401324 \n87 0x607980 0x607C80 ret4 0x40132A \n88 NULL 0x6077A0 NULL 0x40133D \n89 NULL 0x606D00 NULL 0x40137F \n90 0x607D20 0x400820 ret3 0x40138A \n91 0x6070C0 0x606E40 sub_401CA6 0x40138B \n92 NULL 0x607A40 NULL 0x401390 \n93 0x607320 0x400810 ret3 0x4013C3 \n94 0x6075A0 0x606C40 ret4 0x4013CE \n95 0x6078A0 0x606FC0 ret4 0x4013E0 \n96 0x607680 0x606C40 ret4 0x4013F4 \n97 0x606AE0 0x607540 sub_401F0C 0x401407 \n98 0x607AE0 0x606DC0 ret4 0x40140F \n99 0x607440 0x400810 ret3 0x40141C \n100 0x6076E0 0x400860 ret3 0x40142F \n101 NULL 0x607A20 NULL 0x401441 \n102 0x607940 0x607F60 ret4 0x401476 \n103 0x606E20 0x6075C0 sub_401CA6 0x40148B \n104 NULL 0x607EA0 NULL 0x401490 \n105 NULL 0x607FA0 NULL 0x401498 \n106 0x607180 0x400820 ret3 0x4014A0 \n107 NULL NULL ret2 0x4014A1 \n108 0x6075E0 0x606DC0 ret4 0x4014AD \n109 NULL 0x607900 NULL 0x4014BD \n110 NULL NULL ret2 0x4014C4 \n111 0x607BC0 0x606FC0 ret4 0x4014C7 \n112 NULL 0x607020 NULL 0x4014CD \n113 0x607240 0x607DA0 sub_401CA6 0x4014D5 \n114 NULL NULL ret2 0x4014DA \n115 NULL 0x607D60 NULL 0x4014DC \n116 0x607F20 0x6076A0 ret4 0x4014F1 \n117 NULL 0x606F00 NULL 0x4014FA \n118 0x606C80 0x607780 ret4 0x401505 \n119 NULL NULL ret2 0x401518 \n120 NULL 0x607FA0 NULL 0x40151A \n121 0x6076C0 0x607BA0 ret4 0x401525 \n122 0x607700 0x400840 ret3 0x401538 \n123 0x607880 0x607760 sub_401CA6 0x401561 \n124 0x607200 0x607640 sub_401C31 0x401566 \n125 0x606C20 0x607120 ret4 0x401576 \n126 0x6071A0 0x400900 ret3 0x401589 \n127 0x6070E0 0x400820 ret3 0x40158A \n128 0x607820 0x6076A0 ret4 0x40158B \n129 0x607E40 0x4008C0 ret3 0x401594 \n130 0x606EC0 0x607F00 sub_401CA6 0x40159C \n131 NULL NULL ret2 0x4015A1 \n132 NULL NULL ret2 0x4015AD \n133 0x607660 0x607E60 sub_401CA6 0x4015B2 \n134 0x607E20 0x607BA0 ret4 0x4015BA \n135 0x607D40 0x607F60 ret4 0x4015CC \n136 NULL NULL ret2 0x4015E1 \n137 0x6073E0 0x606FC0 ret4 0x4015E3 \n138 0x607AA0 0x6070E0 sub_401D5B 0x401612 \n139 0x607360 0x607E80 ret4 0x401633 \n140 0x606BE0 0x4008A0 ret3 0x40163E \n141 0x6079A0 0x606FC0 ret4 0x401658 \n142 0x606EA0 0x607F60 ret4 0x40165E \n143 0x608040 0x607960 sub_401D22 0x401672 \n144 0x607A60 0x606FC0 ret4 0x401684 \n145 NULL 0x607B00 NULL 0x4016BF \n146 0x606B40 0x400900 ret3 0x401702 \n147 NULL NULL ret2 0x401703 \n148 0x607B20 0x606FC0 ret4 0x40170A \n149 0x6072E0 0x606CC0 sub_401CA6 0x401713 \n150 0x607C20 0x607220 ret4 0x40171B \n151 NULL 0x6078E0 NULL 0x401726 \n152 0x607380 0x607220 ret4 0x4017B9 \n153 0x606E60 0x606FC0 ret4 0x4017C4 \n154 NULL 0x607620 NULL 0x4017D1 \n155 0x6072A0 0x606C40 ret4 0x4017E1 \n156 0x607800 0x607180 sub_401D5B 0x4017F4 \n157 0x607FC0 0x400810 ret3 0x401802 \n158 NULL 0x607F80 NULL 0x40180D \n159 NULL 0x607D60 NULL 0x401831 \n160 NULL 0x607900 NULL 0x401839 \n161 NULL 0x607020 NULL 0x401843 \n162 0x606BA0 0x607780 ret4 0x40184E \n163 0x606FE0 0x606FC0 ret4 0x40185B \n164 NULL 0x606D20 NULL 0x401864 \n165 0x607580 0x606FC0 ret4 0x4018A3 \n166 0x606C60 0x607DE0 sub_401CA6 0x4018B7 \n167 0x6073A0 0x606E00 sub_401CA6 0x4018BC \n168 NULL 0x606FA0 NULL 0x4018CC \n169 0x6073C0 0x400810 ret3 0x4018CE \n170 NULL NULL ret2 0x4018E2 \n171 0x607560 0x607220 ret4 0x4018E5 \n172 NULL 0x607520 NULL 0x4018F0 \n173 NULL 0x6077A0 NULL 0x40193C \n174 NULL 0x606D20 NULL 0x401953 \n175 0x607EE0 0x608060 ret4 0x40195E \n176 0x607300 0x607740 sub_401C31 0x4019A2 \n177 0x607D80 0x607E00 ret4 0x4019AC \n178 0x606DA0 0x608080 sub_401C31 0x4019B7 \n179 NULL 0x606CE0 NULL 0x4019CA \n180 0x607CE0 0x607780 ret4 0x4019D2 \n------------------------------------------------------------------------------------------------------------------------\n\nTotal Valid Entries: 181\/181\n\nHandler Statistics:\n------------------------------------------------------------\n ret4 : 57 times\n ret3 : 30 times\n ret2 : 19 times\n sub_401CA6 : 16 times\n sub_401D5B : 6 times\n sub_401D22 : 3 times\n sub_401C31 : 3 times\n sub_401DCD : 1 times\n sub_401F0C : 1 times\n\n[+] Dump completed!\n<\/code><\/pre>\n\u6062\u590d\u4e00\u4e0b\u6267\u884c\u6d41,\u5230\u8fd9\u91cc\u5c31\u6ca1\u62db\u4e86,\u5b9e\u5728\u505a\u4e0d\u6765\u4e86<\/p>\n
========================================================================================================================\nVM Execution Trace (Mode: assume_false)\n========================================================================================================================\nStep PC Handler Op RIP Depth Note\n------------------------------------------------------------------------------------------------------------------------\n0 0 ret4 PUSH 0x4009F7 1 Push PC=53 to stack, depth=1\n1 169 ret3 CALL 0x4018CE 1 Call PC=72, push return=None, depth=1\n2 72 ret3 CALL 0x401254 1 Call PC=75, push return=None, depth=1\n3 75 ret3 CALL 0x4012AA 1 Call PC=81, push return=None, depth=1\n4 81 ret3 CALL 0x4012E7 1 Call PC=37, push return=None, depth=1\n5 37 ret3 CALL 0x400E55 1 Call PC=25, push return=None, depth=1\n6 25 ret3 CALL 0x400D45 1 Call PC=44, push return=None, depth=1\n7 44 ret3 CALL 0x400FC1 1 Call PC=10, push return=None, depth=1\n8 10 ret3 CALL 0x400BF8 1 Call PC=47, push return=None, depth=1\n9 47 NULL NEXT 0x400FEE 1 Unconditional next\n10 5 sub_401CA6 JUMP 0x400B7C 1 JLE [ASSUME FALSE] -> jump to PC=170\n11 170 ret2 RET 0x4018E2 0 Return to PC=53, stack depth=0\n12 53 ret3 CALL 0x401018 0 Call PC=61, push return=None, depth=0\n13 61 ret3 CALL 0x401184 0 Call PC=140, push return=None, depth=0\n14 140 ret3 CALL 0x40163E 0 Call PC=9, push return=None, depth=0\n15 9 ret3 CALL 0x400BEB 0 Call PC=108, push return=None, depth=0 \/\/ Input Your Flag...\n16 108 ret4 PUSH 0x4014AD 1 Push PC=89 to stack, depth=1\n17 24 NULL NEXT 0x400D1F 1 Unconditional next\n18 176 sub_401C31 JUMP 0x4019A2 1 JG [ASSUME FALSE] -> jump to PC=66\n19 66 NULL NEXT 0x40120A 1 Unconditional next\n20 138 sub_401D5B JUMP 0x401612 1 JZ [ASSUME FALSE] -> jump to PC=127\n21 127 ret3 CALL 0x40158A 1 Call PC=49, push return=None, depth=1\n22 49 ret2 RET 0x400FF9 0 Return to PC=89, stack depth=0\n23 89 NULL NEXT 0x40137F 0 Unconditional next\n24 18 sub_401CA6 JUMP 0x400C7C 0 JLE [ASSUME FALSE] -> jump to PC=64\n25 64 NULL NEXT 0x4011C4 0 Unconditional next\n26 124 sub_401C31 JUMP 0x401566 0 JG [ASSUME FALSE] -> jump to PC=58\n27 58 NULL NEXT 0x401073 0 Unconditional next\n28 178 sub_401C31 JUMP 0x4019B7 0 JG [ASSUME FALSE] -> jump to PC=23\n29 23 ret4 PUSH 0x400CDF 1 Push PC=120 to stack, depth=1\n30 173 NULL NEXT 0x40193C 1 Unconditional next\n31 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27\n32 27 ret2 RET 0x400D58 0 Return to PC=120, stack depth=0\n33 120 NULL NEXT 0x40151A 0 Unconditional next\n34 167 sub_401CA6 JUMP 0x4018BC 0 JLE [ASSUME FALSE] -> jump to PC=71\n35 71 ret4 PUSH 0x401249 1 Push PC=74 to stack, depth=1\n36 154 NULL NEXT 0x4017D1 1 Unconditional next\n37 91 sub_401CA6 JUMP 0x40138B 1 JLE [ASSUME FALSE] -> jump to PC=48\n38 48 ret2 RET 0x400FF6 0 Return to PC=74, stack depth=0\n39 74 ret4 PUSH 0x40129F 1 Push PC=82 to stack, depth=1\n40 59 ret2 RET 0x401080 0 Return to PC=82, stack depth=0\n41 82 ret4 PUSH 0x4012EF 1 Push PC=175 to stack, depth=1\n42 173 NULL NEXT 0x40193C 1 Unconditional next\n43 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27\n44 27 ret2 RET 0x400D58 0 Return to PC=175, stack depth=0\n45 175 ret4 PUSH 0x40195E 1 Push PC=161 to stack, depth=1\n46 173 NULL NEXT 0x40193C 1 Unconditional next\n47 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27\n48 27 ret2 RET 0x400D58 0 Return to PC=161, stack depth=0\n49 161 NULL NEXT 0x401843 0 Unconditional next\n50 43 sub_401CA6 JUMP 0x400FB1 0 JLE [ASSUME FALSE] -> jump to PC=3\n51 3 ret4 PUSH 0x400B6E 1 Push PC=152 to stack, depth=1\n52 154 NULL NEXT 0x4017D1 1 Unconditional next\n53 91 sub_401CA6 JUMP 0x40138B 1 JLE [ASSUME FALSE] -> jump to PC=48\n54 48 ret2 RET 0x400FF6 0 Return to PC=152, stack depth=0\n55 152 ret4 PUSH 0x4017B9 1 Push PC=70 to stack, depth=1\n56 59 ret2 RET 0x401080 0 Return to PC=70, stack depth=0\n57 70 ret4 PUSH 0x40122E 1 Push PC=146 to stack, depth=1\n58 173 NULL NEXT 0x40193C 1 Unconditional next\n59 103 sub_401CA6 JUMP 0x40148B 1 JLE [ASSUME FALSE] -> jump to PC=27\n60 27 ret2 RET 0x400D58 0 Return to PC=146, stack depth=0\n61 146 ret3 CALL 0x401702 0 Call PC=4, push return=None, depth=0\n62 4 ret3 CALL 0x400B79 0 Call PC=115, push return=None, depth=0\n63 115 NULL NEXT 0x4014DC 0 Unconditional next\n64 149 sub_401CA6 JUMP 0x401713 0 JLE [ASSUME FALSE] -> jump to PC=65\n66 17 sub_401CA6 JUMP 0x400C74 0 JLE [ASSUME FALSE] -> jump to PC=133 \/\/ cmp [rbp+var_1E0], 0Fh\n65 65 NULL NEXT 0x4011FF 0 Unconditional next\n66 17 sub_401CA6 JUMP 0x400C74 0 JLE [ASSUME FALSE] -> jump to PC=133 \/\/ cmp [rbp+var_1E0], 0Fh\n67 133 sub_401CA6 JUMP 0x4015B2 0 JLE [ASSUME FALSE] -> jump to PC=93 \/\/ cmp dword ptr [rbp-1DCh], 1Fh\n68 93 ret3 CALL 0x4013C3 0 Call PC=67, push return=None, depth=0 \/\/ Congratulation...\n69 67 NULL NEXT 0x40120B 0 Unconditional next\n70 39 sub_401D5B JUMP 0x400F5C 0 JZ [ASSUME FALSE] -> jump to PC=50\n71 50 ret3 CALL 0x400FFB 0 Call PC=20, push return=None, depth=0\n72 20 ret2 RET 0x400C8C 0 Stack Empty - PROGRAM EXIT\n========================================================================================================================\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"butterfly \u770b\u5230\u9644\u4ef6,\u7ed9\u51fa\u4e86\u4e00\u4e2akey\u548c\u52a0\u5bc6\u540e\u7684\u5bc6\u6587 \u7b80\u5355\u5206\u6790\u540e\u5c31\u53ef\u4ee5\u76f4\u63a5\u5199\u51fa\u89e3\u5bc6\u811a\u672c,\u751a\u81f3ai\u80fd\u76f4\u63a5 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-34","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/34","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/comments?post=34"}],"version-history":[{"count":1,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/34\/revisions"}],"predecessor-version":[{"id":35,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/34\/revisions\/35"}],"wp:attachment":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/media?parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/categories?post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/tags?post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}