强网先锋

babyre

主函数分析如下
2023-12-18T213604
同时注意到有 TLS 反调试
2023-12-18T213728
2023-12-18T213816
TLS反调试里修改了数据，考虑动调获取数据
先绕过两个 BeingDebugged
运行到 jz 跳转指令处，修改 ZF 标志为 0
2023-12-18T215532
下一个 jz 跳转指令处，修改 ZF 标志为 0
2023-12-18T220305
此时再 F9 运行，提示进到主函数里
随便输入长度为32的字符串，此时 IDA 进入了 TEA 函数
2023-12-18T220546
TEA 函数 IDA 分析有点问题
看看汇编
可以看到实际的 delta 值为 0x88408067
2023-12-18T221055
我们可以通过计算获取到解密脚本需要的 sum 值
也可以顺手在该函数中获取一下，运行第二个断点 return 处
查看一下 v4 的值 0xD192C263
2023-12-18T221555
最后回到主函数获取一下经过修改的 key 和 enc
2023-12-18T222002

exp

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
void decrypt(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i,j;
    uint32_t v0 = v[0], v1 = v[1], delta = 0x88408067, sum = 0xD192C263;
    for (j=0; j< 4; j++){
    for (i=0; i < num_rounds; i++) {
        sum -= delta;
        v1 -= (((v0 << 5) ^ (v0 >> 4)) + v0) ^ (sum + key[(sum>>11) & 3]);
        v0 -= (((v1 << 5) ^ (v1 >> 4)) + v1) ^ (sum + key[sum & 3]) ^ sum;
        
    }
    }
    v[0] = v0; v[1] = v1;
}
int main() {
    uint32_t const k[4] = {0x62, 0x6F, 0x6D, 0x62};
    uint32_t enc[] = {
      0x9523F2E0, 0x8ED8C293, 0x8668C393, 0xDDF250BC, 0x510E4499, 0x8C60BD44, 0x34DCABF2, 0xC10FD260};
    unsigned int r = 33;
    for(int i=0; i<8; i+=2){
        decrypt(r, &enc[i], k);
    }
    printf("Decrypted data is: %s\n",(char*)enc);
    return 0;
}
//Decrypted data is: flag{K1k1_S_1ov3_fr0m_Ch1ck_wh0_1s_w0rk1ng_h@rD}4

flag

flag{K1k1_S_1ov3_fr0m_Ch1ck_wh0_1s_w0rk1ng_h@rD}

ezre

OLLVM 混淆控制流平坦化 D810 梭
主函数如下
2023-12-19T001617
先看最后一步 sub_401EB0
2023-12-19T000844
先逆一下，动调取出 base64_Table
2023-12-19T002300
2023-12-19T001904
2023-12-19T002034
2023-12-19T002122
2023-12-19T002158

enc =[0x3A, 0x2C, 0x4B, 0x51, 0x68, 0x46, 0x59, 0x63, 0x24, 0x04, 0x5E, 0x5F, 0x00, 0x0C, 0x2B, 0x03, 0x29, 0x5C, 0x74, 0x70, 0x6A, 0x62, 0x7F, 0x3D, 0x2C, 0x4E, 0x6F, 0x13, 0x06, 0x0D, 0x06, 0x0C, 0x4D, 0x56, 0x0F, 0x28, 0x4D, 0x51, 0x76, 0x70, 0x2B, 0x05, 0x51, 0x68, 0x48, 0x55, 0x24, 0x19]
table = ["l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr",
       "FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8",
       "Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA",
       "pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a",
       "plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6"]
v5 = [ord(i) ^ 0x27 for i in table[4]][6:6+0x15]
idx = 2023
xor = []
for i in range(47):
    if i % 3 == 1:
       idx = (idx + 5) % 20
       tmp = v5[idx + 1]
    elif i % 3 == 2:
       idx = (idx + 7) % 19
       tmp = v5[idx + 2]
    else:
       idx = (idx + 3) % 17
       tmp = v5[idx + 3]
    xor.append(tmp)
for i in range(46, -1, -1):
    enc[i + 1] ^= enc[i]
    enc[i] ^= xor[i]
for i in enc:
   print(chr(i), end='')
#WZqSWcUtWBLlOriEfcajWBSRstLlkEfFWR7j/R7dMCDGnp==

最后再返回去依次用
plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6解码
pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a编码
Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA解码
FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8编码
l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr解码
2023-12-19T004209

exp

import base64
enc =[0x3A, 0x2C, 0x4B, 0x51, 0x68, 0x46, 0x59, 0x63, 0x24, 0x04, 0x5E, 0x5F, 0x00, 0x0C, 0x2B, 0x03, 0x29, 0x5C, 0x74, 0x70, 0x6A, 0x62, 0x7F, 0x3D, 0x2C, 0x4E, 0x6F, 0x13, 0x06, 0x0D, 0x06, 0x0C, 0x4D, 0x56, 0x0F, 0x28, 0x4D, 0x51, 0x76, 0x70, 0x2B, 0x05, 0x51, 0x68, 0x48, 0x55, 0x24, 0x19]
table = ["l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr",
       "FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8",
       "Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA",
       "pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a",
       "plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6"]
v5 = [ord(i) ^ 0x27 for i in table[4]][6:6+0x15]
idx = 2023
xor = []
for i in range(47):
    if i % 3 == 1:
       idx = (idx + 5) % 20
       tmp = v5[idx + 1]
    elif i % 3 == 2:
       idx = (idx + 7) % 19
       tmp = v5[idx + 2]
    else:
       idx = (idx + 3) % 17
       tmp = v5[idx + 3]
    xor.append(tmp)
for i in range(46, -1, -1):
    enc[i + 1] ^= enc[i]
    enc[i] ^= xor[i]
cipher = ''
for i in enc:
   cipher += chr(i)
print(cipher)
#WZqSWcUtWBLlOriEfcajWBSRstLlkEfFWR7j/R7dMCDGnp==
def custom_base64_decode(data, custom_chars):
    # 创建标准Base64字符集和自定义字符集的映射表
    base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    char_map = str.maketrans( custom_chars, base64_chars)
    # 替换为自定义字符
    data = data.translate(char_map)
    # 使用标准Base64解码
    decoded_data = base64.b64decode(data.encode())
    return decoded_data
def custom_base64_encode(data, custom_chars):
    # 创建标准Base64字符集和自定义字符集的映射表
    base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    char_map = str.maketrans(base64_chars, custom_chars)
    # 使用标准Base64编码
    encoded_data = base64.b64encode(data).decode()
    # 替换为自定义字符
    encoded_data = encoded_data.translate(char_map)
    return encoded_data
flag = custom_base64_decode(cipher, table[4])
flag = custom_base64_encode(flag, table[3])
flag = custom_base64_decode(flag, table[2])
flag = custom_base64_encode(flag, table[1])
flag = custom_base64_decode(flag, table[0])
print(flag.decode())
#flag{3ea590ccwxehg715264fzxnzepqz}

flag

flag{3ea590ccwxehg715264fzxnzepqz}

Reverse

ezre

同样的 OLLVM 混淆控制流平坦化 D810 梭
主函数如下
2023-12-21T202310
没什么有价值信息，只在 sub_3180 里看到了假 flag
函数不多一个个找，发现 sub_3580 里有个可疑数据，长得很像加密过程
2023-12-21T202638
而且调用了 sub_2220 可以看出来是 SM4 加密 signsrch 也识别出来了
2023-12-21T203148
直接 cyberchef 梭
2023-12-21T203431

flag

flag{h3kk0_w0rld_sur3_3n0ugh}

dotdot

DIE 查看 PE 结构发现是 .NET 程序
用 dnSpy 打开，发现有数据没有反编译出来
改用 ILSpy 打开，正常反编译可以看到数据
AAA 是白盒 AES
BBB 是长度判断，要求长度为16
CCC 是比较函数，
DDD 是 License.dat 的读取函数
EEE 是将输入作为 key 进行 RC4 解密 License.dat
FFF 里进行 TEA 加密，然后校验加密结果，并且对 License.dat 进行MD5校验，校验正确了再异或求出正确flag
一步步来，先解白盒 AES 可以看到 v14 是 Tboxes
2023-12-22T171348
whitebox-aes
解出来主密钥为 QWB2023HappyGame
2023-12-22T171604
AES 解密一下 v4 解出 RC4 的 key 也就是输入

from Crypto.Cipher import AES
enc = [97, 147, 49, 123, 248, 150, 224, 0, 165, 39, 183, 55, 74, 227, 3, 168]
key = b'QWB2023HappyGame'
aes = AES.new(key, AES.MODE_ECB)
input = aes.decrypt(bytes(enc)).decode()
print(input)
# WelcomeToQWB2023

然后 RC4 解密 License.dat

from Crypto.Cipher import ARC4
with open('License.dat', 'rb') as f:
    data = f.read()
key = b'WelcomeToQWB2023'
rc4 = ARC4.new(key)
with open('License_decry.dat', 'wb') as f:
    f.write(rc4.decrypt(data))

接着随便写个 C# 读取 License_decry.dat

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] data = File.ReadAllBytes("License_decry.dat");
            string str = Encoding.UTF8.GetString(data);
            Console.WriteLine(str);
        }
    }
}

发现报错，应该是需要修复
2023-12-22T175437
这一段数据前一段0字节长度为0x15，后一段长度为0x10
应该是 TEA 加密的数据，长度为0x15的数据是 enc，长度为0x10的数据是 key
根据 FFF 函数解一下 TEA
2023-12-22T180819

import struct
v28 = bytes([
		69, 182, 171, 33, 121, 107, 254, 150, 92, 29, 4, 178, 138, 166, 184, 106, 53, 241, 42, 191, 23, 211, 3, 107])
key = struct.unpack('<4I', b'WelcomeToQWB2023')
delta = 3735928559
flag = b''
for i in range(0, len(v28), 8):
    sum = (32*delta) & 0xFFFFFFFF
    v0, v1 = struct.unpack_from('<2I', v28, i)
    for k in range(32):
        v1 -= ((v0 << 4) + key[2] ^ v0 + sum ^ (v0 >> 5) + key[3])
        v1 &= 0xFFFFFFFF
        v0 -= ((v1 << 4) + key[0] ^ v1 + sum ^ (v1 >> 5) + key[1])
        v0 &= 0xFFFFFFFF
        sum -= delta
        sum &= 0xFFFFFFFF
    flag += struct.pack('<2I', v0, v1)
print(flag.decode())
# dotN3t_Is_1nt3r3sting

填入 License_decry.dat 修复一下
0x15和0x10是长度
2023-12-22T182329
最后由 MD5 求出 flag

# 将缺失的数据填入 License_decry.dat
with open('License_decry.dat', 'rb') as f:
    data = list(f.read())
    data[658] = 21
    data[659:680] = list(b'dotN3t_Is_1nt3r3sting')
    data[685] = 16
    data[686:702] = list(b'WelcomeToQWB2023')
with open('License_decry.dat', 'wb') as f:
    f.write(bytes(data))
# MD5 解密出 flag
h = md5(open("License_decry.dat", "rb").read()).digest()
v10 =[59, 65, 108, 110, 223, 90, 245, 226, 6, 122, 219, 170, 147, 176, 22, 190, 60, 24, 58, 86, 150, 97, 188, 166, 113, 104, 232, 197, 234, 225, 22, 183, 40, 78, 102, 116]
for i in range(len(v10)):
    v10[i] ^= h[i % len(h)]
print(bytes(v10).decode())
# flag{d0tN3t_I5_Ea57_2_y09!G00d_Luck}

exp

from Crypto.Cipher import AES
from Crypto.Cipher import ARC4
import struct
from hashlib import md5
# AES 解密出输入作为 key
enc = [97, 147, 49, 123, 248, 150, 224, 0, 165, 39, 183, 55, 74, 227, 3, 168]
key = b'QWB2023HappyGame'
aes = AES.new(key, AES.MODE_ECB)
input = aes.decrypt(bytes(enc)).decode()
print(input)
# WelcomeToQWB2023
# ARC4 解密 License.dat
with open('License.dat', 'rb') as f:
    data = f.read()
key = b'WelcomeToQWB2023'
rc4 = ARC4.new(key)
with open('License_decry.dat', 'wb') as f:
    f.write(rc4.decrypt(data))
# TEA 解密出缺失的数据
v28 = bytes([
		69, 182, 171, 33, 121, 107, 254, 150, 92, 29, 4, 178, 138, 166, 184, 106, 53, 241, 42, 191, 23, 211, 3, 107])
key = struct.unpack('<4I', b'WelcomeToQWB2023')
delta = 3735928559
flag = b''
for i in range(0, len(v28), 8):
    sum = (32*delta) & 0xFFFFFFFF
    v0, v1 = struct.unpack_from('<2I', v28, i)
    for k in range(32):
        v1 -= ((v0 << 4) + key[2] ^ v0 + sum ^ (v0 >> 5) + key[3])
        v1 &= 0xFFFFFFFF
        v0 -= ((v1 << 4) + key[0] ^ v1 + sum ^ (v1 >> 5) + key[1])
        v0 &= 0xFFFFFFFF
        sum -= delta
        sum &= 0xFFFFFFFF
    flag += struct.pack('<2I', v0, v1)
print(flag.decode())
# dotN3t_Is_1nt3r3sting
# 将缺失的数据填入 License_decry.dat
with open('License_decry.dat', 'rb') as f:
    data = list(f.read())
    data[658] = 21
    data[659:680] = list(b'dotN3t_Is_1nt3r3sting')
    data[685] = 16
    data[686:702] = list(b'WelcomeToQWB2023')
with open('License_decry.dat', 'wb') as f:
    f.write(bytes(data))
# MD5 解密出 flag
h = md5(open("License_decry.dat", "rb").read()).digest()
v10 =[59, 65, 108, 110, 223, 90, 245, 226, 6, 122, 219, 170, 147, 176, 22, 190, 60, 24, 58, 86, 150, 97, 188, 166, 113, 104, 232, 197, 234, 225, 22, 183, 40, 78, 102, 116]
for i in range(len(v10)):
    v10[i] ^= h[i % len(h)]
print(bytes(v10).decode())
# flag{d0tN3t_I5_Ea57_2_y09!G00d_Luck}

flag

flag{d0tN3t_I5_Ea57_2_y09!G00d_Luck}

unname

java 层面的反调试，用 jadx 打开，没发现什么逻辑，
只能看到调用了 native 层的 check 函数
so 文件里 check 函数挺长的，调试一下
找到关键运算
2023-12-25T222532
label_147 是最终的判断
计算一下
2023-12-24T213230

from z3 import *

solver = Solver()
# 使用BitVec而不是Int，并指定位数
x1 = BitVec('x1', 64)
x2 = BitVec('x2', 64)
x3 = BitVec('x3', 64)
x4 = BitVec('x4', 64)

solver.add((x1 + 0x5474374041455247) ^ 0x6835B4293DD0D39E == 0)
solver.add((x4 - 0x7DC131EF140E7742) ^ 0xE69C68D3BC875A19 == 0)
solver.add((x3 - 0x452C699C4F4C522D) ^ 0x1B69DAF30AE1351F == 0)
solver.add((x2 + 0x6523745F644E5642) ^ 0xACA0DA795EF62809 == 0)

if solver.check() == sat:
    model = solver.model()
    for i in model:
        # 使用int()函数将BitVecNumRef转换为整数
        print(i, hex(int(model[i].as_long())))
# x3 0x6096448f5a2d874c
# x2 0x477d6619faa7d1c7
# x1 0x13c17ce8fc8b8157
# x4 0x645d9ac2d095d15b

通过 ida/plugins/defs.h 查看__ROR8__定义
2023-12-25T220302
2023-12-25T220701
2023-12-25T221021
即

unsigned long long __ROR8__(unsigned long long val, unsigned int shift){
    shift = shift % 64; 
    if (shift == 0) return val;
    return (val >> shift) | (val << (64 - shift));
}
void vaddq_s64(unsigned long long* a, unsigned long long* b, unsigned long long* res){
    res[0] = a[0] + b[0]; res[1] = a[1] + b[1];
}

unsigned long long vaddvq_s64(unsigned long long* a){
    return a[0] + a[1];
}

模拟while循环的加密过程

#include <stdio.h>

unsigned long long ptr[80] = {
 0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455247,
 0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6366,
 0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E71,
 0x5474374041455247, 0x823ECE10EBF188BE, 0xBAD39663B0B3ADD3, 0x6523745F644E5633,
 0x33E95EAA8C9B6365, 0xBAD39663B0B3ADD3, 0x9F44A2B46C50D06D, 0x5F30535F59333363,
 0x465F5530595F4E6F, 0x9F44A2B46C50D06D, 0xAD85C2C5B88958B8, 0x547437404145524C,
 0x6523745F644E5630, 0xAD85C2C5B88958B8, 0xC8E878739899B1AB, 0x33E95EAA8C9B636B,
 0x5F30535F5933335F, 0xC8E878739899B1AB, 0x6E0A8CFF949DDDA2, 0x465F5530595F4E76,
 0x5474374041455247, 0x6E0A8CFF949DDDA2, 0x94B4C496B8B573C8, 0x6523745F644E5638,
 0x33E95EAA8C9B6365, 0x94B4C496B8B573C8, 0xD997B592BBA2B594, 0x5F30535F59333368,
 0x465F5530595F4E6F, 0xD997B592BBA2B594, 0x995181B46135AD9C, 0x5474374041455251,
 0x6523745F644E5630, 0x995181B46135AD9C, 0xA2C9A6A6A09B77A0, 0x33E95EAA8C9B6370,
 0x5F30535F5933335F, 0xA2C9A6A6A09B77A0, 0xA85D9FDDE3EFC2C9, 0x465F5530595F4E7B,
 0x5474374041455247, 0xA85D9FDDE3EFC2C9, 0x808083856161C8AC, 0x6523745F644E563D,
 0x33E95EAA8C9B6365, 0x808083856161C8AC, 0xB378E3C5C3A47B89, 0x5F30535F5933336D,
 0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455256,
 0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6375,
 0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E80,
 0x0000007A414B22C2, 0x0000000000000028, 0x0000000000000000, 0xB400007B596C6C00,
 0xB400007A99ABAC40, 0x0000000000000010, 0x0000000000000010, 0x0000000000000001
};

//x1, x2, x3, x4最终的结果
unsigned long long res[4] = {
    0x3c17ce8fc8b8157, 0x477d6619faa7d1c7, 0x6096448f5a2d874c,0x645d9ac2d095d15b
};

unsigned char ror_num[16] = {
    0x0E, 0x10, 0x34, 0x39, 0x17, 0x28, 0x05, 0x25, 0x19, 0x21, 0x2E, 0x0C, 0x3A, 0x16, 0x20, 0x20
};

unsigned long long __ROR8__(unsigned long long val, unsigned int shift){
    shift = shift % 64; 
    if (shift == 0) return val;
    return (val >> shift) | (val << (64 - shift));
}
void vaddq_s64(unsigned long long* a, unsigned long long* b, unsigned long long* res){
    res[0] = a[0] + b[0]; res[1] = a[1] + b[1];
}

unsigned long long vaddvq_s64(unsigned long long* a){
    return a[0] + a[1];
}

int main(){
    unsigned long long input[4] = {
        0x3c17ce8fc8b8157, 0x477d6619faa7d1c7, 0x6096448f5a2d874c,0x645d9ac2d095d15b
    };
    int v49 = 0;
    int v61 = 0;
    unsigned char * v52, * v62;
    unsigned long long* v53;
    unsigned long long v54[2] = { 0 };
    unsigned long long * v51 = &input[2];
    unsigned long long v55, v58, v63;
    unsigned long long x1, x2, x3, x4;
    do {
        while (1){
            v61 = v49 % 8;
            if (v49 % 4 != 0){
                break;
            }
            v52 = &ror_num[2 * v61];
            v53 = &ptr[4 * (v49 >> 2)];
            vaddq_s64(v53+2, &input[2], v54);
            v55 = v53[1] + input[1];
            x1 = v53[0] + input[0] + v55;
            x2 = __ROR8__(v55, 64 - v52[0]) ^ x1;
            input[0] = x1;
            v58 = __ROR8__(v54[1], 64 - v52[1]);
            v51[1] = x2;
            x3 = vaddvq_s64(v54);
            x4 = v58 ^ x3;
            input[1] = x4;
            v49++;
            v51[0] = x3;
            printf("v49: %d\n", v49);
            printf("0x%llX\n", x1);
            printf("0x%llX\n", x2);
            printf("0x%llX\n", x3);
            printf("0x%llX\n", x4);
            printf("-----------------------------------\n");
            if (v49 == 72)
                goto LABEL_147;
        }
        v62 = &ror_num[2 * v61];
        x1 = input[1] + input[0];
        input[0] = x1;
        x2 = __ROR8__(input[1], 64 - v62[0]) ^ x1;
        v51[0] = vaddvq_s64(v51);
        v63 = __ROR8__(v51[1], 64 - v62[1]);
        x3 = v51[0];
        v51[1] = x2;
        x4 = v63 ^ v51[0];
        input[1] = x4;
        ++v49;
        printf("v49: %d\n", v49);
        printf("0x%llX\n", x1);
        printf("0x%llX\n", x2);
        printf("0x%llX\n", x3);
        printf("0x%llX\n", x4);
        printf("-----------------------------------\n");
    } while (v49 != 72);

LABEL_147:
    printf("end\n");
    printf("0x%llX\n", x1);
    printf("0x%llX\n", x2);
    printf("0x%llX\n", x3);
    printf("0x%llX\n", x4);
    return 0;
}

逆一下

exp

#include <stdio.h>

unsigned long long ptr[80] = {
 0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455247,
 0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6366,
 0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E71,
 0x5474374041455247, 0x823ECE10EBF188BE, 0xBAD39663B0B3ADD3, 0x6523745F644E5633,
 0x33E95EAA8C9B6365, 0xBAD39663B0B3ADD3, 0x9F44A2B46C50D06D, 0x5F30535F59333363,
 0x465F5530595F4E6F, 0x9F44A2B46C50D06D, 0xAD85C2C5B88958B8, 0x547437404145524C,
 0x6523745F644E5630, 0xAD85C2C5B88958B8, 0xC8E878739899B1AB, 0x33E95EAA8C9B636B,
 0x5F30535F5933335F, 0xC8E878739899B1AB, 0x6E0A8CFF949DDDA2, 0x465F5530595F4E76,
 0x5474374041455247, 0x6E0A8CFF949DDDA2, 0x94B4C496B8B573C8, 0x6523745F644E5638,
 0x33E95EAA8C9B6365, 0x94B4C496B8B573C8, 0xD997B592BBA2B594, 0x5F30535F59333368,
 0x465F5530595F4E6F, 0xD997B592BBA2B594, 0x995181B46135AD9C, 0x5474374041455251,
 0x6523745F644E5630, 0x995181B46135AD9C, 0xA2C9A6A6A09B77A0, 0x33E95EAA8C9B6370,
 0x5F30535F5933335F, 0xA2C9A6A6A09B77A0, 0xA85D9FDDE3EFC2C9, 0x465F5530595F4E7B,
 0x5474374041455247, 0xA85D9FDDE3EFC2C9, 0x808083856161C8AC, 0x6523745F644E563D,
 0x33E95EAA8C9B6365, 0x808083856161C8AC, 0xB378E3C5C3A47B89, 0x5F30535F5933336D,
 0x465F5530595F4E6F, 0xB378E3C5C3A47B89, 0xD3A49492B08792C3, 0x5474374041455256,
 0x6523745F644E5630, 0xD3A49492B08792C3, 0x8E9565954947CC84, 0x33E95EAA8C9B6375,
 0x5F30535F5933335F, 0x8E9565954947CC84, 0x823ECE10EBF188BE, 0x465F5530595F4E80,
 0x0000007A414B22C2, 0x0000000000000028, 0x0000000000000000, 0xB400007B596C6C00,
 0xB400007A99ABAC40, 0x0000000000000010, 0x0000000000000010, 0x0000000000000001
};

//x1, x2, x3, x4最终的结果
unsigned long long res[4] = {
    0x3c17ce8fc8b8157, 0x477d6619faa7d1c7, 0x6096448f5a2d874c,0x645d9ac2d095d15b
};

unsigned char ror_num[16] = {
    0x0E, 0x10, 0x34, 0x39, 0x17, 0x28, 0x05, 0x25, 0x19, 0x21, 0x2E, 0x0C, 0x3A, 0x16, 0x20, 0x20
};

unsigned long long __ROR8__(unsigned long long val, unsigned int shift){
    shift = shift % 64; 
    if (shift == 0) return val;
    return (val >> shift) | (val << (64 - shift));
}
void vaddq_s64(unsigned long long* a, unsigned long long* b, unsigned long long* res){
    res[0] = a[0] + b[0]; res[1] = a[1] + b[1];
}

unsigned long long vaddvq_s64(unsigned long long* a){
    return a[0] + a[1];
}

int main(){
    unsigned long long input[4] = { 0 };
    int v49 = 72;
    int v61 = 0;
    unsigned char * v52, * v62;
    unsigned long long* v53;
    unsigned long long v54[2] = { 0 };
    unsigned long long * v51 = &input[2];
    unsigned long long v55, v58, v63;
    unsigned long long x1 = 0x13c17ce8fc8b8157, x2 = 0x477d6619faa7d1c7, x3 = 0x6096448f5a2d874c, x4 = 0x645d9ac2d095d15b;
    while (v49 >= 1){
        --v49;
        v61 = v49 % 8;
        if (v49 % 4 != 0){
            v62 = &ror_num[2 * v61];
            input[1] = x4;
            v51[1] = x2;
            v51[0] = x3;
            v63 = v51[0] ^ x4;
            v51[1] = __ROR8__(v63, v62[1]);
            v51[0] = v51[0] - v51[1];
            input[1] = __ROR8__(x1 ^ x2, v62[0]);
            input[0] = x1 - input[1];
        }else {
            v52 = &ror_num[2 * v61];
            v53 = &ptr[4 * (v49 >> 2)];
            v51[0] = x3;
            input[1] = x4;
            v58 = x3 ^ x4;
            v51[1] = x2;
            v54[1] = __ROR8__(v58, v52[1]);
            v54[0] = x3 - v54[1];
            input[0] = x1;
            v55 = __ROR8__(x1 ^ x2, v52[0]);
            input[0] = x1 - v55 - v53[0];
            input[1] = v55 - v53[1];
            unsigned long long* v53_2 = v53 + 2;
            input[2] = v54[0] - v53_2[0];
            input[3] = v54[1] - v53_2[1];
        }
        x1 = input[0];
        x4 = input[1];
        x3 = input[2];
        x2 = input[3];
    }
    printf("%s\n", (char*)input);
    return 0;
}
// flag{7hIs_I$_nEw_Try1N9_@cu7U@1}0@@

flag

flag{7hIs_I$_nEw_Try1N9_@cu7U@1}