RoarCTF2019逆向题writeup
现在还在思考为啥要打RoarCTF,自己找虐。既然打了就分享一波,polyre题,现在还没有该文件的地址,之后我放出来。
话不多说,直接上解法,首先用IDA逆向,拿伪代码如下(这个代码写的是挺恶心的,请教了一个专门做嵌入式工作的朋友也被恶心到了):
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
signed int v3; // ecx
signed int v4; // ecx
signed int v5; // ecx
signed int v6; // ecx
signed int v7; // ecx
signed int v8; // ecx
signed int v9; // ecx
signed int v10; // ecx
signed int v11; // ecx
signed int v12; // ecx
signed int v13; // ecx
signed int v14; // ecx
signed int v15; // ecx
signed int v16; // ecx
signed int v17; // ecx
signed int v18; // ecx
signed int v19; // ecx
signed int v20; // ecx
signed int v21; // ecx
signed int v22; // esi
signed int v23; // ecx
signed int v24; // ecx
signed int v25; // ecx
signed int v26; // ecx
signed int v28; // [rsp+1DCh] [rbp-114h]
unsigned __int64 v29; // [rsp+1E0h] [rbp-110h]
int v30; // [rsp+1E8h] [rbp-108h]
int v31; // [rsp+1ECh] [rbp-104h]
char s1[48]; // [rsp+1F0h] [rbp-100h]
char s[60]; // [rsp+220h] [rbp-D0h]
unsigned int v34; // [rsp+25Ch] [rbp-94h]
char *v35; // [rsp+260h] [rbp-90h]
int v36; // [rsp+26Ch] [rbp-84h]
bool v37; // [rsp+272h] [rbp-7Eh]
unsigned __int8 v38; // [rsp+273h] [rbp-7Dh]
int v39; // [rsp+274h] [rbp-7Ch]
char *v40; // [rsp+278h] [rbp-78h]
int v41; // [rsp+284h] [rbp-6Ch]
int v42; // [rsp+288h] [rbp-68h]
bool v43; // [rsp+28Fh] [rbp-61h]
char *v44; // [rsp+290h] [rbp-60h]
int v45; // [rsp+298h] [rbp-58h]
bool v46; // [rsp+29Fh] [rbp-51h]
__int64 v47; // [rsp+2A0h] [rbp-50h]
bool v48; // [rsp+2AFh] [rbp-41h]
unsigned __int64 v49; // [rsp+2B0h] [rbp-40h]
unsigned __int64 v50; // [rsp+2B8h] [rbp-38h]
unsigned __int64 v51; // [rsp+2C0h] [rbp-30h]
unsigned __int64 v52; // [rsp+2C8h] [rbp-28h]
int v53; // [rsp+2D0h] [rbp-20h]
int v54; // [rsp+2D4h] [rbp-1Ch]
char *v55; // [rsp+2D8h] [rbp-18h]
int v56; // [rsp+2E0h] [rbp-10h]
int v57; // [rsp+2E4h] [rbp-Ch]
bool v58; // [rsp+2EBh] [rbp-5h]
unsigned int v59; // [rsp+2ECh] [rbp-4h]
v34 = 0;
v28 = 2013758019;
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( v28 == -2119479925 )
{
v30 = 0;
v28 = 1768345936;
}
if ( v28 != -2087982142 )
break;
v28 = -477867459;
}
if ( v28 != -2048748379 )
break;
v28 = 283854908;
}
if ( v28 != -1971893440 )
break;
v28 = -981997032;
}
if ( v28 != -1876979972 )
break;
v28 = 1278104886;
}
if ( v28 != -1843952179 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v21 = -1358401961;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v21 = -759088748;
v28 = v21;
}
if ( v28 != -1841026192 )
break;
v28 = -981997032;
}
if ( v28 != -1835257763 )
break;
v31 = 0;
v28 = -194920207;
}
if ( v28 != -1834653726 )
break;
v42 = v30;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v13 = 762694599;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v13 = 1591698962;
v28 = v13;
}
if ( v28 != -1799275846 )
break;
v28 = 1988968584;
}
if ( v28 != -1780989165 )
break;
v29 = *(_QWORD *)&v44[8 * v30];
v28 = -1835257763;
}
if ( v28 != -1732387288 )
break;
a3 = (char **)2110558301;
if ( v58 )
a3 = (char **)3153606742LL;
v28 = (signed int)a3;
}
if ( v28 != -1682981725 )
break;
a3 = (char **)873723531;
if ( v43 )
a3 = (char **)1558414728;
v28 = (signed int)a3;
}
if ( v28 != -1679168360 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v8 = -1608245220;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v8 = -1039797642;
v28 = v8;
}
if ( v28 != -1658420490 )
break;
v28 = 738697886;
}
if ( v28 != -1608245220 )
break;
v28 = -1039797642;
}
if ( v28 != -1593453884 )
break;
v29 = v49;
v28 = -210664208;
}
if ( v28 != -1588745861 )
break;
v49 = 2 * v29;
v28 = -1099829591;
}
if ( v28 != -1578333348 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v7 = -1015938266;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v7 = 977391758;
v28 = v7;
}
if ( v28 != -1453272720 )
break;
v51 = v29;
v28 = 1416478473;
}
if ( v28 != -1395524712 )
break;
v57 = memcmp(s1, &unk_402170, 0x30uLL);
v24 = 2127761645;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v24 = -2048748379;
v28 = v24;
}
if ( v28 != -1358463792 )
break;
v28 = 165194735;
}
if ( v28 != -1358401961 )
break;
*(_QWORD *)v55 = v29;
v28 = -759088748;
}
if ( v28 != -1243245941 )
break;
v28 = 1852460924;
}
if ( v28 != -1241653263 )
break;
v31 = v41;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v11 = 1958488484;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v11 = 397199458;
v28 = v11;
}
if ( v28 != -1146236158 )
break;
a3 = (char **)3169640671LL;
if ( v46 )
a3 = (char **)174114970;
v28 = (signed int)a3;
}
if ( v28 != -1141360554 )
break;
v28 = -1971893440;
puts("Wrong!");
}
if ( v28 != -1125326625 )
break;
v54 = 8 * v30;
v28 = 1241066884;
}
if ( v28 != -1104384261 )
break;
v40 = &s[v31];
v28 = -199559592;
}
if ( v28 != -1099829591 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v17 = -1593453884;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v17 = -210664208;
v28 = v17;
}
if ( v28 != -1039797642 )
break;
v39 = v38;
a3 = (char **)2686722076LL;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
a3 = (char **)2417987324LL;
v28 = (signed int)a3;
}
if ( v28 != -1015938266 )
break;
v28 = -1578333348;
}
if ( v28 != -1008576722 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v16 = -2087982142;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v16 = -477867459;
v28 = v16;
}
if ( v28 != -1002050507 )
break;
v29 = v52;
v28 = 1471710476;
}
if ( v28 != -987629196 )
break;
v53 = v31;
v28 = 183264728;
}
if ( v28 != -981997032 )
break;
v59 = v34;
v28 = 1934644251;
}
if ( v28 != -853256898 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v10 = 1958488484;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v10 = -1241653263;
v28 = v10;
}
if ( v28 != -759088748 )
break;
*(_QWORD *)v55 = v29;
a3 = (char **)140103415;
v22 = -1358401961;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v22 = 140103415;
v28 = v22;
}
if ( v28 != -744786104 )
break;
v38 = s[v31];
v28 = -1679168360;
}
if ( v28 != -718028952 )
break;
v28 = -213314773;
}
if ( v28 != -506887986 )
break;
v31 = 0;
v28 = -469992559;
__isoc99_scanf("%s", v35, a3);
}
if ( v28 != -490420216 )
break;
a3 = (char **)2841694576LL;
if ( v48 )
a3 = (char **)2706221435LL;
v28 = (signed int)a3;
}
if ( v28 != -484679360 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v14 = 550812935;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v14 = 253474089;
v28 = v14;
}
if ( v28 != -477867459 )
break;
v46 = v45 < 64;
a3 = (char **)2206985154LL;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
a3 = (char **)1590869113;
v28 = (signed int)a3;
}
if ( v28 != -469992559 )
break;
__isoc99_scanf(
"%s",
v35,
a3);
v31 = 0;
a3 = (char **)3788079310LL;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
a3 = (char **)1091618206;
v28 = (signed int)a3;
}
if ( v28 != -351376304 )
break;
v28 = -1682981725;
}
if ( v28 != -309679135 )
break;
v28 = 385821084;
}
if ( v28 != -213314773 )
break;
v41 = v31 + 1;
v28 = -853256898;
}
if ( v28 != -210664208 )
break;
v29 = v49;
v50 = v49;
a3 = (char **)2701513412LL;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1)
* (_BYTE)dword_603054 & 1) == 0 )
{
a3 = (char **)481625179;
}
v28 = (signed int)a3;
}
if ( v28 != -199559592 )
break;
*v40 = 0;
v28 = 2024088016;
}
if ( v28 != -197416524 )
break;
v30 = v56;
v28 = 1478643244;
}
if ( v28 != -194920207 )
break;
v45 = v31;
v28 = -1008576722;
}
if ( v28 != -172688243 )
break;
v28 = -1780989165;
}
if ( v28 != 30189008 )
break;
v44 = s;
a3 = (char **)325614949;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1)
* (_BYTE)dword_603054 & 1) == 0 )
{
a3 = (char **)4122279053LL;
}
v28 = (signed int)a3;
}
if ( v28 != 35266435 )
break;
v28 = -1002050507;
}
if ( v28 != 111496758 )
break;
v31 = v53 + 1;
v28 = 1585728989;
}
if ( v28 != 140103415 )
break;
v28 = 1783499399;
}
if ( v28 != 165194735 )
break;
v52 = 2 * v51;
a3 = (char **)2936503504LL;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1)
* (_BYTE)dword_603054 & 1) == 0 )
{
a3 = (char **)35266435;
}
v28 = (signed int)a3;
}
if ( v28 != 165636912 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v12 = 762694599;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1)
* (_BYTE)dword_603054 & 1) == 0 )
{
v12 = -1834653726;
}
v28 = v12;
}
if ( v28 != 174114970 )
break;
v47 = v29;
v28 = 2008447103;
}
if ( v28 != 183264728 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v19 = 111496758;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
{
v19 = 1585728989;
}
v28 = v19;
}
if ( v28 != 189818242 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v6 = -1015938266;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
{
v6 = -1578333348;
}
v28 = v6;
}
if ( v28 != 253474089 )
break;
v43 = v42 < 6;
a3 = (char **)550812935;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
{
a3 = (char **)3943590992LL;
}
v28 = (signed int)a3;
}
if ( v28 != 283854908 )
break;
v58 = v57 != 0;
v28 = 2103827861;
}
if ( v28 != 325614949 )
break;
v28 = 30189008;
}
if ( v28 != 385821084 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v26 = -309679135;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
{
v26 = -1732387288;
}
v28 = v26;
}
if ( v28 != 397199458 )
break;
v28 = -1243245941;
}
if ( v28 != 481625179 )
break;
v28 = 1771563692;
}
if ( v28 != 550812935 )
break;
v28 = 253474089;
}
if ( v28 != 738697886 )
break;
v37 = v36 < 64;
v28 = 189818242;
}
if ( v28 != 762694599 )
break;
v28 = -1834653726;
}
if ( v28 != 873723531 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v23 = 2127761645;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
{
v23 = -1395524712;
}
v28 = v23;
}
if ( v28 != 895115152 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v3 = -506887986;
if ( dword_603058 < 10
|| (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
{
v3 = -469992559;
}
v28 = v3;
}
if ( v28 != 977391758 )
break;
a3 = (char **)2175487371LL;
if ( v37 )
a3 = (char **)3550181192LL;
v28 = (signed int)a3;
}
if ( v28 != 998079252 )
break;
v28 = -194920207;
}
if ( v28 != 1091618206 )
break;
v28 = 1852460924;
}
if ( v28 != 1241066884 )
break;
a3 = (char **)&s1[v54];
v55 = &s1[v54];
v28 = -1843952179;
}
if ( v28 != 1278104886 )
break;
v9 = -718028952;
if ( v39 == 10 )
v9 = -1104384261;
v28 = v9;
}
if ( v28 != 1416478473 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v18 = -1358463792;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v18 = 165194735;
v28 = v18;
}
if ( v28 != 1471710476 )
break;
v28 = -987629196;
}
if ( v28 != 1478643244 )
break;
v28 = 165636912;
}
if ( v28 != 1558414728 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v15 = 325614949;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v15 = 30189008;
v28 = v15;
}
if ( v28 != 1585728989 )
break;
v31 = v53 + 1;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v20 = 111496758;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v20 = 1636541262;
v28 = v20;
}
if ( v28 != 1590869113 )
break;
v28 = -1146236158;
}
if ( v28 != 1591698962 )
break;
v28 = -484679360;
}
if ( v28 != 1636541262 )
break;
v28 = 998079252;
}
if ( v28 != 1768345936 )
break;
v28 = 165636912;
}
if ( v28 != 1771563692 )
break;
v29 = v50 ^ 0xB0004B7679FA26B3LL;
v28 = 1471710476;
}
if ( v28 != 1783499399 )
break;
v56 = v30 + 1;
v28 = -197416524;
}
if ( v28 != 1852460924 )
break;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v4 = -1799275846;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v4 = 1988968584;
v28 = v4;
}
if ( v28 == 1934644251 )
break;
switch ( v28 )
{
case 1958488484:
v31 = v41;
v28 = -1241653263;
break;
case 1988968584:
v36 = v31;
a3 = (char **)(unsigned int)(dword_603054 - 1);
v5 = -1799275846;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v5 = -1658420490;
v28 = v5;
break;
case 2008447103:
v48 = v47 < 0;
v28 = -490420216;
break;
case 2013758019:
memset(s, 0, 0x30uLL);
memset(s1, 0, 0x30uLL);
printf("Input:", 0LL);
a3 = (char **)s;
v35 = s;
v28 = 895115152;
break;
case 2024088016:
v28 = -2119479925;
break;
case 2103827861:
a3 = (char **)(unsigned int)(dword_603054 - 1);
v25 = -309679135;
if ( dword_603058 < 10 || (((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054 & 1) == 0 )
v25 = 385821084;
v28 = v25;
break;
case 2110558301:
v28 = -1841026192;
puts("Correct!");
break;
case 2127761645:
v28 = -1395524712;
break;
}
}
return v59;
}
简化如下(团队里大佬简化的)
#include <stdint.h>
#include <iostream>
using namespace std;
uint64_t encrypt(uint64_t v29) {
int v45;
int64_t tmp;
v45 = 0;
while ( v45 < 64 ) {
tmp = v29;
if ( tmp < 0 ) {
v29 = 2 * v29;
v29 = v29 ^ 0xB0004B7679FA26B3LL;
} else {
v29 = 2 * v29;
}
v45++;
}
return v29;
}
int main() {
//只要加密后和下面的数据一致就成功
uint8_t unk_402170[0x30] = {
0x96,0x62,0x53,0x43,0x6D,0xF2,0x8F,0xBC,0x16,0xEE,0x30,
0x05,0x78,0x00,0x01,0x52,0xEC,0x08,0x5F,0x93,0xEA,0xB5,
0xC0,0x4D,0x50,0xF4,0x53,0xD8,0xAF,0x90,0x2B,0x34,0x81,
0x36,0x2C,0xAA,0xBC,0x0E,0x25,0x8B,0xE4,0x8A,0xC6,0xA2,
0x81,0x9F,0x75,0x55
};
char str[49] = "hello";
uint64_t v29;
for (int i=0; i<48; i+=8) {
v29 = *(uint64_t *)&str[i];
cout << hex << encrypt(v29) << endl;
}
return 0;
}
开始分析吧,首先思路就是根据encrypt算法写出decrypt,然后把加密后的uint8带进去就可以了,代码怎么写呢?观察下encrypt,处理逻辑为v29为uint64,tmp为int64,算了我加注释,看下面:
uint64_t encrypt(uint64_t v29) {
int v45;
int64_t tmp; //tmp有符号64bit整形,上面定义的v29为无符号64bit整形
v45 = 0;
while ( v45 < 64 ) { //循环64次
tmp = v29; //v29赋值给tmp
if ( tmp < 0 ) {//这里关键了,这个是判断v29*2溢出的点,中位为8000000000000000,后面说。
v29 = 2 * v29;//此处溢出了。溢出值为65bit最高位bit去掉,保留64位
v29 = v29 ^ 0xB0004B7679FA26B3LL;//与hex异或运算v29值
} else {
v29 = 2 * v29;
}
v45++;
}
return v29;
}
注释到这样基本可以了,需要理清的重点就是tmp<0的话,为啥v29*2会溢出,还有溢出后的值是多少,需要查阅一些资料。不多说了跟这次题目无关
下面说decrypt怎么写。首先要知道,既然加密是分情况的,那解密必须也要分情况,首先如果溢出情况下,异或0xB0004B7679FA26B3LL此值,肯定为奇数,因为前面的v29=2*v29已经赋值为偶数了,所以我们从这个角度来写一个判断。原谅我C语言写不出来,用的是python:
def decrypt(Ev29):
for i in range(64):#循环64次,跟加密一致
if Ev29&1 ==0:#如果加密的int跟1与运算为1,说明是奇数,为0则为偶数,这里判断是为偶数的情况,也就是加密中未做异或运算的情况。
Ev29 //=2#加密是乘2,那解密就是除2了
代码根据注释应该也很好理解,下面是重要的部分,也就是异或的运算怎么去解密,直接上代码:
else:
Ev29 ^=0xB0004B7679FA26B3#异或回去,现在的值是v29*2后溢出的异或值
Ev29 >>=1#全部右移一位,等同于//2
Ev29 +=0x8000000000000000#这里是还原原值,溢出后除2再加一个中位值也就是0x8000000000000000就为原来的值,相关知识点自行百度。
return Ev29
到这里基本上差不多了,带上加密的int8,每8个一组,解密之后转字符串就行,最后解密的结果为:ff6{galfc6-09392-65c4-0259a-07abf1d3e857}8
这个看起来还不是flag,但是看着像了,考虑下大小端存储的问题,内存的11 22 33 44,读取成int之后为0x44332211,所以每8个倒序,最后的flag为:
flag{6ff29390-6c20-4c56-ba70-a95758e3d1f8}
到此劫持
