
start 함수에서부터 호출되는 함수들을 쭉 추적한다.
// write access to const memory has been detected, the output may be wrong!
// Decompiler pseudo-code (not compilable C) for the loop that produces the packed values.
// Visible behaviour: sub_4016B9 is handed the 100-byte buffer v15, then for each of
// 16 rounds four consecutive bytes of v15 are widened to 64-bit values and sub_4016D7
// is called; the value read back through r15 afterwards is stored in v11.
// NOTE(review): sub_4016B9 and sub_401054 are not shown on this page; presumably the
// former fills v15 with the input and the latter emits each packed value - confirm both.
// Returns v14 < 16 as evaluated at loop exit, i.e. 0.
_BOOL8 __fastcall sub_4017FB(__int64 a1, int a2, int a3, int a4, int a5, int a6)
{
// v6 is the decompiler's name for register r15; nothing in this listing assigns it.
__int64 *v6; // r15
_BOOL8 result; // rax
__int64 v8; // rcx
__int64 v9; // rsi
// Declared as 4 bytes, but the for-loop below stores four 8-byte values starting here
// (32 bytes), which by the stack offsets in these comments also covers v11 and v12.
// NOTE(review): most likely a mistyped 4-qword staging area, not a real overflow -
// confirm against the disassembly.
char v10[4]; // [rsp+24h] [rbp-94h] BYREF
__int64 v11; // [rsp+28h] [rbp-90h]
__int64 *v12; // [rsp+30h] [rbp-88h]
__int64 i; // [rsp+44h] [rbp-74h]
__int64 v14; // [rsp+4Ch] [rbp-6Ch] BYREF
char v15[100]; // [rsp+54h] [rbp-64h] BYREF
sub_4016B9((int)sub_4016B9, a2, a3, a4, a5, a6, v15);
// v14 is the round counter: rounds 0..15, so bytes v15[0..63] are consumed.
v14 = 0LL;
while ( 1 )
{
result = v14 < 16;
if ( v14 >= 16 )
break;
// i < 4, so i | (4 * v14) equals 4 * v14 + i: the i-th byte of the current 4-byte group.
// Each byte is zero-extended (unsigned __int8) before being stored as a qword.
for ( i = 0LL; i < 4; ++i )
*(_QWORD *)&v10[8 * i] = (unsigned __int8)v15[i | (4 * v14)];
// Walks the four staged qwords from offset 24 down to 0; v9 ends up holding the first one.
// NOTE(review): this looks like the four values being passed as stack arguments to
// sub_4016D7 (which reads four qwords starting at its a7) - confirm in the disassembly.
v8 = 32LL;
do
{
v8 -= 8LL;
v9 = *(_QWORD *)&v10[v8];
}
while ( v8 );
((void (__fastcall *)(_BOOL8 (__fastcall *)(__int64, __int64, __int64, __int64, __int64, __int64, char), __int64))sub_4016D7)(
sub_4016D7,
v9);
// sub_4016D7 writes its packed result through its own r15 variable (*v7 = v9), so this
// read through r15 presumably picks up that value.
v11 = *v6;
((void (__fastcall *)(__int64 (__fastcall *)(__int64, __int64, __int64, __int64, __int64, __int64, unsigned __int64), __int64))sub_401054)(
sub_401054,
v9);
v12 = (__int64 *)&loc_401035;
v11 = 10LL;
((void (__fastcall *)(__int64 (__fastcall *)(__int64, __int64, __int64, __int64, __int64, __int64, unsigned __int64), __int64))sub_401054)(
sub_401054,
v9);
// No statement in this listing increments v14. NOTE(review): the v12 = &v14 / v11 = 1
// pair followed by the odd add below is presumably the mangled form of "v14 += 1";
// an add applied to a function address is likely what the "write access to const memory"
// warning printed above this function refers to.
v12 = &v14;
v11 = 1LL;
*(_QWORD *)sub_401054 += sub_4016D7;
}
return result;
}
❯ cat result.txt
[2286297976,
1849597495,
1808544081,
1807704273,
1808647758,
1944172095,
1706613032,
1909844297,
1841821141,
1910684756,
1876359218,
1774427197,
1876254572,
1773795720,
1943752837,
4257423877]
do_while{} 구문 직후에 호출되는 sub_4016D7 함수에서 수행하는 계산을 볼 수 있다.
// Decompiler pseudo-code (not compilable C) for the packing step.
// Folds four 64-bit values read from consecutive qword slots starting at &a7 into one
// integer using base 324: v9 = ((s[3] * 324 + s[2]) * 324 + s[1]) * 324 + s[0].
// The slot at index 3 is therefore the most significant digit and index 0 the least.
// This is a positional encoding, not a one-way function: while every slot value is
// below 324 the result can be split back into the four values by repeated division.
// The packed value is written through r15; the return value is i >= 0 at loop exit, i.e. 0.
_BOOL8 __fastcall sub_4016D7(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, char a7)
{
// v7 is the decompiler's name for register r15; nothing in this listing assigns it.
__int64 *v7; // r15
_BOOL8 result; // rax
__int64 v9; // [rsp+20h] [rbp-10h]
__int64 i; // [rsp+28h] [rbp-8h]
v9 = 0LL;
// Counts down from slot 3 to slot 0; the loop ends once i becomes negative.
for ( i = 3LL; ; --i )
{
result = i >= 0;
if ( i < 0 )
break;
// a7 is typed as char, yet four qwords are read starting at its address.
// NOTE(review): presumably these are four stack-passed arguments - confirm in the disassembly.
v9 = 324 * v9 + *((_QWORD *)&a7 + i);
}
// Output goes through the r15 pointer rather than the return register.
*v7 = v9;
return result;
}
위 함수를 통해 최종적으로 result 값이 결정된다.

이 sub_4016D7 함수를 역산하면 된다. 입력은 각각 1바이트(0~255)로 324보다 작으므로, 결과값을 324로 반복해서 나눈 나머지가 곧 원래 바이트 값이 된다. 이렇게 하면 위 함수가 실행되기 전의 값들을 알 수 있게 된다.
# The sixteen packed values listed in result.txt, kept in file order
# (one value per 4-byte group of the original input).
results = [
    2286297976, 1849597495, 1808544081, 1807704273,
    1808647758, 1944172095, 1706613032, 1909844297,
    1841821141, 1910684756, 1876359218, 1774427197,
    1876254572, 1773795720, 1943752837, 4257423877,
]
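def reverse_operation(result, base=324, width=0):
    """Split a packed integer into its base-``base`` digits, most significant first.

    This undoes the fold performed by sub_4016D7 (``v9 = 324 * v9 + value``): each
    remainder of a division by ``base`` is one of the values that was folded in.
    The split is only unambiguous when every folded value was smaller than ``base``.

    Args:
        result: Non-negative packed integer to decode.
        base: Radix used by the packing step (324 in the analysed binary).
        width: Minimum number of digits to return. Leading zero digits are lost by
            the division loop, so pass 4 when a 4-value group may start with a zero
            value. The default of 0 keeps the unpadded output.

    Returns:
        List of digits, most significant first. Empty for ``result <= 0`` when
        ``width`` is 0.

    Raises:
        ValueError: If ``base`` is smaller than 2 (the loop could not terminate).
    """
    if base < 2:
        raise ValueError("base must be at least 2")

    values = []
    while result > 0:
        result, digit = divmod(result, base)
        values.append(digit)

    # Digits are collected least significant first, so zero padding for the missing
    # high-order positions goes at the end before the list is reversed.
    if len(values) < width:
        values.extend([0] * (width - len(values)))
    return values[::-1]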
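# Decode every packed value into its list of base-324 digits (most significant first).
original_values = [reverse_operation(result) for result in results]
print(original_values)

# Convert to ASCII characters
original_chars = [
    ''.join(chr(value) for value in values) for values in original_values
]
#print(original_chars) #['CGOL', '6{NO', '5869', '5069', '5926', '9433', '2988', '8115', '6151', '8938', '7682', '4771', '7598', '4120', '9051', '}851']

# Discarded attempt: joining the groups in reverse order does not produce the flag.
#original_chars_reversed = ''.join(original_chars[::-1])
#print(original_chars_reversed) #158}1509412090571}8517682477189386151811588115298875943292650695869{NO6CGOL

# Reverse each string in the array: the packing loop treats the 4th byte of a group as
# the most significant digit, so every decoded group comes out back to front.
reversed_chars = [string[::-1] for string in original_chars]
#print(reversed_chars) #['LOGC', 'ON{6', '9685', '9605', '6295', '3349', '8892', '5118', '1516', '8398', '2867', '1774', '8957', '0214', '1509', '158}']

# Concatenate the reversed groups (group order is unchanged) to obtain the flag.
flag = ''.join(reversed_chars)
print(flag)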