
RE2_FPC

观察

regcode: 1234 5678 9abc 分别对应 x y z。输入任意 regcode 跟一下,发现是一个无解方程。

然后上下拉一下,观察到可疑乱序代码,考虑使用栈溢出 return 过去。段首: 00413131,对应 11A 结尾字符串,字符串长度 15。

ps.在考虑段首这里有过犹豫,如果定位在代码0041312F处,这样return进来的参数在乱序段末最终被xor为00401021,进而跳回原处几乎完美地继续执行,这样会导致无穷解的出现,不知是作者有意为之还是无意凑巧。

//无穷解(x为任意字符):
xxxxxxxxxxxx/1A
话说因为这个原因我还在想是不是题目有问题,后来观察了一下花指令才发现新东西
//还原的加花乱序
////////////////////////////////////////
// Recovered instruction sequence (junk code removed) of the obfuscated
// block in RE2_FPC, as shown by the debugger: 32-bit x86, Intel operand
// order, "//" comments. Per the writeup, the stack at this point holds the
// three regcode dwords in order x, y, z; a fourth dword is popped afterwards
// and, XORed with 0x8101, becomes a write address.
// Register roles: ecx = x, ebx = y (later x-y), edx = z, edi = store pointer.
// Each "sub eax, <const>" is a check: eax must be 0 afterwards.
 add esp,-0x10                   //esp -= 0x10; the four pops below consume exactly this region
 xor eax,eax
 mov dword ptr ds:[0x41B034],eax //[0x41B034] = 0; read back by the final xor before jmp

 pop eax        //eax=x
 mov ecx,eax    //ecx=x

 pop eax        //eax=y
 mov ebx,eax    //ebx=y

 pop eax        //eax=z
 mov edx,eax    //edx=z
 mov edx,eax    //repeated instruction; no additional effect
 mov eax,ecx    //eax=x
 sub eax,ebx    //eax=x-y
 shl eax,0x2    //eax=(x-y) shl 2
 add eax,ecx    //eax+=x
 add eax,edx    //eax+=z
 sub eax,0xEAF917E2 //check 1: ((x-y) shl 2)+x+z == 0xEAF917E2 (must be zero)
 add eax, ecx   //eax=x        (eax is 0 here when check 1 passed)
 sub eax, ebx   //eax=x-y
 mov ebx, eax   //ebx=(x-y)    (y itself is no longer needed)
 shl eax, 1     //eax=(x-y) shl 1
 add eax, ebx   //eax=3*(x-y)
 add eax, ecx   //eax=3*(x-y)+x = 4x-3y
 mov ecx, eax   //ecx=4x-3y    (kept for check 3)
 add eax, edx   //eax+=z
 sub eax, 0xe8f508c8 //check 2: 4x-3y+z == 0xe8f508c8 (must be zero)
 mov eax, ecx   //eax=4x-3y
 mov eax, ecx   //repeated instruction; no additional effect
 sub eax, edx   //eax-=z
 sub eax, 0xc0a3c68 //check 3: 4x-3y-z == 0xc0a3c68 (must be zero)
 pop eax        //next dword from the stack (esp is back at its entry value here)
 xor eax, 0x8101 //decode it into a write address
 mov edi, eax   //edi = that address
 xor eax, eax
 stosd dword ptr es:[edi], eax   //[edi] = 0; edi += 4
 call 0x413841  //00413830 PUSH 00413835 (author's note); the call pushes its return address
 pop eax        //eax = return address pushed by the call
 push eax       //and leave it on the stack
 mov edi, eax   //edi = that address; the stosd's below write from here, apparently into the code after the call
 mov edi, eax   //repeated instruction; no additional effect
 push 0x4e000969
 pop eax        //eax = 0x4e000969
 xor eax, edx   //mix in z
 stosd dword ptr es:[edi], eax   //[edi] = eax; edi += 4
 xor eax, 0x10a3e
 stosd dword ptr es:[edi], eax   //[edi] = eax; edi += 4
 xor eax, ebx   //mix in (x-y)
 xor eax, 0x22511e14
 stosd dword ptr es:[edi], eax   //[edi] = eax; edi += 4
 xor eax, 0x61642d
 xor eax, dword ptr [0x41b034]   //[0x41b034] was zeroed above, so this leaves eax unchanged
 jmp eax        //indirect jump; the writeup says this yields 00401021 when entered at 0041312F
 ////////////////////////////////////////////

Algorithm:

((x-y) shl 2) + x + z == 0xEAF917E2 (3942193122?)
((x-y) shl 1) + (x-y) + x + z == 0xe8f508c8 (3908372680)
((x-y) shl 1) + (x-y) + x - z == 0xc0a3c68 (201997416)

z=1853187632=0x6e756630

4x-3y == 3908372680-1853187632 = 2055185048
4(x-y)+x = 5x-4y == 3942193122?-1853187632 = 2089005490
x -> 1953723722 (0x7473754A), y -> 1919903280 (0x726F6630)

Regcode:

x y z: 4A75737430666F723066756E J u s t 0 f o r 0 f u n

Total:

Just0for0fun11A