TSCTF-J 2022 Reverse Robot赛题复现

前言

题目名叫🤖,因为害怕奇奇怪怪的编码错误,我暂且叫它Robot

HNCTF有相似的题目,名叫WEIRD VM

半年前拿到这题我连看都不敢看一眼,现在回想起来再看花10小时做出来了,可能这就是进步吧(胡言乱语((

分析

程序没有加混淆,主函数一目了然是一个简单到过头的虚拟机

// IDA pseudocode of the challenge binary's entry point: a single-instruction
// (NOR-only) virtual machine.  VM memory is an array of 16-bit words, and the
// low words double as memory-mapped registers:
//   [0] pc    [1] rol16(last result, 1)    [3]/[4] output char / output flag
//   [5]/[6] input char / input flag        [7] scratch word used by the bytecode
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned __int16 *v3; // rax
  unsigned __int16 *v4; // rbx
  int result; // eax
  __int64 v6; // rdx
  __int64 v7; // r8
  __int64 src1; // rcx
  __int64 src0; // rax
  __int64 dst; // r9
  unsigned __int16 v11; // dx

  // 0x20000 bytes = 0x10000 words, i.e. exactly the 16-bit address space, so
  // every operand address the bytecode can name lands inside this buffer
  // (0x1000 = MEM_COMMIT, 4 = PAGE_READWRITE: the image is data, never executed).
  v3 = (unsigned __int16 *)VirtualAlloc(0i64, 0x20000ui64, 0x1000u, 4u);
  vm = (__int64)v3;
  v4 = v3;
  if ( v3 )
  {
    // The program image (0x4088 bytes) is copied to word 300 and pc starts there.
    memmove(v3 + 300, &code, 0x4088ui64);
    *v4 = 300;
    do
    {
      // Output hook: when the bytecode sets word 4 to 1, word 3 is printed
      // and the flag is cleared.
      if ( v4[4] == 1 )
      {
        v6 = v4[3];
        v4[4] = 0;
        printch((int)&unk_7FF6216D1740, v6);
        // The base pointer is re-read from the global after each callback,
        // presumably in case the callback touches `vm`; nothing visible here
        // reassigns it between calls.
        v4 = (unsigned __int16 *)vm;
      }
      // Input hook: when the bytecode sets word 6 to 1, one character is read
      // into word 5 and the flag is cleared.
      if ( v4[6] == 1 )
      {
        v4[6] = 0;
        ((void (__fastcall *)(void *, unsigned __int16 *))getch)(&unk_7FF6216D1740, v4 + 5);
        v4 = (unsigned __int16 *)vm;
      }
      // Fetch: an instruction is three words [src0, src1, dst], all absolute
      // word addresses.  v7 is a zero-extended u16, but v7 + 1 / v7 + 2 are not
      // wrapped, so a pc of 0xFFFE would fetch one word past the buffer
      // (not something the shipped bytecode appears to do).
      v7 = *v4;
      src1 = v4[v7 + 1];
      src0 = v4[v7];
      dst = v4[v7 + 2];
      // pc is advanced before the store, so an instruction whose dst is 0
      // overwrites the freshly advanced pc: that is how the bytecode jumps.
      *v4 = v7 + 3;
      // Execute: mem[dst] = ~(mem[src0] | mem[src1]) -- the only operation.
      // src0 == src1 makes it a NOT; two NOTs through word 7 make a copy.
      v11 = ~(v4[src0] | v4[src1]);
      v4[dst] = v11;
      // Word 1 always mirrors the last result rotated left by one bit.  It is
      // clobbered by every instruction, so the bytecode must read it right away.
      v4[1] = __ROL2__(v11, 1);
    }
    while ( *v4 != 0xFFFF );   // halt when pc reaches 0xFFFF
    VirtualFree(v4, 0i64, 0x8000u);   // 0x8000 = MEM_RELEASE
    result = 0;
    vm = 0i64;
  }
  else
  {
    printch((int)"Init ?? failed\n");
    return 0;
  }
  return result;
}

显然这个虚拟机字长为2字节(所有地址都是16位的字索引,0x20000字节的内存正好覆盖整个地址空间),v4[0]是pc,v4[3]、v4[4]用于输出(v4[4]==1时输出v4[3]并清零标志),v4[5]、v4[6]用于输入(v4[6]==1时读入一个字符到v4[5]并清零标志)。v4[300]开始存储指令(memmove拷贝了0x4088字节),pc初值为300,pc变为0xFFFF时停机。比较特别的是,这个虚拟机只能进行nor运算,指令长度为3个word,前两个是源操作数的地址,第三个是目的操作数的地址。特殊地,v4[1]的位置存储了nor运算结果循环左移1位的结果,而且每执行一条指令它都会被覆盖。

为了更好了解这个虚拟机是怎么工作的,我们可以单步调试观察。观察可得v4[7]是一个用于暂存数据的寄存器。在存取数据时,src0==src1,即一次取反(NOT);数据从一个内存地址转移到另一个内存地址时,常用v4[7]作为中转,即src->v4[7]->dst,这样相当于进行了两次取反运算,即dst的值等于src的值。由于pc也只是v4[0]这个普通的字,把目的地址设为0就是跳转。程序将立即数夹杂在指令中,并在指令中进行跳转操作,跳过中间夹杂的立即数,并取走立即数。循环左移则用于对输入内容的加密。

虽然指令已经很明确了(毕竟只有nor),但是如果这样将code直接翻译过来,那工作量会大幅上升。我们可以根据虚拟机通过nor实现复杂指令的特点,识别复杂指令。将code dump下来后,编写反汇编器如下:

from pwn import *
#context.log_level='warning'
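ip = 300   # disassembler cursor, in VM words; main() starts the pc at word 300
reg = 0    # symbolic value of scratch word 7, tracked only through load_imm

# main() memmove()s the program image to word 300, i.e. byte offset 600, so
# padding with 600 zero bytes makes CodeList[i] equal VM word i.
with open('code.bin', 'rb') as f:
    originalCode = b'\x00' * 600 + f.read()
if len(originalCode) % 2:
    raise ValueError('code.bin must contain whole 16-bit words')
# Little-endian unsigned 16-bit words (same as pwntools' u16 under the default context).
CodeList = [int.from_bytes(originalCode[i:i + 2], 'little')
            for i in range(0, len(originalCode), 2)]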

def rol(num):
    """Rotate a 16-bit value left by one bit (the VM's word-1 side effect)."""
    assert(0<=num<=0xffff)
    return ((num << 1) | (num >> 15)) & 0xffff

def rol_back(num):
    """Rotate a 16-bit value right by one bit; inverse of rol()."""
    assert(0<=num<=0xffff)
    return (num >> 1) | ((num & 1) << 15)

def rev(num):
    """Bitwise NOT truncated to 16 bits (what a NOR with src0 == src1 computes)."""
    return (num ^ 0xffff) & 0xffff

def jmp(addr):
    """Move the disassembler cursor to ``addr`` and log the transfer.

    Any backward jump, or a forward jump of more than 30 words, is treated as
    suspicious (possible mis-aligned decode) and pauses on ``input()`` so the
    jump can be inspected before continuing.
    """
    global ip
    info(f'ip={hex(ip)}:set ip to {hex(addr)}')
    delta = addr - ip
    if not 0 <= delta <= 30:
        input(f"error at ip={hex(ip)}")
    ip = addr

def pattern_nor_reg(code):
    """Match a NOR whose destination is the scratch word 7.

    Returns ``[src0, src1]`` on a match, ``-1`` otherwise.
    """
    if code[2] == 7:
        return [code[0], code[1]]
    return -1

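def nor_reg_handler(result):
    """Render a NOR into the scratch word as ``reg=~(*(src0)|*(src1))``.

    The symbolic ``reg`` is deliberately left untouched: the result depends on
    runtime memory, so a later register-indirect jump through it cannot be
    resolved statically anyway.  (A dead local ``reg=0xffffffff`` that never
    reached the global was removed.)
    """
    return f'reg=~(*({hex(result[0])})|*({hex(result[1])}))'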

def pattern_not(code):
    """Match a NOR with both sources equal, i.e. ``*(dst) = ~*(src)``.

    Returns ``[src, dst]`` on a match, ``-1`` otherwise.
    """
    src0, src1, dst = code[0], code[1], code[2]
    return [src0, dst] if src0 == src1 else -1

def not_handler(result):
    """Render a NOT as ``*(dst)=~(*(src))``."""
    src, dst = result
    return f'*({hex(dst)})=~(*({hex(src)}))'

def pattern_load_reg(code):
    """Match a NOT into the scratch word (``[addr, addr, 7]``).

    Returns the source address on a match, ``-1`` otherwise.
    """
    if code[0] == code[1] and code[2] == 7:
        return code[0]
    return -1

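def load_reg_handler(result):
    """Render a load into the scratch word as ``reg=~(*(addr))``.

    ``result`` is the source word address.  A dead local ``reg=rev(CodeList[result])``
    was removed: it never reached the global and could raise IndexError for an
    address past the end of the image.
    """
    return f'reg=~(*({hex(result)}))'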

def pattern_save_reg(code):
    """Match a NOT of the scratch word into memory (``[7, 7, dst]``).

    Returns the destination address on a match, ``-1`` otherwise.
    """
    if code[0] == 7 and code[1] == 7:
        return code[2]
    return -1

def save_reg_handler(result):
    """Render a store of the scratch word; a store to word 0 is an indirect jump.

    The VM writes the complement of word 7, hence ``*(dst)=~reg``.  When ``dst``
    is the pc the cursor is moved to the tracked ``reg`` value and nothing is
    printed.
    """
    global reg
    global ip
    if result != 0:
        return f'*({hex(result)})=~reg'
    jmp(reg)
    info('regjump')
    # jmp() already placed ip on the target; undo the +3 the patterns table
    # adds for this entry so the target decodes at the right offset.
    ip -= 3
    return None

def pattern_jmp(code):
    """Match ``load_reg(addr); save_reg(0)``, i.e. ``pc = *(addr)``.

    Returns ``addr`` (the word holding the jump target) on a match, ``-1`` otherwise.
    """
    addr = pattern_load_reg(code)
    if addr == -1:
        return -1
    s0, s1, d = code[3], code[4], code[5]
    is_store_to_pc = s0 == 7 and s1 == 7 and d == 0
    return addr if is_store_to_pc else -1

def jmp_handler(result):
    """Follow a direct jump: the target is the word stored at ``result``."""
    target = CodeList[result]
    jmp(target)

def pattern_load_imm(code):
    """Match the 11-word "load immediate" idiom.

    Layout: a jump whose target word ``addr`` holds ``addr + 2`` (so the jump
    skips exactly one word), the skipped word ``code[7]`` is the immediate, and
    the instruction after the jump loads ``addr + 1`` into the scratch word.
    The check assumes the jump slot sits right after the jump (``addr == ip + 6``);
    that is not verified here.  Returns the immediate, or ``-1``.
    """
    addr = pattern_jmp(code)
    if addr == -1:
        return -1
    if CodeList[addr] - addr != 2:
        return -1
    if pattern_load_reg(code[8:]) != addr + 1:
        return -1
    return code[7]

def load_imm_handler(result):
    """Record an immediate in the symbolic ``reg`` and render ``reg=imm``.

    ``reg`` holds the value a following register-indirect jump lands on
    (save_reg_handler calls ``jmp(reg)``).  NOTE(review): after this idiom
    word 7 actually holds ``~imm``, so a plain save rendered as ``*(dst)=~reg``
    would read inverted relative to what the VM stores; not seen in the trace.
    """
    global reg
    reg = result
    return f'reg={hex(reg)}'

def pattern_put(code):
    """Match the 20-word "print a character" idiom.

    ``copy *(chraddr) -> word 3`` (load_reg + save_reg), then ``word 4 = 1``
    (load_imm 1 + save_reg) to raise the output flag.  Returns ``chraddr`` or ``-1``.
    """
    chraddr = pattern_load_reg(code)
    if chraddr == -1:
        return -1
    if pattern_save_reg(code[3:]) != 3:
        return -1
    if pattern_load_imm(code[6:]) != 1:
        return -1
    if pattern_save_reg(code[17:]) != 4:
        return -1
    return chraddr

def put_handler(result):
    """Render a put as ``putchar('c')`` using the character stored at ``result``."""
    ch = chr(CodeList[result])
    return f"putchar('{ch}')"

def pattern_get(code):
    """Match the 20-word "read a character" idiom.

    ``word 6 = 1`` (load_imm 1 + save_reg) raises the input flag, then the
    character delivered in word 5 is copied to ``addr`` (load_reg 5 + save_reg).
    Returns ``addr`` or ``-1``.
    """
    if pattern_load_imm(code) != 1:
        return -1
    if pattern_save_reg(code[11:]) != 6:
        return -1
    if pattern_load_reg(code[14:]) != 5:
        return -1
    # -1 propagates naturally when the final store is not a save_reg.
    return pattern_save_reg(code[17:])

def get_handler(result):
    """Render a get as ``*(addr)=getchar()``."""
    addr = hex(result)
    return f"*({addr})=getchar()"

def pattern_load_mem(code):
    """Match a 6-word copy ``*(dst) = *(src)`` done as two NOTs through word 7.

    Returns ``[src, dst]`` on a match, ``-1`` otherwise.
    """
    src = pattern_load_reg(code)
    dst = pattern_save_reg(code[3:])
    if -1 in (src, dst):
        return -1
    return [src, dst]

def load_mem_handler(result):
    """Render a copy as ``*(dst)=*(src)``; a source of 7 is shown as ``reg``."""
    src, dst = result
    rhs = 'reg' if src == 7 else f'*({hex(src)})'
    return f'*({hex(dst)})={rhs}'

def pattern_rol(code):
    """Match a 12-word rotate-left-by-one of ``*(addr)``.

    The VM leaves ``rol(result, 1)`` in word 1 after every instruction, so the
    idiom is a self-copy ``*(addr) = *(addr)`` followed by ``*(addr) = *(1)``.
    Returns ``addr`` or ``-1``.
    """
    first = pattern_load_mem(code)
    if first == -1 or first[0] != first[1]:
        return -1
    addr = first[0]
    second = pattern_load_mem(code[6:])
    if second == -1 or second[1] != addr or second[0] != 1:
        return -1
    return addr

def pattern_rols(code):
    """Collapse a run of consecutive rotates of the same word into one entry.

    Unlike the other matchers this one advances ``ip`` itself (its table entry
    has length 0), leaving ``ip`` just past the last rotate.  Because the
    cursor has already moved when disassemble() prints, the address shown for
    a rol run is the end of the run, not its start.  Returns
    ``[addr, count % 16]`` (a 16-bit rotate by 16 is the identity) or ``-1``.
    """
    global ip
    addr = pattern_rol(code)
    if addr == -1:
        return -1
    count = 1
    ip += 12
    while pattern_rol(CodeList[ip:]) == addr:
        count += 1
        ip += 12
    return [addr, count % 16]

def rols_handler(result):
    """Render a rotate run as ``rol(*(addr), count)``."""
    addr, count = result
    return f'rol(*({hex(addr)}), {count})'

# Recognisers are tried in this order, most composite first, so that e.g. a
# rotate run is not decoded as two plain copies and a put/get is not split into
# its load_imm pieces.  The third field is how many words a match consumes;
# pattern_rols and jmp_handler move ip themselves, hence 0.
patterns = [
    (pattern_rols, rols_handler, 0),
    (pattern_get, get_handler, 20),
    (pattern_put, put_handler, 20),
    (pattern_load_imm, load_imm_handler, 11),
    (pattern_jmp, jmp_handler, 0),
    (pattern_load_mem, load_mem_handler, 6),
    (pattern_load_reg, load_reg_handler, 3),
    (pattern_save_reg, save_reg_handler, 3),
    (pattern_not, not_handler, 3),
    (pattern_nor_reg, nor_reg_handler, 3),
]

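def disassemble():
    """Linear-sweep the VM image from word 300, printing one line per idiom.

    Each entry in ``patterns`` is tried in order; the first matcher that does
    not return -1 wins, its handler renders the text, and the cursor advances
    by the entry's length.  Handlers that return ``None`` (jumps) print nothing.
    An unmatched word pauses on ``input()`` and is retried, so the loop does
    not progress until the image is inspected or the process is interrupted.

    Fix: the printed address is captured before the matcher runs.  pattern_rols
    advances ``ip`` itself, so printing ``ip`` afterwards labelled a rotate run
    with the address *after* the run instead of where it began.
    """
    global ip
    ip = 300
    while ip < len(CodeList):
        start = ip
        for match, render, length in patterns:
            result = match(CodeList[ip:])
            if result == -1:
                continue
            text = render(result)
            if text is not None:
                print(f'{hex(start)}:{text}')
            ip += length
            break
        else:
            input(f'unknown instruction at ip={hex(ip)}')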

为了避免程序到处乱跳,或者出现指令错位的情况,可以在jmp函数中插入调试信息跟踪程序跳转(上面的jmp()在遇到向后跳转或向前超过30个word的跳转时会用input()暂停)。观察结果发现程序没有远跳转,也无指令错位,这样我们就可以放心看输出结果了:

0x12c:putchar('P')
0x140:putchar('l')
0x154:putchar('e')
0x168:putchar('a')
0x17c:putchar('s')
0x190:putchar('e')
0x1a4:putchar(' ')
0x1b8:putchar('i')
0x1cc:putchar('n')
0x1e0:putchar('p')
0x1f4:putchar('u')
0x208:putchar('t')
0x21c:putchar(' ')
0x230:putchar('y')
0x244:putchar('o')
0x258:putchar('u')
0x26c:putchar('r')
0x280:putchar(' ')
0x294:putchar('f')
0x2a8:putchar('l')
0x2bc:putchar('a')
0x2d0:putchar('g')
0x2e4:putchar(':')
0x2f8:reg=0x307
[*] ip=0x303:set ip to 0x307
[*] regjump
0x307:*(0x2137)=getchar()
0x31b:*(0x2138)=getchar()
0x32f:*(0x2139)=getchar()
0x343:*(0x213a)=getchar()
0x357:*(0x213b)=getchar()
0x36b:*(0x213c)=getchar()
0x37f:*(0x213d)=getchar()
0x393:*(0x213e)=getchar()
0x3a7:*(0x213f)=getchar()
0x3bb:*(0x2140)=getchar()
0x3cf:*(0x2141)=getchar()
0x3e3:*(0x2142)=getchar()
0x3f7:*(0x2143)=getchar()
0x40b:*(0x2144)=getchar()
0x41f:*(0x2145)=getchar()
0x433:*(0x2146)=getchar()
0x447:*(0x2147)=getchar()
0x45b:*(0x2148)=getchar()
0x46f:*(0x2149)=getchar()
0x483:*(0x214a)=getchar()
0x497:*(0x214b)=getchar()
0x4ab:*(0x214c)=getchar()
0x4bf:*(0x214d)=getchar()
0x4d3:*(0x214e)=getchar()
0x4e7:*(0x214f)=getchar()
0x4fb:*(0x2150)=getchar()
0x50f:*(0x2151)=getchar()
0x523:*(0x2152)=getchar()
0x537:*(0x2153)=getchar()
0x54b:*(0x2154)=getchar()
0x55f:*(0x2155)=getchar()
0x573:*(0x2156)=getchar()
0x587:*(0x2157)=getchar()
0x59b:*(0x2158)=getchar()
0x5af:*(0x2159)=getchar()
0x5c3:*(0x202f)=*(0x2137)
0x67d:rol(*(0x202f), 15)
[*] ip=0x67d:set ip to 0x686
0x686:*(0x684)=~(*(0x202f))
0x689:*(0x685)=~(*(0x212c))
[*] ip=0x68c:set ip to 0x695
0x695:*(0x693)=~(*(0x202f))
0x698:*(0x694)=~(*(0x685))
0x69b:reg=~(*(0x693)|*(0x694))
0x69e:*(0x685)=reg
[*] ip=0x6a4:set ip to 0x6ad
0x6ad:*(0x6ab)=~(*(0x212c))
0x6b0:*(0x6ac)=~(*(0x684))
0x6b3:reg=~(*(0x6ab)|*(0x6ac))
0x6b6:*(0x684)=reg
0x6bc:reg=~(*(0x684)|*(0x685))
0x6bf:*(0x202f)=~reg
0x6c2:reg=~(*(0x202f)|*(0x306))
0x6c5:*(0x306)=~reg
0x6c8:*(0x202f)=*(0x2138)
0x782:rol(*(0x202f), 15)
[*] ip=0x782:set ip to 0x78b
0x78b:*(0x789)=~(*(0x202f))
0x78e:*(0x78a)=~(*(0x212b))
[*] ip=0x791:set ip to 0x79a
0x79a:*(0x798)=~(*(0x202f))
0x79d:*(0x799)=~(*(0x78a))
0x7a0:reg=~(*(0x798)|*(0x799))
0x7a3:*(0x78a)=reg
[*] ip=0x7a9:set ip to 0x7b2
0x7b2:*(0x7b0)=~(*(0x212b))
0x7b5:*(0x7b1)=~(*(0x789))
0x7b8:reg=~(*(0x7b0)|*(0x7b1))
0x7bb:*(0x789)=reg
0x7c1:reg=~(*(0x789)|*(0x78a))
0x7c4:*(0x202f)=~reg
0x7c7:reg=~(*(0x202f)|*(0x306))
0x7ca:*(0x306)=~reg
0x7cd:*(0x202f)=*(0x2139)
0x887:rol(*(0x202f), 15)
[*] ip=0x887:set ip to 0x890
0x890:*(0x88e)=~(*(0x202f))
0x893:*(0x88f)=~(*(0x2123))
[*] ip=0x896:set ip to 0x89f
0x89f:*(0x89d)=~(*(0x202f))
0x8a2:*(0x89e)=~(*(0x88f))
0x8a5:reg=~(*(0x89d)|*(0x89e))
0x8a8:*(0x88f)=reg
[*] ip=0x8ae:set ip to 0x8b7
0x8b7:*(0x8b5)=~(*(0x2123))
0x8ba:*(0x8b6)=~(*(0x88e))
0x8bd:reg=~(*(0x8b5)|*(0x8b6))
0x8c0:*(0x88e)=reg
0x8c6:reg=~(*(0x88e)|*(0x88f))
0x8c9:*(0x202f)=~reg
0x8cc:reg=~(*(0x202f)|*(0x306))
0x8cf:*(0x306)=~reg
0x8d2:*(0x202f)=*(0x213a)
0x98c:rol(*(0x202f), 15)
[*] ip=0x98c:set ip to 0x995
0x995:*(0x993)=~(*(0x202f))
0x998:*(0x994)=~(*(0x212c))
[*] ip=0x99b:set ip to 0x9a4
0x9a4:*(0x9a2)=~(*(0x202f))
0x9a7:*(0x9a3)=~(*(0x994))
0x9aa:reg=~(*(0x9a2)|*(0x9a3))
0x9ad:*(0x994)=reg
[*] ip=0x9b3:set ip to 0x9bc
0x9bc:*(0x9ba)=~(*(0x212c))
0x9bf:*(0x9bb)=~(*(0x993))
0x9c2:reg=~(*(0x9ba)|*(0x9bb))
0x9c5:*(0x993)=reg
0x9cb:reg=~(*(0x993)|*(0x994))
0x9ce:*(0x202f)=~reg
0x9d1:reg=~(*(0x202f)|*(0x306))
0x9d4:*(0x306)=~reg
0x9d7:*(0x202f)=*(0x213b)
0xa91:rol(*(0x202f), 15)
[*] ip=0xa91:set ip to 0xa9a
0xa9a:*(0xa98)=~(*(0x202f))
0xa9d:*(0xa99)=~(*(0x2125))
[*] ip=0xaa0:set ip to 0xaa9
0xaa9:*(0xaa7)=~(*(0x202f))
0xaac:*(0xaa8)=~(*(0xa99))
0xaaf:reg=~(*(0xaa7)|*(0xaa8))
0xab2:*(0xa99)=reg
[*] ip=0xab8:set ip to 0xac1
0xac1:*(0xabf)=~(*(0x2125))
0xac4:*(0xac0)=~(*(0xa98))
0xac7:reg=~(*(0xabf)|*(0xac0))
0xaca:*(0xa98)=reg
0xad0:reg=~(*(0xa98)|*(0xa99))
0xad3:*(0x202f)=~reg
0xad6:reg=~(*(0x202f)|*(0x306))
0xad9:*(0x306)=~reg
0xadc:*(0x202f)=*(0x213c)
0xb96:rol(*(0x202f), 15)
[*] ip=0xb96:set ip to 0xb9f
0xb9f:*(0xb9d)=~(*(0x202f))
0xba2:*(0xb9e)=~(*(0x211b))
[*] ip=0xba5:set ip to 0xbae
0xbae:*(0xbac)=~(*(0x202f))
0xbb1:*(0xbad)=~(*(0xb9e))
0xbb4:reg=~(*(0xbac)|*(0xbad))
0xbb7:*(0xb9e)=reg
[*] ip=0xbbd:set ip to 0xbc6
0xbc6:*(0xbc4)=~(*(0x211b))
0xbc9:*(0xbc5)=~(*(0xb9d))
0xbcc:reg=~(*(0xbc4)|*(0xbc5))
0xbcf:*(0xb9d)=reg
0xbd5:reg=~(*(0xb9d)|*(0xb9e))
0xbd8:*(0x202f)=~reg
0xbdb:reg=~(*(0x202f)|*(0x306))
0xbde:*(0x306)=~reg
0xbe1:*(0x202f)=*(0x213d)
0xc9b:rol(*(0x202f), 15)
[*] ip=0xc9b:set ip to 0xca4
0xca4:*(0xca2)=~(*(0x202f))
0xca7:*(0xca3)=~(*(0x2127))
[*] ip=0xcaa:set ip to 0xcb3
0xcb3:*(0xcb1)=~(*(0x202f))
0xcb6:*(0xcb2)=~(*(0xca3))
0xcb9:reg=~(*(0xcb1)|*(0xcb2))
0xcbc:*(0xca3)=reg
[*] ip=0xcc2:set ip to 0xccb
0xccb:*(0xcc9)=~(*(0x2127))
0xcce:*(0xcca)=~(*(0xca2))
0xcd1:reg=~(*(0xcc9)|*(0xcca))
0xcd4:*(0xca2)=reg
0xcda:reg=~(*(0xca2)|*(0xca3))
0xcdd:*(0x202f)=~reg
0xce0:reg=~(*(0x202f)|*(0x306))
0xce3:*(0x306)=~reg
0xce6:*(0x202f)=*(0x213e)
0xda0:rol(*(0x202f), 15)
[*] ip=0xda0:set ip to 0xda9
0xda9:*(0xda7)=~(*(0x202f))
0xdac:*(0xda8)=~(*(0x2135))
[*] ip=0xdaf:set ip to 0xdb8
0xdb8:*(0xdb6)=~(*(0x202f))
0xdbb:*(0xdb7)=~(*(0xda8))
0xdbe:reg=~(*(0xdb6)|*(0xdb7))
0xdc1:*(0xda8)=reg
[*] ip=0xdc7:set ip to 0xdd0
0xdd0:*(0xdce)=~(*(0x2135))
0xdd3:*(0xdcf)=~(*(0xda7))
0xdd6:reg=~(*(0xdce)|*(0xdcf))
0xdd9:*(0xda7)=reg
0xddf:reg=~(*(0xda7)|*(0xda8))
0xde2:*(0x202f)=~reg
0xde5:reg=~(*(0x202f)|*(0x306))
0xde8:*(0x306)=~reg
0xdeb:*(0x202f)=*(0x213f)
0xea5:rol(*(0x202f), 15)
[*] ip=0xea5:set ip to 0xeae
0xeae:*(0xeac)=~(*(0x202f))
0xeb1:*(0xead)=~(*(0x212b))
[*] ip=0xeb4:set ip to 0xebd
0xebd:*(0xebb)=~(*(0x202f))
0xec0:*(0xebc)=~(*(0xead))
0xec3:reg=~(*(0xebb)|*(0xebc))
0xec6:*(0xead)=reg
[*] ip=0xecc:set ip to 0xed5
0xed5:*(0xed3)=~(*(0x212b))
0xed8:*(0xed4)=~(*(0xeac))
0xedb:reg=~(*(0xed3)|*(0xed4))
0xede:*(0xeac)=reg
0xee4:reg=~(*(0xeac)|*(0xead))
0xee7:*(0x202f)=~reg
0xeea:reg=~(*(0x202f)|*(0x306))
0xeed:*(0x306)=~reg
[*] ip=0xef0:set ip to 0xef9
0xef9:*(0xef7)=~(*(0x2140))
0xefc:*(0xef8)=~(*(0x2118))
[*] ip=0xeff:set ip to 0xf08
0xf08:*(0xf06)=~(*(0x2140))
0xf0b:*(0xf07)=~(*(0xef8))
0xf0e:reg=~(*(0xf06)|*(0xf07))
0xf11:*(0xef8)=reg
[*] ip=0xf17:set ip to 0xf20
0xf20:*(0xf1e)=~(*(0x2118))
0xf23:*(0xf1f)=~(*(0xef7))
0xf26:reg=~(*(0xf1e)|*(0xf1f))
0xf29:*(0xef7)=reg
0xf2f:reg=~(*(0xef7)|*(0xef8))
0xf32:*(0x202f)=~reg
[*] ip=0xf35:set ip to 0xf3e
0xf3e:*(0xf3c)=~(*(0x202f))
0xf41:*(0xf3d)=~(*(0x2133))
[*] ip=0xf44:set ip to 0xf4d
0xf4d:*(0xf4b)=~(*(0x202f))
0xf50:*(0xf4c)=~(*(0xf3d))
0xf53:reg=~(*(0xf4b)|*(0xf4c))
0xf56:*(0xf3d)=reg
[*] ip=0xf5c:set ip to 0xf65
0xf65:*(0xf63)=~(*(0x2133))
0xf68:*(0xf64)=~(*(0xf3c))
0xf6b:reg=~(*(0xf63)|*(0xf64))
0xf6e:*(0xf3c)=reg
0xf74:reg=~(*(0xf3c)|*(0xf3d))
0xf77:*(0x202f)=~reg
0xf7a:reg=~(*(0x202f)|*(0x306))
0xf7d:*(0x306)=~reg
[*] ip=0xf80:set ip to 0xf89
0xf89:*(0xf87)=~(*(0x2141))
0xf8c:*(0xf88)=~(*(0x2116))
[*] ip=0xf8f:set ip to 0xf98
0xf98:*(0xf96)=~(*(0x2141))
0xf9b:*(0xf97)=~(*(0xf88))
0xf9e:reg=~(*(0xf96)|*(0xf97))
0xfa1:*(0xf88)=reg
[*] ip=0xfa7:set ip to 0xfb0
0xfb0:*(0xfae)=~(*(0x2116))
0xfb3:*(0xfaf)=~(*(0xf87))
0xfb6:reg=~(*(0xfae)|*(0xfaf))
0xfb9:*(0xf87)=reg
0xfbf:reg=~(*(0xf87)|*(0xf88))
0xfc2:*(0x202f)=~reg
[*] ip=0xfc5:set ip to 0xfce
0xfce:*(0xfcc)=~(*(0x202f))
0xfd1:*(0xfcd)=~(*(0x211f))
[*] ip=0xfd4:set ip to 0xfdd
0xfdd:*(0xfdb)=~(*(0x202f))
0xfe0:*(0xfdc)=~(*(0xfcd))
0xfe3:reg=~(*(0xfdb)|*(0xfdc))
0xfe6:*(0xfcd)=reg
[*] ip=0xfec:set ip to 0xff5
0xff5:*(0xff3)=~(*(0x211f))
0xff8:*(0xff4)=~(*(0xfcc))
0xffb:reg=~(*(0xff3)|*(0xff4))
0xffe:*(0xfcc)=reg
0x1004:reg=~(*(0xfcc)|*(0xfcd))
0x1007:*(0x202f)=~reg
0x100a:reg=~(*(0x202f)|*(0x306))
0x100d:*(0x306)=~reg
0x1010:*(0x202f)=*(0x2142)
0x10ca:rol(*(0x202f), 15)
[*] ip=0x10ca:set ip to 0x10d3
0x10d3:*(0x10d1)=~(*(0x202f))
0x10d6:*(0x10d2)=~(*(0x2132))
[*] ip=0x10d9:set ip to 0x10e2
0x10e2:*(0x10e0)=~(*(0x202f))
0x10e5:*(0x10e1)=~(*(0x10d2))
0x10e8:reg=~(*(0x10e0)|*(0x10e1))
0x10eb:*(0x10d2)=reg
[*] ip=0x10f1:set ip to 0x10fa
0x10fa:*(0x10f8)=~(*(0x2132))
0x10fd:*(0x10f9)=~(*(0x10d1))
0x1100:reg=~(*(0x10f8)|*(0x10f9))
0x1103:*(0x10d1)=reg
0x1109:reg=~(*(0x10d1)|*(0x10d2))
0x110c:*(0x202f)=~reg
0x110f:reg=~(*(0x202f)|*(0x306))
0x1112:*(0x306)=~reg
0x1115:*(0x202f)=*(0x2143)
0x11cf:rol(*(0x202f), 15)
[*] ip=0x11cf:set ip to 0x11d8
0x11d8:*(0x11d6)=~(*(0x202f))
0x11db:*(0x11d7)=~(*(0x211d))
[*] ip=0x11de:set ip to 0x11e7
0x11e7:*(0x11e5)=~(*(0x202f))
0x11ea:*(0x11e6)=~(*(0x11d7))
0x11ed:reg=~(*(0x11e5)|*(0x11e6))
0x11f0:*(0x11d7)=reg
[*] ip=0x11f6:set ip to 0x11ff
0x11ff:*(0x11fd)=~(*(0x211d))
0x1202:*(0x11fe)=~(*(0x11d6))
0x1205:reg=~(*(0x11fd)|*(0x11fe))
0x1208:*(0x11d6)=reg
0x120e:reg=~(*(0x11d6)|*(0x11d7))
0x1211:*(0x202f)=~reg
0x1214:reg=~(*(0x202f)|*(0x306))
0x1217:*(0x306)=~reg
0x121a:*(0x202f)=*(0x2144)
0x12d4:rol(*(0x202f), 15)
[*] ip=0x12d4:set ip to 0x12dd
0x12dd:*(0x12db)=~(*(0x202f))
0x12e0:*(0x12dc)=~(*(0x2124))
[*] ip=0x12e3:set ip to 0x12ec
0x12ec:*(0x12ea)=~(*(0x202f))
0x12ef:*(0x12eb)=~(*(0x12dc))
0x12f2:reg=~(*(0x12ea)|*(0x12eb))
0x12f5:*(0x12dc)=reg
[*] ip=0x12fb:set ip to 0x1304
0x1304:*(0x1302)=~(*(0x2124))
0x1307:*(0x1303)=~(*(0x12db))
0x130a:reg=~(*(0x1302)|*(0x1303))
0x130d:*(0x12db)=reg
0x1313:reg=~(*(0x12db)|*(0x12dc))
0x1316:*(0x202f)=~reg
0x1319:reg=~(*(0x202f)|*(0x306))
0x131c:*(0x306)=~reg
0x131f:*(0x2145)=*(0x2145)
0x1325:*(0x202f)=*(0x1)
[*] ip=0x132b:set ip to 0x1334
0x1334:*(0x1332)=~(*(0x202f))
0x1337:*(0x1333)=~(*(0x2136))
[*] ip=0x133a:set ip to 0x1343
0x1343:*(0x1341)=~(*(0x202f))
0x1346:*(0x1342)=~(*(0x1333))
0x1349:reg=~(*(0x1341)|*(0x1342))
0x134c:*(0x1333)=reg
[*] ip=0x1352:set ip to 0x135b
0x135b:*(0x1359)=~(*(0x2136))
0x135e:*(0x135a)=~(*(0x1332))
0x1361:reg=~(*(0x1359)|*(0x135a))
0x1364:*(0x1332)=reg
0x136a:reg=~(*(0x1332)|*(0x1333))
0x136d:*(0x202f)=~reg
0x1370:reg=~(*(0x202f)|*(0x306))
0x1373:*(0x306)=~reg
0x1376:*(0x2146)=*(0x2146)
0x137c:*(0x202f)=*(0x1)
[*] ip=0x1382:set ip to 0x138b
0x138b:*(0x1389)=~(*(0x202f))
0x138e:*(0x138a)=~(*(0x2126))
[*] ip=0x1391:set ip to 0x139a
0x139a:*(0x1398)=~(*(0x202f))
0x139d:*(0x1399)=~(*(0x138a))
0x13a0:reg=~(*(0x1398)|*(0x1399))
0x13a3:*(0x138a)=reg
[*] ip=0x13a9:set ip to 0x13b2
0x13b2:*(0x13b0)=~(*(0x2126))
0x13b5:*(0x13b1)=~(*(0x1389))
0x13b8:reg=~(*(0x13b0)|*(0x13b1))
0x13bb:*(0x1389)=reg
0x13c1:reg=~(*(0x1389)|*(0x138a))
0x13c4:*(0x202f)=~reg
0x13c7:reg=~(*(0x202f)|*(0x306))
0x13ca:*(0x306)=~reg
0x13cd:*(0x2147)=*(0x2147)
0x13d3:*(0x202f)=*(0x1)
[*] ip=0x13d9:set ip to 0x13e2
0x13e2:*(0x13e0)=~(*(0x202f))
0x13e5:*(0x13e1)=~(*(0x2122))
[*] ip=0x13e8:set ip to 0x13f1
0x13f1:*(0x13ef)=~(*(0x202f))
0x13f4:*(0x13f0)=~(*(0x13e1))
0x13f7:reg=~(*(0x13ef)|*(0x13f0))
0x13fa:*(0x13e1)=reg
[*] ip=0x1400:set ip to 0x1409
0x1409:*(0x1407)=~(*(0x2122))
0x140c:*(0x1408)=~(*(0x13e0))
0x140f:reg=~(*(0x1407)|*(0x1408))
0x1412:*(0x13e0)=reg
0x1418:reg=~(*(0x13e0)|*(0x13e1))
0x141b:*(0x202f)=~reg
0x141e:reg=~(*(0x202f)|*(0x306))
0x1421:*(0x306)=~reg
0x1424:*(0x2148)=*(0x2148)
0x142a:*(0x202f)=*(0x1)
[*] ip=0x1430:set ip to 0x1439
0x1439:*(0x1437)=~(*(0x202f))
0x143c:*(0x1438)=~(*(0x2114))
[*] ip=0x143f:set ip to 0x1448
0x1448:*(0x1446)=~(*(0x202f))
0x144b:*(0x1447)=~(*(0x1438))
0x144e:reg=~(*(0x1446)|*(0x1447))
0x1451:*(0x1438)=reg
[*] ip=0x1457:set ip to 0x1460
0x1460:*(0x145e)=~(*(0x2114))
0x1463:*(0x145f)=~(*(0x1437))
0x1466:reg=~(*(0x145e)|*(0x145f))
0x1469:*(0x1437)=reg
0x146f:reg=~(*(0x1437)|*(0x1438))
0x1472:*(0x202f)=~reg
0x1475:reg=~(*(0x202f)|*(0x306))
0x1478:*(0x306)=~reg
[*] ip=0x147b:set ip to 0x1484
0x1484:*(0x1482)=~(*(0x2149))
0x1487:*(0x1483)=~(*(0x212d))
[*] ip=0x148a:set ip to 0x1493
0x1493:*(0x1491)=~(*(0x2149))
0x1496:*(0x1492)=~(*(0x1483))
0x1499:reg=~(*(0x1491)|*(0x1492))
0x149c:*(0x1483)=reg
[*] ip=0x14a2:set ip to 0x14ab
0x14ab:*(0x14a9)=~(*(0x212d))
0x14ae:*(0x14aa)=~(*(0x1482))
0x14b1:reg=~(*(0x14a9)|*(0x14aa))
0x14b4:*(0x1482)=reg
0x14ba:reg=~(*(0x1482)|*(0x1483))
0x14bd:*(0x202f)=~reg
[*] ip=0x14c0:set ip to 0x14c9
0x14c9:*(0x14c7)=~(*(0x202f))
0x14cc:*(0x14c8)=~(*(0x2115))
[*] ip=0x14cf:set ip to 0x14d8
0x14d8:*(0x14d6)=~(*(0x202f))
0x14db:*(0x14d7)=~(*(0x14c8))
0x14de:reg=~(*(0x14d6)|*(0x14d7))
0x14e1:*(0x14c8)=reg
[*] ip=0x14e7:set ip to 0x14f0
0x14f0:*(0x14ee)=~(*(0x2115))
0x14f3:*(0x14ef)=~(*(0x14c7))
0x14f6:reg=~(*(0x14ee)|*(0x14ef))
0x14f9:*(0x14c7)=reg
0x14ff:reg=~(*(0x14c7)|*(0x14c8))
0x1502:*(0x202f)=~reg
0x1505:reg=~(*(0x202f)|*(0x306))
0x1508:*(0x306)=~reg
0x150b:*(0x214a)=*(0x214a)
0x1511:*(0x202f)=*(0x1)
[*] ip=0x1517:set ip to 0x1520
0x1520:*(0x151e)=~(*(0x202f))
0x1523:*(0x151f)=~(*(0x212a))
[*] ip=0x1526:set ip to 0x152f
0x152f:*(0x152d)=~(*(0x202f))
0x1532:*(0x152e)=~(*(0x151f))
0x1535:reg=~(*(0x152d)|*(0x152e))
0x1538:*(0x151f)=reg
[*] ip=0x153e:set ip to 0x1547
0x1547:*(0x1545)=~(*(0x212a))
0x154a:*(0x1546)=~(*(0x151e))
0x154d:reg=~(*(0x1545)|*(0x1546))
0x1550:*(0x151e)=reg
0x1556:reg=~(*(0x151e)|*(0x151f))
0x1559:*(0x202f)=~reg
0x155c:reg=~(*(0x202f)|*(0x306))
0x155f:*(0x306)=~reg
0x1562:*(0x202f)=*(0x214b)
0x161c:rol(*(0x202f), 15)
[*] ip=0x161c:set ip to 0x1625
0x1625:*(0x1623)=~(*(0x202f))
0x1628:*(0x1624)=~(*(0x212e))
[*] ip=0x162b:set ip to 0x1634
0x1634:*(0x1632)=~(*(0x202f))
0x1637:*(0x1633)=~(*(0x1624))
0x163a:reg=~(*(0x1632)|*(0x1633))
0x163d:*(0x1624)=reg
[*] ip=0x1643:set ip to 0x164c
0x164c:*(0x164a)=~(*(0x212e))
0x164f:*(0x164b)=~(*(0x1623))
0x1652:reg=~(*(0x164a)|*(0x164b))
0x1655:*(0x1623)=reg
0x165b:reg=~(*(0x1623)|*(0x1624))
0x165e:*(0x202f)=~reg
0x1661:reg=~(*(0x202f)|*(0x306))
0x1664:*(0x306)=~reg
[*] ip=0x1667:set ip to 0x1670
0x1670:*(0x166e)=~(*(0x214c))
0x1673:*(0x166f)=~(*(0x2118))
[*] ip=0x1676:set ip to 0x167f
0x167f:*(0x167d)=~(*(0x214c))
0x1682:*(0x167e)=~(*(0x166f))
0x1685:reg=~(*(0x167d)|*(0x167e))
0x1688:*(0x166f)=reg
[*] ip=0x168e:set ip to 0x1697
0x1697:*(0x1695)=~(*(0x2118))
0x169a:*(0x1696)=~(*(0x166e))
0x169d:reg=~(*(0x1695)|*(0x1696))
0x16a0:*(0x166e)=reg
0x16a6:reg=~(*(0x166e)|*(0x166f))
0x16a9:*(0x202f)=~reg
[*] ip=0x16ac:set ip to 0x16b5
0x16b5:*(0x16b3)=~(*(0x202f))
0x16b8:*(0x16b4)=~(*(0x2131))
[*] ip=0x16bb:set ip to 0x16c4
0x16c4:*(0x16c2)=~(*(0x202f))
0x16c7:*(0x16c3)=~(*(0x16b4))
0x16ca:reg=~(*(0x16c2)|*(0x16c3))
0x16cd:*(0x16b4)=reg
[*] ip=0x16d3:set ip to 0x16dc
0x16dc:*(0x16da)=~(*(0x2131))
0x16df:*(0x16db)=~(*(0x16b3))
0x16e2:reg=~(*(0x16da)|*(0x16db))
0x16e5:*(0x16b3)=reg
0x16eb:reg=~(*(0x16b3)|*(0x16b4))
0x16ee:*(0x202f)=~reg
0x16f1:reg=~(*(0x202f)|*(0x306))
0x16f4:*(0x306)=~reg
0x16f7:*(0x202f)=*(0x214d)
0x17b1:rol(*(0x202f), 15)
[*] ip=0x17b1:set ip to 0x17ba
0x17ba:*(0x17b8)=~(*(0x202f))
0x17bd:*(0x17b9)=~(*(0x2129))
[*] ip=0x17c0:set ip to 0x17c9
0x17c9:*(0x17c7)=~(*(0x202f))
0x17cc:*(0x17c8)=~(*(0x17b9))
0x17cf:reg=~(*(0x17c7)|*(0x17c8))
0x17d2:*(0x17b9)=reg
[*] ip=0x17d8:set ip to 0x17e1
0x17e1:*(0x17df)=~(*(0x2129))
0x17e4:*(0x17e0)=~(*(0x17b8))
0x17e7:reg=~(*(0x17df)|*(0x17e0))
0x17ea:*(0x17b8)=reg
0x17f0:reg=~(*(0x17b8)|*(0x17b9))
0x17f3:*(0x202f)=~reg
0x17f6:reg=~(*(0x202f)|*(0x306))
0x17f9:*(0x306)=~reg
[*] ip=0x17fc:set ip to 0x1805
0x1805:*(0x1803)=~(*(0x214e))
0x1808:*(0x1804)=~(*(0x211e))
[*] ip=0x180b:set ip to 0x1814
0x1814:*(0x1812)=~(*(0x214e))
0x1817:*(0x1813)=~(*(0x1804))
0x181a:reg=~(*(0x1812)|*(0x1813))
0x181d:*(0x1804)=reg
[*] ip=0x1823:set ip to 0x182c
0x182c:*(0x182a)=~(*(0x211e))
0x182f:*(0x182b)=~(*(0x1803))
0x1832:reg=~(*(0x182a)|*(0x182b))
0x1835:*(0x1803)=reg
0x183b:reg=~(*(0x1803)|*(0x1804))
0x183e:*(0x202f)=~reg
[*] ip=0x1841:set ip to 0x184a
0x184a:*(0x1848)=~(*(0x202f))
0x184d:*(0x1849)=~(*(0x212c))
[*] ip=0x1850:set ip to 0x1859
0x1859:*(0x1857)=~(*(0x202f))
0x185c:*(0x1858)=~(*(0x1849))
0x185f:reg=~(*(0x1857)|*(0x1858))
0x1862:*(0x1849)=reg
[*] ip=0x1868:set ip to 0x1871
0x1871:*(0x186f)=~(*(0x212c))
0x1874:*(0x1870)=~(*(0x1848))
0x1877:reg=~(*(0x186f)|*(0x1870))
0x187a:*(0x1848)=reg
0x1880:reg=~(*(0x1848)|*(0x1849))
0x1883:*(0x202f)=~reg
0x1886:reg=~(*(0x202f)|*(0x306))
0x1889:*(0x306)=~reg
0x188c:*(0x214f)=*(0x214f)
0x1892:*(0x202f)=*(0x1)
[*] ip=0x1898:set ip to 0x18a1
0x18a1:*(0x189f)=~(*(0x202f))
0x18a4:*(0x18a0)=~(*(0x2130))
[*] ip=0x18a7:set ip to 0x18b0
0x18b0:*(0x18ae)=~(*(0x202f))
0x18b3:*(0x18af)=~(*(0x18a0))
0x18b6:reg=~(*(0x18ae)|*(0x18af))
0x18b9:*(0x18a0)=reg
[*] ip=0x18bf:set ip to 0x18c8
0x18c8:*(0x18c6)=~(*(0x2130))
0x18cb:*(0x18c7)=~(*(0x189f))
0x18ce:reg=~(*(0x18c6)|*(0x18c7))
0x18d1:*(0x189f)=reg
0x18d7:reg=~(*(0x189f)|*(0x18a0))
0x18da:*(0x202f)=~reg
0x18dd:reg=~(*(0x202f)|*(0x306))
0x18e0:*(0x306)=~reg
0x18e3:*(0x202f)=*(0x2150)
0x199d:rol(*(0x202f), 15)
[*] ip=0x199d:set ip to 0x19a6
0x19a6:*(0x19a4)=~(*(0x202f))
0x19a9:*(0x19a5)=~(*(0x212e))
[*] ip=0x19ac:set ip to 0x19b5
0x19b5:*(0x19b3)=~(*(0x202f))
0x19b8:*(0x19b4)=~(*(0x19a5))
0x19bb:reg=~(*(0x19b3)|*(0x19b4))
0x19be:*(0x19a5)=reg
[*] ip=0x19c4:set ip to 0x19cd
0x19cd:*(0x19cb)=~(*(0x212e))
0x19d0:*(0x19cc)=~(*(0x19a4))
0x19d3:reg=~(*(0x19cb)|*(0x19cc))
0x19d6:*(0x19a4)=reg
0x19dc:reg=~(*(0x19a4)|*(0x19a5))
0x19df:*(0x202f)=~reg
0x19e2:reg=~(*(0x202f)|*(0x306))
0x19e5:*(0x306)=~reg
0x19e8:*(0x2151)=*(0x2151)
0x19ee:*(0x202f)=*(0x1)
[*] ip=0x19f4:set ip to 0x19fd
0x19fd:*(0x19fb)=~(*(0x202f))
0x1a00:*(0x19fc)=~(*(0x211c))
[*] ip=0x1a03:set ip to 0x1a0c
0x1a0c:*(0x1a0a)=~(*(0x202f))
0x1a0f:*(0x1a0b)=~(*(0x19fc))
0x1a12:reg=~(*(0x1a0a)|*(0x1a0b))
0x1a15:*(0x19fc)=reg
[*] ip=0x1a1b:set ip to 0x1a24
0x1a24:*(0x1a22)=~(*(0x211c))
0x1a27:*(0x1a23)=~(*(0x19fb))
0x1a2a:reg=~(*(0x1a22)|*(0x1a23))
0x1a2d:*(0x19fb)=reg
0x1a33:reg=~(*(0x19fb)|*(0x19fc))
0x1a36:*(0x202f)=~reg
0x1a39:reg=~(*(0x202f)|*(0x306))
0x1a3c:*(0x306)=~reg
[*] ip=0x1a3f:set ip to 0x1a48
0x1a48:*(0x1a46)=~(*(0x2152))
0x1a4b:*(0x1a47)=~(*(0x2119))
[*] ip=0x1a4e:set ip to 0x1a57
0x1a57:*(0x1a55)=~(*(0x2152))
0x1a5a:*(0x1a56)=~(*(0x1a47))
0x1a5d:reg=~(*(0x1a55)|*(0x1a56))
0x1a60:*(0x1a47)=reg
[*] ip=0x1a66:set ip to 0x1a6f
0x1a6f:*(0x1a6d)=~(*(0x2119))
0x1a72:*(0x1a6e)=~(*(0x1a46))
0x1a75:reg=~(*(0x1a6d)|*(0x1a6e))
0x1a78:*(0x1a46)=reg
0x1a7e:reg=~(*(0x1a46)|*(0x1a47))
0x1a81:*(0x202f)=~reg
[*] ip=0x1a84:set ip to 0x1a8d
0x1a8d:*(0x1a8b)=~(*(0x202f))
0x1a90:*(0x1a8c)=~(*(0x2128))
[*] ip=0x1a93:set ip to 0x1a9c
0x1a9c:*(0x1a9a)=~(*(0x202f))
0x1a9f:*(0x1a9b)=~(*(0x1a8c))
0x1aa2:reg=~(*(0x1a9a)|*(0x1a9b))
0x1aa5:*(0x1a8c)=reg
[*] ip=0x1aab:set ip to 0x1ab4
0x1ab4:*(0x1ab2)=~(*(0x2128))
0x1ab7:*(0x1ab3)=~(*(0x1a8b))
0x1aba:reg=~(*(0x1ab2)|*(0x1ab3))
0x1abd:*(0x1a8b)=reg
0x1ac3:reg=~(*(0x1a8b)|*(0x1a8c))
0x1ac6:*(0x202f)=~reg
0x1ac9:reg=~(*(0x202f)|*(0x306))
0x1acc:*(0x306)=~reg
[*] ip=0x1acf:set ip to 0x1ad8
0x1ad8:*(0x1ad6)=~(*(0x2153))
0x1adb:*(0x1ad7)=~(*(0x212f))
[*] ip=0x1ade:set ip to 0x1ae7
0x1ae7:*(0x1ae5)=~(*(0x2153))
0x1aea:*(0x1ae6)=~(*(0x1ad7))
0x1aed:reg=~(*(0x1ae5)|*(0x1ae6))
0x1af0:*(0x1ad7)=reg
[*] ip=0x1af6:set ip to 0x1aff
0x1aff:*(0x1afd)=~(*(0x212f))
0x1b02:*(0x1afe)=~(*(0x1ad6))
0x1b05:reg=~(*(0x1afd)|*(0x1afe))
0x1b08:*(0x1ad6)=reg
0x1b0e:reg=~(*(0x1ad6)|*(0x1ad7))
0x1b11:*(0x202f)=~reg
[*] ip=0x1b14:set ip to 0x1b1d
0x1b1d:*(0x1b1b)=~(*(0x202f))
0x1b20:*(0x1b1c)=~(*(0x2122))
[*] ip=0x1b23:set ip to 0x1b2c
0x1b2c:*(0x1b2a)=~(*(0x202f))
0x1b2f:*(0x1b2b)=~(*(0x1b1c))
0x1b32:reg=~(*(0x1b2a)|*(0x1b2b))
0x1b35:*(0x1b1c)=reg
[*] ip=0x1b3b:set ip to 0x1b44
0x1b44:*(0x1b42)=~(*(0x2122))
0x1b47:*(0x1b43)=~(*(0x1b1b))
0x1b4a:reg=~(*(0x1b42)|*(0x1b43))
0x1b4d:*(0x1b1b)=reg
0x1b53:reg=~(*(0x1b1b)|*(0x1b1c))
0x1b56:*(0x202f)=~reg
0x1b59:reg=~(*(0x202f)|*(0x306))
0x1b5c:*(0x306)=~reg
[*] ip=0x1b5f:set ip to 0x1b68
0x1b68:*(0x1b66)=~(*(0x2154))
0x1b6b:*(0x1b67)=~(*(0x211a))
[*] ip=0x1b6e:set ip to 0x1b77
0x1b77:*(0x1b75)=~(*(0x2154))
0x1b7a:*(0x1b76)=~(*(0x1b67))
0x1b7d:reg=~(*(0x1b75)|*(0x1b76))
0x1b80:*(0x1b67)=reg
[*] ip=0x1b86:set ip to 0x1b8f
0x1b8f:*(0x1b8d)=~(*(0x211a))
0x1b92:*(0x1b8e)=~(*(0x1b66))
0x1b95:reg=~(*(0x1b8d)|*(0x1b8e))
0x1b98:*(0x1b66)=reg
0x1b9e:reg=~(*(0x1b66)|*(0x1b67))
0x1ba1:*(0x202f)=~reg
[*] ip=0x1ba4:set ip to 0x1bad
0x1bad:*(0x1bab)=~(*(0x202f))
0x1bb0:*(0x1bac)=~(*(0x2120))
[*] ip=0x1bb3:set ip to 0x1bbc
0x1bbc:*(0x1bba)=~(*(0x202f))
0x1bbf:*(0x1bbb)=~(*(0x1bac))
0x1bc2:reg=~(*(0x1bba)|*(0x1bbb))
0x1bc5:*(0x1bac)=reg
[*] ip=0x1bcb:set ip to 0x1bd4
0x1bd4:*(0x1bd2)=~(*(0x2120))
0x1bd7:*(0x1bd3)=~(*(0x1bab))
0x1bda:reg=~(*(0x1bd2)|*(0x1bd3))
0x1bdd:*(0x1bab)=reg
0x1be3:reg=~(*(0x1bab)|*(0x1bac))
0x1be6:*(0x202f)=~reg
0x1be9:reg=~(*(0x202f)|*(0x306))
0x1bec:*(0x306)=~reg
0x1bef:*(0x202f)=*(0x2155)
0x1ca9:rol(*(0x202f), 15)
[*] ip=0x1ca9:set ip to 0x1cb2
0x1cb2:*(0x1cb0)=~(*(0x202f))
0x1cb5:*(0x1cb1)=~(*(0x212e))
[*] ip=0x1cb8:set ip to 0x1cc1
0x1cc1:*(0x1cbf)=~(*(0x202f))
0x1cc4:*(0x1cc0)=~(*(0x1cb1))
0x1cc7:reg=~(*(0x1cbf)|*(0x1cc0))
0x1cca:*(0x1cb1)=reg
[*] ip=0x1cd0:set ip to 0x1cd9
0x1cd9:*(0x1cd7)=~(*(0x212e))
0x1cdc:*(0x1cd8)=~(*(0x1cb0))
0x1cdf:reg=~(*(0x1cd7)|*(0x1cd8))
0x1ce2:*(0x1cb0)=reg
0x1ce8:reg=~(*(0x1cb0)|*(0x1cb1))
0x1ceb:*(0x202f)=~reg
0x1cee:reg=~(*(0x202f)|*(0x306))
0x1cf1:*(0x306)=~reg
[*] ip=0x1cf4:set ip to 0x1cfd
0x1cfd:*(0x1cfb)=~(*(0x2156))
0x1d00:*(0x1cfc)=~(*(0x2127))
[*] ip=0x1d03:set ip to 0x1d0c
0x1d0c:*(0x1d0a)=~(*(0x2156))
0x1d0f:*(0x1d0b)=~(*(0x1cfc))
0x1d12:reg=~(*(0x1d0a)|*(0x1d0b))
0x1d15:*(0x1cfc)=reg
[*] ip=0x1d1b:set ip to 0x1d24
0x1d24:*(0x1d22)=~(*(0x2127))
0x1d27:*(0x1d23)=~(*(0x1cfb))
0x1d2a:reg=~(*(0x1d22)|*(0x1d23))
0x1d2d:*(0x1cfb)=reg
0x1d33:reg=~(*(0x1cfb)|*(0x1cfc))
0x1d36:*(0x202f)=~reg
[*] ip=0x1d39:set ip to 0x1d42
0x1d42:*(0x1d40)=~(*(0x202f))
0x1d45:*(0x1d41)=~(*(0x2117))
[*] ip=0x1d48:set ip to 0x1d51
0x1d51:*(0x1d4f)=~(*(0x202f))
0x1d54:*(0x1d50)=~(*(0x1d41))
0x1d57:reg=~(*(0x1d4f)|*(0x1d50))
0x1d5a:*(0x1d41)=reg
[*] ip=0x1d60:set ip to 0x1d69
0x1d69:*(0x1d67)=~(*(0x2117))
0x1d6c:*(0x1d68)=~(*(0x1d40))
0x1d6f:reg=~(*(0x1d67)|*(0x1d68))
0x1d72:*(0x1d40)=reg
0x1d78:reg=~(*(0x1d40)|*(0x1d41))
0x1d7b:*(0x202f)=~reg
0x1d7e:reg=~(*(0x202f)|*(0x306))
0x1d81:*(0x306)=~reg
0x1d84:*(0x2157)=*(0x2157)
0x1d8a:*(0x202f)=*(0x1)
[*] ip=0x1d90:set ip to 0x1d99
0x1d99:*(0x1d97)=~(*(0x202f))
0x1d9c:*(0x1d98)=~(*(0x2122))
[*] ip=0x1d9f:set ip to 0x1da8
0x1da8:*(0x1da6)=~(*(0x202f))
0x1dab:*(0x1da7)=~(*(0x1d98))
0x1dae:reg=~(*(0x1da6)|*(0x1da7))
0x1db1:*(0x1d98)=reg
[*] ip=0x1db7:set ip to 0x1dc0
0x1dc0:*(0x1dbe)=~(*(0x2122))
0x1dc3:*(0x1dbf)=~(*(0x1d97))
0x1dc6:reg=~(*(0x1dbe)|*(0x1dbf))
0x1dc9:*(0x1d97)=reg
0x1dcf:reg=~(*(0x1d97)|*(0x1d98))
0x1dd2:*(0x202f)=~reg
0x1dd5:reg=~(*(0x202f)|*(0x306))
0x1dd8:*(0x306)=~reg
[*] ip=0x1ddb:set ip to 0x1de4
0x1de4:*(0x1de2)=~(*(0x2158))
0x1de7:*(0x1de3)=~(*(0x211a))
[*] ip=0x1dea:set ip to 0x1df3
0x1df3:*(0x1df1)=~(*(0x2158))
0x1df6:*(0x1df2)=~(*(0x1de3))
0x1df9:reg=~(*(0x1df1)|*(0x1df2))
0x1dfc:*(0x1de3)=reg
[*] ip=0x1e02:set ip to 0x1e0b
0x1e0b:*(0x1e09)=~(*(0x211a))
0x1e0e:*(0x1e0a)=~(*(0x1de2))
0x1e11:reg=~(*(0x1e09)|*(0x1e0a))
0x1e14:*(0x1de2)=reg
0x1e1a:reg=~(*(0x1de2)|*(0x1de3))
0x1e1d:*(0x202f)=~reg
[*] ip=0x1e20:set ip to 0x1e29
0x1e29:*(0x1e27)=~(*(0x202f))
0x1e2c:*(0x1e28)=~(*(0x2121))
[*] ip=0x1e2f:set ip to 0x1e38
0x1e38:*(0x1e36)=~(*(0x202f))
0x1e3b:*(0x1e37)=~(*(0x1e28))
0x1e3e:reg=~(*(0x1e36)|*(0x1e37))
0x1e41:*(0x1e28)=reg
[*] ip=0x1e47:set ip to 0x1e50
0x1e50:*(0x1e4e)=~(*(0x2121))
0x1e53:*(0x1e4f)=~(*(0x1e27))
0x1e56:reg=~(*(0x1e4e)|*(0x1e4f))
0x1e59:*(0x1e27)=reg
0x1e5f:reg=~(*(0x1e27)|*(0x1e28))
0x1e62:*(0x202f)=~reg
0x1e65:reg=~(*(0x202f)|*(0x306))
0x1e68:*(0x306)=~reg
0x1e6b:*(0x2159)=*(0x2159)
0x1e71:*(0x202f)=*(0x1)
[*] ip=0x1e77:set ip to 0x1e80
0x1e80:*(0x1e7e)=~(*(0x202f))
0x1e83:*(0x1e7f)=~(*(0x2134))
[*] ip=0x1e86:set ip to 0x1e8f
0x1e8f:*(0x1e8d)=~(*(0x202f))
0x1e92:*(0x1e8e)=~(*(0x1e7f))
0x1e95:reg=~(*(0x1e8d)|*(0x1e8e))
0x1e98:*(0x1e7f)=reg
[*] ip=0x1e9e:set ip to 0x1ea7
0x1ea7:*(0x1ea5)=~(*(0x2134))
0x1eaa:*(0x1ea6)=~(*(0x1e7e))
0x1ead:reg=~(*(0x1ea5)|*(0x1ea6))
0x1eb0:*(0x1e7e)=reg
0x1eb6:reg=~(*(0x1e7e)|*(0x1e7f))
0x1eb9:*(0x202f)=~reg
0x1ebc:reg=~(*(0x202f)|*(0x306))
0x1ebf:*(0x306)=~reg
0x1ec2:reg=0x0
0x1ecd:*(0x8)=~reg
0x1ed0:reg=~(*(0x8)|*(0x306))
0x1ed3:*(0x8)=~reg
0x1ee2:rol(*(0x8), 1)
0x1ee2:reg=~(*(0x8)|*(0x306))
0x1ee5:*(0x8)=~reg
0x1ef4:rol(*(0x8), 1)
0x1ef4:reg=~(*(0x8)|*(0x306))
0x1ef7:*(0x8)=~reg
0x1f06:rol(*(0x8), 1)
0x1f06:reg=~(*(0x8)|*(0x306))
0x1f09:*(0x8)=~reg
0x1f18:rol(*(0x8), 1)
0x1f18:reg=~(*(0x8)|*(0x306))
0x1f1b:*(0x8)=~reg
0x1f2a:rol(*(0x8), 1)
0x1f2a:reg=~(*(0x8)|*(0x306))
0x1f2d:*(0x8)=~reg
0x1f3c:rol(*(0x8), 1)
0x1f3c:reg=~(*(0x8)|*(0x306))
0x1f3f:*(0x8)=~reg
0x1f4e:rol(*(0x8), 1)
0x1f4e:reg=~(*(0x8)|*(0x306))
0x1f51:*(0x8)=~reg
0x1f60:rol(*(0x8), 1)
0x1f60:reg=~(*(0x8)|*(0x306))
0x1f63:*(0x8)=~reg
0x1f72:rol(*(0x8), 1)
0x1f72:reg=~(*(0x8)|*(0x306))
0x1f75:*(0x8)=~reg
0x1f84:rol(*(0x8), 1)
0x1f84:reg=~(*(0x8)|*(0x306))
0x1f87:*(0x8)=~reg
0x1f96:rol(*(0x8), 1)
0x1f96:reg=~(*(0x8)|*(0x306))
0x1f99:*(0x8)=~reg
0x1fa8:rol(*(0x8), 1)
0x1fa8:reg=~(*(0x8)|*(0x306))
0x1fab:*(0x8)=~reg
0x1fba:rol(*(0x8), 1)
0x1fba:reg=~(*(0x8)|*(0x306))
0x1fbd:*(0x8)=~reg
0x1fcc:rol(*(0x8), 1)
0x1fcc:reg=~(*(0x8)|*(0x306))
0x1fcf:*(0x8)=~reg
0x1fde:rol(*(0x8), 1)
0x1fde:reg=~(*(0x8)|*(0x306))
0x1fe1:*(0x8)=~reg
[*] ip=0x1fe4:set ip to 0x1fed
[*] ip=0x1fed:set ip to 0x1ff6
[*] ip=0x1ff6:set ip to 0x1fff
0x1fff:*(0x1ffd)=~(*(0x1fec))
0x2002:*(0x1ffe)=~(*(0x8))
0x2005:reg=~(*(0x1ffd)|*(0x1ffe))
0x2008:*(0x1ff4)=reg
0x200e:*(0x1ff5)=~(*(0x8))
[*] ip=0x2011:set ip to 0x201a
0x201a:*(0x2018)=~(*(0x1feb))
0x201d:*(0x2019)=~(*(0x1ff5))
0x2020:reg=~(*(0x2018)|*(0x2019))
0x2023:*(0x1ff5)=reg
0x2029:reg=~(*(0x1ff4)|*(0x1ff5))
[*] ip=0x202c:set ip to 0x0
error at ip=0x202c

观察后可以知道0x306是一个很关键的标志,程序将输入的字符进行某种运算后再与0x306位置进行运算。而0x1ecd位置处开始则像是对能否得到flag的判断,其中有对0x306处的移位操作,那猜测能得到flag的条件无非是0x306为0xffff或0,经过动调验证发现0x306位置必须为0。

现在再跟踪对输入字符的运算,比如从0x5c3开始的部分,可以大致简化如下:

*(0x202f)=*(0x2137)
rol(*(0x202f), 15)
*(0x685)=~(~(*(0x202f))|*(0x212c))
*(0x684)=~(~(*(0x212c))|*(0x202f))
*(0x202f)=(*(0x684)|*(0x685))
*(0x306)=(*(0x202f)|*(0x306))

由此可得0x202f处要为0。注意到位运算有如下特征:由于~(~a|b)=a&~b,~(~b|a)=b&~a,二者相或恰为a^b,因此若(~(~a|b))|(~(~b|a))==0,则a==b,这里就是在移位后判断相等。类似地,程序中还包含另外两种加密方式:移动1位,和进行或运算。通过脚本输出的指令,我们可以很好判断对应位置使用的加密方式,得到如下解题脚本:

from pwn import *
#context.log_level='warning'
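ip = 300  # disassembler program counter; the VM loads its code image at word 300
reg = 0   # last value the disassembler could track for the VM's scratch register (word 7)
# Prepend 300 zero words so that a CodeList index equals the VM word address
# (the dumped image starts at word 300 of the VM's memory).
with open('code.bin', 'rb') as code_file:
    originalCode = b'\x00' * 600 + code_file.read()
# Every VM cell is one 16-bit word, so the image must contain whole words.
assert len(originalCode) % 2 == 0
# Unpack the image word by word with pwntools' u16, one list entry per VM cell.
CodeList = [u16(originalCode[k * 2:k * 2 + 2]) for k in range(len(originalCode) // 2)]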

def rol(num):
    """Rotate the 16-bit value *num* left by one bit (bit 15 wraps around to bit 0)."""
    assert 0 <= num <= 0xffff
    carried_bit = num >> 15
    return ((num << 1) & 0xffff) + carried_bit

def rol_back(num):
    """Rotate the 16-bit value *num* right by one bit (bit 0 wraps around to bit 15)."""
    assert 0 <= num <= 0xffff
    low_bit = num & 1
    return (num >> 1) + (low_bit << 15)

def rev(num):
    """Bitwise NOT of *num* truncated to the VM's 16-bit word width."""
    return (num & 0xffff) ^ 0xffff

def jmp(addr):
    """Move the disassembler's program counter to *addr* and log the transfer.

    A jump that goes backwards or more than 30 words ahead pauses for operator
    input first — presumably because the program only uses short forward skips
    over embedded immediates (confirm against the disassembly output).
    """
    global ip
    info(f'ip={hex(ip)}:set ip to {hex(addr)}')
    delta = addr - ip
    if not 0 <= delta <= 30:
        input(f"error at ip={hex(ip)}")
    ip = addr

def pattern_nor_reg(code):
    """Match a bare `nor src0, src1 -> word 7` (the scratch register).

    Returns [src0, src1] on a match, else -1.
    """
    first, second, target = code[0], code[1], code[2]
    if target == 7:
        return [first, second]
    return -1

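def nor_reg_handler(result):
    """Render a matched nor-into-register; *result* is [src0, src1].

    Note: the module-level `reg` is not updated by this handler (the original
    assigned a function-local `reg` that was never read; that dead store is gone).
    """
    src0, src1 = result[0], result[1]
    return f'reg=~(*({hex(src0)})|*({hex(src1)}))'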

def pattern_not(code):
    """Match `nor x, x -> dst`, i.e. dst = ~x.

    Returns [x, dst] on a match, else -1.
    """
    operand, operand_again, target = code[0], code[1], code[2]
    if operand == operand_again:
        return [operand, target]
    return -1

def not_handler(result):
    """Render a matched NOT; *result* is [src, dst]."""
    src, dst = result[0], result[1]
    return '*(' + hex(dst) + ')=~(*(' + hex(src) + '))'

def pattern_load_reg(code):
    """Match `nor x, x -> word 7`: the scratch register now holds ~x.

    Returns x on a match, else -1.
    """
    operand, operand_again, target = code[0], code[1], code[2]
    if operand == operand_again and target == 7:
        return operand
    return -1

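def load_reg_handler(result):
    """Render a matched load-into-register; *result* is the source word address.

    The original also computed `rev(CodeList[result])` into a function-local
    `reg` that was never read; that dead store (which could only raise
    IndexError for an out-of-range address) is removed here. The module-level
    `reg` is not updated by this handler.
    """
    return f'reg=~(*({hex(result)}))'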

def pattern_save_reg(code):
    """Match `nor word7, word7 -> dst`: store ~register into dst.

    Returns dst on a match, else -1.
    """
    first, second, target = code[0], code[1], code[2]
    if first == 7 and second == 7:
        return target
    return -1

def save_reg_handler(result):
    """Render a matched store-from-register; *result* is the destination address.

    A store into word 0 (the VM's pc) is treated as an indirect jump to the
    tracked register value: ip is moved there and then backed up by 3 so the
    caller's fixed 3-word advance for this pattern lands exactly on the target.
    Returns None in that case so nothing is printed.
    """
    global reg, ip
    if result == 0:
        jmp(reg)
        info('regjump')
        ip -= 3
        return None
    return '*(' + hex(result) + ')=~reg'

def pattern_jmp(code):
    """Match a load-into-register from addr followed by a store into word 0 (pc).

    Returns addr (the word holding the jump target) on a match, else -1.
    """
    target_slot = pattern_load_reg(code)
    if target_slot == -1:
        return -1
    next0, next1, next_dst = code[3], code[4], code[5]
    if next0 == 7 and next1 == 7 and next_dst == 0:
        return target_slot
    return -1

def jmp_handler(result):
    """Follow a matched jump; the target is the word stored at address *result*."""
    destination = CodeList[result]
    jmp(destination)
    return None

def pattern_load_imm(code):
    """Match the load-immediate idiom: a jump whose target word points two
    words past itself, followed at code[8] by a load-into-register of the
    skipped word (addr+1).

    Returns the immediate, code[7], on a match, else -1.
    """
    slot = pattern_jmp(code)
    if slot == -1:
        return -1
    skips_one_word = (CodeList[slot] - slot == 2)
    if skips_one_word and pattern_load_reg(code[8:]) == slot + 1:
        return code[7]
    return -1

def load_imm_handler(result):
    """Record the immediate in the tracked register and render it."""
    global reg
    reg = result
    return 'reg=' + hex(result)

def pattern_put(code):
    """Match the output idiom: load-into-register from chraddr, store into
    word 3 (output character), load immediate 1, store into word 4 (output flag).

    Returns chraddr on a match, else -1.
    """
    chraddr = pattern_load_reg(code)
    if chraddr == -1:
        return -1
    if pattern_save_reg(code[3:]) != 3:
        return -1
    if pattern_load_imm(code[6:]) != 1:
        return -1
    if pattern_save_reg(code[17:]) != 4:
        return -1
    return chraddr

def put_handler(result):
    """Render a matched output as putchar of the character stored at *result*."""
    ch = chr(CodeList[result])
    return "putchar('" + ch + "')"

def pattern_get(code):
    """Match the input idiom: load immediate 1, store into word 6 (input request
    flag), load-into-register from word 5 (input character), store into addr.

    Returns addr (where the character lands) on a match, else -1.
    """
    if pattern_load_imm(code) != 1:
        return -1
    if pattern_save_reg(code[11:]) != 6:
        return -1
    if pattern_load_reg(code[14:]) != 5:
        return -1
    return pattern_save_reg(code[17:])

def get_handler(result):
    """Render a matched input as a getchar into address *result*."""
    return '*(' + hex(result) + ')=getchar()'

def pattern_load_mem(code):
    """Match a copy src -> dst routed through the register (two NOTs cancel out).

    Returns [src, dst] on a match, else -1.
    """
    src = pattern_load_reg(code)
    dst = pattern_save_reg(code[3:])
    if src == -1 or dst == -1:
        return -1
    return [src, dst]

def load_mem_handler(result):
    """Render a matched copy; *result* is [src, dst]. A src of word 7 is shown as reg."""
    src, dst = result[0], result[1]
    if src == 7:
        origin = 'reg'
    else:
        origin = '*(' + hex(src) + ')'
    return '*(' + hex(dst) + ')=' + origin

def pattern_rol(code):
    """Match one rotate step: a copy addr -> addr (which leaves the VM's word 1
    holding the result rotated left by one) followed by a copy word 1 -> addr.

    Returns addr on a match, else -1.
    """
    first_copy = pattern_load_mem(code)
    if first_copy == -1 or first_copy[0] != first_copy[1]:
        return -1
    addr = first_copy[0]
    second_copy = pattern_load_mem(code[6:])
    if second_copy == -1:
        return -1
    if second_copy[1] != addr or second_copy[0] != 1:
        return -1
    return addr

def pattern_rols(code):
    """Match a run of consecutive rotate steps on the same address.

    Moves the global ip to the instruction after the last step itself (the
    `patterns` entry for this matcher advances by 0) and returns
    [addr, steps % 16]; returns -1 when the first step does not match.
    """
    global ip
    addr = pattern_rol(code)
    if addr == -1:
        return -1
    steps = 1
    ip += 12
    while pattern_rol(CodeList[ip:]) == addr:
        steps += 1
        ip += 12
    return [addr, steps % 16]

def rols_handler(result):
    """Render a matched rotate run; *result* is [addr, count]."""
    addr, count = result[0], result[1]
    return 'rol(*(' + hex(addr) + '), ' + str(count) + ')'


# Each entry is [matcher, handler, words to advance ip after a match].
# disassemble() takes the first entry that matches, so compound idioms are
# listed before the bare primitives they are built from.
patterns = [
    [pattern_rols, rols_handler, 0],        # pattern_rols moves ip itself
    [pattern_get, get_handler, 20],
    [pattern_put, put_handler, 20],
    [pattern_load_imm, load_imm_handler, 11],
    [pattern_jmp, jmp_handler, 0],          # jmp() sets ip
    [pattern_load_mem, load_mem_handler, 6],
    [pattern_load_reg, load_reg_handler, 3],
    [pattern_save_reg, save_reg_handler, 3],
    [pattern_not, not_handler, 3],
    [pattern_nor_reg, nor_reg_handler, 3],
]

def disassemble():
    """Walk CodeList from word 300, printing one line per recognised idiom.

    At an address no pattern matches, pause for operator input (ip is not
    advanced, so the prompt repeats until the process is interrupted).
    """
    global ip
    ip = 300
    while ip < len(CodeList):
        for matcher, handler, advance in patterns:
            found = matcher(CodeList[ip:])
            if found == -1:
                continue
            text = handler(found)
            if text is not None:
                print(f'{hex(ip)}:{text}')
            ip += advance
            break
        else:
            input(f'unknown instruction at ip={hex(ip)}')
def solve1(pc, l):
    """Print the characters hidden in *l* blocks starting at *pc*, spaced
    0x78e-0x689 words apart; each block's NOT source word is rotated left by
    one bit before being printed.
    """
    global ip
    ip = pc
    stride = 0x78e - 0x689
    for _ in range(l):
        # Run the first matching handler purely for its side effects on
        # the tracked register / ip; its text is discarded.
        for matcher, handler, _advance in patterns:
            found = matcher(CodeList[ip:])
            if found != -1:
                handler(found)
                break
        src = pattern_not(CodeList[ip:])[0]
        print(chr(rol(CodeList[src])), end='')
        ip += stride
def solve2(pc, l):
    """Print the characters hidden in *l* blocks starting at *pc*.

    Each block holds two NOT source words: num1 at the block start and num2
    0xf41-0xefc words later; every printable ASCII i satisfying
    rev(rev(num1)|i)|rev(rev(i)|num1) == num2 is printed.
    """
    global ip
    ip = pc
    to_second_word = 0xf41 - 0xefc
    to_next_block = 0xf8c - 0xf41
    for _ in range(l):
        num1 = CodeList[pattern_not(CodeList[ip:])[0]]
        ip += to_second_word
        num2 = CodeList[pattern_not(CodeList[ip:])[0]]
        ip += to_next_block
        hits = [chr(i) for i in range(32, 127)
                if (rev(rev(num1) | i) | rev(rev(i) | num1)) == num2]
        print(''.join(hits), end='')
def solve3(pc, l):
    """Print the characters hidden in *l* blocks starting at *pc*, spaced
    0x138e-0x1337 words apart; each block's NOT source word is rotated right
    by one bit before being printed.
    """
    global ip
    ip = pc
    stride = 0x138e - 0x1337
    for _ in range(l):
        # Run the first matching handler purely for its side effects on
        # the tracked register / ip; its text is discarded.
        for matcher, handler, _advance in patterns:
            found = matcher(CodeList[ip:])
            if found != -1:
                handler(found)
                break
        src = pattern_not(CodeList[ip:])[0]
        print(chr(rol_back(CodeList[src])), end='')
        ip += stride

# Flag segments in program order: (decoder, address of first block, block count).
_segments = [
    (solve1, 0x689, 9),
    (solve2, 0xefc, 2),
    (solve1, 0x10d6, 3),
    (solve3, 0x1337, 4),
    (solve2, 0x1487, 1),
    (solve3, 0x1523, 1),
    (solve1, 0x1628, 1),
    (solve2, 0x1673, 1),
    (solve1, 0x17bd, 1),
    (solve2, 0x1808, 1),
    (solve3, 0x18a4, 1),
    (solve1, 0x19a9, 1),
    (solve3, 0x1a00, 1),
    (solve2, 0x1a4b, 3),
    (solve1, 0x1cb5, 1),
    (solve2, 0x1d00, 1),
    (solve3, 0x1d9c, 1),
    (solve2, 0x1de7, 1),
    (solve3, 0x1e83, 1),
]
for decoder, start, count in _segments:
    decoder(start, count)

因为这个程序多半是由脚本生成的,指令单一且规律,因此也可以写个脚本自动识别加密方式解密,不过考虑到flag不长我就直接观察了(

最终得到flag:TSCTF-J{StUp1D_r0BoT_0N1Y_KnOw_n0R}