2018huaweictf7月月賽
0x00 Mobile
解壓得到 class.dex 後發現沒有加殼, 直接分析dex得知load了so庫, 可知用了so中的CheckString函式. 用IDA分析so得到如下反編譯(偽C)程式碼.
1. so檔案主要加密原始碼:
// IDA pseudo-C of the native JNI check exported by the .so.
// The input string is copied, permuted in two stages, and compared against a constant
// embedded in the binary. Because the permutation is fixed and keyless, the accepted
// input can be recovered statically from that constant.
// a1 is presumably the JNIEnv* and a3 the jstring argument (inferred from the JNI export
// name and the call shape below) - confirm against the Java declaration.
// Returns nonzero only when the permuted copy equals the embedded string.
// NOTE(review): the copy v5 is never freed and no release call for v3 is visible here,
// so every call leaks both buffers.
_BOOL4 __cdecl Java_com_testjava_jack_pingan2_cyberpeace_CheckString(int a1, int a2, int a3)
{
    const char *v3; // ST1C_4
    size_t v4; // edi
    char *v5; // esi
    size_t v6; // edi
    char v7; // al
    char v8; // al
    size_t v9; // edi
    char v10; // al
    // Indirect call through the function table at *a1, slot offset 676. On a 32-bit
    // JNIEnv that offset is GetStringUTFChars (index 169), matching the (env, jstring, 0)
    // argument shape: v3 is the caller-supplied string as a C string.
    v3 = (const char *)(*(int (__cdecl **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
    v4 = strlen(v3);
    v5 = (char *)malloc(v4 + 1);
    memset(&v5[v4], 0, v4 != -1); // writes the single NUL terminator at v5[v4]
    memcpy(v5, v3, v4); // v5 is now a private, mutable copy of the submitted flag
    // Stage 1: swap v5[i] with v5[i + 16] for i in [0, strlen(v5) / 2).
    // For a 32-character input this exchanges the two 16-character halves.
    // NOTE(review): the offset 16 is hard-coded and the length is never validated.
    // For inputs of 2..15 characters v5[16] lies beyond the v4 + 1 bytes requested from
    // malloc, so the first pass is a heap out-of-bounds read and write. For 16..31
    // characters the terminator itself is swapped into the string and truncates it.
    if ( strlen(v5) >= 2 )
    {
        v6 = 0;
        do
        {
            v7 = v5[v6];
            v5[v6] = v5[v6 + 16];
            v5[v6++ + 16] = v7;
        }
        while ( v6 < strlen(v5) >> 1 ); // bound is re-read every pass; characters 16 positions (bytes, not bits) apart are exchanged
    }
    // Stage 2: swap each adjacent pair (0,1), (2,3), ...; the first pair is unrolled.
    v8 = *v5;
    if ( *v5 )
    {
        *v5 = v5[1];
        v5[1] = v8;
        if ( strlen(v5) >= 3 )
        {
            v9 = 2;
            do
            {
                v10 = v5[v9];
                v5[v9] = v5[v9 + 1]; // with an odd length the last pass swaps in the NUL terminator
                v5[v9 + 1] = v10;
                v9 += 2;
            }
            while ( v9 < strlen(v5) );
        }
    }
    // The expected permuted value is stored in clear text in the library.
    return strcmp(v5, "f72c5a36569418a20907b55be5bf95ad") == 0;
}
2. 解法1(cpp實現):
#include<iostream>
#include <string.h>
#include <Windows.h>
using namespace std;
// Recovers the flag by running the same two-stage permutation that CheckString()
// applies, this time on the constant the library compares against.
// This works because, for a 32-character string, both stages are index swaps
// (i <-> i+16 and i <-> i^1) and the combined permutation is its own inverse.
// The offset 16 mirrors the binary and is only meaningful for this 32-character value.
// Prints "flag{...}" without a trailing newline and returns 0.
int main()
{
    // Comparison constant lifted from the native library.
    char target[] = "f72c5a36569418a20907b55be5bf95ad";
    char *s = target;

    // Stage 1: exchange characters that sit 16 positions apart (swaps the two halves).
    // strlen() is re-read on every pass, exactly as the decompiled loop does.
    for (size_t idx = 0; idx < (strlen(s) >> 1); ++idx)
    {
        char held = s[idx];
        s[idx] = s[idx + 16];
        s[idx + 16] = held;
    }

    // Stage 2: exchange every adjacent pair; skipped entirely for an empty string.
    if (*s)
    {
        char head = s[0];
        s[0] = s[1];
        s[1] = head;

        for (unsigned int pos = 2; pos < strlen(s); pos += 2)
        {
            char held = s[pos];
            s[pos] = s[pos + 1];
            s[pos + 1] = held;
        }
    }

    printf("flag{%s}", s);
    return 0;
}
3. 解法2(python實現, 又分為正向解法/逆向解法)
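其實這個演算法的加密與解密過程是對稱的: 對32個字元的輸入而言, 第一步把索引 i 與 i+16 互換(等同 i XOR 16), 第二步把相鄰兩個字元互換(等同 i XOR 1), 這兩步可以交換順序, 合起來就是 i XOR 17, 連做兩次即還原. 因此也就有了正向解法, 即把f72c5a36569418a20907b55be5bf95ad重新加密一次即得到flag. 下面code中的兩個函式re()/rev()只是兩步的先後順序不同, 都能得出flag.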
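#!/usr/bin/python2
# -*- coding: utf-8 -*-
# Comparison constant recovered from CheckString() in the native library.
p = "f72c5a36569418a20907b55be5bf95ad"
# Mutable working copy of the constant. re() and rev() permute this list in place,
# so each call changes what the next call starts from.
plain = list(p)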
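def re():
    """Apply the check's permutation to the global ``plain`` in the binary's own order.

    Stage 1 swaps elements 16 positions apart, stage 2 swaps adjacent pairs, then the
    joined result is printed with a "flag: " prefix. ``plain`` is modified in place,
    so calling this twice on a 32-element list restores the starting value.

    The offset 16 is hard-coded to mirror the native code. A list shorter than
    32 elements raises IndexError, where the native code would index past its buffer.
    """
    global plain
    # Stage 1: exchange plain[j] and plain[j + 16] over the first half.
    if len(plain) >= 2:
        for j in range(len(plain) >> 1):
            plain[j], plain[j + 16] = plain[j + 16], plain[j]
    # Stage 2: exchange adjacent pairs; the first pair is handled separately,
    # following the structure of the decompiled function.
    if plain[0]:
        plain[0], plain[1] = plain[1], plain[0]
        if len(plain) > 3:
            for i in range(2, len(plain), 2):
                plain[i], plain[i + 1] = plain[i + 1], plain[i]
    # Parenthesised single-argument print behaves the same on Python 2 and Python 3.
    print("flag: " + "".join(plain))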
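def rev():
    """Apply the check's two stages to the global ``plain`` in reverse order.

    Adjacent pairs are swapped first, then elements 16 positions apart, and the joined
    result is printed with a "flag: " prefix. For the 32-character constant the two
    stages commute, so the output matches that of the forward order.
    ``plain`` is modified in place.

    The offset 16 is hard-coded to mirror the native code; the function is intended
    for the 32-element list built from the recovered constant.
    """
    global plain
    # Undo the pair swap for indices 2 and up (the loop is empty for short lists).
    if len(plain) >= 2:
        for i in range(2, len(plain), 2):
            plain[i], plain[i + 1] = plain[i + 1], plain[i]
    # Undo the first pair, then exchange elements that sit 16 positions apart.
    if plain[0]:
        plain[0], plain[1] = plain[1], plain[0]
        if len(plain) > 3:
            for j in range(len(plain) >> 1):
                plain[j], plain[j + 16] = plain[j + 16], plain[j]
    # Parenthesised single-argument print behaves the same on Python 2 and Python 3.
    print("flag: " + "".join(plain))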
if __name__ == "__main__":
    # re() and rev() print the same flag. Run only one of them per process: both
    # permute the shared `plain` list in place, so a second call would undo the first.
    # re()
    rev()
flag為:
90705bb55efb59da7fc2a5636549812a
0x01 Misc
這道題有點狗血啊, 今天看了一下題目才做出來, 上週用了AVR模擬器解...結果跑了半天沒著落, IDA分析又沒看main函式, 直接看hex去了...然後就...放棄了.
今天看了一下main函式, 發現直接呼叫的是Arduino Keyboard函式庫的標準函式 Keyboard.press() / Keyboard.release(), 傳入的引數直接就是ASCII碼, 把可見字元依序讀出來也就是flag...
; Keystroke prologue inside the firmware's main(). The calls to Keyboard_::press,
; Keyboard_::release and Print::write show the board acting as a USB HID keyboard
; that types into whatever host it is plugged into.
; Register use (avr-gcc convention): r25:r24 carries the first argument, here the object
; pointer 0x01ED passed as `this`; r22 carries the key code; a 32-bit argument such as
; the one given to delay occupies r25:r22. Key-code names are the Arduino Keyboard.h constants.
; Defensive reading: Caps Lock toggle, GUI+R, a typed string, then Enter is the usual
; HID keystroke-injection shape. USB device-class allow-listing and alerting on a newly
; enumerated keyboard that immediately opens the Run dialog are the matching controls.
.text:00000A7E loc_A7E: ; CODE XREF: main+9E↑j
.text:00000A7E ldi r22, 0xE8
.text:00000A7F ldi r23, 3
.text:00000A80 ldi r24, 0
.text:00000A81 ldi r25, 0
.text:00000A82 call delay ; delay(0x000003E8 = 1000), presumably milliseconds - confirm
.text:00000A84 ldi r22, 0xC1 ; 0xC1 = KEY_CAPS_LOCK
.text:00000A85 ldi r24, 0xED
.text:00000A86 ldi r25, 1
.text:00000A87 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000A89 ldi r22, 0xC1 ; 0xC1 = KEY_CAPS_LOCK
.text:00000A8A ldi r24, 0xED
.text:00000A8B ldi r25, 1
.text:00000A8C call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000A8E ldi r22, 0xF4
.text:00000A8F ldi r23, 1
.text:00000A90 ldi r24, 0
.text:00000A91 ldi r25, 0
.text:00000A92 call delay ; delay(0x000001F4 = 500); the same pause separates every later key
.text:00000A94 ldi r22, 0x83 ; 0x83 = KEY_LEFT_GUI (Windows key), held down
.text:00000A95 ldi r24, 0xED
.text:00000A96 ldi r25, 1
.text:00000A97 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000A99 ldi r22, 0xF4
.text:00000A9A ldi r23, 1
.text:00000A9B ldi r24, 0
.text:00000A9C ldi r25, 0
.text:00000A9D call delay
.text:00000A9F ldi r22, 0x72 ; 'r' pressed while GUI is still held: GUI+R
.text:00000AA0 ldi r24, 0xED
.text:00000AA1 ldi r25, 1
.text:00000AA2 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AA4 ldi r22, 0xF4
.text:00000AA5 ldi r23, 1
.text:00000AA6 ldi r24, 0
.text:00000AA7 ldi r25, 0
.text:00000AA8 call delay
.text:00000AAA ldi r22, 0x83 ; release KEY_LEFT_GUI
.text:00000AAB ldi r24, 0xED
.text:00000AAC ldi r25, 1
.text:00000AAD call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AAF ldi r22, 0x72 ; 'r'
.text:00000AB0 ldi r24, 0xED
.text:00000AB1 ldi r25, 1
.text:00000AB2 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AB4 ldi r22, 0xF4
.text:00000AB5 ldi r23, 1
.text:00000AB6 ldi r24, 0
.text:00000AB7 ldi r25, 0
.text:00000AB8 call delay
; Two Print::write calls type stored byte strings: r23:r22 = buffer address, r21:r20 = length.
; The bytes themselves are not part of this listing, so what gets typed cannot be read from here.
.text:00000ABA ldi r20, 7 ; length = 7
.text:00000ABB ldi r21, 0
.text:00000ABC ldi r22, 0x3D ; '=' is only IDA's rendering; this is the low byte of address 0x013D
.text:00000ABD ldi r23, 1
.text:00000ABE ldi r24, 0xED
.text:00000ABF ldi r25, 1
.text:00000AC0 call _ZN5Print5writeEPKhj ; Print::write(uchar const*,uint)
.text:00000AC2 ldi r20, 2 ; length = 2
.text:00000AC3 ldi r21, 0
.text:00000AC4 ldi r22, 0x45 ; 'E' is only IDA's rendering; low byte of address 0x0145 (0x013D + 8)
.text:00000AC5 ldi r23, 1
.text:00000AC6 ldi r24, 0xED
.text:00000AC7 ldi r25, 1
.text:00000AC8 call _ZN5Print5writeEPKhj ; Print::write(uchar const*,uint)
.text:00000ACA ldi r22, 0xF4
.text:00000ACB ldi r23, 1
.text:00000ACC ldi r24, 0
.text:00000ACD ldi r25, 0
.text:00000ACE call delay
.text:00000AD0 ldi r22, 0xB0 ; 0xB0 = KEY_RETURN
.text:00000AD1 ldi r24, 0xED
.text:00000AD2 ldi r25, 1
.text:00000AD3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AD5 ldi r22, 0xB0 ; 0xB0 = KEY_RETURN
.text:00000AD6 ldi r24, 0xED
.text:00000AD7 ldi r25, 1 # The non-printable key codes above are key presses (Caps Lock, GUI+R, Enter), not flag characters.
.text:00000AD8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000ADA ldi r22, 0xF4
.text:00000ADB ldi r23, 1
.text:00000ADC ldi r24, 0
.text:00000ADD ldi r25, 0
.text:00000ADE call delay ; from here on each press/release pair types one printable character
.text:00000AE0 ldi r22, 0x66 ; 'f'
.text:00000AE1 ldi r24, 0xED
.text:00000AE2 ldi r25, 1
.text:00000AE3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AE5 ldi r22, 0x66 ; 'f'
.text:00000AE6 ldi r24, 0xED
.text:00000AE7 ldi r25, 1
.text:00000AE8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AEA ldi r22, 0xF4
.text:00000AEB ldi r23, 1
.text:00000AEC ldi r24, 0
.text:00000AED ldi r25, 0
.text:00000AEE call delay
.text:00000AF0 ldi r22, 0x6C ; 'l'
.text:00000AF1 ldi r24, 0xED
.text:00000AF2 ldi r25, 1
.text:00000AF3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000AF5 ldi r22, 0x6C ; 'l'
.text:00000AF6 ldi r24, 0xED
.text:00000AF7 ldi r25, 1
.text:00000AF8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000AFA ldi r22, 0xF4
.text:00000AFB ldi r23, 1
.text:00000AFC ldi r24, 0
.text:00000AFD ldi r25, 0
.text:00000AFE
.text:00000AFE loc_AFE: ; DATA XREF: TIMER1_COMPA+1EC↑r
.text:00000AFE ; TIMER1_COMPA+1F5↑w ...
.text:00000AFE call delay
.text:00000B00 ldi r22, 0x61 ; 'a'
.text:00000B01 ldi r24, 0xED
.text:00000B02 ldi r25, 1
.text:00000B03 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B05 ldi r22, 0x61 ; 'a'
.text:00000B06 ldi r24, 0xED
.text:00000B07 ldi r25, 1
.text:00000B08 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B0A ldi r22, 0xF4
.text:00000B0B ldi r23, 1
.text:00000B0C ldi r24, 0
.text:00000B0D ldi r25, 0
.text:00000B0E call delay
.text:00000B10 ldi r22, 0x67 ; 'g'
.text:00000B11 ldi r24, 0xED
.text:00000B12 ldi r25, 1
.text:00000B13 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B15 ldi r22, 0x67 ; 'g'
.text:00000B16 ldi r24, 0xED
.text:00000B17 ldi r25, 1
.text:00000B18 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B1A ldi r22, 0xF4
.text:00000B1B ldi r23, 1
.text:00000B1C ldi r24, 0
.text:00000B1D ldi r25, 0
.text:00000B1E call delay
.text:00000B20 ldi r22, 0x7B ; '{'
.text:00000B21 ldi r24, 0xED
.text:00000B22 ldi r25, 1
.text:00000B23 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B25 ldi r22, 0x7B ; '{'
.text:00000B26 ldi r24, 0xED
.text:00000B27 ldi r25, 1
.text:00000B28 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B2A ldi r22, 0xF4
.text:00000B2B ldi r23, 1
.text:00000B2C ldi r24, 0
.text:00000B2D ldi r25, 0
.text:00000B2E call delay
.text:00000B30 ldi r22, 0x61 ; 'a'
.text:00000B31 ldi r24, 0xED
.text:00000B32 ldi r25, 1
.text:00000B33 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B35 ldi r22, 0x61 ; 'a'
.text:00000B36 ldi r24, 0xED
.text:00000B37 ldi r25, 1
.text:00000B38 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B3A ldi r22, 0xF4
.text:00000B3B ldi r23, 1
.text:00000B3C ldi r24, 0
.text:00000B3D ldi r25, 0
.text:00000B3E call delay
.text:00000B40 ldi r22, 0x72 ; 'r'
.text:00000B41 ldi r24, 0xED
.text:00000B42 ldi r25, 1
.text:00000B43 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B45 ldi r22, 0x72 ; 'r'
.text:00000B46 ldi r24, 0xED
.text:00000B47 ldi r25, 1
.text:00000B48 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B4A ldi r22, 0xF4
.text:00000B4B ldi r23, 1
.text:00000B4C ldi r24, 0
.text:00000B4D ldi r25, 0
.text:00000B4E call delay
.text:00000B50 ldi r22, 0x64 ; 'd'
.text:00000B51 ldi r24, 0xED
.text:00000B52 ldi r25, 1
.text:00000B53 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B55 ldi r22, 0x64 ; 'd'
.text:00000B56 ldi r24, 0xED
.text:00000B57 ldi r25, 1
.text:00000B58 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B5A ldi r22, 0xF4
.text:00000B5B ldi r23, 1
.text:00000B5C ldi r24, 0
.text:00000B5D ldi r25, 0
.text:00000B5E call delay
.text:00000B60 ldi r22, 0x75 ; 'u'
.text:00000B61 ldi r24, 0xED
.text:00000B62 ldi r25, 1
.text:00000B63 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B65 ldi r22, 0x75 ; 'u'
.text:00000B66 ldi r24, 0xED
.text:00000B67 ldi r25, 1
.text:00000B68 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B6A ldi r22, 0xF4
.text:00000B6B ldi r23, 1
.text:00000B6C ldi r24, 0
.text:00000B6D ldi r25, 0
.text:00000B6E call delay
.text:00000B70 ldi r22, 0x69 ; 'i'
.text:00000B71 ldi r24, 0xED
.text:00000B72 ldi r25, 1
.text:00000B73 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B75 ldi r22, 0x69 ; 'i'
.text:00000B76 ldi r24, 0xED
.text:00000B77 ldi r25, 1
.text:00000B78 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B7A ldi r22, 0xF4
.text:00000B7B ldi r23, 1
.text:00000B7C ldi r24, 0
.text:00000B7D ldi r25, 0
.text:00000B7E call delay
.text:00000B80 ldi r22, 0x6E ; 'n'
.text:00000B81 ldi r24, 0xED
.text:00000B82 ldi r25, 1
.text:00000B83 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B85 ldi r22, 0x6E ; 'n'
.text:00000B86 ldi r24, 0xED
.text:00000B87 ldi r25, 1
.text:00000B88 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B8A ldi r22, 0xF4
.text:00000B8B ldi r23, 1
.text:00000B8C ldi r24, 0
.text:00000B8D ldi r25, 0
.text:00000B8E call delay
.text:00000B90 ldi r22, 0x6F ; 'o'
.text:00000B91 ldi r24, 0xED
.text:00000B92 ldi r25, 1
.text:00000B93 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000B95 ldi r22, 0x6F ; 'o'
.text:00000B96 ldi r24, 0xED
.text:00000B97 ldi r25, 1
.text:00000B98 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000B9A ldi r22, 0xF4
.text:00000B9B ldi r23, 1
.text:00000B9C ldi r24, 0
.text:00000B9D ldi r25, 0
.text:00000B9E call delay
.text:00000BA0 ldi r22, 0x5F ; '_'
.text:00000BA1 ldi r24, 0xED
.text:00000BA2 ldi r25, 1
.text:00000BA3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BA5 ldi r22, 0x5F ; '_'
.text:00000BA6 ldi r24, 0xED
.text:00000BA7 ldi r25, 1
.text:00000BA8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BAA ldi r22, 0xF4
.text:00000BAB ldi r23, 1
.text:00000BAC ldi r24, 0
.text:00000BAD ldi r25, 0
.text:00000BAE call delay
.text:00000BB0 ldi r22, 0x69 ; 'i'
.text:00000BB1 ldi r24, 0xED
.text:00000BB2 ldi r25, 1
.text:00000BB3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BB5 ldi r22, 0x69 ; 'i'
.text:00000BB6 ldi r24, 0xED
.text:00000BB7 ldi r25, 1
.text:00000BB8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BBA ldi r22, 0xF4
.text:00000BBB ldi r23, 1
.text:00000BBC ldi r24, 0
.text:00000BBD ldi r25, 0
.text:00000BBE call delay
.text:00000BC0 ldi r22, 0x73 ; 's'
.text:00000BC1 ldi r24, 0xED
.text:00000BC2 ldi r25, 1
.text:00000BC3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BC5 ldi r22, 0x73 ; 's'
.text:00000BC6 ldi r24, 0xED
.text:00000BC7 ldi r25, 1
.text:00000BC8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BCA ldi r22, 0xF4
.text:00000BCB ldi r23, 1
.text:00000BCC ldi r24, 0
.text:00000BCD ldi r25, 0
.text:00000BCE call delay
.text:00000BD0 ldi r22, 0x5F ; '_'
.text:00000BD1 ldi r24, 0xED
.text:00000BD2 ldi r25, 1
.text:00000BD3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BD5 ldi r22, 0x5F ; '_'
.text:00000BD6 ldi r24, 0xED
.text:00000BD7 ldi r25, 1
.text:00000BD8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BDA ldi r22, 0xF4
.text:00000BDB ldi r23, 1
.text:00000BDC ldi r24, 0
.text:00000BDD ldi r25, 0
.text:00000BDE call delay
.text:00000BE0 ldi r22, 0x68 ; 'h'
.text:00000BE1 ldi r24, 0xED
.text:00000BE2 ldi r25, 1
.text:00000BE3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BE5 ldi r22, 0x68 ; 'h'
.text:00000BE6 ldi r24, 0xED
.text:00000BE7 ldi r25, 1
.text:00000BE8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BEA ldi r22, 0xF4
.text:00000BEB ldi r23, 1
.text:00000BEC ldi r24, 0
.text:00000BED ldi r25, 0
.text:00000BEE call delay
.text:00000BF0 ldi r22, 0x61 ; 'a'
.text:00000BF1 ldi r24, 0xED
.text:00000BF2 ldi r25, 1
.text:00000BF3 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000BF5 ldi r22, 0x61 ; 'a'
.text:00000BF6 ldi r24, 0xED
.text:00000BF7 ldi r25, 1
.text:00000BF8 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000BFA ldi r22, 0xF4
.text:00000BFB ldi r23, 1
.text:00000BFC ldi r24, 0
.text:00000BFD ldi r25, 0
.text:00000BFE call delay
.text:00000C00 ldi r22, 0x63 ; 'c'
.text:00000C01 ldi r24, 0xED
.text:00000C02 ldi r25, 1
.text:00000C03 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C05 ldi r22, 0x63 ; 'c'
.text:00000C06 ldi r24, 0xED
.text:00000C07 ldi r25, 1
.text:00000C08 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C0A ldi r22, 0xF4
.text:00000C0B ldi r23, 1
.text:00000C0C ldi r24, 0
.text:00000C0D ldi r25, 0
.text:00000C0E call delay
.text:00000C10 ldi r22, 0x6B ; 'k'
.text:00000C11 ldi r24, 0xED
.text:00000C12 ldi r25, 1
.text:00000C13 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C15 ldi r22, 0x6B ; 'k'
.text:00000C16 ldi r24, 0xED
.text:00000C17 ldi r25, 1
.text:00000C18 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C1A ldi r22, 0xF4
.text:00000C1B ldi r23, 1
.text:00000C1C ldi r24, 0
.text:00000C1D ldi r25, 0
.text:00000C1E call delay
.text:00000C20 ldi r22, 0x65 ; 'e'
.text:00000C21 ldi r24, 0xED
.text:00000C22 ldi r25, 1
.text:00000C23 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C25 ldi r22, 0x65 ; 'e'
.text:00000C26 ldi r24, 0xED
.text:00000C27 ldi r25, 1
.text:00000C28 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C2A ldi r22, 0xF4
.text:00000C2B ldi r23, 1
.text:00000C2C ldi r24, 0
.text:00000C2D ldi r25, 0
.text:00000C2E call delay
.text:00000C30 ldi r22, 0x72 ; 'r'
.text:00000C31 ldi r24, 0xED
.text:00000C32 ldi r25, 1
.text:00000C33 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C35 ldi r22, 0x72 ; 'r'
.text:00000C36 ldi r24, 0xED
.text:00000C37 ldi r25, 1
.text:00000C38 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C3A ldi r22, 0xF4
.text:00000C3B ldi r23, 1
.text:00000C3C ldi r24, 0
.text:00000C3D ldi r25, 0
.text:00000C3E call delay
.text:00000C40 ldi r22, 0x73 ; 's'
.text:00000C41 ldi r24, 0xED
.text:00000C42 ldi r25, 1
.text:00000C43 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C45 ldi r22, 0x73 ; 's'
.text:00000C46 ldi r24, 0xED
.text:00000C47 ldi r25, 1
.text:00000C48 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C4A ldi r22, 0xF4
.text:00000C4B ldi r23, 1
.text:00000C4C ldi r24, 0
.text:00000C4D ldi r25, 0
.text:00000C4E call delay
.text:00000C50 ldi r22, 0x5F ; '_'
.text:00000C51 ldi r24, 0xED
.text:00000C52 ldi r25, 1
.text:00000C53 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C55 ldi r22, 0x5F ; '_'
.text:00000C56 ldi r24, 0xED
.text:00000C57 ldi r25, 1
.text:00000C58 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C5A ldi r22, 0xF4
.text:00000C5B ldi r23, 1
.text:00000C5C ldi r24, 0
.text:00000C5D ldi r25, 0
.text:00000C5E call delay
.text:00000C60 ldi r22, 0x6C ; 'l'
.text:00000C61 ldi r24, 0xED
.text:00000C62 ldi r25, 1
.text:00000C63 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C65 ldi r22, 0x6C ; 'l'
.text:00000C66 ldi r24, 0xED
.text:00000C67 ldi r25, 1
.text:00000C68 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C6A ldi r22, 0xF4
.text:00000C6B ldi r23, 1
.text:00000C6C ldi r24, 0
.text:00000C6D ldi r25, 0
.text:00000C6E call delay
.text:00000C70 ldi r22, 0x6F ; 'o'
.text:00000C71 ldi r24, 0xED
.text:00000C72 ldi r25, 1
.text:00000C73 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C75 ldi r22, 0x6F ; 'o'
.text:00000C76 ldi r24, 0xED
.text:00000C77 ldi r25, 1
.text:00000C78 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C7A ldi r22, 0xF4
.text:00000C7B ldi r23, 1
.text:00000C7C ldi r24, 0
.text:00000C7D ldi r25, 0
.text:00000C7E call delay
.text:00000C80 ldi r22, 0x76 ; 'v'
.text:00000C81 ldi r24, 0xED
.text:00000C82 ldi r25, 1
.text:00000C83 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C85 ldi r22, 0x76 ; 'v'
.text:00000C86 ldi r24, 0xED
.text:00000C87 ldi r25, 1
.text:00000C88 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C8A ldi r22, 0xF4
.text:00000C8B ldi r23, 1
.text:00000C8C ldi r24, 0
.text:00000C8D ldi r25, 0
.text:00000C8E call delay
.text:00000C90 ldi r22, 0x65 ; 'e'
.text:00000C91 ldi r24, 0xED
.text:00000C92 ldi r25, 1
.text:00000C93 call _ZN9Keyboard_5pressEh ; Keyboard_::press(uchar)
.text:00000C95 ldi r22, 0x65 ; 'e'
.text:00000C96 ldi r24, 0xED
.text:00000C97 ldi r25, 1
.text:00000C98 call _ZN9Keyboard_7releaseEh ; Keyboard_::release(uchar)
.text:00000C9A ldi r22, 0xF4
.text:00000C9B ldi r23, 1
.text:00000C9C ldi r24, 0
.text:0000
如上, flag即為:
flag{arduino_is_hacker_love}
Re
先用hex2bin轉換成bin檔案(ps: 之前找到一個線上編譯工具, 網址忘了...難受, 做筆記的重要性啊!)
Port Registers
The following Registers are used for reading and writing to the I/O ports.
Register | Type | Description | Notes |
---|---|---|---|
DDRB | Read/Write | Port B Data Direction Register | 1=output, 0=input |
PORTB | Read/Write | Port B Data Register | |
PINB | Read only | Port B Input Register | |
DDRC | Read/Write | Port C Data Direction Register | 1=output, 0=input |
PORTC | Read/Write | Port C Data Register | |
PINC | Read only | Port C Input Register | |
DDRD | Read/Write | Port D Data Direction Register | 1=output, 0=input |
PORTD | Read/Write | Port D Data Register | |
PIND | Read only | Port D Input Register | |