{"id":2236,"date":"2024-03-31T00:38:38","date_gmt":"2024-03-30T15:38:38","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2236"},"modified":"2024-05-20T13:20:55","modified_gmt":"2024-05-20T04:20:55","slug":"x64-lotto","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2236","title":{"rendered":"x64 Lotto"},"content":{"rendered":"\n

Exeinfo PE<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Decompiled-src <\/h2>\n\n\n\n

wmain<\/strong><\/p>\n\n\n\n

\n
\n
__int64 wmain()\n{\n  unsigned int v0; \/\/ eax\n  __int64 i; \/\/ rbx\n  char v2; \/\/ r8\n  int v3; \/\/ edx\n  __int64 v4; \/\/ rcx\n  _BYTE *v5; \/\/ rdx\n  __int64 v6; \/\/ rcx\n  char v7; \/\/ al\n  int v8; \/\/ ecx\n  __int16 *v9; \/\/ rdx\n  __int16 v10; \/\/ ax\n  __int16 v11; \/\/ ax\n  int v13; \/\/ [rsp+40h] [rbp-78h] BYREF\n  int v14; \/\/ [rsp+44h] [rbp-74h] BYREF\n  int v15; \/\/ [rsp+48h] [rbp-70h] BYREF\n  int v16; \/\/ [rsp+4Ch] [rbp-6Ch] BYREF\n  int v17; \/\/ [rsp+50h] [rbp-68h] BYREF\n  int v18; \/\/ [rsp+54h] [rbp-64h] BYREF\n  int v19[3]; \/\/ [rsp+58h] [rbp-60h]\n  int v20; \/\/ [rsp+64h] [rbp-54h]\n  int v21; \/\/ [rsp+68h] [rbp-50h]\n  int v22; \/\/ [rsp+6Ch] [rbp-4Ch]\n  __int16 v23[25]; \/\/ [rsp+70h] [rbp-48h] BYREF\n  __int16 v24; \/\/ [rsp+A2h] [rbp-16h]\n\n  v13 = 0;\n  v14 = 0;\n  v15 = 0;\n  v16 = 0;\n  v17 = 0;\n  v18 = 0;\n  v19[0] = 0;\n  v19[1] = 0;\n  v19[2] = 0;\n  v20 = 0;\n  v21 = 0;\n  v22 = 0;\n  v0 = time64(0i64);\n  srand(v0);\n  do\n  {\n    wprintf(L\"\\n\\t\\tL O T T O\\t\\t\\n\\n\");\n    wprintf(L\"Input the number: \");\n    wscanf_s(L\"%d %d %d %d %d %d\", &v13, &v14, &v15, &v16, &v17, &v18);\n    wsystem(L\"cls\");\n    Sleep(0x1F4u);\n    for ( i = 0i64; i < 6; v19[i - 1] = rand() % 100 )\n      ++i;\n    v2 = 1;\n    v3 = 0;\n    v4 = 0i64;\n    byte_7FF622EB35F0 = 1;\n    while ( v19[v4] == *(int *)((char *)&v13 + v4 * 4) )\n    {\n      ++v4;\n      ++v3;\n      if ( v4 >= 6 )\n        goto LABEL_9;\n    }\n    v2 = 0;\n    byte_7FF622EB35F0 = 0;\nLABEL_9:\n    ;\n  }\n  while ( v3 != 6 );\n  v5 = byte_7FF622EB3021;\n  v23[1] = 92;\n  v23[0] = 184;\n  v23[2] = 139;\n  v23[5] = 184;\n  v23[3] = 107;\n  v6 = 0i64;\n  v23[4] = 66;\n  v23[6] = 56;\n  v23[7] = 237;\n  v23[8] = 219;\n  v23[9] = 91;\n  v23[10] = 129;\n  v23[11] = 41;\n  v23[12] = 160;\n  v23[13] = 126;\n  v23[14] = 80;\n  v23[15] = 140;\n  v23[16] = 27;\n  v23[17] = 134;\n  v23[18] = 245;\n  v23[19] = 2;\n  v23[20] = 85;\n  v23[21] = 33;\n  v23[22] = 12;\n  v23[23] = 14;\n  v23[24] = 242;\n  v24 = 0;\n  do\n  {\n    v7 = byte_7FF622EB3021[v6 - 1];\n    v6 += 5i64;\n    *((_WORD *)&v20 + v6 + 1) ^= (unsigned __int8)(v7 - 12);\n    *((_WORD *)&v21 + v6) ^= (unsigned __int8)(byte_7FF622EB3021[v6 - 5] - 12);\n    *((_WORD *)&v21 + v6 + 1) ^= (unsigned __int8)(byte_7FF622EB3021[v6 - 4] - 12);\n    v23[v6 - 2] ^= (unsigned __int8)(byte_7FF622EB3021[v6 - 3] - 12);\n    v23[v6 - 1] ^= (unsigned __int8)(byte_7FF622EB3021[v6 - 2] - 12);\n  }\n  while ( v6 < 25 );\n  if ( v2 )\n  {\n    v8 = 0;\n    v9 = v23;\n    do\n    {\n      v10 = *v9++;\n      v11 = v8++ + (v10 ^ 0xF);\n      *(v9 - 1) = v11;\n    }\n    while ( v8 < 25 );\n    v24 = 0;\n    wprintf(L\"%s\\n\", v23);\n  }\n  wprintf(L\"\\n\", v5);\n  return 1i64;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
6\uac1c\uc758 \uc218\ub97c \uc785\ub825\ubc1b\uc544 \ub79c\ub364\uc778 \uc218\ub97c \ub9de\ucdb0 \ud1b5\uacfc\ud588\uc744 \uacbd\uc6b0, 
XOR \ubcf5\ud638\ud654\ub97c \ud558\uc5ec printf \ud568\uc218\ub97c \ud1b5\ud574 \ucd9c\ub825\ud574\uc8fc\ub294 \uac83\uc73c\ub85c \ubcf4\uc778\ub2e4.<\/p>\n\n\n\n
Solution<\/h2>\n\n\n\n
.text:0000000140001138 \uc8fc\uc18c\uc5d0 \uc788\ub294 
xor r8b, r8b \uba85\ub839\uc5b4\ub97c mov r8b, 1\ub85c \ud328\uce58<\/p>\n\n\n\n
.text:0000000140001145 \uc8fc\uc18c\uc5d0 \uc788\ub294
jnz loc_7FF622EB1070 \uba85\ub839\uc5b4\uc5d0 \uc758\ud574 \ubd84\uae30\ub418\uc9c0 \uc54a\ub3c4\ub85d nop\uc73c\ub85c \ud328\uce58<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\uc704 2\uac00\uc9c0 \ud328\uce58\ub97c \ud558\uba74 
\ub79c\ub364\uc778 \uc218\uc640 \ub9de\uc9c0 \uc54a\ub354\ub77c\ub3c4 \ud1b5\uacfc\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
Result<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n
FLAG<\/h2>\n\n\n\n
from_GHL2_-_!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
Exeinfo PE Decompiled-src wmain 6\uac1c\uc758 \uc218\ub97c \uc785\ub825\ubc1b\uc544 \ub79c\ub364\uc778 \uc218\ub97c \ub9de\ucdb0 \ud1b5\uacfc\ud588\uc744 \uacbd\uc6b0, XOR \ubcf5\ud638\ud654\ub97c \ud558\uc5ec printf \ud568\uc218\ub97c \ud1b5\ud574 \ucd9c\ub825\ud574\uc8fc\ub294 \uac83\uc73c\ub85c \ubcf4\uc778\ub2e4. Solution .text:0000000140001138 \uc8fc\uc18c\uc5d0 \uc788\ub294 xor r8b, r8b \uba85\ub839\uc5b4\ub97c mov… \ub354 \ubcf4\uae30 »x64 Lotto<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[24],"class_list":["post-2236","post","type-post","status-publish","format-standard","hentry","category-reversing-kr","tag-reversing"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2236"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2236\/revisions"}],"predecessor-version":[{"id":2241,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2236\/revisions\/2241"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}