Keylead(ASIS CTF 2015)

sub_4006B6 输出了 flag，但静态分析不方便，改用 IDA + Remote 动态调试。为防止输出 flag 时把期望的骰子值也加入了计算，还是要什么给什么，把骰子改成 3,1,3,3,7。程序还加了时间验证防作弊，需要改跳转。

// IDA decompiler output of the challenge's main(); the nonstandard types
// (__int64, __fastcall) and the "// ST1F_1@1" annotations are IDA's, not C11.
// The program rolls five "dice" with rand() and calls sub_4006B6() (which,
// per the write-up, prints the flag) only when the rolls are 3, 1, 3, 3, 7.
signed __int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char v3; // ST1F_1@1 -- getchar() result; stored and never read below
  unsigned int v4; // eax@1 -- PRNG seed: the current time in seconds
  int v5; // ST18_4@1 -- time(0) result; assigned but never used in this listing
  int v6; // ST14_4@1 -- first roll
  signed __int64 result; // rax@6 -- exit value: 0 on success, non-zero otherwise
  int v8; // [sp+4h] [bp-1Ch]@1 -- fifth roll
  int v9; // [sp+8h] [bp-18h]@1 -- fourth roll
  int v10; // [sp+Ch] [bp-14h]@1 -- third roll
  int v11; // [sp+10h] [bp-10h]@1 -- second roll

  puts("hi all ----------------------");
  puts("Welcome to dice game!");
  puts("You have to roll 5 dices and get 3, 1, 3, 3, 7 in order.");
  puts("Press enter to roll.");
  v3 = getchar();
  // Seeding rand() with the wall-clock second makes the whole roll sequence
  // predictable to anyone who knows roughly when the program ran; this is the
  // classic weak-PRNG-seed pattern and is why the rolls are not a real secret.
  v4 = time(0LL);
  srand(v4);
  v5 = time(0LL);
  // Each roll is rand() % 6 + 1, i.e. always in the range 1..6.
  v6 = rand() % 6 + 1;
  v11 = rand() % 6 + 1;
  v10 = rand() % 6 + 1;
  v9 = rand() % 6 + 1;
  v8 = rand() % 6 + 1;
  printf(
    "You rolled %d, %d, %d, %d, %d.\n",
    (unsigned int)v6,
    (unsigned int)v11,
    (unsigned int)v10,
    (unsigned int)v9,
    (unsigned int)v8);
  // The fifth roll must equal 7, which rand() % 6 + 1 can never yield, so the
  // success branch is unreachable through normal execution. The time(0LL)
  // calls inside the condition have their results discarded in this
  // pseudocode; the write-up describes a time-based anti-cheat check, so the
  // actual comparison was presumably lost or folded by the decompiler --
  // TODO confirm against the disassembly.
  if ( v6 != 3 || (time(0LL), v11 != 1) || (time(0LL), v10 != 3) || (time(0LL), v9 != 3) || (time(0LL), v8 != 7) )
  {
    puts("You DID NOT roll as I said!");
    puts("Bye bye~");
    result = 0xFFFFFFFFLL; // failure: non-zero return value
  }
  else
  {
    time(0LL); // result discarded here as well; see the note above
    puts("You rolled as I said! I'll give you the flag.");
    sub_4006B6(); // defined elsewhere in the binary; not visible in this listing
    result = 0LL;
  }
  return result;
}

图1

转自实验吧,原文作者实验吧ID czr27