
@un4ckn0wl3z
Last active April 24, 2025 20:56
import ida_bytes
import ida_kernwin
def extract_flag():
    """Rebuild the flag from five 16-byte constants in the open IDA database.

    Each constant is read as four 32-bit values and only the low byte of
    each value is kept. One extra byte (0x2B) is appended by hand, 46 is
    added to every byte, and the results are joined into a string.

    The raw bytes and the decoded string are printed, and the decoded
    string is also shown in an IDA warning dialog. Any exception is
    reported through the same kind of dialog instead of propagating.

    The addresses are hard-coded for one specific binary; the "not mapped"
    error asks the user to update them when they do not match.
    """
    # Order matters and is NOT ascending: it mirrors how the decompiled
    # code fills Src[0..4] (note 0x...480 is loaded before 0x...470):
    #   Src[0] = _mm_load_si128(&xmmword_140003440)
    #   Src[1] = _mm_load_si128(&xmmword_140003450)
    #   Src[2] = _mm_load_si128(&xmmword_140003460)
    #   Src[3] = _mm_load_si128(&xmmword_140003480)
    #   Src[4] = _mm_load_si128(&xmmword_140003470)
    table_eas = (
        0x140003440,
        0x140003450,
        0x140003460,
        0x140003480,
        0x140003470,
    )

    try:
        low_bytes = []
        for base_ea in table_eas:
            # NOTE(review): only the first byte of each 16-byte constant is
            # checked for mapping; the reads at +4/+8/+12 are not re-checked.
            if not ida_bytes.is_mapped(base_ea):
                raise ValueError(f"Address 0x{base_ea:X} is not mapped - please update the addresses in the script")
            # Four dwords per constant; the program indexes them as
            # v8[4 * v10], so only the least significant byte is meaningful.
            low_bytes.extend(
                ida_bytes.get_dword(base_ea + offset) & 0xFF
                for offset in (0, 4, 8, 12)
            )

        # The last element does not come from a constant table. After the
        # five movdqa copies the disassembly stores it as an immediate:
        #   mov [rbp+57h+var_50], 2Bh ; '+'      (decompiler: v19 = 0x2B)
        # so it has to be appended manually.
        low_bytes.append(0x2B)

        # Decoding step taken from the decompiled expression `v8[4 * v10] + 46`.
        decoded = "".join(map(chr, (b + 46 for b in low_bytes)))

        print("Extracted values:")
        print(" ".join("0x%02X" % b for b in low_bytes))
        print("\nCalculated flag:", decoded)
        ida_kernwin.warning(f"The flag is: {decoded}")
    except Exception as err:
        # Surface every failure in a dialog rather than a traceback.
        ida_kernwin.warning(f"Error: {str(err)}")
# Run the extraction as soon as the script is executed; extract_flag()
# prints and displays its own result and reports its own errors.
extract_flag()