es3n1n

Untitled

Jul 15th, 2023
  // Decompiler pseudocode of a flag checker. It takes the candidate flag in argv[1], requires
  // exactly 40 bytes, and verifies it four bytes at a time against the `encoded` table.
  // Every libc/libgmp call is made indirectly as ResolveModuleFunction(module, 32-bit id, args...),
  // so no imported function names appear at the call sites. The names in the trailing comments are
  // the analyst's annotations; the resolver is not part of this listing, so the id -> name mapping
  // is unverified here.
  // Returns 1 when no argument is given and 0 otherwise (for both "Correct!" and "Wrong.").
  1. int __cdecl main(int argc, const char **argv, const char **envp)
  2. {
  3.   __int64 v4; // rdx
  4.   __int64 v5; // r8
  5.   __int64 v6; // r9
  6.   __int64 v7; // rdx
  7.   __int64 v8; // r8
  8.   __int64 v9; // r9
  9.   unsigned __int64 i; // [rsp+18h] [rbp-78h]
  10.   unsigned __int64 j; // [rsp+20h] [rbp-70h]
  11.   unsigned __int64 k; // [rsp+28h] [rbp-68h]
  12.   char *INPUT_FLAG; // [rsp+30h] [rbp-60h]
  13.   void *libc; // [rsp+40h] [rbp-50h]
  14.   void *libgmp; // [rsp+48h] [rbp-48h]
  15.   MP_INT a4; // [rsp+50h] [rbp-40h] BYREF
  16.   MP_INT v17; // [rsp+60h] [rbp-30h] BYREF
  17.   MP_INT mpint; // [rsp+70h] [rbp-20h] BYREF
  18.   unsigned __int64 v19; // [rsp+88h] [rbp-8h]
  19.  
        // fs:[0x28] is the stack-protector canary slot on x86-64 Linux; this load is
        // compiler-inserted, not program logic.
  20.   v19 = __readfsqword(0x28u);
  21.   if ( argc > 1 )
  22.   {
  23.     INPUT_FLAG = (char *)argv[1];
  24.     if ( strlen(INPUT_FLAG) == 40 )
  25.     {
            // LoadLibraryA/CloseHandle are called on ELF shared objects, so they are presumably
            // the binary's own wrappers rather than the Windows APIs - confirm in the binary.
  26.       libc = LoadLibraryA("libc.so.6");
  27.       if ( !libc )
  28.         __assert_fail("hLibc != NULL", "main.c", 0x4Au, "main");
  29.       libgmp = LoadLibraryA("libgmp.so");
  30.       if ( !libgmp )
  31.         __assert_fail("hGMP != NULL", "main.c", 0x4Cu, "main");
  32.  
            // The same id is used for all three big integers: a4 (scratch/result), v17 (modulus
            // accumulator) and mpint (exponent), going by how they are used below.
  33.       ResolveModuleFunction(libgmp, 0x71B5428D, &a4);// __gmpz_init
  34.       ResolveModuleFunction(libgmp, 0x71B5428D, &v17);// __gmpz_init
  35.       ResolveModuleFunction(libgmp, 0x71B5428D, &mpint);// __gmpz_init
            // The PRNG seed is the first four bytes of main's own machine code, so every rand()
            // value below is fixed by the binary's contents.
            // NOTE(review): a patch or software breakpoint on main's first bytes would change the
            // seed and all derived values; this is presumably a deliberate integrity check - confirm.
  36.       ResolveModuleFunction(libc, 0xFC7E7318, *(unsigned int *)main);// srandom
            // NOTE(review): _bss_start is presumably the decompiler's name for stdout; setbuf(stdout, NULL)
            // would make the progress dots appear immediately - confirm.
  37.       ResolveModuleFunction(libc, 0x9419A860, _bss_start, 0LL);// setbuf
  38.  
  39.       printf("Checking...");
            // Pass 1: all 40 (0x28) bytes must satisfy the isprint-annotated call.
            // NOTE(review): INPUT_FLAG[i] is a plain char widened to unsigned int; if char is signed,
            // bytes >= 0x80 sign-extend and fall outside isprint's defined domain.
  40.       for ( i = 0LL; i < 0x28; ++i )
  41.       {
  42.         if ( !(unsigned int)ResolveModuleFunction(libc, 0x4E8A031A, (unsigned int)INPUT_FLAG[i]) )// isprint
  43.         {
                // Shared failure path. The mismatch branch of the second loop also jumps here.
  44. LABEL_21:
  45.           puts("\nWrong.");
  46.           goto LABEL_22;
  47.         }
  48.       }
  49.  
            // Pass 2: ten rounds, one per 4-byte chunk (j = 0, 4, ..., 36).
  50.       for ( j = 0LL; j < 0x28; j += 4LL )
  51.       {
              // v17 = 1, then multiplied by three values, each produced by inc_while_can from
              // rand() % 0x10000. v5/v6 are never assigned in this listing: they stand for whatever
              // r8/r9 held at the call, and inc_while_can only forwards them to its first call.
  52.         ResolveModuleFunction(libgmp, 0xF122F362, &v17, 1LL);// __gmpz_set_ui
  53.         for ( k = 0LL; k <= 2; ++k )
  54.         {
  55.           ResolveModuleFunction(libc, 0xD588A9, '.');// putchar
  56.           v4 = (int)ResolveModuleFunction(libc, 0x7B6CEA5D) % 0x10000;// rand
  57.           inc_while_can(libc, libgmp, v4, &a4, v5, v6);
  58.           ResolveModuleFunction(libgmp, 0x347D865B, &v17, &v17, &a4);// __gmpz_mul
  59.         }
              // A fourth rand()-derived value becomes the exponent (mpint).
  60.         ResolveModuleFunction(libc, 0xD588A9, '.');// putchar
  61.         v7 = (int)ResolveModuleFunction(libc, 0x7B6CEA5D) % 0x10000;// rand
  62.         inc_while_can(libc, libgmp, v7, &mpint, v8, v9);
              // The chunk is read as one unaligned 32-bit word, so byte order is the host's
              // (little-endian on x86-64). Then a4 = a4 ** mpint mod v17, per the powm annotation.
  63.         ResolveModuleFunction(libgmp, 0xF122F362, &a4, *(unsigned int *)&INPUT_FLAG[j]);// __gmpz_set_ui
  64.         ResolveModuleFunction(libgmp, 0x9023667E, &a4, &a4, &mpint, &v17);// __gmpz_powm
              // A nonzero compare result against encoded[j / 4] means mismatch -> failure path.
  65.         if ( (unsigned int)ResolveModuleFunction(libgmp, 0xB1F820DC, &a4, encoded[j >> 2]) )// __gmpz_cmp_ui
  66.           goto LABEL_21;
  67.       }
  68.       puts("\nCorrect!");
            // Common cleanup for success and failure. 0x31CC4F9F and 835473311 are the same id
            // written in hex and decimal, applied to each big integer; it is un-annotated in the
            // paste and is presumably __gmpz_clear - confirm against the resolver.
  69. LABEL_22:
  70.       ResolveModuleFunction(libgmp, 0x31CC4F9F, &a4);
  71.       ResolveModuleFunction(libgmp, 835473311, &v17);
  72.       ResolveModuleFunction(libgmp, 835473311, &mpint);
  73.       CloseHandle(libc);
  74.       CloseHandle(libgmp);
  75.       return 0;
  76.     }
  77.     else
  78.     {
            // Length other than 40: rejected before any library is loaded.
  79.       puts("Nowhere near close.");
  80.       return 0;
  81.     }
  82.   }
  83.   else
  84.   {
  85.     printf("Usage: %s FLAG\n", *argv);
  86.     return 1;
  87.   }
  88. }
  89.  
  // Helper that derives a number from a requested hash-table size. As called from main: a1 is the
  // libc handle, a2 the libgmp handle, a3 the size handed to the hcreate-annotated call, and mpint
  // the output big integer. a5/a6 are only forwarded into the first call.
  // It zeroes *mpint, creates the table, then inserts the decimal strings "0", "1", "2", ... until
  // the hsearch-annotated call returns 0. *mpint ends as the first value whose insert failed, which
  // is the number of inserts that succeeded.
  // NOTE(review): hcreate is documented to be allowed to adjust the requested size upward (glibc
  // picks a prime), so the result is presumably a prime at or just above a3 - confirm against the
  // libc actually loaded.
  // The return value is only the stack-canary difference (0 when intact); main ignores it.
  90. unsigned __int64 __fastcall inc_while_can(void *a1, void *a2, __int64 a3, MP_INT *mpint, __int64 a5, __int64 a6)
  91. {
  92.   char fmt[4]; // [rsp+3Ch] [rbp-24h] BYREF
  93.   char int_str[24]; // [rsp+40h] [rbp-20h] BYREF
  94.   unsigned __int64 v11; // [rsp+58h] [rbp-8h]
  95.  
  96.   v11 = __readfsqword(0x28u);
        // Obfuscated format string: the little-endian bytes 0F 70 4E 2A, each XORed with 0x2A by the
        // memfrob-annotated call below, give 25 5A 64 00 = "%Zd" plus the terminating NUL.
  97.   *(_DWORD *)fmt = 0x2A4E700F;                  // decoded = "%Zd"
  98.  
  99.   ResolveModuleFunction(a2, 0xF122F362, mpint, 0LL, a5, a6);// __gmpz_set_ui // SET MPINT TO 0, OTHER ARGS ARE TRASH?
  100.   ResolveModuleFunction(a1, 0xE75E0FFE, a3);    // hcreate
  101.   ResolveModuleFunction(a1, 0x1C46D38A, fmt, 4LL);// memfrob
        // Each pass formats the current value into int_str, increments *mpint, then calls hsearch
        // with (int_str, 0, 1). Presumably that is ENTRY{key = int_str, data = NULL} passed by value
        // plus action ENTER (1) - confirm the calling convention in the disassembly.
        // Every inserted key points at the same int_str stack buffer.
  102.   do
  103.   {
  104.     ResolveModuleFunction(a2, 0x7489AF98, int_str, fmt, mpint);// __gmp_sprintf
  105.     ResolveModuleFunction(a2, 0xED3B7A10, mpint, mpint, 1LL);// __gmpz_add_ui
  106.   }
  107.   while ( ResolveModuleFunction(a1, 0x50AB4097, int_str, 0LL, 1LL) );// hsearch
  108.   ResolveModuleFunction(a1, 0xAF4C09BD);        // hdestroy
        // Undo the increment made on the failing pass, so *mpint is the value that did not fit.
  109.   ResolveModuleFunction(a2, 0x1C3EF940, mpint, mpint, 1LL);// __gmpz_sub_ui
        // Decompiler rendering of the stack-protector epilogue check.
  110.   return v11 - __readfsqword(0x28u);
  111. }
  112.  
  113. // encoded[]: disassembler .data view of the ten 64-bit expected values. main reads them as
       // encoded[j >> 2], so entry n is compared with the result for input bytes 4n .. 4n+3.
       // In this listing every constant fits in 48 bits.
.data:000056459C886020 encoded         dq 0FE4C025C5F4h        ; DATA XREF: main+381↑o
.data:000056459C886028                 dq 1B792FF17E8Ah
.data:000056459C886030                 dq 183B156AB40h
.data:000056459C886038                 dq 0BEFFCF5E5DAh
.data:000056459C886040                 dq 297CF86E251h
.data:000056459C886048                 dq 0EB3EDC1D4B4h
.data:000056459C886050                 dq 0FA10CE3A08h
.data:000056459C886058                 dq 2BDD418672h
.data:000056459C886060                 dq 5EBB5050EA46h
.data:000056459C886068                 dq 5BF9B73CF86h