解题领红包之一 {送分题}
没什么好说的
解题领红包之二 {Windows 初级题}
运行动调直接拿flag
解题领红包之三 {Android 初级题}
base64+xxtea
复制代码 隐藏代码
from struct import *
def shift(z, y, x, k, p, e):
return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((x ^ y) + (k[(p & 3) ^ e] ^ z)))
def encrypt(v, k):
delta = 0x9E3779B9
n = len(v)
rounds = 6 + 52 // n
x = 0
z = v[n - 1]
for i in range(rounds):
x = (x + delta) & 0xFFFFFFFF
e = (x >> 2) & 3
for p in range(n - 1):
y = v[p + 1]
v[p] = (v[p] + shift(z, y, x, k, p, e)) & 0xFFFFFFFF
z = v[p]
p += 1
y = v[0]
v[n - 1] = (v[n - 1] + shift(z, y, x, k, p, e)) & 0xFFFFFFFF
z = v[n - 1]
return v
def decrypt(v, k):
delta = 0x9E3779B9
n = len(v)
rounds = 6 + 52 // n
x = (rounds * delta) & 0xFFFFFFFF
y = v[0]
for i in range(rounds):
e = (x >> 2) & 3
for p in range(n - 1, 0, -1):
z = v[p - 1]
v[p] = (v[p] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
y = v[p]
p -= 1
z = v[n - 1]
v[0] = (v[0] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
y = v[0]
x = (x - delta) & 0xFFFFFFFF
return v
from base64 import *
if __name__ == '__main__':
key = list(unpack("<4I",b"my-xxtea-secret\x00"))
enc = b64decode(b"hjyaQ8jNSdp+mZic7Kdtyw==")
print(len(enc))
enc = list(unpack(f",enc))
print(enc)
pt = decrypt(enc,key)
s = b''
for i in range(len(pt)):
s+=pack(",pt[i])
print(s.decode())
解题领红包之四 {Android 中级题}
白盒aes,但是是ofb模式。本来直接调试拿xor的值就完事了,但是懒得掏出来一年没用的测试机直接静态看恢复密钥了。
直接用的前年的强网杯的白盒aes模版跑的dfa,把so中的数据提取一下放到对应的变量中去就行
复制代码 隐藏代码
from test2 import *
#abcdefghijklmnop
def change_index():
global v16
array2 = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]
arr = [0] * 16
for i in range(16):
arr[i] = v16[array2[i]]
v16 = arr
import numpy
v11 = numpy.array(v11).reshape((9,16,256)).tolist()
v12 = numpy.array(v12).reshape((9,96,16,16)).tolist()
print(len(v13))
v13 = numpy.array(v13).reshape((9,16,256)).tolist()
table4 = numpy.array(table4).reshape((16,256)).tolist()
def AAA():
global v16
global ss
global flag
for i in range(9):
change_index()
if i==8 and flag: #最后一轮修改得到dump
v16[ss] = 0
for j in range(4):
num = v11[i][4 * j][v16[4 * j]]
num2 = v11[i][4 * j + 1][v16[4 * j + 1]]
num3 = v11[i][4 * j + 2][v16[4 * j + 2]]
num4 = v11[i][4 * j + 3][v16[4 * j + 3]]
num5 = v12[i][24 * j][(num >> 28 & 15)][(num2 >> 28 & 15)]
num6 = v12[i][24 * j + 1][(num3 >> 28 & 15)][(num4 >> 28 & 15)]
num7 = v12[i][24 * j + 2][(num >> 24 & 15)][(num2 >> 24 & 15)]
num8 = v12[i][24 * j + 3][(num3 >> 24 & 15)][(num4 >> 24 & 15)]
v16[4 * j] = (v12[i][24 * j + 4][num5][num6] << 4 | v12[i][24 * j + 5][num7][num8])
num5 = v12[i][24 * j + 6][(num >> 20 & 15)][(num2 >> 20 & 15)]
num6 = v12[i][24 * j + 7][(num3 >> 20 & 15)][(num4 >> 20 & 15)]
num7 = v12[i][24 * j + 8][(num >> 16 & 15)][(num2 >> 16 & 15)]
num8 = v12[i][24 * j + 9][(num3 >> 16 & 15)][(num4 >> 16 & 15)]
v16[4 * j + 1] = (v12[i][24 * j + 10][num5][num6] << 4 | v12[i][24 * j + 11][num7][num8])
num5 = v12[i][24 * j + 12][(num >> 12 & 15)][(num2 >> 12 & 15)]
num6 = v12[i][24 * j + 13][(num3 >> 12 & 15)][(num4 >> 12 & 15)]
num7 = v12[i][24 * j + 14][(num >> 8 & 15)][(num2 >> 8 & 15)]
num8 = v12[i][24 * j + 15][(num3 >> 8 & 15)][(num4 >> 8 & 15)]
v16[4 * j + 2] = (v12[i][24 * j + 16][num5][num6] << 4 | v12[i][24 * j + 17][num7][num8])
num5 = v12[i][24 * j + 18][(num >> 4 & 15)][(num2 >> 4 & 15)]
num6 = v12[i][24 * j + 19][(num3 >> 4 & 15)][(num4 >> 4 & 15)]
num7 = v12[i][24 * j + 20][(num & 15)][(num2 & 15)]
num8 = v12[i][24 * j + 21][(num3 & 15)][(num4 & 15)]
v16[4 * j + 3] = (v12[i][24 * j + 22][num5][num6] << 4 | v12[i][24 * j + 23][num7][num8])
num = v13[i][4 * j][v16[4 * j]]
num2 = v13[i][4 * j + 1][v16[4 * j + 1]]
num3 = v13[i][4 * j + 2][v16[4 * j + 2]]
num4 = v13[i][4 * j + 3][v16[4 * j + 3]]
num5 = v12[i][24 * j][(num >> 28 & 15)][(num2 >> 28 & 15)]
num6 = v12[i][24 * j + 1][(num3 >> 28 & 15)][(num4 >> 28 & 15)]
num7 = v12[i][24 * j + 2][(num >> 24 & 15)][(num2 >> 24 & 15)]
num8 = v12[i][24 * j + 3][(num3 >> 24 & 15)][(num4 >> 24 & 15)]
v16[4 * j] = (v12[i][24 * j + 4][num5][num6] << 4 | v12[i][24 * j + 5][num7][num8])
num5 = v12[i][24 * j + 6][(num >> 20 & 15)][(num2 >> 20 & 15)]
num6 = v12[i][24 * j + 7][(num3 >> 20 & 15)][(num4 >> 20 & 15)]
num7 = v12[i][24 * j + 8][(num >> 16 & 15)][(num2 >> 16 & 15)]
num8 = v12[i][24 * j + 9][(num3 >> 16 & 15)][(num4 >> 16 & 15)]
v16[4 * j + 1] = (v12[i][24 * j + 10][num5][num6] << 4 | v12[i][24 * j + 11][num7][num8])
num5 = v12[i][24 * j + 12][(num >> 12 & 15)][(num2 >> 12 & 15)]
num6 = v12[i][24 * j + 13][(num3 >> 12 & 15)][(num4 >> 12 & 15)]
num7 = v12[i][24 * j + 14][(num >> 8 & 15)][(num2 >> 8 & 15)]
num8 = v12[i][24 * j + 15][(num3 >> 8 & 15)][(num4 >> 8 & 15)]
v16[4 * j + 2] = (v12[i][24 * j + 16][num5][num6] << 4 | v12[i][24 * j + 17][num7][num8])
num5 = v12[i][24 * j + 18][(num >> 4 & 15)][(num2 >> 4 & 15)]
num6 = v12[i][24 * j + 19][(num3 >> 4 & 15)][(num4 >> 4 & 15)]
num7 = v12[i][24 * j + 20][(num & 15)][(num2 & 15)]
num8 = v12[i][24 * j + 21][(num3 & 15)][(num4 & 15)]
v16[4 * j + 3] = (v12[i][24 * j + 22][num5][num6] << 4 | v12[i][24 * j + 23][num7][num8])
change_index()
for k in range(16):
v16[k] = table4[k][v16[k]]
for l in range(16):
v16[l] = v16[l]
flag = 1
for ss in range(16):
v16 = [i for i in range(97, 97 + 16)]
AAA()
for i in v16:
print(hex(i)[2:].zfill(2), end='')
print()
# 3694bf644864b8474a4576bb89c69f14
# 1094bf644864b85e4a4554bb89ac9f14
# 9d94bf644864b8514a45d7bb89299f14
# 0ff94bf644864b8f74a45a7bb8939f14
# 1894bf644864b8eb4a4567bb896a9f14
# 0360bf642c64b8474a4576cb89c62f14
# 3660bf646764b8474a45768e89c6af14
# 3697bf646764b8474a45764289c61b14
# 36d5bf647f64b8474a45763589c64214
# 3694e96448afb847834576bb89c69f54
# 3694fd64486db847814576bb89c69f8d
# 3694ae6448d9b847744576bb89c69fbb
# 3694c1644893b847214576bb89c69f97
# 3694bfc84864ef474ab176bbcac69f14
# 03694bf3f48647474ab576bb23c69f14
# 03694bf84864ef474ad176bb11c69f14
# 3694bf3f4864c2474ad476bbcac69f14
data = b"""
43941d39cd79f798851e0f2928123ad2
24941d39cd79f76a851ebb2928103ad2
84941d39cd79f726851ec42928373ad2
83941d39cd79f7bf851ed12928633ad2
c4941d39cd79f78b851e822928373ad2
43e81d398b79f798851e0f06281246d2
43d01d39c479f798851e0f72281238d2
43d61d39ee79f798851e0fab28128ed2
432f1d399a79f798851e0faa281269d2
43947d39cdcaf798511e0f2928123ae0
43942339cd18f798bd1e0f2928123a27
4394ce39cd26f798bd1e0f2928123ab4
43949f39cd2af7983b1e0f2928123a1c
43941d9ccd79c69885d20f2931123ad2
43941d9bcd794c9885eb0f2930123ad2
43941d2ccd79099885010f2929123ad2
43941d47cd79879885230f2942123ad2"""
with open("E://trace",'wb') as f:
f.write(data)
import phoenixAES
phoenixAES.crack_file('E://trace',[],True,False,3)
复制代码 隐藏代码
Last round key #N found:
931C3A97F6D1C217E58CF94FC843B226931C3A97F6D1C217E58CF94FC843B226
用stark解出原密钥为7E13141528AED2A6ABF7158809CF4F3C
复制代码 隐藏代码
from Crypto.
Cipher.AES import *
a = new(key=bytes.fromhex("7E13141528AED2A6ABF7158809CF4F3C"),mode=MODE_OFB,iv=b'\x00'*16)
enc = [0x48, 0x27, 0x8F, 0xAF, 0x9B, 0xF8, 0xEC, 0x72, 0x98, 0x07, 0x72, 0x0C, 0x6B, 0xE2, 0x3A, 0xB6,0x42,0x59,0xf7]
print(a.decrypt(bytes(enc)))
from hashlib import md5
print("flag{"+md5(b"19150922025").hexdigest()+"}")
解题领红包之五 {Windows 高级题}
感觉是最难的一道题
首先脱壳
先去dll can mov
去掉后就可以脱壳 参考upx脱壳即可
但是发现脱壳后无法正常的弹窗
原因:tlscallback有三个函数,在sub_140007DB0中未脱壳时全局变量qword_14000B540应当为0x80,但是脱壳后为4
在第一次进行tlscallback时会执行true分支对setinformationthread函数进行hook因为在140004400函数的执行过程中会首先对第二个参数进行取负影响返回结果
解决方法:patch main函数使其不进入sub_140004400, 并返回正确的结果,函数返回值会进入到后续的线程回调函数中,通过加偏移0x542到目的地址。通过带壳调试获取正确的函数地址0x140008600 140008600-542 = 1400080be
过反调试
通过对thread_proc下断点,发现程序执行时首先会进入到sub_140008EC0中校验程序文件数据的hash
绕过方法:对kernel32_CreateFileW下断点,将rcx指向的文件目录修改为源文件目录即可
程序运行逻辑
继续跟踪sub_140008600 dispatch到的函数
发现其在sub_140008A80->sub_140008AE0中通过WakeConditionVariable,SleepConditionVariable api实现了异步处理,对应的处理函数在sub_140007F40
通过v32变量控制异步处理的分支
逐个跟进可以整理其逻辑如下:
-
将password由str转为hex
-
在sub_140004E80中将hex_password进行tea算法解密,key由rc4生成
经分析需要输入48个字节的flag内容 tea dec后的最后四字节data[20:24]为04040404
-
dec后的data[16:20]字节需要与魔改md5(custom_pad('52pojie 2025 爱飞的猫',data[:16]))相等
-
data[0:8] = 整时或半时的时间戳
-
data[8:16] = uid
解密脚本
复制代码 隐藏代码
#include
#include
//加密函数
void encrypt (uint32_t* v, uint32_t* k) {
uint32_t v0=v[1], v1=v[0], sum=0, i; /* set up */
uint32_t delta=0xB979379E; /* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i < 12; i++) { /* basic cycle start */
sum += delta;
v1 += ((v0<<4) + k0) ^ (v0 + sum) ^ ((v0>>5) + k1);
v0 += ((v1<<4) + k2) ^ (v1 + sum) ^ ((v1>>5) + k3);
} /* end cycle */
v[0]=v0; v[1]=v1;
}
//解密函数
void decrypt (uint32_t* v, uint32_t* k) {
uint32_t v0=v[0], v1=v[1], sum=0xB1AE9B68, i; /* set up */
uint32_t delta=0xB979379E; /* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i<12; i++) { /* basic cycle start */
v0 -= ((v1<<4) + k2) ^ (v1 + sum) ^ ((v1>>5) + k3);
v1 -= ((v0<<4) + k0) ^ (v0 + sum) ^ ((v0>>5) + k1);
sum -= delta;
} /* end cycle */
v[0]=v1; v[1]=v0;
}
int main()
{
uint32_t v2[2]={0x04040404,0x20375DA2}/*魔改的hash值*/,k1[4]={0x1231F787, 0x9ACD6D9A, 0xD7851B65, 0x473457C1},k2[4]={0xC52D865C, 0x10778A6E, 0xB728E994, 0x1746382E},k3[4]={0x779375B2, 0xEFCB8541, 0x7459F437, 0x090D1E5D};
uint32_t v0[2]={0,1738762200};/*时间戳*/
uint32_t v1[2]={0,0x1d38d4};/*uid*/
// v为要加密的数据是两个32位无符号整数
// k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位
printf("加密前原始数据:%x %x\n",v2[0],v2[1]);
encrypt(v2, k3);
printf("\n");
encrypt(v0, k1);
encrypt(v1, k2);
for(int i=0;i<8;i++)
{
printf("%02x",*((unsigned char*)v0+i));
}
for(int i=0;i<8;i++)
{
printf("%02x",*((unsigned char*)v1+i));
}
for(int i=0;i<8;i++)
{
printf("%02x",*((unsigned char*)v2+i));
}
printf("\n");
return 0;
}
# 98cb14e80b42d569ed33224c27a8b943a6695125feffda2d
uid: 1915092
flag{98cb14e80b42d569ed33224c27a8b943a6695125feffda2d}
解题领红包之六 {Windows & Android 高级题}
跟上一题差不多的压缩壳,脱完是个基于栈的vm
vm的结构大致如下,mem中存放的输入、stack和opcodes
复制代码 隐藏代码
00000000 vm_s struc ; (sizeof=0x10008, mappedto_33)
00000000 mem dd 16384 dup(?)
00010000 pc dw ?
00010002 top dw ?
00010004 flag dw ?
00010006 field_10006 dw ?
00010008 vm_s ends
因为有vm初始化的时候会把密文放到内存中,所以直接动调拿了vm_s.mem中的数据,由于数据太多占地方就省略了
复制代码 隐藏代码
opcodes = [0xBF, 0x7F, 0x80, 0xF0, 0xF0, 0xE0, 0xE6, 0xC7, 0x14, 0x41, 0xF7, 0x24, 0xB0, 0xE3, 0xE5, 0xE3, 0xD8, 0xD8, 0xE0, 0xF0, 0xC7, 0x25, 0x68, 0xF8, 0x41, 0xF1, 0x68, 0x7F, 0xE8, 0x19, 0xE0, 0x97, 0x19, 0xF0, 0xC7, 0x1C, 0xF1, 0x68, 0xE5, 0xF7, 0x35, 0xF7, 0xDA, 0x93, 0x94, 0x52, 0x56, 0x28, 0x52, 0x56, 0xF7, 0x41, 0x28, 0xB0, 0xE4, 0xA8, 0x68, 0x98, 0x34, 0x28, 0xF1, 0x28, 0x28, 0x34, 0xF1, 0x28, 0x34, 0xE2, 0xBF, 0x43, 0xF5, 0x7F, 0x0B, 0x41, 0xE4, 0xE2, 0xD8, 0xF7, 0x2D, 0x38, 0x28, 0x41, 0xF1, 0x68, 0xE5, 0xA8, 0xF5, 0xE6, 0xE3, 0x68, 0xE6, 0xBF, 0xA6, 0xE2, 0x28, 0x42, 0x19, 0xE5, 0x97, 0x08, 0x46, 0x19, 0xF5, 0x68, 0xE0, 0xF7, 0x1C, 0xCF, 0xDC, 0x19, 0xF8, 0xF7, 0xFB, 0xF7, 0x53, 0xF7
, 0xC1, 0x55, 0x53, 0x28, 0x52, 0x56, 0xF3, 0x28, 0x54, 0x54, 0x28, 0x08, 0x33, 0xE3, 0xBF, 0x32, 0xE3, 0xE3, 0xBF, 0xBB, 0x80, 0xF0, 0xF7, 0x66, 0xE3, 0xF0, 0xD8, 0x08, 0x28, 0xF7, 0x6C, 0xE3, 0xF1, 0xD8, 0x08, 0x28, 0xF7, 0x61, 0xE3, 0xF2, 0xD8, 0x08, 0x28, 0xF7, 0x67, 0xE3, 0xF3, 0xD8, 0x08, 0x28, 0xF7, 0x7B, 0xE3, 0xF4, 0xD8, 0x08, 0x28, 0xF7, 0x7D, 0xE3, 0xF7, 0x1C, 0xD8, 0x08, 0x28, 0x31, 0xF1, 0x53, 0x54, 0xE0, 0x57, 0x10, 0x28, 0xE0, 0x55, 0x53, 0x28, 0xF0, 0xF8, 0xF7, 0x32, 0xBF, 0x61, 0xF7, 0x30, 0xBF, 0x5D, 0xF7, 0x32, 0xBF, 0x59, 0xF7, 0x35, 0xBF, 0x55, 0xE3, 0x95, 0x96, 0x94, 0x95, 0x94, 0xBF, 0x4D, 0xF7, 0x35, 0xBF, 0x49, 0xF7, 0x32, 0xBF, 0x45, 0xF7, 0x70, 0xBF, 0x41, 0xF7, 0x6F, 0xBF, 0x3D, 0xF7, 0x6A, 0xBF, 0x39, 0xF7, 0x69, 0xBF, 0x35, 0xF7, 0x65, 0xBF, 0x31, 0xE3, 0x96, 0x94, 0x96, 0xBF, 0x2B, 0xF7, 0x61, 0xBF, 0x27, 0xF7, 0x66, 0xBF, 0x23, 0xF7, 0x64, 0xBF, 0x1F, 0xF7, 0x6D, 0xBF, 0x1B, 0xE3, 0x92, 0x96, 0xBF, 0x16, 0xF7, 0x32, 0xBF, 0x12, 0xF7, 0x30, 0xBF, 0x0E, 0xF7, 0x32, 0xBF, 0x0A, 0xF7, 0x35, 0xBF, 0x06, 0xE3, 0xBF, 0x03, 0x58, 0x28, 0x31, 0xF7, 0x20, 0xF7, 0x83, 0x57, 0x08, 0x28, 0xF7, 0xB8, 0xF7, 0xED, 0x57, 0x08, 0x28, 0x57, 0x10, 0x28, 0xF4, 0xF3, 0x68, 0xE4, 0xE4, 0xA8, 0x08, 0xE0, 0xF1, 0x48, 0x10, 0xE3, 0x48, 0x41, 0x91, 0x08, 0xE1, 0xF8, 0x42, 0xF0, 0xCF, 0xF1, 0x42, 0x1A, 0x32, 0x36, 0x6D, 0xB4, 0xB5, 0x11, 0x86, 0x2C, 0x24, 0xC0, 0x49, 0xB4, 0xBA, 0x1C, 0x09, 0x94, 0xF2, 0x24, 0x17, 0x17, 0xB9, 0xD3, 0x89, 0x2A, 0x05, 0xA2, 0xD6, 0x08, 0x9F, 0xF3, 0x90, 0xCB, 0xF3, 0x14, 0x4D, 0xA2, 0x9C, 0xFA, 0xB3, 0x0E, 0x9A, 0x82, 0x0F, 0x14, 0x63, 0x38, 0x5C, 0x94, 0xD4, 0x59, 0x0D, 0xB0, 0xCF, 0xC4, 0x8E, 0x23, 0x38, 0xBB, 0xB4, 0x68, 0x53, 0x09, 0xE7, 0x9B, 0x29, 0x8D, 0xD4, 0x36, 0x9D, 0x83, 0xB3, 0x55, 0xDA, 0xB5, 0xAB, 0xF7, 0xD8, 0x6E, 0xD1, 0xD9, 0xB4, 0xA8, 0x18, 0xBF, 0x58, 0xCC, 0x1E, 0x13, 0x38, 0x66, 0xFB, 0x95, 0xD1, 0x37, 0xC1, 0x78, 0x77, 0x59, 0x10, 0xF8, 0x5D, 0x44, 0xA7, 0xA8, 0xCD, 0x85, 0xBF, 0x01, 0xD7, 0xC3, 0xC2, 0x3B, 0x0C, 0x0A, 0x52, 0x15, 0xE2, 0x13, 0xE6, 0xD8, 0x05, 0x5E, 0x0E, 0x3E, 0x1F, 0xC3, 0x0A, 0xA6
, 0xA5, 0xCD, 0xD6, 0xAE, 0x45, 0xEF, 0x2C, 0xCB, 0x05, 0x4D, 0xCC, 0xA3, 0x93, 0x91, 0xA7, 0xF0, 0x98, 0xB9, 0x02, 0x65, 0x95, 0xEB, 0x2C, 0x48, 0xC7, 0xFF, 0xF4, 0x6B, 0x2C, 0xA1, 0x5C, 0xB3, 0xDA, 0xE6, 0x99, 0xEB, 0xC7, 0x1E, 0x2A, 0xE9, 0x58, 0x06, 0x2A, 0x71, 0x14, 0xC3, 0xE8]
pc = 0
stack = [0,1915092,0x1000,0x2000]+[0]*0x1000
top = 3
mem = [...]
while True:
next_pc = pc+1
op = opcodes[pc]>>3
imm = opcodes[pc]&7
print("pc=", hex(pc), hex(op),hex(top*4), end="\t")
if imm == 7:
imm = opcodes[next_pc]
next_pc+=1
if op in [0,12,14,17,20,29]:
f = 1
result = stack[top]
break
elif op == 1:
print(f"xor {stack[top]=:x},{stack[top-1]=:x}")
stack[top-1] = stack[top]^stack[top-1]
top-=1
elif op == 2:
print(f"neg {stack[top]=:x}")
stack[top] = (-stack[top])&0xffffffff
elif op == 3:
print(f"pop {imm=}")
top-=imm
elif op == 4 or op == 26:
print("nop")
elif op == 5:
print(f"or {stack[top]=:x},{stack[top - 1]=:x}")
stack[top - 1] = stack[top] | stack[top - 1]
top -= 1
elif op == 6:
print(f"ret")
stack[top-1-imm] = stack[top]
next_pc = stack[top-1]
top -= imm+1
elif op == 7:
print(f"cmpnz {stack[top - 1]=:x},{stack[top]=:x}")
stack[top - 1] = stack[top] != stack[top - 1]
top -= 1
elif op == 8:
print(f"swap {stack[top - imm]=:x},{stack[top]=:x}")
stack[top - imm] ,stack[top] = stack[top] ,stack[top - imm]
elif op == 9:
print(f"and {stack[top - 1]=:x},{stack[top]=:x}")
stack[top - 1] = stack[top] & stack[top - 1]
top -= 1
elif op == 10:
print(f"shl {stack[top]=:x},{imm=}")
stack[top] = (stack[top]<0xffffffff
elif op == 11:
print(f"not {stack[top]=:x}")
stack[top] = (~stack[top]) & 0xffffffff
elif op == 13:
print(f"add {stack[top - 1]=:x},{stack[top]=:x}")
stack[top - 1] = stack[top] + stack[top - 1]
top -= 1
elif op == 15:
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"jmp {next_pc=}+{imm=}")
next_pc+=imm
elif op == 16:
f = 0x101
result = stack[top]
break
elif op == 18:
print(f"shr {stack[top]=:x},{imm=}")
stack[top] = (stack[top] >> imm) & 0xffffffff
elif op == 19:
print(f"div {stack[top-1]=:x},{stack[top]=:x}")
stack[top-1] = stack[top-1] // stack[top]
top -= 1
elif op == 21:
print(f"movzx {stack[top]=:x}")
stack[top] = stack[top]&0xff
elif op == 22:
print(f"mul {stack[top-1]=:x},{stack[top]=:x}")
stack[top-1] = (stack[top-1] * stack[top]) & 0xffffffff
top -= 1
elif op == 23:
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"call {next_pc=}+{imm}")
stack[top + 1] =next_pc
next_pc+=imm
top += 1
elif op == 24 :
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"jz {stack[top-1]=:x},{stack[top]=:x}+{imm=}")
if stack[top-1] == stack[top]:
next_pc = next_pc+imm
top-=2
elif op == 25:
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"jnz {stack[top - 1]=:x},{stack[top]=:x}+{imm=}")
if stack[top - 1] != stack[top]:
next_pc = next_pc + imm
top -= 2
elif op == 27:
print(f"load mem[{stack[top-1]=:x},{stack[top]=:x}]")
stack[top-1] = mem[(stack[top]+(stack[top-1]&0xffff))]
top -= 1
elif op == 28:
print(f"push stack[{top-imm=}] {stack[top-imm]:x}")
stack[top+1] = stack[top-imm]
top += 1
elif op == 30:
print(f"push {imm=:x}")
stack[top + 1] = imm
top += 1
elif op == 31:
print(f"dec {stack[top]=:x}")
stack[top] = (stack[top]-1) & 0xffffffff
pc = next_pc
另一个不带模拟的版本
复制代码 隐藏代码
opcodes = [0xBF, 0x7F, 0x80, 0xF0, 0xF0, 0xE0, 0xE6, 0xC7, 0x14, 0x41, 0xF7, 0x24, 0xB0
, 0xE3, 0xE5, 0xE3, 0xD8, 0xD8, 0xE0, 0xF0, 0xC7, 0x25, 0x68, 0xF8, 0x41, 0xF1, 0x68, 0x7F, 0xE8, 0x19, 0xE0, 0x97, 0x19, 0xF0, 0xC7, 0x1C, 0xF1, 0x68, 0xE5, 0xF7, 0x35, 0xF7, 0xDA, 0x93, 0x94, 0x52, 0x56, 0x28, 0x52, 0x56, 0xF7, 0x41, 0x28, 0xB0, 0xE4, 0xA8, 0x68, 0x98, 0x34, 0x28, 0xF1, 0x28, 0x28, 0x34, 0xF1, 0x28, 0x34, 0xE2, 0xBF, 0x43, 0xF5, 0x7F, 0x0B, 0x41, 0xE4, 0xE2, 0xD8, 0xF7, 0x2D, 0x38, 0x28, 0x41, 0xF1, 0x68, 0xE5, 0xA8, 0xF5, 0xE6, 0xE3, 0x68, 0xE6, 0xBF, 0xA6, 0xE2, 0x28, 0x42, 0x19, 0xE5, 0x97, 0x08, 0x46, 0x19, 0xF5, 0x68, 0xE0, 0xF7, 0x1C, 0xCF, 0xDC, 0x19, 0xF8, 0xF7, 0xFB, 0xF7, 0x53, 0xF7, 0xC1, 0x55, 0x53, 0x28, 0x52, 0x56, 0xF3, 0x28, 0x54, 0x54, 0x28, 0x08, 0x33, 0xE3, 0xBF, 0x32, 0xE3, 0xE3, 0xBF, 0xBB, 0x80, 0xF0, 0xF7, 0x66, 0xE3, 0xF0, 0xD8, 0x08, 0x28, 0xF7, 0x6C, 0xE3, 0xF1, 0xD8, 0x08, 0x28, 0xF7, 0x61, 0xE3, 0xF2, 0xD8, 0x08, 0x28, 0xF7, 0x67, 0xE3, 0xF3, 0xD8, 0x08, 0x28, 0xF7, 0x7B, 0xE3, 0xF4, 0xD8, 0x08, 0x28, 0xF7, 0x7D, 0xE3, 0xF7, 0x1C, 0xD8, 0x08, 0x28, 0x31, 0xF1, 0x53, 0x54, 0xE0, 0x57, 0x10, 0x28, 0xE0, 0x55, 0x53, 0x28, 0xF0, 0xF8, 0xF7, 0x32, 0xBF, 0x61, 0xF7, 0x30, 0xBF, 0x5D, 0xF7, 0x32, 0xBF, 0x59, 0xF7, 0x35, 0xBF, 0x55, 0xE3, 0x95, 0x96, 0x94, 0x95, 0x94, 0xBF, 0x4D, 0xF7, 0x35, 0xBF, 0x49, 0xF7, 0x32, 0xBF, 0x45, 0xF7, 0x70, 0xBF, 0x41, 0xF7, 0x6F, 0xBF, 0x3D, 0xF7, 0x6A, 0xBF, 0x39, 0xF7, 0x69, 0xBF, 0x35, 0xF7, 0x65, 0xBF, 0x31, 0xE3, 0x96, 0x94, 0x96, 0xBF, 0x2B, 0xF7, 0x61, 0xBF, 0x27, 0xF7, 0x66, 0xBF, 0x23, 0xF7, 0x64, 0xBF, 0x1F, 0xF7, 0x6D, 0xBF, 0x1B, 0xE3, 0x92, 0x96, 0xBF, 0x16, 0xF7, 0x32, 0xBF, 0x12, 0xF7, 0x30, 0xBF, 0x0E, 0xF7, 0x32, 0xBF, 0x0A, 0xF7, 0x35, 0xBF, 0x06, 0xE3, 0xBF, 0x03, 0x58, 0x28, 0x31, 0xF7, 0x20, 0xF7, 0x83, 0x57, 0x08, 0x28, 0xF7, 0xB8, 0xF7, 0xED, 0x57, 0x08, 0x28, 0x57, 0x10, 0x28, 0xF4, 0xF3, 0x68, 0xE4, 0xE4, 0xA8, 0x08, 0xE0, 0xF1, 0x48, 0x10, 0xE3, 0x48, 0x41, 0x91, 0x08, 0xE1, 0xF8, 0x42, 0xF0, 0xCF, 0xF1, 0x42, 0x1A, 0x32, 0x36, 0x6D, 0xB4, 0xB5, 0x11, 0x86, 0x2C, 0x24, 0xC0, 0x49, 0xB4, 0xBA, 0x1C, 0x09, 0x94, 0xF2, 0x24, 0x17, 0x17, 0xB9, 0xD3, 0x89, 0x2A, 0x05
, 0xA2, 0xD6, 0x08, 0x9F, 0xF3, 0x90, 0xCB, 0xF3, 0x14, 0x4D, 0xA2, 0x9C, 0xFA, 0xB3, 0x0E, 0x9A, 0x82, 0x0F, 0x14, 0x63, 0x38, 0x5C, 0x94, 0xD4, 0x59, 0x0D, 0xB0, 0xCF, 0xC4, 0x8E, 0x23, 0x38, 0xBB, 0xB4, 0x68, 0x53, 0x09, 0xE7, 0x9B, 0x29, 0x8D, 0xD4, 0x36, 0x9D, 0x83, 0xB3, 0x55, 0xDA, 0xB5, 0xAB, 0xF7, 0xD8, 0x6E, 0xD1, 0xD9, 0xB4, 0xA8, 0x18, 0xBF, 0x58, 0xCC, 0x1E, 0x13, 0x38, 0x66, 0xFB, 0x95, 0xD1, 0x37, 0xC1, 0x78, 0x77, 0x59, 0x10, 0xF8, 0x5D, 0x44, 0xA7, 0xA8, 0xCD, 0x85, 0xBF, 0x01, 0xD7, 0xC3, 0xC2, 0x3B, 0x0C, 0x0A, 0x52, 0x15, 0xE2, 0x13, 0xE6, 0xD8, 0x05, 0x5E, 0x0E, 0x3E, 0x1F, 0xC3, 0x0A, 0xA6, 0xA5, 0xCD, 0xD6, 0xAE, 0x45, 0xEF, 0x2C, 0xCB, 0x05, 0x4D, 0xCC, 0xA3, 0x93, 0x91, 0xA7, 0xF0, 0x98, 0xB9, 0x02, 0x65, 0x95, 0xEB, 0x2C, 0x48, 0xC7, 0xFF, 0xF4, 0x6B, 0x2C, 0xA1, 0x5C, 0xB3, 0xDA, 0xE6, 0x99, 0xEB, 0xC7, 0x1E, 0x2A, 0xE9, 0x58, 0x06, 0x2A, 0x71, 0x14, 0xC3, 0xE8]
pc = 0
stack = [0,0x1E240,0x1000,0x2000]+[0]*0x1000
top = 3
mem = [0]*0x8000
mem[0x400:0x408] = [0x67616C66, 0x3131317B, 0x322D3131, 0x32323232, 0x3333332D, 0x342D3333, 0x34343434,0x7d]
mem[0x80c:0x80c+11] = [0x15100A09, 0x040C1321, 0x00001C11, 0x00000000, 0x200F0300, 0x0623020D, 0x010E141B, 0x12081916, 0x0B24171F, 0x051A071E, 0x00221D18]
while True:
next_pc = pc+1
op = opcodes[pc]>>3
imm = opcodes[pc]&7
print("pc=", hex(pc), hex(op), end="\t")
if imm == 7:
imm = opcodes[next_pc]
next_pc+=1
if op in [0,12,14,17,20,29]:
print("break 1")
elif op == 1:
print("xor stack[-1],stack[-2] -> stack[-2]")
elif op == 2:
print("neg stack[-1]")
elif op == 3:
print(f"pop top {imm=:x}")
elif op == 4 or op == 26:
print("nop")
elif op == 5:
print("or stack[-1],stack[-2] -> stack[-2]")
elif op == 6:
print(f"ret {imm=:x}")
print()
elif op == 7:
print(f"cmpnz stack[-1],stack[-2] -> stack[-2]")
elif op == 8:
print(f"swap stack[top- {imm=:x}],stack[top]")
elif op == 9:
print(f"and stack[-1],stack[-2] -> stack[-2]")
elif op == 10:
print(f"shl stack[top],{imm=:x}")
elif op == 11:
print(f"not stack[top]")
elif op == 13:
print(f"add stack[-1],stack[-2] -> stack[-2]")
elif op == 15:
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"jmp {next_pc+imm:x}")
elif op == 16:
print("break 0x101")
elif op == 18:
print(f"shr stack[top],{imm=}")
elif op == 19:
print(f"div stack[top-1],stack[top] -> stack[top-1]")
elif op == 21:
print(f"movzx stack[top]&0xff")
elif op == 22:
print(f"mul stack[top-1],stack[top] -> stack[top-1]")
elif op == 23:
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"call {next_pc+imm:x}")
elif op == 24 :
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"jz stack[top-1],stack[top] -> $+{imm=:x} {next_pc+imm:x}")
elif op == 25:
if imm&0x80!=0:
imm = -(0x100-imm)
print(f"jnz stack[top-1],stack[top] -> $+{imm=:x} {next_pc+imm:x}")
elif op == 27:
print(f"load mem[stack[top-1],stack[top]]")
elif op == 28:
print(f"push stack[top-{imm=}]")
elif op == 30:
print(f"push {imm=}")
elif op == 31:
print(f"dec stack[top]")
pc = next_pc
配合第一个带模拟结果的理解程序语义
复制代码 隐藏代码
pc= 0x0 0x17 call 81
pc= 0x2 0x10 break 0x101
for i in b"11111":
sum*=36
sum+=sbox[i]-1
pc= 0x3 0x1e push imm=0
pc= 0x4 0x1e push imm=0
pc= 0x5 0x1c push stack[top-imm=0]
pc= 0x6 0x1c push stack[top-imm=6]
pc= 0x7 0x18
jz stack[top-1],stack[top] -> $+imm=14 1d
pc= 0x9 0x8 swap stack[top- imm=1],stack[top]
pc= 0xa 0x1e push imm=36
pc= 0xc 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0xd 0x1c push stack[top-imm=3]
pc= 0xe 0x1c push stack[top-imm=5]
pc= 0xf 0x1c push stack[top-imm=3]
pc= 0x10 0x1b load mem[stack[top-1],stack[top]]
pc= 0x11 0x1b load mem[stack[top-1],stack[top]] sbox
pc= 0x12 0x1c push stack[top-imm=0]
pc= 0x13 0x1e push imm=0
pc= 0x14 0x18 jz stack[top-1],stack[top] -> $+imm=25 3b
pc= 0x16 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x17 0x1f dec stack[top]
pc= 0x18 0x8 swap stack[top- imm=1],stack[top]
pc= 0x19 0x1e push imm=1
pc= 0x1a 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x1b 0xf jmp 5
pc= 0x1d 0x3 pop top imm=1
pc= 0x1e 0x1c push stack[top-imm=0]
pc= 0x1f 0x12 shr stack[top],imm=25
pc= 0x21 0x1e push imm=0
pc= 0x22 0x18 jz stack[top-1],stack[top] -> $+imm=1c 40
pc= 0x24 0x1e push imm=1
pc= 0x25 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x26 0x1c push stack[top-imm=5]
pc= 0x27 0x1e push imm=53
pc= 0x29 0x1e push imm=218
pc= 0x2b 0x12 shr stack[top],imm=3
pc= 0x2c 0x12 shr stack[top],imm=4
pc= 0x2d 0xa shl stack[top],imm=2
pc= 0x2e 0xa shl stack[top],imm=6
pc= 0x2f 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x30 0xa shl stack[top],imm=2
pc= 0x31 0xa shl stack[top],imm=6
pc= 0x32 0x1e push imm=65
pc= 0x34 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x35 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x36 0x1c push stack[top-imm=4]
pc= 0x37 0x15 movzx stack[top]&0xff
pc= 0x38 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x39 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x3a 0x6 ret imm=4
pc= 0x3b 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x3c 0x1e push imm=1
pc= 0x3d 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x3e 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x3f 0x6 ret imm=4
pc= 0x40 0x1e push imm=1
pc= 0x41 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x42 0x6 ret imm=4
pc= 0x43 0x1c push stack[top-imm=2]
pc= 0x44 0x17 call 89
pc= 0x46 0x1e push imm=5
pc= 0x47 0xf jmp 54
pc= 0x49 0x8 swap stack[top- imm=1],stack[top]
pc= 0x4a 0x1c push stack[top-imm=4]
pc= 0x4b 0x1c push stack[top-imm=2]
pc= 0x4c 0x1b load mem[stack[top-1],stack[top]]
pc= 0x4d 0x1e push imm=45
pc= 0x4f 0x7 cmpnz stack[-1],stack[-2] -> stack[-2]
pc= 0x50 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x51 0x8 swap stack[top- imm=1],stack[top]
pc= 0x52 0x1e push imm=1
pc= 0x53 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x54 0x1c push stack[top-imm=5]
pc= 0x55 0x15 movzx stack[top]&0xff 8d90c3bd crc32
pc= 0x56 0x1e push imm=5
pc= 0x57 0x1c push stack[top-imm=6]
pc= 0x58 0x1c push stack[top-imm=3]
pc= 0x59 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x5a 0x1c push stack[top-imm=6]
pc= 0x5b 0x17 call 3
pc= 0x5d 0x1c push stack[top-imm=2]
pc= 0x5e 0x5 or
stack[-1],stack[-2] -> stack[-2]
pc= 0x5f 0x8 swap stack[top- imm=2],stack[top]
pc= 0x60 0x3 pop top imm=1
pc= 0x61 0x1c push stack[top-imm=5]
pc= 0x62 0x12 shr stack[top],imm=8
pc= 0x64 0x8 swap stack[top- imm=6],stack[top]
pc= 0x65 0x3 pop top imm=1
pc= 0x66 0x1e push imm=5
pc= 0x67 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x68 0x1c push stack[top-imm=0]
pc= 0x69 0x1e push imm=28
pc= 0x6b 0x19 jnz stack[top-1],stack[top] -> $+imm=-24 49
pc= 0x6d 0x3 pop top imm=1
pc= 0x6e 0x1f dec stack[top]
pc= 0x6f 0x1e push imm=251
pc= 0x71 0x1e push imm=83
pc= 0x73 0x1e push imm=193
pc= 0x75 0xa shl stack[top],imm=5
pc= 0x76 0xa shl stack[top],imm=3
pc= 0x77 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x78 0xa shl stack[top],imm=2
pc= 0x79 0xa shl stack[top],imm=6
pc= 0x7a 0x1e push imm=3
pc= 0x7b 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x7c 0xa shl stack[top],imm=4
pc= 0x7d 0xa shl stack[top],imm=4
pc= 0x7e 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x7f 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x80 0x6 ret imm=3
main
pc= 0x81 0x1c push stack[top-imm=3]
pc= 0x82 0x17 call b6
crc32-> 8d90c3bd
pc= 0x84 0x1c push stack[top-imm=3]
pc= 0x85 0x1c push stack[top-imm=3]
pc= 0x86 0x17 call 43
pc= 0x88 0x10 break 0x101
检查flag{}
pc= 0x89 0x1e push imm=0
pc= 0x8a 0x1e push imm=102
pc= 0x8c 0x1c push stack[top-imm=3]
pc= 0x8d 0x1e push imm=0
pc= 0x8e 0x1b load mem[stack[top-1],stack[top]]
pc= 0x8f 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x90 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x91 0x1e push imm=108
pc= 0x93 0x1c push stack[top-imm=3]
pc= 0x94 0x1e push imm=1
pc= 0x95 0x1b load mem[stack[top-1],stack[top]]
pc= 0x96 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x97 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x98 0x1e push imm=97
pc= 0x9a 0x1c push stack[top-imm=3]
pc= 0x9b 0x1e push imm=2
pc= 0x9c 0x1b load mem[stack[top-1],stack[top]]
pc= 0x9d 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x9e 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x9f 0x1e push imm=103
pc= 0xa1 0x1c push stack[top-imm=3]
pc= 0xa2 0x1e push imm=3
pc= 0xa3 0x1b load mem[stack[top-1],stack[top]]
pc= 0xa4 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0xa5 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0xa6 0x1e push imm=123
pc= 0xa8 0x1c push stack[top-imm=3]
pc= 0xa9 0x1e push imm=4
pc= 0xaa 0x1b load mem[stack[top-1],stack[top]]
pc= 0xab 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0xac 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0xad 0x1e push imm=125
pc= 0xaf 0x1c push stack[top-imm=3]
pc= 0xb0 0x1e push imm=28
pc= 0xb2 0x1b load mem[stack[top-1],stack[top]]
pc= 0xb3 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0xb4 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0xb5 0x6 ret imm=1
serial_crc32
pc= 0xb6 0x1e push imm=1
pc= 0xb7 0xa shl
stack[top],imm=3
pc= 0xb8 0xa shl stack[top],imm=4
pc= 0xb9 0x1c push stack[top-imm=0]
pc= 0xba 0xa shl stack[top],imm=10
pc= 0xbc 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0xbd 0x1c push stack[top-imm=0]
pc= 0xbe 0xa shl stack[top],imm=5
pc= 0xbf 0xa shl stack[top],imm=3
pc= 0xc0 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0xc1 0x1e push imm=0
pc= 0xc2 0x1f dec stack[top]
pc= 0xc3 0x1e push imm=50
pc= 0xc5 0x17 call 128
pc= 0xc7 0x1e push imm=48
pc= 0xc9 0x17 call 128
pc= 0xcb 0x1e push imm=50
pc= 0xcd 0x17 call 128
pc= 0xcf 0x1e push imm=53
pc= 0xd1 0x17 call 128
pc= 0xd3 0x1c push stack[top-imm=3]
pc= 0xd4 0x12 shr stack[top],imm=5
pc= 0xd5 0x12 shr stack[top],imm=6
pc= 0xd6 0x12 shr stack[top],imm=4
pc= 0xd7 0x12 shr stack[top],imm=5
pc= 0xd8 0x12 shr stack[top],imm=4
pc= 0xd9 0x17 call 128
pc= 0xdb 0x1e push imm=53
pc= 0xdd 0x17 call 128
pc= 0xdf 0x1e push imm=50
pc= 0xe1 0x17 call 128
pc= 0xe3 0x1e push imm=112
pc= 0xe5 0x17 call 128
pc= 0xe7 0x1e push imm=111
pc= 0xe9 0x17 call 128
pc= 0xeb 0x1e push imm=106
pc= 0xed 0x17 call 128
pc= 0xef 0x1e push imm=105
pc= 0xf1 0x17 call 128
pc= 0xf3 0x1e push imm=101
pc= 0xf5 0x17 call 128
pc= 0xf7 0x1c push stack[top-imm=3]
pc= 0xf8 0x12 shr stack[top],imm=6
pc= 0xf9 0x12 shr stack[top],imm=4
pc= 0xfa 0x12 shr stack[top],imm=6
pc= 0xfb 0x17 call 128
pc= 0xfd 0x1e push imm=97
pc= 0xff 0x17 call 128
pc= 0x101 0x1e push imm=102
pc= 0x103 0x17 call 128
pc= 0x105 0x1e push imm=100
pc= 0x107 0x17 call 128
pc= 0x109 0x1e push imm=109
pc= 0x10b 0x17 call 128
pc= 0x10d 0x1c push stack[top-imm=3]
pc= 0x10e 0x12 shr stack[top],imm=2
pc= 0x10f 0x12 shr stack[top],imm=6
pc= 0x110 0x17 call 128
pc= 0x112 0x1e push imm=50
pc= 0x114 0x17 call 128
pc= 0x116 0x1e push imm=48
pc= 0x118 0x17 call 128
pc= 0x11a 0x1e push imm=50
pc= 0x11c 0x17 call 128
pc= 0x11e 0x1e push imm=53
pc= 0x120 0x17 call 128
pc= 0x122 0x1c push stack[top-imm=3]
pc= 0x123 0x17 call 128
pc= 0x125 0xb not stack[top]
pc= 0x126 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x127 0x6 ret imm=1
crc32
pc= 0x128 0x1e push imm=32
pc= 0x12a 0x1e push imm=131
pc= 0x12c 0xa shl stack[top],imm=8
pc= 0x12e 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x12f 0x1e push imm=184
pc= 0x131 0x1e push imm=237
pc= 0x133 0xa shl stack[top],imm=8
pc= 0x135 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x136 0xa shl stack[top],imm=10
pc= 0x138 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x139 0x1e push imm=4
pc= 0x13a
0x1e push imm=3
pc= 0x13b 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x13c 0x1c push stack[top-imm=4]
pc= 0x13d 0x1c push stack[top-imm=4]
pc= 0x13e 0x15 movzx stack[top]&0xff
pc= 0x13f 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x140 0x1c push stack[top-imm=0]
pc= 0x141 0x1e push imm=1
pc= 0x142 0x9 and stack[-1],stack[-2] -> stack[-2]
pc= 0x143 0x2 neg stack[-1]
pc= 0x144 0x1c push stack[top-imm=3]
pc= 0x145 0x9 and stack[-1],stack[-2] -> stack[-2]
pc= 0x146 0x8 swap stack[top- imm=1],stack[top]
pc= 0x147 0x12 shr stack[top],imm=1
pc= 0x148 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x149 0x1c push stack[top-imm=1]
pc= 0x14a 0x1f dec stack[top]
pc= 0x14b 0x8 swap stack[top- imm=2],stack[top]
pc= 0x14c 0x1e push imm=0
pc= 0x14d 0x19 jnz stack[top-1],stack[top] -> $+imm=-f 140
pc= 0x14f 0x8 swap stack[top- imm=2],stack[top]
pc= 0x150 0x3 pop top imm=2
pc= 0x151 0x6 ret imm=2
pc= 0x152 0x6 ret imm=6
pc= 0x153 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x154 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x155 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x156 0x2 neg stack[-1]
pc= 0x157 0x10 break 0x101
pc= 0x158 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x159 0x4 nop
pc= 0x15a 0x18 jz stack[top-1],stack[top] -> $+imm=0 15b
pc= 0x15b 0x9 and stack[-1],stack[-2] -> stack[-2]
pc= 0x15c 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x15d 0x17 call 160
pc= 0x15e 0x3 pop top imm=4
pc= 0x15f 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x160 0x12 shr stack[top],imm=4
pc= 0x161 0x1e push imm=2
pc= 0x162 0x4 nop
pc= 0x163 0x2 neg stack[-1]
pc= 0x165 0x17 call 167
pc= 0x166 0x1a nop
pc= 0x167 0x11 break 1
pc= 0x168 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x169 0x0 break 1
pc= 0x16a 0x14 break 1
pc= 0x16b 0x1a nop
pc= 0x16c 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x16d 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x16f 0x12 shr stack[top],imm=0
pc= 0x170 0x19 jnz stack[top-1],stack[top] -> $+imm=3 174
pc= 0x171 0x1e push imm=3
pc= 0x172 0x2 neg stack[-1]
pc= 0x173 0x9 and stack[-1],stack[-2] -> stack[-2]
pc= 0x174 0x14 break 1
pc= 0x175 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x176 0x1f dec stack[top]
pc= 0x177 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x178 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x179 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x17a 0x10 break 0x101
pc= 0x17b 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x17d 0xc break 1
pc= 0x17e 0x7 cmpnz stack[-1],stack[-2] -> stack[-2]
pc= 0x17f 0xb not stack[top]
pc= 0x180 0x12 shr stack[top],imm=4
pc= 0x181 0x1a nop
pc= 0x182 0xb not stack[top]
pc= 0x183 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x184 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x185 0x19 jnz stack[top-1],stack[top] -> $+imm=-3c 14b
pc= 0x187 0x11 break 1
pc= 0x188 0x4 nop
pc= 0x189 0x7 cmpnz stack[-1],stack[-2] -> stack[-2
]
pc= 0x18a 0x17 call 18e
pc= 0x18b 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x18c 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x18d 0xa shl stack[top],imm=3
pc= 0x18e 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x18f 0x1c push stack[top-imm=155]
pc= 0x191 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x192 0x11 break 1
pc= 0x193 0x1a nop
pc= 0x194 0x6 ret imm=6
pc= 0x195 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x196 0x10 break 0x101
pc= 0x197 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x198 0xa shl stack[top],imm=5
pc= 0x199 0x1b load mem[stack[top-1],stack[top]]
pc= 0x19a 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x19b 0x15 movzx stack[top]&0xff
pc= 0x19c 0x1e push imm=216
pc= 0x19e 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x19f 0x1a nop
pc= 0x1a0 0x1b load mem[stack[top-1],stack[top]]
pc= 0x1a1 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x1a2 0x15 movzx stack[top]&0xff
pc= 0x1a3 0x3 pop top imm=0
pc= 0x1a4 0x17 call 1fe
pc= 0x1a6 0x19 jnz stack[top-1],stack[top] -> $+imm=4 1ab
pc= 0x1a7 0x3 pop top imm=6
pc= 0x1a8 0x2 neg stack[-1]
pc= 0x1a9 0x7 cmpnz stack[-1],stack[-2] -> stack[-2]
pc= 0x1aa 0xc break 1
pc= 0x1ab 0x1f dec stack[top]
pc= 0x1ac 0x12 shr stack[top],imm=5
pc= 0x1ad 0x1a nop
pc= 0x1ae 0x6 ret imm=c1
pc= 0x1b0 0xf jmp 1b1
pc= 0x1b1 0xe break 1
pc= 0x1b3 0x2 neg stack[-1]
pc= 0x1b4 0x1f dec stack[top]
pc= 0x1b5 0xb not stack[top]
pc= 0x1b6 0x8 swap stack[top- imm=4],stack[top]
pc= 0x1b7 0x14 break 1
pc= 0x1b9 0x19 jnz stack[top-1],stack[top] -> $+imm=5 1bf
pc= 0x1ba 0x10 break 0x101
pc= 0x1bb 0x17 call 1be
pc= 0x1bd 0x1a nop
pc= 0x1bf 0x18 jz stack[top-1],stack[top] -> $+imm=2 1c2
pc= 0x1c0 0x7 cmpnz stack[-1],stack[-2] -> stack[-2]
pc= 0x1c1 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x1c2 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x1c3 0xa shl stack[top],imm=2
pc= 0x1c4 0x2 neg stack[-1]
pc= 0x1c5 0x1c push stack[top-imm=2]
pc= 0x1c6 0x2 neg stack[-1]
pc= 0x1c7 0x1c push stack[top-imm=6]
pc= 0x1c8 0x1b load mem[stack[top-1],stack[top]]
pc= 0x1c9 0x0 break 1
pc= 0x1ca 0xb not stack[top]
pc= 0x1cb 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x1cc 0x7 cmpnz stack[-1],stack[-2] -> stack[-2]
pc= 0x1cd 0x3 pop top imm=c3
pc= 0x1cf 0x1 xor stack[-1],stack[-2] -> stack[-2]
pc= 0x1d0 0x14 break 1
pc= 0x1d1 0x14 break 1
pc= 0x1d2 0x19 jnz stack[top-1],stack[top] -> $+imm=5 1d8
pc= 0x1d3 0x1a nop
pc= 0x1d4 0x15 movzx stack[top]&0xff
pc= 0x1d5 0x8 swap stack[top- imm=5],stack[top]
pc= 0x1d6 0x1d break 1
pc= 0x1d8 0x19 jnz stack[top-1],stack[top] -> $+imm=3 1dc
pc= 0x1d9 0x0 break 1
pc= 0x1da 0x9 and stack[-1],stack[-2] -> stack[-2]
pc= 0x1db 0x19 jnz stack[top-1],stack[top] -> $+imm=4 1e0
pc= 0x1dc 0x14 break 1
pc= 0x1dd 0x12 shr stack[top],imm=3
pc= 0x1de 0x12 shr stack[top],imm=1
pc= 0x1df 0x14 break 1
pc= 0x1e1 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x1e2 0x17 call 1e4
pc= 0x1e3 0x0 break 1
pc= 0x1e4 0xc break 1
pc= 0x1e5 0x12 shr stack[top],imm=5
pc= 0x1e6 0x1d break 1
pc= 0x1e7 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x1e8 0x9 and stack[-1],stack[-2] -> stack[-2]
pc= 0x1e9 0x18 jz stack[top-1],stack[top] -> $+imm=-1 1ea
pc= 0x1eb 0x1e push imm=4
pc= 0x1ec 0xd add stack[-1],stack[-2] -> stack[-2]
pc= 0x1ed 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x1ee 0x14 break 1
pc= 0x1ef 0xb not stack[top]
pc= 0x1f0 0x16 mul stack[top-1],stack[top] -> stack[top-1]
pc= 0x1f1 0x1b load mem[stack[top-1],stack[top]]
pc= 0x1f2 0x1c push stack[top-imm=6]
pc= 0x1f3 0x13 div stack[top-1],stack[top] -> stack[top-1]
pc= 0x1f4 0x1d break 1
pc= 0x1f5 0x18 jz stack[top-1],stack[top] -> $+imm=1e 215
pc= 0x1f7 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x1f8 0x1d break 1
pc= 0x1f9 0xb not stack[top]
pc= 0x1fa 0x0 break 1
pc= 0x1fb 0x5 or stack[-1],stack[-2] -> stack[-2]
pc= 0x1fc 0xe break 1
pc= 0x1fd 0x2 neg stack[-1]
pc= 0x1fe 0x18 jz stack[top-1],stack[top] -> $+imm=3 202
pc= 0x1ff 0x1d break 1
逻辑看代码吧 大体是每5个字符一组base36后的结果crc32需要被指定data整除,直接爆破即可
复制代码 隐藏代码
def crc32_2(data):
crc = 0xFFFFFFFF # 初始值
for i in data:
crc = crc ^ i
for j in range(8):
if crc & 0x00000001:
crc = (crc >> 1) ^ 0xEDB88320 # 逆序后的多项式 0xEDB88320= reverse 0x04C11DB7
else:
crc = (crc >> 1)
# print(hex(crc))
return (crc ^ 0xFFFFFFFF) | 0x80808080 # 或者写成~crc&0xffffffff 结果异或值
print(bytes([50,48,50,53,53,50,112,111,106,105,101,97,102,100,109,50,48,50,53]))
print(bytes([102,108,97,103]))
sbox = [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x0A, 0x10, 0x15, 0x21, 0x13, 0x0C, 0x04, 0x11, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x0F, 0x20, 0x0D, 0x02, 0x23, 0x06, 0x1B, 0x14, 0x0E, 0x01, 0x16, 0x19, 0x08, 0x12, 0x1F, 0x17, 0x24, 0x0B, 0x1E, 0x07, 0x1A, 0x05, 0x18, 0x1D, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
sum = 0
for i in b"11111":
sum*=36
sum+=sbox[i]-1
# print(hex(sum))
print(hex(sum))
sum=0
for i in b"22222":
sum*=36
sum+=sbox[i]-1
# print(hex(sum))
print(hex(sum))
crc32_val = [0xbd,0xc3,0x90,0x8d]
flag_off = [5,11,17,23]
sum = 0
table = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
for i in range(4):
print(hex(0x13541*crc32_val[i] + flag_off[i]))
data = [0xe45102,
0xeb908e,
0xadf4a1,
0xaa54e4]
for i in range(4):
s=chr(sbox.index(data[i]%36+1))+chr(sbox.index(data[i]//36%36+1))+chr(sbox.index(data[i]//36//36%36+1))+chr(sbox.index(data[i]//36//36//36%36+1))+chr(sbox.index(data[i]//36//36//36//36%36+1))
s=s[::-1]
print(s,end="-")
print()
for i in b"HHW8A-5JYKV-3JEV6-HLE09":
print(i,end=",")
print()
for _ in range(4):
for t1 in table:
for t2 in table:
for t3 in table:
for t4 in table:
for t5 in table:
t = [t1,t2,t3,t4,t5]
sum = 0
for i in t:
sum*=36
sum+=sbox[i]-1
if (sum+1) % data[_] == 0 and sum>>25!=0:
print(bytes(t),_)
解题领红包之七 {Windows 高级题}
在First数组中添加了初始化和反调试
base 0x7FF7A5930000
check函数逻辑根据时间创建ecc的a p
但是跟ecc没什么关系
只需要在动调的过程中拿到a和p放到key的后面即可
ida写个条件断点直接动态赋值
地址07FF7A5931AD4
复制代码 隐藏代码
import ida_dbg
import idaapi
p = idaapi.get_qword(0x7FF7A5956AF8)
a = idaapi.get_qword(0x7FF7A5956B08)
ida_dbg.set_reg_val("r14",p)
ida_dbg.set_reg_val("r15",a)
地址07FF7A5931B37
复制代码 隐藏代码
import ida_dbg
import idaapi
py = ida_dbg.get_reg_val("rax")
px = ida_dbg.get_reg_val("rcx")
r12 = ida_dbg.get_reg_val("r12")
print(py,px,r12)
p = idaapi.get_qword(0x7FF7A5956AF8)
a = idaapi.get_qword(0x7FF7A5956B08)
print(f"{a=} {p=}")
import ida_dbg
import idaapi
rbp = ida_dbg.get_reg_val("rbp")
enc = idaapi.get_bytes(rbp+0x30,0x10)
print(enc)
t = 0
for i in range(16):
for bf in range(1000000):
temp = ((bf+(-10*py)-t)//px)&0xff
if temp == enc[i]:
print(str(bf).zfill(6),end='')
break
t+=0x27DA
print(str(a).zfill(6)+str(p).zfill(6))
但是实际测试时发现有时输出不正确,有时正确。存在点小bug
