Mas0n
to be reverse engineer🐧
翻车鱼

2022HWS硬件安全冬令营 X DASCTF Jan

总共三题逆向,2题VM,1题LLVM FLA

之前一直没机会去做VM类型的题目(其实是我懒),这次做到了,算是练手了。题目也比较适合入门。

badPDF

右键属性提取出shell

%SystemRoot%\system32\cmd.exe /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\\g4ZokyumBB2gDn.tmp /y&for /r C:\\Windows\\System32\\ %i in (*ertu*.exe) do copy %i %tmp%\\msoia.exe /y&findstr.exe "TVNDRgAAAA" %tmp%\\g4ZokyumBB2gDn.tmp>%tmp%\\cSi1r0uywDNvDu.

运行ink,看到%tmp%目录下释放的一些文件

https://cdn.shi1011.cn/2022/01/1f4cd90dcefe44d45d13b256786cbef2.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
 <ms:script implements-prefix="user" language="VBScript">
 <![CDATA[
 rBOH7OLTCVxzkH=HrtvBsRh3gNUbe("676d60667a64333665326564333665326564333665326536653265643336656564333665327c"):execute(rBOH7OLTCVxzkH):function HrtvBsRh3gNUbe(bhhz6HalbOkrki):for rBOH7OLTCVxzkH=1 to len(bhhz6HalbOkrki)step 2:HrtvBsRh3gNUbe=HrtvBsRh3gNUbe&chr(asc(chr("&h"&mid(bhhz6HalbOkrki,rBOH7OLTCVxzkH,2)))xor 1):next:end function:
 ]]> </ms:script>
</stylesheet>

简单异或

https://cdn.shi1011.cn/2022/01/a2e5fbb9d77c60e93b62bfef8caf6dc3.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

babyrsa

factordb分解e

import gmpy2
from Crypto.Util.number import bytes_to_long, long_to_bytes

N = 13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929
c = 1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524

p = 98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
q = 133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
phi = (q - 1) * (p - 1)
d = gmpy2.invert(e, phi)
m = gmpy2.powmod(c, d, N)
m = long_to_bytes(m)
print(m)

EasyVM

小型VM

魔改Base64,魔改点:

v4[v6 - 4] = aAbcdefghijklmn[v8 >> 2] ^ 0xA;
v4[v6 - 3] = aAbcdefghijklmn[(*((unsigned __int8 *)v7 - 3) >> 4) | (16 * (*(v7 - 4) & 3))] ^ 0xB;
v4[v6 - 2] = aAbcdefghijklmn[(*((unsigned __int8 *)v7 - 2) >> 6) | (4 * (*(v7 - 3) & 0xF))] ^ 0xC;
v4[v6 - 1] = aAbcdefghijklmn[*(v7 - 2) & 0x3F] ^ 0xD;

而后分析VM

结构体

struct vm {
    void* vm;
	_BYTE* opcode;
	_DWORD eax;
    _DWORD ebx;
	_DWORD ecx;
	_DWORD edx;
	_BYTE* uncode;
	_DWORD vla;
	_BYTE* flag;
}

写parser

vmcode = [0xCA, 0x00, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00, 0x00, 0xCC, 0xCF, 0xC9, 0xEE, 0x00, 0x00, 0x00, 0xCF,
          0xD1, 0xD3, 0x01, 0xFE, 0xC2, 0xD2, 0x39, 0x00, 0x00, 0x00, 0xD4, 0xEC, 0xFF]

func = ["scheduler",
        {"name": "inc_eax", "step": 1},
        {"name": "inc_ebx", "step": 1},
        {"name": "inc_ecx", "step": 1},
        {"name": "mov_eax_ebx", "step": 1},
        {"name": "mov_eax_ecx", "step": 1},
        {"name": "mov_ebx_eax", "step": 1},
        {"name": "mov_ebx_ecx", "step": 1},
        {"name": "mov_ecx_eax", "step": 1},
        {"name": "mov_ecx_ebx", "step": 1},
        {"name": "mov_eax_data", "step": 5},
        {"name": "mov_ebx_data", "step": 5},
        {"name": "mov_ecx_data", "step": 5},
        {"name": "mov_eax_flag", "step": 1},
        {"name": "mov_ebx_flag", "step": 1},
        {"name": "xor_eax_ebx", "step": 1},
        {"name": "xor_ebx_eax", "step": 1},
        {"name": "cmp_eax_uncode", "step": 1},
        {"name": "cmp_ebx_uncode", "step": 1},
        {"name": "cmp_ecx_data", "step": 5},

        {"name": "sub_4015D0", "step": 3},
        {"name": "sub_4015F0", "step": 3},
        ]

def findit():
    rt = [192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 0xfe, 0xff]
    ip = 0
    while ip < len(vmcode):
        idx = rt.index(vmcode[ip]) + 1

        if func[idx]["step"] == 5:
            print(func[idx]["name"], hex(int.from_bytes(vmcode[ip+1:ip+5], byteorder="little")))
        else:
            print(func[idx]["name"])
        ip += func[idx]["step"]


findit()

"""
ebx = 0x0
ecx = 0x0
loop: eax = flag[ecx]
ebx ^= eax
eax = 0xee
ebx ^= eax
uncode[ecx] == ebx
ecx++
jmp loop;
"""

逆运算

# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: hws1.py
@Time: 2022-01-23 15:10
@Desc: It's all about getting better.
"""
from base64 import b64decode


def dec(strs):
    lt = bytearray(strs.encode())
    for i in range(0, len(lt), 4):
        lt[i] ^= 0xa
        lt[i + 1] ^= 0xb
        lt[i + 2] ^= 0xc
        lt[i + 3] ^= 0xd
    return b64decode(lt)


code = bytearray([0xBE, 0x36, 0xAC, 0x27, 0x99, 0x4F, 0xDE, 0x44, 0xEE, 0x5F, 0xDA, 0x0B, 0xB5, 0x17, 0xB8, 0x68, 0xC2, 0x4E, 0x9C, 0x4A, 0xE1, 0x43, 0xF0, 0x22, 0x8A, 0x3B, 0x88, 0x5B, 0xE5, 0x54, 0xFF, 0x68, 0xD5, 0x67, 0xD4, 0x06, 0xAD, 0x0B, 0xD8, 0x50, 0xF9, 0x58, 0xE0, 0x6F, 0xC5, 0x4A, 0xFD, 0x2F, 0x84, 0x36, 0x85, 0x52, 0xFB, 0x73, 0xD7, 0x0D, 0xE3, 0x00, 0x00, 0x00])

for i in range(len(code) - 1 - 2, -1, -1):
    code[i] ^= 0xee
    if i > 0:
        code[i] ^= code[i - 1]
print(dec(code.decode()))

babyre

llvm控制流混淆

patch掉花指令

比较明显的换表Base64

https://cdn.shi1011.cn/2022/01/5779d329928f00c2a5e6567e1e0b8834.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

指令不是特别多,调试确定执行流程

大致如下

Src = sub_4221F0(dword_452E50);
memmove(data, Src, 0x20u);
for (int i = 0; i < 8; i++) { 
	v6 = ~*(_DWORD *)&data[4 * v33];
	v7 = v6 & v34;
	v34 = v6 & v34 | ~v34 & *(_DWORD *)&data[4 * v33];
}
    
for (int i = 0; i < 8; i++) { 
	v9 = ~*(_DWORD *)&data[4 * v32];
	*(_DWORD *)&data[4 * v32] = v9 & v34 | ~v34 & *(_DWORD *)&data[4 * v32];
}


for (int i = 0; i < 33; i+=3) {
    ··· // 换表Base64

    for (int v23 = i; v23 < 33; v23+=3) {
    	data[v23] = (v27 & 0xF4 | ~v27 & 0xB) ^ (data[v23] & 0xF4 | ~data[v23] & 0xB);
    	data[v23 + 1] = ~v26 & data[v23 + 1] | ~data[v23 + 1] & v26;
    	data[v23 + 2] = ~v25 & data[v23 + 2] | ~data[v23 + 2] & v25;
    
}

综上,z3求解

# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: hws3.py
@Time: 2022-01-23 17:45
@Desc: It's all about getting better.
"""


from z3 import *
import base64


def z3enc(inputs):
    data = inputs.copy()
    i = 0
    for _ in range((len(data) - 1) % 3):
        data.append(0)
    while 1:
        chr1 = (data[i])
        i += 1
        chr2 = (data[i])
        i += 1
        chr3 = (data[i])
        i += 1

        enc1 = chr1 >> 2
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4)
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6)

        for j in range(i, len(data), 3):
            data[j] = (enc1 & 0xF4 | ~enc1 & 0xB) ^ (data[j] & 0xF4 | ~data[j] & 0xB)
            data[j + 1] = ~enc2 & data[j + 1] | ~data[j + 1] & enc2
            data[j + 2] = ~enc3 & data[j + 2] | ~data[j + 2] & enc3

        if i >= len(data):
            break

    return data


baseMaps = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
newMaps = "QVEJAfHmUYjBac+u8Ph5n9Od16FrICL/X0GvtM4qk7T2z3wNSsyoebilxWKgZpRD="

cipherText = "Fi9X/fxX6Q6JBfUfBM1V/y6V6PcPjMaQLl9IuttFuH68"
cipherText = cipherText.translate(cipherText.maketrans(newMaps, baseMaps))

bingo = base64.b64decode(cipherText.encode('utf-8'))

# Step 1
sol = Solver()
flag = [BitVec(f"flag[{i}]", 8) for i in range(32)]
res = z3enc(flag)

for i in range(32):
    sol.add(res[i] == bingo[i])

assert sol.check() == sat
mol = sol.model()
# print(mol)
end = bytearray([mol.eval(i).as_long() for i in flag])
print(end)

# Step 2
ended = [int.from_bytes(end[4*i:4*i+4], byteorder="little") for i in range(8)]
sol = Solver()
flag = [BitVec(f"flag[{i}]", 32) for i in range(8)]
tmps = flag.copy()
v32 = 0
for i in range(8):
    v6 = ~tmps[i]
    v7 = v6 & v32
    v32 = v6 & v32 | ~v32 & tmps[i]

for i in range(8):
    tmps[i] = ~tmps[i] & v32 | ~v32 & tmps[i]


for i in range(8):
    sol.add(ended[i] == tmps[i])
assert sol.check() == sat
mol = sol.model()
# print(mol)
print("".join([int.to_bytes(mol.eval(i).as_long(), byteorder="little", length=4).decode() for i in flag]))

做完找llvm资料的时候直呼:脚本小子真香

moliam/llvm-fla-cracker: cracker for the llvm-fla-obfuscator (github.com)

https://cdn.shi1011.cn/2022/01/b6c5768d8b62f6793695d411d544291b.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

BabyVM

还是VM

patch花指令

from ida_bytes import get_bytes, patch_bytes
import re

addr = 0x00412CC0
end = 0x00413991
buf = get_bytes(addr, end-addr)
buf = buf.replace(b"\x74\x03\x75\x01\xE8", b"\x90"*5)
patch_bytes(addr, buf)

初始化函数sub_292BB0

void sub_292BB0()
{
  __CheckForDebuggerJustMyCode(&unk_2A1002);
  stack = malloc(0x8000u);
  memory = malloc(0x800000u);
  j_memset(&reg, 0, sizeof(reg));
  j_memset(flags, 0, sizeof(flags));
  LODWORD(reg.R[4]) = 256;
  HIDWORD(reg.R[4]) = 0;
  vmrun((int)vm0);
  vmrun((int)vm1);
}

执行函数sub_292CC0

寄存器结构

struct regs { 
    _QWORD R0;
    _QWORD R1;
    _QWORD R2;
    _QWORD R3;
    _QWORD R4;
    _QWORD R5;
    _QWORD R6;
    _QWORD R7;
    _QWORD R8;
    _QWORD R9;
    _QWORD R10;
    _QWORD R11;
    _QWORD R12;
    _QWORD R13;
    _QWORD R14;
    _QWORD RIP;
}

VM结构

struct vm {
	_DWORD opcode;
	_QWORD num;
	_QWORD right;
}

分析指令

https://cdn.shi1011.cn/2022/01/82b6848370385affe9dd59fa2362ee1e.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

parser

maps = {
    0x0: "mov Memory[R[{num}]], {right}",
    0x1: "mov R[{num}], {right}",
    0x2: "mov R[{num}], R[{right}]",
    0x3: "mov R[{num}], Memory[R[{right}]]",
    0x4: "mov Memory[R[{num}]], R[{right}]",
    0x5: "push R[{num}]",
    0x6: "pop R[{num}]",
    0x7: "add R[{num}], {right}",
    0x8: "add R[{num}], R[{right}]",
    0x9: "dec R[{num}], {right}",
    0xa: "dec R[{num}], R[{right}]",
    0xb: "mul R[{num}], {right}",
    0xc: "mul R[{num}], R[{right}]",
    0xd: "shl R[{num}], {right}",
    0xe: "shl R[{num}], R[{right}]",
    0xf: "shr R[{num}], {right}",
    0x10: "shr R[{num}], R[{right}]",
    0x11: "xor R[{num}], {right}",
    0x12: "xor R[{num}], R[{right}]",
    0x13: "or R[{num}], {right}",
    0x14: "or R[{num}], R[{right}]",
    0x15: "and R[{num}], {right}",
    0x16: "and R[{num}], R[{right}]",
    0x17: "getchar R[{num}]",
    0x18: "putchar R[{num}]",
    0x19: "exit",
    0x1a: "cmp R[{num}], {right}",
    0x1b: "cmp R[{num}], R[{right}]",
    0x1c: "je {num}",
    0x1d: "jmp {num}",
    0x1e: "jb {num}",
    0x1f: "jne {num}",
}
_hex = lambda _d: hex(_d) if _d > 0x9 else _d


class VM:
    def __init__(self, opcode, regnum, right):
        self.opcode = opcode
        self.regnum = regnum
        self.right = right

    def __str__(self):
        return ' '.join(['%s:0x%x' % item for item in self.__dict__.items()])

    def to_code(self):
        try:
            return maps[self.opcode].format(num=_hex(self.regnum), right=_hex(self.right))
        except KeyError:
            return "(error):" + self.__str__()


def parse(code: list):
    starr = []
    for _i in range(0, len(code), 3):
        vm = VM(code[_i + 0], code[_i + 1], code[_i + 2])
        starr.append(vm)

    for _i, v in enumerate(starr):
        print(_hex(_i), ":", v.to_code())

共计四组数据

https://cdn.shi1011.cn/2022/01/5af8a8ce8eec48c372fd2c5d27fc6884.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

加载了比对数据

0 : xor R[2], R[2]
1 : mov Memory[R[2]], 0xff
2 : add R[2], 1
3 : mov Memory[R[2]], 0x223
4 : add R[2], 1
5 : mov Memory[R[2]], 0x23b
6 : add R[2], 1
7 : mov Memory[R[2]], 0x237
8 : add R[2], 1
9 : mov Memory[R[2]], 0x237
0xa : add R[2], 1
0xb : mov Memory[R[2]], 0x24b
0xc : add R[2], 1
0xd : mov Memory[R[2]], 0x22b
0xe : add R[2], 1
0xf : mov Memory[R[2]], 0xfb
0x10 : add R[2], 1
0x11 : mov Memory[R[2]], 0x22b
0x12 : add R[2], 1
0x13 : mov Memory[R[2]], 0x223
0x14 : add R[2], 1
0x15 : mov Memory[R[2]], 0x24f
0x16 : add R[2], 1
0x17 : mov Memory[R[2]], 0xef
0x18 : add R[2], 1
0x19 : mov Memory[R[2]], 0x237
0x1a : add R[2], 1
0x1b : mov Memory[R[2]], 0xef
0x1c : add R[2], 1
0x1d : mov Memory[R[2]], 0x24f
0x1e : add R[2], 1
0x1f : mov Memory[R[2]], 0x24f
0x20 : add R[2], 1
0x21 : mov Memory[R[2]], 0x223
0x22 : add R[2], 1
0x23 : mov Memory[R[2]], 0x223
0x24 : add R[2], 1
0x25 : mov Memory[R[2]], 0x23b
0x26 : add R[2], 1
0x27 : mov Memory[R[2]], 0x237
0x28 : add R[2], 1
0x29 : mov Memory[R[2]], 0xff
0x2a : add R[2], 1
0x2b : mov Memory[R[2]], 0x233
0x2c : add R[2], 1
0x2d : mov Memory[R[2]], 0x233
0x2e : add R[2], 1
0x2f : mov Memory[R[2]], 0x233
0x30 : add R[2], 1
0x31 : mov Memory[R[2]], 0x237
0x32 : add R[2], 1
0x33 : mov Memory[R[2]], 0x24b
0x34 : add R[2], 1
0x35 : mov Memory[R[2]], 0x233
0x36 : add R[2], 1
0x37 : mov Memory[R[2]], 0x24f
0x38 : add R[2], 1
0x39 : mov Memory[R[2]], 0x22b
0x3a : add R[2], 1
0x3b : mov Memory[R[2]], 0x22b
0x3c : add R[2], 1
0x3d : mov Memory[R[2]], 0x24b
0x3e : add R[2], 1
0x3f : mov Memory[R[2]], 0xef
0x40 : add R[2], 1

比对数据循环自减0x63

0 : xor R[2], R[2]
1 : mov R[0], Memory[R[2]]
2 : dec R[0], 0x63
3 : mov Memory[R[2]], R[0]
4 : add R[2], 1
5 : cmp R[2], 0x20
6 : jb 1
7 : exit

获取输入文本,check输入长度0x26

0 : xor R[0], R[0]
1 : xor R[1], R[1]
2 : xor R[2], R[2]
3 : xor R[3], R[3]
4 : xor R[6], R[6]
5 : xor R[7], R[7]
6 : mov R[0], 0x69
7 : mov R[1], 0x6e
8 : mov R[2], 0x70
9 : mov R[3], 0x75
0xa : mov R[6], 0x74
0xb : mov R[7], 0x20
0xc : putchar R[0]
0xd : putchar R[1]
0xe : putchar R[2]
0xf : putchar R[3]
0x10 : putchar R[6]
0x11 : putchar R[7]
0x12 : mov R[0], 0x66
0x13 : mov R[1], 0x6c
0x14 : mov R[2], 0x61
0x15 : mov R[3], 0x67
0x16 : mov R[6], 0x3a
0x17 : mov R[7], 0x20
0x18 : putchar R[0]
0x19 : putchar R[1]
0x1a : putchar R[2]
0x1b : putchar R[3]
0x1c : putchar R[6]
0x1d : putchar R[7]
0x1e : xor R[1], R[1]
0x1f : getchar R[0]
0x20 : push R[0]
0x21 : add R[1], 1
0x22 : cmp R[1], 0x26
0x23 : jb 0x1f
0x24 : exit
  • 与0x42异或
  • 左移2位

与比对数据比对

0 : pop R[0]
1 : cmp R[0], 0x7d
2 : je 0x12
3 : mov R[0], 0x77
4 : mov R[1], 0x72
5 : mov R[2], 0x6f
6 : mov R[3], 0x6e
7 : mov R[6], 0x67
8 : mov R[7], 0x21
9 : putchar R[0]
0xa : putchar R[1]
0xb : putchar R[2]
0xc : putchar R[3]
0xd : putchar R[6]
0xe : putchar R[7]
0xf : mov R[0], 0xa
0x10 : putchar R[0]
0x11 : exit
0x12 : mov R[8], 0x100
0x13 : cmp R[8], 0xe1
0x14 : jb 0x19
0x15 : pop R[0]
0x16 : mov Memory[R[8]], R[0]
0x17 : dec R[8], 1
0x18 : jmp 0x13
0x19 : pop R[0]
0x1a : cmp R[0], 0x7b
0x1b : jne 3
0x1c : pop R[0]
0x1d : cmp R[0], 0x67
0x1e : jne 3
0x1f : pop R[0]
0x20 : cmp R[0], 0x61
0x21 : jne 3
0x22 : pop R[0]
0x23 : cmp R[0], 0x6c
0x24 : jne 3
0x25 : pop R[0]
0x26 : cmp R[0], 0x66
0x27 : jne 3
0x28 : xor R[9], R[9]
0x29 : mov R[0xa], 0xe1
0x2a : mov R[7], Memory[R[9]]
0x2b : mov R[6], Memory[R[0xa]]
0x2c : xor R[6], 0x42
0x2d : shl R[6], 2
0x2e : cmp R[6], R[7]
0x2f : jne 3
0x30 : add R[9], 1
0x31 : add R[0xa], 1
0x32 : cmp R[9], 0x20
0x33 : jb 0x2a
0x34 : mov R[0], 0x63
0x35 : mov R[1], 0x6f
0x36 : mov R[2], 0x72
0x37 : mov R[3], 0x72
0x38 : mov R[6], 0x65
0x39 : mov R[7], 0x63
0x3a : putchar R[0]
0x3b : putchar R[1]
0x3c : putchar R[2]
0x3d : putchar R[3]
0x3e : putchar R[6]
0x3f : putchar R[7]

逆过程

enc = [0xff, 0x223, 0x23b, 0x237, 0x237, 0x24b, 0x22b, 0xfb, 0x22b, 0x223, 0x24f, 0xef, 0x237, 0xef, 0x24f, 0x24f, 0x223, 0x223, 0x23b, 0x237, 0xff, 0x233, 0x233, 0x233, 0x237, 0x24b, 0x233, 0x24f, 0x22b, 0x22b, 0x24b, 0xef]
for i in range(0x20):
    enc[i] -= 0x63

for i in range(0x20):
    enc[i] = enc[i] >> 2
    enc[i] = enc[i] ^ 0x42
print(bytearray(enc))
本文链接:https://blog.shi1011.cn/ctf/2077
本文采用 CC BY-NC-SA 3.0 Unported 协议进行许可

Mas0n

文章作者

发表评论

textsms
account_circle
email

翻车鱼

2022HWS硬件安全冬令营 X DASCTF Jan
总共三题逆向,2题VM,1题LLVM FLA 之前一直没机会去做VM类型的题目(其实是我懒),这次做到了,算是练手了。题目也比较适合入门。 badPDF 右键属性提取出shell %SystemRoot…
扫描二维码继续阅读
2022-01-25