比赛弄了半天就做出这一题。
ida载入
输入三个数字,进行判断如果符合出flag,向上看函数 400806。
看到一个虚拟机。。。硬着头皮上吧。
虚拟机的内容在code文件中
虚拟机执行操作的伪代码
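/*
 * One disassembly step for the custom VM: decode the opcode at code[i],
 * print a single mnemonic line, and advance i past the instruction.
 * Relies on i (cursor), k (index printed for number[]) and code[] from the
 * enclosing loop.
 *
 * Changes from the first draft:
 *  - case labels are integer constants (`case code[i]==0:` is not valid C);
 *  - the 32-bit immediate is assembled little-endian with explicit
 *    parentheses and '|', because '+' binds tighter than '<<';
 *  - the undeclared `t` is replaced by `i`;
 *  - opcode 6 no longer falls through into opcode 7;
 *  - operands are printed with %lld: code[] is long long, and passing a
 *    long long to %d is undefined behaviour (it can print a wrong operand);
 *  - an unknown byte is reported and skipped instead of leaving i unchanged,
 *    which would spin the enclosing loop forever.
 */
switch (code[i]) {
case 0:
    printf("ret\n");
    i += 3;
    break;
case 1:
    /* 4-byte little-endian immediate follows the opcode. */
    printf("mov number[%d],%lld\n", k,
           ((long long)code[i + 4] << 24) |
           ((long long)code[i + 3] << 16) |
           ((long long)code[i + 2] << 8) |
           (long long)code[i + 1]);
    i += 5;
    break;
case 2:
    /* Single-byte instruction; only the running index k is printed. */
    k--;
    printf("%d\n", k);
    i += 1;
    break;
case 3:
    printf("add str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 4:
    printf("sub str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 5:
    printf("mul str[%lld],%lld\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 6:
    /* NOTE(review): the second operand looks like an immediate shift count
     * (4 and 8 in the code array) rather than a register index - confirm. */
    printf("sar str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 7:
    /* Opcodes 7 and 8 are both rendered as "mov"; the page does not say
     * how the VM distinguishes them. */
    printf("mov str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 8:
    printf("mov str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 9:
    printf("xor str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
case 10:
    /* Not in the first draft: the code array contains the triple 0xA,4,0
     * and the printed listing shows an "or" line at that position, so this
     * is presumably a 3-byte "or" - confirm against the binary. */
    printf("or str[%lld],str[%lld]\n", (long long)code[i + 1], (long long)code[i + 2]);
    i += 3;
    break;
default:
    printf("unknown opcode %lld\n", (long long)code[i]);
    i += 1;
    break;
}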
return 0;
}
逻辑没错,就是不能执行~(上面只是伪代码;下面实际的C程序贴出时被截断,`#include` 的头文件名和 `while` 之后的内容已丢失。)
#include
#include
//#define _a 0
//#define _b 1
//#define _c 2
//#define _d 3
//#define _e 4
//#define _f 5
//#define _g 6
//#define _h 7
//#define _i 8
//#define _j 9
int main()
{
long long code[]= {9,4,4,9,0,0,8,1,0,8,2,1,8,3,2,6,1,4,5,1,0x15,7,0,1,4,0,3,1,0x6B,0xCC,0x7E,0x1D,8,1,3,4,0,1,2,0xA,4,0,9,0,0,8,1,0,8,2,1,8,3,2,6,3,8,5,3,3,7,0,3,3,0,2,1,0x7C,0x79,0x79,0x60,8,1,3,4,0,1,2,0xA,4,0,9,0,0,8,1,0,8,2,1,8,3,2,6,1,8,7,0,1,3,0,2,1,0xBD,0xBD,0xBC,0x5F,8,1,3,4,0,1,2,0xA,4,0,0};
int i=0;
int k=2;
int j;
j=sizeof(code);
while(i
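还是python写脚本好点。。。就因为这个拖了一个小时。下面是打印出的指令序列。注意:第二个操作数全部显示为0,这与用 %d 打印 long long 的格式不匹配相符;实际操作数见 code 数组,例如 6,1,4 是 sar str[1],4,5,1,0x15 是 mul str[1],0x15,后面的约束也是按这些值写的。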
xor str[4],str[0]
xor str[0],str[0]
mov str[1],str[0]
mov str[2],str[0]
mov str[3],str[0]
sar str[1],str[0]
mul str[1],0
mov str[0],str[0]
sub str[0],str[0]
mov number[2],494849131
mov str[1],str[0]
sub str[0],str[0]
1
or str[4],str[0]
xor str[0],str[0]
mov str[1],str[0]
mov str[2],str[0]
mov str[3],str[0]
sar str[3],str[0]
mul str[3],0
mov str[0],str[0]
add str[0],str[0]
mov number[1],1618573692
mov str[1],str[0]
sub str[0],str[0]
0
or str[4],str[0]
xor str[0],str[0]
mov str[1],str[0]
mov str[2],str[0]
mov str[3],str[0]
sar str[1],str[0]
mov str[0],str[0]
add str[0],str[0]
mov number[0],1606204861
mov str[1],str[0]
sub str[0],str[0]
-1
or str[4],str[0]
ret
用claripy(底层调用z3)求解出结果
from z3 import *
import claripy
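# Recover the three 32-bit inputs accepted by the VM by turning each of its
# three check blocks into a bit-vector constraint and asking the solver.
s = claripy.Solver()
x = claripy.BVS("x", 32)
y = claripy.BVS("y", 32)
z = claripy.BVS("z", 32)

# Block 1: sar by 4, mul by 0x15, subtract z, compare with immediate 0x1d7ecc6b.
# NOTE(review): the VM uses an arithmetic shift; claripy's `/` is presumably
# unsigned division, which only matches while the top bit is clear - confirm.
s.add((x/16)*0x15-z == 0x1d7ecc6b)
# Block 2: sar z by 8, mul by 3, add y, compare with immediate 0x6079797c.
s.add((z/256)*3+y == 0x6079797c)
# Block 3: sar x by 8, add y, compare with immediate 0x5fbcbdbd.
s.add((x/256)+y == 0x5fbcbdbd)

# Extra byte constraints. They are not derivable from the listing on this
# page; presumably they narrow the solutions to the intended one - confirm.
# In Python `&` binds tighter than `==`, so these read as (x & 0xff) == 0x5e.
s.add(x&0xff==0x5e)
s.add(y&0xff0000==0x5e0000)
s.add(z&0xff==0x5e)

# Ask for up to 3 satisfying (x, y, z) assignments.
res = s.batch_eval([x, y, z], 3)
# print() with a single argument behaves the same on Python 2 and 3;
# the bare `print res` statement is a syntax error on Python 3.
print(res)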
FLAG : X-NUCA{5e5f5e5e5f5e5e5f5e5e5f5e}