VM虚拟机逆向 --- [NCTF 2018]wcyvm 复现
文章目录
- 前言
- 题目分析
前言
第四题了,搞定,算是独立完成比较多的一题,虽然在还原汇编的时候还是很多问题。
题目分析
代码很简单,就是指令很多。
![VM虚拟机逆向 --- [NCTF 2018]wcyvm 复现_第1张图片](http://img.e-com-net.com/image/info8/1e43a98c236a4904bc63928906575abf.jpg)
opcode在unk_6021C0处,解密的数据在dword_6020A0处
![VM虚拟机逆向 --- [NCTF 2018]wcyvm 复现_第2张图片](http://img.e-com-net.com/image/info8/2318c7ca46c84bb4a2990eb7dc9780f5.jpg)
opcode = [0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x46, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x15, 0x00,
0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0B, 0x00,
0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x0E, 0x00,
0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00, 0x02, 0x00,
0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, 0x00,
0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00,
0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x15, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x66, 0x00,
0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x0D, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00,
0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00,
0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
# [8, 0, 1, 3, 70, 14, 21, 10, 9, 2, 11, 17, 13, 15, 71, 26, 6, 29, 4, 20, 25, 27, 110, 19, 99, 116, 102, 28, 34, 100]
i = 0
while opcode[i] != 0x64:
match opcode[i]:
case 8:
print(f"{i} mov reg[%d], %d" % (opcode[i + 4] - 1, opcode[i + 8]))
i += 12
case 9:
print(f"{i} pop reg[%d]" % (opcode[i + 4] - 1))
i += 8
case 10:
print(f"{i} push reg[%d]" % (opcode[i + 4] - 1))
i += 8
case 11:
print(f"{i} get")
i += 4
case 12:
print(f"{i} put")
i += 4
case 13:
print(f"{i} if reg[%d] == reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
print(" v4 = 128 ")
print(" if reg[%d] > reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
print(" v5 = 64 ")
print(" if reg[%d] < reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
print(" v6 = 32 ")
i += 12
case 14:
print(f"{i} jmp %d" % (opcode[i + 4]*4))
i += 8
case 15:
print(f"{i} jz %d" % (opcode[i + 4]*4))
i += 8
case 16:
print(f"{i} jne %d" % (opcode[i + 4]*4))
i += 8
case 17:
print(f"{i} inc reg[%d]" % (opcode[i + 4]))
i += 8
case 18:
print(f"{i} dec reg[%d]" % (opcode[i + 4]))
i += 8
case 19:
print(f"{i} add reg[%d], %d" % (opcode[i + 4] - 1, opcode[i + 8]))
i += 12
case 20:
print(f"{i} sub reg[%d], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 21:
print(f"{i} xor reg[%d], %d" % (opcode[i + 4] - 1, opcode[i + 8]))
i += 12
case 22:
print(f"{i} and reg[%d], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 23:
print(f"{i} or reg[%d], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 25:
print(f"{i} mov reg[%d], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 26:
print(f"{i} lea reg[%d], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 27:
print(f"{i} mov reg[%d], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 28:
print(f"{i} mov [reg[%d]], reg[%d]" % (opcode[i + 4] - 1, opcode[i + 8] - 1))
i += 12
case 29:
print(f"{i} mul reg[%d], %d" % (opcode[i + 4] - 1, opcode[i + 8]))
i += 12
指令很多,费劲。
打印出来就是,
0 mov reg[0], 0
12 mov reg[2], 70
24 jmp 84
32 push reg[0]
40 pop reg[1]
48 get
52 push reg[0]
60 push reg[1]
68 pop reg[0]
76 inc reg[1]
84 if reg[0] == reg[2]
v4 = 128
if reg[0] > reg[2]
v5 = 64
if reg[0] < reg[2]
v6 = 32
96 jz 32
104 mov reg[0], 0
116 mov reg[2], 71
128 jmp 280
136 push reg[0]
144 lea reg[1], reg[5]
156 mul reg[0], 4
168 sub reg[1], reg[0]
180 mov reg[0], reg[1]
192 mov reg[0], reg[0]
204 mul reg[0], 110
216 add reg[0], 99
228 xor reg[0], 116
240 add reg[0], 102
252 mov [reg[1]], reg[0]
264 pop reg[0]
272 inc reg[1]
280 if reg[0] == reg[2]
v4 = 128
if reg[0] > reg[2]
v5 = 64
if reg[0] < reg[2]
v6 = 32
292 jz 136
前面就是压入了 70个输入,后面对输入进行处理,分析出来是(((reg0*110)+99)^116+102) 这样一个操作。
然后就是找到解密数据,写个exp就好了
enc = [0xD3, 0x36, 0x00, 0x00, 0xFF, 0x2A, 0x00, 0x00, 0xCB, 0x2A,
0x00, 0x00, 0x95, 0x2B, 0x00, 0x00, 0x95, 0x2B, 0x00, 0x00,
0x95, 0x2B, 0x00, 0x00, 0x9F, 0x16, 0x00, 0x00, 0x6D, 0x18,
0x00, 0x00, 0xD7, 0x18, 0x00, 0x00, 0x11, 0x16, 0x00, 0x00,
0xD7, 0x18, 0x00, 0x00, 0x95, 0x2B, 0x00, 0x00, 0x23, 0x2C,
0x00, 0x00, 0xA9, 0x2C, 0x00, 0x00, 0x11, 0x16, 0x00, 0x00,
0x11, 0x16, 0x00, 0x00, 0xD7, 0x18, 0x00, 0x00, 0xFF, 0x2A,
0x00, 0x00, 0x49, 0x18, 0x00, 0x00, 0xFB, 0x18, 0x00, 0x00,
0xCB, 0x2A, 0x00, 0x00, 0x71, 0x2A, 0x00, 0x00, 0x35, 0x17,
0x00, 0x00, 0xD7, 0x18, 0x00, 0x00, 0x11, 0x16, 0x00, 0x00,
0xCB, 0x2A, 0x00, 0x00, 0xDD, 0x15, 0x00, 0x00, 0xD7, 0x18,
0x00, 0x00, 0x23, 0x2C, 0x00, 0x00, 0x9F, 0x16, 0x00, 0x00,
0xDD, 0x15, 0x00, 0x00, 0x95, 0x2B, 0x00, 0x00, 0x9F, 0x16,
0x00, 0x00, 0x6B, 0x15, 0x00, 0x00, 0x6D, 0x18, 0x00, 0x00,
0xFF, 0x2A, 0x00, 0x00, 0x11, 0x16, 0x00, 0x00, 0x11, 0x16,
0x00, 0x00, 0xDD, 0x15, 0x00, 0x00, 0xFF, 0x2A, 0x00, 0x00,
0x23, 0x2C, 0x00, 0x00, 0xCB, 0x2A, 0x00, 0x00, 0xDD, 0x15,
0x00, 0x00, 0xDD, 0x15, 0x00, 0x00, 0x6D, 0x18, 0x00, 0x00,
0x49, 0x18, 0x00, 0x00, 0x95, 0x2B, 0x00, 0x00, 0x6B, 0x15,
0x00, 0x00, 0x35, 0x17, 0x00, 0x00, 0xFB, 0x18, 0x00, 0x00,
0xFB, 0x18, 0x00, 0x00, 0x71, 0x2A, 0x00, 0x00, 0xFF, 0x2A,
0x00, 0x00, 0x35, 0x17, 0x00, 0x00, 0x23, 0x2C, 0x00, 0x00,
0xDD, 0x15, 0x00, 0x00, 0xD7, 0x18, 0x00, 0x00, 0x71, 0x2A,
0x00, 0x00, 0xD7, 0x18, 0x00, 0x00, 0xD7, 0x18, 0x00, 0x00,
0x23, 0x2C, 0x00, 0x00, 0xFF, 0x2A, 0x00, 0x00, 0x6B, 0x15,
0x00, 0x00, 0x23, 0x2C, 0x00, 0x00, 0x9F, 0x16, 0x00, 0x00,
0xAF, 0x35, 0x00, 0x00, 0xA9, 0x2C, 0x00, 0x00, 0xB5, 0x32,
0x00, 0x00, 0xFF, 0x2A, 0x00, 0x00, 0x39, 0x30, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
t = [enc[i] | (enc[i + 1] << 8) | (enc[i + 2] << 16) | (enc[i + 3] << 24) for i in range(0, len(enc), 4)]
flag = []
for i in t[:70]:
f = (((i - 102) ^ 116) - 99) // 110
flag.append(f)
print(flag)
print(bytes(flag)[::-1])
需要对enc做一点处理。
woqu,写完发现其实好像没什么好讲的了,但是写的时候的确问题好多,不写不知道,,,,,a