攻防世界-easyvm

Writeup

Opening the binary in IDA, main looks like this:

v3 is the key check function, sub_400806. It runs the following series of functions in its own defined order.

Tidying up the code, the rough logic is as follows:

#include <stdio.h>

int main(void) {
    unsigned char a16 = 0, a17 = 0;          /* the two VM registers IDA named a16/a17 */
    unsigned char input[33] = {0};           /* the 32-byte input the VM checks */
    unsigned char unk_6020A0[32] = {0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D,
                                    0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
                                    0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25,
                                    0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C};

    /* the VM reads 32 bytes of input; modelled here with fgets on stdin */
    if (fgets((char *)input, sizeof input, stdin) == NULL)
        return 1;

    for (int a18 = 0; a18 < 32; a18++) {
        a16 = input[a18];
        a16 -= a18;                  /* subtract the byte index */
        a17 = a16 ^ a17;             /* chain with the previous round's result */
        a16 = -51;                   /* constant 0xCD (-51 as an unsigned char) */
        a16 = a16 ^ a17;
        if (a16 == unk_6020A0[a18]) {
            printf("YES");
            a17 = a16;               /* carry the matched table byte into the next round */
        } else {
            printf("NO");
            break;                   /* first mismatch ends the check */
        }
    }
    return 0;
}

Writing the solve script:

#include <stdio.h>

int main(void) {
    unsigned char s[32] = {0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D,
                           0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
                           0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25,
                           0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C};
    unsigned char prev = 0;          /* a17 starts at 0, so byte 0 has no predecessor (avoids s[-1]) */

    for (int i = 0; i < 32; i++) {
        /* invert the check: input[i] = (s[i] ^ 0xCD ^ s[i-1]) + i, with 0xCD == -51 */
        printf("%c", (unsigned char)((s[i] ^ 0xCD ^ prev) + i));
        prev = s[i];
    }
    printf("\n");
    return 0;
}

This gives the flag: UNCTF{942a4115be2359ffd675fa6338ba23b6}
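The same check and its inverse as a Python model, added here as an example and not part of the original writeup. The 32-byte table is the one dumped from unk_6020A0 above; the function names vm_check and recover_input are my own. Because a17 carries the previous table byte into the next round, the loop stops at the first wrong byte, which vm_check makes visible by returning the index at which the check failed.

```python
# Added example (not from the original writeup): model of the easyvm check
# loop in sub_400806 and its inverse.  TABLE is the page's unk_6020A0 dump;
# vm_check / recover_input are names chosen here.

TABLE = bytes([
    0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D,
    0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
    0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25,
    0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C,
])
KEY = 0xCD  # the constant -51 as an unsigned byte


def vm_check(data: bytes, table: bytes = TABLE) -> int:
    """Re-implementation of the check loop (a16/a17 are the IDA register names).

    Returns how many bytes were accepted before the first mismatch; a return
    value equal to len(table) (32) means the input passes.  The check is
    chained: on a match a17 becomes table[i], so byte i+1 depends on table[i].
    """
    a17 = 0
    for i in range(len(table)):
        a16 = (data[i] - i) & 0xFF     # subtract the index, as an unsigned byte
        a17 ^= a16                     # fold in the carry from the previous round
        a16 = KEY ^ a17
        if a16 != table[i]:
            return i                   # break: index of the first wrong byte
        a17 = a16                      # a16 == table[i] here
    return len(table)


def recover_input(table: bytes = TABLE) -> str:
    """Invert vm_check: input[i] = (table[i] ^ KEY ^ table[i-1]) + i, table[-1] = 0."""
    out = []
    prev = 0
    for i, t in enumerate(table):
        out.append(((t ^ KEY ^ prev) + i) & 0xFF)
        prev = t
    return bytes(out).decode("ascii")


if __name__ == "__main__":
    body = recover_input()
    print("UNCTF{" + body + "}")
    print("accepted bytes:", vm_check(body.encode()))
```

Running the block prints the flag and 32 accepted bytes; feeding it a string with one byte altered shows the loop stopping exactly at that position.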

You can also just run it with angr. I haven't learned much angr; if it produces the result, that counts as success = =

import angr
import sys

# load the challenge binary and start symbolic execution from its entry point
proj = angr.Project("./vm")
st = proj.factory.entry_state()
sm = proj.factory.simulation_manager(st)

# find = address of the success path, avoid = address of the failure path
sm.explore(find=0x400BDA, avoid=0x400BFA)

if sm.found:
    solution_state = sm.found[0]
    # dump the concrete stdin that reaches the success address
    solution = solution_state.posix.dumps(sys.stdin.fileno())
    print(solution)
else:
    raise Exception('Could not find the solution')

posted @ 2021-10-31 16:03  写忧  views (333)  comments (0)