攻防世界-easyvm
Writeup
IDA打开main函数如下
v3就是条件判断的关键函数sub_400806,它按一定顺序执行以下一系列函数(即VM的指令序列)
梳理一下代码,可以知道大致逻辑如下:
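#include <stdio.h>

/* Reconstruction of the VM's check routine (roughly what the opcode sequence
 * dispatched by sub_400806 does), made runnable: the 32 input bytes are read
 * from stdin instead of the empty placeholder array the original indexed 32
 * bytes past its end (out-of-bounds read).
 *
 * Per byte i (0..31):
 *   a16 = input[i] - i
 *   a17 = a16 ^ a17            (a17 starts at 0)
 *   a16 = 0xCD ^ a17           (-51 stored in an unsigned char is 0xCD)
 *   pass iff a16 == unk_6020A0[i]; on pass a17 = a16 (== unk_6020A0[i])
 *
 * NOTE(review): as reconstructed, the check reports YES/NO per byte and stops
 * at the first mismatch — if the real binary does the same, that is a
 * byte-by-byte oracle and the input could be brute-forced one position at a
 * time without reversing the table at all.
 */
int main(void)
{
    static const unsigned char unk_6020A0[32] = {
        0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D,
        0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
        0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25,
        0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C,
    };
    unsigned char a16 = 0, a17 = 0;
    char input[64] = {0};   /* zero-filled: a short line compares as 0x00 bytes, never garbage */

    if (fgets(input, sizeof input, stdin) == NULL)
        return 1;

    for (int a18 = 0; a18 < 32; a18++) {
        a16 = (unsigned char)input[a18];
        a16 -= a18;               /* position-dependent offset */
        a17 = a16 ^ a17;          /* chain with the previous round's value */
        a16 = -51;                /* 0xCD in an unsigned char */
        a16 = a16 ^ a17;
        if (a16 == unk_6020A0[a18]) {
            printf("YES");
            a17 = a16;            /* next round chains on the expected byte, not on a17 */
        } else {
            printf("NO");
            break;
        }
    }
    return 0;
}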
编写脚本
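#include <stdio.h>

/* Invert the check above and print the 32 bytes the VM accepts.
 *
 * From the checker:  0xCD ^ (input[i] - i) ^ prev == s[i],  where prev is 0
 * for i == 0 and s[i-1] afterwards (a17 is reset to the expected byte after
 * every successful round).  Hence
 *   input[i] = (s[i] ^ 0xCD ^ prev) + i
 *
 * The original solver wrote s[i-1] unconditionally and therefore read s[-1]
 * for i == 0 — undefined behaviour that only happened to yield the right
 * first character because the byte before the array was zero.  prev is now
 * seeded explicitly with a17's initial value, 0.
 */
int main(void)
{
    static const unsigned char s[32] = {
        0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D,
        0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
        0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25,
        0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C,
    };
    unsigned char prev = 0;   /* a17's starting value; replaces the s[-1] read */
    char out[33];

    for (int i = 0; i < 32; i++) {
        /* -51 in the original is 0xCD once truncated to a byte; the addition
         * of i only affects the low byte that %c / (char) keeps. */
        out[i] = (char)((s[i] ^ 0xCD ^ prev) + i);
        prev = s[i];
    }
    out[32] = '\0';
    puts(out);   /* 942a4115be2359ffd675fa6338ba23b6 */
    return 0;
}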
运行后得到程序校验的32字节输入:942a4115be2359ffd675fa6338ba23b6(程序只比较这32个字节,表中也只有32个值),按题目格式包上 UNCTF{} 即为 flag:UNCTF{942a4115be2359ffd675fa6338ba23b6}
也可以angr直接跑,angr学习不多,能出结果就算成功= =
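import sys

import angr

# Addresses are for this specific build of ./vm (non-PIE, loaded at
# 0x400000); they mean nothing for any other binary.
BINARY = "./vm"
FIND_ADDR = 0x400BDA   # basic block to reach (success path)
AVOID_ADDR = 0x400BFA  # basic block to prune (failure path)


def solve(binary: str, find: int, avoid: int) -> bytes:
    """Symbolically execute *binary* from its entry point and return the stdin
    bytes that reach *find* without passing through *avoid*.

    Raises RuntimeError when the simulation manager finds no such path.

    NOTE(review): the reconstructed checker prints "YES" inside the per-byte
    loop and only fails out via "NO"/break.  *find* must therefore be an
    address reached only after all 32 bytes have passed; if it sits inside
    the loop, the first found state constrains just input[0].  Confirm in
    the disassembly.
    """
    proj = angr.Project(binary)
    state = proj.factory.entry_state()
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=find, avoid=avoid)
    if not simgr.found:
        raise RuntimeError(f"Could not find a path to {find:#x} avoiding {avoid:#x}")
    # Concretize stdin of the first state that reached the target.
    return simgr.found[0].posix.dumps(sys.stdin.fileno())


def main() -> None:
    """Run the solver against the challenge binary and print the input it found."""
    solution = solve(BINARY, FIND_ADDR, AVOID_ADDR)
    # The checker compares exactly 32 bytes; anything the dump carries beyond
    # that is unconstrained filler, not part of the answer.
    print(solution)


if __name__ == "__main__":
    main()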