[UNCTF2020]BetterCpu WriteUp
这题不同前一题虚拟机ezvm一样,指令很多而且复杂,需要通过写文档和脚本来化简过程。
直接丢进IDA7.2(如果使用IDA7.0则虚拟机的emulator部分会分析出错)查看。
进入main函数后按F5反编译,再进入ezvm::ezvm()里看构造函数的初始化,因为出题人已经给了符号表,所以捋清整个控制流其实是不难的(比赛时没做出来,问就是没加载符号表和不会写脚本)。&v1 + 4的地址就是局部变量enc_flag的地址,故unk_409020就是加密后的flag。
怎么加载符号表?就是进入IDA7.2时会弹出一个关于DWARF debug informa的对话框,选Yes就行了 。
然后进入ezvm::run(),里面一大段switch显然就是虚拟机的emulator部分,而且显然是个栈式虚拟机(什么是堆栈虚拟机和寄存器虚拟机?)如果还不清楚,后面写脚本生成的伪汇编代码就会看的更清楚。
需要注意的是,这个虚拟机栈的sp并不是指向栈的第一个元素,而是指向第一个元素的前面一个元素。
下面是虚拟机机器码的文档(其实也可以不用写)。
BetterCpu Virtual Machine Instructment 9bytes 0xEu cmp rflag,1 je $+idata 9bytes 0xFu cmp rflag,1 je $-idata 0x10u push reg 0x11u pop reg 0x12u pop mem[reg] 0x13u push mem[reg] 9bytes 0x20u mov reg,idata 0x21u mov reg,getchar() 0x22u putchar(reg) 0x30u sadd 0x31u ssub 0x32u sxor 0x33u slhs 0x34u srhs 0x40u scmp 0x80u return
其中sdd,ssub,sxor,scmp是我自己编的指令方便写脚本,读者可以对照反编译结构自行理解。
下面就可以写脚本将机器码翻译成汇编代码了。
codes =[ 0x20, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x49, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x3A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x12, 0x21, 0x10, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x11, 0x12, 0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x12, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x20, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x40, 0x0F, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x12, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x11, 0x13, 0x20, 0x66, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x30, 0x20, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x32, 0x20, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x31, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x11, 0x12, 0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x12, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x20, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x40, 0x0F, 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x12, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x11, 0x13, 0x20, 0x50, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x11, 0x13, 0x40, 0x0E, 0x98, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x12, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x20, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x40, 0x0F, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x80, 0x20, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x49, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x4C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x20, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ] fp = open('./codes.asm','wb') def getQword(i): return (codes[i+1] + (codes[i+2] << 8) + (codes[i+3] << 16) + (codes[i+4] << 32) + (codes[i+5] << 8) + (codes[i+6] << 40) + (codes[i+7] << 48) + (codes[i+8] << 56)) i = 0 while i < len(codes): if codes[i] == 0xE: fp.write(b"cmp rflag,1\nje $ + "+ hex(getQword(i)).encode() + b"\n") i+=9 elif codes[i] == 0xF: fp.write(b"cmp rflag,1\nje $ - "+ hex(getQword(i)).encode() + b"\n") i+=9 elif codes[i] == 0x10: fp.write(b"push reg\n") i+=1 elif codes[i] == 0x11: fp.write(b"pop reg\n") i+=1 elif codes[i] == 0x12: fp.write(b"pop mem[reg]\n") i+=1 elif codes[i] == 0x13: fp.write(b"push mem[reg]\n") i+=1 elif codes[i] == 0x20: fp.write(b"mov reg," + hex(getQword(i)).encode()+ b"\n") i+=9 elif codes[i] == 0x21: fp.write(b"mov reg,getchar()\n") i+=1 elif codes[i] == 0x22: fp.write(b"putchar(reg)\n") i+=1 elif codes[i] == 0x30: fp.write(b"sadd\n") i+=1 elif codes[i] == 0x31: fp.write(b"ssub\n") i+=1 elif codes[i] == 0x32: fp.write(b"sxor\n") i+=1 elif codes[i] == 0x33: fp.write(b"slhs\n") i+=1 elif codes[i] == 0x34: fp.write(b"srhs\n") i+=1 elif codes[i] == 0x40: fp.write(b"scmp\n") i+=1 elif codes[i] == 0x80: fp.write(b"end\n") break
生成的伪汇编代码如下:
mov reg,0x57 putchar(reg) mov reg,0x65 putchar(reg) mov reg,0x31 putchar(reg) mov reg,0x63 putchar(reg) mov reg,0x30 putchar(reg) mov reg,0x6d putchar(reg) mov reg,0x65 putchar(reg) mov reg,0xa putchar(reg) mov reg,0x50 putchar(reg) mov reg,0x6c putchar(reg) mov reg,0x65 putchar(reg) mov reg,0x61 putchar(reg) mov reg,0x73 putchar(reg) mov reg,0x65 putchar(reg) mov reg,0x20 putchar(reg) mov reg,0x49 putchar(reg) mov reg,0x6e putchar(reg) mov reg,0x50 putchar(reg) mov reg,0x75 putchar(reg) mov reg,0x74 putchar(reg) mov reg,0x3a putchar(reg) mov reg,0xa putchar(reg) ;print Welc0me Input mov reg,0x0 push reg pop mem[reg] ;将UserInput字符串放入memory+0x100处 loop_1: mov reg,getchar() push reg mov reg,0x100 push reg mov reg,0x0 push mem[reg] ;stack men[reg] 0x100 UserInput sadd pop reg pop mem[reg] mov reg,0x1 push reg mov reg,0x0 push mem[reg] sadd pop mem[reg] mov reg,0x0 push mem[reg] mov reg,0x2c push reg scmp cmp rflag,1 ;循环够0x2C次 je loop_1 mov reg,0x0 push reg pop mem[reg] loop_2: mov reg,0x100 push reg mov reg,0x0 push mem[reg] sadd pop reg push mem[reg];pointer to UserInput mov reg,0x66 push reg sadd mov reg,0x36 push reg sxor mov reg,0x42 push reg ssub mov reg,0x100 push reg mov reg,0x0 push mem[reg] sadd pop reg pop mem[reg] ;enc_flag[i] == (UserInput[i] + 0x66)^0x36-0x42 mov reg,0x1 push reg mov reg,0x0 push mem[reg] sadd pop mem[reg] mov reg,0x0 push mem[reg] mov reg,0x2c push reg scmp cmp rflag,1 je loop_2 mov reg,0x0 push reg pop mem[reg] mov reg,0x100 push reg mov reg,0x0 push mem[reg] sadd pop reg push mem[reg] mov reg,0x150 push reg mov reg,0x0 push mem[reg] sadd pop reg push mem[reg] scmp cmp rflag,1 je $ + 0x98 mov reg,0x1 push reg mov reg,0x0 push mem[reg] sadd pop mem[reg] mov reg,0x0 push mem[reg] mov reg,0x2c push reg scmp cmp rflag,1 je $ - 0x63 ;print Success mov reg,0x53 putchar(reg) mov reg,0x75 putchar(reg) mov reg,0x63 putchar(reg) mov reg,0x63 putchar(reg) mov reg,0x65 putchar(reg) mov reg,0x73 putchar(reg) mov reg,0x73 putchar(reg) mov reg,0x21 putchar(reg) mov reg,0xa putchar(reg) end
加密过程很简单,注释已经写好在伪汇编代码里了,直接写脚本得flag:
#include<iostream> #include<string> using namespace std; int enc_flag[]= {171,160,189,170,184,149,74,86,87,77,177,72,67,177,183,173,177,92,187,170,170,187,172,177,74,182,175,160,177,71,66,92,121,173,177,91,107,177,108,104,107,94,147,4,0}; string flag; int main(void){ for(int i = 0;i < 0x2c; ++i){ flag += ((enc_flag[i]+0x42)^0x36)-0x66; } cout << flag << endl; return 0; }
flag: unctf{THIS_VM_is_Better_Than_YLB's_E5_2650}