西湖论剑 2023
西湖论剑 2023
搞了一天出了俩逆向,还有一个没交上…
1. Dual personality
类似天堂之门,
将cs段寄存器设为0x33,切换到64位模式;设为0x23,切换回32位模式。
32位、64位模式切换。有反调试,静态分析即可。
import struct target = bytes.fromhex('AA4F0FE2E44199542C2B847EBC8F8B78D373885EAE47857031B309CE13F50DCA') key0 = [4, 0x77, 0x82, 0x4a] key1 = [0xc, 0x22, 0x38, 0x0E] key2 = (0x5df966ae - 0x21524111) & 0xffffffff flag = [target[_] ^ key0[_ % 4] for _ in range(32)] for i in range(4): v, = struct.unpack('<Q', bytes(flag[i * 8: (i + 1) * 8])) nv = (v >> key1[i]) | (v << (64 - key1[i])) & 0xffffffffffffffff vv = struct.pack('<Q', nv) for j in range(8): flag[i * 8 + j] = vv[j] for i in range(8): v, = struct.unpack('<L', bytes(flag[i * 4: (i + 1) * 4])) nv = (v - key2) & 0xffffffff key2 ^= v vv = struct.pack('<L', nv) for j in range(4): flag[i * 4 + j] = vv[j] print(''.join(chr(c) for c in flag))
2. Easy VT
总结一句话,逆向出 flag 很简单,但是在比赛已经结束的情况下,让我去测试这个 flag 是正确的,可以说是难死我了。
根据上述参考材料,关键在于这里。
int sub_401C90() { int len; // [esp+4h] [ebp-Ch] int cmd; // [esp+8h] [ebp-8h] cmd = vmread_from(0x4402); // vmexit 事件,指令 len = vmread_from(0x440C); // 指令长度 FREG__ = vmread_from(0x6820); ESP__ = vmread_from(0x681C); dword_4040C0 = vmread_from(0x681E); switch ( cmd ) { case 10: sub_401180(); break; case 18: // vmcall sub_401250(); break; case 19: sub_4012B0(); // vm_clear break; case 20: // launch sub_401450(); break; case 21: // vm_ptrld sub_4017B0(); break; case 22: // vm_ptrst set_real_value(); break; case 23: // vmread sub_401970(); break; case 24: // vmresume tea(); break; case 25: // wmwrite 指令 sub_401A90(); break; case 26: // vmx_off 指令 final_check(); break; case 27: // vmx_on 指令 sub_401610(); break; case 28: sub_4011D0(); break; default: break; } vmwrite_to(0x681E, len + dword_4040C0); vmwrite_to(0x681C, ESP__); return vmwrite_to(0x6820, FREG__); }
根据下图中指令的顺序,可以得出正确的分支执行顺序
发现是 rc4(标准) + tea(变种),中间还有v0 和 v1的来回交换。脚本如下
import ctypes from Crypto.Cipher import ARC4 import struct flag = [0x94, 0x39, 0x07, 0x5C, 0xB3, 0x5C, 0x80, 0x0D, 0x86, 0xA5, 0xDD, 0x87, 0x8E, 0xFB, 0x17, 0x03, 0x29, 0xEF, 0x20, 0x65, 0xAF, 0x87, 0x49, 0x5A, 0xA4, 0xC2, 0x2D, 0xEB, 0x0E, 0x47, 0xCF, 0x38] tea_key = [0x00102030, 0x40506070, 0x8090A0B0, 0xC0D0E0F0] key3 = tea_key[1] key2 = tea_key[3] key1 = tea_key[2] key0 = tea_key[0] def tea_dec(v0, v1): value_0 = ctypes.c_uint32(v0) value_1 = ctypes.c_uint32(v1) delta = ctypes.c_uint32(0xC95D6ABF) sum_ = ctypes.c_uint32(0x20000000 - delta.value * 32) for i in range(32): sum_.value += delta.value value_1.value -= (key0 + (value_0.value >> 5)) ^ (sum_.value + value_0.value) ^ (key1 + 16 * value_0.value) value_0.value += (key2 + (value_1.value >> 5)) ^ (sum_.value + value_1.value) ^ (key3 + 16 * value_1.value) return value_0.value, value_1.value def rc4_dec(v): rc4_key = b'04e52c7e31022b0b' rc4 = ARC4.new(rc4_key) return rc4.decrypt(v) for i in range(4): v0, v1 = struct.unpack('<LL', bytes(flag[i * 8: (i + 1) * 8])) nv0, nv1 = tea_dec(v0, v1) v = struct.pack('<LL', nv1, nv0) nv0, nv1 = struct.unpack('<LL', rc4_dec(v)) v = struct.pack('<LL', nv1, nv0) for j in range(8): flag[i * 8 + j] = v[j] print(''.join(chr(i) for i in flag))
关键:咋跑起来?
win11 、 win7 驱动后跑不起来,应该是签名的问题反正死活折腾不上去。最后无奈装了 xp,安装了一系列的 dll,补齐环境之后,发现驱动是跑起来了, Guest.exe 又不兼容了,我 ******。但是还好,我写个兼容的就是了
#include <stdio.h> int main() { char buff[100]; gets(buff); int EAX; for (int i = 0;; ++i) { if (i >= 4) { printf("Good, the flag is DASCTF{your input}\n"); return 0; } __asm__ __volatile__("mov eax, %1;" "mov ecx, %2;" "mov esi, [eax+ecx*8];" "mov edi, [eax+ecx*8+4];" "vmxon qword ptr [esp];" "vmclear qword ptr [esp];" "vmptrld qword ptr [esp];" "vmwrite eax, ecx;" "vmlaunch;" "vmread ecx, eax;" "vmcall;" "vmptrst qword ptr [esp];" "vmresume;" "vmxoff;" "mov %0, eax":"=r"(EAX):"r"(&buff), "r"(i)); if (!EAX) break; } printf("Wrong flag\n"); return 0; }
最后,经过一天的折腾终于….
3. Berkeley
bpf 逆向,参考 bpf,ebpf一些原理以及逆向基于libbpf-bootstrap编写的bpf文件
状态不太好,先是忽略了 BitVec 是有符号数,然后是迟迟没有想到去爆破。
cipher = [0xf3, 0x27, 0x47, 0x1b, 0x8f, 0x09, 0xfb, 0x17, 0x70, 0x48, 0xb0, 0x53, 0x32, 0xdb, 0xc0, 0xb8, 0x63, 0x2d, 0x40, 0x4b, 0xf5, 0x16, 0xf0, 0x35, 0xe7, 0xdf, 0xea, 0xa2, 0x9c, 0x41, 0xb3, 0x25, 0xd7, 0x0c, 0x33, 0x9c, 0x7b, 0x5a, 0xcd, 0x13, 0xbb, 0xee, 0x3e, 0x0e, 0xf2, 0xcf, 0x35, 0xda, 0xaf, 0xa2, 0x66, 0x7d, 0x38, 0x37, 0x67, 0x1e, 0x1f, 0x6b, 0x7b, 0x30, 0x0b, 0x7a, 0x02, 0xa9, 0xc8, 0x61, 0x27, 0x41, 0xdb, 0x01, 0x22, 0x31, 0x6f, 0xb6, 0xd4, 0x1b, 0x04, 0xd3, 0x94, 0xb8, 0x46, 0xc7, 0x24, 0xcf, 0xbd, 0xaf, 0x0b, 0xdc, 0x2e, 0xbb, 0xb2, 0x71, 0xf4, 0x99, 0x57, 0x36, 0xd1, 0x95, 0x52, 0x92, 0xba, 0x6d, 0xf3, 0x30, 0x50, 0x59, 0x9b, 0xea, 0x2f, 0x83, 0xdc, 0xf0, 0xde, 0x57, 0xa1, 0xac, 0xd2, 0x51, 0xa2, 0x1d, 0x59, 0xa8, 0x00, 0xb6, 0xe2, 0x65, 0x41, 0x0c, 0x4f, 0xeb, 0xf0, 0x2e, 0x58, 0x2a, 0x1f, 0xf4, 0x95, 0x72, 0x88, 0x7c, 0xa9, 0x0e, 0xcb, 0x3c, 0x42, 0xb9, 0xf3, 0x49, 0x9b, 0x52, 0x98, 0x12, 0xa3, 0x17, 0x51, 0xc0, 0x59, 0x40, 0x0a, 0xbc, 0xe8, 0x4c, 0x04, 0xfb, 0x13, 0x0a, 0x17, 0x3f, 0xe6, 0x36, 0x97, 0xdf, 0xb3, 0xe2, 0x42, 0x7f, 0xf8, 0xcc, 0x0e, 0xd1, 0x77, 0xc4, 0xa8, 0x46, 0x48, 0xe3, 0xf1, 0x0a, 0xef, 0x94, 0x56, 0x54, 0x5b, 0xca, 0xbd, 0xdd, 0x7f, 0x56, 0x47, 0xc2, 0x99, 0xfa, 0x89, 0xcc, 0xe1, 0xb9, 0x3a, 0x78, 0xe2, 0x37, 0x58, 0x01, 0x1b, 0xc3, 0x4b, 0xe6, 0x8c, 0xf3, 0xe5, 0xb6, 0x71, 0x9e, 0x63, 0xaf, 0x11, 0xce, 0x87, 0xf6, 0x6e, 0xde, 0xc8, 0xb1, 0xd0, 0x7a, 0x15, 0x6c, 0x10, 0x08, 0x99, 0x7b, 0x22, 0x55, 0x10, 0x7a, 0x82, 0x73, 0xfc, 0x62, 0xcb, 0x34, 0xa7, 0xb7, 0x62, 0xfa, 0x6b, 0x9f] key = [0xc1, 0xd1, 0x02, 0x61, 0xd6, 0xf7, 0x13, 0xa2, 0x9b, 0x20, 0xd0, 0x4a, 0x8f, 0x7f, 0xee, 0xb9, 0x00, 0x63, 0x34, 0xb0, 0x33, 0xb7, 0x8a, 0x8b, 0x94, 0x60, 0x2e, 0x8e, 0x21, 0xff, 0x90, 0x82, 0xd5, 0x87, 0x96, 0x78, 0x22, 0xb6, 0x48, 0x6c, 0x45, 0xc7, 0x5a, 0x16, 0x80, 0xfd, 0xe4, 0x8c, 0xbf, 0x01, 0x1f, 0x4b, 0x79, 0x24, 0xa0, 0xb4, 0x23, 0x4d, 0x3b, 0xc5, 0x5d, 0x6f, 0x0d, 0xc9, 0xd4, 0xca, 0x55, 0xe0, 0x39, 0xad, 0x2b, 0xcd, 0x2c, 0xec, 0xc2, 0x6b, 0x30, 0xe6, 0x0c, 0xa8, 0x9a, 0x2f, 0xf6, 0xe8, 0xbb, 0x32, 0x57, 0xfb, 0x0b, 0x9d, 0xf2, 0x3f, 0xb5, 0xf9, 0x59, 0xe5, 0x10, 0xcf, 0x51, 0x41, 0xe9, 0x50, 0xdf, 0x26, 0x74, 0x58, 0xcb, 0x64, 0x54, 0x73, 0xab, 0xf4, 0xb2, 0x9f, 0x18, 0xf8, 0x4e, 0xfe, 0x08, 0x1d, 0x4f, 0x49, 0xd3, 0xac, 0x38, 0x12, 0x77, 0x11, 0x69, 0x07, 0x1c, 0x99, 0xb3, 0xe7, 0x3d, 0x05, 0xd8, 0xfc, 0x70, 0x46, 0x93, 0x09, 0x65, 0x89, 0xb1, 0xc6, 0x52, 0xfa, 0xd2, 0x0e, 0xa9, 0x17, 0xe3, 0x91, 0xa1, 0x68, 0x5b, 0x2a, 0xf0, 0xc3, 0x42, 0xcc, 0x29, 0xde, 0xdc, 0x85, 0x98, 0x31, 0x5c, 0xbc, 0x2d, 0xef, 0x5e, 0x7e, 0xaf, 0x67, 0x62, 0xa7, 0x56, 0x88, 0xa4, 0x43, 0x40, 0xe1, 0x37, 0x9e, 0x36, 0x76, 0x71, 0x84, 0xbd, 0x06, 0x8d, 0x47, 0x7d, 0x53, 0xd7, 0xc8, 0xce, 0x15, 0x92, 0x95, 0x4c, 0x28, 0x6d, 0x75, 0xeb, 0x7c, 0xf3, 0xbe, 0xaa, 0xb8, 0xed, 0x03, 0x3c, 0x27, 0x3e, 0x19, 0xdd, 0xa6, 0x66, 0x25, 0x1e, 0xc4, 0x6e, 0xc0, 0xe2, 0xdb, 0x3a, 0xd9, 0x81, 0xa5, 0x1b, 0xf5, 0x04, 0xae, 0xba, 0xea, 0x97, 0x83, 0x35, 0x44, 0xa3, 0x7a, 0x1a, 0xf1, 0x86, 0xda, 0x7b, 0x14, 0x72, 0x9c, 0x6a, 0x0f, 0x5f, 0x0a] cst32 = [0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01] for i in range(256): cipher[i] = key.index(cipher[i]) ^ key[i] print(cipher) import z3 for i in range(32): c = z3.BitVec(f'x{i}', 8) s = z3.Solver() s.add(c & 0x80 == 0) # 万恶之源 s.add(c < 128) 不可以, 要用 s.add(c > 0),因为 BitVec 是有符号数 for j in range(8): s.add((~((cst32[j] + c) ^ c)) & 0xff == key.index(cipher[i * 8 + j])) if s.check() == z3.sat: print(chr(s.model()[c].as_long()), end='')
补充一些关于 bpf 逆向分析的细节
暂时没发现咋调试 bpf,但是可以通过 bpftool 查看执行后的某些值的变化,比如下面的这些
举个在解决这个题中非常有用的例子 execs ,
我们可以通过在 check_flag 函数下断点的方式来获取到在执行完 LBB0_1 之后的输出的值,即代码中偏移为 0x120 的部分,
通过这种方法,可以输入 0-9a-f,建立输入和输出的映射关系,使用下面的脚本解决
# from idaapi import * # # # buf = get_bytes(0x30060, 8472) # f = open(r'D:\dump.bin', 'wb') # f.write(buf) # f.close() import string cipher = [0xf3, 0x27, 0x47, 0x1b, 0x8f, 0x09, 0xfb, 0x17, 0x70, 0x48, 0xb0, 0x53, 0x32, 0xdb, 0xc0, 0xb8, 0x63, 0x2d, 0x40, 0x4b, 0xf5, 0x16, 0xf0, 0x35, 0xe7, 0xdf, 0xea, 0xa2, 0x9c, 0x41, 0xb3, 0x25, 0xd7, 0x0c, 0x33, 0x9c, 0x7b, 0x5a, 0xcd, 0x13, 0xbb, 0xee, 0x3e, 0x0e, 0xf2, 0xcf, 0x35, 0xda, 0xaf, 0xa2, 0x66, 0x7d, 0x38, 0x37, 0x67, 0x1e, 0x1f, 0x6b, 0x7b, 0x30, 0x0b, 0x7a, 0x02, 0xa9, 0xc8, 0x61, 0x27, 0x41, 0xdb, 0x01, 0x22, 0x31, 0x6f, 0xb6, 0xd4, 0x1b, 0x04, 0xd3, 0x94, 0xb8, 0x46, 0xc7, 0x24, 0xcf, 0xbd, 0xaf, 0x0b, 0xdc, 0x2e, 0xbb, 0xb2, 0x71, 0xf4, 0x99, 0x57, 0x36, 0xd1, 0x95, 0x52, 0x92, 0xba, 0x6d, 0xf3, 0x30, 0x50, 0x59, 0x9b, 0xea, 0x2f, 0x83, 0xdc, 0xf0, 0xde, 0x57, 0xa1, 0xac, 0xd2, 0x51, 0xa2, 0x1d, 0x59, 0xa8, 0x00, 0xb6, 0xe2, 0x65, 0x41, 0x0c, 0x4f, 0xeb, 0xf0, 0x2e, 0x58, 0x2a, 0x1f, 0xf4, 0x95, 0x72, 0x88, 0x7c, 0xa9, 0x0e, 0xcb, 0x3c, 0x42, 0xb9, 0xf3, 0x49, 0x9b, 0x52, 0x98, 0x12, 0xa3, 0x17, 0x51, 0xc0, 0x59, 0x40, 0x0a, 0xbc, 0xe8, 0x4c, 0x04, 0xfb, 0x13, 0x0a, 0x17, 0x3f, 0xe6, 0x36, 0x97, 0xdf, 0xb3, 0xe2, 0x42, 0x7f, 0xf8, 0xcc, 0x0e, 0xd1, 0x77, 0xc4, 0xa8, 0x46, 0x48, 0xe3, 0xf1, 0x0a, 0xef, 0x94, 0x56, 0x54, 0x5b, 0xca, 0xbd, 0xdd, 0x7f, 0x56, 0x47, 0xc2, 0x99, 0xfa, 0x89, 0xcc, 0xe1, 0xb9, 0x3a, 0x78, 0xe2, 0x37, 0x58, 0x01, 0x1b, 0xc3, 0x4b, 0xe6, 0x8c, 0xf3, 0xe5, 0xb6, 0x71, 0x9e, 0x63, 0xaf, 0x11, 0xce, 0x87, 0xf6, 0x6e, 0xde, 0xc8, 0xb1, 0xd0, 0x7a, 0x15, 0x6c, 0x10, 0x08, 0x99, 0x7b, 0x22, 0x55, 0x10, 0x7a, 0x82, 0x73, 0xfc, 0x62, 0xcb, 0x34, 0xa7, 0xb7, 0x62, 0xfa, 0x6b, 0x9f] key = [0xc1, 0xd1, 0x02, 0x61, 0xd6, 0xf7, 0x13, 0xa2, 0x9b, 0x20, 0xd0, 0x4a, 0x8f, 0x7f, 0xee, 0xb9, 0x00, 0x63, 0x34, 0xb0, 0x33, 0xb7, 0x8a, 0x8b, 0x94, 0x60, 0x2e, 0x8e, 0x21, 0xff, 0x90, 0x82, 0xd5, 0x87, 0x96, 0x78, 0x22, 0xb6, 0x48, 0x6c, 0x45, 0xc7, 0x5a, 0x16, 0x80, 0xfd, 0xe4, 0x8c, 0xbf, 0x01, 0x1f, 0x4b, 0x79, 0x24, 0xa0, 0xb4, 0x23, 0x4d, 0x3b, 0xc5, 0x5d, 0x6f, 0x0d, 0xc9, 0xd4, 0xca, 0x55, 0xe0, 0x39, 0xad, 0x2b, 0xcd, 0x2c, 0xec, 0xc2, 0x6b, 0x30, 0xe6, 0x0c, 0xa8, 0x9a, 0x2f, 0xf6, 0xe8, 0xbb, 0x32, 0x57, 0xfb, 0x0b, 0x9d, 0xf2, 0x3f, 0xb5, 0xf9, 0x59, 0xe5, 0x10, 0xcf, 0x51, 0x41, 0xe9, 0x50, 0xdf, 0x26, 0x74, 0x58, 0xcb, 0x64, 0x54, 0x73, 0xab, 0xf4, 0xb2, 0x9f, 0x18, 0xf8, 0x4e, 0xfe, 0x08, 0x1d, 0x4f, 0x49, 0xd3, 0xac, 0x38, 0x12, 0x77, 0x11, 0x69, 0x07, 0x1c, 0x99, 0xb3, 0xe7, 0x3d, 0x05, 0xd8, 0xfc, 0x70, 0x46, 0x93, 0x09, 0x65, 0x89, 0xb1, 0xc6, 0x52, 0xfa, 0xd2, 0x0e, 0xa9, 0x17, 0xe3, 0x91, 0xa1, 0x68, 0x5b, 0x2a, 0xf0, 0xc3, 0x42, 0xcc, 0x29, 0xde, 0xdc, 0x85, 0x98, 0x31, 0x5c, 0xbc, 0x2d, 0xef, 0x5e, 0x7e, 0xaf, 0x67, 0x62, 0xa7, 0x56, 0x88, 0xa4, 0x43, 0x40, 0xe1, 0x37, 0x9e, 0x36, 0x76, 0x71, 0x84, 0xbd, 0x06, 0x8d, 0x47, 0x7d, 0x53, 0xd7, 0xc8, 0xce, 0x15, 0x92, 0x95, 0x4c, 0x28, 0x6d, 0x75, 0xeb, 0x7c, 0xf3, 0xbe, 0xaa, 0xb8, 0xed, 0x03, 0x3c, 0x27, 0x3e, 0x19, 0xdd, 0xa6, 0x66, 0x25, 0x1e, 0xc4, 0x6e, 0xc0, 0xe2, 0xdb, 0x3a, 0xd9, 0x81, 0xa5, 0x1b, 0xf5, 0x04, 0xae, 0xba, 0xea, 0x97, 0x83, 0x35, 0x44, 0xa3, 0x7a, 0x1a, 0xf1, 0x86, 0xda, 0x7b, 0x14, 0x72, 0x9c, 0x6a, 0x0f, 0x5f, 0x0a] map = [17, 6, 195, 137, 218, 156, 15, 95, 17, 6, 195, 137, 218, 156, 15, 106, 17, 6, 195, 137, 218, 156, 20, 95, 17, 6, 195, 137, 218, 156, 20, 123, 17, 6, 195, 137, 218, 122, 15, 95, 17, 6, 195, 137, 218, 122, 15, 106, 17, 6, 195, 137, 218, 122, 68, 95, 17, 6, 195, 137, 218, 122, 68, 53, 17, 6, 195, 137, 5, 156, 15, 95, 17, 6, 195, 137, 5, 156, 15, 106, 17, 201, 130, 131, 218, 156, 15, 106, 17, 201, 130, 131, 218, 156, 20, 95, 17, 201, 130, 131, 218, 156, 20, 123, 17, 201, 130, 131, 218, 122, 15, 95, 17, 201, 130, 131, 218, 122, 15, 106, 17, 201, 130, 131, 218, 122, 68, 95, 17, 201, 130, 131, 218, 122, 68, 53, 17, 201, 130, 131, 165, 156, 15, 95, 17, 201, 130, 131, 165, 156, 15, 106, 17, 201, 130, 131, 165, 156, 20, 95, 17, 201, 130, 131, 165, 156, 20, 123, 17, 201, 130, 131, 165, 219, 15, 95, 17, 201, 130, 131, 165, 219, 15, 106, 17, 201, 130, 131, 165, 219, 192, 95, 17, 201, 130, 131, 165, 219, 192, 110, 17, 201, 130, 185, 218, 156, 15, 95, 17, 201, 130, 185, 218, 156, 15, 106, 17, 201, 130, 185, 218, 156, 20, 95, 17, 201, 130, 185, 218, 156, 20, 123, 17, 201, 130, 185, 218, 122, 15, 95, 17, 201, 130, 185, 218, 122, 15, 106, 17, 201, 130, 185, 218, 122, 68, 95] for i in range(256): cipher[i] = key.index(cipher[i]) ^ key[i] for i in range(32): v = cipher[i * 8: (i + 1) * 8] for j in range(32): if v == map[j * 8: (j + 1) * 8]: print(string.printable[j], end='')
