[网鼎杯 2020 青龙组]signal
VM 题,没有栈操作。先找到 opcode:
0A 00 00 00 04 00 00 00 10 00 00 00 08 00 00 00 03 00 00 00 05 00 00 00 01 00 00 00 04 00 00 00 20 00 00 00 08 00 00 00 05 00 00 00 03 00 00 00 01 00 00 00 03 00 00 00 02 00 00 00 08 00 00 00 0B 00 00 00 01 00 00 00 0C 00 00 00 08 00 00 00 04 00 00 00 04 00 00 00 01 00 00 00 05 00 00 00 03 00 00 00 08 00 00 00 03 00 00 00 21 00 00 00 01 00 00 00 0B 00 00 00 08 00 00 00 0B 00 00 00 01 00 00 00 04 00 00 00 09 00 00 00 08 00 00 00 03 00 00 00 20 00 00 00 01 00 00 00 02 00 00 00 51 00 00 00 08 00 00 00 04 00 00 00 24 00 00 00 01 00 00 00 0C 00 00 00 08 00 00 00 0B 00 00 00 01 00 00 00 05 00 00 00 02 00 00 00 08 00 00 00 02 00 00 00 25 00 00 00 01 00 00 00 02 00 00 00 36 00 00 00 08 00 00 00 04 00 00 00 41 00 00 00 01 00 00 00 02 00 00 00 20 00 00 00 08 00 00 00 05 00 00 00 01 00 00 00 01 00 00 00 05 00 00 00 03 00 00 00 08 00 00 00 02 00 00 00 25 00 00 00 01 00 00 00 04 00 00 00 09 00 00 00 08 00 00 00 03 00 00 00 20 00 00 00 01 00 00 00 02 00 00 00 41 00 00 00 08 00 00 00 0C 00 00 00 01 00 00 00 07 00 00 00 22 00 00 00 07 00 00 00 3F 00 00 00 07 00 00 00 34 00 00 00 07 00 00 00 32 00 00 00 07 00 00 00 72 00 00 00 07 00 00 00 33 00 00 00 07 00 00 00 18 00 00 00 07 00 00 00 A7 FF FF FF 07 00 00 00 31 00 00 00 07 00 00 00 F1 FF FF FF 07 00 00 00 28 00 00 00 07 00 00 00 84 FF FF FF 07 00 00 00 C1 FF FF FF 07 00 00 00 1E 00 00 00 07 00 00 00 7A 00 00 00
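def parse_opcodes(tokens):
    """Return the VM program as a list of ints from the hex-dump tokens.

    The dump is a run of 4-byte little-endian words written as space
    separated hex bytes.  As in the original script, only the first
    (lowest) byte of every word is kept (stride 4), so each value is in
    0..255 and a negative operand such as ``A7 FF FF FF`` shows up as its
    low byte, 167.

    Args:
        tokens: hex byte strings, e.g. ``["0A", "00", "00", "00", ...]``.

    Returns:
        One int per 4-byte word.

    Raises:
        ValueError: if a token is not valid hexadecimal.
    """
    # int(tok, 16) gives the same value as eval("0x" + tok) for valid hex
    # but never executes the file's contents as Python.
    return [int(tokens[i], 16) for i in range(0, len(tokens), 4)]


def disassemble(a):
    """Translate the program words into pseudo-C lines, one per instruction.

    Opcodes 2-5 and 7 take an immediate in the following word (2-word
    instructions); 1, 6, 8, 10, 11 and 12 are single words.  The counters
    v6/v7/v8/v9 track the VM's own array indices so every emitted line
    names the exact v3/v4 slot it touches.

    Args:
        a: program words as produced by ``parse_opcodes``.

    Returns:
        list[str] of pseudo-C lines in program order.

    Raises:
        ValueError: on an opcode this disassembler does not know.  The
            original ``else: continue`` never advanced the program counter
            and therefore looped forever.
    """
    out = []
    v10 = 0  # program counter: index into a
    v7 = 0   # next v4 slot written by opcode 1
    v9 = 0   # v3 slot read by the arithmetic opcodes
    v6 = 0   # next v3 slot written by opcode 8
    v8 = 0   # v4 slot compared by opcode 7
    # Two-word arithmetic opcodes: the operand is the word after the opcode.
    two_word = {
        2: "2: v5 = a1[{imm}] + v3[{src}];",
        3: "3: v5 = v3[{src}] - a1[{imm}];",
        4: "4: v5 = a1[{imm}] ^ v3[{src}];",
        5: "5: v5 = a1[{imm}] * v3[{src}];",
    }
    while v10 < len(a):
        op = a[v10]
        if op == 1:
            out.append(f"1: v4[{v7}] = v5;")
            v10 += 1
            v7 += 1
            v9 += 1
        elif op in two_word:
            out.append(two_word[op].format(imm=v10 + 1, src=v9))
            v10 += 2
        elif op == 6:
            out.append("6: ")
            v10 += 1
        elif op == 7:
            # Compare a v4 slot with the immediate; the binary exits on a
            # mismatch.  The original script never advanced v10 here and
            # so spun forever on the first opcode 7.
            out.append(f"7: if (v4[{v8}] != a1[{v10 + 1}]) exit(0);")
            v10 += 2
            v8 += 1
        elif op == 8:
            out.append(f"8: v3[{v6}] = v5;")
            v10 += 1
            v6 += 1
        elif op == 10:
            out.append("10: read(v3)")
            v10 += 1
        elif op == 11:
            out.append(f"11: v5 = v3[{v9}] - 1;")
            v10 += 1
        elif op == 12:
            out.append(f"12: v5 = v3[{v9}] + 1;")
            v10 += 1
        else:
            raise ValueError(f"unknown opcode {op} at index {v10}")
    return out


if __name__ == "__main__":
    with open("a.txt") as fh:
        tokens = fh.read().split()
    program = parse_opcodes(tokens)
    # print(program)
    for line in disassemble(program):
        print(line)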
得到处理过程(反汇编输出):
10: read(v3) 4: v5 = a1[2] ^ v3[0]; 8: v3[0] = v5; 3: v5 = v3[0] - a1[5]; 1: v4[0] = v5; 4: v5 = a1[8] ^ v3[1]; 8: v3[1] = v5; 5: v5 = a1[11] * v3[1]; 1: v4[1] = v5; 3: v5 = v3[2] - a1[14]; 8: v3[2] = v5; 11: v5 = v3[2] - 1; 1: v4[2] = v5; 12: v5 = v3[3] + 1; 8: v3[3] = v5; 4: v5 = a1[21] ^ v3[3]; 1: v4[3] = v5; 5: v5 = a1[24] * v3[4]; 8: v3[4] = v5; 3: v5 = v3[4] - a1[27]; 1: v4[4] = v5; 11: v5 = v3[5] - 1; 8: v3[5] = v5; 11: v5 = v3[5] - 1; 1: v4[5] = v5; 4: v5 = a1[34] ^ v3[6]; 8: v3[6] = v5; 3: v5 = v3[6] - a1[37]; 1: v4[6] = v5; 2: v5 = a1[40] + v3[7]; 8: v3[7] = v5; 4: v5 = a1[43] ^ v3[7]; 1: v4[7] = v5; 12: v5 = v3[8] + 1; 8: v3[8] = v5; 11: v5 = v3[8] - 1; 1: v4[8] = v5; 5: v5 = a1[50] * v3[9]; 8: v3[9] = v5; 2: v5 = a1[53] + v3[9]; 1: v4[9] = v5; 2: v5 = a1[56] + v3[10]; 8: v3[10] = v5; 4: v5 = a1[59] ^ v3[10]; 1: v4[10] = v5; 2: v5 = a1[62] + v3[11]; 8: v3[11] = v5; 5: v5 = a1[65] * v3[11]; 1: v4[11] = v5; 5: v5 = a1[68] * v3[12]; 8: v3[12] = v5; 2: v5 = a1[71] + v3[12]; 1: v4[12] = v5; 4: v5 = a1[74] ^ v3[13]; 8: v3[13] = v5; 3: v5 = v3[13] - a1[77]; 1: v4[13] = v5; 2: v5 = a1[80] + v3[14]; 8: v3[14] = v5; 12: v5 = v3[14] + 1; 1: v4[14] = v5;
其实 v4 的值就是 opcode 中每个 7 后面紧跟的值,但我是动态调试得到的
"22 3f 34 32 72 33 18 a7 31 f1 28 84 c1 1e 7a"
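def recover_input(v4_hex, a1):
    """Invert the VM's per-byte transforms and return the original input.

    ``v4`` holds the 15 expected bytes (the immediates that follow opcode 7
    in the program) and ``a1`` is the program itself, indexed exactly as
    the disassembly names it.  Each ``v3[i]`` line is the algebraic inverse
    of the two instructions the VM applies to input byte i, undone in
    reverse order (e.g. ``(v4[0] + a1[5]) ^ a1[2]`` undoes ``- a1[5]`` and
    then ``^ a1[2]``).  Integer division (``//``) inverts the multiply
    opcodes.

    Args:
        v4_hex: space-separated hex bytes, e.g. ``"22 3f 34 ..."``.
        a1: program words as ints.

    Returns:
        The recovered input as a str.

    Raises:
        ValueError: if ``v4_hex`` does not contain exactly 15 hex bytes.
    """
    # int(tok, 16) instead of eval("0x" + tok): same value, no code execution.
    v4 = [int(tok, 16) for tok in v4_hex.split()]
    if len(v4) != 15:
        raise ValueError(f"expected 15 bytes, got {len(v4)}")
    v3 = [0] * 15
    v3[0] = (v4[0] + a1[5]) ^ a1[2]
    v3[1] = (v4[1] // a1[11]) ^ a1[8]
    v3[2] = v4[2] + 1 + a1[14]
    v3[3] = (v4[3] ^ a1[21]) - 1
    v3[4] = (v4[4] + a1[27]) // a1[24]
    v3[5] = v4[5] + 2
    v3[6] = (v4[6] + a1[37]) ^ a1[34]
    v3[7] = (v4[7] ^ a1[43]) - a1[40]
    v3[8] = v4[8]
    v3[9] = (v4[9] - a1[53]) // a1[50]
    v3[10] = (v4[10] ^ a1[59]) - a1[56]
    v3[11] = v4[11] // a1[65] - a1[62]
    v3[12] = (v4[12] - a1[71]) // a1[68]
    v3[13] = (v4[13] + a1[77]) ^ a1[74]
    v3[14] = v4[14] - 1 - a1[80]
    return "".join(chr(c) for c in v3)


# Expected output bytes (the operands after each opcode 7).
v4 = "22 3f 34 32 72 33 18 a7 31 f1 28 84 c1 1e 7a"
# The program words, low byte of each 4-byte word.
a1 = [10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 7, 49, 7, 241, 7, 40, 7, 132, 7, 193, 7, 30, 7, 122]

if __name__ == "__main__":
    print(recover_input(v4, a1), end="")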
得到flag
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
做法二:
最近在学angr
import angr
def main():
    """Explore signal.exe with angr and return the stdin that reaches ``find``.

    ``find``/``avoid`` are addresses inside the binary; presumably ``find``
    is the success path and ``avoid`` the failure exit -- confirm against
    the disassembly.  ``auto_load_libs=False`` keeps exploration inside
    signal.exe instead of loading its shared libraries.
    """
    proj = angr.Project("signal.exe", auto_load_libs=False)
    entry = proj.factory.entry_state()
    simgr = proj.factory.simulation_manager(entry)
    simgr.explore(find=0x40179e, avoid=0x4016e6)
    # Contents of fd 0 (stdin) for the first state that reached `find`.
    return simgr.found[0].posix.dumps(0)
# Script entry point: print the recovered stdin bytes.
if __name__ == "__main__":
    print(main())