xctf-polyre
一道ollvm的题,主要是去平坦化
先查壳,64位elf,无壳
直接拖入ida,定位到main函数
发现是ollvm平坦化,我们用在linux中使用deflat进行平坦化
去除之后用ida打开
找到关键的算法
while ( 1 ) { do v12 = v6; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); v13 = v12 < 64; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ) ; if ( !v13 ) break; v14 = input[v6]; do v15 = v14; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); if ( v15 == 10 ) { v16 = &input[v6]; *v16 = 0; break; } v17 = v6 + 1; do v6 = v17; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); } for ( i = 0; ; ++i ) { do v18 = i; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); do v19 = v18 < 6; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); if ( !v19 ) break; do v20 = input; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); v4 = *(_QWORD *)&v20[8 * i]; v7 = 0; while ( 1 ) { v21 = v7; do v22 = v21 < 64; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); if ( !v22 ) break; v23 = v4; v24 = v4 < 0; if ( v4 >= 0 ) { v27 = v4; do v28 = 2 * v27; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); v4 = v28; } else { v25 = 2 * v4; do v26 = v25; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); v4 = v26 ^ 0xB0004B7679FA26B3LL; } v29 = v7; do v7 = v29 + 1; while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ); } v30 = 8 * i; v31 = &s1[8 * i]; if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ) LABEL_55: *(_QWORD *)v31 = v4; *(_QWORD *)v31 = v4; if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 ) goto LABEL_55; v32 = i + 1; }
此时还存在一些无用代码,将无用代码删除
while ( 1 ) { v12 = v6; v13 = v12 < 64; if ( !v13 ) break; v14 = s[v6]; v15 = v14; if ( v15 == 10 ) { v16 = &s[v6]; *v16 = 0; break; } v17 = v6 + 1; v6 = v17; } for ( i = 0; ; ++i ) { v18 = i; v19 = v18 < 6; if ( !v19 ) break; v20 = s; v4 = *(_QWORD *)&v20[8 * i]; v7 = 0; while ( 1 ) { v21 = v7; v22 = v21 < 64; if ( !v22 ) break; v23 = v4; v24 = v4 < 0; if ( v4 >= 0 ) { v27 = v4; v28 = 2 * v27; v4 = v28; } else { v25 = 2 * v4; v26 = v25; v4 = v26 ^ 0xB0004B7679FA26B3LL; } v29 = v7; v7 = v29 + 1; } v30 = 8 * i; v31 = &s1[8 * i]; *(_QWORD *)v31 = v4; v32 = i + 1; } v33 = memcmp(s1, &unk_402170, 0x30uLL); v34 = v33 != 0;
发现只是进行移位操作,直接把过程逆过来就可以
C++ exp
#include<iostream> #include<stdio.h> #include<windows.h> using namespace std; unsigned char l[] = {0x96,0x62,0x53,0x43,0x6d,0xf2,0x8f,0xbc,0x16,0xee,0x30,0x5,0x78,0x0,0x1,0x52,0xec,0x8,0x5f,0x93,0xea,0xb5,0xc0,0x4d,0x50,0xf4,0x53,0xd8,0xaf,0x90,0x2b,0x34,0x81,0x36,0x2c,0xaa,0xbc,0xe,0x25,0x8b,0xe4,0x8a,0xc6,0xa2,0x81,0x9f,0x75,0x55,0xb3,0x26,0xfa,0x79,0x76,0x4b,0x0,0xb0}; int main() { __int64 v4; __int64 v23; for(int i = 0;i < 6;i++) { v4 = *(__int64 *)&l[8 * i]; for(int j = 0;j < 64;j++){ if (v4 &1) { v4 = (unsigned __int64)v4 ^ 0xB0004B7679FA26B3LL; v4 >>= 1; v4 |= 0x8000000000000000; } else { v4 = (unsigned __int64)v4 >> 1; } } for(int i = 0;i < 8;i++) { printf("%c",(char)(v4&0xff)); v4 >>= 8; } } }