xctf-polyre

一道ollvm的题,主要是去平坦化

先查壳,64位elf,无壳

直接拖入ida,定位到main函数

 

发现是ollvm平坦化,我们用在linux中使用deflat进行平坦化

去除之后用ida打开

找到关键的算法

while ( 1 )
  {
    do
      v12 = v6;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    v13 = v12 < 64;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
      ;
    if ( !v13 )
      break;
    v14 = input[v6];
    do
      v15 = v14;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    if ( v15 == 10 )
    {
      v16 = &input[v6];
      *v16 = 0;
      break;
    }
    v17 = v6 + 1;
    do
      v6 = v17;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
  }
  for ( i = 0; ; ++i )
  {
    do
      v18 = i;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    do
      v19 = v18 < 6;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    if ( !v19 )
      break;
    do
      v20 = input;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    v4 = *(_QWORD *)&v20[8 * i];
    v7 = 0;
    while ( 1 )
    {
      v21 = v7;
      do
        v22 = v21 < 64;
      while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
      if ( !v22 )
        break;
      v23 = v4;
      v24 = v4 < 0;
      if ( v4 >= 0 )
      {
        v27 = v4;
        do
          v28 = 2 * v27;
        while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
        v4 = v28;
      }
      else
      {
        v25 = 2 * v4;
        do
          v26 = v25;
        while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
        v4 = v26 ^ 0xB0004B7679FA26B3LL;
      }
      v29 = v7;
      do
        v7 = v29 + 1;
      while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    }
    v30 = 8 * i;
    v31 = &s1[8 * i];
    if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
LABEL_55:
      *(_QWORD *)v31 = v4;
    *(_QWORD *)v31 = v4;
    if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
      goto LABEL_55;
    v32 = i + 1;
  }

此时还存在一些无用代码,将无用代码删除

while ( 1 )
  {
    v12 = v6;
    v13 = v12 < 64;
    if ( !v13 )
      break;
    v14 = s[v6];
    v15 = v14;
    if ( v15 == 10 )
    {
      v16 = &s[v6];
      *v16 = 0;
      break;
    }
    v17 = v6 + 1;
    v6 = v17;
  }
  for ( i = 0; ; ++i )
  {
    v18 = i;
    v19 = v18 < 6;
    if ( !v19 )
      break;
    
    v20 = s;
    v4 = *(_QWORD *)&v20[8 * i];
    v7 = 0;
    while ( 1 )
    {
      v21 = v7;
      v22 = v21 < 64;
      if ( !v22 )
        break;
      v23 = v4;
      v24 = v4 < 0;
      if ( v4 >= 0 )
      {
        v27 = v4;
        v28 = 2 * v27;
        v4 = v28;
      }
      else
      {
        v25 = 2 * v4;
        v26 = v25;
        v4 = v26 ^ 0xB0004B7679FA26B3LL;
      }
      v29 = v7;
      v7 = v29 + 1;
    }
    v30 = 8 * i;
    v31 = &s1[8 * i];
    *(_QWORD *)v31 = v4;
    v32 = i + 1;
  }
  v33 = memcmp(s1, &unk_402170, 0x30uLL);
  v34 = v33 != 0;

发现只是进行移位操作,直接把过程逆过来就可以

C++ exp

#include<iostream>
#include<stdio.h> 
#include<windows.h>

using namespace std;
unsigned  char l[] = {0x96,0x62,0x53,0x43,0x6d,0xf2,0x8f,0xbc,0x16,0xee,0x30,0x5,0x78,0x0,0x1,0x52,0xec,0x8,0x5f,0x93,0xea,0xb5,0xc0,0x4d,0x50,0xf4,0x53,0xd8,0xaf,0x90,0x2b,0x34,0x81,0x36,0x2c,0xaa,0xbc,0xe,0x25,0x8b,0xe4,0x8a,0xc6,0xa2,0x81,0x9f,0x75,0x55,0xb3,0x26,0xfa,0x79,0x76,0x4b,0x0,0xb0};
int main()
{
    __int64 v4;
    __int64 v23;
    for(int i = 0;i < 6;i++)
    {
        v4 = *(__int64 *)&l[8 * i];
        for(int j = 0;j < 64;j++){
            if (v4 &1)
            {
                v4 = (unsigned __int64)v4 ^ 0xB0004B7679FA26B3LL;
                v4 >>= 1;
                v4 |= 0x8000000000000000;
            }
            else
            {
                v4 = (unsigned __int64)v4 >> 1; 
            }
        }
        for(int i = 0;i < 8;i++)
        {
            printf("%c",(char)(v4&0xff));
            v4 >>= 8;
        }
    } 
}

 

posted @ 2022-11-25 18:53  写在风中的信  阅读(23)  评论(0编辑  收藏  举报