NSSCTF vm_wo

Part 1

No packer, Mac binary. Drop it into IDA: there is an obvious comparison, so grab the `data` array the flag is finally compared against directly.

data = [0xDF, 0xD5, 0xF1, 0xD1, 0xFF, 0xDB, 0xA1, 0xA5, 0x89, 0xBD, 0xE9, 0x95, 0xB3, 0x9D, 0xE9, 0xB3, 0x85, 0x99, 0x87, 0xBF, 0xE9, 0xB1, 0x89, 0xE9, 0x91, 0x89, 0x89, 0x8F, 0xAD]

Part 2

Next, open the myoperate function. Reading the code, it hands us the opcode directly: each 8-byte hexadecimal constant, concatenated. Note that the last one must be dropped, since it is only (v8 + 7).

# hex_string = "020D01011903001A"

# # convert the hex string into a list of bytes
# byte_list = [int(hex_string[i:i+2], 16) for i in range(0, len(hex_string), 2)]

# # reverse the byte list (little-endian storage)
# byte_list.reverse()

# print(byte_list)


opcode = [26, 0, 3, 25, 1, 1, 13, 2, 7, 24, 1, 2, 1, 0, 3,
          26, 0, 3, 25, 1, 2, 13, 2, 6, 24, 1, 2, 1, 0, 4,
          26, 0, 3, 25, 1, 3, 13, 2, 5, 24, 1, 2, 1, 0, 5,
          26, 0, 3, 25, 1, 4, 13, 2, 4, 24, 1, 2, 1, 0, 6,
          255]  # 255 is added by us, to break out of the while loop

Note that IDA shows the values in little-endian storage, so reverse each constant before concatenating.

Part 3

Open the interpretBytecode function to see what the emulator looks like. It emulates a lot of instructions, but our opcode stream only uses these few:

0 1 2 3 4 5 6 7 13 24 25 26

So we only need to reproduce these.

exp:

# Every instruction is 3 bytes: opcode, operand, operand.
# Each handler prints its disassembly at offset i and then advances i by 3.
opcode = [26, 0, 3, 25, 1, 1, 13, 2, 7, 24, 1, 2, 1, 0, 3,
          26, 0, 3, 25, 1, 2, 13, 2, 6, 24, 1, 2, 1, 0, 4,
          26, 0, 3, 25, 1, 3, 13, 2, 5, 24, 1, 2, 1, 0, 5,
          26, 0, 3, 25, 1, 4, 13, 2, 4, 24, 1, 2, 1, 0, 6,
          255]
i = 0

def swap():
    global i, opcode
    print(f"{i} swap r[{opcode[i + 1]}] r[{opcode[i + 2]}]")
    i += 3

def xor():
    global i, opcode
    print(f"{i} xor r[{opcode[i + 1]}] r[{opcode[i + 2]}]")
    i += 3

def add1():
    global i, opcode
    print(f"{i} add r[{opcode[i + 1]}] {opcode[i + 2]}")
    i += 3

def add2():
    global i, opcode
    print(f"{i} add r[{opcode[i + 1]}] r[{opcode[i + 2]}]")
    i += 3

def sub1():
    global i, opcode
    print(f"{i} sub r[{opcode[i + 1]}] {opcode[i + 2]}")
    i += 3

def sub2():
    global i, opcode
    print(f"{i} sub r[{opcode[i + 1]}] r[{opcode[i + 2]}]")
    i += 3

def mul1():
    global i, opcode
    print(f"{i} mul r[{opcode[i + 1]}] {opcode[i + 2]}")
    i += 3

def mul2():
    global i, opcode
    print(f"{i} mul r[{opcode[i + 1]}] r[{opcode[i + 2]}]")
    i += 3

def shl():
    global i, opcode
    print(f"{i} r[{opcode[i + 1]}] = r[0] << {opcode[i + 2]} ")
    i += 3

def fun24():
    global i, opcode
    print(f"{i} r[0] = r[2] | r[1] ")
    i += 3

def shr():
    global i, opcode
    print(f"{i} r[{opcode[i + 1]}] = r[0] >> {opcode[i + 2]}")
    i += 3

def fun26():
    global i, opcode
    print(f"{i} r[{opcode[i + 1]}] = {opcode[i + 2]}")
    i += 3


# 255 is our own stop marker, see Part 2
while opcode[i] != 255:
    if opcode[i] == 0:
        swap()
    elif opcode[i] == 1:
        xor()
    elif opcode[i] == 2:
        add1()
    elif opcode[i] == 3:
        add2()
    elif opcode[i] == 4:
        sub1()
    elif opcode[i] == 5:
        sub2()
    elif opcode[i] == 6:
        mul1()
    elif opcode[i] == 7:
        mul2()
    elif opcode[i] == 13:
        shl()
    elif opcode[i] == 24:
        fun24()
    elif opcode[i] == 25:
        shr()
    elif opcode[i] == 26:
        fun26()

The resulting assembly listing:

0 r[0] = 3
3 r[1] = r[0] >> 1
6 r[2] = r[0] << 7
9 r[0] = r[2] | r[1]
12 xor r[0] r[3]
15 r[0] = 3
18 r[1] = r[0] >> 2
21 r[2] = r[0] << 6
24 r[0] = r[2] | r[1]
27 xor r[0] r[4]
30 r[0] = 3
33 r[1] = r[0] >> 3
36 r[2] = r[0] << 5
39 r[0] = r[2] | r[1]
42 xor r[0] r[5]
45 r[0] = 3
48 r[1] = r[0] >> 4
51 r[2] = r[0] << 4
54 r[0] = r[2] | r[1]
57 xor r[0] r[6]

Here r[0] = 3: after analysis, the 3 should stand for our input flag byte. There is one key point here:

case 24:
vm_body[0] = byte_100008002 | byte_100008001;
goto LABEL_35;

In case 24 there are two strange things; look at their addresses:

__bss:0000000100008001 byte_100008001  % 1                     
__bss:0000000100008002 byte_100008002 % 1
__bss:0000000100008003 deadbeef % 4
__bss:0000000100008003
__bss:0000000100008007 % 1
__bss:0000000100008007 ; __bss ends

From this we can see that they should be one and the same array: byte_100008001 is r[1], byte_100008002 is r[2], and deadbeef = 0xBEEDBEEF should be r[3] through r[6]. That lines up with the r[] array in the disassembled listing.
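As an added example (not the page's own script), here is the disassembler from Part 3 turned into an interpreter that actually executes the 12 opcodes on a register file laid out the way the __bss listing suggests: r[1] and r[2] are the two single bytes, r[3] to r[6] are the little-endian bytes of deadbeef. `decode_qword` does the little-endian unpacking that the commented-out code in Part 2 does by hand. Assumptions: registers are 8-bit (the listing shows byte-sized cells) and xor/add/sub/mul write into their first operand.

```python
import struct

# First 8-byte constant from myoperate (from the page); stored little-endian, so '<Q' gives execution order.
CONST_0 = 0x020D01011903001A

# Opcode stream recovered on the page; 255 is the stop marker the page adds.
OPCODE = [26, 0, 3, 25, 1, 1, 13, 2, 7, 24, 1, 2, 1, 0, 3,
          26, 0, 3, 25, 1, 2, 13, 2, 6, 24, 1, 2, 1, 0, 4,
          26, 0, 3, 25, 1, 3, 13, 2, 5, 24, 1, 2, 1, 0, 5,
          26, 0, 3, 25, 1, 4, 13, 2, 4, 24, 1, 2, 1, 0, 6, 255]

# Register file as read from the __bss listing: r[0] = vm_body[0], r[1]/r[2] =
# byte_100008001/2, r[3..6] = bytes of deadbeef (0xBEEDBEEF) in little-endian.
INIT_REGS = [0, 0, 0, 0xEF, 0xBE, 0xED, 0xBE]
def decode_qword(q):
    """Split a 64-bit constant into its 8 opcode bytes (little-endian)."""
    return list(struct.pack("<Q", q))

def run_vm(code, regs, trace=None):
    """Execute 3-byte instructions (op, a, b) until the 255 marker.
    Assumed: 8-bit registers (the listing shows byte-sized cells) and the
    first operand as destination for xor/add/sub/mul."""
    r = list(regs)
    i = 0
    while code[i] != 255:
        op, a, b = code[i], code[i + 1], code[i + 2]
        if op == 0:
            r[a], r[b] = r[b], r[a]                      # swap
        elif op == 1:
            r[a] ^= r[b]                                 # xor reg, reg
        elif op in (2, 3):                               # add imm / add reg
            r[a] = (r[a] + (b if op == 2 else r[b])) & 0xFF
        elif op in (4, 5):                               # sub imm / sub reg
            r[a] = (r[a] - (b if op == 4 else r[b])) & 0xFF
        elif op in (6, 7):                               # mul imm / mul reg
            r[a] = (r[a] * (b if op == 6 else r[b])) & 0xFF
        elif op == 13:
            r[a] = (r[0] << b) & 0xFF                    # r[a] = r[0] << b
        elif op == 24:
            r[0] = r[2] | r[1]                           # recombine halves
        elif op == 25:
            r[a] = r[0] >> b                             # r[a] = r[0] >> b
        elif op == 26:
            r[a] = b                                     # load immediate
        else:
            raise ValueError(f"unhandled opcode {op} at offset {i}")
        if trace is not None:
            trace.append((i, op, a, b))
        i += 3
    return r
```

Passing a list as `trace` collects (offset, op, a, b) per executed instruction, which reproduces the 20-line listing above as data instead of print output.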

Now we can write the script. exp:

data = [0xDF, 0xD5, 0xF1, 0xD1, 0xFF, 0xDB, 0xA1, 0xA5, 0x89, 0xBD, 0xE9, 0x95, 0xB3, 0x9D, 0xE9, 0xB3, 0x85, 0x99, 0x87, 0xBF, 0xE9, 0xB1, 0x89, 0xE9, 0x91, 0x89, 0x89, 0x8F, 0xAD]
deadbeef = [0xEF, 0xBE, 0xED, 0xBE]  # note the little-endian byte order
flag = ""
for i in data:
    # undo the rounds in reverse order; each shift line is an 8-bit rotate
    i = (i >> 3 | i << 5) & 0xff

    i = i ^ deadbeef[3]
    i = (i >> 4 | i << 4) & 0xff

    i = i ^ deadbeef[2]
    i = (i >> 5 | i << 3) & 0xff

    i = i ^ deadbeef[1]
    i = (i >> 6 | i << 2) & 0xff

    i = i ^ deadbeef[0]
    i = (i >> 7 | i << 1) & 0xff

    flag += chr(i)

print(flag)
# DASCTF{you_are_right_so_cool}

Of course, you can also simply brute-force it. Here is a link to a good friend's brute-force solution for this challenge:

https://www.pri87.vip/posts/b22e135.html