2021 羊城杯 EasyVM

正好学习一下vm的题目怎么分析

1.简单分析

主函数
1.初始化标准输入输出和错误
2.设置VMcontext
3.xxtea自解密dispatch代码
4.进入dispatch执行
在这里插入图片描述

2.解决smc问题

在自解密结束位置下断点,并将内容dump下来.
在这里插入图片描述
dump脚本

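start = 0x80487A8  # first byte of the self-decrypted dispatch code (section 1)

# Dump 0x1000 bytes of the already-decrypted image as a comma-separated hex
# list, 16 values per row, ready to paste into the patch script below.
# The original mixed tabs and spaces inside the loop body, which Python 3
# rejects with an indentation error; the body is now uniformly 4-space
# indented.
for idx in range(0x1000):
    if idx % 16 == 0:
        print("")
    print(hex(get_wide_byte(start + idx)), end=',')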

修复内容并保存

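start = 0x80487A8  # same address the dump script read from

# Bytes captured after the xxtea self-decryption finished (see the dump
# above).  Writing them back into the database makes the static listing
# match the code that actually executes, so the dispatcher can be read.
a = [0x55,0x89,0xe5,0x53,0x83,0xec,0x34,0x8b,0x45,0x8,0x89,
    0x45,0xd4,0x65,0xa1,0x14,0x0,0x0,0x0,0x89,0x45,0xf4,0x31,
    0xc0,0x8b,0x45,0xd4,0x8b,0x40,0x20,0xf,0xb6,0x0,0x3c,0x71,
    0x75,0x2f,0x8b,0x45,0xd4,0x8b,0x40,0x18,0x8d,0x50,0xfc,
    0x8b,0x45,0xd4,0x89,0x50,0x18,0x8b,0x45,0xd4,0x8b,0x40,
    0x18,0x8b,0x55,0xd4,0x8b,0x52,0x20,0x8b,0x52,0x1,0x89,
    0x10,0x8b,0x45,0xd4,0x8b,0x40,0x20,0x8d,0x50,0x5,0x8b,
    0x45,0xd4,0x89,0x50,0x20,0x8b,0x45,0xd4,0x8b,0x40,0x20,
    0xf,0xb6,0x0,0x3c,0x41,0x75,0x23,0x8b,0x45,0xd4,0x8b,
    0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,0x8,0x1,0xc2,0x8b,0x45,
    0xd4,0x89,0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,0x20,0x8d,0x50,
    0x1,0x8b,0x45,0xd4,0x89,0x50,0x20,0x8b,0x45,0xd4,0x8b,0x40,
    0x20,0xf,0xb6,0x0,0x3c,0x42,0x75,0x23,0x8b,0x45,0xd4,0x8b,
    0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,0x10,0x29,0xc2,0x8b,0x45,
    0xd4,0x89,0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,0x20,0x8d,0x50,
    0x1,0x8b,0x45,0xd4,0x89,0x50,0x20,0x8b,0x45,0xd4,0x8b,0x40,
    0x20,0xf,0xb6,0x0,0x3c,0x43,0x75,0x24,0x8b,0x45,0xd4,0x8b,
    0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,0xc,0xf,0xaf,0xd0,0x8b,
    0x45,0xd4,0x89,0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,0x20,0x8d,
    0x50,0x1,0x8b,0x45,0xd4,0x89,0x50,0x20,0x8b,0x45,0xd4,0x8b,
    0x40,0x20,0xf,0xb6,0x0,0x3c,0x37,0x75,0x1b,0x8b,0x45,0xd4,
    0x8b,0x50,0x14,0x8b,0x45,0xd4,0x89,0x50,0x4,0x8b,0x45,0xd4,
    0x8b,0x40,0x20,0x8d,0x50,0x1,0x8b,0x45,0xd4,0x89,0x50,0x20,
    0x8b,0x45,0xd4,0x8b,0x40,0x20,0xf,0xb6,0x0,0x3c,0x38,0x75,
    0x23,0x8b,0x45,0xd4,0x8b,0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,
    0x10,0x31,0xc2,0x8b,0x45,0xd4,0x89,0x50,0x4,0x8b,0x45,0xd4,
    0x8b,0x40,0x20,0x8d,0x50,0x1,0x8b,0x45,0xd4,0x89,0x50,0x20,
    0x8b,0x45,0xd4,0x8b,0x40,0x20,0xf,0xb6,0x0,0x3c,0x39,0x75,
    0x23,0x8b,0x45,0xd4,0x8b,0x50,0x4,0x8b,0x45,0xd4,0x8b,0x40,
    0x14,0x31,0xc2,0x8b,0x45,0xd4,0x89,0x50,0x4,0x8b,0x45,0xd4,
    0x8b,0x40,0x20,0x8d,0x50,0x1,0x8b,0x45,0xd4,0x89,0x50,0x20,
    0x8b,0x45,0xd4,0x8b,0x40,0x20,0xf,0xb6,0x0,0x3c,0x35,0x75,
    0x1b,0x8b,0x45,0xd4,0x8b,0x50,0x4,0x8b,0x45,0xd4,0x89,0x50,
    0x14,0x8b,0x45,0xd4,0x8b,0x40,0x20,0x8d,0x50,0x1,0x8b,0x45,
    0xd4,0x89,0x50,0x20,0x8b,0x45,0xd4,0x8b,0x40,0x20,0xf,0xb6,
    0x0,0x3c,0xf7,0x75,0x23,0x8b,0x45,0xd4,0x8b,0x50,0x24,0x8b,
    0x45,0xd4,0x8b,0x40,0x4,0x1,0xc2,0x8b,0x45,0xd4,0x89,0x50,
    0x24,0x8b,0x45,0xd4,0x8b,0x40,0x20,0x8d,0x50,0x1,0x8b,0x45,
    0xd4,0x89,0x50,0x20,0x8b,0x45,0xd4,0x8b,0x40,0x20,0xf,0xb6,
    0x0,0x3c,0x44,0x75,0x2a,0x8b,0x45,0xd4,0x8b,0x40,0x4,0x8b,
    0x55,0xd4,0x8b,0x5a,0x14,0xba,0x0,0x0,0x0,0x0,0xf7,0xf3,0x89,0xc2]

# enumerate() gives the offset and the byte together instead of indexing
# the list by hand inside the loop.
for off, byte in enumerate(a):
    ida_bytes.patch_byte(start + off, byte)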

修复完成之后可以看出dispatch
在这里插入图片描述

3.提取opcode

第一列是操作码,第二列是该指令占用的字节数(包含操作数),第三列是对应的操作

table[4] = [0x7b,0x2f,0x37,0xe8]
table2[2] = [0x0CF1304DC,0x283B8E84]
0x9 1 reg[1] = 0x6FEBF967
0x10 1 reg[9] = reg[1]
0x11 1 printf(%x,reg[1])
0x22 1 reg[1] >>= reg[2]
0x23 1 reg[1] <<= reg[2]
0x30 1 reg[1] |= reg[2]
0x31 1 reg[1] &= reg[2]
0x32 2 reg[3] = (byte)data
0x33 1 reg[4] = reg[1]
0x34 2 reg[2] = (byte)data
0x35 1 reg[5] = reg[1]
0x37 1 reg[1] = reg[5]
0x38 1 reg[1] ^= reg[4]
0x39 1 reg[1] ^= reg[5]
0x41 1 reg[1] += reg[2]
0x42 1 reg[1] -= reg[4]
0x43 1 reg[1] *= reg[3]
0x44 1 reg[1] /= reg[5]
0x53 2 putchar(*(char *)reg[3])
0x54 2 getchar(reg[3])
0x71 5 reg[6] = (DWORD)data
0x76 5 reg[3] = *(DWORD*)reg[6];*(DWORD*)reg[6]=0;reg[6]+=4
0x77 1 reg[1] ^= reg[9]
0x80 6 reg[sub_804875F(reg, 1)] = *(_DWORD *)(reg[8] + 2);
0x99 1 break
0xa0 1 reg[1]!=0x6FEBF967 exit
0xa1 1 read(flag)
0xa4 4 table[(byte)data]=reg[1]
0xb1 1 reg[9] = table[0]
0xb2 1 reg[9] = table[1]
0xb3 1 reg[9] = table[2]
0xb4 1 reg[9] = table[3]
0xc1 2 reg[1] = flag[(byte)data]
0xc2 5 reg[1] != (byte)data exit
0xc7 1 reg[1] != table2[0] exit
0xc8 1 reg[1] != table2[1] exit
0xf7 1 reg[9] += reg[1]
0xfe 1 reg[1] = reg[9]

4.输出对应的操作流程

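code = [0xA1,0xC1,0x00,0xB1,0x77,0xC2,0x4A,0x01,0x00,0x00,0xC1,0x01,0xB2,0x77,0xC2,0x19,
0x01,0x00,0x00,0xC1,0x02,0xB4,0x77,0xC2,0xDD,0x01,0x00,0x00,0xC1,0x03,0xB3,0x77,
0xC2,0x0F,0x01,0x00,0x00,0xC1,0x04,0xB2,0x77,0xC2,0x1B,0x01,0x00,0x00,0xC1,0x05,
0xB4,0x77,0xC2,0x89,0x01,0x00,0x00,0xC1,0x06,0xB1,0x77,0xC2,0x19,0x01,0x00,0x00,
0xC1,0x07,0xB3,0x77,0xC2,0x54,0x01,0x00,0x00,0xC1,0x08,0xB1,0x77,0xC2,0x4F,0x01,
0x00,0x00,0xC1,0x09,0xB1,0x77,0xC2,0x4E,0x01,0x00,0x00,0xC1,0x0A,0xB3,0x77,0xC2,
0x55,0x01,0x00,0x00,0xC1,0x0B,0xB3,0x77,0xC2,0x56,0x01,0x00,0x00,0xC1,0x0C,0xB4,
0x77,0xC2,0x8E,0x00,0x00,0x00,0xC1,0x0D,0xB2,0x77,0xC2,0x49,0x00,0x00,0x00,0xC1,
0x0E,0xB3,0x77,0xC2,0x0E,0x01,0x00,0x00,0xC1,0x0F,0xB1,0x77,0xC2,0x4B,0x01,0x00,
0x00,0xC1,0x10,0xB3,0x77,0xC2,0x06,0x01,0x00,0x00,0xC1,0x11,0xB3,0x77,0xC2,0x54,
0x01,0x00,0x00,0xC1,0x12,0xB2,0x77,0xC2,0x1A,0x00,0x00,0x00,0xC1,0x13,0xB1,0x77,
0xC2,0x42,0x01,0x00,0x00,0xC1,0x14,0xB3,0x77,0xC2,0x53,0x01,0x00,0x00,0xC1,0x15,
0xB1,0x77,0xC2,0x1F,0x01,0x00,0x00,0xC1,0x16,0xB3,0x77,0xC2,0x52,0x01,0x00,0x00,
0xC1,0x17,0xB4,0x77,0xC2,0xDB,0x00,0x00,0x00,0xC1,0x18,0xB1,0x77,0xC2,0x19,0x01,
0x00,0x00,0xC1,0x19,0xB4,0x77,0xC2,0xD9,0x00,0x00,0x00,0xC1,0x1A,0xB1,0x77,0xC2,
0x19,0x01,0x00,0x00,0xC1,0x1B,0xB3,0x77,0xC2,0x55,0x01,0x00,0x00,0xC1,0x1C,0xB2,
0x77,0xC2,0x19,0x00,0x00,0x00,0xC1,0x1D,0xB3,0x77,0xC2,0x00,0x01,0x00,0x00,0xC1,
0x1E,0xB1,0x77,0xC2,0x4B,0x01,0x00,0x00,0xC1,0x1F,0xB2,0x77,0xC2,0x1E,0x00,0x00,
0x00,0xC1,0x20,0x80,0x02,0x18,0x00,0x00,0x00,0x23,0x10,0xC1,0x21,0x80,0x02,0x10,
0x00,0x00,0x00,0x23,0xF7,0xC1,0x22,0x80,0x02,0x08,0x00,0x00,0x00,0x23,0xF7,0xC1,
0x23,0xF7,0xFE,0x80,0x02,0x05,0x00,0x00,0x00,0x22,0x77,0x10,0x80,0x02,0x07,0x00,
0x00,0x00,0x23,0x80,0x02,0x23,0x77,0xF1,0x98,0x31,0x77,0x10,0x80,0x02,0x18,0x00,
0x00,0x00,0x23,0x80,0x02,0x20,0xB9,0xE4,0x35,0x31,0x77,0x10,0x80,0x02,0x12,0x00,
0x00,0x00,0x22,0x77,0xA0,0xC1,0x24,0x80,0x02,0x18,0x00,0x00,0x00,0x23,0x10,0xC1,
0x25,0x80,0x02,0x10,0x00,0x00,0x00,0x23,0xF7,0xC1,0x26,0x80,0x02,0x08,0x00,0x00,
0x00,0x23,0xF7,0xC1,0x27,0xF7,0xFE,0x32,0x20,0x43,0x33,0x77,0x80,0x02,0x11,0x00,
0x00,0x00,0x22,0x35,0x37,0x38,0x77,0x80,0x02,0x0D,0x00,0x00,0x00,0x23,0x77,0x38,
0x39,0x10,0x32,0x20,0x43,0x33,0x77,0x80,0x02,0x11,0x00,0x00,0x00,0x22,0x35,0x37,
0x38,0x77,0x80,0x02,0x0D,0x00,0x00,0x00,0x23,0x77,0x38,0x39,0xC7,0xC1,0x28,0x80,
0x02,0x18,0x00,0x00,0x00,0x23,0x10,0xC1,0x29,0x80,0x02,0x10,0x00,0x00,0x00,0x23,
0xF7,0xC1,0x2A,0x80,0x02,0x08,0x00,0x00,0x00,0x23,0xF7,0xC1,0x2B,0xF7,0xFE,0x32,
0x20,0x43,0x33,0x77,0x80,0x02,0x11,0x00,0x00,0x00,0x22,0x35,0x37,0x38,0x77,0x80,
0x02,0x0D,0x00,0x00,0x00,0x23,0x77,0x38,0x39,0x10,0x32,0x20,0x43,0x33,0x77,0x80,
0x02,0x11,0x00,0x00,0x00,0x22,0x35,0x37,0x38,0x77,0x80,0x02,0x0D,0x00,0x00,0x00,
0x23,0x77,0x38,0x39,0xC8,0x99]
table = [0x7b,0x2f,0x37,0xe8]
table2 = [0x0CF1304DC,0x283B8E84]
# opcode -> total instruction length in bytes (opcode + operands), taken
# from the dispatcher; this is how far idx advances per instruction.
codeLen = {
    0x9:1,0x10:1,0x11:1,0x22:1,
    0x23:1,0x30:1,0x31:1,0x32:2,
    0x33:1,0x34:2,0x35:1,0x37:1,
    0x38:1,0x39:1,0x41:1,0x42:1,
    0x43:1,0x44:1,0x53:2,0x54:2,
    0x71:5,0x76:5,0x77:1,0x80:6,
    0x99:1,0xa0:1,0xa1:1,0xa4:4,
    0xb1:1,0xb2:1,0xb3:1,0xb4:1,
    0xc1:2,0xc2:5,0xc7:1,0xc8:1,
    0xf7:1,0xfe:1
}
# opcode -> human-readable pseudo-op; "{}" slots are filled from operands.
codeName = {
    0x9: "reg[1] = 0x6FEBF967",
    0x10:"reg[9] = reg[1]",
    0x11:"printf(%x,reg[1])",
    0x22:"reg[1] >>= reg[2]",
    0x23:"reg[1] <<= reg[2]",
    0x30:"reg[1] |= reg[2]",
    0x31:"reg[1] &= reg[2]",
    0x32:"reg[3] = {}",
    0x33:"reg[4] = reg[1]",
    0x34:"reg[2] = {}",
    0x35:"reg[5] = reg[1]",
    0x37:"reg[1] = reg[5]",
    0x38:"reg[1] ^= reg[4]",
    0x39:"reg[1] ^= reg[5]",
    0x41:"reg[1] += reg[2]",
    0x42:"reg[1] -= reg[4]",
    0x43:"reg[1] *= reg[3]",
    0x44:"reg[1] /= reg[5]",
    0x53:"putchar(*(char *)reg[3])",
    0x54:"getchar(reg[3])",
    0x71:"reg[6] = (DWORD)data",
    0x76:"reg[3] = *(DWORD*)reg[6];*(DWORD*)reg[6]=0;reg[6]+=4",
    0x77:"reg[1] ^= reg[9]",
    0x80:"reg[{}] = {};",  # reg[code[idx+1]] = (DWORD)code[idx+2..idx+5]
    0x99:"break",
    0xa0:"reg[1]!=0x6FEBF967 exit",
    0xa1:"read(flag)",
    0xa4:"table[{}]=reg[1]",
    0xb1:"reg[9] = table[0]",
    0xb2:"reg[9] = table[1]",
    0xb3:"reg[9] = table[2]",
    0xb4:"reg[9] = table[3]",
    0xc1:"reg[1] = flag[{}]",
    0xc2:"reg[1] != {} exit",
    0xc7:"reg[1] != table2[0] exit",
    0xc8:"reg[1] != table2[1] exit",
    0xf7:"reg[9] += reg[1]",
    0xfe:"reg[1] = reg[9]"
}

# Opcodes whose first operand byte is printed as a hex immediate.
BYTE_IMM_OPS = {0x32, 0x34, 0xa4, 0xc1, 0xc2}
# Opcodes that load reg[9] from table[op - 0xb1]; the value is shown too.
TABLE_LOAD_OPS = {0xb1, 0xb2, 0xb3, 0xb4}


def describe_insn(code, idx):
    """Return the listing text for the instruction starting at code[idx].

    Operands are rendered the way the dispatcher consumes them: one byte
    immediate for BYTE_IMM_OPS, a table lookup for 0xb1..0xb4, a
    little-endian DWORD from code[idx+2:idx+6] for 0x80, and the four raw
    operand bytes for 0x71.  Everything else prints its codeName entry as
    is.  An opcode missing from codeName raises KeyError, which is the
    signal that the opcode table above is incomplete.
    """
    op = code[idx]
    text = codeName[op]
    if op in BYTE_IMM_OPS:
        return text.format(hex(code[idx + 1]))
    if op in TABLE_LOAD_OPS:
        return " ".join((text, " | :", hex(table[op - 0xb1])))
    if op == 0x80:
        dword = hex(code[idx + 2]
                    | (code[idx + 3] << 8)
                    | (code[idx + 4] << 16)
                    | (code[idx + 5] << 24))
        return text.format(code[idx + 1], dword)
    if op == 0x71:
        operands = [hex(code[idx + k]) for k in range(1, 5)]
        return " ".join([text, " | (DWORD)data:"] + operands)
    return text


# Walk the byte stream, printing one numbered pseudo-op per instruction.
# Each case formerly repeated the "line{n}  :" prefix and the idx/line
# bookkeeping; that is now done once here.
idx = 0
line = 0
while idx < len(code):
    print("line{0}  :{1}".format(line, describe_insn(code, idx)))
    idx += codeLen[code[idx]]
    line += 1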

5.运行得到操作流程

第一部分:32个字节异或得到
第二部分:4字节,经过各种运算之后与0x6FEBF967比较
第三部分:4字节,经过各种运算之后与0x0CF1304DC比较
第四部分:4字节,经过各种运算之后与0x283B8E84比较

line0  :read(flag)
line1  :reg[1] = flag[0x0]
line2  :reg[9] = table[0]  | : 0x7b
line3  :reg[1] ^= reg[9]
line4  :reg[1] != 0x4a exit
line5  :reg[1] = flag[0x1]
line6  :reg[9] = table[1]  | : 0x2f
line7  :reg[1] ^= reg[9]
line8  :reg[1] != 0x19 exit
line9  :reg[1] = flag[0x2]
line10  :reg[9] = table[3]  | : 0xe8
line11  :reg[1] ^= reg[9]
line12  :reg[1] != 0xdd exit
line13  :reg[1] = flag[0x3]
line14  :reg[9] = table[2]  | : 0x37
line15  :reg[1] ^= reg[9]
line16  :reg[1] != 0xf exit
line17  :reg[1] = flag[0x4]
line18  :reg[9] = table[1]  | : 0x2f
line19  :reg[1] ^= reg[9]
line20  :reg[1] != 0x1b exit
line21  :reg[1] = flag[0x5]
line22  :reg[9] = table[3]  | : 0xe8
line23  :reg[1] ^= reg[9]
line24  :reg[1] != 0x89 exit
line25  :reg[1] = flag[0x6]
line26  :reg[9] = table[0]  | : 0x7b
line27  :reg[1] ^= reg[9]
line28  :reg[1] != 0x19 exit
line29  :reg[1] = flag[0x7]
line30  :reg[9] = table[2]  | : 0x37
line31  :reg[1] ^= reg[9]
line32  :reg[1] != 0x54 exit
line33  :reg[1] = flag[0x8]
line34  :reg[9] = table[0]  | : 0x7b
line35  :reg[1] ^= reg[9]
line36  :reg[1] != 0x4f exit
line37  :reg[1] = flag[0x9]
line38  :reg[9] = table[0]  | : 0x7b
line39  :reg[1] ^= reg[9]
line40  :reg[1] != 0x4e exit
line41  :reg[1] = flag[0xa]
line42  :reg[9] = table[2]  | : 0x37
line43  :reg[1] ^= reg[9]
line44  :reg[1] != 0x55 exit
line45  :reg[1] = flag[0xb]
line46  :reg[9] = table[2]  | : 0x37
line47  :reg[1] ^= reg[9]
line48  :reg[1] != 0x56 exit
line49  :reg[1] = flag[0xc]
line50  :reg[9] = table[3]  | : 0xe8
line51  :reg[1] ^= reg[9]
line52  :reg[1] != 0x8e exit
line53  :reg[1] = flag[0xd]
line54  :reg[9] = table[1]  | : 0x2f
line55  :reg[1] ^= reg[9]
line56  :reg[1] != 0x49 exit
line57  :reg[1] = flag[0xe]
line58  :reg[9] = table[2]  | : 0x37
line59  :reg[1] ^= reg[9]
line60  :reg[1] != 0xe exit
line61  :reg[1] = flag[0xf]
line62  :reg[9] = table[0]  | : 0x7b
line63  :reg[1] ^= reg[9]
line64  :reg[1] != 0x4b exit
line65  :reg[1] = flag[0x10]
line66  :reg[9] = table[2]  | : 0x37
line67  :reg[1] ^= reg[9]
line68  :reg[1] != 0x6 exit
line69  :reg[1] = flag[0x11]
line70  :reg[9] = table[2]  | : 0x37
line71  :reg[1] ^= reg[9]
line72  :reg[1] != 0x54 exit
line73  :reg[1] = flag[0x12]
line74  :reg[9] = table[1]  | : 0x2f
line75  :reg[1] ^= reg[9]
line76  :reg[1] != 0x1a exit
line77  :reg[1] = flag[0x13]
line78  :reg[9] = table[0]  | : 0x7b
line79  :reg[1] ^= reg[9]
line80  :reg[1] != 0x42 exit
line81  :reg[1] = flag[0x14]
line82  :reg[9] = table[2]  | : 0x37
line83  :reg[1] ^= reg[9]
line84  :reg[1] != 0x53 exit
line85  :reg[1] = flag[0x15]
line86  :reg[9] = table[0]  | : 0x7b
line87  :reg[1] ^= reg[9]
line88  :reg[1] != 0x1f exit
line89  :reg[1] = flag[0x16]
line90  :reg[9] = table[2]  | : 0x37
line91  :reg[1] ^= reg[9]
line92  :reg[1] != 0x52 exit
line93  :reg[1] = flag[0x17]
line94  :reg[9] = table[3]  | : 0xe8
line95  :reg[1] ^= reg[9]
line96  :reg[1] != 0xdb exit
line97  :reg[1] = flag[0x18]
line98  :reg[9] = table[0]  | : 0x7b
line99  :reg[1] ^= reg[9]
line100  :reg[1] != 0x19 exit
line101  :reg[1] = flag[0x19]
line102  :reg[9] = table[3]  | : 0xe8
line103  :reg[1] ^= reg[9]
line104  :reg[1] != 0xd9 exit
line105  :reg[1] = flag[0x1a]
line106  :reg[9] = table[0]  | : 0x7b
line107  :reg[1] ^= reg[9]
line108  :reg[1] != 0x19 exit
line109  :reg[1] = flag[0x1b]
line110  :reg[9] = table[2]  | : 0x37
line111  :reg[1] ^= reg[9]
line112  :reg[1] != 0x55 exit
line113  :reg[1] = flag[0x1c]
line114  :reg[9] = table[1]  | : 0x2f
line115  :reg[1] ^= reg[9]
line116  :reg[1] != 0x19 exit
line117  :reg[1] = flag[0x1d]
line118  :reg[9] = table[2]  | : 0x37
line119  :reg[1] ^= reg[9]
line120  :reg[1] != 0x0 exit
line121  :reg[1] = flag[0x1e]
line122  :reg[9] = table[0]  | : 0x7b
line123  :reg[1] ^= reg[9]
line124  :reg[1] != 0x4b exit
line125  :reg[1] = flag[0x1f]
line126  :reg[9] = table[1]  | : 0x2f
line127  :reg[1] ^= reg[9]
line128  :reg[1] != 0x1e exit

line129  :reg[1] = flag[0x20]
line130  :reg[2] = 0x18;
line131  :reg[1] <<= reg[2]
line132  :reg[9] = reg[1]
line133  :reg[1] = flag[0x21]
line134  :reg[2] = 0x10;
line135  :reg[1] <<= reg[2]
line136  :reg[9] += reg[1]
line137  :reg[1] = flag[0x22]
line138  :reg[2] = 0x8;
line139  :reg[1] <<= reg[2]
line140  :reg[9] += reg[1]
line141  :reg[1] = flag[0x23]
line142  :reg[9] += reg[1]
line143  :reg[1] = reg[9]

line144  :reg[2] = 0x5;
line145  :reg[1] >>= reg[2]
line146  :reg[1] ^= reg[9]
line147  :reg[9] = reg[1]
line148  :reg[2] = 0x7;
line149  :reg[1] <<= reg[2]
line150  :reg[2] = 0x98f17723;
line151  :reg[1] &= reg[2]
line152  :reg[1] ^= reg[9]
line153  :reg[9] = reg[1]
line154  :reg[2] = 0x18;
line155  :reg[1] <<= reg[2]
line156  :reg[2] = 0x35e4b920;
line157  :reg[1] &= reg[2]
line158  :reg[1] ^= reg[9]
line159  :reg[9] = reg[1]
line160  :reg[2] = 0x12;
line161  :reg[1] >>= reg[2]
line162  :reg[1] ^= reg[9]
line163  :reg[1]!=0x6FEBF967 exit


line164  :reg[1] = flag[0x24]
line165  :reg[2] = 0x18;
line166  :reg[1] <<= reg[2]
line167  :reg[9] = reg[1]
line168  :reg[1] = flag[0x25]
line169  :reg[2] = 0x10;
line170  :reg[1] <<= reg[2]
line171  :reg[9] += reg[1]
line172  :reg[1] = flag[0x26]
line173  :reg[2] = 0x8;
line174  :reg[1] <<= reg[2]
line175  :reg[9] += reg[1]
line176  :reg[1] = flag[0x27]
line177  :reg[9] += reg[1]
line178  :reg[1] = reg[9]

line179  :reg[3] = 0x20
line180  :reg[1] *= reg[3]
line181  :reg[4] = reg[1]
line182  :reg[1] ^= reg[9]
line183  :reg[2] = 0x11;
line184  :reg[1] >>= reg[2]
line185  :reg[5] = reg[1]
line186  :reg[1] = reg[5]
line187  :reg[1] ^= reg[4]
line188  :reg[1] ^= reg[9]
line189  :reg[2] = 0xd;
line190  :reg[1] <<= reg[2]
line191  :reg[1] ^= reg[9]
line192  :reg[1] ^= reg[4]
line193  :reg[1] ^= reg[5]
line194  :reg[9] = reg[1]
line195  :reg[3] = 0x20
line196  :reg[1] *= reg[3]
line197  :reg[4] = reg[1]
line198  :reg[1] ^= reg[9]
line199  :reg[2] = 0x11;
line200  :reg[1] >>= reg[2]
line201  :reg[5] = reg[1]
line202  :reg[1] = reg[5]
line203  :reg[1] ^= reg[4]
line204  :reg[1] ^= reg[9]
line205  :reg[2] = 0xd;
line206  :reg[1] <<= reg[2]
line207  :reg[1] ^= reg[9]
line208  :reg[1] ^= reg[4]
line209  :reg[1] ^= reg[5]
line210  :reg[1] != table2[0] exit

line211  :reg[1] = flag[0x28]
line212  :reg[2] = 0x18;
line213  :reg[1] <<= reg[2]
line214  :reg[9] = reg[1]
line215  :reg[1] = flag[0x29]
line216  :reg[2] = 0x10;
line217  :reg[1] <<= reg[2]
line218  :reg[9] += reg[1]
line219  :reg[1] = flag[0x2a]
line220  :reg[2] = 0x8;
line221  :reg[1] <<= reg[2]
line222  :reg[9] += reg[1]
line223  :reg[1] = flag[0x2b]
line224  :reg[9] += reg[1]
line225  :reg[1] = reg[9]

line226  :reg[3] = 0x20
line227  :reg[1] *= reg[3]
line228  :reg[4] = reg[1]
line229  :reg[1] ^= reg[9]
line230  :reg[2] = 0x11;
line231  :reg[1] >>= reg[2]
line232  :reg[5] = reg[1]
line233  :reg[1] = reg[5]
line234  :reg[1] ^= reg[4]
line235  :reg[1] ^= reg[9]
line236  :reg[2] = 0xd;
line237  :reg[1] <<= reg[2]
line238  :reg[1] ^= reg[9]
line239  :reg[1] ^= reg[4]
line240  :reg[1] ^= reg[5]
line241  :reg[9] = reg[1]
line242  :reg[3] = 0x20
line243  :reg[1] *= reg[3]
line244  :reg[4] = reg[1]
line245  :reg[1] ^= reg[9]
line246  :reg[2] = 0x11;
line247  :reg[1] >>= reg[2]
line248  :reg[5] = reg[1]
line249  :reg[1] = reg[5]
line250  :reg[1] ^= reg[4]
line251  :reg[1] ^= reg[9]
line252  :reg[2] = 0xd;
line253  :reg[1] <<= reg[2]
line254  :reg[1] ^= reg[9]
line255  :reg[1] ^= reg[4]
line256  :reg[1] ^= reg[5]
line257  :reg[1] != table2[1] exit
line258  :break

6.爆破得到flag

第二部分直接把上面输出的操作序列复制到C代码里爆破即可,第三、四部分同理。最后得到
flag:16584abc45baff901c59dde3b1bb6701a254b06cdc23

#include "stdio.h"

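/* One pass of the VM's mixing sequence (trace lines 144-162) on the 32-bit
 * value assembled from flag[0x20..0x23].  It mirrors the opcode stream
 * one for one (reg[1] -> r1, reg[9] -> r9) and relies on unsigned int
 * being 32 bits wide, as the VM's DWORD registers are. */
static unsigned int mix(unsigned int v)
{
    unsigned int r1 = v;            /* reg[1] */
    unsigned int r9 = v;            /* reg[9] */
    r1 >>= 5;                       /* reg[2] = 0x5;  reg[1] >>= reg[2] */
    r1 ^= r9;
    r9 = r1;
    r1 <<= 7;                       /* reg[2] = 0x7;  reg[1] <<= reg[2] */
    r1 &= 0x98f17723u;
    r1 ^= r9;
    r9 = r1;
    r1 <<= 24;                      /* reg[2] = 0x18; reg[1] <<= reg[2] */
    r1 &= 0x35e4b920u;
    r1 ^= r9;
    r9 = r1;
    r1 >>= 18;                      /* reg[2] = 0x12; reg[1] >>= reg[2] */
    r1 ^= r9;
    return r1;
}

/* Try every 32-bit input and print (as hex) each one that mix() maps to
 * the constant the VM compares against (opcode 0xa0).  For this challenge
 * the hit decodes to the four ASCII flag bytes at offsets 0x20..0x23.
 *
 * The counter is unsigned and the range check is done explicitly: the
 * original `for (int i = 0; i < 0xffffffff; i++)` incremented a signed int
 * past INT_MAX, which is undefined behaviour, and it also never tested
 * 0xffffffff itself. */
int main(void)
{
    const unsigned int target = 0x6FEBF967u;
    unsigned int i = 0;
    for (;;) {
        if (mix(i) == target) {
            printf("%x\n", i);
        }
        if (i == 0xffffffffu) {
            break;
        }
        i++;
    }
    return 0;
}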

总结

vm的题目,
1.需要找到dispatch
2.找到opcode对应的操作
3.找到所有的code
4.输出所有的运行过程

这个流程有点像trace,如果vm很复杂会很麻烦。不知道有没有什么更好的办法,如果有更好的解决vm的思路,请大师傅教教我
