64-bit ELF, no packer. My hard drive died, so there is no room for a virtual machine; I'll do dynamic debugging once the new drive arrives. For now, let's pick a simple VM challenge and analyse it statically. I'm a total CTF newbie, so any pointers from the experts are welcome.
The entry is extremely simple: given the challenge name, just go straight to the VM code, which lives at 400DB7. For me the main difficulty of this challenge is the number of instructions; about 30 handlers are implemented. The simple ones like mov and xor are fine, but I'm not yet comfortable with jmp and jne, so I could only reproduce the analysis by following another writeup.
The bytecode is stored at 6021C0; mind the element size when you dump it. Tidied up a little:
opcode1=['0x8', '0x1', '0x0', '0x8', '0x3', '0x46', '0xe',
'0x15', '0xa', '0x1', '0x9', '0x2', '0xb', '0xa',
'0x1', '0xa', '0x2', '0x9', '0x1', '0x11', '0x1',
'0xd', '0x1', '0x3', '0xf', '0x8', '0x8', '0x1',
'0x0', '0x8', '0x3', '0x47', '0xe', '0x46', '0xa',
'0x1', '0x1a', '0x2', '0x6', '0x1d', '0x1', '0x4',
'0x14', '0x2', '0x1', '0x19', '0x1', '0x2', '0x1b',
'0x1', '0x1', '0x1d', '0x1', '0x6e', '0x13', '0x1',
'0x63', '0x15', '0x1', '0x74', '0x13', '0x1', '0x66',
'0x1c', '0x2', '0x1', '0x9', '0x1', '0x11', '0x1',
'0xd', '0x1', '0x3', '0xf', '0x22', '0x64', '0x0',
'0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0',
'0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0',
'0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0']
For the instructions I'm less familiar with, the analysis below borrows from this writeup: CTF-RE-WcyVM by SuperGate (CSDN blog) (if this infringes, please contact me for removal).
Disassembly (offsets are byte positions in the opcode table; the indented, unnumbered lines are the host-side flag handling for cmp and for the conditional jump opcode at 24 and 73, as the referenced writeup rendered them):
0  mov R0, 0
3  mov R2, 70
6  jmp 21
8  push R0
10 pop R1
12 R0 = getchar()
13 push R0
15 push R1
17 pop R0
19 inc R0
21 cmp R0, R2
      jnz 24
      mov a, 80
24 and a, 80
      test a, a
      jnz 8
26 mov R0, 0
29 mov R2, 71
32 jmp 70
34 push R0
36 mov R1, 5
39 mul R0, 4
42 sub R1, R0
45 mov R0, R1
48 mov R0, [R0]
51 mul R0, 110
54 add R0, 99
57 xor R0, 116
60 add R0, 102
63 mov [R1], R0
66 pop R0
68 inc R0
70 cmp R0, R2
      jnz 73
      mov a, 80
73 and a, 80
      test a, a
      jnz 34
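The listing above was produced by hand. As an added example (not the writeup's or the challenge author's code), here is a table-driven decoder for the same bytecode. Opcode numbers, operand counts and the register numbering (byte 1 = R0, 2 = R1, 3 = R2) are inferred by lining the dump up against the listing; the mnemonics follow the listing. Two points are my assumptions: the 0x64 at offset 75 is treated as a halt because nothing follows it but zero padding, and 0x1a is decoded as mov reg, imm even though the listing shows its immediate at offset 36 as 5 while the dumped byte is 6.

```python
# Added example: table-driven disassembler for the bytecode dumped from 6021C0.
# Encodings were inferred by aligning the dump with the hand-written listing;
# 0x64 = halt and 0x1a = mov reg, imm are assumptions (see the lead-in).
CODE = bytes([
    0x8, 0x1, 0x0, 0x8, 0x3, 0x46, 0xe, 0x15, 0xa, 0x1, 0x9, 0x2, 0xb, 0xa,
    0x1, 0xa, 0x2, 0x9, 0x1, 0x11, 0x1, 0xd, 0x1, 0x3, 0xf, 0x8, 0x8, 0x1,
    0x0, 0x8, 0x3, 0x47, 0xe, 0x46, 0xa, 0x1, 0x1a, 0x2, 0x6, 0x1d, 0x1, 0x4,
    0x14, 0x2, 0x1, 0x19, 0x1, 0x2, 0x1b, 0x1, 0x1, 0x1d, 0x1, 0x6e, 0x13, 0x1,
    0x63, 0x15, 0x1, 0x74, 0x13, 0x1, 0x66, 0x1c, 0x2, 0x1, 0x9, 0x1, 0x11, 0x1,
    0xd, 0x1, 0x3, 0xf, 0x22, 0x64,
])

# opcode -> (mnemonic, operand pattern). Pattern letters: r = register byte,
# i = immediate byte, m = register byte printed as a memory operand [Rn].
OPS = {
    0x08: ("mov", "ri"),
    0x09: ("pop", "r"),
    0x0a: ("push", "r"),
    0x0b: ("getchar", ""),      # listed as "R0 = getchar()"
    0x0d: ("cmp", "rr"),
    0x0e: ("jmp", "i"),
    0x0f: ("jnz", "i"),         # conditional jump, target is a byte offset
    0x11: ("inc", "r"),
    0x13: ("add", "ri"),
    0x14: ("sub", "rr"),
    0x15: ("xor", "ri"),
    0x19: ("mov", "rr"),
    0x1a: ("mov", "ri"),        # assumption: same form as 0x08
    0x1b: ("mov", "rm"),        # load: mov R0, [R0]
    0x1c: ("mov", "mr"),        # store: mov [R1], R0
    0x1d: ("mul", "ri"),
    0x64: ("halt", ""),         # assumption: only zero padding follows it
}


def fmt_operand(kind, b):
    """Register bytes are 1-based in the dump, so byte 1 prints as R0."""
    if kind == "r":
        return f"R{b - 1}"
    if kind == "m":
        return f"[R{b - 1}]"
    return str(b)


def disassemble(code):
    """Return [(offset, text), ...]; stops at halt or at an unknown opcode."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            out.append((pc, f"db 0x{op:02x}   ; unknown opcode"))
            break
        mnem, pattern = OPS[op]
        operands = [fmt_operand(k, code[pc + 1 + n]) for n, k in enumerate(pattern)]
        out.append((pc, (mnem + " " + ", ".join(operands)).strip()))
        pc += 1 + len(pattern)
        if mnem == "halt":
            break
    return out


def listing(code):
    """Render the disassembly in the same offset-first layout as the listing above."""
    return "\n".join(f"{off:3d}  {text}" for off, text in disassemble(code))


if __name__ == "__main__":
    print(listing(CODE))
```

Running it reproduces the 31 instructions of the hand listing with identical offsets, which is the quickest check that the operand widths in the table are right: a single wrong width desynchronises every offset after it.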
Reading the assembly worked out above, the logic is: the first loop (0 to 24) reads the input string, call it flag, one character at a time and pushes each character onto the VM stack (13 push R0 right after the getchar). The second loop (26 to 73) loads each stored character (48 mov R0, [R0]), applies the following transform per character and stores the result back in place (63 mov [R1], R0):
((flag*110)+99)^116+102
Inverting that step by step gives the script:
encarr=['0x36d3', '0x2aff', '0x2acb', '0x2b95', '0x2b95', '0x2b95', '0x169f', '0x186d', '0x18d7', '0x1611', '0x18d7', '0x2b95', '0x2c23', '0x2ca9', '0x1611', '0x1611', '0x18d7', '0x2aff', '0x1849', '0x18fb', '0x2acb', '0x2a71', '0x1735', '0x18d7', '0x1611', '0x2acb', '0x15dd', '0x18d7', '0x2c23', '0x169f', '0x15dd', '0x2b95', '0x169f', '0x156b', '0x186d', '0x2aff', '0x1611', '0x1611', '0x15dd', '0x2aff', '0x2c23', '0x2acb', '0x15dd', '0x15dd', '0x186d', '0x1849', '0x2b95', '0x156b', '0x1735', '0x18fb', '0x18fb', '0x2a71', '0x2aff', '0x1735', '0x2c23', '0x15dd', '0x18d7', '0x2a71', '0x18d7', '0x18d7', '0x2c23', '0x2aff', '0x156b', '0x2c23', '0x169f', '0x35af', '0x2ca9', '0x32b5', '0x2aff', '0x3039']
# inverse of ((flag*110)+99)^116+102, applied to each dumped word in turn
for i in encarr:
    a=int(i,16)
    b=(((a-102)^116)-99)//110   # integer division: every step of the transform is exact
    print(chr(b),end='')
Here I had the order backwards (the script prints in the order the words are stored); reversed, it is
nctf{3e1ce77b70e4cb9941d6800aec022c813d03e70a274ba96c722fed72783dddac}
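As an added example that is not part of the original writeup, here is a solver that applies the inverse per character, undoes the stack-order reversal explicitly instead of by hand, and re-encrypts the result to confirm it matches the dump. ENC is the same 70-word table as encarr above. It also shows the lookup-table inverse over 0..255, which needs only the forward transform and is the approach to reach for when a VM's per-byte transform is awkward to invert algebraically.

```python
# Added example: solve the WcyVM challenge from the dumped words and verify
# the answer by re-running the forward transform. ENC is the table dumped from
# the binary (same values as encarr in the writeup); nothing else is assumed.
ENC = [
    0x36d3, 0x2aff, 0x2acb, 0x2b95, 0x2b95, 0x2b95, 0x169f, 0x186d, 0x18d7, 0x1611,
    0x18d7, 0x2b95, 0x2c23, 0x2ca9, 0x1611, 0x1611, 0x18d7, 0x2aff, 0x1849, 0x18fb,
    0x2acb, 0x2a71, 0x1735, 0x18d7, 0x1611, 0x2acb, 0x15dd, 0x18d7, 0x2c23, 0x169f,
    0x15dd, 0x2b95, 0x169f, 0x156b, 0x186d, 0x2aff, 0x1611, 0x1611, 0x15dd, 0x2aff,
    0x2c23, 0x2acb, 0x15dd, 0x15dd, 0x186d, 0x1849, 0x2b95, 0x156b, 0x1735, 0x18fb,
    0x18fb, 0x2a71, 0x2aff, 0x1735, 0x2c23, 0x15dd, 0x18d7, 0x2a71, 0x18d7, 0x18d7,
    0x2c23, 0x2aff, 0x156b, 0x2c23, 0x169f, 0x35af, 0x2ca9, 0x32b5, 0x2aff, 0x3039,
]


def encrypt_char(c):
    """Per-character transform read off the second VM loop (offsets 51 to 60)."""
    return (((c * 110) + 99) ^ 116) + 102


def decrypt_char(v):
    """Algebraic inverse. Every step is exact on integers, so a value that is
    not a multiple of 110 after undoing the add/xor/add means the dump or the
    transform is wrong, not a rounding artefact; refuse it instead of guessing."""
    x = ((v - 102) ^ 116) - 99
    if x % 110:
        raise ValueError(f"0x{v:x} is not a valid ciphertext word")
    return x // 110


# Lookup-table inverse: built from the forward transform alone, so it needs no
# algebra at all. encrypt_char is injective on integers, so the table is exact.
INVERSE = {encrypt_char(c): c for c in range(256)}


def solve(enc, use_table=False):
    """Decrypt the dumped words and put them back into input order."""
    if use_table:
        chars = [chr(INVERSE[v]) for v in enc]
    else:
        chars = [chr(decrypt_char(v)) for v in enc]
    # The read loop pushes each character onto the VM stack and the encrypt
    # loop walks that stack from the top, so the dump is in reverse input order.
    return "".join(reversed(chars))


def check(flag, enc):
    """Forward transform over the flag in stack order must reproduce the dump."""
    return [encrypt_char(ord(c)) for c in reversed(flag)] == list(enc)


if __name__ == "__main__":
    flag = solve(ENC)
    assert solve(ENC, use_table=True) == flag
    assert check(flag, ENC)
    print(flag)
```

The re-encryption check is cheap and worth keeping in every VM solver: it catches a transcription error in the dump or a mis-read constant in the listing before you submit a flag that is off by one character.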