[NCTF 2018] wcyvm RE reproduction

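64-bit ELF, not packed. My computer's hard drive is full and there is no room left for a virtual machine, so dynamic debugging will have to wait until the new drive arrives; for now I picked a simple VM to analyze statically. I am a complete CTF beginner, so pointers from experts are welcome.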

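The entry point is extremely simple. Given the challenge name, just go straight to the VM code, which is at 400DB7. For me, the main difficulty of this challenge is the number of instructions: roughly 30 instructions were built. Simple ones like mov and xor are fine, but I don't have a good grasp of ones like jmp and jne, so I could only reproduce it by following an expert's writeup.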

The instructions are stored at 6021C0; pay attention to the size of the type. A quick tidy-up:

opcode1=['0x8', '0x1', '0x0', '0x8', '0x3', '0x46', '0xe',
         '0x15', '0xa', '0x1', '0x9', '0x2', '0xb', '0xa',
         '0x1', '0xa', '0x2', '0x9', '0x1', '0x11', '0x1',
         '0xd', '0x1', '0x3', '0xf', '0x8', '0x8', '0x1',
         '0x0', '0x8', '0x3', '0x47', '0xe', '0x46', '0xa',
         '0x1', '0x1a', '0x2', '0x6', '0x1d', '0x1', '0x4',
         '0x14', '0x2', '0x1', '0x19', '0x1', '0x2', '0x1b',
         '0x1', '0x1', '0x1d', '0x1', '0x6e', '0x13', '0x1',
         '0x63', '0x15', '0x1', '0x74', '0x13', '0x1', '0x66',
         '0x1c', '0x2', '0x1', '0x9', '0x1', '0x11', '0x1',
         '0xd', '0x1', '0x3', '0xf', '0x22', '0x64', '0x0',
         '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0',
         '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0',
         '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0']

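For the assembly instructions I am less familiar with, the analysis here borrows from this writeup: CTF-RE-WcyVM, SuperGate's blog on CSDN (if this infringes, please contact me for removal).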

0   mov R0 0
3   mov R2 70
6   jmp 21
8   push R0
10 pop R1
12 R0=getchar()
13 push R0
15 push R1
17 pop R0
19 inc R0
21 cmp R0,R2
     jnz 24
     mov a, 80
24 and a, 80
     test a a
     jnz 8
26 mov R0 0
29 mov R2 71
32 jmp 70
34 push R0
36 mov R1, 5
39 mul R0, 4
42 sub R1, R0
45 mov R0, R1
48 mov R0, [R0]
51 mul R0, 110
54 add R0, 99
57 xor R0, 116
60 add R0, 102
63 mov [R1], R0
66 pop R0
68 inc R0
70 cmp R0 R2
     jnz 73
     mov a, 80
73 and a, 80
     test a a
     jnz 34

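Reading the assembly I worked out, the logic is: first read the input string, call it flag; the encryption logic, applied to each character, is

(((flag*110)+99)^116)+102

Invert it to write the script: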

encarr=['0x36d3', '0x2aff', '0x2acb', '0x2b95', '0x2b95', '0x2b95', '0x169f', '0x186d', '0x18d7', '0x1611', '0x18d7', '0x2b95', '0x2c23', '0x2ca9', '0x1611', '0x1611', '0x18d7', '0x2aff', '0x1849', '0x18fb', '0x2acb', '0x2a71', '0x1735', '0x18d7', '0x1611', '0x2acb', '0x15dd', '0x18d7', '0x2c23', '0x169f', '0x15dd', '0x2b95', '0x169f', '0x156b', '0x186d', '0x2aff', '0x1611', '0x1611', '0x15dd', '0x2aff', '0x2c23', '0x2acb', '0x15dd', '0x15dd', '0x186d', '0x1849', '0x2b95', '0x156b', '0x1735', '0x18fb', '0x18fb', '0x2a71', '0x2aff', '0x1735', '0x2c23', '0x15dd', '0x18d7', '0x2a71', '0x18d7', '0x18d7', '0x2c23', '0x2aff', '0x156b', '0x2c23', '0x169f', '0x35af', '0x2ca9', '0x32b5', '0x2aff', '0x3039']
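# Inverse of the per-character transform (((flag*110)+99)^116)+102
for i in encarr:
    a = int(i, 16)
    # Undo each step in reverse order; integer division keeps the result exact
    b = (((a - 102) ^ 116) - 99) // 110
    print(chr(b), end='')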

Here I got the order reversed; reversed, it is

nctf{3e1ce77b70e4cb9941d6800aec022c813d03e70a274ba96c722fed72783dddac}
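
A round-trip check of the solve above, as an added example that is not part of the original post: it inverts each value with an exact-division and printable-range check, reverses the order as the post describes, and re-encodes the result to confirm it reproduces encarr. The function names are assumptions made for this example; the constants and the encarr values are the ones on this page.

```python
# Added example; ENC is the encarr table from this page, written as integers.
ENC = [
    0x36d3, 0x2aff, 0x2acb, 0x2b95, 0x2b95, 0x2b95, 0x169f, 0x186d, 0x18d7, 0x1611,
    0x18d7, 0x2b95, 0x2c23, 0x2ca9, 0x1611, 0x1611, 0x18d7, 0x2aff, 0x1849, 0x18fb,
    0x2acb, 0x2a71, 0x1735, 0x18d7, 0x1611, 0x2acb, 0x15dd, 0x18d7, 0x2c23, 0x169f,
    0x15dd, 0x2b95, 0x169f, 0x156b, 0x186d, 0x2aff, 0x1611, 0x1611, 0x15dd, 0x2aff,
    0x2c23, 0x2acb, 0x15dd, 0x15dd, 0x186d, 0x1849, 0x2b95, 0x156b, 0x1735, 0x18fb,
    0x18fb, 0x2a71, 0x2aff, 0x1735, 0x2c23, 0x15dd, 0x18d7, 0x2a71, 0x18d7, 0x18d7,
    0x2c23, 0x2aff, 0x156b, 0x2c23, 0x169f, 0x35af, 0x2ca9, 0x32b5, 0x2aff, 0x3039,
]

def transform(c: int) -> int:
    """Per-character VM transform: mul 110, add 99, xor 116, add 102."""
    return (((c * 110) + 99) ^ 116) + 102

def misparsed(c: int) -> int:
    """Same expression without the outer parentheses.
    Python's ^ binds looser than +, so this is x ^ (116 + 102)."""
    return ((c * 110) + 99) ^ 116 + 102

def invert(v: int) -> int:
    """Undo transform(); reject values that are not an exact image of a printable byte."""
    q, r = divmod(((v - 102) ^ 116) - 99, 110)
    if r != 0 or not 0x20 <= q < 0x7f:
        raise ValueError(f"0x{v:x} is not the image of a printable character")
    return q

def decode(enc) -> str:
    # The table holds the characters in reverse input order, so walk it backwards.
    return "".join(chr(invert(v)) for v in reversed(enc))

def encode(flag: str) -> list:
    # Forward direction, producing values in the same reversed order as the table.
    return [transform(ord(ch)) for ch in reversed(flag)]

if __name__ == "__main__":
    flag = decode(ENC)
    # Re-encoding must reproduce the table exactly, otherwise the inverse is wrong.
    assert encode(flag) == ENC
    print(flag)
```

If a step of the inverse is wrong or applied in the wrong order, invert() raises on a non-zero remainder rather than silently printing garbage.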
