楚慧杯ez_vm

虚拟机逆向。思路是用 z3 的符号变量模拟程序执行，得到每个字节的表达式之后再交给 z3 求解，这样比较好理解。这题有个坑是下标越界的问题：动调时发现，opcode 中的 0x32 是作为下标 0 使用的，依此类推——坑就在这里。

# VM bytecode dumped from the binary, already in the form the emulator below
# consumes: a flat list read three entries at a time as (op, a, b) -- see the
# dispatch loop further down, which walks it in strides of 3.
# Decoded, the program is two `copy1` setup instructions that load the
# constants 0x11 into temp[1] and 0x13 into temp[2], followed by 38 identical
# four-instruction groups, one per flag byte i = 0x00..0x25:
#   7 0 i    temp[0]  = flag[i]
#   1 0 1    temp[0] ^= temp[1]     (^ 0x11)
#   2 0 2    temp[0] += temp[2]     (+ 0x13)
#   6 i 0    flag[i]  = temp[0]
# (6 + 38 * 12 = 462 entries.)  Opcodes 3, 4 and 5 (sub / shifts) never occur
# in this stream, so their handlers are not exercised by this challenge.
opcode = [0x8,0x1,0x11,0x8,0x2,0x13,0x7,0x0,0x0,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0x0,0x0,0x7,0x0,
0x1,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x1,0x0,
0x7,0x0,0x2,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x2,0x0,0x7,0x0,0x3,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0x3,0x0,0x7,0x0,0x4,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0x4,0x0,0x7,0x0,0x5,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0x5,0x0,0x7,0x0,
0x6,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x6,0x0,
0x7,0x0,0x7,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x7,0x0,0x7,0x0,0x8,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0x8,0x0,0x7,0x0,0x9,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0x9,0x0,0x7,0x0,0xa,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0xa,0x0,0x7,0x0,
0xb,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0xb,0x0,
0x7,0x0,0xc,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0xc,0x0,0x7,0x0,0xd,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0xd,0x0,0x7,0x0,0xe,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0xe,0x0,0x7,0x0,0xf,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0xf,0x0,0x7,0x0,
0x10,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x10,0x0,
0x7,0x0,0x11,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x11,0x0,0x7,0x0,0x12,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0x12,0x0,0x7,0x0,0x13,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0x13,0x0,0x7,0x0,0x14,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0x14,0x0,0x7,0x0,
0x15,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x15,0x0,
0x7,0x0,0x16,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x16,0x0,0x7,0x0,0x17,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0x17,0x0,0x7,0x0,0x18,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0x18,0x0,0x7,0x0,0x19,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0x19,0x0,0x7,0x0,
0x1a,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x1a,0x0,
0x7,0x0,0x1b,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x1b,0x0,0x7,0x0,0x1c,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0x1c,0x0,0x7,0x0,0x1d,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0x1d,0x0,0x7,0x0,0x1e,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0x1e,0x0,0x7,0x0,
0x1f,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x1f,0x0,
0x7,0x0,0x20,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x20,0x0,0x7,0x0,0x21,0x1,0x0,0x1,0x2,0x0,
0x2,0x6,0x21,0x0,0x7,0x0,0x22,0x1,0x0,0x1,
0x2,0x0,0x2,0x6,0x22,0x0,0x7,0x0,0x23,0x1,
0x0,0x1,0x2,0x0,0x2,0x6,0x23,0x0,0x7,0x0,
0x24,0x1,0x0,0x1,0x2,0x0,0x2,0x6,0x24,0x0,
0x7,0x0,0x25,0x1,0x0,0x1,0x2,0x0,0x2,0x6,
0x25,0x0
]

from z3 import *

# Symbolic input: one 64-bit z3 variable per flag byte (38 bytes, 0x00..0x25),
# named "0".."37".  NOTE: the opcode-6 handler overwrites entries of this list
# with the VM's output expressions, so after emulation `flag` holds the
# encrypted expressions rather than the input symbols (the solve step
# re-creates the symbols by name).  64 bits is a modelling choice -- the real
# VM's register width is not shown here; the arithmetic in this program does
# not wrap for 7-bit ASCII input, so the width does not change the answer.
flag = [BitVec(str(i), 64) for i in range(38)]
# VM scratch slots: the immediates 0x11/0x13 and the running value live here.
temp = [0 for _ in range(0x38)]

def xor_1(a, b):
    """Opcode 1: temp[a] ^= temp[b] (XOR two VM scratch slots in place)."""
    current = temp[a]
    temp[a] = current ^ temp[b]

def add(a, b):
    """Opcode 2: temp[a] += temp[b] (add two VM scratch slots in place)."""
    current = temp[a]
    temp[a] = current + temp[b]

def sub(a, b):
    """Opcode 3: temp[a] -= temp[b].  Not used by this challenge's bytecode."""
    current = temp[a]
    temp[a] = current - temp[b]

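def left(a, b):
    """Opcode 4: temp[a] <<= temp[b].

    The original body evaluated ``temp[a] << temp[b]`` and discarded the
    result, so the opcode was a silent no-op.  Opcode 4 never appears in this
    challenge's bytecode, so the shift semantics (width/wrap) could not be
    checked against the binary.
    """
    temp[a] = temp[a] << temp[b]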

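def right(a, b):
    """Opcode 5: temp[a] >>= temp[b].

    The original body evaluated ``temp[a] >> temp[b]`` and discarded the
    result, so the opcode was a silent no-op.  NOTE(review): on z3 BitVecs
    ``>>`` is an arithmetic (sign-propagating) shift; if the real VM shifts
    logically this should use z3's ``LShR`` instead.  Opcode 5 never appears
    in this challenge's bytecode, so this was not verified.
    """
    temp[a] = temp[a] >> temp[b]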

def temp1(a, b):
    """Opcode 6: flag[a] = temp[b] -- store a scratch slot back into the flag
    array.  This replaces the symbolic input for byte ``a`` with the VM's
    output expression; the solve step relies on that."""
    flag[a] = temp[b]

def temp2(a, b):
    """Opcode 7: temp[a] = flag[b] -- load flag byte ``b`` into a scratch slot."""
    temp[a] = flag[b]

def copy1(a, b):
    """Opcode 8: temp[a] = b -- load the immediate operand ``b`` (a constant
    from the bytecode, not a slot index) into a scratch slot."""
    immediate = b
    temp[a] = immediate

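# Emulate the bytecode symbolically.  Each instruction is an (op, a, b)
# triple, so the flat list is walked in strides of 3; the upper bound
# guarantees that pc + 2 is always a valid index.
# Changes from the original loop: the stray debug print in the opcode-6 branch
# (it cluttered stdout ahead of the flag) is gone, and an unknown opcode now
# aborts instead of being skipped silently -- a skipped instruction would hand
# z3 the wrong constraints with no warning.
handlers = {
    1: xor_1,   # temp[a] ^= temp[b]
    2: add,     # temp[a] += temp[b]
    3: sub,     # temp[a] -= temp[b]
    4: left,    # temp[a] <<= temp[b]
    5: right,   # temp[a] >>= temp[b]
    6: temp1,   # flag[a] = temp[b]   (store result)
    7: temp2,   # temp[a] = flag[b]   (load input byte)
    8: copy1,   # temp[a] = b         (load immediate)
}
for pc in range(0, len(opcode) - 2, 3):
    op, a, b = opcode[pc], opcode[pc + 1], opcode[pc + 2]
    handler = handlers.get(op)
    if handler is None:
        raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    handler(a, b)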

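# Expected ciphertext dumped from the binary.  It has 39 entries because the
# dump includes a trailing 0; only the first 38 correspond to the 38 symbolic
# flag bytes, so only those are handed to the solver.
enc = [138, 144, 131, 137, 125, 136, 131, 52, 135, 134, 135, 51, 134, 57, 56, 55, 134, 135, 58, 58, 54, 60, 54, 56, 51, 138, 136, 53, 59, 134, 60, 52, 52, 55, 53, 54, 54, 127, 0]

# After emulation flag[i] holds the VM's output expression for byte i (the
# opcode-6 handler overwrote the input symbols in place), so pinning it to
# enc[i] asks z3 for the inputs that reproduce the dumped ciphertext.
s = Solver()
for i in range(38):
    s.add(flag[i] == enc[i])

result = s.check()
print(result)
if result != sat:
    # Solver.model() raises when the problem is unsat/unknown; fail with a
    # message instead of an opaque traceback.
    raise SystemExit("no solution - check the opcode dump / emulation")
m = s.model()

# Recover the *input* symbols.  z3 identifies constants by (name, sort), so
# BitVec(str(i), 64) is the same symbol the emulation started from even though
# the `flag` list no longer references it.
inp = [BitVec(f'{i}', 64) for i in range(38)]
# model_completion=True yields a concrete value even for a byte the
# constraints left free, instead of None.
print(''.join(chr(m.eval(v, model_completion=True).as_long()) for v in inp))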
