Preface

Because of time constraints I did not submit the flag before the contest ended, so I decided to write a detailed solution (detailed in my own estimation) suitable for beginners; Pizza-level experts, please skip this.

Analysis

First, a string search quickly locates the key spot.

[screenshot]

From the earlier information we determine that the length is 0x30; with the following settings we can start dynamic debugging right away.

[screenshot]

The call that draws our attention is `(*(void (**)(void))(*(_DWORD *)Memorya + 112))();`. Stepping into it, it is clearly a VM structure.

[screenshot]

So the difficulty of this challenge lies in reversing the VM code. The usual routine:

  1. Extract the bytecode
  2. Map each op to its handler function
  3. Convert to pseudo-assembly
  4. Convert to a high-level language (C/C++/Python)
  5. Reverse the algorithm and write the decryption script

Step 1

The bytecode here is obviously byte_3D4018[]; we can use LazyIDA to extract the data quickly.

[screenshot]

Step 2

Next we need to process the bytecode. In this challenge a struct stores the related state.

[screenshot]

From top to bottom the fields can be treated as r0-r9, by analogy with registers; this way of thinking is essential. We can step into a few of the handler functions first to get a feel for the general structure.

[screenshot]

this[9] is the ninth field of the struct, r9, which is our bytecode pointer: since the VM executes according to the bytecode, it needs a pointer that tracks how far execution has progressed through the VM code.

`v1[3]` therefore stands for `bytecode[3]`,
`v1[2]` for `bytecode[2]`,
`v1[1]` for `bytecode[1]`.

Combined with the code, we can guess that this is the operand-handling part, so we write d1 = v1[1], d2 = v1[2], and so on.

Then `v2 = v1[3] + ((v1[2] + (v1[1] << 8)) << 8);`
becomes `v2 = (((d1 << 8) + d2) << 8) + d3`.

Likewise `v3 = v1[4];` -> `v3 = d4`.
So this function reduces to `r8 = (((((d1 << 8) + d2) << 8) + d3) << 8) + d4`, i.e. the four operand bytes d1..d4 read as a big-endian 32-bit value.

At the end of this function r9 += 5, which means our bytecode pointer has advanced 5 bytes.
What follows is manual labour: we need to convert the function behind every case and process the bytecode accordingly. While debugging we do not have to follow the bytecode's own control flow; for example, to look at the function for case 0x44 we can simply edit the result value (the rax register) by hand to jump there. To watch r[0-9] change in real time, turn off stack synchronization.

[screenshot]

After a round of manual labour the bytecode is finally roughly converted. There is a lot of it, so I will attach the complete listing at the end of the article.

[screenshot]

Step 3

OK! Next, combine the concrete bytecode with the handler semantics and write out the pseudo-assembly.

[screenshot]

Nothing difficult in this step either, just more manual labour.

Step 4

Once the pseudo-assembly is written, it is best to take in the whole picture; that gives a rough idea of the code structure and a reliable basis for guesses in the next stage of analysis.
A quick glance already shows a structure of several loops, sums and comparisons.
Of course we should not rely on guessing alone (during a contest, a bold guess is still worth trying).
A brief analysis:

```
r8 = 0x2F
continue        goto L:1
r4 = r8 = 0x2f
r1 = *r6        input[0]
r3 = r3^r3 = 0
cmp r1,r3       r5 = 1
continue        goto L:28
```

This part is easily recognised as initialisation: registers are zeroed and the input character is loaded.

```
r4 = r8 = 0x2f
r1 = *r6        input[0]
r3 = r3^r3 = 0
cmp r1,r3       r5 = 1
continue        goto L:28
r6++
r8 = 0x46
r2 = r8 = 0x46 'F'
cmp r1,r2       r5 = 0 or -1
continue        goto L:28
r8 = 0x30
r2 = r8 = 0x30 '0'
cmp r1,r2       r5 = 0 or 1
continue        goto L:25
r8 = 0x39
r2 = r8 = 0x39 '9'
cmp r1,r2       r5 = 0 or 1
continue        goto L:31
r8 = 0x41
r1 = r8 = 0x41 'A'
cmp r1,r2       r5 = 0 or 1
continue        goto L:28
r1 = r1^r1 = 0
cmp r1,r1       r5 = 0
r9 = r9+r1+2    goto L:31
r1 = r1^r1
r1 = r1+1
continue        goto L:4
# L:n means jump to line n of the listing
```

This is a loop that validates the input. We can simply guess its purpose, or follow the code through once, which is also easy; the code that follows is similar.

Step 5

Building on the analysis and conversion above, and on our understanding of the pseudo-assembly, we try to convert it into a high-level language. For example, the first part of the code becomes:

```python
for i in range(0x2f):
    cipher = ord(flag[i])
    # the VM compares each character against '0', '9', 'A' and 'F'
    if not (0x30 <= cipher <= 0x39 or 0x41 <= cipher <= 0x46):
        break
```

Finally we can write the decryption script.

Looking at the encryption process, it is just the key in reverse. After all that effort the encryption algorithm turns out to be this simple, yet only 15 teams solved this challenge in the end.

Complete code

#bytecode

Columns: listing line (the `goto L:n` targets refer to these lines), bytes, opcode semantics (d1..d4 are the operand bytes), concrete effect.

```
  1  4F 00 00 00 2F  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x2F
  2  55 05           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:1)
  3  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x2f
  4  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6 = input[0]
  5  47 22           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r3 = r3^r3 = 0
  6  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3    r5 = 1
  7  4B 33           if r5==0: r9 += d1+2                          continue (taken: goto L:28)
  8  49              r6++                                          r6++
  9  4F 00 00 00 46  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x46
 10  54 10           r[(d1>>4)+1] = r8                             r2 = r8 = 0x46 'F'
 11  48 01           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r2    r5 = 0 or -1
 12  4D 27           if r5==1: r9 += d1+2                          continue (taken: goto L:28)
 13  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
 14  54 10           r[(d1>>4)+1] = r8                             r2 = r8 = 0x30 '0'
 15  48 01           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r2    r5 = 0 or 1
 16  44 16           if r5==-1: r9 += d1+2                         continue (taken: goto L:25)
 17  4F 00 00 00 39  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x39
 18  54 10           r[(d1>>4)+1] = r8                             r2 = r8 = 0x39 '9'
 19  48 01           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r2    r5 = 0 or 1
 20  44 16           if r5==-1: r9 += d1+2                         continue (taken: goto L:31)
 21  4F 00 00 00 41  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x41
 22  54 01           r[(d1>>4)+1] = r8                             r1 = r8 = 0x41 'A'
 23  48 01           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r2    r5 = 0 or 1
 24  44 06           if r5==-1: r9 += d1+2                         continue (taken: goto L:28)
 25  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1 = 0
 26  48 00           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r1    r5 = 0
 27  4B 05           if r5==0: r9 += d1+2                          r9 = r9+d1+2   goto L:31
 28  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
 29  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
 30  43              return                                        return
 31  55 40           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:4)
 32  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
 33  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x7
 34  47 11           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r2 = r2^r2 = 0
 35  56              r6--                                          r6--
 36  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6 = input[0x2f]
 37  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
 38  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x30 '0'
 39  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3 = input[0x2f]-0x30
 40  4F 00 00 00 0A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xA
 41  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xA
 42  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3    r5 = 0 or 1
 43  44 09           if r5==-1: r9 += d1+2                         continue (taken: goto L:47)
 44  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
 45  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7
 46  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3 = r1-0x7
 47  4F 00 00 00 10  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x10
 48  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x10
 49  58 12           r[(d1>>4)+1] *= r[(d1&0xf)+1]                 r2 = r2*r3
 50  53 10           r[(d1>>4)+1] += r[(d1&0xf)+1]                 r2 = r2+r1
 51  55 2B           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:35)
 52  4F EB BA A8 4D  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xEBBAA84D
 53  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xEBBAA84D
 54  48 12           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r2,r3
 55  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
 56  4B 03           if r5==0: r9 += d1+2                          continue (taken: goto L:59)
 57  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
 58  43              return                                        return
 59  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
 60  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x7
 61  47 11           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r2 = r2^r2 = 0
 62  56              r6--                                          r6--
 63  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6
 64  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
 65  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x30 '0'
 66  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
 67  4F 00 00 00 0A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xA
 68  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xA
 69  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3
 70  44 09           if r5==-1: r9 += d1+2                         continue (taken: goto L:74)
 71  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
 72  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7
 73  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
 74  4F 00 00 00 10  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x10
 75  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x10
 76  58 12           r[(d1>>4)+1] *= r[(d1&0xf)+1]                 r2 = r2*r3
 77  53 10           r[(d1>>4)+1] += r[(d1&0xf)+1]                 r2 = r2+r1
 78  55 2B           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:62)
 79  4F 53 DC 2C 9F  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x53DC2C9F
 80  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x53DC2C9F
 81  48 12           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r2,r3
 82  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
 83  4B 03           if r5==0: r9 += d1+2                          continue (taken: goto L:86)
 84  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
 85  43              return                                        return
 86  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
 87  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x7
 88  47 11           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r2 = r2^r2 = 0
 89  56              r6--                                          r6--
 90  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6
 91  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
 92  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x30 '0'
 93  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
 94  4F 00 00 00 0A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xA
 95  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xA
 96  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3
 97  44 09           if r5==-1: r9 += d1+2                         continue (taken: goto L:101)
 98  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
 99  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7
100  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
101  4F 00 00 00 10  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x10
102  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x10
103  58 12           r[(d1>>4)+1] *= r[(d1&0xf)+1]                 r2 = r2*r3
104  53 10           r[(d1>>4)+1] += r[(d1&0xf)+1]                 r2 = r2+r1
105  55 2B           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:89)
106  4F 6E CB 67 5D  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x6ECB675D
107  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x6ECB675D
108  48 12           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r2,r3
109  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
110  4B 03           if r5==0: r9 += d1+2                          continue (taken: goto L:113)
111  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
112  43              return                                        return
113  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
114  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x7
115  47 11           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r2 = r2^r2 = 0
116  56              r6--                                          r6--
117  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6
118  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
119  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x30 '0'
120  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
121  4F 00 00 00 0A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xA
122  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xA
123  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3
124  44 09           if r5==-1: r9 += d1+2                         continue (taken: goto L:128)
125  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
126  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7
127  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
128  4F 00 00 00 10  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x10
129  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x10
130  58 12           r[(d1>>4)+1] *= r[(d1&0xf)+1]                 r2 = r2*r3
131  53 10           r[(d1>>4)+1] += r[(d1&0xf)+1]                 r2 = r2+r1
132  55 2B           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:116)
133  4F 7F CA 1D C8  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7FCA1DC8
134  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7FCA1DC8
135  48 12           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r2,r3
136  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
137  4B 03           if r5==0: r9 += d1+2                          continue (taken: goto L:140)
138  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
139  43              return                                        return
140  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
141  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x7
142  47 11           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r2 = r2^r2 = 0
143  56              r6--                                          r6--
144  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6
145  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
146  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x30 '0'
147  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
148  4F 00 00 00 0A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xA
149  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xA
150  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3
151  44 09           if r5==-1: r9 += d1+2                         continue (taken: goto L:155)
152  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
153  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7
154  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
155  4F 00 00 00 10  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x10
156  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x10
157  58 12           r[(d1>>4)+1] *= r[(d1&0xf)+1]                 r2 = r2*r3
158  53 10           r[(d1>>4)+1] += r[(d1&0xf)+1]                 r2 = r2+r1
159  55 2B           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:143)
160  4F 8E 39 B8 69  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x8E39B869
161  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x8E39B869
162  48 12           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r2,r3
163  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
164  4B 03           if r5==0: r9 += d1+2                          continue (taken: goto L:167)
165  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
166  43              return                                        return
167  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
168  54 30           r[(d1>>4)+1] = r8                             r4 = r8 = 0x7
169  47 11           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r2 = r2^r2 = 0
170  56              r6--                                          r6--
171  46 00           r[(d1>>4)+1] = *r6                            r1 = *r6
172  4F 00 00 00 30  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x30
173  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x30 '0'
174  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
175  4F 00 00 00 0A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0xA
176  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0xA
177  48 02           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r1,r3
178  44 09           if r5==-1: r9 += d1+2                         continue (taken: goto L:182)
179  4F 00 00 00 07  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x7
180  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x7
181  59 02           r[(d1>>4)+1] -= r[(d1&0xf)+1]                 r1 = r1-r3
182  4F 00 00 00 10  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x10
183  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x10
184  58 12           r[(d1>>4)+1] *= r[(d1&0xf)+1]                 r2 = r2*r3
185  53 10           r[(d1>>4)+1] += r[(d1&0xf)+1]                 r2 = r2+r1
186  55 2B           if r4!=0: r4--, r9 -= d1                      continue (loop: goto L:170)
187  4F 9A D8 44 3A  r8 = d1<<24|d2<<16|d3<<8|d4                   r8 = 0x9AD8443A
188  54 20           r[(d1>>4)+1] = r8                             r3 = r8 = 0x9AD8443A
189  48 12           cmp r[(d1>>4)+1],r[(d1&0xf)+1] -> r5=0/-1/1  cmp r2,r3
190  47 00           r[(d1>>4)+1] ^= r[(d1&0xf)+1]                 r1 = r1^r1
191  4B 02           if r5==0: r9 += d1+2                          continue (taken: goto L:193)
192  50 00           r[(d1>>4)+1] += 1                             r1 = r1+1
193  43              return                                        return
```
#encode & decode

```python
#!/usr/bin/env python

# encode: re-implements the VM's checks on the known flag; the assertions
# mirror the six constants the bytecode compares against
def encode():
    flag = "A3448DA9968B93E88CD1ACF7D576BCE6F9C2CD35D48AABBE"
    # first loop of the VM: each character is compared against '0', '9', 'A', 'F'
    for i in range(0x2f):
        cipher = ord(flag[i])
        if not (0x30 <= cipher <= 0x39 or 0x41 <= cipher <= 0x46):
            break
    # six check blocks: each reads 8 characters backwards from the end,
    # turns them into hex digits and accumulates them into a 32-bit value
    key = [0xEBBAA84D, 0x53DC2C9F, 0x6ECB675D, 0x7FCA1DC8, 0x8E39B869, 0x9AD8443A]
    for k in range(6):
        total = 0
        for i in range(8):
            c = ord(flag[0x2f - 8 * k - i])
            if c - 0x30 < 0xa:
                total = total * 0x10 + c - 0x30
            else:
                total = total * 0x10 + c - 0x30 - 0x7
        assert total == key[k]
    print("flag{" + flag + "}")

# decode: the constants, last block first and low nibble first, spell the flag
def decode():
    flag = []
    key = [0xEBBAA84D, 0x53DC2C9F, 0x6ecb675d, 0x7fca1dc8, 0x8e39b869, 0x9ad8443a]
    for i in range(6):
        for j in range(8):
            flag.append(hex((key[5 - i] >> (4 * j)) & 0xf)[2:].upper())
    print("flag{" + "".join(flag) + "}")

if __name__ == "__main__":
    decode()
```

Mind the line numbers!
I recommend writing all of this out yourself; don't shy away from the workload!

Summary

Besides analysing the bytecode by hand, we could also write a parser to automate the analysis; that is not covered here.
I hope this helps (if there are mistakes, please point them out!).
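The automated parser the summary mentions, and the operand decoding from Step 2, as an added example that is not part of the original writeup and not the challenge's own code: a disassembler that prints the same 193 numbered lines as the table above (so `goto L:n` targets can be checked mechanically), an interpreter for the sixteen opcodes, and a `recover_flag()` that pulls the six compared constants out of the disassembly. The opcode semantics are the ones in the table; treating registers as 32-bit, using r6 as an index into a NUL-terminated input buffer, and the jump formulas `pc + d1 + 2` (forward) and `pc - d1` (loop) are assumptions. The 495 bytes are assembled from the listing: the prologue, then six blocks that differ only in their constant and final skip distance.

```python
#!/usr/bin/env python3
"""Disassembler, interpreter and flag recovery for the REFINAL VM.
Added example: not the challenge binary's code and not the author's script.
Assumed: 32-bit registers, r6 = input index, pc+d+2 / pc-d jump formulas."""

# Program bytes as listed in the writeup: the charset loop, then six check
# blocks that are identical except for their 32-bit constant and last skip.
PROLOGUE = (
    "4F0000002F 5505 5430 4600 4722 4802 4B33 49 4F00000046 5410 4801 4D27 "
    "4F00000030 5410 4801 4416 4F00000039 5410 4801 4416 4F00000041 5401 "
    "4801 4406 4700 4800 4B05 4700 5000 43 5540 "
)
BLOCK = (
    "4F00000007 5430 4711 56 4600 4F00000030 5420 5902 4F0000000A 5420 4802 "
    "4409 4F00000007 5420 5902 4F00000010 5420 5812 5310 552B 4F{k} 5420 "
    "4812 4700 4B{skip} 5000 43 "
)
CONSTS = ["EBBAA84D", "53DC2C9F", "6ECB675D", "7FCA1DC8", "8E39B869", "9AD8443A"]
BYTECODE = bytes.fromhex(PROLOGUE + "".join(
    BLOCK.format(k=k, skip="02" if i == 5 else "03") for i, k in enumerate(CONSTS)))

OPLEN = {0x43: 1, 0x49: 1, 0x56: 1, 0x4F: 5}      # every other opcode: op + 1 operand byte
MASK = 0xFFFFFFFF                                  # assumed 32-bit registers
ALU = {0x47: lambda x, y: x ^ y, 0x53: lambda x, y: x + y,
       0x58: lambda x, y: x * y, 0x59: lambda x, y: x - y}
NAMES = {0x47: "xor", 0x53: "add", 0x58: "mul", 0x59: "sub", 0x48: "cmp"}
JUMP = {0x44: -1, 0x4B: 0, 0x4D: 1}                # forward jump taken if r5 == value
JNAME = {0x44: "jl", 0x4B: "je", 0x4D: "jg"}

def regs(d):
    """Operand byte d: high nibble selects the destination, low nibble the source."""
    return (d >> 4) + 1, (d & 0xF) + 1

def disasm(code):
    """Return [(line, offset, text)]; lines are 1-based like the writeup's table."""
    raw, pc = [], 0
    while pc < len(code):
        raw.append((pc, code[pc], code[pc + 1:pc + OPLEN.get(code[pc], 2)]))
        pc += OPLEN.get(code[pc], 2)
    line_of = {off: i + 1 for i, (off, _, _) in enumerate(raw)}
    out = []
    for pc, op, arg in raw:
        d = arg[0] if len(arg) == 1 else 0
        a, b = regs(d)
        if op in NAMES:
            text = f"{NAMES[op]}  r{a}, r{b}"
        elif op in JUMP:                           # target = pc + d + 2
            text = f"{JNAME[op]}   L{line_of.get(pc + d + 2, '?')}"
        elif op == 0x55:                           # r4--, then jump back d bytes
            text = f"loop L{line_of.get(pc - d, '?')}"
        elif op == 0x4F:
            text = f"mov  r8, 0x{int.from_bytes(arg, 'big'):08X}"
        elif op in (0x46, 0x50, 0x54):
            text = {0x46: f"ld   r{a}, [r6]", 0x50: f"inc  r{a}", 0x54: f"mov  r{a}, r8"}[op]
        else:
            text = {0x43: "ret", 0x49: "inc  r6", 0x56: "dec  r6"}.get(op, f"db 0x{op:02X}")
        out.append((line_of[pc], pc, text))
    return out

def run(code, data, max_steps=100_000):
    """Execute the program over NUL-terminated input; returns r1 (0 = accepted)."""
    buf = data.encode() + b"\x00"
    r, pc = [0] * 10, 0                            # r1..r9 as in the struct
    for _ in range(max_steps):
        op = code[pc]
        n = OPLEN.get(op, 2)
        d = code[pc + 1] if n == 2 else 0
        a, b = regs(d)
        nxt = pc + n
        if op == 0x43:
            return r[1]
        elif op in ALU:
            r[a] = ALU[op](r[a], r[b]) & MASK
        elif op in JUMP:
            if r[5] == JUMP[op]:
                nxt = pc + d + 2
        elif op == 0x46:
            r[a] = buf[r[6]] if 0 <= r[6] < len(buf) else 0
        elif op == 0x48:
            r[5] = (r[a] > r[b]) - (r[a] < r[b])   # 1 / 0 / -1
        elif op in (0x49, 0x56):
            r[6] += 1 if op == 0x49 else -1
        elif op == 0x4F:
            r[8] = int.from_bytes(code[pc + 1:pc + 5], "big")
        elif op == 0x50:
            r[a] = (r[a] + 1) & MASK
        elif op == 0x54:
            r[a] = r[8]
        elif op == 0x55:
            if r[4]:
                r[4] -= 1
                nxt = pc - d
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        pc = nxt
    raise RuntimeError("step limit hit")

def recover_flag(code):
    """Constants compared after each loop, last block first, low nibble first."""
    imms = [int(t.split("0x")[1], 16) for _, _, t in disasm(code) if t.startswith("mov  r8, 0x")]
    keys = [k for k in imms if k > 0xFF][::-1]     # drop the small helpers 0x2F, 0x46, 0x30, ...
    return "".join(f"{(k >> (4 * j)) & 0xF:X}" for k in keys for j in range(8))

if __name__ == "__main__":
    for line, off, text in disasm(BYTECODE):
        print(f"{line:3} @{off:03}  {text}")
    flag = recover_flag(BYTECODE)
    print(flag, "->", "accepted" if run(BYTECODE, flag) == 0 else "rejected")
```

Running it prints the listing and then confirms that the recovered flag is accepted (the VM returns with r1 == 0) while a wrong or too-short input makes it return 1. A useful side effect of computing jump targets mechanically is that the two `loop` instructions at lines 31 and 51 resolve to lines 4 and 35, the load instructions, rather than to the lines that re-initialise r4 or r2, which is what keeps the loops finite.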
