
看雪CTF第八题

 

 

vm_context

; vm_context: interpreter state of the custom VM as reconstructed in IDA (sizeof=0x70).
; Layout: five general registers, the current instruction pointer (opcode), then a
; table of 8-byte entries, each a tag dword (only its low byte is ever written or
; compared, see vm_init / vm_dispatcher) followed by the handler's function pointer.
; vm_dispatcher walks this table from cmdA0 comparing the byte at opcode with each tag.
; NOTE(review): vm_init's zeroing loop touches 32 entries (0x18 + 32*8 = 0x118), but only
; 11 entries are declared here and the struct ends at 0x70 - either the real allocation is
; larger than this reconstruction or the init writes past it; confirm the allocation size.
; NOTE(review): the last tag is named cmdAA here but referenced as cmdAa in vm_init.
00000000 vm_context      struc ; (sizeof=0x70, mappedto_32)
00000000 r0              dd ?                    ; general registers r0..r4, zeroed by vm_init
00000004 r1              dd ?
00000008 r2              dd ?
0000000C r3              dd ?
00000010 r4              dd ?
00000014 opcode          dd ?                    ; pointer to the current bytecode byte
00000018 cmdA0           dd ?                    ; tag 0xA0
0000001C fn_set_imm      dd ?
00000020 cmdA1           dd ?                    ; tag 0xA1
00000024 fn_xor_r0_r1    dd ?
00000028 cmdA2           dd ?                    ; tag 0xA2
0000002C fn_cmp          dd ?
00000030 cmdA4           dd ?                    ; tag 0xA4
00000034 fn_prompt       dd ?
00000038 cmdA5           dd ?                    ; tag 0xA5
0000003C fn_exit         dd ?
00000040 cmdA3           dd ?                    ; tag 0xA3 - never dispatched: vm_dispatcher stops on 0xA3 before the table lookup
00000044 fn_null         dd ?
00000048 cmdA6           dd ?                    ; tag 0xA6
0000004C fn_jnz          dd ?
00000050 cmdA7           dd ?                    ; tag 0xA7
00000054 fn_input        dd ?
00000058 cmdA8           dd ?                    ; tag 0xA8
0000005C fn_output       dd ?
00000060 cmdA9           dd ?                    ; tag 0xA9
00000064 fn_check        dd ?
00000068 cmdAA           dd ?                    ; tag 0xAA
0000006C fn_decrypt_string dd ?
00000070 vm_context      ends

vm_init()

/*
 * vm_init - reset the VM registers, build the opcode->handler table and clear VM data memory.
 *
 * vm_ctx:     interpreter state (registers + handler table), passed in EAX.
 * data_start: VM data memory; its first 0x1000 bytes are zeroed.
 * Returns the memset() result, i.e. data_start.
 *
 * Each table entry is 8 bytes: a tag dword whose low byte holds the opcode value,
 * followed by the handler pointer. Only the low byte of each tag is written, so the
 * upper three bytes of every tag keep whatever the memory held before.
 */
void *__usercall vm_init@<eax>(vm_context *vm_ctx@<eax>, void *data_start)
{
  char *v2; // ecx@1
  signed int v3; // edx@1

  vm_ctx->r0 = 0;
  vm_ctx->r1 = 0;
  vm_ctx->r2 = 0;
  vm_ctx->r3 = 0;
  vm_ctx->r4 = 0;
  /*
   * Clear the tag byte of 32 table entries (stride 8, starting at cmdA0 = offset 0x18).
   * Only the tag byte is cleared; the handler pointer beside it is NOT touched.
   * NOTE(review): 32 entries span 0x18..0x118, while the reconstructed struct ends at
   * 0x70 with 11 entries - confirm the real object is large enough, otherwise this
   * loop writes beyond it.
   */
  v2 = (char *)&vm_ctx->cmdA0;
  v3 = 32;
  do
  {
    *v2 = 0;
    v2 += 8;
    --v3;
  }
  while ( v3 );
  /* Populate the 11 known entries: tag byte + handler. Order matches the struct layout,
   * which is why 0xA3 sits between 0xA5 and 0xA6. */
  LOBYTE(vm_ctx->cmdA0) = 0xA0u;
  vm_ctx->fn_set_imm = (int)fn_set_imm;
  LOBYTE(vm_ctx->cmdA1) = 0xA1u;
  vm_ctx->fn_xor_r0_r1 = (int)fn_xor_r0_r1;
  LOBYTE(vm_ctx->cmdA2) = 0xA2u;
  vm_ctx->fn_cmp = (int)fn_cmp;
  LOBYTE(vm_ctx->cmdA4) = 0xA4u;
  vm_ctx->fn_prompt = (int)fn_prompt;
  LOBYTE(vm_ctx->cmdA5) = 0xA5u;
  vm_ctx->fn_exit = (int)fn_exit;
  /* 0xA3 gets a handler here, but vm_dispatcher exits on 0xA3 before any lookup. */
  LOBYTE(vm_ctx->cmdA3) = 0xA3u;
  vm_ctx->fn_null = (int)fn_null;
  LOBYTE(vm_ctx->cmdA6) = 0xA6u;
  vm_ctx->fn_jnz = (int)fn_jnz;
  LOBYTE(vm_ctx->cmdA7) = 0xA7u;
  vm_ctx->fn_input = (int)fn_input;
  LOBYTE(vm_ctx->cmdA8) = 0xA8u;
  vm_ctx->fn_output = (int)fn_output;
  LOBYTE(vm_ctx->cmdA9) = 0xA9u;
  vm_ctx->fn_check = (int)fn_check;
  /* Field is spelled cmdAA in the struct dump; the decompiler emitted cmdAa here. */
  LOBYTE(vm_ctx->cmdAa) = 0xAAu;
  vm_ctx->fn_decrypt_string = (int)fn_decrypt_string;
  /* Zero the first 4 KiB of VM data memory and hand the pointer back. */
  return memset(data_start, 0, 0x1000u);
}

vm_dispatcher()

/*
 * vm_dispatcher - run bytecode until a 0xA3 (halt) byte is reached.
 *
 * opcode_start: address of the first bytecode byte (EAX); reused by the decompiler
 *               as the table slot index and as the last handler's return value.
 * vm_ctx:       interpreter state holding the handler table (ESI).
 * data_start:   VM data memory, forwarded to every handler.
 * Returns the value returned by the last handler invoked, or opcode_start unchanged
 * when the very first byte is already 0xA3.
 *
 * This loop never advances vm_ctx->opcode itself; it is presumably the handlers
 * (not shown on this page) that move it - TODO confirm.
 * NOTE(review): if no slot's tag matches the current byte the inner loop ends with
 * opcode_start == 0x20 and the outer loop re-reads the same byte, so an unrecognised
 * opcode spins forever. vm_init clears the tag byte of slots 11..31 but not the
 * pointer word next to it, so a 0x00 byte matches slot 11 and calls whatever that
 * word holds - confirm the context is zero-filled or sized for 32 entries.
 */
int __usercall vm_dispatcher@<eax>(int opcode_start@<eax>, vm_context *vm_ctx@<esi>, int data_start)
{
  char *vm_handler_type; // ecx@2

  vm_ctx->opcode = opcode_start;
  /* 0xA3 is the halt byte: it is tested here and never looked up in the table. */
  while ( *(_BYTE *)vm_ctx->opcode != 0xA3u )
  {
    /* Linear scan over up to 0x20 table entries of 8 bytes, starting at cmdA0. */
    opcode_start = 0;
    vm_handler_type = (char *)&vm_ctx->cmdA0;
    while ( opcode_start < 0x20 )
    {
      /* Compare the current bytecode byte with the low byte of the slot's tag. */
      if ( *(_BYTE *)vm_ctx->opcode == *vm_handler_type )
      {
        /* &fn_set_imm + 2*slot (int stride) is the handler pointer of that slot;
         * every handler takes (vm_ctx, data_start) and its return value is kept. */
        opcode_start = (*((int (__cdecl **)(_DWORD, _DWORD))&vm_ctx->fn_set_imm + 2 * opcode_start))(vm_ctx, data_start);
        break;
      }
      ++opcode_start;
      vm_handler_type += 8;
    }
  }
  return opcode_start;
}

自定义vm虚拟机

技术分享

 

python指令解析器

 

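#!/usr/bin/python
# -*- coding: UTF-8 -*-
"""Linear-sweep disassembler for the custom VM bytecode of this challenge.

Opcodes 0xA0..0xAA select a handler, mirroring the cmdA0..cmdAA slots of the
binary's vm_context. Each handler prints one line of pseudo-assembly and
advances ``ip`` past the bytes it consumed. Malformed input (an opcode outside
0xA0..0xAA, an unknown sub-op, or an instruction cut off by the end of the
code) raises ValueError instead of being silently mis-decoded.
"""
from __future__ import print_function

# Code segment (bytecode) dumped from the target binary.
text = [0xAA, 0x15, 0x20, 0x01, 0x00, 0x00, 0xAA, 0x15, 0x40, 0x01, 0x00, 0x00, 0xA0, 0x10, 0x00, 0x00,
        0x00, 0x00, 0xA8, 0xA0, 0x10, 0xF0, 0x00, 0x00, 0x00, 0xA8, 0xA0, 0x10, 0x60, 0x01, 0x00, 0x00,
        0xA7, 0xAA, 0x11, 0x80, 0x00, 0x00, 0x00, 0xAA, 0x10, 0x60, 0x00, 0x00, 0x00, 0xAA, 0x12, 0xB0,
        0x00, 0x00, 0x00, 0xA9, 0xA2, 0xEA, 0xA6, 0x0E, 0xA0, 0x10, 0x20, 0x01, 0x00, 0x00, 0xA0, 0x11,
        0x10, 0x01, 0x00, 0x00, 0xA4, 0xA5, 0xA0, 0x10, 0x40, 0x01, 0x00, 0x00, 0xA0, 0x11, 0x10, 0x01,
        0x00, 0x00, 0xA4, 0xA5]

# First and last opcode value understood by the disassembler (11 handlers).
OPCODE_BASE = 0xA0
OPCODE_LAST = 0xAA


def toUint(arr):
    """Decode the little-endian 32-bit unsigned integer stored in ``arr[0:4]``.

    Raises ValueError if fewer than four bytes are available.
    """
    if len(arr) < 4:
        raise ValueError("need 4 bytes for a 32-bit operand, got %d" % len(arr))
    return arr[0] | (arr[1] << 8) | (arr[2] << 16) | (arr[3] << 24)


class Context:
    """Disassembler state: ``code`` is the byte list, ``ip`` the current offset."""

    def __init__(self, code=None):
        # Default to the module-level ``text`` so a bare ``Context()`` keeps working.
        self.code = text if code is None else code
        self.ip = 0

    def _byte(self, off):
        """Return the byte at ``ip + off``; ValueError if it lies past the end of code."""
        idx = self.ip + off
        if idx >= len(self.code):
            raise ValueError("instruction at offset 0x%x is truncated" % self.ip)
        return self.code[idx]

    def _imm32(self):
        """Return the 32-bit immediate occupying bytes ``ip + 2 .. ip + 5``."""
        if self.ip + 6 > len(self.code):
            raise ValueError("instruction at offset 0x%x is truncated" % self.ip)
        return toUint(self.code[self.ip + 2:self.ip + 6])

    def cmdA0(self):
        """0xA0 <sub> <imm32>: register/memory moves (6 bytes)."""
        start = self.ip
        c = self._byte(1)
        p = self._imm32()
        self.ip += 6
        if 0x10 <= c <= 0x13:
            print("mov r{0}, {1}".format(c - 0x10, hex(p)))
        elif c == 0x14:
            print("movb r0, [{0}]".format(hex(p)))
        elif c == 0x15:
            print("movb [{0}], r0".format(hex(p)))
        else:
            raise ValueError("unknown A0 sub-op 0x%02x at offset 0x%x" % (c, start))

    def cmdA1(self):
        """0xA1: xor r0, r1 (1 byte)."""
        self.ip += 1
        print("xor r0, r1")

    def cmdA2(self):
        """0xA2 <imm8>: byte compare of r0 against memory (2 bytes)."""
        p = self._byte(1)
        self.ip += 2
        print("equb r0, [{0}]".format(hex(p)))

    def cmdA3(self):
        """0xA3: halt. The binary's dispatcher loop exits on this byte, so stop the sweep."""
        print("halt")
        self.ip = len(self.code)

    def cmdA4(self):
        """0xA4: print message (1 byte)."""
        self.ip += 1
        print("msg [r0], [r1]")

    def cmdA5(self):
        """0xA5: exit (1 byte)."""
        self.ip += 1
        print("exit")

    def cmdA6(self):
        """0xA6 <imm8>: relative conditional jump (2 bytes)."""
        p = self._byte(1)
        self.ip += 2
        print("jne +{0}".format(hex(p)))

    def cmdA7(self):
        """0xA7: read input into [r0] (1 byte)."""
        self.ip += 1
        print("in [r0]")

    def cmdA8(self):
        """0xA8: write [r0] to output (1 byte)."""
        self.ip += 1
        print("out [r0]")

    def cmdA9(self):
        """0xA9: check [r0] (1 byte)."""
        self.ip += 1
        print("check [r0]")

    def cmdAA(self):
        """0xAA <sub> <imm32>: 32-byte string decrypt, optionally keyed (6 bytes)."""
        c = self._byte(1)
        p = self._imm32()
        self.ip += 6
        if 0x10 <= c <= 0x12:
            print("xorstr key{0}, [{1}], [32]".format(c - 0x10, hex(p)))
        else:
            print("xorstr [{0}], [32]".format(hex(p)))

    def run(self):
        """Disassemble ``code`` from ``ip`` to the end, printing one line per instruction.

        Raises ValueError on an opcode outside 0xA0..0xAA; previously a byte below
        0xA0 produced a negative list index and was silently dispatched to the
        wrong handler.
        """
        ops = [self.cmdA0, self.cmdA1, self.cmdA2, self.cmdA3, self.cmdA4, self.cmdA5,
               self.cmdA6, self.cmdA7, self.cmdA8, self.cmdA9, self.cmdAA]
        while self.ip < len(self.code):
            c = self.code[self.ip]
            if not OPCODE_BASE <= c <= OPCODE_LAST:
                raise ValueError("unknown opcode 0x%02x at offset 0x%x" % (c, self.ip))
            ops[c - OPCODE_BASE]()


if __name__ == "__main__":
    # Run as a script: disassemble the embedded code segment.
    ctx = Context()
    ctx.run()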

运行结果

xorstr [0x120], [32]
xorstr [0x140], [32]
mov r0, 0x0
out [r0]
mov r0, 0xf0
out [r0]
mov r0, 0x160
in [r0]
xorstr key1, [0x80], [32]
xorstr key0, [0x60], [32]
xorstr key2, [0xb0], [32]
check [r0]
equb r0, [0xea]
jne +0xe
mov r0, 0x120
mov r1, 0x110
msg [r0], [r1]
exit
mov r0, 0x140
mov r1, 0x110
msg [r0], [r1]
exit

 
