首页 > 代码库 > 看雪CTF第八题
看雪CTF第八题
vm_context
00000000 vm_context struc ; (sizeof=0x70, mappedto_32)00000000 r0 dd ?00000004 r1 dd ?00000008 r2 dd ?0000000C r3 dd ?00000010 r4 dd ?00000014 opcode dd ?00000018 cmdA0 dd ?0000001C fn_set_imm dd ?00000020 cmdA1 dd ?00000024 fn_xor_r0_r1 dd ?00000028 cmdA2 dd ?0000002C fn_cmp dd ?00000030 cmdA4 dd ?00000034 fn_prompt dd ?00000038 cmdA5 dd ?0000003C fn_exit dd ?00000040 cmdA3 dd ?00000044 fn_null dd ?00000048 cmdA6 dd ?0000004C fn_jnz dd ?00000050 cmdA7 dd ?00000054 fn_input dd ?00000058 cmdA8 dd ?0000005C fn_output dd ?00000060 cmdA9 dd ?00000064 fn_check dd ?00000068 cmdAA dd ?0000006C fn_decrypt_string dd ?00000070 vm_context ends
vm_init()
void *__usercall vm_init@<eax>(vm_context *vm_ctx@<eax>, void *data_start){ char *v2; // ecx@1 signed int v3; // edx@1 vm_ctx->r0 = 0; vm_ctx->r1 = 0; vm_ctx->r2 = 0; vm_ctx->r3 = 0; vm_ctx->r4 = 0; v2 = (char *)&vm_ctx->cmdA0; v3 = 32; do { *v2 = 0; v2 += 8; --v3; } while ( v3 ); LOBYTE(vm_ctx->cmdA0) = 0xA0u; vm_ctx->fn_set_imm = (int)fn_set_imm; LOBYTE(vm_ctx->cmdA1) = 0xA1u; vm_ctx->fn_xor_r0_r1 = (int)fn_xor_r0_r1; LOBYTE(vm_ctx->cmdA2) = 0xA2u; vm_ctx->fn_cmp = (int)fn_cmp; LOBYTE(vm_ctx->cmdA4) = 0xA4u; vm_ctx->fn_prompt = (int)fn_prompt; LOBYTE(vm_ctx->cmdA5) = 0xA5u; vm_ctx->fn_exit = (int)fn_exit; LOBYTE(vm_ctx->cmdA3) = 0xA3u; vm_ctx->fn_null = (int)fn_null; LOBYTE(vm_ctx->cmdA6) = 0xA6u; vm_ctx->fn_jnz = (int)fn_jnz; LOBYTE(vm_ctx->cmdA7) = 0xA7u; vm_ctx->fn_input = (int)fn_input; LOBYTE(vm_ctx->cmdA8) = 0xA8u; vm_ctx->fn_output = (int)fn_output; LOBYTE(vm_ctx->cmdA9) = 0xA9u; vm_ctx->fn_check = (int)fn_check; LOBYTE(vm_ctx->cmdAa) = 0xAAu; vm_ctx->fn_decrypt_string = (int)fn_decrypt_string; return memset(data_start, 0, 0x1000u);}
vm_dispatcher()
int __usercall vm_dispatcher@<eax>(int opcode_start@<eax>, vm_context *vm_ctx@<esi>, int data_start){ char *vm_handler_type; // ecx@2 vm_ctx->opcode = opcode_start; while ( *(_BYTE *)vm_ctx->opcode != 0xA3u ) { opcode_start = 0; vm_handler_type = (char *)&vm_ctx->cmdA0; while ( opcode_start < 0x20 ) { if ( *(_BYTE *)vm_ctx->opcode == *vm_handler_type ) { opcode_start = (*((int (__cdecl **)(_DWORD, _DWORD))&vm_ctx->fn_set_imm + 2 * opcode_start))(vm_ctx, data_start); break; } ++opcode_start; vm_handler_type += 8; } } return opcode_start;}
自定义vm虚拟机
python指令解析器
#!/usr/bin/python# -*- coding: UTF-8 -*-# 代码段text = [0xAA, 0x15, 0x20, 0x01, 0x00, 0x00, 0xAA, 0x15, 0x40, 0x01, 0x00, 0x00, 0xA0, 0x10, 0x00, 0x00, 0x00, 0x00, 0xA8, 0xA0, 0x10, 0xF0, 0x00, 0x00, 0x00, 0xA8, 0xA0, 0x10, 0x60, 0x01, 0x00, 0x00, 0xA7, 0xAA, 0x11, 0x80, 0x00, 0x00, 0x00, 0xAA, 0x10, 0x60, 0x00, 0x00, 0x00, 0xAA, 0x12, 0xB0, 0x00, 0x00, 0x00, 0xA9, 0xA2, 0xEA, 0xA6, 0x0E, 0xA0, 0x10, 0x20, 0x01, 0x00, 0x00, 0xA0, 0x11, 0x10, 0x01, 0x00, 0x00, 0xA4, 0xA5, 0xA0, 0x10, 0x40, 0x01, 0x00, 0x00, 0xA0, 0x11, 0x10, 0x01, 0x00, 0x00, 0xA4, 0xA5]def toUint(arr): return arr[0] | (arr[1]<<8 | arr[2]<<16 | arr[3]<<24)class Context: def __init__(self): self.ip = 0 def cmdA0(self): c = text[self.ip + 1] p = toUint(text[self.ip+2:self.ip+6]) self.ip += 6 if 0x10 <= c <= 0x13: print "mov r{0}, {1}".format(c-0x10, hex(p)) elif c == 0x14: print "movb r0, [{0}]".format(hex(p)) elif c == 0x15: print "movb [{0}], r0".format(hex(p)) else: assert False def cmdA1(self): self.ip += 1 print "xor r0, r1" def cmdA2(self): p = text[self.ip+1] self.ip += 2 print "equb r0, [{0}]".format(hex(p)) def cmdA3(self): assert False def cmdA4(self): self.ip += 1 print "msg [r0], [r1]" def cmdA5(self): self.ip += 1 print "exit" def cmdA6(self): p = text[self.ip + 1] self.ip += 2 print "jne +{0}".format(hex(p)) def cmdA7(self): self.ip += 1 print "in [r0]" def cmdA8(self): self.ip += 1 print "out [r0]" def cmdA9(self): self.ip += 1 print "check [r0]" def cmdAA(self): c = text[self.ip + 1] p = toUint(text[self.ip+2:self.ip+6]) self.ip += 6 if 0x10 <= c <= 0x12: print "xorstr key{0}, [{1}], [32]".format(c - 0x10, hex(p)) else: print "xorstr [{0}], [32]".format(hex(p)) def run(self): ops = [self.cmdA0, self.cmdA1, self.cmdA2, self.cmdA3, self.cmdA4, self.cmdA5, self.cmdA6, self.cmdA7, self.cmdA8, self.cmdA9, self.cmdAA] while self.ip < len(text): c = text[self.ip] ops[c - 0xA0]()ctx = Context()ctx.run()
运行结果
xorstr [0x120], [32]xorstr [0x140], [32]mov r0, 0x0out [r0]mov r0, 0xf0out [r0]mov r0, 0x160in [r0]xorstr key1, [0x80], [32]xorstr key0, [0x60], [32]xorstr key2, [0xb0], [32]check [r0]equb r0, [0xea]jne +0xemov r0, 0x120mov r1, 0x110msg [r0], [r1]exitmov r0, 0x140mov r1, 0x110msg [r0], [r1]exit
看雪CTF第八题
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。