DDCTF2018-黑盒破解 详细WP
分析直接在IDA中打开,找到 main 函数程序一开始需要我们输入一串 10 位长的密码,然后拼接字符串成 “flag-****.txt” 的形式,然后打开这个文件,读入数据到内存。实际上这个就是 flag 文件,只有当满足后续条件时,程序就会打印出来。这个条件就是输入一段passcode,让程序输出 “Binggo” 。大致看上去,后面的这几个函数是与虚拟机有关的。作者自己编...
分析
-
直接在IDA中打开,找到 main 函数
-
程序一开始需要我们输入一串 10 位长的密码,然后拼接字符串成 “flag-****.txt” 的形式,然后打开这个文件,读入数据到内存。实际上这个就是 flag 文件,只有当满足后续条件时,程序就会打印出来。这个条件就是输入一段passcode,让程序输出 “Binggo” 。
-
大致看上去,后面的这几个函数是与虚拟机有关的。作者自己编写了一套简易的虚拟机,用户输入的 passcode 就是虚拟机执行的代码。我已经重定义了部分函数名,现在重点关注Dispatcher 这个函数。
-
这是虚拟机的 分派函数 ,主要工作就是根据输入的操作码跳转到对应的 操作函数 里执行。观察第二个 for 循环,可以猜测出一共有 9 种 操作函数。现在我们想要知道哪一种字符对应哪一种操作。先动态调试,然后找出 *(a1 + *(a1 + 4 * (j + 72LL) + 8) + 408) ,j 从 0 变化到 8 的所有数据,然后再找到所有满足条件的 v2 的取值。
-
这一步的 IDC脚本 为
auto j; auto a1=0x18d8440; for(j=0;j<=8;j++){ Message("0x%x,",Byte(a1+Byte(a1+4*(j+72)+8)+408)); }
-
再将 byte_603900 的数据也 dump 下来,转用python处理。 python脚本 为
data=[0x2,0x0,0x0,0xe,0x16,0x54,0x20,0x18,0x11,0x45,0x50,0x59,0x58,0x53,0x0,0x8,0x44,0x2d,0x46,0x39,0x0,0x54,0x42,0x1,0x3c,0xf,0x0,0x7,0x17,0x0,0x56,0x21,0x0,0x37,0x6d,0x2b,0x2a,0x6e,0x59,0x5d,0x47,0x3a,0x4a,0x34,0x44,0x48,0x43,0x6c,0x3f,0x59,0x25,0x33,0x55,0x2f,0x31,0x68,0x27,0x34,0x7c,0x28,0x67,0x59,0x0,0x52,0x0,0x26,0x0,0x3e,0x56,0x4e,0x33,0x21,0x45,0x6d,0x60,0x39,0x46,0x72,0x6d,0x4d,0x54,0x40,0x0,0x74,0x57,0x73,0x72,0x7a,0x47,0x45,0x0,0x71,0x0,0x4a,0x35,0x70,0x3b,0x36,0x2e,0x26,0x2c,0x6c,0x4a,0x0,0x7c,0x63,0x35,0x57,0x4d,0x41,0x43,0x62,0x0,0x68,0x37,0x0,0x5a,0x6a,0x6b,0x7c,0x29,0x69,0x4c,0x70,0x50,0x71,0x26,0x36,0x3c,0x6,0x1b,0x0,0x3c,0x30,0x0,0x0,0x0,0x4c,0xb,0x4b,0x48,0x8,0x54,0x47,0x12,0x9,0x24,0x0,0x0,0x24,0x40,0xd,0x39,0x6,0x5c,0x2c,0x1a,0x2d,0xa,0x38,0x35,0x37,0x16,0x3b,0x0,0x24,0x48,0x0,0x49,0x0,0x37,0x8,0x1f,0x24,0x45,0x1d,0x11,0x40,0x2f,0x4a,0x8,0x15,0x0,0x11,0x0,0x1a,0x22,0x41,0x52,0x5b,0xb,0x45,0x31,0x19,0x43,0x19,0x1e,0xa,0x21,0x5,0x4d,0x59,0x38,0x34,0x9,0x36,0x2f,0x43,0x2,0x53,0x12,0x2f,0x4c,0x21,0xd,0x3c,0x31,0x2e,0x37,0x8,0x30,0x29,0x32,0x2f,0x0,0x1a,0x14,0x41,0x53,0x15,0x21,0x0,0x8,0x13,0x38,0x5c,0x36,0x3b,0x50,0x0,0x2f,0x1e,0x57,0x0,0x30,0x2e,0xc,0x2e,0x37,0x52,0x1c,0x33,0x34,0x11,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0] inpt=[0x2a,0x27,0x3e,0x5a,0x3f,0x4e,0x6a,0x2b,0x28] indx=[] for ch in inpt: indx.append(chr(data.index(ch))) print indx
-
得到调用相关操作函数的字符串有
[’$’, ‘8’, ‘C’, ‘t’, ‘0’, ‘E’, ‘u’, ‘#’, ‘;’] -
动态调试中,发现
*(a1 + 672) = *(a1 + 8 * (*(a1 + 4 * (j + 72LL) + 8) + 84LL) + 8); (*(a1 + 672))(a1);
-
先修改函数地址的最低一个字节,然后调用该地址。到这里有两种方法可以找出这9个操作函数:
1.回到 main 函数中,对 correct 变量进行交叉引用,就时会来到修改它的函数中,再对该函数进行一次交叉引用就来到了函数列表中。
2.重新调试,输入上面得到的9个字符,动态跟踪也行
-
函数列表
-
结合动态分析可以得出字符与操作函数的对应关系:
$->sub_400DC1 8->sub_400E7A C->sub_400F3A t->sub_401064 0->sub_4011C9 E->sub_40133D u->sub_4012F3 #->sub_4014B9 ;->sub_400CF1
-
审计一下这些函数,为了方便阅读。令
a1+288=index a1+292=index_max *(_BYTE *)(*(_QWORD *)(a1 + 280) + *(signed int *)(a1 + 288) + *(_QWORD *)a1)=data[index] *(char *)(a1 + 664)=input[i] *(_BYTE *)(a1 + 665) =tmp *(*(a1 + 8) + *(a1 + 288))=data[index]
-
这些都可以通过动态调试得到他们的对应关系,这样我们就可以清晰地了解这9个操作函数的作用了,分别是
$->sub_400DC1:tmp=data[index] 8->sub_400E7A:data[index]=tmp C->sub_400F3A:tmp+=input[i]-33 t->sub_401064:tmp-=input[i]+33 0->sub_4011C9:++index E->sub_40133D:check u->sub_4012F3:--index #->sub_4014B9:data[index]=input[index+input[i]-48]-49 ;->sub_400CF1: for(int j=0;j<input[i];j++) ++index data[index]=input[index+input[i]-48]-49
-
从 sub_40133D 这个函数中,可以知道我们要使程序将 “data[20]= ‘PaF0!&Prv}H{ojDQ#7v=’ ” 变为 “Binggo” 才能得到flag。
-
我是从头开始构造passcode的,过程如下:
首先是 $,使得 tmp=data[index],此时 index=0 ,就会得到 tmp=‘P’ 。此时我们观察 P的 ASCII 是 80 , B 的 ASCII 是 66 , P > B ,选择 t 操作。此时,再来计算一下这个方程:
80-input[i]+33=66 ,得到 input[i]=‘/’ ,所以将 P 转为 B 的 passcode:$t/80 -
同理得到
a -> i: $C)80 F->n:$CI80 0->g:$CX80 !->g:$Cg80 &->o:$Cj80
-
注意字符串末尾是 NULL ,但不能用前面的构造方式,因为 sub_400F3A 得到的是不可见字符,而 sub_401064 有 NULL 的检查
-
只能选用 sub_4014B9 操作,所以完整的passcode如下:
$t/80$C)80$CI80$CX80$Cg80$Cj80#J1uuuuuuEs
总结
- VM 的运作流程:分派器(dispatcher)解析字节码(bytecode),调用对应的操作函数(handler)。
- VM 一般的结构包含:寄存器,堆栈,操作函数,字节码
- 逆向 VM 时,先要整体感知其结构,明确字节码对应的操作,以及每个操作都做些什么,这常常需要多多调试。所以可见VM 逆向是非常磨人的 orz ヽ(´¬`)ノ
更多推荐
所有评论(0)