nop
去掉花指令后的main函数如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| int __cdecl main(int a1, char **a2)
{
_BYTE *v2; // eax
sub_804865B(*a2);
puts("input your flag");
__isoc99_scanf("%d", &dword_804A038);
++dword_804A038;
sub_804857B();
++dword_804A038;
sub_80485C4();
dword_804A038 -= 0x33333334;
sub_80485C4();
++dword_804A038;
sub_80485C4();
v2 = sub_8048691((_BYTE *)dword_804A038);
sub_8048691(v2 + 1);
puts("Wrong!");
return 0;
}
|
输入是一个数字,sub_804857B和sub_80485C4都是反调试,sub_8048691会把参数处地址的值改为0x90,就是nop,调用了两次可以nop两个字节,所以可以把下面:
1
2
3
4
5
6
7
8
9
10
11
| .text:08048763 EB 00 jmp short $+2
.text:08048765 ; ---------------------------------------------------------------------------
.text:08048765
.text:08048765 loc_8048765: ; CODE XREF: main+C7↑j
.text:08048765 EB 12 jmp short loc_8048779
.text:08048767 ; ---------------------------------------------------------------------------
.text:08048767 83 EC 0C sub esp, 0Ch
.text:0804876A 68 35 88 04 08 push offset format ; "Right"
.text:0804876F E8 8C FC FF FF call _printf
.text:08048774 83 C4 10 add esp, 10h
.text:08048777 EB 10 jmp short loc_8048789
|
8048765处的两字节nop掉,可以输出Right
ManageCode
应该用了c#和cpp联合编译,用dnspy在c#中只能找到flag的格式是111111-111111-111111-11111111111111,但是没看到检测流程
用ida打开可以看到检测的流程,首先将输入转16进制,然后对这个16进制数下访问断点可以到检测的函数,直接解方程。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
| from z3 import *
solver = Solver()
a1 = [Int('s%i' % i) for i in range(16)]
v1 = 1
v2 = a1[0]
v3 = a1[2]
v32 = a1[0]
v29 = a1[2]
v31 = a1[1]
solver.add( -401736 * v2 == -4419096 )
v1 = 0
solver.add( 191967 * a1[1] + 473999 * v2 == 23642821 )
v1 = 0
v4 = 57125 * v2
v5 = a1[3]
v6 = a1[4]
v30 = a1[3]
v28 = a1[4]
solver.add( v4 + 465507 * v31 - 207145 * v3 == 42831307 )
v1 = 0
solver.add( 149773 * v5 + -488633 * v32 - 5245 * v31 - 280749 * v3 == -560637 )
v1 = 0
solver.add( 381790 * v3 + 59135 * v6 + 130415 * v31 + 174205 * v5 - 83562 * v32 == 27764403 )
v1 = 0
v7 = a1[5]
v27 = a1[5]
v8 = 500139 * v6
v9 = v1
solver.add( 386908 * v32 + 465831 * v30 + v8 + 500998 * v7 + 474240 * v3 - 4838 * v31 == 119143813 )
v9 = 0
v10 = a1[6]
v26 = v10
solver.add( 182991 * v30 + -200009 * v31 - 497601 * v32 - 153099 * v10 + 269682 * v28 + -269523 * v7 - 441164 * v29 == -52489521 )
v9 = 0
v11 = a1[7]
v23 = a1[7]
solver.add( -14894 * v11- 162386 * v32+ 522547 * v30+ 260922 * v27+ 428523 * v29+ 508037 * v28- 144626 * v31- 99507 * v10 == 67497415 )
v9 = 0
v12 = a1[8]
v25 = a1[8]
solver.add( 51126 * v29+ 145838 * v11+ 362957 * v28+ 43500 * v31+ 308294 * v32+ -375461 * v30- 174341 * v12- 394061 * v10- 65395 * v27 == -43306962 )
v9 = 0
v13 = a1[9]
v24 = v13
solver.add( 350654 * v32+ 495127 * v28+ 434878 * v11- 75418 * v26- 43467 * v31+ -521005 * v27- 226910 * v12- 215985 * v13- 121973 * v30- 446107 * v29 == -137046349 )
v9 = 0
v14 = a1[10]
v22 = v14
solver.add( -318934 * v31- 25936 * v32- 341583 * v25+ 320416 * v29+ 339525 * v23- 81574 * v28- 502348 * v26- 294177 * v14- 363326 * v30- 391486 * v27- 248464 * v13 == -244744603 )
v9 = 0
v15 = a1[11]
v21 = a1[11]
solver.add( 81654 * v23+ 432919 * v26+ 110106 * v25- 507164 * v29- 467060 * v27+ -384845 * v15- 197253 * v24- 354555 * v31- 16893 * v14- 254110 * v32- 479559 * v30- 50999 * v28 == -214023755 )
v9 = 0
v16 = a1[12]
v20 = v16
solver.add( -117388 * v24- 227694 * v32+ 457647 * v28+ 293306 * v23+ 101385 * v30+ 293124 * v22+ 92941 * v16+ 496679 * v25+ 79854 * v29+ -81913 * v31- 507308 * v27- 3285 * v15- 71736 * v26 == 50059304 )
v9 = 0
v17 = a1[13]
solver.add( 281406 * v29+ 314118 * v28+ -480916 * v23- 124091 * v17- 442447 * v22- 25649 * v32+ 389372 * v16+ 15089 * v30+ 210603 * v26+ 5 * (v25 + 17363 * v27 - 91574 * v21)- 469378 * v24- 117744 * v31 == -176657564 )
v9 = 0
v18 = a1[14]
solver.add( 180059 * v26+ 350603 * v32+ -439557 * v21- 485708 * v29+ 52520 * v24+ 303697 * v28+ 395976 * v22+ 406658 * v27+ -354103 * v17- 61339 * v20- 495692 * v31- 198340 * v30- 28153 * v25- 113385 * v23- 492085 * v18 == -48802225 )
v9 = 0
result = v9
solver.add( 473763 * v25+ 249640 * v26+ 450341 * v30+ 273347 * v17+ 386739 * v31+ 24246 * v27+ 20430 * v21+ 69055 * v28+ 391476 * v22+ 100872 * v23+ 458039 * v20+ 71004 * v24+ -277369 * v29- 482854 * a1[15]- 468152 * v32- 409044 * v18 == 224749784 )
print solver.check()
print solver.model()
# 111111-111111-111111-11111111111111
|
rev
rop控制指令的跳转,调试可以看大具体处理流程,用z3解一下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| #coding=utf-8
from z3 import *
solver = Solver()
a1 = [BitVec('s%i' % i, 8) for i in range(16)]
res = [0x64, 0x25, 0x0F, 0x6C, 0x20, 0x23, 0x8A, 0xDE, 0x10, 0x0E, 0xA5, 0xE1, 0x43, 0x37, 0x11, 0x53]
# s = [ord('1'), ord('5'), ord('9'), ord('d')]
rt = []
for t in range(4):
s = []
for u in range(4):
s.append([a1[t + 4*u]])
for edx in range(1, 5):
eax = s[-1 + edx]
esi = eax * 2
ecx = esi
ecx = ecx ^ 0x1b
eax = edx
eax = eax & 3
ecx = s[eax]
eax = ecx + ecx
ebx = ecx
ebx = ebx ^ 0x1b
ebx = ebx ^ eax
eax = eax ^ ecx
ecx = edx + 1
ebx = edx + 2
ecx = ecx & 3
ebx = ebx & 3
ecx = s[ecx]
ecx = ecx ^ s[ebx]
ecx = ecx ^ esi
eax = eax ^ ecx
rt.append(eax ^ (4*t + edx - 1))
for i in range(len(rt)):
solver.add(rt[i] == res[i])
print solver.check()
print solver.model()
|
Nu1L的wp中用到了angr直接解题,当时我想着用但是不知道怎么输入参数(还是tcl)记录一下
1
2
3
4
5
6
7
8
9
10
11
| import angr,claripy
project = angr.Project("rev_v2")
argv1 = claripy.BVS("argv1",100*8)
initial_state = project.factory.entry_state(args=["./rev_v2",argv1])
simulation = project.factory.simgr(initial_state)
simulation.explore(find=0x400481)
found = simulation.found[0]
solution = found.solver.eval(argv1, cast_to=bytes)
print(repr(solution))
solution = solution[:solution.find(b"\x00")]
print(solution)
|
