GeekPWN2020-部分re

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

......  
int main()  
{  
    char s[40];  
    scanf("%s", s);  
    if(sub_848(s) == 0)  
        printf("Right\n");  
    else  
        printf("Wrong\n");  
}  

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

import angr, sys  
  
def is_successful(state):  
    stdout_output = state.posix.dumps(sys.stdout.fileno()) # (1)  
    if b'Right' in stdout_output: # (2)  
        return True # (3)  
    else:  
        return False  
  
def should_abort(state):  
    stdout_output = state.posix.dumps(sys.stdout.fileno())     
    if b'Wrong' in  stdout_output:  
        return True  
    else:  
        return False  
  
def main():  
    filename = "test"  
    proj = angr.Project(filename)  
    initial_state = proj.factory.entry_state()  
    simgr = proj.factory.simgr(initial_state)  
    simgr.explore(find=is_successful, avoid=should_abort)  
    if simgr.found:  
        solution = simgr.found[0]  
        print(solution.posix.dumps(sys.stdin.fileno()))  
  
if __name__ == "__main__":  
    main()  

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

consts = xxx  
j = 0  
for i in range(0, 32, 8):  
    a=consts^(flag[i] | (flag[i+2]<<8))  
    buf[j]=(a&0xffff)^nums[j]  
    j = j + 1  
    b=consts^(flag[i+1] | (flag[i+3]<<8))  
    buf[j]=(b&0xffff)^nums[j]  
    j = j + 1  
    c=consts^(flag[i+7] | (flag[i+4]<<8))  
    buf[j]=(c&0xffff)^nums[j]  
    j = j + 1  
    d=consts^(flag[i+6] | flag[i+5] << 8)  
    buf[j]=(d&0xffff)^nums[j]  
    j = j + 1  
    consts=consts ^ buf[j-1] ^ buf[j-2] ^ buf[j-3] ^ buf[j-4]  
  
a=consts^(flag[32] | flag[35]<< 8)^0xFFFFBF9E  
buf[j]=(a&0xffff)  
j = j + 1  
a = (flag[33] << 8 | flag[34]) ^ consts ^ 0xFA2C  
buf[j]=(a&0xffff)  

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

#coding=utf-8  
from unicorn import *  
from unicorn.x86_const import *  
  
mu = Uc (UC_ARCH_X86, UC_MODE_64)  
  
BASE = 0x400000  
STACK_ADDR = 0x0  
STACK_SIZE = 1024*1024  
mu.mem_map(BASE, 1024*1024) # 初始化存储空间  
mu.mem_map(STACK_ADDR, STACK_SIZE) # 初始化栈空间  
  
mu.mem_write(BASE, read("./babyre")) # 加载程序  
mu.reg_write(UC_X86_REG_RSP, STACK_ADDR + STACK_SIZE - 1)  
  
def hook_code(mu, address, size, user_data):  
    if address == 0x4054A9:  
        c = mu.reg_read(UC_X86_REG_RBX)  
        print(hex(c))  
  
mu.hook_add(UC_HOOK_CODE, hook_code)  
  
mu.emu_start(0x40546B, 0x4054B0)  

1
2
3
4
5

def HIDWORD(a):  
    b = a & 0xffffffff00000000  
    b = b >> 32  
    return b  
consts = (v5&0xffffffff) ^ ((v5&0xffffffff) >> 16) ^ HIDWORD(v5) ^ (v5 >> 48)  

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

nums = [7107, 2676, 52815, 3666, 54091, 28777, 35367, 10586, 25358, 65063, 6311, 24454, 42823, 33695, 16895, 7107, 49054, 64044]  
  
enc = [55568, 49906, 1737, 38871, 50041, 14151, 40283, 30065, 9059, 61980, 19841, 3054, 26730, 6325, 56961, 34785, 23561, 8122]  
  
def dec(consts):  
    const_list = []  
    for i in range(0,16,4):  
        const_list.append(consts)  
        consts=consts^enc[i]^enc[i+1]^enc[i+2]^enc[i+3]  
    const_list.append(consts)  
    j = 0  
    for i in range(4):  
        consts=const_list[i]  
        for j in range(4*i, 4*i+4):  
            enc[j]=enc[j]^nums[j]  
            enc[j]=enc[j]^consts  
            enc[j]=enc[j]&0xffff  
    enc[16] = enc[16] ^ 0xFFFFBF9E  
    enc[16] = enc[16] ^ const_list[-1]  
    enc[16] = enc[16] & 0xffff  
    enc[17] = enc[17] ^ 0xFA2C  
    enc[17] = enc[17] ^ const_list[-1]  
    enc[17] = enc[17] & 0xffff  
  
if __name__ == "__main__":  
    dec(0x64e2fbe3)  
    s = "".join(hex(i)[2:].zfill(2) for i in enc)  
    print(bytes.fromhex(s).decode('utf-8'))