比赛弄了半天就做出这一题。
ida载入
图片.png
输入三个数字,进行判断如果符合出flag,向上看函数 400806。
图片.png
看到一个虚拟机。。。硬着头皮上吧。
虚拟机的内容在code文件中
虚拟机执行操作的伪代码
switch(code[i]){
case code[i]==0:
printf("ret");
i+=3;break;
case code[i]==1:
printf("mov number[%d],%lld ",k,code[i+4]<<24+code[i+3]<<16+code[i+2]<<8+code[t+1]);
i+=5;
break;
case code[i]==2:
k--;
printf("%d",k);
t+=1;break;
case code[i]==3:
printf("add str[%d],str[%d]",code[i+1],code[i+2]);
i+=3;break;
case code[i]==4:
printf("sub str[%d],str[%d]",code[i+1],code[i+2]);
i+=3;break;
case code[i]==5:
printf("mul str[%d],%d",code[i+1],code[i+2]);
i+=3;break;
case code[i]==6:
printf("sar str[%d],str[%d]",code[i+1],code[i+2]);
i+=3;
case code[i]==7;
printf("mov str[%d],str[%d]",code[i+1],code[i+2]);
i+=3;break;
case code[i]==8:
printf("mov str[%d],str[%d]",code[i+1],code[i+2]);
i+=3;break;
case code[i]==9:
printf("xor str[%d],str[%d]",code[i+1],code[i+2]);
i+=3;break;
}
return 0;
}
逻辑没错,就是不能执行~
#include<stdio.h>
#include<stdlib.h>
//#define _a 0
//#define _b 1
//#define _c 2
//#define _d 3
//#define _e 4
//#define _f 5
//#define _g 6
//#define _h 7
//#define _i 8
//#define _j 9
int main()
{
long long code[]= {9,4,4,9,0,0,8,1,0,8,2,1,8,3,2,6,1,4,5,1,0x15,7,0,1,4,0,3,1,0x6B,0xCC,0x7E,0x1D,8,1,3,4,0,1,2,0xA,4,0,9,0,0,8,1,0,8,2,1,8,3,2,6,3,8,5,3,3,7,0,3,3,0,2,1,0x7C,0x79,0x79,0x60,8,1,3,4,0,1,2,0xA,4,0,9,0,0,8,1,0,8,2,1,8,3,2,6,1,8,7,0,1,3,0,2,1,0xBD,0xBD,0xBC,0x5F,8,1,3,4,0,1,2,0xA,4,0,0};
int i=0;
int k=2;
int j;
j=sizeof(code);
while(i<j){
if (code[i]==0){
printf("ret\n");
i+=3;
}
else if(code[i]==1){
printf("mov number[%d],%lld \n",k,(code[i+4]<<24)+(code[i+3]<<16)+(code[i+2]<<8)+(code[i+1]));
i+=5;
}
else if(code[i]==2){
k--;
printf("%d\n",k);
i+=1;
}
else if(code[i]==3){
printf("add str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3;
}
else if(code[i]==4){
printf("sub str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3;
}
else if(code[i]==5){
printf("mul str[%d],%d\n",code[i+1],code[i+2]);
i+=3;
}
else if(code[i]==6){
printf("sar str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3;}
else if(code[i]==7){
printf("mov str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3;
}
else if(code[i]==8){
printf("mov str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3;
}
else if(code[i]==9){
printf("xor str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3; }
else if(code[i] == 0xA){
printf( "or str[%d],str[%d]\n",code[i+1],code[i+2]);
i+=3;
}
}
return 0;
}
还是python写脚本好点。。。就因为这个拖了一个小时
xor str[4],str[0]
xor str[0],str[0]
mov str[1],str[0]
mov str[2],str[0]
mov str[3],str[0]
sar str[1],str[0]
mul str[1],0
mov str[0],str[0]
sub str[0],str[0]
mov number[2],494849131
mov str[1],str[0]
sub str[0],str[0]
1
or str[4],str[0]
xor str[0],str[0]
mov str[1],str[0]
mov str[2],str[0]
mov str[3],str[0]
sar str[3],str[0]
mul str[3],0
mov str[0],str[0]
add str[0],str[0]
mov number[1],1618573692
mov str[1],str[0]
sub str[0],str[0]
0
or str[4],str[0]
xor str[0],str[0]
mov str[1],str[0]
mov str[2],str[0]
mov str[3],str[0]
sar str[1],str[0]
mov str[0],str[0]
add str[0],str[0]
mov number[0],1606204861
mov str[1],str[0]
sub str[0],str[0]
-1
or str[4],str[0]
ret
z3跑出结果
from z3 import *
import claripy
s = claripy.Solver()
x = claripy.BVS("x", 32)
y = claripy.BVS("y", 32)
z = claripy.BVS("z", 32)
s.add((x/16)*0x15-z == 0x1d7ecc6b)
s.add((z/256)*3+y == 0x6079797c)
s.add((x/256)+y == 0x5fbcbdbd)
s.add(x&0xff==0x5e)
s.add(y&0xff0000==0x5e0000)
s.add(z&0xff==0x5e)
res = s.batch_eval([x, y, z], 3)
print res
FLAG : X-NUCA{5e5f5e5e5f5e5e5f5e5e5f5e}
网友评论