menu 牢记自己是菜
GACTF2020其余题目的复现与学习
774 浏览 | 2020-09-02 | 阅读时间: 约 3 分钟 | 分类: XCTF比赛 | 标签:
请注意,本文编写于 633 天前,最后修改于 633 天前,其中某些信息可能已经过时。

0x1 前言

没有前言,简单的复现。


0x2 EasyRe

一个VM,比赛的时候懒得使用IDA进行动态调试,但是忘记了一件很重要的事情,就是IDA的动态调试是支持F5的。而gdb只能看汇编,导致效率直线下降,好在子洋师傅靠谱,很迅速的完成了这道题目,把我从苦痛中解放出来。比赛后的复现将采用IDA动调的方式,毕竟IDA才是逆向选手的爸爸(误)。比赛的时候已经注意到0x8048838这个地方应该是指令集了,这是gdb下搞出来的汇编:

   0x08048838:    55    push   ebp
   0x08048839:    89 e5    mov    ebp,esp
   0x0804883b:    53    push   ebx
   0x0804883c:    83 ec 34    sub    esp,0x34
   0x0804883f:    8b 45 08    mov    eax,DWORD PTR [ebp+0x8]
   0x08048842:    89 45 d4    mov    DWORD PTR [ebp-0x2c],eax
   0x08048845:    65 a1 14 00 00 00    mov    eax,gs:0x14
   0x0804884b:    89 45 f4    mov    DWORD PTR [ebp-0xc],eax
   0x0804884e:    31 c0    xor    eax,eax
   0x08048850:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]     //返回跳转至这里
   0x08048853:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048856:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048859:    3c 71    cmp    al,0x71                                          //0x71
   0x0804885b:    75 2f    jne    0x804888c
   0x0804885d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048860:    8b 40 18    mov    eax,DWORD PTR [eax+0x18]
   0x08048863:    8d 50 fc    lea    edx,[eax-0x4]
   0x08048866:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048869:    89 50 18    mov    DWORD PTR [eax+0x18],edx
   0x0804886c:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804886f:    8b 40 18    mov    eax,DWORD PTR [eax+0x18]
   0x08048872:    8b 55 d4    mov    edx,DWORD PTR [ebp-0x2c]
   0x08048875:    8b 52 20    mov    edx,DWORD PTR [edx+0x20]
   0x08048878:    8b 52 01    mov    edx,DWORD PTR [edx+0x1]
   0x0804887b:    89 10    mov    DWORD PTR [eax],edx
   0x0804887d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048880:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048883:    8d 50 05    lea    edx,[eax+0x5]
   0x08048886:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048889:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x0804888c:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804888f:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048892:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048895:    3c 41    cmp    al,0x41                                              //0x41 ADD
   0x08048897:    75 23    jne    0x80488bc
   0x08048899:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804889c:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x0804889f:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488a2:    8b 40 08    mov    eax,DWORD PTR [eax+0x8]
   0x080488a5:    01 c2    add    edx,eax
   0x080488a7:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488aa:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x080488ad:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488b0:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080488b3:    8d 50 01    lea    edx,[eax+0x1]
   0x080488b6:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488b9:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x080488bc:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488bf:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080488c2:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x080488c5:    3c 42    cmp    al,0x42                                           //0x42   sub
   0x080488c7:    75 23    jne    0x80488ec
   0x080488c9:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488cc:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x080488cf:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488d2:    8b 40 10    mov    eax,DWORD PTR [eax+0x10]
   0x080488d5:    29 c2    sub    edx,eax
   0x080488d7:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488da:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x080488dd:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488e0:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080488e3:    8d 50 01    lea    edx,[eax+0x1]
   0x080488e6:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488e9:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x080488ec:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488ef:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080488f2:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x080488f5:    3c 43    cmp    al,0x43                                       //C  0x43 *
   0x080488f7:    75 24    jne    0x804891d
   0x080488f9:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080488fc:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x080488ff:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048902:    8b 40 0c    mov    eax,DWORD PTR [eax+0xc]
   0x08048905:    0f af d0    imul   edx,eax
   0x08048908:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804890b:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x0804890e:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048911:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048914:    8d 50 01    lea    edx,[eax+0x1]
   0x08048917:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804891a:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x0804891d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048920:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048923:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048926:    3c 44    cmp    al,0x44                                        //D  0x44  div
   0x08048928:    75 2a    jne    0x8048954
   0x0804892a:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804892d:    8b 40 04    mov    eax,DWORD PTR [eax+0x4]
   0x08048930:    8b 55 d4    mov    edx,DWORD PTR [ebp-0x2c]
   0x08048933:    8b 5a 14    mov    ebx,DWORD PTR [edx+0x14]
   0x08048936:    ba 00 00 00 00    mov    edx,0x0
   0x0804893b:    f7 f3    div    ebx
   0x0804893d:    89 c2    mov    edx,eax
   0x0804893f:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048942:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048945:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048948:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x0804894b:    8d 50 01    lea    edx,[eax+0x1]
   0x0804894e:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048951:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048954:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048957:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x0804895a:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x0804895d:    3c 80    cmp    al,0x80                                          //0x80 
   0x0804895f:    75 33    jne    0x8048994
   0x08048961:    8b 5d d4    mov    ebx,DWORD PTR [ebp-0x2c]
   0x08048964:    83 ec 08    sub    esp,0x8
   0x08048967:    6a 01    push   0x1
   0x08048969:    ff 75 d4    push   DWORD PTR [ebp-0x2c]
   0x0804896c:    e8 7e fe ff ff    call   0x80487ef
   0x08048971:    83 c4 10    add    esp,0x10
   0x08048974:    c1 e0 02    shl    eax,0x2
   0x08048977:    8d 14 03    lea    edx,[ebx+eax*1]
   0x0804897a:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x0804897d:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048980:    8b 40 02    mov    eax,DWORD PTR [eax+0x2]
   0x08048983:    89 02    mov    DWORD PTR [edx],eax
   0x08048985:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048988:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x0804898b:    8d 50 06    lea    edx,[eax+0x6]
   0x0804898e:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048991:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048994:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048997:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x0804899a:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x0804899d:    3c 77    cmp    al,0x77                                          //0x77 w
   0x0804899f:    75 23    jne    0x80489c4
   0x080489a1:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489a4:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x080489a7:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489aa:    8b 40 24    mov    eax,DWORD PTR [eax+0x24]
   0x080489ad:    31 c2    xor    edx,eax
   0x080489af:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489b2:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x080489b5:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489b8:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080489bb:    8d 50 01    lea    edx,[eax+0x1]
   0x080489be:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489c1:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x080489c4:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489c7:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080489ca:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x080489cd:    3c 53    cmp    al,0x53                                         //S putchr(??)
   0x080489cf:    75 27    jne    0x80489f8
   0x080489d1:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489d4:    8b 40 0c    mov    eax,DWORD PTR [eax+0xc]
   0x080489d7:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x080489da:    0f be c0    movsx  eax,al
   0x080489dd:    83 ec 0c    sub    esp,0xc
   0x080489e0:    50    push   eax
   0x080489e1:    e8 0a fc ff ff    call   0x80485f0 <putchar@plt>
   0x080489e6:    83 c4 10    add    esp,0x10
   0x080489e9:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489ec:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080489ef:    8d 50 02    lea    edx,[eax+0x2]
   0x080489f2:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489f5:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x080489f8:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x080489fb:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x080489fe:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048a01:    3c 22    cmp    al,0x22                                       //0x22 逻辑右移
   0x08048a03:    75 25    jne    0x8048a2a
   0x08048a05:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a08:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x08048a0b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a0e:    8b 40 08    mov    eax,DWORD PTR [eax+0x8]
   0x08048a11:    89 c1    mov    ecx,eax
   0x08048a13:    d3 ea    shr    edx,cl
   0x08048a15:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a18:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048a1b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a1e:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048a21:    8d 50 01    lea    edx,[eax+0x1]
   0x08048a24:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a27:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048a2a:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a2d:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048a30:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048a33:    3c 23    cmp    al,0x23                                                //0x23 逻辑左移
   0x08048a35:    75 25    jne    0x8048a5c
   0x08048a37:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a3a:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x08048a3d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a40:    8b 40 08    mov    eax,DWORD PTR [eax+0x8]
   0x08048a43:    89 c1    mov    ecx,eax
   0x08048a45:    d3 e2    shl    edx,cl
   0x08048a47:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a4a:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048a4d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a50:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048a53:    8d 50 01    lea    edx,[eax+0x1]
   0x08048a56:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a59:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048a5c:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a5f:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048a62:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048a65:    3c 99    cmp    al,0x99                                                   //0x99 
   0x08048a67:    0f 84 5d 03 00 00    je     0x8048dca                                  //退出报错
   0x08048a6d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a70:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048a73:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048a76:    3c 76    cmp    al,0x76                                             //0x76
   0x08048a78:    75 38    jne    0x8048ab2
   0x08048a7a:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a7d:    8b 40 18    mov    eax,DWORD PTR [eax+0x18]
   0x08048a80:    8b 10    mov    edx,DWORD PTR [eax]
   0x08048a82:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a85:    89 50 0c    mov    DWORD PTR [eax+0xc],edx
   0x08048a88:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a8b:    8b 40 18    mov    eax,DWORD PTR [eax+0x18]
   0x08048a8e:    c7 00 00 00 00 00    mov    DWORD PTR [eax],0x0
   0x08048a94:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048a97:    8b 40 18    mov    eax,DWORD PTR [eax+0x18]
   0x08048a9a:    8d 50 04    lea    edx,[eax+0x4]
   0x08048a9d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048aa0:    89 50 18    mov    DWORD PTR [eax+0x18],edx
   0x08048aa3:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048aa6:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048aa9:    8d 50 05    lea    edx,[eax+0x5]
   0x08048aac:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048aaf:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048ab2:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ab5:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048ab8:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048abb:    3c 54    cmp    al,0x54                                                   //0x54 getchar
   0x08048abd:    75 24    jne    0x8048ae3
   0x08048abf:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ac2:    8b 40 0c    mov    eax,DWORD PTR [eax+0xc]
   0x08048ac5:    89 45 e0    mov    DWORD PTR [ebp-0x20],eax
   0x08048ac8:    e8 b3 fa ff ff    call   0x8048580 <getchar@plt>
   0x08048acd:    89 c2    mov    edx,eax
   0x08048acf:    8b 45 e0    mov    eax,DWORD PTR [ebp-0x20]
   0x08048ad2:    88 10    mov    BYTE PTR [eax],dl
   0x08048ad4:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ad7:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048ada:    8d 50 02    lea    edx,[eax+0x2]
   0x08048add:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ae0:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048ae3:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ae6:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048ae9:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048aec:    3c 30    cmp    al,0x30                                                     //0x30 |
   0x08048aee:    75 23    jne    0x8048b13
   0x08048af0:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048af3:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x08048af6:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048af9:    8b 40 08    mov    eax,DWORD PTR [eax+0x8]
   0x08048afc:    09 c2    or     edx,eax
   0x08048afe:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b01:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048b04:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b07:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b0a:    8d 50 01    lea    edx,[eax+0x1]
   0x08048b0d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b10:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048b13:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b16:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b19:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048b1c:    3c 31    cmp    al,0x31                                                   //0x31 and
   0x08048b1e:    75 23    jne    0x8048b43
   0x08048b20:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b23:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x08048b26:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b29:    8b 40 08    mov    eax,DWORD PTR [eax+0x8]
   0x08048b2c:    21 c2    and    edx,eax
   0x08048b2e:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b31:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048b34:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b37:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b3a:    8d 50 01    lea    edx,[eax+0x1]
   0x08048b3d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b40:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048b43:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b46:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b49:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048b4c:    3c 09    cmp    al,0x9                                                           //0x9 初始化
   0x08048b4e:    75 1b    jne    0x8048b6b
   0x08048b50:    8b 15 8c b2 04 08    mov    edx,DWORD PTR ds:0x804b28c
   0x08048b56:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b59:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048b5c:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b5f:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b62:    8d 50 01    lea    edx,[eax+0x1]
   0x08048b65:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b68:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048b6b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b6e:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b71:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048b74:    3c 10    cmp    al,0x10                                                         //0x10
   0x08048b76:    75 1b    jne    0x8048b93
   0x08048b78:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b7b:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x08048b7e:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b81:    89 50 24    mov    DWORD PTR [eax+0x24],edx
   0x08048b84:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b87:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b8a:    8d 50 01    lea    edx,[eax+0x1]
   0x08048b8d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b90:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048b93:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048b96:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048b99:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048b9c:    3c 11    cmp    al,0x11                                               //0x11
   0x08048b9e:    75 26    jne    0x8048bc6
   0x08048ba0:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ba3:    8b 40 04    mov    eax,DWORD PTR [eax+0x4]
   0x08048ba6:    83 ec 08    sub    esp,0x8
   0x08048ba9:    50    push   eax
   0x08048baa:    68 0c 92 04 08    push   0x804920c             "%P"
   0x08048baf:    e8 bc f9 ff ff    call   0x8048570 <printf@plt>
   0x08048bb4:    83 c4 10    add    esp,0x10
   0x08048bb7:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048bba:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048bbd:    8d 50 01    lea    edx,[eax+0x1]
   0x08048bc0:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048bc3:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048bc6:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048bc9:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048bcc:    0f b6 00    movzx  eax,BYTE PTR [eax]                        //虚拟机取操作   
   0x08048bcf:    3c a0    cmp    al,0xa0                                                 //0xa0
   0x08048bd1:    75 28    jne    0x8048bfb
   0x08048bd3:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048bd6:    8b 40 04    mov    eax,DWORD PTR [eax+0x4]
   0x08048bd9:    3d 00 d1 f8 26    cmp    eax,0x26f8d100             //很像判断
   0x08048bde:    75 11    jne    0x8048bf1
   0x08048be0:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048be3:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048be6:    8d 50 01    lea    edx,[eax+0x1]
   0x08048be9:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048bec:    89 50 20    mov    DWORD PTR [eax+0x20],edx
   0x08048bef:    eb 0a    jmp    0x8048bfb                                       //重头开始
   0x08048bf1:    83 ec 0c    sub    esp,0xc
   0x08048bf4:    6a 00    push   0x0
   0x08048bf6:    e8 c5 f9 ff ff    call   0x80485c0 <exit@plt>

   0x08048bfb:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048bfe:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048c01:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048c04:    3c a1    cmp    al,0xa1                                                     //0xa1 打印print("flag:")并且读入数据检验长度
   0x08048c06:    75 52    jne    0x8048c5a
   0x08048c08:    83 ec 0c    sub    esp,0xc
   0x08048c0b:    68 10 92 04 08    push   0x8049210                            //flag
   0x08048c10:    e8 5b f9 ff ff    call   0x8048570 <printf@plt>       //print("flag:")
   0x08048c15:    83 c4 10    add    esp,0x10
   0x08048c18:    83 ec 04    sub    esp,0x4
   0x08048c1b:    6a 28    push   0x28
   0x08048c1d:    68 e0 b2 04 08    push   0x804b2e0
   0x08048c22:    6a 00    push   0x0
   0x08048c24:    e8 37 f9 ff ff    call   0x8048560 <read@plt>
   0x08048c29:    83 c4 10    add    esp,0x10
   0x08048c2c:    83 ec 0c    sub    esp,0xc
   0x08048c2f:    68 e0 b2 04 08    push   0x804b2e0                           //flag内存地址
   0x08048c34:    e8 97 f9 ff ff    call   0x80485d0 <strlen@plt>
   0x08048c39:    83 c4 10    add    esp,0x10
   0x08048c3c:    83 f8 21    cmp    eax,0x21                                                //len(flag)!=0x21 33
   0x08048c3f:    74 0a    je     0x8048c4b
   0x08048c41:    83 ec 0c    sub    esp,0xc                                                     
   0x08048c44:    6a 00    push   0x0
   0x08048c46:    e8 75 f9 ff ff    call   0x80485c0 <exit@plt>           //exit()
   0x08048c4b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]                 //长度判断符合规则
   0x08048c4e:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]                 //[[ebp-0x2c]+0x20]+0x1
   0x08048c51:    8d 50 01    lea    edx,[eax+0x1]
   0x08048c54:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c57:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048c5a:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c5d:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048c60:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048c63:    3c b1    cmp    al,0xb1                                                    //0xb1 加载函数
   0x08048c65:    75 1b    jne    0x8048c82
   0x08048c67:    8b 15 a0 b2 04 08    mov    edx,DWORD PTR ds:0x804b2a0  //?下一个地址
   0x08048c6d:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c70:    89 50 24    mov    DWORD PTR [eax+0x24],edx
   0x08048c73:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c76:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048c79:    8d 50 01    lea    edx,[eax+0x1]                                      
   0x08048c7c:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c7f:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048c82:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c85:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048c88:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048c8b:    3c b2    cmp    al,0xb2                                                  //0xb2 
   0x08048c8d:    75 1b    jne    0x8048caa
   0x08048c8f:    8b 15 a4 b2 04 08    mov    edx,DWORD PTR ds:0x804b2a4
   0x08048c95:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c98:    89 50 24    mov    DWORD PTR [eax+0x24],edx
   0x08048c9b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048c9e:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048ca1:    8d 50 01    lea    edx,[eax+0x1]
   0x08048ca4:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ca7:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048caa:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048cad:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048cb0:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048cb3:    3c a4    cmp    al,0xa4                                           //0xa4
   0x08048cb5:    75 37    jne    0x8048cee
   0x08048cb7:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048cba:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048cbd:    83 c0 01    add    eax,0x1
   0x08048cc0:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048cc3:    0f b6 c0    movzx  eax,al
   0x08048cc6:    89 45 e4    mov    DWORD PTR [ebp-0x1c],eax
   0x08048cc9:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ccc:    8b 40 04    mov    eax,DWORD PTR [eax+0x4]
   0x08048ccf:    89 45 e8    mov    DWORD PTR [ebp-0x18],eax
   0x08048cd2:    8b 55 e8    mov    edx,DWORD PTR [ebp-0x18]
   0x08048cd5:    8b 45 e4    mov    eax,DWORD PTR [ebp-0x1c]
   0x08048cd8:    89 14 85 a0 b2 04 08    mov    DWORD PTR [eax*4+0x804b2a0],edx    //?存入函数
   0x08048cdf:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ce2:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048ce5:    8d 50 04    lea    edx,[eax+0x4]
   0x08048ce8:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048ceb:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048cee:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048cf1:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048cf4:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048cf7:    3c b3    cmp    al,0xb3                                           //加载
   0x08048cf9:    75 1b    jne    0x8048d16
   0x08048cfb:    8b 15 a8 b2 04 08    mov    edx,DWORD PTR ds:0x804b2a8
   0x08048d01:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d04:    89 50 24    mov    DWORD PTR [eax+0x24],edx
   0x08048d07:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d0a:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d0d:    8d 50 01    lea    edx,[eax+0x1]
   0x08048d10:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d13:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048d16:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d19:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d1c:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048d1f:    3c b4    cmp    al,0xb4                                                            //0xb4
   0x08048d21:    75 1b    jne    0x8048d3e
   0x08048d23:    8b 15 ac b2 04 08    mov    edx,DWORD PTR ds:0x804b2ac  //加载
   0x08048d29:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d2c:    89 50 24    mov    DWORD PTR [eax+0x24],edx
   0x08048d2f:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d32:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d35:    8d 50 01    lea    edx,[eax+0x1]
   0x08048d38:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d3b:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048d3e:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d41:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d44:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048d47:    3c c1    cmp    al,0xc1                                                   //?存入
   0x08048d49:    75 35    jne    0x8048d80
   0x08048d4b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d4e:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d51:    83 c0 01    add    eax,0x1
   0x08048d54:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048d57:    0f b6 c0    movzx  eax,al
   0x08048d5a:    89 45 ec    mov    DWORD PTR [ebp-0x14],eax
   0x08048d5d:    8b 45 ec    mov    eax,DWORD PTR [ebp-0x14]
   0x08048d60:    05 e0 b2 04 08    add    eax,0x804b2e0
   0x08048d65:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048d68:    0f b6 d0    movzx  edx,al
   0x08048d6b:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d6e:    89 50 04    mov    DWORD PTR [eax+0x4],edx
   0x08048d71:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d74:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d77:    8d 50 02    lea    edx,[eax+0x2]
   0x08048d7a:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d7d:    89 50 20    mov    DWORD PTR [eax+0x20],edx

   0x08048d80:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d83:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d86:    0f b6 00    movzx  eax,BYTE PTR [eax]
   0x08048d89:    3c c2    cmp    al,0xc2                                                  //0xc2
   0x08048d8b:    0f 85 bf fa ff ff    jne    0x8048850
   0x08048d91:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048d94:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048d97:    83 c0 01    add    eax,0x1
   0x08048d9a:    8b 00    mov    eax,DWORD PTR [eax]
   0x08048d9c:    89 45 f0    mov    DWORD PTR [ebp-0x10],eax
   0x08048d9f:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048da2:    8b 50 04    mov    edx,DWORD PTR [eax+0x4]
   0x08048da5:    8b 45 f0    mov    eax,DWORD PTR [ebp-0x10]
   0x08048da8:    39 c2    cmp    edx,eax                                       //edx?=eax  可能为判断指令是否取完
   0x08048daa:    74 0a    je     0x8048db6                                    //退出
   0x08048dac:    83 ec 0c    sub    esp,0xc
   0x08048daf:    6a 00    push   0x0
   0x08048db1:    e8 0a f8 ff ff    call   0x80485c0 <exit@plt>
   0x08048db6:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]   //不退出跳转
   0x08048db9:    8b 40 20    mov    eax,DWORD PTR [eax+0x20]
   0x08048dbc:    8d 50 05    lea    edx,[eax+0x5]
   0x08048dbf:    8b 45 d4    mov    eax,DWORD PTR [ebp-0x2c]
   0x08048dc2:    89 50 20    mov    DWORD PTR [eax+0x20],edx
   0x08048dc5:    e9 86 fa ff ff    jmp    0x8048850              //去指令继续跳转
   0x08048dca:    90    nop
   0x08048dcb:    90    nop
   0x08048dcc:    8b 45 f4    mov    eax,DWORD PTR [ebp-0xc]
   0x08048dcf:    65 33 05 14 00 00 00    xor    eax,DWORD PTR gs:0x14
   0x08048dd6:    74 05    je     0x8048ddd
   0x08048dd8:    e8 b3 f7 ff ff    call   0x8048590 <__stack_chk_fail@plt>
   0x08048ddd:    8b 5d fc    mov    ebx,DWORD PTR [ebp-0x4]
   0x08048de0:    c9    leave  

是不是看起来很恶心,那我们这次使用IDA试一下。在目标处打上断点,创建函数,直接F5。emmmmm由此观之能用IDA的时候最好不要偷懒。舒适~

int __cdecl sub_8048838(_DWORD *a1)
{
  _BYTE *v1; // ST28_4
  int result; // eax
  unsigned int v3; // et1
  int v4; // [esp-Ch] [ebp-44h]
  int v5; // [esp-8h] [ebp-40h]
  int v6; // [esp-4h] [ebp-3Ch]
  unsigned int v7; // [esp+2Ch] [ebp-Ch]

  v7 = __readgsdword(0x14u);
  while ( 1 )                               //VM取指令的标志
  {
    if ( *a1[8] == 113 )                    //a1[8]操作码                    
    {
      a1[6] -= 4;
      *a1[6] = *(a1[8] + 1);              //可能是一个取值
      a1[8] += 5;
    }
    if ( *a1[8] == 65 )                   //a[1]=a[1]+a[2]
    {
      a1[1] += a1[2];                      //add操作
      ++a1[8];
    }
    if ( *a1[8] == 66 )                    //sub操作
    {
      a1[1] -= a1[4];                      //a1[1]=a[1]-a[4]
      ++a1[8];
    }
    if ( *a1[8] == 67 )                    //乘操作
    {
      a1[1] *= a1[3];                      //a1[1]=a[1]*a[3]
      ++a1[8];
    }
    if ( *a1[8] == 68 )                    //dev操作
    {
      a1[1] /= a1[5];                      //a1[1]=a1[1]/a1[5]
      ++a1[8];
    }
    if ( *a1[8] == -128 )                 //
    {
      a1[(unk_80487EF)(a1, 1)] = *(a1[8] + 2);
      a1[8] += 6;
    }
    if ( *a1[8] == 119 )                 //xor
    {
      a1[1] ^= a1[9];                    //a1[1]=a1[1]^a1[9]
      ++a1[8];
    }
    if ( *a1[8] == 83 )
    {
      (unk_80485F0)(*a1[3]);
      a1[8] += 2;
    }
    if ( *a1[8] == 34 )                  //R移位操作
    {
      a1[1] >>= a1[2];
      ++a1[8];
    }
    if ( *a1[8] == 35 )                  //L移位操作
    {
      a1[1] <<= a1[2];
      ++a1[8];
    }
    if ( *a1[8] == -103 )               //退出
      break;
    if ( *a1[8] == 118 )                //
    {
      a1[3] = *a1[6];
      *a1[6] = 0;
      a1[6] += 4;
      a1[8] += 5;
    }
    if ( *a1[8] == 84 )               //取值?
    {
      v1 = a1[3];
      *v1 = (unk_8048580)();
      a1[8] += 2;
    }
    if ( *a1[8] == 48 )              //or
    {
      a1[1] |= a1[2];
      ++a1[8];
    }
    if ( *a1[8] == 49 )              //and
    {
      a1[1] &= a1[2];
      ++a1[8];
    }
    if ( *a1[8] == 9 )              //取值存如a1[1]
    {
      a1[1] = dword_804B28C;
      ++a1[8];
    }
    if ( *a1[8] == 16 )            //赋值a1[9]=a1[1]
    {
      a1[9] = a1[1];
      ++a1[8];
    }
    if ( *a1[8] == 17 )             //print(a1[1]) 
    {
      (unk_8048570)(&unk_804920C, a1[1]);
      ++a1[8];
    }
    if ( *a1[8] == -96 )               //if(a1[1]==653840640) next
    {
      if ( a1[1] == 653840640 )
        ++a1[8];
      else
        (unk_80485C0)(0, v4, v5, v6);
    }
    if ( *a1[8] == -95 )             //print(flag:)
    {
      (unk_8048570)("flag:");
      (unk_8048560)(0, byte_804B2E0, 40);   //cin>>flag==byte_804B2E0
      if ( (unk_80485D0)(byte_804B2E0) != 33 )
        (unk_80485C0)(0, v4, v5, v6);
      ++a1[8];
    }
    if ( *a1[8] == -79 )             //a1[9]==dword_804B2A0[0]
    {
      a1[9] = dword_804B2A0[0];
      ++a1[8];
    }
    if ( *a1[8] == -78 )            //a1[9]==dword_804B2A4
    {
      a1[9] = dword_804B2A4;
      ++a1[8];
    }
    if ( *a1[8] == -92 )
    {
      dword_804B2A0[*(a1[8] + 1)] = a1[1];    //存入操作
      a1[8] += 4;
    }
    if ( *a1[8] == -77 )                    //a1[9]=dword_804B2A8
    {
      a1[9] = dword_804B2A8;
      ++a1[8];
    }
    if ( *a1[8] == -76 )                       //a1[9] = dword_804B2AC
    {
      a1[9] = dword_804B2AC;
      ++a1[8];
    }
    if ( *a1[8] == -63 )                      //取一位bete 并且a1[8]+=2
    {
      a1[1] = byte_804B2E0[*(a1[8] + 1)];
      a1[8] += 2;
    }
    if ( *a1[8] == -62 )                    //if判断
    {
      if ( a1[1] != *(a1[8] + 1) )
        (unk_80485C0)(0, v4, v5, v6);
      a1[8] += 5;
    }
  }
  v3 = __readgsdword(0x14u);
  result = v3 ^ v7;
  if ( v3 != v7 )
    result = (unk_8048590)();
  return result;
}

然后我们导出字节码数据:
这里需要将字节码稍微的处理一下,起码处理成我们可以看的样子。这里稍微要注意的地方就是,不是所有的指令都会按照对应的格式排列,有些指令可能会用到好几位字节码,而有的也有可能只会用到一个。我们来写一个脚本稍微处理一下:(这里嫖了子洋师傅的指令集,因为我写的真的有点惨不忍睹)

A=[
      0x09, 0x10, 0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x22, 0x77, 
      0x10, 0x80, 0x02, 0x09, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 
      0x00, 0x96, 0xF3, 0x78, 0x31, 0x77, 0x10, 0x80, 0x02, 0x11, 
      0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x00, 0x00, 0xD4, 0x85, 
      0x31, 0x77, 0x10, 0x80, 0x02, 0x13, 0x00, 0x00, 0x00, 0x22, 
      0x77, 0xA0, 0x09, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 
      0x80, 0x03, 0x02, 0x00, 0x00, 0x00, 0x43, 0x80, 0x02, 0x18, 
      0x00, 0x00, 0x00, 0x41, 0xA4, 0x00, 0x00, 0x00, 0x09, 0x80, 
      0x02, 0x08, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 
      0x00, 0x00, 0x31, 0x80, 0x05, 0x07, 0x00, 0x00, 0x00, 0x44, 
      0x80, 0x02, 0x21, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x01, 0x00, 
      0x00, 0x09, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x22, 0x80, 
      0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x09, 0xBB, 0x00, 
      0x00, 0x00, 0x77, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x41, 
      0xA4, 0x02, 0x00, 0x00, 0x09, 0x80, 0x02, 0x18, 0x00, 0x00, 
      0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 
      0x04, 0xA0, 0x00, 0x00, 0x00, 0x42, 0x80, 0x02, 0x77, 0x00, 
      0x00, 0x00, 0x41, 0xA4, 0x03, 0x00, 0x00, 0xA1, 0xC1, 0x00, 
      0xB1, 0x77, 0xC2, 0x0B, 0x01, 0x00, 0x00, 0xC1, 0x01, 0xB2, 
      0x77, 0xC2, 0x7A, 0x00, 0x00, 0x00, 0xC1, 0x02, 0xB4, 0x77, 
      0xC2, 0x95, 0x00, 0x00, 0x00, 0xC1, 0x03, 0xB3, 0x77, 0xC2, 
      0x06, 0x01, 0x00, 0x00, 0xC1, 0x04, 0xB2, 0x77, 0xC2, 0x7D, 
      0x00, 0x00, 0x00, 0xC1, 0x05, 0xB4, 0x77, 0xC2, 0xAD, 0x00, 
      0x00, 0x00, 0xC1, 0x06, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 
      0x00, 0xC1, 0x07, 0xB3, 0x77, 0xC2, 0x65, 0x01, 0x00, 0x00, 
      0xC1, 0x08, 0xB1, 0x77, 0xC2, 0x2D, 0x01, 0x00, 0x00, 0xC1, 
      0x09, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 0x00, 0xC1, 0x0A, 
      0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00, 0xC1, 0x0B, 0xB3, 
      0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x0C, 0xB4, 0x77, 
      0xC2, 0xBB, 0x00, 0x00, 0x00, 0xC1, 0x0D, 0xB2, 0x77, 0xC2, 
      0x08, 0x00, 0x00, 0x00, 0xC1, 0x0E, 0xB3, 0x77, 0xC2, 0x0D, 
      0x01, 0x00, 0x00, 0xC1, 0x0F, 0xB1, 0x77, 0xC2, 0x3F, 0x01, 
      0x00, 0x00, 0xC1, 0x10, 0xB3, 0x77, 0xC2, 0x3A, 0x01, 0x00, 
      0x00, 0xC1, 0x11, 0xB3, 0x77, 0xC2, 0x61, 0x01, 0x00, 0x00, 
      0xC1, 0x12, 0xB2, 0x77, 0xC2, 0x57, 0x00, 0x00, 0x00, 0xC1, 
      0x13, 0xB1, 0x77, 0xC2, 0x20, 0x01, 0x00, 0x00, 0xC1, 0x14, 
      0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x15, 0xB1, 
      0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x16, 0xB3, 0x77, 
      0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x17, 0xB4, 0x77, 0xC2, 
      0xB5, 0x00, 0x00, 0x00, 0xC1, 0x18, 0xB1, 0x77, 0xC2, 0x13, 
      0x01, 0x00, 0x00, 0xC1, 0x19, 0xB4, 0x77, 0xC2, 0xA0, 0x00, 
      0x00, 0x00, 0xC1, 0x1A, 0xB1, 0x77, 0xC2, 0x21, 0x01, 0x00, 
      0x00, 0xC1, 0x1B, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 
      0xC1, 0x1C, 0xB2, 0x77, 0xC2, 0x0B, 0x00, 0x00, 0x00, 0xC1, 
      0x1D, 0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00, 0xC1, 0x1E, 
      0xB1, 0x77, 0xC2, 0x73, 0x01, 0x00, 0x00, 0xC1, 0x1F, 0xB2, 
      0x77, 0xC2, 0x46, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00, 
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
      0xC0, 0x4C, 0xF7, 0xF7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
      0x00, 0x00, 0xA0, 0x45, 0xF7, 0xF7, 0x60, 0x4D, 0xF7, 0xF7, 
      0x00, 0x00, 0x00, 0x00]
dic = [
    (65, 'a1[1] += a1[2]', 1),
    (66, 'a1[1] -= a1[4]', 1),
    (67, 'a1[1] *= a1[3]', 1),
    (68, 'a1[1] /= a1[5]', 1),
    (128, 'a1[?] = %d', 6),
    (119, 'a1[1] ^= a1[9]', 1),
    (34, 'a1[1] >>= a1[2]', 1),
    (35, 'a1[1] <<= a1[2]', 1),
    (153, '跳出循环', 1),
    (48, 'a1[1] |= a1[2]', 1),
    (49, 'a1[1] &= a1[2]', 1),
    (9, 'a1[1] = 输入int', 1),
    (16, 'a1[9] = a1[1]', 1),
    (17, 'printf("%p\n", a1[1])', 1),
    (160, 'if (a1[1] == 0x26F8D100) opn++ else exit()', 1),
    (161, '输入flag, flag = byte_804B2E0', 1),
    (177, 'a1[9] = dword_804B2A0[0]', 1),
    (178, 'a1[9] = dword_804B2A4', 1),
    (164, 'dword_804B2A0[%d] = a1[1]', 4),
    (179, 'a1[9] = dword_804B2A8', 1),
    (180, 'a1[9] = dword_804B2AC', 1),
    (193, 'a1[1] = byte_804B2E0[%d]', 2),
    (194, 'if (a1[1] == %d)', 5)
]
for i in range(0,len(A)):
    for j in range(0,len(dic)):
        if A[i]==dic[j][0]:
            print(dic[j][1],end="")
            H=dic[j][2]
            C=1
            while C!=(H):
                print(hex(A[i+C]),end=" ")
                C=C+1
            print()
            i=i+dic[j][3]
            break

然后分析一下结果:

a1[1] = 输入int
a1[9] = a1[1]
a1[?] = %d0x2 0xd 0x0 0x0 0x0 
a1[1] >>= a1[2]
a1[1] ^= a1[9]
a1[9] = a1[1]
a1[?] = %d0x2 0x9 0x0 0x0 0x0 

a1[1] = 输入int
a1[1] <<= a1[2]
a1[?] = %d0x2 0x0 0x96 0xf3 0x78 
a1[1] &= a1[2]
a1[1] ^= a1[9]
a1[9] = a1[1]
a1[?] = %d0x2 0x11 0x0 0x0 0x0 
printf("%p
", a1[1])
a1[1] <<= a1[2]
a1[?] = %d0x2 0x0 0x0 0xd4 0x85 
a1[1] &= a1[2]
a1[1] ^= a1[9]
a1[9] = a1[1]
a1[?] = %d0x2 0x13 0x0 0x0 0x0 
a1[1] >>= a1[2]
a1[1] ^= a1[9]
if (a1[1] == 0x26F8D100) opn++ else exit()
a1[1] = 输入int
a1[?] = %d0x2 0xff 0x0 0x0 0x0 
a1[1] &= a1[2]
a1[?] = %d0x3 0x2 0x0 0x0 0x0 
a1[1] *= a1[3]
a1[?] = %d0x2 0x18 0x0 0x0 0x0 
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x0 0x0 0x0 
a1[1] = 输入int
a1[?] = %d0x2 0x8 0x0 0x0 0x0 
a1[1] >>= a1[2]
a1[?] = %d0x2 0xff 0x0 0x0 0x0 
a1[1] &= a1[2]
a1[?] = %d0x5 0x7 0x0 0x0 0x0 
a1[1] /= a1[5]
a1[?] = %d0x2 0x21 0x0 0x0 0x0 
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x1 0x0 0x0 
a1[1] = 输入int
a1[?] = %d0x2 0x10 0x0 0x0 0x0 
a1[9] = a1[1]
a1[1] >>= a1[2]
a1[?] = %d0x2 0xff 0x0 0x0 0x0 
a1[1] &= a1[2]
a1[?] = %d0x9 0xbb 0x0 0x0 0x0 
a1[1] = 输入int
a1[1] ^= a1[9]
a1[?] = %d0x2 0xff 0x0 0x0 0x0 
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x2 0x0 0x0 
a1[1] = 输入int
a1[?] = %d0x2 0x18 0x0 0x0 0x0 
a1[1] >>= a1[2]
a1[?] = %d0x2 0xff 0x0 0x0 0x0 
a1[1] &= a1[2]
a1[?] = %d0x4 0xa0 0x0 0x0 0x0 
if (a1[1] == 0x26F8D100) opn++ else exit()
a1[1] -= a1[4]
a1[?] = %d0x2 0x77 0x0 0x0 0x0 
a1[1] ^= a1[9]
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x3 0x0 0x0 
输入flag, flag = byte_804B2E0
a1[1] = byte_804B2E0[%d]0x0 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0xb 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x1 
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x7a 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x2 
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0x95 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x3 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x6 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x4 
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x7d 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x5 
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xad 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x6 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x2f 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x7 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x65 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x8 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x2d 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x9 
a1[1] = 输入int
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x2f 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0xa 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x39 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0xb 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0xc 
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xbb 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0xd 
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x8 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0xe 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0xf 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x3f 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x10 
a1[9] = a1[1]
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x3a 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x11 
printf("%p
", a1[1])
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x61 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x12 
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x57 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x13 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x20 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x14 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x15 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x3f 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x16 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x3f 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x17 
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xb5 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x18 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x13 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x19 
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xa0 0x0 0x0 0x0 
if (a1[1] == 0x26F8D100) opn++ else exit()
a1[1] = byte_804B2E0[%d]0x1a 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x21 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x1b 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x1c 
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0xb 0x0 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x1d 
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x39 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x1e 
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x73 0x1 0x0 0x0 
a1[1] = byte_804B2E0[%d]0x1f 
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x46 0x0 0x0 0x0 
跳出循环
if (a1[1] == 0x26F8D100) opn++ else exit()

这里偷懒了,为了使脚本简单一点,就把操作使用的寄存器与数据接到了指令的后面。我们只需要对程序进行亿点点的处理就可以了。
第一部分是一个小算法,以后就叫作子洋师傅的七夕节算法吧!这里是传送门
第二部分是一个加密小算法:具体流程这里。解出flag:GACTF{c7ack_m3_sh3ll_smc_vm_0k?}

0x3 WannaFlag

这道题目纯属出题师傅与我师傅的双重炫技,朴实无华的界面,配上朴实无华的音乐,再配上朴实无华的WP,对我造成了成吨的伤害。题目给的是一个解密的exe,和一个被加密过的flag。我们的目的就是获得KEY将flag进行解密,但是我的静态分析水平又很感人,导致我迟迟找不到关键的函数。


这道题目师傅已经写得很具体了,我只记录几个我觉得比较痛苦的东西。
首先就是结构体,有些时候我们在f5后会出现类似结构体的结构,不要怕,这是个好事。因为如果是出题人自己搞得结构体,一般来说IDA是无法识别的,需要我们自己进行创建。这里先说一下这里面的结构体。

typedef struct tagPAINTSTRUCT {
  HDC  hdc;
  BOOL fErase;
  RECT rcPaint;
  BOOL fRestore;
  BOOL fIncUpdate;
  BYTE rgbReserved[32];
} PAINTSTRUCT, *PPAINTSTRUCT;

hdc:用于绘制的设备环境句柄
fErase:1. 表示背景是否必须擦除,如果为非零值则擦除背景,否则不擦除背景2. 如果创建窗口类的时候没有设置背景画刷,则负责擦除背景
rcPaint:一个 RECT 结构,指定左上角和右下角的坐标确定一个要绘制的矩形范围
fRestore:系统保留
fIncUpdate:系统保留
rgbReserved:系统保留
所以本题目的这个结构体其实没有啥影响,最多也就影响到了一个加密的取值。
其次是一些函数,老恶心了,不知道是啥意思。但是IDA中命名还是有一点规则的,所以不要担心,看这里。
SSE指令集
这里说一个东西:_mm_unpacklo_epi8(_m128i S0,_m128i S1):将S0和S1的低64位数以8位为单位进行交错;
S0:A15 A14 A13 A12 A11 A10 A9 A8 A7 A6 A5 A4 A3 A2 A1 A0
S1:B15 B14 B13 B12 B11 B10 B9 B8 B7 B6 B5 B4 B3 B2 B1 B0
_mm_unpacklo_epi8(S0,S1):B7 A7 B6 A6 B5 A5 B4 A4 B3 A3 B2 A2 B1 A1 B0 A0

发表评论

email
web

全部评论 (共 1 条评论)

    2020-09-05 11:11
    求封面