re每日一題（20200530）（補）

re每日一題（20200530）（補）

GKCTF2020

0x03 EzMachine

載入IDA，main函數不能F5，需要將0x1591的後三個字節nop

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int i; // [esp+10h] [ebp-8h]

  sub_6014F0();
  while ( 1 )
  {
LABEL_2:
    for ( i = 0; ; i += 2 )
    {
      if ( i >= 0x58 )
        goto LABEL_2;
      if ( code[4 * i] == byte_6449A0[E_ip] )
        break;
    }
    call[i]();
  }
}

查看code這個數組，可以發現是VM。

分析過後，整理字節碼爲指令，指令爲三個字節長度

0x1 mov reg,const
0x2 push
0x3 mov [mem],reg
0x4 pop
0x5 print
0x6 add
0x7 sub
0x8 mul
0x9 idiv
0xa xor
0xb jmp
0xc cmp
0xd  jz  
0xf  ja
0x10 jb
0x11 gets
0x12 memset 
0x13 mov_reg_esp
0x14 movzx
0xff exit

大致整理後，加密算法爲

cipher = []
for i in range(len(input)):
	tmp = ord(input[i])
	sum = 0
	if input[i] <= 'z' and input[i] >= 'a':
		sum = (tmp^0x47)+1
	elif input[i] <= 'Z' and input[i] >= 'A':
		sum = (tmp^0x4b)-1
	cipher.append(sum%0x10)
	cipher.append(sum/0x10)

通過加密算法可以寫出解密算法。（由於在VM的棧中，需要反序）

cipher = [0x7,0xd,0x0,0x5,0x1,0xc,0x1,0x0,0x0,0xd,0x5,0xf,0x0,0x9,0x5,0xf,0x3,0x0,0x2,0x5,0x3,0x3,0x1,0x7,0x7,0xb,0x2,0x1,0x2,0x7,0x2,0xc,0x2,0x2]
cipher = cipher[::-1]
flag = ''
for i in range(0,len(cipher),2):
	tmp = cipher[i+1]*0x10+cipher[i]
	ch = chr((tmp-1)^0x47)
	if ch <= 'z' and ch >= 'a':
		flag += ch
		continue
	ch = chr((tmp+1)^0x4b)
	if ch <= 'Z' and ch >= 'A':
		flag += ch
		continue
	flag += chr(tmp)

print flag