[网鼎杯 2020 青龙组]singal

vm，没有栈操作，找到opcode

0A 00 00 00 04 00 00 00  10 00 00 00 08 00 00 00
03 00 00 00 05 00 00 00  01 00 00 00 04 00 00 00
20 00 00 00 08 00 00 00  05 00 00 00 03 00 00 00
01 00 00 00 03 00 00 00  02 00 00 00 08 00 00 00
0B 00 00 00 01 00 00 00  0C 00 00 00 08 00 00 00
04 00 00 00 04 00 00 00  01 00 00 00 05 00 00 00
03 00 00 00 08 00 00 00  03 00 00 00 21 00 00 00
01 00 00 00 0B 00 00 00  08 00 00 00 0B 00 00 00
01 00 00 00 04 00 00 00  09 00 00 00 08 00 00 00
03 00 00 00 20 00 00 00  01 00 00 00 02 00 00 00
51 00 00 00 08 00 00 00  04 00 00 00 24 00 00 00
01 00 00 00 0C 00 00 00  08 00 00 00 0B 00 00 00
01 00 00 00 05 00 00 00  02 00 00 00 08 00 00 00
02 00 00 00 25 00 00 00  01 00 00 00 02 00 00 00
36 00 00 00 08 00 00 00  04 00 00 00 41 00 00 00
01 00 00 00 02 00 00 00  20 00 00 00 08 00 00 00
05 00 00 00 01 00 00 00  01 00 00 00 05 00 00 00
03 00 00 00 08 00 00 00  02 00 00 00 25 00 00 00
01 00 00 00 04 00 00 00  09 00 00 00 08 00 00 00
03 00 00 00 20 00 00 00  01 00 00 00 02 00 00 00
41 00 00 00 08 00 00 00  0C 00 00 00 01 00 00 00
07 00 00 00 22 00 00 00  07 00 00 00 3F 00 00 00
07 00 00 00 34 00 00 00  07 00 00 00 32 00 00 00
07 00 00 00 72 00 00 00  07 00 00 00 33 00 00 00
07 00 00 00 18 00 00 00  07 00 00 00 A7 FF FF FF
07 00 00 00 31 00 00 00  07 00 00 00 F1 FF FF FF
07 00 00 00 28 00 00 00  07 00 00 00 84 FF FF FF
07 00 00 00 C1 FF FF FF  07 00 00 00 1E 00 00 00
07 00 00 00 7A 00 00 00 

with open("a.txt") as f:
    f=f.read().split()
a=[]
for i in range(0,len(f),4):
    a.append(eval("0x"+f[i]))
#print(a)
v10=0
v7=0
v9=0
v6=0
while(v10<len(a)):
    if a[v10] == 1:
        print("1:      v4["+str(v7)+"] = v5;")
        v10+=1
        v7+=1
        v9+=1
        continue
    if a[v10] == 2:
        print("2:      v5 = a1["+str(v10 + 1)+"] + v3["+str(v9)+"];")
        v10 += 2
        continue
    if a[v10] == 3:
        print("3:      v5 = v3["+str(v9)+"] - a1["+str(v10 + 1)+"];")
        v10 += 2
        continue
    if a[v10] == 4:
        print("4:      v5 = a1["+str(v10 + 1)+"] ^ v3["+str(v9)+"];")
        v10 += 2
        continue
    if a[v10] == 5:
        print("5:      v5 = a1["+str(v10 + 1)+"] * v3["+str(v9)+"];")
        v10 += 2
        continue
    if a[v10] == 6:
        print("6:    ")
        v10+=1
        continue
    if a[v10] == 7:
        #print("if ( v4[v8] != a1[v10 + 1] ){printf("what a shame...");exit(0);}++v8;v10 += 2;")
        continue
    if a[v10] == 8:
        print("8:      v3["+str(v6)+"] = v5;")
        v10+=1
        v6+=1
        continue
    if a[v10] == 10:
        print("10:     read(v3)")
        v10+=1
        continue
    if a[v10] == 11:
        print("11:     v5 = v3["+str(v9)+"] - 1;")
        v10+=1
        continue
    if a[v10] == 12:
        print("12:     v5 = v3["+str(v9)+"] + 1;")
        v10+=1
        continue
    else:
        continue

得到处理过程

10:     read(v3)
4:      v5 = a1[2] ^ v3[0];
8:      v3[0] = v5;
3:      v5 = v3[0] - a1[5];
1:      v4[0] = v5;

4:      v5 = a1[8] ^ v3[1];
8:      v3[1] = v5;
5:      v5 = a1[11] * v3[1];
1:      v4[1] = v5;

3:      v5 = v3[2] - a1[14];
8:      v3[2] = v5;
11:     v5 = v3[2] - 1;
1:      v4[2] = v5;

12:     v5 = v3[3] + 1;
8:      v3[3] = v5;
4:      v5 = a1[21] ^ v3[3];
1:      v4[3] = v5;

5:      v5 = a1[24] * v3[4];
8:      v3[4] = v5;
3:      v5 = v3[4] - a1[27];
1:      v4[4] = v5;

11:     v5 = v3[5] - 1;
8:      v3[5] = v5;
11:     v5 = v3[5] - 1;
1:      v4[5] = v5;

4:      v5 = a1[34] ^ v3[6];
8:      v3[6] = v5;
3:      v5 = v3[6] - a1[37];
1:      v4[6] = v5;

2:      v5 = a1[40] + v3[7];
8:      v3[7] = v5;
4:      v5 = a1[43] ^ v3[7];
1:      v4[7] = v5;

12:     v5 = v3[8] + 1;
8:      v3[8] = v5;
11:     v5 = v3[8] - 1;
1:      v4[8] = v5;

5:      v5 = a1[50] * v3[9];
8:      v3[9] = v5;
2:      v5 = a1[53] + v3[9];
1:      v4[9] = v5;

2:      v5 = a1[56] + v3[10];
8:      v3[10] = v5;
4:      v5 = a1[59] ^ v3[10];
1:      v4[10] = v5;

2:      v5 = a1[62] + v3[11];
8:      v3[11] = v5;
5:      v5 = a1[65] * v3[11];
1:      v4[11] = v5;

5:      v5 = a1[68] * v3[12];
8:      v3[12] = v5;
2:      v5 = a1[71] + v3[12];
1:      v4[12] = v5;

4:      v5 = a1[74] ^ v3[13];
8:      v3[13] = v5;
3:      v5 = v3[13] - a1[77];
1:      v4[13] = v5;

2:      v5 = a1[80] + v3[14];
8:      v3[14] = v5;
12:     v5 = v3[14] + 1;
1:      v4[14] = v5;

其实v4的值就是opcode中7后面的值，但我是动调出来的

"22 3f 34 32 72 33 18 a7 31 f1 28 84 c1 1e 7a"

v4="22 3f 34 32 72 33 18 a7 31 f1 28 84 c1 1e 7a"
v4=v4.split()
a1=[10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 7, 49, 7, 241, 7, 40, 7, 132, 7, 193, 7, 30, 7, 122]
v3=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
for i in range(len(v4)):
    v4[i]=eval("0x"+v4[i])
v3[0]=(v4[0]+a1[5])^a1[2]
v3[1]=(v4[1]//a1[11])^a1[8]
v3[2]=v4[2]+1+a1[14]
v3[3]=(v4[3]^a1[21])-1
v3[4]=(v4[4]+a1[27])//a1[24]
v3[5]=v4[5]+2
v3[6]=(v4[6]+a1[37])^a1[34]
v3[7]=(v4[7]^a1[43])-a1[40]
v3[8]=v4[8]
v3[9]=(v4[9]-a1[53])//a1[50]
v3[10]=(v4[10]^a1[59])-a1[56]
v3[11]=v4[11]//a1[65]-a1[62]
v3[12]=(v4[12]-a1[71])//a1[68]
v3[13]=(v4[13]+a1[77])^a1[74]
v3[14]=v4[14]-1-a1[80]

for i in v3:
    print(chr(i),end="")

得到flag

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

做法二：

最近在学angr

import angr

def main():
        p=angr.Project("signal.exe",auto_load_libs=False)
        sm=p.factory.simulation_manager(p.factory.entry_state())
        sm.explore(find=0x40179e,avoid=0x4016e6)
        return sm.found[0].posix.dumps(0)
if __name__=='__main__':
        print(main())