BUUOJ [rev] signal1

BUUOJ [rev] signal1

时隔好久再次更新博客。(失踪人口回归,这段时间学习了下编译原理还要准备期末考试)。写个简单题练练手。

逻辑过于简单就不用F5了。 就是一个简单的虚拟机,虚拟机dispatcher在__Z9vm_operadPii 里面找。

写个脚本试试:

# The VM program as dumped from the binary: 0x72 slots in which one-slot
# opcodes (1, 6, 8, 10, 11, 12) and two-slot opcodes (2-5, 7 with an
# immediate operand) are interleaved.  Laid out ten per row so an offset
# can be located by eye.  The 0x0FFFFFFxx entries look like negative
# 32-bit immediates as IDA printed them -- not re-checked here.
vm_codes = [
    0x0A, 0x4, 0x10, 0x8, 0x3, 0x5, 0x1, 0x4, 0x20, 0x8,
    0x5, 0x3, 0x1, 0x3, 0x2, 0x8, 0x0B, 0x1, 0x0C, 0x8,
    0x4, 0x4, 0x1, 0x5, 0x3, 0x8, 0x3, 0x21, 0x1, 0x0B,
    0x8, 0x0B, 0x1, 0x4, 0x9, 0x8, 0x3, 0x20, 0x1, 0x2,
    0x51, 0x8, 0x4, 0x24, 0x1, 0x0C, 0x8, 0x0B, 0x1, 0x5,
    0x2, 0x8, 0x2, 0x25, 0x1, 0x2, 0x36, 0x8, 0x4, 0x41,
    0x1, 0x2, 0x20, 0x8, 0x5, 0x1, 0x1, 0x5, 0x3, 0x8,
    0x2, 0x25, 0x1, 0x4, 0x9, 0x8, 0x3, 0x20, 0x1, 0x2,
    0x41, 0x8, 0x0C, 0x1, 0x7, 0x22, 0x7, 0x3F, 0x7, 0x34,
    0x7, 0x32, 0x7, 0x72, 0x7, 0x33, 0x7, 0x18, 0x7, 0x0FFFFFFA7,
    0x7, 0x31, 0x7, 0x0FFFFFFF1, 0x7, 0x28, 0x7, 0x0FFFFFF84, 0x7, 0x0FFFFFFC1,
    0x7, 0x1E, 0x7, 0x7A,
]


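def dis_1(codes):
    """Print a generic C listing of the VM program in ``codes``.

    Every recognised opcode is printed as the C fragment IDA shows for the
    matching case of the dispatcher, with the VM's own register names
    (``v4``, ``i_v9``, ``j_v6``, ``m_v8``, ``v5``, ``v7``) left symbolic.
    Opcodes 2-5 and 7 carry one operand slot, so the cursor advances by
    two for them and by one for everything else.

    Args:
        codes: sequence of opcode/operand slots, walked from index 0 to
            ``len(codes)``.

    Returns:
        None.  Output goes to stdout; an unrecognised opcode prints its
        offset and is skipped so the walk always terminates.
    """
    # opcode -> (C text to print, number of slots the instruction occupies)
    handlers = {
        1: ("""Str[j_v6 + 100] = v4;
++i_v9;
++j_v6;
++m_v8;""", 1),
        2: ("""v4 = a1[i_v9 + 1] + Str[m_v8];
i_v9 += 2;""", 2),
        3: ("""v4 = Str[m_v8] - LOBYTE(a1[i_v9 + 1]);
i_v9 += 2;""", 2),
        4: ("""v4 = a1[i_v9 + 1] ^ Str[m_v8];
i_v9 += 2;""", 2),
        5: ("""v4 = a1[i_v9 + 1] * Str[m_v8];
i_v9 += 2;""", 2),
        6: (" ++i_v9;", 1),
        7: ("""if ( Str[v7 + 100] != a1[i_v9 + 1] )
{
printf("what a shame...");
exit(0);
}
++v7;
i_v9 += 2;""", 2),
        8: ("""Str[v5] = v4;
++i_v9;
++v5;""", 1),
        10: ("""read(Str);
++i_v9;""", 1),
        11: ("""v4 = Str[m_v8] - 1;
++i_v9;""", 1),
        12: ("""v4 = Str[m_v8] + 1;
++i_v9;""", 1),
    }
    limit = len(codes)
    i = 0
    while i < limit:
        try:
            text, width = handlers[codes[i]]
        except KeyError:
            # Unknown opcode: report its offset and step past it.  Without
            # the step the loop would re-read the same slot forever.
            print(i)
            i += 1
            continue
        print(text)
        i += width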


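def dis_2(codes):
    """Print a partially evaluated C listing of the VM program in ``codes``.

    The VM's index registers are tracked while walking the bytecode and
    folded into the printed text, so each line names the concrete ``Str``
    cell it reads or writes.  ``a1[<i> + 1]`` in the output is the
    bytecode offset of the operand the instruction consumes.

    Tracked registers (names mirror the IDA listing):
        j  - output cursor for ``Str[j + 100]`` (opcode 1)
        m  - input cursor for ``Str[m]`` used by the arithmetic opcodes
        v5 - scratch cursor for ``Str[v5]`` (opcode 8)
        v7 - compare cursor for ``Str[v7 + 100]`` (opcode 7)

    Args:
        codes: sequence of opcode/operand slots, walked from index 0 to
            ``len(codes)``.

    Returns:
        None.  Output goes to stdout; an unrecognised opcode prints its
        offset and is skipped so the walk always terminates.
    """
    # Two-slot arithmetic opcodes: opcode -> C expression over the operand
    # slot ``i`` and the current input cell ``m``.
    binops = {
        2: "tmp = a1[{i} + 1] + Str[{m}];",
        3: "tmp = Str[{m}] - LOBYTE(a1[{i} + 1]);",
        4: "tmp = a1[{i} + 1] ^ Str[{m}];",
        5: "tmp = a1[{i} + 1] * Str[{m}];",
    }
    i = j = m = v7 = v5 = 0
    limit = len(codes)
    while i < limit:
        op = codes[i]
        if op == 1:
            # Commit tmp to the output cell; both cursors move together.
            print(f"""Str[{j} + 100] = tmp;
""")
            i += 1
            j += 1
            m += 1
        elif op in binops:
            print(binops[op].format(i=i, m=m))
            i += 2
        elif op == 6:
            # No-op for the listing: only the VM's own ip advances.
            i += 1
        elif op == 7:
            print(f"""if ( Str[{v7} + 100] != a1[{i} + 1] )
{{
printf("what a shame...");
exit(0);
}}""")
            i += 2
            v7 += 1
        elif op == 8:
            print(f"""Str[{v5}] = tmp;""")
            i += 1
            v5 += 1
        elif op == 10:
            print("""read(Str);""")
            i += 1
        elif op == 11:
            print(f"""tmp = Str[{m}] - 1;""")
            i += 1
        elif op == 12:
            print(f"""tmp = Str[{m}] + 1;""")
            i += 1
        else:
            # Unknown opcode: report its offset and step past it.  Without
            # the step the loop would re-read the same slot forever.
            print(i)
            i += 1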


# Emit the evaluated listing for the dumped program above.
dis_2(vm_codes)

上面的脚本只是把虚拟机字节码转换成IDA得到的C代码,其实在脚本中可以直接逆向拿到flag,但是我时间比较多(bushi,没有想到)拿手算完了。