
南邮VM

VM题目

真难.. 网鼎的pwn是vm虚拟机,没咋学过vm看不懂,这边先搞下简单的练习下

WxyVM1

image-20200512164410201

长度为24, 同时虚拟机运算后要跟指定字符比较, 比较结果对得上才可以成功

这个虚拟机的结构很明显

image-20200512164521050

三个字节一读取,

第一个字节为操作码

第二个字节为操作对象

第三个字节为操作数

不过这数据有点多啊, 5000次的循环

然后取出handler

  1. arr[index] += v3
  2. arr[index] -= v3
  3. arr[index] ^= v3
  4. arr[index] *= v3
  5. arr[index] ^= (arr[v3])

写出idc脚本取出元数据

# IDAPython helper for WxyVM1: dump the VM program at 0x6010C0 as
# [opcode, operand-index, immediate] triples. The binary loops 5000 times
# over 3-byte instructions, hence 15000 bytes; `Byte` is IDA's read-a-byte API.
# Only opcodes 0..5 are kept because the handler table has entries 1..5
# (opcode 0 is still accepted here, exactly as the original filter did).
start = 0x6010C0
List = []
for offset in range(0, 15000, 3):
    opcode, target, immediate = (Byte(start + offset + k) for k in range(3))
    if not 0 <= opcode <= 5:
        continue
    List.append([opcode, target, immediate])
print(List)
# IDAPython helper: read the 24 target values the VM result is compared with.
# The loop steps 4 bytes at a time from 0x601060 and reads only the first byte
# of each 4-byte slot (the original did the same with a stride-4 range).
start = 0x601060
List = [Byte(start + slot) for slot in range(0, 96, 4)]
print(List)
#[196, 52, 34, 177, 211, 17, 151, 7, 219, 55, 196, 6, 29, 252, 91, 237, 152, 223, 148, 216, 179, 132, 204, 8]

最后跑一下

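def _inverse_mod_256(factor):
    """Return x with (factor * x) % 256 == 1, or None when factor is even.

    Only odd factors have an inverse modulo 256; an even multiply loses bits
    and cannot be undone. A 256-entry scan is cheap and needs no extra imports.
    """
    factor &= 0xFF
    if factor % 2 == 0:
        return None
    return next(x for x in range(256) if (factor * x) & 0xFF == 1)


def reverse_vm(operations, final_state):
    """Undo a WxyVM1 instruction sequence and return the recovered input bytes.

    Args:
        operations: ``[opcode, index, value]`` triples in the order the VM
            executed them (the dump produced by the IDA script above).
        final_state: the byte values the VM compares its result against.

    Returns:
        A new list of ints in 0..255; ``final_state`` is not modified.

    Raises:
        ValueError: a multiply (opcode 4) used an even factor, which is not
            invertible modulo 256, so no unique input exists.

    Handler table from the binary: 1 add, 2 sub, 3 xor, 4 mul, 5 xor with
    another cell. The cells are compared as bytes (the original masked with
    ``& 0xff``), so every inverse step is reduced modulo 256. Instructions are
    undone in reverse order; that is what makes the ``arr[i] ^= arr[j]`` case
    reversible, since ``arr[j]`` then holds the value it had at that step.
    """
    state = [v & 0xFF for v in final_state]
    for opcode, index, value in reversed(operations):
        if opcode == 1:
            state[index] = (state[index] - value) & 0xFF
        elif opcode == 2:
            state[index] = (state[index] + value) & 0xFF
        elif opcode == 3:
            state[index] = (state[index] ^ value) & 0xFF
        elif opcode == 4:
            # ``*=`` on a byte wraps, so the inverse is a multiply by the modular
            # inverse, not a division: integer division yields the wrong byte,
            # and in Python 3 ``/=`` would turn the cell into a float and make
            # the final ``chr(...)`` raise TypeError.
            inverse = _inverse_mod_256(value)
            if inverse is None:
                raise ValueError(
                    "opcode 4 with even factor {:#x} is not invertible".format(value)
                )
            state[index] = (state[index] * inverse) & 0xFF
        else:
            # The original dispatch treated every other opcode as the handler-5
            # case; kept so opcode-0 entries (if the dump contains any) behave
            # the same as before.
            state[index] = (state[index] ^ state[value]) & 0xFF
    return state


List = []  # paste the [opcode, index, value] triples from the IDA dump here
result = [0xC4, 0x34, 0x22, 0xB1, 0xD3, 0x11, 0x97, 0x7, 0xDB, 0x37, 0xC4, 0x6, 0x1D, 0xFC, 0x5B, 0xED, 0x98, 0xDF, 0x94, 0xD8, 0xB3, 0x84, 0xCC, 0x8]
result = reverse_vm(List, result)

flag = "".join(chr(v & 0xFF) for v in result)
print(flag)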

注意这里的for循环要逆序遍历

WxyVM2

也是一道考idc脚本的题目, ida打不开,分析汇编又太多, 直接上脚本,它有特征, 全为byte

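# IDAPython script for WxyVM2. The VM is unrolled into straight-line code, so
# each step is a load whose operand mentions `byte` followed by an
# add/sub/xor with an immediate. Walk the code range, emit the inverse Python
# statement for each pair, and print them in reverse order for the solver.
start = 0x40064E
end = 0x492D32
List = []

# Inverse of each arithmetic mnemonic expected on the instruction after the load.
inverse_op = {'sub': ' += ', 'add': ' -= ', 'xor': ' ^= '}

while start < end:
    following = idc.NextHead(start)
    operand = GetOpnd(start, 1)[3:]
    if 'byte' not in operand:
        start = following
        continue
    index = int(operand[-2:], 16)  # array index taken from the operand's last two hex digits
    mnem = GetMnem(following)
    if mnem == 'mov':
        # a mov after the load is a plain copy: nothing to undo
        start = following
        continue
    if mnem not in inverse_op:
        # The original glued unknown mnemonics into the output as text
        # (e.g. "arr[3]imul5"); fail loudly so a missing handler is noticed.
        raise ValueError("unhandled mnemonic %r at %#x" % (mnem, following))
    immediate = int(GetOpnd(following, 1).replace('h', ''), 16)
    List.append("arr[%d]%s%d" % (index, inverse_op[mnem], immediate))
    start = idc.NextHead(following)

for statement in List[::-1]:
    print(statement)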

脱掉数据后, 再看到cmp,取出数据

# Fill in the values extracted above (the cmp targets of the unrolled VM).
# 0xfff is wider than a byte — possibly a slip in the dump — but only the low
# byte is used below, so it contributes 0xff.
arr =[0xC0,0x85,0xF9,0x6C,0xE2,0x14,0xBB,0xe4,0xd,0x59,0x1c,0x23,0x88,0x6e,0x9b,0xca,0xba,0x5c,0x37,0xfff,0x48,0xd8,0x1f,0xab,0xa5]
print(len(arr))
print(arr)
flag = ''.join(chr(value & 0xff) for value in arr)
print(flag)

image-20200512220904171

GWCTF-babyvm

机器码 备注
0xF1 mov
0xF2 xor
0xF4 nop
0xF5 input
0xF7 mul
0xF8 swap
0xF6 add
0xF5, #read(0, buf, 0x20)
0xF1, 0xE1, 0x00, 0x00, 0x00, 0x00, #mov r1,flag[0]
0xF2, #xor r1,r2
0xF1, 0xE4, 0x20, 0x00, 0x00, 0x00, #mov flag[0x20],r1
0xF1, 0xE1, 0x01, 0x00, 0x00, 0x00, #mov r1,flag[1]
0xF2, #xor r1,r2
0xF1, 0xE4, 0x21, 0x00, 0x00, 0x00, #mov flag[0x21],r1
0xF1, 0xE1, 0x02, 0x00, 0x00, 0x00, #mov r1,flag[2]
0xF2, #xor r1,r2
0xF1, 0xE4, 0x22, 0x00, 0x00, 0x00, #mov flag[0x22],r1
0xF1, 0xE1, 0x03, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x23, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x04, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x24, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x05, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x25, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x06, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x26, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x07, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x27, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x08, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x28, 0x00, 0x00,0x00,
0xF1, 0xE1, 0x09, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x29, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x0A, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x2A, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x0B, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x2B, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x0C, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x2C, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x0D, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x2D, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x0E, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x2E, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x0F, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x2F, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x10, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x30, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x11, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x31, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x12, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x32, 0x00, 0x00, 0x00,
0xF1, 0xE1, 0x13, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x33, 0x00, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
# 切割到这发觉不对劲... 咋全是00

继续往下翻,发觉又有个f5输入

0xF5, #read(0, buf,0x20)
0xF1, 0xE1, 0x00, 0x00, 0x00, 0x00, #mov r1,flag[0]
0xF1, 0xE2, 0x01, 0x00, 0x00, 0x00, #mov r2,flag[1]
0xF2, #xor r1, r2
0xF1, 0xE4, 0x00, 0x00, 0x00, 0x00, #mov flag[0],r1

0xF1, 0xE1, 0x01, 0x00, 0x00, 0x00, #mov r1,flag[1]
0xF1, 0xE2, 0x02, 0x00, 0x00, 0x00, #mov r2,flag[2]
0xF2, #xor r1,r2
0xF1, 0xE4, 0x01, 0x00, 0x00, 0x00, #mov flag[1],r1

0xF1, 0xE1, 0x02, 0x00, 0x00, 0x00, #mov r1,flag[2]
0xF1, 0xE2, 0x03, 0x00, 0x00, 0x00, #mov r2,flag[3]
0xF2, #xor r1,r2
0xF1, 0xE4, 0x02, 0x00, 0x00, 0x00, #mov flag[2],r1

0xF1, 0xE1, 0x03, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x04, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x03, 0x00, 0x00, 0x00, #xor flag[3],flag[4]
0xF1, 0xE1, 0x04, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x05, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x04, 0x00, 0x00, 0x00, #xor flag[4],flag[5]

0xF1, 0xE1, 0x05, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x06, 0x00, 0x00, 0x00,
0xF2,
0xF1, 0xE4, 0x05, 0x00, 0x00, 0x00, #xor flag[5],flag[6]

0xF1, 0xE1, 0x06, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x07, 0x00, 0x00, 0x00,
0xF1, 0xE3, 0x08, 0x00, 0x00, 0x00,
0xF1, 0xE5, 0x0C, 0x00, 0x00, 0x00,
0xF6, # r1 = 3*flag[6] + 2*flag[7]+flag[8]
0xF7, # r1 *= flag[0xC]
0xF1, 0xE4, 0x06, 0x00, 0x00, 0x00, #flag[6] = (3*flag[6] + 2*flag[7]+flag[8])*flag[0xC]

0xF1, 0xE1, 0x07, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x08, 0x00, 0x00, 0x00,
0xF1, 0xE3, 0x09, 0x00, 0x00, 0x00,
0xF1, 0xE5, 0x0C, 0x00, 0x00, 0x00,
0xF6,
0xF7,
0xF1, 0xE4, 0x07, 0x00, 0x00, 0x00, #flag[7] = (3*flag[7] + 2*flag[8]+flag[9])*flag[0xC]

0xF1, 0xE1, 0x08, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x09, 0x00, 0x00, 0x00,
0xF1, 0xE3, 0x0A, 0x00, 0x00, 0x00,
0xF1, 0xE5, 0x0C, 0x00, 0x00, 0x00,
0xF6,
0xF7,
0xF1, 0xE4, 0x08, 0x00, 0x00, 0x00,
#flag[8] = (3*flag[8] + 2*flag[9]+flag[A])*flag[0xC]
0xF1, 0xE1, 0x0D, 0x00, 0x00, 0x00, #r1=flag[0xD]
0xF1, 0xE2, 0x13, 0x00, 0x00, 0x00, #r2=flag[0x13]
0xF8, #xchg r1,r2
0xF1, 0xE4, 0x0D, 0x00, 0x00, 0x00, #flag[0xD]=r1
0xF1, 0xE7, 0x13, 0x00, 0x00, 0x00, #flag[0x13]=r2

0xF1, 0xE1, 0x0E, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x12, 0x00, 0x00, 0x00,
0xF8,
0xF1, 0xE4, 0x0E, 0x00, 0x00, 0x00,
0xF1, 0xE7, 0x12, 0x00, 0x00, 0x00,
# xchg flag[0xE],flag[0x12]

0xF1, 0xE1, 0x0F, 0x00, 0x00, 0x00,
0xF1, 0xE2, 0x11, 0x00, 0x00, 0x00,
0xF8,
0xF1, 0xE4, 0x0F, 0x00, 0x00, 0x00,
0xF1, 0xE7, 0x11, 0x00, 0x00, 0x00
# xchg flag[0xF],flag[0x11]
0xF4

逆完vm了,不干了

# 20-byte constant from the babyvm challenge; the writeup stops here, so what
# it is compared against is not shown (presumably the target of the final check).
code = list(bytes.fromhex("69 45 2A 37 09 17 C5 0B 5C 72 33 76 33 21 74 31 5F 33 73 72"))

接下来干pwn2的 vm

本文作者:NoOne
本文地址https://noonegroup.xyz/posts/124e352e/
版权声明:转载请注明出处!