2019XNUCA Reverse 部分Writeup

目前遇到最难的一场比赛了,Crypto打不动,只做了比较简单的RE还好苟进了决赛~(200多支队伍，几十支顺利签到

RE Clever Bird

00401D0E  |.  66:0F6E45 8C  movd mm0,[local.29]

get score

00401D13  |.  B9 D859375F   mov ecx,0x5F3759D8
00401D18  |.  0f5bc0        cvtdq2ps xmm0,xmm0
00401D1B  |.  F3:0F1185 5CF>movss [local.41],xmm0
00401D23  |.  0F28C8        movaps xmm1,xmm0
00401D26  |.  8B85 5CFFFFFF mov eax,[local.41]
00401D2C  |.  F3:0F590D 884>mulss xmm1,dword ptr ds:[0x404388]
00401D34  |.  D1F8          sar eax,1
00401D36  |.  2BC8          sub ecx,eax
00401D38  |.  898D 5CFFFFFF mov [local.41],ecx
00401D3E  |.  F3:0F114D C4  movss [local.15],xmm1
00401D43  |.  74 09         je short Clever_B.00401D4E
00401D45  |.  83C1 07       add ecx,0x7
00401D48  |.  898D 5CFFFFFF mov [local.41],ecx

得到一个受score约束的值，公式如下，涉及单精度浮点数转换

0x5F3759D8 - (score >> 1) + 7

00401D65  |> \F3:0F108D 5CF>movss xmm1,[local.41]
00401D6D  |.  F3:0F1015 8C4>movss xmm2,dword ptr ds:[0x40438C]
00401D75  |.  0F28C1        movaps xmm0,xmm1
00401D78  |.  F3:0F5945 C4  mulss xmm0,[local.15]
00401D7D  |.  F3:0F59C1     mulss xmm0,xmm1
00401D81  |.  F3:0F5CD0     subss xmm2,xmm0
00401D85  |.  F3:0F59D1     mulss xmm2,xmm1
00401D89  |.  F3:0F5915 984>mulss xmm2,dword ptr ds:[0x404398]
00401D91  |.  F3:0F5915 944>mulss xmm2,dword ptr ds:[0x404394]
00401D99  |.  F3:0F5815 904>addss xmm2,dword ptr ds:[0x404390]
00401DA1  |.  F3:0F5E15 944>divss xmm2,dword ptr ds:[0x404394]
00401DA9  |.  F3:0F2CFA     cvttss2si edi,xmm2

浮点数运算，其中两个变量分别是a=score/2以及前面得到的一个值b

res = ((1.5a-aaab)*1000000000+5)/10

00401DCA |. 81FF AE360400 cmp edi,0x436AE

check res == 0x436ae

得到一条函数式 ((1.5a-aaab)*1000000000+5)/10=0x436ae

b受a约束，且函数应该单调递减，缩小区间后爆score

00401E40  |> /8BD6          /mov edx,esi
00401E42  |. |81E2 01000080 |and edx,0x80000001
00401E48  |. |79 05         |jns short Clever_B.00401E4F
00401E4A  |. |4A            |dec edx
00401E4B  |. |83CA FE       |or edx,-0x2
00401E4E  |. |42            |inc edx
00401E4F  |> |0FBE0F        |movsx ecx,byte ptr ds:[edi]
00401E52  |. |83C2 30       |add edx,0x30
00401E55  |. |47            |inc edi                                 ;  kernel32.GetStdHandle
00401E56  |. |3BCA          |cmp ecx,edx
00401E58  |. |75 6D         |jnz short Clever_B.00401EC7
00401E5A  |. |8BC6          |mov eax,esi
00401E5C  |. |99            |cdq
00401E5D  |. |2BC2          |sub eax,edx
00401E5F  |. |8BF0          |mov esi,eax
00401E61  |. |D1FE          |sar esi,1
00401E63  |.^\75 DB         \jnz short Clever_B.00401E40

以score的二进制串依次逆序与*key+4开始比对

00401E80  |> /0FBE5435 C8   /movsx edx,byte ptr ss:[ebp+esi-0x38]
00401E85  |. |8BC3          |mov eax,ebx
00401E87  |. |D3F8          |sar eax,cl
00401E89  |. |83EA 30       |sub edx,0x30
00401E8C  |. |0FB6C0        |movzx eax,al
00401E8F  |. |33D0          |xor edx,eax
00401E91  |. |3954B5 B8     |cmp dword ptr ss:[ebp+esi*4-0x48],edx
00401E95  |. |75 30         |jnz short Clever_B.00401EC7
00401E97  |. |83C1 08       |add ecx,0x8
00401E9A  |. |46            |inc esi
00401E9B  |. |83F9 20       |cmp ecx,0x20
00401E9E  |.^\7C E0         \jl short Clever_B.00401E80

比对key的前四位，这里是常量，前四位为B1RD

即key为’B1RD’ + reversed(bin(score))

求解代码

import struct


def fun(a, b):
    res = ((1.5*a-a*a*a*b)*1000000000+5)/10
    return int(res)


def float_to_bin(num):
    bits, = struct.unpack('!I', struct.pack('!f', num))
    return bits


def bin_to_float(num):
    nums, = struct.unpack('!f', struct.pack('!I', num))
    return nums


def run(score):
    v1 = float_to_bin(score)
    v2 = 0x5F3759D8 - (v1 >> 1) + 7
    v3 = bin_to_float(v2)
    return fun(v3, score/2.0)
# print run(135000)
# print run(130000)


def crack(a, b):
    for i in range(a, b):
        if run(i) == 0x436ae:
            return i


post = crack(130000, 135000)
post = bin(post)[2:][::-1]
print(post)

a = 0xA991E504
b = 0xbdb3e416
pre = hex((a ^ b)+0x30303030)[2:].decode('hex')[::-1]
print(pre)

print('flag{%s}'%(pre+post))

get flag

flag{B1RD010000000000000001}

ooollvm

ollvm混淆的题目，pintools大法可以跑出来，听说angr也可以

https://github.com/wagiro/pintool

脚本好像有点小问题

password = tempassword[:i-1] + '\\'+**char** + tempassword[i:]
改成
password = initpass+'\\'+**char**+tempassword[i+1:]
另外
if passlen > 64:
改大点

log

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{' -d '=> 260' -s - ooollvm
flag{t-------------------------------------------------------------------------- = 184155 difference 286 instructions
flag{th------------------------------------------------------------------------- = 184428 difference 273 instructions
flag{thi------------------------------------------------------------------------ = 184727 difference 299 instructions
flag{thii----------------------------------------------------------------------- = 185042 difference 315 instructions
flag{thiii---------------------------------------------------------------------- = 185354 difference 312 instructions
flag{thiiii--------------------------------------------------------------------- = 185666 difference 312 instructions
flag{thiiiis-------------------------------------------------------------------- = 185978 difference 312 instructions
flag{thiiiis_------------------------------------------------------------------- = 186290 difference 312 instructions
flag{thiiiis_a------------------------------------------------------------------ = 186605 difference 315 instructions
flag{thiiiis_aa----------------------------------------------------------------- = 186920 difference 315 instructions
flag{thiiiis_aaa---------------------------------------------------------------- = 187238 difference 318 instructions
flag{thiiiis_aaaa--------------------------------------------------------------- = 187558 difference 320 instructions
flag{thiiiis_aaaai-------------------------------------------------------------- = 187876 difference 318 instructions
flag{thiiiis_aaaaiv------------------------------------------------------------- = 188164 difference 288 instructions
flag{thiiiis_aaaaive------------------------------------------------------------ = 188466 difference 302 instructions
flag{thiiiis_aaaaive_----------------------------------------------------------- = 188784 difference 318 instructions
flag{thiiiis_aaaaive_b---------------------------------------------------------- = 189070 difference 286 instructions
flag{thiiiis_aaaaive_bu--------------------------------------------------------- = 189372 difference 302 instructions
flag{thiiiis_aaaaive_but-------------------------------------------------------- = 189658 difference 286 instructions
flag{thiiiis_aaaaive_but_------------------------------------------------------- = 189960 difference 302 instructions
flag{thiiiis_aaaaive_but_h------------------------------------------------------ = 190246 difference 286 instructions
flag{thiiiis_aaaaive_but_ha----------------------------------------------------- = 190545 difference 299 instructions
flag{thiiiis_aaaaive_but_har---------------------------------------------------- = 190831 difference 286 instructions
flag{thiiiis_aaaaive_but_hard--------------------------------------------------- = 191104 difference 273 instructions
flag{thiiiis_aaaaive_but_hard_-------------------------------------------------- = 191406 difference 302 instructions
flag{thiiiis_aaaaive_but_hard_o------------------------------------------------- = 191721 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_ob------------------------------------------------ = 192007 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obf----------------------------------------------- = 192280 difference 273 instructions
flag{thiiiis_aaaaive_but_hard_obfu---------------------------------------------- = 192579 difference 299 instructions
flag{thiiiis_aaaaive_but_hard_obfus--------------------------------------------- = 192894 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_obfusc-------------------------------------------- = 193209 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_obfusca------------------------------------------- = 193524 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_obfuscat------------------------------------------ = 193810 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obfuscate----------------------------------------- = 194112 difference 302 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated---------------------------------------- = 194398 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_--------------------------------------- = 194697 difference 299 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_p-------------------------------------- = 194983 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_pr------------------------------------- = 195256 difference 273 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_pro------------------------------------ = 195558 difference 302 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_prog----------------------------------- = 195876 difference 318 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_progr---------------------------------- = 196164 difference 288 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_progra--------------------------------- = 196463 difference 299 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program-------------------------------- = 196758 difference 295 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program}------------------------------- = 196758 difference 0 instructionsns

Password not found, try to change charset...

➜  pintool-master 
➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program' -d '=> 200' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_------------------------------- = 196987 difference 229 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_}------------------------------ = 196987 difference 0 instructionsss

Password not found, try to change charset...

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_' -d '=> 160' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_}------------------------------ = 196987 difference 0 instructionsss

Password not found, try to change charset...

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_' -d '=> 140' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_c------------------------------ = 197140 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_co----------------------------- = 197293 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_com---------------------------- = 197446 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_comp--------------------------- = 197591 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compi-------------------------- = 197740 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compil------------------------- = 197885 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compile------------------------ = 198034 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled----------------------- = 198179 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_---------------------- = 198328 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_b--------------------- = 198473 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by-------------------- = 198622 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_------------------- = 198775 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_l------------------ = 198920 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_ll----------------- = 199061 difference 141 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llv---------------- = 199202 difference 141 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm--------------- = 199351 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_-------------- = 199502 difference 151 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_p------------- = 199649 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pa------------ = 199798 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas----------- = 199951 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas}---------- = 199951 difference 0 instructionss

Password not found, try to change charset...

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas' -d '=> 100' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas}---------- = 199951 difference 0 instructionss

Password not found, try to change charset...

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas' -d '=> 60' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pasa---------- = 200020 difference 69 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pasas--------- = 200104 difference 84 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pasas}-------- = 200104 difference 0 instructionss

Password not found, try to change charset...

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass' -d '=> 60' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_passs--------- = 200089 difference 69 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_passs}-------- = 200089 difference 0 instructionss

Password not found, try to change charset...

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass' -d '=> 100' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass}--------- = 200089 difference 69 instructions

Password not found, try to change charset...

➜  pintool-master ./ooollvm 
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass}
Success!
➜  pintool-master

get flag

flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass}

题目多解，提交

flag{this_is_a_naive_but_hard_obfuscated_program_compiled_by_llvm_pass}

才判对