2019 XNUCA Reverse: partial writeup

The hardest contest I have run into so far. I could not make headway on Crypto and only did the easier RE challenges, but we still scraped into the finals~ (200-odd teams, and only a few dozen even got past the sign-in challenge)

RE Clever Bird

00401D0E  |.  66:0F6E45 8C  movd mm0,[local.29]

get score

00401D13  |.  B9 D859375F   mov ecx,0x5F3759D8
00401D18 |. 0f5bc0 cvtdq2ps xmm0,xmm0
00401D1B |. F3:0F1185 5CF>movss [local.41],xmm0
00401D23 |. 0F28C8 movaps xmm1,xmm0
00401D26 |. 8B85 5CFFFFFF mov eax,[local.41]
00401D2C |. F3:0F590D 884>mulss xmm1,dword ptr ds:[0x404388]
00401D34 |. D1F8 sar eax,1
00401D36 |. 2BC8 sub ecx,eax
00401D38 |. 898D 5CFFFFFF mov [local.41],ecx
00401D3E |. F3:0F114D C4 movss [local.15],xmm1
00401D43 |. 74 09 je short Clever_B.00401D4E
00401D45 |. 83C1 07 add ecx,0x7
00401D48 |. 898D 5CFFFFFF mov [local.41],ecx

This yields a value constrained by score; the formula is below and involves a single-precision float conversion (score is converted to a float and its bit pattern is read back as an integer).

0x5F3759D8 - (score >> 1) + 7

00401D65  |> \F3:0F108D 5CF>movss xmm1,[local.41]
00401D6D |. F3:0F1015 8C4>movss xmm2,dword ptr ds:[0x40438C]
00401D75 |. 0F28C1 movaps xmm0,xmm1
00401D78 |. F3:0F5945 C4 mulss xmm0,[local.15]
00401D7D |. F3:0F59C1 mulss xmm0,xmm1
00401D81 |. F3:0F5CD0 subss xmm2,xmm0
00401D85 |. F3:0F59D1 mulss xmm2,xmm1
00401D89 |. F3:0F5915 984>mulss xmm2,dword ptr ds:[0x404398]
00401D91 |. F3:0F5915 944>mulss xmm2,dword ptr ds:[0x404394]
00401D99 |. F3:0F5815 904>addss xmm2,dword ptr ds:[0x404390]
00401DA1 |. F3:0F5E15 944>divss xmm2,dword ptr ds:[0x404394]
00401DA9 |. F3:0F2CFA cvttss2si edi,xmm2

Floating-point arithmetic; the two variables are a = score/2 and b, the value obtained above.

res = ((1.5a-aaab)*1000000000+5)/10

00401DCA |. 81FF AE360400 cmp edi,0x436AE

check res == 0x436ae

This gives the equation ((1.5a-aaab)*1000000000+5)/10 = 0x436ae

b is constrained by a, and the function should be monotonically decreasing, so narrow the interval and then brute-force score

00401E40  |> /8BD6          /mov edx,esi
00401E42 |. |81E2 01000080 |and edx,0x80000001
00401E48 |. |79 05 |jns short Clever_B.00401E4F
00401E4A |. |4A |dec edx
00401E4B |. |83CA FE |or edx,-0x2
00401E4E |. |42 |inc edx
00401E4F |> |0FBE0F |movsx ecx,byte ptr ds:[edi]
00401E52 |. |83C2 30 |add edx,0x30
00401E55 |. |47 |inc edi ; kernel32.GetStdHandle
00401E56 |. |3BCA |cmp ecx,edx
00401E58 |. |75 6D |jnz short Clever_B.00401EC7
00401E5A |. |8BC6 |mov eax,esi
00401E5C |. |99 |cdq
00401E5D |. |2BC2 |sub eax,edx
00401E5F |. |8BF0 |mov esi,eax
00401E61 |. |D1FE |sar esi,1
00401E63 |.^\75 DB \jnz short Clever_B.00401E40

The binary digits of score are compared one at a time, least significant first, against the bytes starting at *key+4

00401E80  |> /0FBE5435 C8   /movsx edx,byte ptr ss:[ebp+esi-0x38]
00401E85 |. |8BC3 |mov eax,ebx
00401E87 |. |D3F8 |sar eax,cl
00401E89 |. |83EA 30 |sub edx,0x30
00401E8C |. |0FB6C0 |movzx eax,al
00401E8F |. |33D0 |xor edx,eax
00401E91 |. |3954B5 B8 |cmp dword ptr ss:[ebp+esi*4-0x48],edx
00401E95 |. |75 30 |jnz short Clever_B.00401EC7
00401E97 |. |83C1 08 |add ecx,0x8
00401E9A |. |46 |inc esi
00401E9B |. |83F9 20 |cmp ecx,0x20
00401E9E |.^\7C E0 \jl short Clever_B.00401E80

Then the first four bytes of key are compared; these are constants, and they come out as B1RD

So key is 'B1RD' + reversed(bin(score))

Solver script

import struct


def fun(a, b):
    # The float expression the binary evaluates before comparing with 0x436ae
    res = ((1.5*a - a*a*a*b)*1000000000 + 5)/10
    return int(res)


def float_to_bin(num):
    # Bit pattern of num as a single-precision float
    bits, = struct.unpack('!I', struct.pack('!f', num))
    return bits


def bin_to_float(num):
    # Reinterpret a 32-bit pattern as a single-precision float
    nums, = struct.unpack('!f', struct.pack('!I', num))
    return nums


def run(score):
    v1 = float_to_bin(score)
    v2 = 0x5F3759D8 - (v1 >> 1) + 7
    v3 = bin_to_float(v2)
    return fun(v3, score/2.0)
# print(run(135000))
# print(run(130000))


def crack(a, b):
    for i in range(a, b):
        if run(i) == 0x436ae:
            return i


post = crack(130000, 135000)
post = bin(post)[2:][::-1]
print(post)

a = 0xA991E504
b = 0xbdb3e416
# (a ^ b) + 0x30303030 spells the key prefix; bytes.fromhex replaces Python 2's str.decode('hex')
pre = bytes.fromhex(hex((a ^ b) + 0x30303030)[2:]).decode()[::-1]
print(pre)

print('flag{%s}' % (pre + post))

get flag

flag{B1RD010000000000000001}
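The whole Clever Bird procedure again, as an added Python 3 example that is not the writeup's own script. It reproduces the two checks and replaces the guessed 130000-135000 brute-force range with a bisection on the check value, followed by a short scan, because the value is only monotonically decreasing at coarse granularity. The constants (0x5F3759D8, the added 7, 0x436AE, 0xA991E504, 0xBDB3E416) are the ones the writeup reads out of the disassembly; 0x5F3759D8 + 7 is 0x5F3759DF, the fast inverse square root seed, and the multiply chain is its single Newton step, which is why the value falls as score grows. The window size and the interpretation of the two key constants as (a ^ b) taken byte by byte plus 0x30 are this example's assumptions, following the author's derivation. Arithmetic is in double precision like the author's solver, whereas the binary uses single-precision mulss/subss, so a candidate found here should be confirmed against the binary, as the author did by obtaining the flag.

```python
import struct

# Added example (not the writeup's script): re-implements the Clever Bird checks in
# Python 3 and locates score by bisection instead of a guessed brute-force range.
# Arithmetic is double precision, as in the author's solver; the binary uses
# single-precision SSE instructions, so confirm any candidate against it.

TARGET = 0x436AE          # constant compared against edi at 00401DCA
KEY_CONST_A = 0xA991E504  # the two constants the writeup reads out of the key-prefix check
KEY_CONST_B = 0xBDB3E416


def f32_bits(value):
    """Bit pattern of `value` as an IEEE-754 single: cvtdq2ps, then the store and
    reload of local.41 into eax."""
    return struct.unpack('<I', struct.pack('<f', float(value)))[0]


def bits_f32(bits):
    """Reinterpret a 32-bit pattern as a single: mov [local.41],ecx / movss xmm1,[local.41]."""
    return struct.unpack('<f', struct.pack('<I', bits & 0xFFFFFFFF))[0]


def check_value(score):
    """The integer the binary compares with TARGET.
    0x5F3759D8 - (bits >> 1) + 7 equals 0x5F3759DF - (bits >> 1), the fast inverse
    square root seed; the multiply chain is its Newton step y * (1.5 - (x/2) * y * y),
    so y approximates 1/sqrt(score) and the value shrinks as score grows."""
    y = bits_f32(0x5F3759D8 - (f32_bits(score) >> 1) + 7)
    half = score / 2.0
    res = (1.5 * y - y * y * y * half) * 1000000000 + 5
    return int(res / 10)


def solve(target=TARGET, lo=1, hi=1 << 24):
    """Bisect on check_value (decreasing in score), then scan a window around the
    bracket: the seed's approximation error (about 0.175 %) breaks monotonicity at
    fine granularity, so a pure bisection can stop a few hundred scores away.
    Returns every score in the window that produces `target`."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if check_value(mid) > target:
            lo = mid          # value still too large: score has to grow
        else:
            hi = mid
    margin = max(64, lo // 50)  # 2 % window (assumption) covers the approximation error
    return [s for s in range(max(1, lo - margin), lo + margin) if check_value(s) == target]


def key_suffix(score):
    """Mirror of the loop at 00401E40 for a non-negative score: emit the bits least
    significant first as '0'/'1' characters, halving until the value is exhausted."""
    digits = []
    while score:
        digits.append(chr(0x30 + (score & 1)))
        score //= 2
    return ''.join(digits)


def key_prefix(a=KEY_CONST_A, b=KEY_CONST_B):
    """Constant part checked at 00401E80: byte i of (a ^ b), least significant first
    (the sar eax,cl by 0, 8, 16, 24), plus 0x30 gives key character i."""
    x = a ^ b
    return ''.join(chr(((x >> (8 * i)) & 0xFF) + 0x30) for i in range(4))


def flag(score):
    return 'flag{%s%s}' % (key_prefix(), key_suffix(score))


if __name__ == '__main__':
    for s in solve():
        print(s, hex(check_value(s)), flag(s))
```

The bisection needs only about 24 evaluations to land within a few hundred of the answer; the scan then reports every score in the window whose check value is 0x436AE, so if the float approximation admits more than one solution nearby, all of them are listed rather than just the first one a fixed-range loop happens to hit.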

ooollvm

An OLLVM-obfuscated challenge; the pintool approach gets it, and I hear angr works too

https://github.com/wagiro/pintool

The script seems to have a small bug

password = tempassword[:i-1] + '\\' + char + tempassword[i:]

change to

password = initpass + '\\' + char + tempassword[i+1:]

Also, in

if passlen > 64:

raise the limit.

log

➜  pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{' -d '=> 260' -s - ooollvm
flag{t-------------------------------------------------------------------------- = 184155 difference 286 instructions
flag{th------------------------------------------------------------------------- = 184428 difference 273 instructions
flag{thi------------------------------------------------------------------------ = 184727 difference 299 instructions
flag{thii----------------------------------------------------------------------- = 185042 difference 315 instructions
flag{thiii---------------------------------------------------------------------- = 185354 difference 312 instructions
flag{thiiii--------------------------------------------------------------------- = 185666 difference 312 instructions
flag{thiiiis-------------------------------------------------------------------- = 185978 difference 312 instructions
flag{thiiiis_------------------------------------------------------------------- = 186290 difference 312 instructions
flag{thiiiis_a------------------------------------------------------------------ = 186605 difference 315 instructions
flag{thiiiis_aa----------------------------------------------------------------- = 186920 difference 315 instructions
flag{thiiiis_aaa---------------------------------------------------------------- = 187238 difference 318 instructions
flag{thiiiis_aaaa--------------------------------------------------------------- = 187558 difference 320 instructions
flag{thiiiis_aaaai-------------------------------------------------------------- = 187876 difference 318 instructions
flag{thiiiis_aaaaiv------------------------------------------------------------- = 188164 difference 288 instructions
flag{thiiiis_aaaaive------------------------------------------------------------ = 188466 difference 302 instructions
flag{thiiiis_aaaaive_----------------------------------------------------------- = 188784 difference 318 instructions
flag{thiiiis_aaaaive_b---------------------------------------------------------- = 189070 difference 286 instructions
flag{thiiiis_aaaaive_bu--------------------------------------------------------- = 189372 difference 302 instructions
flag{thiiiis_aaaaive_but-------------------------------------------------------- = 189658 difference 286 instructions
flag{thiiiis_aaaaive_but_------------------------------------------------------- = 189960 difference 302 instructions
flag{thiiiis_aaaaive_but_h------------------------------------------------------ = 190246 difference 286 instructions
flag{thiiiis_aaaaive_but_ha----------------------------------------------------- = 190545 difference 299 instructions
flag{thiiiis_aaaaive_but_har---------------------------------------------------- = 190831 difference 286 instructions
flag{thiiiis_aaaaive_but_hard--------------------------------------------------- = 191104 difference 273 instructions
flag{thiiiis_aaaaive_but_hard_-------------------------------------------------- = 191406 difference 302 instructions
flag{thiiiis_aaaaive_but_hard_o------------------------------------------------- = 191721 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_ob------------------------------------------------ = 192007 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obf----------------------------------------------- = 192280 difference 273 instructions
flag{thiiiis_aaaaive_but_hard_obfu---------------------------------------------- = 192579 difference 299 instructions
flag{thiiiis_aaaaive_but_hard_obfus--------------------------------------------- = 192894 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_obfusc-------------------------------------------- = 193209 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_obfusca------------------------------------------- = 193524 difference 315 instructions
flag{thiiiis_aaaaive_but_hard_obfuscat------------------------------------------ = 193810 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obfuscate----------------------------------------- = 194112 difference 302 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated---------------------------------------- = 194398 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_--------------------------------------- = 194697 difference 299 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_p-------------------------------------- = 194983 difference 286 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_pr------------------------------------- = 195256 difference 273 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_pro------------------------------------ = 195558 difference 302 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_prog----------------------------------- = 195876 difference 318 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_progr---------------------------------- = 196164 difference 288 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_progra--------------------------------- = 196463 difference 299 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program-------------------------------- = 196758 difference 295 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program}------------------------------- = 196758 difference 0 instructionsns

Password not found, try to change charset...

➜ pintool-master
➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program' -d '=> 200' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_------------------------------- = 196987 difference 229 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_}------------------------------ = 196987 difference 0 instructionsss

Password not found, try to change charset...

➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_' -d '=> 160' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_}------------------------------ = 196987 difference 0 instructionsss

Password not found, try to change charset...

➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_' -d '=> 140' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_c------------------------------ = 197140 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_co----------------------------- = 197293 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_com---------------------------- = 197446 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_comp--------------------------- = 197591 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compi-------------------------- = 197740 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compil------------------------- = 197885 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compile------------------------ = 198034 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled----------------------- = 198179 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_---------------------- = 198328 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_b--------------------- = 198473 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by-------------------- = 198622 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_------------------- = 198775 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_l------------------ = 198920 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_ll----------------- = 199061 difference 141 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llv---------------- = 199202 difference 141 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm--------------- = 199351 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_-------------- = 199502 difference 151 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_p------------- = 199649 difference 145 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pa------------ = 199798 difference 149 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas----------- = 199951 difference 153 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas}---------- = 199951 difference 0 instructionss

Password not found, try to change charset...

➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas' -d '=> 100' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas}---------- = 199951 difference 0 instructionss

Password not found, try to change charset...

➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pas' -d '=> 60' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pasa---------- = 200020 difference 69 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pasas--------- = 200104 difference 84 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pasas}-------- = 200104 difference 0 instructionss

Password not found, try to change charset...

➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass' -d '=> 60' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_passs--------- = 200089 difference 69 instructions
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_passs}-------- = 200089 difference 0 instructionss

Password not found, try to change charset...

➜ pintool-master python pintool.py -c 1,2,3 -b {_} -l 80 -a 64 -d '=> ' -i 'flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass' -d '=> 100' -s - ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass}--------- = 200089 difference 69 instructions

Password not found, try to change charset...

➜ pintool-master ./ooollvm
flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass}
Success!
➜ pintool-master

get flag

flag{thiiiis_aaaaive_but_hard_obfuscated_program_compiled_by_llvm_pass}

The challenge accepts more than one input; the submission was only judged correct with

flag{this_is_a_naive_but_hard_obfuscated_program_compiled_by_llvm_pass}

rather than the string recovered above.
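The mechanism behind the pintool log, as an added simulation in Python that is not the pintool-master script and does not use Pin: leaky_check() stands in for the target's comparison and counts the bytes it inspects in place of Pin's instruction counter, recover() plays the role of pintool.py's loop (the -i known prefix, the -l fixed length with filler bytes, the -d difference threshold), and constant_time_check() is the fix a defender would apply. The secret is the flag the platform accepted, used here as the constructed target; the charset and the filler byte are assumptions. The simulation is idealised: each correct byte raises the cost by exactly one, whereas the real counter moves by a few hundred instructions with jitter, which is why the author had to retune -d several times in the log.

```python
import string

# Added example, not the pintool-master script: a simulated instruction-count oracle.
# leaky_check() counts the bytes it inspects in place of Pin's instruction counter, so
# the "difference N instructions" column of the log becomes a difference of 1 per byte.

CHARSET = string.ascii_letters + string.digits + "{}_"   # assumption: pintool's -c 1,2,3 plus -b {_}
FILLER = "-"                                             # pads every guess to a fixed length, as in the log
# Constructed target: the flag the platform accepted, taken from the writeup.
SECRET = "flag{this_is_a_naive_but_hard_obfuscated_program_compiled_by_llvm_pass}"


def leaky_check(candidate, secret=SECRET):
    """Byte-by-byte compare over len(secret) bytes that stops at the first mismatch.
    Returns (accepted, cost); cost is the number of bytes inspected before the
    verdict, so it grows by one for every additional correct leading byte."""
    for i, expected in enumerate(secret):
        if i >= len(candidate) or candidate[i] != expected:
            return False, i
    return True, len(secret)


def constant_time_check(candidate, secret=SECRET):
    """Inspects every byte regardless of earlier mismatches; cost never depends on
    the input, so there is no gradient for a guessing loop to follow."""
    padded = candidate[:len(secret)].ljust(len(secret), "\0")
    acc = 0
    for a, b in zip(padded, secret):
        acc |= ord(a) ^ ord(b)
    return len(candidate) >= len(secret) and acc == 0, len(secret)


def recover(oracle, known="flag{", length=80, threshold=1):
    """Extend `known` one byte at a time, keeping the byte whose cost rises above the
    current baseline by at least `threshold` (pintool.py's -i, -l and -d options).
    Returns the accepted input, or None when no byte stands out at some position."""
    password = known
    _, base_cost = oracle(password.ljust(length, FILLER))
    while len(password) < length:
        best = None
        for ch in CHARSET:
            accepted, cost = oracle((password + ch).ljust(length, FILLER))
            if accepted:
                return password + ch
            if cost - base_cost >= threshold and (best is None or cost > best[1]):
                best = (ch, cost)
        if best is None:
            return None          # flat cost profile: the oracle leaks nothing here
        password += best[0]
        base_cost = best[1]
    return None


if __name__ == "__main__":
    print("leaky oracle        :", recover(leaky_check))
    print("constant-time oracle:", recover(constant_time_check))
```

Running the file recovers SECRET from leaky_check() and returns None for constant_time_check(), because every guess then costs the same and no byte stands out. That flat profile is the property to aim for in any comparison of secret material, whether the adversary measures instructions under Pin, cycles, or wall-clock time; an obfuscation pass such as OLLVM's changes the constants in the log but not the fact that an early-exit compare does a different amount of work for a correct prefix.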
