-
-
[原创]第五题 紧急救援 by k1ee
-
2020-11-28 03:21
-
紧急救援
我真的没做过虚拟机题,这题套了4层虚拟机,属实给力,不能再用以前的手打虚拟机方法了,必须程序化。首先拖入IDA分析。
输入一段Hex Text,转为Hex Bytes。
建立缓冲区,复制虚拟机指令到如图位置。随后按以下结构体构造了虚拟机的参数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | struct vm_sub{ int param1; //6, 6, 6, 3 int param2; //ins1, ins2, ins3, input_hex char* vm_ins; int size; int idk_0; int id; int idk7; int idk8;};struct vm_fin{ unsigned char* input_hex; int* len_buf; vm_sub* vmsub;};struct vm_context{ vm_sub subs[4]; vm_fin fin;}; |
随后传入第一个虚拟机上下文参数(vm_sub)开始执行虚拟机,并由结果进行输出。
进入虚拟机函数,废话和弯路我就不多说了,直接分析可知
这是典型的压栈,再看后续指令
基本都是通过堆栈进行计算。经过两天的弯路后,我最终决定通过KeyStone还原各层虚拟机的源码。由于1,2,3层虚拟机的指令仅仅是替换而已,因此这里只分析第1层。(Butterfly为第0层,三个Buffer分别是1、2、3层,最后一层是关键代码)
只需要模仿通常静态分析手段扫过去就行了,然后按照对应OpCode生成汇编,然后再进行编译,贴上源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 | #include <keystone/keystone.h>...void disassembly_vm1(vm_sub* ctx) { char* eip = ctx->vm_ins; char* esp = eip + 2 * ctx->size; ks_engine* ks; ks_err err; err = ks_open(KS_ARCH_X86, KS_MODE_32, &ks); if (err != KS_ERR_OK) { cout << "Keystone open error." << endl; return; } ostringstream dasm = ostringstream(); dasm << "push 6;" << endl; dasm << "push 0x20000;" << endl; dasm << "call vmins_0;" << endl; dasm << "jmp vmins_ret;" << endl; while (eip < ctx->vm_ins + 0x792) { int vm_offset = eip - ctx->vm_ins; dasm << "vmins_" << vm_offset << ":" << endl; int ins = *eip++; switch (ins) { case 17: { dasm << "push ebx;" << endl; break; } case 1: { uint8_t off = (uint8_t)*eip++; dasm << "xor eax, eax;" << endl; dasm << "mov al, " << (int)off << ";" << endl; dasm << "lea ebx, [ebp+eax*4-400h];" << endl; break; } case 13: { dasm << "mov ebx, [ebx];" << endl; break; } case 3: { ecx = (uint8_t)*eip++; dasm << "mov ebx, " << (int)ecx << ";" << endl; break; } case 8: { uint32_t off = *(uint32_t*)eip; dasm << "test ebx, ebx;" << endl; dasm << "jz vmins_" << (int)(vm_offset + 1 + off) << ";" << endl; dasm << "jmp vmins_" << (int)(vm_offset + 1 + 4) << ";" << endl; eip += 4; break; } case 21: { dasm << "pop ecx;" << endl; dasm << "cmp ecx, ebx;" << endl; dasm << "jnz vmins_" << vm_offset << "set0;" << endl; dasm << "mov ebx, 1;" << endl; dasm << "jmp vmins_" << vm_offset + 1 << ";" << endl; dasm << "vmins_" << vm_offset << "set0:" << endl; dasm << "mov ebx, 0;" << endl; break; } case 15: { dasm << "pop edx;" << endl; dasm << "mov [edx], ebx;" << endl; break; } case 6: { uint32_t off = *(uint32_t*)eip; //In disassembly mode we do not jump, but skip this instruction. //eip += off; if (off != 4) dasm << "jmp vmins_" << (int)(vm_offset + 1 + off) << ";" << endl; eip += 4; break; } case 29: { dasm << "pop ecx;" << endl; dasm << "add ebx, ecx;" << endl; break; } case 30: { dasm << "pop eax;" << endl; dasm << "sub eax, ebx;" << endl; dasm << "mov ebx, eax;" << endl; break; } case 14: { dasm << "xor ecx, ecx;" << endl; dasm << "mov cl, [ebx];" << endl; dasm << "mov ebx, ecx;" << endl; break; } case 31: { dasm << "pop edx;" << endl; dasm << "imul ebx, edx;" << endl; break; } case 16: { dasm << "pop eax;" << endl; dasm << "mov [eax], bl;" << endl; dasm << "movsx ebx, bl;" << endl; break; } case 33: { dasm << "pop eax;" << endl; dasm << "xor edx, edx;" << endl; dasm << "div ebx;" << endl; dasm << "mov ebx, edx;" << endl; break; } case 23: { dasm << "pop ecx;" << endl; dasm << "cmp ecx, ebx;" << endl; dasm << "jnb vmins_" << vm_offset << "set0;" << endl; dasm << "mov ebx, 1;" << endl; dasm << "jmp vmins_" << vm_offset + 1 << ";" << endl; dasm << "vmins_" << vm_offset << "set0:" << endl; dasm << "mov ebx, 0;" << endl; break; } case 32: { dasm << "pop eax;" << endl; dasm << "xor edx, edx;" << endl; dasm << "div ebx;" << endl; dasm << "mov ebx, eax;" << endl; break; } case 24: { dasm << "pop edx;" << endl; dasm << "cmp edx, ebx;" << endl; dasm << "jbe vmins_" << vm_offset << "set0;" << endl; dasm << "mov ebx, 1;" << endl; dasm << "jmp vmins_" << vm_offset + 1 << ";" << endl; dasm << "vmins_" << vm_offset << "set0:" << endl; dasm << "mov ebx, 0;" << endl; break; } case 18: { dasm << "pop ecx;" << endl; dasm << "or ebx, ecx;" << endl; break; } case 28: { dasm << "pop eax;" << endl; dasm << "mov ecx, ebx;" << endl; dasm << "shr eax, cl;" << endl; dasm << "mov ebx, eax;" << endl; break; } case 20: { dasm << "pop ecx;" << endl; dasm << "and ebx, ecx;" << endl; break; } case 19: { dasm << "pop ecx;" << endl; dasm << "xor ebx, ecx;" << endl; break; } case 27: { dasm << "pop edx;" << endl; dasm << "mov ecx, ebx;" << endl; dasm << "shl edx, cl;" << endl; dasm << "mov ebx, edx;" << endl; break; } case 22: { dasm << "pop eax;" << endl; dasm << "cmp eax, ebx;" << endl; dasm << "jz vmins_" << vm_offset << "set0;" << endl; dasm << "mov ebx, 1;" << endl; dasm << "jmp vmins_" << vm_offset + 1 << ";" << endl; dasm << "vmins_" << vm_offset << "set0:" << endl; dasm << "mov ebx, 0;" << endl; break; } case 26: { dasm << "pop ecx;" << endl; dasm << "cmp ecx, ebx;" << endl; dasm << "jb vmins_" << vm_offset << "set0;" << endl; dasm << "mov ebx, 1;" << endl; dasm << "jmp vmins_" << vm_offset + 1 << ";" << endl; dasm << "vmins_" << vm_offset << "set0:" << endl; dasm << "mov ebx, 0;" << endl; break; } case 0: { uint8_t off = (uint8_t)*eip++; //ecx = (uint32_t)&eax[4 * off]; dasm << "xor edx, edx;" << endl; dasm << "mov dl, " << (int)off << ";" << endl; dasm << "lea ebx, [ebp+edx*4];" << endl; break; } case 11: { uint32_t off = *(uint32_t*)eip; //esp += 4 * off; dasm << "mov eax, " << (int)(off * 4) << ";" << endl; dasm << "add esp, eax;" << endl; eip += 4; break; } case 4: { ecx = *(uint32_t*)eip; eip += 4; dasm << "mov ebx, " << (int)ecx << ";" << endl; break; } case 40: { //We do not execute //char* buf = (char*)*((uint32_t*)esp + 2); //uint32_t size = *(uint32_t*)esp; //ecx = (uint32_t)buf; //memset(buf, esp[4], size + (size & 3)); //eax = ebx; dasm << "mov ecx, [esp+0];" << endl; dasm << "xor eax, eax;" << endl; dasm << "mov al, [esp+4];" << endl; dasm << "mov edi, [esp+8];" << endl; dasm << "mov ebx, edi;" << endl; dasm << "rep stosb;" << endl; break; } case 42: { //We do not execute //ecx = (uint32_t) * ((uint32_t*)esp + 2); //memcpy((void*)*((uint32_t*)esp + 2), (void*)*((uint32_t*)esp + 1), *((uint32_t*)esp)); //eax = ebx; dasm << "mov ecx, [esp+0];" << endl; dasm << "mov edi, [esp+8];" << endl; dasm << "mov esi, [esp+4];" << endl; dasm << "mov ebx, edi;" << endl; dasm << "rep movsb;" << endl; break; } case 9: { uint32_t off = *(uint32_t*)eip; dasm << "test ebx, ebx;" << endl; dasm << "jz vmins_" << (int)(vm_offset + 1 + 4) << ";" << endl; dasm << "jmp vmins_" << (int)(vm_offset + 1 + off) << ";" << endl; eip += 4; break; } case 2: { uint32_t off = *(uint32_t*)eip; //ecx = (uint32_t)&eax[4 * off]; eip += 4; dasm << "mov ecx, " << (int)off << ";" << endl; dasm << "lea ebx, [ebp+ecx*4];" << endl; break; } case 7: { uint32_t off = *(uint32_t*)eip; //push(esp, (uint32_t)eip + 4); //In disassembly mode we do not jump, but skip this instruction. //eip += off; dasm << "call vmins_" << (int)(vm_offset + 1 + off) << ";" << endl; dasm << "mov ebx, eax;" << endl; eip += 4; break; } case 10: { uint32_t off = *(uint32_t*)eip; dasm << "push ebp;" << endl; dasm << "mov ebp, esp;" << endl; dasm << "sub esp, " << off * 4 << ";" << endl; eip += 4; break; } case 12: // return { dasm << "mov eax, ebx;" << endl; dasm << "mov esp, ebp;" << endl; dasm << "pop ebp;" << endl; dasm << "ret;" << endl; break; } case 43: { dasm << "mov eax, [esp];" << endl; dasm << "ret;" << endl; goto finished; } default: { cout << "Error"; break; } } }finished: dasm << "vmins_ret:" << endl; dasm << "push ebx;" << endl; dasm << "mov eax, [esp];" << endl; dasm << "ret;" << endl; unsigned char* output; size_t outlen = 0; size_t outcnt = 0; string disasm = dasm.str(); ofstream fout = ofstream("./disasm_vm1.txt", ios_base::ate); fout << disasm; fout.flush(); fout.close(); const char* code = disasm.c_str(); if (ks_asm(ks, code, 0, &output, &outlen, &outcnt) != KS_ERR_OK) { ks_err err = ks_errno(ks); cout << err; } fout = ofstream("./disasm_vm1.bin", ios_base::ate | ios_base::binary); fout.write((const char*)output, outlen); fout.flush(); fout.close(); ks_free(output); ks_close(ks);} |
需要注意的是,除了第1层的40和42,以及后续层的这两个位置的指令,其他各层都相同,因此分析后面的只需要改一下case就行了。额外,第2、3层的这两个指令加了不少其他代码,但是我发现不对增加的代码进行增补也可以解题,后面细说。除此之外,还需要注意把lea esp的地方改为add/sub esp,不然IDA不认(非标准
分析完4层指令后,贴上关键的反编译函数。
第1层
第2层
第3层
最终分析目标函数(第4层)
首先获取了前面几层的指令指针
这里其实调用了memcpy系列函数,不过被优化了,由于我偷懒,并没有为每层更改memcpy,memset系列函数的实现,因此看到这个指令,就可以认为调用了Host的那个地方的函数,转而看前面层的代码就可以了。在这里,经过提取分析,得到这里memcpy对前4字节的CRC32
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | int vm3_memcpy(char* dst, char* src, int len) { vm_fin* v18 = &ctx.fin; unsigned char * v17 = v18->input_hex; int* v16 = new int[10]; v16[2] = 0xDEC0CCAE; *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); *(v16 + 2) = crc32(0xFFFFFFFF, v16 + 2); if (*(v16 + 2) == 0xDE05629C) return 1; return 0;} |
经过爆破,可以得出前4字节为AE CC C0 DE。
1 2 3 4 5 6 7 8 9 | result = d54b1112 target = de05629cresult = 5ba49ea3 target = d54b1112result = f16f3846 target = 5ba49ea3result = 84b4f299 target = f16f3846result = 3731ce56 target = 84b4f299result = 74f3e321 target = 3731ce56result = 20558f1 target = 74f3e321result = dec0ccae target = 20558f1result = f812fce7 target = dec0ccae |
随后分析下一个函数
这里修改了上层Host的指令,可以看出是修改了一些立即数(前后对照),因此在还原函数的时候稍加注意即可,对于第一个memset,提炼出关键校验函数有:
1 2 3 4 5 6 7 8 9 10 11 12 13 | int vm3_memset_1(char* dst, char val, int len){ vm_fin* v18 = &ctx.fin; char* hex = (char *)v18->input_hex; int* v16 = v18->len_buf; int* v6 = v16 + 4; *v6 = sub_E21(hex); // equals D540 v6 = v16 + 2; *v6 = sub_109A(hex + 4, (char*)v16 + 256); memset(v16 + 1024, 1, 100); sub_1517((char*)v16 + 256, (char*)v16 + 4096); return 0;} |
sub_E21完成了某种变换,可以通过爆破还原,并计算了一个值(D540)避免多解,随后由于前4字节已经计算出,带偏移传入sub_109A
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | unsigned int __cdecl sub_109A(char* a1, char* a2){ int v3; // [esp+3ECh] [ebp-14h] char* v4; // [esp+3F0h] [ebp-10h] unsigned __int8 v5; // [esp+3F4h] [ebp-Ch] unsigned int v6; // [esp+3F8h] [ebp-8h] unsigned int v7; // [esp+3FCh] [ebp-4h] v4 = a2; v7 = 0; v3 = 0; while (v7 < 15) { v6 = 0; v5 = a1[v7]; v3 <<= 1; v3 |= (unsigned int)v5 >> 7; while (v6 < 7) { *v4 = v5 & 1; v5 >>= 1; ++v4; ++v6; } ++v7; } return (((v3 << 8) + ((unsigned int)(unsigned __int8)a1[14] >> 2)) << 8) + (unsigned __int8)a1[15];} |
前14个字节以及15字节的低2位变成10*10矩阵,随后初始化棋盘,使用sub_1517进行解密。
完成的是根据输入,从左上角依次访问棋盘,并对访问位置及其相邻的元素进行异或,最终使得全1变为全0。这里算法不多说,可以去看文章。完成求解
此时根据这里的防止多解,完成前8个int的求解
1 | AE CC C0 DE 0C 32 56 F7 5E 37 A6 BF A2 27 A2 ED 3D 54 AC 96 4B 43 54 46 32 30 32 30 46 6C 61 67 |
最后分析最后6个int,和前面棋盘大同小异,192比特的前190比特以三角形的方式放入矩阵,并将三角形复制8次填满矩阵,然后求解使得棋盘翻转。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | int vm3_memset_2(char* dst, char val, int len){ vm_fin* v18 = &ctx.fin; char* v17 = (char *)v18->input_hex; int* v16 = v18->len_buf; int* v6 = v16 + 2; *v6 = sub_179A(v17 + 32, (char *)v16 + 64*4); if (*v6 == 2) { memset(v16 + 1024, 1, 1600); sub_2FB9((char*)v16 + 4*64, (char*)v16 + 4*1024); } return 0;} |
*v6 == 2指的是剩余2比特(高2位),因此求解该矩阵
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | uint32_t limit = pow(2, 20) - 1;for (uint32_t val = 0; val <= limit; ++val){ for (int i = 0; i < 20; ++i) { uint8_t bit = (val >> i) & 0b1; mat[0][i] = bit; mat[0][39 - i] = bit; } memset(table, 1, sizeof(table)); for (int i = 0; i < 40; ++i) { for (int k = 0; k < 40; ++k) { uint8_t bit = mat[i][k]; table[i][k] ^= bit; if (i > 0) table[i - 1][k] ^= bit; if (i < 39) table[i + 1][k] ^= bit; if (k > 0) table[i][k - 1] ^= bit; if (k < 39) table[i][k + 1] ^= bit; } if (i != 39) { for (int k = 0; k < 40; ++k) { mat[i + 1][k] = table[i][k]; } } } if (memcmp(table, truth, sizeof(truth)) == 0) { printf("Result\n"); printf("arr = []\n"); for (int i = 0; i < 40; ++i) { printf("arr.append(["); for (int k = 0; k < 40; ++k) { printf("%d%s", mat[i][k], k == 39 ? "" : ", "); } printf("]\n"); } }} |
最终完成求解
拿脚本解出来
因此最终Flag为
1 | AECCC0DE0C3256F75E37A6BFA227A2ED3D54AC964B43544632303230466C6167826B49EB0A305A72C2E92C18A0901280F47791BAE00932B0 |
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
最后于 2020-11-28 18:08
被k1ee编辑
,原因: 修正描述错误
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
 吊
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
