-
-
[原创]看雪.深信服 2021 KCTF 春季赛 第六题 寻回宝剑
-
2021-5-19 00:15 6726
-
IDA打开,发现代码加了混淆,但规律性很强。
解混淆是一个迭代的过程:
首先注意到一个反复出现的代码片段:
123456789push raxpush raxpushfcall $+5pop raxxor rax,XXXXXXXXmov QWORD PTR [rsp+0x10],raxpopfpop rax这段代码的效果等同于push一个地址,其值等于
pop rax指令的地址异或上xor指令里的常量,是一个能够静态计算出来的确定的值。(注意文件头的IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE没有置位,程序没有开启动态基址,因此xor运算后的地址才有效)
这样的代码片段可以统一替换为VIRTUAL push XXXXYYYY(VIRTUAL前缀是人为加的,为了区分程序里真实的push指令)替换之后,程序里出现大量的
12VIRTUAL push XXXXYYYYret等同于一条无条件跳转指令
VIRTUAL jmp XXXXYYYY对同一个寄存器连续的push和pop,可以直接去除
12push AAApop AAA1234push AAApush BBBpop BBBpop AAA对
VIRTUAL jmp连接的代码块重新排序让它们顺序连在一起,从而省略掉无用的VIRTUAL jmp指令。在完成这一步后,重做第3步。出现了一个新的模式(这个模式只有在前4步都做完之后才能看出来,因为这些指令在源程序中并不是连续的)
123456789push raxpush raxpushfVIRTUAL push XXXXXXXXpop raxadd rax,YYYYYYYYmov QWORD PTR [rsp+0x10],raxpopfpop rax与第1步类似,整个片段等价为push一个常量。可以将整个片段替换为
VIRTUAL push XXXXYYYY,然后重做第2步反复迭代以上的步骤,重点是指令块的重新排序(第4步),每次重新排序后再次搜索第1、2、3、5步的代码模式做替换。直到代码不再能化简,打印输出即可。
由于混淆模式非常固定,所以先用objdump工具获得反汇编:objdump -d -M intel KCTF.exe > KCTF_objdump.txt,然后对字符串做操作。
(更好的方法应该使用Capstone这样的反汇编引擎,可惜不太熟悉)
代码如下:(与上面的步骤描述有少许不同,但主要思路是一致的)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 | class Instruction: __slots__ = ["va", "s"] def __init__(self, va, s): self.va = va self.s = s def __str__(self): return hex(self.va)+"\t"+self.sclass Block: __slots__ = ["startva", "jmpva", "insts"] def __init__(self): self.startva = None self.jmpva = None self.insts = [] def __str__(self): r = "" r += f"; {hex(self.startva)}, {hex(self.jmpva) if self.jmpva else None}:\n" for inst in self.insts: r += str(inst)+"\n" return r def simplify1(self): i = 0 while (i < len(self.insts)): tmp = self.insts[i].s i += 1 if tmp.split()[0] == "push" and i < len(self.insts): tmp2 = self.insts[i].s i += 1 if tmp2.split()[0] == "pop" and tmp2.split()[1] == tmp.split()[1]: "push xxx ; pop xxx" i -= 2 if self.startva == 0x14007def2: print("xxx", self.insts[i]) self.insts.pop(i) self.insts.pop(i) else: i -= 1 def simplify2(self): i = 0 while i+8 < len(self.insts): if self.insts[i].s.startswith("push rax") \ and self.insts[i+1].s.startswith("push rax") \ and self.insts[i+2].s.startswith("pushf") \ and self.insts[i+3].s.startswith("call") \ and self.insts[i+4].s.startswith("pop rax") \ and self.insts[i+5].s.startswith("xor rax,") \ and self.insts[i+6].s.startswith("mov QWORD PTR [rsp+0x10],rax") \ and self.insts[i+7].s.startswith("popf") \ and self.insts[i+8].s.startswith("pop rax"): const1 = self.insts[i+4].va tmp1 = self.insts[i+3].s assert(int(tmp1.split()[1],16) == const1) tmp2 = self.insts[i+5].s const2 = int(tmp2[tmp2.index(",")+1:], 16) newinst = Instruction(self.insts[i].va, f"VIRTUAL push {hex(const1^const2)}") for _ in range(9): self.insts.pop(i) self.insts.insert(i, newinst) i += 1 def simplify3(self): i = 0 while i+8 < len(self.insts): if self.insts[i].s.startswith("push rax") \ and self.insts[i+1].s.startswith("push rax") \ and self.insts[i+2].s.startswith("pushf") \ and self.insts[i+3].s.startswith("VIRTUAL push") \ and self.insts[i+4].s.startswith("pop rax") \ and self.insts[i+5].s.startswith("add rax,") \ and self.insts[i+6].s.startswith("mov QWORD PTR [rsp+0x10],rax") \ and self.insts[i+7].s.startswith("popf") \ and self.insts[i+8].s.startswith("pop rax"): tmp1 = self.insts[i+3].s const1 = int(tmp1.split()[2],16) tmp2 = self.insts[i+5].s const2 = int(tmp2[tmp2.index(",")+1:], 16) newinst = Instruction(self.insts[i].va, f"VIRTUAL push {hex((const1+const2) & 0xffffffffffffffff)}") for _ in range(9): self.insts.pop(i) self.insts.insert(i, newinst) i += 1 def simplify4(self): if len(self.insts) >= 2: if self.insts[-2].s.startswith("VIRTUAL push") \ and self.insts[-1].s.startswith("ret"): tmp1 = self.insts[-2].s self.jmpva = int(tmp1.split()[2], 16) self.insts.pop(-1) self.insts.pop(-1) def simplify(self): lastlen = 0x7fffffff while len(self.insts) < lastlen: #print("aa", len(self.insts), lastlen) lastlen = len(self.insts) self.simplify1() self.simplify1() self.simplify2() self.simplify3() self.simplify4()with open("KCTF_objdump.txt", "r") as f: lines = f.readlines()allinsts = []instaddr2index = {}def initialize(): global allinsts global instaddr2index for line in lines: tokens = line.split("\t") if len(tokens) == 3: va = int(tokens[0].rstrip(":"), 16) s = tokens[2].strip() if s != "int3": #print(hex(addr), s) inst = Instruction(va, s) allinsts.append(inst) instaddr2index[va] = len(allinsts)-1def searchblock(va): global allinsts global instaddr2index bb = Block() bb.startva = va i = instaddr2index[va] while True: inst = allinsts[i] tokens = inst.s.split() bb.insts.append(inst) if (tokens[0] == "ret"): break i += 1 return bbdef mergeblocklist(blocklist): bbb = Block() bbb.startva = blocklist[0].startva bbb.jmpva = blocklist[-1].jmpva bbb.insts = [] for i in range(len(blocklist)): bb = blocklist[i] bbb.insts.extend(bb.insts) return bbbdef deobfuscation1(nextva): blocklist = [] seenva = set() while nextva and nextva not in seenva: seenva.add(nextva) #print(hex(nextva)) bb = searchblock(nextva) bb.simplify() #print(bb) blocklist.append(bb) nextva = bb.jmpva bbb = mergeblocklist(blocklist)# print(bbb) bbb.simplify()# print(bbb) return bbb # mostly single instructiondef deobfuscation2(nextva): blocklist = [] seenva = set() while nextva and nextva not in seenva: seenva.add(nextva) bbb = deobfuscation1(nextva) blocklist.append(bbb) nextva = bbb.jmpva bbbb = mergeblocklist(blocklist)# print(bbbb) return bbbb # mostly deep first block instructionsdef recognize_function(va): # notice: must do block.simplify4 before do this blocklist = [] seenva = set() while va and va not in seenva: #print(hex(va)) seenva.add(va) block = deobfuscation2(va) newblock = Block() newblock.startva = block.startva newblock.jmpva = block.jmpva newblock.insts = [] i = 0 while i < len(block.insts): #print(i) inst = block.insts[i] if inst.s.startswith("VIRTUAL push"): const1 = int(inst.s.split()[2],16) newblock.insts.append(Instruction(inst.va,f"VIRTUAL call {hex(block.insts[i+1].va)}")) newblock.jmpva = const1 break else: newblock.insts.append(inst) i += 1 #print("newblock:", newblock) blocklist.append(newblock) va = newblock.jmpva bbbbb = mergeblocklist(blocklist) print(bbbbb) return bbbbbinitialize()#deobfuscation2(0x14005FE4C) # start#recognize_function(0x14005FE4C) # start:part1#recognize_function(0x1400bf93f) # start:part2#recognize_function(0x140083814) # main |
简单解释一下代码:
- Instruction类:对应一句汇编指令
- Block类:对应一个“块”(不同于通常意义的“基本块”,这里的“块”指的是
VIRTUAL jmp XXXXYYYY结束的一组指令序列) - searchblock(va)函数:给定一个虚拟地址,搜索以该地址为起点、以ret指令为终点的、在原程序中顺序排布的所有语句序列。一组语句序列构成了一个Block。
- mergeblocklist函数:将“连续”的“块”合并为一个(“连续”定义为前一个块末尾的跳转目标等于后一个块的开头)
- deobfuscation1函数:迭代前面的解混淆逻辑,主要针对在在原程序里真实连续的指令序列
- deobfuscation2函数:迭代前面的解混淆逻辑,主要针对“块”合并后的“连续”指令序列
- recognize_function(va)函数:给定一个虚拟地址,识别出从这里开始的一个函数
其实deobfuscation2之后得到的代码就已经完全没有了混淆,但是注意到里面出现了孤立的VIRTUAL push XXXXXXXX指令,且若干条指令之后一定会在栈平衡的情况下出现一个ret指令。
这种模式其实是函数调用,其中VIRTUAL push XXXXXXXX的常量是压栈的返回地址,即在原始函数中的真实的下一条指令。
deobfuscation2的输出结果是深入调用函数内部后的指令序列;recognize_function函数对这种情况进行了处理,从而恢复出“完整”的原始函数。(缺陷是,由于Block不是真正意义上的基本块,所以原始程序里的条件分支只能看到一条路径,不过问题不大,对另一条路径的起始地址也调用一次该函数即可)
有了解混淆脚本,现在可以分析程序逻辑了
从start函数开始(recognize_function(0x14005FE4C)),找出真正的main函数位于0x140083814
(可以自己写一个小程序再反汇编与之对比)
(在deobfuscation2(0x14005FE4C)的输出中看到调用了很多反调试函数,应该是在main之前的initterm中调用的。从后面的算法看,本题无需动态调试。如果需要调试,只要程序启动后再附加调试器即可)
main函数很长,截取若干个片段如下:(recognize_function的输出)
片段1
1234567891011121314150x14000f17cVIRTUAL call0x140026de8# call std::cin0x14001eb47lea rcx,[rsp+0x1010]0x14003a798lea rdx,[rip+0xfffffffffffc9ddf]# *** 0x14000457e, char[] "1743"0x1400beaabmov QWORD PTR [rsp+0x50],rax0x140002c25VIRTUAL call0x1400d4a33# *** 140004C88, strcmp with "1743" # 0x1400d4a330x1400f1ddamovsxd rcx,eax0x14009f9b9cmprcx,0x00x1400a988ajne0x1400a98a3# 0x1400dab0e0x14009954alea rcx,[rip+0xfffffffffff6af6d]# 0x1400044be # " >>> 阁下的数学功底十分扎实,只可惜与在下的绝世武学无缘,请回吧。"0x14002587cVIRTUAL call0x1400cd4820x1400dab0elea rcx,[rsp+0x1010]0x14008475aVIRTUAL call0x140050476# get input string length0x140083333cmprax,0x54# 840x140035698je0x1400356b10x140048e00lea rcx,[rip+0xfffffffffffbb695]# 0x14000449c # " >>> 阁下的数学成绩堪忧,请回吧。"可以看出,真正的输入长度为84,下一阶段的检查逻辑在0x1400356b1
片段2
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253;0x1400877ad,None:0x1400877adpush rax0x1400da463mov BYTE PTR [rsp+0x7],cl0x1400254a5movsx eax,BYTE PTR [rsp+0x7]0x140027b39cmpeax,0x300x140087cebjl0x140087d04# 0x1400450360x1400d1b0fmovsx eax,BYTE PTR [rsp+0x7]0x1400cbfadcmpeax,0x390x140032877mov cl,0x10x14004cbd4mov BYTE PTR [rsp+0x6],cl0x14005134fjle0x1400513680x140045036movsx eax,BYTE PTR [rsp+0x7]0x1400a27a9cmpeax,0x410x1400db7dbjl0x1400db7f40x1400dabedmovsx eax,BYTE PTR [rsp+0x7]0x1400a07d9cmpeax,0x5a0x1400ed537mov cl,0x10x140025eadmov BYTE PTR [rsp+0x6],cl0x140032adajle0x140032af3# 0x14005e3af0x1400388famovsx eax,BYTE PTR [rsp+0x7]0x140045713cmpeax,0x2b0x1400779b8mov cl,0x10x1400ca53amov BYTE PTR [rsp+0x6],cl0x1400bdc5aje0x1400bdc73# 0x14005e3af0x1400b40d3movsx eax,BYTE PTR [rsp+0x7]0x140071b51cmpeax,0x2d0x140031fa6mov cl,0x10x1400a85c9mov BYTE PTR [rsp+0x6],cl0x140021689je0x1400216a20x140059269movsx eax,BYTE PTR [rsp+0x7]0x1400f5da9cmpeax,0x2a0x140067a65mov cl,0x10x1400477a2mov BYTE PTR [rsp+0x6],cl0x14005d81bje0x14005d8340x140082dccmovsx eax,BYTE PTR [rsp+0x7]0x140014c52cmpeax,0x2f0x1400afc6dmov cl,0x10x14006091fmov BYTE PTR [rsp+0x6],cl0x1400020ecje0x1400021050x1400dde99movsx eax,BYTE PTR [rsp+0x7]0x140081c7acmpeax,0x250x1400f43b2mov cl,0x10x1400200b9mov BYTE PTR [rsp+0x6],cl0x1400819acje0x1400819c50x140085a98movsx eax,BYTE PTR [rsp+0x7]0x140003a93cmpeax,0x3d0x1400f9bacsete cl0x140080797mov BYTE PTR [rsp+0x6],cl0x14005e3afmov al,BYTE PTR [rsp+0x6]0x14006e388andal,0x10x1400bd7f2movzx eax,al0x1400d73bfpop rcx0x140095d39ret合法的输入字符有42种:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+-*/%=片段3
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374;0x14005828f,None:0x14005828fsub rsp,0x380x1400ab750mov QWORD PTR [rsp+0x30],rcx0x1400466c5mov rax,QWORD PTR [rsp+0x30]0x14003423amov cl,BYTE PTR [rax]0x1400158bfVIRTUAL call0x1400d5e040x1400ba991imul rax,rax,0x2a0x1400ea00dmov rdx,QWORD PTR [rsp+0x30]0x140039bc9mov cl,BYTE PTR [rdx+0x1]0x14005c2d0mov QWORD PTR [rsp+0x28],rax0x140063827VIRTUAL call0x1400d5e040x140037cf1mov rdx,QWORD PTR [rsp+0x28]0x1400a7df8add rdx,rax0x1400d4395mov rax,rdx0x140057c71add rsp,0x380x1400da66eret#;0x1400d5e04,None:0x1400d5e04sub rsp,0x100x1400731d7mov BYTE PTR [rsp+0x7],cl0x1400882camovsx eax,BYTE PTR [rsp+0x7]0x1400938d7cmpeax,0x300x14009a8bfjl0x14009a8d80x1400b54f4movsx eax,BYTE PTR [rsp+0x7]0x14001a372cmpeax,0x390x1400794c2jg0x1400794db0x140043279movsx rax,BYTE PTR [rsp+0x7]0x140069cabsub rax,0x300x14002e028mov QWORD PTR [rsp+0x8],rax0x14008bbccmov rax,QWORD PTR [rsp+0x8]0x1400831f7add rsp,0x100x14002974fret;0x1400794db,None:0x140084ba0movsx eax,BYTE PTR [rsp+0x7]0x14000224dcmpeax,0x410x14002e600jl0x14002e6190x14000ddd0movsx eax,BYTE PTR [rsp+0x7]0x1400b2dc9cmpeax,0x5a0x14001e7d0jg0x14001e7e90x1400ded3fmovsx rax,BYTE PTR [rsp+0x7]0x14004b966sub rax,0x410x140094d9cadd rax,0xa0x1400dbb0cmov QWORD PTR [rsp+0x8],raxjmp0x14008bbcc;0x14001e7e9,None:0x14004a292movsx eax,BYTE PTR [rsp+0x7]0x1400f5a62cmpeax,0x2b0x1400d174fjne0x1400d17680x140003a25mov QWORD PTR [rsp+0x8],0x24;0x1400d1768,None:0x14003c4femovsx eax,BYTE PTR [rsp+0x7]0x140096d4fcmpeax,0x2d0x140086754jne0x14008676d0x1400528a1mov QWORD PTR [rsp+0x8],0x25;0x14008676d,None:0x1400d50cfmovsx eax,BYTE PTR [rsp+0x7]0x14001e900cmpeax,0x2a0x1400301dbjne0x1400301f40x14005337emov QWORD PTR [rsp+0x8],0x26;0x1400301f4,None:0x140082b7cmovsx eax,BYTE PTR [rsp+0x7]0x1400f3d8ecmpeax,0x2f0x140068739jne0x1400687520x14000c5famov QWORD PTR [rsp+0x8],0x27;0x140068752,None:0x14005d795movsx eax,BYTE PTR [rsp+0x7]0x140064edfcmpeax,0x250x1400706d1jne0x1400706ea0x1400aef1cmov QWORD PTR [rsp+0x8],0x28;0x1400706ea,None:0x14003deb0movsx eax,BYTE PTR [rsp+0x7]0x1400c9de1cmpeax,0x3d0x1400237d8jne0x1400237f10x14007b859mov QWORD PTR [rsp+0x8],0x29输入的2个字符被转换为1个字符,转换方式是先转为[0,41]的数字(对应前面的合法字符列表的索引),然后第一个数字*42再加第二个数字
片段4
1234567891011120x14007c870VIRTUAL call0x14005828f# 片段30x140014accmov rcx,QWORD PTR [rsp+0xa8]0x1400787femov QWORD PTR [rsp+rcx*8+0xec0],rax0x1400afe42cmpQWORD PTR [rsp+0xa8],0x00x140022c16je0x140022c2f# 0x1400297ba0x1400cd021mov rax,QWORD PTR [rsp+0xa8]0x1400ea72cmov rax,QWORD PTR [rsp+rax*8+0xec0]0x1400abe1cmov rcx,QWORD PTR [rsp+0xa8]0x1400e81e3sub rcx,0x10x1400906dbcmprax,QWORD PTR [rsp+rcx*8+0xec0]0x1400a9b93jg0x1400a9bac# 0x1400297ba0x140059bablea rcx,[rip+0xfffffffffffaa8ea]# 0x14000449c # " >>> 阁下的数学成绩堪忧,请回吧。"把输入的84个字符转换为42个整数,要求严格单调递增
片段5
1234567891011121314151617181920212223242526272829303132333435363738394041424344;0x140016058,0x1400e1e42:0x140001a0axor eax,eax0x1400ccbf8lea rcx,[rsp+0xe90]0x14004662emov edx,eax0x14004a3b8mov r8d,0x2a0x14006ea24mov QWORD PTR [rsp+0x48],r80x140098b05mov DWORD PTR [rsp+0x44],eax0x1400c9eb2VIRTUAL call0x1400c9bcf0x1400930c5lea rcx,[rsp+0xe60]0x1400ee6c6mov edx,DWORD PTR [rsp+0x44]0x1400450f9mov r8,QWORD PTR [rsp+0x48]0x1400311f7VIRTUAL call0x1400c9bcf0x14007d9d5mov QWORD PTR [rsp+0xa0],0x0#0x140002310cmpQWORD PTR [rsp+0xa0],0x2a0x140003980jge0x140003999#0x140001f98mov rax,QWORD PTR [rsp+0xa0]0x14002d5acmov rax,QWORD PTR [rsp+rax*8+0xec0]0x140046c25cqo0x140073e00mov ecx,0x2a0x14009ea4fidiv rcx0x14006ec35mov QWORD PTR [rsp+0x98],rdx0x140060863mov rdx,QWORD PTR [rsp+0xa0]0x140063300mov rdx,QWORD PTR [rsp+rdx*8+0xec0]0x140017083mov rax,rdx0x1400c5cffcqo0x1400bcf6cidiv rcx0x14008cce3mov QWORD PTR [rsp+0x90],rax0x1400bf3efmov rax,QWORD PTR [rsp+0x98]0x14004b8f8test BYTE PTR [rsp+rax*1+0xe90],0x10x1400ece6ajne0x1400ece830x14005224cmov rax,QWORD PTR [rsp+0x90]0x140015f89test BYTE PTR [rsp+rax*1+0xe60],0x10x14006633fje0x1400663580x1400cd302lea rcx,[rip+0xfffffffffff37193]# 0x14000449c0x140045e9bVIRTUAL call0x1400cd4820x140027acemov rax,QWORD PTR [rsp+0x98]0x1400e4c50mov BYTE PTR [rsp+rax*1+0xe90],0x10x1400ac622mov rax,QWORD PTR [rsp+0x90]0x1400b5248mov BYTE PTR [rsp+rax*1+0xe60],0x10x140037cd0mov rax,QWORD PTR [rsp+0xa0]0x140026abbadd rax,0x10x1400258e6mov QWORD PTR [rsp+0xa0],raxjmp0x140002310前面得到的42个整数,分别除以42,取整作为横坐标,取余作为纵坐标,要求横纵坐标分别都没有重复(从这里看出,输入的84个字符其实是42个坐标,横纵交替)
片段6
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081;0x140003999,0x1400f9bfa:0x14006b00fxor edx,edx0x140088714lea rax,[rsp+0xc0]0x1400ca071mov rcx,rax0x140062801mov r8d,0xd9e0x1400a6a82VIRTUAL call0x1400c9bcf0x1400c86f5mov QWORD PTR [rsp+0x88],0x0# [rsp+0x88]: i: [0, 42)#0x1400d320ecmpQWORD PTR [rsp+0x88],0x2a0x140056b2fjge0x140056b480x1400cbe10mov rax,QWORD PTR [rsp+0x88]0x140052e9dadd rax,0x10x140078f7fmov QWORD PTR [rsp+0x80],rax# [rsp+0x80]: j: [1,42)#0x1400286dbcmpQWORD PTR [rsp+0x80],0x2a0x14000d91ajge0x14000d933#0x1400f755cmov rax,QWORD PTR [rsp+0x88]# i0x140098656mov rax,QWORD PTR [rsp+rax*8+0xec0]# 42*row+col0x140001584cqo0x1400a4adcmov ecx,0x2a0x14001f9e4idiv rcx0x14009d9eamov r8,QWORD PTR [rsp+0x80]# j0x1400eda1emov r8,QWORD PTR [rsp+r8*8+0xec0]# 42*row+col0x14000ea19mov rax,r80x1400a04c3mov QWORD PTR [rsp+0x38],rdx# rdx是余数0x140037898cqo0x14008a550idiv rcx0x1400399f2mov r8,QWORD PTR [rsp+0x38]0x1400d4106sub r8,rdx# col[i] - col[j]0x1400901f7mov QWORD PTR [rsp+0x78],r8# col[i] - col[j]0x14009daadmov rdx,QWORD PTR [rsp+0x88]0x14000e4e3mov rdx,QWORD PTR [rsp+rdx*8+0xec0]0x1400ee409mov rax,rdx0x1400c5ee9cqo0x140020832idiv rcx0x14008c074mov r8,QWORD PTR [rsp+0x80]0x14006079fmov r8,QWORD PTR [rsp+r8*8+0xec0]0x140013395mov QWORD PTR [rsp+0x30],rax0x1400c5ce1mov rax,r80x14002fff8cqo0x14007539eidiv rcx0x14006bf8amov rcx,QWORD PTR [rsp+0x30]0x1400db4a6sub rcx,rax# row[i]-row[j]0x1400e127dmov QWORD PTR [rsp+0x70],rcx0x140073b88cmpQWORD PTR [rsp+0x78],0x0# col[i] - col[j]0x14006437ejge0x140064397# 0x1400b368c0x1400bff7exor eax,eax0x1400eacb4mov ecx,eax0x140080a4amov rdx,rcx0x1400a7967sub rdx,QWORD PTR [rsp+0x78]0x1400517acmov QWORD PTR [rsp+0x78],rdx# col[j]-col[i]0x14000b3c6sub rcx,QWORD PTR [rsp+0x70]0x14008da3amov QWORD PTR [rsp+0x70],rcx# row[j]-row[i]#0x1400b368cmov rax,QWORD PTR [rsp+0x70]0x140079e70add rax,0x290x1400de855mov QWORD PTR [rsp+0x70],rax# 41+(row[i]-row[j]) / 41+(row[j]-row[i])0x14007c0c8imul rax,QWORD PTR [rsp+0x70],0x2a0x1400dc9b8lea rcx,[rsp+0xc0]0x140038fe8add rcx,rax0x140067202mov rax,QWORD PTR [rsp+0x78]# col[i]-col[j] / col[j]-col[i]0x14008b8fdtest BYTE PTR [rcx+rax*1],0x10x140063b11je0x140063b2a0x1400999f4lea rcx,[rip+0xfffffffffff6aaa1]# 0x14000449c0x1400d80beVIRTUAL call0x1400cd4820x1400f9bfcimul rax,QWORD PTR [rsp+0x70],0x2a0x14007f148lea rcx,[rsp+0xc0]0x1400eb582add rcx,rax0x140065e6fmov rax,QWORD PTR [rsp+0x78]0x1400f535fmov BYTE PTR [rcx+rax*1],0x10x140013fc1mov rax,QWORD PTR [rsp+0x80]0x140073e8dadd rax,0x10x1400b9738mov QWORD PTR [rsp+0x80],raxjmp0x1400286db#;0x14000d933,0x1400f9bfa:0x14001811bmov rax,QWORD PTR [rsp+0x88]0x1400aa05aadd rax,0x10x1400df403mov QWORD PTR [rsp+0x88],raxjmp0x1400d320e最复杂的检查,二重循环遍历点对,计算纵坐标之差和横坐标之差(如果纵坐标之差为负则两个值都取反),然后计算后者*42+前者,要求这个值不重复(实际上是要求,不存在位置相对值一样的点对)
片段7
12345678;0x140056b48,None:0x140039540lea rcx,[rsp+0x1010]0x1400ce591lea rdx,[rip+0xfffffffffff35f89]# 0x140004521 # "02152S3X4Z5Q6C7T819/ADB%C*DL"0x14004cacfmov r8d,0x1c0x14004fed9call QWORD PTR [rip+0xfffffffffffb4db9]# 0x140004c98 # strncmp0x140025175movsxd rcx,eax0x140021803cmprcx,0x00x1400b7446je0x1400b745f最后一处检查,限定了输入的前28个字符(其实依次是42*42棋盘的前14行的点的坐标,每行一个)
检查逻辑有点像N皇后,只不过斜线规则改成了更复杂的点对相对位置检查
求解:回溯法爆破(参考了网上的一段代码),修改了验证规则
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 | QUEEN = 42q = [-10000]*42checkmap = [0]*83*42def updatecheckmap(row, col): for i in range(row): x = i-row y = q[i]-col if y < 0: x, y = -x, -y x += 41 #print(x, y) if checkmap[42*x+y]: return False for i in range(row): x = i-row y = q[i]-col if y < 0: x, y = -x, -y x += 41 #print(x, y) checkmap[42*x+y] += 1 return Truedef unupdatecheckmap(row, col): for i in range(row): x = i-row y = q[i]-col if y < 0: x, y = -x, -y x += 41 #print(x, y) if checkmap[42*x+y]: checkmap[42*x+y] -= 1 else: assert(0)def valid(row, col): tmp = [False]*84*42 for i in range(row): if q[i]==col: # or abs(i-row)==abs(q[i]-col): return False return True# https://blog.csdn.net/Hackbuteer1/article/details/6657109def queen(): global q for i in range(14): r = updatecheckmap(i, q[i]) assert(r) i = 14 j = 0 while i < QUEEN: #print(i) while j < QUEEN: if valid(i,j) and updatecheckmap(i,j): q[i] = j j = 0 break else: j += 1 if q[i] == -10000: if i == 13: break else: i -= 1 unupdatecheckmap(i, q[i]) j = q[i]+1 q[i] = -10000 continue if i == QUEEN-1: return i += 1chartable = '0123456789'+'ABCDEFGHIJKLMNOPQRSTUVWXYZ'+"".join(map(chr,[0x2b,0x2d,0x2a,0x2f,0x25,0x3d]))partial = "02152S3X4Z5Q6C7T819/ADB%C*DL"for i in range(14): q[i] = chartable.index(partial[2*i+1])queen()print(q)answer = ""for i in range(42): answer += chartable[i] answer += chartable[q[i]]print(answer) |
算法性能不高,cpython跑不出来,换用pypy3跑了17分钟才出答案
最终答案:
02152S3X4Z5Q6C7T819/ADB%C*DLEIFUG3HRIHJ6K7L0MBNKOJPPQ=RNS+TEUOVWWGXYYMZ9+4-8*F/-%V=A
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
最后于 2021-5-19 00:30
被mb_mgodlfyn编辑
,原因:
赞赏
|
|
|---|---|
|
|
他的文章
