2020 Wangding Cup (網鼎杯), Qinglong Group reverse: signal


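The main function copies data from memory into v4 and then calls vm_operad on it.

The vm_operad function runs a switch on each int-sized value of v4. v4 is the argument passed in; the receiving parameter here is a1, an int array.

The object copied into v4 is db-type data in memory, 0x1c8 (456) bytes in size.

To make the data easier to extract, switch to the hex view of the memory.

0x403040 + 0x1c8 equals 0x403208, so copy out the data from 0x403040 to 0x403208.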

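Four bytes make one int, and Intel processors store data little-endian, so each value of the a1 array is simply the hex byte that comes before the three 00 bytes.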

10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 255, 255, 255, 7, 49, 7, 241, 255, 255, 255, 7, 40, 7, 132, 255, 255, 255, 7, 193, 255, 255, 255, 7, 30, 7, 122

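vm_operad switches on the values of the a1 array. When the value is 7, the value in the v4 array is compared with the next element of a1: if they are equal execution continues, otherwise an error is reported. The number after each 7 is therefore the value that the correct input must match after encryption. The 7 entries all sit at the end of the a1 array; extracting the values after them gives 34,63,52,50,114,51,24,167,49,241,40,132,193,30,122, which are the values of the v4 array.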

# Extract the v4 array
v4=[]
s=[10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 255, 255, 255, 7, 49, 7, 241, 255, 255, 255, 7, 40, 7, 132, 255, 255, 255, 7, 193, 255, 255, 255, 7, 30, 7, 122]
for i in range(0, len(s)):
    if s[i] == 7:
        v4.append(s[i+1])

Using the values of the v4 array, invert the computations of the switch cases to obtain the correct flag to input.

v4 = [34,63,52,50,114,51,24,167,49,241,40,132,193,30,122]
v4.reverse()

a=[10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1]
a.reverse()

v9 = 0      # index of the next target value in v4
us = 0      # value recovered by undoing the most recent operation
v5 = 0      # current working value
flag = []
for i in range(0, len(a)):
    if i == len(a) - 1:
        flag.append(us)

    if a[i] == 1 and a[i-1] != 1:
        if v9 > 0:  # at the first opcode 1 nothing has been recovered yet
            flag.append(us)
        v5 = v4[v9]
        v9 += 1

    if a[i] == 2:
        if a[i+1] != 3 and a[i+1] != 4 and a[i+1] != 5:
            us = v5 - a[i-1]
            # print(us, v5, a[i-1])

    if a[i] == 3:
        if a[i+1] != 2 and a[i+1] != 4 and a[i+1] != 5:
            us = v5 + a[i-1]  # LOBYTE is al (8 bits); the operands 5, 33 and 32 are used in full, so LOBYTE can be dropped

    if a[i] == 4:
        if a[i+1] != 3 and a[i+1] != 2 and a[i+1] != 5:
            us = v5 ^ a[i-1]

    if a[i] == 5:
        if a[i+1] != 3 and a[i+1] != 4 and a[i+1] != 2:
            us = v5 // a[i-1]
    if a[i] == 8:
        v5 = us

    if a[i] == 11:
        us = v5 + 1
    if a[i] == 12:
        us = v5 - 1
        # print("12:", us)

flag.reverse()
out = ''
for j in flag:
    out += chr(j)
print("flag{" + out + "}")

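In addition, when I was working on this I searched Baidu for the LOBYTE function: some said it takes the rightmost bit, others the rightmost four bits. It is an IDA function, but whichever way I took it the result was wrong. I then switched to the assembly view and saw that LOBYTE takes the value of al, so it is the rightmost 8 bits. None of the values in the a1 array is larger than 8 binary bits, so this function can be ignored. rax is a 64-bit register, eax is a 32-bit register, ax is a 16-bit register, al is the low 8 bits of ax, and ah is the high 8 bits of ax.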
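The same recovery done with a forward emulator, as an added example that is not part of the original write-up. The opcode meanings are assumptions inferred from the inverse script above (the decompiler screenshots are not preserved), and writing opcode 8 back to the current input byte is a simplification. Because each operand is consumed together with its opcode, an operand such as the 1 in `5, 1` is never mistaken for an instruction.

```python
# Added example. Opcode meanings are ASSUMED from the write-up's inverse script;
# arithmetic is truncated to one byte (the LOBYTE / al behaviour noted above).
PROGRAM = [10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8,
           4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2,
           81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65,
           1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2,
           65, 8, 12, 1]                                   # the page's list a
EXPECTED = [34, 63, 52, 50, 114, 51, 24, 167, 49, 241, 40, 132, 193, 30, 122]

BINARY = {2: lambda x, n: x + n, 3: lambda x, n: x - n,   # opcode, operand
          4: lambda x, n: x ^ n, 5: lambda x, n: x * n}
UNARY = {11: lambda x: x - 1, 12: lambda x: x + 1}         # opcode only


def run(program, data):
    """Execute the bytecode on data; return the bytes emitted by opcode 1."""
    buf, out, reg, cur, pc = list(data), [], 0, 0, 0
    while pc < len(program):
        op = program[pc]
        if op in BINARY:
            reg = BINARY[op](buf[cur], program[pc + 1]) & 0xFF
            pc += 1                      # skip the operand
        elif op in UNARY:
            reg = UNARY[op](buf[cur]) & 0xFF
        elif op == 8:                    # write the register back (assumed target)
            buf[cur] = reg
        elif op == 1:                    # emit the register, advance to next byte
            out.append(reg)
            cur += 1
        pc += 1                          # opcode 10 (read input) is a no-op here
    return out


def solve(program=PROGRAM, expected=EXPECTED):
    """Each output depends on one input byte, so positions are searched independently."""
    found = [None] * len(expected)
    for c in range(0x20, 0x7F):          # printable ASCII candidates
        out = run(program, [c] * len(expected))
        for k, want in enumerate(expected):
            if found[k] is None and out[k] == want:
                found[k] = c
    if None in found:
        raise ValueError("no printable input byte for some position")
    return "".join(map(chr, found))


if __name__ == "__main__":
    print("flag{" + solve() + "}")
```

Running `run` on a candidate input and comparing the result with `EXPECTED` also gives a direct check of any flag recovered by the inverse script.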

 

