首页 > 其他分享 >xctf-polyre

xctf-polyre

时间:2022-11-25 19:01:15浏览次数:59  
标签:10 polyre 603054 while v4 dword BYTE xctf

一道ollvm的题,主要是去平坦化

先查壳,64位elf,无壳

直接拖入ida,定位到main函数

 

发现是ollvm平坦化,我们用在linux中使用deflat进行平坦化

去除之后用ida打开

找到关键的算法

while ( 1 )
  {
    do
      v12 = v6;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    v13 = v12 < 64;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
      ;
    if ( !v13 )
      break;
    v14 = input[v6];
    do
      v15 = v14;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    if ( v15 == 10 )
    {
      v16 = &input[v6];
      *v16 = 0;
      break;
    }
    v17 = v6 + 1;
    do
      v6 = v17;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
  }
  for ( i = 0; ; ++i )
  {
    do
      v18 = i;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    do
      v19 = v18 < 6;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    if ( !v19 )
      break;
    do
      v20 = input;
    while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    v4 = *(_QWORD *)&v20[8 * i];
    v7 = 0;
    while ( 1 )
    {
      v21 = v7;
      do
        v22 = v21 < 64;
      while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
      if ( !v22 )
        break;
      v23 = v4;
      v24 = v4 < 0;
      if ( v4 >= 0 )
      {
        v27 = v4;
        do
          v28 = 2 * v27;
        while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
        v4 = v28;
      }
      else
      {
        v25 = 2 * v4;
        do
          v26 = v25;
        while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
        v4 = v26 ^ 0xB0004B7679FA26B3LL;
      }
      v29 = v7;
      do
        v7 = v29 + 1;
      while ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 );
    }
    v30 = 8 * i;
    v31 = &s1[8 * i];
    if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
LABEL_55:
      *(_QWORD *)v31 = v4;
    *(_QWORD *)v31 = v4;
    if ( dword_603058 >= 10 && ((((_BYTE)dword_603054 - 1) * (_BYTE)dword_603054) & 1) != 0 )
      goto LABEL_55;
    v32 = i + 1;
  }

此时还存在一些无用代码,将无用代码删除

while ( 1 )
  {
    v12 = v6;
    v13 = v12 < 64;
    if ( !v13 )
      break;
    v14 = s[v6];
    v15 = v14;
    if ( v15 == 10 )
    {
      v16 = &s[v6];
      *v16 = 0;
      break;
    }
    v17 = v6 + 1;
    v6 = v17;
  }
  for ( i = 0; ; ++i )
  {
    v18 = i;
    v19 = v18 < 6;
    if ( !v19 )
      break;
    
    v20 = s;
    v4 = *(_QWORD *)&v20[8 * i];
    v7 = 0;
    while ( 1 )
    {
      v21 = v7;
      v22 = v21 < 64;
      if ( !v22 )
        break;
      v23 = v4;
      v24 = v4 < 0;
      if ( v4 >= 0 )
      {
        v27 = v4;
        v28 = 2 * v27;
        v4 = v28;
      }
      else
      {
        v25 = 2 * v4;
        v26 = v25;
        v4 = v26 ^ 0xB0004B7679FA26B3LL;
      }
      v29 = v7;
      v7 = v29 + 1;
    }
    v30 = 8 * i;
    v31 = &s1[8 * i];
    *(_QWORD *)v31 = v4;
    v32 = i + 1;
  }
  v33 = memcmp(s1, &unk_402170, 0x30uLL);
  v34 = v33 != 0;

发现只是进行移位操作,直接把过程逆过来就可以

C++ exp

#include<iostream>
#include<stdio.h> 
#include<windows.h>

using namespace std;
unsigned  char l[] = {0x96,0x62,0x53,0x43,0x6d,0xf2,0x8f,0xbc,0x16,0xee,0x30,0x5,0x78,0x0,0x1,0x52,0xec,0x8,0x5f,0x93,0xea,0xb5,0xc0,0x4d,0x50,0xf4,0x53,0xd8,0xaf,0x90,0x2b,0x34,0x81,0x36,0x2c,0xaa,0xbc,0xe,0x25,0x8b,0xe4,0x8a,0xc6,0xa2,0x81,0x9f,0x75,0x55,0xb3,0x26,0xfa,0x79,0x76,0x4b,0x0,0xb0};
int main()
{
    __int64 v4;
    __int64 v23;
    for(int i = 0;i < 6;i++)
    {
        v4 = *(__int64 *)&l[8 * i];
        for(int j = 0;j < 64;j++){
            if (v4 &1)
            {
                v4 = (unsigned __int64)v4 ^ 0xB0004B7679FA26B3LL;
                v4 >>= 1;
                v4 |= 0x8000000000000000;
            }
            else
            {
                v4 = (unsigned __int64)v4 >> 1; 
            }
        }
        for(int i = 0;i < 8;i++)
        {
            printf("%c",(char)(v4&0xff));
            v4 >>= 8;
        }
    } 
}

 

标签:10,polyre,603054,while,v4,dword,BYTE,xctf
From: https://www.cnblogs.com/polang19/p/16926080.html

相关文章

  • XCTF---MISC---Check
    XCTF---MISC---Check flag:flag{h0w_4bouT_enc0de_4nd_pnG}解题思路:1、观察题目,下载附件。2、下载文件后是一个图片,使用Winhex或HxD没有发现有价值的信息,查看属......
  • XCTF---MISC---看雪看雪看雪
    XCTF---MISC---看雪看雪看雪 flag:flag{Sn0w_M@n!!!!!!!}解体思路:1、观察题目,下载附件。2、根据题目需求,下载附件,打开后发现有很多文件,如图所示。3、发现除了一张......
  • xctf-easyvm
    xctf的一道逆向,考的vm混淆先查壳,64位elf,无壳 直接拖进ida分析,定位到main函数先检测flag长度,然后检验内容动调跟进函数v3 跟进之后发现是vm混淆,混淆比较简单,经过......
  • XCTF---MISC---fakezip
    XCTF---MISC---fakezip flag:flag{39281de6-fe64-11ea-adc1-0242ac120002}解题思路:1、观察题目,下载附件。2、根据题目所需下载附件,发现是一个带加密的压缩包格式文件......
  • XCTF---MISC--- 凯撒大帝在培根里藏了什么
    XCTF---MISC---凯撒大帝在培根里藏了什么 flag:flag{HAVEFUNWITHCRYPTO}解题思路:1、观察题目,下载附件。2、打开文件后发现是一串由AB组成的编码密文,根据编码特点,判......
  • XCTF---MISC---简单的Base编码
    XCTF---MISC---简单的Base编码flag:flag{d0_y0u_l1ke_base92_!??!_by_Sh3n}解题思路:1、观察题目,下载附件。2、下载完成后打开,发现是一个base64编码的文本文档,数据量相......
  • XCTF---MISC---来自银河的信号
    XCTF---MISC---来自银河的信号 flag:flag{M00nc@ke_Fes7iva1_15_Coming!}解题步骤: 1、观察题目,下载附件,了解题目内容2、根据描述,是一段音频文件,有可能是音频隐写,把......