动画制作软件下载中文版免费版南昌seo公司

分析

• 直接在IDA中打开，找到 main 函数
  

• 程序一开始需要我们输入一串 10 位长的密码，然后拼接字符串成 “flag-****.txt” 的形式，然后打开这个文件，读入数据到内存。实际上这个就是 flag 文件，只有当满足后续条件时，程序就会打印出来。这个条件就是输入一段passcode，让程序输出 “Binggo” 。

• 大致看上去，后面的这几个函数是与虚拟机有关的。作者自己编写了一套简易的虚拟机，用户输入的 passcode 就是虚拟机执行的代码。我已经重定义了部分函数名，现在重点关注Dispatcher 这个函数。
  

• 这是虚拟机的 分派函数 ，主要工作就是根据输入的操作码跳转到对应的 操作函数 里执行。观察第二个 for 循环，可以猜测出一共有 9 种 操作函数。现在我们想要知道哪一种字符对应哪一种操作。先动态调试，然后找出 *(a1 + *(a1 + 4 * (j + 72LL) + 8) + 408) ，j 从 0 变化到 8 的所有数据，然后再找到所有满足条件的 v2 的取值。

• 这一步的 IDC脚本 为

    auto j;auto a1=0x18d8440;for(j=0;j<=8;j++){Message("0x%x,",Byte(a1+Byte(a1+4*(j+72)+8)+408));}
  

• 再将 byte_603900 的数据也 dump 下来，转用python处理。 python脚本 为

    data=[0x2,0x0,0x0,0xe,0x16,0x54,0x20,0x18,0x11,0x45,0x50,0x59,0x58,0x53,0x0,0x8,0x44,0x2d,0x46,0x39,0x0,0x54,0x42,0x1,0x3c,0xf,0x0,0x7,0x17,0x0,0x56,0x21,0x0,0x37,0x6d,0x2b,0x2a,0x6e,0x59,0x5d,0x47,0x3a,0x4a,0x34,0x44,0x48,0x43,0x6c,0x3f,0x59,0x25,0x33,0x55,0x2f,0x31,0x68,0x27,0x34,0x7c,0x28,0x67,0x59,0x0,0x52,0x0,0x26,0x0,0x3e,0x56,0x4e,0x33,0x21,0x45,0x6d,0x60,0x39,0x46,0x72,0x6d,0x4d,0x54,0x40,0x0,0x74,0x57,0x73,0x72,0x7a,0x47,0x45,0x0,0x71,0x0,0x4a,0x35,0x70,0x3b,0x36,0x2e,0x26,0x2c,0x6c,0x4a,0x0,0x7c,0x63,0x35,0x57,0x4d,0x41,0x43,0x62,0x0,0x68,0x37,0x0,0x5a,0x6a,0x6b,0x7c,0x29,0x69,0x4c,0x70,0x50,0x71,0x26,0x36,0x3c,0x6,0x1b,0x0,0x3c,0x30,0x0,0x0,0x0,0x4c,0xb,0x4b,0x48,0x8,0x54,0x47,0x12,0x9,0x24,0x0,0x0,0x24,0x40,0xd,0x39,0x6,0x5c,0x2c,0x1a,0x2d,0xa,0x38,0x35,0x37,0x16,0x3b,0x0,0x24,0x48,0x0,0x49,0x0,0x37,0x8,0x1f,0x24,0x45,0x1d,0x11,0x40,0x2f,0x4a,0x8,0x15,0x0,0x11,0x0,0x1a,0x22,0x41,0x52,0x5b,0xb,0x45,0x31,0x19,0x43,0x19,0x1e,0xa,0x21,0x5,0x4d,0x59,0x38,0x34,0x9,0x36,0x2f,0x43,0x2,0x53,0x12,0x2f,0x4c,0x21,0xd,0x3c,0x31,0x2e,0x37,0x8,0x30,0x29,0x32,0x2f,0x0,0x1a,0x14,0x41,0x53,0x15,0x21,0x0,0x8,0x13,0x38,0x5c,0x36,0x3b,0x50,0x0,0x2f,0x1e,0x57,0x0,0x30,0x2e,0xc,0x2e,0x37,0x52,0x1c,0x33,0x34,0x11,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0]inpt=[0x2a,0x27,0x3e,0x5a,0x3f,0x4e,0x6a,0x2b,0x28]indx=[]for ch in inpt:indx.append(chr(data.index(ch)))print indx
  

• 得到调用相关操作函数的字符串有
  [’$’, ‘8’, ‘C’, ‘t’, ‘0’, ‘E’, ‘u’, ‘#’, ‘;’]

• 动态调试中，发现

     *(a1 + 672) = *(a1 + 8 * (*(a1 + 4 * (j + 72LL) + 8) + 84LL) + 8);(*(a1 + 672))(a1);
  

• 先修改函数地址的最低一个字节，然后调用该地址。到这里有两种方法可以找出这9个操作函数：

1.回到 main 函数中，对 correct 变量进行交叉引用，就时会来到修改它的函数中，再对该函数进行一次交叉引用就来到了函数列表中。
2.重新调试，输入上面得到的9个字符，动态跟踪也行

• 函数列表
  

• 结合动态分析可以得出字符与操作函数的对应关系：

    $->sub_400DC18->sub_400E7AC->sub_400F3At->sub_4010640->sub_4011C9E->sub_40133Du->sub_4012F3#->sub_4014B9;->sub_400CF1
  

• 审计一下这些函数，为了方便阅读。令

    a1+288=indexa1+292=index_max*(_BYTE *)(*(_QWORD *)(a1 + 280) + *(signed int *)(a1 + 288) + *(_QWORD *)a1)=data[index]*(char *)(a1 + 664)=input[i]*(_BYTE *)(a1 + 665) =tmp*(*(a1 + 8) + *(a1 + 288))=data[index]
  

• 这些都可以通过动态调试得到他们的对应关系，这样我们就可以清晰地了解这9个操作函数的作用了，分别是

    $->sub_400DC1:tmp=data[index]8->sub_400E7A:data[index]=tmpC->sub_400F3A:tmp+=input[i]-33t->sub_401064:tmp-=input[i]+330->sub_4011C9:++indexE->sub_40133D:checku->sub_4012F3:--index#->sub_4014B9:data[index]=input[index+input[i]-48]-49;->sub_400CF1:for(int j=0;j<input[i];j++)++indexdata[index]=input[index+input[i]-48]-49
  

• 从 sub_40133D 这个函数中，可以知道我们要使程序将 “data[20]= ‘PaF0!&Prv}H{ojDQ#7v=’ ” 变为 “Binggo” 才能得到flag。

• 我是从头开始构造passcode的，过程如下：
  首先是 $,使得 tmp=data[index]，此时 index=0 ，就会得到 tmp=‘P’ 。此时我们观察 P的 ASCII 是 80 ， B 的 ASCII 是 66 ， P > B ，选择 t 操作。此时，再来计算一下这个方程：
  80-input[i]+33=66 ，得到 input[i]=‘/’ ，所以将 P 转为 B 的 passcode：$t/80

• 同理得到

    a -> i: $C)80F->n:$CI800->g:$CX80!->g:$Cg80&->o:$Cj80
  

• 注意字符串末尾是 NULL ，但不能用前面的构造方式，因为 sub_400F3A 得到的是不可见字符，而 sub_401064 有 NULL 的检查
  

• 只能选用 sub_4014B9 操作，所以完整的passcode如下：

    $t/80$C)80$CI80$CX80$Cg80$Cj80#J1uuuuuuEs
  

总结

• VM 的运作流程：分派器（dispatcher）解析字节码（bytecode），调用对应的操作函数（handler）。
• VM 一般的结构包含：寄存器，堆栈，操作函数，字节码
• 逆向 VM 时，先要整体感知其结构，明确字节码对应的操作，以及每个操作都做些什么，这常常需要多多调试。所以可见VM 逆向是非常磨人的 orz ヽ(´¬`)ノ