2024 MiniLCTF Reverse

2024 MiniLCTF Reverse

2024年05月01日 4.3k 字 大概 26 分钟

好多比赛,随便做做(就第一天有空

Bigbanana

打开可以发现很明显的Vm题,操作稍微有些复杂。阅读代码并将其翻译成Python语言

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
from ctypes import *

vm_code = [0x000000F6, 0x0000006C, 0x000000F6, 0x00000066, 0x000000F6, 0x00000047, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000D, 0x000000F6, 0x00000066, 0x000000F6, 0x00000005, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000002, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000001, 0x000000F6, 0x00000066, 0x000000F6, 0x0000004A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x00000008, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000F, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000B, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000E, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000000, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000002, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000016, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000002, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000007, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000E, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000004, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000011, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x0000001F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x0000004A, 0x000000F6, 0x00000066, 0x000000F6, 0x0000001F, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000005, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000005, 0x000000F6, 0x00000066, 0x000000F6, 0x00000008, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000001, 0x000000F6, 0x00000066, 0x000000F6, 0x00000007, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000000, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000E, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000011, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000008, 0x000000F6, 0x00000066, 0x000000F6, 0x00000007, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x0000001F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000000, 0x000000F6, 0x00000066, 0x000000F6, 0x0000002F, 0x000000F6, 0x00000066, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x00000010, 0x00000010, 0x000000F8, 0x000000F7, 0x000000F4, 0x694E694D, 0x00000001, 0x74632D4C, 0x000000F4, 0x00000000, 0x000000F3, 0x000000F2, 0x1D2D440F, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x00114514, 0x000000F3, 0x000000F2, 0x74747250, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00228A28, 0x000000F3, 0x000000F2, 0x00228A4D, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x0033CF3C, 0x000000F3, 0x000000F2, 0x0033CFAA, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x00451450, 0x000000F3, 0x000000F2, 0x004514CB, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x00565964, 0x000000F3, 0x000000F2, 0x00565966, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00679E78, 0x000000F3, 0x000000F2, 0x00679FBC, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x0078E38C, 0x000000F3, 0x000000F2, 0x0078E4CC, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x008A28A0, 0x000000F3, 0x000000F2, 0x008A2949, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x009B6DB4, 0x000000F3, 0x000000F2, 0x009B6EC8, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00ACB2C8, 0x000000F3, 0x000000F2, 0x00ACB3E0, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x00BDF7DC, 0x000000F3, 0x000000F2, 0x00BDF8F6, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x00CF3CF0, 0x000000F3, 0x000000F2, 0x00CF3D22, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x00E08204, 0x000000F3, 0x000000F2, 0x00E082EB, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00F1C718, 0x000000F3, 0x000000F2, 0x00F1C745, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x01030C2C, 0x000000F3, 0x000000F2, 0x01030C9C, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x01145140, 0x000000F3, 0x000000F2, 0x0114518E, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x01259654, 0x000000F3, 0x000000F2, 0x01259634, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x0136DB68, 0x000000F3, 0x000000F2, 0x0136DC9C, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x0148207C, 0x000000F3, 0x000000F2, 0x0148217D, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x01596590, 0x000000F3, 0x000000F2, 0x015965AE, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x016AAAA4, 0x000000F3, 0x000000F2, 0x016AABB8, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x017BEFB8, 0x000000F3, 0x000000F2, 0x017BF02F, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x018D34CC, 0x000000F3, 0x000000F2, 0x018D352A, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x019E79E0, 0x000000F3, 0x000000F2, 0x019E7AE7, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x01AFBEF4, 0x000000F3, 0x000000F2, 0x01AFBF19, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x01C10408, 0x000000F3, 0x000000F2, 0x01C1043C, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x01D2491C, 0x000000F3, 0x000000F2, 0x01D249A4, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x01E38E30, 0x000000F3, 0x000000F2, 0x01E38E3E, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x01F4D344, 0x000000F3, 0x000000F2, 0x01F4D3B0, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x02061858, 0x000000F3, 0x000000F2, 0x02061853, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x02175D6C, 0x000000F3, 0x000000F2, 0x02175E76, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x0228A280, 0x000000F3, 0x000000F2, 0x0228A241, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x0239E794, 0x000000F3, 0x000000F2, 0x0239E866, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x024B2CA8, 0x000000F3, 0x000000F2, 0x024B2D81, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x025C71BC, 0x000000F3, 0x000000F2, 0x025C72F0, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x026DB6D0, 0x000000F3, 0x000000F2, 0x026DB738, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x027EFBE4, 0x000000F3, 0x000000F2, 0x027EFCFC, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x029040F8, 0x000000F3, 0x000000F2, 0x029041F1, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x02A1860C, 0x000000F3, 0x000000F2, 0x02A186E7, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x02B2CB20, 0x000000F3, 0x000000F2, 0x02B2CBE3, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x02C41034, 0x000000F3, 0x000000F2, 0x02C4105D, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x02D55548, 0x000000F3, 0x000000F2, 0x02D55595, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x02E69A5C, 0x000000F3, 0x000000F2, 0x02E69A7B, 0x000000FE, 0x00000066, 0x000000F0]

input_index = 0
vm_code_index = 0
is_equal = 0
is_smaller = 0
r = [0, 0, 0, 0, 0, 0]
input_data = [0 for i in range(200)]


def save_value(value):
    global input_index
    input_data[input_index] = value
    input_index += 1

def get_value(save_to):
    global input_index
    input_index -= 1
    r[save_to] = input_data[input_index]
    input_data[input_index] = 0
    print('mov r%s, stack[%s]' % (save_to, input_index))
    print('mov stack[%s], 0' % input_index)

def case_0():
    global vm_code_index
    r[2] += vm_code[vm_code_index + 1]
    print('add r2, %s' % vm_code[vm_code_index + 1])
    vm_code_index += 2

def case_15():
    global vm_code_index
    global input_index
    r[5] = 0
    r[5] = ord(input(''))
    save_value(r[5])
    print('mov r5, %s' % r[5])
    print('mov stack[%s], r5' % (input_index-1))
    vm_code_index += 1

def case_16():
    global vm_code_index
    # print(chr(r[1]), end='')
    print('print: ', chr(r[1]))
    vm_code_index += 1

def case_239():
    global vm_code_index
    r[1] = r[2]
    print('mov r1, r2')
    vm_code_index += 1

def case_240():
    global vm_code_index
    r[4] = r[2]
    print('mov r4, r2')
    vm_code_index += 1

def case_241():
    global is_equal
    global is_smaller
    global vm_code_index
    a1 = r[1]
    a2 = vm_code[vm_code_index + 1]
    print('cmp r1, %s' % a2)
    if a1 == a2:
        print('r1 == %s' % a2)
        is_equal = 1
        is_smaller = 0
    elif a1 - a2 < 0:
        print('Smaller')
        is_equal = 0
        is_smaller = 1
    else:
        print('Bigger')
        is_equal = 0
        is_smaller = 0
    vm_code_index += 2

def case_242():
    global vm_code_index
    r[1] ^= r[2]
    print('xor r1, r2')
    vm_code_index += 1

def case_243():
    global vm_code_index
    r[1] += vm_code[vm_code_index + 1]
    print('add r1, %s' % vm_code[vm_code_index + 1])
    vm_code_index += 2

def case_244():
    global vm_code_index
    vm_code[vm_code_index + 1] -= vm_code[vm_code_index + 2]
    print('sub %s, %s' % (vm_code[vm_code_index + 1], vm_code[vm_code_index + 2]))
    vm_code_index += 3

def case_245():
    global vm_code_index
    save_value(vm_code[vm_code_index + 1])
    print('mov stack[%s], %s' % (input_index-1, vm_code[vm_code_index + 1]))
    vm_code_index += 2

def case_246():
    global vm_code_index
    get_value(1)
    vm_code_index += 1

def case_247():
    global vm_code_index
    get_value(2)
    vm_code_index += 1

def case_248():
    global vm_code_index
    get_value(3)
    vm_code_index += 1

def case_249():
    global vm_code_index
    get_value(4)
    vm_code_index += 1

def case_253():
    global is_equal
    global vm_code_index
    if is_equal == 0:
        print('Wrong')
        exit()
    vm_code_index += 2

def case_254():
    global vm_code_index
    global is_equal
    if is_equal == 1:
        vm_code_index += vm_code[vm_code_index + 1]
        print('jmp %s' % vm_code[vm_code_index + 1])
    vm_code_index += 2

while vm_code[vm_code_index]:
    opcode = c_uint8(vm_code[vm_code_index] - 1).value
    if opcode == 0:
        case_0()
    elif opcode == 15:
        case_15()
    elif opcode == 16:
        case_16()
    elif opcode == 239:
        case_239()
    elif opcode == 240:
        case_240()
    elif opcode == 241:
        case_241()
    elif opcode == 242:
        case_242()
    elif opcode == 243:
        case_243()
    elif opcode == 244:
        case_244()
    elif opcode == 245:
        case_245()
    elif opcode == 246:
        case_246()
    elif opcode == 247:
        case_247()
    elif opcode == 248:
        case_248()
    elif opcode == 249:
        case_249()
    elif opcode == 253:
        case_253()
    elif opcode == 254:
        case_254()
    else:
        print('UNKNOWN OPCODE')
        exit()

print('Correct')

即可跑起来跟程序一样的效果

运行过程输出一大串,上面打印的不重要,可以留意到输入后下面加密运算部分

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
m
mov r5, 109
mov stack[0], r5
i
mov r5, 105
mov stack[1], r5
mov r2, stack[1]
mov stack[1], 0
mov r1, stack[0]
mov stack[0], 0
add r1, 1766746445
add r2, 1952656716
add r1, 0
xor r1, r2
cmp r1, 489505807
r1 == 489505807
mov r1, r2
n
mov r5, 110
mov stack[0], r5
mov r2, stack[0]
mov stack[0], 0
add r1, 22
add r2, 33
add r1, 1131796
xor r1, r2
cmp r1, 1953788496
r1 == 1953788496
mov r1, r2
I
mov r5, 73
mov stack[0], r5
mov r2, stack[0]
mov stack[0], 0
add r1, 33
add r2, 44
add r1, 2263592
xor r1, r2
cmp r1, 2263629
Bigger
Wrong

可以发现是逐个字符加密比较。因此我们也不必纠结运算过程中加什么异或什么,可以直接写脚本爆破。把上面翻译过来的内容稍微改一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
import sys
from ctypes import *

vm_code = [0x000000F6, 0x0000006C, 0x000000F6, 0x00000066, 0x000000F6, 0x00000047, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000D, 0x000000F6, 0x00000066, 0x000000F6, 0x00000005, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000002, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000001, 0x000000F6, 0x00000066, 0x000000F6, 0x0000004A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x00000008, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000F, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000B, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000E, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000000, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000002, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000016, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000002, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000007, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000E, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000004, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000011, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x0000001F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x0000004A, 0x000000F6, 0x00000066, 0x000000F6, 0x0000001F, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000005, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x00000005, 0x000000F6, 0x00000066, 0x000000F6, 0x00000008, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000001, 0x000000F6, 0x00000066, 0x000000F6, 0x00000007, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000A, 0x000000F6, 0x00000066, 0x000000F6, 0x00000000, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x0000000E, 0x000000F6, 0x00000066, 0x000000F6, 0x00000012, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000014, 0x000000F6, 0x00000066, 0x000000F6, 0x00000003, 0x000000F6, 0x00000066, 0x000000F6, 0x00000011, 0x000000F6, 0x00000066, 0x000000F6, 0x00000015, 0x000000F6, 0x00000066, 0x000000F6, 0x00000008, 0x000000F6, 0x00000066, 0x000000F6, 0x00000007, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000013, 0x000000F6, 0x00000066, 0x000000F6, 0x00000009, 0x000000F6, 0x00000066, 0x000000F6, 0x0000001F, 0x000000F6, 0x00000066, 0x000000F6, 0x00000046, 0x000000F6, 0x00000066, 0x000000F6, 0x00000000, 0x000000F6, 0x00000066, 0x000000F6, 0x0000002F, 0x000000F6, 0x00000066, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x000000F7, 0x000000F8, 0x000000F3, 0x00000011, 0x00000010, 0x00000010, 0x000000F8, 0x000000F7, 0x000000F4, 0x694E694D, 0x00000001, 0x74632D4C, 0x000000F4, 0x00000000, 0x000000F3, 0x000000F2, 0x1D2D440F, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x00114514, 0x000000F3, 0x000000F2, 0x74747250, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00228A28, 0x000000F3, 0x000000F2, 0x00228A4D, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x0033CF3C, 0x000000F3, 0x000000F2, 0x0033CFAA, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x00451450, 0x000000F3, 0x000000F2, 0x004514CB, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x00565964, 0x000000F3, 0x000000F2, 0x00565966, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00679E78, 0x000000F3, 0x000000F2, 0x00679FBC, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x0078E38C, 0x000000F3, 0x000000F2, 0x0078E4CC, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x008A28A0, 0x000000F3, 0x000000F2, 0x008A2949, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x009B6DB4, 0x000000F3, 0x000000F2, 0x009B6EC8, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00ACB2C8, 0x000000F3, 0x000000F2, 0x00ACB3E0, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x00BDF7DC, 0x000000F3, 0x000000F2, 0x00BDF8F6, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x00CF3CF0, 0x000000F3, 0x000000F2, 0x00CF3D22, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x00E08204, 0x000000F3, 0x000000F2, 0x00E082EB, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x00F1C718, 0x000000F3, 0x000000F2, 0x00F1C745, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x01030C2C, 0x000000F3, 0x000000F2, 0x01030C9C, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x01145140, 0x000000F3, 0x000000F2, 0x0114518E, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x01259654, 0x000000F3, 0x000000F2, 0x01259634, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x0136DB68, 0x000000F3, 0x000000F2, 0x0136DC9C, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x0148207C, 0x000000F3, 0x000000F2, 0x0148217D, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x01596590, 0x000000F3, 0x000000F2, 0x015965AE, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x016AAAA4, 0x000000F3, 0x000000F2, 0x016AABB8, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x017BEFB8, 0x000000F3, 0x000000F2, 0x017BF02F, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x018D34CC, 0x000000F3, 0x000000F2, 0x018D352A, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x019E79E0, 0x000000F3, 0x000000F2, 0x019E7AE7, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x01AFBEF4, 0x000000F3, 0x000000F2, 0x01AFBF19, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x01C10408, 0x000000F3, 0x000000F2, 0x01C1043C, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x01D2491C, 0x000000F3, 0x000000F2, 0x01D249A4, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x01E38E30, 0x000000F3, 0x000000F2, 0x01E38E3E, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x01F4D344, 0x000000F3, 0x000000F2, 0x01F4D3B0, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x02061858, 0x000000F3, 0x000000F2, 0x02061853, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x02175D6C, 0x000000F3, 0x000000F2, 0x02175E76, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x0228A280, 0x000000F3, 0x000000F2, 0x0228A241, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x0239E794, 0x000000F3, 0x000000F2, 0x0239E866, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x024B2CA8, 0x000000F3, 0x000000F2, 0x024B2D81, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x025C71BC, 0x000000F3, 0x000000F2, 0x025C72F0, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x026DB6D0, 0x000000F3, 0x000000F2, 0x026DB738, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x027EFBE4, 0x000000F3, 0x000000F2, 0x027EFCFC, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x029040F8, 0x000000F3, 0x000000F2, 0x029041F1, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x02A1860C, 0x000000F3, 0x000000F2, 0x02A186E7, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000000B, 0x00000001, 0x00000016, 0x000000F4, 0x02B2CB20, 0x000000F3, 0x000000F2, 0x02B2CBE3, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000016, 0x00000001, 0x00000021, 0x000000F4, 0x02C41034, 0x000000F3, 0x000000F2, 0x02C4105D, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x00000021, 0x00000001, 0x0000002C, 0x000000F4, 0x02D55548, 0x000000F3, 0x000000F2, 0x02D55595, 0x000000FE, 0x00000066, 0x000000F0, 0x00000010, 0x000000F8, 0x000000F4, 0x0000002C, 0x00000001, 0x0000000B, 0x000000F4, 0x02E69A5C, 0x000000F3, 0x000000F2, 0x02E69A7B, 0x000000FE, 0x00000066, 0x000000F0]

input_index = 0
vm_code_index = 0
is_equal = 0
is_smaller = 0
r = [0, 0, 0, 0, 0, 0]
input_data = [0 for i in range(1000)]

# user_input = 'miniLctf{bigb4nan4_i5_v3ry_int3r5t1ng_r1ght?}'
user_input = sys.argv[1]
user_input_index = 0
correct_count = 1


def save_value(value):
    global input_index
    input_data[input_index] = value
    input_index += 1

def get_value(save_to):
    global input_index
    input_index -= 1
    r[save_to] = input_data[input_index]
    input_data[input_index] = 0
    # print('mov r%s, stack[%s]' % (save_to, input_index))
    # print('mov stack[%s], 0' % input_index)


def case_0():
    global vm_code_index
    r[2] += vm_code[vm_code_index + 1]
    # print('add r2, %s' % vm_code[vm_code_index + 1])
    vm_code_index += 2

def case_15():
    global vm_code_index
    global input_index
    global user_input_index
    global user_input
    r[5] = 0
    r[5] = ord(user_input[user_input_index])
    user_input_index += 1
    save_value(r[5])
    # print('mov r5, %s' % r[5])
    # print('mov stack[%s], r5' % (input_index-1))
    vm_code_index += 1

def case_16():
    global vm_code_index
    # print(chr(r[1]), end='')
    # print('print: ', chr(r[1]))
    vm_code_index += 1

def case_239():
    global vm_code_index
    r[1] = r[2]
    # print('mov r1, r2')
    vm_code_index += 1

def case_240():
    global vm_code_index
    r[4] = r[2]
    # print('mov r4, r2')
    vm_code_index += 1

def case_241():
    global is_equal
    global is_smaller
    global vm_code_index
    global correct_count
    a1 = r[1]
    a2 = vm_code[vm_code_index + 1]
    # print('cmp r1, %s' % a2)
    if a1 == a2:
        # print('r1 == %s' % a2)
        correct_count += 1
        is_equal = 1
        is_smaller = 0
    elif a1 - a2 < 0:
        # print('Smaller')
        is_equal = 0
        is_smaller = 1
    else:
        # print('Bigger')
        is_equal = 0
        is_smaller = 0
    vm_code_index += 2

def case_242():
    global vm_code_index
    r[1] ^= r[2]
    # print('xor r1, r2')
    vm_code_index += 1

def case_243():
    global vm_code_index
    r[1] += vm_code[vm_code_index + 1]
    # print('add r1, %s' % vm_code[vm_code_index + 1])
    vm_code_index += 2

def case_244():
    global vm_code_index
    vm_code[vm_code_index + 1] -= vm_code[vm_code_index + 2]
    # print('sub %s, %s' % (vm_code[vm_code_index + 1], vm_code[vm_code_index + 2]))
    vm_code_index += 3

def case_245():
    global vm_code_index
    save_value(vm_code[vm_code_index + 1])
    # print('mov stack[%s], %s' % (input_index-1, vm_code[vm_code_index + 1]))
    vm_code_index += 2

def case_246():
    global vm_code_index
    get_value(1)
    vm_code_index += 1

def case_247():
    global vm_code_index
    get_value(2)
    vm_code_index += 1

def case_248():
    global vm_code_index
    get_value(3)
    vm_code_index += 1

def case_249():
    global vm_code_index
    get_value(4)
    vm_code_index += 1

def case_253():
    global is_equal
    global vm_code_index
    if is_equal == 0:
        print('Wrong')
        exit()
    vm_code_index += 2

def case_254():
    global vm_code_index
    global is_equal
    if is_equal == 1:
        vm_code_index += vm_code[vm_code_index + 1]
        # print('jmp %s' % vm_code[vm_code_index + 1])
    vm_code_index += 2

while vm_code[vm_code_index]:
    opcode = c_uint8(vm_code[vm_code_index] - 1).value
    if opcode == 0:
        case_0()
    elif opcode == 15:
        case_15()
    elif opcode == 16:
        case_16()
    elif opcode == 239:
        case_239()
    elif opcode == 240:
        case_240()
    elif opcode == 241:
        case_241()
    elif opcode == 242:
        case_242()
    elif opcode == 243:
        case_243()
    elif opcode == 244:
        case_244()
    elif opcode == 245:
        case_245()
    elif opcode == 246:
        case_246()
    elif opcode == 247:
        case_247()
    elif opcode == 248:
        case_248()
    elif opcode == 249:
        case_249()
    elif opcode == 253:
        case_253()
    elif opcode == 254:
        case_254()
    else:
        print('UNKNOWN OPCODE')
        exit()

    if correct_count == len(user_input):
        print('Correct')
        exit()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import subprocess

available_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$%&@_`?{|}~'

flag = 'miniLctf{'
for i in range(50):
    for ch in available_chars:
        flag_tmp = flag + ch
        cmd = 'python bigbanana_burp.py "' + flag_tmp + '"'
        # print(cmd)
        p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
        p.wait()
        out = p.stdout.read()
        p.kill()
        if b'Correct' in out:
            flag = flag_tmp
            print(flag)
            break

即可爆出flagimage-20240501002251924

Long long call

拖进ida观察发现每个函数中要call的函数其实就在下面,再仔细观察汇编即可发现程序运行的关键内容被popfqpushfq包着,因此只需要将这外面的汇编代码nop掉,即可正常F5查看代码。照理来说写脚本patch会更快,但我这里偷懒手动一个个去patch了

patch完的三个主要函数

1
2
3
4
5
6
7
8
9
10
11
12
13
__int64 __fastcall __noreturn sub_1C3A(__int64 a1, char **a2, char **a3)
{
  char a1a[56]; // [rsp+0h] [rbp-40h] BYREF
  unsigned __int64 v4; // [rsp+38h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  puts("input your flag:");
  __isoc99_scanf("%44s", a1a);
  puts("ok, let's go");
  __readeflags();
  sub_15EC(a1a);
  sub_1998(a1a);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned __int64 __fastcall sub_15EC(char a1[])
{
  char v2; // [rsp+1Bh] [rbp-D5h]
  int i; // [rsp+1Ch] [rbp-D4h]
  unsigned __int64 v4; // [rsp+E8h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  for ( i = 0; i <= 43; i += 2 )
  {
    v2 = a1[i] + a1[i + 1];
    a1[i] ^= v2;
    a1[i + 1] ^= v2;
  }
  return v4 - __readfsqword(0x28u);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
void __fastcall __noreturn sub_1998(char a1[])
{
  int i; // [rsp+1Ch] [rbp-D4h]

  for ( i = 0; i <= 43; ++i )
  {
    puts("checking...");
    sleep(2 * i);
    if ( a1[i] != byte_4080[i] )
    {
      puts("Wrong!");
      exit(1);
    }
  }
  puts("Right");
  exit(0);
}

写出爆破脚本

1
2
3
4
5
6
7
8
9
10
11
12
encode = [0xBB, 0xBF, 0xB9, 0xBE, 0xC3, 0xCC, 0xCE, 0xDC, 0x9E, 0x8F, 0x9D, 0x9B, 0xA7, 0x8C, 0xD7, 0x95, 0xB0, 0xAD, 0xBD, 0xB4, 0x88, 0xAF, 0x92, 0xD0, 0xCF, 0xA1, 0xA3, 0x92, 0xB7, 0xB4, 0xC9, 0x9E, 0x94, 0xA7, 0xAE, 0xF0, 0xA1, 0x99, 0xC0, 0xE3, 0xB4, 0xB4, 0xBF, 0xE3]

for i in range(0, len(encode), 2):
    for a1 in range(256):
        for a2 in range(256):
            v2 = (a1 + a2) & 0xFF
            encode1 = a1 ^ v2
            encode2 = a2 ^ v2
            if encode1 == encode[i] and encode2 == encode[i+1]:
                print(chr(a1), end='')
                print(chr(a2), end='')
# miniLCTF{just_s1mple_x0r_1n_lon9_l0ng_c@ll!}
本文作者:lrhtony
本文链接:https://lrhtony.cn/2024/04/30/2024MiniLCTF/
版权声明:本文采用 CC BY-NC-SA 4.0 协议进行许可
技术