mini-L

mini-L 部分题目(longlongcall,bigbanana)

longlongcall

分析

64位 ELF 无壳

ida
有大量类似这样反汇编失败的函数,是一个call&ret类型的花指令,可以看出popfq和pushfq中间的才是有用的指令。

exp

将无关的指令nop掉

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import idaapi
import idc
import idautils


# Function to search for a byte pattern and return a list of addresses where the pattern is found
def find_pattern(pattern):
    ea = 0x11D9
    end_ea = 0x1E35
    addresses = []

    while ea != idc.BADADDR:
        ea = idc.find_binary(ea, end_ea, pattern, 16, idc.SEARCH_DOWN)
        if ea != idc.BADADDR:
            addresses.append(ea)
            ea += len(pattern.split())  # Move to the next position after the pattern length
    return addresses


# Function to replace a range of bytes with NOP (0x90)
def nop_bytes(start_addr, length):
    for i in range(length):
        idc.patch_byte(start_addr + i, 0x90)  # Replace with NOP


# Example usage
binary_pattern1 = "E8 02 00 00 00 "  # Example pattern to search (adjust this pattern as needed)

binary_pattern5 = "C9 C3"
binary_pattern2 = "48 83 C4 08"
binary_pattern3= "9C"
binary_pattern4 = "9D"


# Search for the binary pattern
addresses = find_pattern(binary_pattern1)
print(addresses)
pattern_length = len(binary_pattern1.split())
for addr in addresses:
    nop_bytes(addr, pattern_length)

addresses = find_pattern(binary_pattern2)
print(addresses)
pattern_length = len(binary_pattern1.split())
for addr in addresses:
    nop_bytes(addr, pattern_length)

addresses = find_pattern(binary_pattern3)
print(addresses)
pattern_length = len(binary_pattern1.split())
for addr in addresses:
    nop_bytes(addr, pattern_length)

addresses = find_pattern(binary_pattern4)
print(addresses)
pattern_length = len(binary_pattern1.split())
for addr in addresses:
    nop_bytes(addr, pattern_length)

addresses = find_pattern(binary_pattern5)
print(addresses)
pattern_length = len(binary_pattern1.split())
for addr in addresses:
    nop_bytes(addr, pattern_length)


reanalysis

脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#include <iostream>
#include <string>
using namespace std;

char ida_chars[44] =
{
  -69,
  -65,
  -71,
  -66,
  -61,
  -52,
  -50,
  -36,
  -98,
  -113,
  -112,
  -112,
  -112,
  -112,
  -112,
  -107,
  -80,
  -83,
  -67,
  -76,
  -120,
  -81,
  -110,
  -48,
  -49,
  -95,
  -93,
  -110,
  -73,
  -76,
  -55,
  -98,
  -108,
  -89,
  -82,
  -16,
  -95,
  -103,
  -64,
  -29,
  -76,
  -76,
  -65,
  -29
};

int main(){
    string flag = "";    
    for (int i = 0; i < sizeof(ida_chars); i+=2){
        for (char a = 33; a < 127; a++){
            for (char b = 33; b < 127; b++){
                char v2 = a+b;
                if((a ^ v2) == ida_chars[i] && (b^v2) == ida_chars[i+1]){
                    flag += a;
                    flag += b;
                   
                }
    
            }
        }

    }
    cout << flag << endl;
    return 0;

}


补充一下Z3脚本
参考:https://github.com/XDSEC/miniLCTF_2024/blob/main/Writeups/maet%20radiv%20-%20Writeup%20-%20Mini%20L-CTF%202024.pdf
Z3是由微软公司开发的一个优秀的SMT求解器,它能够检查逻辑表达式的可满足性。可以理解为解方程的工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
import typing
import z3
from z3 import *

ida_chars =[
  -69,
  -65,
  -71,
  -66,
  -61,
  -52,
  -50,
  -36,
  -98,
  -113,
  -112,
  -112,
  -112,
  -112,
  -112,
  -107,
  -80,
  -83,
  -67,
  -76,
  -120,
  -81,
  -110,
  -48,
  -49,
  -95,
  -93,
  -110,
  -73,
  -76,
  -55,
  -98,
  -108,
  -89,
  -82,
  -16,
  -95,
  -103,
  -64,
  -29,
  -76,
  -76,
  -65,
  -29
]

def solve():
    s = Solver()
    x = [z3.BitVec(f"x{i}",8) for i in range(ida_chars.__len__())]  #解向量

    for i in range(0, 44, 2):
      v1 = x[i] + x[i + 1]
      x[i] ^= v1
      x[i + 1] ^= v1

    for i,v in enumerate(ida_chars):
      s.add(v == x[i])     //条件

    if s.check() == sat:
      m = s.model()

    result:typing.Any = [0] * 44
    for d in m.decls():
      result[int(d.name()[1:])] = m[d].as_long()

    print(result)

    flag = ""
    for i in range(44):
      flag += chr(result[i])
    print(flag)

if __name__ == '__main__':
    solve()




bigbanana

分析

64位 无壳

ida
很明显是一个VM的题目,先将指令都翻译成汇编指令,然后根据
op把指令提取出来。这里的op要改成dd的形式导出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
int instrction[] =
{
   246, 108, 246, 102, 246, 71, 246, 102, 246, 13, 246
,102, 246, 5, 246, 102, 246, 19, 246, 102, 246, 10, 246
,102, 246, 70, 246, 102, 246, 2, 246, 102, 246, 9, 246
,102, 246, 9, 246, 102, 246, 1, 246, 102, 246, 74, 246
,102, 246, 21, 246, 102, 246, 3, 246, 102, 246, 18, 246
,102, 246, 19, 246, 102, 246, 8, 246, 102, 246, 15, 246
,102, 246, 11, 246, 102, 246, 70, 246, 102, 246, 3, 246
,102, 246, 3, 246, 102, 246, 20, 246, 102, 246, 14, 246
,102, 246, 18, 246, 102, 246, 70, 246, 102, 246, 20
,246, 102, 246, 9, 246, 102, 246, 0, 246, 102, 246, 70
,246, 102, 246, 2, 246, 102, 246, 3, 246, 102, 246, 21
,246, 102, 246, 21, 246, 102, 246, 3, 246, 102, 246
,20, 246, 102, 246, 22, 246, 102, 246, 70, 246, 102
,246, 2, 246, 102, 246, 20, 246, 102, 246, 7, 246, 102
,246, 14, 246, 102, 246, 70, 246, 102, 246, 3, 246, 102
,246, 4, 246, 102, 246, 70, 246, 102, 246, 10, 246, 102
,246, 10, 246, 102, 246, 15, 246, 102, 246, 17, 246
,102, 246, 70, 246, 102, 246, 19, 246, 102, 246, 9, 246
,102, 246, 31, 246, 102, 246, 70, 246, 102, 246, 74
,246, 102, 246, 31, 246, 102, 246, 10, 246, 102, 246
,18, 246, 102, 246, 5, 246, 102, 246, 3, 246, 102, 246
,20, 246, 102, 246, 20, 246, 102, 246, 9, 246, 102, 246
,5, 246, 102, 246, 8, 246, 102, 246, 15, 246, 102, 246
,70, 246, 102, 246, 1, 246, 102, 246, 7, 246, 102, 246
,10, 246, 102, 246, 0, 246, 102, 246, 70, 246, 102, 246
,3, 246, 102, 246, 14, 246, 102, 246, 18, 246, 102, 246
,70, 246, 102, 246, 20, 246, 102, 246, 3, 246, 102, 246
,17, 246, 102, 246, 21, 246, 102, 246, 8, 246, 102, 246
,7, 246, 102, 246, 70, 246, 102, 246, 19, 246, 102, 246
,9, 246, 102, 246, 31, 246, 102, 246, 70, 246, 102, 246
,0, 246, 102, 246, 47, 246, 102, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 247, 248, 243, 17, 247, 248, 243, 17
,247, 248, 243, 17, 247, 248, 243, 17, 247, 248, 243
,17, 247, 248, 243, 17, 247, 248, 243, 17, 247, 248
,243, 17, 247, 248, 243, 17, 247, 248, 243, 17, 247
,248, 243, 17, 16, 16, 248, 247, 244, 1766746445, 1
,1952656716, 244, 0, 243, 242, 489505807, 254, 102, 240
,16, 248, 244, 22, 1, 33, 244, 1131796, 243, 242, 1953788496
,254, 102, 240, 16, 248, 244, 33, 1, 44, 244, 2263592
,243, 242, 2263629, 254, 102, 240, 16, 248, 244, 44
,1, 11, 244, 3395388, 243, 242, 3395498, 254, 102, 240
,16, 248, 244, 11, 1, 22, 244, 4527184, 243, 242, 4527307
,254, 102, 240, 16, 248, 244, 22, 1, 33, 244, 5658980
,243, 242, 5658982, 254, 102, 240, 16, 248, 244, 33
,1, 44, 244, 6790776, 243, 242, 6791100, 254, 102, 240
,16, 248, 244, 44, 1, 11, 244, 7922572, 243, 242, 7922892
,254, 102, 240, 16, 248, 244, 11, 1, 22, 244, 9054368
,243, 242, 9054537, 254, 102, 240, 16, 248, 244, 22
,1, 33, 244, 10186164, 243, 242, 10186440, 254, 102
,240, 16, 248, 244, 33, 1, 44, 244, 11317960, 243, 242
,11318240, 254, 102, 240, 16, 248, 244, 44, 1, 11, 244
,12449756, 243, 242, 12450038, 254, 102, 240, 16, 248
,244, 11, 1, 22, 244, 13581552, 243, 242, 13581602, 254
,102, 240, 16, 248, 244, 22, 1, 33, 244, 14713348, 243
,242, 14713579, 254, 102, 240, 16, 248, 244, 33, 1, 44
,244, 15845144, 243, 242, 15845189, 254, 102, 240, 16
,248, 244, 44, 1, 11, 244, 16976940, 243, 242, 16977052
,254, 102, 240, 16, 248, 244, 11, 1, 22, 244, 18108736
,243, 242, 18108814, 254, 102, 240, 16, 248, 244, 22
,1, 33, 244, 19240532, 243, 242, 19240500, 254, 102
,240, 16, 248, 244, 33, 1, 44, 244, 20372328, 243, 242
,20372636, 254, 102, 240, 16, 248, 244, 44, 1, 11, 244
,21504124, 243, 242, 21504381, 254, 102, 240, 16, 248
,244, 11, 1, 22, 244, 22635920, 243, 242, 22635950, 254
,102, 240, 16, 248, 244, 22, 1, 33, 244, 23767716, 243
,242, 23767992, 254, 102, 240, 16, 248, 244, 33, 1, 44
,244, 24899512, 243, 242, 24899631, 254, 102, 240, 16
,248, 244, 44, 1, 11, 244, 26031308, 243, 242, 26031402
,254, 102, 240, 16, 248, 244, 11, 1, 22, 244, 27163104
,243, 242, 27163367, 254, 102, 240, 16, 248, 244, 22
,1, 33, 244, 28294900, 243, 242, 28294937, 254, 102
,240, 16, 248, 244, 33, 1, 44, 244, 29426696, 243, 242
,29426748, 254, 102, 240, 16, 248, 244, 44, 1, 11, 244
,30558492, 243, 242, 30558628, 254, 102, 240, 16, 248
,244, 11, 1, 22, 244, 31690288, 243, 242, 31690302, 254
,102, 240, 16, 248, 244, 22, 1, 33, 244, 32822084, 243
,242, 32822192, 254, 102, 240, 16, 248, 244, 33, 1, 44
,244, 33953880, 243, 242, 33953875, 254, 102, 240, 16
,248, 244, 44, 1, 11, 244, 35085676, 243, 242, 35085942
,254, 102, 240, 16, 248, 244, 11, 1, 22, 244, 36217472
,243, 242, 36217409, 254, 102, 240, 16, 248, 244, 22
,1, 33, 244, 37349268, 243, 242, 37349478, 254, 102
,240, 16, 248, 244, 33, 1, 44, 244, 38481064, 243, 242
,38481281, 254, 102, 240, 16, 248, 244, 44, 1, 11, 244
,39612860, 243, 242, 39613168, 254, 102, 240, 16, 248
,244, 11, 1, 22, 244, 40744656, 243, 242, 40744760, 254
,102, 240, 16, 248, 244, 22, 1, 33, 244, 41876452, 243
,242, 41876732, 254, 102, 240, 16, 248, 244, 33, 1, 44
,244, 43008248, 243, 242, 43008497, 254, 102, 240, 16
,248, 244, 44, 1, 11, 244, 44140044, 243, 242, 44140263
,254, 102, 240, 16, 248, 244, 11, 1, 22, 244, 45271840
,243, 242, 45272035, 254, 102, 240, 16, 248, 244, 22
,1, 33, 244, 46403636, 243, 242, 46403677, 254, 102
,240, 16, 248, 244, 33, 1, 44, 244, 47535432, 243, 242
,47535509, 254, 102, 240, 16, 248, 244, 44, 1, 11, 244
,48667228, 243, 242, 48667259, 254, 102, 240, 0
};

翻译脚本(这个把ida复制过来稍微改一改就行)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
void trans(){
    int* op = instrction;
    while(*op){
        NEXT:
            
            
            int v11 = *op;
            int i;
            switch(--v11){
                case 0:
                    i = *(op + 1);
                    
                    
                    cout << "add v6 " << i << endl;
                    op += 2;
                    break;
                case 15:
                   
                    puts("push gatchar()");
                    op += 1;
                    break;
                case 16:
                    puts("printf()");
                    op += 1;
                    break;
                case 239:
                    puts("mov v5 v6");
                    op += 1;
                    break;
                case 240:
                    
                    puts("mov v8 v6");
                    op += 1;
                    break;
                case 241:
                    
                    
                    i = *(op + 1);
                    
                    
                    cout << "cmp v5 " << i << endl;
                    op += 2;
                    break;
                case 242:
                    
                    puts("xor v5 v6");
                    op += 1;
                    break;
                case 243:
                    
                    
                    
                    
                    
                    cout << "add v5 " << *(op + 1)<< endl;
                    op += 2;
                    break;
                case 244:
                    
                    
                    cout << "add v5 " << *(op + 1)  << *(op+2) <<endl;
                    op += 12;
                    break;
                case 245:
                    
                    
                    cout << "push" << *(op + 1)<< endl;
                    op += 2;
                    break;
                case 246:
                    
                    puts("pop v5");
                    op += 1;
                    break;
                case 247:
                    
                    puts("pop v6");
                    op += 1;
                    break;
                case 248:
                    puts("pop v7");
                    op += 1;
                    break;
                case 249:
                    puts("pop v8");
                    op += 1;
                    break;
                case 253:
                    
                    puts("big启动");
                    op += 2;
                    break;
                case 254:
                    puts("je op+ $0");
                    
                    op += 2;
                    break;
                default:
                    goto NEXT;
            }

    }
}

int main(){
    trans();
    return 0;
}

提取出来的汇编
前面一大堆push和pop不用管
除了前两个字符不太一样,后面的都是一样的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
push gatchar()
push gatchar()
pop v6
pop v5
add v5 1766746445
add v6 1952656716
add v5 0
xor v5 v6
cmp v5 489505807
big启动

mov v5 v6
push gatchar()
pop v6
add v5 22
add v6 33
add v5 1131796
xor v5 v6
cmp v5 1953788496
big启动

可以先用‘m’ 和 ‘i’ 验证一下,然后把数据提取出来爆破就行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
/*
add v5 1766746445
add v6 1952656716
add v5 0
xor v5 v6
cmp v5 489505807
big启动
*/

#include <iostream>
#include <vector>

using namespace std;

vector<vector<int>> data_ = {
         {22, 33, 1131796, 1953788496},
        {33, 44, 2263592, 2263629},
        {44, 11, 3395388, 3395498},
        {11, 22, 4527184, 4527307},
        {22, 33, 5658980, 5658982},
        {33, 44, 6790776, 6791100},
        {44, 11, 7922572, 7922892},
        {11, 22, 9054368, 9054537},
        {22, 33, 10186164, 10186440},
        {33, 44, 11317960, 11318240},
        {44, 11, 12449756, 12450038},
        {11, 22, 13581552, 13581602},
        {22, 33, 14713348, 14713579},
        {33, 44, 15845144, 15845189},
        {44, 11, 16976940, 16977052},
        {11, 22, 18108736, 18108814},
        {22, 33, 19240532, 19240500},
        {33, 44, 20372328, 20372636},
        {44, 11, 21504124, 21504381},
        {11, 22, 22635920, 22635950},
        {22, 33, 23767716, 23767992},
        {33, 44, 24899512, 24899631},
        {44, 11, 26031308, 26031402},
        {11, 22, 27163104, 27163367},
        {22, 33, 28294900, 28294937},
        {33, 44, 29426696, 29426748},
        {44, 11, 30558492, 30558628},
        {11, 22, 31690288, 31690302},
        {22, 33, 32822084, 32822192},
        {33, 44, 33953880, 33953875},
        {44, 11, 35085676, 35085942},
        {11, 22, 36217472, 36217409},
        {22, 33, 37349268, 37349478},
        {33, 44, 38481064, 38481281},
        {44, 11, 39612860, 39613168},
        {11, 22, 40744656, 40744760},
        {22, 33, 41876452, 41876732},
        {33, 44, 43008248, 43008497},
        {44, 11, 44140044, 44140263},
        {11, 22, 45271840, 45272035},
        {22, 33, 46403636, 46403677},
        {33, 44, 47535432, 47535509},
        {44, 11, 48667228, 48667259}
    };

int main()
{
    int v5;
    int v6;
     v5 = 'm';
     v6 = 'i';
     
     v5 += 1766746445;
     v6 += 1952656716;
   
    v5 = v5 ^ v6;
    v5 = v6;

    cout << "mi";

    for(int i = 0; i < data_.size(); i++){

        for(int j = 33;j <127;j++){
            v6 = j;
            int v5_temp = v5;
            v5_temp += data_[i][0];
            v6 += data_[i][1];
            v5_temp += data_[i][2];
            if((v5_temp ^ v6) == data_[i][3]){
                cout << char(j) ; 
                v5 = v6;
                break;
            }
            
        }
        

    }
    
    

}

剩下的题目之后再写

RE
mini-L
https://lafdrew.github.io/2024/06/19/mini-L/
Author
John Doe
Posted on
June 19, 2024
Licensed under