## Nop

Nop consists of two anti-debugging checks plus a pile of junk instructions.

The anti-debugging check works by asking whether the process is already being ptrace'd; just nop it out.

Then comes the junk code, which we can simply nop out as well. The cleaned-up result looks like this:
Here the input value is incremented three times and then 0xCCCCCCCC is added; since the value is a 32-bit integer, the addition wraps around (unsigned overflow).

To get to `right`, the `jmp Wrong` instruction has to be nopped out, so the address that must be patched is 0x08048765.

The input therefore has to satisfy x + 3 + 0xCCCCCCCC ≡ 0x08048765 (mod 2^32), i.e. x = (0x08048765 - 0xCCCCCCCC - 3) & 0xFFFFFFFF = 0x3B37BA96 = 993507990. Watch the operator precedence when checking this in Python: `(0x08048765 - 0xCCCCCCCC) & 0xFFFFFFFF - 3` parses as `(...) & 0xFFFFFFFC`, because `-` binds tighter than `&`, so it clears the low two bits instead of subtracting 3 and yields 993507992, which makes the patch land two bytes past the jump.
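As an added example (this is not code from the original writeup), the following Python models the binary's arithmetic as described above, three increments followed by the addition of 0xCCCCCCCC in 32-bit unsigned arithmetic, and inverts it. The target address, constant and increment count are the ones from the writeup; the function names are my own.

```python
# Added example (not from the original writeup): reproduce the Nop
# program's 32-bit arithmetic and solve for the input that makes the
# runtime patch land on the `jmp Wrong` at 0x08048765.
MASK32 = 0xFFFFFFFF

TARGET = 0x08048765      # address of the jmp we want nopped (from the writeup)
ADD_CONST = 0xCCCCCCCC   # constant the program adds (from the writeup)
INCREMENTS = 3           # number of ++ before the add (from the writeup)


def program_transform(user_input: int, increments: int = INCREMENTS,
                      add_const: int = ADD_CONST) -> int:
    """Model of what the binary does to the input before using it as the
    patch address: increment `increments` times, then add `add_const`, all
    in 32-bit unsigned arithmetic so the overflow is reproduced exactly."""
    v = user_input & MASK32
    for _ in range(increments):
        v = (v + 1) & MASK32
    return (v + add_const) & MASK32


def solve_input(target: int = TARGET, increments: int = INCREMENTS,
                add_const: int = ADD_CONST) -> int:
    """Invert program_transform modulo 2**32: subtract the constant and the
    increments, then mask. Masking after the subtraction is what makes the
    wraparound come out right."""
    return (target - add_const - increments) & MASK32


def precedence_trap(target: int = TARGET, add_const: int = ADD_CONST) -> int:
    """The tempting one-liner. In Python `-` binds tighter than `&`, so this
    is really (target - add_const) & 0xFFFFFFFC: it clears the low two bits
    instead of subtracting 3 and lands two bytes away from the jmp."""
    return (target - add_const) & 0xFFFFFFFF - 3


if __name__ == "__main__":
    x = solve_input()
    print(f"input = {x} (0x{x:08x})")
    print(f"patch lands at 0x{program_transform(x):08x}")
    bad = precedence_trap()
    print(f"precedence trap gives {bad}, lands at 0x{program_transform(bad):08x}")
```

Running it shows the patch from `solve_input()` landing exactly on 0x08048765, while the one-liner's value lands on 0x08048767.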
## rev

Opening it up, it looks roughly like a VM; just run angr on it directly.

```python
import sys

import angr
import claripy


def main(argv):
    bin_path = argv[1]
    project = angr.Project(bin_path, auto_load_libs=False)

    # symbolic argv[1]; 40 bytes is comfortably longer than the flag
    argv1 = claripy.BVS("argv1", 40 * 8)
    init_state = project.factory.entry_state(args=[bin_path, argv1])
    simgr = project.factory.simgr(init_state)

    def is_successful(state):
        return b"right" in state.posix.dumps(1)

    def should_abort(state):
        return b"wrong" in state.posix.dumps(1)

    print(simgr.explore(find=is_successful, avoid=should_abort))
    if simgr.found:
        print(simgr.found[0].solver.eval(argv1, cast_to=bytes))


if __name__ == "__main__":
    main(sys.argv)
```

Result:

```
$ python3 s.py rev_v2
<SimulationManager with 1 active, 1 found, 2 avoid>
b'ctf{ropchain_is_g00d}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
```
## ManageCode

Debug the program with the indispensable dnSpy (32-bit build). The flow is:

- after the flag is entered, it is validated;
- the validation first checks the flag format;
- then check_477 is called to do the real check.

The information dnSpy gives for check_477 is an RVA. An RVA is relative to the image base, not a raw offset into the file: IDA maps the PE at its image base, so open the file in IDA and jump to image base + RVA to land on the function. (To reach the same bytes in the file on disk you would translate the RVA through the section table instead.)
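An added example, not part of the original writeup: a small helper that turns an RVA into the virtual address to jump to in IDA and, for work on the raw file, into a file offset via the section table. The section table and image base below are constructed for illustration; the real values come from the PE headers of the challenge binary, which dnSpy or any PE viewer will show.

```python
# Added example (not from the original writeup): map an RVA, such as the
# one dnSpy shows for a native method, to an IDA address and to a raw file
# offset through the PE section table. Section values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int      # VirtualSize (extent in memory)
    raw_pointer: int       # PointerToRawData (offset in the file)
    raw_size: int          # SizeOfRawData (bytes present in the file)


# Constructed sample section table, typical layout of a small 32-bit PE.
SECTIONS = [
    Section(".text", 0x1000, 0x1F00, 0x0400, 0x2000),
    Section(".rdata", 0x3000, 0x0C00, 0x2400, 0x0C00),
    Section(".data", 0x4000, 0x0800, 0x3000, 0x0200),
]
IMAGE_BASE = 0x400000      # constructed; read ImageBase from the optional header


def rva_to_va(rva: int, image_base: int = IMAGE_BASE) -> int:
    """The address to type into IDA's jump dialog when the PE is loaded at
    its preferred image base."""
    return image_base + rva


def rva_to_file_offset(rva: int, sections=SECTIONS) -> int:
    """Translate an RVA to the byte offset in the file on disk.

    Raises ValueError when the RVA is not covered by any section, or when it
    points into the part of a section that exists only in memory (e.g. the
    zero-filled tail of .data), so a bad RVA fails loudly instead of
    silently reading unrelated bytes."""
    for sec in sections:
        end = sec.virtual_address + max(sec.virtual_size, sec.raw_size)
        if sec.virtual_address <= rva < end:
            delta = rva - sec.virtual_address
            if delta >= sec.raw_size:
                raise ValueError(
                    f"RVA {rva:#x} lies in {sec.name} beyond its raw data")
            return sec.raw_pointer + delta
    raise ValueError(f"RVA {rva:#x} is not covered by any section")


if __name__ == "__main__":
    rva = 0x1234   # constructed RVA inside .text
    print(f"RVA {rva:#x}: IDA address {rva_to_va(rva):#x}, "
          f"file offset {rva_to_file_offset(rva):#x}")
```

Note the difference between the two results: with this table the code at RVA 0x1234 sits at 0x401234 in IDA but at offset 0x634 in the file, because .text starts at file offset 0x400 while it is mapped at RVA 0x1000.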
What you find there is a function made of a pile of linear equations, which Z3 solves directly:
```python
from z3 import BitVec, Solver, ZeroExt, sat

# One 8-bit unknown per flag byte; the function constrains 16 of them.
a1 = [BitVec("x%d" % i, 8) for i in range(16)]

# Do the arithmetic on 32-bit values. With 8-bit operands z3 coerces the
# six-digit coefficients and constants to a single byte and solves the wrong
# system; zero-extending the bytes reproduces the function's int arithmetic.
x = [ZeroExt(24, b) for b in a1]

# Decompiler variable names are kept so each constraint can be checked
# against the IDA output.
v2 = v33 = x[0]
v4 = v32 = x[1]
v3 = v31 = x[2]
v6 = v30 = x[3]
v29 = x[4]
v8 = v27 = x[5]
v9 = v28 = x[6]
v10 = v26 = x[7]
v11 = v25 = x[8]
v12 = v24 = x[9]
v15 = v23 = x[10]
v16 = v22 = x[11]
v17 = v21 = x[12]
v18 = x[13]
v19 = x[14]

s = Solver()
s.add(-307337 * v2 == -29811689)
s.add(31219 * v2 - 470462 * v4 == -7321921)
s.add(282799 * v4 + 145509 * v3 - 299180 * v33 == 13723877)
s.add(475769 * v6 - 175678 * v32 - 389730 * v3 - 482630 * v33 == -95216128)
s.add(-491556 * v33 - 36988 * v29 + 107882 * v32 + -208516 * v6 - 340530 * v3 == -159608574)
s.add(115318 * v8 + 467004 * v33 + 110069 * v29 + 82828 * v31 - 14270 * v32 - 303753 * v6 == 59922906)
s.add(-279354 * v8 - 301605 * v30 + 336041 * v33 + 45022 * v31 + 111726 * v32 - 146340 * v29 - 237939 * v9 == -82351664)
s.add(-147932 * v29 - 23111 * v27 + 356418 * v30 + 157129 * v9 + 96850 * v31 + 459807 * v10 + -239175 * v33 - 15611 * v32 == 54529836)
s.add(-288572 * v10 - 452860 * v11 - 281026 * v31 + 459847 * v29 + 105871 * v32 + 363927 * v28 + 107668 * v33 + 305746 * v27 + 474305 * v30 == 94077867)
s.add(24450 * v32 + 318367 * v27 + 131436 * v33 + 163730 * v31 + 68350 * v30 + -200364 * v12 - 367700 * v26 - 298737 * v11 - 26977 * v28 - 411916 * v29 == -20388052)
s.add(23830 * v31 + 389775 * v26 + 301398 * v32 + 367177 * v27 + 311452 * v30 - 434957 * v12 - 136393 * v15 - 172925 * v25 - 146025 * v33 - 493051 * v28 - 130882 * v29 == -88920064)
s.add(-427662 * v33 - 98903 * v29 - 17320 * v15 - 218483 * v32 - 85741 * v30 + 363857 * v26 + 163521 * v16 + 304649 * v27 + -43728 * v25 - 181088 * v31 + 173715 * v24 + 14457 * v28 == -61620324)
s.add(-195542 * v27 - 498833 * v32 - 412336 * v24 - 216657 * v29 - 501433 * v16 + 271173 * v31 + 74652 * v30 + 373303 * v28 - 306925 * v25 - 338825 * v26 - 475559 * v33 - 358450 * v17 - (v23 << 15) == -174934821)
# The `!=` below is kept exactly as in the original script.
s.add(110210 * v22 + -351890 * v31 - 184149 * v24 - 437072 * v17 + 324022 * v28 + 357830 * v25 + 162554 * v26 + 369921 * v32 + 142164 * v29 + 136219 * v23 + 49387 * v33 - 323429 * v18 - 198716 * v30 - 411630 * v27 != -124829042)
s.add(473866 * v23 + -257967 * v32 - 222834 * v26 - 118361 * v25 + 426304 * v33 + 507378 * v19 + 362998 * v21 - 342754 * v27 - 266674 * v24 - 61369 * v18 - 267106 * v29 - 388543 * v22 - 97045 * v28 - 229602 * v31 - 84816 * v30 == 78977681)
s.add(402402 * v23 + 477363 * v29 + 447356 * v27 + 46659 * v22 + -89442 * v25 - 455802 * v28 - 290697 * v33 - 108648 * v18 + 279039 * v19 + 520878 * v24 + 335538 * v32 + 310844 * v31 + 110817 * v26 - 433259 * x[15] - 525875 * v21 - 2295 * v30 == 80694627)

if s.check() == sat:
    m = s.model()
    # "%02x" keeps leading zeros; hex(...)[2:] silently drops them for bytes < 0x10
    res = "".join("%02x" % m.eval(b, model_completion=True).as_long() for b in a1)
    res = list(res)
    for pos in (6, 13, 20):        # xxxxxx-xxxxxx-xxxxxx-xxxxxxxxxxxxxx
        res.insert(pos, "-")
    print("".join(res))
else:
    print("unsat")
```
Result:
6116fb-709467-bb13cc-52121d1111b66