prob-3
v4로 32바이트 받고, init_cpu를 호출한다.
init_cpu는 입력받은걸 v5로 복사해준다.
그다음 run_cpu가 호출된다.
이런식으로 opcode에 따라서 명령을 수행하는게 들어가있다.
여기를 조금 눈여겨봐야한다.
a1[16]과 a1[17]에 cmp 명령처럼 비교된 결과가 들어간다.
그리고 그 a1에 따라서 분기한다.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
|
from z3 import *
stub = [0x88, 0x01, 0x07, 0x20, 0x00, 0x00, 0x00, 0x88, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0xDA, 0x02, 0x0A, 0x8A, 0xD6, 0xBA, 0x0C, 0xE0, 0xE7, 0x12, 0x4C, 0x77, 0x02, 0x0A, 0x07, 0x05, 0x29, 0x3C, 0x36, 0x57, 0x27, 0x44, 0x04, 0x02, 0x0A, 0xF2, 0x4D, 0xE8, 0x6B, 0x35, 0xA9, 0x51, 0xE6, 0x25, 0x0A, 0x77, 0x00, 0x00, 0x0A, 0xDA, 0x02, 0x0B, 0x78, 0x8F, 0x59, 0x48, 0xC3, 0x01, 0xEC, 0xA0, 0x77, 0x02, 0x0B, 0x98, 0xEE, 0xCF, 0xA8, 0x5B, 0xCA, 0x13, 0xC5, 0x04, 0x02, 0x0B, 0xF9, 0x65, 0xEB, 0x45, 0x9A, 0x63, 0xC5, 0xF4, 0x25, 0x0B, 0x04, 0x00, 0x00, 0x0B, 0xDA, 0x02, 0x0C, 0xEE, 0x28, 0xC6, 0x2B, 0xCB, 0xDB, 0x80, 0x1E, 0x77, 0x02, 0x0C, 0x69, 0x6A, 0x7F, 0xBE, 0x39, 0xA1, 0x96, 0x56, 0x04, 0x02, 0x0C, 0xC3, 0x88, 0xFB, 0x35, 0x6B, 0x7C, 0x5F, 0xA1, 0x25, 0x0C, 0xDA, 0x00, 0x00, 0x0B, 0xDA, 0x02, 0x0A, 0x9E, 0x4B, 0x3C, 0x30, 0x6A, 0xBE, 0xFE, 0x83, 0x77, 0x02, 0x0A, 0x63, 0x8A, 0x7D, 0x7E, 0x41, 0xFD, 0xB4, 0xA9, 0x04, 0x02, 0x0A, 0xB1, 0x9A, 0x8A, 0x58, 0x9D, 0xBE, 0xA9, 0x9D, 0x25, 0x0A, 0x77, 0x00, 0x01, 0x0A, 0xDA, 0x02, 0x0B, 0x9A, 0x00, 0xC1, 0x6C, 0x4B, 0xA0, 0x16, 0x9E, 0x77, 0x02, 0x0B, 0x4E, 0xAC, 0x03, 0x7A, 0xB7, 0x8C, 0x84, 0x3F, 0x04, 0x02, 0x0B, 0xB8, 0x7D, 0x9D, 0xE5, 0x98, 0x9B, 0xD6, 0xEC, 0x25, 0x0B, 0x04, 0x00, 0x01, 0x0B, 0xDA, 0x02, 0x0C, 0xF8, 0xD3, 0x70, 0xDB, 0x32, 0xAB, 0xD9, 0x1C, 0x77, 0x02, 0x0C, 0x6A, 0xC9, 0x00, 0x92, 0xE0, 0xEF, 0x11, 0x29, 0x04, 0x02, 0x0C, 0xF5, 0xF3, 0xA4, 0x67, 0x9D, 0xE9, 0x8D, 0x94, 0x25, 0x0C, 0xDA, 0x00, 0x01, 0x0B, 0xDA, 0x02, 0x0A, 0x24, 0x54, 0x77, 0xBA, 0x22, 0xD3, 0x19, 0x14, 0x77, 0x02, 0x0A, 0xC9, 0xF7, 0xE7, 0x89, 0x6B, 0x83, 0x21, 0x0F, 0x04, 0x02, 0x0A, 0x48, 0xD1, 0x69, 0x61, 0x89, 0x5C, 0x1D, 0x3A, 0x25, 0x0A, 0x77, 0x00, 0x02, 0x0A, 0xDA, 0x02, 0x0B, 0x76, 0xC4, 0x87, 0x5A, 0xA9, 0xA5, 0x95, 0xEA, 0x77, 0x02, 0x0B, 0x26, 0xCD, 0x73, 0xCD, 0xAA, 0xAD, 0x5C, 0xCF, 0x04, 0x02, 0x0B, 0xF3, 0x1A, 0x8D, 0x49, 0x66, 0x12, 0xE4, 0x7C, 0x25, 0x0B, 0x04, 0x00, 0x02, 0x0B, 0xDA, 0x02, 0x0C, 0x90, 0xD3, 0xCE, 0xA1, 0xBB, 0x4C, 0x68, 0x07, 0x77, 0x02, 0x0C, 0xE2, 0xF8, 0x9D, 0x0C, 0xB7, 0xAC, 0x53, 0xBF, 0x04, 0x02, 0x0C, 0xDB, 0x3E, 0x89, 0xB6, 0x16, 0xAA, 0x4E, 0x9E, 0x25, 0x0C, 0xDA, 0x00, 0x02, 0x0B, 0xDA, 0x02, 0x0A, 0xDF, 0xB7, 0xED, 0x2F, 0xA7, 0xBF, 0x90, 0x30, 0x77, 0x02, 0x0A, 0x75, 0x75, 0x81, 0x4D, 0x2B, 0x45, 0x7C, 0x2F, 0x04, 0x02, 0x0A, 0x9E, 0x99, 0x4B, 0x4B, 0xA0, 0x71, 0xEB, 0xEB, 0x25, 0x0A, 0x77, 0x00, 0x03, 0x0A, 0xDA, 0x02, 0x0B, 0x57, 0x66, 0xA9, 0x7B, 0xCC, 0x0A, 0x5E, 0xB5, 0x77, 0x02, 0x0B, 0x75, 0xE2, 0x8E, 0x77, 0x49, 0xB7, 0x5E, 0xE6, 0x04, 0x02, 0x0B, 0x9F, 0xF6, 0xB4, 0x71, 0xD2, 0xE5, 0x48, 0xD7, 0x25, 0x0B, 0x04, 0x00, 0x03, 0x0B, 0xDA, 0x02, 0x0C, 0x9F, 0x04, 0x59, 0xA3, 0xC8, 0xB8, 0xA3, 0x7F, 0x77, 0x02, 0x0C, 0x08, 0xDB, 0x05, 0x60, 0xEB, 0x3F, 0xCF, 0xEB, 0x04, 0x02, 0x0C, 0xE5, 0x2B, 0xE3, 0xC1, 0x94, 0xAA, 0x48, 0xB1, 0x25, 0x0C, 0xDA, 0x00, 0x03, 0x0B, 0x04, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0xF4, 0x07, 0x08, 0x40, 0x02, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCC]
rip = 0
FLAG = [BitVec("FLAG_%d" %i, 64) for i in range(4)]
REG = [x for x in FLAG] + [0] * (18 - 4)
REG_num = 16
REG_bit = 64
bytedef = [0xCC, 0x88, 0x04, 0xDA, 0x1C, 0x4A, 0x25, 0x77, 0xF4, 0x40]
while True:
if stub[rip] == bytedef[0]: # RET
break
elif stub[rip] == bytedef[1]: # MOV
id = stub[rip + 1]
if id == 0:
src = stub[rip + 2]
dst = stub[rip + 3]
REG[src] = REG[dst]
REG[src] &= ((1 << REG_bit) - 1)
rip += 4
elif id == 1:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 4], "little")
REG[src] = imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 4
elif id == 2:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 8], "little")
REG[src] = imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 8
else:
raise Exception("EMULATE ERROR")
elif stub[rip] == bytedef[2]: # ADD
id = stub[rip + 1]
if id == 0:
src = stub[rip + 2]
dst = stub[rip + 3]
REG[src] += REG[dst]
REG[src] &= ((1 << REG_bit) - 1)
rip += 4
elif id == 1:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 4], "little")
REG[src] += imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 4
elif id == 2:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 8], "little")
REG[src] += imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 8
else:
raise Exception("EMULATE ERROR")
elif stub[rip] == bytedef[3]: # SUB
id = stub[rip + 1]
if id == 0:
src = stub[rip + 2]
dst = stub[rip + 3]
REG[src] -= REG[dst]
REG[src] &= ((1 << REG_bit) - 1)
rip += 4
elif id == 1:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 4], "little")
REG[src] -= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 4
elif id == 2:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 8], "little")
REG[src] -= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 8
else:
raise Exception("EMULATE ERROR")
elif stub[rip] == bytedef[4]: # AND
id = stub[rip + 1]
if id == 0:
src = stub[rip + 2]
dst = stub[rip + 3]
REG[src] &= REG[dst]
REG[src] &= ((1 << REG_bit) - 1)
rip += 4
elif id == 1:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 4], "little")
REG[src] &= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 4
elif id == 2:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 8], "little")
REG[src] &= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 8
else:
raise Exception("EMULATE ERROR")
elif stub[rip] == bytedef[5]: # OR
id = stub[rip + 1]
if id == 0:
src = stub[rip + 2]
dst = stub[rip + 3]
REG[src] |= REG[dst]
REG[src] &= ((1 << REG_bit) - 1)
rip += 4
elif id == 1:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 4], "little")
REG[src] |= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 4
elif id == 2:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 8], "little")
REG[src] |= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 8
else:
raise Exception("EMULATE ERROR")
elif stub[rip] == bytedef[6]: # NOT
src = stub[rip + 1]
REG[src] = ~REG[src]
REG[src] &= ((1 << REG_bit) - 1)
rip += 2
elif stub[rip] == bytedef[7]: # XOR
id = stub[rip + 1]
if id == 0:
src = stub[rip + 2]
dst = stub[rip + 3]
REG[src] ^= REG[dst]
REG[src] &= ((1 << REG_bit) - 1)
rip += 4
elif id == 1:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 4], "little")
REG[src] ^= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 4
elif id == 2:
src = stub[rip + 2]
imm = int.from_bytes(stub[rip + 3:rip + 3 + 8], "little")
REG[src] ^= imm
REG[src] &= ((1 << REG_bit) - 1)
rip += 3 + 8
else:
raise Exception("EMULATE ERROR")
elif stub[rip] == bytedef[8]: # CMP
src = stub[rip + 1]
dst = stub[rip + 2]
REG[REG_num] = REG[src] == REG[dst]
REG[REG_num + 1] = src > dst
rip += 3
elif stub[rip] == bytedef[9]:
id = stub[rip + 1]
if id == 0:
dst = int.from_bytes(stub[rip + 2:rip + 2 + 8], "little")
rip = dst
elif id == 1:
dst = int.from_bytes(stub[rip + 2:rip + 2 + 8], "little")
if REG[REG_num] == True:
rip = dst
else:
rip += 2 + 8
elif id == 2:
dst = int.from_bytes(stub[rip + 2:rip + 2 + 8], "little")
if REG[REG_num] == False:
rip = dst
else:
rip += 2 + 8
else:
raise Exception("EMULATE ERROR")
else:
raise Exception("EMULATE ERROR")
s = Solver()
s.add(REG[0] == 0x4635CE5D1658B74C)
s.add(REG[1] == 0xE1EC52A29AF4B45F)
s.add(REG[2] == 0xBDF35F48B8974554)
s.add(REG[3] == 0xC42B5522A0596E41)
print(s.check())
m = s.model()
for f in FLAG:
print(m[f].as_long().to_bytes(8, "little").decode(), end="")
print()
|
cs |
opcode에 따른 처리가 다 구현된 코드이다.
prob-4
구조는 prob-4랑 비슷하다.
init_cpu에서 입력을 복사해준다.
run_cpu의 모습이다.
opcode에 따라서 다른 처리를 한다.
여기서 분기에 관한 부분을 처리한다.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
from z3 import *
data = [22, 1, 7, 128, 0, 0, 0, 22, 1, 8, 0, 0, 0, 0, 224, 2, 10, 124, 198, 76, 209, 83, 55, 119, 146, 93, 2, 10, 39, 72, 227, 48, 2, 21, 248, 200, 59, 0, 0, 10, 120, 10, 59, 2, 10, 191, 152, 31, 244, 140, 173, 184, 157, 224, 2, 10, 86, 254, 159, 114, 250, 181, 51, 199, 93, 2, 10, 13, 92, 191, 164, 24, 21, 158, 181, 59, 0, 1, 10, 120, 10, 59, 2, 10, 183, 176, 95, 91, 207, 254, 12, 104, 224, 2, 10, 173, 254, 97, 224, 26, 69, 98, 143, 93, 2, 10, 42, 188, 254, 175, 198, 115, 205, 201, 59, 0, 2, 10, 120, 10, 59, 2, 10, 174, 77, 139, 203, 27, 83, 182, 168, 224, 2, 10, 31, 51, 204, 97, 228, 25, 233, 141, 93, 2, 10, 199, 255, 6, 184, 157, 195, 184, 228, 59, 0, 3, 10, 120, 10, 59, 2, 10, 105, 107, 103, 192, 73, 71, 49, 85, 93, 1, 8, 1, 0, 0, 0, 179, 7, 8, 33, 2, 14, 0, 0, 0, 0, 0, 0, 0, 204]
cur = 0
FLAG = [BitVec('FLAG_%d'%i ,64) for i in range(4)]
REG = [i for i in FLAG] + [0] * 14
while True:
if(data[cur] == 0xcc):
break
elif(data[cur] == 0x16):
if(data[cur+1] == 1):
print('mov 1')
REG[data[cur+2]] = int.from_bytes(data[cur+3:cur+7],'little')
REG[data[cur+2]] &= 0xffffffffffffffff
cur += 7
# elif(data[cur+1] == 2):
# print('mov 2')
# cur += 11
# else:
# cur += 4
elif(data[cur] == 0x5d):
if(data[cur+1] == 1):
print('add 1')
REG[data[cur+2]] += int.from_bytes(data[cur+3:cur+7],'little')
REG[data[cur+2]] &= 0xffffffffffffffff
cur += 7
elif(data[cur+1] == 2):
print('add 2')
REG[data[cur+2]] += int.from_bytes(data[cur+3:cur+11],'little')
REG[data[cur+2]] &= 0xffffffffffffffff
cur += 11
# else:
# print('add 3')
# cur += 4
elif(data[cur] == 0xe0):
if(data[cur+1] == 2):
print('sub 2')
REG[data[cur+2]] -= int.from_bytes(data[cur+3:cur+11],'little')
REG[data[cur+2]] &= 0xffffffffffffffff
cur += 11
# elif(data[cur+1] == 1):
# print('sub 1')
# cur += 7
# else:
# print('sub 3')
# cur += 4
# elif(data[cur] == 0xb2):
# if(data[cur+1]==1):
# print('or 1')
# cur += 7
# elif(data[cur+1]==2):
# print('or 2')
# cur += 11
# else:
# print('or 3')
# cur += 4
elif(data[cur] == 0x78):
print('not')
REG[data[cur+1]] = ~REG[data[cur+1]]
REG[data[cur+1]] &= 0xffffffffffffffff
cur += 2
elif(data[cur] == 0x3b):
if(data[cur+1]==2):
print('xor 2')
REG[data[cur+2]] ^= int.from_bytes(data[cur+3:cur+11],'little')
REG[data[cur+2]] &= 0xffffffffffffffff
cur += 11
# elif(data[cur+1]==1):
# print('xor 1')
# cur += 7
else:
print('xor 3')
REG[data[cur+2]] ^= REG[data[cur+3]]
cur += 4
elif(data[cur] == 0xb3):
print('cmp')
REG[16] = REG[data[cur+1]] == REG[data[cur+2]]
REG[17] = data[cur+1] > data[cur+2]
cur += 3
elif(data[cur] == 0x21):
if(data[cur+1]==2):
print('jne')
if(REG[16]):
cur+=10
else:
cur = int.from_bytes(data[cur+2:cur+10],'little') & 0xff
# elif(data[cur+1] ==1):
# print('je')
# cur+=10
# else:
# print('jmp')
# cur += 10
# else:
# if(data[cur+1]== 1):
# print('and 1')
# cur += 7
# elif(data[cur+2] == 2):
# print('and 2')
# cur += 11
# else:
# print('and 3')
# cur += 4
s = Solver()
s.add(REG[0] == 0x7ECB527EEABB074C)
s.add(REG[1] == 0xE635AE1A1123CE4F)
s.add(REG[2] == 0x61467F6C95358D52)
s.add(REG[3] == 0x1FA186EA0DBF462E)
s.check()
m = s.model()
FLAG = FLAG[::-1]
flag = []
for i in FLAG:
flag.append(m[i].as_long().to_bytes(8,'little').decode())
print(''.join(flag[::-1]))
|
cs |
처음에는 레지스터들에 대해서 처리해주지 않았고, cur만 더해주면서 사용되는 명령어들을 확인했다.
사용되지 않는 명령어들을 찾기 위해서, cur을 더하면서 바이트 코드들을 읽었다.
다음 명령어로 계속 넘겨주면, 굳이 처리를 하지 않더라도 어떤 opcode가 쓰이는지 알 수 있다.
그리고 사용되지 않는 명령어들은 주석처리를 해줬다.
사용되는 명령들만 보고 구현을 했다.
그다음 방정식 풀고, flag를 출력해주면 된다.
'Layer7 동아리 과제' 카테고리의 다른 글
| 포너블 1차시 과제 (0) | 2022.09.18 |
|---|---|
| 포너블 1차시 실습 라업 (0) | 2022.09.14 |
| 리버싱 10차시 과제 (0) | 2022.08.23 |
| 리버싱 9차시 과제 (0) | 2022.08.16 |
| 리버싱 8차시 과제 (0) | 2022.08.10 |