NSSCTF [suctf 2019]hardcpp WP 控制流混淆

下载文件，64位主函数非常多循环

去控制流混淆，脚本下载deflat
用法

python 脚本名 文件名 起始地址

例如主函数地址是0x4007E0

python deflat.py hardCpp 0x4007E0

然后就生成了去混淆的文件
主函数非常大，开始分析逻辑
puts("func(?)=\"01abfc750a0c942167651c40d088531d\"?");
输出01abfc750a0c942167651c40d088531d"?

s = getchar();
fgets(v24, 21, stdin);

然后输入字符串，其中第一个值给s，然后再给v24。

if ( y >= 10 && ((((_BYTE)x - 1) * (_BYTE)x) & 1) != 0 )goto LABEL_13;while ( 1 ){v20 = strlen(&s);v34 = v20 != 21;if ( y < 10 || ((((_BYTE)x - 1) * (_BYTE)x) & 1) == 0 )break;
LABEL_13:v20 = strlen(&s);}

这里是个混淆，无论if跳不跳转，v20都等于s长度，注意s前面加了地址符&，
说明是地址，而s和v24的地址是连续的。所以v20本来应该为1，其实为21，不过v20的作用不大。，v34作用不大忽略

while ( 1 ){v19 = 1;if ( y < 10 || ((((_BYTE)x - 1) * (_BYTE)x) & 1) == 0 )break;v19 = 1;}

这里也有混淆，v19就是1

hile ( v19 < 21 ){if ( y >= 10 && ((((_BYTE)x - 1) * (_BYTE)x) & 1) != 0 ){v18 = v21 ^ v24[v19 - 1];v17[0] = main::$_0::operator()(v27, (unsigned int)v18);v16[0] = main::$_1::operator()(v25, (unsigned int)*(&s + v21 + v19 - 1));v8 = main::$_1::operator() const(char)::{lambda(int)#1}::operator()(v16, 7LL);v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator()(v17, (unsigned int)v8);v15[0] = main::$_2::operator()(v28, (unsigned int)v18);v14[0] = main::$_2::operator()(v28, (unsigned int)*(&s + v21 + v19 - 1));v9 = main::$_2::operator() const(char)::{lambda(char)#1}::operator()(v14, 18LL);v13[0] = main::$_3::operator()(v26, (unsigned int)v9);v10 = main::$_3::operator() const(char)::{lambda(char)#1}::operator()(v13, 3LL);v12[0] = main::$_0::operator()(v27, (unsigned int)v10);v11 = main::$_0::operator() const(char)::{lambda(char)#1}::operator()(v12, 2LL);v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator()(v15, (unsigned int)v11);}do{v18 = v21 ^ v24[v19 - 1];v17[0] = main::$_0::operator()(v27, (unsigned int)v18);v16[0] = main::$_1::operator()(v25, (unsigned int)*(&s + v21 + v19 - 1));v3 = main::$_1::operator() const(char)::{lambda(int)#1}::operator()(v16, 7LL);v18 = main::$_0::operator() const(char)::{lambda(char)#1}::operator()(v17, (unsigned int)v3);v15[0] = main::$_2::operator()(v28, (unsigned int)v18);v14[0] = main::$_2::operator()(v28, (unsigned int)*(&s + v21 + v19 - 1));v4 = main::$_2::operator() const(char)::{lambda(char)#1}::operator()(v14, 18LL);v13[0] = main::$_3::operator()(v26, (unsigned int)v4);v5 = main::$_3::operator() const(char)::{lambda(char)#1}::operator()(v13, 3LL);v12[0] = main::$_0::operator()(v27, (unsigned int)v5);v6 = main::$_0::operator() const(char)::{lambda(char)#1}::operator()(v12, 2LL);v18 = main::$_2::operator() const(char)::{lambda(char)#1}::operator()(v15, (unsigned int)v6);}while ( enc[v19 - 1] != v18 );while ( y >= 10 && ((((_BYTE)x - 1) * (_BYTE)x) & 1) != 0 );++v19;}

接下来来到了重头戏了，共六个函数一个一个分析

main::$_0::operator()

char __fastcall main::$_0::operator()(__int64 a1, char a2)
{return a2;
}

就是返回a2，我们把函数重命名为return_a2方便后续分析

main::$_1::operator() const(char)::{lambda(int)#1}::operator()

__int64 __fastcall main::$_1::operator() const(char)::{lambda(int)#1}::operator()(char *a1, int a2)
{return (unsigned int)(*a1 % a2);
}

返回a1%a2,这里a2是常数7，命名为return_a1_mod_7

main::$_0::operator() const(char)::{lambda(char)#1}::operator()

__int64 __fastcall main::$_0::operator() const(char)::{lambda(char)#1}::operator()(__int64 a1, char a2)
{int v2; // eaxint v3; // eaxchar *v5; // [rsp+0h] [rbp-40h]int v6; // [rsp+8h] [rbp-38h]int v7; // [rsp+Ch] [rbp-34h]int v8; // [rsp+10h] [rbp-30h]int v9; // [rsp+14h] [rbp-2Ch]char *v10; // [rsp+18h] [rbp-28h]char v11; // [rsp+23h] [rbp-1Dh]int v12; // [rsp+24h] [rbp-1Ch]bool v13; // [rsp+2Ah] [rbp-16h]bool v14; // [rsp+2Bh] [rbp-15h]unsigned int v15; // [rsp+2Ch] [rbp-14h]v13 = ((((_BYTE)x_5 - 1) * (_BYTE)x_5) & 1) == 0;v14 = y_6 < 10;v12 = 1023500310;v11 = a2;v10 = (char *)a1;do{while ( 1 ){while ( 1 ){while ( 1 ){v9 = v12;v8 = v12 + 2037067308;if ( v12 != -2037067308 )break;v5 = v10;*((_BYTE *)&v5 - 16) = v11;v12 = -1418698808;}v7 = v9 + 1418698808;if ( v9 != -1418698808 )break;v3 = -2037067308;v5 = v10;*((_BYTE *)&v5 - 16) = v11;v15 = *((char *)&v5 - 16) + *v5;if ( y_6 < 10 || ((((_BYTE)x_5 - 1) * (_BYTE)x_5) & 1) == 0 )v3 = 1456142001;v12 = v3;}v6 = v9 - 1023500310;if ( v9 != 1023500310 )break;v2 = -2037067308;if ( v14 || v13 )v2 = -1418698808;v12 = v2;}HIDWORD(v5) = v9 - 1456142001;}while ( v9 != 1456142001 );return v15;

核心部分

 v11 = a2;v10 = (char *)a1;
v5 = v10;
*((_BYTE *)&v5 - 16) = v11;
v15 = *((char *)&v5 - 16) + *v5;
return v15;

就是返回a1+a2，命名return_a1_add_a2

main::$_2::operator()

核心部分

v12 = a2;
*((_BYTE *)&v5 - 16) = v12;
LOBYTE(v5) = *((_BYTE *)&v5 - 16);
v16 = v5;
return v16;

就是返回v5低位，就是a2re_a22

main::$_2::operator() const(char)::{lambda(char)#1}::operator()

return (unsigned int)(char)(a2 ^ *a1);

命名return_a1_XOR_a2

main::$_3::operator()

v12 = a2;
*((_BYTE *)&v5 - 16) = v12;
LOBYTE(v5) = *((_BYTE *)&v5 - 16);
v16 = v5;
return v16;

命名re_a2222

main::$_3::operator() const(char)::{lambda(char)#1}::operator()

return (unsigned int)(a2 * *a1);

return_a1_x_a2
六个大爹干完了，然后再对逻辑进行分析，就是一直变换，就是解方程

v18=v24[v19-1];v17[0]=v18;//v17[0]=v24[v19-1];v16[0]=s[v19-1];v8=v16%7;//v8=s[v19-1]%7;v18=v17+v8;//v18=v24[v19-1]+s[v19-1]%7;v15[0]=v18;//v15[0]=v24[v19-1]+(s[v19-1]%7);v14[0]=s[v19-1];v9=v14^18;//v9=s[v19-1]^18;v13[0]=v9;//v13[0]=s[v19-1]^18;v10=v13*3;//v10=s[v19-1]^18*3;v12[0]=v10;v11=v12+2;//v11=s[v19-1]^18*3+2;v18=v15^v11;//v18={v24[v19-1]+(s[v19-1]%7)}^{s[v19-1]^18*3+2}

一层一层代入就得到了v18={v24[v19-1]+(s[v19-1]%7)}^{(s[v19-1]^18)*3+2}
然后再与enc[v19 - 1]比较，然后v19加1。继续上述循环。
然后逆过去解方程

v24[v19-1]+(s[v19-1]%7)=v18^(s[v19-1]^18*3+2)
v24[v19-1]=(v18^(s[v19-1]^18*3+2))-(s[v19-1]%7)

这样就能得到每一位了。现在看开头

puts("func(?)=\"01abfc750a0c942167651c40d088531d\"?");

32位，盲猜md5加密，去进行解密，得到符号#，说明第一个字符是#，即知道了s[v19-1]，v19=1;.又知道了v18即enc，我们就可以求出第二位，同理得到所有，脚本如下

enc=[0xF3, 0x2E, 0x18, 0x36, 0xE1, 0x4C, 0x22, 0xD1, 0xF9, 0x8C,0x40, 0x76, 0xF4, 0x0E, 0x00, 0x05, 0xA3, 0x90, 0x0E, 0xA5]
lst=[35]
for i in range(len(enc)):lst.append((((enc[i]^((lst[i]^18)*3+2)))-((lst[i]%7)))&0xff)print(lst)
for i in lst:print(chr(i),end='')

这里有个&0xff运算，防止数字溢出
得到flag

#flag{mY-CurR1ed_Fns}