0x13 HomuraVM

张Mini Nov 18, 2018

HomuraVM

  • My first time reversing an interpreter... It turns out the binary transforms the input flag and then checks the result. sub_8DC is the interpreter and sub_8AA is the anti-debugging routine; a long run of bytecode is parsed to carry out the operations:
    h[ur]ovMCh{mG}
    hv{aG}[ur]ovaaaMCh{mG}
    hv{aG}[ur]ovrrMCh{mG}
    hv{aG}[ur]ovrararaMCh{mG}
    hv{aG}[ur]ovrararrrMCh{mG}
    hv{aG}[ur]ovararaaMCh{mG}
    hv{aG}[ur]ovrararraraMCh{mG}
    hv{aG}[ur]ovrrrarrrMCh{mG}
    hv{aG}[ur]ovaarrarrMCh{mG}
    hv{aG}[ur]ovaaarrarMCh{mG}
    hv{aG}[ur]ovrrrarrMCh{mG}
    hv{aG}[ur]ovaarrraaMCh{mG}
    hv{aG}[ur]ovarraarMCh{mG}
    hv{aG}[ur]ovrrraaarrMCh{mG}
    hv{aG}[ur]ovaaarrrrarrMCh{mG}
    hv{aG}[ur]ovrrrraarrarrMCh{mG}
    hv{aG}[ur]ovrrarraMCh{mG}
    hv{aG}[ur]ovaaraarMCh{mG}
    hv{aG}[ur]ovrrarraMCh{mG}
    hv{aG}[ur]ovaarrrarMCh{mG}
    hv{aG}[ur]ovrraarraMCh{mG}
    hv{aG}[ur]ovrrarMCh{mG}
    hv{aG}[ur]ovaarrarMCh{mG}
    hv{aG}[ur]ovrrraarMCh{mG}
    hv{aG}[ur]ovrrrraaMCh{mG}
    hv{aG}[ur]ovrrarraMCh{mG}
    hv{aG}[ur]ovrrrrrrMCh{mG}
    hv{aG}[ur]ovaaaarMCh{mG}
    hv{aG}[ur]ovrraaaMCh{mG}
    hv{aG}[ur]ovaarraMCh{mG}
    hv{aG}[ur]ovrrarMCh{mG}
    hv{aG}[ur]ovaarraaMCh{mG}
    hv{aG}[ur]ovaarraraMCh{mG}
    hv{aG}[ur]ovaarrararMCh{mG}
    
C   n2-=2*(n1&input[i]);a++;
G   n2-=1;a++;
M   n2=n1+input[i];a++;
T   n2++;a++;
a   n1--;a++;
h   input[i++];a++;
m   input[i]+=1;a++;
o   input[i--];a++;
r   n1++;a++;
u   input[i]-=1;a++;
v   n2=n1;a++;
[ur]    n1+=input[i];input[i]=0
{mG}    input[i]+=n2;n2=0
{aG}    n1-=n2;n2=0
  • Here [] and {} act as loops: the instructions inside the brackets are executed while input[i] != 0.
  • After analysis, each line of bytecode turns out to implement roughly the following:

input[i]=(input[i-1]+(input[i]+x))-2*(input[i-1]&(input[i]+x))

  • where the value of x is determined by the number of r and a opcodes in each line of bytecode.

  • Later, while trying to brute-force it, I noticed that the expression above and

input[i]=(input[i]+x)^input[i-1]

  • are equivalent.
  • So the transformation can simply be inverted:
    # Bytes the transformed input is checked against, one per flag character
    flag_en=[27,114,17,118,8,74,126,5,55,124,31,88,104,7,112,7,49,108,4,47,4,105,54,77,127,8,80,12,109,28,127,80,29,96]
    # How the per-line offsets were counted from the bytecode lines saved in 1.txt:
    # with open("1.txt","r") as f1:
    #     list1=f1.readlines()
    # off=[]
    # for i in range(len(list1)):
    #     line=str(list1[i])
    #     n=(line.count("r")-1)-(line.count("a")-1)
    #     off.append(n)
    # print(off)
    off=[0, -3, 2, 0, 3, -2, 1, 5, 1, -1, 4, -1, 0, 2, 2, 5, 2, -2, 2, 1, 1, 2, 0, 2, 2, 2, 6, -3, -1, -1, 2, -2, -1, 0]
    # Invert input[i]=(input[i]+x)^input[i-1]: XOR with the previous byte, then subtract x.
    # Index -1 wraps to the last element of flag_en, as in the original script.
    flag=""
    for i in range(-1,33):
        flag+=chr((flag_en[i]^flag_en[i+1])-off[i+1])
    print(flag)
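A Python model of the opcode table above, added here as an example (it is not the challenge's or the author's code): run() interprets the bytecode over 8-bit cells, with the loop conditions for [ ] and { } taken from the table's derived semantics, and the first seven bytecode lines are fed a constructed plaintext to confirm that each line computes input[i]=(input[i]+x)^input[i-1]. invert() then undoes the chain the same way the solve script does, but starting from the first, untouched cell.

```python
# Added example, not the challenge's or the author's code: a byte-cell model of the HomuraVM
# opcode table. LINES is the first seven bytecode lines quoted above; PLAINTEXT is constructed.
LINES = ["h[ur]ovMCh{mG}", "hv{aG}[ur]ovaaaMCh{mG}", "hv{aG}[ur]ovrrMCh{mG}",
         "hv{aG}[ur]ovrararaMCh{mG}", "hv{aG}[ur]ovrararrrMCh{mG}",
         "hv{aG}[ur]ovararaaMCh{mG}", "hv{aG}[ur]ovrararraraMCh{mG}"]
PLAINTEXT = list(b"flag{vm}")  # one 8-bit cell per character
def run(prog, cells):
    """Interpret a HomuraVM program over cells; the table's 'a++' is the pc advance."""
    jump, stack = {}, []  # pair every '[' / '{' with its closing bracket
    for pc, op in enumerate(prog):
        if op in "[{":
            stack.append(pc)
        elif op in "]}":
            start = stack.pop()
            jump[start], jump[pc] = pc, start
    mem, i, n1, n2, pc = list(cells), 0, 0, 0, 0
    while pc < len(prog):
        op = prog[pc]
        if op == "C": n2 = (n2 - 2 * (n1 & mem[i])) & 0xFF
        elif op == "G": n2 = (n2 - 1) & 0xFF
        elif op == "M": n2 = (n1 + mem[i]) & 0xFF
        elif op == "T": n2 = (n2 + 1) & 0xFF
        elif op == "a": n1 = (n1 - 1) & 0xFF
        elif op == "r": n1 = (n1 + 1) & 0xFF
        elif op == "h": i += 1
        elif op == "o": i -= 1
        elif op == "m": mem[i] = (mem[i] + 1) & 0xFF
        elif op == "u": mem[i] = (mem[i] - 1) & 0xFF
        elif op == "v": n2 = n1
        # [ ] repeats while input[i] != 0, { } while n2 != 0 (so {mG} adds n2 to input[i])
        elif op == "[" and mem[i] == 0: pc = jump[pc]
        elif op == "]" and mem[i] != 0: pc = jump[pc]
        elif op == "{" and n2 == 0: pc = jump[pc]
        elif op == "}" and n2 != 0: pc = jump[pc]
        pc += 1
    return mem
def offsets(lines):  # x per line: r's minus a's once the fixed [ur] and {aG} loops are stripped
    bodies = [l.replace("[ur]", "").replace("{aG}", "") for l in lines]
    return [b.count("r") - b.count("a") for b in bodies]
def formula(lines, cells):  # the writeup's closed form: cell[k] = (cell[k] + x) ^ cell[k-1]
    out = list(cells)
    for k, x in enumerate(offsets(lines), start=1):
        out[k] = ((out[k] + x) & 0xFF) ^ out[k - 1]
    return out
def invert(lines, enc):  # undo the chain: plain[k] = (enc[k] ^ enc[k-1]) - x
    plain = list(enc)
    for k, x in enumerate(offsets(lines), start=1):
        plain[k] = ((enc[k] ^ enc[k - 1]) - x) & 0xFF
    return plain
```

Running run("".join(LINES), PLAINTEXT) and formula(LINES, PLAINTEXT) gives the same bytes, and invert() on that output returns the constructed plaintext.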