WhiteHat Contest 13 - [Reverse Engineering 100] Tuy Hoa
import re | |
from z3 import * | |
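# objdump-style disassembly of func0..func10 from the challenge binary (the
# `<_Z5funcNv+...>` jump targets name them), addresses and opcode bytes already
# stripped.  Each function computes an expression over the `key` dwords twice,
# `cmp`s the two results and calls wrong_password unless they are equal.
# Functions are separated by exactly one blank line: `split('\n\n')` below
# relies on it, and without the separators (or with trailing rendering residue
# on the lines) the whole listing is treated as one function.
funcs = '''
push rbp
mov rbp,rsp
sub rsp,0x10
mov eax,DWORD PTR [rip+0x201823] # 6021c8 <key+0x8>
mov ecx,DWORD PTR [rip+0x201831] # 6021dc <key+0x1c>
mov edx,DWORD PTR [rip+0x201813] # 6021c4 <key+0x4>
add edx,ecx
xor eax,edx
sub eax,0x7cd54cbf
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x2017fa] # 6021c0 <key>
mov edx,DWORD PTR [rip+0x2017fc] # 6021c8 <key+0x8>
mov esi,DWORD PTR [rip+0x20180a] # 6021dc <key+0x1c>
mov ecx,DWORD PTR [rip+0x2017ec] # 6021c4 <key+0x4>
add ecx,esi
xor edx,ecx
sub edx,0x7cd54cbf
cmp eax,edx
je 4009eb <_Z5func0v+0x54>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x2017c1] # 6021c0 <key>
mov eax,DWORD PTR [rip+0x2017df] # 6021e4 <key+0x24>
add edx,eax
mov eax,DWORD PTR [rip+0x2017b3] # 6021c0 <key>
sub edx,eax
mov eax,edx
add eax,0x6102312f
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x2017a2] # 6021c4 <key+0x4>
mov ecx,DWORD PTR [rip+0x201798] # 6021c0 <key>
mov edx,DWORD PTR [rip+0x2017b6] # 6021e4 <key+0x24>
add ecx,edx
mov edx,DWORD PTR [rip+0x20178a] # 6021c0 <key>
sub ecx,edx
mov edx,ecx
add edx,0x6102312f
cmp eax,edx
je 400a49 <_Z5func1v+0x58>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov eax,DWORD PTR [rip+0x20176f] # 6021cc <key+0xc>
mov ecx,DWORD PTR [rip+0x20177d] # 6021e0 <key+0x20>
mov edx,DWORD PTR [rip+0x201773] # 6021dc <key+0x1c>
add edx,ecx
sub eax,edx
mov edx,eax
mov eax,DWORD PTR [rip+0x20174f] # 6021c4 <key+0x4>
xor eax,edx
sub eax,0x6d6460c8
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x201740] # 6021c8 <key+0x8>
mov edx,DWORD PTR [rip+0x20173e] # 6021cc <key+0xc>
mov esi,DWORD PTR [rip+0x20174c] # 6021e0 <key+0x20>
mov ecx,DWORD PTR [rip+0x201742] # 6021dc <key+0x1c>
add ecx,esi
sub edx,ecx
mov ecx,edx
mov edx,DWORD PTR [rip+0x20171e] # 6021c4 <key+0x4>
xor edx,ecx
sub edx,0x6d6460c8
cmp eax,edx
je 400ab7 <_Z5func2v+0x68>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x2016f5] # 6021c0 <key>
mov eax,DWORD PTR [rip+0x201707] # 6021d8 <key+0x18>
xor edx,eax
mov eax,DWORD PTR [rip+0x2016f3] # 6021cc <key+0xc>
xor edx,eax
mov eax,DWORD PTR [rip+0x201703] # 6021e4 <key+0x24>
sub edx,eax
mov eax,DWORD PTR [rip+0x2016df] # 6021c8 <key+0x8>
add eax,edx
sub eax,0x37fafffd
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x2016d0] # 6021cc <key+0xc>
mov ecx,DWORD PTR [rip+0x2016be] # 6021c0 <key>
mov edx,DWORD PTR [rip+0x2016d0] # 6021d8 <key+0x18>
xor ecx,edx
mov edx,DWORD PTR [rip+0x2016bc] # 6021cc <key+0xc>
xor ecx,edx
mov edx,DWORD PTR [rip+0x2016cc] # 6021e4 <key+0x24>
sub ecx,edx
mov edx,DWORD PTR [rip+0x2016a8] # 6021c8 <key+0x8>
add edx,ecx
sub edx,0x37fafffd
cmp eax,edx
je 400b31 <_Z5func3v+0x74>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x201693] # 6021d8 <key+0x18>
mov eax,DWORD PTR [rip+0x201681] # 6021cc <key+0xc>
sub edx,eax
mov eax,DWORD PTR [rip+0x201689] # 6021dc <key+0x1c>
add edx,eax
mov eax,DWORD PTR [rip+0x201675] # 6021d0 <key+0x10>
xor eax,edx
add eax,0x2a312dd3
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x201662] # 6021d0 <key+0x10>
mov ecx,DWORD PTR [rip+0x201664] # 6021d8 <key+0x18>
mov edx,DWORD PTR [rip+0x201652] # 6021cc <key+0xc>
sub ecx,edx
mov edx,DWORD PTR [rip+0x20165a] # 6021dc <key+0x1c>
add ecx,edx
mov edx,DWORD PTR [rip+0x201646] # 6021d0 <key+0x10>
xor edx,ecx
add edx,0x2a312dd3
cmp eax,edx
je 400b9b <_Z5func4v+0x64>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x201619] # 6021c8 <key+0x8>
mov eax,DWORD PTR [rip+0x20162b] # 6021e0 <key+0x20>
sub edx,eax
mov eax,DWORD PTR [rip+0x201607] # 6021c4 <key+0x4>
xor edx,eax
mov eax,DWORD PTR [rip+0x20161f] # 6021e4 <key+0x24>
xor eax,edx
sub eax,0x3dea7877
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x2015fc] # 6021d4 <key+0x14>
mov ecx,DWORD PTR [rip+0x2015ea] # 6021c8 <key+0x8>
mov edx,DWORD PTR [rip+0x2015fc] # 6021e0 <key+0x20>
sub ecx,edx
mov edx,DWORD PTR [rip+0x2015d8] # 6021c4 <key+0x4>
xor ecx,edx
mov edx,DWORD PTR [rip+0x2015f0] # 6021e4 <key+0x24>
xor edx,ecx
sub edx,0x3dea7877
cmp eax,edx
je 400c05 <_Z5func5v+0x64>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov eax,DWORD PTR [rip+0x2015b3] # 6021cc <key+0xc>
mov edx,DWORD PTR [rip+0x2015c1] # 6021e0 <key+0x20>
mov esi,DWORD PTR [rip+0x2015ab] # 6021d0 <key+0x10>
mov ecx,DWORD PTR [rip+0x201599] # 6021c4 <key+0x4>
add ecx,esi
sub edx,ecx
add edx,eax
mov eax,DWORD PTR [rip+0x20159d] # 6021d4 <key+0x14>
sub edx,eax
mov eax,DWORD PTR [rip+0x20159d] # 6021dc <key+0x1c>
xor edx,eax
mov eax,DWORD PTR [rip+0x201581] # 6021c8 <key+0x8>
add eax,edx
sub eax,0x45bdbb01
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x20157e] # 6021d8 <key+0x18>
mov edx,DWORD PTR [rip+0x20156c] # 6021cc <key+0xc>
mov ecx,DWORD PTR [rip+0x20157a] # 6021e0 <key+0x20>
mov edi,DWORD PTR [rip+0x201564] # 6021d0 <key+0x10>
mov esi,DWORD PTR [rip+0x201552] # 6021c4 <key+0x4>
add esi,edi
sub ecx,esi
add ecx,edx
mov edx,DWORD PTR [rip+0x201556] # 6021d4 <key+0x14>
sub ecx,edx
mov edx,DWORD PTR [rip+0x201556] # 6021dc <key+0x1c>
xor ecx,edx
mov edx,DWORD PTR [rip+0x20153a] # 6021c8 <key+0x8>
add edx,ecx
sub edx,0x45bdbb01
cmp eax,edx
je 400c9f <_Z5func6v+0x94>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x201511] # 6021c4 <key+0x4>
mov eax,DWORD PTR [rip+0x20150f] # 6021c8 <key+0x8>
add edx,eax
mov eax,DWORD PTR [rip+0x201523] # 6021e4 <key+0x24>
sub edx,eax
mov eax,edx
sub eax,0x5d342bfc
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x201506] # 6021dc <key+0x1c>
mov ecx,DWORD PTR [rip+0x2014e8] # 6021c4 <key+0x4>
mov edx,DWORD PTR [rip+0x2014e6] # 6021c8 <key+0x8>
add ecx,edx
mov edx,DWORD PTR [rip+0x2014fa] # 6021e4 <key+0x24>
sub ecx,edx
mov edx,ecx
sub edx,0x5d342bfc
cmp eax,edx
je 400cfd <_Z5func7v+0x58>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov eax,DWORD PTR [rip+0x2014af] # 6021c0 <key>
mov ecx,DWORD PTR [rip+0x2014c5] # 6021dc <key+0x1c>
mov edx,DWORD PTR [rip+0x2014bb] # 6021d8 <key+0x18>
xor ecx,edx
mov edx,DWORD PTR [rip+0x20149f] # 6021c4 <key+0x4>
xor edx,ecx
add edx,eax
mov eax,DWORD PTR [rip+0x2014ad] # 6021dc <key+0x1c>
sub edx,eax
mov eax,edx
sub eax,0x2b402ece
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov eax,DWORD PTR [rip+0x20149c] # 6021e0 <key+0x20>
mov edx,DWORD PTR [rip+0x201476] # 6021c0 <key>
mov esi,DWORD PTR [rip+0x20148c] # 6021dc <key+0x1c>
mov ecx,DWORD PTR [rip+0x201482] # 6021d8 <key+0x18>
xor esi,ecx
mov ecx,DWORD PTR [rip+0x201466] # 6021c4 <key+0x4>
xor ecx,esi
add ecx,edx
mov edx,DWORD PTR [rip+0x201474] # 6021dc <key+0x1c>
sub ecx,edx
mov edx,ecx
sub edx,0x2b402ece
cmp eax,edx
je 400d7b <_Z5func8v+0x78>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x201435] # 6021c4 <key+0x4>
mov eax,DWORD PTR [rip+0x20143b] # 6021d0 <key+0x10>
imul eax,edx
mov esi,DWORD PTR [rip+0x201442] # 6021e0 <key+0x20>
mov edx,0x0
div esi
mov edx,eax
mov eax,DWORD PTR [rip+0x20141b] # 6021c8 <key+0x8>
xor eax,edx
sub eax,0x352afe01
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov ecx,DWORD PTR [rip+0x201424] # 6021e4 <key+0x24>
mov edx,DWORD PTR [rip+0x2013fe] # 6021c4 <key+0x4>
mov eax,DWORD PTR [rip+0x201404] # 6021d0 <key+0x10>
imul eax,edx
mov edi,DWORD PTR [rip+0x20140b] # 6021e0 <key+0x20>
mov edx,0x0
div edi
mov edx,eax
mov eax,DWORD PTR [rip+0x2013e4] # 6021c8 <key+0x8>
xor eax,edx
sub eax,0x352afe01
cmp ecx,eax
je 400df4 <_Z5func9v+0x73>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret

push rbp
mov rbp,rsp
sub rsp,0x10
mov edx,DWORD PTR [rip+0x2013bc] # 6021c4 <key+0x4>
mov eax,DWORD PTR [rip+0x2013c6] # 6021d4 <key+0x14>
add edx,eax
mov eax,DWORD PTR [rip+0x2013c6] # 6021dc <key+0x1c>
sub edx,eax
mov eax,edx
mov eax,eax
mov QWORD PTR [rbp-0x8],rax
mov edx,DWORD PTR [rip+0x20139e] # 6021c4 <key+0x4>
mov eax,DWORD PTR [rip+0x2013a8] # 6021d4 <key+0x14>
add edx,eax
mov eax,DWORD PTR [rip+0x2013a8] # 6021dc <key+0x1c>
sub edx,eax
mov eax,edx
cmp eax,0x89415e34
je 400e44 <_Z6func10v+0x4a>
call 40096d <_Z14wrong_passwordv>
mov rax,QWORD PTR [rbp-0x8]
leave
ret
'''.strip().split('\n\n')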
# Emulator register file: the five 32-bit registers the listing touches, all
# starting at 0.  Entries are overwritten as instructions are replayed — with
# plain ints for immediates and with z3 expressions once a `mov` loads a key
# slot — so this is shared mutable state for the loop below.
regs = dict.fromkeys(('eax', 'ecx', 'edx', 'edi', 'esi'), 0)
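def get_value(v):
    """Resolve one instruction operand to its current value.

    Args:
        v: an operand token — a hex immediate such as ``0x7cd54cbf`` or the
           name of a register tracked in ``regs``.

    Returns:
        The parsed immediate (int), or the register's current contents (an int
        or a z3 expression, whatever the emulator last stored there).

    Raises:
        ValueError: for any operand the emulator does not model (memory
            operands, 64-bit registers, decimal immediates).  ValueError is a
            subclass of Exception, so existing broad handlers still catch it.
    """
    # Immediates first: they never touch emulator state.
    if v.startswith('0x'):
        return int(v, 16)
    # Look registers up in the emulator state itself instead of a second
    # hard-coded list, so the two cannot drift apart.
    if v in regs:
        return regs[v]
    raise ValueError('unsupported operand: %r' % (v,))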
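# One 32-bit symbolic variable per 4-byte key slot, for the offsets the listing
# dereferences (key+0x0 .. key+0x24), so key[i] is the dword at key+4*i.
key = [BitVec('key_%x' % x, 32) for x in range(0, 0x24 + 1, 4)]
s = Solver()


def _key_slot(line):
    """Return the index into ``key`` named by a ``<key+0xNN>`` operand.

    Returns None when the line does not reference the key symbol.  The
    offset only appears in the objdump comment (``# 6021c8 <key+0x8>``), so
    it is parsed from the whole line instead of a fixed token position —
    that keeps the parse independent of how many tokens follow the operand.
    """
    km = re.search(r'<key(?:\+(0x[0-9a-fA-F]+))?>', line)
    if km is None:
        return None
    offset = int(km.group(1), 16) if km.group(1) else 0
    # `//` keeps the index an int on Python 3 as well as Python 2.
    return offset // 4


# Replay each function symbolically: every arithmetic instruction updates
# `regs`, and each `cmp` becomes an equality constraint — the `je` that
# follows it is the path that skips wrong_password, so both operands must
# match.  Stack-frame instructions are not modelled.
for func in funcs:
    for line in func.splitlines():
        t = line.split()
        if not t:
            continue  # tolerate stray blank lines inside a function
        op = t[0]
        if op == 'add':
            a, b = t[1].split(',')
            regs[a] = get_value(a) + get_value(b)
        elif op == 'sub':
            if 'rsp' in t[1]:
                continue  # `sub rsp,0x10` is frame setup, not key arithmetic
            a, b = t[1].split(',')
            regs[a] = get_value(a) - get_value(b)
        elif op == 'xor':
            a, b = t[1].split(',')
            regs[a] = get_value(a) ^ get_value(b)
        elif op == 'div':
            # x86 `div r32` is unsigned, but `/` and `%` on z3 bit-vectors are
            # the signed operators, so use the unsigned forms explicitly.  The
            # listing zeroes edx right before each div, so the 64-bit edx:eax
            # dividend is just eax and 32-bit division is exact.
            divisor = get_value(t[1])
            dividend = get_value('eax')
            regs['eax'] = UDiv(dividend, divisor)
            regs['edx'] = URem(dividend, divisor)
        elif op == 'imul':
            a, b = t[1].split(',')
            regs[a] = get_value(a) * get_value(b)
        elif op == 'mov':
            if 'QWORD' in t[1] or 'rbp' in t[1]:
                continue  # spill/reload through [rbp-0x8] and `mov rbp,rsp`
            a, b = t[1].split(',')
            slot = _key_slot(line)
            if slot is not None:
                regs[a] = key[slot]
            else:
                regs[a] = get_value(b)
        elif op == 'cmp':
            a, b = t[1].split(',')
            s.add(get_value(a) == get_value(b))

# Fail loudly instead of letting s.model() raise on an unsatisfiable system.
if s.check() != sat:
    raise SystemExit('no key satisfies the extracted constraints')
m = s.model()

# Each slot is a little-endian dword: zero-pad to 8 hex digits (hex() drops
# leading zeros, which would shift the byte pairs) and reverse the pairs.
# model_completion=True assigns a value to any slot the constraints left
# unconstrained instead of returning None.
res = ''
for k in key:
    h = '%08x' % m.eval(k, model_completion=True).as_long()
    res += ''.join(reversed(re.findall(r'.{2}', h)))
print(res.decode('hex'))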