unholy Writeup

这周末和小伙伴们一起打BKPCTF，我一个web狗，竟然撸逆向停不下来。。。撸了两个晚上。。。终于撸出来了。。

unholy这题说是ruby+python，其实我觉得主要还是逆C。。

main.rb
require_relative 'unholy'
include UnHoly
python_hi
puts ruby_hi
puts "Programming Skills: PRIMARILY RUBY AND PYTHON BUT I CAN USE ANY TYPE OF GEM TO CONTROL ANY TYPE OF SNAKE"
puts "give me your flag"
flag = gets.chomp!
arr = flag.unpack("V*")
is_key_correct? arr

一个很简单的ruby脚本，不过这里需要装libruby2.1才能跑。。。（自己装装就知道了，国内装libruby2.1有点坑)
然后重点在于unholy.so，丢到ida中逆向看看，有几个重要的地方，主要是method_check_key函数，也就是ruby里的is_key_correct?
这个函数规定了只能传入长度为９的int型数组

mov     [rsp+13E8h+matrix+24h], 61735320h　；　matrix[9] = 0x61735320

形成长度为10的数组，然后经过如下算法

loc_BFC:                                ; CODE XREF: method_check_key+112j
.text:0000000000000BFC block = rdx                             ; uint32_t[2]
.text:0000000000000BFC                 mov     rax, [rbx+rdi]
.text:0000000000000C00 block = rax                             ; uint32_t[2]
.text:0000000000000C00                 xor     r8d, r8d
.text:0000000000000C03                 mov     edx, eax
.text:0000000000000C05                 shr     block, 20h
.text:0000000000000C09
loc_C09:                                ; CODE XREF: method_check_key+FDj
.text:0000000000000C09                 mov     ecx, r8d
.text:0000000000000C0C                 mov     esi, eax
.text:0000000000000C0E                 and     ecx, 3
.text:0000000000000C11                 shr     esi, 5
.text:0000000000000C14                 mov     r9d, [rsp+rcx*4+13E8h+key]
.text:0000000000000C19                 mov     ecx, eax
.text:0000000000000C1B                 shl     ecx, 4
.text:0000000000000C1E                 xor     esi, ecx
.text:0000000000000C20                 lea     ecx, [rsi+rax]
.text:0000000000000C23                 add     r9d, r8d
.text:0000000000000C26                 sub     r8d, 61C88647h
.text:0000000000000C2D                 xor     ecx, r9d
.text:0000000000000C30                 add     edx, ecx
.text:0000000000000C32                 mov     ecx, r8d
.text:0000000000000C35                 shr     ecx, 0Bh
.text:0000000000000C38                 mov     esi, edx
.text:0000000000000C3A                 and     ecx, 3
.text:0000000000000C3D                 shr     esi, 5
.text:0000000000000C40                 mov     r9d, [rsp+rcx*4+13E8h+key]
.text:0000000000000C45                 mov     ecx, edx
.text:0000000000000C47                 shl     ecx, 4
.text:0000000000000C4A                 xor     esi, ecx
.text:0000000000000C4C                 lea     ecx, [rsi+rdx]
.text:0000000000000C4F                 add     r9d, r8d
.text:0000000000000C52                 xor     ecx, r9d
.text:0000000000000C55                 add     eax, ecx
.text:0000000000000C57                 cmp     r8d, 0C6EF3720h
.text:0000000000000C5E                 jnz     short loc_C09
.text:0000000000000C60                 shl     rax, 20h
.text:0000000000000C64 block = rdx                             ; uint32_t[2]
.text:0000000000000C64                 or      rax, block
.text:0000000000000C67                 mov     [rbx+rdi], rax
.text:0000000000000C6B                 add     rdi, 8
.text:0000000000000C6F                 cmp     rdi, 28h
.text:0000000000000C73                 jnz     short loc_BFC

这个算法转换用python写是：

for i in xrange(0, 10, 2):
	flag = 0
	while flag != 0xC6EF3720:
		arry[i] += (flag + key[(flag)&3])^(arry[i+1] * 16 ^ (arry[i+1] / 32) + arry[i+1])
		flag = ctypes.c_uint32(flag - 0x61C88647).value
		arry[i+1] += (flag + key[(flag / 2048)&3])^(((arry[i] * 16) ^ (arry[i] / 32)) + arry[i]);

最后输出的数组

cmp     [rsp+13E8h+matrix+24h], 4DE3F9FDh ;           matrix[9] == 0x4DE3F9FD

如果第十个数的值为0x4DE3F9FD, 则把前9个值传入下面的python脚本

import struct
import sys
X=[
	[%d,%d,%d],
	[%d,%d,%d],
	[%d,%d,%d] 
]
Y = [
	[383212,38297,8201833],
	[382494 ,348234985,3492834886],
	[3842947 ,984328,38423942839]
]
n=[5034563854941868,252734795015555591,55088063485350767967,
-2770438152229037,142904135684288795,-33469734302639376803,
-3633507310795117,195138776204250759,-34639402662163370450]
y=[
	[0,0,0],
	[0,0,0],
	[0,0,0]
]
A=[0,0,0,0,0,0,0,0,0]
for i in range(3):
	for j in range(3):
		for k in range(3):
			y[i][j]+=X[i][k]*Y[k][j]
c=0
for r in y:
	for x in r:
		if x!=n[c]:
			print "dang..."
			sys.exit(47)
		c=c+1
print ":)"

然后算出X

X=[
	[-1304886577,722035088,1368334760],
	[1473172750,412774077,-908901225],
	[-490967005,563111828,-952589187] 
]

所以上面那个算法的输出要为:

matrix = [-1304886577,722035088,1368334760,1473172750,412774077,-908901225,-490967005,563111828,-952589187, 1306786301] 

然后逆向算法最后得出脚本

# reserve.py
#!/usr/bin/env python
#-*- coding:utf-8 -*-

import ctypes

arry =[-1304886577,722035088,1368334760, 1473172750,412774077,-908901225, -490967005,563111828,-952589187, 1306786301]
key = [1952540791, 1768908659, 1852794734, 1701995880]
for x in range(len(arry)):
	arry[x] = ctypes.c_uint32(arry[x]).value

for i in xrange(0, 10, 2):
	flag = 0xC6EF3720
	while flag != 0:
		v12 = flag + key[(flag / 2048)&3]
		ecx4 = ((arry[i] * 16) ^ (arry[i] / 32)) + arry[i]
		x = v12^ecx4
		arry[i+1] = arry[i+1] - x
		arry[i+1] = ctypes.c_uint32(arry[i+1]).value

		flag = ctypes.c_uint32(flag + 0x61C88647).value

		v11 = flag + key[flag&3]
		ecx2 = ((arry[i+1] * 16) ^ (arry[i+1] / 32)) + arry[i+1]
		y = v11^ecx2
		arry[i] = arry[i] - y
		arry[i] = ctypes.c_uint32(arry[i]).value

for x in range(len(arry)):
	arry[x] = ctypes.c_int32(arry[x]).value
print arry

这里有几个重要的地方，坑了我好久，一个是优先级的问题，比如x ^ y + z这个其实是 x ^ (y + z)
还有一个，就是python不需要定义变量类型，而matrix十个值为uint_32, 所以python 就要通过ctypes进行转换，还有flag也需要进行转换.

最后得出

[1129335618, 1752909396, 544042349, 2036889439, 1684628512, 1696622880, 544105846, 1948282724, 2104715624, 1634947872]

这个数组就是flag

flag = ""
for x in arry:
	tem_hex = hex(x)[2:]
	tem_list = []
	for y in xrange(0, len(tem_hex), 2):
		tem_list.append(chr(int(tem_hex[y:y+2], 16)))
	tem_list.reverse()
	flag += "".join(tem_list)

print flag
# BKPCTF{hmmm _why did i even do this}