easyZ

Not easy at all, okay? I couldn't even recognise the architecture (S390) 🤪

First I opened it in IDA, which could not disassemble it.

So I used objdump on Linux to look at the architecture.

image-20201117195652477

Apparently it has no S390 support either.

I installed qemu in Kali to emulate the program and found:

image-20201117175913716

There are strings I can search for.

In hex.txt (the hex dump) I found the corresponding strings and their addresses.

image-20201117180221169

Then I searched dis.txt (the disassembly) for lines that reference addresses around 0x1071060 and found the body of the main function.

image-20201117202007252

Now the analysis.

1000b38: eb bf f0 58 00 24  stmg %r11,%r15,88(%r15)   // main: save callee-saved registers
1000b3e: e3 f0 ff 20 ff 71  lay %r15,-224(%r15)       // allocate the stack frame
1000b44: b9 04 00 bf        lgr %r11,%r15             // r11 = frame pointer
1000b48: b2 4f 00 10        ear %r1,%a0
1000b4c: eb 11 00 20 00 0d  sllg %r1,%r1,32
1000b52: b2 4f 00 11        ear %r1,%a1               // r1 = thread pointer (a0:a1)
1000b56: d2 07 b0 d8 10 28  mvc 216(8,%r11),40(%r1)   // copy the 8-byte stack guard from TLS+40 into the frame
1000b5c: c0 20 00 03 82 84  larl %r2,0x1071064        // "Please input your string:"
1000b62: c0 e5 00 00 40 43  brasl %r14,0x1008be8      // call 0x1008be8 (printf)
1000b68: ec 1b 00 a6 00 d9  aghik %r1,%r11,166        // r1 = &buf (input buffer at frame+166)
1000b6e: b9 04 00 31        lgr %r3,%r1               // 2nd argument: &buf
1000b72: c0 20 00 03 82 87  larl %r2,0x1071080        // 1st argument: format string for reading the input
1000b78: c0 e5 00 00 3a 5c  brasl %r14,0x1008030      // call 0x1008030 (scanf)
1000b7e: ec 1b 00 a6 00 d9  aghik %r1,%r11,166        // r1 = &buf
1000b84: b9 04 00 21        lgr %r2,%r1               // r2 = r1 (S390 puts the destination first: r1 is copied into r2, the 1st argument)
1000b88: c0 e5 ff ff fe c4  brasl %r14,0x1000910      // call 0x1000910 (function 1: length and character-set check)
1000b8e: b9 04 00 12        lgr %r1,%r2               // r1 = return value
1000b92: 12 11              ltr %r1,%r1
1000b94: a7 84 00 17        je 0x1000bc2              // 0 -> "you lose"
1000b98: ec 1b 00 a6 00 d9  aghik %r1,%r11,166
1000b9e: b9 04 00 21        lgr %r2,%r1               // r2 = &buf
1000ba2: c0 e5 ff ff ff 33  brasl %r14,0x1000a08      // call 0x1000a08 (function 2: per-character polynomial check)
1000ba8: b9 04 00 12        lgr %r1,%r2
1000bac: 12 11              ltr %r1,%r1
1000bae: a7 84 00 0a        je 0x1000bc2              // 0 -> "you lose"
1000bb2: c0 20 00 03 82 69  larl %r2,0x1071084        // "you win"
1000bb8: c0 e5 00 00 40 18  brasl %r14,0x1008be8      // call printf
1000bbe: a7 f4 00 08        j 0x1000bce
1000bc2: c0 20 00 03 82 66  larl %r2,0x107108e        // "you lose"
1000bc8: c0 e5 00 00 40 10  brasl %r14,0x1008be8      // call printf
1000bce: a7 18 00 00        lhi %r1,0
1000bd2: b9 14 00 11        lgfr %r1,%r1
1000bd6: b9 04 00 21        lgr %r2,%r1               // return value 0
1000bda: b2 4f 00 10        ear %r1,%a0
1000bde: eb 11 00 20 00 0d  sllg %r1,%r1,32
1000be4: b2 4f 00 11        ear %r1,%a1               // r1 = thread pointer again
1000be8: d5 07 b0 d8 10 28  clc 216(8,%r11),40(%r1)   // compare the saved stack guard with TLS+40
1000bee: a7 84 00 05        je 0x1000bf8
1000bf2: c0 e5 00 00 e5 2b  brasl %r14,0x101d648      // mismatch: stack-protector failure handler (__stack_chk_fail)
1000bf8: e3 40 b1 50 00 04  lg %r4,336(%r11)          // reload the return address
1000bfe: eb bf b1 38 00 04  lmg %r11,%r15,312(%r11)   // restore registers
1000c04: 07 f4              br %r4                    // return
1000c06: 07 07              nopr %r7                  // padding (no-op)

So main calls two check functions on the input, one at 0x1000910 and one at 0x1000a08, and prints "you win" only if both return non-zero.

First, the function at 0x1000910.

1000910: eb bf f0 58 00 24  stmg %r11,%r15,88(%r15)   // function 1: save registers
1000916: e3 f0 ff 50 ff 71  lay %r15,-176(%r15)
100091c: b9 04 00 bf        lgr %r11,%r15
1000920: e3 20 b0 a0 00 24  stg %r2,160(%r11)         // save the argument: pointer to the input
1000926: e3 20 b0 a0 00 04  lg %r2,160(%r11)
100092c: c0 e5 ff ff ff 02  brasl %r14,0x1000730      // call 0x1000730 (strlen)
1000932: b9 04 00 12        lgr %r1,%r2
1000936: a7 1f 00 20        cghi %r1,32               // strlen(input) == 32 ?
100093a: a7 84 00 06        je 0x1000946
100093e: a7 18 00 00        lhi %r1,0                 // wrong length: return 0
1000942: a7 f4 00 56        j 0x10009ee
1000946: e5 4c b0 ac 00 00  mvhi 172(%r11),0          // i = 0
100094c: a7 f4 00 49        j 0x10009de
1000950: e3 10 b0 ac 00 14  lgf %r1,172(%r11)
1000956: e3 10 b0 a0 00 08  ag %r1,160(%r11)
100095c: 43 10 10 00        ic %r1,0(%r1)
1000960: b9 94 00 11        llcr %r1,%r1              // c = input[i] (zero-extended byte)
1000964: c2 1f 00 00 00 2f  clfi %r1,47               // c <= 47 ('0' - 1): not a digit, go test the a-f range
100096a: a7 c4 00 11        jle 0x100098c
100096e: e3 10 b0 ac 00 14  lgf %r1,172(%r11)
1000974: e3 10 b0 a0 00 08  ag %r1,160(%r11)
100097a: 43 10 10 00        ic %r1,0(%r1)
100097e: b9 94 00 11        llcr %r1,%r1
1000982: c2 1f 00 00 00 39  clfi %r1,57               // c <= 57 ('9'): it is a digit, accept
1000988: a7 c4 00 24        jle 0x10009d0
100098c: e3 10 b0 ac 00 14  lgf %r1,172(%r11)
1000992: e3 10 b0 a0 00 08  ag %r1,160(%r11)
1000998: 43 10 10 00        ic %r1,0(%r1)
100099c: b9 94 00 11        llcr %r1,%r1
10009a0: c2 1f 00 00 00 60  clfi %r1,96               // c <= 96 ('a' - 1): reject
10009a6: a7 c4 00 11        jle 0x10009c8
10009aa: e3 10 b0 ac 00 14  lgf %r1,172(%r11)
10009b0: e3 10 b0 a0 00 08  ag %r1,160(%r11)
10009b6: 43 10 10 00        ic %r1,0(%r1)
10009ba: b9 94 00 11        llcr %r1,%r1
10009be: c2 1f 00 00 00 66  clfi %r1,102              // c <= 102 ('f'): accept, anything above rejects
10009c4: a7 c4 00 09        jle 0x10009d6
10009c8: a7 18 00 00        lhi %r1,0                 // bad character: return 0
10009cc: a7 f4 00 11        j 0x10009ee
10009d0: 18 00              lr %r0,%r0                // no-op
10009d2: a7 f4 00 03        j 0x10009d8
10009d6: 18 00              lr %r0,%r0                // no-op
10009d8: eb 01 b0 ac 00 6a  asi 172(%r11),1           // i++
10009de: 58 10 b0 ac        l %r1,172(%r11)
10009e2: a7 1e 00 1f        chi %r1,31                // loop while i <= 31
10009e6: a7 c4 ff b5        jle 0x1000950
10009ea: a7 18 00 01        lhi %r1,1                 // all 32 characters passed: return 1
10009ee: b9 14 00 11        lgfr %r1,%r1
10009f2: b9 04 00 21        lgr %r2,%r1               // return value in r2
10009f6: e3 40 b1 20 00 04  lg %r4,288(%r11)
10009fc: eb bf b1 08 00 04  lmg %r11,%r15,264(%r11)
1000a02: 07 f4              br %r4
1000a04: 07 07              nopr %r7
1000a06: 07 07              nopr %r7

So this is a loop over the input: the length must be exactly 32, and every character must be '0'-'9' or 'a'-'f' (lowercase hex; uppercase is rejected by the c <= 96 test). This is a pure validity check, so it does not tell us the flag, but it shrinks the search space for the second function to 16 candidates per position.

Now the second function, at 0x1000a08.

1000a08: b3 c1 00 2b        ldgr %f2,%r11             // function 2 (leaf, no calls): r11 and r15 are saved in FP registers instead of the stack
1000a0c: b3 c1 00 0f        ldgr %f0,%r15
1000a10: e3 f0 ff 48 ff 71  lay %r15,-184(%r15)
1000a16: b9 04 00 bf        lgr %r11,%r15
1000a1a: e3 20 b0 a0 00 24  stg %r2,160(%r11)         // save the argument: pointer to the input
1000a20: e5 4c b0 a8 00 00  mvhi 168(%r11),0          // i = 0
1000a26: a7 f4 00 4b        j 0x1000abc
1000a2a: e3 10 b0 a8 00 14  lgf %r1,168(%r11)
1000a30: e3 10 b0 a0 00 08  ag %r1,160(%r11)          // r1 = &input[i]
1000a36: 43 10 10 00        ic %r1,0(%r1)
1000a3a: b9 94 00 11        llcr %r1,%r1              // c = input[i]
1000a3e: 50 10 b0 b4        st %r1,180(%r11)          // frame+180 = c
1000a42: 58 30 b0 b4        l %r3,180(%r11)           // r3 = c
1000a46: 71 30 b0 b4        ms %r3,180(%r11)          // r3 = c * c (32-bit multiply)
1000a4a: c0 10 00 04 d3 ef  larl %r1,0x109b228        // r1 = data, a table of 96 32-bit words
1000a50: e3 20 b0 a8 00 14  lgf %r2,168(%r11)
1000a56: eb 22 00 02 00 0d  sllg %r2,%r2,2            // i * 4 (word index)
1000a5c: 58 12 10 00        l %r1,0(%r2,%r1)          // r1 = data[i]
1000a60: b2 52 00 31        msr %r3,%r1               // r3 = data[i] * c * c
1000a64: c0 10 00 04 d3 e2  larl %r1,0x109b228
1000a6a: e3 20 b0 a8 00 14  lgf %r2,168(%r11)
1000a70: a7 2b 00 20        aghi %r2,32               // i + 32
1000a74: eb 22 00 02 00 0d  sllg %r2,%r2,2
1000a7a: 58 12 10 00        l %r1,0(%r2,%r1)          // r1 = data[i + 32]
1000a7e: 71 10 b0 b4        ms %r1,180(%r11)          // r1 = data[i + 32] * c
1000a82: 1a 31              ar %r3,%r1                // r3 = data[i]*c*c + data[i+32]*c
1000a84: c0 10 00 04 d3 d2  larl %r1,0x109b228
1000a8a: e3 20 b0 a8 00 14  lgf %r2,168(%r11)
1000a90: a7 2b 00 40        aghi %r2,64               // i + 64
1000a94: eb 22 00 02 00 0d  sllg %r2,%r2,2
1000a9a: 58 12 10 00        l %r1,0(%r2,%r1)          // r1 = data[i + 64]
1000a9e: 1a 31              ar %r3,%r1                // r3 = data[i]*c*c + data[i+32]*c + data[i+64]
1000aa0: c4 18 00 04 d3 68  lgrl %r1,0x109b170        // r1 = out (64-bit pointer stored at 0x109b170)
1000aa6: e3 20 b0 a8 00 14  lgf %r2,168(%r11)
1000aac: eb 22 00 02 00 0d  sllg %r2,%r2,2
1000ab2: 50 32 10 00        st %r3,0(%r2,%r1)         // out[i] = r3
1000ab6: eb 01 b0 a8 00 6a  asi 168(%r11),1           // i++
1000abc: 58 10 b0 a8        l %r1,168(%r11)
1000ac0: a7 1e 00 1f        chi %r1,31
1000ac4: a7 c4 ff b3        jle 0x1000a2a             // loop while i <= 31
1000ac8: e5 4c b0 ac 00 01  mvhi 172(%r11),1          // ok = 1
1000ace: e5 4c b0 b0 00 00  mvhi 176(%r11),0          // j = 0
1000ad4: a7 f4 00 21        j 0x1000b16
1000ad8: c4 18 00 04 d3 4c  lgrl %r1,0x109b170        // compare loop: r1 = out
1000ade: e3 20 b0 b0 00 14  lgf %r2,176(%r11)
1000ae4: eb 22 00 02 00 0d  sllg %r2,%r2,2
1000aea: 58 32 10 00        l %r3,0(%r2,%r1)          // r3 = out[j]
1000aee: c0 10 00 04 d3 5d  larl %r1,0x109b1a8        // r1 = result, a table of 32 expected words
1000af4: e3 20 b0 b0 00 14  lgf %r2,176(%r11)
1000afa: eb 22 00 02 00 0d  sllg %r2,%r2,2
1000b00: 58 12 10 00        l %r1,0(%r2,%r1)          // r1 = result[j]
1000b04: 19 31              cr %r3,%r1
1000b06: a7 84 00 05        je 0x1000b10
1000b0a: e5 4c b0 ac 00 00  mvhi 172(%r11),0          // mismatch: ok = 0 (no early exit, all 32 are compared)
1000b10: eb 01 b0 b0 00 6a  asi 176(%r11),1           // j++
1000b16: 58 10 b0 b0        l %r1,176(%r11)
1000b1a: a7 1e 00 1f        chi %r1,31
1000b1e: a7 c4 ff dd        jle 0x1000ad8             // loop while j <= 31
1000b22: 58 10 b0 ac        l %r1,172(%r11)
1000b26: b9 14 00 11        lgfr %r1,%r1
1000b2a: b9 04 00 21        lgr %r2,%r1               // return ok
1000b2e: b3 cd 00 b2        lgdr %r11,%f2             // restore r11 and r15
1000b32: b3 cd 00 f0        lgdr %r15,%f0
1000b36: 07 fe              br %r14

So the function at 0x1000a08 computes, for every position i with c = input[i], the value data[i]*c*c + data[i+32]*c + data[i+64], where data is the table of 96 words at 0x109b228; it stores the 32 results in the array whose pointer lives at 0x109b170 and then compares them one by one with the 32 words at 0x109b1a8. Each position depends only on its own character (and with c at most 0x66 the products stay below 2^31, so no 32-bit overflow gets in the way), so we can dump the two tables and brute-force each character independently.

image-20201122212606748

# -*- coding:utf-8 -*-
from __future__ import print_function

# 96 words dumped from 0x109b228: data[i], data[i + 32] and data[i + 64] are the
# quadratic, linear and constant coefficients for position i
data = [0x0000b2b0, 0x00006e72, 0x00006061, 0x0000565d,
        0x0000942d, 0x0000ac79, 0x0000391c, 0x0000643d,
        0x0000ec3f, 0x0000bd10, 0x0000c43e, 0x00007a65,
        0x0000184b, 0x0000ef5b, 0x00005a06, 0x0000a8c0,
        0x0000f64b, 0x0000c774, 0x000002ff, 0x00008e57,
        0x0000aed9, 0x0000d8a9, 0x0000230c, 0x000074e8,
        0x0000c2a6, 0x000088b3, 0x0000af2a, 0x00009ea7,
        0x0000ce8a, 0x00005924, 0x0000d276, 0x000056d4,
        0x000077d7, 0x0000990e, 0x0000b585, 0x00004bcd,
        0x00005277, 0x00001afc, 0x00008c8a, 0x0000cdb5,
        0x00006e26, 0x00004c22, 0x0000673f, 0x0000daff,
        0x00000fac, 0x000086c7, 0x0000e048, 0x0000c483,
        0x000085d3, 0x00002204, 0x0000c2ee, 0x0000e07f,
        0x00000caf, 0x0000bf76, 0x000063fe, 0x0000bffb,
        0x00004b09, 0x0000e5b3, 0x00008bda, 0x000096df,
        0x0000866d, 0x00001719, 0x00006bcf, 0x0000adcc,
        0x00000f2b, 0x000051ce, 0x00001549, 0x000020c1,
        0x00003a8d, 0x000005f5, 0x00005403, 0x00001125,
        0x00009161, 0x0000e2a5, 0x00005196, 0x0000d8d2,
        0x0000d644, 0x0000ee86, 0x00003896, 0x00002e71,
        0x0000a6f1, 0x0000dfcf, 0x00003ece, 0x00007d49,
        0x0000c24d, 0x0000237e, 0x00009352, 0x00007a97,
        0x00007bfa, 0x0000cbaa, 0x000010dc, 0x00003bd9,
        0x00007d7b, 0x00003b88, 0x0000b0d0, 0x0000e8bc]
# 32 words dumped from 0x109b1a8: the expected value for each position
result = [0x08a73233, 0x116db0f6, 0x0e654937, 0x03c374a7,
          0x16bc8ed9, 0x0846b755, 0x08949f47, 0x04a13c27,
          0x0976cf0a, 0x07461189, 0x1e1a5c12, 0x11e64d96,
          0x03cf09b3, 0x093cb610, 0x0d41ea64, 0x07648050,
          0x092039bf, 0x08e7f1f7, 0x004d871f, 0x1680f823,
          0x06f3c3eb, 0x2205134d, 0x015c6a7c, 0x11c67ed0,
          0x0817b32e, 0x06bd9b92, 0x08806b0c, 0x06aaa515,
          0x205b9f76, 0x0de963e9, 0x2194e8e2, 0x047593bc]
a = 0
for i in range(32):
    # every position depends only on its own character, so each one is
    # brute-forced independently over printable ASCII
    for input in range(0x20, 0x7e, 1):
        a = input * input * data[i] + data[i + 32] * input + data[i + 64]
        if a == result[i]:
            print(chr(input), end="")
            break
print()
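The script above brute-forces over printable ASCII, which works but ignores what function 1 already told us. As an added example (my code, not part of the original writeup) here is a Python model of both check functions, faithful to the 32-bit arithmetic of ms/msr/ar, plus a solver that only tries the 16 characters function 1 accepts and then re-verifies the recovered string against both models. The two tables are the same words dumped from 0x109b228 and 0x109b1a8 as in the script above; the function and variable names are my own.

```python
# Python model of the two check functions from the easyZ binary, plus a solver.
# Added example, not the challenge's own code. DATA = 96 words at 0x109b228,
# RESULT = 32 words at 0x109b1a8 (copied from the dump above); names are mine.

DATA = [
    0xb2b0, 0x6e72, 0x6061, 0x565d, 0x942d, 0xac79, 0x391c, 0x643d,
    0xec3f, 0xbd10, 0xc43e, 0x7a65, 0x184b, 0xef5b, 0x5a06, 0xa8c0,
    0xf64b, 0xc774, 0x02ff, 0x8e57, 0xaed9, 0xd8a9, 0x230c, 0x74e8,
    0xc2a6, 0x88b3, 0xaf2a, 0x9ea7, 0xce8a, 0x5924, 0xd276, 0x56d4,
    0x77d7, 0x990e, 0xb585, 0x4bcd, 0x5277, 0x1afc, 0x8c8a, 0xcdb5,
    0x6e26, 0x4c22, 0x673f, 0xdaff, 0x0fac, 0x86c7, 0xe048, 0xc483,
    0x85d3, 0x2204, 0xc2ee, 0xe07f, 0x0caf, 0xbf76, 0x63fe, 0xbffb,
    0x4b09, 0xe5b3, 0x8bda, 0x96df, 0x866d, 0x1719, 0x6bcf, 0xadcc,
    0x0f2b, 0x51ce, 0x1549, 0x20c1, 0x3a8d, 0x05f5, 0x5403, 0x1125,
    0x9161, 0xe2a5, 0x5196, 0xd8d2, 0xd644, 0xee86, 0x3896, 0x2e71,
    0xa6f1, 0xdfcf, 0x3ece, 0x7d49, 0xc24d, 0x237e, 0x9352, 0x7a97,
    0x7bfa, 0xcbaa, 0x10dc, 0x3bd9, 0x7d7b, 0x3b88, 0xb0d0, 0xe8bc,
]
RESULT = [
    0x08a73233, 0x116db0f6, 0x0e654937, 0x03c374a7, 0x16bc8ed9, 0x0846b755, 0x08949f47, 0x04a13c27,
    0x0976cf0a, 0x07461189, 0x1e1a5c12, 0x11e64d96, 0x03cf09b3, 0x093cb610, 0x0d41ea64, 0x07648050,
    0x092039bf, 0x08e7f1f7, 0x004d871f, 0x1680f823, 0x06f3c3eb, 0x2205134d, 0x015c6a7c, 0x11c67ed0,
    0x0817b32e, 0x06bd9b92, 0x08806b0c, 0x06aaa515, 0x205b9f76, 0x0de963e9, 0x2194e8e2, 0x047593bc,
]

HEX_ALPHABET = b"0123456789abcdef"   # exactly what the function at 0x1000910 lets through
MASK32 = 0xffffffff                  # ms/msr/ar work on 32-bit registers


def check_charset(s: bytes) -> bool:
    """Model of 0x1000910: strlen == 32 and every byte is '0'-'9' or 'a'-'f'."""
    return len(s) == 32 and all(c in HEX_ALPHABET for c in s)


def poly(i: int, c: int) -> int:
    """One iteration of the first loop in 0x1000a08 for position i and byte c,
    truncated to 32 bits like the hardware (no overflow actually occurs for c <= 0x66)."""
    return (DATA[i] * c * c + DATA[i + 32] * c + DATA[i + 64]) & MASK32


def check_poly(s: bytes) -> bool:
    """Model of 0x1000a08: out[i] == RESULT[i] for all 32 positions (no early exit)."""
    return len(s) == 32 and all(poly(i, s[i]) == RESULT[i] for i in range(32))


def solve() -> bytes:
    """Recover the input position by position. The polynomial has positive
    coefficients, so it is strictly increasing in c and each position has at
    most one solution; we only need to try the 16 bytes check_charset accepts."""
    flag = bytearray()
    for i in range(32):
        hits = [c for c in HEX_ALPHABET if poly(i, c) == RESULT[i]]
        if len(hits) != 1:
            raise ValueError("position %d: %d candidates, expected exactly 1" % (i, len(hits)))
        flag.append(hits[0])
    return bytes(flag)


if __name__ == "__main__":
    flag = solve()
    # the binary's own acceptance condition: both checks must pass
    assert check_charset(flag) and check_poly(flag)
    print(flag.decode())
```

Running it prints the 32-character lowercase-hex string that makes the binary say "you win"; solve() raises if any position has no solution, which is the quickest way to catch a mistyped word when copying the tables out of the dump.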