2023年3月16日02:17:54评论11 views字数 35634阅读118分46秒阅读模式

C++异常处理控制流下的OLLVM混淆

本文为看雪论坛精华文章

看雪论坛作者ID：P.Z

Inflated!!!

C++异常化处理
OLLVM-控制流平坦化
Two Puzzles

Exception

一般碰到C++异常逆向，确定了异常分发、处理部分，直接把call throw改为jmp catch块，再F5即可。

PS: 多个catch块根据rdx来当为异常处理数值决定哪个为对应的catch块。

关于以上，这篇讲的很详细：

https://4nsw3r.top/2022/02/03/SCTF-REVERSE-CplusExceptionEncrypt-%E8%B5%9B%E5%90%8E%E5%A4%8D%E7%8E%B0/#Clang-x64

然而，这题没这么简单，套了个ollvm！？基于异常处理的ollvm，无论从哪个角度都没法使用之前的老套路。

耐心看完这两篇文章就会有所收获，对于此题的被异常处理搞乱掉的cfg就会有所理解。

https://www.cnblogs.com/catch/p/3604516.html

https://www.cnblogs.com/catch/p/3619379.html

OLLVM

要是平常的ollvm都可以按照这篇来解决：

https://bluesadi.github.io/0x401RevTrain-Tools/angr/10_%E5%88%A9%E7%94%A8angr%E7%AC%A6%E5%8F%B7%E6%89%A7%E8%A1%8C%E5%8E%BB%E9%99%A4%E6%8E%A7%E5%88%B6%E6%B5%81%E5%B9%B3%E5%9D%A6%E5%8C%96/

其他的原理讲的非常好，问题是这题并不是那么简单，但为了去ollvm我们的思路也是一样的，所以要对ollvm的cfg熟悉，并懂得我们该如何恢复一个被ollvm混淆后的代码。

现在就开始写我对这题的看法！

参考Write up:

https://github.com/Lnkvct/CTF-for-Fun/blob/main/Challenges/Inflated-ACTF2022/writeup.md

https://www.cnblogs.com/FW-ltlly/p/16472171.html

lchild师傅的Write up（pdf所以没法给链接）

0x00 日常查壳

（感觉好久没写wp了）

无壳64位

0x01 CFG

GETC

在讲这题ollvm与异常处理之前，有必要先搞懂我们到底是怎么输入的。

一共有三处getc处理我们第一段输入的地方。

40762940553A（专门用来处理箭头）405676（专门用来处理箭头）

程序最先开始运行的是 407629，这里我们可以输入上下左右箭头与特定的数字。

如果是数字，程序读取加密进行存放
如果是箭头，会继续进行处理

（同时我们的输入还会决定异常类型）

Official Write up: The value of the first field of the thrown StdObfException object comes from the second input passed to the construct of StdObfException.

那么异常处理先不深究，继续回来箭头如何处理这个问题。那么箭头其实为三字节码，上下左右箭头分别对应 ^[[A ^[[B ^[[C ^[[D。此时开始动调，我第一次输入为上箭头，同时注意RAX。

那么在 407629 第一次处理箭头会读取为1B。

随后到 40553A 读取为5B。

最后到达 405676 可以发现我们的上箭头代码所对应的字符为A。

以上就解释了第一段输入的处理，等到最后解密第一段输入就会用到此。

OLLVM

引用这张图，想要去掉ollvm最基本的是要认识这几个块。

https://security.tencent.com/index.php/blog/msg/112

先抛去原题，来认识一下这些名词：

函数的开始地址为序言（Prologue）的地址
序言的后继为主分发器（Main dispatcher）
后继为主分发器的块为预处理器（Predispatcher）
后继为预处理器的块为真实块（Relevant blocks）
无后继的块为retn块
剩下的为无用块与子分发器（Sub dispatchers）

那参考文章，总结来说，利用angr符号执行去除控制流平坦化的步骤可以归结为三个步骤：

静态分析CFG得到序言/入口块（Prologue）、主分发器（Main dis。
patcher）、子分发器/无用块（Sub dispatchers）、真实块（Relevant blocks）、预分发器（Predispatcher）和返回块（Return）。
利用符号执行恢复真实块的前后关系，重建控制流。
根据第二步重建的控制流Patch程序，输出恢复后的可执行文件。

简单来说就是获取所有的块，利用angr符号执行我们的真实块，查看真实块之间的流程，再抛去我们不要的块，patch程序，完成！

（那么具体的实现看文章）

https://bluesadi.github.io/0x401RevTrain-Tools/angr/10_%E5%88%A9%E7%94%A8angr%E7%AC%A6%E5%8F%B7%E6%89%A7%E8%A1%8C%E5%8E%BB%E9%99%A4%E6%8E%A7%E5%88%B6%E6%B5%81%E5%B9%B3%E5%9D%A6%E5%8C%96/

然而这题根本不像啊！可以看出这题的CFG根本看不懂，不像单单ollvm混淆过的cfg那么漂亮。

Exception

为了搞懂CFG为什么成这样了，得先了解下异常的原理，参考原文：

https://www.cnblogs.com/catch/p/3604516.html

对于最基本的thown catch不再赘述，这篇讲到很清楚：

https://4nsw3r.top/2022/02/03/SCTF-REVERSE-CplusExceptionEncrypt-%E8%B5%9B%E5%90%8E%E5%A4%8D%E7%8E%B0/#Clang-x64

异常抛出后，发生了什么事情？

1、如果当前函数没有catch，就沿着函数的调用链继续往上抛，然后出现两种情况：

在某个函数中找到相应的catch；

没找到相应的catch，调用 std::terminate() （这个函数是把程序abort）。

2、如果想找到了相应的catch，执行相应的操作。

程序中catch的代码块有个专有名词：Landing pad

3、从抛异常到开始 -> 执行Landing pad代码这整个过程叫作Stack unwind。

Stack unwind

从抛异常函数开始，对调用链上的函数逐个往前查找Landing pad。

如果没有找到Landing pad则把程序abort，如果找到则记下Landing pad的位置，再重新回到抛异常的函数那里开始，一帧一帧地清理调用链上各个函数内部的局部变量，直到 landing pad 所在的函数为止。

void func1(){  cs a; // stack unwind时被析构。  throw 3;}
void func2(){  cs b;  func1();}
void func3(){  cs c;  try  {    func2();  }  catch (int)  {    //进入这里之前， func1, func2已经被unwind.  }}

stack unwind的过程可以简单看成函数调用的逆过程，这个过程在实现上由一个专门的stack unwind库来实现。

stack unwind库在intel平台上
属于Itanium ABI 接口中的一部分
与具体的语言无关，由系统实现
任何上层语言都可以通过这个接口的基础实现各自的异常处理
GCC就是通过这个接口实现C++的异常处理

Itanium C++ ABI

ltanium C++ ABI定义了一系列函数以及数据结构来建立整个异常处理的流程及框架，主要函数包括以下列：

_Unwind_RaiseException,_Unwind_Resume,_Unwind_DeleteException,_Unwind_GetGR,_Unwind_SetGR,_Unwind_GetIP,_Unwind_SetIP,_Unwind_GetRegionStart,_Unwind_GetLanguageSpecificData,_Unwind_ForcedUnwind

其中 _Unwind_RaiseException() 函数进行stack unwind，它在用户执行throw的时被调用。

主要功能：

从当前函数开始，对调用链上的每一个函数都调用一个叫做 personality routine 的函数（__gxx_personality_v0）。

personality routine 该函数由上层的语言定义及提供实现。

_Unwind_RaiseException() 会在内部把函数栈调用现场重现，然后传给 personality routine，该函数主要做两件事情：

1、检查当前函数是否有相对应的catch；

2、清理调用栈上的局部变量。

那么稍稍总结一下，就是当程序抛出异常就要进行 stack unwind 操作。

而这个操作具体是 _Unwind_RaiseException() 中的 personality routine() 实现了检查catch和清理栈上的局部变量。

C++ ABI

基于前面介绍的 ltanium ABI，编译器层面也定义了一系列 ABI 与之交互。

当我们在代码中写下 throw xxx，编译器会分配一个数据结构 __cxa_exception 来表示该异常，该异常也有一个头部，定义如下：

struct __cxa_exception{  std::type_info *    exceptionType;  void (*exceptionDestructor) (void *);  unexpected_handler    unexpectedHandler;  terminate_handler    terminateHandler;  __cxa_exception *    nextException;
  int     handlerCount;  int     handlerSwitchValue;  const char *     actionRecord;  const char *     languageSpecificData;  void *     catchTemp;  void *     adjustedPtr;
  _Unwind_Exception    unwindHeader;};

当用户 throw 一个异常时，编译器会帮我们调用相应的函数分配出如下的结构：

其中 __cxa_exception 就是头部，exception_obj 则是 "throw xxx" 中的 xxx，这两部分在内存中是连续的。

异常对象由函数 __cxa_allocate_exception() 进行创建
最后由 __cxa_free_exception() 进行销毁

当我们在程序里执行了抛出异常的操作，编译器为我们做了如下的事情：

1、调用 cxa_allocate_exception 函数，分配一个异常对象（cxa_exception，数据结构如上）。

2、调用 __cxa_throw 函数，这个函数会将异常对象做一些初始化。

3、__cxa_throw() 调用 Itanium ABI 里的 _Unwind_RaiseException() 从而开始 unwind。

4、_Unwind_RaiseException() 对调用链上的函数进行 unwind 时，调用 personality routine()。

5、该异常如能被处理(有相应的 catch)，则 personality routine 会依次对调用链上的函数进行清理。

6、_Unwind_RaiseException() 将控制权转到相应的catch代码。

7、unwind 完成，用户代码继续执行。

总结太Bravo了！

再看异常处理

有了这些前置知识，再看题目中的异常，由前面描述可知实现 unwind stack 的具体过程是通过 __gxx_personality_v0（即personality routine）实现。

这时候我们再去IDA里调整此函数。

_Unwind_Reason_Code __fastcall _gxx_personality_v0(        int Version,        _Unwind_Action actions,        __int64 exceptionClass,        _Unwind_Exception *exceptionObject,        _Unwind_Context *context)

光标在函数，按Y修改类型。

scan_eh_tab

回忆__gxx_personality_v0函数功能：

检查当前函数是否有相应的 catch 语句。
清理当前函数中的局部变量。

在personality routine()下的 scan_eh_tab() 该函数有我们最关心的两个值，同时也是魔改处。

与源码对比：https://code.woboq.org/llvm/libcxxabi/src/cxa_personality.cpp.html#__cxxabiv1::scan_eh_tab

Shfit + F1 -> INS 导入结构体。

struct scan_results{int64_t ttypeIndex;const uint8_t* actionRecord;const uint8_t* languageSpecificData;uintptr_t landingPad;void* adjustedPtr;_Unwind_Reason_Code reason;};

光标在scan_eh_tab函数上按Y修改。

void scan_eh_tab(scan_results *results, _Unwind_Action actions, bool native_exception, _Unwind_Exception *unwind_exception, _Unwind_Context *context)

Landing pad

Landing pad（指向catch块的分发处，只单单拿到landing pad还不够，这时候还缺少一个对应异常类型ttypeIndex）。

ttypeIndex

首先要求父类为StdObfException的异常。

最后的ttypeIndex由 thrown_object_ptr（由我们的第一段输入所决定的thrown_object_ptr）和原始固定固定typeIndex 决定。

Official Write up: And we have figured out that the ttypeIndex is determined by the first field of the thrown StdObfException object and the lptinfo passed to __cxa_throw. The value of the first field of the thrown StdObfException object comes from the second input passed to the construct of StdObfException.

那么这两个值到底具体指的是什么？？

其实上面已经给出了答案，反复调试可知，可以发现我们的第一段输入设置了父类StdObfException。

the first field of the thrown StdObfException object 指的就是我们的输入。

the lptinfo passed to __cxa_throw 指的就是当 ___cxa_allocate_exception 创建的异常，也就是固定的。

现在知道了魔改后的流程是从哪里来到哪里去，人工方式就是跳到landing pad再设置rdx为ttypeIndex就可以到达我们所对应的catch块。

什么叫CFG！

那么现在知道了routine personality 中的 scan_eh_tab被修改了，而IDA平常能识别throw catch这些块的原因就是这些正常的源码。

然而landingpad与ttypeIndex都被修改了，所以导致了IDA识别的CFG成了这个样子。

我们根本没法用肉眼知道throw的块在哪，只有通过动调才能确定，然而这就导致了原先的deflat脚本都不不行了。

原因主要为两点：

1、无法确定throw后的块；

2、throw可能对着多个catch块，这时候就通过rdi（ttypeIndex）进行catch块分发（landingPad）。

原因还有种种就不一一举例，就无法正常原先deflat所需要的CFG块。

以下开始就是跟着官方脚本复现。我们再回忆一下正常的ollvm的执行流程：

Prologue（入口块）-> Main dispatcher（主分发器）-> Sub dispathers（子分发器）-> Relevant blocks（真实块）-> Predispather（预分发器）-> Main dispatcher（主分发器）...

总结一下这道题的CFG。

我们的下一个真实块取决于系统生产的lptinfo和我们的第一段输入所导致的StdObfException，在每个真实块的结束，我们不只是跳往与预分发器，而是调用 __cxa_throw 进行第二次调度，我们称二次调用为 second dispatch。

所以我们的执行流就是：

... -> main dispatcher -> sub dispatchers -> relevant block -> throw StdObfException exception -> Secondary dispatchers -> pre-dispatcher -> main dispatcher -> ...

除此之外，程序还抛出了一些真正的异常，对于这些异常，第二次调用发生于Landing pad末尾。

... -> main dispatcher -> sub dispatchers -> relevant block that throws real exceptions -> the according real LandingPad block -> throw StdObfException exception -> Secondary dispatchers -> pre-dispatcher -> main dispatcher -> ...

0x02 Deflat Solution

去该平坦化控制流，有两个步骤：

找到所有的真实块
找到真实块之间的关系

Find all relevant blocks

我们可以从主分发器开始寻找，找到所有子分发器的后继者，这些后继者本身不是子分发器。

官方WP中一眼丁真发现子分发器由该指令格式组成。

sub dispathers such as:cmpjx

于是由此区别出来：

isCmpRI = lambda instr: instr.mnemonic == "cmp" and  hasattr(instr.operands[0], "_X86RegisterOperand__key") and  hasattr(instr.operands[1], "_X86ImmediateOperand__key")isCJmp = lambda instr: instr.mnemonic.startswith("j") and   instr.mnemonic != "jmp"isSubDispatcher = lambda bb: (len(bb.instrs) == 2) and   isCmpRI(bb.instrs[0]) and isCJmp(bb.instrs[1])

首先判断是否为子分发器，然后排除法找到所有真实块。

class PatchHelper:  ## ......  # To get all cfgs  def block(self, addr):    bb = self.cfg.find_basic_block(addr)    if bb is None:      bb = barf.bb_builder.strategy._disassemble_bb(addr, barf.binary.ea_end, {})    return bb def get_relevant_blocks(cfg, patch_helper, main_dispatcher):  isCmpRI = lambda instr: instr.mnemonic == "cmp" and    hasattr(instr.operands[0], "_X86RegisterOperand__key") and    hasattr(instr.operands[1], "_X86ImmediateOperand__key")  isCJmp = lambda instr: instr.mnemonic.startswith("j") and     instr.mnemonic != "jmp"  isSubDispatcher = lambda bb: (len(bb.instrs) == 2) and     isCmpRI(bb.instrs[0]) and isCJmp(bb.instrs[1])  relevant_blocks = []  visited = set()  q = SimpleQueue()  q.put(patch_helper.block(main_dispatcher))  while not q.empty():    bb = q.get()    # Either Sub Patchers or Relevant blocks?    if isSubDispatcher(bb):      for succ, cond in bb.branches:        if succ in visited:          continue        q.put(patch_helper.block(succ))        visited.add(succ)    else:      relevant_blocks.append(bb)  return relevant_blocks

Relevant blocks:

*******************relevant blocks************************main_dispatcher:0x404a80relevant_blocks: ['0x409437', '0x406443', '0x404ab8', '0x408031', '0x407842', '0x407d31', '0x407437', '0x407f4f', '0x4076bd', '0x407a6b', '0x40723e', '0x407fc4', '0x409458', '0x407bc7', '0x40732f', '0x407ebc', '0x407566', '0x407960', '0x4070fa', '0x405e7a', '0x4078e3', '0x407e5a', '0x4074ca', '0x405c87', '0x407741', '0x407af5', '0x4072b4', '0x405ded', '0x4077b6', '0x407c6b', '0x4073a4', '0x405b29', '0x4075f9', '0x407a06', '0x4071aa', '0x406cfe', '0x406c94', '0x406ef0', '0x406859', '0x40707d', '0x406b62', '0x406f5f', '0x4065c9', '0x406e5d', '0x406a72', '0x406d7b', '0x406704', '0x406def', '0x406964', '0x40944b', '0x4064a5', '0x405469', '0x405a5f', '0x404fae', '0x40532c', '0x40589c', '0x404d58', '0x4053d3', '0x405923', '0x404ec5', '0x40529a', '0x4057b8', '0x404bc4', '0x405f2a', '0x4056f0', '0x406299', '0x4068f0', '0x4063b0', '0x406bf9', '0x406323', '0x406646', '0x40620f', '0x406b00', '0x4060e7', '0x4067bb', '0x40617c', '0x4069e3', '0x40606d', '0x406521', '0x4051fe', '0x405647', '0x404e14', '0x4055b5', '0x4050cc', '0x40550b', '0x404ca4']

Find the flow

官网WP指出抽象出来，留个坑，以后熟了试试。

Official Write up: A good idea is to abstract the throw StdObfException -> catch process and do the one basic block symbolic execution (You can refer to Deobfuscation: recovering an OLLVM-protected program（https://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html） or 利用符号执行去除控制流平坦化（https://security.tencent.com/index.php/blog/msg/112） for more information).

于是官网WP又给了个更有趣的方法，GDB脚本！

为了找到真实块之间的流程，通过普通的执行然后打印真实块需要的信息！

但是我们不一样能得到所有的流程因为部分可能没执行到，但是我们依然可以利用提取出来的信息去恢复部分控制流，并弄清楚如何输入可以恢复更多流程。（怎么好像梦到过我在这写wp...）

生成GDB的脚本如下：

40A3D4为我们catch块地址
_ZN18StdSubObfExceptionC2Ec为了打印异常类型

cmds = """set pagination off b *0x40A3D4commands  silent  printf "landingPad: %x\n", $rdx  continueend b _ZN18StdSubObfExceptionC2Eccommands  silent  printf "selector: %x\n", $rsi  continueend define mytrace  break $arg0  commands    silent    printf "%x\n", $pc    python gdb.execute('continue')  endend"""for bb in relevant_blocks:    cmds += (f"mytrace *{hex(bb.address)} n")cmds += "runn"with open("test.gdb", "w") as f:    f.write(cmds)

cat teatin0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef gdb inflated -x test.gdb --batch < testin > testout

于是可以获取真实块接下来的landing pad与异常类型。

Breakpoint 1 at 0x40a3d4......Breakpoint 88 at 0x404ca44075f9selector: 0landingPad: 4089bf4072b4selector: 0landingPad: 4085034075f9selector: 2landingPad: 4089bf4060e7selector: 0......40617cselector: 0landingPad: 409100409437[Inferior 1 (process 13732) exited normally]

然后就写个PARSER分析。

def parse_logs(logfn, prologue, patch_helper):  with open(logfn, "r") as f:    t = f.readlines()  i = 0  selector_s = "selector: "  landingpad_s = "landingPad: "  relations = set()  laddr = prologue  lselector = 0  landingpad = 0  while i < len(t):    try:      addr = int(t[i], 16)    except:      i += 1      continue    if not laddr is None:      relations.add((laddr, lselector, addr))    if t[i+1].startswith(selector_s):      selector = int(t[i+1][len(selector_s):], 16)      i += 2    elif t[i+1].startswith(landingpad_s):      landingpad = int(t[i+1][len(landingpad_s):], 16)      relations.add((addr, -1, landingpad))      addr = landingpad      while not patch_helper.is_unreachable(patch_helper.block(addr).direct_branch):        addr = patch_helper.block(addr).direct_branch      if t[i+2].startswith(selector_s):        selector = int(t[i+2][len(selector_s):], 16)      i += 3    elif t[i+1].startswith("[Inferior "):      i += 1    else:      print("Warning: %x doesn't have selector. "%addr)      exit(0)    laddr = addr    lselector = selector  return list(relations) print('************************flow******************************')relations = parse_logs(sys.argv[3], prologue, patch_helper)relations.sort(key = lambda x:x)flow = {}for bb, selector, child in relations:  if bb in flow:    while len(flow[bb]) < selector:      flow[bb].append(-1)    flow[bb].append(child)    assert(len(flow[bb]) == selector+1)  else:    flow[bb] = [child]for (k, v) in list(flow.items()):    print('%#x:' % k, [hex(child) for child in v])

Flows:

************************flow******************************0x404820: ['0x4075f9']0x404ab8: ['0x404ab8', '0x406c94']0x404bc4: ['0x407bc7']0x404ca4: ['0x406bf9']0x404ec5: ['0x4053d3']0x404fae: ['0x406b00']0x4051fe: ['0x40707d']0x4053d3: ['0x406521']0x405469: ['0x407d31']0x4056f0: ['0x405a5f', '0x4056f0']0x4057b8: ['0x404ab8']0x405923: ['0x405923', '0x406e5d']0x405a5f: ['0x4067bb']0x405b29: ['0x406964', '0x406646']0x405c87: ['0x405c87', '0x407437']0x405f2a: ['0x405f2a', '0x4063b0']0x4060e7: ['0x40723e']0x40617c: ['0x409437']0x40620f: ['0x405f2a']0x406299: ['0x404bc4', '0x4057b8']0x4063b0: ['0x4063b0', '0x405469']0x4064a5: ['0x406704', '0x40620f']0x406521: ['0x4074ca', '0x404bc4']0x4065c9: ['0x40723e']0x406646: ['0x406964']0x406704: ['0x405c87']0x4067bb: ['0x4082b6']0x406964: ['0x405b29', '0x404ca4']0x4069e3: ['0x408281']0x406a72: ['0x404fae']0x406b00: ['0x406299']0x406bf9: ['0x405923']0x406c94: ['0x4074ca']0x406cfe: ['0x40723e']0x406e5d: ['0x406e5d', '0x4077b6']0x406f5f: ['0x406f5f', '0x407566']0x40707d: ['0x40707d', '0x407960']0x4070fa: ['0x406f5f']0x4071aa: ['0x4056f0']0x40723e: ['0x4072b4']0x4072b4: ['0x4075f9', '0x4071aa']0x407437: ['0x407437', '0x4064a5']0x4074ca: ['0x404ec5', '0x407c6b']0x407566: ['0x407566', '0x407a6b']0x4075f9: ['0x4072b4', '-0x1', '0x4060e7', '0x406cfe', '0x4078e3', '0x4065c9']0x4076bd: ['0x404ec5']0x4077b6: ['0x406bf9', '0x4070fa']0x4078e3: ['0x40723e']0x407960: ['0x4081f5']0x407a6b: ['0x4070fa', '0x406704']0x407bc7: ['0x406a72', '0x407bc7']0x407c6b: ['0x4069e3']0x407d31: ['0x407d31', '0x407ebc']0x407ebc: ['0x407ebc', '0x40617c']0x4081f5: ['0x405b29']0x408281: ['0x4051fe']0x4082b6: ['0x4076bd']

Patch

修复程序环节！当我们已经确定了执行流程，像抛异常子分发器什么都是多余的了，统统patch掉。

对于后继块只有一个的真实块，只需要jmp过去。

对于有多个后继块的，需要通过esi（也就是异常类型）来改成cmp esi, ... jz即可。

def patch_branches(self, bb, va_targets):  va_start, size = self.get_patchable_from_relblk(bb)  if size < PatchHelper.JMP_SIZE:    print("[Warning] patch_jmp at block %x may fail. size: %d."%(bb.address, size))  org_start = va_start  print(f"va_start: {hex(va_start)}, bb addr: {hex(bb.address)}, size: {size}")  ## `cmp esi, v` instr takes 3 bytes while `je xxx` takes 6 bytes  ## And the last jmp instr takes 5 bytes.  total_size = 9 * len(va_targets) - 4  if size < total_size:    ## If the nop block at the end of current block is not large enough,       ## try to find another nop block and then jump to it.    nx_va_start, nx_size = self.get_nop_by_size(total_size)    if nx_size == 0:      print("[Error] `patch_branches` needs a nop block with size larger than %d."%(total_size))    self.patch_jmp(va_start, nx_va_start)    va_start, size = nx_va_start, nx_size   for i, t in enumerate(va_targets[:-1]):    cmp_instr = bytes([0x83,0xfe,i])    self.do_patch(va_start, cmp_instr)    va_start += len(cmp_instr)    cj_instr = bytes([PatchHelper.opcode['j'],PatchHelper.opcode['e']])    if t == -1:      ## -1 represent that we do not know the flow for this selector value for now.      cj_instr += struct.pack('<i', self.func_terminate-va_start-6)      # cj_instr = asm(f"je {hex(self.func_terminate)}", vma=va_start)    else:      cj_instr += struct.pack('<i', t-va_start-6)      # cj_instr = asm(f"je {hex(t)}", vma=va_start)    self.do_patch(va_start, cj_instr)    va_start += len(cj_instr)  va_start += self.patch_jmp(va_start, va_targets[-1])  if va_start > org_start+size:    print("[Warning] patches at (%x, %x) overlaps next blk. "%(org_start, va_start))

官方完整脚本：

## filename: deflat.pyfrom ast import Tuplefrom xmlrpc.client import Booleanfrom barf.barf import BARFimport angrimport structimport sysfrom pwnlib import elffrom queue import SimpleQueue# from pwn import * class PatchHelper:  opcode = {'a' :0x87, 'ae':0x83, 'b' :0x82, 'be':0x86, 'c' :0x82, 'e' :0x84, 'z' :0x84, 'g' :0x8F,            'ge':0x8D, 'l' :0x8C, 'le':0x8E, 'na':0x86, 'nae':0x82,'nb':0x83, 'nbe':0x87,'nc':0x83,            'ne':0x85, 'ng':0x8E, 'nge':0x8C,'nl':0x8D, 'nle':0x8F,'no':0x81, 'np':0x8B, 'ns':0x89,            'nz':0x85, 'o' :0x80, 'p' :0x8A, 'pe':0x8A, 'po':0x8B, 's' :0x88, 'nop':0x90,'jmp':0xE9, 'j':0x0F}  JMP_SIZE = 5   def is_unreachable(self, bb):    if isinstance(bb, int):      bb = self.block(bb)    for i in range(len(bb.instrs)):      if bb.instrs[i].mnemonic != "call":        continue      target = bb.instrs[i].operands[0].immediate      if target == self.func_terminate:        return True   def block(self, addr):    bb = self.cfg.find_basic_block(addr)    if bb is None:      bb = barf.bb_builder.strategy._disassemble_bb(addr, barf.binary.ea_end, {})    return bb   @staticmethod  def is_imm(operand):    return (hasattr(operand, "_X86ImmediateOperand__key"))   @staticmethod  def is_reg(operand):    return (hasattr(operand, "_X86RegisterOperand__key"))   def is_call_throw(self, instr):    return instr.mnemonic == "call" and         self.is_imm(instr.operands[0]) and        instr.operands[0].immediate == self.func_throw   def is_call_allocate_exception(self, instr):    return instr.mnemonic == "call" and         self.is_imm(instr.operands[0]) and        instr.operands[0].immediate == self.func_allocate_exception   def is_call_obf_exception(self, instr):    return instr.mnemonic == "call" and         self.is_imm(instr.operands[0]) and        instr.operands[0].immediate == self.func_obf_exception    def skip_call_args(self, bb, i):    while ((bb.instrs[i].mnemonic in ["xor","mov","lea"]) and      (len(bb.instrs[i].operands) > 0) and (self.is_reg(bb.instrs[i].operands[0])) and      (bb.instrs[i].operands[0].name in ["edx", "rdx", "esi", "rsi", "edi", "rdi"])) or       bb.instrs[i].mnemonic == "nop":      i -= 1    return i   def get_patchable_from_relblk(self, bb):    i = 0    end = bb.start_address + bb.size    while i < len(bb.instrs) and not self.is_call_throw(bb.instrs[i]):      i += 1    i = self.skip_call_args(bb, i-1)    if i == len(bb.instrs) - 1:      start = end    else:      start = bb.instrs[i+1].address    self.fill_nops(start, end)    return (start, end-start)   def __init__(self, proj, elf, barf, cfg) -> None:    self.p = proj    obj = proj.loader.main_object    self.func_terminate = obj.symbols_by_name["__clang_call_terminate"].rebased_addr    self.func_throw = obj.plt["__cxa_throw"]    self.func_allocate_exception = obj.plt["__cxa_allocate_exception"]    self.func_obf_exception = obj.symbols_by_name["_ZN18StdSubObfExceptionC2Ec"].rebased_addr    self.elf = elf    self.elfData = bytearray(self.elf.data)    self.barf = barf    self.cfg = cfg    self.nops = []   def append_nop(self, nopblk):    if nopblk[1] > 0:      self.nops.append(nopblk)   def finalize(self):    self.nops.sort()    idx = 0    while idx < len(self.nops) - 1:      if self.nops[idx][0] + self.nops[idx][1] != self.nops[idx+1][0]:        idx += 1        continue      self.nops[idx]=(self.nops[idx][0], self.nops[idx][1]+self.nops[idx+1][1])      del self.nops[idx+1]   def fill_nops(self, va_start, va_end):    assert not self.elf is None    start = self.elf.vaddr_to_offset(va_start)    end   = self.elf.vaddr_to_offset(va_end)    for i in range(start, end):      self.elfData[i] = PatchHelper.opcode['nop']   def get_nop_by_size(self, min_size):    for idx, nop in enumerate(self.nops):      if nop[1] > min_size:        del self.nops[idx]        return nop    return (-1, 0)   def do_patch(self, va_start, codes):    start = self.elf.vaddr_to_offset(va_start)    for i in range(len(codes)):      self.elfData[start+i] = codes[i]   def patch_jmp(self, va_start, va_target):    offset = va_target - va_start - PatchHelper.JMP_SIZE    jmp = bytes([PatchHelper.opcode['jmp']])+struct.pack('<i', offset)    self.do_patch(va_start, jmp)    return PatchHelper.JMP_SIZE   def patch_branches(self, bb, va_targets):    va_start, size = self.get_patchable_from_relblk(bb)    if size < PatchHelper.JMP_SIZE:      print("[Warning] patch_jmp at block %x may fail. size: %d."%(bb.address, size))    org_start = va_start    print(f"va_start: {hex(va_start)}, bb addr: {hex(bb.address)}, size: {size}")    ## `cmp esi, v` instr takes 3 bytes while `je xxx` takes 6 bytes    ## And the last jmp instr takes 5 bytes.    total_size = (3+6) * len(va_targets) - 4    if size < total_size:      ## If the nop block at the end of current block is not large enough,         ## try to find another nop block and then jump to it.      nx_va_start, nx_size = self.get_nop_by_size(total_size)      if nx_size == 0:        print("33[31m[Error]33[0m `patch_branches` needs a nop block with size larger than %d."%(total_size))      self.patch_jmp(va_start, nx_va_start)      va_start, size = nx_va_start, nx_size    for i, t in enumerate(va_targets[:-1]):      cmp_instr = bytes([0x83,0xfe,i])      self.do_patch(va_start, cmp_instr)      va_start += len(cmp_instr)      cj_instr = bytes([PatchHelper.opcode['j'],PatchHelper.opcode['e']])      if t == -1:        ## -1 represent that we do not know the flow for this selector value for now.        cj_instr += struct.pack('<i', self.func_terminate-va_start-6)        # cj_instr = asm(f"je {hex(self.func_terminate)}", vma=va_start)      else:        cj_instr += struct.pack('<i', t-va_start-6)        # cj_instr = asm(f"je {hex(t)}", vma=va_start)      self.do_patch(va_start, cj_instr)      va_start += len(cj_instr)    va_start += self.patch_jmp(va_start, va_targets[-1])    if va_start > org_start+size:      print("[Warning] patches at (%x, %x) overlaps next blk. "%(org_start, va_start)) def get_relevant_blocks(cfg, patch_helper, main_dispatcher):  isCmpRI = lambda instr: instr.mnemonic == "cmp" and    hasattr(instr.operands[0], "_X86RegisterOperand__key") and    hasattr(instr.operands[1], "_X86ImmediateOperand__key")  isCJmp = lambda instr: instr.mnemonic.startswith("j") and     instr.mnemonic != "jmp"  isSubDispatcher = lambda bb: (len(bb.instrs) == 2) and     isCmpRI(bb.instrs[0]) and isCJmp(bb.instrs[1])  relevant_blocks = []  visited = set()  q = SimpleQueue()  q.put(patch_helper.block(main_dispatcher))  while not q.empty():    bb = q.get()    if isSubDispatcher(bb):      patch_helper.append_nop((bb.start_address, bb.size))      for succ, cond in bb.branches:        if succ in visited:          continue        q.put(patch_helper.block(succ))        visited.add(succ)    else:      relevant_blocks.append(bb)  return relevant_blocks  def parse_logs(logfn, prologue, patch_helper):  with open(logfn, "r") as f:    t = f.readlines()  i = 0  selector_s = "selector: "  landingpad_s = "landingPad: "  relations = set()  laddr = prologue  lselector = 0  landingpad = 0  while i < len(t):    try:      addr = int(t[i], 16)    except:      i += 1      continue    if not laddr is None:      relations.add((laddr, lselector, addr))    if t[i+1].startswith(selector_s):      selector = int(t[i+1][len(selector_s):], 16)      i += 2    elif t[i+1].startswith(landingpad_s):      landingpad = int(t[i+1][len(landingpad_s):], 16)      relations.add((addr, -1, landingpad))      addr = landingpad      while not patch_helper.is_unreachable(patch_helper.block(addr).direct_branch):        addr = patch_helper.block(addr).direct_branch      if t[i+2].startswith(selector_s):        selector = int(t[i+2][len(selector_s):], 16)      i += 3    elif t[i+1].startswith("[Inferior "):      i += 1    else:      print("Warning: %x doesn't have selector. "%addr)      exit(0)    laddr = addr    lselector = selector  return list(relations)  def generate_gdb_script(relevant_blocks):  cmds = """set pagination off b *0x40A3D4commands  silent  printf "landingPad: %xn", $rdx  continueend b _ZN18StdSubObfExceptionC2Eccommands  silent  printf "selector: %xn", $rsi  continueend define mytrace  break $arg0  commands    silent    printf "%x\n", $pc    python gdb.execute('continue')  endend"""  for bb in relevant_blocks:    cmds += (f"mytrace *{hex(bb.address)} n")  cmds += "runn"  with open("test.gdb", "w") as f:    f.write(cmds)  if __name__ == '__main__':    if len(sys.argv) < 3:        print('Usage: python deflat.py filename function_address(hex) [logfile]')        exit(0)     # context.arch = "amd64"    # context.os = "linux"    # context.endian = "little"     filename = sys.argv[1]    start = int(sys.argv[2], 16)     origin = elf.ELF(filename)    b = angr.Project(filename, load_options={'auto_load_libs': False, 'main_opts':{'custom_base_addr': 0}})    barf = BARF(filename)    cfg = barf.recover_cfg(start=start)    patch_helper = PatchHelper(b, origin, barf, cfg)    blocks = cfg.basic_blocks     prologue = start    main_dispatcher = patch_helper.block(prologue).direct_branch    relevant_blocks = get_relevant_blocks(cfg, patch_helper, main_dispatcher)    nop = patch_helper.get_patchable_from_relblk(patch_helper.block(prologue))    patch_helper.append_nop(nop)     print('*******************relevant blocks************************')    print('main_dispatcher:%#x' % main_dispatcher)    print('relevant_blocks:', [hex(bb.address) for bb in relevant_blocks])      if len(sys.argv) < 4:      generate_gdb_script(relevant_blocks)      exit(0)     print('************************flow******************************')    relations = parse_logs(sys.argv[3], prologue, patch_helper)    relations.sort(key = lambda x:x)    flow = {}    for bb, selector, child in relations:      if bb in flow:        while len(flow[bb]) < selector:          flow[bb].append(-1)        flow[bb].append(child)        assert(len(flow[bb]) == selector+1)      else:        flow[bb] = [child]    for (k, v) in list(flow.items()):        print('%#x:' % k, [hex(child) for child in v])     print('************************patch*****************************')    patch_helper.finalize()    for (parent, childs) in list(flow.items()):      ## Patch jmps      blk = patch_helper.block(parent)      patch_helper.patch_branches(blk, childs)      ## Nop call allocate_exception and call obf_exception      for idx, instr in enumerate(blk.instrs):        if patch_helper.is_call_allocate_exception(instr) or          patch_helper.is_call_obf_exception(instr):          # si = patch_helper.skip_call_args(blk, idx-1)+1          # start = blk.instrs[si].address          start = instr.address          end = instr.address + instr.size          patch_helper.fill_nops(start, end)     with open(filename + '.recovered', 'wb') as f:        f.write(bytes(patch_helper.elfData))    print('Successful! The recovered file: %s' % (filename + '.recovered'))

Work flow:

$ python deflat.py inflated 0x404820$ gdb inflated -x test.gdb --batch < testin > testout$ python deflat.py inflated 0x404820 testout

按照以上流程，test.gdb可能会报个错，程序把本身有个n是脚本中需要打印的，但直接转义成真换行了需要手动恢复。

观看修复后的流程：

int __cdecl main(int argc, const char **argv, const char **envp){  ......  v3 = fileno(stdin);  tcgetattr(v3, &intermiosBufBackup);  cfmakeraw(&intermiosBuf);  tcsetattr(v3, 0, &intermiosBuf);  *(_OWORD *)v196 = 0LL;  v195 = 0LL;  *(_OWORD *)s = 0LL;  *(_QWORD *)&v196[13] = 0LL;  v124 = &v168;  v123 = &v167;  v164 = v199;  v187 = &v198;  v186 = &v96;  v185 = &v97;  v184 = &v100;  v122 = &s[12];  v108 = v103;  v163 = &v197;  v183 = &v99;  v162 = &v166;  ......  v5 = 0LL;  do  {    v72 = v4;    v98 = getc(stdin);    v73 = v98 << 24;    v74 = v98 << 24 == 0x1B000000;    if ( v98 << 24 == 0x31000000 )      v74 = 2;    if ( v73 == 0x37000000 )      v74 = 3;    if ( v73 == 0x33000000 )      v74 = 4;    if ( v73 == 0x34000000 )      v74 = 5;    v101 = v5;    v102 = v72;    v119 = v72;    if ( v74 )    {      if ( v74 == 1 )        _clang_call_terminate(5LL);      if ( v74 == 2 )      {        v107 = v102 + (4LL << (3 * (unsigned __int8)v101));        v85 = v98;      }      else if ( v74 == 3 )      {        v107 = v102 + (5LL << (3 * (unsigned __int8)v101));        v85 = v98;      }      else      {        if ( v74 == 4 )          v107 = v102 + (6LL << (3 * (unsigned __int8)v101));        else          v107 = v102 + (7LL << (3 * (unsigned __int8)v101));        v85 = v98;      }      s[v101] = v85;      v119 = v107;    }    v5 = v101 + 1;    v174 = v119;  }  while ( v101 != 11 );  s[12] = 0;  v69 = fileno(stdin);  tcsetattr(v69, 0, &intermiosBufBackup);  for ( i = 0LL; i < 5; ++i )    *((_BYTE *)v136 + i) = byte_40E0F3[i] - byte_40E0F8[i];  v188 = &v190;  v190 = v136[0];  v189 = 4LL;  v191 = 0;  __isoc99_scanf(&v190, v122);  v26 = v188;  v175 = v188;  *(_OWORD *)v188 = xmmword_40E040;  v26[4] = 639210836;  *((_BYTE *)v26 + 20) = 16;  *(_QWORD *)((char *)v26 + 34) = 0x1005E763241AA6B1LL;  *(_OWORD *)((char *)v26 + 21) = xmmword_40E148;  __cxa_begin_catch(v26);  v155 = strlen(v122);  v128 = 0LL;  v113 = 0;  v125 = v155;  v147 = 0LL;  do  {    v133 = v125 - 1;    v86 = v122[v147];    v160 = v128;    v110 = v113;    v176 = v147;    isalnum(v86);    v50 = (unsigned int)(v160 + 1);    *(&v95 + (int)v160) = v86;    v181 = v176 + 1;    v130 = v50;    v112 = v110;    v146 = 0LL;    if ( (_DWORD)v50 == 4 )    {      do      {        v106 = 0LL;        v149 = v146;        do        {          v199[v106 + 16] = byte_40E071[v106] - byte_40E0B2[v106];          ++v106;        }        while ( v106 < 0x41 );        v56 = v163;        *(_QWORD *)v163 = v164;        v165 = 64LL;        v169 = (_OWORD *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::_M_create(                           v56,                           &v165,                           0LL);        v9 = (void **)v163;        v10 = v169;        *(_QWORD *)v163 = v169;        v11 = v165;        *(_QWORD *)v164 = v165;        v12 = MEMORY[5];        v13 = MEMORY[0x15];        v14 = MEMORY[0x25];        v10[3] = MEMORY[0x35];        v10[2] = v14;        v10[1] = v13;        *v10 = v12;        *(_QWORD *)v187 = v11;        *((_BYTE *)v10 + v11) = 0;        v15 = v149;        *(&v95 + v15) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::find(                          v9,                          (unsigned int)*(&v95 + v149),                          0LL);        v177 = *v9;        operator delete(v177);        v146 = v149 + 1;      }      while ( v149 != 3 );      v17 = *v186;      *v183 = (4 * *v57) | ((unsigned __int8)*v186 >> 4) & 3;      v18 = *v185;      *v59 = (16 * v17) | ((unsigned __int8)*v185 >> 2) & 0xF;      *v184 = *v58 + (v18 << 6);      v152 = v110;      v151 = 0LL;      do      {        v6 = v151;        v7 = (unsigned __int8)*(&v99 + v151) / 0xAu;        v8 = v152;        v199[v152 + 96] = (unsigned __int8)*(&v99 + v151) % 0xAu;        v199[v8 + 97] = v7;        v151 = v6 + 1;        v152 = v8 + 2;        v182 = v8 + 2;      }      while ( v6 != 2 );      v130 = 0LL;      v112 = v182;    }    v128 = v130;    v113 = v112;    v125 = v133;    v147 = v181;  }  while ( v133 );  __cxa_end_catch();  v193 = 152788034LL;  v192[3] = xmmword_40E130;  v192[2] = xmmword_40E120;  v192[1] = xmmword_40E110;  v192[0] = xmmword_40E100;  v138 = 152788034LL;  cipher_helper<12037464u,StList<0ul,1ul,2ul,3ul,4ul,5ul,6ul,7ul,8ul,9ul,10ul,11ul,12ul,13ul,14ul,15ul,16ul,17ul,18ul,19ul,20ul,21ul,22ul,23ul,24ul,25ul,26ul,27ul,28ul,29ul,30ul,31ul,32ul,33ul,34ul,35ul,36ul,37ul,38ul,39ul>>::get_array(    152788034LL,    "Knows the futility yet does it anyway. ");  v55 = v138;  *(_OWORD *)(v138 + 56) = xmmword_40E16D;  *(_OWORD *)(v55 + 40) = xmmword_40E15D;  *(_QWORD *)(v55 + 72) = 0x6FF0E70B5B3F60A4LL;  v137 = (void *)0x6FF0E70B5B3F60A4LL;  __cxa_begin_catch((void *)0x6FF0E70B5B3F60A4LL);  v145 = 0LL;  do  {    v67 = v145;    *((_DWORD *)v192 + 2 * v145) ^= 0x9005408u;    v145 = v67 + 1;  }  while ( v67 != 8 );  __cxa_end_catch();  *(_OWORD *)v75 = xmmword_40E030;  *((_QWORD *)v75 + 2) = 0x48D1556A814FF991LL;  *((_QWORD *)v75 + 5) = 0x48B0E10161EA8322LL;  v25 = -2.526699287193993e95;  *(_OWORD *)(v75 + 24) = xmmword_40E185;  __cxa_begin_catch(v75);  v121 = 0LL;  v109 = 0;  do  {    v27 = v121;    v179 = (unsigned __int64 *)v192 + (unsigned int)v121 / 9uLL;    v28 = *v179;    v29 = (unsigned int)v121 % 9;    v30 = pow(v25, (double)(int)((unsigned int)v121 % 9 + 1));    v178 = v28;    v31 = v28 % (unsigned int)(int)(v30 + 0.5);    y = (double)v29;    v32 = pow(11.0, (double)v29) + 0.5;    v33 = (unsigned int)(int)v32;    v25 = v32 - 9.223372036854776e18;    v158 = v27;    v157 = v109;    v111 = v109;    if ( v31 < v33 )    {      v111 = v157 + 1;      v51 = v199[(int)v157 + 96];      v52 = pow(v25, y) + 0.5;      v53 = (unsigned int)(int)v52;      v25 = v52 - 9.223372036854776e18;      *v179 = v178 + v51 * v53;    }    v121 = (unsigned int)(v158 + 1);    v109 = v111;  }  while ( (_DWORD)v158 != 80 );  __cxa_end_catch();  v88 = 1;  v140 = 0LL;  do  {    v60 = v108;    v108[8] = 0;    *(_QWORD *)v60 = 0LL;    v171 = *((_QWORD *)v192 + v140);    v126 = 0LL;    v170 = v140;    do    {      v19 = v126;      v20 = v126 + 1;      v21 = pow(v25, (double)((int)v126 + 1));      v22 = v171 % (unsigned int)(int)(v21 + 0.5);      v23 = pow(11.0, (double)v19) + 0.5;      v24 = (unsigned int)(int)v23;      v25 = v23 - 9.223372036854776e18;      v103[v22 / v24] = 1;      v141 = 1LL;      v89 = v88;      v126 = v20;    }    while ( v20 != 9 );    do    {      v61 = v89;      if ( !v103[v141] )        v61 = 0;      ++v141;      v115 = v61;      v89 = v61;    }    while ( v141 != 10 );    v140 = v170 + 1;    v131 = 0LL;    v87 = v115;    v88 = v115;  }  while ( v170 != 8 );  do  {    v68 = v108;    v108[8] = 0;    *(_QWORD *)v68 = 0LL;    v172 = (double)((int)v131 + 1);    v40 = (double)(int)v131;    v173 = (double)(int)v131;    v161 = (unsigned int)v131;    v142 = 0LL;    do    {      v62 = v142;      v63 = *((_QWORD *)v192 + v142);      v64 = v63 % (unsigned int)(int)(pow(v40, v172) + 0.5);      v65 = pow(11.0, v173) + 0.5;      v66 = (unsigned int)(int)v65;      v40 = v65 - 9.223372036854776e18;      v103[v64 / v66] = 1;      v142 = v62 + 1;      v144 = 1LL;      v90 = v87;    }    while ( v62 != 8 );    do    {      v71 = v90;      if ( !v103[v144] )        v71 = 0;      ++v144;      v116 = v71;      v90 = v71;    }    while ( v144 != 10 );    v131 = (unsigned int)(v161 + 1);    v132 = 0LL;    v92 = v116;    v87 = v116;  }  while ( (_DWORD)v131 != 9 );  do  {    v54 = v108;    v108[8] = 0;    *(_QWORD *)v54 = 0LL;    v135 = 3 * ((unsigned int)v132 / 3);    v134 = 3 * ((unsigned int)v132 % 3) + 1;    v129 = 0LL;    v159 = (unsigned int)v132;    do    {      v34 = v129;      v35 = *((_QWORD *)v192 + (int)(v135 + (unsigned int)v129 / 3));      v36 = (v134 + (unsigned int)v129 % 3) % 9;      v37 = v35 % (unsigned int)(int)(pow(v40, (double)(v36 + 1)) + 0.5);      v38 = pow(11.0, (double)v36) + 0.5;      v39 = (unsigned int)(int)v38;      v40 = v38 - 9.223372036854776e18;      v103[v37 / v39] = 1;      v129 = (unsigned int)(v34 + 1);      v150 = 1LL;      v94 = v92;    }    while ( v34 != 8 );    do    {      v70 = v94;      if ( !v103[v150] )        v70 = 0;      ++v150;      v104 = v70;      v94 = v70;    }    while ( v150 != 10 );    v132 = (unsigned int)(v159 + 1);    v92 = v104;  }  while ( (_DWORD)v159 != 8 );  v48 = v108;  v108[8] = 0;  *(_QWORD *)v48 = 0LL;  v127 = 0LL;  do  {    v41 = v127;    v42 = 9 - v127;    if ( !(_DWORD)v127 )      v42 = 0;    v43 = *((_QWORD *)v192 + v42);    v44 = v127 + 1;    v45 = v43 % (unsigned int)(int)(pow(v40, (double)((int)v127 + 1)) + 0.5);    v46 = pow(11.0, (double)v41) + 0.5;    v47 = (unsigned int)(int)v46;    v40 = v46 - 9.223372036854776e18;    v103[v45 / v47] = 1;    v143 = 1LL;    v91 = v104;    v127 = v44;  }  while ( v44 != 9 );  do  {    v49 = v91;    if ( !v103[v143] )      v49 = 0;    ++v143;    v117 = v49;    v91 = v49;  }  while ( v143 != 10 );  v16 = v108;  v108[8] = 0;  *(_QWORD *)v16 = 0LL;  v139 = 0LL;  do  {    v76 = v139 + 1;    v77 = v139 == 8;    v78 = v139 + 1;    if ( v139 == 8 )      v78 = 0;    v79 = *((_QWORD *)v192 + v139);    v80 = v79 % (unsigned int)(int)(pow(v40, (double)(v78 + 1)) + 0.5);    v81 = pow(11.0, (double)v78) + 0.5;    v82 = (unsigned int)(int)v81;    v40 = v81 - 9.223372036854776e18;    v103[v80 / v82] = 1;    v148 = 1LL;    v93 = v117;    v139 = v76;  }  while ( !v77 );  do  {    v83 = v93;    if ( !v103[v148] )      v83 = 0;    ++v148;    v118 = v83;    v93 = v83;  }  while ( v148 != 10 );  return 0;}

0x03 Solve the Puzzles

PART ONE

之前也提到过，由于我们的输入部分流可能执行不到，很明显我们刚刚根本没有输入上下左右箭头啥的。

所以关于处理上下左右箭头的代码无了。

do {   v72 = v4;   input1 = getc(stdin);   v73 = input1 << 24;   shift_input1 = input1 << 24 == 0x1B000000;   if ( input1 << 24 == 0x31000000 )     shift_input1 = 2;   if ( v73 == 0x37000000 )     shift_input1 = 3;   if ( v73 == 0x33000000 )     shift_input1 = 4;   if ( v73 == 0x34000000 )     shift_input1 = 5;   count = v5;   v102 = v72;   v119 = v72;   if ( shift_input1 )   {     if ( shift_input1 == 1 )       _clang_call_terminate((void *)5);     if ( shift_input1 == 2 )     {       v107 = v102 + (4LL << (3 * (unsigned __int8)count));       org_input = input1;     }     else if ( shift_input1 == 3 )     {       v107 = v102 + (5LL << (3 * (unsigned __int8)count));       org_input = input1;     }     else     {       if ( shift_input1 == 4 )         v107 = v102 + (6LL << (3 * (unsigned __int8)count));       else         v107 = v102 + (7LL << (3 * (unsigned __int8)count));       org_input = input1;     }     s[count] = org_input;     v119 = v107;   }   v5 = count + 1;   v174 = v119; } while ( count != 11 );

这个时候就可以更改我们的输入（指的是输入箭头再输入字符）再来一遍。

成功解析出我们的第一段输入。

由于两个文件分析过程不贴了，可以直接看官方WP给出的源码。

int part1_size = 12;while(count < part1_size) {  char a = getchar();  if (a == 27) {    if (getchar() == 91) {      char c = getchar();      try {        rmCjJ0(true, c);      } catch(Le3KW5 &cc) {        char c = cc.state;        if (c == 65) {          state += 0ull << (3 * count);        } else if (c==66) {          state += 2ull << (3 * count);        } else if (c==67) {          state += 1ull << (3 * count);        } else if (c==68) {          state += 3ull << (3 * count);        }      }      flag[count] = c;    }  } else if (a=='1') {    state += 4ull << (3 * count);    flag[count] = a;  } else if (a=='7') {    state += 5ull << (3 * count);    flag[count] = a;  } else if (a=='3') {    state += 6ull << (3 * count);    flag[count] = a;  } else if (a=='4') {    state += 7ull << (3 * count);    flag[count] = a;  }  count += 1;}// ... Second Part ...// Check Partif (... && state == 0xb3e659480) {  std::cout << LIT("Congratulation! n") << LIT("Your flag is ACTF{") << flag << LIT("_amazing!}") << std::endl;}

PART TWO

这个部分完全跟着lchild的分析来了。

接着就是第二段输入。首先是经过一段Base64解码操作，再经过取模除十操作得到一个数组。

  if ( (_DWORD)v50 == 4 )  {    do    {      v106 = 0LL;      v149 = v146;      do      {        baseTable[v106 + 16] = byte_40E071[v106] - byte_40E0B2[v106];// baseTable        ++v106;      }      while ( v106 < 0x41 );      v56 = (__int64)v163;      *(_QWORD *)v163 = v164;      v165 = 64LL;      v169 = (_OWORD *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::_M_create(                         v56,                         &v165,                         0LL);      v9 = (void **)v163;      v10 = v169;      *(_QWORD *)v163 = v169;      v11 = v165;      *(_QWORD *)v164 = v165;      v12 = MEMORY[5];      v13 = MEMORY[0x15];      v14 = MEMORY[0x25];      v10[3] = MEMORY[0x35];      v10[2] = v14;      v10[1] = v13;      *v10 = v12;      *(_QWORD *)v187 = v11;      *((_BYTE *)v10 + v11) = 0;      v15 = v149;      *(&copy_input1 + v15) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::find(                                v9,                                (unsigned int)*(&copy_input1 + v149),                                0LL);      v177 = *v9;      operator delete(v177);      v146 = v149 + 1;    }    while ( v149 != 3 );    v17 = *v186;    *v183 = (4 * *v57) | ((unsigned __int8)*v186 >> 4) & 3;    v18 = *v185;    *v59 = (16 * v17) | ((unsigned __int8)*v185 >> 2) & 0xF;    *v184 = *v58 + (v18 << 6);    v152 = v110;    v151 = 0LL;    do    {                                         // 对输入进行操作分值操作      v6 = v151;      v7 = (unsigned __int8)*(&v99 + v151) / 0xAu;      v8 = v152;      baseTable[v152 + 96] = (unsigned __int8)*(&v99 + v151) % 0xAu;      baseTable[v8 + 97] = v7;      v151 = v6 + 1;      v152 = v8 + 2;      v182 = v8 + 2;    }    while ( v6 != 2 );    v130 = 0LL;    v112 = v182;  }  v128 = v130;  v113 = v112;  copy_len = v133;  v147 = v181;}while ( v133 );                               // 以上是对input进行了base64解码

之后计算了九个数值，和一堆pang臭的代码，不过干的事情不是很复杂。

第一个循环是复制，后两个循环判断行列，不难发现这是个数独，拿网站一把梭了。

具体参考lchild师傅的Write up

# https://sudoku.vip/sudoku-x-solver/

0x04 GetFlag!!

第一个解密就直接移回去即可。

第二个解密出数独的值，列移动，取出值恢复原权位值，最后Base64即可！

s = []t = 0xB3E659480# 每3个字节为一次输入for i in range(12):    s.append(t & 0x7)    t >>= 3 assert t == 0key = ''for i in s:    if i == 0: key += '↑'    elif i == 1: key += '→'    elif i == 2: key += '↓'    elif i == 3: key += '←'    elif i == 4: key += '1'    elif i == 5: key += '7'    elif i == 6: key += '3'    elif i == 7: key += '4'print(key) # ??↓↓→←→←3417  values = [0x00000000331b6d84, 0x0000000054cab29a, 0x000000000cd0afcd,0x000000006636db08, 0x0000000000021528, 0x0000000005d62020, 0x00000000070bc7c1,0x00000000006739bd, 0x00000000001b084a]table = []for i in values:    table.append([])    s = ''    value = i    for j in range(9):        table[-1].append(int(value % 11))        s += "%2d" % (value % 11)        value /= 11 #   print(s[2: ] + s[: 2])''' 0 0 0 0 0 0 0 4 0 0 0 5 0 0 0 7 6 0 0 0 0 0 4 0 0 1 0 0 0 0 0 0 0 0 8 0 0 6 3 9 0 0 0 0 0 0 0 0 0 3 0 5 0 0 2 9 0 0 8 0 6 0 0 0 7 0 0 9 3 0 0 0 3 0 0 0 0 1 0 0 0''' # print(sum(table, []).count(0))# https://sudoku.vip/sudoku-x-solver/ solves = [[8, 1, 6, 7, 5, 2, 3, 4, 9],[4, 3, 5, 8, 1, 9, 7, 6, 2],[7, 2, 9, 3, 4, 6, 8, 1, 5],[9, 4, 7, 1, 6, 5, 2, 8, 3],[5, 6, 3, 9, 2, 8, 4, 7, 1],[1, 8, 2, 4, 3, 7, 5, 9, 6],[2, 9, 1, 5, 8, 4, 6, 3, 7],[6, 7, 4, 2, 9, 3, 1, 5, 8],[3, 5, 8, 6, 7, 1, 9, 2, 4]] # 数独列右移for i in range(9):    solves[i] = [solves[i][-1]] + solves[i][: -1]#    print(solves[i]) numbers = []for y in range(9):    for x in range(9):            if table[y][x] == 0:#                print(table[y][x])                numbers.append(solves[y][x]) assert len(numbers) % 2 == 0 flag = ''for i in range(0, len(numbers), 2):    flag += chr(numbers[i] + 10 * numbers[i + 1]) import base64# print(flag)print(base64.b64encode(str.encode(flag))) # ↑↑↓↓→←→←3417# WT05ICpTW0tcPyYxETgMGTBDUSphES1TLgwtVUwd