CTF逆向：基础VM的三大解法剖析<\/h1>

一、VM核心原理速览<\/h2>

VM题型简介<\/h3>

VM（Virtual Machine）类题目在CTF逆向中常见，其特点如下：<\/p>

程序通常有自己一套循环的执行程序流<\/li>
核心结构包含虚拟指令分发器(opcode)和加密逻辑<\/li>

opcode由操作数和操作组成的大串数据（通常由成百上千个byte组成）<\/li> <\/ul>

破局思路<\/h3>

关键定位<\/strong>：找到虚拟指令分发器(opcode)<\/li>
加密逻辑<\/strong>：分析循环加密过程<\/li>

模拟重建<\/strong>：模拟执行流进行爆破或解密<\/li> <\/ol>
二、三种解法概述<\/h2>
解法一：传统手撕<\/h3>

保存整个执行流程<\/li>
逆向操作，从加密结果倒推flag<\/li> <\/ul>
解法二：正向Z3约束求解<\/h3>

模拟加密过程<\/li>
使用Z3约束求解得到flag<\/li> <\/ul>
解法三：插桩爆破<\/h3>

利用gbd或frida插桩<\/li>
针对单字节或双字节进行爆破<\/li> <\/ul>
三、解题实战（以isctf2022为例）<\/h2>
1. 提取opcode<\/h3>

在IDA中定位到opcode变量（示例中为v8）<\/li>
提取方法：

手动提取：选择变量，使用shift+8提取（24个变量，每个16 byte）<\/li>
IDAPython脚本提取（示例未展示具体脚本）<\/li> <\/ul> <\/li> <\/ol>
2. 复现执行流<\/h3>

注意坑点：某些操作的实际实现可能与表面不同（如[i-1]而非[1]）<\/li>
需要仔细对照汇编代码<\/li> <\/ul>
3. 具体解法实现<\/h3>
解法一：逆向手撕<\/h4>
# 示例exp思路<\/span> <\/span><\/span>opcode =<\/span> [...<\/span>] # 存储提取的opcode<\/span> <\/span><\/span>enc =<\/span> [...<\/span>] # 加密结果<\/span> <\/span><\/span> <\/span><\/span># 从后往前解密<\/span> <\/span><\/span>for<\/span> i in<\/span> range(len(opcode)-<\/span>1<\/span>, -<\/span>1<\/span>, -<\/span>1<\/span>): <\/span><\/span> # 逆向操作：+变-，-变+，^保持不变<\/span> <\/span><\/span> # 注意异或优先级问题<\/span> <\/span><\/span> pass<\/span> <\/span><\/span><\/code><\/pre>解法二：Z3约束求解<\/h4> 关键点：<\/p> 必须创建flag副本进行encode操作<\/li> 避免符号变量导致的优先级混乱<\/li> <\/ul> from<\/span> z3 import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>def<\/span> encode<\/span>(flag, opcode): <\/span><\/span> # 实现正向加密过程<\/span> <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span>solver =<\/span> Solver() <\/span><\/span>flag =<\/span> [BitVec(f<\/span>'flag_<\/span>{<\/span>i}<\/span>'<\/span>, 8<\/span>) for<\/span> i in<\/span> range(len(enc))] <\/span><\/span>encoded_flag =<\/span> encode(flag.<\/span>copy(), opcode) # 必须使用副本<\/span> <\/span><\/span> <\/span><\/span>for<\/span> i in<\/span> range(len(enc)): <\/span><\/span> solver.<\/span>add(encoded_flag[i] ==<\/span> enc[i]) <\/span><\/span> <\/span><\/span>if<\/span> solver.<\/span>check() ==<\/span> sat: <\/span><\/span> model =<\/span> solver.<\/span>model() <\/span><\/span> # 提取flag<\/span> <\/span><\/span><\/code><\/pre>解法三：frida插桩爆破<\/h4> \/\/ frida脚本示例 <\/span><\/span><\/span><\/span>Interceptor<\/span>.attach<\/span>(target_function<\/span>, { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> \/\/ 修改参数进行爆破 <\/span><\/span><\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> \/\/ 检查结果 <\/span><\/span><\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>四、高难度VM应对策略<\/h2> 对于2024年强网杯等高难度VM题目：<\/p> 当找不到opcode和中间执行流时<\/li> 当前思路主要是无脑爆破<\/li> 需要提升静态分析能力（大佬可以手撕）<\/li> <\/ol> 五、总结<\/h2> 基础VM<\/strong>：三种解法各有优劣，Z3约束求解最通用<\/li> 关键点<\/strong>：准确提取opcode<\/li> 正确复现执行流<\/li> 注意操作优先级和边界条件<\/li> <\/ul> <\/li> 进阶<\/strong>：需要积累更多VM分析经验，提升静态分析能力<\/li> <\/ol> 六、参考资料<\/h2> 示例题目：isctf2022基础VM题<\/li> 推荐博客：swdd的VM分析文章（原文中提到但未具体说明）<\/li> 强网杯2024 VM题目（高难度示例）<\/li> <\/ol>