DiceCTF逆向题目"Scrambled-up"深度解析<\/h1>

题目概述<\/h2>
"Scrambled-up"是DiceCTF中的一个逆向题目，采用了数据流混淆技术而非传统的执行流混淆。题目使用了一种类似Lisp的函数式编程风格，通过数据流而非控制流来组织程序逻辑。<\/p>

程序结构分析<\/h2>

主要数据结构<\/h3>

程序使用了三种核心数据结构：<\/p>

Inst结构体<\/strong>：表示指令的基本信息<\/li> <\/ol>
struct<\/span> Inst { <\/span><\/span> Block *<\/span>next_call; <\/span><\/span> __int64<\/span> line; <\/span><\/span> __int64<\/span> argc; <\/span><\/span> __int64<\/span> slot_cnt; <\/span><\/span> __int64<\/span> exec_type; <\/span><\/span> Var var; <\/span><\/span>}; <\/span><\/span><\/code><\/pre> Edge结构体<\/strong>：表示块之间的连接关系<\/li> <\/ol> struct<\/span> Edge { <\/span><\/span> Edge *<\/span>next_cond; <\/span><\/span> __int64<\/span> dst_line; <\/span><\/span> __int64<\/span> src_line; <\/span><\/span>}; <\/span><\/span><\/code><\/pre> Block结构体<\/strong>：表示内存中的程序块<\/li> <\/ol> struct<\/span> Block { <\/span><\/span> __int64<\/span> line; <\/span><\/span> int<\/span> exec_type; <\/span><\/span> int<\/span> field_C; <\/span><\/span> __int64<\/span> argc; <\/span><\/span> Var *<\/span>argv; <\/span><\/span> __int64<\/span> slot_cnt; <\/span><\/span> Var *<\/span>slot_buffer; <\/span><\/span> Var value; <\/span><\/span>}; <\/span><\/span><\/code><\/pre>变量表示<\/h3> 程序使用Var结构表示变量：<\/p> struct<\/span> Var { <\/span><\/span> __int64<\/span> var_type; \/\/ 1=指针，2=值，0=无效 <\/span><\/span><\/span><\/span> __int64<\/span> var_or_ptr; <\/span><\/span> __int64<\/span> var_length; \/\/ 指针指向内容的长度 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>程序执行流程<\/h2> 初始化阶段<\/h3> 信号处理<\/strong>：注册SIGSEGV信号处理函数<\/li> 输入处理<\/strong>：读取用户输入的flag<\/li> 内存映射<\/strong>：使用mmap分配大块内存(0xF00000字节)<\/li> 指令读取<\/strong>：从全局变量inst_edge和inst_code读取数据初始化Block<\/li> <\/ol> 执行阶段<\/h3> 程序执行分为两部分：<\/p> 初始化Block和Edge<\/strong>：通过read_inst函数完成<\/li> 执行指令<\/strong>：通过parser_inst函数完成<\/li> <\/ol> 执行逻辑特点：<\/p> 线性执行所有逻辑块<\/li> 输入变量恒定不变，修改通过输出到其他块实现<\/li> 条件判断只有0和非0两种情况<\/li> <\/ul> 关键函数分析<\/h2> exec_inst函数<\/h3> 该函数包含11个不同类型的执行函数：<\/p> 类型<\/th> 函数作用<\/th> <\/tr> <\/thead> 1<\/td> 所有argv相加，结果赋值<\/td> <\/tr> 2<\/td> 所有argv相乘，结果赋值<\/td> <\/tr> 3<\/td> 将var位置的block赋值<\/td> <\/tr> 4<\/td> 调用函数指针并将结果赋值<\/td> <\/tr> 5<\/td> 条件赋值：argv[0]==0则用argv[1]，否则用argv[2]<\/td> <\/tr> 8<\/td> 检查flag是否正确<\/td> <\/tr> 9<\/td> 调用read函数读取flag到全局变量<\/td> <\/tr> 10<\/td> 合并两个指针指向的内存到新内存<\/td> <\/tr> 11<\/td> 获取argv[0][argv[1]]的值并赋值<\/td> <\/tr> <\/tbody> <\/table> 类型4函数(CallFunc)<\/h3> 这些是被调用的函数指针：<\/p> 函数名<\/th> 作用<\/th> <\/tr> <\/thead> xor_all_argv<\/td> 所有参数异或<\/td> <\/tr> or_all_argv<\/td> 所有参数或<\/td> <\/tr> and_all_argv<\/td> 所有参数相与<\/td> <\/tr> check_if_zero<\/td> 检查第二个参数是否为0<\/td> <\/tr> get_index_from_input<\/td> 获取输入的第index参数<\/td> <\/tr> reorder<\/td> 按指定顺序重构输入(16字节)<\/td> <\/tr> maze_step<\/td> 走迷宫函数<\/td> <\/tr> <\/tbody> <\/table> 解题过程<\/h2> 第一阶段：数据流dump<\/h3> 在ExecFunc8(flag检查函数)处下断点<\/li> 获取Block和Edge的内存布局<\/li> 编写脚本解析数据结构关系<\/li> <\/ol> 第二阶段：flag有效性检查<\/h3> 发现多个检查逻辑：<\/p> 长度检查<\/strong>：flag长度必须为0x26(38)字节<\/li> 格式检查<\/strong>：必须以"dice{"开头，"}"结尾<\/li> 复杂校验<\/strong>：多轮异或、乘法和加法运算校验<\/li> 迷宫校验<\/strong>：通过flag值控制迷宫行走路径<\/li> <\/ol> 第三阶段：迷宫分析<\/h3> 迷宫特点：<\/p> 起点：(0x40, 0x40)<\/li> 终点：(0x45, 0x8)<\/li> 每个flag字符控制3步移动<\/li> 必须在96步内完成<\/li> 不能碰到障碍(-1)<\/li> <\/ul> 迷宫移动有9种方向：<\/p> 常规4方向<\/li> 4个斜方向<\/li> 原地不动<\/li> <\/ul> 解题脚本关键部分<\/h2> Z3约束求解<\/h3> from<\/span> z3 import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>BITS =<\/span> 8<\/span> <\/span><\/span>solver =<\/span> Solver() <\/span><\/span>flags =<\/span> [] <\/span><\/span> <\/span><\/span># 初始化flag变量<\/span> <\/span><\/span>for<\/span> i in<\/span> range(0x20<\/span>): <\/span><\/span> each_flag =<\/span> BitVec("flag<\/span>%d<\/span>"<\/span>%<\/span>i ,BITS) <\/span><\/span> flags.<\/span>append(each_flag) <\/span><\/span> solver.<\/span>add(each_flag <=<\/span> 0x7f<\/span>) <\/span><\/span> solver.<\/span>add(each_flag >=<\/span> 0x10<\/span>) <\/span><\/span> <\/span><\/span># 添加已知字符约束<\/span> <\/span><\/span>solver.<\/span>add(flags[2<\/span>] ==<\/span> ord('w'<\/span>)) <\/span><\/span>solver.<\/span>add(flags[6<\/span>] ==<\/span> ord('e'<\/span>)) <\/span><\/span># ... 其他已知字符约束<\/span> <\/span><\/span> <\/span><\/span># 添加校验约束<\/span> <\/span><\/span>res =<\/span> 0<\/span> <\/span><\/span>for<\/span> i in<\/span> range(len(total_flag)-<\/span>1<\/span>): <\/span><\/span> res =<\/span> res ^<\/span> i ^<\/span> total_flag[i] ^<\/span> (total_flag[i]*<\/span>0xe<\/span>+<\/span>total_flag[i+<\/span>1<\/span>]) <\/span><\/span>res =<\/span> res +<\/span> total_flag[len(total_flag)-<\/span>1<\/span>]*<\/span>7<\/span> <\/span><\/span>solver.<\/span>add(res ==<\/span> 0x784<\/span>) <\/span><\/span> <\/span><\/span># 求解<\/span> <\/span><\/span>while<\/span> solver.<\/span>check() ==<\/span> sat: <\/span><\/span> model =<\/span> solver.<\/span>model() <\/span><\/span> flag =<\/span> ""<\/span> <\/span><\/span> for<\/span> each_flag in<\/span> flags: <\/span><\/span> flag +=<\/span> chr(model[each_flag].<\/span>as_long()) <\/span><\/span> print(flag) <\/span><\/span> solver.<\/span>add(Or([ model[v]!=<\/span>v for<\/span> v in<\/span> flags])) <\/span><\/span><\/code><\/pre>总结<\/h2> 数据流编程特点<\/strong>：<\/p> 所有逻辑都会被执行<\/li> 只有输入和输出变量，输入不变<\/li> 条件判断简单(只有0和非0)<\/li> <\/ul> <\/li> 与传统执行流编程对比<\/strong>：<\/p> <\/li> <\/ol> 特点<\/th> 执行流编程<\/th> 数据流编程<\/th> <\/tr> <\/thead> 执行范围<\/td> 部分逻辑执行<\/td> 所有逻辑执行<\/td> <\/tr> 变量修改<\/td> 变量可能被修改<\/td> 输入变量不变<\/td> <\/tr> 条件判断<\/td> 丰富多样<\/td> 只有0和非0<\/td> <\/tr> <\/tbody> <\/table> 解题关键<\/strong>：理解数据流传递关系<\/li> 在程序结尾处dump完整状态<\/li> 分析变量间的约束关系<\/li> 结合动态分析和静态分析<\/li> <\/ul> <\/li> <\/ol> 这个题目展示了数据流混淆在逆向题目中的应用，解题需要从传统的控制流分析转向数据流分析，理解变量如何在不同块之间传递和转换。<\/p>

DiceCTF逆向题目"Scrambled-up"深度解析<\/h1>

题目概述<\/h2> "Scrambled-up"是DiceCTF中的一个逆向题目，采用了数据流混淆技术而非传统的执行流混淆。题目使用了一种类似Lisp的函数式编程风格，通过数据流而非控制流来组织程序逻辑。<\/p>

程序结构分析<\/h2>

程序执行流程<\/h2>

关键函数分析<\/h2>

解题过程<\/h2>

解题脚本关键部分<\/h2>

题目概述<\/h2>
"Scrambled-up"是DiceCTF中的一个逆向题目，采用了数据流混淆技术而非传统的执行流混淆。题目使用了一种类似Lisp的函数式编程风格，通过数据流而非控制流来组织程序逻辑。<\/p>