HKCERT24逆向题目解析：bashed与MBTI Radar<\/h1>

bashed题目解析<\/h2>

题目概述<\/h3>

提供一个名为❤️.sh的bash脚本文件<\/li>
脚本接受一个87字符长度的flag作为参数<\/li>
使用大量emoji进行数据处理和流程控制<\/li>

最终检查标志位GALF是否为0来验证flag<\/li> <\/ul>

Bash关键特性分析<\/h3>

特性一：不严格的函数定义<\/h4>

Bash中变量和函数可以同名，函数优先执行<\/li>
当函数名作为参数传递时，会被当作字符串处理<\/li>

题目中emoji同时作为函数名和参数使用<\/li> <\/ul>

特性二：动态更新与执行顺序<\/h4>

脚本使用wget动态更新自身内容<\/li>
Bash执行时会一次性读入脚本内容到内存<\/li>

行末的

\<\/code>会影响PC(程序计数器)的移动规则：

执行完带\<\/code>的行后，会跳过后续连续带\<\/code>的行<\/li>
动态修改后，以新文件内容重新判断\<\/code>的影响<\/li>
<\/ul>
<\/li>
<\/ul>
特性三：整数溢出<\/h4>

Bash使用64位整数运算<\/li>
连续乘法会导致高位溢出，最终可能得到0<\/li>
题目利用此特性进行最终验证<\/li>
<\/ul>
题目逻辑解析<\/h3>


emoji_table结构<\/strong>：<\/p>

256行emoji_line组成<\/li>
每行第一个emoji定义函数，其余为参数<\/li>
共88个不同的emoji_table文件<\/li>
<\/ul>
<\/li>

执行流程<\/strong>：<\/p>

emoji_line[0]函数将emoji_line[1:8]重排序<\/li>
检查flag子串的sha1值(emoji_line[1:3])<\/li>
根据检查结果：

成功：GALF *= emoji_line[6]，跳转emoji_line[4]<\/li>
失败：GALF *= emoji_line[7]，跳转emoji_line[5]<\/li>
<\/ul>
<\/li>
行号idx根据\<\/code>规则递增<\/li>
<\/ul>
<\/li>

算法模型<\/strong>：<\/p>

88张emoji_table，每张256行<\/li>
根据flag子串sha1值决定跳转路径<\/li>
最终要求GALF溢出为0<\/li>
<\/ul>
<\/li>
<\/ol>
解题步骤<\/h3>
1. 深度遍历搜索<\/h4>
def<\/span> calc_next_idx<\/span>(emoji_filename, idx):
<\/span><\/span>    table =<\/span> g_emoji_table[emoji_filename]
<\/span><\/span>    line =<\/span> table[idx]
<\/span><\/span>    while<\/span> line[-<\/span>1<\/span>] ==<\/span> "<\/span>\\<\/span>"<\/span>:
<\/span><\/span>        idx +=<\/span> 1<\/span>
<\/span><\/span>        line =<\/span> table[idx]
<\/span><\/span>    return<\/span> idx +<\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> search_correct<\/span>(emoji_filename, emoji_line, GALF, idx):
<\/span><\/span>    start =<\/span> ord(emoji_line[0<\/span>]) -<\/span> ord('ear'<\/span>) 
<\/span><\/span>    length =<\/span> ord(emoji_line[1<\/span>]) -<\/span> ord('ear'<\/span>)
<\/span><\/span>    c_1 =<\/span> hex(ord(emoji_line[2<\/span>]) -<\/span> ord('ear'<\/span>)[2<\/span>:]
<\/span><\/span>    
<\/span><\/span>    if<\/span> GALF*<\/span>ord(emoji_line[5<\/span>]) &<\/span> 0xffffffffffffffff<\/span> !=<\/span> 0<\/span> and<\/span> len(c_1) ==<\/span> 1<\/span>:
<\/span><\/span>        GALF *=<\/span> ord(emoji_line[5<\/span>])
<\/span><\/span>        GALF &=<\/span> 0xffffffffffffffff<\/span>
<\/span><\/span>        target =<\/span> emoji_line[3<\/span>]
<\/span><\/span>        idx =<\/span> calc_next_idx(emoji_filename, idx)
<\/span><\/span>        if<\/span> len(g_emoji_table[target]) <<\/span> idx or<\/span> idx >=<\/span> 256<\/span>:
<\/span><\/span>            return<\/span> True<\/span>
<\/span><\/span>        new_line =<\/span> g_emoji_table[target][idx]
<\/span><\/span>        g_result[idx]=<\/span>(start, start+<\/span>length, True<\/span>, c_1)
<\/span><\/span>        new_line =<\/span> mapping_emojis(new_line[0<\/span>], new_line, g_emoji_mapping)
<\/span><\/span>        search_correct(target, new_line, GALF, idx)
<\/span><\/span>    
<\/span><\/span>    if<\/span> GALF*<\/span>ord(emoji_line[6<\/span>]) &<\/span> 0xffffffffffffffff<\/span> !=<\/span> 0<\/span>:
<\/span><\/span>        target =<\/span> emoji_line[4<\/span>]
<\/span><\/span>        GALF *=<\/span> ord(emoji_line[6<\/span>])
<\/span><\/span>        GALF &=<\/span> 0xffffffffffffffff<\/span>
<\/span><\/span>        idx =<\/span> calc_next_idx(emoji_filename, idx)
<\/span><\/span>        if<\/span> len(g_emoji_table[target]) <<\/span> idx or<\/span> idx >=<\/span> 256<\/span>:
<\/span><\/span>            return<\/span> True<\/span>
<\/span><\/span>        new_line =<\/span> g_emoji_table[target][idx]
<\/span><\/span>        g_result[idx]=<\/span>(start, start+<\/span>length, False<\/span>, c_1)
<\/span><\/span>        new_line =<\/span> mapping_emojis(new_line[0<\/span>], new_line, g_emoji_mapping)
<\/span><\/span>        search_correct(target, new_line, GALF, idx)
<\/span><\/span><\/code><\/pre>2. 回溯搜索flag<\/h4>
from<\/span> hashlib import<\/span> sha1
<\/span><\/span>
<\/span><\/span>def<\/span> get_sha1_second_char<\/span>(s):
<\/span><\/span>    return<\/span> sha1(s.<\/span>encode()).<\/span>hexdigest()[1<\/span>]
<\/span><\/span>
<\/span><\/span>def<\/span> backtrack<\/span>(current_string, n, constraints, index_constraints):
<\/span><\/span>    if<\/span> len(current_string) ==<\/span> n:
<\/span><\/span>        return<\/span> current_string
<\/span><\/span>
<\/span><\/span>    for<\/span> c in<\/span> "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_<\/span>{}<\/span>"<\/span>:
<\/span><\/span>        current_string +=<\/span> c
<\/span><\/span>        valid =<\/span> True<\/span>
<\/span><\/span>        for<\/span> (start, end, target_char) in<\/span> index_constraints.<\/span>get(len(current_string), []):
<\/span><\/span>            substring =<\/span> current_string[start:end]
<\/span><\/span>            if<\/span> get_sha1_second_char(substring) !=<\/span> target_char:
<\/span><\/span>                valid =<\/span> False<\/span>
<\/span><\/span>                break<\/span>
<\/span><\/span>
<\/span><\/span>        if<\/span> valid:
<\/span><\/span>            result =<\/span> backtrack(current_string, n, constraints, index_constraints)
<\/span><\/span>            if<\/span> result:
<\/span><\/span>                return<\/span> result
<\/span><\/span>        current_string =<\/span> current_string[:-<\/span>1<\/span>]
<\/span><\/span>
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span><\/code><\/pre>MBTI Radar题目解析<\/h2>
题目概述<\/h3>

Unity游戏程序，使用IL2CPP编译<\/li>
输入1-6字符的名字，生成MBTI类型序列<\/li>
需要预测随机数生成结果匹配目标序列<\/li>
<\/ul>
关键逻辑分析<\/h3>


初始化阶段<\/strong>：<\/p>

输入字符映射到0123456789abcdefghijklmnopqrstuvwxyz<\/code>的下标<\/li>
转换为36进制整数作为随机数种子<\/li>
<\/ul>
<\/li>

随机数生成<\/strong>：<\/p>

使用类似MT算法的伪随机数生成器<\/li>
生成浮点数范围在0-1之间<\/li>
乘以201后映射到MBTI类型<\/li>
<\/ul>
<\/li>

验证逻辑<\/strong>：<\/p>

共6个阶段，输入长度1-6的字符<\/li>
生成的MBTI序列与目标比较<\/li>
完全匹配则记录flag部分<\/li>
<\/ul>
<\/li>
<\/ol>
解题步骤<\/h3>
1. 实现随机数生成器<\/h4>
class<\/span> MyRandom<\/span>(object):
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        self.<\/span>random_num =<\/span> [0<\/span>] *<\/span> 8<\/span>
<\/span><\/span>        self.<\/span>table =<\/span> "0123456789abcdefghijklmnopqrstuvwxyz"<\/span>
<\/span><\/span>
<\/span><\/span>    def<\/span> random_seed<\/span>(self, seed):
<\/span><\/span>        self.<\/span>random_num[0<\/span>] =<\/span> seed
<\/span><\/span>        for<\/span> i in<\/span> range(1<\/span>,4<\/span>,1<\/span>):
<\/span><\/span>            self.<\/span>random_num[i] =<\/span> (self.<\/span>random_num[i-<\/span>1<\/span>] *<\/span> 0x6C078965<\/span> +<\/span> 1<\/span>)&<\/span>0xffffffff<\/span>
<\/span><\/span>
<\/span><\/span>    def<\/span> get_random_seed<\/span>(self):
<\/span><\/span>        v1 =<\/span> self.<\/span>random_num[0<\/span>] ^<\/span> ((self.<\/span>random_num[0<\/span>] <<<\/span> 11<\/span>)&<\/span>0xffffffff<\/span>)
<\/span><\/span>        self.<\/span>random_num[0<\/span>] =<\/span> self.<\/span>random_num[1<\/span>]
<\/span><\/span>        self.<\/span>random_num[1<\/span>] =<\/span> self.<\/span>random_num[2<\/span>]
<\/span><\/span>        v2 =<\/span> self.<\/span>random_num[3<\/span>]
<\/span><\/span>        self.<\/span>random_num[2<\/span>] =<\/span> self.<\/span>random_num[3<\/span>]
<\/span><\/span>        self.<\/span>random_num[3<\/span>] =<\/span> v1 ^<\/span> v2 ^<\/span> ((v1 ^<\/span> (v2 >><\/span> 11<\/span>)) >><\/span> 8<\/span>)
<\/span><\/span>        n =<\/span> (self.<\/span>random_num[3<\/span>] &<\/span> 0x7FFFFF<\/span>)
<\/span><\/span>        return<\/span> n *<\/span> 0.0000001192093<\/span>
<\/span><\/span><\/code><\/pre>2. MBTI类型映射<\/h4>
def<\/span> get_ans<\/span>(n):
<\/span><\/span>    if<\/span> n <<\/span> 54.0<\/span>:
<\/span><\/span>        if<\/span> n <<\/span> 33.0<\/span>:
<\/span><\/span>            if<\/span> n <<\/span> 12.0<\/span>:
<\/span><\/span>                StrTagObj =<\/span> "INFJ"<\/span>
<\/span><\/span>                if<\/span> n >=<\/span>3.0<\/span>: StrTagObj =<\/span> "INFP"<\/span>
<\/span><\/span>            else<\/span>:
<\/span><\/span>                StrTagObj =<\/span> "ENFP"<\/span>
<\/span><\/span>                if<\/span> n >=<\/span> 28.0<\/span>: StrTagObj =<\/span> "ENFJ"<\/span>
<\/span><\/span>        elif<\/span> n <<\/span>44.0<\/span>:
<\/span><\/span>            StrTagObj =<\/span> "INTJ"<\/span>
<\/span><\/span>            if<\/span> n >=<\/span> 37.0<\/span>: StrTagObj =<\/span> "INTP"<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            StrTagObj =<\/span> "ENTP"<\/span>
<\/span><\/span>            if<\/span> n >=<\/span> 50.0<\/span>: StrTagObj =<\/span> "ENTJ"<\/span>
<\/span><\/span>    elif<\/span> n <<\/span>147.0<\/span>:
<\/span><\/span>        if<\/span> n <<\/span>105.0<\/span>:
<\/span><\/span>            StrTagObj =<\/span> "ISTJ"<\/span>
<\/span><\/span>            if<\/span> n ><\/span> 77.0<\/span>: StrTagObj =<\/span> "ISFJ"<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            StrTagObj =<\/span> "ESTJ"<\/span>
<\/span><\/span>            if<\/span> n >=<\/span> 122.0<\/span>: StrTagObj =<\/span> "ESFJ"<\/span>
<\/span><\/span>    elif<\/span> n <<\/span> 176.0<\/span>:
<\/span><\/span>        StrTagObj =<\/span> "ISTP"<\/span>
<\/span><\/span>        if<\/span> n >=<\/span> 158.0<\/span>: StrTagObj =<\/span> "ISFP"<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        StrTagObj =<\/span> "ESTP"<\/span>
<\/span><\/span>        if<\/span> n ><\/span> 184.0<\/span>: StrTagObj =<\/span> "ESFP"<\/span>
<\/span><\/span>    return<\/span> StrTagObj
<\/span><\/span><\/code><\/pre>3. 爆破搜索<\/h4>
stage =<\/span> 5<\/span>
<\/span><\/span>target =<\/span> mbti[stage].<\/span>split(' '<\/span>)
<\/span><\/span>
<\/span><\/span>for<\/span> seed in<\/span> range(36<\/span>**<\/span>stage,36<\/span>**<\/span>(stage+<\/span>1<\/span>)):
<\/span><\/span>    mr =<\/span> MyRandom()
<\/span><\/span>    mr.<\/span>random_seed(seed)
<\/span><\/span>    res =<\/span> []
<\/span><\/span>    for<\/span> i in<\/span> range(50<\/span>):
<\/span><\/span>        n =<\/span> mr.<\/span>get_random_seed()
<\/span><\/span>        each_mbti =<\/span> get_ans(n*<\/span>201.0<\/span>)
<\/span><\/span>        if<\/span> each_mbti !=<\/span> target[i]: break<\/span>
<\/span><\/span>        res.<\/span>append(each_mbti)
<\/span><\/span>    if<\/span> len(res) ==<\/span> 50<\/span>:
<\/span><\/span>        ans =<\/span> ''<\/span>
<\/span><\/span>        while<\/span> seed ><\/span> 0<\/span>:
<\/span><\/span>            ans =<\/span> mr.<\/span>table[seed %<\/span> 36<\/span>] +<\/span> ans
<\/span><\/span>            seed \/\/=<\/span> 36<\/span>
<\/span><\/span>        print(ans)
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span><\/code><\/pre>总结与技巧<\/h2>
bashed题目关键点<\/h3>

理解bash中函数和变量的同名机制<\/li>
掌握动态脚本修改对执行流程的影响<\/li>
利用整数溢出特性进行最终验证<\/li>
将复杂bash逻辑转化为可搜索的算法模型<\/li>
<\/ol>
MBTI Radar题目关键点<\/h3>

识别IL2CPP编译的Unity程序结构<\/li>
分析随机数生成算法并实现等效版本<\/li>
理解种子生成机制(36进制转换)<\/li>
使用爆破方法搜索符合条件的输入<\/li>
<\/ol>
通用逆向技巧<\/h3>

对于混淆代码，编写小型测试程序验证猜测<\/li>
动态调试与静态分析结合<\/li>
将复杂逻辑分解为可管理的部分<\/li>
注意数据类型的转换和边界条件<\/li>
<\/ol>

HKCERT24逆向题目解析：bashed与MBTI Radar<\/h1>

bashed题目解析<\/h2>

Bash关键特性分析<\/h3>

解题步骤<\/h3>

MBTI Radar题目解析<\/h2>

解题步骤<\/h3>

总结与技巧<\/h2>

通用逆向技巧<\/h3> 对于混淆代码，编写小型测试程序验证猜测<\/li> 动态调试与静态分析结合<\/li> 将复杂逻辑分解为可管理的部分<\/li> 注意数据类型的转换和边界条件<\/li> <\/ol>

通用逆向技巧<\/h3>

对于混淆代码，编写小型测试程序验证猜测<\/li>
动态调试与静态分析结合<\/li>
将复杂逻辑分解为可管理的部分<\/li>
注意数据类型的转换和边界条件<\/li> <\/ol>