pwn.college Reverse Engineering level22.1

0x01

终于通关了pwn.college Reverse Engineering 用刚从外国人那里学到的一个词总结: Type 2 Fun!

0x02

先搞清楚指令的格式

首先先放到反编译器里看一看，我用的ghidra 其他的大同小异 通过分析代码可以得出代码的格式为: op arg1 arg2

这里我的题目顺序是: arg2 arg1 op 具体的顺序 看具体环境

0x03 小试牛刀

题目说了“Is there maybe a clever side channel you can utilize?” 就是侧信道呗

那么就一点点用程序的崩溃信息，退出，是否卡死来寻找蛛丝马迹

这里先写一个爆破脚步 试一试

import subprocess

command= ['/challenge/babyrev_level22.1']

data = bytearray()

with open('res.txt', 'w') as file:
    file.write('')

values = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80]
for i in values:
    data.append(0x31) #用崩溃寄存器
    for j in values:
        data.append(j)
        data.append(i)
        print(data)
        try:
            res = subprocess.run(command,input=data,stdout=subprocess.PIPE, stderr=subprocess.PIPE,timeout=2)
            with open('res.txt','ab') as file:
                file.write(bytes(str(j)+str(i),encoding='ascii'))
                file.write(res.stdout[1074:])
        except subprocess.TimeoutExpired:
                print("timeout",data)
        data.pop()
        data.pop()
    data.clear()

查看程序输出和res.txt 寻找可用信息

发现res.txt有一行直接退出了，没有崩溃信息

option 22.1的原始res找不到, 拿22.0的举个例子如下

0x200x40[+] Starting interpreter loop! Good luck!
Machine CRASHED due to: unknown register
0x400x40[+] Starting interpreter loop! Good luck!
0x800x40[+] Starting interpreter loop! Good luck!
Machine CRASHED due to: unknown register

这里就知道了[SYS]对应的OP, 已经exit对应的arg1

查看程序输出信息，发现[SYS]对应的测试组里有两个time out了，仔细分析不难发现，这就是不存在的那两个系统调用，因为arg1总共8个，系统调用只有6个，所以这两个直接pass

总结一下，现在的已知信息

[SYS] 80
arg1    [open] 01 02 04 80
        [read] 01 02 04 80
        [write] 01 02 04 80
        [exit] 40
        [sleep] 01 02 04 80

0x04 横向对比

再次仔细分析程序的输出信息，发现有的[op]组有崩溃信息，有的全部超时，有的没有崩溃信息，有的一个没有超时，我们可以利用这些信息来获取进一步信息。

首先22.0 22.1的[op]崩溃信息大致相同([SYS]有细微的差别，仔细看代码，不过[SYS]我们已经知道了 可以不管 别问 问就是 钻进去了)

22.0的程序输出和res如下

0x10x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x1 arg2:0x31
[s] CMP c ?
Machine CRASHED due to: unknown register
0x20x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x2 arg2:0x31
[s] CMP ? ?
Machine CRASHED due to: unknown register
0x40x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x4 arg2:0x31
[s] CMP f ?
Machine CRASHED due to: unknown register
0x80x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x8 arg2:0x31
[s] CMP d ?
Machine CRASHED due to: unknown register
0x100x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x10 arg2:0x31
[s] CMP i ?
Machine CRASHED due to: unknown register
0x200x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x20 arg2:0x31
[s] CMP s ?
Machine CRASHED due to: unknown register
0x400x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x40 arg2:0x31
[s] CMP b ?
Machine CRASHED due to: unknown register
0x800x2[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x2 arg1:0x80 arg2:0x31
[s] CMP a ?
Machine CRASHED due to: unknown register
0x10x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x1 arg2:0x31
[s] ADD c ?
Machine CRASHED due to: unknown register
0x20x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x2 arg2:0x31
[s] ADD ? ?
Machine CRASHED due to: unknown register
0x40x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x4 arg2:0x31
[s] ADD f ?
Machine CRASHED due to: unknown register
0x80x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x8 arg2:0x31
[s] ADD d ?
Machine CRASHED due to: unknown register
0x100x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x10 arg2:0x31
[s] ADD i ?
Machine CRASHED due to: unknown register
0x200x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x20 arg2:0x31
[s] ADD s ?
Machine CRASHED due to: unknown register
0x400x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x40 arg2:0x31
[s] ADD b ?
Machine CRASHED due to: unknown register
0x800x4[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x4 arg1:0x80 arg2:0x31
[s] ADD a ?
Machine CRASHED due to: unknown register
0x20x8[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x8 arg1:0x2 arg2:0x31
[s] IMM ? = 0x31
Machine CRASHED due to: unknown register
0x10x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x1 arg2:0x31
[s] LDM c = *?
Machine CRASHED due to: unknown register
0x20x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x2 arg2:0x31
[s] LDM ? = *?
Machine CRASHED due to: unknown register
0x40x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x4 arg2:0x31
[s] LDM f = *?
Machine CRASHED due to: unknown register
0x80x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x8 arg2:0x31
[s] LDM d = *?
Machine CRASHED due to: unknown register
0x100x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x10 arg2:0x31
[s] LDM i = *?
Machine CRASHED due to: unknown register
0x200x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x20 arg2:0x31
[s] LDM s = *?
Machine CRASHED due to: unknown register
0x400x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x40 arg2:0x31
[s] LDM b = *?
Machine CRASHED due to: unknown register
0x800x10[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x10 arg1:0x80 arg2:0x31
[s] LDM a = *?
Machine CRASHED due to: unknown register
0x10x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x1 arg2:0x31
[s] STM *c = ?
Machine CRASHED due to: unknown register
0x20x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x2 arg2:0x31
[s] STM *? = ?
Machine CRASHED due to: unknown register
0x40x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x4 arg2:0x31
[s] STM *f = ?
Machine CRASHED due to: unknown register
0x80x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x8 arg2:0x31
[s] STM *d = ?
Machine CRASHED due to: unknown register
0x100x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x10 arg2:0x31
[s] STM *i = ?
Machine CRASHED due to: unknown register
0x200x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x20 arg2:0x31
[s] STM *s = ?
Machine CRASHED due to: unknown register
0x400x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x40 arg2:0x31
[s] STM *b = ?
Machine CRASHED due to: unknown register
0x800x20[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x20 arg1:0x80 arg2:0x31
[s] STM *a = ?
Machine CRASHED due to: unknown register
0x10x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x1 arg2:0x31
[s] SYS 0x1 ?
Machine CRASHED due to: unknown register
0x20x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x2 arg2:0x31
[s] SYS 0x2 ?
[s] ... sleep
Machine CRASHED due to: unknown register
0x40x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x4 arg2:0x31
[s] SYS 0x4 ?
Machine CRASHED due to: unknown register
0x80x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x8 arg2:0x31
[s] SYS 0x8 ?
[s] ... write
Machine CRASHED due to: unknown register
0x100x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x10 arg2:0x31
[s] SYS 0x10 ?
[s] ... read_memory
Machine CRASHED due to: unknown register
0x200x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x20 arg2:0x31
[s] SYS 0x20 ?
[s] ... read_code
Machine CRASHED due to: unknown register
0x400x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x40 arg2:0x31
[s] SYS 0x40 ?
[s] ... exit
0x800x40[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x40 arg1:0x80 arg2:0x31
[s] SYS 0x80 ?
[s] ... open
Machine CRASHED due to: unknown register
0x10x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x1 arg2:0x31
[s] STK c ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x20x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x2 arg2:0x31
[s] STK ? ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x40x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x4 arg2:0x31
[s] STK f ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x80x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x8 arg2:0x31
[s] STK d ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x100x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x10 arg2:0x31
[s] STK i ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x200x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x20 arg2:0x31
[s] STK s ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x400x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x40 arg2:0x31
[s] STK b ?
[s] ... pushing ?
Machine CRASHED due to: unknown register
0x800x80[+] Starting interpreter loop! Good luck!
[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x80 arg1:0x80 arg2:0x31
[s] STK a ?
[s] ... pushing ?
Machine CRASHED due to: unknown register


bytearray(b'\x011\x01')      JMP
timeout bytearray(b'\x011\x01')
bytearray(b'\x021\x01')
timeout bytearray(b'\x021\x01')
bytearray(b'\x041\x01')
timeout bytearray(b'\x041\x01')
bytearray(b'\x081\x01')
timeout bytearray(b'\x081\x01')
bytearray(b'\x101\x01')
timeout bytearray(b'\x101\x01')
bytearray(b' 1\x01')
timeout bytearray(b' 1\x01')
bytearray(b'@1\x01')
timeout bytearray(b'@1\x01')
bytearray(b'\x801\x01')
timeout bytearray(b'\x801\x01')

bytearray(b'\x011\x02') CMP
bytearray(b'\x021\x02')
bytearray(b'\x041\x02')
bytearray(b'\x081\x02')
bytearray(b'\x101\x02')
bytearray(b' 1\x02')
bytearray(b'@1\x02')
bytearray(b'\x801\x02')

bytearray(b'\x011\x04') ADD
bytearray(b'\x021\x04')
bytearray(b'\x041\x04')
bytearray(b'\x081\x04')
bytearray(b'\x101\x04')
bytearray(b' 1\x04')
bytearray(b'@1\x04')
bytearray(b'\x801\x04')

bytearray(b'\x011\x08')         IMM
timeout bytearray(b'\x011\x08')
bytearray(b'\x021\x08')
bytearray(b'\x041\x08')
timeout bytearray(b'\x041\x08')
bytearray(b'\x081\x08')
timeout bytearray(b'\x081\x08')
bytearray(b'\x101\x08')
timeout bytearray(b'\x101\x08')
bytearray(b' 1\x08')
timeout bytearray(b' 1\x08')
bytearray(b'@1\x08')
timeout bytearray(b'@1\x08')
bytearray(b'\x801\x08')
timeout bytearray(b'\x801\x08')

bytearray(b'\x011\x10') LDM
bytearray(b'\x021\x10')
bytearray(b'\x041\x10')
bytearray(b'\x081\x10')
bytearray(b'\x101\x10')
bytearray(b' 1\x10')
bytearray(b'@1\x10')
bytearray(b'\x801\x10')

bytearray(b'\x011 ') STM
bytearray(b'\x021 ')
bytearray(b'\x041 ')
bytearray(b'\x081 ')
bytearray(b'\x101 ')
bytearray(b' 1 ')
bytearray(b'@1 ')
bytearray(b'\x801 ')


bytearray(b'\x011@') SYS
bytearray(b'\x021@')
bytearray(b'\x041@')
bytearray(b'\x081@')
bytearray(b'\x101@')
bytearray(b' 1@')
bytearray(b'@1@')  exit
bytearray(b'\x801@')


bytearray(b'\x011\x80') STK
bytearray(b'\x021\x80')
bytearray(b'\x041\x80')
bytearray(b'\x081\x80')
bytearray(b'\x101\x80')
bytearray(b' 1\x80')
bytearray(b'@1\x80')
bytearray(b'\x801\x80')

可以发现的规律是:

1. JMP IMM 全部超时
2. CMP ADD LDM STM STK 全部没有超时

先从简单的入手,如何分辨IMM和JMP

测试思路:

IMM|JMP + exit

因为没有CMP，所以JMP所以测试都不会超时，但是IMM当IMM i 0x31的时候，会超时

这样就知道[IMM] [JMP] [reg_i] 一箭三雕

总结一下，现在的已知信息：

[op]
    [SYS] 80
    [IMM] 20
    [JMP] 40

[reg]
a 
b 
c 
d
s
i 02
f 

not 08

[SYS]
arg1    [open] 04
        [read] 01 80 
        [write] 10
        [exit] 40
        [sleep] 02
        20
[JMP]
arg1    [E] 

0x05 终极考验

要想获得flag, 必须知道STM 但是现在STM有5种可能,怎么才能让STM中CMP ADD LDM STK中脱颖而出呢？ 可以发现STM CMP(没有JMP)是无论如何都无法改变执行流的 其他的ADD STK LDM只要操作到reg_i(0x31 只要跳过exit就行)就会卡死

测试思路：想办法改变reg_i的值，然后没有超时的那两组就是CMP和STM

IMM other_reg 0x31
ADD i  other_reg | CMP i other_reg | LDM i other_reg| STK i other_reg| STM i other_reg
exit

总结一下:

[op]
    [SYS] 80
    [STM] 02 | 04
    [IMM] 20
    [CMP] 02 | 04
    [JMP] 40

下面的任务就是辨别STM CMP,因为STM无法改变执行流，所以只能利用CMP+JMP 测试思路：

[V] a:0 b:0 c:0 d:0 s:0 i:0x1 f:0
[I] op:0x8 arg1:0x80 arg2:0x31
[s] IMM a = 0x31
[V] a:0x31 b:0 c:0 d:0 s:0 i:0x2 f:0
[I] op:0x2 arg1:0x10 arg2:0x10
[s] CMP i i
[V] a:0x31 b:0 c:0 d:0 s:0 i:0x3 f:0x80
[I] op:0x1 arg1:0x80 arg2:0x80
[j] JMP E a
[j] ... TAKEN
+ exit

因为当前页也不知道[JMP_E]对应的arg1， 所以要一起测试，需要同时测试[CMP|STM],[JMP_E] 利用上面的脚本 稍微改一下 即可

只有CMP i i + jmp E a 才能超时，其他的都不会超时 这样我们就知道了[CMP], [JMP_E], [STM] 一箭三雕

总结一下：

[op]
    [SYS] 80
    [STM] 02
    [IMM] 20
    [CMP] 04
    [JMP] 40

[SYS]
arg1    [open] 
        [read] 
        [write] 
        [exit] 40
        [sleep] 

[JMP]
arg1    [E] 01

0x06 渐入佳境

现在还差[reg_a], [reg_c]，[open] [read] [write]不知道 知道这些 我们就可以写shellcode 获取flag了

现在我们掌握的信息已经足够多了，但是如何利用这些信息进一步获取信息呢

聪明的你一定可以发现只用[sleep]和[exit]只接受一个参数，也就是[reg_a], 所以只需要

IMM a 0x10(稍微长一点)
sleep ｜ open ｜ write ｜ read_code | read_mem
exit

这里已经很明显了 指定秒数退出的那个就是 sleep, 并且我们还知道了[reg_a] 好事成双

总结一下：

[op]
    [SYS] 80
    [STM] 02
    [IMM] 20
    [CMP] 04
    [JMP] 40

[reg]
a 04
b 
c ?
d
s
i 02
f 

not 08

[SYS]
arg1    [open] ?
        [read] ?
        [write] ?
        [exit] 40
        [sleep] 02
        20
[JMP]
arg1    [E] 01

0x07 轻舟已过万重山

现在就差[reg_c]和[open] [read] [write]了 聪明的你一定可以想到 可以利用[reg_c] 和 [read] 看看下一个shell的剩余字符的情况 便可知晓 测试思路：

IMM c 0x01
read_mem | read_write | write | open
exit

同样的需要同时测试[reg_c]和[read] 如果输入1234 如何shell得一个回话返回234

那么就说明是[reg_c]和[read]

总结一下：

[op]
    [SYS] 80
    [STM] 02
    [IMM] 20
    [CMP] 04
    [JMP] 40

[reg]
a 04
b 
c 80
d
s
i 02
f 

not 08

[SYS]
arg1    [open] 
        [read] 01 80 
        [write] 
        [exit] 40
        [sleep] 02
        20
[JMP]
arg1    [E] 01

0x08 就差一点

现在就需要知道[open] [write]就行了 测试思路：

IMM a 0x31
STM *b a 
IMM a 0x01
IMM c 0x01
write | open
exit

哪个输出了1，哪个就是write

总结一下：

[SYS]
arg1    [open] 04
        [read] 01 80 
        [write] 10
        [exit] 40
        [sleep] 02
        20

0x09 剑指flag

总结一下现在已知的所有信息:

[op]
    [SYS] 80
    [STM] 02
    [IMM] 20
    [CMP] 04
    [JMP] 40

[reg]
a 04
b 01 10 20 40
c 80
d
s
i 02
f 

not 08

[SYS]
arg1    [open] 04
        [read] 01 80 
        [write] 10
        [exit] 40
        [sleep] 02
        20
[JMP]
arg1    [E] 01

好了 shellcode 启动：

[IMM] a = 0x30
30 04 20
[IMM] c = 0x2f
2f 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x31
31 04 20
[IMM] c = 0x66
66 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x32
32 04 20
[IMM] c = 0x6c
6c 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x33
33 04 20
[IMM] c = 0x61
61 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x34
34 04 20
[IMM] c = 0x67
67 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x30
30 04 20
[IMM] c = 0x1c
1c 80 20
[SYS] open(a,b,c) arg2 a
04 04 80
[IMM] c = 0xff
ff 80 20
[SYS] read(a,b,c) arg2 c
80 80 80
[IMM] a = 1
01 04 20
[SYS] write(a,b,c)
04 10 80
[SYS] exit()
04 40 80

read_mem 和 read_code一个会输出真正的flag 一个会输出’\flag’ 至于为什么 rea_code 输出’\flag’ 请读者思考

好了直接上脚本：

str = r"""
[IMM] a = 0x30
30 04 20
[IMM] c = 0x2f
2f 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x31
31 04 20
[IMM] c = 0x66
66 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x32
32 04 20
[IMM] c = 0x6c
6c 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x33
33 04 20
[IMM] c = 0x61
61 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x34
34 04 20
[IMM] c = 0x67
67 80 20
[STM] *a = c
80 04 02
[IMM] a = 0x30
30 04 20
[IMM] c = 0x1c
1c 80 20
[SYS] open(a,b,c) arg2 a
04 04 80
[IMM] c = 0xff
ff 80 20
[SYS] read(a,b,c) arg2 c
80 80 80
[IMM] a = 1
01 04 20
[SYS] write(a,b,c)
04 10 80
[SYS] exit()
04 40 80
"""

str = str.split('\n');
f_line = [line for line in str if not line.startswith('[')]
f_line = f_line[1:-1]


bytecode = bytearray()

for line in f_line:
    for num in line.split(' '):
        bytecode.append(int(num,16))


import IPython
IPython.embed()

0x0a 我TM来了

ehco -ne “bytecode” | /challenge/level22.1 就可以获得flag 祝你成功！！