CTFlearn: Bite-code
题目来源:https://ctflearn.com/index.php?action=find_problem_details&problem_id=368
原题:
Bite-code
I dunno what bytecode is. Could you tell me what input of 'checkNum' will return true? The flag is just a 32-bit signed integer as a decimal (nothing else.) https://mega.nz/#!1qoFgBoS!zaTNExq3Bm1MjJnePjTGQyvnvLX_xZxhbGaMv_ypaxo
打开链接是一个文本文件,文件原文如下:
public static boolean checkNum(int);
descriptor: (I)Z
flags: ACC_PUBLIC, ACC_STATIC
Code:
stack=2, locals=3, args_size=1
0: iload_0
1: iconst_3
2: ishl
3: istore_1
4: iload_0
5: ldc #2 // int 525024598
7: ixor
8: istore_2
9: iload_1
10: iload_2
11: ixor
12: ldc #3 // int -889275714
14: if_icmpne 21
17: iconst_1
18: goto 22
21: iconst_0
22: ireturn
LineNumberTable:
line 3: 0
line 4: 4
line 5: 9
StackMapTable: number_of_entries = 2
frame_type = 253 /* append */
offset_delta = 21
locals = [ int, int ]
frame_type = 64 /* same_locals_1_stack_item */
stack = [ int ]
根据题目提示和文件的格式,我们可以知道这是java 的字节码。在网上查阅了字节码的命令之后我写了如下注入:
public static boolean checkNum(int);
descriptor: (I)Z //接收一个int参数返回布尔值
flags: ACC_PUBLIC, ACC_STATIC
Code:
stack=2, locals=3, args_size=1 //stack:最大操作数栈,这里操作栈深度为2;locals:局部变量所需的存储空间;args_size:方法参数个数
0: iload_0 从局部变量0中装载int类型值
1: iconst_3 将int类型常量3压入栈,栈顶=3
2: ishl 执行int类型的向左移位操作
3: istore_1 将long类型值存入局部变量1
4: iload_0 从局部变量0中装载int类型值
5: ldc #2 // int 525024598 把常量池中的项压入栈
7: ixor 对int类型值进行“逻辑异或”操作
8: istore_2 将int类型值存入局部变量2
9: iload_1 从局部变量1中装载int类型值
10: iload_2 从局部变量2中装载int类型值
11: ixor 对int类型值进行“逻辑异或”操作
12: ldc #3 // int -889275714 把常量池中的项压入栈
14: if_icmpne 21 如果两个int类型值不相等,则跳转
17: iconst_1 将int类型常量1压入栈
18: goto 22
21: iconst_0 将int类型常量0压入栈
22: ireturn 从方法中返回int类型的数据
LineNumberTable:
line 3: 0
line 4: 4
line 5: 9
StackMapTable: number_of_entries = 2
frame_type = 253 /* append */
offset_delta = 21
locals = [ int, int ]
frame_type = 64 /* same_locals_1_stack_item */
stack = [ int ]
可以看出来这个函数将整型形参x向左移动移动三位存入第一个整型变量n1。再将x与常量n2做异或得到的值存入n2。判断n1异或n2的值是否与常量n3相等,如果相等则返回true,否则返回false。这个函数写成C语言将会是这个的:
我们可以写一个程序来暴力破解出答案,经过计算得到正确的值为-1352854872
Flag值就是这个数值。
