很痛苦,感觉自己是个废物
fpbe:在反编译文件中找到的特定函数属于 libbpf.h
然后就一直在看LLVM eBPF编程,经过队友的提示,需要把ebpf提取出,解方程即可。
发现在fpbe_bpf__create_skeleton可以看到初始化skeleton时也初始化了BPF字节码和BPF程序,所以BPF字节码在0x4F4018,长度为1648。
所以先用 binwalk 提取:`binwalk -D=elf fpbe`,把 eBPF 字节码提取出来;提取出的 F4018 多出好多东西,删一删,然后用 `llvm-objdump -d F4018` 反汇编,但是不行
F4018: file format elf64-bpf
error: unable to get target for 'bpfel--', see --version and --triple.
类型不支持,好像是llvm需要加什么东西。。。LLVM 后端实践笔记 9:ELF 文件支持
手搓eBPF?
开玩笑怎么可能,最后在github上找到了eBPF_processor相当于支持IDA反编译ebpf,好牛。
uprobe_func:0000000000000008 uprobe:
uprobe_func:0000000000000008 ldxdw r2, [r1+0x68]
uprobe_func:0000000000000010 lsh r2, 0x20
uprobe_func:0000000000000018 rsh r2, 0x20
uprobe_func:0000000000000020 ldxdw r3, [r1+0x70]
uprobe_func:0000000000000028 lsh r3, 0x20
uprobe_func:0000000000000030 rsh r3, 0x20
uprobe_func:0000000000000038 mov r4, r3
uprobe_func:0000000000000040 mul r4, 28096
uprobe_func:0000000000000048 mov r5, r2
uprobe_func:0000000000000050 mul r5, 64392
uprobe_func:0000000000000058 add r5, r4
uprobe_func:0000000000000060 ldxdw r4, [r1+0x60]
uprobe_func:0000000000000068 lsh r4, 0x20
uprobe_func:0000000000000070 rsh r4, 0x20
uprobe_func:0000000000000078 mov r0, r4
uprobe_func:0000000000000080 mul r0, 29179
uprobe_func:0000000000000088 add r5, r0
uprobe_func:0000000000000090 ldxdw r1, [r1+0x58]
uprobe_func:0000000000000098 mov r0, 0
uprobe_func:00000000000000A0 stxb [r10-8], r0
uprobe_func:00000000000000A8 stxdw [r10-0x10], r0
uprobe_func:00000000000000B0 stxdw [r10-0x18], r0
uprobe_func:00000000000000B8 lsh r1, 0x20
uprobe_func:00000000000000C0 rsh r1, 0x20
uprobe_func:00000000000000C8 mov r0, r1
uprobe_func:00000000000000D0 mul r0, 0xCC8E
uprobe_func:00000000000000D8 add r5, r0
uprobe_func:00000000000000E0 mov r6, 1
uprobe_func:00000000000000E8 lddw r0, 0xBE18A1735995
uprobe_func:00000000000000F8 jne r5, r0, LBB0_5
uprobe_func:0000000000000100 mov r5, r3
uprobe_func:0000000000000108 mul r5, 0xF1BF
uprobe_func:0000000000000110 mov r0, r2
uprobe_func:0000000000000118 mul r0, 0x6AE5
uprobe_func:0000000000000120 add r0, r5
uprobe_func:0000000000000128 mov r5, r4
uprobe_func:0000000000000130 mul r5, 0xADD3
uprobe_func:0000000000000138 add r0, r5
uprobe_func:0000000000000140 mov r5, r1
uprobe_func:0000000000000148 mul r5, 0x9284
uprobe_func:0000000000000150 add r0, r5
uprobe_func:0000000000000158 lddw r5, 0xA556E5540340
uprobe_func:0000000000000168 jne r0, r5, LBB0_5
uprobe_func:0000000000000170 mov r5, r3
uprobe_func:0000000000000178 mul r5, 0xDD85
uprobe_func:0000000000000180 mov r0, r2
uprobe_func:0000000000000188 mul r0, 0x8028
uprobe_func:0000000000000190 add r0, r5
uprobe_func:0000000000000198 mov r5, r4
uprobe_func:00000000000001A0 mul r5, 0x652D
uprobe_func:00000000000001A8 add r0, r5
uprobe_func:00000000000001B0 mov r5, r1
uprobe_func:00000000000001B8 mul r5, 0xE712
uprobe_func:00000000000001C0 add r0, r5
uprobe_func:00000000000001C8 lddw r5, 0xA6F374484DA3
uprobe_func:00000000000001D8 jne r0, r5, LBB0_5
uprobe_func:00000000000001E0 mov r5, r3
uprobe_func:00000000000001E8 mul r5, 0x822C
uprobe_func:00000000000001F0 mov r0, r2
uprobe_func:00000000000001F8 mul r0, 0xCA43
uprobe_func:0000000000000200 add r0, r5
uprobe_func:0000000000000208 mov r5, r4
uprobe_func:0000000000000210 mul r5, 0x7C8E
uprobe_func:0000000000000218 add r0, r5
uprobe_func:0000000000000220 mov r5, r1
uprobe_func:0000000000000228 mul r5, 0xF23A
uprobe_func:0000000000000230 add r0, r5
uprobe_func:0000000000000238 lddw r5, 0xB99C485A7277
uprobe_func:0000000000000248 jne r0, r5, LBB0_5
uprobe_func:0000000000000250 stxw [r10-0xC], r1
uprobe_func:0000000000000258 stxw [r10-0x10], r4
uprobe_func:0000000000000260 stxw [r10-0x14], r2
uprobe_func:0000000000000268 stxw [r10-0x18], r3
uprobe_func:0000000000000270 lddw r1, 755886917287302211
uprobe_func:0000000000000280 stxdw [r10-0x28], r1
uprobe_func:0000000000000288 lddw r1, 5064333215653776454
uprobe_func:0000000000000298 stxdw [r10-0x30], r1
uprobe_func:00000000000002A0 lddw r1, 2329017756590022981
uprobe_func:00000000000002B0 stxdw [r10-0x38], r1
uprobe_func:00000000000002B8 lddw r1, 5642803763628229975
uprobe_func:00000000000002C8 stxdw [r10-0x40], r1
uprobe_func:00000000000002D0 mov r6, 0
uprobe_func:00000000000002D8 stxb [r10-0x20], r6
uprobe_func:00000000000002E0 mov r1, r10
uprobe_func:00000000000002E8 add r1, -0x40
uprobe_func:00000000000002F0 mov r3, r10
uprobe_func:00000000000002F8 add r3, -0x18
uprobe_func:0000000000000300 mov r2, 0x21
uprobe_func:0000000000000308 call 6 ; long bpf_trace_printk(const char *fmt, __u32 fmt_size, ...)
uprobe_func:0000000000000310
uprobe_func:0000000000000310 LBB0_5: ; CODE XREF: uprobe+F0↑j
uprobe_func:0000000000000310 ; uprobe+160↑j ...
uprobe_func:0000000000000310 mov r0, r6
uprobe_func:0000000000000318 ret
z3脚本
uprobe_func 函数读入的四个 32 位值(下面记为 r1,r2,r3,r4,与 eBPF 寄存器编号不对应)应当满足方程组
28096*r1+64392*r2+29179*r3+52366*r4 == 209012997183893
61887*r1+27365*r2+44499*r3+37508*r4 == 181792633258816
56709*r1+32808*r2+25901*r3+59154*r4 == 183564558159267
33324*r1+51779*r2+31886*r3+62010*r4 == 204080879923831
from z3 import *
from Crypto.Util.number import *
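# Recover the four 32-bit input words that make uprobe_func reach the
# success path. The coefficients and constants below are the ones the
# disassembly multiplies/compares against in its four check blocks.
r1 = Int('r1')
r2 = Int('r2')
r3 = Int('r3')
r4 = Int('r4')
s = Solver()
# Every input is zero-extended with `lsh 0x20 / rsh 0x20` before use, so
# each unknown is an unsigned 32-bit word; bounding it keeps the solver
# from wandering into values the program could never have read.
for word in (r1, r2, r3, r4):
    s.add(word >= 0, word <= 0xFFFFFFFF)
s.add(28096*r1+64392*r2+29179*r3+52366*r4 == 209012997183893)
s.add(61887*r1+27365*r2+44499*r3+37508*r4 == 181792633258816)
s.add(56709*r1+32808*r2+25901*r3+59154*r4 == 183564558159267)
s.add(33324*r1+51779*r2+31886*r3+62010*r4 == 204080879923831)
if s.check() == sat:
    flag = b""
    m = s.model()
    # The program stores the words back-to-back with stxw, so each one is
    # exactly 4 little-endian bytes. A variable-length conversion such as
    # long_to_bytes(...)[::-1] would drop a leading zero byte and silently
    # shorten the flag; to_bytes(4, "little") keeps the width fixed.
    for word in [r1, r2, r3, r4]:
        flag += m[word].as_long().to_bytes(4, "little")
    print(flag)
else:
    # Make a failed solve visible instead of exiting with no output.
    print("unsat")
# 0vR3sAlbs8pD2h53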
the_shellcode
强壳 Themida ,TMD壳,看了好多不会脱。。。
Contra 20482048,之后看



