Triple Language
题目名称的意思是三个语言,本题还确实就是三个语言。
看到题目给到的文件:
其中的 unicorn.dll 是很明显的,其实本题就是使用unicorn来模拟执行了关键的代码。
ida反编译看到main函数:两个判断函数分别使用unicorn来模拟执行了Mips32和arm架构的机器码。
mips
先看到模拟执行的mips32代码:因为符号表没有去除的,所以网上找一份unicorn模拟执行的代码对比分析即可。https://www.unicorn-engine.org/docs/tutorial.html
看到上面的 uc_open(3i64, 4i64, &v10),这里的第一个和第二个参数表示模拟执行代码的架构和模式。
通过下载unicorn的源码,在其头文件中可以找到这些数字对应的枚举值:第一个参数 3 对应 UC_ARCH_MIPS,第二个参数 4(即 1 << 2)对应 UC_MODE_MIPS32。所以上面的调用即表示模拟执行 mips32 架构的代码。
// Architecture type
// The enumerators count up from 1, so UC_ARCH_ARM64 is 2 and UC_ARCH_MIPS is 3.
// The 3 passed as the first argument of uc_open() in the decompiled main
// therefore selects UC_ARCH_MIPS.
typedef enum uc_arch {
UC_ARCH_ARM = 1, // ARM architecture (including Thumb, THUMB-2)
UC_ARCH_ARM64, // ARM-64, also called AArch64
UC_ARCH_MIPS, // Mips architecture (value 3)
UC_ARCH_X86, // X86 architecture (including x86 & x86-64)
UC_ARCH_PPC, // PowerPC architecture (currently unsupported)
UC_ARCH_SPARC, // Sparc architecture
UC_ARCH_M68K, // M68K architecture
UC_ARCH_MAX,
} uc_arch;
// Mode type
// Mode values are bit flags that only make sense together with the
// architecture passed to uc_open(): several names below share one value
// (for example UC_MODE_MIPS32, UC_MODE_32, UC_MODE_PPC32 and UC_MODE_SPARC32
// are all 1 << 2), so a raw number must be looked up in the section that
// matches the architecture argument.
typedef enum uc_mode {
UC_MODE_LITTLE_ENDIAN = 0, // little-endian mode (default mode)
UC_MODE_BIG_ENDIAN = 1 << 30, // big-endian mode
// arm / arm64
UC_MODE_ARM = 0, // ARM mode
UC_MODE_THUMB = 1 << 4, // THUMB mode (including Thumb-2)
UC_MODE_MCLASS = 1 << 5, // ARMs Cortex-M series (currently unsupported)
UC_MODE_V8 = 1 << 6, // ARMv8 A32 encodings for ARM (currently unsupported)
// arm (32bit) cpu types
UC_MODE_ARM926 = 1 << 7, // ARM926 CPU type
UC_MODE_ARM946 = 1 << 8, // ARM946 CPU type
UC_MODE_ARM1176 = 1 << 9, // ARM1176 CPU type
// ARM BE8
UC_MODE_ARMBE8 = 1 << 10, // Big-endian data and Little-endian code
// mips
UC_MODE_MICRO = 1 << 4, // MicroMips mode (currently unsupported)
UC_MODE_MIPS3 = 1 << 5, // Mips III ISA (currently unsupported)
UC_MODE_MIPS32R6 = 1 << 6, // Mips32r6 ISA (currently unsupported)
// 1 << 2 == 4: with UC_ARCH_MIPS this is the 4 passed as the second
// argument of uc_open() in the decompiled main.
UC_MODE_MIPS32 = 1 << 2, // Mips32 ISA
UC_MODE_MIPS64 = 1 << 3, // Mips64 ISA
// x86 / x64
UC_MODE_16 = 1 << 1, // 16-bit mode
UC_MODE_32 = 1 << 2, // 32-bit mode
UC_MODE_64 = 1 << 3, // 64-bit mode
// PPC
UC_MODE_PPC32 = 1 << 2, // 32-bit mode (currently unsupported)
UC_MODE_PPC64 = 1 << 3, // 64-bit mode (currently unsupported)
UC_MODE_QPX = 1 << 4, // Quad Processing eXtensions mode (currently unsupported)
// sparc
UC_MODE_SPARC32 = 1 << 2, // 32-bit mode
UC_MODE_SPARC64 = 1 << 3, // 64-bit mode
UC_MODE_V9 = 1 << 4, // SparcV9 mode (currently unsupported)
// m68k
} uc_mode;
再看到 uc_hook_add 这个函数,为UC_HOOK_CODE事件注册了钩子回调函数。这其实就好比一个调试指令,每当一条要模拟的指令得到执行前都会跳到uc_hook_add 设置的回调函数去执行。
这样仅凭程序中的代码是分析不到关键代码的,因为关键代码都是unicorn去模拟执行的,对于我们像是一个黑盒子一样,我们只知道输入和输出。
这里通过把要模拟执行的机器码dump出来,然后使用 capstone 模块以unicorn模拟执行架构和位数来对这些机器码进行一个反汇编。
from capstone import *
from capstone.arm import *
CODE = bytes([0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x00, 0x00, 0x08, 0x81, 0x02, 0x48, 0x28, 0x71, 0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x01, 0x00, 0x08, 0x81, 0x02, 0x50, 0x48, 0x71, 0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x02, 0x00, 0x08, 0x81, 0x02, 0x58, 0x68, 0x71, 0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x03, 0x00, 0x08, 0x81, 0x02, 0x60, 0x88, 0x71, 0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x04, 0x00, 0x08, 0x81, 0x02, 0x68, 0xA8, 0x71, 0x01, 0x00, 0x08, 0x3C, 0x00, 0x10, 0x08, 0x35, 0x05, 0x00, 0x08, 0x81, 0x02, 0x70, 0xC8, 0x71, 0x01, 0x00, 0x10, 0x3C, 0x00, 0x20, 0x10, 0x36, 0x01, 0x00, 0x11, 0x3C, 0x00, 0x30, 0x31, 0x36, 0x00, 0x00, 0x09, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x48, 0x39, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x0A, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x50, 0x59, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x0B, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x58, 0x79, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x0C, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x60, 0x99, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x0D, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x68, 0xB9, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x0E, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x70, 0xD9, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x0F, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0x78, 0xF9, 0x01, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26, 0x00, 0x00, 0x18, 0x82, 0x00, 0x00, 0x39, 0x82, 0x20, 0xC0, 0x19, 0x03, 0x01, 0x00, 0x10, 0x26, 0x01, 0x00, 0x31, 0x26])
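# Disassemble the dumped blob as MIPS32 (capstone defaults to little-endian),
# using the same architecture/mode pair the binary hands to unicorn.
md = Cs(CS_ARCH_MIPS, CS_MODE_32)
base = 0x10000  # display base for the listing; NOTE(review): presumably the emulated load address - confirm against the uc_mem_map call
end = base
for i in md.disasm(CODE, base):
    ins = "0x%x: %s %s" % (i.address, i.mnemonic, i.op_str)
    print(ins)
    end = i.address + i.size

# disasm() simply stops at the first bytes it cannot decode, so a short
# listing would silently hide the rest of the emulated code. Make that visible.
if end - base != len(CODE):
    print("warning: disassembly stopped at offset 0x%x of 0x%x" % (end - base, len(CODE)))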
得到:
0x10000: lui $t0, 1
0x10004: ori $t0, $t0, 0x1000
0x10008: lb $t0, ($t0)
0x1000c: mul $t1, $t1, $t0
0x10010: lui $t0, 1
0x10014: ori $t0, $t0, 0x1000
0x10018: lb $t0, 1($t0)
0x1001c: mul $t2, $t2, $t0
0x10020: lui $t0, 1
0x10024: ori $t0, $t0, 0x1000
0x10028: lb $t0, 2($t0)
0x1002c: mul $t3, $t3, $t0
0x10030: lui $t0, 1
0x10034: ori $t0, $t0, 0x1000
0x10038: lb $t0, 3($t0)
0x1003c: mul $t4, $t4, $t0
0x10040: lui $t0, 1
0x10044: ori $t0, $t0, 0x1000
0x10048: lb $t0, 4($t0)
0x1004c: mul $t5, $t5, $t0
0x10050: lui $t0, 1
0x10054: ori $t0, $t0, 0x1000
0x10058: lb $t0, 5($t0)
0x1005c: mul $t6, $t6, $t0
0x10060: lui $s0, 1
0x10064: ori $s0, $s0, 0x2000
0x10068: lui $s1, 1
0x1006c: ori $s1, $s1, 0x3000
0x10070: lb $t1, ($s0)
0x10074: lb $t9, ($s1)
0x10078: add $t1, $t1, $t9
0x1007c: addiu $s0, $s0, 1
0x10080: addiu $s1, $s1, 1
0x10084: lb $t2, ($s0)
0x10088: lb $t9, ($s1)
0x1008c: add $t2, $t2, $t9
0x10090: addiu $s0, $s0, 1
0x10094: addiu $s1, $s1, 1
0x10098: lb $t3, ($s0)
0x1009c: lb $t9, ($s1)
0x100a0: add $t3, $t3, $t9
0x100a4: addiu $s0, $s0, 1
0x100a8: addiu $s1, $s1, 1
0x100ac: lb $t4, ($s0)
0x100b0: lb $t9, ($s1)
0x100b4: add $t4, $t4, $t9
0x100b8: addiu $s0, $s0, 1
0x100bc: addiu $s1, $s1, 1
0x100c0: lb $t5, ($s0)
0x100c4: lb $t9, ($s1)
0x100c8: add $t5, $t5, $t9
0x100cc: addiu $s0, $s0, 1
0x100d0: addiu $s1, $s1, 1
0x100d4: lb $t6, ($s0)
0x100d8: lb $t9, ($s1)
0x100dc: add $t6, $t6, $t9
0x100e0: addiu $s0, $s0, 1
0x100e4: addiu $s1, $s1, 1
0x100e8: lb $t7, ($s0)
0x100ec: lb $t9, ($s1)
0x100f0: add $t7, $t7, $t9
0x100f4: addiu $s0, $s0, 1
0x100f8: addiu $s1, $s1, 1
0x100fc: lb $t8, ($s0)
0x10100: lb $t9, ($s1)
0x10104: add $t8, $t8, $t9
0x10108: addiu $s0, $s0, 1
0x1010c: addiu $s1, $s1, 1
到这篇文章查mips常见指令的含义:https://www.cnblogs.com/glodears/p/9762615.html
结合每条指令执行前调用的callback函数分析这些机器码:
看到上面是每隔0x10的机器码就有一个判断,所以我们也按照这个分块分析mips指令。
总结就是先把前6个字符与 “zjgcjy” 单字节依次相乘然后在回调函数对比乘积结果。
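后面就是输入的[6, 14]与[14, 22]两段逐字节对应相加,而在模拟执行代码之前还有它们逐字节相减的结果对比,因此解这一部分就是解8组二元一次方程,使用z3即可处理。注意下面的脚本用 8 位 BitVec 建模,和与差都是模 256 意义下的约束,仅凭这两个约束无法确定每个字节的最高位(x 与 x+0x80 同时满足),所以求解时还应把结果限制在可打印 ASCII 范围内。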
本部分总的解密脚本:
from z3 import *
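# Part 1a: each of the first six input bytes is multiplied by one byte of
# "zjgcjy" and the hook callback compares the products, so an exact integer
# division recovers the input byte.
enc_mul = [0x2F2E, 0x282A, 0x2C42, 0x2A8A, 0x13E0, 0x36D4]
mul_key = "zjgcjy"
p1 = []
for product, k in zip(enc_mul, mul_key):
    quotient, remainder = divmod(product, ord(k))
    if remainder:
        # A non-zero remainder means the constants or the key were copied wrongly.
        raise SystemExit("product 0x%x is not a multiple of %r" % (product, k))
    p1.append(quotient)

# Part 1b: the next 16 bytes are checked pairwise (byte i against byte i + 8):
# their sum must equal enc_add[i] and their difference, taken mod 256, must
# equal byte i of enc_sub.
s = Solver()
p2 = [BitVec("x%d" % i, 8) for i in range(16)]
enc_add = [194, 195, 215, 196, 218, 165, 160, 190]
enc_sub = 0x3EBB0EFAF301FC
enc_sub = enc_sub.to_bytes(8, "little")
#print(enc_sub)
for i in range(8):
    s.add(((p2[i] - p2[i + 8]) & 0xff) == enc_sub[i])
    s.add(p2[i] + p2[i + 8] == enc_add[i])
# With 8-bit arithmetic, x and x + 0x80 satisfy the same sum/difference pair,
# so the two equations alone leave the top bit of every byte undetermined.
# The input is typed text, so pin each byte to printable ASCII.
for x in p2:
    s.add(UGE(x, 0x20), ULE(x, 0x7e))
if s.check() == sat:
    m = s.model()
    p2 = [m[i].as_long() for i in p2]
else:
    # Stop here: p2 still holds symbolic variables and cannot be turned into bytes.
    raise SystemExit("Not Found!")
p = p1 + p2
print(bytes(p))
#cann0t_be_t0o_carefu1_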
arm
接着是第二部分的arm代码的模拟执行:这一部分相比上一部分就复杂得多了,从要模拟执行的机器码数量也能看出来,另外此部分还单独映射了一段内存作为栈空间:`!(unsigned int)uc_mem_map(v3, 0x10000i64, 0x1000i64, 7i64) // 栈空间`(最后一个参数 7 即 UC_PROT_ALL,表示可读、可写、可执行)。
做法同样可以使用 capstone 来反汇编机器码:
from capstone import *
from capstone.arm import *
CODE = bytes([0x04, 0xB0, 0x2D, 0xE5, 0x00, 0xB0, 0x8D, 0xE2, 0x8C, 0xD0, 0x4D, 0xE2, 0x29, 0x30, 0xA0, 0xE3, 0x28, 0x30, 0x4B, 0xE5, 0x38, 0x30, 0xA0, 0xE3, 0x27, 0x30, 0x4B, 0xE5, 0x46, 0x30, 0xA0, 0xE3, 0x26, 0x30, 0x4B, 0xE5, 0x50, 0x30, 0xA0, 0xE3, 0x25, 0x30, 0x4B, 0xE5, 0x3E, 0x30, 0xA0, 0xE3, 0x24, 0x30, 0x4B, 0xE5, 0x36, 0x30, 0xA0, 0xE3, 0x23, 0x30, 0x4B, 0xE5, 0x5E, 0x30, 0xA0, 0xE3, 0x22, 0x30, 0x4B, 0xE5, 0x42, 0x30, 0xA0, 0xE3, 0x21, 0x30, 0x4B, 0xE5, 0x3D, 0x30, 0xA0, 0xE3, 0x20, 0x30, 0x4B, 0xE5, 0x47, 0x30, 0xA0, 0xE3, 0x1F, 0x30, 0x4B, 0xE5, 0x36, 0x30, 0xA0, 0xE3, 0x1E, 0x30, 0x4B, 0xE5, 0x40, 0x30, 0xA0, 0xE3, 0x1D, 0x30, 0x4B, 0xE5, 0x3E, 0x30, 0xA0, 0xE3, 0x1C, 0x30, 0x4B, 0xE5, 0x58, 0x30, 0xA0, 0xE3, 0x1B, 0x30, 0x4B, 0xE5, 0x2A, 0x30, 0xA0, 0xE3, 0x1A, 0x30, 0x4B, 0xE5, 0x50, 0x30, 0xA0, 0xE3, 0x19, 0x30, 0x4B, 0xE5, 0x3C, 0x30, 0xA0, 0xE3, 0x18, 0x30, 0x4B, 0xE5, 0x47, 0x30, 0xA0, 0xE3, 0x17, 0x30, 0x4B, 0xE5, 0x3D, 0x30, 0xA0, 0xE3, 0x16, 0x30, 0x4B, 0xE5, 0x42, 0x30, 0xA0, 0xE3, 0x15, 0x30, 0x4B, 0xE5, 0x29, 0x30, 0xA0, 0xE3, 0x14, 0x30, 0x4B, 0xE5, 0x31, 0x30, 0xA0, 0xE3, 0x13, 0x30, 0x4B, 0xE5, 0x20, 0x30, 0xA0, 0xE3, 0x12, 0x30, 0x4B, 0xE5, 0x20, 0x30, 0xA0, 0xE3, 0x11, 0x30, 0x4B, 0xE5, 0x8C, 0x30, 0x4B, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x00, 0x30, 0xA0, 0xE3, 0x0C, 0x30, 0x0B, 0xE5, 0x50, 0x00, 0x00, 0xEA, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x23, 0x31, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x03, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x30, 0x30, 0x03, 0xE2, 0x73, 0x10, 0xAF, 0xE6, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x00, 0x83, 
0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x00, 0x30, 0xD3, 0xE7, 0x23, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x73, 0x30, 0xAF, 0xE6, 0x03, 0x30, 0x81, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x10, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x01, 0x30, 0xD3, 0xE7, 0x03, 0x31, 0xA0, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x3C, 0x30, 0x03, 0xE2, 0x73, 0x10, 0xAF, 0xE6, 0x0C, 0x30, 0x1B, 0xE5, 0x02, 0x00, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x00, 0x30, 0xD3, 0xE7, 0x23, 0x33, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x73, 0x30, 0xAF, 0xE6, 0x03, 0x30, 0x81, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x02, 0x10, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x01, 0x30, 0xD3, 0xE7, 0x3F, 0x30, 0x03, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x03, 0x30, 0x83, 0xE2, 0x0C, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x0D, 0x00, 0x53, 0xE3, 0xAB, 0xFF, 0xFF, 0xDA, 0x0C, 0x30, 0x1B, 0xE5, 0x0F, 0x00, 0x53, 0xE3, 0x52, 0x00, 0x00, 0xCA, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x23, 0x31, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x0F, 0x00, 0x53, 0xE3, 0x14, 0x00, 0x00, 0x1A, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 
0x00, 0x30, 0xD3, 0xE5, 0x03, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x30, 0x30, 0x03, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x30, 0x1B, 0xE5, 0x01, 0x20, 0x83, 0xE2, 0x08, 0x20, 0x0B, 0xE5, 0x20, 0x20, 0xA0, 0xE3, 0x00, 0x20, 0xC3, 0xE5, 0x28, 0x00, 0x00, 0xEA, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x0C, 0x10, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x03, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x30, 0x30, 0x03, 0xE2, 0x73, 0x10, 0xAF, 0xE6, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x00, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x00, 0x30, 0xD3, 0xE7, 0x23, 0x32, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x73, 0x30, 0xAF, 0xE6, 0x03, 0x30, 0x81, 0xE1, 0x73, 0x30, 0xAF, 0xE6, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x20, 0x1B, 0xE5, 0x01, 0x30, 0x82, 0xE2, 0x08, 0x30, 0x0B, 0xE5, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x10, 0x83, 0xE2, 0x24, 0x30, 0x01, 0xE3, 0x02, 0x30, 0x40, 0xE3, 0x01, 0x30, 0xD3, 0xE7, 0x03, 0x31, 0xA0, 0xE1, 0x73, 0x30, 0xEF, 0xE6, 0x3C, 0x30, 0x03, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x21, 0x30, 0x83, 0xE2, 0x73, 0x30, 0xEF, 0xE6, 0x00, 0x30, 0xC2, 0xE5, 0x08, 0x30, 0x1B, 0xE5, 0x01, 0x20, 0x83, 0xE2, 0x08, 0x20, 0x0B, 0xE5, 0x20, 0x20, 0xA0, 0xE3, 0x00, 0x20, 0xC3, 0xE5, 0x08, 0x30, 0x1B, 0xE5, 0x01, 0x20, 0x83, 0xE2, 0x08, 0x20, 0x0B, 0xE5, 0x00, 0x20, 0xA0, 0xE3, 0x00, 0x20, 0xC3, 0xE5, 0x00, 0x30, 0xA0, 0xE3, 0x0C, 0x30, 0x0B, 0xE5, 0x0E, 0x00, 0x00, 0xEA, 0x8C, 0x20, 0x4B, 0xE2, 0x0C, 0x30, 0x1B, 0xE5, 0x03, 0x30, 0x82, 0xE0, 0x00, 0x20, 0xD3, 0xE5, 0x28, 0x10, 0x4B, 0xE2, 0x0C, 0x30, 0x1B, 0xE5, 0x03, 0x30, 0x81, 0xE0, 0x00, 0x30, 0xD3, 0xE5, 0x03, 0x00, 0x52, 0xE1, 0x01, 0x00, 0x00, 0x0A, 0x00, 0x30, 0xA0, 0xE3, 0x06, 0x00, 0x00, 0xEA, 0x0C, 0x30, 0x1B, 0xE5, 0x01, 0x30, 0x83, 0xE2, 0x0C, 0x30, 0x0B, 0xE5, 0x0C, 
0x30, 0x1B, 0xE5, 0x17, 0x00, 0x53, 0xE3, 0xED, 0xFF, 0xFF, 0xDA, 0x01, 0x30, 0xA0, 0xE3, 0x03, 0x00, 0xA0, 0xE1, 0x00, 0xD0, 0x8B, 0xE2, 0x04, 0xB0, 0x9D, 0xE4])
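# Disassemble the dumped blob as 32-bit ARM (ARM mode, not Thumb).
md = Cs(CS_ARCH_ARM, CS_MODE_ARM)
base = 0x200000  # display base for the listing; NOTE(review): presumably the emulated load address - confirm against the uc_mem_map call
end = base
for i in md.disasm(CODE, base):
    ins = "0x%x: %s %s" % (i.address, i.mnemonic, i.op_str)
    print(ins)
    end = i.address + i.size

# disasm() simply stops at the first bytes it cannot decode, so a short
# listing would silently hide the rest of the emulated code. Make that visible.
if end - base != len(CODE):
    print("warning: disassembly stopped at offset 0x%x of 0x%x" % (end - base, len(CODE)))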
0x200000: str fp, [sp, #-4]!
0x200004: add fp, sp, #0
0x200008: sub sp, sp, #0x8c
0x20000c: mov r3, #0x29
0x200010: strb r3, [fp, #-0x28]
0x200014: mov r3, #0x38
0x200018: strb r3, [fp, #-0x27]
0x20001c: mov r3, #0x46
0x200020: strb r3, [fp, #-0x26]
0x200024: mov r3, #0x50
0x200028: strb r3, [fp, #-0x25]
0x20002c: mov r3, #0x3e
0x200030: strb r3, [fp, #-0x24]
0x200034: mov r3, #0x36
0x200038: strb r3, [fp, #-0x23]
0x20003c: mov r3, #0x5e
0x200040: strb r3, [fp, #-0x22]
0x200044: mov r3, #0x42
0x200048: strb r3, [fp, #-0x21]
0x20004c: mov r3, #0x3d
0x200050: strb r3, [fp, #-0x20]
0x200054: mov r3, #0x47
0x200058: strb r3, [fp, #-0x1f]
0x20005c: mov r3, #0x36
0x200060: strb r3, [fp, #-0x1e]
0x200064: mov r3, #0x40
0x200068: strb r3, [fp, #-0x1d]
0x20006c: mov r3, #0x3e
0x200070: strb r3, [fp, #-0x1c]
0x200074: mov r3, #0x58
0x200078: strb r3, [fp, #-0x1b]
0x20007c: mov r3, #0x2a
0x200080: strb r3, [fp, #-0x1a]
0x200084: mov r3, #0x50
0x200088: strb r3, [fp, #-0x19]
0x20008c: mov r3, #0x3c
0x200090: strb r3, [fp, #-0x18]
0x200094: mov r3, #0x47
0x200098: strb r3, [fp, #-0x17]
0x20009c: mov r3, #0x3d
0x2000a0: strb r3, [fp, #-0x16]
0x2000a4: mov r3, #0x42
0x2000a8: strb r3, [fp, #-0x15]
0x2000ac: mov r3, #0x29
0x2000b0: strb r3, [fp, #-0x14]
0x2000b4: mov r3, #0x31
0x2000b8: strb r3, [fp, #-0x13]
0x2000bc: mov r3, #0x20
0x2000c0: strb r3, [fp, #-0x12]
0x2000c4: mov r3, #0x20
0x2000c8: strb r3, [fp, #-0x11]
0x2000cc: sub r3, fp, #0x8c
0x2000d0: str r3, [fp, #-8]
0x2000d4: mov r3, #0
0x2000d8: str r3, [fp, #-0xc]
0x2000dc: b #0x200224
0x2000e0: ldr r2, [fp, #-8]
0x2000e4: add r3, r2, #1
0x2000e8: str r3, [fp, #-8]
0x2000ec: movw r3, #0x1024
0x2000f0: movt r3, #2
0x2000f4: ldr r1, [fp, #-0xc]
0x2000f8: add r3, r3, r1
0x2000fc: ldrb r3, [r3]
0x200100: lsr r3, r3, #2
0x200104: uxtb r3, r3
0x200108: add r3, r3, #0x21
0x20010c: uxtb r3, r3
0x200110: strb r3, [r2]
0x200114: ldr r2, [fp, #-8]
0x200118: add r3, r2, #1
0x20011c: str r3, [fp, #-8]
0x200120: movw r3, #0x1024
0x200124: movt r3, #2
0x200128: ldr r1, [fp, #-0xc]
0x20012c: add r3, r3, r1
0x200130: ldrb r3, [r3]
0x200134: lsl r3, r3, #4
0x200138: sxtb r3, r3
0x20013c: and r3, r3, #0x30
0x200140: sxtb r1, r3
0x200144: ldr r3, [fp, #-0xc]
0x200148: add r0, r3, #1
0x20014c: movw r3, #0x1024
0x200150: movt r3, #2
0x200154: ldrb r3, [r3, r0]
0x200158: lsr r3, r3, #4
0x20015c: uxtb r3, r3
0x200160: sxtb r3, r3
0x200164: orr r3, r1, r3
0x200168: sxtb r3, r3
0x20016c: uxtb r3, r3
0x200170: add r3, r3, #0x21
0x200174: uxtb r3, r3
0x200178: strb r3, [r2]
0x20017c: ldr r2, [fp, #-8]
0x200180: add r3, r2, #1
0x200184: str r3, [fp, #-8]
0x200188: ldr r3, [fp, #-0xc]
0x20018c: add r1, r3, #1
0x200190: movw r3, #0x1024
0x200194: movt r3, #2
0x200198: ldrb r3, [r3, r1]
0x20019c: lsl r3, r3, #2
0x2001a0: sxtb r3, r3
0x2001a4: and r3, r3, #0x3c
0x2001a8: sxtb r1, r3
0x2001ac: ldr r3, [fp, #-0xc]
0x2001b0: add r0, r3, #2
0x2001b4: movw r3, #0x1024
0x2001b8: movt r3, #2
0x2001bc: ldrb r3, [r3, r0]
0x2001c0: lsr r3, r3, #6
0x2001c4: uxtb r3, r3
0x2001c8: sxtb r3, r3
0x2001cc: orr r3, r1, r3
0x2001d0: sxtb r3, r3
0x2001d4: uxtb r3, r3
0x2001d8: add r3, r3, #0x21
0x2001dc: uxtb r3, r3
0x2001e0: strb r3, [r2]
0x2001e4: ldr r2, [fp, #-8]
0x2001e8: add r3, r2, #1
0x2001ec: str r3, [fp, #-8]
0x2001f0: ldr r3, [fp, #-0xc]
0x2001f4: add r1, r3, #2
0x2001f8: movw r3, #0x1024
0x2001fc: movt r3, #2
0x200200: ldrb r3, [r3, r1]
0x200204: and r3, r3, #0x3f
0x200208: uxtb r3, r3
0x20020c: add r3, r3, #0x21
0x200210: uxtb r3, r3
0x200214: strb r3, [r2]
0x200218: ldr r3, [fp, #-0xc]
0x20021c: add r3, r3, #3
0x200220: str r3, [fp, #-0xc]
0x200224: ldr r3, [fp, #-0xc]
0x200228: cmp r3, #0xd
0x20022c: ble #0x2000e0
0x200230: ldr r3, [fp, #-0xc]
0x200234: cmp r3, #0xf
0x200238: bgt #0x200388
0x20023c: ldr r2, [fp, #-8]
0x200240: add r3, r2, #1
0x200244: str r3, [fp, #-8]
0x200248: movw r3, #0x1024
0x20024c: movt r3, #2
0x200250: ldr r1, [fp, #-0xc]
0x200254: add r3, r3, r1
0x200258: ldrb r3, [r3]
0x20025c: lsr r3, r3, #2
0x200260: uxtb r3, r3
0x200264: add r3, r3, #0x21
0x200268: uxtb r3, r3
0x20026c: strb r3, [r2]
0x200270: ldr r3, [fp, #-0xc]
0x200274: cmp r3, #0xf
0x200278: bne #0x2002d0
0x20027c: ldr r2, [fp, #-8]
0x200280: add r3, r2, #1
0x200284: str r3, [fp, #-8]
0x200288: movw r3, #0x1024
0x20028c: movt r3, #2
0x200290: ldr r1, [fp, #-0xc]
0x200294: add r3, r3, r1
0x200298: ldrb r3, [r3]
0x20029c: lsl r3, r3, #4
0x2002a0: uxtb r3, r3
0x2002a4: and r3, r3, #0x30
0x2002a8: uxtb r3, r3
0x2002ac: add r3, r3, #0x21
0x2002b0: uxtb r3, r3
0x2002b4: strb r3, [r2]
0x2002b8: ldr r3, [fp, #-8]
0x2002bc: add r2, r3, #1
0x2002c0: str r2, [fp, #-8]
0x2002c4: mov r2, #0x20
0x2002c8: strb r2, [r3]
0x2002cc: b #0x200374
0x2002d0: ldr r2, [fp, #-8]
0x2002d4: add r3, r2, #1
0x2002d8: str r3, [fp, #-8]
0x2002dc: movw r3, #0x1024
0x2002e0: movt r3, #2
0x2002e4: ldr r1, [fp, #-0xc]
0x2002e8: add r3, r3, r1
0x2002ec: ldrb r3, [r3]
0x2002f0: lsl r3, r3, #4
0x2002f4: sxtb r3, r3
0x2002f8: and r3, r3, #0x30
0x2002fc: sxtb r1, r3
0x200300: ldr r3, [fp, #-0xc]
0x200304: add r0, r3, #1
0x200308: movw r3, #0x1024
0x20030c: movt r3, #2
0x200310: ldrb r3, [r3, r0]
0x200314: lsr r3, r3, #4
0x200318: uxtb r3, r3
0x20031c: sxtb r3, r3
0x200320: orr r3, r1, r3
0x200324: sxtb r3, r3
0x200328: uxtb r3, r3
0x20032c: add r3, r3, #0x21
0x200330: uxtb r3, r3
0x200334: strb r3, [r2]
0x200338: ldr r2, [fp, #-8]
0x20033c: add r3, r2, #1
0x200340: str r3, [fp, #-8]
0x200344: ldr r3, [fp, #-0xc]
0x200348: add r1, r3, #1
0x20034c: movw r3, #0x1024
0x200350: movt r3, #2
0x200354: ldrb r3, [r3, r1]
0x200358: lsl r3, r3, #2
0x20035c: uxtb r3, r3
0x200360: and r3, r3, #0x3c
0x200364: uxtb r3, r3
0x200368: add r3, r3, #0x21
0x20036c: uxtb r3, r3
0x200370: strb r3, [r2]
0x200374: ldr r3, [fp, #-8]
0x200378: add r2, r3, #1
0x20037c: str r2, [fp, #-8]
0x200380: mov r2, #0x20
0x200384: strb r2, [r3]
0x200388: ldr r3, [fp, #-8]
0x20038c: add r2, r3, #1
0x200390: str r2, [fp, #-8]
0x200394: mov r2, #0
0x200398: strb r2, [r3]
0x20039c: mov r3, #0
0x2003a0: str r3, [fp, #-0xc]
0x2003a4: b #0x2003e4
0x2003a8: sub r2, fp, #0x8c
0x2003ac: ldr r3, [fp, #-0xc]
0x2003b0: add r3, r2, r3
0x2003b4: ldrb r2, [r3]
0x2003b8: sub r1, fp, #0x28
0x2003bc: ldr r3, [fp, #-0xc]
0x2003c0: add r3, r1, r3
0x2003c4: ldrb r3, [r3]
0x2003c8: cmp r2, r3
0x2003cc: beq #0x2003d8
0x2003d0: mov r3, #0
0x2003d4: b #0x2003f4
0x2003d8: ldr r3, [fp, #-0xc]
0x2003dc: add r3, r3, #1
0x2003e0: str r3, [fp, #-0xc]
0x2003e4: ldr r3, [fp, #-0xc]
0x2003e8: cmp r3, #0x17
0x2003ec: ble #0x2003a8
0x2003f0: mov r3, #1
0x2003f4: mov r0, r3
0x2003f8: add sp, fp, #0
0x2003fc: pop {fp}
但这样继续手撸arm指令确实太麻烦了,想到 ida 本就有这个功能,还能反编译呢。所以复制机器码到一个文件,ida打开,设置好架构和基地址,得到反编译后的关键函数:
不难发现这个关键加密算法其实就类似base64,但把码表改成了加 33 ,直接解了一下得到:!you_are_wrong!!
后面才发现这其实是错的,原因是密文被变换过的,在UC_HOOK_CODE事件注册的钩子回调函数:这里的69代表r3寄存器。
按照同样的逻辑修改密文:
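>>> # Ciphertext bytes as stored by the mov/strb pairs at the start of the ARM
>>> # code. The UC_HOOK_CODE callback changes r3 before some of those stores,
>>> # so the same adjustments are replayed here. Each mov/strb pair is 8 bytes
>>> # long, hence index = (code offset - 0x10) // 8.
>>> s = [41, 56, 70, 80, 62, 54, 94, 66, 61, 71, 54, 64, 62, 88, 42, 80, 60, 71, 61, 66, 41, 49]
>>> s[0] += 15
>>> s[(0x58-0x10)//8] += 15
>>> s[(0x18-0x10)//8] ^= 0x6f
>>> s[(0x20-0x10)//8] -= 12
>>> s[(0x40-0x10)//8] -= 12
>>> s[(0x28-0x10)//8] ^= 0x12
>>> s[(0x30-0x10)//8] -= 5
>>> s[(0x70-0x10)//8] -= 5
>>> s[(0x38-0x10)//8] += 33
>>> s[(0x48-0x10)//8] ^= 0xd
>>> s[(0x50-0x10)//8] -= 3
>>> s[(0x60-0x10)//8] ^= 0x68
>>> s[(0x68-0x10)//8] ^= 0xa
>>> s[(0x78-0x10)//8] -= 33
>>> s[(0x80-0x10)//8] += 48
>>> s[(0x88-0x10)//8] ^= 0x18
>>> s[(0x90-0x10)//8] += 2
>>> s[(0x98-0x10)//8] -= 16
>>> s[(0xa0-0x10)//8] ^= 0x1b
>>> s[(0xa8-0x10)//8] += 6
>>> s[(0xb0-0x10)//8] ^= 0x13
>>> bytes(s)
b'8W:B9WRO:V^J97ZH>7&H:1'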
得到正确密文:8W:B9WRO:V^J97ZH>7&H:1,解密得到:_faclng_ianguage
最后还有开始的4字节,一个crc类算法,应该魔改过,结果要等于 0xCAFABCBC
解这里爆破即可。
本部分总的解密脚本:
crc = [0x00000000, 0xF26B8303, 0xE13B70F7, 0x1350F3F4, 0xC79A971F, 0x35F1141C, 0x26A1E7E8, 0xD4CA64EB, 0x8AD958CF, 0x78B2DBCC, 0x6BE22838, 0x9989AB3B, 0x4D43CFD0, 0xBF284CD3, 0xAC78BF27, 0x5E133C24, 0x105EC76F, 0xE235446C, 0xF165B798, 0x030E349B, 0xD7C45070, 0x25AFD373, 0x36FF2087, 0xC494A384, 0x9A879FA0, 0x68EC1CA3, 0x7BBCEF57, 0x89D76C54, 0x5D1D08BF, 0xAF768BBC, 0xBC267848, 0x4E4DFB4B, 0x20BD8EDE, 0xD2D60DDD, 0xC186FE29, 0x33ED7D2A, 0xE72719C1, 0x154C9AC2, 0x061C6936, 0xF477EA35, 0xAA64D611, 0x580F5512, 0x4B5FA6E6, 0xB93425E5, 0x6DFE410E, 0x9F95C20D, 0x8CC531F9, 0x7EAEB2FA, 0x30E349B1, 0xC288CAB2, 0xD1D83946, 0x23B3BA45, 0xF779DEAE, 0x05125DAD, 0x1642AE59, 0xE4292D5A, 0xBA3A117E, 0x4851927D, 0x5B016189, 0xA96AE28A, 0x7DA08661, 0x8FCB0562, 0x9C9BF696, 0x6EF07595, 0x417B1DBC, 0xB3109EBF, 0xA0406D4B, 0x522BEE48, 0x86E18AA3, 0x748A09A0, 0x67DAFA54, 0x95B17957, 0xCBA24573, 0x39C9C670, 0x2A993584, 0xD8F2B687, 0x0C38D26C, 0xFE53516F, 0xED03A29B, 0x1F682198, 0x5125DAD3, 0xA34E59D0, 0xB01EAA24, 0x42752927, 0x96BF4DCC, 0x64D4CECF, 0x77843D3B, 0x85EFBE38, 0xDBFC821C, 0x2997011F, 0x3AC7F2EB, 0xC8AC71E8, 0x1C661503, 0xEE0D9600, 0xFD5D65F4, 0x0F36E6F7, 0x61C69362, 0x93AD1061, 0x80FDE395, 0x72966096, 0xA65C047D, 0x5437877E, 0x4767748A, 0xB50CF789, 0xEB1FCBAD, 0x197448AE, 0x0A24BB5A, 0xF84F3859, 0x2C855CB2, 0xDEEEDFB1, 0xCDBE2C45, 0x3FD5AF46, 0x7198540D, 0x83F3D70E, 0x90A324FA, 0x62C8A7F9, 0xB602C312, 0x44694011, 0x5739B3E5, 0xA55230E6, 0xFB410CC2, 0x092A8FC1, 0x1A7A7C35, 0xE811FF36, 0x3CDB9BDD, 0xCEB018DE, 0xDDE0EB2A, 0x2F8B6829, 0x82F63B78, 0x709DB87B, 0x63CD4B8F, 0x91A6C88C, 0x456CAC67, 0xB7072F64, 0xA457DC90, 0x563C5F93, 0x082F63B7, 0xFA44E0B4, 0xE9141340, 0x1B7F9043, 0xCFB5F4A8, 0x3DDE77AB, 0x2E8E845F, 0xDCE5075C, 0x92A8FC17, 0x60C37F14, 0x73938CE0, 0x81F80FE3, 0x55326B08, 0xA759E80B, 0xB4091BFF, 0x466298FC, 0x1871A4D8, 0xEA1A27DB, 0xF94AD42F, 0x0B21572C, 0xDFEB33C7, 0x2D80B0C4, 0x3ED04330, 0xCCBBC033, 0xA24BB5A6, 0x502036A5, 0x4370C551, 0xB11B4652, 0x65D122B9, 0x97BAA1BA, 
0x84EA524E, 0x7681D14D, 0x2892ED69, 0xDAF96E6A, 0xC9A99D9E, 0x3BC21E9D, 0xEF087A76, 0x1D63F975, 0x0E330A81, 0xFC588982, 0xB21572C9, 0x407EF1CA, 0x532E023E, 0xA145813D, 0x758FE5D6, 0x87E466D5, 0x94B49521, 0x66DF1622, 0x38CC2A06, 0xCAA7A905, 0xD9F75AF1, 0x2B9CD9F2, 0xFF56BD19, 0x0D3D3E1A, 0x1E6DCDEE, 0xEC064EED, 0xC38D26C4, 0x31E6A5C7, 0x22B65633, 0xD0DDD530, 0x0417B1DB, 0xF67C32D8, 0xE52CC12C, 0x1747422F, 0x49547E0B, 0xBB3FFD08, 0xA86F0EFC, 0x5A048DFF, 0x8ECEE914, 0x7CA56A17, 0x6FF599E3, 0x9D9E1AE0, 0xD3D3E1AB, 0x21B862A8, 0x32E8915C, 0xC083125F, 0x144976B4, 0xE622F5B7, 0xF5720643, 0x07198540, 0x590AB964, 0xAB613A67, 0xB831C993, 0x4A5A4A90, 0x9E902E7B, 0x6CFBAD78, 0x7FAB5E8C, 0x8DC0DD8F, 0xE330A81A, 0x115B2B19, 0x020BD8ED, 0xF0605BEE, 0x24AA3F05, 0xD6C1BC06, 0xC5914FF2, 0x37FACCF1, 0x69E9F0D5, 0x9B8273D6, 0x88D28022, 0x7AB90321, 0xAE7367CA, 0x5C18E4C9, 0x4F48173D, 0xBD23943E, 0xF36E6F75, 0x0105EC76, 0x12551F82, 0xE03E9C81, 0x34F4F86A, 0xC69F7B69, 0xD5CF889D, 0x27A40B9E, 0x79B737BA, 0x8BDCB4B9, 0x988C474D, 0x6AE7C44E, 0xBE2DA0A5, 0x4C4623A6, 0x5F16D052, 0xAD7D5351, 0xD76AA478]
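import itertools

# Brute-force the first four input bytes: run the table-driven CRC loop over
# every candidate and stop at the first one whose inverted result matches the
# value the binary compares against.
p1 = None
for candidate in itertools.product(range(0x20, 0x7b), repeat=4):
    v1 = 0xffffffff  # same start value as -1 masked to 32 bits
    for m in candidate:
        # v1 and every table entry fit in 32 bits, so the result does too.
        v1 = (v1 >> 8) ^ crc[(m ^ v1) & 0xff]
    if ((~v1) & 0xffffffff) == 0xCAFABCBC:
        p1 = list(candidate)
        print(bytes(p1))
        break

if p1 is None:
    # Without this check the code after the search would run with a wrong prefix.
    raise SystemExit("no 4-byte prefix in 0x20..0x7a matches 0xCAFABCBC")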
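# Undo the base64-like encoding: every ciphertext character is a 6-bit value
# plus 33. The commented-out string is the ciphertext as it appears in the ARM
# code, and the active one is the ciphertext after replaying the hook
# callback's changes.
#enc = ")8FP>6^B=G6@>X*P<G=B)1"
enc = "8W:B9WRO:V^J97ZH>7&H:1"
data = [ord(ch) - 33 for ch in enc]
#print(data)
ans = "".join(bin(v)[2:].rjust(6, "0") for v in data)
#print(ans)
# 22 characters give 132 bits: 16 whole bytes, and the trailing 4 padding
# bits are dropped by the integer division.
p2 = [int(ans[8 * i:8 * (i + 1)], 2) for i in range(len(ans) // 8)]
print(bytes(p1 + p2))
#when_faclng_ianguage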
结束
最后两部分输入程序得到flag。
Enter input1 :
cann0t_be_t0o_carefu1_
Part 1 completed! Congratulations! Just keep alive.
Enter input2 :when_faclng_ianguage
Good Work!
You survived!
Flag is flag{0e84fe424762de65491829fdf7b75cec}
crackPYC
因为所给python字节码简单且少,根据所给字节码还原出对应的python代码。
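def keyinit(key):
    """Append the eight key-stream bytes to *key* in place.

    Starting from 0, the state is decremented by a fixed constant and reduced
    eight times; after each step the bits above bit 23 are appended. Returns
    None, and the caller reads the result from the list it passed in.
    """
    num = 0
    for i in range(8):
        num -= 7508399208111569251
        # The modulus is 2**32 - 1, not 2**32. It is kept exactly as
        # reconstructed, because the key bytes depend on it.
        num %= 4294967295
        key.append(num >> 24)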
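if __name__ == "__main__":
    # Reconstructed flag checker: XOR the input with the repeating 8-byte key
    # from keyinit() and compare the result with the embedded ciphertext.
    print("Can you crack pyc?")
    # `str` shadows the builtin; the name is kept as in the reconstruction.
    str = input("Plz give me your flag:")
    text = [108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97, 45, 254, 250, 172, 43, 62]
    # An input shorter than 32 characters raises IndexError on str[31].
    if str[0:7] == "DASCTF{" and str[31] == "}":
        key = []
        keyinit(key)
        st = list(str)
        for i in range(len(str)):
            # Overwrite each character with its XORed value so that `st` becomes
            # a list of ints comparable with `text`.
            # NOTE(review): confirm this store against the bytecode.
            st[i] = ord(str[i]) ^ key[i % len(key)]
        if st == text:
            print("Congratulations and you are good at PYC!")
        else:
            print("Sorry,plz learn more about pyc.")
    else:
        print("Bye bye~~")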
接着再逆向一下加密算法即可。
>>> a
[108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97, 45, 254, 250, 172, 43, 62]
>>> flag = [a[i]^key[i%len(key)] for i in range(len(a))]
>>> flag
[252, 48, 152, 160, 77, 208, 148, 246, 208, 57, 148, 174, 96, 201, 214, 147, 193, 80, 148, 149, 118, 227, 176, 130, 231, 64, 159, 188, 41, 200, 223, 187]
>>> key = []
>>> num = 0
>>> for i in range(8):
... num -= 7508399208111569251
... num %= 4294967295
... key.append(num >> 24)
...
>>> key
[40, 80, 121, 161, 202, 242, 27, 67]
>>> a
[108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97, 45, 254, 250, 172, 43, 62]
>>> flag = [a[i]^key[i%len(key)] for i in range(len(a))]
>>> flag
[68, 65, 83, 67, 84, 70, 123, 48, 104, 72, 95, 77, 121, 95, 57, 85, 121, 33, 95, 118, 111, 117, 95, 68, 95, 49, 84, 95, 48, 94, 48, 125]
>>> bytes(flag)
b'DASCTF{0hH_My_9Uy!_vou_D_1T_0^0}'
DASCTF{0hH_My_9Uy!_vou_D_1T_0^0}