Hgame Ctf write up (3&4)
这是第三周和第四周的逆向题。
好像没有师傅写wp
恰巧第一次碰到webassembly 想记录一下
第三周
0x00 easy_math
// IDA pseudocode of easy_math's main() (week 3).
// Flow: roll a dice and require the user to guess it, then read a flag that
// must be exactly 32 characters and hand it to math_part(). The dice check
// never touches the flag, so a static solve can ignore it; actually running
// the binary would need a correct guess or a patch of the `input != v21`
// branch. Argument/return types are IDA's; the trailing `v4`/`v6`/`v9`/...
// operands passed as a third argument to operator<< appear to be leftover
// register values (decompiler artifacts), not real parameters.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rax
__int64 v4; // rdx
unsigned int v5; // ebx
__int64 v6; // rdx
__int64 v7; // rax
__int64 v8; // rax
__int64 v9; // rdx
__int64 v10; // rax
__int64 v11; // rax
__int64 v12; // rdx
__int64 v13; // rax
__int64 v14; // rdx
__int64 v15; // rax
__int64 v16; // rax
__int64 v17; // rdx
__int64 v18; // rax
unsigned int input; //
unsigned int v21; //
__int64 flags; //
unsigned __int64 v23; //
v23 = __readfsqword(0x28u); // stack-protector canary (fs:0x28)
v3 = std::operator<<<std::char_traits<char>>(
(__int64)&std::cout,
(__int64)"to continue, you have to guess the value of my dice first!",
(__int64)envp);
std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
v21 = rolling_dice(); // expected value; rolling_dice() is not shown on this page
std::operator<<<std::char_traits<char>>(
(__int64)&std::cout,
(__int64)"now the dice have been rolled, guess what it is: ",
v4);
std::istream::operator>>(&std::cin, &input); // user's guess; the stream's fail state is never checked
v5 = input;
// Echoes the expected value, but only after the guess has been read.
v7 = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"expected: ", v6);
v8 = std::ostream::operator<<(v7, v21);
v10 = std::operator<<<std::char_traits<char>>(v8, (__int64)", guess: ", v9);
v11 = std::ostream::operator<<(v10, v5);
std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);
if ( input != v21 ) // wrong guess: terminate before any flag handling
{
v13 = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"you are bad at guessing dice", v12);
std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);
exit(0);
}
std::operator<<<std::char_traits<char>>(
(__int64)&std::cout,
(__int64)"wow, you are good at dice-guessing, now give me your flag: ",
v12);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&flags);
std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &flags); // whitespace-delimited read
if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length(&flags) != 32 ) // flag must be exactly 32 chars
{
v15 = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"assert len(flag) == 32", v14);
std::ostream::operator<<(v15, &std::endl<char,std::char_traits<char>>);
exit(0);
}
v16 = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"now the math part...", v14);
std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);
if ( (unsigned __int8)math_part((__int64)&flags) ) // non-zero == all 32 equations satisfied
v18 = std::operator<<<std::char_traits<char>>(
(__int64)&std::cout,
(__int64)"wow, you are good at doing math too, you deserve to have the flag, just submit it!",
v17);
else
v18 = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"you are bad at doing math", v17);
std::ostream::operator<<(v18, &std::endl<char,std::char_traits<char>>);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&flags);
return 0;
}
程序先让用户输入一个数字，必须与 rolling_dice() 的返回值相同才能进入下一步。这一步完全不涉及 flag，静态分析时可以不理（若要真正运行程序，则需要猜对，或者 patch 掉 `input != v21` 的跳转）。
用户输入的 flag 长度必须恰好为 32，随后进入核心函数 math_part()。
注意：下文的反编译代码在转帖时丢失了数组下标 `[k]`（`flag[k]` 变成了 `flag`，只有 `*flag` 即 `flag[0]` 保留下来，`data1[i]`、`a2[k]` 同理），阅读和转写时需要对照原始的 IDA 输出。
// IDA pseudocode of math_part(): 32 linear equations over the 32 flag bytes,
// each of the form sum(c_k * flag[k]) == constant, evaluated in 32-bit int
// arithmetic (`flag << 6` is simply 64 * flag[k]). Any mismatch jumps to
// LABEL_37 and the function returns 0; all 32 passing returns 1.
// NOTE(review): the `[k]` subscripts were stripped when this listing was
// pasted (only `*flag`, i.e. flag[0], survived), so the terms below read as
// `c * flag`; recover the indices from the original IDA output before
// transcribing the equations into a solver.
// With coefficients <= 100 and 32 byte-valued unknowns each sum is at most
// 32 * 100 * 255 = 816000, far below 2^31, so no wraparound is involved and
// unbounded integers reproduce the binary's arithmetic exactly.
signed __int64 __fastcall math_part(__int64 flag_s)
{
int v1; // et1
int v2; // edx
int v3; // ecx
int v4; // et1
int v5; // et1
int v6; // et1
int v7; // edx
int v8; // edx
int v9; // et1
int v10; // ecx
int v11; // edx
int v12; // et1
int v13; // edx
int v14; // edx
int v15; // ecx
int v16; // edx
int v17; // et1
int v18; // edx
int v19; // et1
int v20; // ecx
int v21; // edx
int v22; // ecx
int v23; // et1
int v24; // edx
int v25; // edx
int v26; // ecx
int v27; // ecx
int v28; // ecx
int v29; // et1
int v30; // ecx
int v31; // ecx
int v32; // edx
signed __int64 result; // rax
char *flag; //
flag = (char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(flag_s); // raw bytes of the 32-char std::string
// Equation 1 (partial sum in v1, remaining terms inline in the test).
v1 = 76 * flag
+ 31 * flag
+ 87 * flag
+ 54 * flag
+ 74 * flag
+ 99 * flag
+ 94 * flag
+ 84 * flag
+ 32 * flag
+ 90 * flag
+ 16 * flag
+ 19 * flag
+ 33 * flag
+ 35 * flag
+ 65 * flag
+ 47 * flag
+ 3 * flag
+ 57 * flag
+ 5 * flag
+ 70 * flag
+ 28 * flag
+ 79 * flag
+ 63 * flag
+ 66 * flag
+ 28 * flag
+ flag;
if ( 82 * flag + 58 * flag + v1 + 81 * flag + 61 * flag + 31 * flag + 71 * *flag != 0x237F5 )
goto LABEL_37;
v2 = 55 * flag
+ 38 * flag
+ 39 * flag
+ 73 * flag
+ 86 * flag
+ 18 * flag
+ 40 * flag
+ 40 * flag
+ 54 * flag
+ 81 * flag
+ 71 * flag
+ 20 * flag
+ 16 * flag
+ 65 * flag
+ 87 * flag
+ 14 * flag
+ flag
+ 41 * *flag
+ 58 * flag
+ 73 * flag
+ 46 * flag
+ 7 * flag
+ 89 * flag
+ 65 * flag
+ 43 * flag
+ 6 * flag;
if ( v2 + 60 * flag + 40 * flag + 57 * flag + 40 * flag + 30 * flag + 63 * flag != 0x1F21D )
goto LABEL_37;
v3 = 53 * flag
+ 82 * flag
+ 70 * flag
+ 84 * flag
+ 57 * flag
+ 92 * flag
+ 57 * flag
+ 77 * flag
+ 49 * flag
+ 62 * flag
+ 97 * flag
+ 47 * flag
+ 30 * flag
+ 45 * flag
+ 94 * flag
+ 6 * flag
+ 83 * flag
+ 18 * flag
+ 97 * flag
+ 11 * flag
+ 35 * flag
+ 81 * flag
+ 67 * flag
+ 11 * flag
+ 84 * flag;
if ( 28 * flag + 17 * flag + 18 * flag + v3 + 63 * flag + 61 * flag != 0x22863 )
goto LABEL_37;
v4 = 14 * flag
+ 46 * flag
+ 56 * flag
+ 13 * flag
+ 82 * flag
+ 49 * flag
+ 97 * flag
+ 50 * flag
+ 83 * flag
+ 38 * flag
+ 49 * flag
+ 9 * flag
+ 91 * flag
+ 33 * flag
+ 4 * flag
+ 5 * flag
+ 61 * flag
+ 65 * flag
+ 68 * flag
+ 6 * flag
+ (flag << 6) // == 64 * flag[k]
+ 56 * flag
+ 67 * flag
+ 5 * flag
+ flag
+ 10 * flag;
if ( 86 * flag + 52 * flag + v4 + 83 * flag + 37 * flag + 85 * *flag != 0x1CA87 )
goto LABEL_37;
v5 = 9 * flag
+ 63 * flag
+ 20 * flag
+ 96 * flag
+ 39 * flag
+ 91 * flag
+ 40 * flag
+ 85 * flag
+ 62 * flag
+ 95 * flag
+ 34 * flag
+ 67 * flag
+ 51 * flag
+ 45 * flag
+ 92 * flag
+ 91 * flag
+ 85 * flag
+ 12 * flag
+ 26 * flag
+ 56 * flag
+ 82 * flag
+ 72 * flag
+ 54 * flag
+ 17 * flag
+ 84 * flag
+ 17 * *flag;
if ( 53 * flag + 91 * flag + 57 * flag + 66 * flag + v5 + 8 * flag + 63 * flag != 0x261F8 )
goto LABEL_37;
v6 = 88 * flag
+ 48 * flag
+ 83 * flag
+ 66 * flag
+ 60 * flag
+ 57 * flag
+ 85 * flag
+ 71 * flag
+ 98 * flag
+ 83 * flag
+ 12 * flag
+ 72 * flag
+ 12 * flag
+ 80 * flag
+ 15 * flag
+ 81 * flag
+ 87 * *flag
+ 37 * flag
+ 4 * flag
+ 41 * flag
+ 84 * flag
+ 56 * flag
+ 84 * flag
+ 41 * flag
+ 98 * flag
+ 18 * flag;
if ( 55 * flag + v6 + 95 * flag + 33 * flag + 66 * flag != 0x245E3 )
goto LABEL_37;
v7 = 57 * flag
+ 63 * flag
+ 4 * flag
+ 59 * flag
+ 15 * flag
+ 12 * flag
+ 58 * flag
+ 40 * flag
+ 26 * flag
+ 8 * flag
+ 25 * flag
+ 97 * flag
+ 12 * flag
+ 74 * flag
+ 65 * flag
+ 93 * flag
+ 18 * flag
+ 84 * flag
+ 7 * flag
+ 22 * flag
+ 9 * flag
+ 89 * flag
+ 72 * flag
+ 47 * flag
+ 7 * flag;
if ( 43 * flag + 47 * *flag + 53 * flag + 75 * flag + v7 + 8 * flag + 24 * flag + 75 * flag != 121517 )
goto LABEL_37;
v8 = 86 * flag
+ 74 * *flag
+ 72 * flag
+ 27 * flag
+ 88 * flag
+ (flag << 6)
+ 52 * flag
+ 4 * flag
+ 8 * flag
+ 16 * flag
+ 54 * flag
+ 8 * flag
+ 52 * flag
+ 14 * flag
+ 88 * flag
+ 33 * flag
+ 99 * flag
+ 65 * flag
+ 66 * flag
+ 36 * flag
+ 58 * flag
+ 63 * flag
+ 93 * flag
+ 96 * flag
+ 26 * flag
+ 65 * flag;
if ( 77 * flag + 89 * flag + 55 * flag + v8 + 42 * flag + 14 * flag + 57 * flag != 0x24F96 )
goto LABEL_37;
v9 = 51 * flag
+ 42 * flag
+ 78 * flag
+ 45 * flag
+ 63 * flag
+ 85 * flag
+ 30 * flag
+ 83 * flag
+ 62 * flag
+ 71 * flag
+ 45 * flag
+ (flag << 6)
+ 87 * flag
+ 49 * flag
+ 14 * *flag
+ 4 * flag
+ 63 * flag
+ 53 * flag
+ 19 * flag
+ 44 * flag
+ 5 * flag
+ 74 * flag
+ 19 * flag
+ 89 * flag
+ 11 * flag
+ 34 * flag;
if ( 53 * flag + 95 * flag + v9 + 14 * flag + 87 * flag + 63 * flag + 70 * flag != 142830 )
goto LABEL_37;
v10 = 13 * flag
+ 11 * flag
+ 41 * flag
+ 38 * flag
+ 90 * flag
+ 68 * flag
+ 56 * flag
+ 4 * flag
+ 66 * flag
+ 28 * flag
+ 6 * flag
+ 91 * flag
+ 59 * flag
+ 81 * flag
+ 44 * flag
+ 33 * flag
+ 34 * flag
+ 17 * flag
+ 77 * flag
+ 25 * flag
+ 8 * flag
+ 10 * flag
+ 66 * flag;
if ( 69 * *flag
+ 67 * flag
+ 57 * flag
+ 77 * flag
+ 67 * flag
+ 94 * flag
+ v10
+ 41 * flag
+ 29 * flag != 0x1DED9 )
goto LABEL_37;
v11 = 23 * flag
+ 32 * flag
+ 72 * flag
+ 41 * flag
+ 33 * flag
+ 82 * flag
+ 20 * *flag
+ 7 * flag
+ 25 * flag
+ 39 * flag
+ 57 * flag
+ 14 * flag
+ 24 * flag
+ 37 * flag
+ 71 * flag
+ 65 * flag
+ 46 * flag
+ 40 * flag
+ 77 * flag
+ 80 * flag
+ 88 * flag
+ 20 * flag
+ 83 * flag
+ 73 * flag
+ 8 * flag
+ 15 * flag;
if ( 31 * flag + 17 * flag + 6 * flag + v11 + 70 * flag + 24 * flag + 16 * flag != 0x19B4D )
goto LABEL_37;
v12 = 41 * flag
+ 45 * flag
+ 82 * flag
+ 86 * flag
+ 99 * flag
+ 96 * flag
+ 85 * flag
+ 70 * flag
+ 77 * flag
+ 80 * flag
+ 40 * flag
+ 66 * flag
+ 12 * flag
+ 77 * flag
+ 72 * flag
+ 42 * flag
+ 81 * flag
+ 90 * flag
+ 37 * flag
+ 29 * flag
+ 20 * flag
+ 85 * flag
+ 6 * flag
+ 2 * *flag
+ 72 * flag
+ 75 * flag;
if ( 25 * flag + 79 * flag + v12 + 40 * flag + 29 * flag + 25 * flag != 0x2519A )
goto LABEL_37;
v13 = 42 * flag
+ 95 * flag
+ 58 * flag
+ 47 * flag
+ 65 * flag
+ 24 * flag
+ 97 * flag
+ 24 * flag
+ 28 * *flag
+ 77 * flag
+ 97 * flag
+ 24 * flag
+ 32 * flag
+ 5 * flag
+ 55 * flag
+ 9 * flag
+ 85 * flag
+ 6 * flag
+ 61 * flag
+ 12 * flag
+ 76 * flag
+ 36 * flag
+ 77 * flag
+ 24 * flag
+ 67 * flag
+ 19 * flag;
if ( 83 * flag + 75 * flag + v13 + 47 * flag + 13 * flag != 125609 )
goto LABEL_37;
v14 = flag
+ 88 * flag
+ 90 * *flag
+ 4 * flag
+ 46 * flag
+ 54 * flag
+ 16 * flag
+ 89 * flag
+ 76 * flag
+ 38 * flag
+ 3 * flag
+ 70 * flag
+ 3 * flag
+ 24 * flag
+ 54 * flag
+ 20 * flag
+ 83 * flag
+ 21 * flag
+ 77 * flag
+ 31 * flag
+ 59 * flag
+ 33 * flag
+ 84 * flag
+ 19 * flag
+ 38 * flag
+ 63 * flag;
if ( 30 * flag + 41 * flag + 65 * flag + v14 + 16 * flag + 15 * flag + 39 * flag != 123069 )
goto LABEL_37;
v15 = 27 * flag
+ 48 * flag
+ 13 * flag
+ 44 * flag
+ 70 * flag
+ 44 * flag
+ 22 * flag
+ 55 * flag
+ 73 * flag
+ 55 * flag
+ 58 * flag
+ 31 * flag
+ 78 * flag
+ 19 * flag
+ 52 * flag
+ 27 * flag
+ 38 * flag
+ 40 * flag
+ 35 * flag
+ 48 * flag
+ 71 * flag
+ 24 * flag
+ 89 * flag
+ 37 * flag
+ 78 * flag;
if ( 6 * flag + 19 * flag + v15 + 3 * flag + 52 * flag + 40 * flag != 113842 )
goto LABEL_37;
v16 = 31 * flag
+ 35 * flag
+ 54 * flag
+ 26 * flag
+ 29 * flag
+ 2 * flag
+ 46 * *flag
+ 30 * flag
+ 56 * flag
+ 100 * flag
+ 43 * flag
+ 15 * flag
+ 79 * flag
+ 12 * flag
+ 38 * flag
+ 3 * flag
+ 16 * flag
+ 19 * flag
+ 67 * flag
+ 37 * flag
+ flag
+ 73 * flag
+ 85 * flag
+ 17 * flag
+ 90 * flag
+ 15 * flag;
if ( 95 * flag + 92 * flag + 84 * flag + v16 + 43 * flag + 96 * flag != 119824 )
goto LABEL_37;
v17 = 92 * flag
+ 43 * flag
+ 16 * flag
+ 92 * flag
+ 49 * flag
+ 44 * flag
+ 26 * flag
+ (flag << 6)
+ 45 * flag
+ 99 * flag
+ 43 * flag
+ 75 * flag
+ 53 * flag
+ 18 * flag
+ 11 * flag
+ 52 * *flag
+ 16 * flag
+ 9 * flag
+ 77 * flag
+ 33 * flag
+ 86 * flag
+ 33 * flag
+ 29 * flag
+ 6 * flag
+ 91 * flag
+ 36 * flag;
if ( 36 * flag + 69 * flag + 77 * flag + v17 + 94 * flag + 13 * flag + 89 * flag != 135873 )
goto LABEL_37;
v18 = 68 * flag
+ 83 * flag
+ 47 * flag
+ 85 * flag
+ 22 * flag
+ 92 * flag
+ 75 * flag
+ 43 * flag
+ 29 * flag
+ 92 * *flag
+ 54 * flag
+ 17 * flag
+ 78 * flag
+ 7 * flag
+ 69 * flag
+ 63 * flag
+ 71 * flag
+ 10 * flag
+ 66 * flag
+ 25 * flag
+ 32 * flag
+ 48 * flag
+ 86 * flag
+ 20 * flag
+ 78 * flag
+ 25 * flag;
if ( 16 * flag + flag + 82 * flag + 60 * flag + v18 + 76 * flag + 13 * flag != 142509 )
goto LABEL_37;
v19 = 77 * flag
+ 56 * flag
+ 79 * flag
+ 71 * flag
+ 95 * flag
+ 87 * flag
+ 62 * flag
+ 85 * flag
+ 43 * flag
+ 67 * flag
+ 97 * flag
+ 80 * *flag
+ 23 * flag
+ 95 * flag
+ 82 * flag
+ 66 * flag
+ 5 * flag
+ 66 * flag
+ 25 * flag
+ 4 * flag
+ 12 * flag
+ 85 * flag
+ 10 * flag
+ 45 * flag
+ 28 * flag
+ 26 * flag;
if ( 88 * flag + 23 * flag + 18 * flag + v19 + 48 * flag + 45 * flag != 148888 )
goto LABEL_37;
v20 = 81 * flag
+ 21 * flag
+ 72 * flag
+ 48 * flag
+ 2 * flag
+ 42 * flag
+ 22 * flag
+ 99 * flag
+ 78 * flag
+ 83 * flag
+ 60 * flag
+ 59 * flag
+ 15 * flag
+ 25 * flag
+ 43 * flag
+ 56 * flag
+ 33 * flag
+ 71 * flag
+ 31 * *flag
+ 95 * flag
+ 73 * flag
+ 86 * flag
+ 15 * flag
+ 61 * flag
+ 12 * flag
+ 95 * flag;
if ( 25 * flag + v20 + 13 * flag + 100 * flag + 11 * flag + 79 * flag != 138023 )
goto LABEL_37;
v21 = 53 * flag
+ 52 * flag
+ 70 * flag
+ 35 * flag
+ 50 * flag
+ 59 * flag
+ 75 * flag
+ 55 * flag
+ 23 * *flag
+ 52 * flag
+ 47 * flag
+ 91 * flag
+ 46 * flag
+ 42 * flag
+ 79 * flag
+ 87 * flag
+ 30 * flag
+ 26 * flag
+ 57 * flag
+ 33 * flag
+ 51 * flag
+ 56 * flag
+ 59 * flag
+ 36 * flag
+ 88 * flag
+ 28 * flag;
if ( 37 * flag + 62 * flag + 42 * flag + v21 + 44 * flag + 19 * flag + 74 * flag != 142299 )
goto LABEL_37;
v22 = 80 * flag
+ 43 * flag
+ 67 * flag
+ 55 * flag
+ 95 * flag
+ 46 * flag
+ 93 * flag
+ 75 * flag
+ 14 * flag
+ 24 * flag
+ 50 * flag
+ 70 * flag
+ 63 * flag
+ 77 * flag
+ 96 * flag
+ 66 * flag
+ 72 * flag
+ 94 * flag
+ 63 * flag
+ 69 * flag
+ 73 * flag
+ 60 * flag
+ 9 * flag
+ 39 * flag
+ 25 * *flag
+ 49 * flag;
if ( v22 + 48 * flag + 86 * flag + 72 * flag + 23 * flag + 21 * flag != 155777 )
goto LABEL_37;
v23 = 27 * flag
+ 40 * flag
+ 53 * flag
+ 40 * flag
+ 56 * flag
+ 2 * flag
+ 32 * flag
+ 90 * flag
+ 54 * flag
+ 20 * flag
+ 86 * flag
+ 82 * flag
+ 43 * flag
+ 43 * flag
+ 86 * flag
+ 17 * *flag
+ (flag << 6)
+ 6 * flag
+ 86 * flag
+ 15 * flag
+ 46 * flag
+ 21 * flag
+ 90 * flag
+ 19 * flag
+ 93 * flag
+ 31 * flag;
if ( 25 * flag + 11 * flag + v23 + 62 * flag + 21 * flag + 42 * flag != 117687 )
goto LABEL_37;
v24 = flag
+ 66 * flag
+ 40 * flag
+ 17 * *flag
+ 27 * flag
+ 26 * flag
+ 57 * flag
+ 35 * flag
+ 80 * flag
+ 67 * flag
+ 85 * flag
+ 7 * flag
+ 93 * flag
+ 3 * flag
+ 77 * flag
+ 12 * flag
+ 4 * flag
+ 27 * flag
+ 53 * flag
+ 37 * flag
+ 43 * flag
+ 33 * flag
+ 39 * flag
+ 7 * flag
+ 75 * flag
+ 15 * flag;
if ( 89 * flag + 100 * flag + v24 + 45 * flag + 36 * flag + 78 * flag + 31 * flag != 117383 )
goto LABEL_37;
v25 = 71 * flag
+ 4 * flag
+ 77 * flag
+ 83 * flag
+ 11 * flag
+ 53 * flag
+ 85 * flag
+ 67 * flag
+ 39 * flag
+ 45 * flag
+ 84 * flag
+ 99 * flag
+ 38 * flag
+ 29 * flag
+ 90 * flag
+ 61 * flag
+ 40 * flag
+ (flag << 6)
+ 9 * flag
+ 86 * flag
+ 80 * flag
+ 4 * flag
+ 96 * flag
+ 99 * flag
+ 40 * flag;
// Equations 26..32 are folded by the decompiler into one `||` chain of
// comma expressions; each (vN = ..., test != K) is still one equation.
if ( 73 * flag + 16 * flag + 100 * flag + 71 * flag + v25 + 4 * *flag + 56 * flag != 155741
|| (v26 = 87 * flag
+ 86 * flag
+ 76 * flag
+ 38 * flag
+ 85 * flag
+ 71 * flag
+ 42 * flag
+ 85 * flag
+ 14 * flag
+ 17 * flag
+ 42 * flag
+ 11 * flag
+ 44 * flag
+ 21 * flag
+ 60 * flag
+ 28 * flag
+ 46 * flag
+ 25 * flag
+ 77 * flag
+ 21 * flag
+ 85 * flag
+ 36 * flag
+ 91 * flag
+ 21 * flag
+ 38 * flag,
(flag << 6) + 76 * *flag + 5 * flag + v26 + 3 * flag + 61 * flag + 15 * flag + 32 * flag != 132804)
|| (v27 = 36 * flag
+ 60 * flag
+ 84 * flag
+ 19 * flag
+ 76 * flag
+ 86 * flag
+ 92 * flag
+ 96 * flag
+ 60 * flag
+ 23 * flag
+ 60 * flag
+ 50 * flag
+ 78 * flag
+ 45 * flag
+ 42 * flag
+ 10 * flag
+ 60 * flag
+ 24 * flag
+ 77 * flag
+ 41 * flag
+ 29 * flag
+ 33 * flag
+ 2 * flag
+ 33 * flag
+ 39 * flag,
95 * flag + 75 * flag + 3 * flag + v27 + 41 * flag + 100 * flag + 9 * flag + 79 * *flag != 145568)
|| (v28 = 25 * flag
+ 98 * flag
+ 15 * flag
+ 50 * flag
+ 88 * flag
+ 74 * flag
+ 83 * flag
+ 86 * flag
+ 52 * flag
+ 39 * flag
+ 40 * flag
+ 82 * flag
+ 37 * flag
+ 45 * *flag
+ 18 * flag
+ 2 * flag
+ 6 * flag
+ 78 * flag
+ 37 * flag
+ 57 * flag
+ 3 * flag
+ 59 * flag
+ 73 * flag
+ flag
+ 18 * flag
+ 35 * flag,
68 * flag + 98 * flag + 98 * flag + 10 * flag + v28 + 20 * flag + 54 * flag != 130175)
|| (v29 = 68 * flag
+ 60 * flag
+ 93 * flag
+ 100 * flag
+ 98 * flag
+ 32 * flag
+ 15 * flag
+ 79 * *flag
+ 6 * flag
+ 62 * flag
+ 96 * flag
+ 68 * flag
+ 9 * flag
+ 88 * flag
+ 18 * flag
+ 70 * flag
+ 96 * flag
+ 89 * flag
+ 14 * flag
+ 83 * flag
+ 19 * flag
+ 44 * flag
+ 96 * flag
+ 87 * flag
+ 48 * flag
+ 95 * flag,
60 * flag + 50 * flag + 30 * flag + 90 * flag + v29 + 73 * flag + 92 * flag != 171986)
|| (v30 = 86 * flag
+ 20 * flag
+ 29 * flag
+ 31 * flag
+ 83 * flag
+ 11 * flag
+ 29 * flag
+ 82 * flag
+ 84 * flag
+ 70 * flag
+ 52 * flag
+ 40 * flag
+ 91 * flag
+ 6 * flag
+ 77 * flag
+ 56 * flag
+ 86 * flag
+ 63 * flag
+ 26 * flag
+ 19 * flag
+ 50 * flag
+ 15 * flag
+ 67 * flag
+ 37 * flag
+ 84 * flag,
53 * flag + 87 * flag + 23 * flag + 80 * flag + v30 + 81 * flag + 93 * *flag != 151676)
|| (v31 = 12 * flag
+ 82 * flag
+ 100 * flag
+ 29 * flag
+ 97 * flag
+ 32 * flag
+ 26 * flag
+ 46 * flag
+ 8 * (flag + 9 * *flag + 2 * flag) // factored by the compiler: 8*flag[a] + 72*flag[0] + 16*flag[b]
+ 63 * flag
+ 39 * flag
+ 81 * flag
+ 51 * flag
+ 31 * flag
+ 49 * flag
+ 3 * flag
+ 26 * flag
+ 15 * flag
+ 89 * flag
+ 5 * flag
+ 47 * flag
+ 19 * flag
+ 98 * flag,
29 * flag + 93 * flag + 67 * flag + v31 + 15 * flag + 49 * flag != 128223)
|| (v32 = 84 * flag
+ 91 * flag
+ 67 * flag
+ 77 * flag
+ 23 * flag
+ 38 * flag
+ 3 * flag
+ 76 * flag
+ 50 * *flag
+ 74 * flag
+ 45 * flag
+ 58 * flag
+ 39 * flag
+ 95 * flag
+ 26 * flag
+ 23 * flag
+ 28 * flag
+ 89 * flag
+ 88 * flag
+ 3 * flag
+ 59 * flag
+ 80 * flag
+ 49 * flag
+ 56 * flag
+ 32 * flag
+ 24 * flag,
13 * flag + 73 * flag + 99 * flag + 76 * flag + v32 + 77 * flag + 18 * flag != 138403) )
{
LABEL_37: // shared failure exit for all 32 checks
result = 0LL;
}
else
{
result = 1LL; // every equation satisfied
}
return result;
}
z3 的 Int 表达式没有定义 `<<`（只有 BitVec 有），所以可以把公式里的 `<<6` 改成等价的 `*64`。这里每个和式最大约 32×100×255 = 816000，远小于 2^31，因此用 Int 而不是 32 位 BitVec 也不会与二进制里的 int 运算产生差异。
把判断 flag 的 32 个等式逐条交给 z3 即可解出 flag（注意下面脚本里的 `flag[k]` 下标同样在转帖时丢失了，`flag =` 一行原本应是 32 个符号整数组成的列表）。
# z3 solver for easy_math: one constraint per comparison in math_part().
# NOTE(review): the pasted listing lost its `[k]` subscripts, so both the
# `flag =` line below (truncated in the paste) and every `c * flag` term are
# incomplete as shown; the intent is a list of 32 symbolic integers
# (e.g. `flag = [Int('f%d' % i) for i in range(32)]`) indexed as flag[k],
# with the indices taken from the original IDA output.
# Coefficients <= 100 over byte values keep every sum below 2^31, so Int
# (rather than a 32-bit BitVec) reproduces the binary's int arithmetic
# exactly; this is also why IDA's `flag << 6` is written `flag * 64` here.
# If the 32x32 system were not uniquely determined, adding
# 0x20 <= flag[k] < 0x7f per byte would pin the solution to printable text.
# Python 2 syntax (`print x.check()`); use print(...) on Python 3.
from z3 import *
x = Solver()
flag =
x.add((82 * flag + 58 * flag + 76 * flag + 31 * flag+ 87 * flag+ 54 * flag+ 74 * flag+ 99 * flag+ 94 * flag+ 84 * flag+ 32 * flag+ 90 * flag+ 16 * flag+ 19 * flag+ 33 * flag+ 35 * flag+ 65 * flag+ 47 * flag+ 3 * flag+ 57 * flag+ 5 * flag+ 70 * flag+ 28 * flag+ 79 * flag+ 63 * flag+ 66 * flag+ 28 * flag+ flag + 81 * flag + 61 * flag + 31 * flag + 71 * flag) == 0x237F5)
x.add((55 * flag+ 38 * flag+ 39 * flag+ 73 * flag+ 86 * flag+ 18 * flag+ 40 * flag+ 40 * flag+ 54 * flag+ 81 * flag+ 71 * flag+ 20 * flag+ 16 * flag+ 65 * flag+ 87 * flag+ 14 * flag+ flag+ 41 * flag+ 58 * flag+ 73 * flag+ 46 * flag+ 7 * flag+ 89 * flag+ 65 * flag+ 43 * flag+ 6 * flag + 60 * flag + 40 * flag + 57 * flag + 40 * flag + 30 * flag + 63 * flag) == 0x1F21D)
x.add((28 * flag + 17 * flag + 18 * flag + 53 * flag+ 82 * flag+ 70 * flag+ 84 * flag+ 57 * flag+ 92 * flag+ 57 * flag+ 77 * flag+ 49 * flag+ 62 * flag+ 97 * flag+ 47 * flag+ 30 * flag+ 45 * flag+ 94 * flag+ 6 * flag+ 83 * flag+ 18 * flag+ 97 * flag+ 11 * flag+ 35 * flag+ 81 * flag+ 67 * flag+ 11 * flag+ 84 * flag + 63 * flag + 61 * flag) == 0x22863)
x.add((86 * flag + 52 * flag + 14 * flag+ 46 * flag+ 56 * flag+ 13 * flag+ 82 * flag+ 49 * flag+ 97 * flag+ 50 * flag+ 83 * flag+ 38 * flag+ 49 * flag+ 9 * flag+ 91 * flag+ 33 * flag+ 4 * flag+ 5 * flag+ 61 * flag+ 65 * flag+ 68 * flag+ 6 * flag+ (flag * 64)+ 56 * flag+ 67 * flag+ 5 * flag+ flag+ 10 * flag + 83 * flag + 37 * flag + 85 * flag) == 0x1CA87)
x.add( 53 * flag + 91 * flag + 57 * flag + 66 * flag + 9 * flag+ 63 * flag+ 20 * flag+ 96 * flag+ 39 * flag+ 91 * flag+ 40 * flag+ 85 * flag+ 62 * flag+ 95 * flag+ 34 * flag+ 67 * flag+ 51 * flag+ 45 * flag+ 92 * flag+ 91 * flag+ 85 * flag+ 12 * flag+ 26 * flag+ 56 * flag+ 82 * flag+ 72 * flag+ 54 * flag+ 17 * flag+ 84 * flag+ 17 * flag + 8 * flag + 63 * flag == 0x261F8 )
x.add( 55 * flag + 88 * flag+ 48 * flag+ 83 * flag+ 66 * flag+ 60 * flag+ 57 * flag+ 85 * flag+ 71 * flag+ 98 * flag+ 83 * flag+ 12 * flag+ 72 * flag+ 12 * flag+ 80 * flag+ 15 * flag+ 81 * flag+ 87 * flag+ 37 * flag+ 4 * flag+ 41 * flag+ 84 * flag+ 56 * flag+ 84 * flag+ 41 * flag+ 98 * flag+ 18 * flag + 95 * flag + 33 * flag + 66 * flag == 0x245E3 )
x.add( 43 * flag + 47 * flag + 53 * flag + 75 * flag + 57 * flag+ 63 * flag+ 4 * flag+ 59 * flag+ 15 * flag+ 12 * flag+ 58 * flag+ 40 * flag+ 26 * flag+ 8 * flag+ 25 * flag+ 97 * flag+ 12 * flag+ 74 * flag+ 65 * flag+ 93 * flag+ 18 * flag+ 84 * flag+ 7 * flag+ 22 * flag+ 9 * flag+ 89 * flag+ 72 * flag+ 47 * flag+ 7 * flag + 8 * flag + 24 * flag + 75 * flag == 121517 )
x.add( 77 * flag + 89 * flag + 55 * flag + 86 * flag+ 74 * flag+ 72 * flag+ 27 * flag+ 88 * flag+ (flag * 64)+ 52 * flag+ 4 * flag+ 8 * flag+ 16 * flag+ 54 * flag+ 8 * flag+ 52 * flag+ 14 * flag+ 88 * flag+ 33 * flag+ 99 * flag+ 65 * flag+ 66 * flag+ 36 * flag+ 58 * flag+ 63 * flag+ 93 * flag+ 96 * flag+ 26 * flag+ 65 * flag + 42 * flag + 14 * flag + 57 * flag == 0x24F96 )
x.add( 53 * flag + 95 * flag + 51 * flag+ 42 * flag+ 78 * flag+ 45 * flag+ 63 * flag+ 85 * flag+ 30 * flag+ 83 * flag+ 62 * flag+ 71 * flag+ 45 * flag+ (flag * 64)+ 87 * flag+ 49 * flag+ 14 * flag+ 4 * flag+ 63 * flag+ 53 * flag+ 19 * flag+ 44 * flag+ 5 * flag+ 74 * flag+ 19 * flag+ 89 * flag+ 11 * flag+ 34 * flag + 14 * flag + 87 * flag + 63 * flag + 70 * flag == 142830 )
x.add( 69 * flag+ 67 * flag+ 57 * flag+ 77 * flag+ 67 * flag+ 94 * flag+ 13 * flag+ 11 * flag+ 41 * flag+ 38 * flag+ 90 * flag+ 68 * flag+ 56 * flag+ 4 * flag+ 66 * flag+ 28 * flag+ 6 * flag+ 91 * flag+ 59 * flag+ 81 * flag+ 44 * flag+ 33 * flag+ 34 * flag+ 17 * flag+ 77 * flag+ 25 * flag+ 8 * flag+ 10 * flag+ 66 * flag+ 41 * flag+ 29 * flag == 0x1DED9 )
x.add( 31 * flag + 17 * flag + 6 * flag + 23 * flag+ 32 * flag+ 72 * flag+ 41 * flag+ 33 * flag+ 82 * flag+ 20 * flag+ 7 * flag+ 25 * flag+ 39 * flag+ 57 * flag+ 14 * flag+ 24 * flag+ 37 * flag+ 71 * flag+ 65 * flag+ 46 * flag+ 40 * flag+ 77 * flag+ 80 * flag+ 88 * flag+ 20 * flag+ 83 * flag+ 73 * flag+ 8 * flag+ 15 * flag + 70 * flag + 24 * flag + 16 * flag == 0x19B4D )
x.add( 25 * flag + 79 * flag + 41 * flag+ 45 * flag+ 82 * flag+ 86 * flag+ 99 * flag+ 96 * flag+ 85 * flag+ 70 * flag+ 77 * flag+ 80 * flag+ 40 * flag+ 66 * flag+ 12 * flag+ 77 * flag+ 72 * flag+ 42 * flag+ 81 * flag+ 90 * flag+ 37 * flag+ 29 * flag+ 20 * flag+ 85 * flag+ 6 * flag+ 2 * flag+ 72 * flag+ 75 * flag + 40 * flag + 29 * flag + 25 * flag == 0x2519A )
x.add( 83 * flag + 75 * flag + 42 * flag+ 95 * flag+ 58 * flag+ 47 * flag+ 65 * flag+ 24 * flag+ 97 * flag+ 24 * flag+ 28 * flag+ 77 * flag+ 97 * flag+ 24 * flag+ 32 * flag+ 5 * flag+ 55 * flag+ 9 * flag+ 85 * flag+ 6 * flag+ 61 * flag+ 12 * flag+ 76 * flag+ 36 * flag+ 77 * flag+ 24 * flag+ 67 * flag+ 19 * flag + 47 * flag + 13 * flag == 125609 )
x.add( 30 * flag + 41 * flag + 65 * flag + flag+ 88 * flag+ 90 * flag+ 4 * flag+ 46 * flag+ 54 * flag+ 16 * flag+ 89 * flag+ 76 * flag+ 38 * flag+ 3 * flag+ 70 * flag+ 3 * flag+ 24 * flag+ 54 * flag+ 20 * flag+ 83 * flag+ 21 * flag+ 77 * flag+ 31 * flag+ 59 * flag+ 33 * flag+ 84 * flag+ 19 * flag+ 38 * flag+ 63 * flag + 16 * flag + 15 * flag + 39 * flag == 123069 )
x.add( 6 * flag + 19 * flag + 27 * flag+ 48 * flag+ 13 * flag+ 44 * flag+ 70 * flag+ 44 * flag+ 22 * flag+ 55 * flag+ 73 * flag+ 55 * flag+ 58 * flag+ 31 * flag+ 78 * flag+ 19 * flag+ 52 * flag+ 27 * flag+ 38 * flag+ 40 * flag+ 35 * flag+ 48 * flag+ 71 * flag+ 24 * flag+ 89 * flag+ 37 * flag+ 78 * flag + 3 * flag + 52 * flag + 40 * flag == 113842 )
x.add( 95 * flag + 92 * flag + 84 * flag + 31 * flag+ 35 * flag+ 54 * flag+ 26 * flag+ 29 * flag+ 2 * flag+ 46 * flag+ 30 * flag+ 56 * flag+ 100 * flag+ 43 * flag+ 15 * flag+ 79 * flag+ 12 * flag+ 38 * flag+ 3 * flag+ 16 * flag+ 19 * flag+ 67 * flag+ 37 * flag+ flag+ 73 * flag+ 85 * flag+ 17 * flag+ 90 * flag+ 15 * flag + 43 * flag + 96 * flag == 119824 )
x.add( 36 * flag + 69 * flag + 77 * flag + 92 * flag+ 43 * flag+ 16 * flag+ 92 * flag+ 49 * flag+ 44 * flag+ 26 * flag+ (flag * 64)+ 45 * flag+ 99 * flag+ 43 * flag+ 75 * flag+ 53 * flag+ 18 * flag+ 11 * flag+ 52 * flag+ 16 * flag+ 9 * flag+ 77 * flag+ 33 * flag+ 86 * flag+ 33 * flag+ 29 * flag+ 6 * flag+ 91 * flag+ 36 * flag + 94 * flag + 13 * flag + 89 * flag == 135873 )
x.add( 16 * flag + flag + 82 * flag + 60 * flag + 68 * flag+ 83 * flag+ 47 * flag+ 85 * flag+ 22 * flag+ 92 * flag+ 75 * flag+ 43 * flag+ 29 * flag+ 92 * flag+ 54 * flag+ 17 * flag+ 78 * flag+ 7 * flag+ 69 * flag+ 63 * flag+ 71 * flag+ 10 * flag+ 66 * flag+ 25 * flag+ 32 * flag+ 48 * flag+ 86 * flag+ 20 * flag+ 78 * flag+ 25 * flag + 76 * flag + 13 * flag == 142509 )
x.add( 88 * flag + 23 * flag + 18 * flag + 77 * flag+ 56 * flag+ 79 * flag+ 71 * flag+ 95 * flag+ 87 * flag+ 62 * flag+ 85 * flag+ 43 * flag+ 67 * flag+ 97 * flag+ 80 * flag+ 23 * flag+ 95 * flag+ 82 * flag+ 66 * flag+ 5 * flag+ 66 * flag+ 25 * flag+ 4 * flag+ 12 * flag+ 85 * flag+ 10 * flag+ 45 * flag+ 28 * flag+ 26 * flag + 48 * flag + 45 * flag == 148888 )
x.add( 25 * flag + 81 * flag+ 21 * flag+ 72 * flag+ 48 * flag+ 2 * flag+ 42 * flag+ 22 * flag+ 99 * flag+ 78 * flag+ 83 * flag+ 60 * flag+ 59 * flag+ 15 * flag+ 25 * flag+ 43 * flag+ 56 * flag+ 33 * flag+ 71 * flag+ 31 * flag+ 95 * flag+ 73 * flag+ 86 * flag+ 15 * flag+ 61 * flag+ 12 * flag+ 95 * flag + 13 * flag + 100 * flag + 11 * flag + 79 * flag == 138023 )
x.add( 37 * flag + 62 * flag + 42 * flag + 53 * flag+ 52 * flag+ 70 * flag+ 35 * flag+ 50 * flag+ 59 * flag+ 75 * flag+ 55 * flag+ 23 * flag+ 52 * flag+ 47 * flag+ 91 * flag+ 46 * flag+ 42 * flag+ 79 * flag+ 87 * flag+ 30 * flag+ 26 * flag+ 57 * flag+ 33 * flag+ 51 * flag+ 56 * flag+ 59 * flag+ 36 * flag+ 88 * flag+ 28 * flag + 44 * flag + 19 * flag + 74 * flag == 142299 )
x.add( 80 * flag+ 43 * flag+ 67 * flag+ 55 * flag+ 95 * flag+ 46 * flag+ 93 * flag+ 75 * flag+ 14 * flag+ 24 * flag+ 50 * flag+ 70 * flag+ 63 * flag+ 77 * flag+ 96 * flag+ 66 * flag+ 72 * flag+ 94 * flag+ 63 * flag+ 69 * flag+ 73 * flag+ 60 * flag+ 9 * flag+ 39 * flag+ 25 * flag+ 49 * flag + 48 * flag + 86 * flag + 72 * flag + 23 * flag + 21 * flag == 155777 )
x.add( 25 * flag + 11 * flag + 27 * flag+ 40 * flag+ 53 * flag+ 40 * flag+ 56 * flag+ 2 * flag+ 32 * flag+ 90 * flag+ 54 * flag+ 20 * flag+ 86 * flag+ 82 * flag+ 43 * flag+ 43 * flag+ 86 * flag+ 17 * flag+ (flag * 64)+ 6 * flag+ 86 * flag+ 15 * flag+ 46 * flag+ 21 * flag+ 90 * flag+ 19 * flag+ 93 * flag+ 31 * flag + 62 * flag + 21 * flag + 42 * flag == 117687 )
x.add( 89 * flag + 100 * flag + flag+ 66 * flag+ 40 * flag+ 17 * flag+ 27 * flag+ 26 * flag+ 57 * flag+ 35 * flag+ 80 * flag+ 67 * flag+ 85 * flag+ 7 * flag+ 93 * flag+ 3 * flag+ 77 * flag+ 12 * flag+ 4 * flag+ 27 * flag+ 53 * flag+ 37 * flag+ 43 * flag+ 33 * flag+ 39 * flag+ 7 * flag+ 75 * flag+ 15 * flag + 45 * flag + 36 * flag + 78 * flag + 31 * flag == 117383 )
x.add( 73 * flag + 16 * flag + 100 * flag + 71 * flag + 71 * flag+ 4 * flag+ 77 * flag+ 83 * flag+ 11 * flag+ 53 * flag+ 85 * flag+ 67 * flag+ 39 * flag+ 45 * flag+ 84 * flag+ 99 * flag+ 38 * flag+ 29 * flag+ 90 * flag+ 61 * flag+ 40 * flag+ (flag * 64)+ 9 * flag+ 86 * flag+ 80 * flag+ 4 * flag+ 96 * flag+ 99 * flag+ 40 * flag + 4 * flag + 56 * flag == 155741)
x.add((flag * 64) + 76 * flag + 5 * flag + 87 * flag+ 86 * flag+ 76 * flag+ 38 * flag+ 85 * flag+ 71 * flag+ 42 * flag+ 85 * flag+ 14 * flag+ 17 * flag+ 42 * flag+ 11 * flag+ 44 * flag+ 21 * flag+ 60 * flag+ 28 * flag+ 46 * flag+ 25 * flag+ 77 * flag+ 21 * flag+ 85 * flag+ 36 * flag+ 91 * flag+ 21 * flag+ 38 * flag + 3 * flag + 61 * flag + 15 * flag + 32 * flag == 132804)
x.add(95 * flag + 75 * flag + 3 * flag + 36 * flag+ 60 * flag+ 84 * flag+ 19 * flag+ 76 * flag+ 86 * flag+ 92 * flag+ 96 * flag+ 60 * flag+ 23 * flag+ 60 * flag+ 50 * flag+ 78 * flag+ 45 * flag+ 42 * flag+ 10 * flag+ 60 * flag+ 24 * flag+ 77 * flag+ 41 * flag+ 29 * flag+ 33 * flag+ 2 * flag+ 33 * flag+ 39 * flag + 41 * flag + 100 * flag + 9 * flag + 79 * flag == 145568)
x.add(68 * flag + 98 * flag + 98 * flag + 10 * flag + 25 * flag+ 98 * flag+ 15 * flag+ 50 * flag+ 88 * flag+ 74 * flag+ 83 * flag+ 86 * flag+ 52 * flag+ 39 * flag+ 40 * flag+ 82 * flag+ 37 * flag+ 45 * flag+ 18 * flag+ 2 * flag+ 6 * flag+ 78 * flag+ 37 * flag+ 57 * flag+ 3 * flag+ 59 * flag+ 73 * flag+ flag+ 18 * flag+ 35 * flag + 20 * flag + 54 * flag == 130175)
x.add(60 * flag + 50 * flag + 30 * flag + 90 * flag + 68 * flag+ 60 * flag+ 93 * flag+ 100 * flag+ 98 * flag+ 32 * flag+ 15 * flag+ 79 * flag+ 6 * flag+ 62 * flag+ 96 * flag+ 68 * flag+ 9 * flag+ 88 * flag+ 18 * flag+ 70 * flag+ 96 * flag+ 89 * flag+ 14 * flag+ 83 * flag+ 19 * flag+ 44 * flag+ 96 * flag+ 87 * flag+ 48 * flag+ 95 * flag + 73 * flag + 92 * flag == 171986)
x.add(53 * flag + 87 * flag + 23 * flag + 80 * flag + 86 * flag+ 20 * flag+ 29 * flag+ 31 * flag+ 83 * flag+ 11 * flag+ 29 * flag+ 82 * flag+ 84 * flag+ 70 * flag+ 52 * flag+ 40 * flag+ 91 * flag+ 6 * flag+ 77 * flag+ 56 * flag+ 86 * flag+ 63 * flag+ 26 * flag+ 19 * flag+ 50 * flag+ 15 * flag+ 67 * flag+ 37 * flag+ 84 * flag + 81 * flag + 93 * flag == 151676)
x.add(29 * flag + 93 * flag + 67 * flag + 12 * flag+ 82 * flag+ 100 * flag+ 29 * flag+ 97 * flag+ 32 * flag+ 26 * flag+ 46 * flag+ 8 * (flag + 9 * flag + 2 * flag)+ 63 * flag+ 39 * flag+ 81 * flag+ 51 * flag+ 31 * flag+ 49 * flag+ 3 * flag+ 26 * flag+ 15 * flag+ 89 * flag+ 5 * flag+ 47 * flag+ 19 * flag+ 98 * flag + 15 * flag + 49 * flag == 128223)
x.add(13 * flag + 73 * flag + 99 * flag + 76 * flag + 84 * flag+ 91 * flag+ 67 * flag+ 77 * flag+ 23 * flag+ 38 * flag+ 3 * flag+ 76 * flag+ 50 * flag+ 74 * flag+ 45 * flag+ 58 * flag+ 39 * flag+ 95 * flag+ 26 * flag+ 23 * flag+ 28 * flag+ 89 * flag+ 88 * flag+ 3 * flag+ 59 * flag+ 80 * flag+ 49 * flag+ 56 * flag+ 32 * flag+ 24 * flag + 77 * flag + 18 * flag == 138403)
# Expect `sat`; the model then gives one byte value per flag[k], to be
# joined in index order into the 32-char string.
print x.check()
print x.model()
得到flag
hgame{H4ppY#n3w@Y3AR%fr0M-oDiDi}
0x01 Say-Muggle-Code a.k.a. SMC
// IDA pseudocode of SMC's main() (week 3). Reads a 39-char flag shaped
// "hgame{" + 16 chars + 16 chars + "}", checks the first 16 with check1(),
// derives a 16-byte key from them, and checks the second 16 with check2()
// under that key. Argument/return types are IDA's.
// NOTE(review): `&edata` as the istream argument is almost certainly
// std::cin resolved to the wrong nearby symbol by IDA — the week-3
// easy_math binary passes &std::cin at the same call.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rax
char v4; // r12
bool v5; // r13
__int64 v6; // rax
__int64 v7; // rbx
bool v8; // al
__int64 v9; // rax
signed int i; //
char v12; //
char v13; //
char v14; //
char v15; //
char v16; //
__int64 v17; //
__int64 v18; //
unsigned __int64 v19; //
v19 = __readfsqword(0x28u); // stack-protector canary (fs:0x28)
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v12, argv, envp); // v12: the input std::string (argv/envp are register leftovers)
std::operator<<<std::char_traits<char>>(&std::cout, "hello muggle, please give me your flag: ");
std::operator>><char,std::char_traits<char>,std::allocator<char>>(&edata, &v12); // whitespace-delimited read into v12
if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length(&v12) != 39 ) // total length must be 39
{
v3 = std::operator<<<std::char_traits<char>>(&std::cout, "your flag has a wrong length, muggle!");
std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
exit(0);
}
v4 = 0; // v4: "v14 was constructed" flag, used only for the destructor below
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(&v13, &v12, 0LL, 6LL); // v13 = s[0..5]
v5 = 1; // v5: "prefix/suffix invalid" until proven otherwise
if ( !(unsigned __int8)std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v13, "hgame{") )
{
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(&v14, &v12, 38LL, -1LL); // v14 = s[38..] (-1 == npos), i.e. the last char
v4 = 1;
if ( !(unsigned __int8)std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v14, "}") )
v5 = 0;
}
if ( v4 )
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v14);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v13);
if ( v5 )
{
v6 = std::operator<<<std::char_traits<char>>(&std::cout, "it's not even a valid flag, muggle!");
std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
}
else
{
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(&v15, &v12, 6LL, 16LL); // v15 = s[6..21]
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(&v16, &v12, 22LL, 16LL); // v16 = s[22..37]
// v17/v18 are adjacent 8-byte locals that IDA shows separately; together
// they are the 16-byte key buffer handed to check2(): key[0] = v15[0],
// key[i] = v15[i] ^ v15[i-1] for i = 1..15 (the writes run from v17 into v18).
v17 = 0LL;
v18 = 0LL;
v17 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
&v15,
0LL);
for ( i = 1; i <= 15; ++i )
{
v7 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
&v15,
i - 1);
*((_BYTE *)&v17 + i) = *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
&v15,
i) ^ v7;
}
// `^ 1` is logical NOT here; `||` short-circuits, so check2() only runs
// when check1() passed. v8 == true means failure.
v8 = (unsigned __int8)check1(&v15) ^ 1 || (unsigned __int8)check2(&v16, &v17) ^ 1;
if ( v8 )
v9 = std::operator<<<std::char_traits<char>>(&std::cout, "your flag is good, but mine is better, muggle!");
else
v9 = std::operator<<<std::char_traits<char>>(
&std::cout,
"wow, your flag is exactly the same as mine, congratulations, just submit it!");
std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v16);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v15);
}
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v12);
return 0;
}
先判断长度是否为 39，再用 substr 检查开头 6 个字符是 "hgame{"、下标 38（最后一个字符）是 "}"。
随后切割：下标 6~21 的 16 个字符（v15）送入 check1；下标 22~37 的 16 个字符（v16）送入 check2。同时由 v15 派生出一个 16 字节的 key（反编译里的 v17/v18 其实是同一个缓冲区）：key[0] = v15[0]，key[i] = v15[i] ^ v15[i-1]。注意 `||` 是短路求值，check1 不通过时根本不会调用 check2。
// IDA pseudocode. a1 is the std::string holding flag chars 6..21 (see the
// substr(6, 16) in main). Every byte is XORed with 0xE9 and must match the
// expected table; the comparison is a plain early-return byte loop.
// NOTE(review): `data1` is almost certainly `data1[i]` -- the forum software has
// stripped bracketed indices throughout this page (same artefact below).
signed __int64 __fastcall check1(__int64 a1)
{
int v1; // eax
int i; //
for ( i = 0;
i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length(a1);
++i )
{
v1 = *(char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, i);
LOBYTE(v1) = v1 ^ 0xE9; // only the low byte is replaced; the compare below is against an unsigned byte
if ( v1 != (unsigned __int8)data1 )
return 0LL; // first mismatch fails the whole check
}
return 1LL;
}
每个字节与 0xE9 异或后和 data1[i] 逐字节比较（反编译里的 data1 应为 data1[i]，下标被论坛吞掉了），把 data1 表逐字节异或回去即可得出第 6~21 位是 781ef0676e13e541
再看check2函数
// IDA pseudocode. a1 = std::string with flag chars 22..37 (substr(22, 16)),
// a2 = the 16-byte key derived from chars 6..21 in main (v17).
// Copies the 16 chars to the stack, makes the 0x200 bytes at `encrypt`
// writable+executable, patches them in place (self-modifying code), then runs
// the patched routine over the buffer and compares with data2.
bool __fastcall check2(__int64 a1, __int64 a2)
{
const char *v2; // rax
char dest; //
__int64 v5; //
char v6; //
unsigned __int64 v7; //
v7 = __readfsqword(0x28u);
*(_QWORD *)dest = 0LL; // dest/v5/v6 appear to be one 17-byte stack buffer, zeroed here
v5 = 0LL;
v6 = 0;
v2 = (const char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(a1);
strcpy(dest, v2); // unbounded copy; only safe because main already fixed the substring at 16 chars
mprotect(&encrypt, 0x200uLL, 7); // 7 = PROT_READ|PROT_WRITE|PROT_EXEC on encrypt's page(s)
modify(&encrypt, 0x200uLL); // SMC: rewrites the 0x200 bytes of encrypt; the static listing is NOT what executes
((void (__fastcall *)(char *, __int64))encrypt)(dest, a2); // decoded routine: 16-byte in-place transform keyed by a2
return strcmp(dest, data2) == 0; // a 0x00 byte in the output would stop the compare early (strcmp, not memcmp)
}
mprotect(&encrypt, 0x200, 7) 把 encrypt 所在的 0x200 字节改成可读可写可执行（7 = PROT_READ|PROT_WRITE|PROT_EXEC）
modify 随后原地改写这段字节，就是 SMC（自修改代码）——静态看到的 encrypt 并不是真正执行的代码，要先还原
直接上IDC脚本
#include <idc.idc>
// Static replay of modify(): XOR each byte of encrypt with a running key that
// starts at 123 and increments per byte, patching the IDB so the decoded
// routine can be decompiled. Call as dec(<address of encrypt>).
// NOTE(review): modify() is called with length 0x200 (see check2); this loop
// runs `i <= 0x200`, i.e. 0x201 bytes, so the byte right after the region is
// probably patched one time too many -- confirm against modify()'s own bound.
static dec(from) {
auto i, x;
auto q=123; // initial key, taken from modify()
for ( i=0; i <= 0x200; i=i+1 ) {
x = Byte(from+i);
x = (x^q); // q grows past 255; PatchByte keeps only the low byte, so the XOR still acts bytewise
q=q+1;
PatchByte(from+i,x);
}
}
得到加密函数
// Decoded routine (after running dec() above). a1 = 16-byte data buffer,
// a2 = 16-byte key. 2654435769 == 0x9E3779B9 is the TEA delta and
// -1640531527 is the same value as a signed 32-bit int, so `v3` is TEA's
// `sum`; 16*x and x>>5 are TEA's (x<<4) and (x>>5). The 16 bytes are treated
// as two independent 8-byte TEA blocks (j = 0 and j = 2), 32 rounds each.
// NOTE(review): `*a2` / `a2` in the expressions are a2[0], a2[1], a2[2], a2[3]
// (forum stripped the indices) -- i.e. the standard k0..k3 of TEA.
_DWORD *__fastcall encrypt(__int64 a1, _DWORD *a2)
{
_DWORD *result; // rax
int v3; //
signed int i; //
signed int j; //
v3 = 0; // sum
for ( i = 0; i <= 31; ++i )
{
result = (_DWORD *)2654435769LL;
v3 -= 1640531527; // sum += 0x9E3779B9
for ( j = 0; j <= 3; j += 2 )
{
*(_DWORD *)(a1 + 4LL * j) = *(_DWORD *)(4LL * j + a1)
+ ((*(_DWORD *)(4 * (j + 1LL) + a1) + v3) ^ (16 * *(_DWORD *)(4 * (j + 1LL) + a1) + *a2) ^ ((*(_DWORD *)(4 * (j + 1LL) + a1) >> 5) + a2)); // v0 += ((v1<<4)+k0) ^ (v1+sum) ^ ((v1>>5)+k1)
result = (_DWORD *)(4 * (j + 1LL) + a1);
*result += (*(_DWORD *)(4LL * j + a1) + v3) ^ (16 * *(_DWORD *)(4LL * j + a1) + a2) ^ ((*(_DWORD *)(4LL * j + a1) >> 5)
+ a2); // v1 += ((v0<<4)+k2) ^ (v0+sum) ^ ((v0>>5)+k3)
}
}
return result;
}
捉重点
result = (_DWORD *)2654435769LL;
v3 -= 1640531527;
0x9E3779B9 正是 TEA 的 delta，-1640531527 就是它的有符号 32 位表示，v3 即 sum；16*x 与 x>>5 对应 TEA 的 (x<<4)、(x>>5)，所以这是标准 TEA，对 16 字节数据按两个 8 字节块各跑 32 轮
再看看前面的参数（反编译里的 *a2 / a2 其实是 a2[0]~a2[3]，即 TEA 的 k0~k3，下标被论坛吞掉了）
发现是用原来的第 6~21 位经相邻异或后当做 16 字节密钥 然后使用 TEA 算法加密第 22~37 位 再与 data2 比较
直接上脚本就行 这里修改了一位师傅的脚本
https://sh1rker.github.io/2019/02/12/HGAME2019-Say-Muggle-Code-a-k-a-SMC/
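#include <stdio.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include<windows.h> /* no longer needed: DWORD replaced by uint32_t so the script also builds on Linux/macOS */
#endif

/*
 * TEA decryption for the check2 routine: two independent 8-byte TEA blocks
 * (v[0],v[1]) and (v[2],v[3]), 32 rounds each, key k[0..3].
 * Mirrors the decoded encrypt(): encryption does v[j] then v[j+1] per round,
 * so decryption undoes v3, v2, v1, v0 in that order with sum counting down
 * from 32*delta. In-place: v holds the plaintext on return.
 *
 * Fix vs. the original paste: the forum had stripped every `[...]` index
 * (v0=v, k0=k, v=v0, DWORD key = {...}), which does not even compile.
 */
void decrypt(uint32_t* v, uint32_t* k) {
    uint32_t v0 = v[0], v1 = v[1], v2 = v[2], v3 = v[3];
    uint32_t sum = 0xC6EF3720; /* 32 * delta: value of sum after the last encryption round */
    const uint32_t delta = 0x9e3779b9;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (uint32_t i = 0; i < 32; i++) {
        v3 -= ((v2 << 4) + k2) ^ (v2 + sum) ^ ((v2 >> 5) + k3);
        v2 -= ((v3 << 4) + k0) ^ (v3 + sum) ^ ((v3 >> 5) + k1);
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }
    v[0] = v0; v[1] = v1; v[2] = v2; v[3] = v3;
}

int main(void)
{
    /* key = v17 derived from flag chars 6..21 ("781ef0676e13e541"), as 4 little-endian dwords */
    uint32_t key[4] = {0x54090f37, 0x01065603, 0x02545301, 0x05015056};
    /* data2: the expected ciphertext, as 4 little-endian dwords */
    uint32_t flags[4] = {0xd240f52f, 0x728cca9d, 0xb6379fd3, 0xfba1a736};
    decrypt(flags, key);
    for (int i = 0; i < 4; ++i)
    {
        printf("%08x ", flags[i]); /* zero-padded so a leading 0x0? byte is not lost */
    }
    printf("\n");
    /* The flag chars are the plaintext bytes in memory order (little-endian),
     * so also print them directly instead of reading the hex backwards. */
    unsigned char bytes[16];
    memcpy(bytes, flags, sizeof bytes);
    for (int i = 0; i < 16; ++i)
        putchar((bytes[i] >= 0x20 && bytes[i] < 0x7f) ? bytes[i] : '.');
    putchar('\n');
    return 0;
}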
注意大小端问题：解出的 4 个 DWORD 要按小端序逐字节转成 ASCII（低字节在前），拼在前面的 781ef0676e13e541 之后即可得到 flag
hgame{781ef0676e13e541d91debef62c1946f}
0x02 helloweb
题目下载下来后发现有三个文件 hello.js hello.html hello.wasm
第一次遇到 百度了wasm
发现是
WebAssembly是一种运行在现代网络浏览器中的新型代码并且提供新的性能特性和效果。
它设计的目的不是为了手写代码而是为诸如C、C++和Rust等低级源语言提供一个高效的编译目标。
WebAssembly是一门低级的类汇编语言。
它有一种紧凑的二进制格式,使其能够以接近原生性能的速度运行并且为诸如C++和Rust等拥有低级的内存模型语言提供了一个编译目标以便它们能够在网络上运行。
也就是说 你可以用C/C++来写网页
网上对于这方面逆向不是很多 即使用wabt翻译成c代码或者是wat文件格式阅读起来都非常麻烦
然后我决定自己来写一个类似的逆一下
先上官网安装好环境https://emscripten.org/
写一个C文件
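#include <stdio.h>
#include <string.h>

/*
 * Minimal stand-in for the challenge: read a string, compare it with a
 * constant, print good/wrong. Compiled with emcc so the generated .wasm/.js
 * scaffolding can be compared against hello.wasm.
 *
 * Fix vs. the original paste: the buffer was declared `char s;` (the forum
 * ate the array size) and scanf("%s") had no width, so any long input would
 * run off the end of the buffer. Use a sized array and a bounded read.
 */
int main()
{
    char s[32];
    printf("Input your flag:");
    /* width 31 leaves room for the terminating NUL; bail out on EOF */
    if (scanf("%31s", s) != 1)
        return 1;
    if(strcmp(s, "flag{aaa}}")==0)
    {
        printf("good\n");
    }
    else
    {
        printf("wrong!\n");
    }
    return 0;
}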
然后生成网页
emcc hellos.c -s WASM=1 -o test.html
打开后发现界面简直跟原来题目一毛一样 而且html和js里边的代码其实差不多
现在试一下逆自己写的代码
直接在浏览器里边调试 用wabt反汇编出来的.wat文件阅读代码中发现(export "_main" (func 19))
也就是说(func (;19;) (type 4) (result i32) 其实就是main函数 在这里下断点
看一下代码
(func (;19;) (type 4) (result i32)
(local i32 i32 i32 i32 i32 i32 i32 i32 i32 i32)
global.get 18
local.set 9
global.get 18
i32.const 64
i32.add
global.set 18
global.get 18
global.get 19
i32.ge_s
if;; label = @1
i32.const 64
call 0
end
local.get 9
i32.const 48
i32.add
local.set 7
local.get 9
i32.const 40
i32.add
local.set 6
local.get 9
i32.const 32
i32.add
local.set 5
local.get 9
i32.const 24
i32.add
local.set 4
local.get 9
local.set 1
i32.const 0
local.set 0
i32.const 2528
local.get 4
call 86
drop
local.get 5
local.get 1
i32.store
i32.const 2545
local.get 5
call 85
drop
local.get 1
i32.const 2548
call 84
local.set 2
local.get 2
i32.const 0
i32.eq
local.set 3
local.get 3
if;; label = @1
i32.const 2559
local.get 6
call 86
drop
local.get 9
global.set 18
i32.const 0
return
else
i32.const 2565
local.get 7
call 86
drop
local.get 9
global.set 18
i32.const 0
return
end
动态调试可以发现
call $func86 应该就是printf了
call $func85 应该就是scanf函数
call $func84 应该就是strcmp函数了
还有一些有意思的代码
get_local $var1
i32.const 2548
call $func84
const 2548 应该就是和输入的字符串对比的字符了 2548就是偏移了
是字符串"flag{aaa}}"
好了 按照刚才我的思路去逆题目
先简单看看反汇编的C代码
// wasm2c output of the challenge's exported _main. Frame is 80 bytes at g18:
//   l12 = frame+0  : 27 bytes copied from linear memory 1024 (expected value)
//   l1  = frame+32 : input buffer filled by f72 (scanf-like)
//   l20 = frame+64 : vararg slot passed to f72
// Flow: print prompt, read input, XOR input[i] ^= mem[2080 + i] for i in 0..25,
// then f34(input, expected) decides which message to print.
// NOTE(review): the input buffer is only 32 bytes and the read at f72 is not
// visibly bounded here; a long input could overrun it -- confirm from the
// format string at linear address 2130.
static u32 _main(void) {
u32 l0 = 0, l1 = 0, l2 = 0, l3 = 0, l4 = 0, l5 = 0, l6 = 0, l7 = 0,
l8 = 0, l9 = 0, l10 = 0, l11 = 0, l12 = 0, l13 = 0, l14 = 0, l15 = 0,
l16 = 0, l17 = 0, l18 = 0, l19 = 0, l20 = 0, l21 = 0, l22 = 0;
FUNC_PROLOGUE;
u32 i0, i1, i2;
u64 j1;
i0 = g18; // g18 = stack pointer
l22 = i0;
i0 = g18;//6128u
i1 = 80u;
i0 += i1;
g18 = i0; // reserve an 80-byte frame
i0 = g18;
i1 = g19;
i0 = (u32)((s32)i0 >= (s32)i1);
if (i0) {
i0 = 80u;
(*Z_envZ_abortStackOverflowZ_vi)(i0);
}
i0 = l22;
i1 = 64u;
i0 += i1;
l20 = i0; // frame+64: vararg area for f72
i0 = l22;
i1 = 32u;
i0 += i1;
l1 = i0; // frame+32: input buffer (32 bytes)
i0 = l22;
l12 = i0; // frame+0: expected bytes
i0 = 0u;
l0 = i0;
i0 = 2107u;
i0 = f71(i0);//printf("Input your flag")
i0 = l20;
i1 = l1;
i32_store(Z_envZ_memory, (u64)(i0), i1); // pass &input via the vararg slot
i0 = 2130u;
i1 = l20;
i0 = f72(i0, i1);//Input
i0 = l12;
i1 = 1024u;
j1 = i64_load(Z_envZ_memory, (u64)(i1)); // copy 27 bytes from linear address 1024 (8+8+8+2+1) into l12
i64_store(Z_envZ_memory, (u64)(i0), j1);
i0 = l12;
i1 = 8u;
i0 += i1;
i1 = 1024u;
i2 = 8u;
i1 += i2;
j1 = i64_load(Z_envZ_memory, (u64)(i1));
i64_store(Z_envZ_memory, (u64)(i0), j1);
i0 = l12;
i1 = 16u;
i0 += i1;
i1 = 1024u;
i2 = 16u;
i1 += i2;
j1 = i64_load(Z_envZ_memory, (u64)(i1));
i64_store(Z_envZ_memory, (u64)(i0), j1);
i0 = l12;
i1 = 24u;
i0 += i1;
i1 = 1024u;
i2 = 24u;
i1 += i2;
i1 = i32_load16_s(Z_envZ_memory, (u64)(i1));
i32_store16(Z_envZ_memory, (u64)(i0), i1);
i0 = l12;
i1 = 26u;
i0 += i1;
i1 = 1024u;
i2 = 26u;
i1 += i2;
i1 = i32_load8_s(Z_envZ_memory, (u64)(i1));
i32_store8(Z_envZ_memory, (u64)(i0), i1);
i0 = 0u;
l13 = i0; // loop counter i = 0
L1:
i0 = l13;
l14 = i0;
i0 = l14;
i1 = 26u;
i0 = (u32)((s32)i0 < (s32)i1); // loop while i < 26
l15 = i0;
i0 = l15;
i0 = !(i0);
if (i0) { // exit the loop after 26 bytes
goto B2;
}
i0 = l13; // counter
l16 = i0;
i0 = 2080u;
i1 = l16;
i0 += i1;
l17 = i0;
i0 = l17;
i0 = i32_load8_s(Z_envZ_memory, (u64)(i0)); // key byte: load from linear memory at 2080 + i (a table read, not a stack pop)
l18 = i0;
i0 = l18;
i1 = 24u;
i0 <<= (i1 & 31);
i1 = 24u;
i0 = (u32)((s32)i0 >> (i1 & 31)); // sign-extend to a char
l19 = i0;
i0 = l13; // counter
l2 = i0;
i0 = l1;
i1 = l2;
i0 += i1;
l3 = i0; // &input[i]
i0 = l3;
i0 = i32_load8_s(Z_envZ_memory, (u64)(i0));
l4 = i0;
i0 = l4;
i1 = 24u;
i0 <<= (i1 & 31);
i1 = 24u;
i0 = (u32)((s32)i0 >> (i1 & 31));
l5 = i0;
i0 = l5;
i1 = l19;
i0 ^= i1; // input[i] ^ key[i]
l6 = i0;
i0 = l6;
i1 = 255u;
i0 &= i1;
l7 = i0;
i0 = l3;
i1 = l7;
i32_store8(Z_envZ_memory, (u64)(i0), i1); // input[i] = input[i] ^ key[i]
i0 = l13;
l8 = i0;
i0 = l8;
i1 = 1u;
i0 += i1;
l9 = i0;
i0 = l9;
l13 = i0; // ++i
goto L1;
B2:;
i0 = l1;
i1 = l12;
i0 = f34(i0, i1); // compare transformed input with the 27 bytes from 1024
l10 = i0;
i0 = l10;
i1 = 0u;
i0 = i0 != i1;
l11 = i0;
i0 = l11;
if (i0) { // nonzero: mismatch
i0 = 2144u;
i0 = f71(i0);//printf
i0 = l22;
g18 = i0;
i0 = 0u;
goto Bfunc;
} else {
i0 = 2135u;
i0 = f71(i0);//printf
i0 = l22;
g18 = i0;
i0 = 0u;
goto Bfunc;
}
UNREACHABLE;
Bfunc:;
FUNC_EPILOGUE;
return i0;
}
通过调试 可以发现f71是printf函数
f72是input函数
f34是strcmp函数
从整体来看 应该是输入字符串 然后逐字节跟什么东西异或再比较（循环 26 次，每次 input[i] ^= mem[2080+i]）
在循环体中 发现了 i0 = 2080u 等字眼 猜测线性内存 2080 处存的就是异或用的密钥表；而 1024 处被拷到栈上的 27 字节就是用来比较的目标串
上面说过 f34 是 strcmp 函数 那么可以在这个函数前面下断点 当参数入栈的时候截取两个字符串的地址 把目标串逐字节异或回 2080 处的密钥即可反推得到 flag
最终得到 flag（原帖此处内容缺失）
第四周
0x00 real
题目提示real 还有main有个加密很复杂
// IDA pseudocode of ./real's main. Reads up to 49 chars into a 0x80 buffer,
// parses it with atoll and feeds the number through sub_400C5C. Decoy: the
// .so dropped in the init-phase routine below replaces puts() and exits the
// process on the second puts() call, so this check is never reached.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
__int64 v3; // r14
__int64 v4; // rcx
__int64 v5; // rdx
char flag; //
unsigned __int64 v8; //
v8 = __readfsqword(0x28u);
memset(&flag, 0, 0x80uLL);
puts("Hello!"); // first call into the preloaded puts(): decodes encrypt
puts("Please input your flag:"); // second call: runs the real check and exit(0)s
fgets(&flag, 50, stdin); // bounded read (49 chars + NUL) into the 0x80-byte buffer
v3 = atoll(&flag);
v4 = sub_400C5C(0x3737373737373737uLL, v3, v3 >> 63, 0xF78D5C4752F8CCDBLL, -1LL); // 128-bit arithmetic helper; unreachable in practice
if ( v5 | v4 ^ 0x169A25615637D3A4LL )
printf("failed", 0xF78D5C4752F8CCDBLL, -1LL);
else
printf("success!", 0xF78D5C4752F8CCDBLL, -1LL);
return 0LL;
}
核心代码应该不在这里
查找init函数 调用main函数之前会先调用这个函数
发现init调用的函数中 有一个很可疑
// IDA pseudocode of the init-phase routine (runs before main). It is a
// dropper: if ./.real.so does not exist, open the running executable via
// /proc/self/exe, copy its last 12936 bytes to ./.real.so, then re-launch
// itself with that library injected through LD_PRELOAD and exit. The strings
// are built byte by byte on the stack to hide them from `strings`.
// NOTE(review): the forum stripped array indices -- `modes = 114; modes = 98;`
// etc. are modes[0], modes[1], ... in the real listing.
unsigned __int64 sub_400976()
{
int v0; // eax
FILE *stream; //
FILE *v3; //
char modes; //
char v5; //
char v6; //
char v7; //
char v8; //
char name; //
char v10; //
char v11; //
char v12; //
char v13; //
char v14; //
char v15; //
char v16; //
char v17; //
char v18; //
char v19; //
char path; //
char v21; //
char v22; //
char v23; //
char v24; //
char v25; //
char v26; //
char v27; //
char v28; //
char v29; //
char v30; //
char v31; //
char v32; //
char v33; //
char v34; //
char command; //
char v36; //
char v37; //
char v38; //
char v39; //
char v40; //
char v41; //
char v42; //
char v43; //
char v44; //
char v45; //
char v46; //
char v47; //
char v48; //
char v49; //
char v50; //
char v51; //
char v52; //
char v53; //
char v54; //
char v55; //
char v56; //
char v57; //
char v58; //
char v59; //
char v60; //
char v61; //
char v62; //
char v63; //
char buf; //
unsigned __int64 v65; //
v65 = __readfsqword(0x28u);
modes = 114; // modes = "rb"
modes = 98;
modes = 0;
name = 46; // name = "./.real.so"
v10 = 47;
v11 = 46;
v12 = 114;
v13 = 101;
v14 = 97;
v15 = 108;
v16 = 46;
v17 = 115;
v18 = 111;
v19 = 0;
v5 = 119; // v5 = "wb+"
v6 = 98;
v7 = 43;
v8 = 0;
command = 76; // command = "LD_PRELOAD=./.real.so ./real"
v36 = 68;
v37 = 95;
v38 = 80;
v39 = 82;
v40 = 69;
v41 = 76;
v42 = 79;
v43 = 65;
v44 = 68;
v45 = 61;
v46 = 46;
v47 = 47;
v48 = 46;
v49 = 114;
v50 = 101;
v51 = 97;
v52 = 108;
v53 = 46;
v54 = 115;
v55 = 111;
v56 = 32;
v57 = 46;
v58 = 47;
v59 = 114;
v60 = 101;
v61 = 97;
v62 = 108;
v63 = 0;
path = 47; // path = "/proc/self/exe"
v21 = 112;
v22 = 114;
v23 = 111;
v24 = 99;
v25 = 47;
v26 = 115;
v27 = 101;
v28 = 108;
v29 = 102;
v30 = 47;
v31 = 101;
v32 = 120;
v33 = 101;
v34 = 0;
if ( access(&name, 0) ) // F_OK: only drop the library when ./.real.so is absent (i.e. in the first, un-preloaded process)
{
readlink(&path, &buf, 0x1000uLL); // path of the running binary; readlink does not NUL-terminate and the result is unchecked -- relies on buf being zeroed (not visible here)
stream = fopen(&buf, modes);
fseek(stream, -12936LL, 2); // SEEK_END: payload = last 12936 bytes of the executable (an ELF shared object)
v3 = fopen(&name, &v5);
while ( !feof(stream) )
{
v0 = fgetc(stream);
fputc(v0, v3); // byte-copy the payload to ./.real.so
}
fclose(stream);
fclose(v3);
system(&command); // re-exec with LD_PRELOAD=./.real.so so the child's puts() resolves to the library's
exit(0); // the original process never runs main
}
return __readfsqword(0x28u) ^ v65;
}
这代码的意思是
这段代码在 init 阶段执行：若 ./.real.so 不存在，就通过 /proc/self/exe 打开自身，把文件末尾 12936 字节写成 ./.real.so，然后 system("LD_PRELOAD=./.real.so ./real") 重新启动自己并 exit(0)
也就是说 源文件尾部还藏着第二个 ELF（一个共享库），而且它是通过 LD_PRELOAD 注入的——子进程里 libc 的 puts 会被这个库里同名的 puts 顶掉，这也是下面 puts 函数"很可疑"的原因 用 winhex 一查果然如此
用winhex抠出来在分析
puts函数很可疑
// Replacement puts() exported by the dropped .real.so. Because the child is
// started with LD_PRELOAD=./.real.so, main's two puts() calls land here.
// Call 1 ("Hello!"): delete the dropped library from disk, decode encrypt()
// in place, set the flag. Call 2 ("Please input your flag:"): run the real
// check and exit -- main's own sub_400C5C test is never reached.
unsigned __int64 puts()
{
char *v0; // rax
int i; //
char buf; //
unsigned __int64 v4; //
v4 = __readfsqword(0x28u);
if ( aaaaa ) // second call
{
printf("Please input your flag:");
putchar(10);
j_encrypt(10LL); // the actual flag check (decoded below on the first call)
exit(0); // never returns to main
}
memset(buf, 0, 0x1000uLL);
getcwd(buf, 0x1000uLL); // immediately overwritten below; the cwd is not used
v0 = &buf;
*(_QWORD *)v0 = 8299690328860012079LL; // 0x732E6C6165722E2F, little-endian bytes "./.real.s"
*((_WORD *)v0 + 4) = 111; // "o\0" -> buf = "./.real.so"
unlink(buf); // anti-forensics: remove the dropped library now that it is already mapped
printf("Hello!");
putchar(10);
mprotect(&dword_0, 0x1000uLL, 7); // RWX (7 = PROT_READ|PROT_WRITE|PROT_EXEC) on the library's first page
for ( i = 0; i <= 309; ++i )
*((_BYTE *)encrypt + i + 20) ^= i; // SMC: decode 310 bytes of encrypt, starting 20 bytes in, key = byte index
aaaaa = 1;
return __readfsqword(0x28u) ^ v4;
}
又是 SMC：第一次调用 puts 时先 unlink 掉 ./.real.so（销毁落地文件），再把 encrypt 偏移 20 起的 310 字节逐个与下标 i 异或还原，并置位 aaaaa；第二次调用直接走 j_encrypt 并 exit(0)。解码可以把上面的 IDC 脚本改成 x ^ i、起始偏移 +20、长度 310 拿来用
查看解密后的encrypt代码
// Decoded encrypt() from .real.so (the real flag check). Reads up to 50 chars,
// runs them through unk_EB1 / unk_F91 keyed with "hgame!@#", and compares the
// result with a 27-byte constant s1. unk_EB1 is shown below and is an RC4 key
// schedule; unk_F91 is not on this page but is presumably the matching PRGA/XOR.
// NOTE(review): v0 and v2 carry the same IDA stack-slot tag (ST00_8), so v2 is
// the 0x100-byte buffer from malloc (the RC4 state). The forum stripped the
// indices from the `s1 = ...` lines: they are s1[0] .. s1[26].
unsigned __int64 encrypt()
{
void *v0; // ST00_8
unsigned int v1; // eax
__int64 v2; // ST00_8
unsigned int v3; // eax
char s1; //
char v6; //
char s2; //
unsigned __int64 v8; //
v8 = __readfsqword(0x28u);
v0 = malloc(0x100uLL); // 256-byte state buffer (never freed; process exits right after)
memset(s1, 0, sizeof(s1));
s1 = 67; // s1[0..26] = expected output bytes (raw, not printable)
s1 = 36;
s1 = 229;
s1 = 161;
s1 = 197;
s1 = 29;
s1 = 114;
s1 = 210;
s1 = 40;
s1 = 239;
s1 = 190;
s1 = 234;
s1 = 165;
s1 = 151;
s1 = 68;
s1 = 96;
s1 = 217;
s1 = 15;
s1 = 44;
s1 = 111;
s1 = 94;
s1 = 38;
s1 = 179;
s1 = 10;
s1 = 252;
s1 = 212;
s1 = 179;
memset(&v6, 0, 0x80uLL);
memset(&s2, 0, 0x80uLL);
scanf("%50s", &v6, &s2, v0); // width 50 bounds the read into the 0x80-byte buffer; extra args are ignored
v1 = strlen("hgame!@#");
unk_EB1(v2, "hgame!@#", v1); // key schedule (sub_EB1 below), key = "hgame!@#", keylen = 8
v3 = strlen(&v6);
unk_F91(v2, (__int64)&v6, v3, (__int64)&s2); // transform input -> s2 (keystream + XOR, presumably)
if ( !strcmp(s1, &s2) ) // strcmp stops at the first 0x00, so a zero byte in the keystream output would shorten the compare
printf("success!", &s2);
else
printf("failed", &s2);
putchar(10);
return __readfsqword(0x28u) ^ v8;
}
再看unk_EB1函数
// RC4 key-scheduling algorithm (KSA). a1 = 256-byte state S, a2 = key bytes,
// a3 = key length. S[i] = i, then j = (j + S[i] + key[i % keylen]) mod 256 and
// swap(S[i], S[j]) for i in 0..255.
// The `>> 31 >> 24` dance with v4 is the usual codegen for a signed `% 256`,
// so v8 is just j reduced mod 256.
__int64 __fastcall sub_EB1(__int64 a1, __int64 a2, int a3)
{
__int64 result; // rax
unsigned int v4; // eax
char v5; // ST24_1
signed int i; //
signed int j; //
int v8; //
for ( i = 0; i <= 255; ++i )
{
result = i;
*(_BYTE *)(a1 + i) = i; // identity permutation
}
v8 = 0; // j
for ( j = 0; j <= 255; ++j )
{
v4 = (unsigned int)((*(unsigned __int8 *)(a1 + j) + v8 + *(unsigned __int8 *)(j % a3 + a2)) >> 31) >> 24;
v8 = (unsigned __int8)(v4 + *(_BYTE *)(a1 + j) + v8 + *(_BYTE *)(j % a3 + a2)) - v4; // j = (j + S[i] + key[i % keylen]) & 0xFF
v5 = *(_BYTE *)(a1 + j);
*(_BYTE *)(a1 + j) = *(_BYTE *)(a1 + v8); // swap S[i], S[j]
result = v8;
*(_BYTE *)(a1 + v8) = v5;
}
return result;
}
很明显了：sub_EB1 是 RC4 的 KSA（S 盒初始化 + 用密钥打乱），unk_F91 应是 PRGA 并与输入异或，密钥是"hgame!@#"
RC4 是对称的：把 s1 那 27 个字节提取出来（在线工具一般要求先转成 base64 或 hex），用同样的密钥再过一遍 RC4
直接反推得到 flag
0x01 happyVM
不懂咋讲 跟着流程图发现规律
印象中这道题也就两层异或然后比较
代码
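# happyVM solver. The checker keeps 34 bytes (i) and compares them with the
# input after two XOR passes over the *reversed* string; each pass uses a
# running one-byte key that starts at a constant (0x32, then 0x16) and
# increases by 3 per character. XOR is its own inverse, so replaying the two
# passes on the stored bytes and reversing again recovers the flag.
# Fix vs. the original: `print flags[::-1]` is Python-2-only syntax; the
# parenthesised form runs under both Python 2 and 3.
i = [0x84, 0x83, 0x9D, 0x91, 0x81, 0x97, 0xD7, 0xBE,0x43, 0x72, 0x61, 0x73, 0x73, 0x0C, 0x6A, 0x70
,0x73, 0x11, 0x48, 0x2C, 0x34, 0x33, 0x31, 0x36,0x23, 0x34, 0x3E, 0x5C, 0x23, 0x4E, 0x17, 0x11,0x19, 0x59]
flag = ""
flags = ""
cout = 0x32  # first-pass key: 0x32, 0x35, 0x38, ...
i = i[::-1]
for q in i:
    flag += chr(q ^ cout)
    cout += 3
cout = 0x16  # second-pass key: 0x16, 0x19, 0x1C, ...
for q in flag:
    flags += chr(ord(q) ^ cout)
    cout += 3
print(flags[::-1])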
hgame{3Z_VM_W0NT_5T0P_UR_PR0GR355}
有多少人是被Hgame吸引进来,然后一脸懵逼默默右上角X出去的~~~ 被标题吓进来的
什么时候Hgame也能做CTF了
看了一眼原来如此
不过那个编译一份再对比确实是面对陌生东西的好方法 写的很好 支持一下 师傅,TQL lihaohua 发表于 2019-3-7 19:06
师傅,TQL
太菜了。 一脸兴奋的进来,一脸蒙蔽的出去 虽然看不懂,但潜意识觉得楼主是个牛逼人物。
虽然看不懂,但潜意识觉得楼主是个牛逼人物 比赛网址多少?