buuctf 两道GXYCTF逆向

Posted 2021-03-09 Harmonica11

1，luck_guy

ida打开，很简单

 

 

#include<stdio.h>
int main() {
        char f1[] = "GXY{do_not_";
        char f2[] = "icug`of";
        char temp[7];

        for (int j = 0; j < 7; ++j)
        {
                if (j % 2 == 1)
                        temp[j] = f2[j] - 2;
                else
                        temp[j] = f2[j] - 1;
                f2[j] = temp[j];
        }
        printf("%s%s}",f1,f2);
}

得到flag

2,simplecpp

拖进ida，找到关键函数

 

 

 可以分析出逻辑

v24=v19[2]&~v19[0]
v24==1176889593874

v31 = (v19[2] & ~v19[1]) & v19[0] | v19[2] & ((v19[1] & v19[0]) | v19[1] & ~v19[0] | ~(v19[1] | v19[0]))
v31 == 577031497978884115

v28 = v19[2] & ~v19[0] | v19[1] & v19[0] | v19[2] & ~v19[1] | v19[0] & ~v19[1]
v28 = 4483974544037412639
(v28 ^ v19[3]) == 4483974543195470111

((v19[2]&~v19[0]) | (v19[0] & v19[1]) | v19[1] & v19[2]) != (~v19[0] & v19[2] | 0xC00020130082C0C)

用z3

from z3 import *

x0,x1,x2,x3=BitVecs(\'x0 x1 x2 x3\',64)
f=Solver()

f.add(((x2&~x1)&x0|x2&((x1&x0)|x1&~x0|~(x1|x0)))==577031497978884115)
f.add((4483974544037412639^x3)==4483974543195470111)
f.add(x2&~x0==1176889593874)
f.add((x2&~x0|x1&x0|x2&~x1|x0&~x1)==4483974544037412639)

if f.check() == sat:
    print f.model()

[x3 = 842073600,
 x1 = 2452209997103237128,
 x0 = 4483973367147818765,
 x2 = 577031497978884115]

再看

 

 将得出来的数与dst异或

Dst = \'i_will_check_is_debug_or_noi_wil\'
flag = [0x3E,0x3A,0x46,0x05,0x33,0x28,0x6F,0x0D,0x36,0x38,0x40,0x00,0x22,0x00,0x4f,0x08,0x08,0x02,0x07,0x17,0x15,0x3E,0x30,0x13,0x32,0x31,0x06]
for i in range(len(flag)):
    print(chr(ord(Dst[i]) ^ flag[i]),end=\'\')

得到：We1l_D0n^]#k}i<Wlgebra_am_i，但是不对

之后看了看别人的wp，发现原来在比赛时发公告给了第二部分为e!P0or_a

3，第三道卡住了，做出来再写