re1
ibm s/390 看逻辑就是个解方程,z3试一下,原本用bitvec,发现看上去就不怎么对,用int 就好了,真奇怪
| 指令 | 意思 |
|---|---|
| larl a1 a2 | 存地址到a1 |
| brasl a1 a2 | call a2 |
| aghik a1 ,a2,a3 | a1 = a2+a3 |
| lgr a1 a2 | load |
| lar; a1 ,a2 | load address long |
| ltr a1 ,a2 | load and test |
| ldgr | 和load差不多 |
| lay | load an address |
| mvhi a1 a2 | move a1 = a2 |
| lgf | load |
| ag | add |
| larl | load |
from z3 import *
table = [0x00, 0x00, 0xB2, 0xB0, 0x00, 0x00, 0x6E, 0x72, 0x00, 0x00, 0x60, 0x61, 0x00, 0x00, 0x56, 0x5D, 0x00, 0x00, 0x94, 0x2D, 0x00, 0x00, 0xAC, 0x79, 0x00, 0x00, 0x39, 0x1C, 0x00, 0x00, 0x64, 0x3D, 0x00, 0x00, 0xEC, 0x3F, 0x00, 0x00, 0xBD, 0x10, 0x00, 0x00, 0xC4, 0x3E, 0x00, 0x00, 0x7A, 0x65, 0x00, 0x00, 0x18, 0x4B, 0x00, 0x00, 0xEF, 0x5B, 0x00, 0x00, 0x5A, 0x06, 0x00, 0x00, 0xA8, 0xC0, 0x00, 0x00, 0xF6, 0x4B, 0x00, 0x00, 0xC7, 0x74, 0x00, 0x00, 0x02, 0xFF, 0x00, 0x00, 0x8E, 0x57, 0x00, 0x00, 0xAE, 0xD9, 0x00, 0x00, 0xD8, 0xA9, 0x00, 0x00, 0x23, 0x0C, 0x00, 0x00, 0x74, 0xE8, 0x00, 0x00, 0xC2, 0xA6, 0x00, 0x00, 0x88, 0xB3, 0x00, 0x00, 0xAF, 0x2A, 0x00, 0x00, 0x9E, 0xA7, 0x00, 0x00, 0xCE, 0x8A, 0x00, 0x00, 0x59, 0x24, 0x00, 0x00, 0xD2, 0x76, 0x00, 0x00, 0x56, 0xD4, 0x00, 0x00, 0x77, 0xD7, 0x00, 0x00, 0x99, 0x0E, 0x00, 0x00, 0xB5, 0x85, 0x00, 0x00, 0x4B, 0xCD, 0x00, 0x00, 0x52, 0x77, 0x00, 0x00, 0x1A, 0xFC, 0x00, 0x00, 0x8C, 0x8A, 0x00, 0x00, 0xCD, 0xB5, 0x00, 0x00, 0x6E, 0x26, 0x00, 0x00, 0x4C, 0x22, 0x00, 0x00, 0x67, 0x3F, 0x00, 0x00, 0xDA, 0xFF, 0x00, 0x00, 0x0F, 0xAC, 0x00, 0x00, 0x86, 0xC7, 0x00, 0x00, 0xE0, 0x48, 0x00, 0x00, 0xC4, 0x83, 0x00, 0x00, 0x85, 0xD3, 0x00, 0x00, 0x22, 0x04, 0x00, 0x00, 0xC2, 0xEE, 0x00, 0x00, 0xE0, 0x7F, 0x00, 0x00, 0x0C, 0xAF, 0x00, 0x00, 0xBF, 0x76, 0x00, 0x00, 0x63, 0xFE, 0x00, 0x00, 0xBF, 0xFB, 0x00, 0x00, 0x4B, 0x09, 0x00, 0x00, 0xE5, 0xB3, 0x00, 0x00, 0x8B, 0xDA, 0x00, 0x00, 0x96, 0xDF, 0x00, 0x00, 0x86, 0x6D, 0x00, 0x00, 0x17, 0x19, 0x00, 0x00, 0x6B, 0xCF, 0x00, 0x00, 0xAD, 0xCC, 0x00, 0x00, 0x0F, 0x2B, 0x00, 0x00, 0x51, 0xCE, 0x00, 0x00, 0x15, 0x49, 0x00, 0x00, 0x20, 0xC1, 0x00, 0x00, 0x3A, 0x8D, 0x00, 0x00, 0x05, 0xF5, 0x00, 0x00, 0x54, 0x03, 0x00, 0x00, 0x11, 0x25, 0x00, 0x00, 0x91, 0x61, 0x00, 0x00, 0xE2, 0xA5, 0x00, 0x00, 0x51, 0x96, 0x00, 0x00, 0xD8, 0xD2, 0x00, 0x00, 0xD6, 0x44, 0x00, 0x00, 0xEE, 0x86, 0x00, 0x00, 0x38, 0x96, 0x00, 0x00, 0x2E, 0x71, 0x00, 0x00, 0xA6, 0xF1, 0x00, 0x00, 0xDF, 0xCF, 0x00, 0x00, 0x3E, 0xCE, 0x00, 0x00, 0x7D, 0x49, 0x00, 0x00, 0xC2, 0x4D, 0x00, 0x00, 0x23, 0x7E, 0x00, 0x00, 0x93, 0x52, 0x00, 0x00, 0x7A, 0x97, 0x00, 0x00, 0x7B, 0xFA, 0x00, 0x00, 0xCB, 0xAA, 0x00, 0x00, 0x10, 0xDC, 0x00, 0x00, 0x3B, 0xD9, 0x00, 0x00, 0x7D, 0x7B, 0x00, 0x00, 0x3B, 0x88, 0x00, 0x00, 0xB0, 0xD0, 0x00, 0x00, 0xE8, 0xBC]
result = [0x8A73233,0x116DB0F6,0xE654937,0x3C374A7,0x16BC8ED9,0x846B755,0x8949F47,0x4A13C27,0x976CF0A,0x7461189,0x1E1A5C12,0x11E64D96,0x3CF09B3,0x93CB610,0xD41EA64,0x7648050,0x92039BF,0x8E7F1F7,0x4D871F,0x1680F823,0x6F3C3EB,0x2205134D,0x15C6A7C,0x11C67ED0,0x817B32E,0x6BD9B92,0x8806B0C,0x6AAA515,0x205B9F76,0xDE963E9,0x2194E8E2,0x47593BC]
table_1 = []
for i in range(0, len(table), 4):
num = (table[i] << 24) + (table[i + 1] << 16) + (table[i + 2] << 8) + table[i + 3]
table_1.append(num)
flag = [Int("a%d" % i) for i in range(32)]
s = Solver()
for i in range(32):
s.add(flag[i] * flag[i] * table_1[i] + flag[i] * table_1[0x20 + i] + table_1[0x40 + i] == result[i])
for i in range(32):
s.add(flag[i]>=0x30 ,flag[i]<0x7f)
if s.check()==sat:
m = s.model()
Str = [chr(m[flag[i]].as_long().real) for i in range(32)]
print("".join(Str))
re2
比较简单
加密算法换成python 语言就是
tmp = a[0] &0xe0
for i in range(len(a)-1):
a[i] = ((a[i]<<3)|(a[i+1]>>5))&0xff
a[i] = a[i] ^i
a[23] = (a[23]<<3)|(tmp>>5)
原本想从后往前爆破,发现情况太多就用z3l
from z3 import *
flag = [BitVec('x%d'%i,8) for i in range(0x28)]
s = Solver()
b = [0x2B, 0x08, 0xA9, 0xC8, 0x97, 0x2F, 0xFF, 0x8C, 0x92, 0xF0,
0xA3, 0x89, 0xF7, 0x26, 0x07, 0xA4, 0xDA, 0xEA, 0xB3, 0x91,
0xEF, 0xDC, 0x95, 0xAB]
for i in range(23):
s.add((((flag[i]<<3)|(flag[i+1]>>5))&0xff) ^i==b[i])
s.add(((flag[23]<<3)|((flag[0]&0xe0)>>5))&0xff==b[23])
if s.check() == sat:
m = s.model()
Str = [chr(m[flag[i]].as_long().real) for i in range(24)]
print("".join(Str))
re3
又是个python打包的exe(都出烂了。。。)
源码
# uncompyle6 version 3.7.2
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.6.0 (v3.6.0:41df79263a11, Dec 23 2016, 08:06:12) [MSC v.1900 64 bit (AMD64)]
# Embedded file name: ReMe.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import sys, hashlib
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']
def func(num):
result = []
while num != 1:
num = num * 3 + 1 if num % 2 else num // 2
result.append(num)
return result
if __name__ == '__main__':
print('Your input is not the FLAG!')
inp = input()
if len(inp) != 27:
print('length error!')
sys.exit(-1)
for i, ch in enumerate(inp):
ret_list = func(ord(ch))
s = ''
for idx in range(len(ret_list)):
s += str(ret_list[idx])
s += str(ret_list[(len(ret_list) - idx - 1)])
md5 = hashlib.md5()
md5.update(s.encode('utf-8'))
if md5.hexdigest() != check[i]:
sys.exit(i)
md5 = hashlib.md5()
md5.update(inp.encode('utf-8'))
print('You win!')
print('flag{' + md5.hexdigest() + '}')
爆破就行
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']
import sys, hashlib
def func(num):
result = []
while num != 1:
num = num * 3 + 1 if num % 2 else num // 2
result.append(num)
return result
tmp = ''
for j in range(27):
for i in range(0x20,0x7f):
ret_list = func(i)
s = ''
for idx in range(len(ret_list)):
s += str(ret_list[idx])
s += str(ret_list[(len(ret_list) - idx - 1)])
md5 = hashlib.md5()
md5.update(s.encode('utf-8'))
if md5.hexdigest() == check[j]:
tmp += chr(i)
break
print(tmp)
re4就一个xor
a = '7d21e<e3<:3;9;ji t r#w\"$*{*+*$|,'
s = ""
for i in range(len(a)):
s+=chr(ord(a[i]) ^i)
print(s)
