GFCTF2024

Re

prese

D810

反编译结果里出现了 ~ 和 ^,可能是在进行某种位运算,先猜一下是异或

DASCTF{good_the_re_is_easyhhhh}

ezVM

两位十进制数转成一个16进制数

44位flag,加载dll中的check函数

只有异或运算,那么可以根据前16位推出key

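# Recover the ezVM flag: every ciphertext byte is XORed with the same key byte.
# A single-byte XOR gives no secrecy once any plaintext byte is known, so the
# fixed flag prefix alone is enough to reveal the key.
# NOTE(review): 0x49 is presumably the value derived from that known prefix, as
# the write-up describes; confirm against the DLL's check function.
XOR_KEY = 0x49

a = [13, 8, 26, 10, 29, 15]
s1 = '2x*{*{|}qdz,{}d(}q,dxx}zd(z}p'
s2 = '(z+~}yy4'

# Ciphertext order is a, s1, the lone byte 0x7f, then s2. 0x7f (DEL) has no
# printable form, which is presumably why it is kept out of the two strings.
cipher = a + [ord(c) for c in s1] + [0x7f] + [ord(c) for c in s2]
flag = ''.join(chr(b ^ XOR_KEY) for b in cipher)

print(len(flag))
print(flag)
# DASCTF{1c2c2548-3e24-a48e-1143-a3496a3b7400}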

当然,正常思路是把它当作 VM 来逆向:每条指令是 op 加两个参数

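# Bytecode for the ezVM check routine, one word per list element.
vm = [0x000000A2, 0x00000000, 0x00000084, 0x000000A3, 0x00000008, 0x00000000, 0x000000A3, 0x00000008, 0x00000001,
      0x000000B0, 0x00000008, 0x0000013C, 0x000000B2, 0x000000A3, 0x00000009, 0x00000001, 0x000000A3, 0x00000009,
      0x00000002, 0x000000A3, 0x00000009, 0x00000003, 0x000000B0, 0x00000009, 0x0000009E, 0x000000B2, 0x000000A6,
      0x00000004, 0x00000016, 0x000000A3, 0x00000000, 0x00000004, 0x000000B0, 0x00000000, 0x00000379, 0x000000B2,
      0x000000A4, 0x00000005, 0x0000000B, 0x000000A1, 0x00000008, 0x00000005, 0x000000A3, 0x00000008, 0x00000006,
      0x000000B0,
      0x00000008, 0x00000026, 0x000000B2, 0x000000A3, 0x00000007, 0x00000006, 0x000000B0, 0x00000007, 0x00000060,
      0x000000B2, 0x000000A1, 0x00000009, 0x00000001, 0x000000A3, 0x00000009, 0x00000002, 0x000000A5, 0x00000009,
      0x00000005, 0x000000B0, 0x00000009, 0x0000006F, 0x000000B2, 0x000000A6, 0x00000005, 0x00000007, 0x000000A1,
      0x00000008, 0x00000000, 0x000000A5, 0x00000008, 0x00000006, 0x000000A3, 0x00000008, 0x00000005, 0x000000B0,
      0x00000008, 0x0000035B, 0x000000B2, 0x000000A3, 0x00000003, 0x00000004, 0x000000B0, 0x00000003, 0x000002C2,
      0x000000B2, 0x000000C0]

OP_JZ = 0xB2    # 178: one-word instruction, no operands
OP_EXIT = 0xC0  # 192: end of program

# Three-word instructions: opcode -> output template for (arg1, arg2).
# Even opcodes take an immediate as arg2, odd opcodes take a key[] index.
_THREE_WORD_FORMATS = {
    0xA0: "mov key[{0}] ,{1}",
    0xA1: "mov key[{0}] ,key[{1}]",
    0xA2: "add key[{0}] ,{1}",
    0xA3: "add key[{0}] ,key[{1}]",
    0xA4: "sub key[{0}] ,{1}",
    0xA5: "sub key[{0}] ,key[{1}]",
    0xA6: "mul key[{0}] ,{1}",
    0xA7: "mul key[{0}] ,key[{1}]",
    0xB0: "cmp key[{0}] ,{1}",
    0xB1: "cmp key[{0}] , key[{1}]",
}


def disassemble(program):
    """Return the VM program as a list of pseudo-assembly lines.

    Decoding stops at the first OP_EXIT word. The bytecode comes out of the
    binary under analysis, so it is treated as untrusted: a missing terminator
    or a truncated instruction raises ValueError instead of indexing past the
    end, and an unrecognised opcode is reported in the listing rather than
    skipped silently (a silent skip would hide a decoding desync).

    Raises:
        ValueError: if an instruction is cut short or no OP_EXIT is found.
    """
    lines = []
    pc = 0
    while pc < len(program):
        op = program[pc]
        if op == OP_EXIT:
            return lines
        if op == OP_JZ:
            lines.append("jz out")
            pc += 1
            continue
        template = _THREE_WORD_FORMATS.get(op)
        if template is None:
            # Keep the original three-word stride, but make the gap visible.
            lines.append("; unknown opcode 0x%X at word %d" % (op, pc))
        else:
            if pc + 2 >= len(program):
                raise ValueError("truncated instruction at word %d" % pc)
            lines.append(template.format(program[pc + 1], program[pc + 2]))
        pc += 3
    raise ValueError("program ends without the 0xC0 exit opcode")


for line in disassemble(vm):
    print(line)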

用z3得到key

from z3 import *
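# Solve for the key: eight unknowns, one equation per cmp in the VM program.
# The equations fold in the in-place updates the program makes before each
# comparison (the +132 on k[0], the *22 on k[4], the -11 and *7 on k[5]).
# NOTE(review): Int models unbounded integers; if the VM does fixed-width
# arithmetic, BitVec would be the faithful model. Confirm against the binary.
k = [Int("%d" % i) for i in range(8)]
constraints = [
    k[0] + k[1] + 132 == 316,
    k[1] + k[2] + k[3] == 158,
    k[0] + 132 + k[4] * 22 == 889,
    k[6] + k[5] - 11 == 38,
    k[6] + k[7] == 96,
    k[1] + k[2] - k[5] + 11 == 111,
    k[0] + 132 + k[4] * 22 - k[6] + (k[5] - 11) * 7 == 859,
    k[3] + k[4] * 22 == 706,
]
solver = Solver()
solver.add(constraints)
result = solver.check()
if result == sat:
    res = solver.model()
    print(res)
else:
    # Report unsat/unknown rather than exiting silently, so a mistake in the
    # transcribed constraints is noticed.
    print("no key found:", result)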

GFCTF2024
https://j1ya-22.github.io/2024/08/01/GFCTF2024/
作者
j1ya
发布于
2024年8月1日
许可协议