当前位置:网站首页>[buuctf.reverse] 142_ [SUCTF2019]babyunic
[buuctf.reverse] 142_ [SUCTF2019]babyunic
2022-06-29 20:08:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
Attached are 4 File ,run.sh It should be a startup file ,babyunic Is the main program ,func A parameter is the data file he processes
LD_PRELOAD=./un.so.1 ./babyunic funcTo open the first babyunic, For the input flag use func Run the program in to compare the results , Used in uc_xxx yes unicorn The function of is to simulate the instructions of another architecture func Inside is the program .
int __fastcall sub_CBA(const char *a1, __int64 a2, const char *a3)
{
size_t v3; // rax
int v5; // [rsp+20h] [rbp-30h] BYREF
int v6; // [rsp+24h] [rbp-2Ch] BYREF
int v7; // [rsp+28h] [rbp-28h] BYREF
int v8; // [rsp+2Ch] [rbp-24h] BYREF
__int64 v9; // [rsp+30h] [rbp-20h] BYREF
FILE *stream; // [rsp+38h] [rbp-18h]
void *ptr; // [rsp+40h] [rbp-10h]
unsigned __int64 v12; // [rsp+48h] [rbp-8h]
v12 = __readfsqword(0x28u);
stream = fopen(a3, "rb");
ptr = malloc(0x7100uLL);
fread(ptr, 1uLL, 0x7100uLL, stream); // Read in func file
v5 = 0x101FFFC0;
v6 = 0x101FFFC0;
v7 = 0x101FFB00;
v8 = 0x101FFA00;
uc_open(3LL, 1073741828LL, (__int64)&v9); // Unicorn-CPU Simulation framework MIPS 32 Big end
uc_mem_map(v9, 0x400000LL, 0x200000LL, 7LL); // http://kabeor.cn/Unicorn-CPU%E6%A8%A1%E6%8B%9F%E6%A1%86%E6%9E%B6%E6%95%B0%E6%8D%AE%E7%B1%BB%E5%9E%8B%E5%8F%8AAPI%E5%88%86%E6%9E%90%E4%B8%8E%E7%A4%BA%E4%BE%8B(%E4%B8%89)/#uc-reg-write
uc_mem_map(v9, 0x10000000LL, 0x200000LL, 7LL);
v3 = strlen(a1);
uc_mem_write(v9, 0x101FFB00LL, a1, v3); // @uc: uc_open() Handle returned
// @address: Write the starting address of the byte
// @bytes: Pointer to a pointer containing the data to be written to memory
// @size: Size of memory to be written .
// Be careful : @bytes Must be large enough to contain @size byte .
uc_mem_write(v9, 0x400000LL, ptr, 28928LL);
uc_reg_write(v9, 31LL, &v5); // @uc: uc_open() Handle returned
// @regid: Register to be modified ID
// @value: Pointer to the value to which the register will be modified
uc_reg_write(v9, 32LL, &v6);
uc_reg_write(v9, 7LL, &v8);
uc_reg_write(v9, 6LL, &v7);
uc_emu_start(v9, 0x400000LL, 0x40706CLL, 0LL, 0LL);// @uc: uc_open() Handle returned
// @begin: Start simulation address
// @until: Address of simulation stop ( When the address is reached )
// @timeout: Simulate the duration of the code ( In microseconds ). When the value is 0 when , The code will be simulated in infinite time , Until the code is complete .
// @count: Number of instructions to emulate . When the value is 0 when , All available code will be emulated , Until the code is complete
uc_mem_read(v9, 0x101FFA00LL, a2, 200LL);
uc_close(v9);
return fclose(stream);
}according to uc_open(3LL, 0x40000004LL, (__int64)&v9); Parameters of , check python Of unicorn Library query definitions
C:\Python\Lib\site-packages\unicorn\unicorn_const.pyThe resulting architecture is MIPS 32 Big end
UC_ARCH_MIPS = 3 # <---- Code CPU framework
UC_MODE_BIG_ENDIAN = 1073741824 # Big end
UC_MODE_MIPS32 = 4 #32 position Once you know the architecture, you can use ida open func The file , First in the compilation c Turn it into code and create the function header , Then you can f5 了
There are a lot of programs , But the content is simple , First, then 5 front 3 Bit exchange and sequence number XOR . Then there are simple character by character addition and subtraction
for ( i = 0; a1[i]; ++i )
;
for ( j = 0; j < i; ++j )
a1[j] = ((8 * a1[j]) | (a1[j] >> 5)) ^ j; // after 5+ front 3 Exclusive or Serial number
v2 = *a1
+ a1[1] + a1[2] - a1[3] + a1[4] - a1[5] - a1[6] - a1[7] - a1[8] + a1[9] + a1[10]
- a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] + a1[19] - a1[20]
+ a1[21] + a1[22] + a1[23] + a1[24] - a1[25] + a1[26] - a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
*a2 = v2 + a1[32] - a1[33] + a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41];
Copy this program and make a batch replacement first , cause to become z3 Processing style , Then the result will come out
# -*- coding: UTF-8 -*-
#unicorn Simulation framework
#uc_open(3LL, 0x40000004LL, (__int64)&v9);
##C:\Python\Lib\site-packages\unicorn\unicorn_const.py
#UC_ARCH_MIPS = 3 <---- Code CPU framework
#UC_MODE_BIG_ENDIAN = 1073741824 Big end ,32 position
#UC_MODE_MIPS32 = 4
# use ida open func file ,CPU Architecture first MIPS /big endian / 32 position
# Open and assemble c Convert to code g Create a function and f5 Decompile
#
#
#1 Encryption preprocessing
# for ( j = 0; j < i; ++j )a1[j] = ((8 * a1[j]) | (a1[j] >> 5)) ^ j; // after 5+ front 3 Exclusive or Serial number
from z3 import *
from pwn import u32
data = open('./babyunic/babyunic', 'rb').read()
a2 = [0]*42
for i in range(42):
v = u32(data[0x2020+ i*4: 0x2020+ i*4 + 4][::-1]) # Big end 32 position
if v&0x80000000 != 0:
v = v - 0x100000000
a2[i] = v
print(a2)
a1 = [Int(f'a1_{i}') for i in range(42)]
s= Solver()
v2 = a1[0] + a1[1] + a1[2] - a1[3] + a1[4] - a1[5] - a1[6] - a1[7] - a1[8] + a1[9] + a1[10] - a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] + a1[19] - a1[20] + a1[21] + a1[22] + a1[23] + a1[24] - a1[25] + a1[26] - a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[0] == v2 + a1[32] - a1[33] + a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v3 = a1[0] - a1[1] + a1[2] - a1[3] - a1[4] + a1[5] - a1[6] - a1[7] - a1[8] - a1[9] + a1[10] - a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] - a1[19] + a1[20] + a1[21] - a1[22] - a1[23] - a1[24] + a1[25] - a1[26] + a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[1] == v3 + a1[32] + a1[33] + a1[34] + a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
v4 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] + a1[5] - a1[6] - a1[7] + a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] + a1[14] - a1[15] - a1[16] + a1[17] + a1[18] + a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] + a1[25] + a1[26] - a1[27] + a1[28] - a1[29] + a1[30] - a1[31];
s.add(a2[2] == v4 + a1[32] + a1[33] - a1[34] - a1[35] + a1[36] + a1[37] + a1[38] - a1[39] + a1[40] - a1[41])
v5 = a1[0] - a1[1] - a1[2] - a1[3] - a1[4] - a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] - a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] - a1[21] + a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[3] == v5 - a1[32] - a1[33] + a1[34] - a1[35] + a1[36] + a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v6 = a1[0] - a1[1] - a1[2] + a1[3] - a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] - a1[10] + a1[11] + a1[12] - a1[13] + a1[14] - a1[15] + a1[16] + a1[17] - a1[18] + a1[19] - a1[20] + a1[21] - a1[22] - a1[23] - a1[24] + a1[25] - a1[26] - a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[4] == v6 - a1[32] + a1[33] - a1[34] - a1[35] + a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v7 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] + a1[5] + a1[6] + a1[7] + a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] - a1[14] + a1[15] - a1[16] + a1[17] - a1[18] + a1[19] + a1[20] - a1[21] + a1[22] - a1[23] + a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] - a1[30] + a1[31];
s.add(a2[5] == v7 + a1[32] + a1[33] - a1[34] - a1[35] - a1[36] + a1[37] - a1[38] - a1[39] + a1[40] + a1[41])
v8 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] - a1[10] + a1[11] + a1[12] - a1[13] + a1[14] + a1[15] + a1[16] + a1[17] - a1[18] - a1[19] - a1[20] - a1[21] - a1[22] - a1[23] + a1[24] + a1[25] - a1[26] + a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[6] == v8 - a1[32] - a1[33] - a1[34] - a1[35] + a1[36] + a1[37] - a1[38] - a1[39] + a1[40] - a1[41])
v9 = a1[0] + a1[1] - a1[2] - a1[3] - a1[4] + a1[5] + a1[6] - a1[7] + a1[8] + a1[9] - a1[10] + a1[11] - a1[12] + a1[13] - a1[14] + a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] + a1[25] - a1[26] + a1[27] + a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[7] == v9 + a1[32] - a1[33] + a1[34] - a1[35] + a1[36] + a1[37] + a1[38] + a1[39] - a1[40] - a1[41])
v10 = a1[0] - a1[1] - a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] + a1[10] - a1[11] - a1[12] + a1[13] - a1[14] + a1[15] + a1[16] + a1[17] + a1[18] - a1[19] + a1[20] + a1[21] - a1[22] - a1[23] + a1[24] + a1[25] + a1[26] - a1[27] + a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[8] == v10 - a1[32] - a1[33] + a1[34] - a1[35] - a1[36] + a1[37] - a1[38] - a1[39] + a1[40] - a1[41])
v11 = a1[0] + a1[1] + a1[2] - a1[3] + a1[4] + a1[5] + a1[6] - a1[7] - a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] + a1[15] + a1[16] - a1[17] - a1[18] + a1[19] + a1[20] - a1[21] - a1[22] - a1[23] + a1[24] - a1[25] - a1[26] - a1[27] + a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[9] == v11 + a1[32] + a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v12 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] - a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] + a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] - a1[25] + a1[26] - a1[27] - a1[28] + a1[29] - a1[30] + a1[31];
s.add(a2[10] == v12 + a1[32] - a1[33] - a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v13 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] - a1[8] + a1[9] + a1[10] - a1[11] - a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] - a1[18] + a1[19] + a1[20] - a1[21] + a1[22] - a1[23] + a1[24] + a1[25] + a1[26] + a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[11] == v13 - a1[32] - a1[33] - a1[34] - a1[35] + a1[36] + a1[37] - a1[38] - a1[39] - a1[40] - a1[41])
v14 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] - a1[5] - a1[6] + a1[7] + a1[8] - a1[9] + a1[10] - a1[11] - a1[12] - a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] - a1[19] - a1[20] - a1[21] - a1[22] + a1[23] - a1[24] + a1[25] - a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[12] == v14 + a1[32] + a1[33] + a1[34] - a1[35] - a1[36] - a1[37] - a1[38] + a1[39] - a1[40] - a1[41])
v15 = a1[0] - a1[1] + a1[2] - a1[3] + a1[4] - a1[5] + a1[6] - a1[7] + a1[8] - a1[9] + a1[10] - a1[11] + a1[12] + a1[13] + a1[14] + a1[15] - a1[16] - a1[17] - a1[18] + a1[19] + a1[20] + a1[21] - a1[22] - a1[23] + a1[24] + a1[25] - a1[26] - a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[13] == v15 - a1[32] + a1[33] - a1[34] - a1[35] + a1[36] - a1[37] - a1[38] - a1[39] + a1[40] - a1[41])
v16 = a1[0] + a1[1] + a1[2] - a1[3] - a1[4] - a1[5] + a1[6] - a1[7] + a1[8] + a1[9] + a1[10] - a1[11] + a1[12] - a1[13] - a1[14] + a1[15] + a1[16] + a1[17] - a1[18] - a1[19] - a1[20] - a1[21] + a1[22] + a1[23] + a1[24] - a1[25] + a1[26] + a1[27] + a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[14] == v16 + a1[32] + a1[33] + a1[34] + a1[35] + a1[36] + a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v17 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] + a1[5] - a1[6] + a1[7] - a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] - a1[15] - a1[16] + a1[17] - a1[18] - a1[19] - a1[20] - a1[21] + a1[22] + a1[23] + a1[24] + a1[25] + a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[15] == v17 + a1[32] - a1[33] + a1[34] + a1[35] + a1[36] + a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v18 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] + a1[10] - a1[11] + a1[12] - a1[13] + a1[14] + a1[15] + a1[16] - a1[17] + a1[18] - a1[19] + a1[20] - a1[21] - a1[22] - a1[23] - a1[24] - a1[25] + a1[26] + a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[16] == v18 + a1[32] - a1[33] - a1[34] + a1[35] - a1[36] + a1[37] - a1[38] + a1[39] - a1[40] + a1[41])
v19 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] + a1[8] - a1[9] - a1[10] + a1[11] - a1[12] + a1[13] + a1[14] + a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] + a1[25] - a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[17] == v19 + a1[32] - a1[33] - a1[34] + a1[35] - a1[36] + a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v20 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] + a1[5] - a1[6] + a1[7] - a1[8] + a1[9] + a1[10] - a1[11] - a1[12] - a1[13] + a1[14] - a1[15] - a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] - a1[22] - a1[23] - a1[24] - a1[25] - a1[26] - a1[27] + a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[18] == v20 - a1[32] - a1[33] + a1[34] - a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
v21 = a1[0] + a1[1] + a1[2] + a1[3] - a1[4] - a1[5] + a1[6] - a1[7] - a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] + a1[14] + a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[19] == v21 + a1[32] + a1[33] - a1[34] + a1[35] - a1[36] - a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v22 = a1[0] + a1[1] - a1[2] - a1[3] - a1[4] + a1[5] - a1[6] + a1[7] - a1[8] - a1[9] + a1[10] + a1[11] - a1[12] - a1[13] + a1[14] - a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] - a1[25] - a1[26] - a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[20] == v22 - a1[32] + a1[33] - a1[34] + a1[35] + a1[36] - a1[37] + a1[38] - a1[39] + a1[40] - a1[41])
v23 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] + a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] - a1[14] - a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[21] == v23 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] + a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
v24 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] + a1[5] + a1[6] + a1[7] - a1[8] + a1[9] - a1[10] + a1[11] - a1[12] + a1[13] + a1[14] + a1[15] - a1[16] + a1[17] + a1[18] - a1[19] - a1[20] + a1[21] + a1[22] - a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[22] == v24 - a1[32] + a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v25 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] - a1[5] - a1[6] - a1[7] + a1[8] - a1[9] - a1[10] + a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] + a1[19] - a1[20] - a1[21] + a1[22] - a1[23] + a1[24] + a1[25] - a1[26] + a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[23] == v25 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v26 = a1[0] + a1[1] - a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] - a1[8] + a1[9] + a1[10] - a1[11] - a1[12] - a1[13] - a1[14] + a1[15] + a1[16] + a1[17] - a1[18] + a1[19] + a1[20] + a1[21] + a1[22] + a1[23] + a1[24] + a1[25] - a1[26] - a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[24] == v26 + a1[32] + a1[33] + a1[34] - a1[35] - a1[36] - a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v27 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] + a1[5] + a1[6] - a1[7] + a1[8] + a1[9] + a1[10] - a1[11] - a1[12] + a1[13] - a1[14] + a1[15] - a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] + a1[22] + a1[23] - a1[24] - a1[25] + a1[26] - a1[27] + a1[28] - a1[29] + a1[30] - a1[31];
s.add(a2[25] == v27 - a1[32] + a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v28 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] - a1[5] - a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] - a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] - a1[19] - a1[20] + a1[21] + a1[22] + a1[23] + a1[24] + a1[25] - a1[26] - a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[26] == v28 - a1[32] - a1[33] - a1[34] + a1[35] + a1[36] - a1[37] - a1[38] + a1[39] + a1[40] + a1[41])
v29 = a1[0] - a1[1] + a1[2] - a1[3] + a1[4] - a1[5] - a1[6] - a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] + a1[13] - a1[14] + a1[15] + a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] - a1[22] - a1[23] + a1[24] + a1[25] + a1[26] - a1[27] + a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[27] == v29 - a1[32] - a1[33] - a1[34] + a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] - a1[41])
v30 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] - a1[8] - a1[9] + a1[10] + a1[11] - a1[12] + a1[13] - a1[14] + a1[15] - a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] + a1[22] - a1[23] - a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] - a1[30] + a1[31];
s.add(a2[28] == v30 - a1[32] - a1[33] + a1[34] + a1[35] + a1[36] - a1[37] - a1[38] + a1[39] + a1[40] + a1[41])
v31 = a1[0] + a1[1] - a1[2] - a1[3] - a1[4] + a1[5] + a1[6] + a1[7] - a1[8] + a1[9] - a1[10] - a1[11] + a1[12] - a1[13] + a1[14] + a1[15] - a1[16] + a1[17] + a1[18] - a1[19] + a1[20] + a1[21] + a1[22] + a1[23] - a1[24] + a1[25] + a1[26] - a1[27] + a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[29] == v31 + a1[32] - a1[33] - a1[34] + a1[35] + a1[36] - a1[37] + a1[38] + a1[39] - a1[40] + a1[41])
v32 = a1[0] + a1[1] + a1[2] + a1[3] - a1[4] - a1[5] - a1[6] - a1[7] + a1[8] + a1[9] - a1[10] - a1[11] - a1[12] + a1[13] - a1[14] - a1[15] + a1[16] - a1[17] - a1[18] - a1[19] + a1[20] - a1[21] - a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[30] == v32 - a1[32] - a1[33] - a1[34] + a1[35] + a1[36] + a1[37] - a1[38] + a1[39] + a1[40] + a1[41])
v33 = a1[0] + a1[1] - a1[2] + a1[3] + a1[4] - a1[5] - a1[6] + a1[7] + a1[8] + a1[9] + a1[10] + a1[11] + a1[12] - a1[13] - a1[14] - a1[15] + a1[16] + a1[17] + a1[18] + a1[19] - a1[20] + a1[21] - a1[22] + a1[23] - a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[31] == v33 - a1[32] + a1[33] - a1[34] + a1[35] - a1[36] + a1[37] - a1[38] + a1[39] - a1[40] - a1[41])
v34 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] + a1[5] + a1[6] + a1[7] + a1[8] - a1[9] + a1[10] + a1[11] - a1[12] + a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] - a1[21] - a1[22] + a1[23] - a1[24] + a1[25] + a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[32] == v34 - a1[32] - a1[33] + a1[34] + a1[35] + a1[36] + a1[37] - a1[38] + a1[39] - a1[40] + a1[41])
v35 = a1[0] - a1[1] - a1[2] + a1[3] + a1[4] + a1[5] + a1[6] - a1[7] - a1[8] + a1[9] + a1[10] + a1[11] - a1[12] - a1[13] + a1[14] + a1[15] - a1[16] + a1[17] - a1[18] + a1[19] - a1[20] + a1[21] + a1[22] + a1[23] - a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[33] == v35 - a1[32] - a1[33] - a1[34] - a1[35] + a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v36 = a1[0] + a1[1] - a1[2] + a1[3] - a1[4] - a1[5] - a1[6] + a1[7] + a1[8] + a1[9] + a1[10] + a1[11] - a1[12] - a1[13] - a1[14] + a1[15] - a1[16] + a1[17] - a1[18] + a1[19] - a1[20] - a1[21] + a1[22] + a1[23] - a1[24] - a1[25] + a1[26] + a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[34] == v36 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] + a1[37] + a1[38] + a1[39] - a1[40] - a1[41])
v37 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] - a1[6] + a1[7] + a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] - a1[20] - a1[21] - a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] + a1[28] - a1[29] - a1[30] + a1[31];
s.add(a2[35] == v37 + a1[32] - a1[33] + a1[34] + a1[35] + a1[36] + a1[37] + a1[38] + a1[39] - a1[40] - a1[41])
v38 = a1[0] + a1[1] + a1[2] - a1[3] - a1[4] - a1[5] - a1[6] + a1[7] + a1[8] + a1[9] - a1[10] + a1[11] + a1[12] - a1[13] + a1[14] + a1[15] + a1[16] + a1[17] + a1[18] + a1[19] + a1[20] + a1[21] - a1[22] - a1[23] + a1[24] - a1[25] - a1[26] - a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[36] == v38 + a1[32] - a1[33] - a1[34] - a1[35] - a1[36] + a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v39 = a1[0] - a1[1] - a1[2] + a1[3] - a1[4] + a1[5] - a1[6] - a1[7] - a1[8] - a1[9] + a1[10] - a1[11] - a1[12] - a1[13] - a1[14] - a1[15] - a1[16] + a1[17] + a1[18] - a1[19] - a1[20] - a1[21] + a1[22] - a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[37] == v39 - a1[32] + a1[33] - a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v40 = a1[0] + a1[1] + a1[2] + a1[3] - a1[4] + a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] - a1[15] - a1[16] - a1[17] - a1[18] - a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] + a1[25] + a1[26] + a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[38] == v40 - a1[32] - a1[33] + a1[34] - a1[35] - a1[36] - a1[37] + a1[38] + a1[39] + a1[40] - a1[41])
v41 = a1[0] - a1[1] - a1[2] - a1[3] - a1[4] + a1[5] - a1[6] - a1[7] - a1[8] + a1[9] - a1[10] + a1[11] - a1[12] + a1[13] + a1[14] - a1[15] - a1[16] - a1[17] + a1[18] + a1[19] + a1[20] + a1[21] + a1[22] - a1[23] + a1[24] + a1[25] + a1[26] + a1[27] + a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[39] == v41 + a1[32] + a1[33] + a1[34] - a1[35] - a1[36] + a1[37] + a1[38] + a1[39] - a1[40] + a1[41])
v42 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] + a1[5] + a1[6] - a1[7] + a1[8] + a1[9] - a1[10] + a1[11] - a1[12] - a1[13] - a1[14] + a1[15] + a1[16] + a1[17] + a1[18] + a1[19] + a1[20] + a1[21] + a1[22] - a1[23] + a1[24] + a1[25] - a1[26] + a1[27] + a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[40] == v42 + a1[32] - a1[33] - a1[34] + a1[35] + a1[36] - a1[37] + a1[38] + a1[39] + a1[40] + a1[41])
v44 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] + a1[5] + a1[6] - a1[7] - a1[8] - a1[9] + a1[10] + a1[11] - a1[12] + a1[13] - a1[14] - a1[15] - a1[16] - a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] + a1[25] + a1[26] + a1[27] + a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[41] == v44 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
s.check()
d = s.model()
print(d)
b =[0]*42
for i in range(42):
v = d[a1[i]].as_long()^i
b[i] = ((v>>3)|((v<<5)&0xff))
print(b)
print(bytes(b))
#SUCTF{[email protected]_P0wer7ul_TO0ls!}
#flag{[email protected]_P0wer7ul_TO0ls!}边栏推荐
- What is a database? Database detailed notes! Take you into the database ~ you want to know everything here!
- Snowflake ID, distributed unique ID
- Flume configuration 1 - basic case
- Flume配置2——监控之Ganglia
- 剑指 Offer 59 - II. 队列的最大值
- Koa source code analysis
- XSS漏洞
- Flume-ng配置
- Flume configuration 2 - ganglia for monitoring
- Summary of swift optional values
猜你喜欢
![[USB flash disk test] in order to transfer the data at the bottom of the pressure box, I bought a 2T USB flash disk, and the test result is only 47g~](/img/c3/e0637385d35943f1914477bb9f2b54.png)
[USB flash disk test] in order to transfer the data at the bottom of the pressure box, I bought a 2T USB flash disk, and the test result is only 47g~
Deficiencies and optimization schemes in Dao
lock4j--分布式锁中间件--自定义获取锁失败的逻辑
Koa 源码剖析
Flume配置4——自定义Source+Sink
data link layer
Flume configuration 4 - Custom source+sink
苹果iPhone手机升级系统内存空间变小不够如何解决?
The list of winners in the classic Smurfs of childhood: bluedad's digital collection was announced
![[network orientation training] - Enterprise Park Network Design - [had done]](/img/12/17f95378fcc6d0fef15feb99cc4f49.png)
[network orientation training] - Enterprise Park Network Design - [had done]
随机推荐
【Try to Hack】vulnhub narak
A keepalived high availability accident made me learn it again!
Flume配置4——自定义Source+Sink
SSH command and instructions
Dynamics crm: among locally deployed servers, sandbox, unzip, VSS, asynchronous and monitor services
thinkphp5中的配置如何使用
Luoqingqi: has high-end household appliances become a red sea? Casati took the lead in breaking the game
Withdrawal of user curve in qualified currency means loss
通过MeterSphere和DataEase实现项目Bug处理进展实时跟进
Linux安装MySQL5
[compilation principle] syntax analysis
MySQL remote connection
How to use the configuration in thinkphp5
XSS vulnerability
Sword finger offer 59 - I. maximum value of sliding window
Oracle11.2.0.4-rac cluster hang analysis record
Linux安装MySQL8
画虎国手孟祥顺数字藏品限量发售,随赠虎年茅台
社区访谈丨一个IT新人眼中的JumpServer开源堡垒机
【剑指Offer】51. 数组中的逆序对