当前位置:网站首页>[buuctf.reverse] 142_ [SUCTF2019]babyunic
[buuctf.reverse] 142_ [SUCTF2019]babyunic
2022-06-29 20:08:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
Attached are 4 File ,run.sh It should be a startup file ,babyunic Is the main program ,func A parameter is the data file he processes
LD_PRELOAD=./un.so.1 ./babyunic funcTo open the first babyunic, For the input flag use func Run the program in to compare the results , Used in uc_xxx yes unicorn The function of is to simulate the instructions of another architecture func Inside is the program .
int __fastcall sub_CBA(const char *a1, __int64 a2, const char *a3)
{
size_t v3; // rax
int v5; // [rsp+20h] [rbp-30h] BYREF
int v6; // [rsp+24h] [rbp-2Ch] BYREF
int v7; // [rsp+28h] [rbp-28h] BYREF
int v8; // [rsp+2Ch] [rbp-24h] BYREF
__int64 v9; // [rsp+30h] [rbp-20h] BYREF
FILE *stream; // [rsp+38h] [rbp-18h]
void *ptr; // [rsp+40h] [rbp-10h]
unsigned __int64 v12; // [rsp+48h] [rbp-8h]
v12 = __readfsqword(0x28u);
stream = fopen(a3, "rb");
ptr = malloc(0x7100uLL);
fread(ptr, 1uLL, 0x7100uLL, stream); // Read in func file
v5 = 0x101FFFC0;
v6 = 0x101FFFC0;
v7 = 0x101FFB00;
v8 = 0x101FFA00;
uc_open(3LL, 1073741828LL, (__int64)&v9); // Unicorn-CPU Simulation framework MIPS 32 Big end
uc_mem_map(v9, 0x400000LL, 0x200000LL, 7LL); // http://kabeor.cn/Unicorn-CPU%E6%A8%A1%E6%8B%9F%E6%A1%86%E6%9E%B6%E6%95%B0%E6%8D%AE%E7%B1%BB%E5%9E%8B%E5%8F%8AAPI%E5%88%86%E6%9E%90%E4%B8%8E%E7%A4%BA%E4%BE%8B(%E4%B8%89)/#uc-reg-write
uc_mem_map(v9, 0x10000000LL, 0x200000LL, 7LL);
v3 = strlen(a1);
uc_mem_write(v9, 0x101FFB00LL, a1, v3); // @uc: uc_open() Handle returned
// @address: Write the starting address of the byte
// @bytes: Pointer to a pointer containing the data to be written to memory
// @size: Size of memory to be written .
// Be careful : @bytes Must be large enough to contain @size byte .
uc_mem_write(v9, 0x400000LL, ptr, 28928LL);
uc_reg_write(v9, 31LL, &v5); // @uc: uc_open() Handle returned
// @regid: Register to be modified ID
// @value: Pointer to the value to which the register will be modified
uc_reg_write(v9, 32LL, &v6);
uc_reg_write(v9, 7LL, &v8);
uc_reg_write(v9, 6LL, &v7);
uc_emu_start(v9, 0x400000LL, 0x40706CLL, 0LL, 0LL);// @uc: uc_open() Handle returned
// @begin: Start simulation address
// @until: Address of simulation stop ( When the address is reached )
// @timeout: Simulate the duration of the code ( In microseconds ). When the value is 0 when , The code will be simulated in infinite time , Until the code is complete .
// @count: Number of instructions to emulate . When the value is 0 when , All available code will be emulated , Until the code is complete
uc_mem_read(v9, 0x101FFA00LL, a2, 200LL);
uc_close(v9);
return fclose(stream);
}according to uc_open(3LL, 0x40000004LL, (__int64)&v9); Parameters of , check python Of unicorn Library query definitions
C:\Python\Lib\site-packages\unicorn\unicorn_const.pyThe resulting architecture is MIPS 32 Big end
UC_ARCH_MIPS = 3 # <---- Code CPU framework
UC_MODE_BIG_ENDIAN = 1073741824 # Big end
UC_MODE_MIPS32 = 4 #32 position Once you know the architecture, you can use ida open func The file , First in the compilation c Turn it into code and create the function header , Then you can f5 了
There are a lot of programs , But the content is simple , First, then 5 front 3 Bit exchange and sequence number XOR . Then there are simple character by character addition and subtraction
for ( i = 0; a1[i]; ++i )
;
for ( j = 0; j < i; ++j )
a1[j] = ((8 * a1[j]) | (a1[j] >> 5)) ^ j; // after 5+ front 3 Exclusive or Serial number
v2 = *a1
+ a1[1] + a1[2] - a1[3] + a1[4] - a1[5] - a1[6] - a1[7] - a1[8] + a1[9] + a1[10]
- a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] + a1[19] - a1[20]
+ a1[21] + a1[22] + a1[23] + a1[24] - a1[25] + a1[26] - a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
*a2 = v2 + a1[32] - a1[33] + a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41];
Copy this program and make a batch replacement first , cause to become z3 Processing style , Then the result will come out
# -*- coding: UTF-8 -*-
#unicorn Simulation framework
#uc_open(3LL, 0x40000004LL, (__int64)&v9);
##C:\Python\Lib\site-packages\unicorn\unicorn_const.py
#UC_ARCH_MIPS = 3 <---- Code CPU framework
#UC_MODE_BIG_ENDIAN = 1073741824 Big end ,32 position
#UC_MODE_MIPS32 = 4
# use ida open func file ,CPU Architecture first MIPS /big endian / 32 position
# Open and assemble c Convert to code g Create a function and f5 Decompile
#
#
#1 Encryption preprocessing
# for ( j = 0; j < i; ++j )a1[j] = ((8 * a1[j]) | (a1[j] >> 5)) ^ j; // after 5+ front 3 Exclusive or Serial number
from z3 import *
from pwn import u32
data = open('./babyunic/babyunic', 'rb').read()
a2 = [0]*42
for i in range(42):
v = u32(data[0x2020+ i*4: 0x2020+ i*4 + 4][::-1]) # Big end 32 position
if v&0x80000000 != 0:
v = v - 0x100000000
a2[i] = v
print(a2)
a1 = [Int(f'a1_{i}') for i in range(42)]
s= Solver()
v2 = a1[0] + a1[1] + a1[2] - a1[3] + a1[4] - a1[5] - a1[6] - a1[7] - a1[8] + a1[9] + a1[10] - a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] + a1[19] - a1[20] + a1[21] + a1[22] + a1[23] + a1[24] - a1[25] + a1[26] - a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[0] == v2 + a1[32] - a1[33] + a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v3 = a1[0] - a1[1] + a1[2] - a1[3] - a1[4] + a1[5] - a1[6] - a1[7] - a1[8] - a1[9] + a1[10] - a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] - a1[19] + a1[20] + a1[21] - a1[22] - a1[23] - a1[24] + a1[25] - a1[26] + a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[1] == v3 + a1[32] + a1[33] + a1[34] + a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
v4 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] + a1[5] - a1[6] - a1[7] + a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] + a1[14] - a1[15] - a1[16] + a1[17] + a1[18] + a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] + a1[25] + a1[26] - a1[27] + a1[28] - a1[29] + a1[30] - a1[31];
s.add(a2[2] == v4 + a1[32] + a1[33] - a1[34] - a1[35] + a1[36] + a1[37] + a1[38] - a1[39] + a1[40] - a1[41])
v5 = a1[0] - a1[1] - a1[2] - a1[3] - a1[4] - a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] - a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] - a1[21] + a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[3] == v5 - a1[32] - a1[33] + a1[34] - a1[35] + a1[36] + a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v6 = a1[0] - a1[1] - a1[2] + a1[3] - a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] - a1[10] + a1[11] + a1[12] - a1[13] + a1[14] - a1[15] + a1[16] + a1[17] - a1[18] + a1[19] - a1[20] + a1[21] - a1[22] - a1[23] - a1[24] + a1[25] - a1[26] - a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[4] == v6 - a1[32] + a1[33] - a1[34] - a1[35] + a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v7 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] + a1[5] + a1[6] + a1[7] + a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] - a1[14] + a1[15] - a1[16] + a1[17] - a1[18] + a1[19] + a1[20] - a1[21] + a1[22] - a1[23] + a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] - a1[30] + a1[31];
s.add(a2[5] == v7 + a1[32] + a1[33] - a1[34] - a1[35] - a1[36] + a1[37] - a1[38] - a1[39] + a1[40] + a1[41])
v8 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] - a1[10] + a1[11] + a1[12] - a1[13] + a1[14] + a1[15] + a1[16] + a1[17] - a1[18] - a1[19] - a1[20] - a1[21] - a1[22] - a1[23] + a1[24] + a1[25] - a1[26] + a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[6] == v8 - a1[32] - a1[33] - a1[34] - a1[35] + a1[36] + a1[37] - a1[38] - a1[39] + a1[40] - a1[41])
v9 = a1[0] + a1[1] - a1[2] - a1[3] - a1[4] + a1[5] + a1[6] - a1[7] + a1[8] + a1[9] - a1[10] + a1[11] - a1[12] + a1[13] - a1[14] + a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] + a1[25] - a1[26] + a1[27] + a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[7] == v9 + a1[32] - a1[33] + a1[34] - a1[35] + a1[36] + a1[37] + a1[38] + a1[39] - a1[40] - a1[41])
v10 = a1[0] - a1[1] - a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] + a1[10] - a1[11] - a1[12] + a1[13] - a1[14] + a1[15] + a1[16] + a1[17] + a1[18] - a1[19] + a1[20] + a1[21] - a1[22] - a1[23] + a1[24] + a1[25] + a1[26] - a1[27] + a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[8] == v10 - a1[32] - a1[33] + a1[34] - a1[35] - a1[36] + a1[37] - a1[38] - a1[39] + a1[40] - a1[41])
v11 = a1[0] + a1[1] + a1[2] - a1[3] + a1[4] + a1[5] + a1[6] - a1[7] - a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] + a1[15] + a1[16] - a1[17] - a1[18] + a1[19] + a1[20] - a1[21] - a1[22] - a1[23] + a1[24] - a1[25] - a1[26] - a1[27] + a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[9] == v11 + a1[32] + a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v12 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] - a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] + a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] - a1[25] + a1[26] - a1[27] - a1[28] + a1[29] - a1[30] + a1[31];
s.add(a2[10] == v12 + a1[32] - a1[33] - a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v13 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] - a1[8] + a1[9] + a1[10] - a1[11] - a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] - a1[18] + a1[19] + a1[20] - a1[21] + a1[22] - a1[23] + a1[24] + a1[25] + a1[26] + a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[11] == v13 - a1[32] - a1[33] - a1[34] - a1[35] + a1[36] + a1[37] - a1[38] - a1[39] - a1[40] - a1[41])
v14 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] - a1[5] - a1[6] + a1[7] + a1[8] - a1[9] + a1[10] - a1[11] - a1[12] - a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] - a1[19] - a1[20] - a1[21] - a1[22] + a1[23] - a1[24] + a1[25] - a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[12] == v14 + a1[32] + a1[33] + a1[34] - a1[35] - a1[36] - a1[37] - a1[38] + a1[39] - a1[40] - a1[41])
v15 = a1[0] - a1[1] + a1[2] - a1[3] + a1[4] - a1[5] + a1[6] - a1[7] + a1[8] - a1[9] + a1[10] - a1[11] + a1[12] + a1[13] + a1[14] + a1[15] - a1[16] - a1[17] - a1[18] + a1[19] + a1[20] + a1[21] - a1[22] - a1[23] + a1[24] + a1[25] - a1[26] - a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[13] == v15 - a1[32] + a1[33] - a1[34] - a1[35] + a1[36] - a1[37] - a1[38] - a1[39] + a1[40] - a1[41])
v16 = a1[0] + a1[1] + a1[2] - a1[3] - a1[4] - a1[5] + a1[6] - a1[7] + a1[8] + a1[9] + a1[10] - a1[11] + a1[12] - a1[13] - a1[14] + a1[15] + a1[16] + a1[17] - a1[18] - a1[19] - a1[20] - a1[21] + a1[22] + a1[23] + a1[24] - a1[25] + a1[26] + a1[27] + a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[14] == v16 + a1[32] + a1[33] + a1[34] + a1[35] + a1[36] + a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v17 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] + a1[5] - a1[6] + a1[7] - a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] - a1[15] - a1[16] + a1[17] - a1[18] - a1[19] - a1[20] - a1[21] + a1[22] + a1[23] + a1[24] + a1[25] + a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[15] == v17 + a1[32] - a1[33] + a1[34] + a1[35] + a1[36] + a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v18 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] - a1[5] + a1[6] + a1[7] + a1[8] + a1[9] + a1[10] - a1[11] + a1[12] - a1[13] + a1[14] + a1[15] + a1[16] - a1[17] + a1[18] - a1[19] + a1[20] - a1[21] - a1[22] - a1[23] - a1[24] - a1[25] + a1[26] + a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[16] == v18 + a1[32] - a1[33] - a1[34] + a1[35] - a1[36] + a1[37] - a1[38] + a1[39] - a1[40] + a1[41])
v19 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] + a1[8] - a1[9] - a1[10] + a1[11] - a1[12] + a1[13] + a1[14] + a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] + a1[25] - a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[17] == v19 + a1[32] - a1[33] - a1[34] + a1[35] - a1[36] + a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v20 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] + a1[5] - a1[6] + a1[7] - a1[8] + a1[9] + a1[10] - a1[11] - a1[12] - a1[13] + a1[14] - a1[15] - a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] - a1[22] - a1[23] - a1[24] - a1[25] - a1[26] - a1[27] + a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[18] == v20 - a1[32] - a1[33] + a1[34] - a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
v21 = a1[0] + a1[1] + a1[2] + a1[3] - a1[4] - a1[5] + a1[6] - a1[7] - a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] + a1[14] + a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[19] == v21 + a1[32] + a1[33] - a1[34] + a1[35] - a1[36] - a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v22 = a1[0] + a1[1] - a1[2] - a1[3] - a1[4] + a1[5] - a1[6] + a1[7] - a1[8] - a1[9] + a1[10] + a1[11] - a1[12] - a1[13] + a1[14] - a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] - a1[25] - a1[26] - a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[20] == v22 - a1[32] + a1[33] - a1[34] + a1[35] + a1[36] - a1[37] + a1[38] - a1[39] + a1[40] - a1[41])
v23 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] + a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] - a1[12] - a1[13] - a1[14] - a1[15] - a1[16] + a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[21] == v23 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] + a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
v24 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] + a1[5] + a1[6] + a1[7] - a1[8] + a1[9] - a1[10] + a1[11] - a1[12] + a1[13] + a1[14] + a1[15] - a1[16] + a1[17] + a1[18] - a1[19] - a1[20] + a1[21] + a1[22] - a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[22] == v24 - a1[32] + a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v25 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] - a1[5] - a1[6] - a1[7] + a1[8] - a1[9] - a1[10] + a1[11] + a1[12] - a1[13] - a1[14] + a1[15] - a1[16] - a1[17] + a1[18] + a1[19] - a1[20] - a1[21] + a1[22] - a1[23] + a1[24] + a1[25] - a1[26] + a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[23] == v25 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v26 = a1[0] + a1[1] - a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] - a1[8] + a1[9] + a1[10] - a1[11] - a1[12] - a1[13] - a1[14] + a1[15] + a1[16] + a1[17] - a1[18] + a1[19] + a1[20] + a1[21] + a1[22] + a1[23] + a1[24] + a1[25] - a1[26] - a1[27] - a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[24] == v26 + a1[32] + a1[33] + a1[34] - a1[35] - a1[36] - a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v27 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] + a1[5] + a1[6] - a1[7] + a1[8] + a1[9] + a1[10] - a1[11] - a1[12] + a1[13] - a1[14] + a1[15] - a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] + a1[22] + a1[23] - a1[24] - a1[25] + a1[26] - a1[27] + a1[28] - a1[29] + a1[30] - a1[31];
s.add(a2[25] == v27 - a1[32] + a1[33] - a1[34] - a1[35] - a1[36] - a1[37] + a1[38] - a1[39] + a1[40] + a1[41])
v28 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] - a1[5] - a1[6] + a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] - a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] - a1[19] - a1[20] + a1[21] + a1[22] + a1[23] + a1[24] + a1[25] - a1[26] - a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[26] == v28 - a1[32] - a1[33] - a1[34] + a1[35] + a1[36] - a1[37] - a1[38] + a1[39] + a1[40] + a1[41])
v29 = a1[0] - a1[1] + a1[2] - a1[3] + a1[4] - a1[5] - a1[6] - a1[7] - a1[8] - a1[9] - a1[10] - a1[11] + a1[12] + a1[13] - a1[14] + a1[15] + a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] - a1[22] - a1[23] + a1[24] + a1[25] + a1[26] - a1[27] + a1[28] + a1[29] + a1[30] - a1[31];
s.add(a2[27] == v29 - a1[32] - a1[33] - a1[34] + a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] - a1[41])
v30 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] + a1[6] + a1[7] - a1[8] - a1[9] + a1[10] + a1[11] - a1[12] + a1[13] - a1[14] + a1[15] - a1[16] + a1[17] + a1[18] + a1[19] - a1[20] - a1[21] + a1[22] - a1[23] - a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] - a1[30] + a1[31];
s.add(a2[28] == v30 - a1[32] - a1[33] + a1[34] + a1[35] + a1[36] - a1[37] - a1[38] + a1[39] + a1[40] + a1[41])
v31 = a1[0] + a1[1] - a1[2] - a1[3] - a1[4] + a1[5] + a1[6] + a1[7] - a1[8] + a1[9] - a1[10] - a1[11] + a1[12] - a1[13] + a1[14] + a1[15] - a1[16] + a1[17] + a1[18] - a1[19] + a1[20] + a1[21] + a1[22] + a1[23] - a1[24] + a1[25] + a1[26] - a1[27] + a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[29] == v31 + a1[32] - a1[33] - a1[34] + a1[35] + a1[36] - a1[37] + a1[38] + a1[39] - a1[40] + a1[41])
v32 = a1[0] + a1[1] + a1[2] + a1[3] - a1[4] - a1[5] - a1[6] - a1[7] + a1[8] + a1[9] - a1[10] - a1[11] - a1[12] + a1[13] - a1[14] - a1[15] + a1[16] - a1[17] - a1[18] - a1[19] + a1[20] - a1[21] - a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[30] == v32 - a1[32] - a1[33] - a1[34] + a1[35] + a1[36] + a1[37] - a1[38] + a1[39] + a1[40] + a1[41])
v33 = a1[0] + a1[1] - a1[2] + a1[3] + a1[4] - a1[5] - a1[6] + a1[7] + a1[8] + a1[9] + a1[10] + a1[11] + a1[12] - a1[13] - a1[14] - a1[15] + a1[16] + a1[17] + a1[18] + a1[19] - a1[20] + a1[21] - a1[22] + a1[23] - a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[31] == v33 - a1[32] + a1[33] - a1[34] + a1[35] - a1[36] + a1[37] - a1[38] + a1[39] - a1[40] - a1[41])
v34 = a1[0] - a1[1] + a1[2] + a1[3] - a1[4] + a1[5] + a1[6] + a1[7] + a1[8] - a1[9] + a1[10] + a1[11] - a1[12] + a1[13] + a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] + a1[20] - a1[21] - a1[22] + a1[23] - a1[24] + a1[25] + a1[26] + a1[27] - a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[32] == v34 - a1[32] - a1[33] + a1[34] + a1[35] + a1[36] + a1[37] - a1[38] + a1[39] - a1[40] + a1[41])
v35 = a1[0] - a1[1] - a1[2] + a1[3] + a1[4] + a1[5] + a1[6] - a1[7] - a1[8] + a1[9] + a1[10] + a1[11] - a1[12] - a1[13] + a1[14] + a1[15] - a1[16] + a1[17] - a1[18] + a1[19] - a1[20] + a1[21] + a1[22] + a1[23] - a1[24] - a1[25] + a1[26] + a1[27] - a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[33] == v35 - a1[32] - a1[33] - a1[34] - a1[35] + a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v36 = a1[0] + a1[1] - a1[2] + a1[3] - a1[4] - a1[5] - a1[6] + a1[7] + a1[8] + a1[9] + a1[10] + a1[11] - a1[12] - a1[13] - a1[14] + a1[15] - a1[16] + a1[17] - a1[18] + a1[19] - a1[20] - a1[21] + a1[22] + a1[23] - a1[24] - a1[25] + a1[26] + a1[27] + a1[28] + a1[29] - a1[30] - a1[31];
s.add(a2[34] == v36 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] + a1[37] + a1[38] + a1[39] - a1[40] - a1[41])
v37 = a1[0] - a1[1] + a1[2] + a1[3] + a1[4] - a1[5] - a1[6] + a1[7] + a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] - a1[15] + a1[16] - a1[17] + a1[18] + a1[19] - a1[20] - a1[21] - a1[22] + a1[23] + a1[24] - a1[25] - a1[26] + a1[27] + a1[28] - a1[29] - a1[30] + a1[31];
s.add(a2[35] == v37 + a1[32] - a1[33] + a1[34] + a1[35] + a1[36] + a1[37] + a1[38] + a1[39] - a1[40] - a1[41])
v38 = a1[0] + a1[1] + a1[2] - a1[3] - a1[4] - a1[5] - a1[6] + a1[7] + a1[8] + a1[9] - a1[10] + a1[11] + a1[12] - a1[13] + a1[14] + a1[15] + a1[16] + a1[17] + a1[18] + a1[19] + a1[20] + a1[21] - a1[22] - a1[23] + a1[24] - a1[25] - a1[26] - a1[27] - a1[28] + a1[29] + a1[30] + a1[31];
s.add(a2[36] == v38 + a1[32] - a1[33] - a1[34] - a1[35] - a1[36] + a1[37] - a1[38] + a1[39] + a1[40] - a1[41])
v39 = a1[0] - a1[1] - a1[2] + a1[3] - a1[4] + a1[5] - a1[6] - a1[7] - a1[8] - a1[9] + a1[10] - a1[11] - a1[12] - a1[13] - a1[14] - a1[15] - a1[16] + a1[17] + a1[18] - a1[19] - a1[20] - a1[21] + a1[22] - a1[23] + a1[24] - a1[25] - a1[26] + a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[37] == v39 - a1[32] + a1[33] - a1[34] + a1[35] - a1[36] - a1[37] + a1[38] - a1[39] - a1[40] - a1[41])
v40 = a1[0] + a1[1] + a1[2] + a1[3] - a1[4] + a1[5] + a1[6] + a1[7] - a1[8] - a1[9] - a1[10] + a1[11] + a1[12] + a1[13] - a1[14] - a1[15] - a1[16] - a1[17] - a1[18] - a1[19] + a1[20] + a1[21] - a1[22] + a1[23] + a1[24] + a1[25] + a1[26] + a1[27] - a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[38] == v40 - a1[32] - a1[33] + a1[34] - a1[35] - a1[36] - a1[37] + a1[38] + a1[39] + a1[40] - a1[41])
v41 = a1[0] - a1[1] - a1[2] - a1[3] - a1[4] + a1[5] - a1[6] - a1[7] - a1[8] + a1[9] - a1[10] + a1[11] - a1[12] + a1[13] + a1[14] - a1[15] - a1[16] - a1[17] + a1[18] + a1[19] + a1[20] + a1[21] + a1[22] - a1[23] + a1[24] + a1[25] + a1[26] + a1[27] + a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[39] == v41 + a1[32] + a1[33] + a1[34] - a1[35] - a1[36] + a1[37] + a1[38] + a1[39] - a1[40] + a1[41])
v42 = a1[0] - a1[1] - a1[2] - a1[3] + a1[4] + a1[5] + a1[6] - a1[7] + a1[8] + a1[9] - a1[10] + a1[11] - a1[12] - a1[13] - a1[14] + a1[15] + a1[16] + a1[17] + a1[18] + a1[19] + a1[20] + a1[21] + a1[22] - a1[23] + a1[24] + a1[25] - a1[26] + a1[27] + a1[28] - a1[29] + a1[30] + a1[31];
s.add(a2[40] == v42 + a1[32] - a1[33] - a1[34] + a1[35] + a1[36] - a1[37] + a1[38] + a1[39] + a1[40] + a1[41])
v44 = a1[0] + a1[1] + a1[2] + a1[3] + a1[4] + a1[5] + a1[6] - a1[7] - a1[8] - a1[9] + a1[10] + a1[11] - a1[12] + a1[13] - a1[14] - a1[15] - a1[16] - a1[17] - a1[18] - a1[19] + a1[20] - a1[21] + a1[22] - a1[23] - a1[24] + a1[25] + a1[26] + a1[27] + a1[28] - a1[29] - a1[30] - a1[31];
s.add(a2[41] == v44 - a1[32] - a1[33] - a1[34] - a1[35] - a1[36] - a1[37] - a1[38] - a1[39] - a1[40] + a1[41])
s.check()
d = s.model()
print(d)
b =[0]*42
for i in range(42):
v = d[a1[i]].as_long()^i
b[i] = ((v>>3)|((v<<5)&0xff))
print(b)
print(bytes(b))
#SUCTF{[email protected]_P0wer7ul_TO0ls!}
#flag{[email protected]_P0wer7ul_TO0ls!}边栏推荐
- Hangfire详解
- Flutter calls Baidu map app to realize location search and route planning
- freemarker模板框架生成图片
- 苹果iPhone手机升级系统内存空间变小不够如何解决?
- [notes] take notes again -- learn by doing Verilog HDL – 008
- Notepad++--宏(记录操作过程)
- 一个mysql里有3306端口下,一个mysql有20多个数据库,怎么一键备份20多个数据库,做系统备份,防止数据误删除?
- 剑指 Offer 59 - I. 滑动窗口的最大值
- [observation] softcom power liutianwen: embrace change and "follow the trend" to become an "enabler" of China's digital economy
- ETCD数据库源码分析——服务端PUT流程
猜你喜欢
Jmeter之BeanShell详解和夸线程调用
JMeter BeanShell explanation and thread calling
La collection numérique Meng xiangshun, artiste national du tigre peint, est disponible en quantité limitée et est offerte avec Maotai de l'année du tigre
3-2 host discovery - layer 3 discovery
npm ERR! fatal: early EOF npm ERR! fatal: index-pack failed
File contains vulnerability
Flume configuration 1 - basic case
idea中方法上没有小绿色三角
Flume配置2——监控之Ganglia
童年经典蓝精灵之百变蓝爸爸数字藏品中奖名单公布
随机推荐
[compilation principle] semantic analysis
Command execution (RCE) vulnerability
Linux安装MySQL8
Linux安装MySQL5
ETCD数据库源码分析——服务端PUT流程
剑指 Offer 59 - II. 队列的最大值
剑指 Offer 66. 构建乘积数组
社区访谈丨一个IT新人眼中的JumpServer开源堡垒机
如何设置 Pod 到指定节点运行
wangeditor富文本编辑器使用(详细)
Dynamics crm: among locally deployed servers, sandbox, unzip, VSS, asynchronous and monitor services
Detailed description of gaussdb (DWS) complex and diverse resource load management methods
[notes] take notes again -- learn by doing Verilog HDL – 014
Flume配置4——自定义Source+Sink
Spark存储体系底层架构剖析-Spark商业环境实战
Performance improvement at the cost of other components is not good
14.04 million! Sichuan provincial human resources and social security department relational database and middleware software system upgrade procurement bidding!
As the "only" privacy computing provider, insight technology is the "first" to settle in the Yangtze River Delta data element circulation service platform
Oracle保留字查询
2021 CCPC 哈尔滨 E. Power and Modulo (思维题)