• 2020第十三届全国大学生信息安全创新实践大赛 z3


    2020第十三届全国大学生信息安全创新实践大赛 z3

    http://ethereal.prohitime.top/demo/


    其实根据题目名字的提示(直接百度这道题的题目,会发现z3是一种解方程的工具)

    // local variable allocation has failed, the output may be wrong!
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      int v4; // [rsp+20h] [rbp-60h]
      int v5; // [rsp+24h] [rbp-5Ch]
      int v6; // [rsp+28h] [rbp-58h]
      int v7; // [rsp+2Ch] [rbp-54h]
      int v8; // [rsp+30h] [rbp-50h]
      int v9; // [rsp+34h] [rbp-4Ch]
      int v10; // [rsp+38h] [rbp-48h]
      int v11; // [rsp+3Ch] [rbp-44h]
      int v12; // [rsp+40h] [rbp-40h]
      int v13; // [rsp+44h] [rbp-3Ch]
      int v14; // [rsp+48h] [rbp-38h]
      int v15; // [rsp+4Ch] [rbp-34h]
      int v16; // [rsp+50h] [rbp-30h]
      int v17; // [rsp+54h] [rbp-2Ch]
      int v18; // [rsp+58h] [rbp-28h]
      int v19; // [rsp+5Ch] [rbp-24h]
      int v20; // [rsp+60h] [rbp-20h]
      int v21; // [rsp+64h] [rbp-1Ch]
      int v22; // [rsp+68h] [rbp-18h]
      int v23; // [rsp+6Ch] [rbp-14h]
      int v24; // [rsp+70h] [rbp-10h]
      int v25; // [rsp+74h] [rbp-Ch]
      int v26; // [rsp+78h] [rbp-8h]
      int v27; // [rsp+7Ch] [rbp-4h]
      int v28; // [rsp+80h] [rbp+0h]
      int v29; // [rsp+84h] [rbp+4h]
      int v30; // [rsp+88h] [rbp+8h]
      int v31; // [rsp+8Ch] [rbp+Ch]
      int v32; // [rsp+90h] [rbp+10h]
      int v33; // [rsp+94h] [rbp+14h]
      int v34; // [rsp+98h] [rbp+18h]
      int v35; // [rsp+9Ch] [rbp+1Ch]
      int v36; // [rsp+A0h] [rbp+20h]
      int v37; // [rsp+A4h] [rbp+24h]
      int v38; // [rsp+A8h] [rbp+28h]
      int v39; // [rsp+ACh] [rbp+2Ch]
      int v40; // [rsp+B0h] [rbp+30h]
      int v41; // [rsp+B4h] [rbp+34h]
      int v42; // [rsp+B8h] [rbp+38h]
      int v43; // [rsp+BCh] [rbp+3Ch]
      int v44; // [rsp+C0h] [rbp+40h]
      int v45; // [rsp+C4h] [rbp+44h]
      unsigned __int8 v46; // [rsp+D0h] [rbp+50h]
      unsigned __int8 v47; // [rsp+D1h] [rbp+51h]
      unsigned __int8 v48; // [rsp+D2h] [rbp+52h]
      unsigned __int8 v49; // [rsp+D3h] [rbp+53h]
      unsigned __int8 v50; // [rsp+D4h] [rbp+54h]
      unsigned __int8 v51; // [rsp+D5h] [rbp+55h]
      unsigned __int8 v52; // [rsp+D6h] [rbp+56h]
      unsigned __int8 v53; // [rsp+D7h] [rbp+57h]
      unsigned __int8 v54; // [rsp+D8h] [rbp+58h]
      unsigned __int8 v55; // [rsp+D9h] [rbp+59h]
      unsigned __int8 v56; // [rsp+DAh] [rbp+5Ah]
      unsigned __int8 v57; // [rsp+DBh] [rbp+5Bh]
      unsigned __int8 v58; // [rsp+DCh] [rbp+5Ch]
      unsigned __int8 v59; // [rsp+DDh] [rbp+5Dh]
      unsigned __int8 v60; // [rsp+DEh] [rbp+5Eh]
      unsigned __int8 v61; // [rsp+DFh] [rbp+5Fh]
      unsigned __int8 v62; // [rsp+E0h] [rbp+60h]
      unsigned __int8 v63; // [rsp+E1h] [rbp+61h]
      unsigned __int8 v64; // [rsp+E2h] [rbp+62h]
      unsigned __int8 v65; // [rsp+E3h] [rbp+63h]
      unsigned __int8 v66; // [rsp+E4h] [rbp+64h]
      unsigned __int8 v67; // [rsp+E5h] [rbp+65h]
      unsigned __int8 v68; // [rsp+E6h] [rbp+66h]
      unsigned __int8 v69; // [rsp+E7h] [rbp+67h]
      unsigned __int8 v70; // [rsp+E8h] [rbp+68h]
      unsigned __int8 v71; // [rsp+E9h] [rbp+69h]
      unsigned __int8 v72; // [rsp+EAh] [rbp+6Ah]
      unsigned __int8 v73; // [rsp+EBh] [rbp+6Bh]
      unsigned __int8 v74; // [rsp+ECh] [rbp+6Ch]
      unsigned __int8 v75; // [rsp+EDh] [rbp+6Dh]
      unsigned __int8 v76; // [rsp+EEh] [rbp+6Eh]
      unsigned __int8 v77; // [rsp+EFh] [rbp+6Fh]
      unsigned __int8 v78; // [rsp+F0h] [rbp+70h]
      unsigned __int8 v79; // [rsp+F1h] [rbp+71h]
      unsigned __int8 v80; // [rsp+F2h] [rbp+72h]
      unsigned __int8 v81; // [rsp+F3h] [rbp+73h]
      unsigned __int8 v82; // [rsp+F4h] [rbp+74h]
      unsigned __int8 v83; // [rsp+F5h] [rbp+75h]
      unsigned __int8 v84; // [rsp+F6h] [rbp+76h]
      unsigned __int8 v85; // [rsp+F7h] [rbp+77h]
      unsigned __int8 v86; // [rsp+F8h] [rbp+78h]
      unsigned __int8 v87; // [rsp+F9h] [rbp+79h]
      int Dst[43]; // [rsp+110h] [rbp+90h]
      int i; // [rsp+1BCh] [rbp+13Ch]
    
      _main(*(_QWORD *)&argc, argv, envp);
      memcpy(Dst, &unk_404020, 0xA8ui64);
      printf("plz input your flag:");
      scanf("%42s", &v46);
      v4 = 34 * v49 + 12 * v46 + 53 * v47 + 6 * v48 + 58 * v50 + 36 * v51 + v52;
      v5 = 27 * v50 + 73 * v49 + 12 * v48 + 83 * v46 + 85 * v47 + 96 * v51 + 52 * v52;
      v6 = 24 * v48 + 78 * v46 + 53 * v47 + 36 * v49 + 86 * v50 + 25 * v51 + 46 * v52;
      v7 = 78 * v47 + 39 * v46 + 52 * v48 + 9 * v49 + 62 * v50 + 37 * v51 + 84 * v52;
      v8 = 48 * v50 + 14 * v48 + 23 * v46 + 6 * v47 + 74 * v49 + 12 * v51 + 83 * v52;
      v9 = 15 * v51 + 48 * v50 + 92 * v48 + 85 * v47 + 27 * v46 + 42 * v49 + 72 * v52;
      v10 = 26 * v51 + 67 * v49 + 6 * v47 + 4 * v46 + 3 * v48 + 68 * v52;
      v11 = 34 * v56 + 12 * v53 + 53 * v54 + 6 * v55 + 58 * v57 + 36 * v58 + v59;
      v12 = 27 * v57 + 73 * v56 + 12 * v55 + 83 * v53 + 85 * v54 + 96 * v58 + 52 * v59;
      v13 = 24 * v55 + 78 * v53 + 53 * v54 + 36 * v56 + 86 * v57 + 25 * v58 + 46 * v59;
      v14 = 78 * v54 + 39 * v53 + 52 * v55 + 9 * v56 + 62 * v57 + 37 * v58 + 84 * v59;
      v15 = 48 * v57 + 14 * v55 + 23 * v53 + 6 * v54 + 74 * v56 + 12 * v58 + 83 * v59;
      v16 = 15 * v58 + 48 * v57 + 92 * v55 + 85 * v54 + 27 * v53 + 42 * v56 + 72 * v59;
      v17 = 26 * v58 + 67 * v56 + 6 * v54 + 4 * v53 + 3 * v55 + 68 * v59;
      v18 = 34 * v63 + 12 * v60 + 53 * v61 + 6 * v62 + 58 * v64 + 36 * v65 + v66;
      v19 = 27 * v64 + 73 * v63 + 12 * v62 + 83 * v60 + 85 * v61 + 96 * v65 + 52 * v66;
      v20 = 24 * v62 + 78 * v60 + 53 * v61 + 36 * v63 + 86 * v64 + 25 * v65 + 46 * v66;
      v21 = 78 * v61 + 39 * v60 + 52 * v62 + 9 * v63 + 62 * v64 + 37 * v65 + 84 * v66;
      v22 = 48 * v64 + 14 * v62 + 23 * v60 + 6 * v61 + 74 * v63 + 12 * v65 + 83 * v66;
      v23 = 15 * v65 + 48 * v64 + 92 * v62 + 85 * v61 + 27 * v60 + 42 * v63 + 72 * v66;
      v24 = 26 * v65 + 67 * v63 + 6 * v61 + 4 * v60 + 3 * v62 + 68 * v66;
      v25 = 34 * v70 + 12 * v67 + 53 * v68 + 6 * v69 + 58 * v71 + 36 * v72 + v73;
      v26 = 27 * v71 + 73 * v70 + 12 * v69 + 83 * v67 + 85 * v68 + 96 * v72 + 52 * v73;
      v27 = 24 * v69 + 78 * v67 + 53 * v68 + 36 * v70 + 86 * v71 + 25 * v72 + 46 * v73;
      v28 = 78 * v68 + 39 * v67 + 52 * v69 + 9 * v70 + 62 * v71 + 37 * v72 + 84 * v73;
      v29 = 48 * v71 + 14 * v69 + 23 * v67 + 6 * v68 + 74 * v70 + 12 * v72 + 83 * v73;
      v30 = 15 * v72 + 48 * v71 + 92 * v69 + 85 * v68 + 27 * v67 + 42 * v70 + 72 * v73;
      v31 = 26 * v72 + 67 * v70 + 6 * v68 + 4 * v67 + 3 * v69 + 68 * v73;
      v32 = 34 * v77 + 12 * v74 + 53 * v75 + 6 * v76 + 58 * v78 + 36 * v79 + v80;
      v33 = 27 * v78 + 73 * v77 + 12 * v76 + 83 * v74 + 85 * v75 + 96 * v79 + 52 * v80;
      v34 = 24 * v76 + 78 * v74 + 53 * v75 + 36 * v77 + 86 * v78 + 25 * v79 + 46 * v80;
      v35 = 78 * v75 + 39 * v74 + 52 * v76 + 9 * v77 + 62 * v78 + 37 * v79 + 84 * v80;
      v36 = 48 * v78 + 14 * v76 + 23 * v74 + 6 * v75 + 74 * v77 + 12 * v79 + 83 * v80;
      v37 = 15 * v79 + 48 * v78 + 92 * v76 + 85 * v75 + 27 * v74 + 42 * v77 + 72 * v80;
      v38 = 26 * v79 + 67 * v77 + 6 * v75 + 4 * v74 + 3 * v76 + 68 * v80;
      v39 = 34 * v84 + 12 * v81 + 53 * v82 + 6 * v83 + 58 * v85 + 36 * v86 + v87;
      v40 = 27 * v85 + 73 * v84 + 12 * v83 + 83 * v81 + 85 * v82 + 96 * v86 + 52 * v87;
      v41 = 24 * v83 + 78 * v81 + 53 * v82 + 36 * v84 + 86 * v85 + 25 * v86 + 46 * v87;
      v42 = 78 * v82 + 39 * v81 + 52 * v83 + 9 * v84 + 62 * v85 + 37 * v86 + 84 * v87;
      v43 = 48 * v85 + 14 * v83 + 23 * v81 + 6 * v82 + 74 * v84 + 12 * v86 + 83 * v87;
      v44 = 15 * v86 + 48 * v85 + 92 * v83 + 85 * v82 + 27 * v81 + 42 * v84 + 72 * v87;
      v45 = 26 * v86 + 67 * v84 + 6 * v82 + 4 * v81 + 3 * v83 + 68 * v87;
      for ( i = 0; i <= 41; ++i )
      {
        if ( *(&v4 + i) != Dst[i] )
        {
          printf("error");
          exit(0);
        }
      }
      printf("win");
      return 0;
    }
    

    这道题对我来说有两个问题:
    一个是当时我不知道z3是什么东西
    第二个是我没看懂这段到底什么意思
    现在分析一下,这42个方程的未知数是以v46开始的,而scanf("%42s", &v46),自己输入的就是v46,所以相当于v46,v47,就是自己输入的字符串的每一位
    然后用z3解这个方程,但是安装z3其实挺麻烦,我在windows上没装好,然后到了kali上装的
    提供一个解方程的网址: https://www.buildenvi.com/gongju/formula/3lck4
    正规方法:z3
    这个其实很好用,但是不知道为什么我比赛的时候总是报错

    root@kali:~/z3/build/python# python z3.py
    [v85 = 52,
     v65 = 52,
     v63 = 57,
     v74 = 45,
     v47 = 108,
     v62 = 98,
     v81 = 97,
     v64 = 45,
     v48 = 97,
     v51 = 55,
     v58 = 51,
     v53 = 49,
     v49 = 103,
     v55 = 49,
     v57 = 52,
     v67 = 49,
     v54 = 55,
     v70 = 57,
     v69 = 45,
     v56 = 100,
     v86 = 56,
     v72 = 48,
     v60 = 54,
     v78 = 52,
     v68 = 56,
     v79 = 99,
     v75 = 54,
     v46 = 102,
     v77 = 49,
     v76 = 101,
     v50 = 123,
     v61 = 51,
     v71 = 57,
     v82 = 102,
     v83 = 101,
     v84 = 54,
     v87 = 125,
     v80 = 50,
     v73 = 101,
     v66 = 101,
     v59 = 45,
     v52 = 101]
    # 转成字符
    v84 = 54
    v65 = 52
    v63 = 57
    v74 = 45
    v47 = 108
    v62 = 98
    v81 = 97
    v64 = 45
    v48 = 97
    v51 = 55
    v58 = 51
    v53 = 49
    v49 = 103
    v55 = 49
    v57 = 52
    v67 = 49
    v54 = 55
    v70 = 57
    v69 = 45
    v56 = 100
    v86 = 56
    v72 = 48
    v60 = 54
    v78 = 52
    v68 = 56
    v79 = 99
    v75 = 54
    v46 = 102
    v77 = 49
    v76 = 101
    v50 = 123
    v61 = 51
    v71 = 57
    v82 = 102
    v83 = 101
    v85 = 52
    v87 = 125
    v80 = 50
    v73 = 101
    v66 = 101
    v59 = 45
    v52 = 101
     
    print(chr(v46)+
          chr(v47)+
          chr(v48)+
          chr(v49)+
          chr(v50)+
          chr(v51)+
          chr(v52)+
          chr(v53)+
          chr(v54)+
          chr(v55)+
          chr(v56)+
          chr(v57)+
          chr(v58)+
          chr(v59)+
          chr(v60)+
          chr(v61)+
          chr(v62)+
          chr(v63)+
          chr(v64)+
          chr(v65)+
          chr(v66)+
          chr(v67)+
          chr(v68)+
          chr(v69)+
          chr(v70)+
          chr(v71)+
          chr(v72)+
          chr(v73)+
          chr(v74)+
          chr(v75)+
          chr(v76)+
          chr(v77)+
          chr(v78)+
          chr(v79)+
          chr(v80)+
          chr(v81)+
          chr(v82)+
          chr(v83)+
          chr(v84)+
          chr(v85)+
          chr(v86)+
          chr(v87))
    

    flag{7e171d43-63b9-4e18-990e-6e14c2afe648}
    http://ethereal.prohitime.top/demo/

  • 相关阅读:
    Log4Net 自定义级别,分别记录到不同的文件中
    带着忧伤,寻觅快乐
    程序员进阶学习书籍
    PHP编码技巧
    PHP精度问题
    Laravel5 构造器高级查询条件写法
    正则表达式 /i /g /m /ig /gi
    MySQL运算符的优先级
    PHP获取当前页面完整路径URL
    使用ssl模块配置同时支持http和https并存
  • 原文地址:https://www.cnblogs.com/serendipity-my/p/13685143.html
Copyright © 2020-2023  润新知