知识要点:
Z3和tea
// Decompiled pseudocode of the challenge's main(): it reads six integers,
// pushes them pairwise through sub_400686 together with `key`, and hands the
// result to sub_400770; any return value other than 1 ends the program.
// NOTE(review): pointer casts look stripped from this listing and v0/v1/key
// are not declared in it, so read it as a sketch of the control flow rather
// than as compilable C.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [rsp+8h] [rbp-68h]
  int j; // [rsp+Ch] [rbp-64h]
  __int64 v6[6]; // [rsp+10h] [rbp-60h] BYREF
  __int64 v7[6]; // [rsp+40h] [rbp-30h] BYREF
  // Value read from fs:0x28 and parked in v7[5], just past the 40 bytes that
  // are cleared below; presumably the stack-protector canary, not program data.
  v7[5] = __readfsqword(0x28u);
  puts("Let us play a game?");
  puts("you have six chances to input");
  puts("Come on!");
  // Input buffer: only the first 40 bytes (v6[0..4]) are zeroed.
  memset(v6, 0, 40);
  for ( i = 0; i <= 5; ++i )
  {
    printf("%s", "input: ");
    // Presumably a byte offset (cast dropped by the listing): six 32-bit
    // values packed into v6[0..2], which matches how the next loop reads each
    // qword back as a low dword plus HIDWORD.
    a2 = (v6 + 4 * i);
    // The scanf return value is not checked; after a failed conversion the
    // slot keeps the zero written by memset.
    __isoc99_scanf("%d", a2);
  }
  // Output buffer for the transformed values, same 40-byte clear as v6.
  memset(v7, 0, 40);
  for ( j = 0; j <= 2; ++j )
  {
    // Split one qword of input into its two 32-bit halves.
    v0 = v6[j];
    v1 = HIDWORD(v6[j]);
    a2 = &key;
    // Only &v0 is passed; presumably v0 and v1 are adjacent so the callee
    // treats them as one two-word block - TODO confirm in the binary. The
    // write-up identifies this routine as the TEA step.
    sub_400686(&v0, &key);
    // Store the (possibly updated) halves back as one qword of v7.
    LODWORD(v7[j]) = v0;
    HIDWORD(v7[j]) = v1;
  }
  // a2 still holds &key from the loop above. Anything but 1 is a failure; the
  // write-up solves the conditions behind this check with Z3.
  if ( sub_400770(v7, a2) != 1 )
  {
    puts("NO NO NO~ ");
    exit(0);
  }
  puts("Congratulation!\n");
  puts("You seccess half\n");
  // Hint printed by the binary: the accepted inputs still have to be
  // converted to hex and concatenated to obtain the final answer.
  puts("Do not forget to change input to hex and combine~\n");
  puts("ByeBye");
  return 0LL;
}
这段代码这么简单,应该没什么讲的吧
这是 tea 加密用到的 key(对应 main 里传给 sub_400686 的 &key;下面的解密脚本取 k = [2, 2, 3, 4]):
这里是 Z3 部分:sub_400770 对加密后的 6 个 32 位值做校验,这些校验条件交给 Z3 求解。
这里是 tea 部分:sub_400686 是加密函数,对 Z3 解出的密文按同样的参数逆向解密即可。
脚本——
from z3 import *
# Solver that collects every constraint on the six unknowns.
s = Solver()
# Six integer unknowns, named a0..a5.
# NOTE: Int is an unbounded integer sort, so no 32-bit wrap-around is
# modelled here; the solved values are exact mathematical integers.
n = 6
a1 = [Int(f"a{i}") for i in range(n)]
# Three linear relations tie a2, a3 and a4 together; a0, a5 and a1 are
# pinned directly to fixed values.
s.add(
    a1[2] - a1[3] == 2225223423,
    a1[3] + a1[4] == 4201428739,
    a1[2] - a1[4] == 1121399208,
    a1[0] == -548868226,
    a1[5] == -2064448480,
    a1[1] == 550153460,
)
# Nothing is printed unless the constraints are satisfiable.
if s.check() == sat:
    # Raw model first, then the values in a0..a5 order as plain Python ints.
    print(s.model())
    m = s.model()
    ordered_solution = [m[var].as_long() for var in a1]
    print("按顺序排列的解:", ordered_solution)
from ctypes import *
import libnum
#-------------------------------------------------------------------
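def decrypt(v, key):
    """Undo the 64-round TEA-style block transform for one pair of words.

    Args:
        v: Two integers, the ciphertext halves. Each is reduced modulo
            2**32, so a negative (signed 32-bit) reading of a word is
            accepted and treated as its unsigned form.
        key: Sequence of at least four integers; key[0]..key[3] are used.

    Returns:
        Tuple ``(v0, v1)`` of the recovered halves as unsigned 32-bit ints.

    The parameters differ from stock TEA (32 rounds, delta 0x9E3779B9,
    shifts of 4 and 5): this variant uses 64 rounds, its own delta, shifts
    of 6 and 9, and extra additive/XOR constants in each half-round.
    """
    mask = 0xFFFFFFFF          # every intermediate is kept to 32 bits
    delta = 1166789954         # 0x458BCD42
    rounds = 64

    v0 = v[0] & mask
    v1 = v[1] & mask
    # Start from the accumulator value reached after the last encryption round.
    total = (delta * rounds) & mask
    for _ in range(rounds):
        # Half-rounds are undone in reverse order: v1 first, then v0.
        v1 = (v1 - ((v0 + total + 20) ^ ((v0 << 6) + key[2]) ^ ((v0 >> 9) + key[3]) ^ 0x10)) & mask
        v0 = (v0 - ((v1 + total + 11) ^ ((v1 << 6) + key[0]) ^ ((v1 >> 9) + key[1]) ^ 0x20)) & mask
        total = (total - delta) & mask
    return v0, v1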
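if __name__ == '__main__':
    # Ciphertext as three (v0, v1) pairs. The negative entries are signed
    # readings of 32-bit words; decrypt() reduces them to unsigned form.
    a = [[-548868226, 550153460], [3774025685, 1548802262], [2652626477, -2064448480]]
    # Four-word key; presumably the `key` table from the binary - confirm
    # against the disassembly.
    k = [2, 2, 3, 4]
    ans = []
    for pair in a:
        # decrypt() returns the two recovered words in order.
        ans.extend(decrypt(pair, k))
    # Each word is converted to bytes by libnum.n2s, decoded as UTF-8 and the
    # pieces are concatenated; a non-UTF-8 word raises UnicodeDecodeError,
    # which signals a wrong key or ciphertext.
    flag = ''.join(libnum.n2s(word).decode(encoding='utf-8') for word in ans)
    print(flag)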