buu-GUET-CTF2019-re

本文最后更新于:2021年3月26日 晚上

初识

拿到题目后先拉入PEiD检测,是64位程序,并且有一个upx壳,用upxshell脱壳后拖入IDA打开进行代码分析

熟悉

脱壳后看函数列表有start函数,打开反编译后发现没有什么内容,应该是假入口,于是更换思路,直接去查看字符串

img

找到了关于flag判定的提示,转到correct字符串,然后回溯使用了它的函数(其他字符串也可以)

img

很明显这个sub_4009AE所进行的判断就是我们要求的结果,直接回溯上去:

img

到这一步就很明显了…z3解方程,直接上python,要注意这里少了一个a[6]

整活

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
from z3 import *
s = Solver()
a1 = [0]*32
for i in range(32):
a1[i] = Int('a1['+str(i)+']')

s.add( 1629056 * a1[0] == 166163712 )
s.add( 6771600 * a1[1] == 731332800 )
s.add( 3682944 * a1[2] == 357245568 )
s.add( 10431000 * a1[3] == 1074393000 )
s.add( 3977328 * a1[4] == 489211344 )
s.add( 5138336 * a1[5] == 518971936 )
s.add( 7532250 * a1[7] == 406741500 )
s.add( 5551632 * a1[8] == 294236496 )
s.add( 3409728 * a1[9] == 177305856 )
s.add( 13013670 * a1[10] == 650683500 )
s.add( 6088797 * a1[11] == 298351053 )
s.add( 7884663 * a1[12] == 386348487 )
s.add( 8944053 * a1[13] == 438258597 )
s.add( 5198490 * a1[14] == 249527520 )
s.add( 4544518 * a1[15] == 445362764 )
s.add( 3645600 * a1[17] == 174988800 )
s.add( 10115280 * a1[16] == 981182160 )
s.add( 9667504 * a1[18] == 493042704 )
s.add( 5364450 * a1[19] == 257493600 )
s.add( 13464540 * a1[20] == 767478780 )
s.add( 5488432 * a1[21] == 312840624 )
s.add( 14479500 * a1[22] == 1404511500 )
s.add( 6451830 * a1[23] == 316139670 )
s.add( 6252576 * a1[24] == 619005024 )
s.add( 7763364 * a1[25] == 372641472 )
s.add( 7327320 * a1[26] == 373693320 )
s.add( 8741520 * a1[27] == 498266640 )
s.add( 8871876 * a1[28] == 452465676 )
s.add( 4086720 * a1[29] == 208422720 )
s.add( 9374400 * a1[30] == 515592000 )
s.add(5759124 * a1[31] == 719890500)
s.check()
print(s.model())

解出结果如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[a1[31] = 125,
a1[30] = 55,
a1[29] = 51,
a1[28] = 51,
a1[27] = 57,
a1[26] = 51,
a1[25] = 48,
a1[24] = 99,
a1[23] = 49,
a1[22] = 97,
a1[21] = 57,
a1[20] = 57,
a1[19] = 48,
a1[18] = 51,
a1[16] = 97,
a1[17] = 48,
a1[15] = 98,
a1[14] = 48,
a1[13] = 49,
a1[12] = 49,
a1[11] = 49,
a1[10] = 50,
a1[9] = 52,
a1[8] = 53,
a1[7] = 54,
a1[5] = 101,
a1[4] = 123,
a1[3] = 103,
a1[2] = 97,
a1[1] = 108,
a1[0] = 102]

接着拿着这些结果继续求出他们所对应的字符输出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
a1 = [0]*32
a1[31] = 125
a1[30] = 55
a1[29] = 51
a1[28] = 51
a1[27] = 57
a1[26] = 51
a1[25] = 48
a1[24] = 99
a1[23] = 49
a1[22] = 97
a1[21] = 57
a1[20] = 57
a1[19] = 48
a1[18] = 51
a1[16] = 97
a1[17] = 48
a1[15] = 98
a1[14] = 48
a1[13] = 49
a1[12] = 49
a1[11] = 49
a1[10] = 50
a1[9] = 52
a1[8] = 53
a1[7] = 54
a1[5] = 101
a1[4] = 123
a1[3] = 103
a1[2] = 97
a1[1] = 108
a1[0] = 102
for i in range(32):
if i == 6:
print(1)
continue
print(chr(a1[i]), end="")

得出最终结果

1
2
flag{e1
65421110ba03099a1c039337}

其中加了1的那一位具体数字是多少目前不清楚,题目里面也没有明确的提示,因此只能爆破,依次尝试,但是很幸运,上手一个1就直接通过了,因此本题得解flag{e165421110ba03099a1c039337}


本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!