[GWCTF 2019]xxor

IDA分析

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [rsp+8h] [rbp-68h]
  int j; // [rsp+Ch] [rbp-64h]
  __int64 v6[6]; // [rsp+10h] [rbp-60h] BYREF
  __int64 v7[6]; // [rsp+40h] [rbp-30h] BYREF

  v7[5] = __readfsqword(0x28u);
  puts("Let us play a game?");
  puts("you have six chances to input");
  puts("Come on!");
  v6[0] = 0LL;
  v6[1] = 0LL;
  v6[2] = 0LL;
  v6[3] = 0LL;
  v6[4] = 0LL;
  for ( i = 0; i <= 5; ++i )
  {
    printf("%s", "input: ");
    __isoc99_scanf("%d", (char *)v6 + 4 * i);
  }
  v7[0] = 0LL;
  v7[1] = 0LL;
  v7[2] = 0LL;
  v7[3] = 0LL;
  v7[4] = 0LL;
  for ( j = 0; j <= 2; ++j )
  {
    dword_601078 = v6[j];
    dword_60107C = HIDWORD(v6[j]);
    sub_400686((unsigned int *)&dword_601078, dword_601060);
    LODWORD(v7[j]) = dword_601078;
    HIDWORD(v7[j]) = dword_60107C;
  }
  if ( (unsigned int)sub_400770(v7) != 1 )
  {
    puts("NO NO NO~ ");
    exit(0);
  }
  puts("Congratulation!\n");
  puts("You seccess half\n");
  puts("Do not forget to change input to hex and combine~\n");
  puts("ByeBye");
  return 0LL;
}

首先查看最后的判断 sub_400770 函数

__int64 __fastcall sub_400770(_DWORD *a1)
{
  __int64 result; // rax

  if ( a1[2] - a1[3] == 2225223423LL
    && a1[3] + a1[4] == 4201428739LL
    && a1[2] - a1[4] == 1121399208LL
    && *a1 == 0xDF48EF7E
    && a1[5] == -2064448480
    && a1[1] == 550153460 )
  {
    puts("good!");
    result = 1LL;
  }
  else
  {
    puts("Wrong!");
    result = 0LL;
  }
  return result;
}

这不是直接写z3

from z3 import *
a1 = [Int("%d" % i)for i in range(6)]
s = Solver()
s.add(a1[2] - a1[3] == 0x84A236FF)
s.add(a1[3] + a1[4] == 0xFA6CB703)
s.add(a1[2] - a1[4] == 0x42D731A8)
s.add(a1[0] == 0xDF48EF7E)
s.add(a1[5] == 0x84F30420)
s.add(a1[1] == 0x20CAACF4)
if s.check() == sat:
    m = s.model()
    for i in range(6):
        print(m[a1[i]])
# 3746099070      0
# 550153460       1
# 3774025685      2
# 1548802262      3
# 2652626477      4
# 2230518816      5

然后看sub_400686外面的for循环

__int64 __fastcall sub_400686(unsigned int *a1, _DWORD *a2)
{
  __int64 result; // rax
  unsigned int v3; // [rsp+1Ch] [rbp-24h]
  unsigned int v4; // [rsp+20h] [rbp-20h]
  int v5; // [rsp+24h] [rbp-1Ch]
  unsigned int i; // [rsp+28h] [rbp-18h]

  v3 = *a1;
  v4 = a1[1];
  v5 = 0;
  for ( i = 0; i <= 0x3F; ++i )
  {
    v5 += 0x458BCD42;
    v3 += (v4 + v5 + 11) ^ ((v4 << 6) + *a2) ^ ((v4 >> 9) + a2[1]) ^ 0x20;
    v4 += (v3 + v5 + 20) ^ ((v3 << 6) + a2[2]) ^ ((v3 >> 9) + a2[3]) ^ 0x10;
  }
  *a1 = v3;
  result = v4;
  a1[1] = v4;
  return result;
}

我们只需对上述的异或操作逆向即可(+/-)

for ( j = 0; j <= 2; ++j )
  {
    dword_601078 = v6[j];
    dword_60107C = HIDWORD(v6[j]);
    sub_400686((unsigned int *)&dword_601078, dword_601060);
    LODWORD(v7[j]) = dword_601078;
    HIDWORD(v7[j]) = dword_60107C;
  }
// dword_601060 是 2,2,3,4

脚本

// # define HIDWORD(x)  (*((_DWORD*)&(x)+1))
#include <iostream>
using namespace std;
int main()
{
    __int64 a[6] = {3746099070, 550153460, 3774025685, 1548802262, 2652626477, 2230518816};
    int a2[] = {2, 2, 3, 4};
    unsigned int v3, v4;
    int v5;
    for (int j = 0; j <= 4; j += 2)
    {
        v3 = a[j];
        v4 = a[j + 1];
        v5 = (0x458BCD42) * 0x40;
        for (int i = 0; i <= 0x3F; ++i)
        {

            v4 -= (v3 + v5 + 20) ^ ((v3 << 6) + a2[2]) ^ ((v3 >> 9) + a2[3]) ^ 0x10;
            v3 -= (v4 + v5 + 11) ^ ((v4 << 6) + *a2) ^ ((v4 >> 9) + a2[1]) ^ 0x20;
            v5 -= 0x458BCD42;
        }
        a[j] = v3;
        a[j + 1] = v4;
    }
    // 将整型数组作为字符输出,注意计算机小端排序
    // for (int i = 0; i < 6; ++i)
    // {
    //     cout << *((char *)&a[i] + 2) << *((char *)&a[i] + 1) << *((char *)&a[i]);
    // }
    for (int i = 0; i < 6; ++i)
    {
        printf("%x ", a[i]); // 或者将输出的16进制转为字符
    }
}
// flag{re_is_great!}