sus-gccc

.net程序,dnspy反编译一波:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
// Token: 0x02000002 RID: 2
public class GrayCCC
{
// Token: 0x06000002 RID: 2 RVA: 0x00002058 File Offset: 0x00000458
public static void Main()
{
Console.Write("Input the key: ");
uint num;
if (!uint.TryParse(Console.ReadLine().Trim(), out num))
{
Console.WriteLine("Invalid key");
return;
}
string text = "";
string text2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{} ";
int num2 = 0;
byte[] array = new byte[]
{
164,
25,
4,
130,
126,
158,
91,
199,
173,
252,
239,
143,
150,
251,
126,
39,
104,
104,
146,
208,
249,
9,
219,
208,
101,
182,
62,
92,
6,
27,
5,
46
};
byte b = 0;
while (num != 0u)
{
char c = (char)(array[num2] ^ (byte)num ^ b);
if (!text2.Contains(new string(c, 1)))
{
Console.WriteLine("Invalid key");
return;
}
text += c;
b ^= array[num2++];
num >>= 1;
}
if (text.Substring(0, 5) != "FLAG{" || text.Substring(31, 1) != "}")
{
Console.WriteLine("Invalid key");
return;
}
Console.WriteLine("Your flag is: " + text);
}
}

定义了uint类型变量num,text[i]=array[i]^(num&0xff)^bb=array[0]^...^array[i],最后要求text的前五位为FLAG{,最后一位为},并且每一位都是大写字母,题目推荐使用z3求解。
脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from z3 import *
num=BitVec("num",33)
array=[
164,
25,
4,
130,
126,
158,
91,
199,
173,
252,
239,
143,
150,
251,
126,
39,
104,
104,
146,
208,
249,
9,
219,
208,
101,
182,
62,
92,
6,
27,
5,
46]
b=range(32)
for i in range(32):
temp=0
for j in range(i):
temp^=array[j]
b[i]=temp
solver=Solver()
solver.add(array[0]^(num&0xff)^b[0]==ord('F'))
solver.add(array[1]^((num>>1)&0xff)^b[1]==ord('L'))
solver.add(array[2]^((num>>2)&0xff)^b[2]==ord('A'))
solver.add(array[3]^((num>>3)&0xff)^b[3]==ord('G'))
solver.add(array[4]^((num>>4)&0xff)^b[4]==ord('{'))
for i in range(5,31):
solver.add(array[i]^((num>>i)&0xff)^b[i]<=126)
solver.add(array[i]^((num>>i)&0xff)^b[i]>=32)
solver.add(array[31]^((num>>31)&0xff)^b[31]==ord('}'))
if solver.check()==sat :
print solver.model()
right_num=3658134498
flag=""
for i in range(32):
flag+=chr(array[i]^((right_num>>i)&0xff)^b[i])
print flag
文章目录
|