CISCN 2020: Write-ups for Selected Challenges

I looked at two of the challenges; brief notes below.

z3

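First, the archive is named Z3, so I guessed the challenge is about solving equations with Z3.

Loading it into IDA Pro confirmed this.

The input string is substituted into the equations; if the 42 resulting values match the v47 array element by element, the program prints "win".

Set a breakpoint at line 97 and debug dynamically to obtain this string.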


The final script is as follows:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# @Author :iqiqiya
# @Blog :iqiqiya.com
# @Time :2020/8/20
# @FileName :z3.py
from z3 import *
v4 = 0x4F17
v5 = 0x9CF6
v6 = 0x8DDB
v7 = 0x8EA6
v8 =0x6929
v9 =0x9911
v10 =0x40A2
v11 = 0x2F3E
v12 =0x62B6
v13 =0x4B82
v14 =0x486C
v15 =0x4002
v16 =0x52D7
v17 =0x2DEF
v18 =0x28DC
v19 =0x640D
v20 = 0x528F
v21 =0x613B
v22 = 0x4781
v23 =0x6B17
v24 = 0x3237
v25 =0x2A93
v26 =0x615F
v27 = 0x50BE
v28 =0x598E
v29 =0x4656
v30 =0x5B31
v31 =0x313A
v32 = 0x3010
v33 =0x67FE
v34 =0x4D5F
v35 =0x58DB
v36 =0x3799
v37 =0x60A0
v38 =0x2750
v39 =0x3759
v40 =0x8953
v41 =0x7122
v42 =0x81F9
v43 =0x5524
v44 =0x8971
v45 =0x3A1D
v46 = Int('v46')
v47 = Int('v47')
v48 = Int('v48')
v49 = Int('v49')
v50 = Int('v50')
v51 = Int('v51')
v52 = Int('v52')
v53 = Int('v53')
v54 = Int('v54')
v55 = Int('v55')
v56 = Int('v56')
v57 = Int('v57')
v58 = Int('v58')
v59 = Int('v59')
v60 = Int('v60')
v61 = Int('v61')
v62 = Int('v62')
v63 = Int('v63')
v64 = Int('v64')
v65 = Int('v65')
v66 = Int('v66')
v67 = Int('v67')
v68 = Int('v68')
v69 = Int('v69')
v70 = Int('v70')
v71 = Int('v71')
v72 = Int('v72')
v73 = Int('v73')
v74 = Int('v74')
v75 = Int('v75')
v76 = Int('v76')
v77 = Int('v77')
v78 = Int('v78')
v79 = Int('v79')
v80 = Int('v80')
v81 = Int('v81')
v82 = Int('v82')
v83 = Int('v83')
v84 = Int('v84')
v85 = Int('v85')
v86 = Int('v86')
v87 = Int('v87')
s = Solver()
s.add(v4 == 34 * v49 + 12 * v46 + 53 * v47 + 6 * v48 + 58 * v50 + 36 * v51 + v52)
s.add(v5 == 27 * v50 + 73 * v49 + 12 * v48 + 83 * v46 + 85 * v47 + 96 * v51 + 52 * v52)
s.add(v6 == 24 * v48 + 78 * v46 + 53 * v47 + 36 * v49 + 86 * v50 + 25 * v51 + 46 * v52)
s.add(v7 == 78 * v47 + 39 * v46 + 52 * v48 + 9 * v49 + 62 * v50 + 37 * v51 + 84 * v52)
s.add(v8 == 48 * v50 + 14 * v48 + 23 * v46 + 6 * v47 + 74 * v49 + 12 * v51 + 83 * v52)
s.add(v9 == 15 * v51 + 48 * v50 + 92 * v48 + 85 * v47 + 27 * v46 + 42 * v49 + 72 * v52)
s.add(v10 == 26 * v51 + 67 * v49 + 6 * v47 + 4 * v46 + 3 * v48 + 68 * v52)
s.add(v11 == 34 * v56 + 12 * v53 + 53 * v54 + 6 * v55 + 58 * v57 + 36 * v58 + v59)
s.add(v12 == 27 * v57 + 73 * v56 + 12 * v55 + 83 * v53 + 85 * v54 + 96 * v58 + 52 * v59)
s.add(v13 == 24 * v55 + 78 * v53 + 53 * v54 + 36 * v56 + 86 * v57 + 25 * v58 + 46 * v59)
s.add(v14 == 78 * v54 + 39 * v53 + 52 * v55 + 9 * v56 + 62 * v57 + 37 * v58 + 84 * v59)
s.add(v15 == 48 * v57 + 14 * v55 + 23 * v53 + 6 * v54 + 74 * v56 + 12 * v58 + 83 * v59)
s.add(v16 == 15 * v58 + 48 * v57 + 92 * v55 + 85 * v54 + 27 * v53 + 42 * v56 + 72 * v59)
s.add(v17 == 26 * v58 + 67 * v56 + 6 * v54 + 4 * v53 + 3 * v55 + 68 * v59)
s.add(v18 == 34 * v63 + 12 * v60 + 53 * v61 + 6 * v62 + 58 * v64 + 36 * v65 + v66)
s.add(v19 == 27 * v64 + 73 * v63 + 12 * v62 + 83 * v60 + 85 * v61 + 96 * v65 + 52 * v66)
s.add(v20 == 24 * v62 + 78 * v60 + 53 * v61 + 36 * v63 + 86 * v64 + 25 * v65 + 46 * v66)
s.add(v21 == 78 * v61 + 39 * v60 + 52 * v62 + 9 * v63 + 62 * v64 + 37 * v65 + 84 * v66)
s.add(v22 == 48 * v64 + 14 * v62 + 23 * v60 + 6 * v61 + 74 * v63 + 12 * v65 + 83 * v66)
s.add(v23 == 15 * v65 + 48 * v64 + 92 * v62 + 85 * v61 + 27 * v60 + 42 * v63 + 72 * v66)
s.add(v24 == 26 * v65 + 67 * v63 + 6 * v61 + 4 * v60 + 3 * v62 + 68 * v66)
s.add(v25 == 34 * v70 + 12 * v67 + 53 * v68 + 6 * v69 + 58 * v71 + 36 * v72 + v73)
s.add(v26 == 27 * v71 + 73 * v70 + 12 * v69 + 83 * v67 + 85 * v68 + 96 * v72 + 52 * v73)
s.add(v27 == 24 * v69 + 78 * v67 + 53 * v68 + 36 * v70 + 86 * v71 + 25 * v72 + 46 * v73)
s.add(v28 == 78 * v68 + 39 * v67 + 52 * v69 + 9 * v70 + 62 * v71 + 37 * v72 + 84 * v73)
s.add(v29 == 48 * v71 + 14 * v69 + 23 * v67 + 6 * v68 + 74 * v70 + 12 * v72 + 83 * v73)
s.add(v30 == 15 * v72 + 48 * v71 + 92 * v69 + 85 * v68 + 27 * v67 + 42 * v70 + 72 * v73)
s.add(v31 == 26 * v72 + 67 * v70 + 6 * v68 + 4 * v67 + 3 * v69 + 68 * v73)
s.add(v32 == 34 * v77 + 12 * v74 + 53 * v75 + 6 * v76 + 58 * v78 + 36 * v79 + v80)
s.add(v33 == 27 * v78 + 73 * v77 + 12 * v76 + 83 * v74 + 85 * v75 + 96 * v79 + 52 * v80)
s.add(v34 == 24 * v76 + 78 * v74 + 53 * v75 + 36 * v77 + 86 * v78 + 25 * v79 + 46 * v80)
s.add(v35 == 78 * v75 + 39 * v74 + 52 * v76 + 9 * v77 + 62 * v78 + 37 * v79 + 84 * v80)
s.add(v36 == 48 * v78 + 14 * v76 + 23 * v74 + 6 * v75 + 74 * v77 + 12 * v79 + 83 * v80)
s.add(v37 == 15 * v79 + 48 * v78 + 92 * v76 + 85 * v75 + 27 * v74 + 42 * v77 + 72 * v80)
s.add(v38 == 26 * v79 + 67 * v77 + 6 * v75 + 4 * v74 + 3 * v76 + 68 * v80)
s.add(v39 == 34 * v84 + 12 * v81 + 53 * v82 + 6 * v83 + 58 * v85 + 36 * v86 + v87)
s.add(v40 == 27 * v85 + 73 * v84 + 12 * v83 + 83 * v81 + 85 * v82 + 96 * v86 + 52 * v87)
s.add(v41 == 24 * v83 + 78 * v81 + 53 * v82 + 36 * v84 + 86 * v85 + 25 * v86 + 46 * v87)
s.add(v42 == 78 * v82 + 39 * v81 + 52 * v83 + 9 * v84 + 62 * v85 + 37 * v86 + 84 * v87)
s.add(v43 == 48 * v85 + 14 * v83 + 23 * v81 + 6 * v82 + 74 * v84 + 12 * v86 + 83 * v87)
s.add(v44 == 15 * v86 + 48 * v85 + 92 * v83 + 85 * v82 + 27 * v81 + 42 * v84 + 72 * v87)
s.add(v45 == 26 * v86 + 67 * v84 + 6 * v82 + 4 * v81 + 3 * v83 + 68 * v87)

s.check()
result = s.model()
print(result)

The model lists the characters out of order; just print them in order.

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# @Author :iqiqiya
# @Blog :iqiqiya.com
# @Time :2020/8/20
# @FileName :77.py
v84 = 54
v65 = 52
v63 = 57
v74 = 45
v47 = 108
v62 = 98
v81 = 97
v64 = 45
v48 = 97
v51 = 55
v58 = 51
v53 = 49
v49 = 103
v55 = 49
v57 = 52
v67 = 49
v54 = 55
v70 = 57
v69 = 45
v56 = 100
v86 = 56
v72 = 48
v60 = 54
v78 = 52
v68 = 56
v79 = 99
v75 = 54
v46 = 102
v77 = 49
v76 = 101
v50 = 123
v61 = 51
v71 = 57
v82 = 102
v83 = 101
v85 = 52
v87 = 125
v80 = 50
v73 = 101
v66 = 101
v59 = 45
v52 = 101
print(chr(v46)+chr(v47)+chr(v48)+chr(v49)+chr(v50)+chr(v51)+chr(v52)+chr(v53)+
chr(v54)+chr(v55)+chr(v56)+chr(v57)+chr(v58)+chr(v59)+chr(v60)+chr(v61)
+chr(v62)+chr(v63)+chr(v64)+chr(v65)+chr(v66)+chr(v67)+chr(v68)+chr(v69)+
chr(v70) + chr(v71)
+ chr(v72) + chr(v73) + chr(v74) + chr(v75) + chr(v76) + chr(v77) + chr(v78) + chr(v79)
+chr(v80)+chr(v81)
+chr(v82)+chr(v83)+chr(v84)+chr(v85)+chr(v86)+chr(v87))

Running it yields the flag.
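The six groups of equations in the script above share one 7x7 coefficient matrix, so the check is an ordinary linear system per seven-character block and can be inverted directly. As an added example (not the author's script), the following recovers the input with exact Gaussian elimination from the standard library instead of Z3; the names M, TARGETS, solve_exact and recover_input are chosen here, while the coefficients and constants are the ones on the page.

```python
from fractions import Fraction

# Coefficients from the page's s.add(...) lines, reordered so that column k
# multiplies the k-th character of a block (v46..v52 for the first block).
M = [
    [12, 53,  6, 34, 58, 36,  1],
    [83, 85, 12, 73, 27, 96, 52],
    [78, 53, 24, 36, 86, 25, 46],
    [39, 78, 52,  9, 62, 37, 84],
    [23,  6, 14, 74, 48, 12, 83],
    [27, 85, 92, 42, 48, 15, 72],
    [ 4,  6,  3, 67,  0, 26, 68],
]
# Comparison constants v4..v45 from the page, seven per block.
TARGETS = [
    0x4F17, 0x9CF6, 0x8DDB, 0x8EA6, 0x6929, 0x9911, 0x40A2,
    0x2F3E, 0x62B6, 0x4B82, 0x486C, 0x4002, 0x52D7, 0x2DEF,
    0x28DC, 0x640D, 0x528F, 0x613B, 0x4781, 0x6B17, 0x3237,
    0x2A93, 0x615F, 0x50BE, 0x598E, 0x4656, 0x5B31, 0x313A,
    0x3010, 0x67FE, 0x4D5F, 0x58DB, 0x3799, 0x60A0, 0x2750,
    0x3759, 0x8953, 0x7122, 0x81F9, 0x5524, 0x8971, 0x3A1D,
]

def solve_exact(matrix, rhs):
    """Gauss-Jordan elimination over the rationals; raises if singular."""
    n = len(matrix)
    aug = [[Fraction(c) for c in row] + [Fraction(b)]
           for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular, solution not unique")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        aug[col] = [x / aug[col][col] for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                factor = aug[r][col]
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def recover_input():
    """Solve each 7-character block and join the results in input order."""
    chars = []
    for k in range(0, len(TARGETS), 7):
        block = solve_exact(M, TARGETS[k:k + 7])
        if any(x.denominator != 1 or not 0x20 <= x <= 0x7E for x in block):
            raise ValueError("block %d has no printable solution" % (k // 7))
        chars.extend(chr(int(x)) for x in block)
    return "".join(chars)
```

Because the solution of each block is unique, the result comes back already ordered and no second reordering script is needed.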


diskdump

Use binwalk -e disk_dump to extract the file 0.ext.

You can keep extracting, or mount it as a filesystem:

mount 0.ext /mnt

Entering the directory reveals the misc01 folder, which contains three files.


Analyzing demo reveals the encryption algorithm.


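The real encrypted flag is still inside the disk dump (PS: this step takes some guesswork).

Search the hex for the signature of the encrypted data, 44 2A 03.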


Opening the image shows a message that the flag has been deleted. I later found that **extundelete** can also be used here to recover flag.txt:

apt-get install extundelete
extundelete disk_dump --restore-all
cd RECOVERED_FILES/
cd misc01/
cat flag.txt

Writing a script then yields the flag, as shown below:

flag = ''
# Not used by the loop below
fake_flag = [0x44, 0x2A, 0x03, 0xE5, 0x29, 0xBC, 0x96, 0x7F,
             0x55, 0x35, 0x1B, 0xE1, 0xDD, 0xA4, 0x85, 0xA2, 0x1D,
             0x0E, 0xEF, 0xD0, 0xA7, 0x6B]
# Encrypted bytes found in the disk dump
real_flag = [0x44, 0x2A, 0x03, 0xE5, 0x29, 0xA3, 0xAF, 0x62, 0x05, 0x31, 0x4E, 0xF3,
             0xD6, 0xEB, 0x90, 0x66, 0x24, 0x5C, 0xB7, 0x92, 0xF6, 0xD7, 0x4D, 0x0B,
             0x6A, 0x41, 0xA3, 0x85, 0xEF, 0x90, 0x5A, 0x7E, 0x5B, 0xEC, 0xC1, 0xF0,
             0xD4, 0x61, 0x12, 0x12, 0x45, 0xEB, 0xB8]
i = 0      # subtracted offset, cycles through 0, 2, ..., 14
v4 = 0x22  # XOR key, increases by 0x22 for every byte
for j in range(len(real_flag)):
    ff = (v4 ^ real_flag[j]) - i
    print(hex(ff & 0xff))
    flag += chr(ff & 0xff)
    v4 += 0x22
    i = (i + 2) & 0xF
print(flag)
#flag{e5d7c4ed-b8f6-4417-8317-b809fc26c047}
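The hex search for 44 2A 03 works because the cipher is position-dependent but unkeyed, so every ciphertext of a string starting with "flag{" begins with the same bytes. As an added example (not code from the challenge or the author), the following inverts the decryption loop above to get an encrypt() routine, derives the search signature from the known prefix, and carves every match out of a buffer; encrypt(), carve() and SAMPLE_IMAGE are names and data constructed here, and encrypt() is inferred from the page's loop rather than taken from the demo binary.

```python
# Byte lists copied from the write-up's script.
FAKE = bytes([0x44, 0x2A, 0x03, 0xE5, 0x29, 0xBC, 0x96, 0x7F, 0x55, 0x35, 0x1B,
              0xE1, 0xDD, 0xA4, 0x85, 0xA2, 0x1D, 0x0E, 0xEF, 0xD0, 0xA7, 0x6B])
REAL = bytes([0x44, 0x2A, 0x03, 0xE5, 0x29, 0xA3, 0xAF, 0x62, 0x05, 0x31, 0x4E,
              0xF3, 0xD6, 0xEB, 0x90, 0x66, 0x24, 0x5C, 0xB7, 0x92, 0xF6, 0xD7,
              0x4D, 0x0B, 0x6A, 0x41, 0xA3, 0x85, 0xEF, 0x90, 0x5A, 0x7E, 0x5B,
              0xEC, 0xC1, 0xF0, 0xD4, 0x61, 0x12, 0x12, 0x45, 0xEB, 0xB8])

def decrypt(data):
    """The page's loop: plain = ((key ^ cipher) - off) mod 256."""
    out, key, off = bytearray(), 0x22, 0
    for c in data:
        out.append(((key ^ c) - off) & 0xFF)
        key = (key + 0x22) & 0xFF  # only the low byte of the key matters
        off = (off + 2) & 0xF
    return bytes(out)

def encrypt(plain):
    """Inverse of decrypt(), derived here (assumption, not the demo's code)."""
    out, key, off = bytearray(), 0x22, 0
    for p in plain:
        out.append(((p + off) & 0xFF) ^ key)
        key = (key + 0x22) & 0xFF
        off = (off + 2) & 0xF
    return bytes(out)

def carve(image, known_prefix=b"flag{", window=64):
    """Locate each encrypted known prefix and decrypt up to the first '}'."""
    signature = encrypt(known_prefix)
    hits, pos = [], image.find(signature)
    while pos != -1:
        plain = decrypt(image[pos:pos + window])
        end = plain.find(b"}")
        if end != -1:
            hits.append((pos, plain[:end + 1].decode("ascii", "replace")))
        pos = image.find(signature, pos + 1)
    return hits

# Constructed stand-in for the raw dump: filler bytes around both ciphertexts.
SAMPLE_IMAGE = b"\x00" * 16 + FAKE + b"\xff" * 9 + REAL + b"\x00" * 8

if __name__ == "__main__":
    for offset, text in carve(SAMPLE_IMAGE):
        print(hex(offset), text)
```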