re学习笔记（39）BUUCTF-re-[GWCTF 2019]xxor

新手一枚，如有错误（不足）请指正，谢谢！！
个人博客：点击进入
题目链接：[GWCTF 2019]xxor

IDA载入，主要函数代码

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  signed int i; // [rsp+8h] [rbp-68h]
  signed int j; // [rsp+Ch] [rbp-64h]
  int v6[10]; // [rsp+10h] [rbp-60h]
  int v7[10]; // [rsp+40h] [rbp-30h]
  unsigned __int64 v8; // [rsp+68h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  puts("Let us play a game?");
  puts("you have six chances to input");
  puts("Come on!");
  *(_QWORD *)v6 = 0LL;
  *(_QWORD *)&v6[2] = 0LL;
  *(_QWORD *)&v6[4] = 0LL;
  *(_QWORD *)&v6[6] = 0LL;
  *(_QWORD *)&v6[8] = 0LL;
  for ( i = 0; i <= 5; ++i )
  {
    printf("%s", "input: ", (unsigned int)i);
    __isoc99_scanf("%d", &v6[i]);
  }
  *(_QWORD *)v7 = 0LL;
  *(_QWORD *)&v7[2] = 0LL;
  *(_QWORD *)&v7[4] = 0LL;
  *(_QWORD *)&v7[6] = 0LL;
  *(_QWORD *)&v7[8] = 0LL;
  for ( j = 0; j <= 4; j += 2 )
  {
    y = v6[j];
    x = v6[j + 1];
    sub_400686((unsigned int *)&y, dword_601060);
    v7[j] = y;
    v7[j + 1] = x;
  }
  if ( (unsigned int)sub_400770(v7) != 1 )
  {
    puts("NO NO NO~ ");
    exit(0);
  }
  puts("Congratulation!\n");
  puts("You seccess half\n");
  puts("Do not forget to change input to hex and combine~\n");
  puts("ByeBye");
  return 0LL;
}

输入6个数，然后每两个数进入sub_400686()函数进行变换，
之后sub_400770()函数来验证是否成功

先看sub_400770()函数

只要这些条件满足就会返回1了，一个数学方程组，懒惰的我直接丢给Z3来解了。

xorm[0] = 3746099070,
xorm[1] = 550153460,
xorm[2] = 3774025685,
xorm[3] = 1548802262,
xorm[4] = 2652626477,
xorm[5] = 2230518816

之后看一下sub_400686()函数

写脚本来解密，得到flag

#include 
int main()
{
	unsigned int xorm[6];
	xorm[0] = 3746099070;
	xorm[1] = 550153460;
	xorm[2] = 3774025685;
	xorm[3] = 1548802262;
	xorm[4] = 2652626477;
	xorm[5] = 2230518816;
	int i = 0,j=0,sum;
	unsigned int temp[2] = {0};
	unsigned int data[4] = { 2,2,3,4 };
	for (i = 0; i < 5; i += 2)
	{
		temp[0] = xorm[i];
		temp[1] = xorm[i + 1];

		sum = 0x458BCD42 * 64;
		for (j = 0; j < 64; j++)
		{
			temp[1] -= (temp[0] + sum + 20) ^ ((temp[0] << 6) + 3) ^ ((temp[0] >> 9) + 4) ^ 0x10;
			temp[0] -= (temp[1] + sum + 11) ^ ((temp[1] << 6) + 2) ^ ((temp[1] >> 9) + 2) ^ 0x20;
			sum -= 0x458BCD42;
		}
		xorm[i] = temp[0];
		xorm[i + 1] = temp[1];
	}
	for (i = 0; i < 6; i++)
		printf("%c%c%c", *((char*)&xorm[i]+2), *((char*)&xorm[i] + 1), *(char*)&xorm[i]);
}

最后得到flag为flag{re_is_great!}