buu_[b01lers2020]chugga_chugga

0x01 查壳

buu_[b01lers2020]chugga_chugga_第1张图片
无壳,x64

0x02 祭出ida

// main.main
// Decompiled Go entry point of the crackme.  It loops forever: print a
// prompt, read one string, compare it byte-by-byte against a fixed set of
// linear constraints, and call main_win() on a match.  The loop has no exit
// condition; the only way out is a failed bounds check, which lands on
// runtime_panicindex() at the bottom.
void __cdecl __noreturn main_main()
{
  __int64 i; // rcx
  unsigned __int64 v1; // rcx
  _BYTE *v2; // rdx
  __int64 v3; // rax
  unsigned __int8 v4; // r9
  char v5; // bl
  char v6; // si
  char v7; // r10
  char v8; // r8
  char v9; // r11
  char v10; // r12
  char v11; // r13
  char v12; // r13
  char v13; // r14
  char v14; // cl
  char v15; // r14
  char v16; // cl
  unsigned __int8 v17; // r13
  char v18; // r11
  __int64 v19; // [rsp+8h] [rbp-A0h]
  __int64 v20; // [rsp+40h] [rbp-68h]
  __int64 v21; // [rsp+48h] [rbp-60h]
  __int64 v22[2]; // [rsp+50h] [rbp-58h] BYREF
  __int64 v23[2]; // [rsp+60h] [rbp-48h] BYREF
  __int64 v24[2]; // [rsp+70h] [rbp-38h] BYREF
  __int64 v25[2]; // [rsp+80h] [rbp-28h] BYREF
  const __int64 *v26; // [rsp+90h] [rbp-18h]
  __int64 v27; // [rsp+98h] [rbp-10h]

  // Heap-allocate the Go `string` that fmt_Fscan fills in below (v23 passes
  // it as a *string).
  v21 = runtime_newobject((__int64)&RTYPE_string);
  // i is the attempt counter: v3 is set to v20 (unchanged) on the success
  // path and to v20 + 1 on the failure path, so it only advances on failure.
  for ( i = 0LL; ; i = v3 )
  {
    v20 = i;
    v19 = runtime_convT64(i);
    // Fprintln(os.Stdout, <statictmp_2>, i): two operands, a string and an int.
    v25[0] = (__int64)&RTYPE_string;
    v25[1] = (__int64)&main_statictmp_2;
    v26 = &RTYPE_int;
    v27 = v19;
    fmt_Fprintln((__int64)&go_itab__ptr_os_File_comma_io_Writer, os_Stdout, (__int64)v25, 2LL, 2LL);
    // Fprintln(os.Stdout, <statictmp_3>): one operand.
    v24[0] = (__int64)&RTYPE_string;
    v24[1] = (__int64)&main_statictmp_3;
    fmt_Fprintln((__int64)&go_itab__ptr_os_File_comma_io_Writer, os_Stdout, (__int64)v24, 1LL, 1LL);
    // Fscan(os.Stdin, &s): reads one token into the string at v21.
    v23[0] = (__int64)&RTYPE__ptr_string;
    v23[1] = v21;
    fmt_Fscan((__int64)&go_itab__ptr_os_File_comma_io_Reader, os_Stdin, (__int64)v23, 1LL, 1LL);
    // Go string header: data pointer at +0, length at +8.
    v1 = *(_QWORD *)(v21 + 8);
    v2 = *(_BYTE **)v21;
    // Each `if ( v1 <= k ) break;` is the compiler-inserted bounds check for
    // the v2[k] read that follows it.  `break` leaves the for loop and lands
    // on runtime_panicindex(), so an input shorter than 23 bytes crashes with
    // an index-out-of-range panic instead of reaching the failure message.
    // Every mismatch (`goto LABEL_5`) goes to the failure message instead.
    if ( v1 <= 2 )
      break;
    if ( v2[2] != 't' )
      goto LABEL_5;
    if ( v1 <= 9 )
      break;
    if ( v2[9] != 'c' )
      goto LABEL_5;
    if ( v1 <= 0x10 )
      break;
    if ( v2[16] != 110 )
      goto LABEL_5;
    if ( v1 <= 0x15 )
      break;
    if ( v2[21] != 122 )
      goto LABEL_5;
    // Last length check: after this, v1 >= 23.  Every index read below is
    // <= 22, which is presumably why no further length checks appear.  Note
    // that there is no upper bound on the length: bytes past index 22 are
    // never examined.
    if ( v1 <= 0x16 )
      break;
    if ( v2[22] != 125 )
      goto LABEL_5;
    // v4 is unsigned __int8, so the `v4 ^ 0x6E` test further down operates on
    // the zero-extended byte.
    v4 = v2[5];
    if ( v4 != 115 )
      goto LABEL_5;
    if ( (v2[3] ^ 't') != 18 )
      goto LABEL_5;
    v5 = v2[1];
    if ( v5 != 'c' )
      goto LABEL_5;
    v6 = v2[7];
    if ( v6 != 100 )
      goto LABEL_5;
    v7 = v2[13];
    if ( v2[12] != v7 )
      goto LABEL_5;
    if ( v2[19] != 0x7A )
      goto LABEL_5;
    v8 = v2[14];
    v9 = v2[6];
    if ( v9 + v8 != 104 )
      goto LABEL_5;
    v10 = v2[4];
    if ( v10 != 123 )
      goto LABEL_5;
    v11 = v2[8];
    if ( v2[15] != v11 )
      goto LABEL_5;
    // The remaining constraints are one short-circuit chain; the comma
    // expressions assign temporaries as a side effect mid-condition.  v15 and
    // v16 are `char`, so the sums feeding them are truncated to a byte; v17
    // is `unsigned __int8`, so `v17 >> 1` is a logical shift of a 0..255
    // value.  Anyone re-modelling these constraints needs those widths.
    if ( v11 + 4 == v5
      && (v12 = v2[17], v13 = v2[11], 125 - v12 + 40 == v13)
      && (v14 = v2[18], v15 = v12 + v13 - v4 - v14, v16 = v14 - v12, v15 == v16)
      && (v17 = v9 - v12, *v2 == v16 * (v17 >> 1) + 110)
      && (v18 = v2[10], v7 + 1 == v18)
      && v17 + 2 * v17 + 4 * (v10 - v6) == v18
      && v2[20] - v5 == 2 * v16
      && (v4 ^ 0x6E) == 29
      && v17 == 4 * v16
      && v2[6] == v8 )
    {
      // All constraints hold: report the win and keep the counter as is.
      main_win();
      v3 = v20;
    }
    else
    {
LABEL_5:
      // Failure path: Fprintln(os.Stdout, <statictmp_4>) and bump the counter.
      v22[0] = (__int64)&RTYPE_string;
      v22[1] = (__int64)&main_statictmp_4;
      fmt_Fprintln((__int64)&go_itab__ptr_os_File_comma_io_Writer, os_Stdout, (__int64)v22, 1LL, 1LL);
      v3 = v20 + 1;
    }
  }
  // Reached only through a `break` above, i.e. a failed bounds check.
  runtime_panicindex();
}

学习下

https://blog.csdn.net/shadow20080578/article/details/121174785

fmt_Fscan 读入flag
v1 = *(_QWORD *)(v21 + 8);
v2 = *(_BYTE **)v21;
v1 代表flag的length
一连串 `if ( v1 <= N ) break;` 是 Go 编译器插入的下标越界检查,break 之后直接落到 runtime_panicindex();最后一次检查是 v1 <= 0x16,说明输入至少要有 23 个字节(下标 0~22),所以脚本里建 23 个变量。
然后接下来就是很多线性判断,改写代码后用z3解出即可

0x03 exp

# !/usr/bin/env python
# -*- coding: utf-8 -*-

# @author: yjp
# @software: PyCharm
# @file: exp.py
# @time: 2022-08-19 6:32
from z3 import *

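# Rebuild the constraint chain of main_main() for z3.
#
# The binary reads bytes (v2 is a _BYTE *) and promotes them to int before
# doing arithmetic (e.g. `v9 + v8 != 104`), so every symbol is a 32-bit
# bit-vector pinned to 0..255: wide enough that the int arithmetic never
# wraps, and narrow enough that bytes() accepts the model.  (9-bit vectors
# could both wrap inside the sums and take values above 255, which bytes()
# rejects with ValueError.)  The last bounds check in the binary is
# `v1 <= 0x16`, so the input needs at least 23 bytes; nothing past index 22
# is examined, so 23 symbols suffice.
s = Solver()
x = [BitVec('x%d' % i, 32) for i in range(23)]
print(x)

for b in x:
    s.add(And(b >= 0, b <= 0xFF))


def as_char(e):
    """Model assignment to a C `char`: keep the low byte, sign-extend it."""
    return SignExt(24, Extract(7, 0, e))


def as_u8(e):
    """Model assignment to an `unsigned __int8`: keep the low byte, zero-extend it."""
    return ZeroExt(24, Extract(7, 0, e))


# Direct byte comparisons (`v2[k] != c`).
s.add(x[2] == ord('t'))
s.add(x[9] == ord('c'))
s.add(x[16] == 110)
s.add(x[21] == 122)
s.add(x[22] == 125)
# Temporaries keep the decompiler's names and C widths: v4/v17 are
# unsigned __int8, the rest are char.
v4 = as_u8(x[5])
s.add(v4 == 115)
s.add((x[3] ^ ord('t')) == 18)
v5 = as_char(x[1])
s.add(v5 == ord('c'))
v6 = as_char(x[7])
s.add(v6 == 100)
v7 = as_char(x[13])
s.add(x[12] == v7)
s.add(x[19] == 0x7A)
v8 = as_char(x[14])
v9 = as_char(x[6])
s.add(v9 + v8 == 104)
v10 = as_char(x[4])
s.add(v10 == 123)
v11 = as_char(x[8])
s.add(x[15] == v11)
s.add(v11 + 4 == v5)
v12 = as_char(x[17])
v13 = as_char(x[11])
s.add(125 - v12 + 40 == v13)
v14 = as_char(x[18])
v15 = as_char(v12 + v13 - v4 - v14)  # `char v15 = ...`: sum truncated to a byte
v16 = as_char(v14 - v12)             # `char v16 = ...`
s.add(v15 == v16)
v17 = as_u8(v9 - v12)                # `unsigned __int8 v17 = ...`
# v17 is unsigned in the binary, so `v17 >> 1` is a logical shift.
s.add(x[0] == v16 * LShR(v17, 1) + 110)
v18 = as_char(x[10])
s.add(v7 + 1 == v18)
s.add(v17 + 2 * v17 + 4 * (v10 - v6) == v18)
s.add(x[20] - v5 == 2 * v16)
s.add((v4 ^ 0x6E) == 29)
s.add(v17 == 4 * v16)
s.add(x[6] == v8)

# `assert` is stripped under -O; fail loudly instead of reading an empty model.
if s.check() != sat:
    raise SystemExit("the constraint system is unsatisfiable")
m = s.model()
print(m)
# model_completion=True fills in any symbol the model left unconstrained,
# so .as_long() can never hit a None.
flag = bytes(m.eval(b, model_completion=True).as_long() for b in x)
print(flag)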

0x04 结语

go语言逆向;使用z3方便快捷地解决线性约束问题
