解题思路:
先拖入exeinfope中查看,是64为并且有upx壳,那么先脱壳
upx -d re
之后回来在查看一下,发现壳被脱掉了。
拖入64位ida中,观察,看到了一大串,但是没有main函数,我们直接shitf+F12查看字符串
我们找到了'correct!'&'Wrong'
__int64 sub_400E28()
{
const char *v0; // rdi
__int64 result; // rax
__int64 v2; // rdx
unsigned __int64 v3; // rt1
__int64 v4; // [rsp+0h] [rbp-30h]
__int64 v5; // [rsp+8h] [rbp-28h]
__int64 v6; // [rsp+10h] [rbp-20h]
__int64 v7; // [rsp+18h] [rbp-18h]
unsigned __int64 v8; // [rsp+28h] [rbp-8h]
v8 = __readfsqword(0x28u);
v4 = 0LL;
v5 = 0LL;
v6 = 0LL;
v7 = 0LL;
sub_40F950((unsigned __int64)"input your flag:");
sub_40FA80((unsigned __int64)"%s");
if ( (unsigned int)sub_4009AE(&v4, &v4) )
{
v0 = "Correct!";
sub_410350("Correct!");
}
else
{
v0 = "Wrong!";
sub_410350("Wrong!");
}
result = 0LL;
v3 = __readfsqword(0x28u);
v2 = v3 ^ v8;
if ( v3 != v8 )
sub_443550(v0, &v4, v2);
return result;
}
首先‘in put your flag'到下面if判断,判断什么时候Correct,发现上面有个函数sub_4009AE,进入看看
_BOOL8 __fastcall sub_4009AE(char *a1)
{
if ( 1629056 * *a1 != 166163712 )
return 0LL;
if ( 6771600 * a1[1] != 731332800 )
return 0LL;
if ( 3682944 * a1[2] != 357245568 )
return 0LL;
if ( 10431000 * a1[3] != 1074393000 )
return 0LL;
if ( 3977328 * a1[4] != 489211344 )
return 0LL;
if ( 5138336 * a1[5] != 518971936 )
return 0LL;
if ( 7532250 * a1[7] != 406741500 )
return 0LL;
if ( 5551632 * a1[8] != 294236496 )
return 0LL;
if ( 3409728 * a1[9] != 177305856 )
return 0LL;
if ( 13013670 * a1[10] != 650683500 )
return 0LL;
if ( 6088797 * a1[11] != 298351053 )
return 0LL;
if ( 7884663 * a1[12] != 386348487 )
return 0LL;
if ( 8944053 * a1[13] != 438258597 )
return 0LL;
if ( 5198490 * a1[14] != 249527520 )
return 0LL;
if ( 4544518 * a1[15] != 445362764 )
return 0LL;
if ( 3645600 * a1[17] != 174988800 )
return 0LL;
if ( 10115280 * a1[16] != 981182160 )
return 0LL;
if ( 9667504 * a1[18] != 493042704 )
return 0LL;
if ( 5364450 * a1[19] != 257493600 )
return 0LL;
if ( 13464540 * a1[20] != 767478780 )
return 0LL;
if ( 5488432 * a1[21] != 312840624 )
return 0LL;
if ( 14479500 * a1[22] != 1404511500 )
return 0LL;
if ( 6451830 * a1[23] != 316139670 )
return 0LL;
if ( 6252576 * a1[24] != 619005024 )
return 0LL;
if ( 7763364 * a1[25] != 372641472 )
return 0LL;
if ( 7327320 * a1[26] != 373693320 )
return 0LL;
if ( 8741520 * a1[27] != 498266640 )
return 0LL;
if ( 8871876 * a1[28] != 452465676 )
return 0LL;
if ( 4086720 * a1[29] != 208422720 )
return 0LL;
if ( 9374400 * a1[30] == 515592000 )
return 5759124 * a1[31] == 719890500;
return 0LL;
}
其目的是为了将你输入的和这些chr之后的值进行比对,完全相等时则返回correct
典型z3约束器求解
脚本
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<stdint.h>
char a1[32] = { 0 };
int main() {
a1[0] = 166163712 / 1629056;
a1[1] = 731332800 / 6771600;
a1[2] = 357245568 / 3682944;
a1[3] = 1074393000 / 10431000;
a1[4] = 489211344/ 3977328;
a1[5] = 518971936 / 5138336;
a1[7] = 406741500 / 7532250;
a1[8] = 294236496 / 5551632;
a1[9] = 177305856 / 3409728;
a1[10] = 650683500 / 13013670;
a1[11] = 298351053 / 6088797;
a1[12] = 386348487 / 7884663;
a1[13] = 438258597 / 8944053;
a1[14] = 249527520 / 5198490;
a1[15] = 445362764 / 4544518;
a1[17] = 174988800 / 3645600;
a1[16] = 981182160 / 10115280;
a1[18] = 493042704 / 9667504;
a1[19] = 257493600 / 5364450;
a1[20] = 767478780 / 13464540;
a1[21] = 312840624 / 5488432;
a1[22] = 1404511500 / 14479500;
a1[23] = 316139670 / 6451830;
a1[24] = 619005024 / 6252576;
a1[25] = 372641472 / 7763364;
a1[26] = 373693320 / 7327320;
a1[27] = 498266640 / 8741520;
a1[28] = 452465676 / 8871876;
a1[29] = 208422720 / 4086720;
a1[30] = 515592000 / 9374400;
a1[31] = 719890500/ 5759124;
for (int i = 0; i < 32; i++) {
printf("%c", a1[i]);
}
return 0;
}
最后可以获得flag是flag{e65421110ba03099a1c039337},之后发现会缺一个,因为缺少一位,只能一点一点去实验,之后这个数为1,所以是flag{e165421110ba03099a1c039337}