先用 GDB 运行一下，运行到等待用户输入处时用 bt 指令查看调用栈，由此得知 main 函数的位置，同时可以判断出程序是用 Go 语言编写的。
搜索后得知 Ghidra 有针对 Go 语言的反编译插件（https://github.com/felberj/gotools），安装后进入 main.main 函数，反编译结果如下图所示：
函数逻辑比较清晰,直接上Z3求解一把梭
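# -*- coding: UTF-8 -*-
from z3 import *

# Solve for the 23-character flag checked by main.main.
#
# Each flag character is modelled as a 7-bit symbolic value, exactly as the
# original script did, so arithmetic on them wraps modulo 128 the same way.
# The variables are created directly with BitVec() instead of by building a
# "cN = BitVec(...)" string and running it through exec()/eval(); the result
# is identical and there is no dynamically executed code.
FLAG_LEN = 23
flag = [BitVec("c" + str(i), 7) for i in range(FLAG_LEN)]

s = Solver()

# Characters that are compared against constants in the binary.
s.add(flag[2] == ord('t'))
s.add(flag[5] == ord('s'))
s.add(flag[9] == ord('c'))
s.add(flag[0x10] == ord('n'))
s.add(flag[0x15] == ord('z'))
s.add(flag[0x16] == ord('}'))
s.add(flag[3] == ord('f'))
s.add(flag[1] == ord('c'))
s.add(flag[7] == ord('d'))
s.add(flag[0xc] == flag[0xd])
s.add(flag[0x13] == ord('z'))

# Temporaries named after the decompiler's locals (cVar2, cVar3, cVar5,
# bVar6) so each constraint below can be matched against the Ghidra output.
cVar2 = flag[6]
s.add(cVar2 + flag[0xe] == ord('h'))
s.add(flag[4] == ord('{'))
s.add(flag[0xf] == flag[8])
s.add(flag[8] == ord('_'))
cVar3 = flag[0x11]
s.add((-0x5b - cVar3) == flag[0xb])
cVar5 = flag[0x12] - cVar3
s.add(flag[0xb] + -0x73 - flag[0x12] + cVar3 == cVar5)
bVar6 = cVar2 - cVar3
s.add(flag[0xd] + 0x01 == flag[10])
s.add(bVar6 * 3 + ord('\\') == flag[10])
s.add(flag[0x14] + -99 == cVar5 * 2)
# '/' on z3 bit-vectors is signed division, matching the original script.
s.add(flag[0] == (bVar6 / 2) * cVar5 + ord('n'))
s.add((flag[0x14] + -99) == (cVar5 * 2))
s.add(cVar2 == flag[0xe])
s.add(bVar6 == cVar5 * 4)

# Only ask for a model when the constraints are satisfiable; calling
# s.model() after an unsat/unknown result raises a Z3Exception.
result = s.check()
if result != sat:
    raise SystemExit(f"no solution found (solver returned {result})")
m = s.model()
print(m)

# model_completion=True assigns a concrete value to any character the
# constraints leave unconstrained, so as_long() always succeeds.
for c in flag:
    val = m.evaluate(c, model_completion=True).as_long()
    print(chr(val), end="")
print()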