BeginCTF-Re-xor
z3模拟运算代码
from z3 import *
flag = [BitVec('u%d'%i,8) for i in range(0,32)]
table1 = "63290794207715587679621386735000"
byte1 = "6329079420771558"
byte2 = "7679621386735000"
table = "41803873625901363092606632787947"
byte11 = "4180387362590136"
byte22 = "3092606632787947"
enc = "`agh{^bvuwTooahlYocPtmyiijj|ek\'p"
enc1 = [0x60, 0x61, 0x67, 0x68, 0x7B, 0x5E, 0x62, 0x76, 0x75, 0x77, 0x54, 0x6F, 0x6F, 0x61, 0x68, 0x6C, 0x59, 0x6F, 0x63, 0x50, 0x74, 0x6D, 0x79, 0x69, 0x69, 0x6A, 0x6A, 0x7C, 0x65, 0x6B, 0x27, 0x70]
print(enc)
tmp1 = [0]*16
tmp2 = [0]*16
tmp11 = [0]*16
tmp22 = [0]*32
tmp22_0 = [0]*16
tmp22_1 = [0]*16
byte_14001D7C0 = [0]*32
'''
赋值
'''
for i in range(16):
tmp1[i] = flag[i]
for j in range(16):
tmp2[j] = flag[j+16]
'''
xor
'''
for i in range(16):
tmp1[i]^= ord(byte2[i])
tmp1[i] = tmp1[i] & 0xff
for i in range(16):
tmp2[i]^= ord(byte1[i])
tmp2[i] = tmp2[i]&0xff
for i in range(16):
tmp1[i]^= ord(byte1[i])
tmp1[i] = tmp1[i] & 0xff
for i in range(16):
tmp2[i]^= ord(byte2[i])
'''
xor_re
'''
for i in range(1,16):
tmp1[i]^=ord(byte2[16-i])
for i in range(1,16):
tmp2[i]^=ord(byte1[16-i])
for i in range(1,16):
tmp1[i]^=ord(byte1[16-i])
for i in range(1,16):
tmp2[i]^=ord(byte2[16-i])
'''
fuzhi2
'''
for i in range(16):
tmp22[i] = tmp2[i]
for i in range(16):
tmp22[i+16] = tmp1[i]
'''
'''
for i in range(16):
tmp22_0[i] = tmp22[i]
for i in range(16):
tmp22_1[i] = tmp22[i+16]
'''
xor
'''
for i in range(16):
tmp22_0[i] ^= byte22[i]
for i in range(16):
tmp22_1[i] ^= byte11[i]
'''
'''
for i in range(16):
tmp22_0[i] ^= byte11[i]
for i in range(16):
tmp22_1[i] ^= byte22[i]
for i in range(1,16):
tmp22_0[i] ^= byte22[16 - i]
for i in range(1,16):
tmp22_1[i] ^= byte11[16 - i]
'''
'''
for i in range(1,16):
tmp22_0[i] ^= byte11[16 - i]
for i in range(1,16):
tmp22_1[i] ^= byte22[16 - i]
for i in range(16):
byte_14001D7C0[i] = tmp22_1[i]
for i in range(16):
byte_14001D7C0[i + 16] = tmp22_0[i]
s = Solver()
for i in range(32):
s.add(byte_14001D7C0[i]==enc1[i])
print(s.check())
result = s.model()
print(result)
flag1 = ''
for i in range(0,32):
flag1 += chr(result[flag[i]].as_long().real)
print(flag1)
注意下面基础的下标,与伪代码要稍加改动。这地方卡了好久(菜鸡崩溃)。