手扣字节码
原来扣过一次,大概明白是怎么回事了。字节码用栈实现逆波兰式的方式运算,比如load a,load 38, op < 就是a<38 (符号在后,遇到符号就pop然后结果push)
13 143 LOAD_NAME 6 (a)
146 LOAD_CONST 30 (38)
149 COMPARE_OP 0 (<)
慢慢扣完大致程序也就出来了
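# XOR key and expected bytes, as transcribed by hand from the bytecode dump.
en = [3, 37, 72, 9, 6, 132]
output = [101, 96, 23, 68, 112, 42, 107, 62, 96, 53, 176, 179, 98, 53, 67, 29,
          41, 120, 60, 106, 51, 101, 178, 189, 101, 48]

# Stage 1 of the checker, reconstructed from the bytecode and kept as an inert
# string. It is Python 2 (raw_input), unlike the Python 3 solver below.
# The first five characters are packed as base-2020 digits. Every ord() is
# below 2020, so taking the constant modulo 2020 and then integer-dividing by
# 2020, repeatedly, yields the characters last-to-first.
# The unbalanced parenthesis in the 'bye~' print has been corrected.
'''
print('welcome to GWHT2020')
flag = raw_input('please input your flag:')
str = flag
a = len(str)
if a < 38:
    print('lenth wrong!')
    exit(0)
if (((ord(str[0]) * 2020 + ord(str[1]))*2020 + ord(str[2]))*2020 + ord(str[3]))*2020 + ord(str[4]) == 1182843538814603 :
    print('good!continue')
else:
    print('bye~')
    exit(0)
'''
#GWHT{

# Stage 2: characters 5..30 are taken in pairs, both XORed with the same key
# byte en[i % 6], and stored in swapped order before the comparison with
# `output`.
# NOTE(review): the notes appended to `a`, which holds len(str) at this point;
# the list compared with `output` is `x`, so the appends are written against
# `x` here. Confirm against the bytecode.
'''
x=[]
k=5
for i in range(13): #315
    b = ord(str[k])
    c = ord(str[k + 1 ])
    a11 = c ^ en[i%6]
    a22 = b ^ en[i%6]
    x.append(a11)
    x.append(a22)
    k = k + 2
if x == output:
    print('good')
else:
    exit(0)
'''

# Inverse of stage 2: XOR is its own inverse, so applying the same key byte to
# each stored pair and swapping the two results back restores the input order.
middle = ''.join(
    chr(output[2 * i + 1] ^ en[i % 6]) + chr(output[2 * i] ^ en[i % 6])
    for i in range(13)
)
print(middle, end='')
#cfa2b87b3f746a8f0ac5c5963f

# Stage 3: the six characters before the closing brace must satisfy two
# independent systems of three linear equations (a1..a3 and a4..a6).
# The separate if-tests were merged into one condition in these notes; it is
# parenthesised here so the multi-line condition is valid syntax.
'''
l = len(str)
a1 = ord(str[l-7])
a2 = ord(str[l-6])
a3 = ord(str[l-5])
a4 = ord(str[l-4])
a5 = ord(str[l-3])
a6 = ord(str[l-2])
if (a1*3 + a2*2 + a3*5 == 1003 and a1*4 + a2*7 + a3*9 == 2013 and a1 + a2*8 + a3*2 == 1109
        and a4*3 + a5*2 + a6*5 == 671 and a4*4 + a5*7 + a6*9 == 1252 and a4 + a5*8 + a6*2 == 644):
    print('ok')
else:
    exit(0)
'''
#aeff73
#GWHT{cfa2b87b3f746a8f0ac5c5963faeff73}
#flag{cfa2b87b3f746a8f0ac5c5963faeff73}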
第1段是个2020进制的运算:因为字符的值都在256以内(小于2020),模2020就得到最后一个字符,再整除2020后继续取模,一步步得到flag头 GWHT{
第2段每两个字符与en依次异或,交换顺序后存入列表,再与output比较
第3段是几个if算式,我放到一起了,这块用z3解
>>> from z3 import *
>>> s = Solver()
>>> a1,a2,a3,a4,a5,a6 = Int('a1'),Int('a2'),Int('a3'),Int('a4'),Int('a5'),Int('a6')
>>> s.add(a1*3 + a2*2 + a3*5 == 1003)
>>> s.add(a1*4 + a2*7 + a3*9 == 2013)
>>> s.add(a1 + a2*8 + a3*2 == 1109)
>>> s.add(a4*3 + a5*2 + a6*5 == 671)
>>> s.add(a4*4 + a5*7 + a6*9 == 1252)
>>> s.add(a4 + a5*8 + a6*2 == 644)
>>> s.add(a1>0x20)
>>> s.add(a1<0x7f)
......
>>> s.check()
sat
>>> d = s.model()
>>> d
[a5 = 55, a2 = 101, a6 = 51, a3 = 102, a4 = 102, a1 = 97]
>>> print(bytes([97,101,102,102,55,51]))
b'aeff73'