BUU-simple CPP

 一道用z3约束器求解的题目

 

 

 

 

 

 

 

 

 

这里赋值 弄过来弄过去  可以化解成如下

s.add((ss3 & ~ss2) & ss1 | ss3 & (((ss2 & ss1) | ss2 & ~ss1 | ~(ss2 | ss1))) == 577031497978884115)
s.add(4483974544037412639 ^ ss4 == 4483974543195470111)
s.add((ss3 & ~ss1) == 1176889593874)
s.add(4483974544037412639 == (ss3 & ~ss1) | (ss2 & ss1) | (ss3 & ~ss2) | (ss1 & ~ss2))

尝试后多解 百度后发现给出了hint 第二位的值为  e!P0or_a     写脚本加条件

b = 'i_will_check_is_debug_or_noi_wil'
c = 'e!P0or_a'
d = 0
for i in range(8):
    d = (d << 8) + (ord(c[i]) ^ ord(b[i+8]))
s.add(ss2 == d) 

最后出来只有一个解 得到答案 

import z3




ss1 = z3.BitVec('ss1',64)
ss2 = z3.BitVec('ss2',64)
ss3 = z3.BitVec('ss3',64)
ss4 = z3.BitVec('ss4',64)

s = z3.Solver()
s.add((ss3 & ~ss2) & ss1 | ss3 & (((ss2 & ss1) | ss2 & ~ss1 | ~(ss2 | ss1))) == 577031497978884115)
s.add(4483974544037412639 ^ ss4 == 4483974543195470111)
s.add((ss3 & ~ss1) == 1176889593874)
s.add(4483974544037412639 == (ss3 & ~ss1) | (ss2 & ss1) | (ss3 & ~ss2) | (ss1 & ~ss2))

b = 'i_will_check_is_debug_or_noi_wil'
c = 'e!P0or_a'
d = 0
for i in range(8):
    d = (d << 8) + (ord(c[i]) ^ ord(b[i+8]))
s.add(ss2 == d) 



while s.check() == z3.sat:
    m = s.model()
    print hex(m[ss1].as_long())
    print hex(m[ss2].as_long())
    print hex(m[ss3].as_long())
    print hex(m[ss4].as_long())
    print '___________________'
    s.add(z3.Or(ss1 != m[ss1], ss2 != m[ss2], ss3 != m[ss3], ss4 != m[ss4]))

k = [0x3e,0x3a,0x46,0x05,0x33,0x28,0x6f,0x0d,0x0d,0x44,0x33,0x5b,0x30,0x1b,0x2c,0x3e,0x08,0x02,0x07,0x17,0x15,0x3e,0x30,0x13,0x32,0x31,0x06,0x00]
flag = 'flag{'
for i in range(len(k)-1):
    flag += chr(ord(b[i]) ^ k[i])
flag += '}'
print flag
# flag{We1l_D0ne!P0or_algebra_am_i}