3.elf
根据下面的校验过程,输入应该是一个长度为42的字符串:
/* Final check (decompiler excerpt): compares 42 bytes, indices 0..41. */
/* v4 is the transformed input; v6 is presumably the expected byte table -- confirm in the binary. */
for ( i = 0; i <= 41; ++i )
{
/* v6 is read one byte at a time through the _BYTE cast. */
if ( *((_BYTE *)v6 + i) != v4[i] )
{
/* First mismatching byte ends the check with the failure message. */
printf("wrong2 wrong2");
return 0;
}
}
/* Reached only when all 42 bytes matched: the input itself is the flag. */
printf("woc,you got it,flag is your input");
return 0;
但下面这段数据如果当作字符来看,只有24个字符;
合理推测这里的数据同样是校验所用的字符串,
其长度刚好为42。
加密字段如下
/* Transformation of the input s into v4 (decompiler excerpt; the closing brace of this if is not part of the listing). */
/* Length gate: only a 42-character input is processed. */
if ( strlen(s) == 42 )
{
/* Stage 1: i runs 0..6 and j runs 0..5, so 6 * i + j visits every index 0..41 exactly once. */
for ( i = 0; i <= 6; ++i )
{
for ( j = 0; j <= 5; ++j )
{
v9 = 6 * i + j;
v11 = s[v9];
v10 = s[v9];
/* v11 keeps the inverted input bits selected by the mask i * (j + 2). */
v11 = ~v11;
v11 &= i * (j + 2);
/* Unmasked bits come from the input, masked bits from the inverted copy: same as s[v9] ^ (i * (j + 2)). */
v10 = v10 & ~(i * (j + 2)) | v11;
/* Destination index 7 * j + i swaps the roles of i and j, so the bytes are also reordered. */
v9 = 7 * j + i;
v4[v9] = v10;
}
}
/* Stage 2: in-place chaining over indices 1..41; v4[0] is left as stage 1 produced it. */
for ( i = 1; i <= 41; ++i )
{
/* Odd index: multiply by 107. Presumably wraps at the element width of v4 -- confirm the type. */
if ( i % 2 == 1 )
v4[i] *= 107;
/* Even index: add the previous element, which this loop has already multiplied. */
else
v4[i] += v4[i - 1];
}
s为自己输入的内容
v4为加密后的内容
尝试通过z3破解
from z3 import *
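# Expected bytes for the final comparison (42 values, one per transformed byte).
DataCmp = [
    0x24, 0x90, 0x55, 0x3C, 0xFD, 0xA9, 0x4E, 0x66,
    0xFD, 0x81, 0x20, 0x01, 0xB1, 0x5D, 0xF6, 0x57,
    0x8F, 0x80, 0x0D, 0x0E, 0xA1, 0x1F, 0xA9, 0x36,
    0x77, 0xce, 0xCF, 0xA5, 0x2F, 0x60, 0x27, 0x9E,
    0x23, 0xE8, 0x5D, 0xA4, 0x28, 0xFF, 0xDB, 0x32,
    0xBD, 0x1B,
]

# One symbolic 8-bit value per input character. The width follows the _BYTE
# comparison in the decompiled check; it assumes v4 is a byte array -- confirm.
flag = [BitVec('flag[%2d]' % i, 8) for i in range(42)]
out = [0] * 42
f = Solver()

# Every loop bound below must mirror the decompiled code exactly
# (i <= 6, j <= 5, i <= 41). With range(6)/range(5)/range(40)/range(41) some
# slots of `out` are never written and stay the plain integer 0, and index 41
# is never constrained. That version cannot be satisfied: out[6] collapses to
# out[5], while DataCmp[5] != DataCmp[6].

# Stage 1: i = 0..6, j = 0..5 reads flag[6*i + j] and writes out[7*j + i].
for i in range(7):
    for j in range(6):
        mask = i * (j + 2)
        # The decompiled (x & ~mask) | (~x & mask) is exactly x ^ mask.
        out[7 * j + i] = flag[6 * i + j] ^ mask

# Stage 2: in-place chaining over indices 1..41, in the same order as the
# binary. Odd slots are multiplied by 107; even slots add the already
# updated previous slot. 8-bit BitVec arithmetic wraps modulo 256.
for i in range(1, 42):
    if i % 2 == 1:
        out[i] *= 107
    else:
        out[i] += out[i - 1]

# Constrain all 42 transformed bytes, including the last one.
for i in range(42):
    f.add(out[i] == DataCmp[i])

# Satisfiability probe only: report whether any 42-byte input passes the check.
if f.check() == sat:
    print("yes")
else:
    print("error")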
先判断下是否有解
输出如下
寄