3.elf z3暴力破解

尝试对3.elf进行动态调试

寄，我的glibc库版本低了

但根据2.elf的经验，其存储顺序应该是按上到下的顺序存储的，从低位到高位存储的

同时这个每两位就代表了一个字符刚好就有42个字符符合校验的字符个数

所以z3破解代码为

from z3 import *    
DataCmp=[		
0x66,0x4E,0XA9,0XFD,0X3C,0X55,0X90,0X24,
0X57,0XF6,0X5D,0XB1,0X01,0X20,0X81,0XFD,
0X36,0XA9,0X1F,0XA1,0X0E,0X0D,0X80,0X8F,
0XCE,0X77,
0XE8,0X23,0X9E,0X27,0X60,0X2F,0XA5,0XCF,
0X1B,0XBD,0X32,0XDB,0XFF,0X28,0XA4,0X5D]
flag = [BitVec('flag[%2d]' % i, 8) for i in range(42)]  #初始化序列
out=[0]*42
for i in range(42):
    out[i]=flag[i]
v11 = 0
v10 = 0
i = 0
j = 0
v9 = 0 
v1 =0 
f = Solver()#创建约束求解器
for i in range(7):
    for j in range(6):
        v9=6*i+j
        v11=flag[v9]
        v10=flag[v9]
        v11 = ~v11
        v11 &= i * (j + 2)
        v10 = v10 & ~(i * (j + 2)) | v11
        v9 = 7 * j + i
        out[v9] = v10
for i in range(41):
    if (i+1)%2==1:
        out[i+1]*=107
    else:
        out[i+1]+=out[i]
for i in range(42):
    f.add(out[i]==DataCmp[i])
while(f.check()==sat):
    condition = []
    m = f.model()
    p=""
    for i in range(42):
        p+=chr(int("%s" % (m[flag[i]])))
        condition.append(flag[i]!=int("%s" % (m[flag[i]])))
    print(p)
    f.add(Or(condition))

求出其flag为

flag{wh03v3r_d1g5_1n70_17_f1nd5_7h3_7ru7h}

我逐渐知道z3的好用了 欸嘿嘿嘿嘿嘿嘿嘿