1
2
3
4
5
6
7

mov     dword ptr [ebp+flag], 0C881E8F1h
mov     dword ptr [ebp+flag+4], 0CECF81D2h
mov     dword ptr [ebp+flag+8], 81C081D5h
mov     dword ptr [ebp+flag+0Ch], 0C8D5C0D3h
mov     dword ptr [ebp+flag+10h], 0CDC0CFCEh
mov     dword ptr [ebp+flag+14h], 0CCD4CF81h
mov     dword ptr [ebp+flag+18h], 8FD3C4C3h

1
2
3
4

add     esp, 10h
mov     eax, [ebp+n]
cmp     eax, 12B9B0A1h
jnz     short loc_804852D

1
2
3
4
5
6
7
8
9
10
11
12

lea     edx, [ebp+flag]
mov     eax, [ebp+i]
add     eax, edx
movzx   edx, byte ptr [eax]
mov     eax, [ebp+n]
mov     ecx, edx
xor     ecx, eax
lea     edx, [ebp+flag]
mov     eax, [ebp+i]
add     eax, edx
mov     [eax], cl
add     [ebp+i], 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

from struct import pack
def p32(i):return pack("<I", i)a = [0xC881E8F1,
0xCECF81D2,
0x81C081D5,
0xC8D5C0D3,
0xCDC0CFCE,
0xCCD4CF81,
0x8FD3C4C3]t = ""for i in a:t += p32(i)flag = ""for i in range(len(t)):flag += chr(ord(t[i])^0xa1)print flag

1
2
3
4
5

a = [ord(i) - 1 for i in "UIJT.JT.ZPVS.GMBH"]
flag = ""
for i in a:flag += chr(i)
print flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

import angr
import claripyp = angr.Project("./bitx",auto_load_libs=False)
arg1 = claripy.BVS('arg1', 50*8)
args = [p.filename,arg1]
s = p.factory.entry_state(args=args)for byte in arg1.chop(8):s.add_constraints(byte != '\x00') s.add_constraints(byte >= ' ') s.add_constraints(byte <= '~') simgr = p.factory.simgr(s)
simgr.explore(find = 0x8048508,avoid = 0x804851A)print simgr.found[0].solver.eval(args[1], cast_to=str)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

import string
import binasciiflag = ""
flagenc = [0x1A, 0x8B, 0x24, 0x28, 0x58, 0x37, 0xAC, 0x52, 0x53, 0xB5, 0x1E, 0x3E, 0x4A, 0x25, 0x4A, 0x27, 0x6B, 0xB2, 0x17, 0x01, 0x03, 0x0B, 0xF4, 0x14, 0x00, 0xF1, 0x61, 0x70, 0x0C, 0x55, 0x20, 0x7A]
pbData = [0x34, 0xAF, 0x0D, 0x07, 0x4B, 0x17, 0xF4, 0x4D, 0x1B, 0xB9, 0x39, 0x76, 0x5B, 0x02, 0x77, 0x6F]for i in string.printable:a = ord(i)flag = ""for a1 in range(0,0x20):flag += chr(a ^ flagenc[a1] ^ pbData[a1&0xf])if not flag.find("FLAG"):print flag

1
2
3
4
5
6
7
8
9
10

from z3 import *
a = BitVec("a",32)
b = BitVec("b",32)
s = Solver()
s.add(a*b==0xDDC34132)
s.add((a ^ 0x7E) * (b + 16) == 0x732092BE )
s.add((a - b)&0xfff == 0xcdf)
if s.check():print s.model()[a].as_long()print s.model()[b].as_long()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

#include <stdio.h>
#include <string.h>
#include "ida.h"
unsigned char junk_data[] ={省略大量数据};
void __cdecl decrypt_flag(unsigned int a1, unsigned int a2, unsigned int a3)
{signed int v3; // eaxsigned int v5; // [esp+Ch] [ebp-3Ch]char flag[40]; // [esp+14h] [ebp-34h]int a9;v5 = 4;a9 = a3;a3 = 1234567890*a3+1;memset(flag, 0, sizeof(flag));*(_DWORD *)flag = 0x8B9551FA * a3;while ( a2 ){v3 = v5++;flag[v3] = junk_data[a1 & 0xFFF] ^ a2;a1 *= 77777;a2 = a3 ^ (a2 >> 1);a3 >>= 1;}flag[v5] = 0;if(!strncmp("flag",flag,4) || !strncmp("FLAG",flag,4))printf("[%d]:%s\n",a9,flag);
}
int main(){int i;for(i=0;i<9999999;i++)decrypt_flag(2136772529,1234567890,i);
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

#include <stdio.h>
#include <string.h>
#include "ida.h"
#include <time.h>
char byte_6CB09F[] = {0x00, 0xA4, 0x4B, 0x41, 0x47, 0x7A, 0x49, 0xFF, 0xEE, 0x63, 0x6E, 0xD1, 0x12, 0xFB, 0xE9, 0xBE, 0xC7, 0x65, 0x1B, 0x3B, 0x7A, 0x32, 0x30, 0x31, 0x38, 0xCE, 0x27, 0x4B, 0x65, 0x64, 0x71, 0xBE, 0xD6, 0x72, 0x74, 0x9A, 0x35, 0xF0, 0xF9, 0xBE, 0xDB, 0x76, 0x1F, 0x3B, 0x23, 0x20, 0x44, 0x61, 0x79, 0xC3, 0x7A};
char * flag = byte_6CB09F + 1;
unsigned long long int qword_6CDE20[]={0x9E9E9E9E9E9E9E9E,0x9E9E9E9E9E9E9E9E,1514764800};
__int64 sub_400B60()
{char v0; // siunsigned __int64 i; // rcxunsigned __int64 v2; // rax__int64 v3; // rdxLODWORD(qword_6CDE20) = 2018;BYTE4(qword_6CDE20) = 1;BYTE5(qword_6CDE20) = 1;LODWORD(qword_6CDE20[1]) = 1559303955;v0 = flag[0];if ( flag[0] ){i = 0LL;do{v2 = 3 * ((unsigned __int64)(0xAAAAAAAAAAAAAAABLL * (unsigned __int128)i >> 64) >> 4);v3 = i++;byte_6CB09F[i] = *((_BYTE *)&qword_6CDE20 + v3 - 8 * v2) ^ v0;v0 = flag[i];}while ( v0 );}return printf("The flag is %s\n", flag);
}int main(){sub_400B60();
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

import binascii
import stringa=[3594606959,2158225808,3381484699,218476463,326279469,1566511483,1073871869,2815612267,2097478526,776112478,1640595123,2225816515,2680236509,4099485517,]print len(a)
flag = ""s = string.printablefor i in a:for i1 in s:for i2 in s:for i3 in s:t = i1 + i2 + i3if binascii.crc32(flag + t)&0xffffffff == i:flag += tprint flagbreak

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char array[] = {164,25,4,130,126,158,91,199,173,252,239,143,150,251,126,39,104,104,146,208,249,9,219,208,101,182,62,92,6,27,5,46};
int main(){unsigned int i;unsigned char text[32]={0};unsigned int num ;unsigned int num2;unsigned char c;unsigned int b;unsigned int j;for(i=2131407842;i<0xffffffff;i++){num = i;num2 = 0;b = 0;j = 0;while(num != 0 ){c = array[num2] ^ (num&0xff) ^ b;text [j]= c;b ^= array[num2];num2 += 1;num >>= 1;j ++ ;}if(!strncmp("FLAG{DO YOU KNOW ",text,17)){printf("[%d] %s\n",i,text);}}
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

import popen2,stringINFILE = "test"
CMD = "~/Desktop/pin/pin -t ~/Desktop/pin/source/tools/ManualExamples/obj-ia32/inscount1.so -- ~/Desktop/mov <" + INFILE
choices = " 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$%&'()*+,-./:;<=>?@[\]^_`{|}~"def execlCommand(command):global ffin,fout = popen2.popen2(command)result1 = fin.readline()print result1result2 = fin.readline()fin.close()def writefile(data):fi = open(INFILE,'w')fi.write(data)fi.close()flag = ''
f = 1
while(f):l = 0for i in choices:key = flag + iprint ">",keywritefile(key)execlCommand(CMD)fi = open('./inscount.out', 'r')while(1):try:n = int(fi.read().split(' ')[1], 10)breakexcept IndexError:continuefi.close()print nif(l - n> 100 and l):flag += iprint flagbreakelse:l = n
print flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

__import__('sys').setrecursionlimit(1048576)
data = 'Tt1PJbKTTP+nCqHvVwojv9K8AmPWx1q1UCC7yAxMRIpddAlH+oIHgTET7KHS1SIZshfo2DOu8dUt6wORBvNVBpUSsuHa0S78KG+SCQtB2lr4c1RPbMf0nR9SeSm1ptEY37y310SJMY28u6m4Y44qniGTi39ToHRTyxwsbHVuEjf480eeYAfSVvpWvS8Oy2bjvy0QMVEMSkyJ9p1QlGgyg3mUnNCpSb96VgCaUe4aFu4YbOnOV3HUgYcgXs7IcCELyUeUci7mN8HSvNc93sST6mKl5SDryngxuURkmqLB3azioL6MLWZTg69j6dflQIhr8RvOLNwRURYRKa1g7CKkmhN4RytXn4nyK2UM/SoR+ntja1scBJTUo0I31x1wBJpT4HjDN47FLQWIkRW+2wnB3eEwO5+uSiQpzA8VaH7VGRrlU/BFW4GqbaepzKPLdXQFBkNyBKzqzR/zA2GIrYbLIVScWJ19DqJCOyVLGeVIVXyzN1y327orYL2Ee3lRITnE3FouicRStaznIcw8xmxvukwVMRZIJ/vTu8Zc1WQIYEIFXMHozGuvzZgROZTyFihWNRCBBtoP9DJJALJb0pA1IKIb2zLh+pwGF40Y6y93D6weKejGPO+A0DBXH9vuLcCcCIvr/XPQhO3jLKCBN+h9unuJKW3dyWxyaVPdR2V+BTw10VXolo7yaTH1GbR4TiVSB308mBOMwfchwihEe7RdMXvmXgaGarKkJe0NLUCd8jwhYII+WymjxO/xOz/ppOvNfAyIQksW0sggRPQTlgXSZ7MIVA1h66sGNljJ833MoFzWof3azLabaz1OrAJFqYXBg/myDsy1tV6rULSQ82hVR/TNnSmBGvyEDJTrLSwHyj78NOrW4mUnlLGBnAgWfw6pW2lRK2jkNX9NM6DfLsRK8lwl85UP8CZSuNdcLmLwHTVMZGm/cNkZCtWRBlZqEggxGdIO44D+f4y6ysnAk5/QzEwjIuecxEOb0jyV6dFui8g0c3Oxlhzcli0X8ToJFyeQRv1N9nokYZ07tFlG6m18kCToKz1qiH1U7kljXa6SvdORur5dWYLQ//gwhwppe7JlNda/cEoh92h96wRZDv1dSK/f1vz+mUeUyUlFY0iMjfw5eBXWZppNZi3ZtJcq5kllM2ACVFcxQWI3azM3ArOcqjosoiPjNoDYgKh7w4k2Cd0kLYEHscz/njtJ1KEcwLtqs4nJ+gB2r4V9g03YgvY5E8JJtfJMKdaTedjtvEuif8FNlCK9DMnL1iLpWptJbdfO83Y7Y46XCqjZFBI5o9Qtb78nLhMEM5/YTaNOM/wE/oJl5HI/i1X6kW3PKCsVubRkOkc2xawl6NYdLETjLvmrGhhI'
a = 138429774382724799266162638867586769792748493609302140496533867008095173455879947894779596310639574974753192434052788523153034589364467968354251594963074151184337695885797721664543377136576728391441971163150867881230659356864392306243566560400813331657921013491282868612767612765572674016169587707802180184907L
b = 166973306488837616386657525560867472072892600582336170876582087259745204609621953127155704341986656998388476384268944991674622137321564169015892277394676111821625785660520124854949115848029992901570017003426516060587542151508457828993393269285811192061921777841414081024007246548176106270807755753959299347499L
c = 139406975904616010993781070968929386959137770161716276206009304788138064464003872600873092175794194742278065731836036319691820923110824297438873852431436552084682500678960815829913952504299121961851611486307770895268480972697776808108762998982519628673363727353417882436601914441385329576073198101416778820619L
d = 120247815040203971878156401336064195859617475109255488973983177090503841094270099798091750950310387020985631462241773194856928204176366565203099326711551950860726971729471331094591029476222036323301387584932169743858328653144427714133805588252752063520123349229781762269259290641902996030408389845608487018053L
e = 104267926052681232399022097693567945566792104266393042997592419084595590842792587289837162127972340402399483206179123720857893336658554734721858861632513815134558092263747423069663471743032485002524258053046479965386191422139115548526476836214275044776929064607168983831792995196973781849976905066967868513707L
F = (a, b, c, d, e)
m = 8804961678093749244362737710317041066205860704668932527558424153061050650933657852195829452594083176433024286784373401822915616916582813941258471733233011L
g = 67051725181167609293818569777421162357707866659797065037224862389521658445401L
z = []
for i, f in enumerate(F):n = pow(f, m, g)this_is = 'Y-Combinator'l = (lambda f: (lambda x: x(x))(lambda y: f(lambda *args: y(y)(*args))))(lambda f: lambda x: 1 if x < 2 else f(x - 1) * x % n)(g % 27777)z.append(l)print lz.sort()
gg = '(flaSg\'7 \\h#GiQwt~66\x0csxCN]4sT{? Zx YCf6S>|~`\x0c$/}\'\r:4DjJFvm]([sP%FMY"@=YS;CQ7T#zx42#$S_j0\\Lu^N31=r\x0b\t\tjVhhb_KM$|6]\nl!:V\rx8P[0m ;ho_\rR(0/~9HgE8!ec*AsGd[e|2&h!}GLGt\'=$\x0cbKFMnbez-q\\`I~];@$y#bj9K0xmI2#8 sl^gBNL@fUL\x0b\\9Ohf]c>Vj/>rnWXgLP#<+4$BG@,\'n a_7C:-}f(WO8Y\x0c2|(nTP!\'\\>^\'}-7+AwBV!w7KUq4Qpg\tf.}Z7_!m+ypy=`3#\\=?9B4=?^}&\'~ Z@OH8\n0=6\x0b\tv\nl!G\'y4dQW5!~g~I*f"rz1{qQH{G9\x0c\'b\x0cp\x0bdu!2/\\@i4eG"If0A{-)N=6GMC<U5/ds\rG&z>P1\nsq=5>dFZUWtjv\tX~^?9?Irwx\\5A!32N\x0bcVkx!f)sVY Men\x0c\'ujN<"LJ\x0c5R4"\\\\XPVA\'m$~tj)Br}C}&kX2<|\np3XtaHB.P\'(E 4$dm!uDyC%u ["x[VYw=1aDJ (8V/a!J?`_r:n7J88!a25AZ]#,ab?{%e\x0b]wN_}*Q:mh>@]u\t&6:Z*Fmr?U`cOHbAf7s@&5~L ,\tQ18 -Hg q2nz%\x0ccUm=dz&h1(ozoZ)mrA=`HKo\n\'rXm}Z-l3]WgN\\NW<{o=)[V({7<N1.-A8S"=;3sderb\tOZ$K\r0o/5\x0bMc76EGCWJ3IQpr7!QhbgzX8uGe3<w-g\'/j\'\tM4|9l?i&tm_\n57X0B2rOpuB@H@%L_\r)&/q=LZa(%}""#if#Kq74xK?`jGFOn"8&^3Q-\r#]E$=!b^In0:$4VKPXP0UK=IK)Y\rstOT40=?DyHor8j7O\\r/~ncJ5];cCT)c?OS0EM5m#V(-%"Tu:!UsE],0Dp  s@HErS]J{%oH54B&(zE.(@5#2k\tJnNlnUEij\\.q/3HBpJNk*X(k5;DlqK\'\'fX\r}EBk_7\x0b:>8~\t+M@WJx.PO({/U}1}#TqjreG\nN{\rX>4EsJr0Pn\\Z\\aL/-U<<{,Q;j\tF=7f\')+wH:p{G=_.s\\t-\x0bI\x0c*y\t1P:Y|/2xE<uo]~$>5k]FW+>fR<QA"(Fj[LL(hzfQo#PJ;:*0kB~3]9uL[o.xue:VQ\t;9-Tu\tq|mzzhV_okP\t,d\rQ`]5Gf\x0c#gXB\x0cAH|)NI|K=KW-&p-<b"3e.rO\x0cuK=\x0c^\r+MuLxCJ`UKaD\x0bBH&n+YVajZ(U7pwWtto3T10VLHwSJ\rK\t}\'F$l1:b2Bd\na=#t0iq}#!{1_)w$}<Dp(borC\'\t?r6;,+k;a(Q3@B?RCWYEDrjZe![x=n_%S]rl{&fLr*mgCD;92/nNsaxKy/;\nr]sPK=`+YP>MmfB\n8O4/"}nE7r*=41f2\t37>K\'s$wpl;qS[`qzu\x0b\t\nuaU|b,C`4& dRN~]7DnuTb2FhNHV!#Z2Hho\x0b[%.{O\t$q0\x0ch_@?w@b8[I^{JL|O8]i8{p)A.w)14qK3JoyF%licZ~ga\rW[L:W\rtIvfWJjZUOvB\rS.Beav3!-@bw|PexJ Pcw1\ry6!63B}]J])6fak/3r]W\tMeXt[uc(1_U lys{a1X\r%)[wwP3rhgNW{*d~_E%Q2htCt5ha@l0^0=\x0bwT\ni4/V;_\nM1rb?w~Q)Dli4u\n`}1+D8"\t`@V~$9l$Uy**VnI (@Ga0<RxfmoNgJTtE-aLH\rE5fMy7rk$)V\rL2Fv/AivOa"\nuX|70Xrw^D]%i%JyT\x0cc%cwZ/Wbp=IiY;/@nFEe>3=tM;K*`fReGoc5V/Ri?nXZ-RW)\'\t<\x0cV>@X@-Ei4%sO%},B_pjc`s"@oKCmdgDhjUZT@?mb\'?Q:F\x0bLJkPgjaFAc=rbrjAz$Zz\x0cq0GU!")xFOEF(x!3M\t:l83|}}HgGJJ#eT/I\x0b[|lK_n+;Wi/N^B4LzL.a(gVWq,zO6\'S|tb>RX` ca*CO<w\x0ci =wc1,M~\x0bc`FYEs\r){+Ll8[I9-88m\t\\iK/\\hno-C[vX*3Hx:%:K\rt\x0cW!tj\'SOhqxP|k7cw Hm?I@?P\'HmapG7$0#T(Auz]sjmd#\rFP/}53@-Kvmi(d%dZKLZ2LK\'e_E\x0bQmR 5/(irq4-EUyp<hB?[\tnU:p*xuzASM'
print ('').join((gg[(lambda f: (lambda x: x(x))(lambda y: f(lambda *args: y(y)(*args))))(lambda f: lambda n: 1 if n < 3 else f(n - 1) + f(n - 2))(i + 2)] for i in range(16))) % ('').join((data[pow((__import__('fractions').gcd(z[i % 5], z[(i + 1) % 5]) * 2 + 1) * g, F[i % 5] * (i * 2 + 1), len(data))] for i in range(32)))