warmup - cr3 2024
#cr3_2024 #crackme #Linux
enter命令などが含まれており、GhidraやIDAではデコンパイルできない
Binary Ninjaだとできたのでこれで調べる
ifの繰り返しでフラグが正しいかを判定しているので、逆算する
code: solve.py
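import re

# Flag-check conditions copied from the Binary Ninja decompilation.
# Each line is one constraint; the check fails when the `!=` holds, so the
# correct input makes both sides equal:
#   line 0:  s[0] - K0 == T0
#   line i:  s[i-1] ^ (s[i] - Ki) == Ti
# The text is kept exactly as pasted; only the adc.d(...) calls are parsed.
s = '''
if (sx.d(s0) - adc.d(0xffffffe9, 0x1c, true) != adc.d(0x49, 0x13, true))
if ((sx.d(s0) ^ (sx.d(s1) - adc.d(3, 6, true))) != adc.d(4, 6, true))
if ((sx.d(s1) ^ (sx.d(s2) - adc.d(1, 0x17, true))) != adc.d(0x4f, 0x18, true))
if ((sx.d(s2) ^ (sx.d(s3) - adc.d(0xfffffff3, 0x19, true))) != adc.d(0x4b, 0x11, true))
if ((sx.d(s3) ^ (sx.d(s4) - adc.d(1, 0xa, true))) != adc.d(8, 0x1a, true))
if ((sx.d(s4) ^ (sx.d(s5) - adc.d(0xfffffff3, 0x1c, true))) != adc.d(0x27, 0x1c, true))
if ((sx.d(s5) ^ (sx.d(s6) - adc.d(0x10, 0xd, true))) != adc.d(0x54, 0xb, true))
if ((sx.d(s6) ^ (sx.d(s7) - adc.d(0xfffffff6, 0xf, true))) != adc.d(0xffffffe5, 0x1a, true))
if ((sx.d(s7) ^ (sx.d(s8) - adc.d(0xfffffffa, 0xe, true))) != adc.d(0x16, 0xb, true))
if ((sx.d(s8) ^ (sx.d(s9) - adc.d(0xfffffffb, 9, true))) != adc.d(0x27, 8, true))
if ((sx.d(s9) ^ (sx.d(s0xa) - adc.d(0xf, 0xc, true))) != adc.d(0x18, 9, true))
if ((sx.d(s0xa) ^ (sx.d(s0xb) - adc.d(0xffffffea, 0x1b, true))) != adc.d(0x34, 8, true))
if ((sx.d(s0xb) ^ (sx.d(s0xc) - adc.d(0xfffffff3, 0x14, true))) != adc.d(0x6c, 0xb, true))
if ((sx.d(s0xc) ^ (sx.d(s0xd) - adc.d(9, 0xd, true))) != adc.d(0x60, 7, true))
if ((sx.d(s0xd) ^ (sx.d(s0xe) - adc.d(0xfffffffe, 6, true))) != adc.d(0x19, 0x14, true))
if ((sx.d(s0xe) ^ (sx.d(s0xf) - adc.d(0xfffffffa, 0xf, true))) != adc.d(0x5b, 9, true))
if ((sx.d(s0xf) ^ (sx.d(s0x10) - adc.d(0x12, 6, true))) != adc.d(0x4f, 0xe, true))
if ((sx.d(s0x10) ^ (sx.d(s0x11) - adc.d(0xe, 8, true))) != adc.d(0x6b, 0x13, true))
if ((sx.d(s0x11) ^ (sx.d(s0x12) - adc.d(0xfffffff6, 0x1b, true))) != adc.d(0x72, 0xa, true))
if ((sx.d(s0x12) ^ (sx.d(s0x13) - adc.d(7, 0xa, true))) != adc.d(0x4c, 0x1e, true))
if ((sx.d(s0x13) ^ (sx.d(s0x14) - adc.d(0xfffffff7, 0x19, true))) != adc.d(0x1d, 0x14, true))
if ((sx.d(s0x14) ^ (sx.d(s0x15) - adc.d(0xd, 7, true))) != adc.d(0x63, 8, true))
if ((sx.d(s0x15) ^ (sx.d(s0x16) - adc.d(0xffffffeb, 0x1e, true))) != adc.d(0x55, 0x1d, true))
if ((sx.d(s0x16) ^ (sx.d(s0x17) - adc.d(0xf, 7, true))) != adc.d(0x4a, 5, true))
if ((sx.d(s0x17) ^ (sx.d(s0x18) - adc.d(4, 0x19, true))) != adc.d(0x5b, 0xb, true))
if ((sx.d(s0x18) ^ (sx.d(s0x19) - adc.d(0xfffffffd, 0x1c, true))) != adc.d(0x23, 7, true))
if ((sx.d(s0x19) ^ (sx.d(s0x1a) - adc.d(0x14, 6, true))) != adc.d(0x18, 0x1e, true))
if ((sx.d(s0x1a) ^ (sx.d(s0x1b) - adc.d(0xfffffff5, 0x12, true))) != adc.d(0x1a, 0x18, true))
if ((sx.d(s0x1b) ^ (sx.d(s0x1c) - adc.d(0xe, 8, true))) != adc.d(0x67, 5, true))
if ((sx.d(s0x1c) ^ (sx.d(s0x1d) - adc.d(1, 0x13, true))) != adc.d(0x53, 0x16, true))
if ((sx.d(s0x1d) ^ (sx.d(s0x1e) - adc.d(7, 0xb, true))) != adc.d(0x18, 0xa, true))
if ((sx.d(s0x1e) ^ (sx.d(s0x1f) - adc.d(0xfffffff8, 0x15, true))) != adc.d(0xffffffe8, 0x17, true))
if ((sx.d(s0x1f) ^ (sx.d(s0x20) - adc.d(0xfffffffa, 0x10, true))) != adc.d(0xfffffff6, 0x10, true))
if ((sx.d(s0x20) ^ (sx.d(s0x21) - adc.d(0x12, 0xb, true))) != adc.d(0x36, 0x19, true))
if ((sx.d(s0x21) ^ (sx.d(s0x22) - adc.d(9, 0xd, true))) != adc.d(0xfffffff8, 0x19, true))
if ((sx.d(s0x22) ^ (sx.d(s0x23) - adc.d(2, 7, true))) != adc.d(0x11, 9, true))
'''


def _to_signed32(value):
    """Reinterpret an unsigned 32-bit value as a signed one.

    The decompiler prints negative operands as 0xffffffXX, so anything with
    bit 31 set is mapped back to its negative value.
    """
    return value - 0x100000000 if value >= 0x80000000 else value


# Folded value of every adc.d() call, in order of appearance:
# consts[2*i] is the subtracted constant Ki, consts[2*i + 1] the target Ti.
consts = []

# Matches `adc.d(A, B, true)` where A and B are decimal or 0x-prefixed hex.
RE_ADC = re.compile(r'adc\.d\(([0-9a-fx]+), ([0-9a-fx]+), true\)')


def _fold_adc(match):
    """Record the value of one adc.d(A, B, true) call and return it as text."""
    # int(..., 0) accepts both "9" and "0x1c".
    a = _to_signed32(int(match.group(1), 0))
    b = _to_signed32(int(match.group(2), 0))
    # Add-with-carry with the carry set: A + B + 1.
    value = a + b + 1
    consts.append(value)
    return str(value)


# Same constraint text with each adc.d() call replaced by its folded value.
s2 = RE_ADC.sub(_fold_adc, s)
print(s2)
print(consts)
print(len(consts))

# Invert the chain one character at a time:
#   s[0] = T0 + K0
#   s[i] = (Ti ^ s[i-1]) + Ki
flag = []
# One constraint per character. Deriving the count from consts covers the
# last constraint as well; a fixed range(0x23) stops one character short.
for i in range(len(consts) // 2):
    if i == 0:
        flag.append(consts[i * 2 + 1] + consts[i * 2])
    else:
        print(consts[i * 2 + 1], '^', flag[i - 1], '+', consts[i * 2])
        flag.append((consts[i * 2 + 1] ^ flag[i - 1]) + consts[i * 2])
print(flag)
# Print the recovered string; a bare expression only displays in a REPL.
print(''.join(chr(i) for i in flag))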