MOECTF2023

Reverse beginner's guide (reverse入门指北)

Search the binary's strings directly.

flag

moectf{F1rst_St3p_1s_D0ne}

base_64

Decompiling with pycdc shows Base64 with a swapped (custom) alphabet.

flag

moectf{pYc_And_Base64~}
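
Decoding swapped-alphabet Base64 comes down to mapping each character back to the standard alphabet before a normal decode. This is an added example, not the challenge's code: the alphabet CUSTOM is constructed here (the real table is only in the decompiled output), and make_codec is a hypothetical helper name.

```python
import base64
import string

# Standard Base64 alphabet (RFC 4648).
STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed sample table: upper and lower case halves swapped.
# Replace it with the 64-character table found in the decompiled code.
CUSTOM = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/"


def make_codec(custom):
    """Return (encode, decode) for Base64 that uses `custom` as its alphabet."""
    if len(custom) != 64 or len(set(custom)) != 64 or "=" in custom:
        raise ValueError("alphabet must be 64 distinct characters without '='")
    to_custom = str.maketrans(STD, custom)
    to_std = str.maketrans(custom, STD)

    def encode(data):
        return base64.b64encode(data).decode("ascii").translate(to_custom)

    def decode(text):
        body = text.strip().rstrip("=")
        unknown = set(body) - set(custom)
        if unknown:
            raise ValueError(f"characters outside the table: {sorted(unknown)}")
        std = body.translate(to_std)
        std += "=" * (-len(std) % 4)  # restore padding if it was stripped
        return base64.b64decode(std, validate=True)

    return encode, decode


ENCODE, DECODE = make_codec(CUSTOM)

if __name__ == "__main__":
    token = ENCODE(b"moectf{pYc_And_Base64~}")
    print(token)          # looks like Base64, but the standard decoder yields garbage
    print(DECODE(token))  # round-trips with the custom table
```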

UPX!

After unpacking with upx -d, it is just a single XOR.

exp

enc =[
  0x0A, 0x08, 0x02, 0x04, 0x13, 0x01, 0x1C, 0x57, 0x0F, 0x38, 
  0x1E, 0x57, 0x12, 0x38, 0x2C, 0x09, 0x57, 0x10, 0x38, 0x2F, 
  0x57, 0x10, 0x38, 0x13, 0x08, 0x38, 0x35, 0x02, 0x11, 0x54, 
  0x15, 0x14, 0x02, 0x38, 0x32, 0x37, 0x3F, 0x46, 0x46, 0x46, 
  0x1A]
flag = ''
for i in enc:
    i ^= 0x67
    flag += chr(i)
print(flag)
#moectf{0h_y0u_Kn0w_H0w_to_Rev3rse_UPX!!!}

flag

moectf{0h_y0u_Kn0w_H0w_to_Rev3rse_UPX!!!}

Xor

XOR again.

exp

enc = [
  0x54, 0x56, 0x5C, 0x5A, 0x4D, 0x5F, 0x42, 0x60, 0x56, 0x4C, 
  0x66, 0x52, 0x57, 0x09, 0x4E, 0x66, 0x51, 0x09, 0x4E, 0x66, 
  0x4D, 0x09, 0x66, 0x61, 0x09, 0x6B, 0x18, 0x44]
flag = ''
for i in enc:
    i ^= 0x39
    flag += chr(i)
print(flag)
#moectf{You_kn0w_h0w_t0_X0R!}

flag

moectf{You_kn0w_h0w_t0_X0R!}

ANDROID

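Running it in an emulator shows the prompt 长度不对哦 ("wrong length").
Open it in jadx-gui and search for 长度 ("length").
This leads to com.doctor3.basicandroid.MainActivity.
The check is a repeating-key XOR.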

exp

enc = [25, 7, 0, 14, 27, 3, 16, '/', 24, 2, '\t', ':', 4, 1, ':', '*', 11, 29, 6, 7, '\f', '\t', '0', 'T', 24, ':', 28, 21, 27, 28, 16]
key = ['t', 'h', 'e', 'm', 'o', 'e', 'k', 'e', 'y']
key_ascii = [ord(char) for char in key]
flag = ""
for i, value in enumerate(enc):
    key_value = key_ascii[i % len(key_ascii)]  
    if isinstance(value, int): 
        xor_result = value ^ key_value
    elif isinstance(value, str): 
        xor_result = ord(value) ^ key_value
    flag += chr(xor_result)
print(flag)
#moectf{Java_in_Android_1s_easy}

flag

moectf{Java_in_Android_1s_easy}

EQUATION

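In IDA, retype v4 as char v4[31]. That leaves 30 equations in 31 unknowns, so add one more constraint: v4[30] == 125 ('}').
Then just throw Z3 at it. Note that a few terms use shifts (<<); rewrite those by hand as multiplications (*).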

exp

from z3 import *

solver = Solver()
v4 = [Int(f"v4_{i}") for i in range(31)]
equations = [
        334 * v4[28]
     + 100 * v4[27]
     + 369 * v4[26]
     + 124 * v4[25]
     + 278 * v4[24]
     + 158 * v4[23]
     + 162 * v4[22]
     + 145 * v4[19]
     + 27 * v4[17]
     + 91 * v4[15]
     + 195 * v4[14]
     + 342 * v4[13]
     + 391 * v4[10]
     + 204 * v4[9]
     + 302 * v4[8]
     + 153 * v4[7]
     + 292 * v4[6]
     + 382 * v4[5]
     + 221 * v4[4]
     + 316 * v4[3]
     + 118 * v4[2]
     + 295 * v4[1]
     + 247 * v4[0]
     + 236 * v4[11]
     + 27 * v4[12]
     + 361 * v4[16]
     + 81 * v4[18]
     + 105 * v4[20]
     + 65 * v4[21]
     + 67 * v4[29]
     + 41 * v4[30] == 596119
 , 371 * v4[29]
     + 338 * v4[28]
     + 269 * v4[27]
     + 312 * v4[26]
     + 67 * v4[25]
     + 299 * v4[24]
     + 235 * v4[23]
     + 294 * v4[22]
     + 303 * v4[21]
     + 211 * v4[20]
     + 122 * v4[19]
     + 333 * v4[18]
     + 341 * v4[15]
     + 111 * v4[14]
     + 253 * v4[13]
     + 68 * v4[12]
     + 347 * v4[11]
     + 44 * v4[10]
     + 262 * v4[9]
     + 357 * v4[8]
     + 323 * v4[5]
     + 141 * v4[4]
     + 329 * v4[3]
     + 378 * v4[2]
     + 316 * v4[1]
     + 235 * v4[0]
     + 59 * v4[6]
     + 37 * v4[7]
     + 264 * v4[16]
     + 73 * v4[17]
     + 126 * v4[30] == 634009
 , 337 * v4[29]
     + 338 * v4[28]
     + 118 * v4[27]
     + 82 * v4[26]
     + 239 * v4[21]
     + 58 * v4[20]
     + 304 * v4[19]
     + 330 * v4[18]
     + 377 * v4[17]
     + 306 * v4[16]
     + 221 * v4[13]
     + 345 * v4[12]
     + 124 * v4[11]
     + 272 * v4[10]
     + 270 * v4[9]
     + 229 * v4[8]
     + 377 * v4[7]
     + 373 * v4[6]
     + 297 * v4[5]
     + 112 * v4[4]
     + 386 * v4[3]
     + 90 * v4[2]
     + 361 * v4[1]
     + 236 * v4[0]
     + 386 * v4[14]
     + 73 * v4[15]
     + 315 * v4[22]
     + 33 * v4[23]
     + 141 * v4[24]
     + 129 * v4[25]
     + 123 * v4[30] == 685705
 , 367 * v4[29]
     + 55 * v4[28]
     + 374 * v4[27]
     + 150 * v4[24]
     + 350 * v4[23]
     + 141 * v4[22]
     + 124 * v4[21]
     + 366 * v4[20]
     + 230 * v4[19]
     + 307 * v4[18]
     + 191 * v4[17]
     + 153 * v4[12]
     + 383 * v4[11]
     + 145 * v4[10]
     + 109 * v4[9]
     + 209 * v4[8]
     + 158 * v4[7]
     + 221 * v4[6]
     + 188 * v4[5]
     + 22 * v4[4]
     + 146 * v4[3]
     + 306 * v4[2]
     + 230 * v4[1]
     + 13 * v4[0]
     + 287 * v4[13]
     + 257 * v4[14]
     + 137 * v4[15]
     + 7 * v4[16]
     + 52 * v4[25]
     + 31 * v4[26]
     + 355 * v4[30] == 557696
 , 100 * v4[29]
     + 191 * v4[28]
     + 362 * v4[27]
     + 55 * v4[26]
     + 210 * v4[25]
     + 359 * v4[24]
     + 348 * v4[21]
     + 83 * v4[20]
     + 395 * v4[19]
     + 350 * v4[16]
     + 291 * v4[15]
     + 220 * v4[12]
     + 196 * v4[11]
     + 399 * v4[8]
     + 68 * v4[7]
     + 84 * v4[6]
     + 281 * v4[5]
     + 334 * v4[4]
     + 53 * v4[3]
     + 399 * v4[2]
     + 338 * v4[0]
     + 18 * v4[1]
     + 148 * v4[9]
     + 21 * v4[10]
     + 174 * v4[13]
     + 36 * v4[14]
     + 2 * v4[17]
     + 41 * v4[18]
     + 137 * v4[22]
     + 24 * v4[23]
     + 368 * v4[30] == 538535
 , 188 * v4[29]
     + (v4[26] * 128)
     + 93 * v4[25]
     + 248 * v4[24]
     + 83 * v4[23]
     + 207 * v4[22]
     + 217 * v4[19]
     + 309 * v4[16]
     + 16 * v4[15]
     + 135 * v4[14]
     + 251 * v4[13]
     + 200 * v4[12]
     + 49 * v4[11]
     + 119 * v4[10]
     + 356 * v4[9]
     + 398 * v4[8]
     + 303 * v4[7]
     + 224 * v4[6]
     + 208 * v4[5]
     + 244 * v4[4]
     + 209 * v4[3]
     + 189 * v4[2]
     + 302 * v4[1]
     + 395 * v4[0]
     + 314 * v4[17]
     + 13 * v4[18]
     + 310 * v4[20]
     + 21 * v4[21]
     + 67 * v4[27]
     + 127 * v4[28]
     + 100 * v4[30] == 580384
 , 293 * v4[29]
     + 343 * v4[28]
     + 123 * v4[27]
     + 387 * v4[26]
     + 114 * v4[25]
     + 303 * v4[24]
     + 248 * v4[23]
     + 258 * v4[21]
     + 218 * v4[20]
     + 180 * v4[19]
     + 196 * v4[18]
     + 398 * v4[17]
     + 398 * v4[14]
     + 138 * v4[9]
     + 292 * v4[8]
     + 38 * v4[7]
     + 179 * v4[6]
     + 190 * v4[5]
     + 57 * v4[4]
     + 358 * v4[3]
     + 191 * v4[2]
     + 215 * v4[1]
     + 88 * v4[0]
     + 22 * v4[10]
     + 72 * v4[11]
     + 357 * v4[12]
     + 9 * v4[13]
     + 389 * v4[15]
     + 81 * v4[16]
     + 85 * v4[30] == 529847
 , 311 * v4[29]
     + 202 * v4[28]
     + 234 * v4[27]
     + 272 * v4[26]
     + 55 * v4[25]
     + 328 * v4[24]
     + 246 * v4[23]
     + 362 * v4[22]
     + 86 * v4[21]
     + 75 * v4[20]
     + 142 * v4[17]
     + 244 * v4[16]
     + 216 * v4[15]
     + 281 * v4[14]
     + 398 * v4[13]
     + 322 * v4[12]
     + 251 * v4[11]
     + 357 * v4[8]
     + 76 * v4[7]
     + 292 * v4[6]
     + 389 * v4[5]
     + 275 * v4[4]
     + 312 * v4[3]
     + 200 * v4[2]
     + 110 * v4[1]
     + 203 * v4[0]
     + 99 * v4[9]
     + 21 * v4[10]
     + 269 * v4[18]
     + 33 * v4[19]
     + 356 * v4[30] == 631652
 , 261 * v4[29]
     + 189 * v4[26]
     + 55 * v4[25]
     + 23 * v4[24]
     + 202 * v4[23]
     + 185 * v4[22]
     + 182 * v4[21]
     + 285 * v4[20]
     + 217 * v4[17]
     + 157 * v4[16]
     + 232 * v4[15]
     + 132 * v4[14]
     + 169 * v4[13]
     + 154 * v4[12]
     + 121 * v4[11]
     + 389 * v4[10]
     + 376 * v4[9]
     + 292 * v4[6]
     + 225 * v4[5]
     + 155 * v4[4]
     + 234 * v4[3]
     + 149 * v4[2]
     + 241 * v4[1]
     + 312 * v4[0]
     + 368 * v4[7]
     + 129 * v4[8]
     + 226 * v4[18]
     + 288 * v4[19]
     + 201 * v4[27]
     + 288 * v4[28]
     + 69 * v4[30] == 614840
 , 60 * v4[29]
     + 118 * v4[28]
     + 153 * v4[27]
     + 139 * v4[26]
     + 23 * v4[25]
     + 279 * v4[24]
     + 396 * v4[23]
     + 287 * v4[22]
     + 237 * v4[19]
     + 266 * v4[18]
     + 149 * v4[17]
     + 193 * v4[16]
     + 395 * v4[15]
     + 97 * v4[14]
     + 16 * v4[13]
     + 286 * v4[12]
     + 105 * v4[11]
     + 88 * v4[10]
     + 282 * v4[9]
     + 55 * v4[8]
     + 134 * v4[7]
     + 114 * v4[6]
     + 101 * v4[5]
     + 116 * v4[4]
     + 271 * v4[3]
     + 186 * v4[2]
     + 263 * v4[1]
     + 313 * v4[0]
     + 149 * v4[20]
     + 129 * v4[21]
     + 145 * v4[30] == 510398
 , 385 * v4[29]
     + 53 * v4[28]
     + 112 * v4[27]
     + 8 * v4[26]
     + 232 * v4[25]
     + 145 * v4[24]
     + 313 * v4[23]
     + 156 * v4[22]
     + 321 * v4[21]
     + 358 * v4[20]
     + 46 * v4[19]
     + 382 * v4[18]
     + 144 * v4[16]
     + 222 * v4[14]
     + 329 * v4[13]
     + 161 * v4[12]
     + 335 * v4[11]
     + 50 * v4[10]
     + 373 * v4[9]
     + 66 * v4[8]
     + 44 * v4[7]
     + 59 * v4[6]
     + 292 * v4[5]
     + 39 * v4[4]
     + 53 * v4[3]
     + 310 * v4[0]
     + 154 * v4[1]
     + 24 * v4[2]
     + 396 * v4[15]
     + 81 * v4[17]
     + 355 * v4[30] == 558740
 , 249 * v4[29]
     + 386 * v4[28]
     + 313 * v4[27]
     + 74 * v4[26]
     + 22 * v4[25]
     + 168 * v4[24]
     + 305 * v4[21]
     + 358 * v4[20]
     + 191 * v4[19]
     + 202 * v4[18]
     + 14 * v4[15]
     + 114 * v4[14]
     + 224 * v4[13]
     + 134 * v4[12]
     + 274 * v4[11]
     + 372 * v4[10]
     + 159 * v4[9]
     + 233 * v4[8]
     + 70 * v4[7]
     + 287 * v4[6]
     + 297 * v4[5]
     + 318 * v4[4]
     + 177 * v4[3]
     + 173 * v4[2]
     + 270 * v4[1]
     + 163 * v4[0]
     + 77 * v4[16]
     + 25 * v4[17]
     + 387 * v4[22]
     + 18 * v4[23]
     + 345 * v4[30] == 592365
 , 392 * v4[29]
     + 385 * v4[28]
     + 302 * v4[27]
     + 13 * v4[25]
     + 27 * v4[24]
     + 99 * v4[22]
     + 343 * v4[19]
     + 324 * v4[18]
     + 223 * v4[17]
     + 372 * v4[16]
     + 261 * v4[15]
     + 181 * v4[14]
     + 203 * v4[13]
     + 232 * v4[12]
     + 305 * v4[11]
     + 393 * v4[10]
     + 325 * v4[9]
     + 231 * v4[8]
     + 92 * v4[7]
     + 142 * v4[6]
     + 22 * v4[5]
     + 86 * v4[4]
     + 264 * v4[3]
     + 300 * v4[2]
     + 387 * v4[1]
     + 360 * v4[0]
     + 225 * v4[20]
     + 127 * v4[21]
     + 2 * v4[23]
     + 80 * v4[26]
     + 268 * v4[30] == 619574
 , 270 * v4[28]
     + 370 * v4[27]
     + 235 * v4[26]
     + 96 * v4[22]
     + 85 * v4[20]
     + 150 * v4[19]
     + 140 * v4[18]
     + 94 * v4[17]
     + 295 * v4[16]
     + 19 * v4[14]
     + 176 * v4[12]
     + 94 * v4[11]
     + 258 * v4[10]
     + 302 * v4[9]
     + 171 * v4[8]
     + 66 * v4[7]
     + 278 * v4[6]
     + 193 * v4[5]
     + 251 * v4[4]
     + 284 * v4[3]
     + 218 * v4[2]
     + (v4[1] * 64)
     + 319 * v4[0]
     + 125 * v4[13]
     + 24 * v4[15]
     + 267 * v4[21]
     + 160 * v4[23]
     + 111 * v4[24]
     + 33 * v4[25]
     + 174 * v4[29]
     + 13 * v4[30] == 480557
 , 87 * v4[28]
     + 260 * v4[27]
     + 326 * v4[26]
     + 210 * v4[25]
     + 357 * v4[24]
     + 170 * v4[23]
     + 315 * v4[22]
     + 376 * v4[21]
     + 227 * v4[20]
     + 43 * v4[19]
     + 358 * v4[18]
     + 364 * v4[17]
     + 309 * v4[16]
     + 282 * v4[15]
     + 286 * v4[14]
     + 365 * v4[13]
     + 287 * v4[12]
     + 377 * v4[11]
     + 74 * v4[10]
     + 225 * v4[9]
     + 328 * v4[6]
     + 223 * v4[5]
     + 120 * v4[4]
     + 102 * v4[3]
     + 162 * v4[2]
     + 123 * v4[1]
     + 196 * v4[0]
     + 29 * v4[7]
     + 27 * v4[8]
     + 352 * v4[30] == 666967
 , 61 * v4[29]
     + 195 * v4[28]
     + 125 * v4[27]
     + (v4[26] * 64)
     + 260 * v4[25]
     + 202 * v4[24]
     + 116 * v4[23]
     + 230 * v4[22]
     + 326 * v4[21]
     + 211 * v4[20]
     + 371 * v4[19]
     + 353 * v4[16]
     + 124 * v4[13]
     + 188 * v4[12]
     + 163 * v4[11]
     + 140 * v4[10]
     + 51 * v4[9]
     + 262 * v4[8]
     + 229 * v4[7]
     + 100 * v4[6]
     + 113 * v4[5]
     + 158 * v4[4]
     + 378 * v4[3]
     + 365 * v4[2]
     + 207 * v4[1]
     + 277 * v4[0]
     + 190 * v4[14]
     + 320 * v4[15]
     + 347 * v4[17]
     + 11 * v4[18]
     + 137 * v4[30] == 590534
 , 39 * v4[28]
     + 303 * v4[27]
     + 360 * v4[26]
     + 157 * v4[25]
     + 324 * v4[24]
     + 77 * v4[23]
     + 308 * v4[22]
     + 313 * v4[21]
     + 87 * v4[20]
     + 201 * v4[19]
     + 50 * v4[18]
     + 60 * v4[17]
     + 28 * v4[16]
     + 193 * v4[15]
     + 184 * v4[14]
     + 205 * v4[13]
     + 140 * v4[12]
     + 311 * v4[11]
     + 304 * v4[10]
     + 35 * v4[9]
     + 356 * v4[8]
     + 23 * v4[5]
     + 85 * v4[4]
     + 156 * v4[3]
     + 16 * v4[2]
     + 26 * v4[1]
     + 157 * v4[0]
     + 150 * v4[6]
     + 72 * v4[7]
     + 58 * v4[29] == 429108
 , 157 * v4[29]
     + 137 * v4[28]
     + 71 * v4[27]
     + 269 * v4[26]
     + 161 * v4[25]
     + 317 * v4[20]
     + 296 * v4[19]
     + 385 * v4[18]
     + 165 * v4[13]
     + 159 * v4[12]
     + 132 * v4[11]
     + 296 * v4[10]
     + 162 * v4[7]
     + 254 * v4[4]
     + 172 * v4[3]
     + 132 * v4[0]
     + 369 * v4[1]
     + 257 * v4[2]
     + 134 * v4[5]
     + 384 * v4[6]
     + 53 * v4[8]
     + 255 * v4[9]
     + 229 * v4[14]
     + 129 * v4[15]
     + 23 * v4[16]
     + 41 * v4[17]
     + 112 * v4[21]
     + 17 * v4[22]
     + 222 * v4[23]
     + 96 * v4[24]
     + 126 * v4[30] == 563521
 , 207 * v4[29]
     + 83 * v4[28]
     + 111 * v4[27]
     + 35 * v4[26]
     + 67 * v4[25]
     + 138 * v4[22]
     + 223 * v4[21]
     + 142 * v4[20]
     + 154 * v4[19]
     + 111 * v4[18]
     + 341 * v4[17]
     + 175 * v4[16]
     + 259 * v4[15]
     + 225 * v4[14]
     + 26 * v4[11]
     + 334 * v4[10]
     + 250 * v4[7]
     + 198 * v4[6]
     + 279 * v4[5]
     + 301 * v4[4]
     + 193 * v4[3]
     + 334 * v4[2]
     + 134 * v4[0]
     + 37 * v4[1]
     + 183 * v4[8]
     + 5 * v4[9]
     + 270 * v4[12]
     + 21 * v4[13]
     + 275 * v4[23]
     + 48 * v4[24]
     + 163 * v4[30] == 493999
 , 393 * v4[29]
     + 176 * v4[28]
     + 105 * v4[27]
     + 162 * v4[26]
     + 148 * v4[25]
     + 281 * v4[24]
     + 300 * v4[23]
     + 342 * v4[18]
     + 262 * v4[17]
     + 152 * v4[12]
     + 43 * v4[11]
     + 296 * v4[10]
     + 273 * v4[9]
     + 75 * v4[6]
     + 18 * v4[4]
     + 217 * v4[2]
     + 132 * v4[1]
     + 112 * v4[0]
     + 210 * v4[3]
     + 72 * v4[5]
     + 113 * v4[7]
     + 40 * v4[8]
     + 278 * v4[13]
     + 24 * v4[14]
     + 77 * v4[15]
     + 11 * v4[16]
     + 55 * v4[19]
     + 255 * v4[20]
     + 241 * v4[21]
     + 13 * v4[22]
     + 356 * v4[30] == 470065
 , 369 * v4[29]
     + 231 * v4[28]
     + 285 * v4[25]
     + 290 * v4[24]
     + 297 * v4[23]
     + 189 * v4[22]
     + 390 * v4[21]
     + 345 * v4[20]
     + 153 * v4[19]
     + 114 * v4[18]
     + 251 * v4[17]
     + 340 * v4[16]
     + 44 * v4[15]
     + 58 * v4[14]
     + 335 * v4[13]
     + 359 * v4[12]
     + 392 * v4[11]
     + 181 * v4[8]
     + 103 * v4[7]
     + 229 * v4[6]
     + 175 * v4[5]
     + 208 * v4[4]
     + 92 * v4[3]
     + 397 * v4[2]
     + 349 * v4[1]
     + 356 * v4[0]
     + (v4[9] * 64)
     + 5 * v4[10]
     + 88 * v4[26]
     + 40 * v4[27]
     + 295 * v4[30] == 661276
 , 341 * v4[27]
     + 40 * v4[25]
     + 374 * v4[23]
     + 201 * v4[22]
     + 77 * v4[21]
     + 215 * v4[20]
     + 283 * v4[19]
     + 213 * v4[18]
     + 392 * v4[17]
     + 224 * v4[16]
     + v4[15]
     + 270 * v4[12]
     + 28 * v4[11]
     + 75 * v4[8]
     + 386 * v4[7]
     + 298 * v4[6]
     + 170 * v4[5]
     + 287 * v4[4]
     + 247 * v4[3]
     + 204 * v4[2]
     + 103 * v4[1]
     + 21 * v4[0]
     + 84 * v4[9]
     + 27 * v4[10]
     + 159 * v4[13]
     + 192 * v4[14]
     + 213 * v4[24]
     + 129 * v4[26]
     + 67 * v4[28]
     + 27 * v4[29]
     + 361 * v4[30] == 555288
 , 106 * v4[29]
     + 363 * v4[28]
     + 210 * v4[27]
     + 171 * v4[26]
     + 289 * v4[25]
     + 240 * v4[24]
     + 164 * v4[23]
     + 342 * v4[22]
     + 391 * v4[19]
     + 304 * v4[18]
     + 218 * v4[17]
     + 32 * v4[16]
     + 350 * v4[15]
     + 339 * v4[12]
     + 303 * v4[11]
     + 222 * v4[10]
     + 298 * v4[9]
     + 47 * v4[8]
     + 48 * v4[6]
     + 264 * v4[4]
     + 113 * v4[3]
     + 275 * v4[2]
     + 345 * v4[1]
     + 312 * v4[0]
     + 171 * v4[5]
     + 384 * v4[7]
     + 175 * v4[13]
     + 5 * v4[14]
     + 113 * v4[20]
     + 19 * v4[21]
     + 263 * v4[30] == 637650
 , 278 * v4[29]
     + 169 * v4[28]
     + 62 * v4[27]
     + 119 * v4[26]
     + 385 * v4[25]
     + 289 * v4[24]
     + 344 * v4[23]
     + 45 * v4[20]
     + 308 * v4[19]
     + 318 * v4[18]
     + 270 * v4[17]
     + v4[16]
     + 323 * v4[15]
     + 332 * v4[14]
     + 287 * v4[11]
     + 170 * v4[10]
     + 163 * v4[9]
     + 301 * v4[8]
     + 303 * v4[7]
     + 23 * v4[6]
     + 327 * v4[5]
     + 169 * v4[3]
     + 28 * v4[0]
     + 365 * v4[1]
     + 15 * v4[2]
     + 352 * v4[12]
     + 72 * v4[13]
     + 140 * v4[21]
     + 65 * v4[22]
     + 346 * v4[30] == 572609
 , 147 * v4[29]
     + 88 * v4[28]
     + 143 * v4[27]
     + 237 * v4[26]
     + 63 * v4[24]
     + 281 * v4[22]
     + 388 * v4[21]
     + 142 * v4[20]
     + 208 * v4[19]
     + 60 * v4[18]
     + 354 * v4[15]
     + 88 * v4[14]
     + 146 * v4[13]
     + 290 * v4[12]
     + 349 * v4[11]
     + 43 * v4[10]
     + 230 * v4[9]
     + 267 * v4[6]
     + 136 * v4[5]
     + 383 * v4[4]
     + 35 * v4[3]
     + 226 * v4[2]
     + 385 * v4[1]
     + 238 * v4[0]
     + 348 * v4[7]
     + 20 * v4[8]
     + 158 * v4[16]
     + 21 * v4[17]
     + 249 * v4[23]
     + 9 * v4[25]
     + 343 * v4[30] == 603481
 , 29 * v4[29]
     + 323 * v4[26]
     + 159 * v4[25]
     + 118 * v4[20]
     + 326 * v4[19]
     + 211 * v4[18]
     + 225 * v4[17]
     + 355 * v4[16]
     + 201 * v4[15]
     + 149 * v4[14]
     + 296 * v4[13]
     + 184 * v4[12]
     + 315 * v4[11]
     + 364 * v4[10]
     + 142 * v4[9]
     + 75 * v4[8]
     + 313 * v4[7]
     + 142 * v4[6]
     + 396 * v4[5]
     + 348 * v4[4]
     + 272 * v4[3]
     + 26 * v4[2]
     + 206 * v4[1]
     + 173 * v4[0]
     + 155 * v4[21]
     + 144 * v4[22]
     + 366 * v4[23]
     + 257 * v4[24]
     + 148 * v4[27]
     + 24 * v4[28]
     + 253 * v4[30] == 664504
 , 4 * v4[29]
     + 305 * v4[28]
     + 226 * v4[27]
     + 212 * v4[26]
     + 175 * v4[25]
     + 93 * v4[24]
     + 165 * v4[23]
     + 341 * v4[20]
     + 14 * v4[19]
     + 394 * v4[18]
     + (v4[17] * 256)
     + 252 * v4[16]
     + 336 * v4[15]
     + 38 * v4[14]
     + 82 * v4[13]
     + 155 * v4[12]
     + 215 * v4[11]
     + 331 * v4[10]
     + 230 * v4[9]
     + 241 * v4[8]
     + 225 * v4[7]
     + 186 * v4[4]
     + 90 * v4[3]
     + 50 * v4[2]
     + 62 * v4[1]
     + 34 * v4[0]
     + 237 * v4[5]
     + 11 * v4[6]
     + 336 * v4[21]
     + 36 * v4[22]
     + 29 * v4[30] == 473092
 , 353 * v4[29]
     + 216 * v4[28]
     + 252 * v4[27]
     + 8 * v4[26]
     + 62 * v4[25]
     + 233 * v4[24]
     + 254 * v4[23]
     + 303 * v4[22]
     + 234 * v4[21]
     + 303 * v4[20]
     + (v4[19] * 256)
     + 148 * v4[18]
     + 324 * v4[17]
     + 317 * v4[16]
     + 213 * v4[15]
     + 309 * v4[14]
     + 28 * v4[13]
     + 280 * v4[11]
     + 118 * v4[10]
     + 58 * v4[9]
     + 50 * v4[8]
     + 155 * v4[7]
     + 161 * v4[6]
     + (v4[5] * 64)
     + 303 * v4[4]
     + 76 * v4[3]
     + 43 * v4[2]
     + 109 * v4[1]
     + 102 * v4[0]
     + 93 * v4[30] == 497492
 , 89 * v4[29]
     + 148 * v4[28]
     + 82 * v4[27]
     + 53 * v4[26]
     + 274 * v4[25]
     + 220 * v4[24]
     + 202 * v4[23]
     + 123 * v4[22]
     + 231 * v4[21]
     + 169 * v4[20]
     + 278 * v4[19]
     + 259 * v4[18]
     + 208 * v4[17]
     + 219 * v4[16]
     + 371 * v4[15]
     + 181 * v4[12]
     + 104 * v4[11]
     + 392 * v4[10]
     + 285 * v4[9]
     + 113 * v4[8]
     + 298 * v4[7]
     + 389 * v4[6]
     + 322 * v4[5]
     + 338 * v4[4]
     + 237 * v4[3]
     + 234 * v4[0]
     + 261 * v4[1]
     + 10 * v4[2]
     + 345 * v4[13]
     + 3 * v4[14]
     + 361 * v4[30] == 659149
 , 361 * v4[29]
     + 359 * v4[28]
     + 93 * v4[27]
     + 315 * v4[26]
     + 69 * v4[25]
     + 137 * v4[24]
     + 69 * v4[23]
     + 58 * v4[22]
     + 300 * v4[21]
     + 371 * v4[20]
     + 264 * v4[19]
     + 317 * v4[18]
     + 215 * v4[17]
     + 155 * v4[16]
     + 215 * v4[15]
     + 330 * v4[14]
     + 239 * v4[13]
     + 212 * v4[12]
     + 88 * v4[11]
     + 82 * v4[10]
     + 354 * v4[9]
     + 85 * v4[8]
     + 310 * v4[7]
     + 84 * v4[6]
     + 374 * v4[5]
     + 380 * v4[4]
     + 215 * v4[3]
     + 351 * v4[2]
     + 141 * v4[1]
     + 115 * v4[0]
     + 108 * v4[30] == 629123,
     v4[30] == 125
]

for equation in equations:
    solver.add(equation)

if solver.check() == sat:
    model = solver.model()
    for var in v4:
        print(chr(int(str(model[var]))),end='')
else:
    print("No solution found")
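Without Z3, you can write a script that extracts the coefficients of v4 from the equations, builds the coefficient matrix A, and solves the linear system AX = b with numpy.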
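
The same idea end to end, as an added example rather than the author's script: it parses decompiler-style equations directly (including the `<<` terms, so no manual rewrite is needed), builds A and b, and solves with exact rational Gaussian elimination instead of numpy so no rounding is involved. The four-unknown system in SAMPLE is constructed for illustration, and parse_equation, solve_exact and recover are hypothetical names.

```python
import re
from fractions import Fraction

# One term of a decompiler-style linear sum, e.g.
#   "334 * v4[28]", "v4[15]", "(v4[26] << 7)", "(v4[1] * 64)"
TERM = re.compile(
    r"(?:(?P<pre>\d+)\s*\*\s*)?"                  # optional leading constant
    r"\(?\s*v4\[(?P<idx>\d+)\]\s*"                # the variable itself
    r"(?:(?P<op><<|\*)\s*(?P<post>\d+)\s*)?\)?"   # optional shift / multiply
)


def parse_equation(line, n):
    """Turn 'c0 * v4[i] + (v4[j] << k) + ... == rhs' into (row, rhs)."""
    lhs, rhs = line.split("==")
    row = [0] * n
    for term in lhs.split("+"):
        m = TERM.fullmatch(term.strip())
        if m is None:
            raise ValueError(f"unsupported term: {term.strip()!r}")
        coeff = int(m["pre"] or 1)
        if m["op"] == "<<":
            coeff *= 1 << int(m["post"])   # x << k is x * 2**k
        elif m["op"] == "*":
            coeff *= int(m["post"])
        row[int(m["idx"])] += coeff
    return row, int(rhs)


def solve_exact(A, b):
    """Gauss-Jordan elimination over the rationals for a square system."""
    n = len(A)
    if len(b) != n or any(len(r) != n for r in A):
        raise ValueError("need as many equations as unknowns")
    M = [[Fraction(x) for x in row] + [Fraction(c)] for row, c in zip(A, b)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular system: another constraint is needed")
        M[col], M[pivot] = M[pivot], M[col]
        inv = 1 / M[col][col]
        M[col] = [x * inv for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def recover(lines, n):
    """Parse the equations, solve them, and return the bytes they encode."""
    parsed = [parse_equation(line, n) for line in lines]
    sol = solve_exact([row for row, _ in parsed], [rhs for _, rhs in parsed])
    if any(x.denominator != 1 or not 0 <= x < 256 for x in sol):
        raise ValueError("solution is not a byte string; recheck the equations")
    return bytes(int(x) for x in sol)


# Constructed sample: three equations plus the pinned final '}' (125),
# mirroring the "n-1 equations + v4[last] == 125" shape of the challenge.
SAMPLE = [
    "3 * v4[0] + (v4[1] << 2) + 5 * v4[2] + 7 * v4[3] == 1801",
    "v4[0] + 2 * v4[1] + (v4[2] * 64) + 9 * v4[3] == 3562",
    "(v4[0] << 3) + 11 * v4[1] + v4[2] + 2 * v4[3] == 2348",
    "v4[3] == 125",
]

if __name__ == "__main__":
    print(recover(SAMPLE, 4))
```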
Extracting the coefficient matrix:
from sympy import symbols, Eq, solve

# Create the variables
v4 = symbols('v4[0] v4[1] v4[2] v4[3] v4[4] v4[5] v4[6] v4[7] v4[8] v4[9] v4[10] v4[11] v4[12] v4[13] v4[14] v4[15] v4[16] v4[17] v4[18] v4[19] v4[20] v4[21] v4[22] v4[23] v4[24] v4[25] v4[26] v4[27] v4[28] v4[29] v4[30]')

# Define the equations (each expression equals zero)
equations = [
    334 * v4[28] + 100 * v4[27] + 369 * v4[26] + 124 * v4[25] + 278 * v4[24] + 158 * v4[23] + 162 * v4[22] + 145 * v4[19] + 27 * v4[17] + 91 * v4[15] + 195 * v4[14] + 342 * v4[13] + 391 * v4[10] + 204 * v4[9] + 302 * v4[8] + 153 * v4[7] + 292 * v4[6] + 382 * v4[5] + 221 * v4[4] + 316 * v4[3] + 118 * v4[2] + 295 * v4[1] + 247 * v4[0] + 236 * v4[11] + 27 * v4[12] + 361 * v4[16] + 81 * v4[18] + 105 * v4[20] + 65 * v4[21] + 67 * v4[29] + 41 * v4[30] - 596119,
    371 * v4[29] + 338 * v4[28] + 269 * v4[27] + 312 * v4[26] + 67 * v4[25] + 299 * v4[24] + 235 * v4[23] + 294 * v4[22] + 303 * v4[21] + 211 * v4[20] + 122 * v4[19] + 333 * v4[18] + 341 * v4[15] + 111 * v4[14] + 253 * v4[13] + 68 * v4[12] + 347 * v4[11] + 44 * v4[10] + 262 * v4[9] + 357 * v4[8] + 323 * v4[5] + 141 * v4[4] + 329 * v4[3] + 378 * v4[2] + 316 * v4[1] + 235 * v4[0] + 59 * v4[6] + 37 * v4[7] + 264 * v4[16] + 73 * v4[17] + 126 * v4[30] - 634009,
    337 * v4[29] + 338 * v4[28] + 118 * v4[27] + 82 * v4[26] + 239 * v4[21] + 58 * v4[20] + 304 * v4[19] + 330 * v4[18] + 377 * v4[17] + 306 * v4[16] + 221 * v4[13] + 345 * v4[12] + 124 * v4[11] + 272 * v4[10] + 270 * v4[9] + 229 * v4[8] + 377 * v4[7] + 373 * v4[6] + 297 * v4[5] + 112 * v4[4] + 386 * v4[3] + 90 * v4[2] + 361 * v4[1] + 236 * v4[0] + 386 * v4[14] + 73 * v4[15] + 315 * v4[22] + 33 * v4[23] + 141 * v4[24] + 129 * v4[25] + 123 * v4[30] - 685705,
    367 * v4[29] + 55 * v4[28] + 374 * v4[27] + 150 * v4[24] + 350 * v4[23] + 141 * v4[22] + 124 * v4[21] + 366 * v4[20] + 230 * v4[19] + 307 * v4[18] + 191 * v4[17] + 153 * v4[12] + 383 * v4[11] + 145 * v4[10] + 109 * v4[9] + 209 * v4[8] + 158 * v4[7] + 221 * v4[6] + 188 * v4[5] + 22 * v4[4] + 146 * v4[3] + 306 * v4[2] + 230 * v4[1] + 13 * v4[0] + 287 * v4[13] + 257 * v4[14] + 137 * v4[15] + 7 * v4[16] + 52 * v4[25] + 31 * v4[26] + 355 * v4[30] - 557696,
    100 * v4[29] + 191 * v4[28] + 362 * v4[27] + 55 * v4[26] + 210 * v4[25] + 359 * v4[24] + 348 * v4[21] + 83 * v4[20] + 395 * v4[19] + 350 * v4[16] + 291 * v4[15] + 220 * v4[12] + 196 * v4[11] + 399 * v4[8] + 68 * v4[7] + 84 * v4[6] + 281 * v4[5] + 334 * v4[4] + 53 * v4[3] + 399 * v4[2] + 338 * v4[0] + 18 * v4[1] + 148 * v4[9] + 21 * v4[10] + 174 * v4[13] + 36 * v4[14] + 2 * v4[17] + 41 * v4[18] + 137 * v4[22] + 24 * v4[23] + 368 * v4[30] - 538535,
    188 * v4[29] + 128 * v4[26] + 93 * v4[25] + 248 * v4[24] + 83 * v4[23] + 207 * v4[22] + 217 * v4[19] + 309 * v4[16] + 16 * v4[15] + 135 * v4[14] + 251 * v4[13] + 200 * v4[12] + 49 * v4[11] + 119 * v4[10] + 356 * v4[9] + 398 * v4[8] + 303 * v4[7] + 224 * v4[6] + 208 * v4[5] + 244 * v4[4] + 209 * v4[3] + 189 * v4[2] + 302 * v4[1] + 395 * v4[0] + 314 * v4[17] + 13 * v4[18] + 310 * v4[20] + 21 * v4[21] + 67 * v4[27] + 127 * v4[28] + 100 * v4[30] - 580384,
    293 * v4[29] + 343 * v4[28] + 123 * v4[27] + 387 * v4[26] + 114 * v4[25] + 303 * v4[24] + 248 * v4[23] + 258 * v4[21] + 218 * v4[20] + 180 * v4[19] + 196 * v4[18] + 398 * v4[17] + 398 * v4[14] + 138 * v4[9] + 292 * v4[8] + 38 * v4[7] + 179 * v4[6] + 190 * v4[5] + 57 * v4[4] + 358 * v4[3] + 191 * v4[2] + 215 * v4[1] + 88 * v4[0] + 22 * v4[10] + 72 * v4[11] + 357 * v4[12] + 9 * v4[13] + 389 * v4[15] + 81 * v4[16] + 85 * v4[30] - 529847,
    311 * v4[29] + 202 * v4[28] + 234 * v4[27] + 272 * v4[26] + 55 * v4[25] + 328 * v4[24] + 246 * v4[23] + 362 * v4[22] + 86 * v4[21] + 75 * v4[20] + 142 * v4[17] + 244 * v4[16] + 216 * v4[15] + 281 * v4[14] + 398 * v4[13] + 322 * v4[12] + 251 * v4[11] + 357 * v4[8] + 76 * v4[7] + 292 * v4[6] + 389 * v4[5] + 275 * v4[4] + 312 * v4[3] + 200 * v4[2] + 110 * v4[1] + 203 * v4[0] + 99 * v4[9] + 21 * v4[10] + 269 * v4[18] + 33 * v4[19] + 356 * v4[30] - 631652,
    261 * v4[29] + 189 * v4[26] + 55 * v4[25] + 23 * v4[24] + 202 * v4[23] + 185 * v4[22] + 182 * v4[21] + 285 * v4[20] + 217 * v4[17] + 157 * v4[16] + 232 * v4[15] + 132 * v4[14] + 169 * v4[13] + 154 * v4[12] + 121 * v4[11] + 389 * v4[10] + 376 * v4[9] + 292 * v4[6] + 225 * v4[5] + 155 * v4[4] + 234 * v4[3] + 149 * v4[2] + 241 * v4[1] + 312 * v4[0] + 368 * v4[7] + 129 * v4[8] + 226 * v4[18] + 288 * v4[19] + 201 * v4[27] + 288 * v4[28] + 69 * v4[30] - 614840,
    60 * v4[29] + 118 * v4[28] + 153 * v4[27] + 139 * v4[26] + 23 * v4[25] + 279 * v4[24] + 396 * v4[23] + 287 * v4[22] + 237 * v4[19] + 266 * v4[18] + 149 * v4[17] + 193 * v4[16] + 395 * v4[15] + 97 * v4[14] + 16 * v4[13] + 286 * v4[12] + 105 * v4[11] + 88 * v4[10] + 282 * v4[9] + 55 * v4[8] + 134 * v4[7] + 114 * v4[6] + 101 * v4[5] + 116 * v4[4] + 271 * v4[3] + 186 * v4[2] + 263 * v4[1] + 313 * v4[0] + 149 * v4[20] + 129 * v4[21] + 145 * v4[30] - 510398,
    385 * v4[29] + 53 * v4[28] + 112 * v4[27] + 8 * v4[26] + 232 * v4[25] + 145 * v4[24] + 313 * v4[23] + 156 * v4[22] + 321 * v4[21] + 358 * v4[20] + 46 * v4[19] + 382 * v4[18] + 144 * v4[16] + 222 * v4[14] + 329 * v4[13] + 161 * v4[12] + 335 * v4[11] + 50 * v4[10] + 373 * v4[9] + 66 * v4[8] + 44 * v4[7] + 59 * v4[6] + 292 * v4[5] + 39 * v4[4] + 53 * v4[3] + 310 * v4[0] + 154 * v4[1] + 24 * v4[2] + 396 * v4[15] + 81 * v4[17] + 355 * v4[30] - 558740,
    249 * v4[29] + 386 * v4[28] + 313 * v4[27] + 74 * v4[26] + 22 * v4[25] + 168 * v4[24] + 305 * v4[21] + 358 * v4[20] + 191 * v4[19] + 202 * v4[18] + 14 * v4[15] + 114 * v4[14] + 224 * v4[13] + 134 * v4[12] + 274 * v4[11] + 372 * v4[10] + 159 * v4[9] + 233 * v4[8] + 70 * v4[7] + 287 * v4[6] + 297 * v4[5] + 318 * v4[4] + 177 * v4[3] + 173 * v4[2] + 270 * v4[1] + 163 * v4[0] + 77 * v4[16] + 25 * v4[17] + 387 * v4[22] + 18 * v4[23] + 345 * v4[30] - 592365,
    392 * v4[29] + 385 * v4[28] + 302 * v4[27] + 13 * v4[25] + 27 * v4[24] + 99 * v4[22] + 343 * v4[19] + 324 * v4[18] + 223 * v4[17] + 372 * v4[16] + 261 * v4[15] + 181 * v4[14] + 203 * v4[13] + 232 * v4[12] + 305 * v4[11] + 393 * v4[10] + 325 * v4[9] + 231 * v4[8] + 92 * v4[7] + 142 * v4[6] + 22 * v4[5] + 86 * v4[4] + 264 * v4[3] + 300 * v4[2] + 387 * v4[1] + 360 * v4[0] + 225 * v4[20] + 127 * v4[21] + 2 * v4[23] + 80 * v4[26] + 268 * v4[30] - 619574,
    270 * v4[28] + 370 * v4[27] + 235 * v4[26] + 96 * v4[22] + 85 * v4[20] + 150 * v4[19] + 140 * v4[18] + 94 * v4[17] + 295 * v4[16] + 19 * v4[14] + 176 * v4[12] + 94 * v4[11] + 258 * v4[10] + 302 * v4[9] + 171 * v4[8] + 66 * v4[7] + 278 * v4[6] + 193 * v4[5] + 251 * v4[4] + 284 * v4[3] + 218 * v4[2] + 64 * v4[1] + 319 * v4[0] + 125 * v4[13] + 24 * v4[15] + 267 * v4[21] + 160 * v4[23] + 111 * v4[24] + 33 * v4[25] + 174 * v4[29] + 13 * v4[30] - 480557,
    87 * v4[28] + 260 * v4[27] + 326 * v4[26] + 210 * v4[25] + 357 * v4[24] + 170 * v4[23] + 315 * v4[22] + 376 * v4[21] + 227 * v4[20] + 43 * v4[19] + 358 * v4[18] + 364 * v4[17] + 309 * v4[16] + 282 * v4[15] + 286 * v4[14] + 365 * v4[13] + 287 * v4[12] + 377 * v4[11] + 74 * v4[10] + 225 * v4[9] + 328 * v4[6] + 223 * v4[5] + 120 * v4[4] + 102 * v4[3] + 162 * v4[2] + 123 * v4[1] + 196 * v4[0] + 29 * v4[7] + 27 * v4[8] + 352 * v4[30] - 666967,
    61 * v4[29] + 195 * v4[28] + 125 * v4[27] + 64 * v4[26] + 260 * v4[25] + 202 * v4[24] + 116 * v4[23] + 230 * v4[22] + 326 * v4[21] + 211 * v4[20] + 371 * v4[19] + 353 * v4[16] + 124 * v4[13] + 188 * v4[12] + 163 * v4[11] + 140 * v4[10] + 51 * v4[9] + 262 * v4[8] + 229 * v4[7] + 100 * v4[6] + 113 * v4[5] + 158 * v4[4] + 378 * v4[3] + 365 * v4[2] + 207 * v4[1] + 277 * v4[0] + 190 * v4[14] + 320 * v4[15] + 347 * v4[17] + 11 * v4[18] + 137 * v4[30] - 590534,
    39 * v4[28] + 303 * v4[27] + 360 * v4[26] + 157 * v4[25] + 324 * v4[24] + 77 * v4[23] + 308 * v4[22] + 313 * v4[21] + 87 * v4[20] + 201 * v4[19] + 50 * v4[18] + 60 * v4[17] + 28 * v4[16] + 193 * v4[15] + 184 * v4[14] + 205 * v4[13] + 140 * v4[12] + 311 * v4[11] + 304 * v4[10] + 35 * v4[9] + 356 * v4[8] + 23 * v4[5] + 85 * v4[4] + 156 * v4[3] + 16 * v4[2] + 26 * v4[1] + 157 * v4[0] + 150 * v4[6] + 72 * v4[7] + 58 * v4[29] - 429108,
    157 * v4[29] + 137 * v4[28] + 71 * v4[27] + 269 * v4[26] + 161 * v4[25] + 317 * v4[20] + 296 * v4[19] + 385 * v4[18] + 165 * v4[13] + 159 * v4[12] + 132 * v4[11] + 296 * v4[10] + 162 * v4[7] + 254 * v4[4] + 172 * v4[3] + 132 * v4[0] + 369 * v4[1] + 257 * v4[2] + 134 * v4[5] + 384 * v4[6] + 53 * v4[8] + 255 * v4[9] + 229 * v4[14] + 129 * v4[15] + 23 * v4[16] + 41 * v4[17] + 112 * v4[21] + 17 * v4[22] + 222 * v4[23] + 96 * v4[24] + 126 * v4[30] - 563521,
    207 * v4[29] + 83 * v4[28] + 111 * v4[27] + 35 * v4[26] + 67 * v4[25] + 138 * v4[22] + 223 * v4[21] + 142 * v4[20] + 154 * v4[19] + 111 * v4[18] + 341 * v4[17] + 175 * v4[16] + 259 * v4[15] + 225 * v4[14] + 26 * v4[11] + 334 * v4[10] + 250 * v4[7] + 198 * v4[6] + 279 * v4[5] + 301 * v4[4] + 193 * v4[3] + 334 * v4[2] + 134 * v4[0] + 37 * v4[1] + 183 * v4[8] + 5 * v4[9] + 270 * v4[12] + 21 * v4[13] + 275 * v4[23] + 48 * v4[24] + 163 * v4[30] - 493999,
    393 * v4[29] + 176 * v4[28] + 105 * v4[27] + 162 * v4[26] + 148 * v4[25] + 281 * v4[24] + 300 * v4[23] + 342 * v4[18] + 262 * v4[17] + 152 * v4[12] + 43 * v4[11] + 296 * v4[10] + 273 * v4[9] + 75 * v4[6] + 18 * v4[4] + 217 * v4[2] + 132 * v4[1] + 112 * v4[0] + 210 * v4[3] + 72 * v4[5] + 113 * v4[7] + 40 * v4[8] + 278 * v4[13] + 24 * v4[14] + 77 * v4[15] + 11 * v4[16] + 55 * v4[19] + 255 * v4[20] + 241 * v4[21] + 13 * v4[22] + 356 * v4[30] - 470065,
    369 * v4[29] + 231 * v4[28] + 285 * v4[25] + 290 * v4[24] + 297 * v4[23] + 189 * v4[22] + 390 * v4[21] + 345 * v4[20] + 153 * v4[19] + 114 * v4[18] + 251 * v4[17] + 340 * v4[16] + 44 * v4[15] + 58 * v4[14] + 335 * v4[13] + 359 * v4[12] + 392 * v4[11] + 181 * v4[8] + 103 * v4[7] + 229 * v4[6] + 175 * v4[5] + 208 * v4[4] + 92 * v4[3] + 397 * v4[2] + 349 * v4[1] + 356 * v4[0] + 64 * v4[9] + 5 * v4[10] + 88 * v4[26] + 40 * v4[27] + 295 * v4[30] - 661276,
    341 * v4[27] + 40 * v4[25] + 374 * v4[23] + 201 * v4[22] + 77 * v4[21] + 215 * v4[20] + 283 * v4[19] + 213 * v4[18] + 392 * v4[17] + 224 * v4[16] + v4[15] + 270 * v4[12] + 28 * v4[11] + 75 * v4[8] + 386 * v4[7] + 298 * v4[6] + 170 * v4[5] + 287 * v4[4] + 247 * v4[3] + 204 * v4[2] + 103 * v4[1] + 21 * v4[0] + 84 * v4[9] + 27 * v4[10] + 159 * v4[13] + 192 * v4[14] + 213 * v4[24] + 129 * v4[26] + 67 * v4[28] + 27 * v4[29] + 361 * v4[30] - 555288,
    106 * v4[29] + 363 * v4[28] + 210 * v4[27] + 171 * v4[26] + 289 * v4[25] + 240 * v4[24] + 164 * v4[23] + 342 * v4[22] + 391 * v4[19] + 304 * v4[18] + 218 * v4[17] + 32 * v4[16] + 350 * v4[15] + 339 * v4[12] + 303 * v4[11] + 222 * v4[10] + 298 * v4[9] + 47 * v4[8] + 48 * v4[6] + 264 * v4[4] + 113 * v4[3] + 275 * v4[2] + 345 * v4[1] + 312 * v4[0] + 171 * v4[5] + 384 * v4[7] + 175 * v4[13] + 5 * v4[14] + 113 * v4[20] + 19 * v4[21] + 263 * v4[30] - 637650,
    278 * v4[29] + 169 * v4[28] + 62 * v4[27] + 119 * v4[26] + 385 * v4[25] + 289 * v4[24] + 344 * v4[23] + 45 * v4[20] + 308 * v4[19] + 318 * v4[18] + 270 * v4[17] + v4[16] + 323 * v4[15] + 332 * v4[14] + 287 * v4[11] + 170 * v4[10] + 163 * v4[9] + 301 * v4[8] + 303 * v4[7] + 23 * v4[6] + 327 * v4[5] + 169 * v4[3] + 28 * v4[0] + 365 * v4[1] + 15 * v4[2] + 352 * v4[12] + 72 * v4[13] + 140 * v4[21] + 65 * v4[22] + 346 * v4[30] - 572609,
    147 * v4[29] + 88 * v4[28] + 143 * v4[27] + 237 * v4[26] + 63 * v4[24] + 281 * v4[22] + 388 * v4[21] + 142 * v4[20] + 208 * v4[19] + 60 * v4[18] + 354 * v4[15] + 88 * v4[14] + 146 * v4[13] + 290 * v4[12] + 349 * v4[11] + 43 * v4[10] + 230 * v4[9] + 267 * v4[6] + 136 * v4[5] + 383 * v4[4] + 35 * v4[3] + 226 * v4[2] + 385 * v4[1] + 238 * v4[0] + 348 * v4[7] + 20 * v4[8] + 158 * v4[16] + 21 * v4[17] + 249 * v4[23] + 9 * v4[25] + 343 * v4[30] - 603481,
    29 * v4[29] + 323 * v4[26] + 159 * v4[25] + 118 * v4[20] + 326 * v4[19] + 211 * v4[18] + 225 * v4[17] + 355 * v4[16] + 201 * v4[15] + 149 * v4[14] + 296 * v4[13] + 184 * v4[12] + 315 * v4[11] + 364 * v4[10] + 142 * v4[9] + 75 * v4[8] + 313 * v4[7] + 142 * v4[6] + 396 * v4[5] + 348 * v4[4] + 272 * v4[3] + 26 * v4[2] + 206 * v4[1] + 173 * v4[0] + 155 * v4[21] + 144 * v4[22] + 366 * v4[23] + 257 * v4[24] + 148 * v4[27] + 24 * v4[28] + 253 * v4[30] - 664504,
    4 * v4[29] + 305 * v4[28] + 226 * v4[27] + 212 * v4[26] + 175 * v4[25] + 93 * v4[24] + 165 * v4[23] + 341 * v4[20] + 14 * v4[19] + 394 * v4[18] + 256 * v4[17] + 252 * v4[16] + 336 * v4[15] + 38 * v4[14] + 82 * v4[13] + 155 * v4[12] + 215 * v4[11] + 331 * v4[10] + 230 * v4[9] + 241 * v4[8] + 225 * v4[7] + 186 * v4[4] + 90 * v4[3] + 50 * v4[2] + 62 * v4[1] + 34 * v4[0] + 237 * v4[5] + 11 * v4[6] + 336 * v4[21] + 36 * v4[22] + 29 * v4[30] - 473092,
    353 * v4[29] + 216 * v4[28] + 252 * v4[27] + 8 * v4[26] + 62 * v4[25] + 233 * v4[24] + 254 * v4[23] + 303 * v4[22] + 234 * v4[21] + 303 * v4[20] + 256 * v4[19] + 148 * v4[18] + 324 * v4[17] + 317 * v4[16] + 213 * v4[15] + 309 * v4[14] + 28 * v4[13] + 280 * v4[11] + 118 * v4[10] + 58 * v4[9] + 50 * v4[8] + 155 * v4[7] + 161 * v4[6] + 64 * v4[5] + 303 * v4[4] + 76 * v4[3] + 43 * v4[2] + 109 * v4[1] + 102 * v4[0] + 93 * v4[30] - 497492,
    89 * v4[29] + 148 * v4[28] + 82 * v4[27] + 53 * v4[26] + 274 * v4[25] + 220 * v4[24] + 202 * v4[23] + 123 * v4[22] + 231 * v4[21] + 169 * v4[20] + 278 * v4[19] + 259 * v4[18] + 208 * v4[17] + 219 * v4[16] + 371 * v4[15] + 181 * v4[12] + 104 * v4[11] + 392 * v4[10] + 285 * v4[9] + 113 * v4[8] + 298 * v4[7] + 389 * v4[6] + 322 * v4[5] + 338 * v4[4] + 237 * v4[3] + 234 * v4[0] + 261 * v4[1] + 10 * v4[2] + 345 * v4[13] + 3 * v4[14] + 361 * v4[30] - 659149,
    361 * v4[29] + 359 * v4[28] + 93 * v4[27] + 315 * v4[26] + 69 * v4[25] + 137 * v4[24] + 69 * v4[23] + 58 * v4[22] + 300 * v4[21] + 371 * v4[20] + 264 * v4[19] + 317 * v4[18] + 215 * v4[17] + 155 * v4[16] + 215 * v4[15] + 330 * v4[14] + 239 * v4[13] + 212 * v4[12] + 88 * v4[11] + 82 * v4[10] + 354 * v4[9] + 85 * v4[8] + 310 * v4[7] + 84 * v4[6] + 374 * v4[5] + 380 * v4[4] + 215 * v4[3] + 351 * v4[2] + 141 * v4[1] + 115 * v4[0] + 108 * v4[30] - 629123,
]
coefficients = [[0] * 31 for _ in range(len(equations))]
constants = [0] * len(equations)
for i, equation in enumerate(equations):
    for j in range(31):
        coefficients[i][j] = equation.coeff(v4[j])
for i in range(len(equations)):
    print(coefficients[i],end=',\n')
numpy.np
import numpy as np

A = np.array([[247, 295, 118, 316, 221, 382, 292, 153, 302, 204, 391, 236, 27, 342, 195, 91, 361, 27, 81, 145, 105, 65, 162, 158, 278, 124, 369, 100, 334, 67, 41],
[235, 316, 378, 329, 141, 323, 59, 37, 357, 262, 44, 347, 68, 253, 111, 341, 264, 73, 333, 122, 211, 303, 294, 235, 299, 67, 312, 269, 338, 371, 126],
[236, 361, 90, 386, 112, 297, 373, 377, 229, 270, 272, 124, 345, 221, 386, 73, 306, 377, 330, 304, 58, 239, 315, 33, 141, 129, 82, 118, 338, 337, 123],
[13, 230, 306, 146, 22, 188, 221, 158, 209, 109, 145, 383, 153, 287, 257, 137, 7, 191, 307, 230, 366, 124, 141, 350, 150, 52, 31, 374, 55, 367, 355],
[338, 18, 399, 53, 334, 281, 84, 68, 399, 148, 21, 196, 220, 174, 36, 291, 350, 2, 41, 395, 83, 348, 137, 24, 359, 210, 55, 362, 191, 100, 368],
[395, 302, 189, 209, 244, 208, 224, 303, 398, 356, 119, 49, 200, 251, 135, 16, 309, 314, 13, 217, 310, 21, 207, 83, 248, 93, 128, 67, 127, 188, 100],
[88, 215, 191, 358, 57, 190, 179, 38, 292, 138, 22, 72, 357, 9, 398, 389, 81, 398, 196, 180, 218, 258, 0, 248, 303, 114, 387, 123, 343, 293, 85],
[203, 110, 200, 312, 275, 389, 292, 76, 357, 99, 21, 251, 322, 398, 281, 216, 244, 142, 269, 33, 75, 86, 362, 246, 328, 55, 272, 234, 202, 311, 356],
[312, 241, 149, 234, 155, 225, 292, 368, 129, 376, 389, 121, 154, 169, 132, 232, 157, 217, 226, 288, 285, 182, 185, 202, 23, 55, 189, 201, 288, 261, 69],
[313, 263, 186, 271, 116, 101, 114, 134, 55, 282, 88, 105, 286, 16, 97, 395, 193, 149, 266, 237, 149, 129, 287, 396, 279, 23, 139, 153, 118, 60, 145],
[310, 154, 24, 53, 39, 292, 59, 44, 66, 373, 50, 335, 161, 329, 222, 396, 144, 81, 382, 46, 358, 321, 156, 313, 145, 232, 8, 112, 53, 385, 355],
[163, 270, 173, 177, 318, 297, 287, 70, 233, 159, 372, 274, 134, 224, 114, 14, 77, 25, 202, 191, 358, 305, 387, 18, 168, 22, 74, 313, 386, 249, 345],
[360, 387, 300, 264, 86, 22, 142, 92, 231, 325, 393, 305, 232, 203, 181, 261, 372, 223, 324, 343, 225, 127, 99, 2, 27, 13, 80, 302, 385, 392, 268],
[319, 64, 218, 284, 251, 193, 278, 66, 171, 302, 258, 94, 176, 125, 19, 24, 295, 94, 140, 150, 85, 267, 96, 160, 111, 33, 235, 370, 270, 174, 13],
[196, 123, 162, 102, 120, 223, 328, 29, 27, 225, 74, 377, 287, 365, 286, 282, 309, 364, 358, 43, 227, 376, 315, 170, 357, 210, 326, 260, 87, 0, 352],
[277, 207, 365, 378, 158, 113, 100, 229, 262, 51, 140, 163, 188, 124, 190, 320, 353, 347, 11, 371, 211, 326, 230, 116, 202, 260, 64, 125, 195, 61, 137],
[157, 26, 16, 156, 85, 23, 150, 72, 356, 35, 304, 311, 140, 205, 184, 193, 28, 60, 50, 201, 87, 313, 308, 77, 324, 157, 360, 303, 39, 58, 0],
[132, 369, 257, 172, 254, 134, 384, 162, 53, 255, 296, 132, 159, 165, 229, 129, 23, 41, 385, 296, 317, 112, 17, 222, 96, 161, 269, 71, 137, 157, 126],
[134, 37, 334, 193, 301, 279, 198, 250, 183, 5, 334, 26, 270, 21, 225, 259, 175, 341, 111, 154, 142, 223, 138, 275, 48, 67, 35, 111, 83, 207, 163],
[112, 132, 217, 210, 18, 72, 75, 113, 40, 273, 296, 43, 152, 278, 24, 77, 11, 262, 342, 55, 255, 241, 13, 300, 281, 148, 162, 105, 176, 393, 356],
[356, 349, 397, 92, 208, 175, 229, 103, 181, 64, 5, 392, 359, 335, 58, 44, 340, 251, 114, 153, 345, 390, 189, 297, 290, 285, 88, 40, 231, 369, 295],
[21, 103, 204, 247, 287, 170, 298, 386, 75, 84, 27, 28, 270, 159, 192, 1, 224, 392, 213, 283, 215, 77, 201, 374, 213, 40, 129, 341, 67, 27, 361],
[312, 345, 275, 113, 264, 171, 48, 384, 47, 298, 222, 303, 339, 175, 5, 350, 32, 218, 304, 391, 113, 19, 342, 164, 240, 289, 171, 210, 363, 106, 263],
[28, 365, 15, 169, 0, 327, 23, 303, 301, 163, 170, 287, 352, 72, 332, 323, 1, 270, 318, 308, 45, 140, 65, 344, 289, 385, 119, 62, 169, 278, 346],
[238, 385, 226, 35, 383, 136, 267, 348, 20, 230, 43, 349, 290, 146, 88, 354, 158, 21, 60, 208, 142, 388, 281, 249, 63, 9, 237, 143, 88, 147, 343],
[173, 206, 26, 272, 348, 396, 142, 313, 75, 142, 364, 315, 184, 296, 149, 201, 355, 225, 211, 326, 118, 155, 144, 366, 257, 159, 323, 148, 24, 29, 253],
[34, 62, 50, 90, 186, 237, 11, 225, 241, 230, 331, 215, 155, 82, 38, 336, 252, 256, 394, 14, 341, 336, 36, 165, 93, 175, 212, 226, 305, 4, 29],
[102, 109, 43, 76, 303, 64, 161, 155, 50, 58, 118, 280, 0, 28, 309, 213, 317, 324, 148, 256, 303, 234, 303, 254, 233, 62, 8, 252, 216, 353, 93],
[234, 261, 10, 237, 338, 322, 389, 298, 113, 285, 392, 104, 181, 345, 3, 371, 219, 208, 259, 278, 169, 231, 123, 202, 220, 274, 53, 82, 148, 89, 361],
[115, 141, 351, 215, 380, 374, 84, 310, 85, 354, 82, 88, 212, 239, 330, 215, 155, 215, 317, 264, 371, 300, 58, 69, 137, 69, 315, 93, 359, 361, 108],
[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]])

b = np.array([596119,634009,685705,557696,538535,580384,529847,631652,614840,510398,558740,592365,619574,480557,666967,590534,429108,563521,493999,470065,661276,555288,637650,572609,603481,664504,473092,497492,659149,629123,125])
ans = np.linalg.solve(A, b)
for i in ans:
    print(chr(round(i)),end='')

flag

moectf{y0u_s0lv3d_Equati0ns!!!}

RRRRRc4

Locate the key function through its strings; the result of the analysis is shown below
img

exp

from Crypto.Cipher import ARC4

key = b'moectf2023'
a = [
  0x1B, 0x9B, 0xFB, 0x19, 0x06, 0x6A, 0xB5, 0x3B, 0x7C, 0xBA, 
  0x03, 0xF3, 0x91, 0xB8, 0xB6, 0x3D, 0x8A, 0xC1, 0x48, 0x2E, 
  0x50, 0x11, 0xE7, 0xC7, 0x4F, 0xB1, 0x27, 0xCF, 0xF3, 0xAE, 
  0x03, 0x09, 0xB2, 0x08, 0xFB, 0xDC, 0x22]

enc = b''.join([bytes([i]) for i in a])
rc4 = ARC4.new(key)
decrypted_data = rc4.decrypt(enc)
print(decrypted_data.decode('utf-8'))
#moectf{y0u_r3a11y_understand_rc4!!!!}

flag

moectf{y0u_r3a11y_understand_rc4!!!!}
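The same decryption without pycryptodome, as an added example (not part of the original write-up): a plain-Python RC4 whose key-scheduling and keystream loops are the structure to look for when identifying the cipher in a decompiled function. The function names are my own; the key and ciphertext are the ones given above.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes with standard RC4."""
    # KSA: start from the identity permutation 0..255 and shuffle it with the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # PRGA: keep swapping and emit one byte of the permutation per step.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is a XOR with the keystream, so both are identical."""
    keystream = rc4_keystream(key, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


# Key and ciphertext taken from the exp above.
KEY = b"moectf2023"
ENC = bytes.fromhex(
    "1B 9B FB 19 06 6A B5 3B 7C BA"
    "03 F3 91 B8 B6 3D 8A C1 48 2E"
    "50 11 E7 C7 4F B1 27 CF F3 AE"
    "03 09 B2 08 FB DC 22"
)

if __name__ == "__main__":
    print(rc4(KEY, ENC))
```

A 256-iteration initialisation loop followed by swap-and-index arithmetic modulo 256 is usually enough to recognise RC4 in a decompilation, even when the symbols are stripped.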

SMC

Look at the main function and follow sub_4011E0
img
Typical SMC (self-modifying code)
img
img
Patch it with IDAPython

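import idc

addr = 0x4014D0  # start of the XOR-encoded function body
for i in range(122):  # number of encoded bytes
    b = idc.get_bytes(addr + i, 1)
    idc.patch_byte(addr + i, ord(b) ^ 0x66)  # undo the XOR with 0x66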

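Select the range 4014D0-401550 and press C to convert it to code.
Then select everything from 4014D0 that is marked in red and press P to create a function.
Press F5 to decompile and get the encryption function, then extract byte_40A000 and write a script to decrypt it.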
img

exp

enc = [
  0x9F, 0x91, 0xA7, 0xA5, 0x94, 0xA6, 0x8D, 0xB5, 0xA7, 0x9C, 
  0xA6, 0xA1, 0xBF, 0x91, 0xA4, 0x53, 0xA6, 0x53, 0xA5, 0xA3, 
  0x94, 0x9B, 0x91, 0x9E, 0x8F]
flag = ''
for i in enc:
    flag += chr((i ^ 0x39) - 57)
print(flag)
#moectf{Self_Mod1f1cation}

flag

moectf{Self_Mod1f1cation}

junk_code

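Locate the main function: the flag is 36 characters long, the first 18 are encrypted by sub_45A9A0 and the last 18 by sub_459EBF. Both functions are just a jump marked in red, so there are probably junk instructions.
img
Follow the jumps to 0x4605D0 and 0x460750 and look at the assembly.
First, there is an abnormal jump here; just NOP it.
img
After NOPing it, press P at 0x4605D0 to create a function.
img
At 0x460750 there is an absolute jump that lands in an abnormal location; NOP it as well.
img
Likewise, press P at 0x460750 to create a function.
img
0x4605D0 encrypts the first 18 characters: each ASCII code is decreased by 5.
img
0x460750 encrypts the last 18 characters: each one is XORed with 0x66.
img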

exp

enc1 = 'hj`^oavt+pZm`h+q._'
flag = ''
for i in enc1:
    flag += chr(ord(i) + 5)
enc2 = [
  0x39, 0x12, 0x0E, 0x55, 0x39, 0x0C, 0x13, 0x08, 0x0D, 0x39, 
  0x05, 0x56, 0x02, 0x55, 0x47, 0x47, 0x47, 0x1B]
for i in enc2:
    flag += chr(i ^ 0x66)
print(flag)
#moectf{y0u_rem0v3d_th3_junk_c0d3!!!}

flag

moectf{y0u_rem0v3d_th3_junk_c0d3!!!}

RUST

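At first I could not run it because my libc version was too old. I reported this to the challenge author, who compiled a build for the older version for me the very next day.
He really did that, I'm moved to tears 😭
First run it and look at the output.
img
Analysis in IDA: it starts with a long block of input prompts and a check that the length is 30.
Then a 30-element array is initialized.
img
Dynamic debugging shows that the first while loop does nothing useful; v55 takes one character of the input flag on each iteration.
img
img
Then comes the second while loop: v33 takes one element of v43 on each iteration, and v28 takes one character of the input flag.
img
v33 is compared with v28 xor 136.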

exp

enc = [
  0xE5, 0xE7, 0xED, 0xEB, 0xFC, 0xEE, 0xF3, 0xDA, 0xFD, 0xFB, 
  0xFC, 0xD7, 0xFA, 0xED, 0xFE, 0xD7, 0xFF, 0xE1, 0xE4, 0xE4, 
  0xD7, 0xEA, 0xED, 0xD7, 0xE9, 0xFF, 0xEE, 0xFD, 0xB9, 0xF5
]
flag = ''
for i in enc:
    flag += chr(i ^ 136)
print(flag)
#moectf{Rust_rev_will_be_awfu1}

img

flag

moectf{Rust_rev_will_be_awfu1}

ezandroid

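Open it in jadx-gui and locate MainActivity.
It calls check in ezandroid; the flag length is 23.
img
Rename the apk file to .zip, then find libezandroid.so in \ezandroid\lib\x86_64.
Open the .so file in IDA and go straight to the JNI_OnLoad function to get the maze.
img
Other functions also contain mazes, but they are all fake.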

***************
***@***********
***.***********
*...****#..****
*.********.****
*.****.....****
*.****.********
*......********
***************
#ssaassssdddddwwddddwwaa

flag

moectf{ssaassssdddddwwddddwwaa}
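The path can also be recovered automatically instead of by hand. This added example (not from the original write-up) runs a breadth-first search over the maze text shown above, assuming that '@' is the start, '#' is the goal, '*' is a wall, and w/a/s/d mean up/left/down/right.

```python
from collections import deque

# Maze copied from the write-up: '@' start, '#' goal, '.' open, '*' wall.
MAZE = """\
***************
***@***********
***.***********
*...****#..****
*.********.****
*.****.....****
*.****.********
*......********
***************"""

# Assumed key mapping; it is consistent with the path given in the write-up.
MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}


def find(grid, ch):
    """Return (row, col) of the first cell holding ch."""
    for r, row in enumerate(grid):
        c = row.find(ch)
        if c != -1:
            return r, c
    raise ValueError(f"{ch!r} not in maze")


def solve(maze_text):
    """Breadth-first search; returns the shortest w/a/s/d path or None."""
    grid = maze_text.splitlines()
    start, goal = find(grid, "@"), find(grid, "#")
    queue = deque([(start, "")])
    seen = {start}
    while queue:
        (r, c), path = queue.popleft()
        if (r, c) == goal:
            return path
        for key, (dr, dc) in MOVES.items():
            nr, nc = r + dr, c + dc
            in_bounds = 0 <= nr < len(grid) and 0 <= nc < len(grid[nr])
            if in_bounds and grid[nr][nc] != "*" and (nr, nc) not in seen:
                seen.add((nr, nc))
                queue.append(((nr, nc), path + key))
    return None  # goal not reachable, e.g. one of the decoy mazes


if __name__ == "__main__":
    path = solve(MAZE)
    print(path, len(path))
```

The length of the returned path can be checked against the flag length of 23 reported by the Java side, which helps tell the real maze from the decoys.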

GUI

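Run it first and take a look.
img
Open it in IDA and look at the WinMain function: there is nothing valuable there, but note that there is a process.
img
Follow it.
img
The encryption function is shown below; dynamic debugging shows that it is simply (- 5) ^ 0x51.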
img

exp

enc = [
  0x39, 0x3B, 0x31, 0x0F, 0x3E, 
  0x30, 0x27, 0x13, 0x01, 0x7D, 
  0x70, 0x70, 0x03, 0x7D, 0x38, 
  0x0E, 0x7A, 0x23, 0x7C, 0x0B, 
  0x1A, 0x3C, 0x7D, 0x39, 0x7F, 
  0x3C, 0x4D, 0x4D, 0x4D, 0x29]
flag = ''
for i in enc:
    flag += chr((i ^ 0x51) + 5)
print(flag)
#moectf{GU1&&W1nd0w2_Pr1m3r!!!}

img

flag

moectf{GU1&&W1nd0w2_Pr1m3r!!!}

posted @ 2023-08-26 17:19  Tree_24