写了逆向方向5/7个题

Base64

改变过的base64,在base64 8 -> 6 寻址前加了个凯撒

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include<stdio.h>
#include<stdint.h>
#include<string.h>
#include<stdlib.h>
void b64_decode(uint8_t* input, uint8_t* output) {
	uint32_t len = 0;
	while (input[len] != 0) len++;
	uint8_t flen = len / 4;
	uint32_t i;
	uint8_t basebox[] = "GLp/+Wn7uqX8FQ2JDR1c0M6U53sjBwyxglmrCVdSThAfEOvPHaYZNzo4ktK9iebI";
	uint8_t b64unbox[0x100] = { 0 };
	for (i = 0; i < 64; i++)
	{
		b64unbox[basebox[i]] = i;
	}
	b64unbox['='] = 0;
	unsigned char a[100] = { 0 };
	unsigned char* b = a;
	for (i = 0; i < len; i++)
	{
		a[i] = b64unbox[input[i]];
		a[i] = (a[i] + 40) % 64;
	}
	printf("i=%d\n", i);
	printf("flen=%d\n", flen);

	for (i = 0; i < flen; i++)
	{

		output[i * 3] = ((a[i * 4]) << 2) | ((a[i * 4 + 1]) >> 4);
		output[i * 3 + 1] = ((a[i * 4 + 1]) << 4) | (a[i * 4 + 2] >> 2);
		output[i * 3 + 2] = (a[i * 4 + 2] << 6) | (a[i * 4 + 3]);
	}
	output[i * 3 - 1] = 0;
}
int main() { 
	uint8_t* input = "AwLdOEVEhIWtajB2CbCWCbTRVsFFC8hirfiXC9gWH9HQayCJVbB8CIF=";
	uint8_t* intoutput = malloc(0x100);
	b64_decode(input, intoutput);
	printf("%s", intoutput);
	//HZNUCTF{ad162c-2d94-434d-9222-b65dc76a32}
	return;
}

XTEA

是xtea

1
2
3
4
5
6
srand(0x7E8u);
sub_7FF754A41181();
sub_7FF754A411A9("Welcome to HZNUCTF!!!\n");
sub_7FF754A411A9("Plz input the cipher:\n");
v10 = 0;
if ( sub_7FF754A41217("%d", &v10) == 1 )

开头让自己输入一个delta,根据这题提示misc?并且还有一个很奇怪的解压密码,能猜出来解压密码就是delta并且解压密码其实就是标准xtea的delta,key是随机数做出来的,随机数的srand就在开头,注意到这句代码下还有一个未知函数

1
2
3
4
5
6
void sub_7FF754A42130()
{
  sub_7FF754A413A2(&unk_7FF754A520A7);
  if ( isd() )
    srand(0x7E9u);
}

反调试改变key,那么就可以解密了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
#include<stdio.h>
#include<stdint.h>
#include<string.h>
#include<stdlib.h>
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4], unsigned int a1) {
	unsigned int* result; // rax
	unsigned int v5; // [rsp+24h] [rbp+4h]
	unsigned int v6; // [rsp+44h] [rbp+24h]
	unsigned int v7; // [rsp+64h] [rbp+44h]
	int i; // [rsp+84h] [rbp+64h]

	v5 = v[0];
	v6 = v[1];
	v7 = 0;
	for (i = 0; i < 32; i++)
	{
		v7 -= a1;
	}
	for (i = 0; i < 32; ++i)
	{
		v6 -= (key[(v7 >> 11) & 3] + v7) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));
		v7 += a1;
		v5 -= (key[v7 & 3] + v7) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));
	}
	v[0] = v5;
	v[1] = v6;
}
int main() {
	unsigned int flag[8] = {
		0x8CCB2324, 0x09A7741A, 0xFB3C678D, 0xF6083A79, 0xF1CC241B, 0x39FA59F2, 0xF2ABE1CC, 0x17189F72
	};
	unsigned int flag1[8] = {
		0x95645282, 0x73E66F8D, 0xDA948666, 0xEB4B1C9A, 0x6FC4FB97, 0xC787553D, 0xAA16C12B, 0x30138D36
	};
	srand(0x7e8);
	unsigned int key[4] = { 0 };
	for (int i = 0; i < 4; i++)
	{
		key[i] = rand();
	}

	unsigned int* pf;
	unsigned char a[33] = { 0 };
	int i = 0;

	for (i = 7; i > 0; i--)
	{
		pf = &flag[i];
		decipher(32, &flag[i - 1], key, 0x9E3779B9);
	}
	for (int k = 0; k < 8; k++) {
		a[k * 4] = (flag[k] >> 24);
		a[k * 4 + 1] = (flag[k] >> 16);
		a[k * 4 + 2] = (flag[k] >> 8);
		a[k * 4 + 3] = (flag[k]);
	}
	printf("%s\n", a);
	//HZNUCTF{ae6-9f57-4b74-b423-98eb}
	return;
}

水果忍者

unity游戏,可以在dnspy里看看Fruit Ninja_Data->Managed->Assembly-CSharp.dll用dnspy打开

在gamemanager中有一段代码在检测分数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
public void IncreaseScore(int points)
{
    this.score += points;
    this.scoreText.text = this.score.ToString();
    if (this.score >= 999999999)
    {
        byte[] cipherText = this.ConvertHexStringToByteArray(GameManager.encryptedHexData);
        string text = this.Decrypt(cipherText, GameManager.encryptionKey, GameManager.iv);
        if (this.decryptedTextDisplay != null)
        {
            this.decryptedTextDisplay.text = text;
        }
    }
    else if (this.decryptedTextDisplay != null)
    {
        this.decryptedTextDisplay.text = "";
    }
    float num = PlayerPrefs.GetFloat("hiscore", 0f);
    if ((float)this.score > num)
    {
        num = (float)this.score;
        PlayerPrefs.SetFloat("hiscore", num);
    }
}
private string Decrypt(byte[] cipherText, string key, string iv)
{
    string result;
    using (Aes aes = Aes.Create())
        // Token: 0x04000015 RID: 21
        private static readonly string encryptionKey = "HZNUHZNUHZNUHZNU";

    // Token: 0x04000016 RID: 22
    private static readonly string iv = "0202005503081501";

    // Token: 0x04000017 RID: 23
    private static readonly string encryptedHexData = "cecadff28e93aa5d6f65128ae33e734d3f47b4b8a050d326c534a732d51b96e2a6a80dca0d5a704a216c2e0c3cc6aaaf";

可以看到分数大于999999999会有自解密并且弹出,两个方法,1.ce改分数(我试过改了也没有弹不知为什么),2.自己解密,厨子一把锁HZNUCTF{de20-70dd-4e62-b8d0-06e}

蛇年的本名语言

python逆向

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# uncompyle6 version 3.9.2
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.8.8 (tags/v3.8.8:024d805, Feb 19 2021, 13:18:16) [MSC v.1928 64 bit (AMD64)]
# Embedded file name: output.py
from collections import Counter
print("Welcome to HZNUCTF!!!")
print("Plz input the flag:")
a1 = input()
a2 = Counter(a1)
O0o00 = "".join((str(a2[i]) for i in a1))
print("ans1: ", end="")
print(O0o00)
            #HZNUCTF{16                         }
if O0o00 != "111111116257645365477364777645752361":
    print("wrong_wrong!!!")
    exit(1)
iiIII = ""
for i in a1:
    if a2[i] > 0:
        iiIII += i + str(a2[i])
        a2[i] = 0
    else:
        flag = [ord(i) for i in iiIII]
        result = [
         7 * flag[0] == 504,
         9 * flag[0] - 5 * flag[1] == 403,
         2 * flag[0] - 5 * flag[1] + 10 * flag[2] == 799,
         3 * flag[0] + 8 * flag[1] + 15 * flag[2] + 20 * flag[3] == 2938,
         5 * flag[0] + 15 * flag[1] + 20 * flag[2] - 19 * flag[3] + 1 * flag[4] == 2042,
         7 * flag[0] + 1 * flag[1] + 9 * flag[2] - 11 * flag[3] + 2 * flag[4] + 5 * flag[5] == 1225,
         11 * flag[0] + 22 * flag[1] + 33 * flag[2] + 44 * flag[3] + 55 * flag[4] + 66 * flag[5] - 77 * flag[6] == 7975,
         21 * flag[0] + 23 * flag[1] + 3 * flag[2] + 24 * flag[3] - 55 * flag[4] + 6 * flag[5] - 7 * flag[6] + 15 * flag[7] == 229,
         2 * flag[0] + 26 * flag[1] + 13 * flag[2] + 0 * flag[3] - 65 * flag[4] + 15 * flag[5] + 29 * flag[6] + 1 * flag[7] + 20 * flag[8] == 2107,
         10 * flag[0] + 7 * flag[1] + -9 * flag[2] + 6 * flag[3] + 7 * flag[4] + 1 * flag[5] + 22 * flag[6] + 21 * flag[7] - 22 * flag[8] + 30 * flag[9] == 4037,
         15 * flag[0] + 59 * flag[1] + 56 * flag[2] + 66 * flag[3] + 7 * flag[4] + 1 * flag[5] - 122 * flag[6] + 21 * flag[7] + 32 * flag[8] + 3 * flag[9] - 10 * flag[10] == 4950,
         13 * flag[0] + 66 * flag[1] + 29 * flag[2] + 39 * flag[3] - 33 * flag[4] + 13 * flag[5] - 2 * flag[6] + 42 * flag[7] + 62 * flag[8] + 1 * flag[9] - 10 * flag[10] + 11 * flag[11] == 12544,
         23 * flag[0] + 6 * flag[1] + 29 * flag[2] + 3 * flag[3] - 3 * flag[4] + 63 * flag[5] - 25 * flag[6] + 2 * flag[7] + 32 * flag[8] + 1 * flag[9] - 10 * flag[10] + 11 * flag[11] - 12 * flag[12] == 6585,
         223 * flag[0] + 6 * flag[1] - 29 * flag[2] - 53 * flag[3] - 3 * flag[4] + 3 * flag[5] - 65 * flag[6] + 0 * flag[7] + 36 * flag[8] + 1 * flag[9] - 15 * flag[10] + 16 * flag[11] - 18 * flag[12] + 13 * flag[13] == 6893,
         29 * flag[0] + 13 * flag[1] - 9 * flag[2] - 93 * flag[3] + 33 * flag[4] + 6 * flag[5] + 65 * flag[6] + 1 * flag[7] - 36 * flag[8] + 0 * flag[9] - 16 * flag[10] + 96 * flag[11] - 68 * flag[12] + 33 * flag[13] - 14 * flag[14] == 1883,
         69 * flag[0] + 77 * flag[1] - 93 * flag[2] - 12 * flag[3] + 0 * flag[4] + 0 * flag[5] + 1 * flag[6] + 16 * flag[7] + 36 * flag[8] + 6 * flag[9] + 19 * flag[10] + 66 * flag[11] - 8 * flag[12] + 38 * flag[13] - 16 * flag[14] + 15 * flag[15] == 8257,
         23 * flag[0] + 2 * flag[1] - 3 * flag[2] - 11 * flag[3] + 12 * flag[4] + 24 * flag[5] + 1 * flag[6] + 6 * flag[7] + 14 * flag[8] - 0 * flag[9] + 1 * flag[10] + 68 * flag[11] - 18 * flag[12] + 68 * flag[13] - 26 * flag[14] + 15 * flag[15] - 16 * flag[16] == 5847,
         24 * flag[0] + 0 * flag[1] - 1 * flag[2] - 15 * flag[3] + 13 * flag[4] + 4 * flag[5] + 16 * flag[6] + 67 * flag[7] + 146 * flag[8] - 50 * flag[9] + 16 * flag[10] + 6 * flag[11] - 1 * flag[12] + 69 * flag[13] - 27 * flag[14] + 45 * flag[15] - 6 * flag[16] + 17 * flag[17] == 18257,
         25 * flag[0] + 26 * flag[1] - 89 * flag[2] + 16 * flag[3] + 19 * flag[4] + 44 * flag[5] + 36 * flag[6] + 66 * flag[7] - 150 * flag[8] - 250 * flag[9] + 166 * flag[10] + 126 * flag[11] - 11 * flag[12] + 690 * flag[13] - 207 * flag[14] + 46 * flag[15] + 6 * flag[16] + 7 * flag[17] - 18 * flag[18] == 12591,
         5 * flag[0] + 26 * flag[1] + 8 * flag[2] + 160 * flag[3] + 9 * flag[4] - 4 * flag[5] + 36 * flag[6] + 6 * flag[7] - 15 * flag[8] - 20 * flag[9] + 66 * flag[10] + 16 * flag[11] - 1 * flag[12] + 690 * flag[13] - 20 * flag[14] + 46 * flag[15] + 6 * flag[16] + 7 * flag[17] - 18 * flag[18] + 19 * flag[19] == 52041,
         29 * flag[0] - 26 * flag[1] + 0 * flag[2] + 60 * flag[3] + 90 * flag[4] - 4 * flag[5] + 6 * flag[6] + 6 * flag[7] - 16 * flag[8] - 21 * flag[9] + 69 * flag[10] + 6 * flag[11] - 12 * flag[12] + 69 * flag[13] - 20 * flag[14] - 46 * flag[15] + 65 * flag[16] + 0 * flag[17] - 1 * flag[18] + 39 * flag[19] - 20 * flag[20] == 20253,
         45 * flag[0] - 56 * flag[1] + 10 * flag[2] + 650 * flag[3] - 900 * flag[4] + 44 * flag[5] + 66 * flag[6] - 6 * flag[7] - 6 * flag[8] - 21 * flag[9] + 9 * flag[10] - 6 * flag[11] - 12 * flag[12] + 69 * flag[13] - 2 * flag[14] - 406 * flag[15] + 651 * flag[16] + 2 * flag[17] - 10 * flag[18] + 69 * flag[19] - 0 * flag[20] + 21 * flag[21] == 18768,
         555 * flag[0] - 6666 * flag[1] + 70 * flag[2] + 510 * flag[3] - 90 * flag[4] + 499 * flag[5] + 66 * flag[6] - 66 * flag[7] - 610 * flag[8] - 221 * flag[9] + 9 * flag[10] - 23 * flag[11] - 102 * flag[12] + 6 * flag[13] + 2050 * flag[14] - 406 * flag[15] + 665 * flag[16] + 333 * flag[17] + 100 * flag[18] + 609 * flag[19] + 777 * flag[20] + 201 * flag[21] - 22 * flag[22] == 111844,
         1 * flag[0] - 22 * flag[1] + 333 * flag[2] + 4444 * flag[3] - 5555 * flag[4] + 6666 * flag[5] - 666 * flag[6] + 676 * flag[7] - 660 * flag[8] - 22 * flag[9] + 9 * flag[10] - 73 * flag[11] - 107 * flag[12] + 6 * flag[13] + 250 * flag[14] - 6 * flag[15] + 65 * flag[16] + 39 * flag[17] + 10 * flag[18] + 69 * flag[19] + 777 * flag[20] + 201 * flag[21] - 2 * flag[22] + 23 * flag[23] == 159029,
         520 * flag[0] - 222 * flag[1] + 333 * flag[2] + 4 * flag[3] - 56655 * flag[4] + 6666 * flag[5] + 666 * flag[6] + 66 * flag[7] - 60 * flag[8] - 220 * flag[9] + 99 * flag[10] + 73 * flag[11] + 1007 * flag[12] + 7777 * flag[13] + 2500 * flag[14] + 6666 * flag[15] + 605 * flag[16] + 390 * flag[17] + 100 * flag[18] + 609 * flag[19] + 99999 * flag[20] + 210 * flag[21] + 232 * flag[22] + 23 * flag[23] - 24 * flag[24] == 2762025,
         1323 * flag[0] - 22 * flag[1] + 333 * flag[2] + 4 * flag[3] - 55 * flag[4] + 666 * flag[5] + 666 * flag[6] + 66 * flag[7] - 660 * flag[8] - 220 * flag[9] + 99 * flag[10] + 3 * flag[11] + 100 * flag[12] + 777 * flag[13] + 2500 * flag[14] + 6666 * flag[15] + 605 * flag[16] + 390 * flag[17] + 100 * flag[18] + 609 * flag[19] + 9999 * flag[20] + 210 * flag[21] + 232 * flag[22] + 23 * flag[23] - 24 * flag[24] + 25 * flag[25] == 1551621,
         777 * flag[0] - 22 * flag[1] + 6969 * flag[2] + 4 * flag[3] - 55 * flag[4] + 666 * flag[5] - 6 * flag[6] + 96 * flag[7] - 60 * flag[8] - 220 * flag[9] + 99 * flag[10] + 3 * flag[11] + 100 * flag[12] + 777 * flag[13] + 250 * flag[14] + 666 * flag[15] + 65 * flag[16] + 90 * flag[17] + 100 * flag[18] + 609 * flag[19] + 999 * flag[20] + 21 * flag[21] + 232 * flag[22] + 23 * flag[23] - 24 * flag[24] + 25 * flag[25] - 26 * flag[26] == 948348,
         97 * flag[0] - 22 * flag[1] + 6969 * flag[2] + 4 * flag[3] - 56 * flag[4] + 96 * flag[5] - 6 * flag[6] + 96 * flag[7] - 60 * flag[8] - 20 * flag[9] + 99 * flag[10] + 3 * flag[11] + 10 * flag[12] + 707 * flag[13] + 250 * flag[14] + 666 * flag[15] + -9 * flag[16] + 90 * flag[17] + -2 * flag[18] + 609 * flag[19] + 0 * flag[20] + 21 * flag[21] + 2 * flag[22] + 23 * flag[23] - 24 * flag[24] + 25 * flag[25] - 26 * flag[26] + 27 * flag[27] == 777044,
         177 * flag[0] - 22 * flag[1] + 699 * flag[2] + 64 * flag[3] - 56 * flag[4] - 96 * flag[5] - 66 * flag[6] + 96 * flag[7] - 60 * flag[8] - 20 * flag[9] + 99 * flag[10] + 3 * flag[11] + 10 * flag[12] + 707 * flag[13] + 250 * flag[14] + 666 * flag[15] + -9 * flag[16] + 0 * flag[17] + -2 * flag[18] + 69 * flag[19] + 0 * flag[20] + 21 * flag[21] + 222 * flag[22] + 23 * flag[23] - 224 * flag[24] + 25 * flag[25] - 26 * flag[26] + 27 * flag[27] - 28 * flag[28] == 185016,
         77 * flag[0] - 2 * flag[1] + 6 * flag[2] + 6 * flag[3] - 96 * flag[4] - 9 * flag[5] - 6 * flag[6] + 96 * flag[7] - 0 * flag[8] - 20 * flag[9] + 99 * flag[10] + 3 * flag[11] + 10 * flag[12] + 707 * flag[13] + 250 * flag[14] + 666 * flag[15] + -9 * flag[16] + 0 * flag[17] + -2 * flag[18] + 9 * flag[19] + 0 * flag[20] + 21 * flag[21] + 222 * flag[22] + 23 * flag[23] - 224 * flag[24] + 26 * flag[25] - -58 * flag[26] + 27 * flag[27] - 2 * flag[28] + 29 * flag[29] == 130106]
        if all(result):
            print("Congratulation!!!")
        else:
            print("wrong_wrong!!!")

# okay decompiling output.pyc

z3约束一下,获得 H1Z1N1U1C1T1F1{1a6d275f7-463}1

前面还有111111116257645365477364777645752361 代表着出现的次数,其实z3获得的两个两个一组,第一个是字符,第二个是出现次数,然后往里面填flag就好a6 d2 75 f7 -4 63

得到HZNUCTF{adffa-f6af-ff6a-fffa-fffd6a}

randomsystem

先静态分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
int __cdecl main(int argc, const char **argv, const char **envp)
{
//初始化省略...

  sub_E3137A(&unk_E3E0A9);
  p_n53 = 0;
  n53_1 = 0;
  n53_2 = 0;
  n53_3 = 0;
  v30 = 0;
  j_memset(box, 0, 0x100u);
  j_memset(&v21, 0, 0x100u);
  strcpy(KeYkEy__, "KeYkEy!!");
//flag初始化省略...
  sub_E310EB("Welcome to HZNUCTF!!!\n", v7);
  sub_E310EB("Enter something: \n", v8);
  scanf("%64s", v32);
  sub_E31339(v32, v31);
  sub_E3128F(v31[0], v31[1], &p_n53);
  if ( //对第一次输入验证 )
  {
    sub_E310EB("good_job!!!\n", v9);
    sub_E310EB("So, Plz input the flag:\n", v10);
    scanf("%73s", &v24);
    strncpy_s(Destination, 65u, Source, 64u);
    sub_E3127B();
    srand(Seed);
    sub_E3127B();
    j_memset(num, 0, 0x80u);
    for ( i = 0; i < 32; ++i )
    {
      do
      {
        rand();
        v4 = sub_E3127B() % 32;
        v16 = 1;
        for ( j = 0; j < i; ++j )
        {
          if ( num[j] == v4 )
          {
            v16 = 0;
            break;
          }
        }
      }
      while ( !v16 );
      num[i] = v4;
    }
    j_a2z(Destination, num);
    j_make(box, Destination);
    j_makekey(&p_n53, KeYkEy__);
    j_encrypt(box1, box, &v21);
    v14 = 0;
    for ( k = 0; k < 8; ++k )
    {
      for ( m = 0; m < 8; ++m )
      {
        box[32 * k + m + 64] ^= KeYkEy__[v14 % j_strlen(KeYkEy__)];
        ++v14;
      }
    }
    if ( j_strcmp(&v21, flag) == 1 )
      sub_E310EB("Congratulation!!!\n", v11);
  }
  else
  {
    sub_E310EB("wrong_wrong!!!\n", v9);
  }
  sub_E3120D(&savedregs, &dword_E32D48, 0, v3);
  return v6;
}

sub_E3127B函数是函数指针的调用,调用者就是上面的函数

那么大致流程就是先输入然后验证,在输入明文,明文被随机数打乱,然后生成8*8的矩阵,紧接着用第一次输入构造key,然后用box1和输入矩阵生成新的矩阵,然后矩阵异或key,最后验证

所以直接z3求解,大部分的可以dump下来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#flag = 0x12a,0x101,0xff,0x190,0x147,0x12c,0xd8,0x133,0x17c,0x13f,0xc7,0x154,0x118,0x101,0x13e,0x160,0x162,0x167,0xf0,0x181,0x160,0x128,0x108,0x136,0xc5,0xa7,0xaf,0x10a,0xfb,0xac,0xe5,0xfd,0xfb,0xfe,0xfd,0x17b,0xcc,0x141,0xd4,0x108,0x97,0x71,0x96,0xc4,0xc6,0x58,0xaa,0xa2,0xaf,0x5c,0xa9,0xe3,0xa4,0xff,0x71,0x62,0xc8,0xd0,0xc3,0x104,0xca,0x100,0xf6,0xc5,
flag=[0x00000178, 0x00000164, 0x000000A9, 0x000001F5, 0x00000115, 0x00000149, 0x0000008B, 0x00000156, 0x0000017C, 0x0000016D, 0x000000A2, 0x00000102, 0x0000017D, 0x00000153, 0x0000015B, 0x00000133, 0x00000107, 0x00000167, 0x000000A2, 0x000001E4, 0x00000136, 0x0000014D, 0x0000015A, 0x00000153, 0x00000096, 0x000000C2, 0x000000AF, 0x00000158, 0x0000009E, 0x000000FA, 0x00000080, 0x000000AF, 0x0000009E, 0x000000AD, 0x00000098, 0x0000017B, 0x0000009E, 0x00000124, 0x00000082, 0x0000016D, 0x000000C5, 0x00000014, 0x000000C5, 0x000000A1, 0x000000C6, 0x0000000A, 0x000000CF, 0x000000F4, 0x000000CA, 0x0000000E, 0x000000CC, 0x000000B0, 0x000000C1, 0x000000FF, 0x00000023, 0x00000007, 0x0000009E, 0x000000B5, 0x00000091, 0x00000161, 0x00000099, 0x00000165, 0x000000F6, 0x00000097]
#flag=[0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000184, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x000000C2, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123, 0x00000123]
#flag=[0x000001D6, 0x000001E1, 0x000001D2, 0x000001E1, 0x000001D6, 0x000001E1, 0x000001D7, 0x000001E1, 0x000001D6, 0x000001E1, 0x000001D2, 0x000001E1, 0x000001D6, 0x000001E1, 0x000001D7, 0x000001E1, 0x000001D6, 0x000001E1, 0x000001D2, 0x000001E1, 0x000001D6, 0x000001E1, 0x000001D7, 0x000001E1, 0x00000171, 0x00000146, 0x00000175, 0x00000146, 0x00000171, 0x00000146, 0x00000170, 0x00000146, 0x00000171, 0x00000146, 0x00000175, 0x00000146, 0x00000171, 0x00000146, 0x00000170, 0x00000146, 0x00000090, 0x000000A7, 0x00000094, 0x000000A7, 0x00000090, 0x000000A7, 0x00000091, 0x000000A7, 0x00000090, 0x000000A7, 0x00000094, 0x000000A7, 0x00000090, 0x000000A7, 0x00000091, 0x000000A7, 0x00000171, 0x00000146, 0x00000175, 0x00000146, 0x00000171, 0x00000146, 0x00000170, 0x00000146]

xor = [82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,82,101,86,101,82,101,83,101,]

outputbox_pre_xor = [flag[i] ^ xor[i] for i in range(64)]
from z3 import *

data = [
    [1,1,0,1,0,0,1,0],
    [0,1,1,0,0,1,0,1],
    [0,0,1,1,0,1,1,0],
    [0,0,0,1,0,1,0,1],
    [0,1,0,0,1,0,1,0],
    [0,0,0,0,0,1,0,1],
    [0,0,0,0,0,0,1,1],
    [0,1,1,0,0,0,0,1]
]

solver = Solver()
inputbox = [[Int(f"inputbox_{i}_{j}") for j in range(8)] for i in range(8)]

for i in range(8):
    for j in range(8):
        solver.add(inputbox[i][j] >= 0, inputbox[i][j] <= 255)

for i in range(8):
    for j in range(8):
        total = sum(data[i][k] * inputbox[k][j] for k in range(8))
        solver.add(total == outputbox_pre_xor[i*8 + j])

if solver.check() == sat:
    model = solver.model()
    inputbox_values = [[model.eval(inputbox[i][j]).as_long() for j in range(8)] for i in range(8)]
    print(inputbox_values)
else:
    print("No solution found.")
processed_input = [inputbox_values[i][j] for i in range(8) for j in range(8)]


randnum = [
    27, 26, 25, 23, 28, 1, 6, 10,
    20, 7, 15, 14, 31, 18, 19, 21,
    9, 30, 22, 24, 8, 2, 29, 3,
    12, 11, 17, 16, 0, 13, 5, 4
]

v4 = len(processed_input)
for i in range(v4 >> 1):
    pos = v4 - randnum[i] - 1
    processed_input[i], processed_input[pos] = processed_input[pos], processed_input[i]
original_input = bytes(processed_input)
print(original_input.decode())

得到3zfb899ac5c256d-7a8r59f0tccd-4fa6b8vfd111-a44ffy4r0-6dce5679da58