Suraj Malhotra mrT4ntr4

mrT4ntr4 / crocodile_disas.txt
Created April 3, 2023 14:23
Disassembly for Crocodile VM - Initial Analysis
=========== (0x000301fd) len=0x2b =========== Main
00 : pop V_60
01 : V_1 = "squirrelware"
02 : resolve method V_2 => System.Void System.Console::set_Title(System.String)
03 : push V_1
04 : call V_2
05 : V_3 = "enter your username"
06 : resolve method V_4 => System.Void System.Console::WriteLine(System.String)
07 : push V_3
08 : call V_4
mrT4ntr4 / ida_extract_constraints.py
Created January 9, 2022 10:42
Solution files for Fourcore reversing chall - operator
import idautils
import idaapi
import idc
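# Output file for the extracted constraints. Mode 'w+' truncates any existing
# file and opens it for reading and writing.
# NOTE(review): this listing is a truncated preview; no write to or close of
# `f` is visible here, so confirm the full script closes the handle.
f = open('chall_constraints.txt', 'w+')

# Walk every function known to the loaded IDA database.
for func_addr in idautils.Functions():
    func_name = idc.get_func_name(func_addr)
    # Substring match: any function whose name contains "flag" is selected.
    if "flag" in func_name:
        print(f"[+] Extracting constraints from {func_name}")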
mrT4ntr4 / stratum_solve.py
Created September 7, 2020 07:47
Solution Script for stratum challenge from InterkosenCTF 2020
# The main algo for encryption can be depicted as :
'''
==== flag.enc ====
636d 6668 6e66 676a 636c 676a 666d 6a68 ____
2f3e 2670 6659 6e06 0902 6d24 250d 380e ----\-------------
6e6d 6b73 6b6c 6d6b 6c66 6d68 6b76 7a6d _____\ \
3314 566d 2704 5234 442e 3e02 180c 153e ------\------------XORED
6468 6b6d 6868 666a 6876 6d66 7a62 676d ______/__SHUFFLED /
003f 6756 2337 2176 6071 0f74 4c4b 2161 -----/------------/
736e 686b 6468 666b 7361 6e68 6278 6161 ____/ /
import r2pipe
import struct
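# NOTE(review): this listing is a truncated preview. `password` and `f` are
# not used in the visible lines; presumably the recovered password is built up
# and written to `fname` later, so confirm the full script closes `f`.
password = ""
fname = "rec_pwd.txt"
f = open(fname, 'w')

# Write a rarun2 profile whose stdin directive is a fixed 80-character run of
# 'A'. The context manager closes the profile file as soon as it is written.
with open('rec_profile.rr2', 'w') as prof:
    prof.write('#!/usr/bin/rarun2\nstdin="%s"\n'%('A'*80))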
mrT4ntr4 / 999_bottles_solve.py
Created July 21, 2020 19:31
My messy gdb python script for 999 Bottles challenge from RITSEC CTF 2019
#Writeup : https://ctftime.org/writeup/17193
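# NOTE(review): this listing is a truncated preview; the loop body continues
# past the last line shown. `gdb` is the module GDB provides to scripts run
# inside it, so this only works when sourced from within GDB.
flag = ""
i=1

# One pass per challenge binary: 001.c.out through 999.c.out ({:03} zero-pads).
for x in range(1,1000):
    gdb.execute('set python print-stack full')
    # Disable confirmation prompts so the loop can run unattended.
    gdb.execute('set confirm off')
    gdb.execute('file {:03}.c.out'.format(x))
    gdb.execute('b *main')
    # `run` executes the loaded binary natively, with stdin redirected from a
    # file named `test`; run it in a disposable analysis environment.
    gdb.execute('run < test')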
mrT4ntr4 / mixmix_crack.py
Created June 7, 2020 14:50
z3 solver script for MixMix Rev Challenge from DefenitCTF 2020
from z3 import *
import string
def algo(myinput):
# stolen arr (seed[0xDEFEA7], rand arr[0-255], swapped vals)
rand_num_0_255 ="29, 24, 74, 0E8, 18, 0D6, 91, 43, 8B, 2D, 3D, 62, 75, 32, 88, 0EA, 0C2, 4F, 83, 0E9, 67, 2B, 0AC, 0A9, 6F, 8F, 0C7, 13, 0A3, 0AD, 5F, 66, 0E5, 59, 15, 5A, 2F, 11, 4E, 61, 55, 16, 0CC, 0B, 80, 42, 5, 2E, 0D, 0, 5D, 82, 2A, 0B9, 3B, 8E, 3F, 41, 0A1, 8A, 0D5, 89, 49, 69, 12, 0FB, 0DD, 22, 0C0, 3E, 3C, 4C, 56, 44, 0C6, 8D, 40, 0AA, 0B1, 14, 9B, 0BE, 0F4, 0BA, 78, 1, 0D8, 94, 0EC, 50, 0EE, 0ED, 0AE, 1F, 71, 76, 6B, 47, 0BC, 0D0, 33, 10, 0B4, 0DA, 57, 6E, 93, 7, 8C, 37, 6C, 98, 0E, 0BF, 2C, 0C4, 25, 0F3, 7C, 17, 7E, 0DC, 7A, 0D7, 6D, 0C1, 0AB, 0C, 2, 77, 0D3, 68, 5C, 0F0, 0E6, 79, 0D9, 46, 58, 9, 1E, 0CE, 6, 35, 5E, 0CF, 85, 0B2, 0CA, 0F9, 0C3, 70, 45, 0FC, 0F, 26, 0AF, 19, 7F, 4D, 0BD, 5B, 0A2, 52, 1D, 99, 0BB, 36, 84, 72, 0EF, 0B0, 38, 0A5, 0B3, 0B8, 9F, 0FE, 21, 97, 20, 0C5, 90, 0A8, 31, 0E2, 0A7, 0D4, 0D2, 0DE, 0B5, 0E0, 4B, 92, 87, 0E4, 0F5, 0DB, 6A, 65, 9C, 34, 95, 0F8, 0D1, 0A0,
mrT4ntr4 / asm2_crack.py
Last active May 7, 2020 12:26
Python solution script for ASM2 challenge from zh3r0 CTF '20
'''
Challenge Source Backup :
https://gist.github.com/mrT4ntr4/4e02a52c0bc89ecac7f03e38e0934628
Manually dissecting the assembly code and porting it to python
'''
def f(x):
if(x):
if(x != 1):
mrT4ntr4 / ASM2.asm
Created May 7, 2020 01:43
ASM2 challenge source from zh3r0 CTF 2020
start(int, int):
push rbp
mov rbp, rsp
sub rsp, 48
mov DWORD PTR [rbp-36], edi
mov DWORD PTR [rbp-40], esi
mov eax, DWORD PTR [rbp-36]
mov edi, eax
call f(int)
mov DWORD PTR [rbp-4], eax
mrT4ntr4 / Tough_HouseplantCTF_z3.py
Created April 26, 2020 19:10
z3 solver script for Challenge 'Tough' from Houseplant CTF 2020
#encoding: utf-8
from z3 import *
def algo(inp):
got = "ow0_wh4t_4_h4ckr_y0u_4r3"
realflag = [9,4,23,8,17,1,18,0,13,7,2,20,16,10,22,12,19,6,15,21,3,14,5,11]
therealflag = [20,16,12,9,6,15,21,3,18,0,13,7,1,4,23,8,17,2,10,22,19,11,14,5]
theflags = ['*'] * 24
mrT4ntr4 / pos_crack.py
Created April 21, 2020 20:18
z3 solver script for Position Challenge from Reversing.kr
from z3 import *
s = Solver()
serial = list("76876-77776")
inp = []
for i in range(4):
b = BitVec("%d" % i, 16)