Tags: z3 arm rev 

Load the file in IDA, select "ARM little-endian", and set both "ROM start address" and "Loading address" to 0x8000000. sub_8000290 is main. After reversing it, we can write a script like the following, which recovers the flag **34C3_1_d0_m4th**:
```
import time  # used for the timing printout at the end

from z3_staff import *  # https://github.com/KosBeg/z3_staff

var_num = 14
create_vars(var_num, size=8)
solver()
init_vars(globals())
set_ranges(var_num)

add_eq(34*x13+-4*(x1+-5*x0+-16*x2+3*x3)+-73*x4+-65*x5+77*x6+20*x7+-66*x8+4*x9+-58*x10+-6*x11+94*x12==8701)
add_eq(-48*x13+-66*x0+56*x1+-37*x2+-8*x3+-26*x4+-79*x5+-28*x6+-99*x7+-87*x8+-86*x9+71*x10+-69*x11+-43*x12==-40417)
add_eq(38*x13+93*x0+77*x1+-43*x2+-19*x3+99*x4+61*x5+5*x6+-67*x7+-60*x8+88*x9+41*x10+19*x11+70*x12==34075)
add_eq((x13<<6)+-44*x0+-32*x1+-30*x2+5*x3+56*x4+-28*x5+61*x6+9*x7+80*x8+40*x9+-66*x10+-42*x11+62*x12==17090)
add_eq(-40*x13+-61*x0+46*x1+35*x2+-33*x3+91*x4+-13*x5+-39*x6+7*x7+51*x8+93*x9+55*x10+49*x11+94*x12==31516)
add_eq(33*x13+17*x0+-61*x1+51*x2+26*x3+75*x4+14*x5+-32*x6+-46*x7+-10*x8+-36*x9+81*x10+69*x11+-32*x12==10846)
add_eq(29*x13+69*x0+-92*x1+24*x2+-33*x3+16*x4+57*x5+-31*x6+91*x7+85*x8+72*x9+23*x10+21*x11+45*x12==31883)
add_eq(-66*x13+-22*x0+21*x1+52*x2+71*x3+76*x4+-80*x5+-97*x6+4*x7+99*x8+-7*x9+-43*x10+-13*x11+37*x12==-2288)
add_eq(-63*x13+-59*x0+74*x1+65*x2+61*x3+-21*x4+-9*x5+44*x6+13*x7+30*x8+13*x9+-69*x10+-2*x11+9*x12==891)
add_eq(74*x13+51*x0+58*x1+16*x2+58*x3+83*x4+30*x5+-57*x6+-27*x7+-28*x8+94*x9+55*x10+72*x11+-96*x12==24772)
add_eq(56*x13+68*x0+-5*x1+19*x2+-85*x3+38*x4+84*x5+17*x6+77*x7+-98*x8+-37*x9+-38*x10+32*x11+-45*x12==7094)
add_eq(59*x13+13*x0+99*x1+-21*x2+58*x3+26*x4+18*x5+-87*x6+26*x7+-77*x8+-47*x9+33*x10+-45*x11+-78*x12==-4767)
add_eq(31*x13+-95*x0+63*x1+18*x2+-12*x3+56*x4+-77*x5+68*x6+70*x7+54*x8+41*x9+25*x10+-78*x11+43*x12==27400)
add_eq(-78*x13+22*x0+-33*x1+-31*x2+-46*x3+20*x4+80*x5+-54*x6+55*x7+77*x8+94*x9+-89*x10+51*x11+-27*x12==-4494)

i = 0  # number of solutions found
start_time = time.time()
# Keep going for as long as the solver still finds a satisfying assignment
while s.check() == sat:
    prepare_founded_values(var_num)
    print(prepare_key(var_num))
    iterate_all(var_num)
    i += 1
print('--- %.2f seconds && %d answer(s) ---' % ((time.time() - start_time), i))
```
```
PS C:\!CTF> python arm4_solver.py
34C3_1_d0_m4th
--- 0.74 seconds && 1 answer(s) ---
```
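An added cross-check, not part of the original writeup: all 14 constraints are linear in x0..x13, so exact Gaussian elimination with only the Python 3 standard library yields the same flag without z3. The helper names (`lhs`, `matrix`, `solve`, `recover_flag`) are assumptions of this example; the expressions and constants are copied from the script above, and the coefficients are recovered by evaluating each expression on unit vectors.

```python
from fractions import Fraction

# (left-hand side, constant) pairs copied from the z3 script above
EQS = [
    ("34*x13+-4*(x1+-5*x0+-16*x2+3*x3)+-73*x4+-65*x5+77*x6+20*x7+-66*x8+4*x9+-58*x10+-6*x11+94*x12", 8701),
    ("-48*x13+-66*x0+56*x1+-37*x2+-8*x3+-26*x4+-79*x5+-28*x6+-99*x7+-87*x8+-86*x9+71*x10+-69*x11+-43*x12", -40417),
    ("38*x13+93*x0+77*x1+-43*x2+-19*x3+99*x4+61*x5+5*x6+-67*x7+-60*x8+88*x9+41*x10+19*x11+70*x12", 34075),
    ("(x13<<6)+-44*x0+-32*x1+-30*x2+5*x3+56*x4+-28*x5+61*x6+9*x7+80*x8+40*x9+-66*x10+-42*x11+62*x12", 17090),
    ("-40*x13+-61*x0+46*x1+35*x2+-33*x3+91*x4+-13*x5+-39*x6+7*x7+51*x8+93*x9+55*x10+49*x11+94*x12", 31516),
    ("33*x13+17*x0+-61*x1+51*x2+26*x3+75*x4+14*x5+-32*x6+-46*x7+-10*x8+-36*x9+81*x10+69*x11+-32*x12", 10846),
    ("29*x13+69*x0+-92*x1+24*x2+-33*x3+16*x4+57*x5+-31*x6+91*x7+85*x8+72*x9+23*x10+21*x11+45*x12", 31883),
    ("-66*x13+-22*x0+21*x1+52*x2+71*x3+76*x4+-80*x5+-97*x6+4*x7+99*x8+-7*x9+-43*x10+-13*x11+37*x12", -2288),
    ("-63*x13+-59*x0+74*x1+65*x2+61*x3+-21*x4+-9*x5+44*x6+13*x7+30*x8+13*x9+-69*x10+-2*x11+9*x12", 891),
    ("74*x13+51*x0+58*x1+16*x2+58*x3+83*x4+30*x5+-57*x6+-27*x7+-28*x8+94*x9+55*x10+72*x11+-96*x12", 24772),
    ("56*x13+68*x0+-5*x1+19*x2+-85*x3+38*x4+84*x5+17*x6+77*x7+-98*x8+-37*x9+-38*x10+32*x11+-45*x12", 7094),
    ("59*x13+13*x0+99*x1+-21*x2+58*x3+26*x4+18*x5+-87*x6+26*x7+-77*x8+-47*x9+33*x10+-45*x11+-78*x12", -4767),
    ("31*x13+-95*x0+63*x1+18*x2+-12*x3+56*x4+-77*x5+68*x6+70*x7+54*x8+41*x9+25*x10+-78*x11+43*x12", 27400),
    ("-78*x13+22*x0+-33*x1+-31*x2+-46*x3+20*x4+80*x5+-54*x6+55*x7+77*x8+94*x9+-89*x10+51*x11+-27*x12", -4494),
]
N = len(EQS)

def lhs(expr, xs):
    # Evaluate one expression with x0..x13 bound to the integers in xs.
    return eval(expr, {"__builtins__": {}}, {"x%d" % i: v for i, v in enumerate(xs)})

def matrix():
    # The checks are linear, so the coefficient of xj is lhs(e_j) - lhs(0).
    rows = []
    for expr, rhs in EQS:
        base = lhs(expr, [0] * N)
        coef = [lhs(expr, [int(i == j) for i in range(N)]) - base for j in range(N)]
        rows.append([Fraction(c) for c in coef] + [Fraction(rhs - base)])
    return rows

def solve(rows):
    # Gauss-Jordan elimination over exact rationals; raises on a singular system.
    for col in range(N):
        piv = next(r for r in range(col, N) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        pivot = [v / rows[col][col] for v in rows[col]]
        rows = [pivot if r == col else [a - row[col] * b for a, b in zip(row, pivot)]
                for r, row in enumerate(rows)]
    return [row[N] for row in rows]

def recover_flag():
    sol = solve(matrix())
    # Every unknown must come out as an integer byte value.
    assert all(v.denominator == 1 and 0 <= v < 256 for v in sol)
    return "".join(chr(int(v)) for v in sol)
```

Calling `recover_flag()` returns the flag string; a non-singular matrix also means the solution is unique over the rationals, which matches the single answer z3 reports.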

KosBeg Dec. 29, 2017, 11:01 p.m.

Sorry, but this task is from another CTF. It's from 34C3 Junior CTF. My first writeup and such a gross error. Sorry for the mistake ;(