[原创]HGame Week1 Reverse WriteUp
2023-1-13 10:39 12661
HGame Week1 Reverse WriteUp
test your IDA
只要IDA没问题,打开就是Flag
easyasm
对每个字节异或0x33即可还原(异或是自身的逆运算)
# Encoded bytes taken from the challenge; every value is the plaintext
# character XORed with the single-byte constant 0x33.
s = [
    0x5b, 0x54, 0x52, 0x5e, 0x56, 0x48, 0x44, 0x56, 0x5f,
    0x50, 0x3, 0x5e, 0x56, 0x6c, 0x47, 0x3, 0x6c, 0x41,
    0x56, 0x6c, 0x44, 0x5c, 0x41, 0x2, 0x57, 0x12, 0x4e,
]


def enc(s):
    """XOR every integer in ``s`` with 0x33 and return the resulting string.

    XOR with a fixed constant is its own inverse, so the same routine both
    encodes and decodes; a single-byte XOR offers no confidentiality once
    the constant is known.
    """
    decoded = []
    for value in s:
        decoded.append(chr(value ^ 0x33))
    return ''.join(decoded)


print(enc(s))
a cup of tea
TEA加密算法,不过delta变成了0xabcdef23
看POC应该会比较明显
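#include <stdint.h>
#include <stdio.h>

/*
 * Decrypt one 64-bit block (v[0], v[1]) in place with the 128-bit key k[0..3].
 *
 * This is the usual 32-round TEA decryption loop; the only difference from
 * textbook TEA is the round constant (delta), which is 0xabcdef23 here.
 * All arithmetic is done in uint32_t so it wraps modulo 2^32 regardless of
 * the width of unsigned int on the host.
 *
 * The key is a constant recovered from the binary, so the cipher only
 * obscures the data: anyone holding the binary also holds the key.
 */
void decrypt(unsigned int *v, unsigned int *k)
{
    uint32_t v0 = (uint32_t)v[0];
    uint32_t v1 = (uint32_t)v[1];

    /* (0 - 0x543210DD) mod 2^32 == 0xabcdef23 */
    const uint32_t delta = (uint32_t)(0u - 0x543210DDu);

    /* delta * 32 mod 2^32 == 0x79bde460: the running sum after 32 rounds. */
    uint32_t sum = (uint32_t)(delta << 5);

    /* Cache the key words. */
    const uint32_t k0 = (uint32_t)k[0];
    const uint32_t k1 = (uint32_t)k[1];
    const uint32_t k2 = (uint32_t)k[2];
    const uint32_t k3 = (uint32_t)k[3];

    /* Undo the 32 rounds in reverse order: v1 first, then v0. */
    for (int i = 0; i < 32; i++) {
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }

    v[0] = v0;
    v[1] = v1;
}

int main(void)
{
    /*
     * Key words in the order that worked for the author. The reversed order
     * {0x45678901, 0x34567890, 0x23456789, 0x12345678} was the first attempt,
     * commented out in the original with the note "endianness issue".
     */
    unsigned int a2[] = {0x12345678, 0x23456789, 0x34567890, 0x45678901};

    /* Ciphertext: eight 32-bit words, i.e. four 64-bit TEA blocks. */
    unsigned int Buf2[8] = {
        0x2E63829D, 0xC14E400F, 0x9B39BFB9, 0x5A1F8B14,
        0x61886DDE, 0x6565C6CF, 0x9F064F64, 0x236A43F6,
    };
    const size_t nwords = sizeof Buf2 / sizeof Buf2[0];

    /* Decrypt block by block (two words per block). */
    for (size_t i = 0; i + 1 < nwords; i += 2) {
        decrypt(Buf2 + i, a2);
    }

    /*
     * Print the plaintext bytes in memory order (this assumes a
     * little-endian host with 32-bit unsigned int, as the original did).
     * The original loop printed 40 bytes, but Buf2 holds only 32, so it
     * read past the end of the array. Any flag bytes the binary keeps
     * beyond these eight words are not part of this listing.
     */
    const unsigned char *bytes = (const unsigned char *)Buf2;
    for (size_t i = 0; i < sizeof Buf2; i++) {
        putchar(bytes[i]);
    }

    return 0;
}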
easyenc
逆转程序的运算顺序:原程序先异或0x32再减0x56,解密时先加上0x56再异或0x32
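#include <stdio.h>

/*
 * Recover the easyenc plaintext.
 *
 * The program encoded each input byte as (byte ^ 0x32) - 0x56, so decoding
 * applies the inverse steps in reverse order: add 0x56, then XOR with 0x32,
 * keeping only the low 8 bits.
 */
int main(void)
{
    /* Encoded data as ten 32-bit words (read byte by byte in memory order). */
    unsigned int v8[10] = {
        0x09FDFF04, 0x00B0F301, 0xADF00500, 0x05170607, 0x17FD17EB,
        0x01EE01EA, 0xFA05B1EA, 0xAC170108, 0xFDEA01EC, 0x060705F0,
    };
    const unsigned char *bytes = (const unsigned char *)v8;

    /*
     * The original loop ran 41 times, one byte past the 40-byte array.
     * The loop is bounded by the array size here. If the binary stores a
     * 41st encoded byte after these words, it is not part of this listing
     * and has to be added to the data before it can be decoded.
     */
    for (size_t i = 0; i < sizeof v8; i++) {
        /* The cast truncates to 8 bits, matching the byte-wide original. */
        unsigned char c = (unsigned char)((bytes[i] + 0x56) ^ 0x32);
        putchar(c);
    }

    return 0;
}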
encode
每个字符被拆成了两个数字(低4位和高4位),那么对每个位置爆破0~255就可以出解
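#include <stdio.h>

/*
 * Recover the "encode" plaintext.
 *
 * Each input character was split into two values: its low nibble followed
 * by its high nibble. For every pair, all 256 byte values are tried until
 * one splits into the same two nibbles. (The byte could equally be rebuilt
 * directly as lo | (hi << 4); the search is kept to match the write-up.)
 */
int main(void)
{
    /* Nibble pairs dumped from the binary: low nibble, then high nibble. */
    int ida[] = {
        0x08, 0x06, 0x07, 0x06, 0x01, 0x06, 0x0D, 0x06, 0x05, 0x06, 0x0B,
        0x07, 0x05, 0x06, 0x0E, 0x06, 0x03, 0x06, 0x0F, 0x06, 0x04, 0x06,
        0x05, 0x06, 0x0F, 0x05, 0x09, 0x06, 0x03, 0x07, 0x0F, 0x05, 0x05,
        0x06, 0x01, 0x06, 0x03, 0x07, 0x09, 0x07, 0x0F, 0x05, 0x06, 0x06,
        0x0F, 0x06, 0x02, 0x07, 0x0F, 0x05, 0x01, 0x06, 0x0F, 0x05, 0x02,
        0x07, 0x05, 0x06, 0x06, 0x07, 0x05, 0x06, 0x02, 0x07, 0x03, 0x07,
        0x05, 0x06, 0x0F, 0x05, 0x05, 0x06, 0x0E, 0x06, 0x07, 0x06, 0x09,
        0x06, 0x0E, 0x06, 0x05, 0x06, 0x05, 0x06, 0x02, 0x07, 0x0D, 0x07,
    };

    /*
     * The original loop ran 50 times and so read 100 values, but the array
     * above holds only 44 pairs; the extra iterations read past its end.
     * The pair count is derived from the array size instead.
     */
    const size_t npairs = sizeof ida / sizeof ida[0] / 2;

    for (size_t i = 0; i < npairs; i++) {
        for (int j = 0; j <= 255; j++) {
            const int lo = j & 0xF;
            const int hi = (j >> 4) & 0xF;

            if (ida[2 * i] == lo && ida[2 * i + 1] == hi) {
                putchar(j);
                break;
            }
        }
    }

    return 0;
}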