HGame Week1 Reverse WriteUp

test your IDA

只要IDA没问题，打开就是Flag

easyasm

对每一位异或0x33

s=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
def enc(s):
    return ''.join([chr(c ^ 0x33) for c in s])
print(enc(s))

a cup of tea

TEA加密算法，不过delta变成了0xabcdef23

看POC应该会比较明显

#include<stdio.h>
void decrypt (unsigned int* v, unsigned int* k) {  
    unsigned int v0=v[0], v1=v[1];  /* set up */
 
    // unsigned int delta=0xabcdef23;          
    unsigned int delta=(0-0x543210DD)&0xffffffff; 
 
    // // unsigned int sum=0x79bde460;
    unsigned int sum = delta<<5;
 
    unsigned int k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */ 
    for (int i=0; i<32; i++) {                         /* basic cycle start */ 
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);  
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);  
        sum -= delta;  
    }                                              /* end cycle */ 
    v[0]=v0; v[1]=v1;  
}  
 
 
int main(){
    // unsigned int a2[] = {0x45678901,0x34567890,0x23456789,0x12345678}; 
    // 大小端的问题
    unsigned int a2[] = {0x12345678,0x23456789,0x34567890,0x45678901}; 
    unsigned int Buf2[8];
    Buf2[0] = 0x2E63829D;
    Buf2[1] = 0xC14E400F;
    Buf2[2] = 0x9B39BFB9;
    Buf2[3] = 0x5A1F8B14;
    Buf2[4] = 0x61886DDE;
    Buf2[5] = 0x6565C6CF;
    Buf2[6] = 0x9F064F64;
    Buf2[7] = 0x236A43F6;
 
    decrypt(Buf2,a2);
    decrypt(Buf2+2,a2);
    decrypt(Buf2+4,a2);
    decrypt(Buf2+6,a2);
 
    for(int i=0;i<40;i++){
        printf("%c",*((unsigned char*)Buf2+i));
    }
 
    return 0;
}

easyenc

逆转程序运行顺序，从先异或0x32后减0x56变为加上0x56后再异或0x32

#include <stdio.h>
int main(){
    unsigned int v8[10];
    v8[0] = 0x9FDFF04;
    v8[1] = 0xB0F301;
    v8[2] = 0xADF00500;
    v8[3] = 0x5170607;
    v8[4] = 0x17FD17EB;
    v8[5] = 0x1EE01EA;
    v8[6] = 0xFA05B1EA;
    v8[7] = 0xAC170108;
    v8[8] = 0xFDEA01EC;
    v8[9] = 0x60705F0;
 
    for(int i=0;i<41;i++){
        unsigned char c = (*((unsigned char *)v8 + i)+0x56)^0x32;
        printf("%c", c);
    }
 
}

encode

一个字符生成了两个数字，那么只要爆破就可以出解

#include<stdio.h>
int main(){
    int ida[] = {
        0x08, 0x06, 0x07, 0x06, 0x01, 0x06, 0x0D, 0x06, 0x05, 0x06, 0x0B, 0x07, 0x05, 0x06, 0x0E, 0x06, 0x03, 0x06,
        0x0F, 0x06, 0x04, 0x06, 0x05, 0x06, 0x0F, 0x05, 0x09, 0x06, 0x03, 0x07, 0x0F, 0x05, 0x05, 0x06, 0x01, 0x06,
        0x03, 0x07, 0x09, 0x07, 0x0F, 0x05, 0x06, 0x06, 0x0F, 0x06, 0x02, 0x07, 0x0F, 0x05, 0x01, 0x06, 0x0F, 0x05,
        0x02, 0x07, 0x05, 0x06, 0x06, 0x07, 0x05, 0x06, 0x02, 0x07, 0x03, 0x07, 0x05, 0x06, 0x0F, 0x05, 0x05, 0x06,
        0x0E, 0x06, 0x07, 0x06, 0x09, 0x06, 0x0E, 0x06, 0x05, 0x06, 0x05, 0x06, 0x02, 0x07, 0x0D, 0x07
        };
 
    int temp[2];
    for(int i = 0;i < 50;i++){
        for(int j = 0; j <= 255; j++) {
            temp[0] = j & 0xF;
            temp[1] = (j >> 4) & 0xF;
            if(ida[2 * i] == temp[0] && ida[2 * i + 1]==temp[1]){
                printf("%c", j);
                break;
            }
        }
    }
}