[原创] 第五题:魅影舞姬
发表于: 2019-9-24 13:50 4482
作者是个好人,连符号表这些东西都还留着。菜鸡项目缠身没时间做难的,只有做些简单的了!来吧,尽情地吐槽我吧!
开门一个check_fun
但是只校验一个字节
进去看了下
看不懂在干啥
进去看了一眼发现有个常数
问了下度娘,她说这是 MT(Mersenne Twister,梅森旋转)随机数生成器
然后用 Python 简单实现了一下
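# Model of the one-byte check described in the write-up: the candidate byte
# seeds an MT19937 generator, outputs 1 and 3 are run through XXTEA with a
# fixed key, and the result is compared against a constant.
# Written so that it runs unchanged on Python 2 and Python 3.

_DELTA = 0x9E3779B9   # XXTEA round constant
_MASK32 = 0xFFFFFFFF
_TARGET = 0xA504A8F7  # constant the check compares against


def _int32(x):
    """Return the 32 least significant bits of x."""
    return int(_MASK32 & x)


class MT19937:
    """Minimal 32-bit Mersenne Twister: seeding, tempering and twist."""

    def __init__(self, seed):
        # index == 624 forces a twist on the first extract_number() call.
        self.index = 624
        self.mt = [0] * 624
        # Mask the seed so a value wider than 32 bits cannot leak into the state.
        self.mt[0] = _int32(seed)
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = _int32(1812433253 * (prev ^ (prev >> 30)) + i)

    def extract_number(self):
        """Return the next tempered 32-bit output, twisting when the state is used up."""
        if self.index >= 624:
            self.twist()

        y = self.mt[self.index]
        # Tempering; parentheses spell out the precedence the original relied on.
        y ^= y >> 11
        y ^= (y << 7) & 2636928640
        y ^= (y << 15) & 4022730752
        y ^= y >> 18

        self.index += 1
        return _int32(y)

    def twist(self):
        """Regenerate all 624 state words in place and reset the index."""
        for i in range(624):
            # Top bit of this word joined with the low 31 bits of the next one.
            y = _int32((self.mt[i] & 0x80000000)
                       + (self.mt[(i + 1) % 624] & 0x7FFFFFFF))
            self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0


def _mx(z, y, total, k, p, e):
    """XXTEA mixing function for word index p in the current round."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z)))


def encrypt(v, n, k):
    """XXTEA-encrypt the first n 32-bit words of v in place and return v.

    v -- list of 32-bit words (modified in place)
    n -- number of words to process
    k -- list of four 32-bit key words
    """
    last = n - 1
    z = v[last]
    total = 0
    rounds = 6 + 52 // n
    for _ in range(rounds):
        total = (total + _DELTA) & _MASK32
        e = (total >> 2) & 3
        for p in range(last):
            y = v[p + 1]
            v[p] = (v[p] + _mx(z, y, total, k, p, e)) & _MASK32
            z = v[p]
        # The last word wraps around and mixes with the first one.
        y = v[0]
        v[last] = (v[last] + _mx(z, y, total, k, last, e)) & _MASK32
        z = v[last]
    return v


# XXTEA key words used by the script (numerically the MD5 initial state words).
k = [0x67452301, 0x0EFCDAB89, 0x98BADCFE, 0x10325476]
n = 2


def _check_value(seed):
    """Return the 32-bit value the check derives from one candidate byte."""
    gen = MT19937(seed)
    ret1 = gen.extract_number()
    ret2 = gen.extract_number()
    ret3 = gen.extract_number()
    v = encrypt([ret1, ret3], n, k)
    # Python integers do not wrap, so reduce modulo 2**32 before comparing.
    # NOTE(review): assumes the binary does this subtraction in 32-bit
    # registers -- confirm against the disassembly.
    return (ret2 - (v[0] + v[1])) & _MASK32


def _find_byte():
    """Return the first byte value 0..255 that satisfies the check, or None."""
    # range(0x100) so that 0xFF itself is tried; range(0xFF) stops at 0xFE.
    for candidate in range(0x100):
        if _check_value(candidate) == _TARGET:
            return candidate
    return None


if __name__ == "__main__":
    found = _find_byte()
    if found is not None:
        print("Found: %d %s" % (found, chr(found)))
    # The original listing also kept a single-seed debug run, MT19937(0x31),
    # that dumped the encrypted words in hex.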
其中的xxtea 密钥提出来就好了
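# Model of the one-byte check described in the write-up: the candidate byte
# seeds an MT19937 generator, outputs 1 and 3 are run through XXTEA with a
# fixed key, and the result is compared against a constant.
# Written so that it runs unchanged on Python 2 and Python 3.

_DELTA = 0x9E3779B9   # XXTEA round constant
_MASK32 = 0xFFFFFFFF
_TARGET = 0xA504A8F7  # constant the check compares against


def _int32(x):
    """Return the 32 least significant bits of x."""
    return int(_MASK32 & x)


class MT19937:
    """Minimal 32-bit Mersenne Twister: seeding, tempering and twist."""

    def __init__(self, seed):
        # index == 624 forces a twist on the first extract_number() call.
        self.index = 624
        self.mt = [0] * 624
        # Mask the seed so a value wider than 32 bits cannot leak into the state.
        self.mt[0] = _int32(seed)
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = _int32(1812433253 * (prev ^ (prev >> 30)) + i)

    def extract_number(self):
        """Return the next tempered 32-bit output, twisting when the state is used up."""
        if self.index >= 624:
            self.twist()

        y = self.mt[self.index]
        # Tempering; parentheses spell out the precedence the original relied on.
        y ^= y >> 11
        y ^= (y << 7) & 2636928640
        y ^= (y << 15) & 4022730752
        y ^= y >> 18

        self.index += 1
        return _int32(y)

    def twist(self):
        """Regenerate all 624 state words in place and reset the index."""
        for i in range(624):
            # Top bit of this word joined with the low 31 bits of the next one.
            y = _int32((self.mt[i] & 0x80000000)
                       + (self.mt[(i + 1) % 624] & 0x7FFFFFFF))
            self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0


def _mx(z, y, total, k, p, e):
    """XXTEA mixing function for word index p in the current round."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z)))


def encrypt(v, n, k):
    """XXTEA-encrypt the first n 32-bit words of v in place and return v.

    v -- list of 32-bit words (modified in place)
    n -- number of words to process
    k -- list of four 32-bit key words
    """
    last = n - 1
    z = v[last]
    total = 0
    rounds = 6 + 52 // n
    for _ in range(rounds):
        total = (total + _DELTA) & _MASK32
        e = (total >> 2) & 3
        for p in range(last):
            y = v[p + 1]
            v[p] = (v[p] + _mx(z, y, total, k, p, e)) & _MASK32
            z = v[p]
        # The last word wraps around and mixes with the first one.
        y = v[0]
        v[last] = (v[last] + _mx(z, y, total, k, last, e)) & _MASK32
        z = v[last]
    return v


# XXTEA key words used by the script (numerically the MD5 initial state words).
k = [0x67452301, 0x0EFCDAB89, 0x98BADCFE, 0x10325476]
n = 2


def _check_value(seed):
    """Return the 32-bit value the check derives from one candidate byte."""
    gen = MT19937(seed)
    ret1 = gen.extract_number()
    ret2 = gen.extract_number()
    ret3 = gen.extract_number()
    v = encrypt([ret1, ret3], n, k)
    # Python integers do not wrap, so reduce modulo 2**32 before comparing.
    # NOTE(review): assumes the binary does this subtraction in 32-bit
    # registers -- confirm against the disassembly.
    return (ret2 - (v[0] + v[1])) & _MASK32


def _find_byte():
    """Return the first byte value 0..255 that satisfies the check, or None."""
    # range(0x100) so that 0xFF itself is tried; range(0xFF) stops at 0xFE.
    for candidate in range(0x100):
        if _check_value(candidate) == _TARGET:
            return candidate
    return None


if __name__ == "__main__":
    found = _find_byte()
    if found is not None:
        print("Found: %d %s" % (found, chr(found)))
    # The original listing also kept a single-seed debug run, MT19937(0x31),
    # that dumped the encrypted words in hex.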
其中的xxtea 密钥提出来就好了
输入先经过 base64 解码,然后是 DES、MD5 等一大堆运算
做这题我们不妨倒着来看
直接看比较的地方。这才符合逆向的“逆”字吧!
查看引用,发现关键点在这个地方
进去圈圈的算法一看发现
最后于 2019-9-24 14:39
被大帅锅编辑
,原因: