[原创] 第五题:魅影舞姬
发表于: 2019-9-24 13:50 4426
作者是个好人,还有符号表这些东西的。菜鸡项目缠身没时间做难的,只有做些简单的了!来吧,尽情的吐槽我吧!
开门一个check_fun
但是只校验一个字节
进去看了下
看不懂在干啥
进去看了一眼发现有个常数
问了下度娘,她说这是MT(梅森旋转,即MT19937)随机数生成器
然后,用python简单实现了下
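"""Re-implementation of the challenge's one-byte check (Python 3).

The write-up identifies two primitives in the check function: an MT19937
generator seeded from a single input byte and an XXTEA encryption with a
fixed key.  Because only one byte feeds the seed, there are just 256
possible states and the check can be replayed exhaustively offline.
MT19937 is a statistical PRNG, not a cryptographic one, and a fixed
embedded key adds no secrecy once the binary is readable.
"""

_DELTA = 0x9E3779B9  # round constant shared by the TEA cipher family
_MASK32 = 0xFFFFFFFF


def _int32(x):
    """Return the 32 least significant bits of *x*."""
    return int(_MASK32 & x)


class MT19937:
    """Minimal 32-bit Mersenne Twister producing the standard MT19937 stream."""

    def __init__(self, seed):
        """Fill the 624-word state from *seed* (truncated to 32 bits)."""
        # index == 624 makes the first extract_number() call twist first.
        self.index = 624
        self.mt = [0] * 624
        # Mask the seed so out-of-range values behave like a C uint32.
        self.mt[0] = _int32(seed)
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = _int32(1812433253 * (prev ^ (prev >> 30)) + i)

    def extract_number(self):
        """Return the next tempered 32-bit output word."""
        if self.index >= 624:
            self.twist()

        y = self.mt[self.index]
        # Tempering; parentheses spell out the operator precedence that the
        # original relied on implicitly.
        y ^= y >> 11
        y ^= (y << 7) & 2636928640
        y ^= (y << 15) & 4022730752
        y ^= y >> 18

        self.index += 1
        return _int32(y)

    def twist(self):
        """Regenerate all 624 state words in place and reset the index."""
        for i in range(624):
            # Top bit of the current word joined with the low 31 bits of
            # the next word.
            y = _int32((self.mt[i] & 0x80000000)
                       + (self.mt[(i + 1) % 624] & 0x7FFFFFFF))
            self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1)
            if y % 2 != 0:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0


def _mx(y, z, total, key_word):
    """XXTEA mixing function for one word (result is not yet masked)."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key_word ^ z)))


def encrypt(v, n, k):
    """XXTEA-encrypt the first *n* words of *v* in place and return *v*.

    Args:
        v: list of 32-bit words; it is modified in place.
        n: number of words to process (the reference algorithm is defined
            for n >= 2; n == 0 raises ZeroDivisionError as before).
        k: four 32-bit key words.
    """
    last = n - 1
    z = v[last]
    total = 0  # running multiple of _DELTA; renamed so builtin sum() is not shadowed
    rounds = 6 + 52 // n
    while rounds > 0:
        total = (total + _DELTA) & _MASK32
        e = (total >> 2) & 3
        for p in range(last):
            y = v[p + 1]
            v[p] = (v[p] + _mx(y, z, total, k[(p & 3) ^ e])) & _MASK32
            z = v[p]
        # The last word wraps around and mixes with the first one.
        y = v[0]
        v[last] = (v[last] + _mx(y, z, total, k[(last & 3) ^ e])) & _MASK32
        z = v[last]
        rounds -= 1
    return v


# XXTEA key taken from the binary according to the write-up.  The four words
# are the same values as the MD5 initial state constants.
k = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
n = 2
TARGET = 0xA504A8F7  # constant the check compares against (from the write-up)


def check_value(seed):
    """Return the 32-bit value the check derives from a one-byte *seed*."""
    mt = MT19937(seed)
    ret1 = mt.extract_number()
    ret2 = mt.extract_number()
    ret3 = mt.extract_number()
    v = encrypt([ret1, ret3], n, k)
    # Wrap to 32 bits.  The original compared unbounded Python ints, so a
    # difference that goes negative could never equal TARGET; presumably the
    # binary does this in 32-bit registers - confirm against the disassembly.
    return (ret2 - (v[0] + v[1])) & _MASK32


# Try every byte value; the original range(0xFF) stopped at 0xFE.
for i in range(0x100):
    if check_value(i) == TARGET:
        print("Found:", i, chr(i))
        break

# Disabled debugging aid from the original listing: print the XXTEA output
# words for seed 0x31.
#   mt = MT19937(0x31)
#   ret1 = mt.extract_number(); ret2 = mt.extract_number(); ret3 = mt.extract_number()
#   print([hex(w) for w in encrypt([ret1, ret3], n, k)])
#
# Leftover note from the original listing:
#   if ret2 - (ret1 + ret3) == 0xA504A8F7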
其中的xxtea 密钥提出来就好了
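"""Re-implementation of the challenge's one-byte check (Python 3).

The write-up identifies two primitives in the check function: an MT19937
generator seeded from a single input byte and an XXTEA encryption with a
fixed key.  Because only one byte feeds the seed, there are just 256
possible states and the check can be replayed exhaustively offline.
MT19937 is a statistical PRNG, not a cryptographic one, and a fixed
embedded key adds no secrecy once the binary is readable.
"""

_DELTA = 0x9E3779B9  # round constant shared by the TEA cipher family
_MASK32 = 0xFFFFFFFF


def _int32(x):
    """Return the 32 least significant bits of *x*."""
    return int(_MASK32 & x)


class MT19937:
    """Minimal 32-bit Mersenne Twister producing the standard MT19937 stream."""

    def __init__(self, seed):
        """Fill the 624-word state from *seed* (truncated to 32 bits)."""
        # index == 624 makes the first extract_number() call twist first.
        self.index = 624
        self.mt = [0] * 624
        # Mask the seed so out-of-range values behave like a C uint32.
        self.mt[0] = _int32(seed)
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = _int32(1812433253 * (prev ^ (prev >> 30)) + i)

    def extract_number(self):
        """Return the next tempered 32-bit output word."""
        if self.index >= 624:
            self.twist()

        y = self.mt[self.index]
        # Tempering; parentheses spell out the operator precedence that the
        # original relied on implicitly.
        y ^= y >> 11
        y ^= (y << 7) & 2636928640
        y ^= (y << 15) & 4022730752
        y ^= y >> 18

        self.index += 1
        return _int32(y)

    def twist(self):
        """Regenerate all 624 state words in place and reset the index."""
        for i in range(624):
            # Top bit of the current word joined with the low 31 bits of
            # the next word.
            y = _int32((self.mt[i] & 0x80000000)
                       + (self.mt[(i + 1) % 624] & 0x7FFFFFFF))
            self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1)
            if y % 2 != 0:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0


def _mx(y, z, total, key_word):
    """XXTEA mixing function for one word (result is not yet masked)."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key_word ^ z)))


def encrypt(v, n, k):
    """XXTEA-encrypt the first *n* words of *v* in place and return *v*.

    Args:
        v: list of 32-bit words; it is modified in place.
        n: number of words to process (the reference algorithm is defined
            for n >= 2; n == 0 raises ZeroDivisionError as before).
        k: four 32-bit key words.
    """
    last = n - 1
    z = v[last]
    total = 0  # running multiple of _DELTA; renamed so builtin sum() is not shadowed
    rounds = 6 + 52 // n
    while rounds > 0:
        total = (total + _DELTA) & _MASK32
        e = (total >> 2) & 3
        for p in range(last):
            y = v[p + 1]
            v[p] = (v[p] + _mx(y, z, total, k[(p & 3) ^ e])) & _MASK32
            z = v[p]
        # The last word wraps around and mixes with the first one.
        y = v[0]
        v[last] = (v[last] + _mx(y, z, total, k[(last & 3) ^ e])) & _MASK32
        z = v[last]
        rounds -= 1
    return v


# XXTEA key taken from the binary according to the write-up.  The four words
# are the same values as the MD5 initial state constants.
k = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
n = 2
TARGET = 0xA504A8F7  # constant the check compares against (from the write-up)


def check_value(seed):
    """Return the 32-bit value the check derives from a one-byte *seed*."""
    mt = MT19937(seed)
    ret1 = mt.extract_number()
    ret2 = mt.extract_number()
    ret3 = mt.extract_number()
    v = encrypt([ret1, ret3], n, k)
    # Wrap to 32 bits.  The original compared unbounded Python ints, so a
    # difference that goes negative could never equal TARGET; presumably the
    # binary does this in 32-bit registers - confirm against the disassembly.
    return (ret2 - (v[0] + v[1])) & _MASK32


# Try every byte value; the original range(0xFF) stopped at 0xFE.
for i in range(0x100):
    if check_value(i) == TARGET:
        print("Found:", i, chr(i))
        break

# Disabled debugging aid from the original listing: print the XXTEA output
# words for seed 0x31.
#   mt = MT19937(0x31)
#   ret1 = mt.extract_number(); ret2 = mt.extract_number(); ret3 = mt.extract_number()
#   print([hex(w) for w in encrypt([ret1, ret3], n, k)])
#
# Leftover note from the original listing:
#   if ret2 - (ret1 + ret3) == 0xA504A8F7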
其中的xxtea 密钥提出来就好了
输入的经过base64 解码然后des,MD5 一大堆运算
做这题我们不妨倒着来看
直接看比较的地方。这才符合逆向的“逆”这个字吧!
查看引用,发现关键点在这个地方
进去圈圈的算法一看发现
最后于 2019-9-24 14:39
被大帅锅编辑
,原因: