#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
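/*
 * XXTEA mixing term. It expands against the locals z, y, sum, p, e and the
 * key pointer k at the point of use. The grouping is written out in full and
 * is the same one that operator precedence gave the unparenthesised form:
 * (A + B) ^ (C + D), with the key index (p & 3) ^ e.
 */
#define MX                                              \
  ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^    \
   ((sum ^ y) + (k[(p & 3) ^ e] ^ z)))

/*
 * Decrypt-only XXTEA ("btea") over an array of words, in place.
 *
 * v  word array to decrypt; must hold at least |n| words.
 * n  negative word count selects decryption of -n words. A positive count
 *    (the encryption direction) is not implemented here and does nothing.
 * k  key, indexed 0..3.
 *
 * Returns false after decrypting, and also for n > 1 where nothing is done;
 * returns true when |n| <= 1 (nothing to process). Callers cannot tell the
 * two false cases apart, so they must pass a negative n deliberately.
 *
 * NOTE(review): the arithmetic relies on unsigned int being 32 bits wide;
 * confirm for the target platform.
 */
bool btea(unsigned int* v, int n, unsigned int* k) {
  const unsigned int DELTA = 0x9e3779b9;
  unsigned int z = 0, y, sum, e, p;
  unsigned int words, rounds;

  if (n > 1) {
    /* Encryption direction: not implemented in this solver. */
    return false;
  }
  if (n >= -1) {
    /* Zero or one word: nothing to decrypt. */
    return true;
  }

  /*
   * v is only touched from here on. Reading v[n - 1] before the sign of n is
   * known would index in front of the array for every negative n.
   * The negation is done in unsigned arithmetic so INT_MIN cannot overflow.
   */
  words = 0u - (unsigned int)n;
  rounds = 6 + 52 / words;
  sum = rounds * DELTA;
  y = v[0];

  /* DELTA is odd, so sum first reaches 0 after exactly `rounds` passes. */
  while (sum != 0) {
    e = (sum >> 2) & 3;
    for (p = words - 1; p > 0; p--) {
      z = v[p - 1];
      y = v[p] -= MX;
    }
    /* p is 0 here; the first word wraps around to the last one. */
    z = v[words - 1];
    y = v[0] -= MX;
    sum -= DELTA;
  }
  return false;
}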
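/* Pack four bytes, least-significant byte first, into one word. */
static unsigned int pack_le32(const uint8_t *b) {
  return (unsigned int)b[0] | ((unsigned int)b[1] << 8) |
         ((unsigned int)b[2] << 16) | ((unsigned int)b[3] << 24);
}

/*
 * Solver for the first challenge on this page.
 *
 * Steps, in order:
 *   1. XOR each byte res[i] (i = 23..1) with res[0 .. i/3 - 1].
 *   2. Print the resulting 24 bytes in hex.
 *   3. Reorder every group of four bytes (source offsets 0,1,2,3 go to
 *      destination offsets 2,0,3,1).
 *   4. Pack the 24 bytes into six little-endian words.
 *   5. Try every key whose first word is four characters from a 36-symbol
 *      alphabet and whose other three words are zero (36^4 = 1,679,616
 *      candidates), decrypting with btea(..., -6, key).
 *   6. Report a candidate when the first decrypted word equals key[0], i.e.
 *      the plaintext starts with the same four bytes as the key.
 *
 * NOTE(review): steps 1 and 3 presumably undo transforms applied by the
 * challenge binary, which is not shown here; confirm against the binary.
 *
 * Word buffers are unsigned int because that is what btea() takes.
 */
int main(int argc, char const* argv[]) {
  enum { NBYTES = 24, NWORDS = 6, NALPHA = 36 };
  (void)argc;
  (void)argv;

  uint8_t res[NBYTES] = {0xCE, 0xBC, 0x40, 0x6B, 0x7C, 0x3A, 0x95, 0xC0,
                         0xEF, 0x9B, 0x20, 0x20, 0x91, 0xF7, 0x02, 0x35,
                         0x23, 0x18, 0x02, 0xC8, 0xE7, 0x56, 0x56, 0xFA};

  /* Step 1. Descending i matters: res[j] with j < i/3 is still unmodified. */
  for (size_t i = NBYTES - 1; i > 0; i--) {
    for (size_t j = 0; j < i / 3; j++) {
      res[i] ^= res[j];
    }
  }

  /* Step 2. */
  for (size_t i = 0; i < NBYTES; i++) {
    printf("%x ", (unsigned int)res[i]);
  }

  /* Step 3. Same mapping as the 24 hand-written assignments it replaces. */
  static const size_t dst_in_group[4] = {2, 0, 3, 1};
  uint8_t shuffled[NBYTES] = {0};
  for (size_t i = 0; i < NBYTES; i++) {
    shuffled[(i & ~(size_t)3) + dst_in_group[i & 3]] = res[i];
  }

  /* Step 4. `cipher` stays pristine; `work` is overwritten by each trial. */
  unsigned int cipher[NWORDS] = {0};
  unsigned int work[NWORDS] = {0};
  for (size_t w = 0; w < NWORDS; w++) {
    cipher[w] = pack_le32(&shuffled[w * 4]);
    work[w] = cipher[w];
  }

  /* ASCII for "qwertyuiopasdfghjklzxcvbnm1234567890". */
  static const uint8_t alphabet[NALPHA] = {
      0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6f,
      0x70, 0x61, 0x73, 0x64, 0x66, 0x67, 0x68, 0x6a, 0x6b,
      0x6c, 0x7a, 0x78, 0x63, 0x76, 0x62, 0x6e, 0x6d, 0x31,
      0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30};
  unsigned int key[4] = {0, 0, 0, 0};

  /* Steps 5 and 6. */
  for (size_t a = 0; a < NALPHA; a++) {
    for (size_t b = 0; b < NALPHA; b++) {
      for (size_t c = 0; c < NALPHA; c++) {
        for (size_t d = 0; d < NALPHA; d++) {
          const uint8_t guess[4] = {alphabet[a], alphabet[b], alphabet[c],
                                    alphabet[d]};
          key[0] = pack_le32(guess);

          /* btea() decrypts in place, so restart from the ciphertext. */
          for (size_t w = 0; w < NWORDS; w++) {
            work[w] = cipher[w];
          }
          btea(work, -6, key);

          if (work[0] != key[0]) {
            continue;
          }

          /* Candidate: words in hex, then the same bytes as characters. */
          puts("");
          printf("%x%x", work[0], work[1]);
          printf("%x%x", work[2], work[3]);
          printf("%x%x\n", work[4], work[5]);
          for (size_t w = 0; w < NWORDS; w++) {
            for (size_t byte = 0; byte < 4; byte++) {
              putchar((int)((work[w] >> (byte * 8)) & 0xff));
            }
          }
        }
      }
    }
  }
  return 0;
}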
flag{CXXand++tea}
0x02 easyRE
main 函数解出了一个提示，还有一个彩蛋：
➜ hmb ./easyRE
Info:The first four chars are `flag`
continue!
https://bbs.pediy.com/thread-254172.htm
You found me!!!
bye bye~
根据提示，最后找到了下面这个函数 sub_400D35：
// Decompiler pseudocode of the hidden routine.
// It derives a 32-bit value v1, checks two bytes of it against the table
// byte_6CC0A0, and on success emits 25 bytes: byte_6CC0A0[j] XORed with the
// four bytes of v4, used cyclically (j % 4).
// NOTE(review): none of the sub_* helpers are shown on this page; the roles
// suggested for them below are guesses from call shape only — confirm in the
// binary before relying on them.
unsigned __int64 sub_400D35()
{
unsigned __int64 result; // rax
unsigned int v1; // [rsp+Ch] [rbp-24h]
int i; // [rsp+10h] [rbp-20h]
int j; // [rsp+14h] [rbp-1Ch]
unsigned int v4; // [rsp+24h] [rbp-Ch]
unsigned __int64 v5; // [rsp+28h] [rbp-8h]
// Saved here and compared again before returning; presumably the
// stack-protector canary — confirm.
v5 = __readfsqword(0x28u);
// NOTE(review): looks like a time()-style call minus a stored global, so v1
// would depend on when the routine runs — confirm.
v1 = sub_43FD20(0LL) - qword_6CEE38;
// 1234 iterations; each one feeds v1 to sub_40F790, calls sub_40FE60 three
// times and keeps only the third result XORed with 0x98765432.
// Presumably a seed call followed by PRNG draws — confirm.
for ( i = 0; i <= 1233; ++i )
{
sub_40F790(v1);
sub_40FE60();
sub_40FE60();
v1 = (unsigned __int64)sub_40FE60() ^ 0x98765432;
}
v4 = v1;
// Gate: low byte of v1 ^ byte_6CC0A0[0] must be 102 ('f') and the high byte
// of v4 ^ byte_6CC0A3 must be 103 ('g'). byte_6CC0A3 is, judging by its
// address, offset 3 of the same table.
// The output is a repeating 4-byte XOR of a fixed table, and the program's
// own hint says the text starts with "flag", so the four key bytes follow
// from the first four table bytes; v1 never has to be reproduced.
if ( ((unsigned __int8)v1 ^ byte_6CC0A0[0]) == 102 && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 103 )
{
// Emits table bytes 0..24, one call per byte; sub_410E90 is presumably a
// putchar-style output routine — confirm.
for ( j = 0; j <= 24; ++j )
sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4)));
}
// Non-zero only if the value read at fs:0x28 changed since entry;
// sub_444020 is presumably the stack-check failure handler — confirm.
result = __readfsqword(0x28u) ^ v5;
if ( result )
sub_444020();
return result;
}
尝试解一下：输出以 flag 开头，所以可以用前四个字节直接还原 4 字节的异或密钥：
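# Decode the 25-byte table from sub_400D35 without reproducing its v1 value.
# The routine XORs the table with a repeating 4-byte key, and the output is
# known to start with "flag", so key[i] = table[i] ^ ord("flag"[i]).
# (The loop body is indented here; as printed on the page it had lost its
# indentation and would not parse.)
byte_6CC0A0 = [0x40, 0x35, 0x20, 0x56, 0x5d, 0x18, 0x22, 0x45, 0x17, 0x2f,
               0x24, 0x6e, 0x62, 0x3c, 0x27, 0x54, 0x48, 0x6c, 0x24, 0x6e,
               0x72, 0x3c, 0x32, 0x45, 0x5b]

# Known-plaintext recovery of the four key bytes.
v4 = [cipher ^ ord(plain) for cipher, plain in zip(byte_6CC0A0, 'flag')]

# Apply the key cyclically, exactly as the j % 4 indexing in the binary does.
flag = ''.join(chr(cipher ^ v4[pos % 4])
               for pos, cipher in enumerate(byte_6CC0A0))
print(flag)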
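# Rebuild a 62-character string from two 62-character index strings.
# For each position, a is the index of s1[i] in src and b the index of s2[i]
# in src; the character code is a * 23 + b.
# NOTE(review): presumably the inverse of a quotient/remainder-by-23 encoding
# in the challenge binary, which is not shown here — confirm.
src = '1234567890-=!@#$%^&*()_+qwertyuiop[]QWERTYUIOP{}asdfghjkl;\x27ASDFGHJKL:"ZXCVBNM<>?zxcvbnm,./'
s1 = '55565653255552225565565555243466334653663544426565555525555222'
s2 = '(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&'

if len(s1) != len(s2):
    raise ValueError("s1 and s2 must have the same length")

l = []
for hi_sym, lo_sym in zip(s1, s2):
    # index() raises ValueError on a symbol missing from src; find() would
    # return -1 and silently produce a wrong character.
    l.append(src.index(hi_sym) * 23 + src.index(lo_sym))
print(''.join(map(chr, l)))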
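# Invert a fixed 31-character permutation and hash the result.
# s2 is a probe string of 31 distinct characters and s1 is the order in which
# those characters appear after the permutation, so output position i holds
# the input character from position s2.index(s1[i]).
# res is the permuted text; placing res[i] back at s2.index(s1[i]) recovers
# the input that produces it.
from hashlib import md5  # the snippet used md5 without importing it

s1 = 'fg8hi94jk0lma52nobpqc6rsdtue731'
s2 = '1234567890abcdefghijklmnopqrstu'
res = '?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'

if not (len(s1) == len(s2) == len(res)):
    raise ValueError("s1, s2 and res must have the same length")

l = ['0' for _ in range(len(res))]
for moved_sym, out_char in zip(s1, res):
    # index() raises on an unknown symbol; find() would return -1 and
    # silently overwrite the last slot.
    l[s2.index(moved_sym)] = out_char

# Name kept from the original script; note that it shadows the builtin input().
input = ''.join(l)

# md5() needs bytes on Python 3; the recovered text is plain ASCII.
print("flag{%s}" % md5(input.encode('ascii')).hexdigest())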