-
-
[原创] WMCTF2021 Re 部分复现
-
发表于: 2021-9-3 22:31
-
开局flutter,直呼内行
咕咕咕(bushi) 另外两题实在肝不动,等官方wp了
题目开局花指令常见花指令识别与处理方案 | 我的CTF学习笔记 (mas0n.cn)
去掉花指令后,正常F5,发现虚假控制流
对输入进行了条件约束
将起始下标定位到输入的WMCTF{后一位Str[6],而后进入控制流顺序执行。
首先开辟了一块大小为576的内存空间,给地址为首先将Block指针转为DOWRD*,而后*(Block + 273) = 0xdead
进入case 0,取了前四位字符,循环写入了四段数据
而后运行至case 1,取四字符之后的16位,写入Block + 530对应的地址空间
而后就是运行case 2了,此时index已经是6 + 4 + 16,而分析case 2发现其对之后的每五位进行处理,最大能够处理三组数据。
五位中,第一位被拿来作为不同函数调用的标志,再分别将后四位十六进制字符转换成int类型,而后调用相关函数
理解不了,先放一放,看后面
分析后,发现,cond开头的四个参数可以通过z3求出,而且,其值源自boxXor,虽然它不可逆,但我们在分析case 0的时候就知道,Block,Block + 257……四段正好是由四个字符处理而来。
考虑爆破出4字符
爆破得到Hah4
而后在上图也可以看到,我分析后标注了xteaEncrypt函数,key和src,但同时我也注释了两个unknown,为什么?后面再讲。
第一时间,当我们看到
很快能够想到之前case 0似乎有出现给Block + 273这一地址空间赋值0xdead
于是我们尝试解密,发现并不是可见字符——key是错误的。
0~0xffff尝试爆破出真正的值
看到明文
尝试解密
得到_D0_yOu_L1kE_It!
现在我们拿到了前半段flag,下面就是考虑如何拿到后半段flag
切入点:Block + 273
既然Block + 273被修改了,猜测是在case 2执行过程中修改了它
分析各个函数,想办法能够修改到Block + 273
这里就需要试着套流程 ,依靠脑洞了- -
最后得到@FFFE#0F20-11B7
tips: 这里的@,用到了一个0xff的溢出(-1)
android题,主逻辑一如既往在ndk
动态注册的函数调用。
先瞟一眼.init_array
看起来是加了混淆
再看JNI_OnLoad
发现一个出题者挖的坑,检测了调试机的root
试了试frida直接hook,结果hook不住……(有知道为啥的大佬教一下我)那就直接patch so吧
打包回去,安装
尴尬,改一下AndroidManifest.xml里的android:extractNativeLibs
再来
调试环境整好,下面先静态分析一下。
程序的正常流程是在这里注册
注册的函数为sub_10134
分析出来,先进行了AES加密而后进行RC4,这里的算法都是经过一定的魔改,并不是标准算法。
最后与stru_46000[0].n128_u8[v11]比对
KeyExpansion是标准的密钥扩展算法,AES主要的修改点在于Sbox和ShiftRows部分
而RC4的修改,在于最后异或时多异或了0x50
算法是分析完了,那么如何拿到AES Key,IV和RC4Key?
我们前面看到.init_array是对一些数据的解密,静态提取是不可取了,那就动态跑起来取,Frida Hook(动态调试So也是可以的)
下面继续取RC4的Key
拿到RC4Key:Hello from C++
再去Hook比对的加密文本
撸脚本解密了
拿出Sbox,跑出InvBox,修改ShiftRows
aes.cpp
AES.h
main.cpp
解出flag:wmctf{e78ce1a3ac4be37a96e27e98c}
v7 = index++;
str_7 = Str[v7]; // Str[27]
if ( str_7 == '_' && index + 4 <= length )
{
if ( (Str[index] < '0' || Str[index] > '9') && (Str[index] < 'A' || Str[index] > 'F')
|| (Str[index + 1] < '0' || Str[index + 1] > '9') && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < '0' || Str[index + 2] > '9') && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < '0' || Str[index + 3] > '9') && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v8 = index++;
str_8 = Str[v8];
v9 = index++;
str_9 = Str[v9];
str_10 = hex2int(str_8, str_9); // 十六进制转十进制
v10 = index++;
str_8 = Str[v10];
v11 = index++;
str_9 = Str[v11];
vars9B = hex2int(str_8, str_9);
sub_140003320((__int64)Block, str_10, vars9B);
}
}
else if ( str_7 == '@' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v12 = index++;
str_8 = Str[v12];
v13 = index++;
str_9 = Str[v13];
str_10 = hex2int(str_8, str_9);
v14 = index++;
str_8 = Str[v14];
v15 = index++;
str_9 = Str[v15];
vars9B = hex2int(str_8, str_9);
sub_140003390((__int64)Block, str_10, vars9B);
}
}
else if ( str_7 == '#' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v16 = index++;
str_8 = Str[v16];
v17 = index++;
str_9 = Str[v17];
str_10 = hex2int(str_8, str_9);
v18 = index++;
str_8 = Str[v18];
v19 = index++;
str_9 = Str[v19];
vars9B = hex2int(str_8, str_9);
sub_1400033F0(Block, str_10, vars9B);
}
}
else if ( str_7 == '?' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v20 = index++;
str_8 = Str[v20];
v21 = index++;
str_9 = Str[v21];
str_10 = hex2int(str_8, str_9);
v22 = index++;
str_8 = Str[v22];
v23 = index++;
str_9 = Str[v23];
vars9B = hex2int(str_8, str_9);
sub_140003470((__int64)Block, str_10, vars9B);
}
}
else if ( str_7 == '!' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v24 = index++;
str_8 = Str[v24];
v25 = index++;
str_9 = Str[v25];
str_10 = hex2int(str_8, str_9);
v26 = index++;
str_8 = Str[v26];
v27 = index++;
str_9 = Str[v27];
vars9B = hex2int(str_8, str_9);
sub_140003500(Block, str_10, vars9B);
}
}
else if ( str_7 == '&' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v28 = index++;
str_8 = Str[v28];
v29 = index++;
str_9 = Str[v29];
str_10 = hex2int(str_8, str_9);
v30 = index++;
str_8 = Str[v30];
v31 = index++;
str_9 = Str[v31];
vars9B = hex2int(str_8, str_9);
sub_140003580(Block, str_10, vars9B);
}
}
else if ( str_7 == '-' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v32 = index++;
str_8 = Str[v32];
v33 = index++;
str_9 = Str[v33];
str_10 = hex2int(str_8, str_9);
v34 = index++;
str_8 = Str[v34];
v35 = index++;
str_9 = Str[v35];
vars9B = hex2int(str_8, str_9);
sub_1400035E0(Block, str_10, vars9B);
}
}
else if ( str_7 == '$' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v36 = index++;
str_8 = Str[v36];
v37 = index++;
str_9 = Str[v37];
str_10 = hex2int(str_8, str_9);
v38 = index++;
str_8 = Str[v38];
v39 = index++;
str_9 = Str[v39];
vars9B = hex2int(str_8, str_9);
sub_1400036A0(Block, str_10, vars9B);
}
}
else if ( str_7 == '+' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v40 = index++;
str_8 = Str[v40];
v41 = index++;
str_9 = Str[v41];
str_10 = hex2int(str_8, str_9);
v42 = index++;
str_8 = Str[v42];
v43 = index++;
str_9 = Str[v43];
vars9B = hex2int(str_8, str_9);
sub_140003730((__int64)Block, str_10, vars9B);
}
}
else
{
Block[str_7 + 257] += str_7;
vars9A = 1;
}
break;
v7 = index++;
str_7 = Str[v7]; // Str[27]
if ( str_7 == '_' && index + 4 <= length )
{
if ( (Str[index] < '0' || Str[index] > '9') && (Str[index] < 'A' || Str[index] > 'F')
|| (Str[index + 1] < '0' || Str[index + 1] > '9') && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < '0' || Str[index + 2] > '9') && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < '0' || Str[index + 3] > '9') && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v8 = index++;
str_8 = Str[v8];
v9 = index++;
str_9 = Str[v9];
str_10 = hex2int(str_8, str_9); // 十六进制转十进制
v10 = index++;
str_8 = Str[v10];
v11 = index++;
str_9 = Str[v11];
vars9B = hex2int(str_8, str_9);
sub_140003320((__int64)Block, str_10, vars9B);
}
}
else if ( str_7 == '@' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v12 = index++;
str_8 = Str[v12];
v13 = index++;
str_9 = Str[v13];
str_10 = hex2int(str_8, str_9);
v14 = index++;
str_8 = Str[v14];
v15 = index++;
str_9 = Str[v15];
vars9B = hex2int(str_8, str_9);
sub_140003390((__int64)Block, str_10, vars9B);
}
}
else if ( str_7 == '#' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v16 = index++;
str_8 = Str[v16];
v17 = index++;
str_9 = Str[v17];
str_10 = hex2int(str_8, str_9);
v18 = index++;
str_8 = Str[v18];
v19 = index++;
str_9 = Str[v19];
vars9B = hex2int(str_8, str_9);
sub_1400033F0(Block, str_10, vars9B);
}
}
else if ( str_7 == '?' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v20 = index++;
str_8 = Str[v20];
v21 = index++;
str_9 = Str[v21];
str_10 = hex2int(str_8, str_9);
v22 = index++;
str_8 = Str[v22];
v23 = index++;
str_9 = Str[v23];
vars9B = hex2int(str_8, str_9);
sub_140003470((__int64)Block, str_10, vars9B);
}
}
else if ( str_7 == '!' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v24 = index++;
str_8 = Str[v24];
v25 = index++;
str_9 = Str[v25];
str_10 = hex2int(str_8, str_9);
v26 = index++;
str_8 = Str[v26];
v27 = index++;
str_9 = Str[v27];
vars9B = hex2int(str_8, str_9);
sub_140003500(Block, str_10, vars9B);
}
}
else if ( str_7 == '&' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v28 = index++;
str_8 = Str[v28];
v29 = index++;
str_9 = Str[v29];
str_10 = hex2int(str_8, str_9);
v30 = index++;
str_8 = Str[v30];
v31 = index++;
str_9 = Str[v31];
vars9B = hex2int(str_8, str_9);
sub_140003580(Block, str_10, vars9B);
}
}
else if ( str_7 == '-' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v32 = index++;
str_8 = Str[v32];
v33 = index++;
str_9 = Str[v33];
str_10 = hex2int(str_8, str_9);
v34 = index++;
str_8 = Str[v34];
v35 = index++;
str_9 = Str[v35];
vars9B = hex2int(str_8, str_9);
sub_1400035E0(Block, str_10, vars9B);
}
}
else if ( str_7 == '$' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v36 = index++;
str_8 = Str[v36];
v37 = index++;
str_9 = Str[v37];
str_10 = hex2int(str_8, str_9);
v38 = index++;
str_8 = Str[v38];
v39 = index++;
str_9 = Str[v39];
vars9B = hex2int(str_8, str_9);
sub_1400036A0(Block, str_10, vars9B);
}
}
else if ( str_7 == '+' && index + 4 <= length )
{
if ( (Str[index] < 48 || Str[index] > 57) && (Str[index] < 65 || Str[index] > 70)
|| (Str[index + 1] < 48 || Str[index + 1] > 57) && (Str[index + 1] < 65 || Str[index + 1] > 70)
|| (Str[index + 2] < 48 || Str[index + 2] > 57) && (Str[index + 2] < 65 || Str[index + 2] > 70)
|| (Str[index + 3] < 48 || Str[index + 3] > 57) && (Str[index + 3] < 65 || Str[index + 3] > 70) )
{
vars9A = 1;
}
else
{
v40 = index++;
str_8 = Str[v40];
v41 = index++;
str_9 = Str[v41];
str_10 = hex2int(str_8, str_9);
v42 = index++;
str_8 = Str[v42];
v43 = index++;
str_9 = Str[v43];
vars9B = hex2int(str_8, str_9);
sub_140003730((__int64)Block, str_10, vars9B);
}
}
else
{
Block[str_7 + 257] += str_7;
vars9A = 1;
}
break;
import z3
cond1 = z3.BitVec("cond1", 32)
cond2 = z3.BitVec("cond2", 32)
cond3 = z3.BitVec("cond3", 32)
cond4 = z3.BitVec("cond4", 32)
result1 = cond2 + cond1 == 0x11AB7A7A
result2 = cond2 - cond3 == 0x1CD4F222
result3 = cond4 + cond3 == 0xC940F021
result4 = cond3 + cond1 - cond4 == 0x7C7D68D1
solve = z3.Solver()
solve.add(result1)solve.add(result2)solve.add(result3)solve.add(result4)if solve.check() == z3.sat:
m = solve.model()
cond1 = m.eval(cond1).as_long()
cond2 = m.eval(cond2).as_long()
cond3 = m.eval(cond3).as_long()
cond4 = m.eval(cond4).as_long()
print(hex(cond1), hex(cond2), hex(cond3), hex(cond4))
import string
box = [0x00000000, 0x703A11DE, 0xE07423BC, 0x904E3262, 0xC6A99C09, 0xB6938DD7, 0x26DDBFB5, 0x56E7AE6B, 0x8B12E363,
0xFB28F2BD, 0x6B66C0DF, 0x1B5CD101, 0x4DBB7F6A, 0x3D816EB4, 0xADCF5CD6, 0xDDF54D08, 0x10641DB7, 0x605E0C69,
0xF0103E0B, 0x802A2FD5, 0xD6CD81BE, 0xA6F79060, 0x36B9A202, 0x4683B3DC, 0x9B76FED4, 0xEB4CEF0A, 0x7B02DD68,
0x0B38CCB6, 0x5DDF62DD, 0x2DE57303, 0xBDAB4161, 0xCD9150BF, 0x20C83B6E, 0x50F22AB0, 0xC0BC18D2, 0xB086090C,
0xE661A767, 0x965BB6B9, 0x061584DB, 0x762F9505, 0xABDAD80D, 0xDBE0C9D3, 0x4BAEFBB1, 0x3B94EA6F, 0x6D734404,
0x1D4955DA, 0x8D0767B8, 0xFD3D7666, 0x30AC26D9, 0x40963707, 0xD0D80565, 0xA0E214BB, 0xF605BAD0, 0x863FAB0E,
0x1671996C, 0x664B88B2, 0xBBBEC5BA, 0xCB84D464, 0x5BCAE606, 0x2BF0F7D8, 0x7D1759B3, 0x0D2D486D, 0x9D637A0F,
0xED596BD1, 0x419076DC, 0x31AA6702, 0xA1E45560, 0xD1DE44BE, 0x8739EAD5, 0xF703FB0B, 0x674DC969, 0x1777D8B7,
0xCA8295BF, 0xBAB88461, 0x2AF6B603, 0x5ACCA7DD, 0x0C2B09B6, 0x7C111868, 0xEC5F2A0A, 0x9C653BD4, 0x51F46B6B,
0x21CE7AB5, 0xB18048D7, 0xC1BA5909, 0x975DF762, 0xE767E6BC, 0x7729D4DE, 0x0713C500, 0xDAE68808, 0xAADC99D6,
0x3A92ABB4, 0x4AA8BA6A, 0x1C4F1401, 0x6C7505DF, 0xFC3B37BD, 0x8C012663, 0x61584DB2, 0x11625C6C, 0x812C6E0E,
0xF1167FD0, 0xA7F1D1BB, 0xD7CBC065, 0x4785F207, 0x37BFE3D9, 0xEA4AAED1, 0x9A70BF0F, 0x0A3E8D6D, 0x7A049CB3,
0x2CE332D8, 0x5CD92306, 0xCC971164, 0xBCAD00BA, 0x713C5005, 0x010641DB, 0x914873B9, 0xE1726267, 0xB795CC0C,
0xC7AFDDD2, 0x57E1EFB0, 0x27DBFE6E, 0xFA2EB366, 0x8A14A2B8, 0x1A5A90DA, 0x6A608104, 0x3C872F6F, 0x4CBD3EB1,
0xDCF30CD3, 0xACC91D0D, 0x8320EDB8, 0xF31AFC66, 0x6354CE04, 0x136EDFDA, 0x458971B1, 0x35B3606F, 0xA5FD520D,
0xD5C743D3, 0x08320EDB, 0x78081F05, 0xE8462D67, 0x987C3CB9, 0xCE9B92D2, 0xBEA1830C, 0x2EEFB16E, 0x5ED5A0B0,
0x9344F00F, 0xE37EE1D1, 0x7330D3B3, 0x030AC26D, 0x55ED6C06, 0x25D77DD8, 0xB5994FBA, 0xC5A35E64, 0x1856136C,
0x686C02B2, 0xF82230D0, 0x8818210E, 0xDEFF8F65, 0xAEC59EBB, 0x3E8BACD9, 0x4EB1BD07, 0xA3E8D6D6, 0xD3D2C708,
0x439CF56A, 0x33A6E4B4, 0x65414ADF, 0x157B5B01, 0x85356963, 0xF50F78BD, 0x28FA35B5, 0x58C0246B, 0xC88E1609,
0xB8B407D7, 0xEE53A9BC, 0x9E69B862, 0x0E278A00, 0x7E1D9BDE, 0xB38CCB61, 0xC3B6DABF, 0x53F8E8DD, 0x23C2F903,
0x75255768, 0x051F46B6, 0x955174D4, 0xE56B650A, 0x389E2802, 0x48A439DC, 0xD8EA0BBE, 0xA8D01A60, 0xFE37B40B,
0x8E0DA5D5, 0x1E4397B7, 0x6E798669, 0xC2B09B64, 0xB28A8ABA, 0x22C4B8D8, 0x52FEA906, 0x0419076D, 0x742316B3,
0xE46D24D1, 0x9457350F, 0x49A27807, 0x399869D9, 0xA9D65BBB, 0xD9EC4A65, 0x8F0BE40E, 0xFF31F5D0, 0x6F7FC7B2,
0x1F45D66C, 0xD2D486D3, 0xA2EE970D, 0x32A0A56F, 0x429AB4B1, 0x147D1ADA, 0x64470B04, 0xF4093966, 0x843328B8,
0x59C665B0, 0x29FC746E, 0xB9B2460C, 0xC98857D2, 0x9F6FF9B9, 0xEF55E867, 0x7F1BDA05, 0x0F21CBDB, 0xE278A00A,
0x9242B1D4, 0x020C83B6, 0x72369268, 0x24D13C03, 0x54EB2DDD, 0xC4A51FBF, 0xB49F0E61, 0x696A4369, 0x195052B7,
0x891E60D5, 0xF924710B, 0xAFC3DF60, 0xDFF9CEBE, 0x4FB7FCDC, 0x3F8DED02, 0xF21CBDBD, 0x8226AC63, 0x12689E01,
0x62528FDF, 0x34B521B4, 0x448F306A, 0xD4C10208, 0xA4FB13D6, 0x790E5EDE, 0x09344F00, 0x997A7D62, 0xE9406CBC,
0xBFA7C2D7, 0xCF9DD309, 0x5FD3E16B, 0x2FE9F0B5]
def boxXor(a1, a2, a3):
v5 = 0
v4 = a1
while v5 < a3:
v4 = (v4 >> 8) ^ box[(a2[v5] ^ v4) & 0xff]
v5 += 1
return a1 ^ v4
def genBlock(a1, a2, a3):
block = []
for i in range(a3):
block.append(i + a1 + a2)
return block
cond0 = 0xFFFFFFFE
for c in string.printable:
block = genBlock(ord(c), 0, 256)
cond = boxXor(cond0, block, 256)
if cond == cond1:
print("find Str[7]: " + c)
for c in string.printable:
block = genBlock(ord(c), 1, 256)
cond = boxXor(cond1, block, 256)
if cond == cond2:
print("find Str[8]: " + c)
for c in string.printable:
block = genBlock(ord(c), 2, 0xf)
cond = boxXor(cond2, block, 0xf)
if cond == cond3:
print("find Str[9]: " + c)
for c in string.printable:
block = genBlock(ord(c), 3, 0x1c)
cond = boxXor(cond3, block, 0x1c)
if cond == cond4:
print("find Str[9]: " + c)
# Hah4import z3
cond1 = z3.BitVec("cond1", 32)
cond2 = z3.BitVec("cond2", 32)
cond3 = z3.BitVec("cond3", 32)
cond4 = z3.BitVec("cond4", 32)
result1 = cond2 + cond1 == 0x11AB7A7A
result2 = cond2 - cond3 == 0x1CD4F222
result3 = cond4 + cond3 == 0xC940F021
result4 = cond3 + cond1 - cond4 == 0x7C7D68D1
solve = z3.Solver()
solve.add(result1)solve.add(result2)solve.add(result3)solve.add(result4)if solve.check() == z3.sat:
m = solve.model()
cond1 = m.eval(cond1).as_long()
cond2 = m.eval(cond2).as_long()
cond3 = m.eval(cond3).as_long()
cond4 = m.eval(cond4).as_long()
print(hex(cond1), hex(cond2), hex(cond3), hex(cond4))
import string
box = [0x00000000, 0x703A11DE, 0xE07423BC, 0x904E3262, 0xC6A99C09, 0xB6938DD7, 0x26DDBFB5, 0x56E7AE6B, 0x8B12E363,
0xFB28F2BD, 0x6B66C0DF, 0x1B5CD101, 0x4DBB7F6A, 0x3D816EB4, 0xADCF5CD6, 0xDDF54D08, 0x10641DB7, 0x605E0C69,
0xF0103E0B, 0x802A2FD5, 0xD6CD81BE, 0xA6F79060, 0x36B9A202, 0x4683B3DC, 0x9B76FED4, 0xEB4CEF0A, 0x7B02DD68,
0x0B38CCB6, 0x5DDF62DD, 0x2DE57303, 0xBDAB4161, 0xCD9150BF, 0x20C83B6E, 0x50F22AB0, 0xC0BC18D2, 0xB086090C,
0xE661A767, 0x965BB6B9, 0x061584DB, 0x762F9505, 0xABDAD80D, 0xDBE0C9D3, 0x4BAEFBB1, 0x3B94EA6F, 0x6D734404,
0x1D4955DA, 0x8D0767B8, 0xFD3D7666, 0x30AC26D9, 0x40963707, 0xD0D80565, 0xA0E214BB, 0xF605BAD0, 0x863FAB0E,
0x1671996C, 0x664B88B2, 0xBBBEC5BA, 0xCB84D464, 0x5BCAE606, 0x2BF0F7D8, 0x7D1759B3, 0x0D2D486D, 0x9D637A0F,
0xED596BD1, 0x419076DC, 0x31AA6702, 0xA1E45560, 0xD1DE44BE, 0x8739EAD5, 0xF703FB0B, 0x674DC969, 0x1777D8B7,
0xCA8295BF, 0xBAB88461, 0x2AF6B603, 0x5ACCA7DD, 0x0C2B09B6, 0x7C111868, 0xEC5F2A0A, 0x9C653BD4, 0x51F46B6B,
0x21CE7AB5, 0xB18048D7, 0xC1BA5909, 0x975DF762, 0xE767E6BC, 0x7729D4DE, 0x0713C500, 0xDAE68808, 0xAADC99D6,
0x3A92ABB4, 0x4AA8BA6A, 0x1C4F1401, 0x6C7505DF, 0xFC3B37BD, 0x8C012663, 0x61584DB2, 0x11625C6C, 0x812C6E0E,
0xF1167FD0, 0xA7F1D1BB, 0xD7CBC065, 0x4785F207, 0x37BFE3D9, 0xEA4AAED1, 0x9A70BF0F, 0x0A3E8D6D, 0x7A049CB3,
0x2CE332D8, 0x5CD92306, 0xCC971164, 0xBCAD00BA, 0x713C5005, 0x010641DB, 0x914873B9, 0xE1726267, 0xB795CC0C,
0xC7AFDDD2, 0x57E1EFB0, 0x27DBFE6E, 0xFA2EB366, 0x8A14A2B8, 0x1A5A90DA, 0x6A608104, 0x3C872F6F, 0x4CBD3EB1,
0xDCF30CD3, 0xACC91D0D, 0x8320EDB8, 0xF31AFC66, 0x6354CE04, 0x136EDFDA, 0x458971B1, 0x35B3606F, 0xA5FD520D,
0xD5C743D3, 0x08320EDB, 0x78081F05, 0xE8462D67, 0x987C3CB9, 0xCE9B92D2, 0xBEA1830C, 0x2EEFB16E, 0x5ED5A0B0,
0x9344F00F, 0xE37EE1D1, 0x7330D3B3, 0x030AC26D, 0x55ED6C06, 0x25D77DD8, 0xB5994FBA, 0xC5A35E64, 0x1856136C,
0x686C02B2, 0xF82230D0, 0x8818210E, 0xDEFF8F65, 0xAEC59EBB, 0x3E8BACD9, 0x4EB1BD07, 0xA3E8D6D6, 0xD3D2C708,
0x439CF56A, 0x33A6E4B4, 0x65414ADF, 0x157B5B01, 0x85356963, 0xF50F78BD, 0x28FA35B5, 0x58C0246B, 0xC88E1609,
0xB8B407D7, 0xEE53A9BC, 0x9E69B862, 0x0E278A00, 0x7E1D9BDE, 0xB38CCB61, 0xC3B6DABF, 0x53F8E8DD, 0x23C2F903,
0x75255768, 0x051F46B6, 0x955174D4, 0xE56B650A, 0x389E2802, 0x48A439DC, 0xD8EA0BBE, 0xA8D01A60, 0xFE37B40B,
0x8E0DA5D5, 0x1E4397B7, 0x6E798669, 0xC2B09B64, 0xB28A8ABA, 0x22C4B8D8, 0x52FEA906, 0x0419076D, 0x742316B3,
0xE46D24D1, 0x9457350F, 0x49A27807, 0x399869D9, 0xA9D65BBB, 0xD9EC4A65, 0x8F0BE40E, 0xFF31F5D0, 0x6F7FC7B2,
0x1F45D66C, 0xD2D486D3, 0xA2EE970D, 0x32A0A56F, 0x429AB4B1, 0x147D1ADA, 0x64470B04, 0xF4093966, 0x843328B8,
0x59C665B0, 0x29FC746E, 0xB9B2460C, 0xC98857D2, 0x9F6FF9B9, 0xEF55E867, 0x7F1BDA05, 0x0F21CBDB, 0xE278A00A,
0x9242B1D4, 0x020C83B6, 0x72369268, 0x24D13C03, 0x54EB2DDD, 0xC4A51FBF, 0xB49F0E61, 0x696A4369, 0x195052B7,
0x891E60D5, 0xF924710B, 0xAFC3DF60, 0xDFF9CEBE, 0x4FB7FCDC, 0x3F8DED02, 0xF21CBDBD, 0x8226AC63, 0x12689E01,
0x62528FDF, 0x34B521B4, 0x448F306A, 0xD4C10208, 0xA4FB13D6, 0x790E5EDE, 0x09344F00, 0x997A7D62, 0xE9406CBC,
0xBFA7C2D7, 0xCF9DD309, 0x5FD3E16B, 0x2FE9F0B5]
def boxXor(a1, a2, a3):
v5 = 0
v4 = a1
while v5 < a3:
v4 = (v4 >> 8) ^ box[(a2[v5] ^ v4) & 0xff]
v5 += 1
return a1 ^ v4
def genBlock(a1, a2, a3):
block = []
for i in range(a3):
block.append(i + a1 + a2)
return block
cond0 = 0xFFFFFFFE
for c in string.printable:
block = genBlock(ord(c), 0, 256)
cond = boxXor(cond0, block, 256)
if cond == cond1:
print("find Str[7]: " + c)
for c in string.printable:
block = genBlock(ord(c), 1, 256)
cond = boxXor(cond1, block, 256)
if cond == cond2:
print("find Str[8]: " + c)
for c in string.printable:
block = genBlock(ord(c), 2, 0xf)
cond = boxXor(cond2, block, 0xf)
if cond == cond3:
print("find Str[9]: " + c)
for c in string.printable:
block = genBlock(ord(c), 3, 0x1c)
cond = boxXor(cond3, block, 0x1c)
if cond == cond4:
print("find Str[9]: " + c)
# Hah4#include <stdio.h>#include <stdint.h>#include <string.h>#include <windows.h>#include <iostream>void xteaEnc(DWORD *v, DWORD *kj, DWORD *a3)
{ unsigned int *result; // rax
unsigned int v4; // [rsp+0h] [rbp-30h]
unsigned int v5; // [rsp+Ch] [rbp-24h]
unsigned int v6; // [rsp+10h] [rbp-20h]
unsigned int i; // [rsp+14h] [rbp-1Ch]
v6 = *v;
v5 = v[1];
v4 = 0;
for ( i = 0; i < 0x20; ++i )
{
v6 += (kj[v4 & 3] + v4) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));
v4 -= 0x667E5433;
v5 += (kj[(v4 >> 11) & 3] + v4) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));
}
*a3 = v6;
a3[1] = v5;
}void xteaDec(DWORD *v, DWORD *kj, DWORD *a3)
{ unsigned int *result; // rax
unsigned int v4; // [rsp+0h] [rbp-30h]
unsigned int v5; // [rsp+Ch] [rbp-24h]
unsigned int v6; // [rsp+10h] [rbp-20h]
unsigned int i; // [rsp+14h] [rbp-1Ch]
v6 = *v;
v5 = v[1];
v4 = 0x303579a0;
for ( i = 0; i < 0x20; ++i )
{
v5 -= (kj[(v4 >> 11) & 3] + v4) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));
v4 += 0x667E5433;
v6 -= (kj[v4 & 3] + v4) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));
}
*a3 = v6;
a3[1] = v5;
}void DWORD2BYTE(uint8_t* Dst, uint64_t Value, const std::string& byteorder) {
/* ============================
* byteorder = "big" / "little"
* */
if (byteorder == "big") {
// big
for (int i = 0; i < 4; ++i) {
Dst[3 - i] = Value & 0xff;
Value >>= 8;
}
} else if (byteorder == "little") {
// little
for (int i = 0; i < 4; ++i) {
Dst[i] = Value & 0xff;
Value >>= 8;
}
} else {
perror("plz check byteorder");
}
}void fuzzing() { DWORD P1 = 0xa3eeb7be,
P2 = 0x6dbcc2bc,
P3 = 0x50e7d09a,
P4 = 0x78591f87;
DWORD plaintext[2] = {0x556E2853, 0x4393DF16};
for (int fuz = 0; fuz < 0x10000; ++fuz) {
DWORD vars7C = P4 & 0xFFFFFF00 | (unsigned __int8)fuz;
P3 &= 0xFFFF00FF;
P3 |= fuz & 0xFF00;
DWORD key[4] = {P1, P3, P2, vars7C};
DWORD result[2];
xteaDec(plaintext, key, result);
BYTE flag[9] = {0};
DWORD2BYTE(flag, result[0], "little");
DWORD2BYTE(&flag[4], result[1], "little");
int find = 1;
for (int i = 0; i < 8; ++i) {
if (flag[i] > 'z' || flag[i] < ' ') {
find = 0;
break;
}
}
if (find) {
printf("bytes: %x FLAG: %s\n", fuz, flag);
}
}
}int main()
{ fuzzing();
return 0;
}#include <stdio.h>#include <stdint.h>#include <string.h>#include <windows.h>#include <iostream>void xteaEnc(DWORD *v, DWORD *kj, DWORD *a3)
{ unsigned int *result; // rax
unsigned int v4; // [rsp+0h] [rbp-30h]
unsigned int v5; // [rsp+Ch] [rbp-24h]
unsigned int v6; // [rsp+10h] [rbp-20h]
unsigned int i; // [rsp+14h] [rbp-1Ch]
v6 = *v;
v5 = v[1];
v4 = 0;
for ( i = 0; i < 0x20; ++i )
{
v6 += (kj[v4 & 3] + v4) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));
v4 -= 0x667E5433;
v5 += (kj[(v4 >> 11) & 3] + v4) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));
}
*a3 = v6;
a3[1] = v5;
}void xteaDec(DWORD *v, DWORD *kj, DWORD *a3)
{ unsigned int *result; // rax
unsigned int v4; // [rsp+0h] [rbp-30h]
unsigned int v5; // [rsp+Ch] [rbp-24h]
unsigned int v6; // [rsp+10h] [rbp-20h]
unsigned int i; // [rsp+14h] [rbp-1Ch]
v6 = *v;
v5 = v[1];
v4 = 0x303579a0;
for ( i = 0; i < 0x20; ++i )
{
v5 -= (kj[(v4 >> 11) & 3] + v4) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));
v4 += 0x667E5433;
v6 -= (kj[v4 & 3] + v4) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));
}
*a3 = v6;
a3[1] = v5;
}void DWORD2BYTE(uint8_t* Dst, uint64_t Value, const std::string& byteorder) {
/* ============================
* byteorder = "big" / "little"
* */
if (byteorder == "big") {
// big
for (int i = 0; i < 4; ++i) {
Dst[3 - i] = Value & 0xff;
Value >>= 8;
}
} else if (byteorder == "little") {
// little
for (int i = 0; i < 4; ++i) {
Dst[i] = Value & 0xff;
Value >>= 8;
}
} else {
perror("plz check byteorder");
}
}void fuzzing() { DWORD P1 = 0xa3eeb7be,
P2 = 0x6dbcc2bc,
P3 = 0x50e7d09a,
P4 = 0x78591f87;
DWORD plaintext[2] = {0x556E2853, 0x4393DF16};
for (int fuz = 0; fuz < 0x10000; ++fuz) {
DWORD vars7C = P4 & 0xFFFFFF00 | (unsigned __int8)fuz;
P3 &= 0xFFFF00FF;
P3 |= fuz & 0xFF00;
DWORD key[4] = {P1, P3, P2, vars7C};
DWORD result[2];
xteaDec(plaintext, key, result);
BYTE flag[9] = {0};
DWORD2BYTE(flag, result[0], "little");
DWORD2BYTE(&flag[4], result[1], "little");
int find = 1;
for (int i = 0; i < 8; ++i) {
if (flag[i] > 'z' || flag[i] < ' ') {
find = 0;
break;
}
}
if (find) {
printf("bytes: %x FLAG: %s\n", fuz, flag);
}
}
}int main()
{ fuzzing();
return 0;
}int main()
{ DWORD P1 = 0xa3eeb7be,
P2 = 0x6dbcc2bc,
P3 = 0x50e7d09a,
P4 = 0x78591f87;
DWORD vars7C = P4 & 0xFFFFFF00 | (unsigned __int8)0xb7ad; // 不知道对不对
P3 &= 0xFFFF00FF;
P3 |= 0xb7ad & 0xFF00; // todo: unknown
DWORD plaintext[2] = {0x556E2853, 0x4393DF16};
DWORD key[4] = {P1, P3, P2, vars7C};
DWORD result[2];
xteaDec(plaintext, key, result);
printf("%lx %lx\n", result[0], result[1]);
DWORD plaintext2[2] = {0x1989FB2B, 0x83F5A243};
DWORD key2[4] = {vars7C, P2, P1, P3};
DWORD result2[2];
xteaDec(plaintext2, key2, result2);
printf("%lx %lx\n", result2[0], result2[1]);
BYTE flag[17] = {0};
DWORD2BYTE(flag, result[0], "little");
DWORD2BYTE(&flag[4], result2[0], "little");
DWORD2BYTE(&flag[8], result2[1], "little");
DWORD2BYTE(&flag[12], result[1], "little");
printf("%s\n", flag);
printf("%08lx %08lx %08lx %08lx\n", result[0], result2[0], result2[1] ,result[1]);
return 0;
}int main()
{ DWORD P1 = 0xa3eeb7be,
P2 = 0x6dbcc2bc,
P3 = 0x50e7d09a,
P4 = 0x78591f87;
DWORD vars7C = P4 & 0xFFFFFF00 | (unsigned __int8)0xb7ad; // 不知道对不对
P3 &= 0xFFFF00FF;
P3 |= 0xb7ad & 0xFF00; // todo: unknown
DWORD plaintext[2] = {0x556E2853, 0x4393DF16};
DWORD key[4] = {P1, P3, P2, vars7C};
DWORD result[2];
xteaDec(plaintext, key, result);
printf("%lx %lx\n", result[0], result[1]);
DWORD plaintext2[2] = {0x1989FB2B, 0x83F5A243};
DWORD key2[4] = {vars7C, P2, P1, P3};
DWORD result2[2];
xteaDec(plaintext2, key2, result2);
printf("%lx %lx\n", result2[0], result2[1]);
BYTE flag[17] = {0};
DWORD2BYTE(flag, result[0], "little");
DWORD2BYTE(&flag[4], result2[0], "little");
DWORD2BYTE(&flag[8], result2[1], "little");
DWORD2BYTE(&flag[12], result[1], "little");
printf("%s\n", flag);
printf("%08lx %08lx %08lx %08lx\n", result[0], result2[0], result2[1] ,result[1]);
return 0;
}// @FF FE
// #0F 20
// -11 B7
Block[546] = 0xDEAD;
Block[256] = 0xfe;
Block[528] = 0x20;
Block[547] = 0xb7;
// _
__int64 __fastcall sub_140003320(__int64 a1, unsigned __int8 a2, char a3){ __int64 result; // rax
result = (unsigned int)(dword_140027A50 + 1);
dword_140027A50 = result;
if ( (unsigned int)result <= 1 )
{
result = a1 + 548;
*(_BYTE *)(a1 + 548 + ((int)a2 >> 4) + 1) = a3;// 549 ~ 565
}
return result;
}// @
__int64 __fastcall sub_140003390(__int64 a1, char a2, char a3){ __int64 result; // rax
result = (unsigned int)(dword_140027A54 + 1);
dword_140027A54 = result;
if ( (unsigned int)result <= 1 )
{
result = a1 + 257;
*(_BYTE *)(a1 + 257 + a2) = a3; // 注意-1溢出 - 256
}
return result;
}// #
__int64 __fastcall sub_1400033F0(_BYTE *a1, char a2, char a3)
{ __int64 result; // rax
result = (unsigned int)(dword_140027A50 + 1);
dword_140027A50 = result;
if ( (unsigned int)result <= 1 )
{
result = (unsigned __int8)a1[256];
if ( (_DWORD)result == 0xFE )
{
result = (unsigned int)a2;
if ( (int)result < 0x10 )
{
result = (__int64)(a1 + 513);
a1[a2 + 513] = a3; // 513 ~ 768 528
}
}
}
return result;
}// ?
__int64 __fastcall sub_140003470(__int64 a1, char a2, char a3){ __int64 result; // rax
result = (unsigned int)(dword_140027A58 + 1);
dword_140027A58 = result;
if ( (unsigned int)result <= 1 )
{
result = *(unsigned __int16 *)(a1 + 528) / 3;
if ( !(*(unsigned __int16 *)(a1 + 528) % 3) )
{
result = a1 + 530;
*(_BYTE *)(a1 + 530 + (a2 & 0xC)) = a3; // 530 ~ 542 -> 530, 534, 538, 542
}
}
return result;
}// -
__int64 __fastcall sub_1400035E0(_BYTE *a1, char a2, char a3)
{ __int64 result; // rax
result = (unsigned int)(dword_140027A60 + 1);
dword_140027A60 = result;
if ( (unsigned int)result <= 1 )
{
result = *((unsigned __int16 *)a1 + 264) / 16; // a1[528]
if ( !(*((unsigned __int16 *)a1 + 264) % 16) )
{
result = *((unsigned __int16 *)a1 + 264) / 16;
if ( (unsigned int)(*((unsigned __int16 *)a1 + 264) / 16) < 3 )
{
result = (unsigned int)a2;
if ( (int)result <= *((unsigned __int16 *)a1 + 264) )
{
result = (__int64)(a1 + 530);
a1[a2 + 530] = a3;
}
}
}
}
return result;
}// @FF FE
// #0F 20
// -11 B7
Block[546] = 0xDEAD;
Block[256] = 0xfe;
Block[528] = 0x20;
Block[547] = 0xb7;
// _
__int64 __fastcall sub_140003320(__int64 a1, unsigned __int8 a2, char a3){ __int64 result; // rax
result = (unsigned int)(dword_140027A50 + 1);
dword_140027A50 = result;
if ( (unsigned int)result <= 1 )
{
result = a1 + 548;
*(_BYTE *)(a1 + 548 + ((int)a2 >> 4) + 1) = a3;// 549 ~ 565
}
return result;
}// @
__int64 __fastcall sub_140003390(__int64 a1, char a2, char a3){ __int64 result; // rax
result = (unsigned int)(dword_140027A54 + 1);
dword_140027A54 = result;
if ( (unsigned int)result <= 1 )
{
result = a1 + 257;
*(_BYTE *)(a1 + 257 + a2) = a3; // 注意-1溢出 - 256
}
return result;
}// #
__int64 __fastcall sub_1400033F0(_BYTE *a1, char a2, char a3)
{ __int64 result; // rax
result = (unsigned int)(dword_140027A50 + 1);
dword_140027A50 = result;
if ( (unsigned int)result <= 1 )
{
result = (unsigned __int8)a1[256];
if ( (_DWORD)result == 0xFE )
{
result = (unsigned int)a2;
if ( (int)result < 0x10 )
{
result = (__int64)(a1 + 513);
a1[a2 + 513] = a3; // 513 ~ 768 528
}
}
}
return result;
}// ?
__int64 __fastcall sub_140003470(__int64 a1, char a2, char a3){ __int64 result; // rax
result = (unsigned int)(dword_140027A58 + 1);
dword_140027A58 = result;
if ( (unsigned int)result <= 1 )
{
result = *(unsigned __int16 *)(a1 + 528) / 3;
if ( !(*(unsigned __int16 *)(a1 + 528) % 3) )
{
result = a1 + 530;
*(_BYTE *)(a1 + 530 + (a2 & 0xC)) = a3; // 530 ~ 542 -> 530, 534, 538, 542
}
}
return result;
}// -
__int64 __fastcall sub_1400035E0(_BYTE *a1, char a2, char a3)
{ __int64 result; // rax
result = (unsigned int)(dword_140027A60 + 1);
dword_140027A60 = result;
if ( (unsigned int)result <= 1 )
{
result = *((unsigned __int16 *)a1 + 264) / 16; // a1[528]
if ( !(*((unsigned __int16 *)a1 + 264) % 16) )
{
result = *((unsigned __int16 *)a1 + 264) / 16;
if ( (unsigned int)(*((unsigned __int16 *)a1 + 264) / 16) < 3 )
{
result = (unsigned int)a2;
if ( (int)result <= *((unsigned __int16 *)a1 + 264) )
{
result = (__int64)(a1 + 530);
a1[a2 + 530] = a3;
}
}
}
}
return result;
}function awaitHook() { Java.perform(function(){
var ptr = Module.findBaseAddress("libnative-lib.so");
if(ptr==null){ return 0;}
Interceptor.attach(ptr.add(0x011E6C),{
onEnter:function(arg){
console.log("\nHooking - AESEncrypt - IV: \n" + hexdump(arg[0].add(176), {length:16}));
console.log("\nHooking - AESEncrypt - Text: \n" + arg[1].readCString());
},
onLeave:function(arg){
console.log("\nHooking - AESEncrypt - EncText: \n", hexdump(arg, {length:32}));
console.log("Hooking - AESEncrypt - EXIT");
}
})
Interceptor.attach(ptr.add(0x00011820), {
onEnter: function(args) {
console.log("\narg[1] - AESKey\n" + hexdump(args[1], {length:16}));
},
onLeave: function(arg) {
// console.log("leave");
}
})
})
}setImmediate(function(){ setTimeout(awaitHook,10);
})// frida -U come.wmctf.crackme111 -l ctf.js --no-pause
function awaitHook() { Java.perform(function(){
var ptr = Module.findBaseAddress("libnative-lib.so");
if(ptr==null){ return 0;}
Interceptor.attach(ptr.add(0x011E6C),{
onEnter:function(arg){
console.log("\nHooking - AESEncrypt - IV: \n" + hexdump(arg[0].add(176), {length:16}));
console.log("\nHooking - AESEncrypt - Text: \n" + arg[1].readCString());
},
onLeave:function(arg){
console.log("\nHooking - AESEncrypt - EncText: \n", hexdump(arg, {length:32}));
console.log("Hooking - AESEncrypt - EXIT");
}
})
Interceptor.attach(ptr.add(0x00011820), {
onEnter: function(args) {
console.log("\narg[1] - AESKey\n" + hexdump(args[1], {length:16}));
},
onLeave: function(arg) {
// console.log("leave");
}
})
})
}setImmediate(function(){ setTimeout(awaitHook,10);
})// frida -U come.wmctf.crackme111 -l ctf.js --no-pause
Interceptor.attach(ptr.add(0x011624), {
onEnter: function(args) {
console.log("\narg[1] - RC4Key\n" + args[1].readCString());
},
onLeave: function(arg) {
// console.log("leave");
}
})
Interceptor.attach(ptr.add(0x011624), {
onEnter: function(args) {
console.log("\narg[1] - RC4Key\n" + args[1].readCString());
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
