2022 第五空间 (Fifth Space) RE-5_Universal Writeup
Posted: 2022-9-20 13:12


Final ranking: 21

[image]

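I have to complain here: the statement of the re2 maze challenge gave the flag format as ctf{}, but after the competition I asked other players and found out the flag was wrapped in flag{}. As a result I could never get that flag accepted, which was painful.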

[image]

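It is a Windows executable. Running it directly makes it exit, so I set breakpoints and stepped through it; at this point I found that argc has to be 2, so just adding one argument is enough.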

[image]

[image]

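The logic of this challenge is actually fairly simple: the input is 32 characters long and is fed into four encode1 calls for encryption. There is one rather nasty point, though: some of the logic is not visible in the F5 pseudocode and only shows up in the assembly.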

[image]

[image]

The way to deal with it is to debug at the assembly level directly and ignore the pseudocode; then the complete logic is visible.

[image]

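The loop runs 32 times, and debugging shows that two ints are passed in each time. The order in which the ints are passed also varies, and that too has to be worked out from the assembly.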

[image]

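Seeing the 32 above and two values being encrypted at a time, TEA immediately came to mind, and it is in fact fairly similar. Note that before entering sub_405462 there is additional encryption hidden in the assembly that F5 does not show.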

[image]

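Two XORs. One of them uses a table that stores indices; these refer to the two 128-bit big numbers stored in the figure four images up, and the specified index selects the value to XOR with.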

[image]

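Then comes the function sub_405462. Skip the pseudocode and read the assembly directly: there are 8 tables, and the assembly logic is fairly simple, just table lookups. Each lookup produces 4 bits, and 8 lookups produce one int. I won't go into detail here; I wrote the encryption and decryption by following it.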

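I was stuck here for a long time, because I wrote my own version of the encode2 encryption to understand the logic and at first had two parameters swapped. Damn, I nearly blew it.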

After fixing that, it turned out to be pure addition.

With both encode functions reversed, the last piece of logic is here:

[image]

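Since the input is 32 characters long, this is effectively a cyclic XOR, plus an addition and an XOR with 0xa5. The initial magic is unknown, but it is a single byte, so just work backwards and brute-force it.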

# Round-key schedule: for each of the 32 rounds, the index into `table`
table_index = [0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000007, 0x00000006, 0x00000005, 0x00000004, 0x00000003, 0x00000002, 0x00000001, 0x00000000]
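# `data` is only read by the packing loop near the end of the script
data = [0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738]
# The two 128-bit constants, stored as eight 32-bit words and selected through table_index
table = [0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED, 0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED]
# table1..table8: the eight 4-bit lookup tables of sub_405462, table1 for the top nibble
table1 = [0x00000003, 0x0000000F, 0x0000000E, 0x0000000A, 0x00000004, 0x00000007, 0x00000000, 0x00000009,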
    0x00000001, 0x0000000D, 0x00000006, 0x00000002, 0x00000005, 0x0000000C, 0x0000000B, 0x00000008]
table2 = [ 0x00000003, 0x0000000A, 0x00000005, 0x00000008, 0x00000004, 0x0000000B, 0x0000000D, 0x0000000C,
    0x00000007, 0x00000006, 0x00000000, 0x00000001, 0x00000002, 0x00000009, 0x0000000E, 0x0000000F]
table3 = [0x00000001, 0x00000000, 0x00000009, 0x0000000B, 0x0000000F, 0x00000005, 0x0000000C, 0x00000004,
    0x0000000E, 0x0000000D, 0x0000000A, 0x00000008, 0x00000002, 0x00000006, 0x00000003, 0x00000007]
table4 = [0x0000000B, 0x00000003, 0x0000000E, 0x00000005, 0x00000006, 0x00000009, 0x00000001, 0x00000007,
    0x00000000, 0x0000000D, 0x0000000C, 0x00000004, 0x00000008, 0x00000002, 0x0000000A, 0x0000000F]
table5 = [0x0000000D, 0x00000008, 0x00000009, 0x00000005, 0x00000001, 0x00000004, 0x00000002, 0x00000000,
    0x00000006, 0x0000000A, 0x00000007, 0x0000000B, 0x0000000C, 0x00000003, 0x0000000E, 0x0000000F]
table6 = [0x0000000F, 0x0000000C, 0x0000000A, 0x00000006, 0x00000000, 0x00000009, 0x00000005, 0x0000000E,
    0x00000002, 0x0000000B, 0x00000004, 0x00000007, 0x00000008, 0x00000001, 0x0000000D, 0x00000003]
table7 = [0x0000000D, 0x00000002, 0x00000009, 0x00000000, 0x0000000F, 0x00000003, 0x0000000A, 0x0000000B,
    0x00000004, 0x00000005, 0x00000006, 0x0000000E, 0x00000007, 0x0000000C, 0x00000001, 0x00000008]
table8 = [0x00000004, 0x0000000E, 0x00000000, 0x0000000F, 0x00000009, 0x00000003, 0x00000002, 0x0000000D,
    0x00000005, 0x00000001, 0x0000000C, 0x00000008, 0x00000007, 0x0000000A, 0x0000000B, 0x00000006]
table_list = [table1,table2,table3,table4,table5,table6,table7,table8]
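# One round: XOR the two words with the round key, substitute each nibble through
# table1..table8, and move the old data[i1] into data[i2]
def encode1(data,i1,i2,count1):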
    count = 0
    temp = data[i1]
    data[i1] ^= data[i2]
    data[i1] ^= table[count1]
    idx1 = data[i1] >> 0x1c
    idx2 = (data[i1] >> 0x18) & 0xf
    idx3 = (data[i1] >> 0x14) & 0xf
    idx4 = (data[i1] >> 0x10) & 0xf
    idx5 = (data[i1] >> 0xc) & 0xf
    idx6 = (data[i1] >> 0x8) & 0xf
    idx7 = (data[i1] >> 4) & 0xf
    idx8 = (data[i1]) & 0xf
    idx_list = [table1[idx1],table2[idx2],table3[idx3],table4[idx4],table5[idx5],table6[idx6],table7[idx7],table8[idx8]]
    for j in idx_list:
        count <<= 4
        count += j
    data[i2] = temp
    data[i1] = count
 
 
# Inverse of encode1: undo the nibble substitution with reverse lookups, then the XORs
def decode1(data,i1,i2,count1):
    data_list = []
    for i in range(8):
        data_list.append(data[i1]&0xf)
        data[i1] >>= 4
    data_list = data_list[::-1]
    count = 0
    for i,j in enumerate(table_list):
        index_data = j.index(data_list[i])
        count <<= 4
        count += index_data
    count ^= table[count1]
    count ^= data[i2]
    data[i1] = data[i2]
    data[i2] = count
# Self-test input: encode it in four stages of 32 rounds, then decode it again below
input_data = [0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635]
for i in range(32):
    encode1(input_data,0,3,table_index[0x1f - i])
input_data[0],input_data[3] = input_data[3],input_data[0]
for i in range(32):
    encode1(input_data,1,2,table_index[0x1f - i])
input_data[1],input_data[2] = input_data[2],input_data[1]
for i in range(32):
    encode1(input_data,0+4,2+4,table_index[0x1f - i])
input_data[0+4],input_data[2+4] = input_data[2+4],input_data[0+4]
for i in range(32):
    encode1(input_data,1+4,3+4,table_index[0x1f - i])
input_data[1+4],input_data[3+4] = input_data[3+4],input_data[1+4]
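# Appends two extra words packed from the low bytes of `data`; the decode below only uses indices 0-7
for i in range(len(data)//4):
    input_data.append((data[i*4]&0xff)|((data[i*4+1]&0xff)<<8) | ((data[i*4+2]&0xff)<< 16) | ((data[i*4+3]&0xff) << 24))
# print(input_data)
# Decode: undo the four stages in reverse order, walking table_index forwards
input_data[1 + 4], input_data[3 + 4] = input_data[3 + 4], input_data[1 + 4]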
for i in range(32):
    decode1(input_data, 1 + 4, 3 + 4, table_index[i])
input_data[0 + 4], input_data[2 + 4] = input_data[2 + 4], input_data[0 + 4]
for i in range(32):
    decode1(input_data, 0 + 4, 2 + 4, table_index[i])
input_data[1], input_data[2] = input_data[2], input_data[1]
for i in range(32):
    decode1(input_data, 1, 2, table_index[i])
input_data[0], input_data[3] = input_data[3], input_data[0]
for i in range(32):
    decode1(input_data, 0, 3, table_index[i])
for i in input_data:
    print(hex(i),end=',')

Last edited by 夏男人 on 2022-9-23 11:21
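
The encode1/decode1 round in the script above is only invertible if each of the eight lookup tables is a permutation of 0..15, so a table mistyped while copying it out of the disassembly makes decode1 fail or return the wrong preimage. The following is an added example, not code from the original post: it checks the tables, precomputes their inverses and round-trips one 32-round stage. The function names are introduced here; the tables, keys and schedule are transcribed from the post's script.

```python
# S-box rows transcribed from table1..table8 in the post, one hex digit per entry.
SBOX_HEX = ["3FEA47091D625CB8", "3A584BDC760129EF", "109BF5C4EDA82637", "B3E569170DC482AF",
            "D89514206A7BC3EF", "FCA6095E2B4781D3", "D290F3AB456E7C18", "4E0F932D51C87AB6"]
KEYS = [0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED] * 2   # `table` in the post
SCHEDULE = list(range(8)) * 3 + list(range(7, -1, -1))         # `table_index` in the post

def load_sboxes(rows):
    """Parse the rows and reject any that is not a permutation of 0..15."""
    boxes = [[int(c, 16) for c in row] for row in rows]
    for n, box in enumerate(boxes, 1):
        if sorted(box) != list(range(16)):
            raise ValueError(f"table{n} is not a permutation of 0..15, decode is ambiguous")
    return boxes

def invert(boxes):
    """Inverse tables, so decoding is a direct lookup (safe once load_sboxes has passed)."""
    return [[box.index(v) for v in range(16)] for box in boxes]

def substitute(word, boxes):
    """boxes[0] maps the top nibble of a 32-bit word, boxes[7] the lowest."""
    out = 0
    for n, box in enumerate(boxes):
        out = (out << 4) | box[(word >> (28 - 4 * n)) & 0xF]
    return out

def encode_round(a, b, key, boxes):
    return substitute(a ^ b ^ key, boxes), a           # same data flow as encode1

def decode_round(a, b, key, inv):
    return b, substitute(a, inv) ^ key ^ b             # same data flow as decode1

def roundtrip(a, b, boxes):
    """32 encode rounds (schedule walked backwards), then 32 decode rounds (forwards)."""
    inv = invert(boxes)
    for i in range(32):
        a, b = encode_round(a, b, KEYS[SCHEDULE[31 - i]], boxes)
    ct = (a, b)
    for i in range(32):
        a, b = decode_round(a, b, KEYS[SCHEDULE[i]], inv)
    return ct, (a, b)

if __name__ == "__main__":
    # Same test words as the first pair of input_data in the post.
    ct, pt = roundtrip(0x34333231, 0x38373635, load_sboxes(SBOX_HEX))
    print([hex(x) for x in ct], [hex(x) for x in pt])
```
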
Latest replies (2)
Please upload the challenge attachment to the forum itself so that the moderators can mark the post as featured.
2022-9-22 19:10
Editor: Please upload the challenge attachment to the forum itself so that the moderators can mark the post as featured.
2022-9-23 11:20