2022 第五空间 (Fifth Space) RE-5_Universal Writeup
2022-9-20 13:12

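Ramblings

Final ranking: 21st.

[Image]

I have to complain about one thing here: the statement for the re2 maze challenge gave the flag format as ctf{}, but after the contest I asked other players and found that the flag was actually wrapped in flag{}. Because of that I could never get the flag for that challenge accepted, which was painful.

[Image]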

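Steps

The target is a Windows executable. Run directly, it just exits. Setting breakpoints and stepping through it shows that at this point it checks that argc is 2, so simply adding one argument is enough.

[Image]

[Image]

The logic of this challenge is actually fairly simple: the input is 32 characters long and is fed through four encode1 passes for encryption. The impressive trick here is that some of the logic does not show up in the F5 pseudocode; you have to read the disassembly to see it.

[Image]

[Image]

The way to deal with this is to debug at the assembly level and ignore the pseudocode; then the complete logic is visible.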

encode1

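[Image]

It loops 32 times, and debugging shows that two ints are passed in each time. The order in which the ints are passed in also differs, and this too has to be identified from the disassembly.

[Image]

Seeing the 32 above and two values being encrypted each time, TEA immediately came to mind, and it is indeed fairly similar. Note that before entering sub_405462 there is additional encryption hidden in the assembly that F5 does not show.

[Image]

There are two XORs. One of them uses a table that stores indices, which refer to the two 128-bit constants stored in the image four images up; the given index selects the value to XOR with.

[Image]

Next comes the function sub_405462. Skip the pseudocode and read the disassembly directly: there are 8 tables, and the assembly logic is fairly simple, just a table lookup that produces 4 bits each time, repeated 8 times to produce one int. I won't go into detail here; the encryption and decryption were written by following it.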

table_index = [0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000007, 0x00000006, 0x00000005, 0x00000004, 0x00000003, 0x00000002, 0x00000001, 0x00000000]
data = [0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738]
table = [0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED, 0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED]
table1 = [0x00000003, 0x0000000F, 0x0000000E, 0x0000000A, 0x00000004, 0x00000007, 0x00000000, 0x00000009,
    0x00000001, 0x0000000D, 0x00000006, 0x00000002, 0x00000005, 0x0000000C, 0x0000000B, 0x00000008]
table2 = [ 0x00000003, 0x0000000A, 0x00000005, 0x00000008, 0x00000004, 0x0000000B, 0x0000000D, 0x0000000C,
    0x00000007, 0x00000006, 0x00000000, 0x00000001, 0x00000002, 0x00000009, 0x0000000E, 0x0000000F]
table3 = [0x00000001, 0x00000000, 0x00000009, 0x0000000B, 0x0000000F, 0x00000005, 0x0000000C, 0x00000004,
    0x0000000E, 0x0000000D, 0x0000000A, 0x00000008, 0x00000002, 0x00000006, 0x00000003, 0x00000007]
table4 = [0x0000000B, 0x00000003, 0x0000000E, 0x00000005, 0x00000006, 0x00000009, 0x00000001, 0x00000007,
    0x00000000, 0x0000000D, 0x0000000C, 0x00000004, 0x00000008, 0x00000002, 0x0000000A, 0x0000000F]
table5 = [0x0000000D, 0x00000008, 0x00000009, 0x00000005, 0x00000001, 0x00000004, 0x00000002, 0x00000000,
    0x00000006, 0x0000000A, 0x00000007, 0x0000000B, 0x0000000C, 0x00000003, 0x0000000E, 0x0000000F]
table6 = [0x0000000F, 0x0000000C, 0x0000000A, 0x00000006, 0x00000000, 0x00000009, 0x00000005, 0x0000000E,
    0x00000002, 0x0000000B, 0x00000004, 0x00000007, 0x00000008, 0x00000001, 0x0000000D, 0x00000003]
table7 = [0x0000000D, 0x00000002, 0x00000009, 0x00000000, 0x0000000F, 0x00000003, 0x0000000A, 0x0000000B,
    0x00000004, 0x00000005, 0x00000006, 0x0000000E, 0x00000007, 0x0000000C, 0x00000001, 0x00000008]
table8 = [0x00000004, 0x0000000E, 0x00000000, 0x0000000F, 0x00000009, 0x00000003, 0x00000002, 0x0000000D,
    0x00000005, 0x00000001, 0x0000000C, 0x00000008, 0x00000007, 0x0000000A, 0x0000000B, 0x00000006]
table_list = [table1,table2,table3,table4,table5,table6,table7,table8]
def encode1(data,i1,i2,count1):
    count = 0
    temp = data[i1]
    data[i1] ^= data[i2]
    data[i1] ^= table[count1]
    idx1 = data[i1] >> 0x1c
    idx2 = (data[i1] >> 0x18) & 0xf
    idx3 = (data[i1] >> 0x14) & 0xf
    idx4 = (data[i1] >> 0x10) & 0xf
    idx5 = (data[i1] >> 0xc) & 0xf
    idx6 = (data[i1] >> 0x8) & 0xf
    idx7 = (data[i1] >> 4) & 0xf
    idx8 = (data[i1]) & 0xf
    idx_list = [table1[idx1],table2[idx2],table3[idx3],table4[idx4],table5[idx5],table6[idx6],table7[idx7],table8[idx8]]
    for j in idx_list:
        count <<= 4
        count += j
    data[i2] = temp
    data[i1] = count
 
 
def decode1(data,i1,i2,count1):
    data_list = []
    for i in range(8):
        data_list.append(data[i1]&0xf)
        data[i1] >>= 4
    data_list = data_list[::-1]
    count = 0
    for i,j in enumerate(table_list):
        index_data = j.index(data_list[i])
        count <<= 4
        count += index_data
    count ^= table[count1]
    count ^= data[i2]
    data[i1] = data[i2]
    data[i2] = count
input_data = [0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635]
for i in range(32):
    encode1(input_data,0,3,table_index[0x1f - i])
input_data[0],input_data[3] = input_data[3],input_data[0]
for i in range(32):
    encode1(input_data,1,2,table_index[0x1f - i])
input_data[1],input_data[2] = input_data[2],input_data[1]
for i in range(32):
    encode1(input_data,0+4,2+4,table_index[0x1f - i])
input_data[0+4],input_data[2+4] = input_data[2+4],input_data[0+4]
for i in range(32):
    encode1(input_data,1+4,3+4,table_index[0x1f - i])
input_data[1+4],input_data[3+4] = input_data[3+4],input_data[1+4]
# Round trip: undo the four passes in reverse order to check decode1 against encode1
input_data[1 + 4], input_data[3 + 4] = input_data[3 + 4], input_data[1 + 4]
for i in range(32):
    decode1(input_data, 1 + 4, 3 + 4, table_index[i])
input_data[0 + 4], input_data[2 + 4] = input_data[2 + 4], input_data[0 + 4]
for i in range(32):
    decode1(input_data, 0 + 4, 2 + 4, table_index[i])
input_data[1], input_data[2] = input_data[2], input_data[1]
for i in range(32):
    decode1(input_data, 1, 2, table_index[i])
input_data[0], input_data[3] = input_data[3], input_data[0]
for i in range(32):
    decode1(input_data, 0, 3, table_index[i])
for i in input_data:
    print(hex(i),end=',')

encode2

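I was stuck here for a long time, because I rewrote the encode2 encryption myself to understand the logic and at first had two parameters swapped. Damn, that nearly finished me.

After fixing that, it turned out to be plain addition.

Brute force

With both encode functions reversed, the last piece of logic is here:

[Image]

Because the input is 32 characters long, this amounts to a cyclic XOR, plus an addition and an XOR with 0xa5. The initial magic is unknown, but it is only one byte, so just run it in reverse and brute-force it.

Final script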

from Crypto.Util.number import *  # long_to_bytes (pycryptodome)
# duibi ("compare"): the 32-byte target array
duibi = [0xC2, 0x3A, 0x86, 0xC1, 0x44, 0x07, 0x13, 0x0C, 0x7B, 0xBE,
  0x1A, 0x6D, 0xCB, 0xFA, 0x26, 0x99, 0x62, 0x7C, 0x82, 0x66,
  0x9F, 0x1C, 0xD9, 0x99, 0x44, 0xC3, 0xB7, 0x1D, 0x67, 0x3C,
  0x7B, 0x80]
table_index = [0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000007, 0x00000006, 0x00000005, 0x00000004, 0x00000003, 0x00000002, 0x00000001, 0x00000000]
data = [0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738]
table = [0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED, 0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED]
table1 = [0x00000003, 0x0000000F, 0x0000000E, 0x0000000A, 0x00000004, 0x00000007, 0x00000000, 0x00000009,
    0x00000001, 0x0000000D, 0x00000006, 0x00000002, 0x00000005, 0x0000000C, 0x0000000B, 0x00000008]
table2 = [ 0x00000003, 0x0000000A, 0x00000005, 0x00000008, 0x00000004, 0x0000000B, 0x0000000D, 0x0000000C,
    0x00000007, 0x00000006, 0x00000000, 0x00000001, 0x00000002, 0x00000009, 0x0000000E, 0x0000000F]
table3 = [0x00000001, 0x00000000, 0x00000009, 0x0000000B, 0x0000000F, 0x00000005, 0x0000000C, 0x00000004,
    0x0000000E, 0x0000000D, 0x0000000A, 0x00000008, 0x00000002, 0x00000006, 0x00000003, 0x00000007]
table4 = [0x0000000B, 0x00000003, 0x0000000E, 0x00000005, 0x00000006, 0x00000009, 0x00000001, 0x00000007,
    0x00000000, 0x0000000D, 0x0000000C, 0x00000004, 0x00000008, 0x00000002, 0x0000000A, 0x0000000F]
table5 = [0x0000000D, 0x00000008, 0x00000009, 0x00000005, 0x00000001, 0x00000004, 0x00000002, 0x00000000,
    0x00000006, 0x0000000A, 0x00000007, 0x0000000B, 0x0000000C, 0x00000003, 0x0000000E, 0x0000000F]
table6 = [0x0000000F, 0x0000000C, 0x0000000A, 0x00000006, 0x00000000, 0x00000009, 0x00000005, 0x0000000E,
    0x00000002, 0x0000000B, 0x00000004, 0x00000007, 0x00000008, 0x00000001, 0x0000000D, 0x00000003]
table7 = [0x0000000D, 0x00000002, 0x00000009, 0x00000000, 0x0000000F, 0x00000003, 0x0000000A, 0x0000000B,
    0x00000004, 0x00000005, 0x00000006, 0x0000000E, 0x00000007, 0x0000000C, 0x00000001, 0x00000008]
table8 = [0x00000004, 0x0000000E, 0x00000000, 0x0000000F, 0x00000009, 0x00000003, 0x00000002, 0x0000000D,
    0x00000005, 0x00000001, 0x0000000C, 0x00000008, 0x00000007, 0x0000000A, 0x0000000B, 0x00000006]
table_list = [table1,table2,table3,table4,table5,table6,table7,table8]
def encode1(data,i1,i2,count1):
    count = 0
    temp = data[i1]
    data[i1] ^= data[i2]
    data[i1] ^= table[count1]
    idx1 = data[i1] >> 0x1c
    idx2 = (data[i1] >> 0x18) & 0xf
    idx3 = (data[i1] >> 0x14) & 0xf
    idx4 = (data[i1] >> 0x10) & 0xf
    idx5 = (data[i1] >> 0xc) & 0xf
    idx6 = (data[i1] >> 0x8) & 0xf
    idx7 = (data[i1] >> 4) & 0xf
    idx8 = (data[i1]) & 0xf
    idx_list = [table1[idx1],table2[idx2],table3[idx3],table4[idx4],table5[idx5],table6[idx6],table7[idx7],table8[idx8]]
    for j in idx_list:
        count <<= 4
        count += j
    data[i2] = temp
    data[i1] = count
 
 
def decode1(data,i1,i2,count1):
    data_list = []
    for i in range(8):
        data_list.append(data[i1]&0xf)
        data[i1] >>= 4
    data_list = data_list[::-1]
    count = 0
    for i,j in enumerate(table_list):
        index_data = j.index(data_list[i])
        count <<= 4
        count += index_data
    count ^= table[count1]
    count ^= data[i2]
    data[i1] = data[i2]
    data[i2] = count
 
def encode2(data_cur,magic):
    while data_cur:
        t1 = data_cur ^ magic
        data_cur &= magic
        data_cur *= 2
        magic = t1
    return magic&0xff
# for i in range(32):
#     encode1(input_data,0,3,table_index[0x1f - i])
# input_data[0],input_data[3] = input_data[3],input_data[0]
# for i in range(32):
#     encode1(input_data,1,2,table_index[0x1f - i])
# input_data[1],input_data[2] = input_data[2],input_data[1]
# for i in range(32):
#     encode1(input_data,0+4,2+4,table_index[0x1f - i])
# input_data[0+4],input_data[2+4] = input_data[2+4],input_data[0+4]
# for i in range(32):
#     encode1(input_data,1+4,3+4,table_index[0x1f - i])
# input_data[1+4],input_data[3+4] = input_data[3+4],input_data[1+4]
for m in range(256):
    data = [0xC2, 0x3A, 0x86, 0xC1, 0x44, 0x07, 0x13, 0x0C, 0x7B, 0xBE,
     0x1A, 0x6D, 0xCB, 0xFA, 0x26, 0x99, 0x62, 0x7C, 0x82, 0x66,
     0x9F, 0x1C, 0xD9, 0x99, 0x44, 0xC3, 0xB7, 0x1D, 0x67, 0x3C,
     0x7B, 0x80]
    magic = m
 
    for i in range(63, -1, -1):
        data[i & 0x1f] = ~(data[i & 0x1f] ^ magic) ^ data[(i+1) & 0x1f]
        magic = (magic ^ 0xa5) - data[(i - 1) & 0x1f]
        magic &= 0xff
    input_data = []
    for i in range(len(data)//4):
        input_data.append((data[i*4]&0xff)|((data[i*4+1]&0xff)<<8) | ((data[i*4+2]&0xff)<< 16) | ((data[i*4+3]&0xff) << 24))
    # print(input_data)
    input_data[1 + 4], input_data[3 + 4] = input_data[3 + 4], input_data[1 + 4]
    for i in range(32):
        decode1(input_data, 1 + 4, 3 + 4, table_index[i])
    input_data[0 + 4], input_data[2 + 4] = input_data[2 + 4], input_data[0 + 4]
    for i in range(32):
        decode1(input_data, 0 + 4, 2 + 4, table_index[i])
    input_data[1], input_data[2] = input_data[2], input_data[1]
    for i in range(32):
        decode1(input_data, 1, 2, table_index[i])
    input_data[0], input_data[3] = input_data[3], input_data[0]
    for i in range(32):
        decode1(input_data, 0, 3, table_index[i])
    for i in input_data:
        print(long_to_bytes(i),end="")
    print()
s = [b'rh3S',b'nid0',b'_re7',b'nU_3',b're4i',b'_la3',b'r00D',b'111s']
for i in s:
    print(i.decode()[::-1],end="")

Last edited by 夏男人 on 2022-9-23 11:21
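
The encode2 and brute-force steps described in the post, as an added example that is not part of the original post: it checks exhaustively that the XOR/AND/shift loop in encode2 is 8-bit addition, then recovers a constructed 32-byte sample from the final stage by trying all 256 values of the magic byte. `final_stage` is the forward direction reconstructed by inverting the post's loop (an assumption, not taken from the binary), and the four encode1 passes are left out, so the printable-ASCII filter applies directly to the stage's input.

```python
# Added example, not the post's code. final_stage() is the forward direction
# reconstructed by inverting the post's brute-force loop (an assumption).

def encode2(a, b):
    """Same loop as the post's encode2: XOR is the sum, (AND << 1) the carry."""
    while a:
        a, b = (a & b) << 1, a ^ b
    return b & 0xFF

def encode2_is_addition():
    """Exhaustively confirm encode2(a, b) == (a + b) mod 256 for all bytes."""
    return all(encode2(a, b) == (a + b) & 0xFF
               for a in range(256) for b in range(256))

def final_stage(buf, magic):
    """Two laps over the 32-byte buffer (64 steps), chained through magic."""
    buf = list(buf)
    for i in range(64):
        magic = encode2(buf[(i - 1) & 31], magic) ^ 0xA5
        buf[i & 31] = (~(buf[i & 31] ^ buf[(i + 1) & 31]) ^ magic) & 0xFF
    return buf, magic

def undo_final_stage(buf, magic):
    """The post's inverse loop, masked to bytes; returns (input, start magic)."""
    buf = list(buf)
    for i in range(63, -1, -1):
        buf[i & 31] = (~(buf[i & 31] ^ magic) ^ buf[(i + 1) & 31]) & 0xFF
        magic = ((magic ^ 0xA5) - buf[(i - 1) & 31]) & 0xFF
    return buf, magic

def brute_force(cipher):
    """Try every final magic byte; keep candidates that are printable ASCII."""
    hits = []
    for guess in range(256):
        plain, start = undo_final_stage(cipher, guess)
        if all(0x20 <= b < 0x7F for b in plain):
            hits.append((bytes(plain), start))
    return hits

# Constructed sample: 32 ASCII bytes and an arbitrary starting magic of 0x5C.
SAMPLE = b"constructed_sample_input_32bytes"
CIPHER, _ = final_stage(SAMPLE, 0x5C)

if __name__ == "__main__":
    print(encode2_is_addition(), brute_force(CIPHER))
```

In the post's full script the same filter would go after the four decode1 passes, in place of scanning the 256 printed lines by eye.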
Latest replies (2)
Editor 2022-9-22 19:10
Please upload the challenge attachment to the forum itself, so that the moderators can mark the post as featured.
夏男人 2022-9-23 11:20
Editor: Please upload the challenge attachment to the forum itself, so that the moderators can mark the post as featured.