首页
社区
课程
招聘
2022第五空间RE-5_Universal-题解
发表于: 2022-9-20 13:12 7709

2022第五空间RE-5_Universal-题解

2022-9-20 13:12
7709

最终排名21

图片描述

这里必须要吐槽一下,re2迷宫题题目里的flag格式是ctf{},但是赛后我问别的师傅发现flag是flag{}包裹的。导致这道题flag一直交不上,难受。

图片描述

windows可执行程序,直接运行的话会退出,然后下断点一步步调试,在此处发现是argc为2,直接加个参数即可。

图片描述

图片描述

然后其实这个题逻辑也是比较简单,输入32位,然后丢到四个encode1里去进行加密。不过这里有个比较牛逼的点,就是f5伪代码有些逻辑看不到,要看汇编才能看到一些逻辑。

图片描述

图片描述

应对方法就是直接调汇编,不看伪代码,然后就可以看完整逻辑了(

图片描述

循环32次,调试发现每次传入俩int。不过传入的int顺序也有差别,也得看汇编识别

图片描述

看上方的32位和每次加密两次,瞬间想到tea,实际上也确实比较像。注意这里进这个sub_405462之前还在汇编里藏了加密,f5没显示

图片描述

俩异或,其中一个异或用到了一个table,里面存的是下标,对应的是上上上上图存的那俩128位的大数,通过指定下标去找到对应的数异或

图片描述

然后进入sub_405462函数,不用看伪代码,直接看汇编,发现有8个table,汇编逻辑比较简单,就是一个查表的操作,每次生成4bit,然后生成8次生成一个int。这里不细说,对着写出加密和解密。

在这里卡了很久,因为我自己写了一遍encode2的加密看逻辑,最开始有俩参数写反了,md,差点寄了。

改回来后发现,就是个纯加法。

俩encode函数都逆出来了,最后一个逻辑在这里

图片描述

由于输入是32位,所以这里相当是一个循环异或,还有一个加和异或0xa5,而最开始的magic是不知道的,不过是一个字节,直接反过来爆破即可。

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
table_index = [0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000007, 0x00000006, 0x00000005, 0x00000004, 0x00000003, 0x00000002, 0x00000001, 0x00000000]
data = [0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738]
table = [0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED, 0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED]
table1 = [0x00000003, 0x0000000F, 0x0000000E, 0x0000000A, 0x00000004, 0x00000007, 0x00000000, 0x00000009,
    0x00000001, 0x0000000D, 0x00000006, 0x00000002, 0x00000005, 0x0000000C, 0x0000000B, 0x00000008]
table2 = [ 0x00000003, 0x0000000A, 0x00000005, 0x00000008, 0x00000004, 0x0000000B, 0x0000000D, 0x0000000C,
    0x00000007, 0x00000006, 0x00000000, 0x00000001, 0x00000002, 0x00000009, 0x0000000E, 0x0000000F]
table3 = [0x00000001, 0x00000000, 0x00000009, 0x0000000B, 0x0000000F, 0x00000005, 0x0000000C, 0x00000004,
    0x0000000E, 0x0000000D, 0x0000000A, 0x00000008, 0x00000002, 0x00000006, 0x00000003, 0x00000007]
table4 = [0x0000000B, 0x00000003, 0x0000000E, 0x00000005, 0x00000006, 0x00000009, 0x00000001, 0x00000007,
    0x00000000, 0x0000000D, 0x0000000C, 0x00000004, 0x00000008, 0x00000002, 0x0000000A, 0x0000000F]
table5 = [0x0000000D, 0x00000008, 0x00000009, 0x00000005, 0x00000001, 0x00000004, 0x00000002, 0x00000000,
    0x00000006, 0x0000000A, 0x00000007, 0x0000000B, 0x0000000C, 0x00000003, 0x0000000E, 0x0000000F]
table6 = [0x0000000F, 0x0000000C, 0x0000000A, 0x00000006, 0x00000000, 0x00000009, 0x00000005, 0x0000000E,
    0x00000002, 0x0000000B, 0x00000004, 0x00000007, 0x00000008, 0x00000001, 0x0000000D, 0x00000003]
table7 = [0x0000000D, 0x00000002, 0x00000009, 0x00000000, 0x0000000F, 0x00000003, 0x0000000A, 0x0000000B,
    0x00000004, 0x00000005, 0x00000006, 0x0000000E, 0x00000007, 0x0000000C, 0x00000001, 0x00000008]
table8 = [0x00000004, 0x0000000E, 0x00000000, 0x0000000F, 0x00000009, 0x00000003, 0x00000002, 0x0000000D,
    0x00000005, 0x00000001, 0x0000000C, 0x00000008, 0x00000007, 0x0000000A, 0x0000000B, 0x00000006]
table_list = [table1,table2,table3,table4,table5,table6,table7,table8]
def encode1(data,i1,i2,count1):
    count = 0
    temp = data[i1]
    data[i1] ^= data[i2]
    data[i1] ^= table[count1]
    idx1 = data[i1] >> 0x1c
    idx2 = (data[i1] >> 0x18) & 0xf
    idx3 = (data[i1] >> 0x14) & 0xf
    idx4 = (data[i1] >> 0x10) & 0xf
    idx5 = (data[i1] >> 0xc) & 0xf
    idx6 = (data[i1] >> 0x8) & 0xf
    idx7 = (data[i1] >> 4) & 0xf
    idx8 = (data[i1]) & 0xf
    idx_list = [table1[idx1],table2[idx2],table3[idx3],table4[idx4],table5[idx5],table6[idx6],table7[idx7],table8[idx8]]
    for j in idx_list:
        count <<= 4
        count += j
    data[i2] = temp
    data[i1] = count
 
 
def decode1(data,i1,i2,count1):
    data_list = []
    for i in range(8):
        data_list.append(data[i1]&0xf)
        data[i1] >>= 4
    data_list = data_list[::-1]
    count = 0
    for i,j in enumerate(table_list):
        index_data = j.index(data_list[i])
        count <<= 4
        count += index_data
    count ^= table[count1]
    count ^= data[i2]
    data[i1] = data[i2]
    data[i2] = count
input_data = [0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635]
for i in range(32):
    encode1(input_data,0,3,table_index[0x1f - i])
input_data[0],input_data[3] = input_data[3],input_data[0]
for i in range(32):
    encode1(input_data,1,2,table_index[0x1f - i])
input_data[1],input_data[2] = input_data[2],input_data[1]
for i in range(32):
    encode1(input_data,0+4,2+4,table_index[0x1f - i])
input_data[0+4],input_data[2+4] = input_data[2+4],input_data[0+4]
for i in range(32):
    encode1(input_data,1+4,3+4,table_index[0x1f - i])
input_data[1+4],input_data[3+4] = input_data[3+4],input_data[1+4]
for i in range(len(data)//4):
    input_data.append((data[i*4]&0xff)|((data[i*4+1]&0xff)<<8) | ((data[i*4+2]&0xff)<< 16) | ((data[i*4+3]&0xff) << 24))
# print(input_data)
input_data[1 + 4], input_data[3 + 4] = input_data[3 + 4], input_data[1 + 4]
for i in range(32):
    decode1(input_data, 1 + 4, 3 + 4, table_index[i])
input_data[0 + 4], input_data[2 + 4] = input_data[2 + 4], input_data[0 + 4]
for i in range(32):
    decode1(input_data, 0 + 4, 2 + 4, table_index[i])
input_data[1], input_data[2] = input_data[2], input_data[1]
for i in range(32):
    decode1(input_data, 1, 2, table_index[i])
input_data[0], input_data[3] = input_data[3], input_data[0]
for i in range(32):
    decode1(input_data, 0, 3, table_index[i])
for i in input_data:
    print(hex(i),end=',')
table_index = [0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007,
    0x00000007, 0x00000006, 0x00000005, 0x00000004, 0x00000003, 0x00000002, 0x00000001, 0x00000000]
data = [0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738,0x31323334,0x35363738]
table = [0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED, 0xDEADBEEF, 0x9E3779B9, 0xC6EF3720, 0xBEEFDEED]
table1 = [0x00000003, 0x0000000F, 0x0000000E, 0x0000000A, 0x00000004, 0x00000007, 0x00000000, 0x00000009,
    0x00000001, 0x0000000D, 0x00000006, 0x00000002, 0x00000005, 0x0000000C, 0x0000000B, 0x00000008]
table2 = [ 0x00000003, 0x0000000A, 0x00000005, 0x00000008, 0x00000004, 0x0000000B, 0x0000000D, 0x0000000C,
    0x00000007, 0x00000006, 0x00000000, 0x00000001, 0x00000002, 0x00000009, 0x0000000E, 0x0000000F]
table3 = [0x00000001, 0x00000000, 0x00000009, 0x0000000B, 0x0000000F, 0x00000005, 0x0000000C, 0x00000004,
    0x0000000E, 0x0000000D, 0x0000000A, 0x00000008, 0x00000002, 0x00000006, 0x00000003, 0x00000007]
table4 = [0x0000000B, 0x00000003, 0x0000000E, 0x00000005, 0x00000006, 0x00000009, 0x00000001, 0x00000007,
    0x00000000, 0x0000000D, 0x0000000C, 0x00000004, 0x00000008, 0x00000002, 0x0000000A, 0x0000000F]
table5 = [0x0000000D, 0x00000008, 0x00000009, 0x00000005, 0x00000001, 0x00000004, 0x00000002, 0x00000000,
    0x00000006, 0x0000000A, 0x00000007, 0x0000000B, 0x0000000C, 0x00000003, 0x0000000E, 0x0000000F]
table6 = [0x0000000F, 0x0000000C, 0x0000000A, 0x00000006, 0x00000000, 0x00000009, 0x00000005, 0x0000000E,
    0x00000002, 0x0000000B, 0x00000004, 0x00000007, 0x00000008, 0x00000001, 0x0000000D, 0x00000003]
table7 = [0x0000000D, 0x00000002, 0x00000009, 0x00000000, 0x0000000F, 0x00000003, 0x0000000A, 0x0000000B,
    0x00000004, 0x00000005, 0x00000006, 0x0000000E, 0x00000007, 0x0000000C, 0x00000001, 0x00000008]
table8 = [0x00000004, 0x0000000E, 0x00000000, 0x0000000F, 0x00000009, 0x00000003, 0x00000002, 0x0000000D,
    0x00000005, 0x00000001, 0x0000000C, 0x00000008, 0x00000007, 0x0000000A, 0x0000000B, 0x00000006]
table_list = [table1,table2,table3,table4,table5,table6,table7,table8]
def encode1(data,i1,i2,count1):
    count = 0
    temp = data[i1]
    data[i1] ^= data[i2]
    data[i1] ^= table[count1]
    idx1 = data[i1] >> 0x1c
    idx2 = (data[i1] >> 0x18) & 0xf
    idx3 = (data[i1] >> 0x14) & 0xf
    idx4 = (data[i1] >> 0x10) & 0xf
    idx5 = (data[i1] >> 0xc) & 0xf
    idx6 = (data[i1] >> 0x8) & 0xf
    idx7 = (data[i1] >> 4) & 0xf
    idx8 = (data[i1]) & 0xf
    idx_list = [table1[idx1],table2[idx2],table3[idx3],table4[idx4],table5[idx5],table6[idx6],table7[idx7],table8[idx8]]
    for j in idx_list:
        count <<= 4
        count += j
    data[i2] = temp
    data[i1] = count
 
 
def decode1(data,i1,i2,count1):
    data_list = []
    for i in range(8):
        data_list.append(data[i1]&0xf)
        data[i1] >>= 4
    data_list = data_list[::-1]
    count = 0
    for i,j in enumerate(table_list):
        index_data = j.index(data_list[i])
        count <<= 4
        count += index_data
    count ^= table[count1]
    count ^= data[i2]
    data[i1] = data[i2]
    data[i2] = count
input_data = [0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635, 0x34333231, 0x38373635]
for i in range(32):
    encode1(input_data,0,3,table_index[0x1f - i])
input_data[0],input_data[3] = input_data[3],input_data[0]
for i in range(32):
    encode1(input_data,1,2,table_index[0x1f - i])
input_data[1],input_data[2] = input_data[2],input_data[1]
for i in range(32):
    encode1(input_data,0+4,2+4,table_index[0x1f - i])
input_data[0+4],input_data[2+4] = input_data[2+4],input_data[0+4]
for i in range(32):
    encode1(input_data,1+4,3+4,table_index[0x1f - i])
input_data[1+4],input_data[3+4] = input_data[3+4],input_data[1+4]
for i in range(len(data)//4):
    input_data.append((data[i*4]&0xff)|((data[i*4+1]&0xff)<<8) | ((data[i*4+2]&0xff)<< 16) | ((data[i*4+3]&0xff) << 24))
# print(input_data)
input_data[1 + 4], input_data[3 + 4] = input_data[3 + 4], input_data[1 + 4]
for i in range(32):
    decode1(input_data, 1 + 4, 3 + 4, table_index[i])
input_data[0 + 4], input_data[2 + 4] = input_data[2 + 4], input_data[0 + 4]
for i in range(32):
    decode1(input_data, 0 + 4, 2 + 4, table_index[i])
input_data[1], input_data[2] = input_data[2], input_data[1]
for i in range(32):
    decode1(input_data, 1, 2, table_index[i])
input_data[0], input_data[3] = input_data[3], input_data[0]
for i in range(32):

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2022-9-23 11:21 被夏男人编辑 ,原因:
上传的附件:
收藏
免费 3
支持
分享
最新回复 (2)
雪    币: 29182
活跃值: (63621)
能力值: (RANK:135 )
在线值:
发帖
回帖
粉丝
2
麻烦将题目附件上传到论坛本地,方便版主设置精华优秀
2022-9-22 19:10
0
雪    币: 886
活跃值: (2415)
能力值: ( LV4,RANK:52 )
在线值:
发帖
回帖
粉丝
3
Editor 麻烦将题目附件上传到论坛本地,方便版主设置精华优秀
2022-9-23 11:20
0
游客
登录 | 注册 方可回帖
返回
//