首页
社区
课程
招聘
[原创]HGame Week1 Reverse WriteUp
发表于: 2023-1-13 10:39 13324

[原创]HGame Week1 Reverse WriteUp

2023-1-13 10:39
13324

只要IDA没问题,打开就是Flag

对每一位异或0x33

TEA加密算法,不过delta变成了0xabcdef23

image-20230112164635615

看POC应该会比较明显

逆转程序运行顺序,从先异或0x32后减0x56变为加上0x56后再异或0x32

一个字符生成了两个数字,那么只要爆破就可以出解

s=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
def enc(s):
    return ''.join([chr(c ^ 0x33) for c in s])
print(enc(s))
s=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
def enc(s):
    return ''.join([chr(c ^ 0x33) for c in s])
print(enc(s))
 
 
#include<stdio.h>
void decrypt (unsigned int* v, unsigned int* k) { 
    unsigned int v0=v[0], v1=v[1];  /* set up */
 
    // unsigned int delta=0xabcdef23;         
    unsigned int delta=(0-0x543210DD)&0xffffffff;
 
    // // unsigned int sum=0x79bde460;
    unsigned int sum = delta<<5;
 
    unsigned int k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */ 
    for (int i=0; i<32; i++) {                         /* basic cycle start */ 
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3); 
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1); 
        sum -= delta; 
    }                                              /* end cycle */ 
    v[0]=v0; v[1]=v1; 
 
 
int main(){
    // unsigned int a2[] = {0x45678901,0x34567890,0x23456789,0x12345678};
    // 大小端的问题
    unsigned int a2[] = {0x12345678,0x23456789,0x34567890,0x45678901};
    unsigned int Buf2[8];
    Buf2[0] = 0x2E63829D;
    Buf2[1] = 0xC14E400F;
    Buf2[2] = 0x9B39BFB9;
    Buf2[3] = 0x5A1F8B14;
    Buf2[4] = 0x61886DDE;
    Buf2[5] = 0x6565C6CF;
    Buf2[6] = 0x9F064F64;
    Buf2[7] = 0x236A43F6;
 
    decrypt(Buf2,a2);
    decrypt(Buf2+2,a2);
    decrypt(Buf2+4,a2);
    decrypt(Buf2+6,a2);
 
    for(int i=0;i<40;i++){
        printf("%c",*((unsigned char*)Buf2+i));
    }
 
    return 0;
}
#include<stdio.h>
void decrypt (unsigned int* v, unsigned int* k) { 
    unsigned int v0=v[0], v1=v[1];  /* set up */
 
    // unsigned int delta=0xabcdef23;         
    unsigned int delta=(0-0x543210DD)&0xffffffff;
 
    // // unsigned int sum=0x79bde460;
    unsigned int sum = delta<<5;
 
    unsigned int k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */ 
    for (int i=0; i<32; i++) {                         /* basic cycle start */ 
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3); 
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1); 
        sum -= delta; 
    }                                              /* end cycle */ 
    v[0]=v0; v[1]=v1; 
 
 
int main(){
    // unsigned int a2[] = {0x45678901,0x34567890,0x23456789,0x12345678};
    // 大小端的问题
    unsigned int a2[] = {0x12345678,0x23456789,0x34567890,0x45678901};
    unsigned int Buf2[8];
    Buf2[0] = 0x2E63829D;
    Buf2[1] = 0xC14E400F;
    Buf2[2] = 0x9B39BFB9;
    Buf2[3] = 0x5A1F8B14;
    Buf2[4] = 0x61886DDE;
    Buf2[5] = 0x6565C6CF;
    Buf2[6] = 0x9F064F64;
    Buf2[7] = 0x236A43F6;
 
    decrypt(Buf2,a2);
    decrypt(Buf2+2,a2);
    decrypt(Buf2+4,a2);
    decrypt(Buf2+6,a2);
 

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//