-
-
[原创]HGame Week1 Reverse WriteUp
-
发表于: 2023-1-13 10:39 13364
-
只要IDA没问题,打开就是Flag
对每一位异或0x33
TEA加密算法,不过delta变成了0xabcdef23
看POC应该会比较明显
逆转程序运行顺序,从先异或0x32后减0x56变为加上0x56后再异或0x32
一个字符生成了两个数字,那么只要爆破就可以出解
s
=
[
0x5b
,
0x54
,
0x52
,
0x5e
,
0x56
,
0x48
,
0x44
,
0x56
,
0x5f
,
0x50
,
0x3
,
0x5e
,
0x56
,
0x6c
,
0x47
,
0x3
,
0x6c
,
0x41
,
0x56
,
0x6c
,
0x44
,
0x5c
,
0x41
,
0x2
,
0x57
,
0x12
,
0x4e
]
def
enc(s):
return
''.join([
chr
(c ^
0x33
)
for
c
in
s])
print
(enc(s))
s
=
[
0x5b
,
0x54
,
0x52
,
0x5e
,
0x56
,
0x48
,
0x44
,
0x56
,
0x5f
,
0x50
,
0x3
,
0x5e
,
0x56
,
0x6c
,
0x47
,
0x3
,
0x6c
,
0x41
,
0x56
,
0x6c
,
0x44
,
0x5c
,
0x41
,
0x2
,
0x57
,
0x12
,
0x4e
]
def
enc(s):
return
''.join([
chr
(c ^
0x33
)
for
c
in
s])
print
(enc(s))
#include<stdio.h>
void decrypt (unsigned
int
*
v, unsigned
int
*
k) {
unsigned
int
v0
=
v[
0
], v1
=
v[
1
];
/
*
set
up
*
/
/
/
unsigned
int
delta
=
0xabcdef23
;
unsigned
int
delta
=
(
0
-
0x543210DD
)&
0xffffffff
;
/
/
/
/
unsigned
int
sum
=
0x79bde460
;
unsigned
int
sum
=
delta<<
5
;
unsigned
int
k0
=
k[
0
], k1
=
k[
1
], k2
=
k[
2
], k3
=
k[
3
];
/
*
cache key
*
/
for
(
int
i
=
0
; i<
32
; i
+
+
) {
/
*
basic cycle start
*
/
v1
-
=
((v0<<
4
)
+
k2) ^ (v0
+
sum
) ^ ((v0>>
5
)
+
k3);
v0
-
=
((v1<<
4
)
+
k0) ^ (v1
+
sum
) ^ ((v1>>
5
)
+
k1);
sum
-
=
delta;
}
/
*
end cycle
*
/
v[
0
]
=
v0; v[
1
]
=
v1;
}
int
main(){
/
/
unsigned
int
a2[]
=
{
0x45678901
,
0x34567890
,
0x23456789
,
0x12345678
};
/
/
大小端的问题
unsigned
int
a2[]
=
{
0x12345678
,
0x23456789
,
0x34567890
,
0x45678901
};
unsigned
int
Buf2[
8
];
Buf2[
0
]
=
0x2E63829D
;
Buf2[
1
]
=
0xC14E400F
;
Buf2[
2
]
=
0x9B39BFB9
;
Buf2[
3
]
=
0x5A1F8B14
;
Buf2[
4
]
=
0x61886DDE
;
Buf2[
5
]
=
0x6565C6CF
;
Buf2[
6
]
=
0x9F064F64
;
Buf2[
7
]
=
0x236A43F6
;
decrypt(Buf2,a2);
decrypt(Buf2
+
2
,a2);
decrypt(Buf2
+
4
,a2);
decrypt(Buf2
+
6
,a2);
for
(
int
i
=
0
;i<
40
;i
+
+
){
printf(
"%c"
,
*
((unsigned char
*
)Buf2
+
i));
}
return
0
;
}
#include<stdio.h>
void decrypt (unsigned
int
*
v, unsigned
int
*
k) {
unsigned
int
v0
=
v[
0
], v1
=
v[
1
];
/
*
set
up
*
/
/
/
unsigned
int
delta
=
0xabcdef23
;
unsigned
int
delta
=
(
0
-
0x543210DD
)&
0xffffffff
;
/
/
/
/
unsigned
int
sum
=
0x79bde460
;
unsigned
int
sum
=
delta<<
5
;
unsigned
int
k0
=
k[
0
], k1
=
k[
1
], k2
=
k[
2
], k3
=
k[
3
];
/
*
cache key
*
/
for
(
int
i
=
0
; i<
32
; i
+
+
) {
/
*
basic cycle start
*
/
v1
-
=
((v0<<
4
)
+
k2) ^ (v0
+
sum
) ^ ((v0>>
5
)
+
k3);
v0
-
=
((v1<<
4
)
+
k0) ^ (v1
+
sum
) ^ ((v1>>
5
)
+
k1);
sum
-
=
delta;
}
/
*
end cycle
*
/
v[
0
]
=
v0; v[
1
]
=
v1;
}
int
main(){
/
/
unsigned
int
a2[]
=
{
0x45678901
,
0x34567890
,
0x23456789
,
0x12345678
};
/
/
大小端的问题
unsigned
int
a2[]
=
{
0x12345678
,
0x23456789
,
0x34567890
,
0x45678901
};
unsigned
int
Buf2[
8
];
Buf2[
0
]
=
0x2E63829D
;
Buf2[
1
]
=
0xC14E400F
;
Buf2[
2
]
=
0x9B39BFB9
;
Buf2[
3
]
=
0x5A1F8B14
;
Buf2[
4
]
=
0x61886DDE
;
Buf2[
5
]
=
0x6565C6CF
;
Buf2[
6
]
=
0x9F064F64
;
Buf2[
7
]
=
0x236A43F6
;
decrypt(Buf2,a2);
decrypt(Buf2
+
2
,a2);
decrypt(Buf2
+
4
,a2);
decrypt(Buf2
+
6
,a2);
赞赏
他的文章
看原图
赞赏
雪币:
留言: