-
-
[原创]HGame Week1 Reverse WriteUp
-
发表于: 2023-1-13 10:39
-
只要IDA没问题,打开就是Flag
对每一位异或0x33
TEA加密算法,不过delta变成了0xabcdef23
看POC应该会比较明显
逆转程序运行顺序,从先异或0x32后减0x56变为加上0x56后再异或0x32
一个字符生成了两个数字,那么只要爆破就可以出解
s=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
def enc(s):
return ''.join([chr(c ^ 0x33) for c in s])
print(enc(s))
s=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
def enc(s):
return ''.join([chr(c ^ 0x33) for c in s])
print(enc(s))
#include<stdio.h>void decrypt (unsigned int* v, unsigned int* k) {
unsigned int v0=v[0], v1=v[1]; /* set up */
// unsigned int delta=0xabcdef23;
unsigned int delta=(0-0x543210DD)&0xffffffff;
// // unsigned int sum=0x79bde460;
unsigned int sum = delta<<5;
unsigned int k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (int i=0; i<32; i++) { /* basic cycle start */ v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
} /* end cycle */ v[0]=v0; v[1]=v1;
} int main(){
// unsigned int a2[] = {0x45678901,0x34567890,0x23456789,0x12345678};
// 大小端的问题
unsigned int a2[] = {0x12345678,0x23456789,0x34567890,0x45678901};
unsigned int Buf2[8];
Buf2[0] = 0x2E63829D;
Buf2[1] = 0xC14E400F;
Buf2[2] = 0x9B39BFB9;
Buf2[3] = 0x5A1F8B14;
Buf2[4] = 0x61886DDE;
Buf2[5] = 0x6565C6CF;
Buf2[6] = 0x9F064F64;
Buf2[7] = 0x236A43F6;
decrypt(Buf2,a2);
decrypt(Buf2+2,a2);
decrypt(Buf2+4,a2);
decrypt(Buf2+6,a2);
for(int i=0;i<40;i++){
printf("%c",*((unsigned char*)Buf2+i));
}
return 0;
}#include<stdio.h>void decrypt (unsigned int* v, unsigned int* k) {
unsigned int v0=v[0], v1=v[1]; /* set up */
// unsigned int delta=0xabcdef23;
unsigned int delta=(0-0x543210DD)&0xffffffff;
// // unsigned int sum=0x79bde460;
unsigned int sum = delta<<5;
unsigned int k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (int i=0; i<32; i++) { /* basic cycle start */ v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
} /* end cycle */ v[0]=v0; v[1]=v1;
} int main(){
// unsigned int a2[] = {0x45678901,0x34567890,0x23456789,0x12345678};
// 大小端的问题
unsigned int a2[] = {0x12345678,0x23456789,0x34567890,0x45678901};
unsigned int Buf2[8];
Buf2[0] = 0x2E63829D;
Buf2[1] = 0xC14E400F;
Buf2[2] = 0x9B39BFB9;
Buf2[3] = 0x5A1F8B14;
Buf2[4] = 0x61886DDE;
Buf2[5] = 0x6565C6CF;
Buf2[6] = 0x9F064F64;
Buf2[7] = 0x236A43F6;
decrypt(Buf2,a2);
decrypt(Buf2+2,a2);
decrypt(Buf2+4,a2);
decrypt(Buf2+6,a2);
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
