devbox
小蓝xlanll
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

XY_RE复现(五)

作者:小蓝xlanll | 2024-05-02 23:44:42

XY_RE复现(五)

一,给阿姨倒一杯卡布奇诺

是一道魔改TEA加密

给出了一些初始化,然后输入的flag拆分,两两一组,通过for循环放入encrypt加密函数

  1. #include <stdio.h>
  2. #define uint32_t unsigned int
  3.  
  4. void decrypt(uint32_t *v, uint32_t *key)
  5. {
  6.     static uint32_t data1 = 0x5F797274;
  7.     static uint32_t data2 = 0x64726168;
  8.     int i;   // [rsp+20h] [rbp-10h]
  9.     uint32_t sum; // [rsp+24h] [rbp-Ch]
  10.     uint32_t v1;  // [rsp+28h] [rbp-8h]
  11.     uint32_t v0;  // [rsp+2Ch] [rbp-4h]
  12.  
  13.     sum = 0x6E75316C * 32;
  14.     uint32_t data1_tmp = v[0];
  15.     uint32_t data2_tmp = v[1];
  16.     v0 = v[0];
  17.     v1 = v[1];
  18.     for (i = 31; i >= 0; i--)
  19.     {
  20.         v1 -= ((v0 >> 5) + key[3]) ^ (v0 + sum) ^ (key[2] + 16 * v0) ^ (sum + i);
  21.         v0 -= ((v1 >> 5) + key[1]) ^ (v1 + sum) ^ (key[0] + 16 * v1) ^ (sum + i);
  22.         sum -= 0x6E75316C;
  23.     }
  24.     v[0] = v0 ^ data1;
  25.     v[1] = v1 ^ data2;
  26.     data1 = data1_tmp;
  27.     data2 = data2_tmp;
  28. }
  29.  
  30. int main()
  31. {
  32.     uint32_t key[4];   // [rsp+60h] [rbp-40h] BYREF
  33.     uint32_t array[8]; // [rsp+70h] [rbp-30h]
  34.     array[0] = 0x9B28ED45;
  35.     array[1] = 0x145EC6E9;
  36.     array[2] = 0x5B27A6C3;
  37.     array[3] = 0xE59E75D5;
  38.     array[4] = 0xE82C2500;
  39.     array[5] = 0xA4211D92;
  40.     array[6] = 0xCD8A4B62;
  41.     array[7] = 0xA668F440;
  42.     key[0] = 0x65766967;
  43.     key[1] = 0x756F795F;
  44.     key[2] = 0x7075635F;
  45.     key[3] = 0x6165745F;
  46.     for (int i = 0; i <= 7; i += 2)
  47.     {
  48.         decrypt(array + i, key);
  49.     }
  50.     for(int i=0; i<32; i++)
  51.     {
  52.         printf("%c", ((char*)array)[i]);
  53.     }
  54.     return 0;
  55. }
  56.  
  57. // 133bffe401d223a02385d90c5f1ca377

二,ez_rand

  1. int __cdecl main(int argc, const char **argv, const char **envp)
  2. {
  3.   unsigned __int64 v3; // rbx ,无符号64位整数型
  4.   unsigned __int16 v4; // ax  , 无符号16位整数型
  5.   int v5; // edi
  6.   __int64 v6; // rsi
  7.   int v7; // eax
  8.   int v9[7]; // [rsp+20h] [rbp-50h]
  9.   char v10; // [rsp+3Ch] [rbp-34h]
  10.   __int16 v11; // [rsp+3Dh] [rbp-33h]
  11.   __int128 v12; // [rsp+40h] [rbp-30h]
  12.   __int64 v13; // [rsp+50h] [rbp-20h]
  13.   int v14; // [rsp+58h] [rbp-18h]
  14.   __int16 v15; // [rsp+5Ch] [rbp-14h]
  15.   char v16; // [rsp+5Eh] [rbp-12h]
  16.  
  17.   v13 = 0i64;
  18.   v12 = 0i64;
  19.   v14 = 0;
  20.   v15 = 0;
  21.   v16 = 0;
  22.   print((char *)&Format);
  23.   scanf("%s");
  24.   v9[0] = -362017699;
  25.   v11 = 0;
  26.   v3 = -1i64;
  27.   v9[1] = 888936774;
  28.   v9[2] = 119759538;
  29.   v9[3] = -76668318;
  30.   v9[4] = -1443698508;
  31.   v9[5] = -2044652911;
  32.   v9[6] = 1139379931;
  33.   v10 = 77;
  34.   do
  35.     ++v3;
  36.   while ( *((_BYTE *)&v12 + v3) );
  37.   v4 = time64(0i64);
  38.   srand(v4);
  39.   v5 = 0;
  40.   if ( v3 )
  41.   {
  42.     v6 = 0i64;
  43.     do
  44.     {
  45.       v7 = rand();
  46.       if ( (*((_BYTE *)&v12 + v6) ^ (unsigned __int8)(v7
  47.                                                     + ((((unsigned __int64)(2155905153i64 * v7) >> 32) & 0x80000000) != 0i64)
  48.                                                     + ((int)((unsigned __int64)(2155905153i64 * v7) >> 32) >> 7))) != *((_BYTE *)v9 + v6) )
  49.       {
  50.         print("Error???\n");
  51.         exit(0);
  52.       }
  53.       ++v5;
  54.       ++v6;
  55.     }
  56.     while ( v5 < v3 );
  57.   }
  58.   print("Right???\n");
  59.   system("pause");
  60.   return 0;
  61. }

就是随机数v7与v9异或

随机数种子是通过time来取的,C语言中的srand(time)是伪随机,直接爆破,题目描述给出了flag头为"XYCTF",根据这个信息去爆破随机数种子,即我们将v9的前5位与生成的前五位随机数做异或,如果结果与“XYCTF”相同,则那个随机数种子就是我们需要求的结果 

  1. #include<iostream>
  2. #include<cstdlib>
  3. using namespace std;
  4. int main()
  5. {
  6.     unsigned char str[5] = { 0x5D, 0x0C, 0x6C, 0xEA, 0x46 };
  7.     unsigned char random[6] = { 0 };
  8.     unsigned char flag[6] = { 'X', 'Y', 'C', 'T', 'F', '\0' };
  9.     for (int i = 0xFFFF; i >= 0; i--) {
  10.         srand(i);
  11.         for (int j = 0; j < 5; j++) {
  12.             random[j] = rand() % 0xFF;
  13.         }
  14.         bool found = true;
  15.         for (int j = 0; j < 5; j++) {
  16.             if ((random[j] ^ str[j]) != flag[j]) {
  17.                 found = false;
  18.                 break;
  19.             }
  20.         }
  21.         if (found) {
  22.             cout << "Found! It is: " << i << endl;
  23.             break;
  24.         }
  25.         else
  26.             cout << "Not " << i << " Nope" << endl;
  27.     }
  28.     return 0;
  29. }
  30. //Found! It is: 21308

 爆破出随机数种子:21308

  1. #include<iostream>
  2. #include<cstdlib>
  3. using namespace std;
  4.  
  5. int main()
  6. {
  7.     srand(21308);
  8.     for (int i = 0; i < 29; i++) {
  9.         int num = rand();
  10.         cout << num << ",";
  11.     }
  12.     return 0;
  13. }
  14. //得到随机数4085,19210,5147,22630,16830,25853,6039,15416,9400,1281,32764,16374,8177,18485,16126,29528,5590,4777,18044,26256,25694,24259,10836,5327,13701,7138,5244,22538,13308,

 

随机数是16位的: 可以int num = rand() % 0xFF ;

得到:16位key

  1. v9=[ 0x5D, 0x0C, 0x6C, 0xEA, 0x46, 0x19, 0xFC, 0x34, 0xB2, 0x62,
  2.   0x23, 0x07, 0x62, 0x22, 0x6E, 0xFB, 0xB4, 0xE8, 0xF2, 0xA9,
  3.   0x91, 0x12, 0x21, 0x86, 0xDB, 0x8E, 0xE9, 0x43, 0x4D]
  4. key=[5,85,47,190,0,98,174,116,220,6,124,54,17,125,61,203,235,187,194,246,194,34,126,227,186,253,144,98,48]
  5. flag=''
  6. for i in range(len(v9)):
  7.     flag+=chr(v9[i]^key[i])
  8. print(flag)
  9. #XYCTF{R@nd_1s_S0_S0_S0_easy!}

为什么就是v12^v7!=v9(?)

三,ez_cube

  1. __int64 sub_140012930()
  2. {
  3.   int i; // [rsp+44h] [rbp+24h]
  4.   char v2; // [rsp+64h] [rbp+44h]
  5.   int v3; // [rsp+84h] [rbp+64h]
  6.  
  7.   sub_140011384(&unk_1400240A2);
  8.   for ( i = 0; i < 9; ++i )
  9.   {
  10.     top[i] = &unk_14001CC24;                    // red
  11.     under[i] = "Blue";
  12.     right[i] = "Green";
  13.     left[i] = "Orange";
  14.     advance[i] = "Yellow";
  15.     below[i] = "White";
  16.   }
  17.   under[1] = &unk_14001CC24;
  18.   top[1] = "Green";
  19.   right[1] = "Blue";
  20.   while ( 1 )
  21.   {
  22.     do
  23.       v2 = getchar();
  24.     while ( v2 == 10 );
  25.     switch ( v2 )
  26.     {
  27.       case 'R':
  28.         sub_140011375();
  29.         break;
  30.       case 'U':
  31.         sub_1400113BB();
  32.         break;
  33.       case 'r':
  34.         sub_140011366();
  35.         break;
  36.       case 'u':
  37.         sub_14001115E();
  38.         break;
  39.     }
  40.     ++dword_14001F1C0;
  41.     v3 = j_check();
  42.     if ( v3 == 1 )
  43.       break;
  44.     if ( v3 == 2 )
  45.       goto LABEL_19;
  46.   }
  47.   print(aGreatYouAreAGo);
  48. LABEL_19:
  49.   system("pause");
  50.   return 0i64;
  51. }

'R' 'U' 'r' 'u'操作每一步

  1. _QWORD *sub_1400117F0()
  2. {
  3.   _QWORD *result; // rax
  4.   __int64 v1; // [rsp+28h] [rbp+8h]
  5.   __int64 v2; // [rsp+48h] [rbp+28h]
  6.   __int64 v3; // [rsp+68h] [rbp+48h]
  7.   __int64 v4; // [rsp+88h] [rbp+68h]
  8.   __int64 v5; // [rsp+A8h] [rbp+88h]
  9.  
  10.   sub_140011384(&unk_1400240A2);
  11.   v1 = top[2];
  12.   v2 = top[5];
  13.   v3 = top[8];
  14.   top[2] = below[2];
  15.   top[5] = below[5];
  16.   top[8] = below[8];
  17.   below[2] = left[6];
  18.   below[5] = left[3];
  19.   below[8] = left[0];
  20.   left[0] = advance[8];
  21.   left[3] = advance[5];
  22.   left[6] = advance[2];
  23.   advance[2] = v1;
  24.   advance[5] = v2;
  25.   advance[8] = v3;
  26.   v4 = right[1];
  27.   right[1] = right[3];
  28.   right[3] = right[7];
  29.   right[7] = right[5];
  30.   right[5] = v4;
  31.   v5 = right[0];
  32.   right[0] = right[6];
  33.   right[6] = right[8];
  34.   right[8] = right[2];
  35.   result = right;
  36.   right[2] = v5;
  37.   return result;
  38. }

嗯,自己玩分析可能有点麻烦,想想应该可以直接写脚本。(自己用c++写了一下,不知道怎么搞四个字符操作那里,有点麻烦)先借一下别人的脚本吧

爆破的脚本还是需要再学一下。

四,What's this

Lua bytecode

可以找一个lua在线反编译网站。Lua 工具箱 (luatool.cn)

应该先变字符然后base64解密 ,发现不对,前面应该还有一些操作

  1. function Xor(num1, num2)
  2.   local tmp1 = num1
  3.   local tmp2 = num2
  4.   local str = ""
  5.   repeat
  6.     local s1 = tmp1 % 2
  7.     local s2 = tmp2 % 2
  8.     if s1 == s2 then
  9.       str = "0" .. str
  10.     else
  11.       str = "1" .. str
  12.     end
  13.     tmp1 = math.modf(tmp1 / 2)
  14.     tmp2 = math.modf(tmp2 / 2)
  15.   until tmp1 == 0 and tmp2 == 0
  16.   return tonumber(str, 2)
  17. end
  18.  
  19. value = ""
  20. output = ""
  21. i = 1
  22. while true do
  23.   local temp = string.byte(flag, i)
  24.   temp = string.char(Xor(temp, 8) % 256)
  25.   value = value .. temp
  26.   i = i + 1
  27.   if i > string.len(flag) then
  28.     break
  29.   end
  30. end
  31. for _ = 1, 1000 do
  32.   x = 3
  33.   y = x * 3
  34.   z = y / 4
  35.   w = z - 5
  36.   if w == 0 then
  37.     print("This line will never be executed")
  38.   end
  39. end
  40. for i = 1, string.len(flag) do
  41.   temp = string.byte(value, i)
  42.   temp = string.char(temp + 3)
  43.   output = output .. temp
  44. end
  45. result = output:rep(10)
  46. invalid_list = {
  47.   1,
  48.   2,
  49.   3
  50. }
  51. for _ = 1, 20 do
  52.   table.insert(invalid_list, 4)
  53. end
  54. for _ = 1, 50 do
  55.   result = result .. "A"
  56.   table.insert(invalid_list, 4)
  57. end
  58. for i = 1, string.len(output) do
  59.   temp = string.byte(output, i)
  60.   temp = string.char(temp - 1)
  61. end
  62. for _ = 1, 30 do
  63.   result = result .. string.lower(output)
  64. end
  65. for _ = 1, 950 do
  66.   x = 3
  67.   y = x * 3
  68.   z = y / 4
  69.   w = z - 5
  70.   if w == 0 then
  71.     print("This line will never be executed")
  72.   end
  73. end
  74. for _ = 1, 50 do
  75.   x = -1
  76.   y = x * 4
  77.   z = y / 2
  78.   w = z - 3
  79.   if w == 0 then
  80.     print("This line will also never be executed")
  81.   end
  82. end
  83. require("base64")
  84. obfuscated_output = to_base64(output)
  85. obfuscated_output = string.reverse(obfuscated_output)
  86. obfuscated_output = string.gsub(obfuscated_output, "g", "3")
  87. obfuscated_output = string.gsub(obfuscated_output, "H", "4")
  88. obfuscated_output = string.gsub(obfuscated_output, "W", "6")
  89. invalid_variable = obfuscated_output:rep(5)
  90. if obfuscated_output == "==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U" then
  91.   print("You get the flag.")
  92. else
  93.   print("F**k!")
  94. end

先异或8后+3

  1. import  base64
  2. enc='==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U'
  3. print(enc[::-1])
  4. str=list(enc[::-1])
  5. for i in range(len(str)):
  6.     if str[i]=='3':
  7.         str[i]='g'
  8.     elif str[i]=='4':
  9.         str[i]='H'
  10.     elif str[i]=='6':
  11.         str[i]="W"
  12. print(''.join(str))
  13. ant='U1ROX1F2QG9ubWxwb0IzPD5BPnFtcW1CbzNBP0JuPGxwcEFueA=='
  14. date=base64.b64decode(ant)
  15. flag = ""
  16. for i in date:
  17.    flag += chr((i - 3) ^ 8)
  18. print(flag)
  19. #XYCTF{5dcbaed781363fbfb7d8647c1aee6c}

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小蓝xlanll/article/detail/526707
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号