只能下断点跳过几个反调试了
就是一个简单TEA加密,但是dododo()里有随机数会改变密钥v7的值
#include <stdio.h>
#include <string.h>
#include <stdint.h>
int main(void)
{
unsigned int a1[]={0x0DAD5B6C5, 0x0CE5F717, 0x8BE8AF6B, 0x0D74C6EB4, 0x0EEB8B5A0, 0x0A07618E0, 0x1B425FD0, 0x0C0B77641, 0x0A30FA9BE,0x0CB4F5089, 0x0EBF9EC1D, 0x0F870EF3D};
int a2[] = {0x91,0x71,0x11,0xbb};
unsigned int v0,v1,i;
for (int k = 0; k < 12; k += 2)
{
v0 = a1[k];
v1 = a1[k + 1];
long delta = 0x79B99E37;
long sum = (32 * delta);
for (i = 0; i <= 31; ++i)
{
v1 -= (((v0 * 16) ^ (v0 >> 5)) + v0) ^ (sum + a2[(sum >> 11 ) & 3]);
sum -= delta;
v0 -= (((v1 * 16) ^ (v1 >> 5)) + v1) ^ (sum + a2[(sum & 3)]);
}
a1[k] = v0;
a1[k+1] = v1;
}
for (i = 0; i < 12; i++)
{
printf("%c",a1[i]);
}
}
// #_Ant!+Debu9
[NPUCTF2020]你好sao啊
先处理数据
#include <iostream>
#include <cstring>
int main() {
unsigned long long s[] = {
0xFD370FEB59C9B9E,
0xDEAB7F029C4FD1B2,
0xFACD9D40E7636559,
0x4,
0x0
};
for (int i = 0; i < 25; i++) {
int c = (int) * ((unsigned char *) (s) + i);
std::cout << "\\x" << std::hex << c;
}
std::cout << std::endl;
return 0;
}
//\x9e\x9b\x9c\xb5\xfe\x70\xd3\xf\xb2\xd1\x4f\x9c\x2\x7f\xab\xde\x59\x65\x63\xe7\x40\x9d\xcd\xfa\x4
不足要补齐,找个对应脚本
# coding:utf-8
s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/'
def My_base64_encode():
inputs = b'\x9e\x9b\x9c\xb5\xfe\x70\xd3\x0f\xb2\xd1\x4f\x9c\x02\x7f\xab\xde\x59\x65\x63\xe7\x40\x9d\xcd\xfa\x04'
# 将字符串转化为2进制
bin_str = []
for i in inputs:
x = str(bin(i)).replace('0b', '')
bin_str.append('{:0>8}'.format(x))
# print(bin_str)
# 输出的字符串
outputs = ""
# 不够三倍数,需补齐的次数
nums = 0
while bin_str:
# 每次取三个字符的二进制
temp_list = bin_str[:3]
if(len(temp_list) != 3):
nums = 3 - len(temp_list)
while len(temp_list) < 3:
temp_list += ['0' * 8]
temp_str = "".join(temp_list)
# print(temp_str)
# 将三个8字节的二进制转换为4个十进制
temp_str_list = []
for i in range(0, 4):
temp_str_list.append(int(temp_str[i*6:(i+1)*6], 2))
# print(temp_str_list)
if nums:
temp_str_list = temp_str_list[0:4 - nums]
for i in temp_str_list:
outputs += s[i]
bin_str = bin_str[3:]
outputs += nums * '='
print("Encrypted String:\n%s " % outputs)
My_base64_encode()