Grab the challenge and scan it with DIE first.
Then drop it into 32-bit IDA and take a look.
There are a lot of functions and it isn't clear which one matters, so list the strings with Shift+F12.
Find the key string and follow it into the function that uses it.
It turns out the function is full of junk instructions, all of the jx +1 / jx +1 kind.
At the jump target press D to turn the bytes into data, NOP out the junk instruction, press C to turn the data back into code, and finally press P to create the function.
Every later jx +1 / jx +1 junk-instruction pair is handled the same way.
After that F5 gives the pseudocode.
One spot has an unbalanced stack, though, which has to be fixed by hand.
After fixing it, look at the pseudocode again.
It turns out this challenge needs two flags.
Start with the first one.
Locate the encryption routine: it appends the eight characters "is flag" to the 32 input characters and then encrypts the result.
After encryption the result is compared against byte_817004.
Analysing the flag1 encryption: Str is the previous v7 with its high and low 16 bits swapped, then v6 becomes the XORed Str with its high and low 16 bits swapped again, and so on; just read the script.
I first wrote the script in C and got it wrong; I'm posting that one too, just to embarrass myself.
Later I rewrote it in Python. This is the algorithm-analysis part.
```python
# byte_817004: the 40 bytes the encrypted (input + "is flag") buffer is compared against
data = [0x53, 0x79, 0x63, 0x6C, 0x6F, 0x6C, 0x65, 0x76, 0x61, 0xC0, 0x54, 0xD7, 0x8B, 0xA7, 0x3B, 0x02, 0x45, 0x7C,
        0xFD, 0xEB, 0xEF, 0xC8, 0xCB, 0x60, 0xBC, 0xA4, 0xA6, 0x9C, 0xCF, 0x5E, 0xE8, 0x6B, 0x76, 0x5C, 0x4E, 0xE8,
        0x36, 0x2C, 0x81, 0x07]
# pack every 4 bytes into a little-endian 32-bit word: reverse the 4 bytes, then join their bit strings
a1 = ['{:0>8}'.format(bin(i).replace('0b', '')) for i in data]
c = []
while a1:
    b = a1[:4]
    b = b[::-1]
    b = ''.join(b)
    c.append(int(b, 2))
    a1 = a1[4:]
# undo the encryption: word 0 is left as is; word i is c[i+1] XORed with c[0..i-1] and rotated left by 17
flag = 8 * [0]
flag[0] = c[0]
for i in range(1, 8):
    a1 = c[i + 1]
    for j in range(i):
        a1 = a1 ^ c[j]
    flag[i] = ((a1 << 17) & 0xFFFFFFFF) | (a1 >> 15)
# unpack each 32-bit word into its 4 little-endian bytes and print them as characters
flag1 = ['{:0>32}'.format(bin(i).replace('0b', '')) for i in flag]
while flag1:
    flag2 = flag1[:1]
    flag2 = ''.join(flag2)
    flag3 = [flag2[i:i + 8] for i in [0, 8, 16, 24]]
    flag3 = flag3[::-1]
    flag3 = [int(i, 2) for i in flag3]
    print(''.join(map(chr, flag3)), end='')
    flag1 = flag1[1:]
```
That gives flag1:
Syclover{0ne_M0RE_step_To_f1nal}
Now on to flag2.
sub_B21253 is equivalent to ^.
You can step into sub_B21253 to see for yourself.
It is equivalent to (a|b)&(a|b).
a^b is also equal to the following three expressions:
1.(a|b)&(a|b)
2.(a&b)&(a&b)
3.(a&b)|(a&b)
From this we can tell it is a TEA cipher, which is reversible, so there is no need to brute-force.
The script is as follows.
```python
# ciphertext the encrypted flag2 input is compared against: 32 bytes = four 64-bit TEA blocks
unk = [0xDA, 0xFB, 0xDE, 0x10, 0x8B, 0x59, 0x62, 0xF4, 0x0E, 0x78, 0x6C, 0xF1, 0xC9, 0x94, 0x83, 0x0D,
       0x29, 0xBC, 0x0A, 0x29, 0xFE, 0xA2, 0x3E, 0x0B, 0xDC, 0x87, 0xEA, 0x05, 0x13, 0xC7, 0x35, 0x0D]
# 128-bit key as four little-endian dwords (the same values as the first four dwords of byte_817004)
key = [0x6C637953, 0x76656C6F, 0xD754C061, 0x023BA78B]
# the delta added to the round sum ("lznb" as a little-endian dword)
lznb = 0x6C7A6E62
# pack every 4 bytes into a little-endian 32-bit word
a1 = ['{:0>8}'.format(bin(i).replace('0b', '')) for i in unk]
c = []
while a1:
    b = a1[:4]
    b = b[::-1]
    b = ''.join(b)
    c.append(int(b, 2))
    a1 = a1[4:]
# decrypt each (v13, v12) pair by running the 32 rounds backwards (j = 31 .. 0)
for i in range(4):
    v13 = c[i * 2]
    v12 = c[i * 2 + 1]
    for x in range(32):
        j = 31 - x
        v11 = (j + 1) * lznb & 0xffffffff          # round sum: (j + 1) * delta
        v14 = v13 ^ j & 0xffffffff                 # the round index was XORed into v13
        # this variant mixes with 4*v (shift by 2) and v >> 5 instead of TEA's 4 and 5
        v3 = ((v11 + v14) ^ (key[3] + (v14 >> 5))) & 0xffffffff
        v4 = ((key[2] + 4 * v14) ^ v3) & 0xffffffff
        v12 = ((v12 ^ j) - v4) & 0xffffffff        # undo the v12 += ... step
        v2 = ((key[0] + 4 * v12) ^ (v11 + v12)) & 0xffffffff
        v13 = (v14 - (v2 ^ (key[1] + (v12 >> 5)))) & 0xffffffff  # undo the v13 += ... step
    c[i * 2] = v13
    c[i * 2 + 1] = v12
# unpack each 32-bit word into its 4 little-endian bytes and print them as characters
c = ['{:0>32}'.format(bin(i).replace('0b', '')) for i in c]
while c:
    flag2 = c[:1]
    flag2 = ''.join(flag2)
    flag3 = [flag2[i:i + 8] for i in [0, 8, 16, 24]]
    flag3 = flag3[::-1]
    flag3 = [int(i, 2) for i in flag3]
    print(''.join(map(chr, flag3)), end='')
    c = c[1:]
```
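To confirm that the decryption loop above really is the inverse of the challenge's TEA variant, here is the forward round written out and round-tripped against the page's ciphertext. This is an added example, not the write-up's own script: encrypt_block() is an assumption inferred by inverting the decryption loop (round sum (j+1)*delta, 4*v and v>>5 mixing, round index XORed into both halves), while the key, delta and ciphertext are the page's values.

```python
MASK = 0xFFFFFFFF
KEY = [0x6C637953, 0x76656C6F, 0xD754C061, 0x023BA78B]   # page's key
DELTA = 0x6C7A6E62                                       # page's lznb
# page's ciphertext (unk), 32 bytes = four 64-bit blocks
CIPHERTEXT = bytes([
    0xDA, 0xFB, 0xDE, 0x10, 0x8B, 0x59, 0x62, 0xF4, 0x0E, 0x78, 0x6C, 0xF1, 0xC9, 0x94, 0x83, 0x0D,
    0x29, 0xBC, 0x0A, 0x29, 0xFE, 0xA2, 0x3E, 0x0B, 0xDC, 0x87, 0xEA, 0x05, 0x13, 0xC7, 0x35, 0x0D])

def _mix(v, k0, k1, s):
    # Round function of this variant: (k0 + 4v) ^ (s + v) ^ (k1 + (v >> 5)),
    # i.e. TEA's shifts 4/5 replaced by 2/5; everything is kept to 32 bits.
    return ((k0 + 4 * v) ^ (s + v) ^ (k1 + (v >> 5))) & MASK

def encrypt_block(v0, v1):
    # Assumed forward round, derived by inverting the write-up's loop:
    # sum = (j+1)*delta, then the round index j is XORed into both halves.
    for j in range(32):
        s = ((j + 1) * DELTA) & MASK
        v0 = (v0 + _mix(v1, KEY[0], KEY[1], s)) & MASK
        v1 = (v1 + _mix(v0, KEY[2], KEY[3], s)) & MASK
        v0 ^= j
        v1 ^= j
    return v0, v1

def decrypt_block(v0, v1):
    # Same steps as the write-up's loop (its j = 31 - x), just with names.
    for j in range(31, -1, -1):
        s = ((j + 1) * DELTA) & MASK
        v0 ^= j
        v1 ^= j
        v1 = (v1 - _mix(v0, KEY[2], KEY[3], s)) & MASK
        v0 = (v0 - _mix(v1, KEY[0], KEY[1], s)) & MASK
    return v0, v1

def _apply(buf, block_fn):
    # Pack into little-endian dwords (what the write-up does by reversing 4 bytes),
    # run block_fn over each (v0, v1) pair, then unpack back to bytes.
    w = [int.from_bytes(buf[i:i + 4], "little") for i in range(0, len(buf), 4)]
    out = []
    for i in range(0, len(w), 2):
        out.extend(block_fn(w[i], w[i + 1]))
    return b"".join(x.to_bytes(4, "little") for x in out)

def encrypt(buf): return _apply(buf, encrypt_block)
def decrypt(buf): return _apply(buf, decrypt_block)

def recover_flag2():
    # Decrypt the page's ciphertext; encrypt(recover_flag2()) == CIPHERTEXT is the consistency check.
    return decrypt(CIPHERTEXT)
```

Running `encrypt(recover_flag2()) == CIPHERTEXT` is the check worth doing before trusting a hand-written decryptor: a wrong shift or a misplaced XOR in either direction breaks the round trip immediately.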
Summary:
- I'm not fluent in Python scripting; I write slowly and hit lots of errors. I need to strengthen my coding ability; Python is still the convenient choice for competitions.
- Bit operations don't necessarily mean brute force; 77 said this before too. It depends on the situation, and with a little patience it may well turn out to be reversible.
- My reversing skills still need improvement; I'm still too slow.
- Learned the TEA algorithm.