[HGAME 2023 week1]a_cup_of_tea

/*
 * Decompiler output for the challenge's entry point, before any renaming.
 * It prompts, reads one token, runs sub_1400010B4 over four 8-byte pieces of
 * the input with the 128-bit constant in si128, and compares 0x22 (34) bytes
 * of the result against constants assembled on the stack.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char *v4; // rcx
  __m128i si128; // [rsp+20h] [rbp-19h] BYREF
  int Buf2[8]; // [rsp+30h] [rbp-9h] BYREF
  __int16 v8; // [rsp+50h] [rbp+17h]
  __int128 Buf1; // [rsp+58h] [rbp+1Fh] BYREF
  __int128 v10[2]; // [rsp+68h] [rbp+2Fh] BYREF
  __int16 v11; // [rsp+88h] [rbp+4Fh]

  // NOTE(review): by their stack offsets Buf1 (rsp+58h), v10 (rsp+68h) and
  // v11 (rsp+88h) are adjacent and together span 50 bytes; they look like one
  // input buffer that the decompiler split into three variables - confirm in
  // the stack view. Buf2 (rsp+30h, 32 bytes) is likewise followed directly by v8.
  Buf2[0] = 778273437;
  Buf1 = 0i64;
  memset(v10, 0, sizeof(v10));
  v11 = 0;
  Buf2[1] = -1051836401;
  // 16-byte constant handed to every sub_1400010B4 call below as its second argument.
  si128 = _mm_load_si128((const __m128i *)&xmmword_1400022B0);
  Buf2[2] = -1690714183;
  Buf2[3] = 1512016660;
  Buf2[4] = 1636330974;
  Buf2[5] = 1701168847;
  Buf2[6] = -1626976412;
  Buf2[7] = 594166774;
  // 32107 == 0x7D6B; stored little-endian this is the byte pair 'k' '}' right after Buf2.
  v8 = 32107;
  // presumably printf - not renamed yet in this listing
  sub_140001010("nice tea!\n> ");
  // presumably scanf; its destination argument was not recovered here
  sub_140001064("%50s");
  // Four calls on consecutive 8-byte pieces: offsets 0, 8, 16 and 24 from &Buf1.
  sub_1400010B4(&Buf1, &si128);
  sub_1400010B4((char *)&Buf1 + 8, &si128);
  sub_1400010B4(v10, &si128);
  sub_1400010B4((char *)v10 + 8, &si128);
  // 0x22 = 34 bytes: the 32 transformed bytes plus two more that no call above touched.
  v3 = memcmp(&Buf1, Buf2, 0x22ui64);
  v4 = "wrong...";
  if ( !v3 )
    v4 = "Congratulations!";
  sub_140001010(v4);
  return 0;
}

重命名很重要

/*
 * The same entry point after renaming the helper functions.
 * Flow: prompt -> scanf into Buf1 -> tea() on four 8-byte blocks with the key
 * in si128 -> memcmp of 34 bytes against Buf2 followed by v8.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char *v4; // rcx
  __m128i si128; // [rsp+20h] [rbp-19h] BYREF
  int Buf2[8]; // [rsp+30h] [rbp-9h] BYREF
  __int16 v8; // [rsp+50h] [rbp+17h]
  __int128 Buf1; // [rsp+58h] [rbp+1Fh] BYREF
  __int128 v10[2]; // [rsp+68h] [rbp+2Fh] BYREF
  __int16 v11; // [rsp+88h] [rbp+4Fh]

  // Expected ciphertext: eight 32-bit words in Buf2, then the two bytes of v8.
  Buf2[0] = 778273437;
  Buf1 = 0i64;
  memset(v10, 0, sizeof(v10));
  v11 = 0;
  Buf2[1] = -1051836401;
  // The 128-bit key. NOTE(review): the symbol address differs from the first
  // listing, presumably because the database was rebased - confirm it is the same data.
  si128 = _mm_load_si128((const __m128i *)&xmmword_7FF7A09122B0);
  Buf2[2] = -1690714183;
  Buf2[3] = 1512016660;
  Buf2[4] = 1636330974;
  Buf2[5] = 1701168847;
  Buf2[6] = -1626976412;
  Buf2[7] = 594166774;
  // 0x7D6B: bytes 'k', '}' in memory order - the tail of the expected input, kept in the clear.
  v8 = 32107;
  printf("nice tea!\n> ");
  // %50s stores at most 50 characters plus a terminating NUL (51 bytes) starting
  // at Buf1. Buf1, v10 and v11 cover 50 bytes by their stack offsets.
  // NOTE(review): check the real buffer size in the binary; if it is exactly 50
  // bytes, a 50-character token puts the NUL one byte past it.
  scanf("%50s", &Buf1);
  // Each call transforms two 32-bit words in place; four calls cover input bytes 0..31.
  tea((unsigned int *)&Buf1, si128.m128i_i32);
  tea((unsigned int *)&Buf1 + 2, si128.m128i_i32);
  tea((unsigned int *)v10, si128.m128i_i32);
  tea((unsigned int *)v10 + 2, si128.m128i_i32);
  // 34 bytes compared: bytes 32..33 of the input never went through tea().
  v3 = memcmp(&Buf1, Buf2, 0x22ui64);
  v4 = "wrong...";
  if ( !v3 )
    v4 = "Congratulations!";
  // v4 is always one of the two literals above, so no user data reaches the
  // format string; in source code printf("%s", v4) or puts() is the safer habit.
  printf(v4);
  return 0;
}

看看加密部分

/*
 * One block of a TEA-style Feistel cipher, as recovered by the decompiler.
 *
 * a1: two 32-bit words (a1[0], a1[1]); read, transformed and written back in place.
 * a2: four 32-bit key words (a2[0]..a2[3]).
 * Returns the last value of v3 + v7; the calls shown in main do not use it.
 */
__int64 __fastcall tea(unsigned int *a1, int *a2)
{
  int v2; // ebx
  int v3; // r11d
  int v4; // edi
  int v5; // esi
  int v6; // ebp
  unsigned int v7; // r9d
  __int64 v8; // rdx
  unsigned int v9; // r10d
  __int64 result; // rax

  // v2, v4, v5, v6 = key words 0..3; v7, v9 = the two halves of the block.
  v2 = *a2;
  v3 = 0;                // running sum, starts at zero
  v4 = a2[1];
  v5 = a2[2];
  v6 = a2[3];
  v7 = *a1;
  v8 = 32i64;            // round counter: the loop body runs 32 times
  v9 = a1[1];
  do
  {
    // Subtracting 1412567261 is the same as adding 0xABCDEF23 modulo 2^32.
    // Reference TEA uses 0x9E3779B9, so a stock TEA decryptor with the default
    // constant will not reproduce this routine.
    v3 -= 1412567261;
    // 16 * x is x << 4; each half is updated from the other half, the sum and two key words.
    v7 += (v3 + v9) ^ (v2 + 16 * v9) ^ (v4 + (v9 >> 5));
    result = v3 + v7;
    v9 += result ^ (v5 + 16 * v7) ^ (v6 + (v7 >> 5));
    --v8;
  }
  while ( v8 );
  *a1 = v7;
  a1[1] = v9;
  return result;
}

由加密部分得知 key 为 4 个 32 位整数(a2[0]~a2[3],共 128 位),也就是 main 中通过 xmmword 常量加载到 si128 的那 16 字节:

 

key[4] = { 0x12345678,0x23456789,0x34567890,0x45678901 } 

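简单的 TEA 加密,共 32 轮。注意每轮 v3 -= 1412567261,相当于 delta 为 0xABCDEF23,而不是标准 TEA 的 0x9E3779B9,所以直接套用默认 delta 的标准 TEA 脚本是解不出来的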

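每次加密两个 32 位整数(8 字节),4 次调用刚好加密输入的前 32 字节。memcmp 比较的是 0x22 = 34 字节,最后 2 字节没有经过加密,直接与 v8 = 32107(0x7D6B,按小端存放即 "k}")比较,所以解密脚本最后要手动补上 "k}"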

写出解密脚本

#include<stdio.h>
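/*
 * Undo one 8-byte block of the challenge's TEA variant, in place.
 *
 * a1: pointer to the two 32-bit ciphertext words; on return they hold the
 *     plaintext words.
 * a2: pointer to four key words. The caller stores them as long long, but only
 *     the low 32 bits of each are used, matching the 32-bit key words read by
 *     the encryption routine.
 *
 * All arithmetic is done in unsigned int so that wrap-around is well defined.
 * The earlier form started from -(1412567261 * 32), which overflows int; that
 * is undefined behaviour in C even though most compilers happen to wrap it.
 * Assumes unsigned int is 32 bits wide.
 */
void decrypt(unsigned int* a1, long long* a2)
{
	/* Per-round step of the cipher: (unsigned)-1412567261, not stock TEA's 0x9E3779B9. */
	const unsigned int delta = 0xABCDEF23u;
	const unsigned int k0 = (unsigned int)a2[0];
	const unsigned int k1 = (unsigned int)a2[1];
	const unsigned int k2 = (unsigned int)a2[2];
	const unsigned int k3 = (unsigned int)a2[3];
	unsigned int left = a1[0];
	unsigned int right = a1[1];
	/* Value the sum reaches after 32 encryption rounds; walked back to 0 below. */
	unsigned int sum = delta * 32u;

	for (int round = 0; round < 32; round++)
	{
		/* Encryption updates left then right; undo them in the opposite order. */
		right -= (sum + left) ^ (k2 + (left << 4)) ^ (k3 + (left >> 5));
		left -= (sum + right) ^ (k0 + (right << 4)) ^ (k1 + (right >> 5));
		sum -= delta;
	}
	a1[0] = left;
	a1[1] = right;
}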

/*
 * Solver entry point: decrypts the eight expected ciphertext words taken from
 * the binary, two words (one block) at a time, and prints the result as text.
 * The trailing "k}" is printed separately because those two bytes (v8 = 32107
 * in the decompiled main) are compared without ever being encrypted.
 */
int main()
{
	long long key[4] = { 0x12345678,0x23456789,0x34567890,0x45678901 };
	/* Negative decimals are the decompiler's signed view of the same 32-bit words. */
	unsigned int cipher[8] = {
		778273437,
		(unsigned int)-1051836401,
		(unsigned int)-1690714183,
		1512016660,
		1636330974,
		1701168847,
		(unsigned int)-1626976412,
		594166774
	};
	unsigned int* block = cipher;
	unsigned int* const end = cipher + 8;

	/* Four independent 8-byte blocks, each decrypted in place. */
	while (block < end)
	{
		decrypt(block, key);
		block += 2;
	}

	/* Dump the 32 recovered bytes in memory order. */
	char* text = (char*)cipher;
	int remaining = 8 * 4;
	while (remaining > 0)
	{
		printf("%c", *text);
		++text;
		--remaining;
	}
	printf("k}");
	return 0;
}

hgame{Tea_15_4_v3ry_h3a1thy_drlnk}
