/*
 * Raw decompiler output for main(), before any symbols were renamed.
 * Flow visible here: print a prompt, read a string with "%50s", run
 * sub_1400010B4 over four consecutive 8-byte blocks of the input buffer
 * using the 16 bytes in si128, then memcmp() the result against constants.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char *v4; // rcx
  __m128i si128; // [rsp+20h] [rbp-19h] BYREF
  int Buf2[8]; // [rsp+30h] [rbp-9h] BYREF
  __int16 v8; // [rsp+50h] [rbp+17h]
  __int128 Buf1; // [rsp+58h] [rbp+1Fh] BYREF
  __int128 v10[2]; // [rsp+68h] [rbp+2Fh] BYREF
  __int16 v11; // [rsp+88h] [rbp+4Fh]
  // Buf2[0..7] (32 bytes) and v8 (2 bytes) together form the 34-byte value
  // the transformed input is compared against. By the annotated stack slots
  // v8 sits directly after Buf2 (rsp+30h + 0x20 = rsp+50h).
  Buf2[0] = 778273437;
  // Buf1, v10 and v11 are zeroed; by the annotated slots they are contiguous
  // (rsp+58h .. rsp+8Ah, 50 bytes) and are used as one input buffer.
  Buf1 = 0i64;
  memset(v10, 0, sizeof(v10));
  v11 = 0;
  Buf2[1] = -1051836401;
  // 16 bytes loaded from a global; passed as the second argument to every
  // sub_1400010B4 call below -- presumably the cipher key (confirm in callee).
  si128 = _mm_load_si128((const __m128i *)&xmmword_1400022B0);
  Buf2[2] = -1690714183;
  Buf2[3] = 1512016660;
  Buf2[4] = 1636330974;
  Buf2[5] = 1701168847;
  Buf2[6] = -1626976412;
  Buf2[7] = 594166774;
  v8 = 32107; // 0x7D6B; little-endian bytes 'k', '}'
  // Looks like a printf-style helper (called with string arguments only).
  sub_140001010("nice tea!\n> ");
  // Looks like a scanf-style helper; the destination argument is not shown in
  // this listing. NOTE(review): "%50s" can store 50 characters plus a
  // terminating NUL (51 bytes); if the destination is the 50-byte
  // Buf1/v10/v11 region, a maximal input writes one byte past v11.
  sub_1400010B4(&Buf1, &si128);
  sub_1400010B4((char *)&Buf1 + 8, &si128);
  sub_1400010B4(v10, &si128);
  sub_1400010B4((char *)v10 + 8, &si128);
  // 0x22 = 34 bytes: the 32 transformed bytes plus 2 trailing bytes that the
  // four calls above never touch. The comparison reads past Buf2 into v8.
  v3 = memcmp(&Buf1, Buf2, 0x22ui64);
  v4 = "wrong...";
  if ( !v3 )
    v4 = "Congratulations!";
  // The message is passed as the first (format-position) argument; both
  // candidates are constants, so no input-controlled format string here.
  sub_140001010(v4);
  return 0;
}
重命名很重要
/*
 * Decompiled main() after renaming the helpers to printf / scanf / tea.
 * Reads up to 50 characters, encrypts the first 32 bytes in place as four
 * 8-byte blocks with tea(), and compares 34 bytes against Buf2 followed by v8.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char *v4; // rcx
  __m128i si128; // [rsp+20h] [rbp-19h] BYREF
  int Buf2[8]; // [rsp+30h] [rbp-9h] BYREF
  __int16 v8; // [rsp+50h] [rbp+17h]
  __int128 Buf1; // [rsp+58h] [rbp+1Fh] BYREF
  __int128 v10[2]; // [rsp+68h] [rbp+2Fh] BYREF
  __int16 v11; // [rsp+88h] [rbp+4Fh]
  // Expected ciphertext: Buf2[0..7] (32 bytes) followed on the stack by v8
  // (2 bytes), per the annotated slots rsp+30h and rsp+50h.
  Buf2[0] = 778273437;
  // Input buffer: Buf1 (16) + v10 (32) + v11 (2) = 50 contiguous bytes by the
  // annotated slots, zeroed before use.
  Buf1 = 0i64;
  memset(v10, 0, sizeof(v10));
  v11 = 0;
  Buf2[1] = -1051836401;
  // 128-bit key material; tea() receives it as four 32-bit ints.
  si128 = _mm_load_si128((const __m128i *)&xmmword_7FF7A09122B0);
  Buf2[2] = -1690714183;
  Buf2[3] = 1512016660;
  Buf2[4] = 1636330974;
  Buf2[5] = 1701168847;
  Buf2[6] = -1626976412;
  Buf2[7] = 594166774;
  v8 = 32107; // 0x7D6B; little-endian bytes 'k', '}'
  printf("nice tea!\n> ");
  // NOTE(review): "%50s" stores up to 50 characters plus a terminating NUL,
  // i.e. 51 bytes, into a region that is 50 bytes by the annotated offsets;
  // a maximal input puts the NUL one byte past v11. A width of 49 would fit.
  scanf("%50s", &Buf1);
  // Four in-place block encryptions at byte offsets 0, 8, 16 and 24.
  tea((unsigned int *)&Buf1, si128.m128i_i32);
  tea((unsigned int *)&Buf1 + 2, si128.m128i_i32);
  tea((unsigned int *)v10, si128.m128i_i32);
  tea((unsigned int *)v10 + 2, si128.m128i_i32);
  // 0x22 = 34 bytes: 32 encrypted bytes against Buf2, then input bytes 32..33
  // (never encrypted) against v8. Relies on v8 directly following Buf2.
  v3 = memcmp(&Buf1, Buf2, 0x22ui64);
  v4 = "wrong...";
  if ( !v3 )
    v4 = "Congratulations!";
  // Non-literal format argument, but v4 is always one of two constants.
  printf(v4);
  return 0;
}
看看加密部分
/*
 * Decompiled block-encryption routine: transforms the two 32-bit words at
 * a1[0] and a1[1] in place using the four 32-bit key words a2[0..3].
 * The structure matches TEA (32 rounds, shifts by 4 and 5, two key words per
 * half-round), but the per-round constant differs from the reference TEA
 * delta 0x9E3779B9: the running sum is decreased by 1412567261 (0x543210DD)
 * each round, which modulo 2^32 is the same as adding 0xABCDEF23.
 * Returns the last value of (sum + v7); the calls in main() ignore it.
 */
__int64 __fastcall tea(unsigned int *a1, int *a2)
{
  int v2; // ebx
  int v3; // r11d
  int v4; // edi
  int v5; // esi
  int v6; // ebp
  unsigned int v7; // r9d
  __int64 v8; // rdx
  unsigned int v9; // r10d
  __int64 result; // rax
  v2 = *a2;   // key word 0
  v3 = 0;     // running sum; a 32-bit register (r11d), so it wraps modulo 2^32
  v4 = a2[1]; // key word 1
  v5 = a2[2]; // key word 2
  v6 = a2[3]; // key word 3
  v7 = *a1;   // first word of the block
  v8 = 32i64; // round counter
  v9 = a1[1]; // second word of the block
  do
  {
    v3 -= 1412567261; // sum update comes first, before both half-rounds
    // First half-round: mix v9 with key words 0 and 1 into v7.
    // 16 * v9 is a left shift by 4; v9 >> 5 is a logical shift (unsigned).
    v7 += (v3 + v9) ^ (v2 + 16 * v9) ^ (v4 + (v9 >> 5));
    result = v3 + v7;
    // Second half-round: mix the updated v7 with key words 2 and 3 into v9.
    v9 += result ^ (v5 + 16 * v7) ^ (v6 + (v7 >> 5));
    --v8;
  }
  while ( v8 );
  *a1 = v7;
  a1[1] = v9;
  return result;
}
由加密部分可知 key 由 4 个 32 位整数组成(tea 依次读取 a2[0]~a2[3])
key[4] = { 0x12345678,0x23456789,0x34567890,0x45678901 }
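TEA 加密的简单变体:每轮 sum 减去 1412567261(即 delta = 0xABCDEF23,而不是标准 TEA 的 0x9E3779B9)
每次加密两个 32 位字(8 字节),四次调用正好加密前 32 字节;memcmp 比较的 0x22 字节中最后 2 字节不经过加密,直接与 v8 = 32107(即 "k}")比较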
写出解密脚本
#include<stdio.h>
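/*
 * Invert one block of the challenge's TEA variant in place.
 *
 * a1: pointer to two 32-bit words (one 8-byte ciphertext block); overwritten
 *     with the plaintext words.
 * a2: four key words; only the low 32 bits of each element are used.
 *
 * All arithmetic is done in unsigned int so that wrap-around modulo 2^32 is
 * well defined (this assumes unsigned int is 32 bits wide, as the encryption
 * listing does). The previous form computed 1412567261 * 32 in signed int,
 * which overflows and is undefined behaviour in C.
 */
void decrypt(unsigned int* a1, long long* a2)
{
    /* The encryptor does sum -= 1412567261 per round; as an unsigned delta
     * that is 0 - 1412567261 = 0xABCDEF23. */
    const unsigned int delta = 0u - 1412567261u;
    const unsigned int k0 = (unsigned int)a2[0];
    const unsigned int k1 = (unsigned int)a2[1];
    const unsigned int k2 = (unsigned int)a2[2];
    const unsigned int k3 = (unsigned int)a2[3];
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    /* Start from the sum the encryptor ended with after 32 rounds. */
    unsigned int sum = delta * 32u;

    for (int round = 0; round < 32; round++) {
        /* Undo the half-rounds in reverse order: second word first. */
        v1 -= (sum + v0) ^ (k2 + (v0 << 4)) ^ (k3 + (v0 >> 5));
        v0 -= (sum + v1) ^ (k0 + (v1 << 4)) ^ (k1 + (v1 >> 5));
        /* The encryptor updated the sum before each round, so step it back
         * after the round here. */
        sum -= delta;
    }

    a1[0] = v0;
    a1[1] = v1;
}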
/*
 * Recover the expected input: decrypt the eight comparison words taken from
 * the decompiled main() as four 8-byte blocks, print the 32 resulting bytes,
 * then print the two trailing bytes that the program compares unencrypted.
 */
int main()
{
    long long key[4] = { 0x12345678,0x23456789,0x34567890,0x45678901 };
    /* Same decimal constants as Buf2[0..7] in the listing; the negative ones
     * convert to their 32-bit unsigned equivalents. */
    unsigned int cipher[8] = {
        778273437,
        -1051836401,
        -1690714183,
        1512016660,
        1636330974,
        1701168847,
        -1626976412,
        594166774,
    };

    /* Each decrypt() call handles two words, so four calls cover the array. */
    for (int blk = 0; blk < 4; blk++)
    {
        decrypt(&cipher[2 * blk], key);
    }

    /* Dump the plaintext byte by byte in memory order. */
    char* bytes = (char*)cipher;
    int idx = 0;
    while (idx < 8 * 4)
    {
        printf("%c", bytes[idx]);
        idx++;
    }

    /* Tail of the 34-byte comparison: v8 = 32107 = 0x7D6B, bytes 'k' '}'. */
    printf("k}");
    return 0;
}
hgame{Tea_15_4_v3ry_h3a1thy_drlnk}