32位exe,upx壳,直接自动脱掉就行,但ida反编译出了问题,最开始看伪代码有点困难,先看看汇编,发现大体流程,结合题目hint是xxtea,手动修改函数和栈
然后就可以f5了
最后那里还是有点问题,是输出right字符串的,不是加密代码,没有再处理了
xxtea的加密解密参见(4条消息) C语言实现TEA系列加解密算法_P1umH0的博客-CSDN博客
其中delta是1732584193,密钥盒key是
{(unsigned int)0xEFCDAB89,(unsigned int)0X10325476,(unsigned int)0x98BADCFE, (unsigned int)0xC3D2E1F0}
加密字符串是{(unsigned int)3640088821, (unsigned int)1382566363, (unsigned int)3805750627,(unsigned int) 1214181292, (unsigned int)1620003782, (unsigned int)1482291050,(unsigned int) 2956289443, (unsigned int)1044419009,(unsigned int) 3554368410}
看到这里就
#include <stdio.h>
#include <stdint.h>
#define DELTA 1732584193
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
void btea(uint32_t *v,int n, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
//加密
if (n > 1)
{
rounds = 6 + 52 / n;
sum = 0;
z = v[n - 1];
do
{
sum += DELTA;
e = (sum >> 2) & 3;
for (p = 0; (int)p<n - 1; p++)
{
y = v[p + 1];
z = v[p] += MX;
}
y = v[0];
z = v[n - 1] += MX;
} while (--rounds);
}
//解密
else if (n < -1)
{
n = 9;
rounds =12;
sum = rounds*DELTA;
y = v[0];
do
{
e = (sum >> 2) & 3;
for (p = n - 1; p>0; p--)
{
z = v[p - 1];
y = v[p] -= MX;
}
z = v[n - 1];
y = v[0] -= MX;
sum -= DELTA;
} while (--rounds);
}
}
int main()
{
uint32_t v[] = {
(unsigned int)3640088821, (unsigned int)1382566363, (unsigned int)3805750627,(unsigned int) 1214181292, (unsigned int)1620003782, (unsigned int)1482291050,(unsigned int) 2956289443,
(unsigned int)1044419009,(unsigned int) 3554368410};
uint32_t const k[4] = {
(unsigned int)0xEFCDAB89,(unsigned int)0X10325476,(unsigned int)0x98BADCFE, (unsigned int)0xC3D2E1F0,
};
//n的绝对值表示v的长度,取正表示加密,取负表示解密
int n = sizeof(v) / sizeof(uint32_t);
btea(v, -n, k);
for (int i=0 ;i<=10;i++)
{
printf("%x\n",v[i]);
}
printf("\n");
getchar();
getchar();
return 0;
}
是flag了,整理一下就行