有点小搞的python逆向。最开始从pyc里还原出源码的时候不太能看懂,只能看懂几个读写的操作,当时没太懂意思。运行程序后发现bin1变成了exe,提示是用exe来解密bin2,脑子抽了,没懂意思;结果做法是直接把原exe里的bin1 patch成bin2,以这种方式解密。解密完的bin2就是一个简单的xxtea。
#include <stdio.h>
#include <stdint.h>
#include<stdlib.h>
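/* Round constant used by this sample. The reference XXTEA constant is
 * 0x9E3779B9, so an off-the-shelf XXTEA routine will not decrypt this data. */
#define DELTA 0x7937B99E
/* XXTEA mixing function. It expands in place and relies on the locals
 * y, z, sum, key, p and e being defined in the surrounding scope. */
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

/**
 * Decrypt a block of 32-bit words in place with the modified XXTEA variant
 * recovered from the challenge binary.
 *
 * Differences from reference XXTEA, both visible in this file:
 *   - DELTA is 0x7937B99E;
 *   - the round count is 52 / n rather than 6 + 52 / n
 *     (4 rounds for the 11-word buffer used in main()).
 *
 * @param v    buffer of |n| words, overwritten with the plaintext
 * @param n    negative word count selects decryption (n < -1). Positive
 *             values would select encryption, which is disabled here, so
 *             n >= -1 leaves the buffer untouched.
 * @param key  128-bit key as four 32-bit words
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e, count;

    if (v == NULL || key == NULL) {
        return;
    }

    /* n > 1 is the encryption direction. The original kept it commented out
     * (with the reference 6 + 52 / n schedule, which would not match the
     * decryption below), so it stays a no-op, as do n == -1, 0 and 1. */
    if (n >= -1) {
        return;
    }

    /* Negate in unsigned arithmetic so that n == INT_MIN is not undefined. */
    count = 0u - (unsigned)n;

    rounds = 52 / count;
    /* More than 52 words gives zero rounds. Without this check the
     * do/while below would decrement 0 and run about 2^32 rounds. */
    if (rounds == 0) {
        return;
    }

    sum = rounds * DELTA;
    y = v[0];
    do {
        e = (sum >> 2) & 3;
        /* Undo the mixing from the last word down to word 1. */
        for (p = count - 1; p > 0; p--) {
            z = v[p - 1];
            y = v[p] -= MX;
        }
        /* p is 0 here: word 0 is mixed against the last word. */
        z = v[count - 1];
        y = v[0] -= MX;
        sum -= DELTA;
    } while (--rounds);
}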
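int main(void)
{
    /*
     * Byte-order reminder: raw bytes are packed little-endian into the
     * 32-bit words handed to btea(), e.g.
     *   0xbc 0xa5 0xce 0x40 -> 0x40cea5bc
     *   0xf4 0xb2 0xb2 0xe7 -> 0xe7b2b2f4
     * NOTE(review): the example values in the original comment do not occur
     * in v[] below; it looks like a leftover from the XXTEA template.
     */

    /* Ciphertext to decrypt: 11 words (44 bytes). */
    uint32_t v[11] = {
        0xCC45699Du,
        0x683D5352u, 0xB8BB71A0u,
        0x0D3817ADu, 0x7547E79Eu,
        0x4BDD8C7Cu, 0x95E25A81u,
        0xC4525103u, 0x7049B46Fu,
        0x5417F77Cu, 0x65567138u,
    };

    /*
     * 128-bit key as four 32-bit words.
     * NOTE(review): the original comment described the key as the string
     * "flag" (0x67616c66, zero-padded to 128 bits). That does not match the
     * words below, so it is also template residue.
     */
    uint32_t const k[4] = { 0x4B5Fu, 0xDEADu, 0x11EDu, 0xB3CCu };

    /* |n| is the word count of v; btea() decrypts when given a negative n. */
    int n = (int)(sizeof v / sizeof v[0]);
    int i;

    /* Use the computed length rather than a second hard-coded 11. */
    btea(v, -n, k);

    /* Dump the decrypted words. Each word holds four plaintext bytes in
     * little-endian order. */
    for (i = 0; i < n; i++) {
        printf(" 0x%x\n", (unsigned)v[i]);
    }
    printf("\n");

#ifdef _WIN32
    /* Keep the console window open. "pause" is a cmd.exe builtin, so the
     * call is limited to Windows builds. */
    system("pause");
#endif
    return 0;
}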
除了改了delta的数值外,解密的轮数也变了:标准XXTEA是6+52/n,这里直接用52/n(找了好久,小搞)
DASCTF{7eb20cb2-deac-11ed-ae42-94085339ce84}