通过strings找到关键函数
// Decompiler listing of the challenge binary's main routine. As shown, it
// reads ten 32-bit words in hex, passes them through copy(), tea() and fun4(),
// and prints the saved words as characters when fun4() returns non-zero.
// The helpers' bodies are not part of this function; the fragments further
// down the page are presumably theirs.
int __fastcall main_0(int argc, const char **argv, const char **envp)
{
  char *v3; // rdi
  __int64 i; // rcx
  char v6; // [rsp+20h] [rbp+0h] BYREF
  int v7; // [rsp+24h] [rbp+4h]
  int v8; // [rsp+44h] [rbp+24h]
  int four_key[12]; // [rsp+68h] [rbp+48h] BYREF
  _DWORD input[16]; // [rsp+98h] [rbp+78h] BYREF
  int flag[31]; // [rsp+D8h] [rbp+B8h] BYREF
  int j; // [rsp+154h] [rbp+134h]
  int k; // [rsp+174h] [rbp+154h]
  int m; // [rsp+194h] [rbp+174h]

  // Compiler-generated prologue: writes -858993460 (0xCCCCCCCC, the MSVC
  // debug-build stack fill value) into 102 dwords starting at v6. It is not
  // part of the challenge logic.
  v3 = &v6;
  for ( i = 102i64; i; --i )
  {
    *(_DWORD *)v3 = -858993460;
    v3 += 4;
  }
  // MSVC "Just My Code" debugging instrumentation inserted by the compiler;
  // despite the name it is not an anti-debugging check.
  j___CheckForDebuggerJustMyCode(&unk_7FF600623009, argv, envp);
  v7 = 32;                       // not read again in this listing
  v8 = 0;
  // Initial key words. key(four_key) runs before the cipher, and the key
  // fragment later on the page stores 2233/4455/6677/8899, so these four
  // values are presumably overwritten and never used for encryption.
  four_key[0] = 1234;
  four_key[1] = 5678;
  four_key[2] = 9012;
  four_key[3] = 3456;
  memset(input, 0, 0x28ui64);    // 0x28 = 40 bytes = the ten dwords read below
  flag[15] = 0;                  // purpose of these two stores is not evident here
  flag[23] = 0;
  print_strs();
  // Ten words, each parsed as hexadecimal; scanf's return value is ignored,
  // so a failed conversion leaves the zero from memset in place.
  for ( j = 0; j < 10; ++j )
    scanf("%x", &input[j]);
  key(four_key);
  // presumably saves the plaintext words into flag before tea() modifies
  // input; copy()'s body is not shown
  copy(input, flag);
  tea(input, four_key);
  v8 = fun4(input);              // non-zero selects the success branch
  if ( v8 )
  {
    print("you are right\n");
    // Emit each of the ten saved words as four characters, most significant
    // byte first (shift by 24, 16, 8, 0).
    for ( k = 0; k < 10; ++k )
    {
      for ( m = 3; m >= 0; --m )
        print("%c", (unsigned __int8)((unsigned int)flag[k] >> (8 * m)));
    }
  }
  else
  {
    print("fault!\nYou can go online and learn the tea algorithm!");
  }
  return 0;
}
发现xtea算法函数
// Cipher loop, presumably the body of the routine main_0 calls as
// tea(input, four_key): res addresses the data dwords, key the four key words.
// The round structure is XTEA-shaped; the visible differences from the
// reference algorithm are:
//   - the constant is 256256256 and the running sum starts at 256256256 * i
//   - the first half-round XORs the running sum in one extra time
//   - the sum advances after both half-rounds instead of between them
//   - 33 rounds per pair (the counter is incremented before the <= 0x20 test)
//   - pairs overlap: (res[i], res[i + 1]) for i = 0..8, so every dword except
//     the first and last is processed twice
for ( i = 0; i <= 8; ++i )
{
  v6 = 0;                        // round counter for this pair
  delta = 256256256 * i;         // despite the name, this is the running sum
  i_plus_1 = i + 1;
  do
  {
    ++v6;
    // res[i] += sum ^ (res[i+1] + ((res[i+1] >> 5) ^ (res[i+1] * 16)))
    //               ^ (sum + key[sum & 3])
    *(_DWORD *)(res + 4i64 * i) += delta ^ (*(_DWORD *)(res + 4i64 * i_plus_1)
                                          + ((*(_DWORD *)(res + 4i64 * i_plus_1) >> 5) ^ (16
                                          * *(_DWORD *)(res + 4i64 * i_plus_1)))) ^ (delta + *(_DWORD *)(key + 4i64 * (delta & 3)));
    // res[i+1] += (sum + key[(sum >> 11) & 3])
    //             ^ (res[i] + ((res[i] >> 5) ^ (res[i] * 16)))
    // This already uses the res[i] value updated on the previous statement.
    *(_DWORD *)(res + 4i64 * i_plus_1) += (delta + *(_DWORD *)(key + 4i64 * ((delta >> 11) & 3))) ^ (*(_DWORD *)(res + 4i64 * i) + ((*(_DWORD *)(res + 4i64 * i) >> 5) ^ (16 * *(_DWORD *)(res + 4i64 * i))));
    delta += 256256256;
  }
  while ( v6 <= 0x20 );
  // presumably just the decompiler's view of the return register, not a
  // value the caller relies on
  result = (unsigned int)(i + 1);
}
找到key和result
// Key-setup fragment (function header not included in the listing; presumably
// the body of key() as called from main_0). It stores the four words
// 2233, 4455, 6677, 8899 into a1[0..3].
{
  v7 = 4455;
  v8 = 6677;
  v9 = 8899;
  *a1 = 2233;
  a1[1] = v7;
  a1[2] = v8;
  result = v9;                   // return value equals the last key word
  a1[3] = v9;
  return result;
}
// Verification fragment (function header not included in the listing;
// presumably the body of fun4() as called from main_0). v8 holds the ten
// expected ciphertext dwords; a1 addresses the data to check.
v7 = 0;
v8[0] = 0x1A800BDA;
v8[1] = 0xF7A6219B;
v8[2] = 0x491811D8;
v8[3] = 0xF2013328;
v8[4] = 0x156C365B;
v8[5] = 0x3C6EAAD8;
v8[6] = 0x84D4BF28;
v8[7] = 0xF11A7EE7;
v8[8] = 0x3313B252;
v8[9] = 0xDD9FE279;
// NOTE(review): v7 is assigned, not accumulated, on every pass, so as
// decompiled the return value reflects only the j == 9 comparison. A check
// meant to cover all ten words would AND the results together or return 0 on
// the first mismatch.
for ( j = 0; j < 10; ++j )
  v7 = *(_DWORD *)(a1 + 4i64 * j) == v8[j];
return v7;
在xtea解密模板的基础上,修改key、delta、result(待比较的密文),并按魔改部分调整算法:每组33轮,sum初值为delta*i,v0的更新多异或一次sum,且sum在两步更新之后才累加
import binascii
from ctypes import *
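def decrypt(v, key, num):
    """Undo the binary's modified-XTEA encryption for one pair of 32-bit words.

    v   -- sequence holding the two ciphertext words (v[0], v[1])
    key -- sequence of the four key words
    num -- index of the pair; the encryptor seeds its running sum with
           delta * num, so it ends at delta * (num + 33)

    Reads the module-level name ``delta``, which must be defined before the
    call. Returns the two recovered words as a tuple of ints.
    """
    mask = 0xFFFFFFFF   # all arithmetic in the binary is on 32-bit dwords
    rounds = 33         # the encryptor's do/while body runs 33 times per pair

    v0, v1 = v[0] & mask, v[1] & mask
    total = (delta * (num + rounds)) & mask
    for _ in range(rounds):
        # The encryptor advances the sum at the end of a round, so step it
        # back first, then undo the two half-rounds in reverse order.
        total = (total - delta) & mask
        v1 = (v1 - ((((v0 * 16) ^ (v0 >> 5)) + v0)
                    ^ (total + key[(total >> 11) & 3]))) & mask
        # Extra "^ total" mirrors the additional XOR in the binary's first
        # half-round.
        v0 = (v0 - ((((v1 * 16) ^ (v1 >> 5)) + v1)
                    ^ (total + key[total & 3]) ^ total)) & mask
    return v0, v1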
# test
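if __name__ == "__main__":
    ################# values to adapt per target ##################
    # Ciphertext words the binary's check compares against, in order.
    res = [0x1A800BDA, 0xF7A6219B, 0x491811D8, 0xF2013328, 0x156C365B,
           0x3C6EAAD8, 0x84D4BF28, 0xF11A7EE7, 0x3313B252, 0xDD9FE279]
    # Key words stored by the binary's key-setup routine.
    key = [2233, 4455, 6677, 8899]
    # Round constant; decrypt() reads this module-level name.
    delta = 256256256
    ################# values to adapt per target ##################

    # Encryption walked the overlapping pairs (i, i + 1) for i = 0..8, so the
    # pairs are undone in the opposite order, last pair first.
    for i in range(len(res) - 2, -1, -1):
        res[i], res[i + 1] = decrypt(res[i:i + 2], key, i)

    # Fixed-width formatting: hex(word)[2:] drops leading zero nibbles, which
    # shifts every following byte whenever a word is below 0x10000000.
    strs = ''.join('%08x' % word for word in res)
    print(strs)

    # The hex string lists each word most significant byte first, the same
    # order in which main_0 prints the characters.
    raw = binascii.a2b_hex(strs)
    # Print every prefix that decodes as text, longest first (cut == 0 is the
    # whole buffer), so trailing padding or non-text bytes can be trimmed by
    # eye. Only the decode error is suppressed; anything else should surface.
    for cut in range(len(raw)):
        try:
            print(raw[:len(raw) - cut].decode())
        except UnicodeDecodeError:
            pass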
得到flag:HZCTF{hzCtf_94_re666fingcry5641qq}