[GDOUCTF 2023]Tea writeup


通过strings找到关键函数

// Decompiled entry point of the challenge binary (IDA pseudo-code, not compilable C).
// Flow visible below: read 10 hex dwords -> key() -> copy() -> tea() -> fun4();
// on a non-zero fun4() result the dwords held in flag[] are printed back as characters.
// NOTE(review): the only secret is the user's own input; the key words and the expected
// ciphertext both live in the binary (see the later listings on this page), which is why
// the check can be inverted offline.
int __fastcall main_0(int argc, const char **argv, const char **envp)
{
  char *v3; // rdi
  __int64 i; // rcx
  char v6; // [rsp+20h] [rbp+0h] BYREF
  int v7; // [rsp+24h] [rbp+4h]
  int v8; // [rsp+44h] [rbp+24h]
  int four_key[12]; // [rsp+68h] [rbp+48h] BYREF
  _DWORD input[16]; // [rsp+98h] [rbp+78h] BYREF
  int flag[31]; // [rsp+D8h] [rbp+B8h] BYREF
  int j; // [rsp+154h] [rbp+134h]
  int k; // [rsp+174h] [rbp+154h]
  int m; // [rsp+194h] [rbp+174h]

  // Fills 102 dwords starting at &v6 with -858993460 (0xCCCCCCCC).
  // NOTE(review): this looks like compiler-generated debug stack fill, not challenge logic.
  v3 = &v6;
  for ( i = 102i64; i; --i )
  {
    *(_DWORD *)v3 = -858993460;
    v3 += 4;
  }
  j___CheckForDebuggerJustMyCode(&unk_7FF600623009, argv, envp);
  v7 = 32;
  v8 = 0;
  // These four values are passed to key() below before tea() uses them; the key listing
  // later on this page stores 2233/4455/6677/8899 into its argument, so the constants
  // here are presumably overwritten and should not be used as the cipher key.
  four_key[0] = 1234;
  four_key[1] = 5678;
  four_key[2] = 9012;
  four_key[3] = 3456;
  // 0x28 bytes = 10 dwords, the same count the scanf loop fills.
  memset(input, 0, 0x28ui64);
  flag[15] = 0;
  flag[23] = 0;
  print_strs();
  // Reads exactly 10 hex values; the bound stays inside input[16]. The scanf return
  // value is not checked, so a failed conversion leaves the zeroed dword in place.
  for ( j = 0; j < 10; ++j )
    scanf("%x", &input[j]);
  key(four_key);
  // copy() runs before tea(), and flag[] is what gets printed on success, so it
  // presumably preserves the plaintext input - confirm against copy()'s body.
  copy(input, flag);
  tea(input, four_key);
  v8 = fun4(input);
  if ( v8 )
  {
    print("you are right\n");
    // Each dword is emitted most-significant byte first (shifts of 24, 16, 8, 0),
    // so the flag text is packed big-endian inside the 10 input dwords.
    for ( k = 0; k < 10; ++k )
    {
      for ( m = 3; m >= 0; --m )
        print("%c", (unsigned __int8)((unsigned int)flag[k] >> (8 * m)));
    }
  }
  else
  {
    print("fault!\nYou can go online and learn the tea algorithm!");
  }
  return 0;
}

发现xtea算法函数

// Core loop of the modified XTEA routine (fragment; the enclosing function is not shown).
// - i runs 0..8, and each pass works on the overlapping pair res[i], res[i+1], so every
//   word except the first and last is transformed twice. Decryption therefore has to
//   undo the pairs in reverse order (i = 8 down to 0).
// - The variable named delta is the running sum; it starts at 256256256 * i for pair i.
// - v6 is incremented before the `v6 <= 0x20` test, so the do/while body runs 33 times.
// Differences from textbook XTEA visible here: the constant is 256256256 instead of
// 0x9E3779B9, the first half-round XORs in an extra copy of the sum (`delta ^ ...`),
// and the sum is advanced after both half-rounds rather than between them.
for ( i = 0; i <= 8; ++i )
  {
    v6 = 0;
    delta = 256256256 * i;
    i_plus_1 = i + 1;
    do
    {
      ++v6;
      // res[i] += sum ^ (res[i+1] + ((res[i+1] >> 5) ^ (res[i+1] * 16))) ^ (sum + key[sum & 3])
      *(_DWORD *)(res + 4i64 * i) += delta ^ (*(_DWORD *)(res + 4i64 * i_plus_1)
                                            + ((*(_DWORD *)(res + 4i64 * i_plus_1) >> 5) ^ (16
                                                                                          * *(_DWORD *)(res + 4i64 * i_plus_1)))) ^ (delta + *(_DWORD *)(key + 4i64 * (delta & 3)));
      // res[i+1] += (sum + key[(sum >> 11) & 3]) ^ (res[i] + ((res[i] >> 5) ^ (res[i] * 16)))
      *(_DWORD *)(res + 4i64 * i_plus_1) += (delta + *(_DWORD *)(key + 4i64 * ((delta >> 11) & 3))) ^ (*(_DWORD *)(res + 4i64 * i) + ((*(_DWORD *)(res + 4i64 * i) >> 5) ^ (16 * *(_DWORD *)(res + 4i64 * i))));
      delta += 256256256;
    }
    while ( v6 <= 0x20 );
    result = (unsigned int)(i + 1);
  }

找到key和result

// Body of the key-setup routine (its signature is not shown on this page; a1 is the
// pointer it receives - presumably four_key from main_0, via the key() call).
// Stores the four key words 2233, 4455, 6677, 8899 into a1[0..3] and returns 8899.
{
  v7 = 4455;
  v8 = 6677;
  v9 = 8899;
  *a1 = 2233;
  a1[1] = v7;
  a1[2] = v8;
  result = v9;
  a1[3] = v9;
  return result;
}
// Fragment of the comparison routine (signature and braces are not shown on this page;
// presumably fun4() from main_0, with a1 pointing at the encrypted input).
// v8[0..9] is the expected ciphertext: ten 32-bit words embedded in the binary.
v7 = 0;
v8[0] = 0x1A800BDA;
v8[1] = 0xF7A6219B;
v8[2] = 0x491811D8;
v8[3] = 0xF2013328;
v8[4] = 0x156C365B;
v8[5] = 0x3C6EAAD8;
v8[6] = 0x84D4BF28;
v8[7] = 0xF11A7EE7;
v8[8] = 0x3313B252;
v8[9] = 0xDD9FE279;
// NOTE(review): as decompiled, v7 is overwritten on every iteration, so the returned
// value reflects only the j == 9 comparison; earlier mismatches do not clear it.
// Confirm against the disassembly before relying on this.
for ( j = 0; j < 10; ++j )
v7 = *(_DWORD *)(a1 + 4i64 * j) == v8[j];
return v7;

在xtea解密模板中,修改key、delta、result以及算法被魔改的部分

import binascii
from ctypes import *

def decrypt(v, key, num):
    """Undo the 33-round modified-XTEA transform applied to one pair of words.

    v   -- the two 32-bit ciphertext words [v0, v1] of the pair
    key -- the four key words
    num -- index of the pair; the encryption loop starts its running sum at
           delta * num, so after 33 rounds it has reached delta * (num + 33)

    Reads the module-level ``delta``. All arithmetic is reduced modulo 2**32.
    Returns the recovered pair as a tuple of ints (v0, v1).
    """
    mask = 0xFFFFFFFF
    left = v[0] & mask
    right = v[1] & mask
    running = (delta * (num + 33)) & mask
    for _ in range(33):
        # Step the sum back first: encryption advanced it after both half-rounds.
        running = (running - delta) & mask
        mix_left = ((left * 16) ^ (left >> 5)) + left
        right = (right - (mix_left ^ (running + key[(running >> 11) & 3]))) & mask
        mix_right = ((right * 16) ^ (right >> 5)) + right
        # The extra "^ running" mirrors the non-standard XOR in the binary's first half-round.
        left = (left - (mix_right ^ (running + key[running & 3]) ^ running)) & mask

    return left, right


# test
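if __name__ == "__main__":
    ################# data to adjust per challenge ##################
    # Expected ciphertext words, key words and round constant taken from the
    # decompiled comparison routine, key-setup routine and cipher loop.
    res = [0x1A800BDA, 0xF7A6219B, 0x491811D8, 0xF2013328, 0x156C365B, 0x3C6EAAD8, 0x84D4BF28, 0xF11A7EE7, 0x3313B252,
           0xDD9FE279]
    key = [2233, 4455, 6677, 8899]
    delta = 256256256  # stays module-level: decrypt() reads it as a global
    ################# data to adjust per challenge ##################

    # The binary encrypts overlapping pairs (0,1), (1,2), ... (8,9) in that order,
    # so the pairs have to be undone from the last one back to the first.
    for i in range(len(res) - 2, -1, -1):
        res[i], res[i + 1] = decrypt(res[i:i + 2], key, i)

    # Zero-pad every word to 8 hex digits. hex(word)[2:] drops leading zeros, which
    # shifts the nibble alignment of everything after a word below 0x10000000.
    strs = ''.join('%08x' % word for word in res)
    print(strs)

    # Words are laid out most-significant byte first, matching how the binary prints
    # the flag. The input buffer is zero-filled, so trailing NUL bytes are padding.
    raw = binascii.a2b_hex(strs).rstrip(b'\x00')
    try:
        print(raw.decode())
    except UnicodeDecodeError:
        # Show the raw bytes instead of hiding the failure: undecodable output
        # usually means the key, delta or round count above is wrong.
        print(repr(raw))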

得到flag:HZCTF{hzCtf_94_re666fingcry5641qq}