DASCTF October 2024 Reverse: Write-up Notes (Challenge Files Included)

Challenge link:
https://github.com/Airrcat/long_long/tree/main/DASCTF_2024_10

ezre

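Check the PE.

32-bit, no packer detected.

Start the analysis.

It looks very much like the binary is packed.

The strings expose nothing useful, but one of the sections is named themida.

That turns out to be a packer, so go straight to finding an unpacker.

Some unpacking tools (Magicmida) launch the program and unpack it dynamically, which the program's anti-debugging checks detect.

Later I found this static unpacking tool:
unlicense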

PS C:\Users\Songs\Desktop\DASCTF10月\tempdir\REVERSE附件> .\unlicense.exe '.\ezre.exe'
INFO - Detected packer version: 3.x
frida-agent: Setting up OEP tracing for "ezre.exe"
frida-agent: Exception handler registered
frida-agent: OEP found (thread #22604): 0x8a18fe
INFO - OEP reached: OEP=0x8a18fe BASE=0x8a0000 DOTNET=False
INFO - Looking for the IAT...
INFO - Performing linear scan in data sections...
INFO - Looking for wrapped imports in code sections...
INFO - Potential import wrappers found: 15
INFO - IAT found: 0x8a3000-0x8a300b
INFO - Resolving imports ...
INFO - Imports resolved: 43
INFO - Fixed IAT at 0x8a3000, size=0xc5
INFO - Dumping PE with OEP=0x8a18fe ...
INFO - Fixing dump ...
INFO - Rebuilding PE ...
INFO - Output file has been saved at 'unpacked_ezre.exe'

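By default main cannot be decompiled because of a junk instruction.

To handle it, patch the e8 at the jmp target to 90 (nop).

At the top there is a cipher, followed by two processing functions and then a comparison.
The processing functions contain junk instructions too; remember to patch them.
The first one is a modified RC4.

Rename things.

The second one is a modified XTEA.
Note that when the modified XTEA runs, the address advances one byte at a time and the result is patched back in place, so it works on cipher [0:4]~[4:8], then [1:5]~[5:9]…
The decryption therefore has to run in reverse order.
exp: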


# RC4 helpers (rc4_xor / rc4_xor2 implement the challenge's modified variant)
from ctypes import *
key = "th0s_i0_ke9"
S = []


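# Expects the key as a str or as a list of byte values.
# Fills S with the permuted indices 0..255.
def rc4_init(S, K):  # S-box initial permutation; K is the key
    j = 0
    S.clear()  # reset the S-box on every init
    for i in range(256):
        S.append(i)
    for i in range(256):
        try:
            j = (j + S[i] + ord(K[i % len(K)])) % 256
        except TypeError:  # K already holds ints
            j = (j + S[i] + K[i % len(K)]) % 256
        S[i], S[j] = S[j], S[i]  # swap S[i] and S[j]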


def rc4_xor(S, D):
    i = j = 0
    result = []

    for a in D:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        try:
            k = (ord(a) + (S[(S[i] + S[j]) % 256] ^ 0x33)) & 0xff
        except TypeError:  # a is already an int
            k = (a + (S[(S[i] + S[j]) % 256] ^ 0x33)) & 0xff
        result.append(k)
    return result


def rc4_xor2(S, D):
    i = j = 0
    result = []

    for a in D:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        try:
            k = (ord(a) - (S[(S[i] + S[j]) % 256] ^ 0x33)) & 0xff
        except TypeError:  # a is already an int
            k = (a - (S[(S[i] + S[j]) % 256] ^ 0x33)) & 0xff
        result.append(k)
    return result


def encrypt(v, key):

    v0, v1 = c_uint32(v[0]), c_uint32(v[1])
    delta = 0x9E3779B8
    rounds = 33
    total = c_uint32(0x66778899)

    for i in range(rounds):
        v0.value += (((v1.value << 5) ^ (v1.value >> 6)) +
                     v1.value) ^ (total.value + key[total.value & 3])
        total.value += delta
        v1.value += (((v0.value << 4) ^ (v0.value >> 5)) +
                     v0.value) ^ (total.value + key[(total.value >> 11) & 3])

    return v0.value, v1.value


def decrypt(v, key):
    v0, v1 = c_uint32(v[0]), c_uint32(v[1])
    delta = 0x9E3779B8
    rounds = 33
    total = c_uint32(delta * rounds+0x66778899)

    for i in range(rounds):
        v1.value -= (((v0.value << 4) ^ (v0.value >> 5)) +
                     v0.value) ^ (total.value + key[(total.value >> 11) & 3])
        total.value -= delta
        v0.value -= (((v1.value << 5) ^ (v1.value >> 6)) +
                     v1.value) ^ (total.value + key[total.value & 3])

    return v0.value, v1.value


rc4_init(S, key)
cipher = rc4_xor(S, "12341234")
print(cipher)
value = [0]*2
value[0] = int.from_bytes(bytes(cipher[0:4]), 'little')
value[1] = int.from_bytes(bytes(cipher[4:8]), 'little')
print(encrypt(value, [0x6e982837, 0x44332211, 0x11223344, 0x3728986e]))
cipher = decrypt([1690332198, 2660953638], [
    0x6e982837, 0x44332211, 0x11223344, 0x3728986e])
rc4_init(S, key)
flag = rc4_xor2(S, cipher[0].to_bytes(4, 'little') +
                cipher[1].to_bytes(4, 'little'))
print(flag)
# Modified XTEA, undone window by window from the last offset back to the first
if __name__ == "__main__":
    cipher = b'P\xd4\xc8\xc4\x8f\x84@\xeb2\x81\x8f\x85l\xb2+\x06\xbf\x055].\xe3}F\x8d5\x01p:\x80\x81\xc5\xe6q\xd3\xd6Pio\xe2nx\x14\xd8'
    cipher = list(cipher)
    print("cypher len:", len(cipher))
    print(f"cipher :{cipher}")
    # Four key words of 32 bits each, i.e. a 128-bit key
    tea_key = [0x6e982837, 0x44332211, 0x11223344, 0x3728986e]

    flag = b""
    for i in range(36, -1, -1):
        value = [0]*2
        value[0] = int.from_bytes(bytes(cipher[i:i+4]), 'little')
        value[1] = int.from_bytes(bytes(cipher[i+4:i+8]), 'little')
        value = decrypt(value, tea_key)
        # print(cipher)
        for l in range(4):
            cipher[i+l] = value[0].to_bytes(4, 'little')[l]
            cipher[i+4+l] = value[1].to_bytes(4, 'little')[l]
        # print(cipher)
    print(f"after xtea:{cipher}")
    rc4_init(S, key)
    flag = rc4_xor2(S, cipher)
    print(f"after rc4:{bytes(flag)}")

"""
Data is :  0x12345678 0x78563412
Encrypted data is :  0xae685ec7 0x59af4238
Decrypted data is :  0x12345678 0x78563412
"""
Output:
[226, 192, 169, 129, 151, 101, 142, 195]
(1690332198, 2660953638)
[49, 50, 51, 52, 49, 50, 51, 52]
cypher len: 44
cipher :[80, 212, 200, 196, 143, 132, 64, 235, 50, 129, 143, 133, 108, 178, 43, 6, 191, 5, 53, 93, 46, 227, 125, 70, 141, 53, 1, 112, 58, 128, 129, 197, 230, 113, 211, 214, 80, 105, 111, 226, 110, 120, 20, 216]
after xtea:[245, 207, 201, 144, 186, 121, 214, 227, 81, 34, 213, 44, 80, 233, 246, 153, 113, 77, 122, 222, 255, 68, 197, 171, 25, 55, 172, 232, 114, 182, 164, 14, 147, 134, 75, 195, 85, 54, 116, 25, 54, 162, 175, 69]
after rc4:b'DASCTF{Th1l_t8e1a_rc4_l8s_s8o_int9r3es4t1ng}'
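
The byte-by-byte sliding window described above, as an added example (not the author's or the challenge's code): the cipher constants are copied from the write-up's script, while the function names and the sample plaintext are constructed for illustration. It shows that only last-window-first decryption recovers the input, because every window except the last is overwritten by the windows that follow it.

```python
# Added illustration; not the challenge's or the write-up author's code.
# DELTA, ROUNDS, SUM0, TEA_KEY and the shift amounts are copied from the
# write-up's script. Function names and SAMPLE are constructed for this demo.
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B8
ROUNDS = 33
SUM0 = 0x66778899
TEA_KEY = [0x6E982837, 0x44332211, 0x11223344, 0x3728986E]
SAMPLE = b"constructed sample input, not the real flag"


def _mix(x, shl, shr, total, k):
    # Half-round term; callers reduce the result modulo 2**32.
    return (((x << shl) ^ (x >> shr)) + x) ^ (total + k)


def block_encrypt(v0, v1, key):
    """Modified XTEA on one 64-bit block (two 32-bit words)."""
    total = SUM0
    for _ in range(ROUNDS):
        v0 = (v0 + _mix(v1, 5, 6, total, key[total & 3])) & MASK
        total = (total + DELTA) & MASK
        v1 = (v1 + _mix(v0, 4, 5, total, key[(total >> 11) & 3])) & MASK
    return v0, v1


def block_decrypt(v0, v1, key):
    """Exact inverse of block_encrypt: same steps, reversed order."""
    total = (SUM0 + DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - _mix(v0, 4, 5, total, key[(total >> 11) & 3])) & MASK
        total = (total - DELTA) & MASK
        v0 = (v0 - _mix(v1, 5, 6, total, key[total & 3])) & MASK
    return v0, v1


def _apply_window(buf, offset, fn, key):
    # Transform the 8 bytes at `offset` in place (little-endian words).
    v0, v1 = struct.unpack_from("<II", buf, offset)
    struct.pack_into("<II", buf, offset, *fn(v0, v1, key))


def slide_encrypt(data, key=TEA_KEY):
    """Encrypt windows [0:8], [1:9], [2:10], ... writing each result back."""
    buf = bytearray(data)
    for offset in range(len(buf) - 7):
        _apply_window(buf, offset, block_encrypt, key)
    return bytes(buf)


def slide_decrypt(data, key=TEA_KEY, reverse=True):
    """Undo slide_encrypt; reverse=False shows the wrong (forward) order."""
    buf = bytearray(data)
    last = len(buf) - 8
    order = range(last, -1, -1) if reverse else range(last + 1)
    for offset in order:
        _apply_window(buf, offset, block_decrypt, key)
    return bytes(buf)


if __name__ == "__main__":
    ct = slide_encrypt(SAMPLE)
    print("reverse order:", slide_decrypt(ct))
    print("forward order:", slide_decrypt(ct, reverse=False))
```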

ezelf

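Check the file.

64-bit.
Opening it reveals OLLVM.

Try D810.

The result is unacceptable.
deflat does a decent job; use deflat's flat_control_flow.

cipher1

cipher2

The first encryption is RC4 + XXTEA.

After deflat the code structure may have changed; for example, the XXTEA loop structure here is not quite right. Cross-check against the original file or against a version deobfuscated with an OLLVM deobfuscator.
I looked over the basic structure: the parameters are unchanged, rounds is 16 and n is 8. The one slightly unusual thing is the &7, which should really be read as &n. A reference XXTEA implementation is useful for comparison.

In each inner loop over n, the last iteration needs v[0] as its parameter, and the &n lets p wrap around inside a single loop: y = v[(p+1)&n] takes y from v[1] through v[n-1] and then back to v[0], all within 0~n.
Some variables were tidied up after this step.

This is presumably the XXTEA key; it can be checked against dynamic debugging.

This should be the RC4 key (a blind guess).

Trying to decrypt the first cipher, XXTEA produces something while RC4 produces nothing useful; actual debugging suggests RC4 is not used yet?
xxtea: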

from ctypes import *


def MX(z, y, total, key, p, e):
    temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    temp2 = (total.value ^ y.value) + (key[(p & 3) ^ e.value] ^ z.value)

    return c_uint32(temp1 ^ temp2)


def encrypt(n, v, key):
    delta = 0x11451400
    rounds = 16

    total = c_uint32(0)
    z = c_uint32(v[n-1])
    e = c_uint32(0)

    while rounds > 0:
        total.value += delta
        e.value = (total.value >> 2) & 3
        for p in range(n-1):
            y = c_uint32(v[p+1])
            v[p] = c_uint32(v[p] + MX(z, y, total, key, p, e).value).value
            z.value = v[p]
        y = c_uint32(v[0])
        v[n-1] = c_uint32(v[n-1] + MX(z, y, total, key, n-1, e).value).value
        z.value = v[n-1]
        rounds -= 1

    return v


def decrypt(n, v, key):
    delta = 0x11451400
    rounds = 16

    total = c_uint32(rounds * delta)
    y = c_uint32(v[0])
    e = c_uint32(0)

    while rounds > 0:
        e.value = (total.value >> 2) & 3
        for p in range(n-1, 0, -1):
            z = c_uint32(v[p-1])
            v[p] = c_uint32((v[p] - MX(z, y, total, key, p, e).value)).value
            y.value = v[p]
        z = c_uint32(v[n-1])
        v[0] = c_uint32(v[0] - MX(z, y, total, key, 0, e).value).value
        y.value = v[0]
        total.value -= delta
        rounds -= 1

    return v


#  test
if __name__ == "__main__":

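    # XXTEA can encrypt more than 64 bits per call; in the standard algorithm
    # the round count depends on the data length (this variant fixes it at 16)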
    cipher = b'\xb4\xb5ZB\xa6y\x0b\xac\x0e#x\xde\xe1-\xc6\x1d\xbb)\x8c\xe2\x94\xfe\x14\xd9\xaa\x03\xe3\x8a\x14\x92\x1cd'
    # cipher = b'01234567890123456790123465789012'
    key = [0xb, 0x2d, 0xe, 0x309]
    v = [0] * (len(cipher)//4)
    print("cipher len:", len(cipher))
    # Convert the ciphertext from bytes into little-endian 32-bit ints
    for i in range(0, len(cipher), 4):
        if isinstance(cipher, bytes):
            v[i//4] = int.from_bytes(cipher[i:i+4], 'little')
        elif isinstance(cipher, list):
            try:
                v[i//4] = (ord(cipher[i]) | (ord(cipher[i+1]) << 8) |
                           (ord(cipher[i+2]) << 16) | (ord(cipher[i+3]) << 24))
            except TypeError:  # the list already holds ints
                v[i//4] = ((cipher[i]) | ((cipher[i+1]) << 8) |
                           ((cipher[i+2]) << 16) | ((cipher[i+3]) << 24))

    k = key
    n = len(v)
    for i in v:
        print(hex(i), end=" ")
    print()
    for i in k:
        print(hex(i), end=" ")
    print()
    res = decrypt(8, v, k)
    flag = b''
    for i in res:
        flag += i.to_bytes(4, 'little')
    print(flag)

Later I came across a function that looked like the RC4 encryption:

int *__fastcall sub_403A90(int *a1)
{
  int *result; // rax
  _QWORD v2[10]; // [rsp+0h] [rbp-B0h] BYREF
  int i; // [rsp+54h] [rbp-5Ch]
  int *v4; // [rsp+58h] [rbp-58h]
  int **v5; // [rsp+60h] [rbp-50h]
  int *v6; // [rsp+68h] [rbp-48h]
  int *v7; // [rsp+70h] [rbp-40h]
  int v8; // [rsp+78h] [rbp-38h]
  bool v9; // [rsp+7Fh] [rbp-31h]
  int *v10; // [rsp+80h] [rbp-30h]
  int v11; // [rsp+8Ch] [rbp-24h]
  int v12; // [rsp+90h] [rbp-20h]
  int v13; // [rsp+94h] [rbp-1Ch]
  int *v14; // [rsp+98h] [rbp-18h]
  _DWORD v15[2]; // [rsp+A0h] [rbp-10h] BYREF
  int *v16; // [rsp+A8h] [rbp-8h]
  __int64 savedregs; // [rsp+B0h] [rbp+0h] BYREF

  v2[9] = a1;
  v5 = (int **)&v2[-2];
  i = 1498122419;
  v6 = (int *)&savedregs;
  v7 = v15;
  v4 = a1;
  *v5 = (int *)v2[8];
  *v4 ^= pbox[0];
  *v7 = 1;
  for ( i = -391087700; ; i = -391087700 )
  {
    v8 = *v7;
    v9 = v8 <= 16;
    i = 1128705075;
    if ( v8 > 16 )
      break;
    v10 = v4;
    i = -211233099;
    *v6 = *v4;
    v11 = **v5;
    v12 = dword_40A500[(unsigned __int8)BYTE2(*v6)] + sbox[HIBYTE(*v6)];
    v13 = dword_40A900[(unsigned __int8)BYTE1(*v6)];
    v14 = &sbox[(unsigned __int8)*v6 + 768];
    i = 822856190;
    *v4 = (*v14 + v13) ^ v12 ^ v11;
    **v5 = *v6;
    i = 1380722011;
    v15[0] = *v7 + 1;
    *v7 = v15[0];
  }
  v15[1] = dword_40A0E4;
  i = 2118140716;
  **v5 ^= dword_40A0E4;
  *v6 = *v4;
  v16 = *v5;
  i = 1584127650;
  *v4 = *v16;
  result = *v5;
  **v5 = *v6;
  return result;
}

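It takes the parameters produced by the earlier rc4_init, but it is clear from the code that this is not RC4.
Combined with the challenge's hint, we can guess that it is Blowfish.

The encryption part is slightly modified.

left is XORed with pbox[0] at the start, but is no longer XORed with pbox[N+1] at the end, and the rounds no longer XOR with pbox either. In other words pbox is XORed in only once and everything inside the loop is XORed with sbox values, which is roughly RC4's style of encryption.

In the reconstructed encryption, xl is left; the names left and right follow the naming used in Blowfish blog posts found online.

A quick reverse analysis:
In the forward direction, next_left is computed from left and right, while next_right stores this round's initial left without further computation, acting as saved state.
That is:
left+right->next_left
left->next_right
So within one round, left can be obtained directly from next_right, and right can then be recovered from left and next_left, that is:
next_right->left
next_left+left->right

PS: note that encrypt swaps left and right once at the end, and also XORs with pbox[0] at the start and pbox[18] at the end.

Full implementation of the algorithm: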



sbox = [[0x00000179, 0x000001BE, 0x243F6B50, 0x00000164, 0x243F6ABF, 0x243F6B94, 0x00000175, 0x243F6B20, 0x0000009A, 0x00000056, 0x243F6B1F, 0x000001E3, 0x243F6BE8, 0x243F6A16, 0x000000F7, 0x243F6B88, 0x000001BD, 0x000001BC, 0x243F6A41, 0x000000FB, 0x243F6B18, 0x243F6A04, 0x0000003D, 0x243F6B22, 0x000000F0, 0x00000042, 0x243F6BF5, 0x000000E0, 0x243F6A7F, 0x243F6A9A, 0x0000009C, 0x243F6A8C, 0x000001AD, 0x00000116, 0x243F6AF7, 0x000001C0, 0x243F6BBD, 0x243F6A2F, 0x0000016A, 0x0000079B, 0x243F6D8B, 0x000001CA, 0x000006A3, 0x243F6C37, 0x243F6A65, 0x243F6A6F, 0x0000018D, 0x00000617, 0x243F6DEA, 0x00000059, 0x000007CB, 0x243F6D22, 0x243F6B05, 0x243F6A2B, 0x0000007A, 0x00000717, 0x243F6CC1, 0x000001A2, 0x000007D3, 0x243F6D93, 0x243F6A5A, 0x243F6A5C, 0x00000041, 0x000007B6, 0x243F6D71, 0x00000139, 0x000006B7, 0x243F6D90, 0x243F6A2F, 0x243F6BF5, 0x00000026, 0x0000069D, 0x243F6D9A, 0x000001BF, 0x00000709, 0x243F6C54, 0x243F6AE9, 0x243F6BF7, 0x00000054, 0x00000752, 0x243F6C2C, 0x000000FA, 0x0000073A, 0x243F6C82, 0x243F6BB7, 0x243F6A09, 0x000000DA, 0x000007AF, 0x243F6C34, 0x000001E8, 0x000006E6, 0x243F6CCC, 0x243F6B05, 0x243F6AB7, 0x00000196, 0x00000693, 0x243F6C4D, 0x0000013B, 0x00000734, 0x243F6D31, 0x243F6B96, 0x243F6BD7, 0x00000110, 0x000007C2, 0x243F6DA1, 0x00000146, 0x00000795, 0x243F6C7A, 0x243F6A1F, 0x243F6A52, 0x00000087, 0x00000645, 0x243F6D74, 0x00000199, 0x00000707, 0x243F6C52, 0x243F6B1C, 0x243F6B6C, 0x00000138, 0x000006D7, 0x243F6D5C, 0x000000CA, 0x0000077A, 0x243F6DC3, 0x243F6A68, 0x243F6BC7, 0x0000008F, 0x000006CA, 0x243F6D11, 0x000001F2, 0x0000076E, 0x243F6CA9, 0x243F6A75, 0x243F6BC9, 0x00000135, 0x0000078A, 0x243F6D76, 0x00000013, 0x00000780, 0x243F6C46, 0x243F6BEB, 0x243F6A5B, 0x000000EB, 0x00000795, 0x243F6D4B, 0x0000004A, 0x000006C0, 0x243F6DDA, 0x243F6B71, 0x243F6A17, 0x000001E3, 0x00000667, 0x243F6C1B, 0x000000AF, 0x0000062A, 0x243F6DDE, 0x243F6B53, 0x243F6B4F, 0x0000019E, 0x00000613, 0x243F6D53, 0x000001EC, 0x0000076B, 0x243F6D78, 0x243F6B84, 
0x243F6A1C, 0x00000009, 0x000006D8, 0x243F6CD1, 0x0000012B, 0x00000641, 0x243F6D10, 0x243F6A1C, 0x243F6A61, 0x00000104, 0x00000646, 0x243F6D6D, 0x0000000A, 0x0000061F, 0x243F6D92, 0x243F6A81, 0x243F6AE0, 0x0000017D, 0x00000666, 0x243F6C1D, 0x0000017B, 0x000007E6, 0x243F6C39, 0x243F6BE1, 0x243F6B23, 0x000000CA, 0x000006E5, 0x243F6D5A, 0x00000034, 0x0000079C, 0x243F6C18, 0x243F6B0F, 0x243F6AB2, 0x000000FC, 0x00000702, 0x243F6D7A, 0x0000005E, 0x000007D8, 0x243F6D9E, 0x243F6B03, 0x243F6A3A, 0x00000137, 0x00000619, 0x243F6C1C, 0x00000070, 0x0000071E, 0x243F6CB7, 0x243F6A42, 0x243F6A37, 0x00000150, 0x000007BB, 0x243F6D5A, 0x00000075, 0x0000071A, 0x243F6DCA, 0x243F6A48, 0x243F6B5B, 0x000001AA, 0x0000069C, 0x243F6D9D, 0x0000001B, 0x00000720, 0x243F6D57, 0x243F6B10, 0x243F6BE8, 0x000000FD, 0x00000656, 0x243F6CF4, 0x00000047, 0x00000686, 0x243F6C0B, 0x243F6BD9, 0x243F6BD8, 0x00000130, 0x000007DE, 0x243F6D74, 0x00000002, 0x000007F3, 0x243F6D4B, 0x243F6A41, 0x243F6B50, 0x00000033, 0x00000624, 0x243F6DC5, 0x00000133, 0x00000645, 0x243F6DCC, 0x243F6B43, 0x243F6B41, 0x000000E9, 0x00000753], [0x243F6D0A, 0x000000D7, 0x243F6A70, 0x243F6CA6, 0x000006A7, 0x243F6B0C, 0x000001B5, 0x00000760, 0x243F6CEB, 0x000000EE, 0x243F6ADE, 0x243F6D02, 0x00000743, 0x243F6A5C, 0x000000DC, 0x000006D9, 0x243F6DC6, 0x000001DD, 0x243F6A12, 0x243F6DFF, 0x00000732, 0x243F6B80, 0x000001AC, 0x000007D5, 0x243F6D06, 0x000000C5, 0x243F6B51, 0x243F6D2B, 0x000006DC, 0x243F6A2D, 0x00000055, 0x000006FC, 0x243F6D7D, 0x000001D0, 0x243F6AA3, 0x243F6C75, 0x0000061A, 0x243F6A2A, 0x00000101, 0x000006F0, 0x243F6C4D, 0x00000138, 0x243F6A75, 0x243F6CA9, 0x000007FC, 0x243F6B27, 0x00000123, 0x000006C5, 0x243F6D32, 0x0000003B, 0x243F6A23, 0x243F6CB3, 0x00000686, 0x243F6B1A, 0x00000107, 0x00000608, 0x243F6DFD, 0x000001E8, 0x243F6BBB, 0x243F6D08, 0x0000062B, 0x243F6B94, 0x000000A1, 0x0000075A, 0x243F6CDC, 0x000000FB, 0x243F6B69, 0x243F6DD6, 0x00000655, 0x243F6ADD, 0x000000DD, 0x000007DC, 0x243F6DBD, 0x00000068, 0x243F6B0C, 
0x243F6C95, 0x00000745, 0x243F6B15, 0x000001C9, 0x00000754, 0x243F6D3A, 0x0000003D, 0x243F6B34, 0x243F6DD6, 0x000006E1, 0x243F6A4E, 0x0000004E, 0x00000776, 0x243F6D6C, 0x000000F3, 0x243F6B5D, 0x243F6CEF, 0x000007F9, 0x243F6B68, 0x000001D0, 0x000007BB, 0x243F6DC9, 0x00000164, 0x243F6A2B, 0x243F6C43, 0x00000670, 0x243F6A8A, 0x0000007B, 0x000006DC, 0x243F6DAD, 0x000000FC, 0x243F6B51, 0x243F6CE4, 0x00000760, 0x243F6AF2, 0x00000004, 0x000006B5, 0x243F6D8E, 0x0000018C, 0x243F6B3C, 0x243F6D44, 0x0000071A, 0x243F6ADD, 0x0000002E, 0x0000075A, 0x243F6DCE, 0x00000120, 0x243F6BFB, 0x243F6D9F, 0x000007B1, 0x243F6BCC, 0x00000063, 0x0000068A, 0x243F6C2D, 0x00000034, 0x243F6A0C, 0x243F6D0A, 0x000006D7, 0x243F6B8B, 0x00000112, 0x000006EE, 0x243F6DF2, 0x000000AF, 0x243F6A7C, 0x243F6C01, 0x00000628, 0x243F6B11, 0x0000005D, 0x00000657, 0x243F6CE0, 0x0000008A, 0x243F6B43, 0x243F6C86, 0x00000682, 0x243F6B31, 0x0000003B, 0x000007A5, 0x243F6CF5, 0x00000058, 0x243F6B6B, 0x243F6DA1, 0x00000657, 0x243F6B40, 0x0000008E, 0x000006F1, 0x243F6C5E, 0x00000031, 0x243F6A50, 0x243F6CBD, 0x00000721, 0x243F6BF3, 0x0000019E, 0x00000766, 0x243F6C8A, 0x0000008D, 0x243F6B1B, 0x243F6C2B, 0x0000076D, 0x243F6BCA, 0x0000019D, 0x000007BD, 0x243F6C64, 0x000001F6, 0x243F6B7C, 0x243F6D1B, 0x00000735, 0x243F6BB3, 0x000000B0, 0x000006B1, 0x243F6D6A, 0x000000DD, 0x243F6BC6, 0x243F6CC0, 0x000007E2, 0x243F6A78, 0x0000004B, 0x00000639, 0x243F6D29, 0x000001DF, 0x243F6BB1, 0x243F6CD2, 0x000006E6, 0x243F6B54, 0x000001E0, 0x000007CC, 0x243F6C8D, 0x000000C7, 0x243F6B33, 0x243F6C98, 0x00000666, 0x243F6B02, 0x000001C8, 0x0000071D, 0x243F6CC3, 0x000000BF, 0x243F6AA3, 0x243F6DE8, 0x000006E9, 0x243F6BEF, 0x000000DB, 0x00000660, 0x243F6DB8, 0x000001DD, 0x243F6BD5, 0x243F6C87, 0x0000072C, 0x243F6BAA, 0x000001F5, 0x00000663, 0x243F6DB3, 0x00000069, 0x243F6A29, 0x243F6C6A, 0x000006EB, 0x243F6B17, 0x00000137, 0x0000071B, 0x243F6CF1, 0x00000193, 0x243F6A00, 0x243F6D1A, 0x000006FF, 0x243F6B0E, 0x00000021, 0x000007B1, 0x243F6D28, 
0x000001BE, 0x243F6BEA, 0x243F6DB3, 0x00000787, 0x243F6B74, 0x00000104, 0x00000736, 0x243F6CBE, 0x00000089, 0x243F6A05, 0x243F6C0C, 0x000007AE, 0x243F6A08, 0x00000142, 0x000006B0], [0x243F6DD9, 0x0000017F, 0x243F6A57, 0x0000012C, 0x243F6A21, 0x243F6B8B, 0x000000C6, 0x000018C5, 0x243F6ACE, 0x243F6C4B, 0x0000067A, 0x243F6A2B, 0x243F6F63, 0x00001C37, 0x000019D3, 0x00000114, 0x00001C6A, 0x243F73C0, 0x00001819, 0x243F740E, 0x243F7446, 0x243F73F7, 0x243F7319, 0x00000004, 0x243F683B, 0x243F7154, 0x243F6CD1, 0x00001B40, 0x000007D2, 0x00001A18, 0x243F6047, 0x000019FF, 0x243F6828, 0x0000120F, 0x243F788D, 0x00000358, 0x243F755C, 0x00001D78, 0x243F6EC0, 0x243F7510, 0x00000CB6, 0x00000259, 0x243F6AC6, 0x243F605F, 0x000010D7, 0x243F7496, 0x000006CA, 0x00001B44, 0x243F77E8, 0x243F750D, 0x00001E97, 0x243F74E5, 0x00001F57, 0x00000388, 0x000019A3, 0x243F6DF6, 0x243F74D4, 0x00000BD2, 0x243F782D, 0x00001DE7, 0x243F7596, 0x243F6E9E, 0x000005B8, 0x243F64B7, 0x243F7743, 0x243F79C4, 0x00000D70, 0x243F7230, 0x00000167, 0x00000FD2, 0x243F67CF, 0x0000028A, 0x243F6DAA, 0x00000914, 0x00000C6C, 0x000018C1, 0x243F6FD0, 0x00000D73, 0x243F7FFB, 0x000005DB, 0x243F728A, 0x0000109A, 0x243F7838, 0x243F6A4F, 0x00000590, 0x243F60EC, 0x00001ECE, 0x000018AE, 0x243F7780, 0x243F6C0D, 0x243F6944, 0x00001F7E, 0x243F6C54, 0x00001A3C, 0x243F69BD, 0x00001C8C, 0x243F6735, 0x243F6B1C, 0x00000E62, 0x243F6BAC, 0x243F77D8, 0x00000610, 0x00001C91, 0x243F72D8, 0x000002C3, 0x000006B5, 0x243F6EFD, 0x000004FA, 0x243F7964, 0x000000C1, 0x243F6B31, 0x00000FC6, 0x243F6599, 0x243F6FC0, 0x000016D1, 0x243F7E5C, 0x0000161A, 0x000001C2, 0x243F72FB, 0x00001AF6, 0x243F630A, 0x243F677E, 0x243F75A2, 0x0000008F, 0x243F612D, 0x000005C4, 0x00001739, 0x00001A95, 0x243F7163, 0x00001517, 0x243F73A9, 0x243F7B9F, 0x243F6605, 0x243F789F, 0x243F78D9, 0x243F6481, 0x00000407, 0x00001402, 0x243F76DD, 0x243F6C84, 0x243F65DE, 0x0000085E, 0x243F613E, 0x00001BE3, 0x243F6A7D, 0x000016B9, 0x00001A72, 0x243F7DE6, 0x243F6E50, 0x243F6582, 0x000001B3, 
0x243F7A6A, 0x00001A0D, 0x0000195F, 0x243F6CEE, 0x243F6B4B, 0x00001517, 0x00000F71, 0x00001733, 0x00001304, 0x243F6D4A, 0x243F73EC, 0x000014C1, 0x00000D60, 0x00001A0A, 0x243F65C5, 0x243F6362, 0x000007DF, 0x0000090D, 0x000002B4, 0x243F7F3E, 0x00000E12, 0x243F7DB5, 0x243F709F, 0x243F712C, 0x243F638E, 0x243F77A0, 0x00000089, 0x243F7B1A, 0x00000763, 0x243F7C76, 0x243F6F14, 0x243F7626, 0x000009C4, 0x243F77BC, 0x243F6C86, 0x243F7FD2, 0x00000600, 0x243F76A8, 0x243F6F27, 0x0000047F, 0x000006DE, 0x243F78B8, 0x243F6DC0, 0x00001238, 0x243F7FF0, 0x243F66DE, 0x243F6E3F, 0x00000860, 0x000019ED, 0x000007B5, 0x00000C92, 0x243F70FE, 0x243F6DB7, 0x243F7049, 0x243F6BFF, 0x243F6C8F, 0x0000017F, 0x243F7510, 0x243F7C75, 0x00001AE7, 0x000015B8, 0x000009F6, 0x0000038E, 0x243F614F, 0x243F7A8B, 0x243F696F, 0x00001871, 0x243F7670, 0x243F699C, 0x243F7707, 0x243F6622, 0x243F643A, 0x000017B5, 0x0000170B, 0x00001405, 0x243F7819, 0x243F6A96, 0x243F6815, 0x00000892, 0x243F7699, 0x243F7FB6, 0x243F7F3F, 0x00000EF4, 0x243F777E, 0x000005C3, 0x0000006B, 0x00001984, 0x00001B5F, 0x000010CC, 0x00000155, 0x243F7738, 0x00001A56, 0x00000709, 0x00001DE0, 0x243F6CA6, 0x243F7F68, 0x243F7230, 0x00001280, 0x243F6E81, 0x00001078, 0x00001D32, 0x243F68BD, 0x00000818, 0x243F6311, 0x243F675C], [0x243F78C4, 0x243F753E, 0x243F736D, 0x243F75C4, 0x243F7B49, 0x243F6182, 0x243F7736, 0x487EDA66, 0x6C41AE95, 0x00000ED2, 0x243F68E7, 0x243F51D9, 0x243F4D7E, 0x00001881, 0x487EFA5B, 0x243F50D5, 0x00003A76, 0x00004BFD, 0x000042CC, 0x243F5740, 0x4881D4F4, 0x243F3454, 0x487E9D94, 0x24C0BCA1, 0x24C0A52D, 0x6C41ECE3, 0x243FAFD6, 0x00FFCA25, 0x24C0A4AC, 0x6C418D7F, 0x0000322D, 0x24C0BC9A, 0xB4418102, 0x243F458F, 0x90FE5500, 0xFC3F4317, 0xD8003DE3, 0xD880B029, 0xD88067D2, 0xFD414299, 0x6D3F9C8A, 0x680273CD, 0x4C3D6B79, 0x907ED9F3, 0xD8005409, 0x4C3D9464, 0x04BC53DA, 0x9100426C, 0x01805807, 0x4CC294D4, 0x91FD752E, 0xB4BE1640, 0x48010E11, 0xE3032424, 0xE37C4473, 0x48012FF8, 0x48014B78, 0xE37C0627, 0x8B7EECC2, 0x6C3EE5FB, 0xFC3FB6E8, 
0xAB02DFA6, 0x1E3DA9CE, 0xB3FA7DB4, 0x97C4E4E9, 0x6EBFFAE7, 0x3DBE4086, 0xDB3BD655, 0x9180AE11, 0x74402D92, 0xE4C0B226, 0x417E59CF, 0x2D3E9A98, 0x74C0161F, 0x3CBED7FF, 0x65404821, 0xBA7D1866, 0x453CFEF2, 0x4EF981B4, 0x63065FB2, 0xBBF9EB62, 0x6604C332, 0xC1409279, 0xCE3B5B30, 0xA27A27C0, 0xA402D0DB, 0xA402A165, 0x6A38B205, 0x9E4030AD, 0x8143D678, 0x81BCEF4A, 0x2A01BF61, 0xC33CB9D4, 0xA58387B8, 0xA5839152, 0x5C7FE1E9, 0x79BE6BC7, 0xD6FEA602, 0x9E80BA77, 0xD4BF5F2C, 0x7403D770, 0x63C1B0E9, 0xE683FB24, 0x8806F26D, 0x313A14C9, 0xF0FDD92D, 0x257EF53D, 0x6FFBD242, 0x93BB1CE6, 0x23F9C6D3, 0x40B9FEED, 0x247C6C25, 0xA5BE678D, 0xD1056FF7, 0x41047DD2, 0x3339C309, 0x2084BA70, 0x94B8F697, 0xBFBB7643, 0xCD40FE71, 0x18C7E438, 0x9FFA5966, 0x6DFBE110, 0xD9C73A1C, 0x8E8409F9, 0x457A62B9, 0x61BB67C5, 0xA34394F8, 0x133EC8BB, 0xD4044FDD, 0x37C2F42A, 0xD27CB5F5, 0xFA4385E6, 0xDB463532, 0xE77C83DB, 0x627AF59D, 0xB2BEF94C, 0x9538FC45, 0x94C780B8, 0xCE7D1809, 0x3600DB13, 0xD4043B07, 0x823978D3, 0xC941E157, 0xCF3B9C59, 0x1BBE0DBF, 0x45B82831, 0x2FBA2022, 0xBA404B95, 0xFBC6E8E9, 0x6BB97E01, 0xFE856CA4, 0xE0F86BE2, 0x417CFCC8, 0x593E2226, 0xCFC24E4C, 0x7A0120B8, 0x497C2328, 0xDABA34D7, 0xE4FEF97A, 0x30F9F8F0, 0xA3008CE8, 0x53042AB9, 0xDCC61F48, 0x413C8D0D, 0xF58629DF, 0xFE86F2F4, 0x9D7DC3B9, 0x78C46C05, 0x0F0042A4, 0xE0C6DC69, 0xF03965FE, 0x0D392FF5, 0x96BD28CC, 0x5007B425, 0xB23A094E, 0x78C58334, 0x554534AD, 0x76BB974C, 0xCE463A66, 0x503E5C7E, 0xECC6E9D5, 0xB2BC9A65, 0x7EFA2172, 0x9CBC1C30, 0x8ABB77E4, 0xC405B76D, 0x957E308C, 0x33C63316, 0x4538C965, 0x9E7DEEC8, 0x52429D62, 0x12477299, 0x5B06AB74, 0xE230A2BD, 0xECC0E3FC, 0x3BBB450A, 0xDD08DCAF, 0x85310C1D, 0xD6BF06E5, 0x8EFA5117, 0x008ED76D, 0xE60CBBDB, 0x153F2D29, 0x40036983, 0xCECDFD2E, 0xFBB1B2D1, 0x7545E297, 0xE8358074, 0x8DF723F0, 0xA23629D2, 0x5FCBD770, 0x94BB0B3F, 0xCC884977, 0x8DF5FC17, 0xA2F3EFA9, 0x0032BD44, 0x454EB69F, 0x52361CBE, 0x284A2C50, 0x808DB6EF, 0x100C2C87, 0xC231A257, 0xF649F162, 0x34744D4A, 0xA1C8D102, 0xA4BB9290, 
0xD0889351, 0x880D0584, 0xD947E8F7, 0x6773EB5C, 0x150E2584, 0x0F75E358, 0xE5F772E0, 0x9F383204, 0x75F4A824, 0x20B41979, 0x7141F2E2, 0x2889B099, 0x3A48D877, 0x0D8FEB17, 0xBB82ED5A, 0x137E775D, 0x1489F19C, 0x1D4E3534, 0xEBF75BE4, 0x638042BA, 0x88B12A5F, 0x1B731B37, 0x7340DC9D, 0x86BF7902, 0x310D3C12, 0x00F6DEFE, 0xFF3B2E2F, 0x2748AF3A, 0xC6BE79AE]
        ]
cipher = [0x8DF0B770, 0x4B1EB28E, 0x73C65C1C, 0x53DE48FD,
          0x982EDF34, 0xD8229123, 0x90271182, 0x1F4271E7]

flag = b''
for i in range(0, len(cipher), 2):
    # Undo the final swap and the XOR applied at the end of encrypt
    left = cipher[i+1]
    right = cipher[i] ^ 0x243F6BA8
    for l in range(16):
        # next_right -> left, then next_left combined with left -> right
        prev_left = right
        prev_right = left ^ (sbox[0][right >> 24] + sbox[1][right >> 16 & 0xff]) ^ (
            sbox[2][right >> 8 & 0xff] + sbox[3][right & 0xff])
        left = prev_left
        right = prev_right & 0xffffffff
    # Undo the XOR applied at the start of encrypt
    left ^= 0x125
    flag += left.to_bytes(4, 'little') + right.to_bytes(4, 'little')
print(flag)
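
An added round-trip check of the inversion rule above (not code from the original post): the round function and the two XOR constants follow the write-up's script, while the S-box tables, function names and sample plaintext are constructed stand-ins. It models the forward direction as read from the decompilation and shows that the inverse only ever evaluates F forwards, so F itself never has to be invertible.

```python
# Added illustration; not the challenge's or the write-up author's code.
# HEAD_XOR, TAIL_XOR and the shape of f() follow the write-up's script.
# The S-box contents, function names and SAMPLE are constructed stand-ins.
import hashlib
import struct

MASK = 0xFFFFFFFF
ROUNDS = 16
HEAD_XOR = 0x125        # XORed into left before the first round
TAIL_XOR = 0x243F6BA8   # XORed in after the last round
SAMPLE = b"constructed 16B!"


def make_sboxes(seed=b"constructed-demo-sbox"):
    """Four constructed 256-entry tables standing in for the binary's S-boxes."""
    boxes = []
    for n in range(4):
        stream = b"".join(hashlib.sha256(seed + bytes([n, c])).digest()
                          for c in range(32))
        boxes.append(list(struct.unpack("<256I", stream)))
    return boxes


def f(x, s):
    """Round function: two table sums XORed together (not a bijection)."""
    return ((s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) ^
            (s[2][(x >> 8) & 0xFF] + s[3][x & 0xFF])) & MASK


def encrypt_block(left, right, s):
    left ^= HEAD_XOR
    for _ in range(ROUNDS):
        # next_left = F(left) ^ right, next_right = left
        left, right = f(left, s) ^ right, left
    right ^= TAIL_XOR
    return right, left          # final swap: stored as (right, left)


def decrypt_block(c0, c1, s):
    left, right = c1, c0 ^ TAIL_XOR     # undo the swap and the trailing XOR
    for _ in range(ROUNDS):
        # next_right -> left, next_left ^ F(left) -> right
        left, right = right, left ^ f(right, s)
    return left ^ HEAD_XOR, right


def encrypt_bytes(data, s):
    """Encrypt a multiple of 8 bytes; returns the list of 32-bit words."""
    words = struct.unpack("<%dI" % (len(data) // 4), data)
    out = []
    for i in range(0, len(words), 2):
        out.extend(encrypt_block(words[i], words[i + 1], s))
    return out


def decrypt_words(words, s):
    """Inverse of encrypt_bytes, laid out like the write-up's final loop."""
    out = b""
    for i in range(0, len(words), 2):
        out += struct.pack("<II", *decrypt_block(words[i], words[i + 1], s))
    return out


if __name__ == "__main__":
    boxes = make_sboxes()
    words = encrypt_bytes(SAMPLE, boxes)
    print([hex(w) for w in words])
    print(decrypt_words(words, boxes))
```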

ezAndroid

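This challenge tests whether you can decrypt Lua files encrypted by luajava.
The key to decryption is analyzing the encryption function; in this challenge the encryption sits in the usual luaL_loadbufferx function (see other articles that analyze luajava).
I wrote a Python script that decrypts the Lua file for this challenge's encryption:
https://github.com/Airrcat/luajava_decode
Decryption yields luac bytecode, which can be decompiled with tools such as unluac or with online decompilers; for this challenge https://luadec.metaworm.site/ gave the better result.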
exp:

from ctypes import *
cipher = [863918170,
          366827450,
          2944604520,
          1314064158,
          2534040034,
          1250268803,
          3402278143,
          1361039932,
          3087907484,
          3107271874]
key = [
    5976,
    40857,
    3298229483,
    1500946329
]


def decrypt(v, key):
    v0, v1 = c_uint32(v[0] ^ 14), c_uint32(v[1] ^ 17)
    delta = 0x80D6732B
    rounds = 38
    total = c_uint32(delta * rounds)

    for i in range(rounds):
        v1.value -= (((v0.value << 4) ^ (v0.value >> 5)) +
                     v0.value) ^ (total.value + key[(total.value >> 11) & 3])
        v0.value -= (((v1.value << 4) ^ (v1.value >> 5)) +
                     v1.value) ^ (total.value + key[total.value & 3])
        total.value -= delta

    return v0.value, v1.value


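# Modified XTEA: the ciphertext words are XORed with 14 / 17 first, and the sum is stepped after both half-rounds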
if __name__ == "__main__":

    value = cipher
    print("cypher len:", len(cipher))

    flag = b""
    for i in range(0, len(value), 2):
        res = decrypt(value[i:i+2], key)
        flag += res[0].to_bytes(4, 'big') + res[1].to_bytes(4, 'big')
    print(flag, len(flag))

"""
Data is :  0x12345678 0x78563412
Encrypted data is :  0xae685ec7 0x59af4238
Decrypted data is :  0x12345678 0x78563412
"""
