蓝桥杯-网络安全 reverse wp
https://dirtycow.cn/237.html
2024-04-27T10:18:00+08:00
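re1

用 IDA 打开,直接看伪代码(截图:image-20240427111249890.png)。

程序逻辑很简单:将输入保存到 buff,经过 cry 函数加密后,和密文 v6 进行比较。直接查看 cry 函数(截图:image-20240427111630697.png)。

经过分析,这是一个魔改的 XXTEA 加密,改了循环轮数和 DELTA 值。(注:常数 0x61C88647 是标准 DELTA 0x9e3779b9 的 32 位补码,两者相加为 2^32,所以 sum 加上它等价于减去标准 DELTA。)

写脚本解密 enc:

#include <stdio.h>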
#include <stdint.h>
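/* Standard TEA-family constant. Its 32-bit two's complement is 0x61C88647,
 * so "sum += 0x61C88647" and "sum -= DELTA" are the same operation. */
#define DELTA 0x9e3779b9

/*
 * Decrypt n 32-bit words of v in place with the challenge's XXTEA variant.
 *
 * The per-word mixing expression is the usual XXTEA one; what differs from
 * the reference cipher is the round count, 415 / n + 114 (the reference
 * uses 6 + 52 / n).
 *
 * v    buffer of at least n words; the caller guarantees the size, it is
 *      not checked here.
 * n    number of words to decrypt. Values below 1 are rejected: n == 0
 *      would divide by zero and a negative n would index outside v.
 * key  128-bit key as four 32-bit words.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned i, rounds, e;

    if (!v || !key || n < 1)
        return;

    rounds = 415 / n + 114;   /* modified round count */
    sum = rounds * DELTA;     /* value sum holds after the last encryption round */
    y = v[0];
    do {
        e = (sum >> 2) & 3;
        /* Walk backwards: undoing v[i] needs v[i-1] (still encrypted for
         * this round) and y = v[i+1] (already decrypted, wrapping to v[0]). */
        for (i = n - 1; i > 0; i--) {
            z = v[i - 1];
            v[i] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(i & 3) ^ e] ^ z)));
            y = v[i];
        }
        /* v[0] is handled last: its left neighbour wraps to v[n-1] and the
         * key index (i & 3) ^ e reduces to e because i is 0 here. */
        z = v[n - 1];
        v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[e] ^ z)));
        y = v[0];
        sum -= DELTA;
    } while (--rounds);
}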
// Driver: decrypts the ciphertext taken from the challenge binary in place
// and prints the resulting words as hexadecimal.
int main()
{
// Eleven 32-bit ciphertext words (the write-up's v6). Several literals carry
// an extra leading 0 from the disassembler's formatting; each value still
// fits in 32 bits.
uint32_t enc_data[] = {0x480AC20C,0x0CE9037F2,0x8C212018,0x0E92A18D,0x0A4035274,0x2473AAB1,0x0A9EFDB58,0x0A52CC5C8,0x0E432CB51,0x0D04E9223,0x6FD07093};
// 128-bit key as four 32-bit words.
uint32_t const k[4]= {0x79696755,0x67346F6C,0x69231231,0x5F674231};
// Word count handed to btea; it must match the length of enc_data, because
// btea indexes v[0..n-1] and cannot see the real array size.
int n= 11;
btea(enc_data, n, k);
// NOTE(review): i is int while the bound is size_t, so this is a
// signed/unsigned comparison; harmless for an 11-element array.
for(int i = 0; i < sizeof(enc_data)/sizeof(uint32_t); i++)
{
// "%x" prints each word as a number, most significant digit first and
// without zero padding. The bytes of every word therefore come out in the
// reverse of their little-endian memory order, and a word below 0x10000000
// prints fewer than 8 digits (the last word prints as 7d35 in the run shown
// below). "%08x", or printing byte by byte, would keep the hex string
// unambiguous for pairwise parsing.
printf("%x", enc_data[i]);
}
return 0;
}

运行结果:67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35

为了方便,使用 Python 将这段十六进制转换成 string:

enc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35"
for i in range(0,len(enc), 2):
    print(chr(int(enc[i:i+2], 16)),end="")

运行结果:galfcfe{f8fcc0-01-79-ce20e289c0-429d33e2}5

发现 flag 的顺序不对,应该是大小端序的原因(printf 的 %x 把每个 32 位字按数值从高位到低位打印,而小端内存中的字节顺序正好相反)。修改代码,每 4 个字符反转一次:

enc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35"
flag=''
for i in range(0,len(enc), 2):
    flag += chr(int(enc[i:i+2], 16))
for i in range(0,len(flag),4):
    print((flag[i:i+4][::-1]),end="")

运行结果:flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}

re2

直接上 IDA 查看伪代码(截图:image-20240427093116948.png、image-20240427093129676.png)。

这里是一堆赋值,最后将这些变量传入了 sub_401005 函数,跟进去查看(截图:image-20240427093427762.png)。

这就是个 RC4 加密,我们在 return 上打个断点就能看到解密后的数据(截图:image-20240427093458621.png)。

成功 get flag(截图:image-20240427093627803.png)。