第六届安洵杯网络安全挑战赛——牢大想你了

队友打穿了，就出了一个re第五题

找到Assembly-CSharp.dll，用dotpeek进行反编译，GameManager中定位关键代码直接找到了tea的密文密钥

此处是加密函数

  public uint[] BABBBBBBAAAAAABABBBAAAABBABBBAABABAAABABBAAABBA(uint ABBAABAAAAAABAAAABBBBBBABAABAAAABBBABBBAABBABBA, uint BAABBAAAAABABBAABBABBAABABABABABABAAABABBBABABA)
  {
    uint num1 = ABBAABAAAAAABAAAABBBBBBABAABAAAABBBABBBAABBABBA;
    uint num2 = BAABBAAAAABABBAABBABBAABABABABABABAAABABBBABABA;
    uint num3 = 0;
    uint num4 = 2654435769;
    uint[] bbababbbabbababaaabbbaabbaaaaaaabbbbbaabbaaaaaa = this.BBABABBBABBABABAAABBBAABBAAAAAAABBBBBAABBAAAAAA;
    for (int index = 0; index < 32; ++index)
    {
      num3 += num4;
      num1 += (uint) (((int) num2 << 4) + (int) bbababbbabbababaaabbbaabbaaaaaaabbbbbaabbaaaaaa[0] ^ (int) num2 + (int) num3 ^ (int) (num2 >> 5) + (int) bbababbbabbababaaabbbaabbaaaaaaabbbbbaabbaaaaaa[1]);
      num2 += (uint) (((int) num1 << 4) + (int) bbababbbabbababaaabbbaabbaaaaaaabbbbbaabbaaaaaa[2] ^ (int) num1 + (int) num3 ^ (int) (num1 >> 5) + (int) bbababbbabbababaaabbbaabbaaaaaaabbbbbaabbaaaaaa[3]);
    }
    return new uint[2]{ num1, num2 };
  }

跟进，进行解密，就是一个tea，得到了最终的flag，

#include<iostream>
using namespace std;

typedef unsigned int uint;

void decry(uint v[],uint k[]){
	uint v0=v[0];
	uint v1=v[1];
	uint delta = 2654435769;
	uint sum=delta*32;
	for (int index = 0; index < 32; ++index){
		v1-=((v0<<4)+k[2])^(v0+sum)^((v0>>5)+k[3]);
		v0-=((v1<<4)+k[0])^(v1+sum)^((v1>>5)+k[1]);
		sum -= delta;
	}
	int i;
	for (i = 0; i < 4; i++) {
        printf("%c", (v0 >> (8 * i)) & 0xff);
    }

    for (i = 0; i < 4; i++) {
        printf("%c", (v1 >> (8 * i)) & 0xff);
    }
}

int main(){
	uint data[] = {3363017039, 1247970816, 549943836, 445086378, 3606751618, 1624361316, 3112717362, 705210466, 3343515702, 2402214294, 4010321577, 2743404694};
    uint key[] = {286331153, 286331153, 286331153, 286331153};
    for (int i = 0; i < sizeof(data) / sizeof(unsigned int); i += 2) {
        decry(&data[i], key);
    }
	return 0;
}