强网——re

最新推荐文章于 2025-05-12 19:20:32 发布

z3L0ng

最新推荐文章于 2025-05-12 19:20:32 发布

阅读量386

点赞数 9

文章标签： python 网络安全安全

本文链接：https://blog.youkuaiyun.com/qq_62844354/article/details/135188497

版权

Ezre

打开Ida翻到这个函数

这里面有两个盒子，查出来是sm4解密即可

Ezre 强网先锋

起调试长度为32

调试断点取每个的表的值

第一次base64encode :

1+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr

第二次base64decode:

FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8

第三次base64encode:

Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA

第四次 base64decode:

pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a

第五次 base64encode:

p1xXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6

这里还有一次加密

需要逆向，v7的值，不知道为什么我的main函数无法去平坦化，只有内部函数可以

data = [0x3A, 0x2C, 0x4B, 0x51, 0x68, 0x46, 0x59, 0x63, 0x24, 0x04,0x5E, 0x5F, 0x00, 0x0C, 0x2B, 0x03, 0x29, 0x5C, 0x74, 0x70,0x6A, 0x62, 0x7F, 0x3D, 0x2C, 0x4E, 0x6F, 0x13, 0x06, 0x0D,0x06, 0x0C, 0x4D, 0x56, 0x0F, 0x28, 0x4D, 0x51, 0x76, 0x70,0x2B, 0x05, 0x51, 0x68, 0x48, 0x55, 0x24, 0x19]

key = list("plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6")
flag=[]
for i in range(len(key)):
    flag.append(ord(key[i]) ^ 0x27)

v7 = 2023
v6 = 0
v8 = 48
xor = []
while v6 < v8 - 1:
    if v6 % 3 == 1:
        v7 = (v7 + 5) % 20
        v3 = flag[6+v7 + 1]
    elif v6 % 3 == 2:
        v7 = (v7 + 7) % 19
        v3 = flag[6+v7 + 2]
    else:
        v7 = (v7 + 3) % 17
        v3 = flag[6+v7 + 3]
    v6 += 1
    xor.append(v3)
for i in range(len(data)-1-1, -1, -1):
    data[i] ^= data[i-1]
    data[i] ^= xor[i]
print(''.join([chr(x)for x in data]))

解flag

babyre

魔改的xtea

修改好脚本

好像无法调试，使用attach 跟进发现密文和秘钥被改了

正确的密文：[0x9523F2E0, 0x8ED8C293, 0x8668C393, 0xDDF250BC, 0x510E4499, 0x8C60BD44, 0x34DCABF2, 0xC10FD260]

正确的Key=[0x62, 0x6F, 0x6D, 0x62]

循环变成了33次

就剩下sum不知道了，方法把encrypt改成正向加密，输出正确的sum，得到解密脚本

#include <stdio.h>
#include <stdint.h>

//加密函数
void encrypt(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1], sum = 0x90508D47, delta =0x77BF7F99;
    for (int y=0;y<4;y++){
    for (i = 0; i < num_rounds; i++) {
        v0 += (((v1 >> 4) ^ (v1 << 5)) + v1) ^ (sum + key[sum & 3]);
        v1 += (((v0 >> 4) ^ (v0 << 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;

    }
    }
    v[0] = v0; v[1] = v1;
    printf("%x",sum);
}

//解密函数
void decrypt(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1], sum = 0xd192c263, delta =0x77bf7f99 ;
    for(int j=0;j<4;j++){
    for (i = 0; i < num_rounds; i++) {
        sum += delta;
        v1 -= (((v0  >>4) ^ (v0 << 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        
        v0 -= (((v1 >> 4) ^ (v1 << 5)) + v1) ^ (sum + key[sum & 3])^sum;
        

    }
    v[0] = v0; v[1] = v1;
}
}
int main()
{
    // v为要加解密的数据，两个32位无符号整数
    uint32_t v[] = {   0x34DCABF2, 0xC10FD260};
    // k为加解密密钥，4个32位无符号整数，密钥长度为128位, 0x8D62CA9B, 0xD2FC5DB0, 0x421C5589, 0x9B76A850, 0x2FC6B2EA, 0xDE11CF7C
    uint32_t k[4] = {0x62, 0x6F, 0x6D, 0x62 };
    int n = sizeof(v) / sizeof(uint32_t);
    // num_rounds，建议取值为32
    unsigned int r = 33;

    decrypt(r,v, k);
    printf("0x%x 0x%x\n", v[0], v[1]);
    for (int i = 0; i < 2; i++)
    {
        for (int j = 0; j < sizeof(uint32_t) / sizeof(uint8_t); j++)
        {
            printf("%c", (v[i] >> (j * 8)) & 0xFF);
        }
    }
    printf("\n");
    return 0;
}
/*W31com3_2_Th3_QwbS7_4nd_H4v3_Fun*/