HGAME WEEK1 Re WP

警告
本文最后更新于 2023-02-01,文中内容可能已过时。

为什么只有re,因为别的方向懒得写了( 也没做几题

Reverse

test your IDA

image-20230110220618973

hgame{te5t_y0ur_IDA}

easyasm

给了段汇编代码,以及加密后的密文

重点是这句

xor     eax, 33h

异或0x33

# The assembly XORs every byte with 0x33 (`xor eax, 33h`). XOR is its own
# inverse, so applying the same constant to the ciphertext restores the flag.
enc = [0x5b, 0x54, 0x52, 0x5e, 0x56, 0x48, 0x44, 0x56, 0x5f, 0x50, 0x3, 0x5e, 0x56, 0x6c, 0x47, 0x3, 0x6c, 0x41, 0x56, 0x6c, 0x44, 0x5c, 0x41, 0x2, 0x57, 0x12, 0x4e]
plain = "".join(map(chr, (b ^ 0x33 for b in enc)))
print(plain)

不知道为什么忽然喜欢写一行了(

hgame{welc0me_t0_re_wor1d!}

easyenc

搞了半天发现是漏了个0x00

但是我确实动调不起来

image-20230111164053153

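# Ciphertext bytes copied out of the binary as one hex string.
v8 = "F9060705F0FDEA01ECAC170108FA05B1EA01EE01EA17FD17EB05170607ADF0050000B0F30109FDFF04"
# Walk the bytes last-to-first (the same order as an index loop counting down)
# and undo each one with "add 86 modulo 256, then XOR 0x32". Masking with 0xFF
# makes the byte wrap-around explicit, so no bare `except` is needed to recover
# from chr() rejecting a negative value.
for value in reversed(bytes.fromhex(v8)):
    print(chr(((value + 86) & 0xFF) ^ 0x32), end='')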
hgame{4ddit1on_is_a_rever5ible_0peration}

encode

image-20230111105501791

就是把flag的每个字节拆成高4位和低4位

分别存储为[i*2+1][i*2]

还原回来就行

# Nibble table recovered from the binary: entry 2*i holds the low four bits of
# flag byte i and entry 2*i+1 holds the high four bits.
u4 = [  0x08, 0x06, 0x07, 0x06, 0x01, 0x06, 0x0D, 0x06, 0x05, 0x06, 0x0B, 0x07, 0x05, 0x06, 0x0E, 0x06, 0x03, 0x06, 0x0F, 0x06, 0x04, 0x06, 0x05, 0x06, 0x0F, 0x05, 0x09, 0x06, 0x03, 0x07, 0x0F, 0x05, 0x05, 0x06, 0x01, 0x06, 0x03, 0x07, 0x09, 0x07, 0x0F,
0x05, 0x06, 0x06, 0x0F, 0x06, 0x02, 0x07, 0x0F, 0x05, 0x01, 0x06, 0x0F, 0x05, 0x02, 0x07, 0x05, 0x06, 0x06, 0x07, 0x05, 0x06, 0x02, 0x07, 0x03, 0x07, 0x05, 0x06, 0x0F, 0x05, 0x05, 0x06, 0x0E, 0x06, 0x07, 0x06, 0x09, 0x06, 0x0E, 0x06, 0x05, 0x06, 0x05,
0x06, 0x02, 0x07, 0x0D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]

# Glue each (low, high) pair back into one byte. Only the first 100 entries are
# read (50 pairs); the zero padding at the end of the table comes out as NUL
# characters after the flag.
for low, high in zip(u4[0:100:2], u4[1:100:2]):
    print(chr(((high & 0xF) << 4) | (low & 0xF)), end='')
hgame{encode_is_easy_for_a_reverse_engineer}

a_cup_of_tea

tea

key

image-20230111160718723

flag最后一段

image-20230111160755033

image-20230111160821945

delta=0x543210dd

++-,没给sum,是加密函数

反过来写解密函数

image-20230111163204876

动调到最后一轮得到sum(其值 0x79BDE460 恰好等于 (-32 × delta) mod 2^32,说明加密时每轮是 sum -= delta)

import binascii
from ctypes import * 
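# encrypt is not called by this script; it is kept as the forward direction of decrypt().
def encrypt(v,k):
    """Encrypt one 64-bit block with the TEA variant used by this challenge.

    Args:
        v: sequence of two 32-bit words (v[0], v[1]) forming the plaintext block.
        k: sequence of four 32-bit key words.

    Returns:
        Tuple ``(v0, v1)`` with the two encrypted words as ints.
    """
    v0=c_uint32(v[0])
    v1=c_uint32(v[1])
    sum1=c_uint32(0)
    delta=c_uint32(0x543210DD)
    for _ in range(32):
        # Use delta.value: adding the c_uint32 object itself to an int raises TypeError.
        # The running sum is decremented, because decrypt() in this file starts from
        # 0x79BDE460 == (-32 * delta) mod 2**32 and adds delta back after every round.
        sum1.value-=delta.value
        # c_uint32 truncates each assignment to 32 bits, which gives the modular arithmetic.
        v0.value+=((v1.value<<4)+k[0])^(v1.value+sum1.value)^((v1.value>>5)+k[1])
        v1.value+=((v0.value<<4)+k[2])^(v0.value+sum1.value)^((v0.value>>5)+k[3])
    return v0.value,v1.value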

def decrypt(v,k):
    """Decrypt one 64-bit block of the challenge's TEA variant.

    Args:
        v: sequence of two 32-bit ciphertext words.
        k: sequence of four 32-bit key words.

    Returns:
        Tuple of two strings, ``hex()`` of each recovered 32-bit word. ``hex()``
        does not zero-pad, so a word with leading zero nibbles comes back with
        fewer than eight digits.
    """
    mask = 0xFFFFFFFF          # keep every intermediate value inside 32 bits
    step = 0x543210DD          # per-round delta
    running = 0x79BDE460       # sum value the rounds start from
    left = v[0] & mask
    right = v[1] & mask
    for _ in range(32):
        # Undo the two half-round additions in reverse order, second word first.
        mix_right = ((left << 4) + k[2]) ^ (left + running) ^ ((left >> 5) + k[3])
        right = (right - mix_right) & mask
        mix_left = ((right << 4) + k[0]) ^ (right + running) ^ ((right >> 5) + k[1])
        left = (left - mix_left) & mask
        running = (running + step) & mask

    return hex(left), hex(right)
# Byte-order (endianness) swap
def big_small_end_convert(data):
    """Reverse the byte order of a hex string and return it as lowercase hex.

    ``data`` must contain an even number of hex digits; ``binascii.unhexlify``
    raises ``binascii.Error`` otherwise.
    """
    raw = binascii.unhexlify(data)
    swapped = bytes(reversed(raw))
    return swapped.hex()

# Hex string to text
def hex_string(hexstr):
    """Decode a hex string into text, two hex digits per character.

    Every byte value is reduced modulo 128 before ``chr``, so the result only
    contains 7-bit code points. A trailing single digit is decoded on its own.
    """
    pairs = (hexstr[pos:pos + 2] for pos in range(0, len(hexstr), 2))
    return "".join(chr(int(pair, 16) % 128) for pair in pairs)

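# Entry point: decrypt the four encrypted blocks and print the recovered flag.
if __name__=='__main__':
    # Nine 32-bit words taken from the binary. The first eight form four 64-bit
    # blocks for decrypt(); the ninth is handled separately below.
    # (Named `words` rather than `all` so the builtin is not shadowed.)
    words=[0x2E63829D, 0xC14E400F, 0x9B39BFB9, 0x5A1F8B14, 0x61886DDE, 0x6565C6CF, 0x9F064F64, 0x236A43F6, 0x00007D6B]
    k=[0x12345678, 0x23456789, 0x34567890, 0x45678901]
    flag = ""
    for i in range(0, 8, 2):
        res=decrypt(words[i:i+2],k)
        for word_hex in res:
            # hex() drops leading zeros; pad back to 8 digits so every word
            # yields exactly 4 bytes and unhexlify never sees an odd length.
            flag += big_small_end_convert(word_hex[2:].zfill(8))
    # NOTE(review): the ninth word is never passed to decrypt(). Its little-endian
    # bytes are "k}", which matches the end of the flag shown in the write-up, so
    # it is presumably stored unencrypted; confirm against the binary.
    tail = words[8].to_bytes(4, "little").rstrip(b"\x00").decode("latin-1")
    print(hex_string(flag) + tail)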
hgame{Tea_15_4_v3ry_h3a1thy_drlnk}