一道xxtea加密的题
主要过程分五步
1、读入数据
2、构造key数组
3、xxtea加密
4、打乱数据
5、二次加密
先查壳,64位无壳
直接拖入ida分析
读入数据并计算长度
判断输入的字符串数据是否都在Code中
一开始没有看出来这里是干什么的,直接去分析后面了,后来看了其他师傅的wp才知道,这里是构造xxtea加密的key数组
这里就是xxtea加密的部分
在这里打乱了加密后数组的顺序
在这里又对数组进行了二次加密
进行最后的校验
以上就是整体流程,所有的过程都是可逆的,只是比较麻烦,直接给出解密脚本
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define xxtea_DELTA 0x9e3779b9
#define xxtea_MX (((xxtea_z>>5^xxtea_y<<2) + (xxtea_y>>3^xxtea_z<<4)) ^ ((xxtea_sum^xxtea_y) + (xxtea_key[(xxtea_p&3)^xxtea_e] ^ xxtea_z)))
void xxtea(uint32_t* xxtea_origin, int xxtea_n, uint32_t const xxtea_key[4])
{
uint32_t xxtea_y, xxtea_z, xxtea_sum;
unsigned xxtea_p, xxtea_rounds, xxtea_e;
if (xxtea_n > 1) /* Coding Part */
{
xxtea_rounds = 6 + 52 / xxtea_n;
xxtea_sum = 0;
xxtea_z = xxtea_origin[xxtea_n - 1];
do
{
xxtea_sum += xxtea_DELTA;
xxtea_e = (xxtea_sum >> 2) & 3;
for (xxtea_p = 0; xxtea_p < xxtea_n - 1; xxtea_p++)
{
xxtea_y = xxtea_origin[xxtea_p + 1];
xxtea_z = xxtea_origin[xxtea_p] += xxtea_MX;
}
xxtea_y = xxtea_origin[0];
xxtea_z = xxtea_origin[xxtea_n - 1] += xxtea_MX;
} while (--xxtea_rounds);
}
else if (xxtea_n < -1) /* Decoding Part */
{
xxtea_n = -xxtea_n;
xxtea_rounds = 6 + 52 / xxtea_n;
xxtea_sum = xxtea_rounds * xxtea_DELTA;
xxtea_y = xxtea_origin[0];
do
{
xxtea_e = (xxtea_sum >> 2) & 3;
for (xxtea_p = xxtea_n - 1; xxtea_p > 0; xxtea_p--)
{
xxtea_z = xxtea_origin[xxtea_p - 1];
xxtea_y = xxtea_origin[xxtea_p] -= xxtea_MX;
}
xxtea_z = xxtea_origin[xxtea_n - 1];
xxtea_y = xxtea_origin[0] -= xxtea_MX;
xxtea_sum -= xxtea_DELTA;
} while (--xxtea_rounds);
}
}
int main()
{
unsigned char v30[] = {0xce,0xbc,0x40,0x6b,0x7c,0x3a,0x95,0xc0,0xef,0x9b,0x20,0x20,0x91,0xf7,0x2,0x35,0x23,0x18,0x2,0xc8,0xe7,0x56,0x56,0xfa};
__int64 v23; // rcx
char v24; // al
unsigned char *v22; // r8
int v21 = 1;
int v18 = 24;
//第二处加密
v22 = v30 + 24;
v21 = v18;
for (;v21 > 1;--v22)
{
v23 = 0;
if (v21 / 3 > 0)
{
v24 = *v22;
do
{
v24 ^= v30[v23++];
*v22 = v24;
}
while ( v23 < v21 / 3 );
}
--v21;
}
//恢复打乱的顺序
unsigned char *v19;
v19 = v30;
*v19 = v30[1];
v19[2] = *v30;
v19[3] = v30[2];
v19[1] = v30[3];
v19[6] = v30[4];
v19[4] = v30[5];
v19[7] = v30[6];
v19[5] = v30[7];
v19[10] =v30[8];
v19[8] = v30[9];
v19[11] =v30[10];
v19[9] =v30[11];
v19[14] =v30[12];
v19[12] =v30[13];
v19[15] =v30[14];
v19[13] =v30[15];
v19[18] =v30[16];
v19[16] =v30[17];
v19[19] =v30[18];
v19[17] =v30[19];
v19[22] =v30[20];
v19[20] =v30[21];
v19[23] =v30[22];
v19[21] =v30[23];
/* for(int i = 0;i < 6;i++)
{
printf("0x");
for(int j = 3;j >= 0;j--)
{
printf("%x",v19[i*4+j]);
}
printf(",");
}
*/
unsigned int v11[6] = {0x40cea5bc,0xe7b2b2f4,0x129d12a9,0x5bc810ae,0x1d06d73d,0xdcf870dc};
uint32_t const key1[4] = { (unsigned int)0x67616c66,(unsigned int)0x0,(unsigned int)0x0,(unsigned int)0x0 };
int n = -6;
xxtea(v11, n, key1);
//67616c665858437b646e615f742b2b5f7d616513
/* for (int i = 0; i < 6; i++)
{
printf("%x", v11[i]);
}
*/
int flag[] = {0x67,0x61,0x6c,0x66,0x58,0x58,0x43,0x7b,0x64,0x6e,0x61,0x5f,0x74,0x2b,0x2b,0x5f,0x7d,0x61,0x65};
for(int i = 0;i < 19;i++)
{
printf("%c",flag[i]);
}
}
标签:v30,origin,v19,int,ctf,unsigned,xx,红帽,xxtea From: https://www.cnblogs.com/polang19/p/16928619.html