DASCTF2024.10部分Reverse

ezre

14解

看上去有壳,但是无法手动脱

不能sfx脱壳,也不能动调

搜保护器的名字,找到脱壳工具 unlicense(GitHub 仓库 ergrelet/unlicense 的 Releases 页面)

去花指令后得到main是rc4魔改+tea魔改

tea一次移一个字符(每次处理8字节),36次循环刚好移完全部密文;因为相邻窗口互相重叠,解密时必须从最后一个窗口(偏移36)倒着解回偏移0

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Decrypt one 64-bit block in place with the challenge's modified TEA.
 *
 * v   - two 32-bit words, overwritten with the plaintext words.
 * key - four 32-bit key words, indexed by bits of the running sum.
 *
 * The routine runs 33 rounds with a step of 0x9E3779B8 and a running sum
 * that starts at 0x66778899 + 33 * step. The first half-round uses the
 * shift pair (<<4, >>5) and the second uses (<<5, >>6), so a stock
 * TEA/XTEA implementation will not decrypt this data.
 */
void decrypt(uint32_t v[2], uint32_t const key[4]) {
    const uint32_t step = 0x9E3779B8;
    uint32_t acc = 0x66778899 + step * 33;
    uint32_t lo = v[0];
    uint32_t hi = v[1];
    unsigned int rounds_left = 33;

    while (rounds_left-- > 0) {
        /* Statement order matters: hi is undone with the current sum,
         * lo with the sum after it has been stepped back. */
        hi -= (((lo << 4) ^ (lo >> 5)) + lo) ^ (acc + key[(acc >> 11) & 3]);
        acc -= step;
        lo -= (((hi << 5) ^ (hi >> 6)) + hi) ^ (acc + key[acc & 3]);
    }

    v[0] = lo;
    v[1] = hi;
}

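/*
 * Undo the sliding-window TEA layer over the embedded ciphertext and print
 * the recovered bytes as comma-separated hex.
 *
 * Each 8-byte window starts one byte after the previous one, so the windows
 * overlap and must be decrypted from the last offset back to offset 0.
 *
 * The windows start at arbitrary byte offsets, so each one is copied into an
 * aligned uint32_t pair with memcpy instead of casting &enc[i] to uint32_t*.
 * The cast is an incompatible-pointer conversion that newer compilers
 * reject, and it reads misaligned words. memcpy keeps the host byte order,
 * which matches what the cast did on a little-endian host.
 * NOTE(review): assumes the target binary is little-endian; confirm.
 */
int main() {
    uint32_t const k[4] = {0x6E982837, 0x44332211, 0x11223344, 0x3728986E};
    /* unsigned char: several initialisers exceed the range of a signed char. */
    unsigned char enc[] = {0x50, 0xD4, 0xC8, 0xC4, 0x8F, 0x84, 0x40, 0xEB, 0x32, 0x81,
                           0x8F, 0x85, 0x6C, 0xB2, 0x2B, 0x06, 0xBF, 0x05, 0x35, 0x5D,
                           0x2E, 0xE3, 0x7D, 0x46, 0x8D, 0x35, 0x01, 0x70, 0x3A, 0x80,
                           0x81, 0xC5, 0xE6, 0x71, 0xD3, 0xD6, 0x50, 0x69, 0x6F, 0xE2,
                           0x6E, 0x78, 0x14, 0xD8};
    uint32_t block[2];

    /* Last valid window start is sizeof enc - 8 (36 for the 44-byte buffer);
     * deriving it from the sizes keeps every window inside the array. */
    for (int i = (int)(sizeof enc - sizeof block); i >= 0; i -= 1) {
        memcpy(block, &enc[i], sizeof block);
        decrypt(block, k);
        memcpy(&enc[i], block, sizeof block);
    }

    for (int i = 0; i < (int)sizeof enc; i++) {
        printf("0x%x,", enc[i] & 0xff);
    }
    return 0;
}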

rc4的魔改:密钥流字节先异或0x33,再和数据做加减而不是异或,所以解密时是减回去

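def rc4(data, key):
    """Decrypt *data* with the challenge's modified RC4.

    The key schedule and the keystream generator are the standard RC4
    ones. The combining step is the modification: each keystream byte is
    XORed with 0x33 and then subtracted from the input byte modulo 256,
    where stock RC4 would XOR it with the input. This function is
    therefore the decryption direction only and is not its own inverse.

    Args:
        data: iterable of ints in 0..255 (e.g. ``bytes``) to decrypt.
        key: non-empty sequence of ints in 0..255 (e.g. ``bytes``).

    Returns:
        The decrypted bytes, the same length as *data*.

    Raises:
        ValueError: if *key* is empty (the key schedule indexes the key
            modulo its length).
    """
    if not key:
        raise ValueError("key must not be empty")

    # Key-scheduling: permute the identity table under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # Keystream generation and the modified, subtractive combining step.
    out = bytearray()
    i = j = 0
    for char in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        keystream = S[(S[i] + S[j]) % 256] ^ 0x33
        out.append((char - keystream) % 256)

    return bytes(out)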

# Input to the RC4 stage: 44 bytes.
# NOTE(review): presumably the bytes printed by the TEA-stage program; the
# page does not say so explicitly.
data = bytes.fromhex(
    "f5 cf c9 90 ba 79 d6 e3 "
    "51 22 d5 2c 50 e9 f6 99 "
    "71 4d 7a de ff 44 c5 ab "
    "19 37 ac e8 72 b6 a4 0e "
    "93 86 4b c3 55 36 74 19 "
    "36 a2 af 45"
)
# Key passed to the modified RC4 routine.
key = b'th0s_i0_ke9'

decrypted = rc4(data, key)
print(decrypted)
