Satan
The competition just look at the question this channel reverse, fast transfer out of the afternoon when they were rjj pull over to sing, come back in the evening is over, adjusting the bug a few scripts out of this question.
Subject to the ELF of a 64-bit, IDA thrown open, the main logic within the main function, using C ++ / STL prepared a lot of string operations.
Look at the operation of the first few lines, the first line 183 initializes a character string. 184 OK "operator >>" C ++ is an input stream, and the "unk_6072A0" cin can be found by cross-reference, then this line to read the user input string. The first 185 rows from the user input string built another string, after the new string into sub_4020DF do test, if the test fails, the output "error".
We see from sub_4020DF function input format, the first flag {} package, which consists of five sections, a '-' separator. A sample can be constructed to facilitate dynamic debugging flag.
flag{abcd1234-abcd-1234-abcd-abcdefghijkl}
After a big switch in accordance with the size of the first character of the flag the first paragraph, the method for determining the shuffle, five pieces of input do a shuffle. For example the following figure, the first section of the first character '0', the sequence is scrambled 01,433. This transformation only once, there is no difficulty does not need to look carefully.
After came the most critical areas of this question, encryption. 32-bit code for flag after the shuffle is divided into two, namely encryption. sub_401AA3 is an encryption function.
The encryption key is generated by the function itself text segment, sub_4025A2 start function according to the starting position, all the contents until the start + 0x3D22, V96 generates an integer, then the integer key configuration of 256bit v177. Clearly text content segment will not change, the key is fixed. (If you think it will be to pit ,,,)
Get the key, leaving only the encryption algorithm. I checked the box encryption algorithm used to encrypt and what not found. SP structure similar to the whole encryption process of AES. Each round key plus a need to go through, a nonlinear transformation and the cartridge displacement transducer. Can not find a known algorithm, we can only take the head to reverse. Recall that the AES decryption process, round keys applied only to exchange the order of the exclusive OR, S-box transformation and reverse displacement transducer is required to write algorithm. And because the key is fixed, can be deducted directly from gdb out all round keys, the reverse seems to require not much work.
Round function
Plaintext algorithm is divided into four, each block in the presence of a 32-bit integer. Total 33, front 31, each one pair of round keys applied plaintext, linear transformation and nonlinear mixing cartridge. The final 32 and 33 be slightly different, but the same function are used.
Nonlinear transformation cassette
Here we need to understand how this transformation. After a reverse iron head, the code from each of four blocks from a plaintext, combined into a 4bit integer, then do the substitution in the box, the substitution value spliced together after the last of the four original substitution plaintext.
Reverse, the entire flow is the same, but use the inverse substitution box to do it. The topic and people are more kind-hearted, non-linear inverse boxes stored in the back of the box, with IDA deducted directly out just fine. Finally, write the inverse transform using python.
Linear Mixed
Here to do a cyclic shift and XOR. At first I wanted to be lazy with z3, have not solved the problem, or direct inverse out.
We can see that the line 13 and 14, the first block and the third block XOR of 0 and generates a second block, after the first and third chunks are not modified, only the 0,2 cyclic shift block . That is, when reverse, we can direct reduction lines 13 and 14, exclusive-or 0,2 up block, then it can restore the original exclusive OR block 0,2. Similarly the first and third block can be restored. So this code can be written directly inverse algorithm.
Several problems have been resolved, dynamic debugging just plucked out of round keys, and then do validation on the line. Here met a pit. You need to know about the principles of gdb debugging.
Gdb internal use ptrace implemented in the next breakpoint time, will replace the target instruction for the trap, when executing the target instruction, the actual execution trap instruction, the control to the controller, which is gdb. That gdb breakpoint value will modify the program text segment, then the encryption key generation function was affected. This question will find tune with gdb round keys change frequently and suspect cases inconsistent.
This is simple to figure out, write a script directly compute the return value of the function sub_4025A2, then gdb debugging able to get a real round keys.
Finally do decryption, restore what shuflle got the flag.
flag{96ae4d91-7595-48da-8a40-62dd06baf7a4}