0x01 xx
Test file: https://www.lanzous.com/i7dyqhc
1. Prepare
getting information
- 64 files
2.IDA Open
Scripts can be seen using Findcrypt
Combined with the file name is xx , and therefore guess the code uses encryption method xxtea
3. Process summary
Therefore, the total process:
- Determining for each input character string is included in "qwertyuiopasdfghjklzxcvbnm1234567890" in
- Take enter the first four characters of the string, i.e., "flag", expanded to 16 bits, a secret key encryption key xxtea
- The encryption key using the input character string, the character stored in the encrypted array of characters V18, a total of 24 characters
- V18 upset array, the array saved to v19
- 24 characters, each of a group 3, each set of exclusive-OR value (see the specific codes) to obtain a new encrypted string
- The new encrypted string with an existing string comparison, the same that is win
Therefore, only the inverse transform can be obtained flag
Use dynamic debugging, you can get to the string already exists
enc = 'CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA'
4. decryption script
Python has xxtea package, but when I use, I have been suggesting " ValueError:. Need A 16-byte Key ", with rjust or '\ x00' * 16 make up the 16-bit will not work.
So use another method, borrowed xxtea the following article:
Reference article: https://blog.csdn.net/weixin_41474364/article/details/84314674
# encoding: utf-8 import struct _DELTA = 0x9E3779B9 def _long2str(v, w): n = (len(v) - 1) << 2 if w: m = v[-1] if (m < n - 3) or (m > n): return '' n = m s = struct.pack('<%iL' % len(v), *v) return s[0:n] if w else s def _str2long(s, w): n = len(s) m = (4 - (n & 3) & 3) + n s = s.ljust(m, "\0") v = list(struct.unpack('<%iL' % (m >> 2), s)) if w: v.append(n) return v def encrypt(str, key): if str == '': return str v = _str2long(str, True) k = _str2long(key.ljust(16, "\0"), False) n = len(v) - 1 z = v[n] y = v[0] sum = 0 q = 6 + 52 // (n + 1) while q > 0: sum = (sum + _DELTA) & 0xffffffff e = sum >> 2 & 3 for p in xrange(n): y = v[p + 1] v[p] = (v[p] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff z = v[p] y = v[0] v[n] = (v[n] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[n & 3 ^ e] ^ z))) & 0xffffffff z = v[n] q -= 1 return _long2str(v, False) def decrypt(str, key): if str == '': return str v = _str2long(str, False) k = _str2long(key.ljust(16, "\0"), False) n = len(v) - 1 z = v[n] y = v[0] q = 6 + 52 // (n + 1) sum = (q * _DELTA) & 0xffffffff while (sum != 0): e = sum >> 2 & 3 for p in xrange(n, 0, -1): z = v[p - 1] v[p] = (v[p] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff y = v[p] z = v[n] v[0] = (v[0] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[0 & 3 ^ e] ^ z))) & 0xffffffff y = v[0] sum = (sum - _DELTA) & 0xffffffff return _long2str(v, True) def xor(x ,y): word (x) +Return the ord (Y) # is converted to hexadecimal ARR = ' CEBC406B7C3A95C0EF9B202091F70235231802C8E75656FA ' .decode ( ' hex ' ) On Dec = '' # because the forward encryption is encrypted, the characters will be used after the encryption, decryption and therefore need reverse decryption for I in Range (. 7, -1, -1 ): RES = '' # every 3 months for a group for J in Range (. 3 ): TEMP = the ord (ARR [. 3 * I + J]) # required XOR value such that group i, ARR [i + J *. 3] ^ (ARR [n-] for n-in Range (i)) for m inRange (I): TEMP ^ = the ord (ARR [m]) RES + = CHR (TEMP) On Dec = RES + On Dec # original array v18 to v19 are disrupted the sorted num = [2,0,3,1,6,4 , 7,5,10,8,11,9,14,12,15,13,18,16,19,17,22,20,23,21 ] ENC = [0] * 24 # Key needs 16 = Key ' in Flag ' + ' \ xOO ' * 12 is for I in Range (24 ): ENC [NUM [I]] = On Dec [I] DEC2 = '' .join (ENC) DEC3 = the decrypt (DEC2, Key) print dec4
5.get flag!
flag{CXX_and_++tea}
pending upgrade... ...