crackeme
xtea 线性约束
main 函数:能直接看出有一个 xor,输入需要用 flag{} 包裹;再点进其他函数看看。
/*
 * Input checker (Hex-Rays pseudo-C for the routine the write-up treats as main).
 * Pointer casts appear to have been lost in the paste, so expressions such as
 * `&v10.m128i_u64[1] + 5` are best read as byte offsets -- TODO confirm against
 * the disassembly.
 *
 * Visible flow: read a line, require the "flag{" prefix and a trailing '}'
 * (125), require a 16-byte body at v10+5, transform the body in place
 * (sub_4009AE, then sub_400A8C, then the XOR loop) and pass it to sub_400D6A.
 * Library-call identities noted below are guesses from argument shapes only.
 *
 * NOTE(review): every stage shown here is invertible and all constants live in
 * the binary, so the expected input is recoverable from the binary alone.
 */
__int64 sub_400ADF()
{
  int v0; // edx
  int v1; // ecx
  int v2; // r8d
  int v3; // r9d
  __int64 v4; // rax
  unsigned int v5; // eax
  __int64 result; // rax
  int i; // [rsp+0h] [rbp-120h]
  int v8; // [rsp+4h] [rbp-11Ch]
  _BYTE *v9; // [rsp+8h] [rbp-118h]
  /* v10 (rbp-0x110) and v11 (rbp-0xFB) are 0x15 = 21 bytes apart, so v11
   * begins at v10+21, the byte right after the 16-byte body at v10+5.
   * They look like one input buffer split by the decompiler -- TODO confirm. */
  __m128i v10; // [rsp+10h] [rbp-110h] BYREF
  int v11[60]; // [rsp+25h] [rbp-FBh] BYREF
  unsigned __int64 v12; // [rsp+118h] [rbp-8h]
  /* Stack-protector value saved here and compared again before returning. */
  v12 = __readfsqword(0x28u);
  /* presumably setvbuf(stream, NULL, 2, 0) on three streams -- TODO confirm */
  sub_410E10(off_6CB848, 0, 2, 0);
  sub_410E10(off_6CB840, 0, 2, 0);
  sub_410E10(off_6CB838, 0, 2, 0);
  sub_410410("input: ", 0, v0, v1, v2, v3);
  /* presumably read(0, buf, 256): 256 bytes from rbp-0x110 end at rbp-0x10,
   * below the saved value at rbp-8.
   * NOTE(review): nothing visible here terminates a full 256-byte read. */
  sub_440790(0, &v10, 256);
  /* Looks up byte 10 ('\n') and, if found, overwrites it with 0. */
  v9 = j_ifunc_4226A0(&v10, 10);
  if ( v9 )
    *v9 = 0;
  /* Non-zero result (presumably strncmp) means the "flag{" prefix is missing. */
  if ( j_ifunc_4274A0(&v10, "flag{", 5) )
    goto LABEL_11;
  /* presumably strlen; the last character must be '}' (125) and is then cut off. */
  v8 = sub_424C60(&v10);
  if ( v10.m128i_i8[v8 - 1] != 125 )
    goto LABEL_11;
  v10.m128i_i8[v8 - 1] = 0;
  /* The body between "flag{" and '}' must be exactly 16 bytes long. */
  LODWORD(v4) = sub_424C60(&v10.m128i_u8[5]);
  if ( v4 != 16 )
    goto LABEL_11;
  /* Copies the 8 bytes "nice2you" to v11, i.e. v10+21, directly behind the body. */
  sub_42D630(v11, "nice2you", 8u);
  /* Block transform on body[0..7]. Second argument read as v10+13 (= body+8):
   * sub_4009AE reads four 32-bit words from it, i.e. body[8..15] followed by
   * "nice2you". This agrees with the solver's `b + b"nice2you"`. */
  sub_4009AE(&v10.m128i_u8[5], &v10.m128i_u64[1] + 5);
  /* NOTE(review): the length is recomputed after body[0..7] was rewritten and
   * the constant was appended; if sub_424C60 is strlen it need not be 16. */
  v5 = sub_424C60(&v10.m128i_u8[5]);
  /* Byte-wise table substitution through unk_6CB0A0. */
  sub_400A8C(&v10.m128i_u8[5], v5, &unk_6CB0A0);
  /* body[8+i] ^= body[i] for i = 0..7 (second half mixed with the first). */
  for ( i = 0; i <= 7; ++i )
    v10.m128i_i8[i + 13] ^= v10.m128i_u8[i + 5];
  /* Final acceptance: the 16 transformed bytes must satisfy sub_400D6A. */
  if ( sub_400D6A(&v10.m128i_u8[5]) == 1 )
  {
    printf("ok");
    result = 0;
  }
  else
  {
LABEL_11:
    result = printf("error");
  }
  /* Saved value re-checked; sub_4440D0 is presumably __stack_chk_fail. */
  if ( __readfsqword(0x28u) != v12 )
    sub_4440D0();
  return result;
}
线性约束
/*
 * Final check: 16 linear equations over the bytes a1[0..15].
 *
 * Returns 1 only if every equation holds. v2 starts as the result of the first
 * equation and is cleared by any later mismatch; the last equation returns 0
 * directly.
 *
 * Structure visible below: equation k uses only a1[0..k], so each one adds
 * exactly one byte not used before it. The system is triangular and fixes the
 * bytes one after another (the first line alone gives a1[0] = 34078800 / 202850
 * = 168).
 */
_BOOL8 __fastcall sub_400D6A(unsigned __int8 *a1)
{
  bool v2; // [rsp+Fh] [rbp-9h]
  /* Equation 0: a1[0] only. */
  v2 = -202850 * *a1 == -34078800;
  /* Equation 1: adds a1[1]. */
  if ( 182136 * *a1 - 75396 * a1[1] != 18610884 )
    v2 = 0;
  /* Equation 2: adds a1[2]. */
  if ( -360745 * a1[1] - 465588 * a1[2] - 300043 * *a1 != -145478307 )
    v2 = 0;
  /* Equation 3: adds a1[3]. */
  if ( -97624 * *a1 + 386642 * a1[3] - 515451 * a1[2] + 42526 * a1[1] != -8086825 )
    v2 = 0;
  /* Equation 4: adds a1[4]. */
  if ( 31288 * *a1 + -324524 * a1[3] + -89265 * a1[1] - 239750 * a1[4] - 241348 * a1[2] != -91924377 )
    v2 = 0;
  /* Equation 5: adds a1[5]. */
  if ( -266640 * a1[2] + 216272 * a1[5] + 411737 * *a1 + 210304 * a1[3] - 8658 * a1[4] + 454111 * a1[1] != 144299767 )
    v2 = 0;
  /* Equation 6: adds a1[6]. */
  if ( -402351 * a1[4]
     + -496724 * *a1
     + 367831 * a1[2]
     + 371046 * a1[5]
     + -123257 * a1[3]
     + 188174 * a1[1]
     + 178541 * a1[6] != -37352471 )
    v2 = 0;
  /* Equation 7: adds a1[7]. */
  if ( -415443 * a1[1]
     + 237549 * a1[5]
     + -323336 * a1[7]
     + -207212 * a1[3]
     + -23780 * *a1
     + 94300 * a1[4]
     + 364867 * a1[6]
     + 273839 * a1[2] != -8993582 )
    v2 = 0;
  /* Equation 8: adds a1[8]. */
  if ( 511561 * a1[5]
     + -215494 * *a1
     + 44567 * a1[6]
     + 179735 * a1[2]
     + 55541 * a1[8]
     + -204854 * a1[7]
     + -160275 * a1[1]
     + 441741 * a1[4]
     + 443248 * a1[3] != 57425926 )
    v2 = 0;
  /* Equation 9: adds a1[9]. */
  if ( 407430 * *a1
     + 407030 * a1[3]
     + 503571 * a1[6]
     + -434809 * a1[5]
     + 385646 * a1[4]
     + 437781 * a1[7]
     + 20147 * a1[9]
     + -10713 * a1[2]
     - 247694 * a1[8]
     + 4963 * a1[1] != 267063706 )
    v2 = 0;
  /* Equation 10: adds a1[10]. */
  if ( 128236 * a1[7]
     + -189787 * a1[4]
     + 298269 * a1[2]
     + 117737 * a1[8]
     + -59638 * a1[1]
     + 503873 * a1[5]
     + -288072 * a1[9]
     + -449297 * a1[3]
     + -307883 * a1[6]
     - 60891 * *a1
     + 313065 * a1[10] != -99001600 )
    v2 = 0;
  /* Equation 11: adds a1[11]. */
  if ( 127585 * a1[3]
     + 447223 * a1[10]
     + -511720 * *a1
     + -64919 * a1[1]
     + -115935 * a1[11]
     + -328029 * a1[6]
     + 2659 * a1[4]
     + -246110 * a1[2]
     + -491943 * a1[8]
     + -392232 * a1[9]
     - 178041 * a1[5]
     + 49684 * a1[7] != -319105050 )
    v2 = 0;
  /* Equation 12: adds a1[12]. */
  if ( 431281 * a1[7]
     + 303436 * a1[10]
     + 322142 * a1[8]
     + 190343 * a1[2]
     + 522606 * a1[5]
     + -368910 * a1[9]
     + 427328 * a1[12]
     + -403570 * a1[11]
     + -430137 * *a1
     + 436111 * a1[4]
     + -435520 * a1[6]
     - 267519 * a1[3]
     - 525665 * a1[1] != -150506496 )
    v2 = 0;
  /* Equation 13: adds a1[13]. */
  if ( -423522 * a1[4]
     + -393086 * a1[6]
     + -323745 * a1[12]
     + 463495 * a1[1]
     + 345256 * a1[8]
     + 138356 * a1[7]
     + -225302 * *a1
     + 251299 * a1[11]
     + -82368 * a1[9]
     + -428085 * a1[10]
     + 71943 * a1[13]
     + 425456 * a1[2]
     + 56298 * a1[3]
     - 365233 * a1[5] != -14594715 )
    v2 = 0;
  /* Equation 14: adds a1[14]. */
  if ( -26106 * a1[14]
     + -143761 * a1[3]
     + 15549 * a1[13]
     + -503539 * a1[10]
     + -398270 * a1[9]
     + 36874 * a1[2]
     + -84278 * a1[7]
     + 434801 * a1[12]
     + -472636 * *a1
     + 448925 * a1[8]
     + -46393 * a1[5]
     + -129268 * a1[4]
     + -43783 * a1[11]
     + 60534 * a1[6]
     + 441341 * a1[1] != -38159340 )
    v2 = 0;
  /* Equation 15: adds a1[15]; a mismatch here returns 0 immediately. */
  if ( -408983 * a1[3]
     + -453493 * a1[9]
     + 246957 * a1[5]
     + 197292 * a1[15]
     + -62054 * a1[8]
     + -21100 * a1[6]
     + -500028 * a1[14]
     + -386306 * a1[2]
     + 415182 * a1[13]
     + 24237 * *a1
     + -414063 * a1[4]
     + 524530 * a1[1]
     + 93336 * a1[10]
     + 7350 * a1[12]
     + 129819 * a1[11]
     - 293569 * a1[7] != -124057838 )
    return 0;
  return v2;
}
然后是 xor;再往上看,有一个 Sbox 替换
/*
 * Table substitution over a buffer: for each i < a2 the element at a1+i is
 * replaced by the table entry at a3 + (old element).
 *
 * a1 - buffer address (passed as an integer in this pseudo-C)
 * a2 - number of elements to process
 * a3 - table address
 * Returns the final value of i.
 *
 * NOTE(review): the dereferences carry no casts in this paste; they are
 * presumably byte-sized (a 256-entry byte table) -- confirm against the
 * disassembly. i is unsigned while a2 is int, so the comparison below is
 * done as unsigned.
 */
__int64 __fastcall sub_400A8C(__int64 a1, int a2, __int64 a3)
{
  __int64 result; // rax
  unsigned int i; // [rsp+24h] [rbp-4h]
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( i >= a2 )
      break;
    /* In-place lookup: new value = table[old value]. */
    *(a1 + i) = *(*(i + a1) + a3);
  }
  return result;
}
然后再往上看,能看到一个 XTEA
/*
 * 32-round block transform on two 32-bit words, updated in place.
 *
 * a1 - the two data words a1[0], a1[1]
 * a2 - four 32-bit key words a2[0..3]
 * Returns the final second word.
 *
 * NOTE(review): the write-up labels this XTEA, but each round mixes
 * (v << 4) + key, v + sum and (v >> 5) + key with fixed key words, which is
 * the form of the original TEA round; XTEA selects the key word from the
 * running sum. The per-round increment is 305419896 (0x12345678), not the
 * constant normally used by TEA/XTEA, so a stock implementation will not
 * reproduce these values.
 */
__int64 __fastcall sub_4009AE(unsigned int *a1, _DWORD *a2)
{
  unsigned int v3; // [rsp+1Ch] [rbp-24h]
  unsigned int v4; // [rsp+20h] [rbp-20h]
  unsigned int i; // [rsp+24h] [rbp-1Ch]
  int v6; // [rsp+28h] [rbp-18h]
  v3 = *a1;
  v4 = a1[1];
  /* v6 is the running sum; it grows by 0x12345678 at the start of each round. */
  v6 = 0;
  for ( i = 0; i <= 0x1F; ++i )
  {
    v6 += 305419896;
    /* 16 * v is v << 4; first half-round uses key words 0 and 1. */
    v3 += (v4 + v6) ^ (16 * v4 + *a2) ^ ((v4 >> 5) + a2[1]);
    /* Second half-round uses the updated v3 and key words 2 and 3. */
    v4 += (v3 + v6) ^ (16 * v3 + a2[2]) ^ ((v3 >> 5) + a2[3]);
  }
  *a1 = v3;
  a1[1] = v4;
  return v4;
}
那上面的"nice2you"就应该是key(准确地说是 16 字节 key 的后 8 字节;前 8 字节是输入主体的后半段,对应 exp 里的 b + b"nice2you")
数据
# Forward substitution table (presumably the bytes dumped from unk_6CB0A0, the
# table handed to sub_400A8C). Despite the name `inv`, this is NOT the inverse:
# it maps 0 -> 0x25, whereas the solver's `inv` table maps 0x25 (37) -> 0.
inv = [0x25, 0x3a, 0x4c, 0x27, 0x8e, 0x5f, 0xa8, 0xc5, 0x20, 0xc2, 0xff, 0x8b, 0x28, 0x30, 0xb4, 0x3c, 0x19, 0xc0, 0x2f, 0x6a, 0x65, 0x24, 0x8c, 0x13, 0x7e, 0xf6, 0x3e, 0x17, 0xdd, 0x89, 0x55, 0x82, 0x57, 0x3, 0xf1, 0xe1, 0x3d, 0xb8, 0x31, 0x67, 0x0, 0x22, 0x2d, 0xa7, 0x32, 0x58, 0x8f, 0xcf, 0x78, 0x39, 0x73, 0x44, 0x34, 0xd8, 0x77, 0x12, 0x88, 0xf5, 0x51, 0x75, 0xc9, 0x7f, 0x7b, 0xf, 0xe5, 0xf8, 0x6e, 0xe2, 0x83, 0x5, 0x47, 0x72, 0xfe, 0xe0, 0xf7, 0xf0, 0x4, 0x9a, 0x80, 0x1c, 0x8d, 0xef, 0x4e, 0x33, 0xaa, 0x66, 0x9c, 0x37, 0xb1, 0x21, 0x85, 0x1d, 0xaf, 0x81, 0x42, 0x5b, 0xc7, 0x9d, 0xe6, 0x38, 0x8a, 0x49, 0x7a, 0xae, 0xd0, 0xdf, 0xfb, 0x79, 0x18, 0xdc, 0xf3, 0xa5, 0x59, 0x29, 0xeb, 0xb0, 0xd, 0x43, 0xec, 0xee, 0xcc, 0x2e, 0xf9, 0x8, 0x74, 0x5e, 0x50, 0xba, 0xe4, 0x61, 0xa6, 0x14, 0x54, 0xe8, 0xdb, 0xb5, 0xfa, 0xd9, 0xed, 0xa3, 0x1, 0xb3, 0x11, 0x2b, 0x96, 0x6f, 0x52, 0x36, 0x23, 0x16, 0x1e, 0xf2, 0x40, 0x6c, 0x48, 0x35, 0x9e, 0xb9, 0x45, 0xc3, 0x2, 0x7d, 0x97, 0x94, 0x4a, 0xd1, 0x95, 0xcb, 0xc4, 0x2c, 0xa4, 0x15, 0x7, 0xbd, 0xa2, 0xab, 0x9f, 0xb6, 0x9b, 0xfd, 0xb2, 0x53, 0x64, 0x5a, 0xde, 0xb, 0x70, 0xbe, 0x76, 0xe9, 0x4d, 0xbf, 0xea, 0xf4, 0xac, 0x86, 0xc, 0x6b, 0x63, 0x5c, 0x71, 0x91, 0x2a, 0x3b, 0x9, 0x90, 0xfc, 0x98, 0x46, 0xa9, 0x69, 0xb7, 0xd7, 0xda, 0xc1, 0x93, 0xc8, 0xd4, 0x6, 0x4f, 0x62, 0x6d, 0x3f, 0xbc, 0x92, 0x84, 0x26, 0x68, 0x60, 0xe3, 0xd6, 0xc6, 0xca, 0x1a, 0xce, 0xad, 0x10, 0x1f, 0xbb, 0x41, 0x7c, 0xa0, 0x5d, 0xe, 0x1b, 0x99, 0xe7, 0x4b, 0xd2, 0xcd, 0xa, 0xd3, 0xa1, 0x87, 0xd5, 0x56]
exp
import struct
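# Solver for the check chain shown in the decompiled listing:
#   body[0:8] -> sub_4009AE (block transform) -> sub_400A8C (table substitution)
#   -> body[8:16] ^= body[0:8] -> sub_400D6A (linear equations).
# Each stage is undone in reverse order below.

# Constants mirrored from sub_4009AE.
DELTA = 0x12345678  # per-round increment (305419896 in the pseudo-C); not the usual TEA/XTEA constant
MASK = 0xffffffff   # emulates 32-bit wraparound

# Equations of sub_400D6A as ([(byte index, coefficient), ...], right-hand side).
# Row i only references bytes 0..i, so the rows can be solved top to bottom.
eq = [
    ([(0, -202850)], -34078800),
    ([(0, 182136), (1, -75396)], 18610884),
    ([(0, -300043), (1, -360745), (2, -465588)], -145478307),
    ([(0, -97624), (1, 42526), (2, -515451), (3, 386642)], -8086825),
    ([(0, 31288), (1, -89265), (2, -241348), (3, -324524), (4, -239750)], -91924377),
    ([(0, 411737), (1, 454111), (2, -266640), (3, 210304), (4, -8658), (5, 216272)], 144299767),
    ([(0, -496724), (1, 188174), (2, 367831), (3, -123257), (4, -402351), (5, 371046), (6, 178541)], -37352471),
    ([(0, -23780), (1, -415443), (2, 273839), (3, -207212), (4, 94300), (5, 237549), (6, 364867), (7, -323336)], -8993582),
    ([(0, -215494), (1, -160275), (2, 179735), (3, 443248), (4, 441741), (5, 511561), (6, 44567), (7, -204854), (8, 55541)], 57425926),
    ([(0, 407430), (1, 4963), (2, -10713), (3, 407030), (4, 385646), (5, -434809), (6, 503571), (7, 437781), (8, -247694), (9, 20147)], 267063706),
    ([(0, -60891), (1, -59638), (2, 298269), (3, -449297), (4, -189787), (5, 503873), (6, -307883), (7, 128236), (8, 117737), (9, -288072), (10, 313065)], -99001600),
    ([(0, -511720), (1, -64919), (2, -246110), (3, 127585), (4, 2659), (5, -178041), (6, -328029), (7, 49684), (8, -491943), (9, -392232), (10, 447223), (11, -115935)], -319105050),
    ([(0, -430137), (1, -525665), (2, 190343), (3, -267519), (4, 436111), (5, 522606), (6, -435520), (7, 431281), (8, 322142), (9, -368910), (10, 303436), (11, -403570), (12, 427328)], -150506496),
    ([(0, -225302), (1, 463495), (2, 425456), (3, 56298), (4, -423522), (5, -365233), (6, -393086), (7, 138356), (8, 345256), (9, -82368), (10, -428085), (11, 251299), (12, -323745), (13, 71943)], -14594715),
    ([(0, -472636), (1, 441341), (2, 36874), (3, -143761), (4, -129268), (5, -46393), (6, 60534), (7, -84278), (8, 448925), (9, -398270), (10, -503539), (11, -43783), (12, 434801), (13, 15549), (14, -26106)], -38159340),
    ([(0, 24237), (1, 524530), (2, -386306), (3, -408983), (4, -414063), (5, 246957), (6, -21100), (7, -293569), (8, -62054), (9, -453493), (10, 93336), (11, 129819), (12, 7350), (13, 415182), (14, -500028), (15, 197292)], -124057838),
]

# Inverse of the substitution applied by sub_400A8C: inv[table[v]] == v.
inv = [
    40,140,160,33,76,69,218,172,123,204,250,185,196,116,243,63,
    236,142,55,23,131,171,149,27,108,16,233,244,79,91,150,237,
    8,89,41,148,21,0,226,3,12,113,202,143,169,42,121,18,
    13,38,44,83,52,155,147,87,99,49,1,203,15,36,26,222,
    152,239,94,117,51,158,208,70,154,101,164,247,2,190,82,219,
    126,58,146,181,132,30,255,32,45,112,183,95,199,242,125,5,
    228,129,220,198,182,20,85,39,227,210,19,197,153,221,66,145,
    186,200,71,50,124,59,188,54,48,107,102,62,240,161,24,61,
    78,93,31,68,225,90,195,253,56,29,100,11,22,80,4,46,
    205,201,224,215,163,166,144,162,207,245,77,178,86,97,156,176,
    241,252,174,139,170,111,130,43,6,209,84,175,194,235,103,92,
    115,88,180,141,14,135,177,211,37,157,127,238,223,173,187,191,
    17,214,9,159,168,7,231,96,216,60,232,167,120,249,234,47,
    104,165,248,251,217,254,230,212,53,137,213,134,109,28,184,105,
    73,35,67,229,128,64,98,246,133,189,192,114,118,138,119,81,
    75,34,151,110,193,57,25,74,65,122,136,106,206,179,72,10
]

# Forward substitution over the triangular system. The division must be exact
# and the result must fit in one byte; otherwise a coefficient was transcribed
# wrongly, and a silently floored value would give a plausible-looking but
# wrong answer further down.
x = []
for row, (terms, rhs) in enumerate(eq):
    known = 0
    pivot = 0
    for idx, coef in terms:
        if idx == row:
            pivot = coef
        else:
            known += coef * x[idx]
    if pivot == 0:
        raise ValueError(f"equation {row} has no coefficient for byte {row}")
    value, remainder = divmod(rhs - known, pivot)
    if remainder != 0 or not 0 <= value <= 0xff:
        raise ValueError(f"equation {row} has no byte-sized integer solution")
    x.append(value)

target = bytes(x)

# Second half: undo the XOR with the first half, then undo the substitution.
# The result is already plaintext, because the block transform only touches
# the first 8 bytes.
b = bytes(inv[target[i + 8] ^ target[i]] for i in range(8))
# First half: undo the substitution to get the block-transform output.
a = bytes(inv[target[i]] for i in range(8))

v0, v1 = struct.unpack("<II", a)
# Key = plaintext second half followed by the constant copied behind the body.
k0, k1, k2, k3 = struct.unpack("<IIII", b + b"nice2you")

# Run the 32 rounds backwards, starting from the final value of the running sum.
s = (DELTA * 32) & MASK
for _ in range(32):
    v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ ((v0 + s) & MASK) ^ (((v0 >> 5) + k3) & MASK))) & MASK
    v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ ((v1 + s) & MASK) ^ (((v1 >> 5) + k1) & MASK))) & MASK
    s = (s - DELTA) & MASK

a = struct.pack("<II", v0, v1)
print((b"flag{" + a + b + b"}").decode())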
flag
flag{y0u_g0t_p455c0d3}