520迎新赛wp

2022dest0g3（RE）

Day1

simpleXOR

64位无壳，丢进ida

将input[i]与i相加再与247异或，然后和ans比较出flag

int main()
{
    int flag[] = {
        179, 145, 130,128,195,155,206,117,207,156,154,133,133,
        205,184,132,170,125,189,187,177,181,150,113,141,158,134,
        191,115,168,163,156,131,101,158,87};

    for(int i = 0; i <= 36; i++)
    {
        printf("%c", ((flag[i]^247)-i));
    }
}

解出Dest0g3{0bcgf-AdMy892-KobPW-hB6LTqG}

hi

64位无壳，ida

首先对enc进行拆解

int main()
{
    long long enc[6];
    enc[0] = 0x9F8E7A1CC6486497LL;
    enc[1] = 0x69EEF382E760BD46LL;
    enc[2] = 0xB9C017E2E30EF749LL;
    enc[3] = 0x98410148A430392CLL;
    enc[4] = 0xE80E7411E5B5A939LL;

    unsigned char * p = (unsigned char*)enc;
    for(int i = 0; i < 32; i++)
    {
        printf("%d ", *(p++));
    }
}

得出enc数组后开始爆破

int main()
{
	int i; // [rsp+4h] [rbp-ACh]
	int v1; // [rsp+8h] [rbp-A8h]
	char str[100]; // [rsp+40h] [rbp-70h] BYREF
	unsigned __int64 v8; // [rsp+A8h] [rbp-8h]


 	memset(str, 0, sizeof(str));
 	unsigned char enc[45] = {
 		0x97, 0x64, 0x48, 0xC6, 0x1C, 0x7A, 0x8E, 0x9F, 0x46, 0xBD, 0x60, 0xE7, 0x82, 0xF3, 0xEE, 0x69,0x49, 0xF7, 0x0E, 0xE3, 0xE2, 0x17, 0xC0, 0xB9, 0x2C, 0x39, 0x30, 0xA4, 0x48, 0x01, 0x41, 0x98, 0x39, 0xA9, 0xB5, 0xE5, 0x11, 0x74, 0x0E, 0xE8, 0xAC, 0xFD, 0x8B, 0xA5, 0x6D };


 	unsigned char x[45] = {
 		0x7B, 0x51, 0xF3, 0x5A, 0xCC, 0x39, 0xF9, 0x92, 0x1C, 0x9E, 0x58, 0x69, 0x9D, 0xF7, 0xFD, 0x4A, 0x3E, 0xFB, 0x1D, 0x2C, 0x4D, 0x0C, 0x70, 0xB1, 0x3B, 0x8D, 0x25, 0xED, 0x91, 0xB1, 0x73, 0x8D, 0x82, 0xE6, 0xE7, 0x50, 0x20, 0x61, 0x62, 0x3C, 0x00, 0x3A, 0xA6, 0x9D, 0x32 };


 	for (i = 0; i <= 44; ++i)
 	{
  		for (int j = 0; j < 0xff; j++)
  		{	
   			v1 = 23 * j;
   			if (static_cast<unsigned char>((char)v1 + x[i]) == 	static_cast<unsigned char>(enc[i]))
   				{
    				cout << (char)j; break;
   				}
  		}
	 }
}

得出Dest0g3{f982cd79-d7a3-0874-aa0b-a5b37e4445c8}

Day2

tttea

32位ida， 无壳

输入为str，经过函数sub_40116D后与byte_40A01做比较

进入sub_40116D,发现这是个xxtea加密，v4 >> 2代表着组元为4， 即将44位的数组分成11段，写脚本的时候需注意类型转换。

为xxtea加密，不过与原版修改了移位的值和delta

注意，有TLS反调试

因此对其进行分析

首先将0040A018的值改为0x66403319

然后再与上0x12345678

即真正的delta为0x66403319 ^ 0x12345678,即0x74746561

#define DELTA 0x74746561
#define MX (((z>>6^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z))) 

uint32_t key[] = {0x61, 0x65, 0x74, 0x74};//delta

void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1)            /* Coding Part */
    {
        rounds = 6 + 52/n;
        sum = 0;
        z = v[n-1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p=0; p<n-1; p++)
            {
                y = v[p+1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n-1] += MX;
        }
        while (--rounds);
    }
    else if (n < -1)      /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52/n;
        sum = rounds*DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p=n-1; p>0; p--)
            {
                z = v[p-1];
                y = v[p] -= MX;
            }
            z = v[n-1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        while (--rounds);
    }
}

int main()
{
	unsigned char str[] =
{
    3,  35,  34,  47,  54, 136, 253,  67,  33, 232, 
   91, 101,  49,  30,  59, 166,  75, 184, 220, 136, 
  128,  25, 132, 111, 151, 114,  33,  38, 173, 100, 
  238, 187, 136,   4,  77,   6,  47,  38, 229, 107, 
  129,  75, 245, 115,  0};


	btea((uint32_t*)str, -11, key);

	for(int i = 0; i < 45; i++)
	{
		cout << str[i];
	}
    return 0;
}

得出flag：Dest0g3{73dd38c2-9d45-4f7a-9bd0-90a1e9907c1}