2024 春秋杯冬季赛 DAY2 RE wp

前言：当时应该是去打西湖了 就没怎么看day2的题 现在来复现一下

skip

jadx打开附件 发现需要输入用户名和密码

用户名校验的部分在native层 密码被加密算法skip32加密 直接看so先找一下用户名

跟进encrypt可以看出是一个DES 修改了sbox

密文密钥已知 直接本地找个DES的脚本解一下

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

/*--------------------------------------------------------------------------------------------------------------*/

typedef unsigned char ubyte;

/*--------------------------------------------------------------------------------------------------------------*/

#define KEY_LEN 8

typedef ubyte key_t[KEY_LEN];

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte PC1[] = {

    57, 49, 41, 33, 25, 17,  9,

    1, 58, 50, 42, 34, 26, 18,

    10,  2, 59, 51, 43, 35, 27,

    19, 11,  3, 60, 52, 44, 36,

    63, 55, 47, 39, 31, 23, 15,

    7, 62, 54, 46, 38, 30, 22,

    14,  6, 61, 53, 45, 37, 29,

    21, 13,  5, 28, 20, 12,  4

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte PC2[] = {

    14, 17, 11, 24,  1,  5,

    3, 28, 15,  6, 21, 10,

    23, 19, 12,  4, 26,  8,

    16,  7, 27, 20, 13,  2,

    41, 52, 31, 37, 47, 55,

    30, 40, 51, 45, 33, 48,

    44, 49, 39, 56, 34, 53,

    46, 42, 50, 36, 29, 32

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte IP[] = {

    58, 50, 42, 34, 26, 18, 10,  2,

    60, 52, 44, 36, 28, 20, 12,  4,

    62, 54, 46, 38, 30, 22, 14,  6,

    64, 56, 48, 40, 32, 24, 16,  8,

    57, 49, 41, 33, 25, 17,  9,  1,

    59, 51, 43, 35, 27, 19, 11,  3,

    61, 53, 45, 37, 29, 21, 13,  5,

    63, 55, 47, 39, 31, 23, 15,  7

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte E[] = {

    32,  1,  2,  3,  4,  5,

    4,  5,  6,  7,  8,  9,

    8,  9, 10, 11, 12, 13,

    12, 13, 14, 15, 16, 17,

    16, 17, 18, 19, 20, 21,

    20, 21, 22, 23, 24, 25,

    24, 25, 26, 27, 28, 29,

    28, 29, 30, 31, 32,  1

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte S[][64] = {

    {

        6, 6, 4, 9, 6, 7, 4, 11, 0, 2, 8, 12, 10, 8, 0, 1, 12, 6, 9, 9, 3, 7, 11, 5, 4, 13, 1, 3, 15, 8, 10, 13, 5, 13, 10, 2, 12, 0, 14, 13, 11, 14, 5, 3, 2, 8, 14, 3, 14, 4, 11, 7, 15, 5, 1, 7, 1, 12, 9, 0, 10, 2, 15, 15

},

{

        10, 2, 4, 8, 12, 15, 3, 10, 4, 8, 3, 4, 14, 5, 7, 15, 15, 8, 0, 7, 9, 4, 13, 0, 5, 8, 11, 14, 6, 2, 2, 6, 13, 9, 2, 3, 10, 7, 1, 9, 5, 15, 1, 11, 9, 14, 13, 11, 7, 12, 12, 5, 1, 10, 14, 6, 6, 0, 0, 12, 3, 1, 11, 13

},

{

        10, 0, 0, 6, 5, 13, 9, 14, 3, 1, 1, 8, 13, 9, 8, 15, 12, 7, 1, 3, 15, 7, 11, 7, 5, 10, 3, 10, 2, 6, 8, 10, 9, 3, 2, 14, 14, 11, 11, 2, 13, 15, 7, 6, 8, 4, 4, 12, 0, 1, 14, 5, 12, 12, 4, 2, 6, 9, 4, 5, 11, 15, 0, 13

},

{

        6, 12, 1, 11, 14, 0, 4, 4, 4, 2, 15, 3, 3, 1, 1, 2, 8, 0, 9, 6, 0, 8, 13, 2, 12, 3, 3, 10, 7, 15, 12, 8, 15, 14, 7, 4, 6, 14, 1, 7, 7, 9, 6, 9, 15, 5, 11, 0, 10, 13, 13, 9, 13, 5, 5, 11, 12, 11, 8, 2, 5, 10, 14, 10

},

{

        5, 5, 7, 9, 9, 13, 0, 5, 6, 11, 12, 5, 4, 15, 0, 12, 11, 13, 13, 10, 8, 2, 13, 3, 3, 14, 14, 6, 9, 3, 0, 7, 10, 9, 7, 8, 10, 2, 1, 0, 6, 14, 15, 8, 14, 15, 2, 1, 7, 6, 15, 10, 3, 12, 12, 4, 1, 8, 4, 11, 2, 1, 11, 4

},

{

        14, 6, 14, 6, 0, 13, 9, 5, 5, 11, 0, 7, 2, 3, 0, 0, 3, 13, 8, 2, 15, 9, 1, 7, 9, 1, 12, 4, 10, 9, 8, 11, 4, 1, 6, 15, 12, 14, 11, 2, 5, 14, 13, 4, 3, 7, 1, 15, 11, 10, 3, 7, 8, 8, 15, 5, 12, 12, 10, 10, 4, 6, 13, 2

},

{

        15, 14, 10, 3, 3, 15, 12, 14, 0, 2, 14, 12, 8, 0, 5, 6, 14, 2, 0, 1, 8, 1, 13, 4, 11, 4, 7, 11, 9, 15, 1, 12, 5, 0, 7, 13, 6, 10, 6, 12, 11, 6, 13, 3, 8, 4, 9, 9, 13, 4, 2, 5, 1, 7, 9, 5, 7, 2, 8, 15, 3, 10, 10, 11

},

{

        4, 7, 4, 15, 0, 5, 9, 14, 8, 11, 13, 0, 7, 3, 1, 2, 1, 6, 7, 5, 12, 4, 13, 13, 8, 1, 5, 12, 11, 9, 5, 11, 6, 10, 3, 1, 15, 14, 14, 15, 9, 9, 15, 2, 12, 12, 14, 0, 4, 8, 6, 3, 11, 7, 3, 6, 10, 2, 0, 2, 8, 10, 10, 13

}

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte P[] = {

    16,  7, 20, 21,

    29, 12, 28, 17,

    1, 15, 23, 26,

    5, 18, 31, 10,

    2,  8, 24, 14,

    32, 27,  3,  9,

    19, 13, 30,  6,

    22, 11,  4, 25

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte IP2[] = {

    40,  8, 48, 16, 56, 24, 64, 32,

    39,  7, 47, 15, 55, 23, 63, 31,

    38,  6, 46, 14, 54, 22, 62, 30,

    37,  5, 45, 13, 53, 21, 61, 29,

    36,  4, 44, 12, 52, 20, 60, 28,

    35,  3, 43, 11, 51, 19, 59, 27,

    34,  2, 42, 10, 50, 18, 58, 26,

    33,  1, 41,  9, 49, 17, 57, 25

};

/*--------------------------------------------------------------------------------------------------------------*/

const static ubyte SHIFTS[] = {

    1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1

};

/*--------------------------------------------------------------------------------------------------------------*/

typedef struct {

    ubyte *data;

    int len;

} String;

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Transform a single nibble into a hex character

*

* in: a value < 0x10

*

* returns: the character that represents the nibble

*/

static char toHex(ubyte in) {

    if (0x00 <= in && in < 0x0A) {

        return '0' + in;

    }

    if (0x0A <= in && in <= 0x0F) {

        return 'A' + in - 0x0A;

    }

    return 0;

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Convert an array of bytes into a string

*

* ptr: the array of bytes

* len: the number of bytes

* out: a buffer allocated by the caller with enough space for 2*len+1 characters

*/

static void printBytes(const ubyte *ptr, int len, char *out) {

    while (len-- > 0) {

        *out++ = toHex(*ptr >> 4);

        *out++ = toHex(*ptr & 0x0F);

  

        ptr++;

    }

    *out = 0;

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Gets the value of a bit in an array of bytes

*

* src: the array of bytes to index

* index: the desired bit to test the value of

*

* returns: the bit at the specified position in the array

*/

static int peekBit(const ubyte *src, int index) {

    int cell = index / 8;

    int bit = 7 - index % 8;

    return (src[cell] & (1 << bit)) != 0;

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Sets the value of a bit in an array of bytes

*

* dst: the array of bits to set a bit in

* index: the position of the bit to set

* value: the value for the bit to set

*/

static void pokeBit(ubyte *dst, int index, int value) {

    int cell = index / 8;

    int bit = 7 - index % 8;

    if (value == 0) {

        dst[cell] &= ~(1 << bit);

    }

    else {

        dst[cell] |= (1 << bit);

    }

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Transforms one array of bytes by shifting the bits the specified number of positions

*

* src: the array to shift bits from

* len: the length of the src array

* times: the number of positions that the bits should be shifted

* dst: a bytes array allocated by the caller to store the shifted values

*/

static void shiftLeft(const ubyte *src, int len, int times, ubyte *dst) {

    int i, t;

    for (i = 0; i <= len; ++i) {

        pokeBit(dst, i, peekBit(src, i));

    }

    for (t = 1; t <= times; ++t) {

        int temp = peekBit(dst, 0);

        for (i = 1; i <= len; ++i) {

            pokeBit(dst, i - 1, peekBit(dst, i));

        }

        pokeBit(dst, len - 1, temp);

    }

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Calculates the sub keys to be used in processing the messages

*

* key: the array of bytes representing the key

* ks: the subkeys that have been allocated by the caller

*/

typedef ubyte subkey_t[17][6]; /* 17 sets of 48 bits */

static void getSubKeys(const key_t key, subkey_t ks) {

    ubyte c[17][7];  /* 56 bits */

    ubyte d[17][4];  /* 28 bits */

    ubyte kp[7];

    int i, j;

  

    /* intialize */

    memset(c, 0, sizeof(c));

    memset(d, 0, sizeof(d));

    memset(ks, 0, sizeof(subkey_t));

  

    /* permute 'key' using table PC1 */

    for (i = 0; i < 56; ++i) {

        pokeBit(kp, i, peekBit(key, PC1[i] - 1));

    }

  

    /* split 'kp' in half and process the resulting series of 'c' and 'd' */

    for (i = 0; i < 28; ++i) {

        pokeBit(c[0], i, peekBit(kp, i));

        pokeBit(d[0], i, peekBit(kp, i + 28));

    }

  

    /* shift the components of c and d */

    for (i = 1; i < 17; ++i) {

        shiftLeft(c[i - 1], 28, SHIFTS[i - 1], c[i]);

        shiftLeft(d[i - 1], 28, SHIFTS[i - 1], d[i]);

    }

  

    /* merge 'd' into 'c' */

    for (i = 1; i < 17; ++i) {

        for (j = 28; j < 56; ++j) {

            pokeBit(c[i], j, peekBit(d[i], j - 28));

        }

    }

  

    /* form the sub-keys and store them in 'ks'

    * permute 'c' using table PC2 */

    for (i = 1; i < 17; ++i) {

        for (j = 0; j < 48; ++j) {

            pokeBit(ks[i], j, peekBit(c[i], PC2[j] - 1));

        }

    }

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Function used in processing the messages

*

* r: an array of bytes to be processed

* ks: one of the subkeys to be used for processing

* sp: output from the processing

*/

static void f(ubyte *r, ubyte *ks, ubyte *sp) {

    ubyte er[6]; /* 48 bits */

    ubyte sr[4]; /* 32 bits */

    int i;

  

    /* initialize */

    memset(er, 0, sizeof(er));

    memset(sr, 0, sizeof(sr));

  

    /* permute 'r' using table E */

    for (i = 0; i < 48; ++i) {

        pokeBit(er, i, peekBit(r, E[i] - 1));

    }

  

    /* xor 'er' with 'ks' and store back into 'er' */

    for (i = 0; i < 6; ++i) {

        er[i] ^= ks[i];

    }

  

    /* process 'er' six bits at a time and store resulting four bits in 'sr' */

    for (i = 0; i < 8; ++i) {

        int j = i * 6;

        int b[6];

        int k, row, col, m, n;

  

        for (k = 0; k < 6; ++k) {

            b[k] = peekBit(er, j + k) != 0 ? 1 : 0;

        }

  

        row = 2 * b[0] + b[5];

        col = 8 * b[1] + 4 * b[2] + 2 * b[3] + b[4];

        m = S[i][row * 16 + col]; /* apply table s */

        n = 1;

  

        while (m > 0) {

            int p = m % 2;

            pokeBit(sr, (i + 1) * 4 - n, p == 1);

            m /= 2;

            n++;

        }

    }

  

    /* permute sr using table P */

    for (i = 0; i < 32; ++i) {

        pokeBit(sp, i, peekBit(sr, P[i] - 1));

    }

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Processing of block of the message

*

* message: an 8 byte block from the message

* ks: the subkeys to use in processing

* ep: space for an encoded 8 byte block allocated by the caller

*/

static void processMessage(const ubyte *message, subkey_t ks, ubyte *ep) {

    ubyte left[17][4];  /* 32 bits */

    ubyte right[17][4]; /* 32 bits */

    ubyte mp[8];        /* 64 bits */

    ubyte e[8];         /* 64 bits */

    int i, j;

  

    /* permute 'message' using table IP */

    for (i = 0; i < 64; ++i) {

        pokeBit(mp, i, peekBit(message, IP[i] - 1));

    }

  

    /* split 'mp' in half and process the resulting series of 'l' and 'r */

    for (i = 0; i < 32; ++i) {

        pokeBit(left[0], i, peekBit(mp, i));

        pokeBit(right[0], i, peekBit(mp, i + 32));

    }

    for (i = 1; i < 17; ++i) {

        ubyte fs[4]; /* 32 bits */

  

        memcpy(left[i], right[i - 1], 4);

        f(right[i - 1], ks[i], fs);

        for (j = 0; j < 4; ++j) {

            left[i - 1][j] ^= fs[j];

        }

        memcpy(right[i], left[i - 1], 4);

    }

  

    /* amalgamate r[16] and l[16] (in that order) into 'e' */

    for (i = 0; i < 32; ++i) {

        pokeBit(e, i, peekBit(right[16], i));

    }

    for (i = 32; i < 64; ++i) {

        pokeBit(e, i, peekBit(left[16], i - 32));

    }

  

    /* permute 'e' using table IP2 ad return result as a hex string */

    for (i = 0; i < 64; ++i) {

        pokeBit(ep, i, peekBit(e, IP2[i] - 1));

    }

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Encrypts a message using DES

*

* key: the key to use to encrypt the message

* message: the message to be encrypted

* len: the length of the message

*

* returns: a paring of dynamically allocated memory for the encoded message,

*          and the length of the encoded message.

*          the caller will need to free the memory after use.

*/

String encrypt(const key_t key, const ubyte *message, int len) {

    String result = { 0, 0 };

    subkey_t ks;

    ubyte padByte;

    int i;

  

    getSubKeys(key, ks);

  

    padByte = 8 - len % 8;

    result.len = len + padByte;

    result.data = (ubyte*)malloc(result.len);

    memcpy(result.data, message, len);

    memset(&result.data[len], padByte, padByte);

  

    for (i = 0; i < result.len; i += 8) {

        processMessage(&result.data[i], ks, &result.data[i]);

    }

  

    return result;

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Decrypts a message using DES

*

* key: the key to use to decrypt the message

* message: the message to be decrypted

* len: the length of the message

*

* returns: a paring of dynamically allocated memory for the decoded message,

*          and the length of the decoded message.

*          the caller will need to free the memory after use.

*/

String decrypt(const key_t key, const ubyte *message, int len) {

    String result = { 0, 0 };

    subkey_t ks;

    int i, j;

    ubyte padByte;

  

    getSubKeys(key, ks);

    /* reverse the subkeys */

    for (i = 1; i < 9; ++i) {

        for (j = 0; j < 6; ++j) {

            ubyte temp = ks[i][j];

            ks[i][j] = ks[17 - i][j];

            ks[17 - i][j] = temp;

        }

    }

  

    result.data = (ubyte*)malloc(len);

    memcpy(result.data, message, len);

    result.len = len;

    for (i = 0; i < result.len; i += 8) {

        processMessage(&result.data[i], ks, &result.data[i]);

    }

  

    padByte = result.data[len - 1];

    result.len -= padByte;

    return result;

}

/*--------------------------------------------------------------------------------------------------------------*/

/*

* Convienience method for showing the round trip processing of a message

*/

void driver(const key_t key, const ubyte *message, int len) {

    String encoded, decoded;

    char buffer[128];

  

    printBytes(key, KEY_LEN, buffer);

    printf("Key     : %s\n", buffer);

  

    printBytes(message, len, buffer);

    printf("Message : %s\n", buffer);

  

    encoded = encrypt(key, message, len);

    printBytes(encoded.data, encoded.len, buffer);

    printf("Encoded : %s\n", buffer);

  

    decoded = decrypt(key, encoded.data, encoded.len);

    printBytes(decoded.data, decoded.len, buffer);

    printf("Decoded : %s\n\n", buffer);

  

    /* release allocated memory */

    if (encoded.len > 0) {

        free(encoded.data);

        encoded.data = 0;

    }

    if (decoded.len > 0) {

        free(decoded.data);

        decoded.data = 0;

    }

}

/*--------------------------------------------------------------------------------------------------------------*/

void main()

{

    String decoded;

    int len;

    //密钥

    const key_t key = {107, 101, 121, 33, 107, 101, 121, 33 };

    //密文

    const ubyte data[] = {125, 234, 224, 219, 27, 214, 109, 85, 209, 233, 192, 113, 12, 1, 19, 43};

    //密文长度

    len = sizeof(data) / sizeof(ubyte);

    decoded = decrypt(key, data, len);

    printf("Decoded:%s\n", decoded.data);

    //释放内存

    if (decoded.len > 0) {

        free(decoded.data);

        decoded.data = 0;

    }

    return;

}
//sd77cfe8

然后开始解skip32 网上找了一套python的源码 这里做了一个魔改 修改了一下key的长度 原本的skip32的key是10字节 这里修改为8字节 所以修改一下脚本 但是直接解没有解开 于是看一下so文件 发现对FTABLE进行了一些操作 修改了他原本的值

所以hook一下这个FTABLE

Java.perform(function()

{

    let Skip32 = Java.use("com.ex.skip.Skip32");

    var FTABLE = Skip32.FTABLE.value;

    console.log(FTABLE);

})

164,216,10,132,249,73,247,245,180,34,22,121,154,178,176,250,232,46,78,139,207,77,203,47,83,150,218,31,79,57,69,41,11,224,3,161,24,242,97,105,19,184,123,196,234,251,62,84,151,133,108,187,243,100,155,26,125,175,230,246,248,23,107,163,58,183,124,16,194,148,130,28,239,181,27,235,209,146,48,185,86,186,219,134,64,66,192,225,91,89,129,96,103,12,217,145,54,214,193,168,52,7,102,106,70,1,149,87,110,153,156,119,152,253,179,195,177,255,220,33,226,236,215,229,222,72,75,30,67,238,159,111,74,61,206,68,40,211,8,213,223,200,104,25,138,204,49,32,142,199,144,171,201,117,221,202,94,93,50,165,113,137,98,45,160,14,44,136,81,131,85,101,39,126,4,65,53,76,29,116,210,197,254,60,205,252,128,172,231,63,92,166,174,5,36,157,21,82,35,241,42,122,114,127,0,141,15,227,13,240,189,115,118,112,56,162,237,212,143,99,140,135,17,233,9,120,18,191,147,80,37,198,51,55,158,208,244,167,188,173,95,109,170,20,88,38,182,228,190,169,59,2,6,90,43,71

再去解密还是解不开 运行了一下之前解密用户名的脚本 发现每次生成用户名的第一个字符不一样

这里我直接暴力猜测第一个字符了 从0开始 尝试到7的时候 发现可以正确解出密码 所以用户名就是7d77cfe8

import struct  
FTABLE = (  
    164, 216, 10, 132, 249, 73, 247, 245, 180, 34, 22, 121, 154, 178, 176, 250, 232, 46, 78, 139, 207, 77, 203, 47, 83, 150,  
    218, 31, 79, 57, 69, 41, 11, 224, 3, 161, 24, 242, 97, 105, 19, 184, 123, 196, 234, 251, 62, 84, 151, 133, 108, 187,  
    243, 100, 155, 26, 125, 175, 230, 246, 248, 23, 107, 163, 58, 183, 124, 16, 194, 148, 130, 28, 239, 181, 27, 235, 209,  
    146, 48, 185, 86, 186, 219, 134, 64, 66, 192, 225, 91, 89, 129, 96, 103, 12, 217, 145, 54, 214, 193, 168, 52, 7, 102,  
    106, 70, 1, 149, 87, 110, 153, 156, 119, 152, 253, 179, 195, 177, 255, 220, 33, 226, 236, 215, 229, 222, 72, 75, 30, 67,  
    238, 159, 111, 74, 61, 206, 68, 40, 211, 8, 213, 223, 200, 104, 25, 138, 204, 49, 32, 142, 199, 144, 171, 201, 117, 221,  
    202, 94, 93, 50, 165, 113, 137, 98, 45, 160, 14, 44, 136, 81, 131, 85, 101, 39, 126, 4, 65, 53, 76, 29, 116, 210, 197,  
    254, 60, 205, 252, 128, 172, 231, 63, 92, 166, 174, 5, 36, 157, 21, 82, 35, 241, 42, 122, 114, 127, 0, 141, 15, 227, 13,  
    240, 189, 115, 118, 112, 56, 162, 237, 212, 143, 99, 140, 135, 17, 233, 9, 120, 18, 191, 147, 80, 37, 198, 51, 55, 158,  
    208, 244, 167, 188, 173, 95, 109, 170, 20, 88, 38, 182, 228, 190, 169, 59, 2, 6, 90, 43, 71)  
  
  
def g(key, k, w):  
    g1 = 0xFF & (w >> 8)  
    g2 = 0xFF & w  
  
    g3 = FTABLE[g2 ^ key[(4 * k + 0) % 8]] ^ g1  
    g4 = FTABLE[g3 ^ key[(4 * k + 1) % 8]] ^ g2  
    g5 = FTABLE[g4 ^ key[(4 * k + 2) % 8]] ^ g3  
    g6 = FTABLE[g5 ^ key[(4 * k + 3) % 8]] ^ g4  
  
    return ((g5 << 8) + g6)  
  
  
def skip32(key, buf, encrypt):  
    # sort out direction  
    if encrypt:  
        k, step = 0, 1  
    else:  
        k, step = 23, -1  
  
    # pack into words  
    wl = (buf[0] << 8) + buf[1]  
    wr = (buf[2] << 8) + buf[3]  
  
    # 24 feistel rounds, doubled up  
    for _ in range(12):  
        wr ^= g(key, k, wl) ^ k  
        k += step  
        wl ^= g(key, k, wr) ^ k  
        k += step  
  
    # implicitly swap halves while unpacking  
    buf[0] = (wr >> 8)  
    buf[1] = (wr & 0xFF)  
    buf[2] = (wl >> 8)  
    buf[3] = (wl & 0xFF)  
  
  
  
def decrypt(key, value):  
    buf = [  
        (value >> 24) & 0xff,  
        (value >> 16) & 0xff,  
        (value >> 8) & 0xff,  
        (value >> 0) & 0xff,  
    ]  
    skip32(key, buf, False)  
    return (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]  
  
  
key = b"7d77cfe8"  
encrypted = [52, 142, 226, 172, 108, 94, 80, 51, 11, 251, 68, 164, 231, 6, 124, 223, 100, 62, 116, 70]  
  
  
# Decrypt the encrypted values  
for i in range(0, 20, 4):  
    password = (encrypted[i] << 24) | (encrypted[i + 1] << 16) | (encrypted[i + 2] << 8) | (encrypted[i + 3])  
    decrypted_password = decrypt(key,password)  
    encrypted[i] = (decrypted_password >> 24) & 0xff  
    encrypted[i + 1] = (decrypted_password >> 16) & 0xff  
    encrypted[i + 2] = (decrypted_password >> 8) & 0xff  
    encrypted[i + 3] = decrypted_password & 0xff  
  
result = ''.join(chr(password) for password in encrypted)  
print(result)  
#c58b6a2f988bc9434a45

成功拿到flag

Nu1tka

逻辑很简单 调试过程很折磨人
ida打开附件 发现是一个跳板程序 直接打个断点找到真正的程序

dump下来 ida打开dump下来的Nu1tka.exe 交叉引用_main_字符串以及动态调试 定位到关键函数

随后一点一点看 分析main_0
这里计算了长度并且比较 得知flag长度是40

这里将输入的flag每4位转化为bytes 所以key跟enc应该是每个数组10个元素

经过反复的调试 找到enc跟key 提取出来

最后的加密 enc跟key异或

写脚本求一下
发现有别的多余的字符 在程序中没发现别的运算 只有xor 所以根据文件头计算一下那些乱码异或的值 得到flag

from Crypto.Util.number import *  
key = [0x35138033, 0x185A0194, 0x34C41B8F, 0x0B1E6089, 0x0DB7419B, 0x1C6873F3, 0x049FAA92, 0x30D6B47E, 0x23AD4395, 0x33EA34C7]  
enc = [0x1272EC55, 0x286F64EF, 0x0CA02DED, 0x3A2A4DEF, 0x299A25FA, 0x310B4BC2, 0x22A89BF4, 0x12E28553, 0x109920A3, 0x0EDD52A6]  
flag = "".join(long_to_bytes(e ^ k)[::-1].decode('utf-8') for e, k in zip(enc, key))  
print(flag)  
print((ord('=') ^ ord('}')))  # 64  
for c in "\'$&\"":  
    print(chr(ord(c) ^ 64))  
#flag{e50b6d8f-41ad-d18c-f17f-14b6c43af7}