2020-DDCTF

ctf 2 minutes read (About 371 words)

这次re全是安卓,后面两题连脱壳的环境都没搭好……

re1

安卓逆向,但是没加壳,很容易找到判断的逻辑,两层加密最后经过一层md5,后来更新提示把md5之前的结果给出来了,就很好逆了。

整个程序流程是一个AES加密之后进行XXTEA加密,只是AES的S盒经过了处理,逆回来就可以发现是AES的S盒,直接上脚本解密就好了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
from Crypto.Cipher import AES
from binascii import a2b_hex

_DELTA = 0x9E3779B9

def decrypt_xxtea(str):
    if str == '': return str
    v = str
    k = [2, 2, 3, 4]
    n = len(v) - 1
    z = v[n]
    y = v[0]
    q = 6 + 52 // (n + 1)
    sum = (q * _DELTA) & 0xffffffff
    while (sum != 0):
        e = sum >> 2 & 3
        for p in range(n, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
            y = v[p]
        z = v[n]
        v[0] = (v[0] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[0 & 3 ^ e] ^ z))) & 0xffffffff
        y = v[0]
        sum = (sum - _DELTA) & 0xffffffff
    return v

t = [0x15ef75f4, 0xc4277b7a, 0xe7f4412d, 0x78e78345, 0xecf16de2, 0xd5d29477, 0x2169b3a0, 0x2a685baa]
target = decrypt_xxtea(t)
s = ""
for i in target:
    tmp = hex(i)[2:].rjust(8, '0')
    s += tmp[-2:]
    s += tmp[-4:-2]
    s += tmp[-6:-4]
    s += tmp[-8:-6]
s = s.encode()

def decrypt(text):
    key = b"1234567890123456"
    # iv = b"\x9d\x25\xdd\xe0\xc1\x37\x86\x21\x32\xec\x0c\x32\x4c\xfb\xf0\x46"
    mode = AES.MODE_ECB
    cryptos = AES.new(key, mode)
    plain_text = cryptos.decrypt(a2b_hex(text))
    return plain_text

d = decrypt(s)
print("解密:", d)
# 解密: b'DDCTF{qazasd1234$}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

得到flag

2020-ciscn 西北赛区分区赛 2020-钓鱼城杯-wp

Comments

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×