codegate2020

Author Avatar
Xzhah 2月 11, 2020
  • 在其它设备中阅读本文章

[TOC]

Reverse

RS

rust逆向,没逆国rust逆向,参考https://blog.csdn.net/qq_33438733/article/details/81138573 现学现做

总的来说,盯死密文产生的内存位置,确定到关键函数就出了,还是挺简单的。逆向的时候把地址随机化关了会方便很多。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
def my_55eab0(a1,a2):
	v3=0
	v4=a1
	v5=a2
	while(v5):
		if(v5%2!=0):
			v3=v3^v4
		v5=v5>>1
		v4=v4*2
		if(v4>=0x100):
			v4=v4^0x11d
	return v3

def re_my_55eab0(a1,a2):
	for i in range(0,0xff):
		if my_55eab0(a1,i)==a2:
			return i

'''aa=my_55eab0(3,66)
bb=re_my_55eab0(3,aa)
print bb'''


def my_55ea90(a1,a2):
	return a1^a2

def my_block_encrypt(msg,tmp_ci):
	for j in range(16):
		for i in range(32):
			v37=msg[i+1+j]
			v35=tmp_ci[i+1]
			v33=msg[j]
			v22=my_55eab0(v35,v33)
			v23=my_55ea90(v37,v22)
			msg[i+1+j]=v23
	
'''tmp=my_55eab0(0x36,0x37)
print hex(tmp)'''

def my_block_decrypt(ci,tmp_ci):
	for j in range(16):
		for i in range(32):
			if(i==0):
				v1=ci[47-i-j]
				v2=0^v1
				v3=tmp_ci[32-i]
				v33=re_my_55eab0(v3,v2)
				print v33,i,j,v3,v2
				ci[15-j]=v33
			v35=tmp_ci[32-i]
			v22=my_55eab0(v35,ci[15-j])
			#print v22,ci[47-i-j],47-i-j,ci
			ci[47-i-j]=ci[47-i-j]^v22
tmp_ci=[0x01,0x74,0x40,0x34,0xAE,0x36,0x7E,0x10,0xC2,0xA2,0x21,0x21,0x9D,0xB0,0xC5,0xE1,0xC,0x3B,0x37,0xFD,0xE4,0x94,0x2F,0xB3,0xB9,0x18,0x8A,0xFD,0x14,0x8E,0x37,0xAC,0x58]
msg=[0xA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
res=my_block_encrypt(msg,tmp_ci)
#print map(hex,msg)
block_ci=msg[16:]
print map(hex,block_ci)
ci=[0xef,0x43,0x4b,0x3f,0x5e,0xb9,0xf0,0xd0,0x8c,0xb5,0x7e,0x6f,0x7b,0xc8,0xa6,0x7b,0x09,0xe2,0x61,0x9d,0x98,0x03,0x5f,0x56,0x5d,0x66,0x82,0x0b,0x9e,0x2b,0x76,0x92,0x5b,0xc3,0xdc,0xf2,0x3c,0xd0,0xb6,0x81,0x60,0x34,0xa5,0x66,0xca,0xbd,0x7d,0x6a,0x00,0xfe,0xe4,0x0b,0x44,0xe1,0xba,0x81,0xcb,0xae,0x8b,0x24,0x0b,0xa5,0x1f,0x6d,0xba,0x0e,0x61,0x1a,0x30,0xa7,0x77,0x51,0x23,0x41,0xa6,0x1a,0xc0,0x7f,0x71,0x71,0x9f,0xd5,0x93,0xe5,0x38,0xce,0x52,0x8b,0x25,0x86,0xb3,0x12,0xb7,0xa7,0x1c,0x43,0xb4,0x08,0x81,0x47,0xae,0xd6,0x18,0x46,0xc5,0x6b,0x69,0x63,0x0b,0xcc,0x95,0xab,0x49,0x53,0x6f,0xde,0xbe,0x2f,0x2e,0xd9,0x9b,0xdc,0xdd,0x76,0x69,0xa4,0xf0,0x58]
t_ci=[]
flag=''
for i in range(4):
	t_ci=[]
	for k in range(16):
		t_ci.append(0)
	for k in range(32*i,32*(i+1)):
		t_ci.append(ci[k])
	my_block_decrypt(t_ci,tmp_ci)
	print map(chr,t_ci)
	
	for k in range(16):
		flag+=chr(t_ci[k])
print flag