codegate2020

Author Avatar
Xzhah 2月 11, 2020
  • 在其它设备中阅读本文章

[TOC]

Reverse

RS

rust逆向,没逆国rust逆向,参考https://blog.csdn.net/qq_33438733/article/details/81138573 现学现做

总的来说,盯死密文产生的内存位置,确定到关键函数就出了,还是挺简单的。逆向的时候把地址随机化关了会方便很多。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
def my_55eab0(a1,a2):
v3=0
v4=a1
v5=a2
while(v5):
if(v5%2!=0):
v3=v3^v4
v5=v5>>1
v4=v4*2
if(v4>=0x100):
v4=v4^0x11d
return v3
def re_my_55eab0(a1,a2):
for i in range(0,0xff):
if my_55eab0(a1,i)==a2:
return i
'''aa=my_55eab0(3,66)
bb=re_my_55eab0(3,aa)
print bb'''
def my_55ea90(a1,a2):
return a1^a2
def my_block_encrypt(msg,tmp_ci):
for j in range(16):
for i in range(32):
v37=msg[i+1+j]
v35=tmp_ci[i+1]
v33=msg[j]
v22=my_55eab0(v35,v33)
v23=my_55ea90(v37,v22)
msg[i+1+j]=v23
'''tmp=my_55eab0(0x36,0x37)
print hex(tmp)'''
def my_block_decrypt(ci,tmp_ci):
for j in range(16):
for i in range(32):
if(i==0):
v1=ci[47-i-j]
v2=0^v1
v3=tmp_ci[32-i]
v33=re_my_55eab0(v3,v2)
print v33,i,j,v3,v2
ci[15-j]=v33
v35=tmp_ci[32-i]
v22=my_55eab0(v35,ci[15-j])
#print v22,ci[47-i-j],47-i-j,ci
ci[47-i-j]=ci[47-i-j]^v22
tmp_ci=[0x01,0x74,0x40,0x34,0xAE,0x36,0x7E,0x10,0xC2,0xA2,0x21,0x21,0x9D,0xB0,0xC5,0xE1,0xC,0x3B,0x37,0xFD,0xE4,0x94,0x2F,0xB3,0xB9,0x18,0x8A,0xFD,0x14,0x8E,0x37,0xAC,0x58]
msg=[0xA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
res=my_block_encrypt(msg,tmp_ci)
#print map(hex,msg)
block_ci=msg[16:]
print map(hex,block_ci)
ci=[0xef,0x43,0x4b,0x3f,0x5e,0xb9,0xf0,0xd0,0x8c,0xb5,0x7e,0x6f,0x7b,0xc8,0xa6,0x7b,0x09,0xe2,0x61,0x9d,0x98,0x03,0x5f,0x56,0x5d,0x66,0x82,0x0b,0x9e,0x2b,0x76,0x92,0x5b,0xc3,0xdc,0xf2,0x3c,0xd0,0xb6,0x81,0x60,0x34,0xa5,0x66,0xca,0xbd,0x7d,0x6a,0x00,0xfe,0xe4,0x0b,0x44,0xe1,0xba,0x81,0xcb,0xae,0x8b,0x24,0x0b,0xa5,0x1f,0x6d,0xba,0x0e,0x61,0x1a,0x30,0xa7,0x77,0x51,0x23,0x41,0xa6,0x1a,0xc0,0x7f,0x71,0x71,0x9f,0xd5,0x93,0xe5,0x38,0xce,0x52,0x8b,0x25,0x86,0xb3,0x12,0xb7,0xa7,0x1c,0x43,0xb4,0x08,0x81,0x47,0xae,0xd6,0x18,0x46,0xc5,0x6b,0x69,0x63,0x0b,0xcc,0x95,0xab,0x49,0x53,0x6f,0xde,0xbe,0x2f,0x2e,0xd9,0x9b,0xdc,0xdd,0x76,0x69,0xa4,0xf0,0x58]
t_ci=[]
flag=''
for i in range(4):
t_ci=[]
for k in range(16):
t_ci.append(0)
for k in range(32*i,32*(i+1)):
t_ci.append(ci[k])
my_block_decrypt(t_ci,tmp_ci)
print map(chr,t_ci)
for k in range(16):
flag+=chr(t_ci[k])
print flag