[reverse]河北省职工职业技能大赛决赛re2(rotate-xtea-aes)

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *v3; // rdi
  int v4; // r15d
  unsigned __int64 i; // rbx
  unsigned int *v6; // rbx
  __int64 v7; // rdi
  __int64 v8; // rsi
  char *v9; // rax
  int v10; // r12d
  int v11; // r14d
  char *v12; // r13
  _QWORD *v13; // rsi
  void *v14; // rax
  void *v15; // rbx
  int v16; // edi
  void *Block; // [rsp+20h] [rbp-89h] BYREF
  int v19; // [rsp+28h] [rbp-81h]
  int v20; // [rsp+2Ch] [rbp-7Dh]
  __int128 v21; // [rsp+30h] [rbp-79h] BYREF
  __int128 v22; // [rsp+40h] [rbp-69h]
  char Buffer[16]; // [rsp+50h] [rbp-59h] BYREF
  __int128 v24; // [rsp+60h] [rbp-49h]
  char v25; // [rsp+70h] [rbp-39h]
  __int128 Src[4]; // [rsp+80h] [rbp-29h] BYREF
  char v27; // [rsp+C0h] [rbp+17h]

  memset(Src, 0, sizeof(Src));
  v27 = 0;
  v21 = 0i64;
  v22 = 0i64;
  sub_7FF601481010("flag:\r\n", argv, envp);
  v25 = 0;
  *Buffer = 0i64;
  v24 = 0i64;
  sub_7FF601481BA0("%32s");
  v3 = Buffer;
  v4 = 0;
  for ( i = 0i64; i < 0x10; ++i )
  {
    sub_7FF601481C00(v3, "%02hhX");             // str-hex
    v3 += 2;
  }
  rotate(Src);                                  // 循环左移
  v6 = &v21;
  v21 = Src[0];
  Block = 0x341200001212i64;                    // xtea的密钥
  v7 = 2i64;
  v19 = 0x5612;                                 // xtea的密钥
  v20 = 0x8923;                                 // xtea的密钥
  do
  {
    xtea(v6, &Block);
    v6 += 2;
    --v7;
  }
  while ( v7 );
  v8 = -1i64;
  Src[0] = v21;
  do
    ++v8;
  while ( *(Src + v8) );
  LODWORD(v21) = 4;
  *&v22 = aDfb8007c773561;                      // aes的密钥
  *(&v21 + 4) = 0x100000004i64;
  HIDWORD(v21) = 10;
  v9 = sub_7FF601481070(&v21);                  // aes密钥扩展算法
  v10 = v21;
  Block = v9;
  if ( v8 % (4 * v21) )
    v11 = 4 * v21 * (v8 / (4 * v21) + 1);
  else
    v11 = v8;
  v12 = operator new(v11);
  memcpy(v12, Src, v8);
  memset(&v12[v8], 0, v11 - v8);
  v13 = operator new(v11);
  if ( v11 / (4 * v10) > 0 )
  {
    do
    {
      v14 = sub_7FF6014813E0(&v21, &v12[4 * v10 * v4], Block);// aes加密，ecb
      v10 = v21;
      v15 = v14;
      v16 = 4 * v21;
      memcpy(v13 + 4 * v21 * v4, v14, 4 * v21);
      j_j_free(v15);
      ++v4;
    }
    while ( v4 < v11 / v16 );
  }
  j_j_free(Block);
  j_j_free(v12);
  if ( *v13 == qword_7FF6014860A0 && v13[1] == qword_7FF6014860A8 )// 密文
    puts("Congratulations!");
  else
    sub_7FF601481010("no!\n");
  return 0;
}

流程是输入的字符每两个转为一个字节，单字节循环左移，xtea加密，aes加密。

注意最后密文显示是小端序模式，在脚本解密时，应按8字节逆转。xtea部分同理，按4字节逆转。

脚本内的xtea的key并未用到。可根据算法手动计算xtea内部异或用到的数（4字节无符号数）。

from ctypes import * 
from Crypto.Cipher import AES
from Crypto.Util.number import *
def l_rotate(n, d):
    return (n << d)|(n >> (8 - d))&1

def r_rotate(n, d):
    return (n >> d)|(n << (8 - d))&0b10000000

def encrypt(v, key):
    v0, v1  = c_uint32(v[0]), c_uint32(v[1])
    # delta = 0x9E3779B9
    #first round
    v0.value+=(0x1212^(((v1.value << 5) ^ (v1.value >> 6))+ v0.value))
    # total = c_uint32(delta * 32)
    offset=[0xcbbdfd0f,0xcbbdfd0f,0x98a8c4ba,0x98a908ba,0x65942576,0x65942576,0x327edc10,0x327e9810,0xff69a3bb,0xff69a3bb,0xcc546b66,0xcc54e277,0x993fcc22,0x993f5511,0x662a82bc,0x662a60bc,0x33154a67,0x33156c67,][::-1]
    for i in range(9):
        # total.value -= delta 
        v1.value += (((v0.value << 4) ^ (v0.value >> 5)) + v0.value) ^ (offset[2*i] )
        v0.value += (((v1.value << 5) ^ (v1.value >> 6)) + v1.value) ^ (offset[2*i+1])
        
    #last round
    v1.value+=(0xfed36875^(((v0.value << 4) ^ (v0.value >> 5)))+v0.value) 
    return [v0.value, v1.value] 


def decrypt(v, key):
    v0, v1  = c_uint32(v[0]), c_uint32(v[1])
    # delta = 0x9E3779B9
    #first round
    v1.value-=0xfed36875^(v0.value+((v0.value << 4) ^ (v0.value >> 5))) 
    # total = c_uint32(delta * 32)
    offset=[0xcbbdfd0f,0xcbbdfd0f,0x98a8c4ba,0x98a908ba,0x65942576,0x65942576,0x327edc10,0x327e9810,0xff69a3bb,0xff69a3bb,0xcc546b66,0xcc54e277,0x993fcc22,0x993f5511,0x662a82bc,0x662a60bc,0x33154a67,0x33156c67,]
    for i in range(9):
        # total.value -= delta 
        v0.value -= (((v1.value << 5) ^ (v1.value >> 6)) + v1.value) ^ (offset[2*i] )
        v1.value -= (((v0.value << 4) ^ (v0.value >> 5)) + v0.value) ^ (offset[2*i+1] )
    #last round
    v0.value-=(0x1212^(((v1.value << 5) ^ (v1.value >> 6))+ v1.value))

    return [v0.value, v1.value] 
  

# test
if __name__ == "__main__":
    cipher=long_to_bytes(0xd5913f4fa43609f541b139503107e67f)

    key_aes=b'dfb8007c773561da'

    aes=AES.new(key_aes,AES.MODE_ECB)

    
    plain_aes=aes.decrypt(cipher)
    print('AES decrypt:',hex(bytes_to_long(plain_aes)),len(plain_aes))
    

    value = [[bytes_to_long(plain_aes[:4][::-1]),bytes_to_long(plain_aes[4:8][::-1])],[bytes_to_long(plain_aes[8:12][::-1]),bytes_to_long(plain_aes[12:][::-1])]]

    print(value)
    
    key_tea = [0x1212, 0x3412, 0x5612, 0x8923]

    plain_tea0 = decrypt(value[0], key_tea)
    print("XTEA Decrypted data is : ", hex(plain_tea0[0]), hex(plain_tea0[1]))
    plain_tea1 = decrypt(value[1], key_tea)
    print("XTEA Decrypted data is : ", hex(plain_tea1[0]), hex(plain_tea1[1]))
    
    plain_bytes=long_to_bytes(plain_tea0[0])[::-1]+long_to_bytes(plain_tea0[1])[::-1]+long_to_bytes(plain_tea1[0])[::-1]+long_to_bytes(plain_tea1[1])[::-1]

    l=[]
    print('info: lens',len(plain_bytes),plain_bytes)
    
    
    for each in plain_bytes:
        
        origin=r_rotate(each,1)
        l.append(long_to_bytes(origin))
    print(l)
    l=b''.join(l)
    print(l,len(l))
    print('%x'%(bytes_to_long(l)))
"""
decaec9d25889199865401fb84cd8a7c   flag
"""

xtea做的不多第一眼看过去确实有点蒙。

aes如果ida有findcrypt插件能直接识别， 或者看到sbox，63,7c打头也能想到了。

还好只有一个分组，且并没用少见的加密模式。