DASCTF 2021.08 RE Writeup

注意
本文最后更新于 2024-02-12,文中内容可能已过时。

py

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
def encode(s):
    str = ''
    for i in range(len(s)):
        res = ord(s[i]) ^ 32
        res += 31
        str += chr(res)

    return str

def decode(s):
    str = ''
    for i in range(len(s)):
        res = ord(s[i]) - 31
        res ^= 32
        str += chr(res)

    return str

m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings = ''
print decode(m)

apkrev

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#include <cstdio>
#include <cstring>

unsigned char enc[] =
{
  0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
  0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
  0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
  0x82, 0x5B, 0x00
};

void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    int i = 0, j = 0;
    unsigned char k[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++)
    {
        s[i] = i;
        k[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}

void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k < Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

int main()
{
    unsigned char s[256];
    unsigned char key[9] = "12345678";
    rc4_init(s, key, 8);
    rc4_crypt(s, enc, 32);
    printf("%s", enc);
    return 0;
}

LittleJunk

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#include <cstdio>
#include "defs.h"


void tea_decrypt(unsigned __int64* v, unsigned __int64* k)
{
	__int64 sum = 0, i;
	unsigned __int64 v0 = v[0], v1 = v[1], v2 = v[2], v3 = v[3];
	unsigned __int64 k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
	for (i = 0; i < 0x20; i++) 
		sum += 0x9E3779B9i64;
	for (i = 0; i < 32; i++)
	{
		v3 -= ((v2 << 4) + k2) ^ (v2 + sum) ^ ((v2 >> 5) + k3);
		v2 -= ((v3 << 4) + k0) ^ (v3 + sum) ^ ((v3 >> 5) + k1);
		v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
		v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
		sum -= 0x9E3779B9i64;
	}
	v[0] = v0;
	v[1] = v1;
	v[2] = v2;
	v[3] = v3;
}

void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
	int i = 0, j = 0;
	unsigned char k[256] = { 0 };
	unsigned char tmp = 0;
	for (i = 0; i < 256; i++)
	{
		s[i] = i;
		k[i] = key[i % Len];
	}
	for (i = 0; i < 256; i++)
	{
		j = (j + s[i] + k[i]) % 256;
		tmp = s[i];
		s[i] = s[j];
		s[j] = tmp;
	}
}

void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
	int i = 0, j = 0, t = 0;
	unsigned long k = 0;
	unsigned char tmp;
	for (k = 0; k < Len; k++)
	{
		i = (i + 1) % 256;
		j = (j + s[i]) % 256;
		tmp = s[i];
		s[i] = s[j];
		s[j] = tmp;
		Data[k] ^= s[k];
	}
}


int main()
{
	unsigned __int64 v[] = { 
		0xE990A522BE80F786, 0x8B836286B8A5EB59, 0x2FDE61CCEFC70FF8, 0x56BC19E119C8B07B, 0
	};
	unsigned char k[] = "vTLHv`FTDC_vOPPEyam_uoyZht_deen_w";
	unsigned char s[256];
	unsigned char key[] = "dasctf:3";

	tea_decrypt(v, (unsigned __int64 *)k);
	for (int i = 0; i < 4; ++i)
	{
		int j = (i + 1) << 3;
		unsigned __int64 t = v[i];
		while (t)
		{
			((unsigned char*)v)[--j] = t & 0xFF;
			t >>= 8;
		}
	}
	rc4_init(s, key, 8);
	rc4_crypt(s, (unsigned char *)v, 32);
	printf("%s", v);
	return 0;
}
0%