首页
论坛
课程
招聘
[原创]2019看雪CTF总决赛第七题:东北奇闻WP
2019-12-19 23:56 3089

[原创]2019看雪CTF总决赛第七题:东北奇闻WP

2019-12-19 23:56
3089

2019看雪CTF总决赛第七题:东北奇闻WP

此题是安卓题。Jeb反编后,发现有native层,调用函数为showAssist,不知道为什么不直接加载native:

public class MainActivity extends AppC0mpatActivity {
    public MainActivity() {
        super();
    }

    protected void onCreate(Bundle arg4) {
        super.onCreate(arg4);
        this.setContentView(2131361820);
        this.findViewById(2131165250).setOnClickListener(new View$OnClickListener(this.findViewById(2131165268), arg4) {
            public void onClick(View arg3) {
                if(this.val$ed.getText() == null || (TextUtils.isEmpty(this.val$ed.getText().toString())) || (MainActivity.this.showAssist(this.val$savedInstanceState))) {
                    Toast.makeText(MainActivity.this, "null", 1).show();
                }
            }
        });
    }
}




public class AppC0mpatActivity extends AppCompatActivity {
    static {
        System.loadLibrary("native-lib");
    }

    public AppC0mpatActivity() {
        super();
    }

    public native boolean showAssist(Bundle arg1) {
    }
}

静态大致看了下native层的代码,发现控制结构比较难看,都是通过表来跳转的(这种描述或许并不准确),里面的所有数据均进行了异或编码,showAssist函数在动态注册的,注册用的数据在偏移0x2B668处,函数偏移为0x19F80。showAssist函数读取输入后,调用函数sub_1823C。函数sub_1823C为算法函数,似乎是魔改的cast-128。
加密函数先申请堆计算扩展密钥(密钥在异或解码后为明文--findViewById(I)L),然后8字节一组进行25组加密,最后hex后与异或后的明文进行校验。分组加密伪代码如下:

  v6 = data;
  v7 = data[1];
  v8 = bswap32(*data);
  printf(aX, v8);
  v9 = bswap32(v7);
  printf(aX, v9);
  v10 = __ROR4__(v4->km[0] + v9, 32 - v4->kr[0]);
  v11 = v8 ^ ((t2[(v10 >> 16) & 0xFF] ^ t1[v10 >> 24]) - t3[v10 >> 8] + t4[v10]);
  v12 = __ROR4__(v11 ^ v4->km[1], 32 - v4->kr[1]);
  v13 = (t1[v12 >> 24] - t2[(v12 >> 16) & 0xFF] + t3[v12 >> 8]) ^ v9 ^ t4[v12];
  v14 = __ROR4__(v4->km[2] - v13, 32 - v4->kr[2]);
  v15 = (((t2[(v14 >> 16) & 0xFF] + t1[v14 >> 24]) ^ t3[v14 >> 8]) - t4[v14]) ^ v11;
  v16 = __ROR4__(v15 + v4->km[3], 32 - v4->kr[3]);
  v17 = (t4[v16] + (t2[(v16 >> 16) & 0xFF] ^ t1[v16 >> 24]) - t3[v16 >> 8]) ^ v13;
  v18 = __ROR4__(v4->km[4] ^ v17, 32 - v4->kr[4]);
  v19 = t4[v18] ^ v15 ^ (t1[v18 >> 24] - t2[(v18 >> 16) & 0xFF] + t3[v18 >> 8]);
  v20 = __ROR4__(v4->km[5] - v19, 32 - v4->kr[5]);
  v21 = v17 ^ (((t1[v20 >> 24] + t2[(v20 >> 16) & 0xFF]) ^ t3[v20 >> 8]) - t4[v20]);
  v22 = __ROR4__(v4->km[6] + v21, 32 - v4->kr[6]);
  v23 = v19 ^ ((t2[(v22 >> 16) & 0xFF] ^ t1[v22 >> 24]) - t3[v22 >> 8] + t4[v22]);
  v24 = __ROR4__(v4->km[7] ^ v23, 32 - v4->kr[7]);
  v25 = t4[v24] ^ v21 ^ (t1[v24 >> 24] - t2[(v24 >> 16) & 0xFF] + t3[v24 >> 8]);
  v26 = __ROR4__(v4->km[8] - v25, 32 - v4->kr[8]);
  v27 = v23 ^ (((t2[(v26 >> 16) & 0xFF] + t1[v26 >> 24]) ^ t3[v26 >> 8]) - t4[v26]);
  v28 = __ROR4__(v4->km[9] + v27, 32 - v4->kr[9]);
  v29 = v25 ^ ((t1[v28 >> 24] ^ t2[(v28 >> 16) & 0xFF]) - t3[v28 >> 8] + t4[v28]);
  v30 = __ROR4__(v4->km[10] ^ v29, 32 - v4->kr[10]);
  v31 = (t1[v30 >> 24] - t2[(v30 >> 16) & 0xFF] + t3[v30 >> 8]) ^ t4[v30] ^ v27;
  v32 = __ROR4__(v4->km[11] - v31, 32 - LOBYTE(v4->kr[11]));
  v33 = ((t3[v32 >> 8] ^ (t1[v32 >> 24] + t2[(v32 >> 16) & 0xFF])) - t4[v32]) ^ v29;
  *v6 = byte_encode(v33 >> 24);
  *(v6 + 1) = byte_encode((v33 >> 16) & 0xFF);
  *(v6 + 2) = byte_encode(v33 >> 8);
  *(v6 + 3) = byte_encode(v33);
  *(v6 + 4) = byte_encode(v31 >> 24);
  *(v6 + 5) = byte_encode((v31 >> 16) & 0xFF);
  *(v6 + 6) = byte_encode(v31 >> 8);
  *(v6 + 7) = byte_encode(v31);

在分组加密的返回前有一个逐字节的编码函数,且此编码函数使用了OLLVM。
逐字节的编码函数由于输入输出是单字节一一映射的关系,所以直接跑个表出来查表就OK了。扩展密钥也可以直接dump出来,那后就直接反解就好了。

# -*- coding:utf-8 -*-
import struct
t1 =[ 0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000, 
      0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004, 
      0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404, 
      0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000, 
      0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400, 
      0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404, 
      0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400, 
      0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004, 
      0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020, 
      0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020, 
      0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000, 
      0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020, 
      0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000, 
      0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000, 
      0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020, 
      0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000, 
      0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200, 
      0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208, 
      0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208, 
      0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000, 
      0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000, 
      0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008, 
      0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008, 
      0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200, 
      0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001, 
      0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001, 
      0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080, 
      0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081, 
      0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000, 
      0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080, 
      0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081, 
      0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080,]

t2 =[ 0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000, 
      0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000, 
      0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100, 
      0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100, 
      0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100, 
      0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000, 
      0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000, 
      0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100, 
      0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000, 
      0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010, 
      0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010, 
      0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000, 
      0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010, 
      0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000, 
      0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010, 
      0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010, 
      0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800, 
      0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802, 
      0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002,
      0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800, 
      0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002, 
      0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800, 
      0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802, 
      0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002, 
      0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000, 
      0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040, 
      0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000, 
      0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000, 
      0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040,
      0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040, 
      0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000, 
      0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000,]

t3 =[ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 
      0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 
      0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 
      0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 
      0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 
      0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 
      0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 
      0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 
      0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 
      0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 
      0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 
      0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 
      0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 
      0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 
      0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 
      0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]

t4 =[ 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 
      0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 
      0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 
      0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 
      0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 
      0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 
      0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 
      0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 
      0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 
      0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 
      0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 
      0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 
      0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 
      0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 
      0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 
      0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D]

km = [0xD573F1E4, 0xFA05E8A8, 0x2C6D872D, 0xC193BC8F, 
      0x18C94337, 0x64BC5C3A, 0x8F4696C2, 0x384C937C, 
      0xB658582A, 0x78F874CA, 0x258BF885, 0x6D208F8A, 
      0x5CD503D7, 0xD4FA1E37, 0x93DD1BE, 0x507F2A3E, ]
kr = [0x10, 0x11, 0x06, 0x0A, 0x16, 0x1D, 0x1A, 0x13, 
      0x0B, 0x03, 0x1C, 0x00, 0x1D, 0x10, 0x19, 0x1B,]

table = [ 0x00, 0x02, 0x01, 0x03, 0xA8, 0xAA, 0xA9, 0xAB, 0x54, 0x56, 0x55, 0x57, 0xFC, 0xFE, 0xFD, 0xFF, 
          0x0A, 0x08, 0x0B, 0x09, 0xA2, 0xA0, 0xA3, 0xA1, 0x5E, 0x5C, 0x5F, 0x5D, 0xF6, 0xF4, 0xF7, 0xF5, 
          0x05, 0x07, 0x04, 0x06, 0xAD, 0xAF, 0xAC, 0xAE, 0x51, 0x53, 0x50, 0x52, 0xF9, 0xFB, 0xF8, 0xFA, 
          0x0F, 0x0D, 0x0E, 0x0C, 0xA7, 0xA5, 0xA6, 0xA4, 0x5B, 0x59, 0x5A, 0x58, 0xF3, 0xF1, 0xF2, 0xF0, 
          0x20, 0x22, 0x21, 0x23, 0x88, 0x8A, 0x89, 0x8B, 0x74, 0x76, 0x75, 0x77, 0xDC, 0xDE, 0xDD, 0xDF, 
          0x2A, 0x28, 0x2B, 0x29, 0x82, 0x80, 0x83, 0x81, 0x7E, 0x7C, 0x7F, 0x7D, 0xD6, 0xD4, 0xD7, 0xD5, 
          0x25, 0x27, 0x24, 0x26, 0x8D, 0x8F, 0x8C, 0x8E, 0x71, 0x73, 0x70, 0x72, 0xD9, 0xDB, 0xD8, 0xDA, 
          0x2F, 0x2D, 0x2E, 0x2C, 0x87, 0x85, 0x86, 0x84, 0x7B, 0x79, 0x7A, 0x78, 0xD3, 0xD1, 0xD2, 0xD0, 
          0x10, 0x12, 0x11, 0x13, 0xB8, 0xBA, 0xB9, 0xBB, 0x44, 0x46, 0x45, 0x47, 0xEC, 0xEE, 0xED, 0xEF, 
          0x1A, 0x18, 0x1B, 0x19, 0xB2, 0xB0, 0xB3, 0xB1, 0x4E, 0x4C, 0x4F, 0x4D, 0xE6, 0xE4, 0xE7, 0xE5, 
          0x15, 0x17, 0x14, 0x16, 0xBD, 0xBF, 0xBC, 0xBE, 0x41, 0x43, 0x40, 0x42, 0xE9, 0xEB, 0xE8, 0xEA, 
          0x1F, 0x1D, 0x1E, 0x1C, 0xB7, 0xB5, 0xB6, 0xB4, 0x4B, 0x49, 0x4A, 0x48, 0xE3, 0xE1, 0xE2, 0xE0, 
          0x30, 0x32, 0x31, 0x33, 0x98, 0x9A, 0x99, 0x9B, 0x64, 0x66, 0x65, 0x67, 0xCC, 0xCE, 0xCD, 0xCF, 
          0x3A, 0x38, 0x3B, 0x39, 0x92, 0x90, 0x93, 0x91, 0x6E, 0x6C, 0x6F, 0x6D, 0xC6, 0xC4, 0xC7, 0xC5, 
          0x35, 0x37, 0x34, 0x36, 0x9D, 0x9F, 0x9C, 0x9E, 0x61, 0x63, 0x60, 0x62, 0xC9, 0xCB, 0xC8, 0xCA, 
          0x3F, 0x3D, 0x3E, 0x3C, 0x97, 0x95, 0x96, 0x94, 0x6B, 0x69, 0x6A, 0x68, 0xC3, 0xC1, 0xC2, 0xC]

def ROR(n,r):
  n = n&0xffffffff
  return ((n>>r) | (n<<(32-r)))&0xffffffff

def de_group(s):
  v33,v31 = struct.unpack('>II',s)
  v32 = ROR(km[11] - v31, 32 - kr[11])
  v29 = ((t3[(v32 >> 8)&0xFF] ^ (t1[v32 >> 24] + t2[(v32 >> 16) & 0xFF]))- t4[(v32) & 0xFF]) ^ v33
  v30 = ROR(km[10] ^ v29, 32 - kr[10])
  v27 = (t1[v30 >> 24] - t2[(v30 >> 16) & 0xFF] + t3[(v30 >> 8)&0xFF]) ^ t4[(v30) & 0xFF] ^ v31
  v28 = ROR(km[9] + v27, 32 - kr[9])
  v25 = v29 ^ ((t1[v28 >> 24] ^ t2[(v28 >> 16) & 0xFF]) - t3[(v28 >> 8)&0xFF]+ t4[(v28) & 0xFF])
  v26 = ROR(km[8] - v25, 32 - kr[8])
  v23 = v27 ^ (((t2[(v26 >> 16) & 0xFF] + t1[v26 >> 24]) ^ t3[(v26 >> 8)&0xFF])- t4[(v26) & 0xFF])
  v24 = ROR(km[7] ^ v23, 32 - kr[7])
  v21 = t4[(v24) & 0xFF] ^ v25 ^ (t1[v24 >> 24]- t2[(v24 >> 16) & 0xFF] + t3[(v24 >> 8)&0xFF])
  v22 = ROR(km[6] + v21, 32 - kr[6])
  v19 = v23 ^ ((t2[(v22 >> 16) & 0xFF] ^ t1[v22 >> 24]) - t3[(v22 >> 8)&0xFF] + t4[(v22) & 0xFF])
  v20 = ROR(km[5] - v19, 32 - kr[5])
  v17 = v21 ^ (((t1[v20 >> 24] + t2[(v20 >> 16) & 0xFF]) ^ t3[(v20 >> 8)&0xFF]) - t4[(v20) & 0xFF])
  v18 = ROR(km[4] ^ v17, 32 - kr[4])
  v15 = t4[(v18) & 0xFF] ^ v19 ^ (t1[v18 >> 24]- t2[(v18 >> 16) & 0xFF]+ t3[(v18 >> 8)&0xFF])
  v16 = ROR(v15 + km[3], 32 - kr[3])
  v13 = (t4[(v16) & 0xFF] + (t2[(v16 >> 16) & 0xFF] ^ t1[v16 >> 24])- t3[(v16 >> 8)&0xFF]) ^ v17
  v14 = ROR(km[2] - v13, 32 - kr[2])
  v11 = (((t2[(v14 >> 16) & 0xFF] + t1[v14 >> 24]) ^ t3[(v14 >> 8)&0xFF])- t4[(v14) & 0xFF]) ^ v15
  v12 = ROR(v11 ^ km[1], 32 - kr[1])
  v9 = (t1[v12 >> 24] - t2[(v12 >> 16) & 0xFF] + t3[(v12 >> 8)&0xFF]) ^ v13 ^ t4[(v12) & 0xFF]
  v10 = ROR(km[0] + v9, 32 - kr[0])
  v8 = v11 ^ ((t2[(v10 >> 16) & 0xFF] ^ t1[v10 >> 24])  - t3[(v10 >> 8)&0xFF] + t4[(v10) & 0xFF])
  return struct.pack('>II',v8&0xffffffff,v9&0xffffffff)

def get_flag():
  c = '68dd8a0f7065609e3106fb2bb1059423e80fb1347318ffeb83b8a074a7e6c9cf'.decode('hex')
  c1 = ''.join(map(lambda x:chr(table.index(ord(x))),c))
  flag = ''
  for i in range(4):
    flag += de_group(c1[8*i:8*i+8])
  print flag

def main():
  get_flag()
  print 'end.'

if __name__ == '__main__':
  main()

[公告]名企招聘!

最后于 2019-12-20 00:05 被poyoten编辑 ,原因:
收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回