May 26, 2022

DASCTF2022 X VOID-CEF

(逆向思路逐渐多了起来)

0x00 日常查壳

无壳32位

image-20220526103103915

0x01 找到关键验证函数

参考了REtard师傅的思路:https://blog.csdn.net/REtard_/article/details/124933252

image-20220526103542098

也可以通过findcrypt插件识别一些数据,从而跳到这里;不过代码有点乱,但其实真正的验证逻辑不乱

为了验证到底是从哪个函数开始进行加密验证,我们可以在encFlag位置下个断点(按下F2)

再强行跳到验证正确地方判断是否是对的,再F9跑起来可以发现就是会爆corect

可能会出现的情况:输入两个字符后控制权可能会转到IDA这里,在IDA中按F9,再在CEF程序框输入满32个字符后又会自动断到IDA

image-20220526104724760

那么几轮跳下来不难发现这段else就是加密的开始,其他代码都不用看

image-20220526104138379

0x02 SM4?

毕竟有动调,整个逻辑很多就能理解(一遍理解不了就来两遍)

image-20220526110609646

Round

主要还是Round函数,差不多在这里可以确定为魔改的SM4加密了?也许只是用了同一种思路,因为改的不止一点点

/* IDA pseudo-code of the challenge's round function.
 * a1: pointer to the 4-word (16-byte) state, addressed as 4-byte slots indexed mod 4.
 * a2: pointer to the round keys, consumed one DWORD per iteration.
 * Runs 32 iterations (v5 counts down from 32); each one XORs one key word
 * with three state words and folds the result, through the rotation set
 * {ROL 2, ROR 8, ROL 10, ROR 14}, into the fourth state word.
 * Returns the final value of the word counter (2 + 32 = 34). */
int __cdecl Round(int a1, _DWORD *a2)
{
    int result; // eax
    int v3; // esi
    bool v4; // zf
    int v5; // [esp+Ch] [ebp-4h]

    result = 2; // note: result starts at 2 -- plug it in by hand to see which state words each step picks
    v5 = 32;    // round counter: the do/while below runs exactly 32 times
    do
    {
        // v3 = rk ^ w[r % 4] ^ w[(r+1) % 4] ^ w[(r-1) % 4]; r starts at 2, so (r-1) % 4 is never negative
        v3 = *a2++ ^ *(a1 + 4 * (result % 4)) ^ *(a1 + 4 * ((result + 1) % 4)) ^ *(a1 + 4 * ((result - 1) % 4));
        v4 = v5-- == 1; // exit flag: becomes true on the 32nd pass
        // (r+2) % 4 == (r-2) & 3 for r >= 2, so this line is w[(r+2) % 4] ^= v3 ^ ROL(v3,2) ^ ROR(v3,8) ^ ROL(v3,10) ^ ROR(v3,14).
        // ROR 8 == ROL 24 and ROR 14 == ROL 18 -- the same four rotations the solver's ROTL chain uses.
        // __ROL4__/__ROR4__ are IDA's 32-bit rotate intrinsics.
        *(a1 + 4 * ((result + 2) % 4)) = v3 ^ *(a1 + 4 * ((result - 2) & 3)) ^ __ROL4__(v3, 2) ^ __ROR4__(v3, 8) ^ __ROL4__(v3, 10) ^ __ROR4__(v3, 14);
        ++result;
    }
    while ( !v4 );
    return result;
}

0x03 GetFlag!

那么密钥可以直接提取,密文也有了,直接开逆

那么关于基于SM4的解密思路可以看看我之前出的一道题的获取日期的地方,其实就是一个异或等式

时空飞行:https://ppppz.net/2022/02/05/%E6%97%B6%E7%A9%BA%E9%A3%9E%E8%A1%8C/

#include <stdio.h>
#include <string.h>

/* The 32 round keys extracted from the challenge binary, in the order the
 * binary's encryption consumes them. SM4_Decrypt() reverses this table in
 * place before use, and Round() later overwrites SK[23..26] with each
 * block's input words, so the table is mutated at run time. */
unsigned int SK[32] = {
    0xE8DB227C, 0x012451B9, 0xED08A9DB, 0xC91F65C3, 0xB3D1E981, 0x319B4734, 0xA4BA5551, 0xD0F2ED2D,
    0x4A00D692, 0xE0AEFE30, 0x6BBCDB4A, 0xC315F6F1, 0xB4E1B030, 0x694C4ACE, 0x479208D3, 0x3F8C7B97,
    0x747777A6, 0xEDEC9BBB, 0xC8E506C1, 0xB955A92A, 0xB388FDBB, 0x1A4697C3, 0xB10826AA, 0xBB1F2207,
    0x291DCD60, 0x2BA3E3A7, 0x1B83DFDD, 0x014D4FD5, 0x80C659F3, 0x3EB45B23, 0x43E36266, 0xBD22532C
};

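/* Load a 32-bit word from bytes b[i..i+3], little-endian (b[i] is the low byte).
 * Every parameter is parenthesised so expressions such as `k * 4` or a
 * conditional can be passed as the offset without a precedence surprise. */
#define GET_ULONG(n, b, i)                              \
    (n) = ( (unsigned long) (b)[(i) + 3] << 24 )        \
        | ( (unsigned long) (b)[(i) + 2] << 16 )        \
        | ( (unsigned long) (b)[(i) + 1] << 8 )         \
        | ( (unsigned long) (b)[(i)] )

/* Store the low 32 bits of n into b[i..i+3], little-endian.
 * do/while(0) keeps it a single statement (safe as an unbraced if/for body). */
#define PUT_ULONG(n, b, i)                              \
    do {                                                \
        (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );   \
        (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );   \
        (b)[(i) + 1] = (unsigned char) ( (n) >> 8 );    \
        (b)[(i)]     = (unsigned char) ( (n) );         \
    } while (0)

/* Left shift within a 32-bit word; the mask clips wider arguments to one word first. */
#define SHL(x, n) ( ((x) & 0xFFFFFFFF) << (n) )

/* 32-bit rotate left. n must be 1..31: a shift by 32 or 0-derived `32 - n` of 32 is undefined. */
#define ROTL(x, n) ( SHL((x), (n)) | ((x) >> (32 - (n))) )

/* Exchange two unsigned lvalues. The temporary is named t_ so it cannot
 * shadow a caller's `t`, and do/while(0) makes the macro a single statement. */
#define SWAP(a, b) do { unsigned t_ = (a); (a) = (b); (b) = t_; } while (0)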


void SM4_Decrypt(unsigned char * input, unsigned char * output, int len);
void Round(unsigned char input[16], unsigned char output[16]);

/* Decrypt the two 16-byte ciphertext blocks pulled from the binary and
 * print the recovered bytes as characters (the flag). Returns 0. */
int main(void)
{
    /* 32 bytes of ciphertext, exactly two SM4-sized blocks. */
    unsigned char ciphertext[] =
    {
        0x7D, 0x54, 0xCB, 0xC0, 0x74, 0xDB, 0xF5, 0xD7, 0x6F, 0xD9,
        0x92, 0x1B, 0xEB, 0x28, 0x46, 0x20, 0xE5, 0xD5, 0xD3, 0x60,
        0x80, 0x6D, 0x36, 0x2F, 0xB0, 0x63, 0x2F, 0x61, 0x20, 0x0F,
        0xA9, 0x30
    };
    unsigned char plaintext[32] = { 0 };

    SM4_Decrypt(ciphertext, plaintext, 32);

    /* One character per byte; swap the format for "0x%X, " to dump hex instead. */
    for (int pos = 0; pos < 32; pos++) {
        printf("%c", plaintext[pos]);
    }

    return 0;
}

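/* Decrypt `len` bytes from input into output, one 16-byte block at a time.
 *
 * input:  ciphertext, at least `len` bytes.
 * output: buffer of at least `len` bytes receiving the plaintext.
 * len:    byte count; only whole 16-byte blocks are processed.
 *
 * Side effects: reverses the global round-key table SK in place (decryption
 * walks the keys backwards), so a second call would undo that ordering --
 * call it once per process. Round() additionally copies each block's input
 * words into SK[23..26], which is why blocks must be processed in order. */
void SM4_Decrypt(unsigned char * input, unsigned char * output, int len)
{
    /* Swap SK[0..15] with SK[31..16]: full reversal of the 32-entry table. */
    for (int i = 0; i < 16; i++) {
        SWAP(SK[i], SK[31 - i]);
    }

    /* `>= 16` rather than `> 0`: a trailing partial block would otherwise
     * make Round() read 16 bytes past the end of the caller's buffers. */
    while (len >= 16) {
        Round(input, output);
        input += 16;
        output += 16;
        len -= 16;
    }
}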

/* Process one 16-byte block with the challenge's modified SM4 round.
 *
 * input:  16 bytes, loaded as four little-endian words.
 * output: 16 bytes, receives the final state in reverse word order.
 *
 * Side effect: after the 32 rounds the block's *input* words are written into
 * SK[26], SK[25], SK[24], SK[23]. With the table already reversed by
 * SM4_Decrypt() that is the key feedback the binary performs, which is why
 * feeding the ciphertext back in is exactly right for decryption. */
void Round(unsigned char input[16], unsigned char output[16])
{
    unsigned long x[4] = { 0 };

    GET_ULONG(x[0], input, 0);
    GET_ULONG(x[1], input, 4);
    GET_ULONG(x[2], input, 8);
    GET_ULONG(x[3], input, 12);

    /* 32 rounds: key word XOR three state words, then a linear mix of the
     * result (rotations 2, 24, 10, 18) is XORed into the fourth word. */
    for (int r = 0; r < 32; r++) {
        unsigned int mix = SK[r] ^ x[(r + 1) % 4] ^ x[(r + 2) % 4] ^ x[(r + 3) % 4];
        unsigned int lin = mix ^ ROTL(mix, 2) ^ ROTL(mix, 24) ^ ROTL(mix, 10) ^ ROTL(mix, 18);
        x[r % 4] ^= lin;
    }

    /* Key feedback: this block's input words overwrite SK[26..23]. */
    GET_ULONG(SK[26], input, 0);
    GET_ULONG(SK[25], input, 4);
    GET_ULONG(SK[24], input, 8);
    GET_ULONG(SK[23], input, 12);

    /* Emit the state with the word order reversed. */
    for (int k = 0; k < 4; k++) {
        PUT_ULONG(x[3 - k], output, k * 4);
    }
}

GetFlag!

image-20220526111033443
