通過strings找到關鍵函數

int __fastcall main_0(int argc, const char **argv, const char **envp)
{char *v3; // rdi__int64 i; // rcxchar v6; // [rsp+20h] [rbp+0h] BYREFint v7; // [rsp+24h] [rbp+4h]int v8; // [rsp+44h] [rbp+24h]int four_key[12]; // [rsp+68h] [rbp+48h] BYREF_DWORD input[16]; // [rsp+98h] [rbp+78h] BYREFint flag[31]; // [rsp+D8h] [rbp+B8h] BYREFint j; // [rsp+154h] [rbp+134h]int k; // [rsp+174h] [rbp+154h]int m; // [rsp+194h] [rbp+174h]v3 = &v6;for ( i = 102i64; i; --i ){*(_DWORD *)v3 = -858993460;v3 += 4;}j___CheckForDebuggerJustMyCode(&unk_7FF600623009, argv, envp);v7 = 32;v8 = 0;four_key[0] = 1234;four_key[1] = 5678;four_key[2] = 9012;four_key[3] = 3456;memset(input, 0, 0x28ui64);flag[15] = 0;flag[23] = 0;print_strs();for ( j = 0; j < 10; ++j )scanf("%x", &input[j]);key(four_key);copy(input, flag);tea(input, four_key);v8 = fun4(input);if ( v8 ){print("you are right\n");for ( k = 0; k < 10; ++k ){for ( m = 3; m >= 0; --m )print("%c", (unsigned __int8)((unsigned int)flag[k] >> (8 * m)));}}else{print("fault!\nYou can go online and learn the tea algorithm!");}return 0;
}

發現xtea算法函數

for ( i = 0; i <= 8; ++i ){v6 = 0;delta = 256256256 * i;i_plus_1 = i + 1;do{++v6;*(_DWORD *)(res + 4i64 * i) += delta ^ (*(_DWORD *)(res + 4i64 * i_plus_1)+ ((*(_DWORD *)(res + 4i64 * i_plus_1) >> 5) ^ (16* *(_DWORD *)(res + 4i64 * i_plus_1)))) ^ (delta + *(_DWORD *)(key + 4i64 * (delta & 3)));*(_DWORD *)(res + 4i64 * i_plus_1) += (delta + *(_DWORD *)(key + 4i64 * ((delta >> 11) & 3))) ^ (*(_DWORD *)(res + 4i64 * i) + ((*(_DWORD *)(res + 4i64 * i) >> 5) ^ (16 * *(_DWORD *)(res + 4i64 * i))));delta += 256256256;}while ( v6 <= 0x20 );result = (unsigned int)(i + 1);}

找到key和result

{v7 = 4455;v8 = 6677;v9 = 8899;*a1 = 2233;a1[1] = v7;a1[2] = v8;result = v9;a1[3] = v9;return result;
}

v7 = 0;
v8[0] = 0x1A800BDA;
v8[1] = 0xF7A6219B;
v8[2] = 0x491811D8;
v8[3] = 0xF2013328;
v8[4] = 0x156C365B;
v8[5] = 0x3C6EAAD8;
v8[6] = 0x84D4BF28;
v8[7] = 0xF11A7EE7;
v8[8] = 0x3313B252;
v8[9] = 0xDD9FE279;
for ( j = 0; j < 10; ++j )
v7 = *(_DWORD *)(a1 + 4i64 * j) == v8[j];
return v7;

修改xtea解密模板中，修改key，delta，result和算法魔改部分

import binascii
from ctypes import *def decrypt(v, key, num):v0, v1 = c_uint32(v[0]), c_uint32(v[1])total = c_uint32(delta * (num + 33))for i in range(33):total.value -= deltav1.value -= (((v0.value * 16) ^ (v0.value >> 5)) + v0.value) ^ (total.value + key[(total.value >> 11) & 3])v0.value -= (((v1.value * 16) ^ (v1.value >> 5)) + v1.value) ^ (total.value + key[total.value & 3]) ^ total.valuereturn v0.value, v1.value# test
if __name__ == "__main__":################# 需要修改數據區域 ##################res = [0x1A800BDA, 0xF7A6219B, 0x491811D8, 0xF2013328, 0x156C365B, 0x3C6EAAD8, 0x84D4BF28, 0xF11A7EE7, 0x3313B252,0xDD9FE279]key = [2233, 4455, 6677, 8899]delta = 256256256################# 需要修改數據區域 ##################result = []for i in range(len(res) - 2, -1, -1):lists = res[i:i + 2]result = decrypt(lists, key, i)res[i] = result[0]res[i + 1] = result[1]# print("Decrypted data is : ", hex(result[0]), hex(result[1]))strs = ''
for i in res:strs += hex(i)[2:]
print(strs)
for i in range(0,len(strs)):try:print(binascii.a2b_hex(strs[:i*(-1)]).decode())except:pass

得到flag：HZCTF{hzCtf_94_re666fingcry5641qq}