记录DDCTF中一道非常需要耐心的逆向题

这题出现在DDCTF的level8,题目给了两张图片和一段文字,稍后我会提供附件。

挑战:《Crack me if you can》

赛题背景:图片信息隐藏与数字水印技术一直是安全研究领域的热门话题之一,本挑战结合了图片内嵌、算法逆向等知识点,考察了挑战者的综合技术素养。

赛题描述:本题是一张图片,请试分析图片中隐藏的内嵌文件,逆向 Crack me 算法并得到 DDCTF-65f9 输入所对应的密钥。

评分标准:密钥正确则可进入下一题。

图片1:

图片2(名字crackme.png,关键附件,请从下文中下载原图):

附件下载:http://pan.baidu.com/s/1jIMaBum 密码:5cah

从图片到程序

首先由名字crackme,我们知道了这是一道re题,但他给了一张图片。

我们用010editor打开他。

emmm,标准的jpg文件头,果然png的后缀名是假的,jpg的文件结尾标志是FFD9,ctrl+F查找

发现后面附加了一段数据,把这段数据先单独存下来。

0x789c是zlib的压缩数据的头部标志,用python写脚本解压一下。

1
2
3
4
import zlib
enc = open('dump','rb').read()
dec = zlib.decompress(enc)
print dec

输出了一段base64,由于数据过长,就不贴了。我把他base64解码后写到文件。

1
2
3
4
import zlib
enc = open('dump','rb').read()
dec = zlib.decompress(enc).decode('base64')
open('dump_base64','wb').write(dec)

再用010editor打开,发现我们熟悉的zip文件头PK被改成了KP(滑稽)

改过来以后得到压缩包dump.zip

然而解压需要密码。

结合题目提供的第一张图,这是一个除零错误。

试一试就知道了。

1
2/0
1
2
3
4
5
Traceback (most recent call last):
File "C:\Users\veritas501\Desktop\study\test.py", line 1, in <module>
2/0
ZeroDivisionError: integer division or modulo by zero
[Finished in 0.1s]

所以压缩密码是integer division or modulo by zero

成功得到crackme.exe!!

IDA加OD动静态分析

OD里下GetDlgItemTextA断点,来到获取输入的地址0x00**1EE4,IDA也相应的来到0x00**1EE4

接下来在IDA中疯狂整理代码逻辑和变量名。这段辛酸过程省略,不想整理的话我上面的附件里也提供了我当时做题时整理好的idb文件,直接载入也行。

首先程序里有一段240bytes长的char * head,作为常量,结合输入的password(即mail)进行大量的运算,所得的值1和输入的uasename通过某种运算的到的值2相等。

整理一下逻辑。

username题目告诉我们了,因为用了strcat,所以key可以推出,key到IV3由于是正向计算,直接在OD中动态跟一下结果IV3也就出来了。又因为IV2和IV3是相等的关系,所以IV2也可以直接得到。head到hash是正向算法,hash也可以直接动态跟出来。

1
2
3
4
5
6
7
8
9
10
11
12
13

head->hash\
IV1\
mail_mid->pwd/ IV2\
head/ equal!!
username->key->IV3/

username:DDCTF-65f9
IV3:IV2:'e8d8e2ceaf9de076a0f211f5a1895352'.encode('hex')
len IV2,IV3 = 16
hash:
7DEC14283116611B3CBD497513843B3B304D171BF021FF0C9E8D4692307EBC7AE8223FB03CE6FE1C6EC09B6C957C40A49D8D2CC63F13953F8973EDF80CD3B7775C5DE5D0BE87E7B62AD148729F60649E3D059704628685678A0AEC8BC80ED5F70AB1B095042BFD3FCDA94906961437F5A8009DBC70D01C4591D583A6FE967A9992CF10E197BDBAAD3BE159E448393F08DAC047366783936D408B2DA876AFB530CAA6F54FAD0AF83A6F860B9E8B40EC1D
len hash :0xB0

所以现在的关键是需要对IV12IV3这个算法求逆,由IV2和head推出IV1。然后再对hash2IV1这个函数求逆,由IV1和hash推出pwd。然后pwd直接encode_hex就能得到mail_mid。

分析IV12IV2

又是一段艰苦的逆向,最后发现就是一个稍微变化过的aes解码函数。。。

当然逆向这东西,事后看看都觉得简单,只有自己逆过才懂得艰辛。

用python写出加密和解密函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
head = '4E5332303137434D2D44444354462D006469646963687578696E672E636F6D00E3E22A86D2D569CBFF912D88ABD70088795A7C0A1A320972735C6E5C1033035C7E73C8AAACA6A16153378CE9F8E08C61B0FD53F4AACF5A86D99334DAC9A037861090A478BC360519EF0189F017E105912C5455E7869B0F615F083BBB96A80C3DDD94FDCB61A2F8D28EA37122994274B3434E26BBC5D529DA9ADD12610C751E5C0DB91FCF6C1BE71DE2B8963F7BFAE28CAF1526946AC00F4EF01D1D2FFC680373A928A37DC5334460278BD25F5C7130D34D8C69C6274C6688D7517BA72B3978D4CBAF95E70E9CD187291703D87566330B'.decode('hex')

box = 'E2D681A62AFEC53CBDAF540A75D85120E9BBED7A92EE48A46E03B56DB8A5597DDF4A391A4DD3C722EC50DEFCF3C95CC8899183D7F4438874C06A5896020837720C7C0DA92F7E6980684C352D40BE9A36F72C8FC6B6DBCE09BCEB04D0A8C411B20552B1D415A2972E90642963318AE8CA873E762321D20B257824E034A1D90EAC8D0060E4AA5D0FEA3827BA7FA3703216FB66DA06653DBF3B2871E162F8AD9F4E9D42F2CF1285A04F672B93F0824B01561C9CE513C2FAFFDC9B9498E3F684EF77E76B10465EB386B0F9176F73D1AE7B446CAB1ED55B9E265FC33A14181B3F79F1FD8EB7C1CC55F5455357A747958BCD6149198C1F305A99411D33B4E6CB07DDB9'.decode('hex')

inv_box = [0]*256

inv_a = [3,1,1,2]
a = [9,0xe,0xb,0xd]

int_1 = 14
def AddRoundKey(tmp,head,k):
for j in range(4):
tmp[j] ^= ord(head[16*k+4*j])
tmp[j+4] ^= ord(head[16*k+4*j+1])
tmp[j+8] ^= ord(head[16*k+4*j+2])
tmp[j+12] ^= ord(head[16*k+4*j+3])
return tmp

def ShiftRows(tmp):
for i in range(1,4):
for j in range(i):
v3 = tmp[4*i+3]
for k in range(3,0,-1):
tmp[4*i+k] = tmp[4*i+k-1]
tmp[4*i] = v3
return tmp

def inv_ShiftRows(tmp):
for i in range(1,4):
for j in range(i):
v3 = tmp[4*i]
for k in range(0,3):
tmp[4*i+k] = tmp[4*i+k+1]
tmp[4*i+3] = v3
return tmp

def SubBytes(tmp):
for i in range(4):
for j in range(4):
tmp[4*i+j] = ord(box[16 * (tmp[4*i+j] & 0xF) + (( tmp[4*i+j] & 0xF0) >> 4)])
return tmp

def inv_SubBytes(tmp):
for i in range(256):
inv_box[ord(box[i])] = i

for i in range(4):
for j in range(4):
tmp[4*i+j] = inv_box[tmp[4*i+j]]
tmp[4*i+j] = 16 * (tmp[4*i+j] & 0xF) + (( tmp[4*i+j] & 0xF0) >> 4)
return tmp

def mix_single_column(v6):
d = [0]*4
d[0] = gmult(a[0],v6[0])^gmult(a[3],v6[1])^gmult(a[2],v6[2])^gmult(a[1],v6[3]);
d[1] = gmult(a[1],v6[0])^gmult(a[0],v6[1])^gmult(a[3],v6[2])^gmult(a[2],v6[3]);
d[2] = gmult(a[2],v6[0])^gmult(a[1],v6[1])^gmult(a[0],v6[2])^gmult(a[3],v6[3]);
d[3] = gmult(a[3],v6[0])^gmult(a[2],v6[1])^gmult(a[1],v6[2])^gmult(a[0],v6[3]);
return d

def gmult(aa,bb):
p=0
hbs=0
for i in range(8):
if (bb&1):
p ^= aa
hbs=aa&0x80
aa<<=1
aa = aa&0xff
if hbs:
aa ^= 0x1b
bb>>=1
return p

def mix_columns(tmp):
v6 = [0]*4
for i in range(4):
for j in range(4):
v6[j] = tmp[4*j+i]
v6 = mix_single_column(v6)
for j in range(4):
tmp[4*j+i] = v6[j]
return tmp

def inv_mix_columns(tmp):
v6 = [0]*4
for i in range(4):
for j in range(4):
v6[j] = tmp[4*j+i]
v6 = inv_mix_single_column(v6)
for j in range(4):
tmp[4*j+i] = v6[j]
return tmp

def inv_mix_single_column(v6):
d = [0]*4
d[0] = gmult(inv_a[0],v6[0])^gmult(inv_a[3],v6[1])^gmult(inv_a[2],v6[2])^gmult(inv_a[1],v6[3]);
d[1] = gmult(inv_a[1],v6[0])^gmult(inv_a[0],v6[1])^gmult(inv_a[3],v6[2])^gmult(inv_a[2],v6[3]);
d[2] = gmult(inv_a[2],v6[0])^gmult(inv_a[1],v6[1])^gmult(inv_a[0],v6[2])^gmult(inv_a[3],v6[3]);
d[3] = gmult(inv_a[3],v6[0])^gmult(inv_a[2],v6[1])^gmult(inv_a[1],v6[2])^gmult(inv_a[0],v6[3]);
return d

def print_iv(iv):
out=''
for i in range(len(iv)):
out += chr(iv[i])
print out.encode('hex')

def enc(iv1):
print iv1
iv1 = list(iv1.decode('hex'))
for i in range(len(iv1)):
iv1[i] = ord(iv1[i])

tmp=[0]*16
iv2=[0]*16
for i in range(4):
for j in range(4):
tmp[4*i+j] = iv1[4*j+i]

tmp = AddRoundKey(tmp,head,int_1)

for k in range(int_1-1,0,-1):
tmp = ShiftRows(tmp)
tmp = SubBytes(tmp)
tmp = AddRoundKey(tmp,head,k)
tmp = mix_columns(tmp)
tmp = ShiftRows(tmp)
tmp = SubBytes(tmp)
tmp = AddRoundKey(tmp,head,0)

for i in range(4):
for j in range(4):
iv2[4*j+i] = tmp[4*i+j]

for i in range(len(iv2)):
iv2[i] = chr(iv2[i])

iv2 = ''.join(iv2)
iv2 = iv2.encode('hex')
return iv2

def dec(iv1):
print iv1
iv1 = list(iv1.decode('hex'))
for i in range(len(iv1)):
iv1[i] = ord(iv1[i])

tmp=[0]*16
iv2=[0]*16
for i in range(4):
for j in range(4):
tmp[4*i+j] = iv1[4*j+i]

tmp = AddRoundKey(tmp,head,0)
tmp = inv_SubBytes(tmp)
tmp = inv_ShiftRows(tmp)

for k in range(1,int_1):
tmp = inv_mix_columns(tmp)
tmp = AddRoundKey(tmp,head,k)
tmp = inv_SubBytes(tmp)
tmp = inv_ShiftRows(tmp)

tmp = AddRoundKey(tmp,head,int_1)

for i in range(4):
for j in range(4):
iv2[4*j+i] = tmp[4*i+j]

for i in range(len(iv2)):
iv2[i] = chr(iv2[i])

iv2 = ''.join(iv2)
iv2 = iv2.encode('hex')
return iv2


iv2 = 'e8d8e2ceaf9de076a0f211f5a1895352'
iv1 = dec(iv2)
print iv1

得到iv1:e3c8f0eb7ad23ff182c8d87383f44918

分析hash2IV1函数

又是一阵疯狂的逆向加整理。

如果你直接在ida里按f5的话,你会得到这样的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
int __cdecl hash2IV1(char *hash, char *pwd, char *IV1)
{
unsigned int v3; // ST14_4@3
unsigned int v4; // ST24_4@3
char *v5; // ST18_4@3
unsigned int v6; // ST0C_4@3
int v7; // ST14_4@3
int v8; // ST0C_4@4
int v9; // ST24_4@4
int result; // eax@4
int xxx4; // [sp+Ch] [bp-20h]@1
int xxx1; // [sp+10h] [bp-1Ch]@1
char *v13; // [sp+18h] [bp-14h]@1
int xxx3; // [sp+1Ch] [bp-10h]@1
int xxx2; // [sp+24h] [bp-8h]@1
unsigned int i; // [sp+28h] [bp-4h]@1

xxx2 = *((_DWORD *)pwd + 1);
xxx4 = *((_DWORD *)pwd + 3);
xxx3 = *((_DWORD *)pwd + 2) - *((_DWORD *)hash + 0x2B);
xxx1 = *(_DWORD *)pwd - *((_DWORD *)hash + 0x2A);
v13 = hash + 0xA4;
for ( i = 0; i < 0x14; ++i )
{
v3 = ((unsigned int)(xxx1 * (2 * xxx3 + 1)) >> 25) | (xxx1 * (2 * xxx3 + 1) << 7);
v4 = v3 ^ (((unsigned int)(xxx2 - *(_DWORD *)v13) >> (32 - ((unsigned int)(xxx3 * (2 * xxx1 + 1)) >> 23))) | ((xxx2 - *(_DWORD *)v13) << ((unsigned int)(xxx3 * (2 * xxx1 + 1)) >> 23)));
v5 = v13 - 4;
v6 = (((unsigned int)(xxx3 * (2 * xxx1 + 1)) >> 23) | (xxx3 * (2 * xxx1 + 1) << 9)) ^ (((unsigned int)(xxx4 - *(_DWORD *)v5) >> (32 - (32 - v3))) | ((xxx4 - *(_DWORD *)v5) << (32 - v3)));
v13 = v5 - 4;
v7 = v6;
xxx4 = xxx3;
xxx3 = v4;
xxx2 = xxx1;
xxx1 = v7;
}
v8 = xxx4 - *(_DWORD *)v13;
v9 = xxx2 - *((_DWORD *)v13 - 1);
*((_DWORD *)IV1 + 3) = xxx1;
*(_DWORD *)IV1 = v9;
*((_DWORD *)IV1 + 1) = xxx3;
result = v8;
*((_DWORD *)IV1 + 2) = v8;
return result;
}

这种代码你想写逆算法根本是不可能的,我们要先对这段代码进行整理和改编。

由于用了一些不同数据长度的类型的转换,所以这里我用c语言来写。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
include <stdio.h>
#include <stdlib.h>
#include <iostream>
using namespace std;
typedef unsigned char byte;
typedef unsigned int uint;

byte pwd[] = { 0x59 ,0x43 ,0x29 ,0x31 ,0x19 ,0xA8 ,0x45 ,0xE9 ,0xBB ,0xDB ,0xDE ,0x5A ,0x36 ,0x9C ,0x1F ,0x50 };
byte iv1[] = { 0xe3 ,0xc8 ,0xf0 ,0xeb ,0x7a ,0xd2 ,0x3f ,0xf1 ,0x82 ,0xc8 ,0xd8 ,0x73 ,0x83 ,0xf4 ,0x49 ,0x18 };
byte out[] = { 0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 };
byte hashcode[] = { 0x7D,0xEC,0x14,0x28,0x31,0x16,0x61,0x1B,0x3C,0xBD,0x49,0x75,0x13,0x84,0x3B,0x3B,0x30,0x4D,0x17,0x1B,0xF0,0x21,0xFF,0x0C,0x9E,0x8D,0x46,0x92,0x30,0x7E,0xBC,0x7A,0xE8,0x22,0x3F,0xB0,0x3C,0xE6,0xFE,0x1C,0x6E,0xC0,0x9B,0x6C,0x95,0x7C,0x40,0xA4,0x9D,0x8D,0x2C,0xC6,0x3F,0x13,0x95,0x3F,0x89,0x73,0xED,0xF8,0x0C,0xD3,0xB7,0x77,0x5C,0x5D,0xE5,0xD0,0xBE,0x87,0xE7,0xB6,0x2A,0xD1,0x48,0x72,0x9F,0x60,0x64,0x9E,0x3D,0x05,0x97,0x04,0x62,0x86,0x85,0x67,0x8A,0x0A,0xEC,0x8B,0xC8,0x0E,0xD5,0xF7,0x0A,0xB1,0xB0,0x95,0x04,0x2B,0xFD,0x3F,0xCD,0xA9,0x49,0x06,0x96,0x14,0x37,0xF5,0xA8,0x00,0x9D,0xBC,0x70,0xD0,0x1C,0x45,0x91,0xD5,0x83,0xA6,0xFE,0x96,0x7A,0x99,0x92,0xCF,0x10,0xE1,0x97,0xBD,0xBA,0xAD,0x3B,0xE1,0x59,0xE4,0x48,0x39,0x3F,0x08,0xDA,0xC0,0x47,0x36,0x67,0x83,0x93,0x6D,0x40,0x8B,0x2D,0xA8,0x76,0xAF,0xB5,0x30,0xCA,0xA6,0xF5,0x4F,0xAD,0x0A,0xF8,0x3A,0x6F,0x86,0x0B,0x9E,0x8B,0x40,0xEC,0x1D };
void printout(byte* pout) {
int unequal = 0;
for (int i = 0; i < 16; i++) {
unequal |= (pwd[i] ^ pout[i]);
printf("%x,", pout[i]);
}
printf("\n\n");
if (!unequal) {
printf("true!!!\n");
}
else {
printf("FALSE\n");
}
}

inline uint rol(uint a, uint off) {
return (a << off) | (a >> (32 - off));
}

inline uint ror(uint a, uint off) {
return (a << (32 - off)) | (a >> off);
}

void enc(byte* in_pwd) {
uint xxx1, xxx2, xxx3, xxx4;
byte * v13;
uint a, b, c, d;
xxx1 = *((uint*)in_pwd) - *((uint*)hashcode + 0x2a);
xxx2 = *((uint*)in_pwd + 1);
xxx3 = *((uint*)in_pwd + 2) - *((uint*)hashcode + 0x2b);
xxx4 = *((uint*)in_pwd + 3);

for (int i = 0; i < 0x14; ++i) {
v13 = hashcode + 0xa4 - i * 8;

a = rol(xxx1 * (2 * xxx3 + 1), 7);
b = rol(xxx2 - *(uint *)v13, ((xxx3 * (2 * xxx1 + 1)) >> 23));
c = rol(xxx3 * (2 * xxx1 + 1), 9);
d = ror(xxx4 - *(uint *)(v13 - 4), a);

xxx4 = xxx3;
xxx3 = a^b;
xxx2 = xxx1;
xxx1 = c^d;
}

*(uint *)out = xxx2 - *((uint *)hashcode);
*((uint *)out + 1) = xxx3;
*((uint *)out + 2) = xxx4 - *(uint *)(hashcode + 4);
*((uint *)out + 3) = xxx1;

}

从这改编过的代码中,我们可以明显看出轮加密的痕迹,也就是Feistel网络结构。

那逆算法就好写了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
include <stdio.h>
#include <stdlib.h>
#include <iostream>
using namespace std;
typedef unsigned char byte;
typedef unsigned int uint;

byte pwd[] = { 0x59 ,0x43 ,0x29 ,0x31 ,0x19 ,0xA8 ,0x45 ,0xE9 ,0xBB ,0xDB ,0xDE ,0x5A ,0x36 ,0x9C ,0x1F ,0x50 };
byte iv1[] = { 0xe3 ,0xc8 ,0xf0 ,0xeb ,0x7a ,0xd2 ,0x3f ,0xf1 ,0x82 ,0xc8 ,0xd8 ,0x73 ,0x83 ,0xf4 ,0x49 ,0x18 };
byte out[] = { 0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 };
byte hashcode[] = { 0x7D,0xEC,0x14,0x28,0x31,0x16,0x61,0x1B,0x3C,0xBD,0x49,0x75,0x13,0x84,0x3B,0x3B,0x30,0x4D,0x17,0x1B,0xF0,0x21,0xFF,0x0C,0x9E,0x8D,0x46,0x92,0x30,0x7E,0xBC,0x7A,0xE8,0x22,0x3F,0xB0,0x3C,0xE6,0xFE,0x1C,0x6E,0xC0,0x9B,0x6C,0x95,0x7C,0x40,0xA4,0x9D,0x8D,0x2C,0xC6,0x3F,0x13,0x95,0x3F,0x89,0x73,0xED,0xF8,0x0C,0xD3,0xB7,0x77,0x5C,0x5D,0xE5,0xD0,0xBE,0x87,0xE7,0xB6,0x2A,0xD1,0x48,0x72,0x9F,0x60,0x64,0x9E,0x3D,0x05,0x97,0x04,0x62,0x86,0x85,0x67,0x8A,0x0A,0xEC,0x8B,0xC8,0x0E,0xD5,0xF7,0x0A,0xB1,0xB0,0x95,0x04,0x2B,0xFD,0x3F,0xCD,0xA9,0x49,0x06,0x96,0x14,0x37,0xF5,0xA8,0x00,0x9D,0xBC,0x70,0xD0,0x1C,0x45,0x91,0xD5,0x83,0xA6,0xFE,0x96,0x7A,0x99,0x92,0xCF,0x10,0xE1,0x97,0xBD,0xBA,0xAD,0x3B,0xE1,0x59,0xE4,0x48,0x39,0x3F,0x08,0xDA,0xC0,0x47,0x36,0x67,0x83,0x93,0x6D,0x40,0x8B,0x2D,0xA8,0x76,0xAF,0xB5,0x30,0xCA,0xA6,0xF5,0x4F,0xAD,0x0A,0xF8,0x3A,0x6F,0x86,0x0B,0x9E,0x8B,0x40,0xEC,0x1D };
void printout(byte* pout) {
int unequal = 0;
for (int i = 0; i < 16; i++) {
unequal |= (pwd[i] ^ pout[i]);
printf("%x,", pout[i]);
}
printf("\n\n");
if (!unequal) {
printf("true!!!\n");
}
else {
printf("FALSE\n");
}
}

inline uint rol(uint a, uint off) {
return (a << off) | (a >> (32 - off));
}

inline uint ror(uint a, uint off) {
return (a << (32 - off)) | (a >> off);
}

void enc(byte* in_pwd) {
uint xxx1, xxx2, xxx3, xxx4;
byte * v13;
uint a, b, c, d;
xxx1 = *((uint*)in_pwd) - *((uint*)hashcode + 0x2a);
xxx2 = *((uint*)in_pwd + 1);
xxx3 = *((uint*)in_pwd + 2) - *((uint*)hashcode + 0x2b);
xxx4 = *((uint*)in_pwd + 3);

for (int i = 0; i < 0x14; ++i) {
v13 = hashcode + 0xa4 - i * 8;

a = rol(xxx1 * (2 * xxx3 + 1), 7);
b = rol(xxx2 - *(uint *)v13, ((xxx3 * (2 * xxx1 + 1)) >> 23));
c = rol(xxx3 * (2 * xxx1 + 1), 9);
d = ror(xxx4 - *(uint *)(v13 - 4), a);

xxx4 = xxx3;
xxx3 = a^b;
xxx2 = xxx1;
xxx1 = c^d;
}

*(uint *)out = xxx2 - *((uint *)hashcode);
*((uint *)out + 1) = xxx3;
*((uint *)out + 2) = xxx4 - *(uint *)(hashcode + 4);
*((uint *)out + 3) = xxx1;

}

void dec(byte* in_iv) {
uint xxx1, xxx1_up, xxx2, xxx2_up, xxx3, xxx3_up, xxx4, xxx4_up;
byte * v13;
uint a, b, c, d;

xxx2 = *(uint *)in_iv + *((uint *)hashcode);
xxx3 = *((uint *)in_iv + 1);
xxx4 = *((uint *)in_iv + 2) + *(uint *)(hashcode + 4);;
xxx1 = *((uint *)in_iv + 3);

for (int i = 0x13; i >= 0; --i) {
v13 = hashcode + 0xa4 - i * 8;

xxx1_up = xxx2;
xxx3_up = xxx4;

a = rol(xxx1_up * (2 * xxx3_up + 1), 7);
c = rol(xxx3_up * (2 * xxx1_up + 1), 9);
b = xxx3^a;
d = xxx1^c;

xxx2_up = ror(b, ((xxx3_up * (2 * xxx1_up + 1)) >> 23)) + *(uint *)v13;
xxx4_up = rol(d, a) + *(uint *)(v13 - 4);

xxx4 = xxx4_up;
xxx3 = xxx3_up;
xxx2 = xxx2_up;
xxx1 = xxx1_up;
}

*((uint*)out) = xxx1 + *((uint*)hashcode + 0x2a);
*((uint*)out + 1) = xxx2;
*((uint*)out + 2) = xxx3 + *((uint*)hashcode + 0x2b);
*((uint*)out + 3) = xxx4;

}
int main(void) {
dec(iv1);

printout(out);
system("pause");
return 0;
}

从而得到pwd:93c65c807c3800b15f3600d449c64692

收尾

由格式知,我们的password(也就是mail)为
DDCTF-93c65c807c3800b15f3600d449c64692@didichuxing.com

总结这道题,不说前面的非re部分,难点主要在于求这两个的逆函数上。对此应当对常见的加密算法模式有比较透彻的理解。

而且从头到尾彻彻底底的写了一遍AES加密算法和AES的解密算法还真TM赤鸡呢!