https://buuoj.cn/challenges#[2019%E7%BA%A2%E5%B8%BD%E6%9D%AF]xx

64 C++ PE

// Inlined strlen-style scan: advance str_len until the byte at Code + str_len is NUL.
// NOTE(review): the initial value of str_len is outside this excerpt (presumably -1,
// as in the later length loops); the write-up treats the result as the length
// of the user input - confirm against the full decompilation.
do
  ++str_len;
while ( *((_BYTE *)Code + str_len) );

检测输入字符串的长度是否为 19

qwertyuiopasdfghjklzxcvbnm1234567890

取出输入的前 4 个字符并补一个 0,验证这 4 个字符(“flag”)是否都在上面的字符表里,即是否是小写字母或数字(鉴定为勾石 CPP)

// Copies the first four input bytes into a fresh 5-byte heap buffer, calling
// _exit if any of them is not found in the keyboard-map string, and then
// NUL-terminates the copy.
new_array = (__int128 *)operator new(5ui64);  // allocates a 5-byte array (4 copied bytes + 1 terminator)
keyboardmap = *(_QWORD *)&Code;               // author's note: the string qwertyuiopasdfghjklzxcvbnm1234567890
ptr_ref = new_array;
v8 = 0;
array_ptr = new_array;
do
{
  // array_ptr + (input - new_array) is input + (array_ptr - new_array),
  // i.e. the input byte at the same offset as the current output byte.
  now = *((_BYTE *)array_ptr + (char *)input - (char *)new_array);
  keyboardmap_len_find_index_res = 0;
  *(_BYTE *)array_ptr = now;                  // store the byte into the copy before it is validated
  keyboardmap_len_find_index_res2 = 0i64;
  keyboardmap_len = -1i64;
  do                                          // compute keyboardmap_len (inlined strlen)
    ++keyboardmap_len;
  while ( *(_BYTE *)(keyboardmap + keyboardmap_len) );
  if ( keyboardmap_len )
  {
    do                                        // linear search for `now` in keyboardmap
    {
      if ( now == *(_BYTE *)(keyboardmap + keyboardmap_len_find_index_res2) )
        break;
      ++keyboardmap_len_find_index_res;
      ++keyboardmap_len_find_index_res2;
    }
    while ( keyboardmap_len_find_index_res < keyboardmap_len );
  }
  keyboardmap_len2 = -1i64;
  do                                          // the length is recomputed here (second inlined strlen)
    ++keyboardmap_len2;
  while ( *(_BYTE *)(keyboardmap + keyboardmap_len2) );
  // An index equal to the length means the search ran off the end: the byte
  // is not in the keyboard map, so the program exits.
  // NOTE(review): passing keyboardmap as the exit status looks like a
  // decompiler artifact - confirm in the disassembly.
  if ( keyboardmap_len_find_index_res == keyboardmap_len2 )
    _exit(keyboardmap);
  array_ptr = (__int128 *)((char *)array_ptr + 1);
}
while ( (char *)array_ptr - (char *)new_array < 4 );  // exactly four bytes are copied and checked
*((_BYTE *)new_array + 4) = 0;                // terminator in the fifth (last) allocated byte

这个该怎么动调啊,怎么输入不了东西。有点难搞

一直到 112 行才是开始主要逻辑的地方,前面比赛的时候大可不必分析,主要是对输入合法性进行验证和初始化

FindCrypt 识别出是 TEA 加密

v30 = 52 / (unsigned int)v12 + 6; 这正是 XXTEA 的轮数公式(rounds = 6 + 52/n),可以看出来是 XXTEA(名字也能看出来啦)

XXTEA 之后是对整体一个移位(按字节重排位置),然后有一个诡异的异或,最后和程序里明文存放的常量数组比较(IDA 又识别错数组了)

先逆向异或,把 v20 解出来

# Bytes the binary compares the transformed input against, as listed in the write-up.
flag = [
    0xce, 0xbc, 0x40, 0x6b, 0x7c, 0x3a, 0x95, 0xc0,
    0xef, 0x9b, 0x20, 0x20, 0x91, 0xf7, 0x02, 0x35,
    0x23, 0x18, 0x02, 0xc8,
    0xe7, 0x56, 0x56, 0xfa,
]

# Step 1: undo the XOR layer. Byte `pos` is XORed with the first pos // 3 bytes.
# Walking from the last index down means those lower-indexed bytes have not
# been rewritten yet when they are used. range(0) is empty, so positions
# 1 and 2 are left untouched without needing a separate guard.
for pos in reversed(range(1, len(flag))):
    for src in range(pos // 3):
        flag[pos] ^= flag[src]

# Step 2: undo the byte reordering. ts[i] is the destination index of byte i
# (each group of four bytes is shuffled as 2, 0, 3, 1).
ts = [2, 0, 3, 1, 6, 4, 7, 5, 10, 8, 11, 9, 14, 12, 15, 13, 18, 16, 19, 17, 22, 20, 23, 21]
flag_ts = [0] * 24
for src, dst in enumerate(ts):
    flag_ts[dst] = flag[src]

# Emit the result as space-separated hex on a single line (trailing space,
# no newline); these bytes are the input to the final XXTEA decryption.
print(''.join(hex(value) + ' ' for value in flag_ts), end='')
0xbc 0xa5 0xce 0x40 0xf4 0xb2 0xb2 0xe7 0xa9 0x12 0x9d 0x12 0xae 0x10 0xc8 0x5b 0x3d 0xd7 0x6 0x1d 0xdc 0x70 0xf8 0xdc 

用 xxtea 解密解出来

flag{CXX_and_++tea}