ez_code
010 editor 里看到这种就是powershall混淆,第一次见
单击“开始” ,选择“Windows PowerShell” ,然后单击“Windows PowerShell ISE” 。或者,可以在任何命令 shell 或“运行”框中键入在ISE里 文件--打开--chall.ps1cv下去
输入
${@*}打印出多行代码,但是由于有换行符,直接复制粘贴再执行会错误
用vscode编辑器,crtl+alt+下键,插入多个光标后删除到一行
将一行的代码输入后,解析得到python代码
class chiper(): def __init__(self): self.d = 0x87654321 k0 = 0x67452301 k1 = 0xefcdab89 k2 = 0x98badcfe k3 = 0x10325476 self.k = [k0, k1, k2, k3] def e(self, n, v): from ctypes import c_uint32 def MX(z, y, total, key, p, e): temp1 = (z.value >> 6 ^ y.value << 4) + \ (y.value >> 2 ^ z.value << 5) temp2 = (total.value ^ y.value) + \ (key[(p & 3) ^ e.value] ^ z.value) return c_uint32(temp1 ^ temp2) key = self.k delta = self.d rounds = 6 + 52//n total = c_uint32(0) z = c_uint32(v[n-1]) e = c_uint32(0) while rounds > 0: total.value += delta e.value = (total.value >> 2) & 3 for p in range(n-1): y = c_uint32(v[p+1]) v[p] = c_uint32(v[p] + MX(z, y, total, key, p, e).value).value z.value = v[p] y = c_uint32(v[0]) v[n-1] = c_uint32(v[n-1] + MX(z, y, total, key, n-1, e).value).value z.value = v[n-1] rounds -= 1 return v def bytes2ints(self,cs:bytes)->list: new_length=len(cs)+(8-len(cs)%8)%8 barray=cs.ljust(new_length,b'\x00') i=0 v=[] while i < new_length: v0 = int.from_bytes(barray[i:i+4], 'little') v1 = int.from_bytes(barray[i+4:i+8], 'little') v.append(v0) v.append(v1) i += 8 return v def check(instr:str,checklist:list)->int: length=len(instr) if length%8: print("Incorrect format.") exit(1) c=chiper() v = c.bytes2ints(instr.encode()) output=list(c.e(len(v),v)) i=0 while(i<len(checklist)): if i<len(output) and output[i]==checklist[i]: i+=1 else: break if i==len(checklist): return 1 return 0 if __name__=="__main__": ans=[1374278842, 2136006540, 4191056815, 3248881376] # generateRes() flag=input('Please input flag:') res=check(flag,ans) if res: print("Congratulations, you've got the flag!") print("Flag is *ctf{your_input}!") exit(0) else: print('Nope,try again!')
去网上找xxtea的解密脚本,对照着题目改一下,MX,DELTA,v[],k[] ,输出格式
#include <stdio.h> #include <stdint.h> #include<windows.h> #define DELTA 0x87654321 #define MX (((z>>6^y<<4) + (y>>2^z<<5)) ^ ((sum^y) + (key[(p&3)^e] ^ z))) void btea(uint32_t *v, int n, uint32_t const key[4]) { uint32_t y, z, sum; unsigned p, rounds, e; if (n < -1) /* Decoding Part */ { n = -n; rounds = 6 + 52 / n; sum = rounds*DELTA; y = v[0]; do { e = (sum >> 2) & 3; for (p = n - 1; p>0; p--) { z = v[p - 1]; y = v[p] -= MX; } z = v[n - 1]; y = v[0] -= MX; sum -= DELTA; } while (--rounds); } } int main() { uint32_t v[4] = {1374278842, 2136006540, 4191056815, 3248881376}; uint32_t const k[4] = { (unsigned int)0x67452301, (unsigned int)0xefcdab89, (unsigned int)0x98badcfe, (unsigned int)0x10325476}; int n = 4; // n的绝对值表示v的长度,取正表示加密,取负表示解密 // v为要加密的数据是两个32位无符号整数 // k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位 btea(v, -n, k); printf("%x %x %x %x \n", v[0], v[1],v[2],v[3]); for (int i = 0; i < 16; i++) { printf("%c", *((char *)v + i)); } }//通用xxtea模板 //脚本来源https://blog.csdn.net/m0_51713041/article/details/115535776 //yOUar3g0oD@tPw5H