SHCTF2024-week3-wp|n0o0b's blog

忙起来了，只做了俩道简单题

web

小小cms

YzmCMS 7.0任意函数调用RCE 漏洞研究分析_yzmcms漏洞-CSDN博客

秒了

re

VTB

ez xtea

exp

#include<stdio.h>
#include<stdint.h>

void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
	unsigned int i;
	uint32_t v0 = v[0], v1 = v[1], sum = 0, delta = 0x9E3779B9;
	for (i = 0;i < num_rounds;i++) {
		v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
		sum += delta;
		v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
	}
	v[0] = v0;v[1] = v1;
}

void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
	unsigned int i;
	uint32_t v0 = v[0], v1 = v[1], delta = 0x4C307633, sum = delta * num_rounds;
	for (i = 0;i < num_rounds;i++) {
		v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
		sum -= delta;
		v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
	}
	v[0] = v0;v[1] = v1;
}

int main() {
	uint8_t v[40] = { 0x8d,0xc4,0xab,0x41,0xac,0xec,0x5b,0xe5,0xdc,0x5c,0x9e,0x6e,0xef,0xd,0x2f,0x26,0x5d,0xa6,0x48,0x3c,0x2,0xb1,0x89,0xbc,0x36,0x22,0x73,0x65,0x68,0xe4,0xf3,0xff,0x1c,0x3,0xd3,0x60,0xcc,0x67,0xcc,0x56 };

	uint32_t const k[4] = { 0x114514,0x1551,0x5115,0x144511 };
	unsigned int r = 40;				//这里是加密轮数，自己设置 
	for (int i = 0; i < 10; i++)
	{
		decipher(r, (uint32_t*)(v+8*i), k);

	}
	printf("解密后原始数据：%s", v);
	return 0;
}

The cover picture of the previous content

SHCTF2024-week4-wp

The cover picture of the next content

SHCTF2024-week2-wp