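2022 National Competition Re1 baby_tree
2022-07-06 09:18:00 [Hofiy]
Preface
On opening the challenge file, I found a long stretch of text that was not in any code format. (As a newbie, I panicked.)
Step 1
From the file extension and the challenge name baby_tree, it is clear that this is an AST (abstract syntax tree). The beginning of the file shows that it was produced from a program written in Swift, namely "re.swift".
After searching for related material, I learned that:
Swift compiler has an interesting mode: -dump-ast which outputs the abstract syntax tree of a swift source code. AST is used to represent the source code in form of a tree containing syntactic information.
This shows what the challenge is testing: analyze the Swift AST syntax, work out the encryption flow, and recover the flag. Time to start analyzing. (Tip: it should also be possible to set up a local Swift environment and compare its output against the dump.)
Step 2
1. Find the ciphertext
The AST has 635 lines in total, so reading it from top to bottom is too inefficient. I decided to look for the ciphertext first as a way in. Starting at line 528 of the file, I found the ciphertext, along with traces of a comparison.
The key point here is to understand how the logic of this AST takes effect, and then to apply that understanding to the rest of the analysis.
Analysis shows that Swift.(file).Array extension.== is referenced first at decl, similar to declaring the operator; then the result of the operation is declared at type, typerepr='Array<UInt8>'; finally the operands are loaded, which in this challenge are b and the encrypted array 88,35,88,225,7,201,57,94,77,56,75,168,72,218,64,91,16,101,32,207,73,130,74,128,76,201,16,248,41,205,103,84,91,99,79,202,22,131,63,255,20,16
2. Line-by-line analysis
Starting again from the top with the logic just worked out saves a lot of time.
As can be seen, the check function takes two string parameters, encoded and keyvalue, and converts them into b and k respectively. (The screenshot shows b; k is further down.)
Next comes the creation of r0, r1, r2 and r3.
Then comes the important part, the for loop.
Following the same logic as the ciphertext comparison, it is easy to see that this declares for i in range(0,len(b)-4+1)
Then we enter the loop body.
Sorting out the logic, it is r0 = b[i], r1 = b[i+1], r2 = b[i+2], r3 = b[i+3]
(The screenshot shows the assignments of r0 and r1.)
Reading on,
we find b[i]=r2^((k[0]+(r0>>4))&0xff)
(The screenshot is not complete. The whole flow is long, but the logic is not hard; it spans lines 207-288.)
After that it is a matter of reading on: a series of assignments, each taking a new value.
In the end, the for loop stops before the return, and what follows is the ciphertext comparison, so the check function ends here.
3. Write out the encryption flow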
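# Ciphertext recovered from the AST (the array listed in step 1).
res = [88, 35, 88, 225, 7, 201, 57, 94, 77, 56, 75, 168, 72, 218,
       64, 91, 16, 101, 32, 207, 73, 130, 74, 128, 76, 201, 16, 248,
       41, 205, 103, 84, 91, 99, 79, 202, 22, 131, 63, 255, 20, 16]

def check(data, key):
    b = list(data)  # byte values of the input
    k = list(key)   # key bytes k[0]..k[3]
    for i in range(len(b) - 4 + 1):
        r0, r1, r2, r3 = b[i], b[i+1], b[i+2], b[i+3]
        b[i] = r2 ^ ((k[0] + (r0 >> 4)) & 0xff)
        b[i+1] = r3 ^ ((k[1] + (r1 >> 2)) & 0xff)
        b[i+2] = r0 ^ k[2]
        b[i+3] = r1 ^ k[3]
        # Rotate the key left by one. The four assignments must take effect
        # together; written one per line, k[3] would receive the new k[0].
        k[0], k[1], k[2], k[3] = k[1], k[2], k[3], k[0]
    return b == res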
4. Reverse it to decrypt
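def decode(data, key):
    b = list(data)  # the 42 ciphertext bytes
    k = list(key)   # key bytes k[0]..k[3]
    # The last window is i = 38. By then the key has been rotated 38 times,
    # which is the same as rotating it by two positions.
    k[0], k[1], k[2], k[3] = k[2], k[3], k[0], k[1]
    r1 = b[38 + 3] ^ k[3]
    r0 = b[38 + 2] ^ k[2]
    r3 = b[38 + 1] ^ ((k[1] + (r1 >> 2)) & 0xff)
    r2 = b[38] ^ ((k[0] + (r0 >> 4)) & 0xff)
    b[38], b[38 + 1], b[38 + 2], b[38 + 3] = r0, r1, r2, r3
    for i in range(37, -1, -1):
        # Undo one key rotation (rotate right by one), all four at once.
        k[0], k[1], k[2], k[3] = k[3], k[0], k[1], k[2]
        # r0 and r1 come back first; r2 and r3 depend on them.
        r1 = b[i+3] ^ k[3]
        r0 = b[i+2] ^ k[2]
        r3 = b[i+1] ^ ((k[1] + (r1 >> 2)) & 0xff)
        r2 = b[i] ^ ((k[0] + (r0 >> 4)) & 0xff)
        b[i], b[i + 1], b[i + 2], b[i + 3] = r0, r1, r2, r3
    print("".join(chr(i) for i in b))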
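The flow in step 3 and its inverse in step 4 can be checked without the real key by a round trip. The following is an added example, not code from the original post: it generalises the inverse beyond the 42-byte case, and the function names, SAMPLE_KEY and SAMPLE_PLAIN are constructed for illustration (a 4-byte key is assumed; these are not the challenge's values).

```python
# Added example: round-trip check of the baby_tree transform and its inverse.
# SAMPLE_KEY and SAMPLE_PLAIN are constructed, not the challenge's key or flag.
SAMPLE_KEY = b"K3y!"
SAMPLE_PLAIN = b"flag{constructed_sample_for_round_trip!!}"


def encode_windows(data, key):
    """Forward transform from step 3: slide a 4-byte window over the data."""
    b, k = list(data), list(key)
    for i in range(len(b) - 3):
        r0, r1, r2, r3 = b[i:i + 4]
        b[i] = r2 ^ ((k[0] + (r0 >> 4)) & 0xff)
        b[i + 1] = r3 ^ ((k[1] + (r1 >> 2)) & 0xff)
        b[i + 2] = r0 ^ k[2]
        b[i + 3] = r1 ^ k[3]
        k = k[1:] + k[:1]  # rotate the key left by one for the next window
    return bytes(b)


def decode_windows(data, key):
    """Inverse for any length: undo the windows from last to first."""
    b, key = list(data), list(key)
    for i in range(len(b) - 4, -1, -1):
        # Window i was encrypted with the key rotated left i times.
        s = i % len(key)
        k = key[s:] + key[:s]
        # r0 and r1 are recovered first because r2 and r3 depend on them.
        r0 = b[i + 2] ^ k[2]
        r1 = b[i + 3] ^ k[3]
        r2 = b[i] ^ ((k[0] + (r0 >> 4)) & 0xff)
        r3 = b[i + 1] ^ ((k[1] + (r1 >> 2)) & 0xff)
        b[i:i + 4] = r0, r1, r2, r3
    return bytes(b)


def round_trip_ok(max_len=64):
    """Check decode(encode(x)) == x for constructed inputs of every length."""
    for n in range(max_len):
        plain = bytes((7 * j + n) & 0xff for j in range(n))
        if decode_windows(encode_windows(plain, SAMPLE_KEY), SAMPLE_KEY) != plain:
            return False
    return True


if __name__ == "__main__":
    enc = encode_windows(SAMPLE_PLAIN, SAMPLE_KEY)
    print(decode_windows(enc, SAMPLE_KEY) == SAMPLE_PLAIN, round_trip_ok())
```

For a 42-byte input the last window is i = 38 and 38 % 4 = 2, which is why the decoder above starts from the key rotated by two positions.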
Summary
Just grind through it by reading.