SMC做题随笔

做题

[HDCTF 2023]enc

TEA解密exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#include <cstdio>
using namespace std;
unsigned int v5,v6;
int sum,a2[4]={18,52,86,120};
int main(void){
    v6=0x60fcdef7,
    v5=0x236dbec,
    sum=-0xc3910c8e0;
    for(register int i=0;i<32;i++)
        v5-=(a2[3]+(v6>>5))^(sum+v6)^(a2[2]+(v6<<4)),
        v6-=(a2[1]+(v5>>5))^(sum+v5)^(a2[0]+(v5<<4)),
        sum+=0x61c88647;
    printf("%d\n",v6);
    return 0;
};

得smc加密方式为$\oplus3$,由程序可知加密为.hdctf部分,可知section size为0x1600

idapython exp为:

1
2
3
import idc
for i in range(0x41d000,0x41e600):
    patch_byte(i,get_wide_byte(i)^3)

新建函数,得rc4加密,exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import re
def rc4_decrypt(ciphertext,key):
    S=list(range(256))
    j=0
    res=[]
    #初始化S
    for i in range(256):
        j=(j+S[i]+key[i%len(key)])%256
        S[i],S[j]=S[j],S[i]
    #解密
    i=j=0
    for char in ciphertext:
        i=(i+1)%256
        j=(j+S[i])%256
        S[i],S[j]=S[j],S[i]
        res.append(char^S[(S[i]+S[j])%256])
    return bytes(res)
s = """
mov     [ebp+var_2C], 0Fh
...
"""
pattern=r',\s*(\S+)h'
data_list=re.findall(pattern,s)
data_list=['0x'+x for x in data_list]
data_list=[int(j,16) for j in data_list]
key='you_are_master'
key_list=[ord(c) for c in key]
flag=rc4_decrypt(data_list,key_list)
print(flag)

得flag

[GWCTF 2019]re3

SMC分析:

1
2
3
import idc
for i in range(0x402219,0x402300):
    patch_byte(i,get_wide_byte(i)^0x99)

对程序进行仔细分析,发现有很多无关加密操作。

主要逻辑为AES加密。密钥由动调找出。

AES解码用赛博厨子,模式选ECB。

[HGAME 2023 week3]patchme

SMC解密:

1
2
3
import idc
for i in range(0x14C6,0x188C):
    patch_byte(i,get_wide_byte(i)^0x66)

选择直接逆向:

1
2
3
4
key1=[0x54,0x16,0xD9,0x99,0x80,0x8A,0x28,0xFA,0x58,0x85,0x05,0x09,0x49,0x53,0xB5,0x63,0xCE,0x8C,0xF3,0xA0,0xDC,0x66,0x90,0x97,0x4C,0x5C,0xF3,0xE8,0x54,0xF4,0x4C,0xBD,0xD1,0x44,0xE4,0x99,0x16,0x67,0x83,0x31,0xDA,0x61,0x6B,0xAC,0xBB,0xD0,0x55]
key2=[0x3B,0x4F,0xA2,0xFC,0xED,0xEB,0x4F,0x92,0x07,0xE4,0x5A,0x6C,0x3B,0x67,0xEA,0x16,0xAF,0xE1,0xAC,0xC8,0xBF,0x12,0xD0,0xE7,0x13,0x2E,0xC3,0xB7,0x26,0x91,0x38,0xCE,0x8E,0x21,0x97,0xEB,0x73,0x11,0xE6,0x43,0xae,0x54,0x0a,0xc1,0xc9,0xb5,0x28]
for i in range(len(key1)):
    print(chr(key1[i]^key2[i]),end='')

[SWPUCTF 2023 秋季新生赛]Easy SMC

简单SMC

1
2
3
4
5
6
7
8
9
10
#include <cstdio>
using namespace std;
unsigned int enc[64]={
    0x4E,0x52,0x51,0x40,0x50,0x41,0x75,0x61,0x2B,0x2C,0x4F,0x25,0x6A,0x5C,0x34,0x5D,0x31,0x65,0x3A,0x22,0x4B,0x1C,0x58,0x5D,0x1B,0x59,0x4B,0x1A,0x58,0x4C,0x50,0x48,0x3F,0x52,0x11,0x0E,0x42,0x3A,0x47,0x09,0x3C,0x08,0x3C,0x4E,0x33,0x36,0x02,0x35,0x03,0x2E,0xFFFFFFFF,0x05,0x23,0x1E,0x12,0x0D,0x1E,0xFFFFFFFA,0x3B,0xFFFFFFFC,0x33,0x06,0x16,0x3E
};
int main(void){
    for(register int i=0;i<64;i++)
        printf("%c",enc[i]+i);
    return 0;
};

[羊城杯 2021]BabySmc

直接动调解SMC,发现为变表不可见字符Base64,然后异或变可见字符得密文。

“1”和“4”得作用相当于原表“=”,直接strip即可。

1
2
3
4
5
6
7
8
9
10
11
res="H>oQn6aqLr{DH6odhdm0dMe`MBo?lRglHtGPOdobDlknejmGI|ghDb<"
key=[0xA6,0xA3,0xA9,0xAC]
flag=[]
for i in range(len(res)):
    flag.append(ord(res[i])^key[i%len(key)])
table=[0xE4,0xC4,0xE7,0xC7,0xE6,0xC6,0xE1,0xC1,0xE0,0xC0,0xE3,0xC3,0xE2,0xC2,0xED,0xCD,0xEC,0xCC,0xEF,0xCF,0xEE,0xCE,0xE9,0xC9,0xE8,0xC8,0xEB,0xCB,0xEA,0xCA,0xF5,0xD5,0xF4,0xD4,0xF7,0xD7,0xF6,0xD6,0xF1,0xD1,0xF0,0xD0,0xF3,0xD3,0xF2,0xD2,0xFD,0xDD,0xFC,0xDC,0xFF,0xDF,0x95,0x9C,0x9D,0x92,0x93,0x90,0x91,0x96,0x97,0x94,0x8A,0x8E]
result=b''
for i in flag:
    result+=bytes('{:0>6}'.format(bin(table.index(i)).replace("0b","")).encode())
for i in range(0,len(result),8):
    print(chr(int(result[i:i+8],2)),end='')

当然拿IDAPython也能做:

1
2
3
4
5
6
7
8
9
import idc,ida_bytes
start=0x140001085
end=0x140001D00
def change_byte(uint8):
    return (((uint8&7)<<5)|(uint8>>3))^0x5a #ROR3
size=end-start+1
b=idc.get_bytes(start,size)
b2=bytes([change_byte(x) for x in b])
ida_bytes.patch_bytes(start,b2)