[miniVN] VSnake

发表于 分类于
miniVN VSnake 题解,定位得分逻辑与多层加密(RC4/AES/XTEA),基于 MD5 关键值爆破果实序列。

题目信息

题目名称: VSnake
类型: Reverse Engineering

解题过程

粗看一眼 main 什么都看不出来,直接动调发现第二个函数通过读取按键控制蛇头方向。

第一个函数打印游戏画面和积分统计。

发现加分逻辑在第三个函数里面,调试发现加分逻辑在这个函数内部。

找到这个函数,能猜出来三个 case 分别对应三种食物。

动调能看出 A 对应 1,B 对应 2,W 对应 3。

a 是一个包含三个 DWORD 的数组:a[0] 是吃果实数量,a[1] 是积分。再把这三个 dword 总共 12 字节传入 MD5,再用输出 buf 来进行下面的 XTEA、AES。

最后检验如果密文的前四位变成了 VNCT,则游戏结束输出 flag。

根据题目描述可以知道正确的果实顺序总长度是 10,并且 hint 也提示需要 MD5 爆破。

先提取各魔改常量,照着程序写加密脚本。

RC4 S 盒:

AES S 盒:

然后就是写爆破脚本,得到正确的果实顺序,也可以直接用脚本输出 flag。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
import hashlib
import struct
from itertools import product

SRC_TABLE = bytes([
  0x3f, 0x1e, 0xfc, 0x3d, 0x68, 0x51, 0xf0, 0x20, 0x92, 0x02, 0x9d, 0xac, 0x54, 0x6e, 0xfb, 0x42,
  0x29, 0xe8, 0x23, 0x2a, 0xd5, 0xa2, 0x3a, 0xc0, 0xd4, 0xba, 0xb5, 0x84, 0xa6, 0x74, 0x5c, 0x08,
  0xf2, 0x22, 0xa7, 0x41, 0x8b, 0xeb, 0x32, 0x0d, 0x8a, 0x89, 0x46, 0x70, 0x5e, 0xa0, 0xef, 0x67,
  0x49, 0xd3, 0x18, 0x76, 0xbd, 0xd0, 0x8d, 0x2f, 0xb4, 0x55, 0xc5, 0xc8, 0x36, 0x37, 0x66, 0x04,
  0xd8, 0x01, 0x5a, 0x2e, 0xed, 0x91, 0xff, 0x15, 0x6c, 0x64, 0x5d, 0x24, 0x72, 0x1a, 0x75, 0x30,
  0x56, 0xbf, 0xb1, 0x73, 0xc7, 0x95, 0x05, 0xb6, 0x52, 0x31, 0xb3, 0x10, 0x2b, 0x6f, 0x43, 0xbb,
  0x62, 0x7c, 0x7b, 0xa3, 0xbe, 0xd9, 0xbc, 0xdc, 0xc9, 0x8f, 0xa4, 0xe3, 0xe7, 0x17, 0x5f, 0xe9,
  0xca, 0x6d, 0x4e, 0xae, 0x83, 0x63, 0x82, 0x27, 0x4a, 0x21, 0x71, 0x2c, 0x57, 0x7d, 0xaf, 0x44,
  0x85, 0xc1, 0x47, 0x4b, 0x48, 0xf4, 0xfd, 0x3c, 0xf1, 0x45, 0x1f, 0x5b, 0xb8, 0xa1, 0xc4, 0x79,
  0x53, 0x09, 0xea, 0xee, 0x0c, 0xd6, 0x61, 0xc6, 0xaa, 0xb0, 0x69, 0x81, 0xb9, 0x7f, 0xec, 0x94,
  0xce, 0xa9, 0x97, 0x3b, 0xda, 0x8e, 0xe5, 0x86, 0x16, 0x11, 0xad, 0xd1, 0xd7, 0x40, 0xb2, 0x65,
  0xcb, 0xb7, 0x1c, 0x7a, 0xf6, 0x87, 0xcd, 0x4f, 0x9f, 0xab, 0x4d, 0x0f, 0x6a, 0xa8, 0xde, 0xc3,
  0x39, 0x50, 0xfa, 0x35, 0x33, 0x90, 0xdf, 0xf8, 0x25, 0x8c, 0x9c, 0xe0, 0xf7, 0x07, 0xe2, 0x99,
  0x77, 0x00, 0x26, 0x6b, 0x0b, 0x3e, 0x1d, 0xe1, 0x58, 0x38, 0xc2, 0x78, 0x0e, 0x59, 0x93, 0x1b,
  0x88, 0xdd, 0x9b, 0xd2, 0x19, 0x7e, 0xf9, 0xdb, 0xfe, 0x60, 0x13, 0x4c, 0xcc, 0xf3, 0xa5, 0x14,
  0x34, 0x96, 0x80, 0xe6, 0x9a, 0xf5, 0x9e, 0xe4, 0x2d, 0x03, 0x12, 0x0a, 0xcf, 0x98, 0x28, 0x06
])

SBOX = bytes([
  0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
  0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
  0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
  0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
  0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
  0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
  0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
  0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
  0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
  0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
  0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
  0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
  0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
  0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
  0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
  0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
])

INV_SBOX = bytes([
  0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
  0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
  0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
  0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
  0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
  0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
  0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
  0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
  0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
  0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
  0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
  0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
  0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
  0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
  0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
  0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
])

RCON = [
  0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
  0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000
]

DELTA = 0x7CB893DC
TARGET = 0x54434E56

def ror(val, shift):
  return ((val >> shift) | (val << (32 - shift))) & 0xFFFFFFFF

def b2d(data):
  return list(struct.unpack('<8I', data))

def d2b(dwords):
  return struct.pack('<8I', *dwords)

def update_p(p, n2):
  if n2 == 1:
    c = 0x17FBDD80
    n = 151
  elif n2 == 2:
    c = 0x97223FFC
    n = 27
  elif n2 == 3:
    c = 0xBE95BDCE
    n = 194
  else:
    return

  p[1] = (p[1] + c) & 0xFFFFFFFF
  p[0] = (p[0] + 1) & 0xFFFFFFFF
  temp = ((p[2] >> 2) ^ (32 * p[2])) & 0xFFFFFFFF
  p[2] = (n + temp) & 0xFFFFFFFF
  p[2] = ((p[2] * c) ^ p[2]) & 0xFFFFFFFF

def A(data):
  s = bytearray(SRC_TABLE)
  v3 = 0
  v4 = 0
  for i in range(len(data)):
    v3 = (v3 + 1) & 0xFF
    v4 = (s[v3] + v4) & 0xFF
    s[v3], s[v4] = s[v4], s[v3]
    k = s[(s[v4] + s[v3]) & 0xFF]
    data[i] ^= k ^ 0x12
  return data

# AES parts

def sub_7FF6790E1100(buf, a3):
  for i in range(4):
    a3[i] = struct.unpack('>I', buf[4*i:4*i+4])[0]
  v8_idx = 0
  for j in range(10):
    v8_3 = a3[v8_idx + 3]
    b0 = SBOX[(v8_3 >> 24) & 0xFF]
    b1 = SBOX[(v8_3 >> 0) & 0xFF]
    b2 = SBOX[(v8_3 >> 8) & 0xFF]
    b3 = SBOX[(v8_3 >> 16) & 0xFF]
    temp = (b0 | (b1 << 8) | ((b2 << 16) & 0xFF0000) | (b3 << 24)) ^ RCON[j] ^ a3[v8_idx]
    a3[v8_idx + 4] = temp
    a3[v8_idx + 5] = a3[v8_idx + 4] ^ a3[v8_idx + 1]
    a3[v8_idx + 6] = a3[v8_idx + 5] ^ a3[v8_idx + 2]
    a3[v8_idx + 7] = a3[v8_idx + 6] ^ a3[v8_idx + 3]
    v8_idx += 4
  temp_keys = [a3[i] for i in range(44)]
  v9_idx = 40
  v10_idx = 44
  for _ in range(11):
    for m in range(4):
      a3[v10_idx + m] = temp_keys[v9_idx + m]
    v9_idx -= 4
    v10_idx += 4

def sub_7FF6790E1000(buf, a2):
  idx = 0
  for i in range(4):
    for j in range(4):
      buf[4 * j + i] = a2[idx]
      idx += 1

def sub_7FF6790E1080(buf, a2, offset=0):
  idx = offset
  for i in range(4):
    for j in range(4):
      a2[idx] = buf[4 * j + i]
      idx += 1

def sub_7FF6790E1470(buf, rk):
  for i in range(4):
    for j in range(4):
      b = (rk[j] >> (8 * (3 - i))) & 0xFF
      buf[4 * i + j] ^= b

def sub_7FF6790E15C0(buf):
  for i in range(4):
    w = struct.unpack('>I', bytes(buf[4*i:4*i+4]))[0]
    w = ror(w, 8 * i)
    buf[4*i] = (w >> 24) & 0xFF
    buf[4*i + 1] = (w >> 16) & 0xFF
    buf[4*i + 2] = (w >> 8) & 0xFF
    buf[4*i + 3] = w & 0xFF

def sub_7FF6790E1540(buf):
  for i in range(4):
    for j in range(4):
      buf[4 * i + j] = INV_SBOX[buf[4 * i + j]]

def sub_7FF6790E17B0(a1, a2):
  v3 = 0
  for _ in range(8):
    if (a1 & 1) != 0:
      v3 ^= a2
    v5 = a2 & 0x80
    a2 = (a2 * 2) & 0xFF
    if v5:
      a2 ^= 0x1B
    a1 >>= 1
  return v3

def sub_7FF6790E1840(buf):
  mat = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
  v13 = bytearray(buf)
  for k in range(4):
    for m in range(4):
      res = 0
      for n in range(4):
        res ^= sub_7FF6790E17B0(mat[k][n], v13[m + 4 * n])
      buf[4 * k + m] = res

def W(data, p):
  md5_in = struct.pack('<III', p[0], p[1], p[2])
  key = hashlib.md5(md5_in).digest()

  exp_key = [0] * 88
  sub_7FF6790E1100(key, exp_key)

  res = bytearray(32)
  off1 = 0
  off2 = 0

  for _ in range(2):
    buf = bytearray(16)
    sub_7FF6790E1000(buf, data[off1:off1+16])
    sub_7FF6790E1470(buf, exp_key[44:48])

    idx = 44
    for _ in range(1, 10):
      idx += 4
      sub_7FF6790E15C0(buf)
      sub_7FF6790E1540(buf)
      sub_7FF6790E1470(buf, exp_key[idx:idx+4])
      sub_7FF6790E1840(buf)

    sub_7FF6790E1540(buf)
    sub_7FF6790E15C0(buf)
    sub_7FF6790E1470(buf, exp_key[84:88])

    sub_7FF6790E1080(buf, res, off2)
    off1 += 16
    off2 += 16

  return bytes(res)

def B(state, p):
  md5_in = struct.pack('<III', p[0], p[1], p[2])
  key = hashlib.md5(md5_in).digest()

  n = 8
  q = 6 + 52 // n
  sum_val = (DELTA * q) & 0xFFFFFFFF
  y = state[0]

  while q > 0:
    e = (sum_val >> 2) & 3
    for i in range(n - 1, 0, -1):
      z = state[i - 1]
      k = struct.unpack('<I', key[4*((i&3)^e):4*((i&3)^e)+4])[0]
      mx = (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum_val^y) + (k^z))) & 0xFFFFFFFF
      state[i] = (state[i] - mx) & 0xFFFFFFFF
      y = state[i]

    z = state[n - 1]
    k = struct.unpack('<I', key[4*(e&3):4*(e&3)+4])[0]
    mx = (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum_val^y) + (k^z))) & 0xFFFFFFFF
    state[0] = (state[0] - mx) & 0xFFFFFFFF
    y = state[0]

    sum_val = (sum_val - DELTA) & 0xFFFFFFFF
    q -= 1

  return state

def check(seq):
  state = [
    0x7F9067FE, 0x1DAC3F30, 0x8F6C954C, 0x175BA730,
    0x2F91961A, 0x6F30DD2F, 0x8410EDB3, 0xFD823986
  ]
  p = [0, 0, 0]

  for f in seq:
    update_p(p, f)
    if f == 1:
      sb = bytearray(d2b(state))
      sb = A(sb)
      state = b2d(sb)
    elif f == 3:
      sb = d2b(state)
      sb = W(sb, p)
      state = b2d(sb)
    elif f == 2:
      state = B(list(state), p)
  return state

if __name__ == '__main__':
  print('start...')
  # 1=A, 2=B, 3=W
  map_char = {1: 'A', 2: 'B', 3: 'W'}

  for seq in product([1, 2, 3], repeat=10):
    try:
      res = check(seq)
      if res[0] == TARGET:
        s = ''.join([map_char[x] for x in seq])
        print('found:', s)
        print(res)
        break
    except Exception:
      pass
# found: ABWBBABWWA
# [1413697110, 1850964806, 1600482145, 661548868, 1868128116, 1867276149, 1230988662, 2103394164]

把结果转成字符串即可拿到 flag:

1
2
3
4
5
6
7
8
import struct

for j in [1413697110, 1850964806, 1600482145, 661548868, 1868128116, 1867276149, 1230988662, 2103394164]:
  by = struct.pack('<I', j)
  flag = list(struct.unpack('<4B', by))
  flag = [chr(i) for i in flag]
  print(''.join(flag), end='')
# VNCTF{Snake_Don't_You_Love_It?_}

照着答案玩游戏也可以得到 flag:

最终 flag:VNCTF{Snake_Don't_You_Love_It?_}

阅读 加载中...