1.TBXO
全部代码都采用修改栈上返回地址的方法进行跳转，静态分析很难定位加密函数，最终是在汇编层动态调试时找到了加密函数。
是一个魔改的 TEA 加密。
对照加密逻辑写出解密脚本：
from ctypes import *
from binascii import *
from Crypto.Util import *
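# Key schedule and ciphertext words recovered from the binary, as 32-bit
# little-endian integers; `enc` is decrypted in place below.
key = [0x67626463, 0x696D616E, 0x79645F65, 0x6B696C69]
enc = [0x31363010, 0xAD938623, 0x8492D4C5, 0x7567E366, 0xC786696B, 0xA0092E31, 0xDB695733, 0xDD13A893, 0x88D8A53E, 0x7E845437]

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # TEA's golden-ratio constant; the binary keeps it unchanged


def decrypt_block(v0, v1, k, rounds=32, delta=DELTA):
    """Undo `rounds` rounds of the modified TEA used by the binary on one (v0, v1) pair.

    The round function differs from textbook TEA in one place: the shift term
    is ``(k[3] + (v0 >> 5)) ^ 0x33`` (and symmetrically ``(k[1] + (v1 >> 5)) ^ 0x33``),
    i.e. the key word is added first and the result XORed with 0x33.  The
    ``+ 16 * v`` term is ``v << 4`` as in standard TEA.

    All arithmetic is reduced modulo 2**32 after each assignment; because
    addition, subtraction and XOR are compatible with this reduction, masking
    only the stored values gives the same result as the C `uint32_t` code.

    Args:
        v0, v1: the two 32-bit ciphertext words of the block.
        k: four 32-bit key words.
        rounds: number of rounds the encryptor ran (32 in this challenge).
        delta: per-round increment of the running sum.

    Returns:
        The (v0, v1) plaintext words as Python ints in [0, 2**32).
    """
    # Encryption ended with sum == rounds * delta (mod 2**32); walk it back.
    total = (delta * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((total + v0) ^ (k[2] + (v0 << 4)) ^ ((k[3] + (v0 >> 5)) ^ 0x33))) & MASK32
        v0 = (v0 - ((total + v1) ^ (k[0] + (v1 << 4)) ^ ((k[1] + (v1 >> 5)) ^ 0x33))) & MASK32
        total = (total - delta) & MASK32
    return v0, v1


def word_to_text(word):
    """Render a decrypted 32-bit word as the characters it holds, in memory order.

    Equivalent to ``Crypto.Util.number.long_to_bytes(word).decode()[::-1]``
    without the third-party dependency: the minimal big-endian byte string
    (at least one byte, so 0 -> b"\\x00") is UTF-8 decoded and reversed, which
    yields little-endian (memory) order for a full 4-byte word.

    Raises:
        UnicodeDecodeError: if the word does not hold valid UTF-8.
    """
    nbytes = max(1, (word.bit_length() + 7) // 8)
    return word.to_bytes(nbytes, "big").decode()[::-1]


# Blocks are consecutive word pairs; `enc` is expected to have even length.
for i in range(0, len(enc), 2):
    enc[i], enc[i + 1] = decrypt_block(enc[i], enc[i + 1], key)
    print(word_to_text(enc[i]), end="")
    print(word_to_text(enc[i + 1]), end="")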
2.