happytime
一、查壳
无壳,64位
二、IDA分析
1.main
2.cry函数
总体:是魔改的XXTEA加密
在main中可以看到,被加密并分段的flag在最后的循环中与v6进行比较,而v6正是上面初始化的那个数组。
所以毫无疑问密文是v6.
而与flag一起进入加密函数的v5就是key.
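在cry加密函数中可以看到DELTA是0x61C88647。注意0x61C88647 + 0x9E3779B9 = 2^32,也就是说它与标准XXTEA常量0x9E3779B9在模2^32下互为相反数;下面脚本的解密分支让sum从 -q*DELTA 开始、每轮加DELTA,对应的加密过程就是每轮从sum中减去DELTA。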
所以脚本:
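#include <stdbool.h>
#include <stdio.h>

/*
 * Round constant used by the write-up. 0x61C88647 + 0x9E3779B9 == 2^32, so
 * subtracting this value from sum each round is the same as adding the
 * reference XXTEA constant 0x9E3779B9.
 */
#define DELTA 0x61C88647u

/*
 * XXTEA mixing function. Expects y, z, sum, p, e and k in the caller's scope.
 * '+' binds tighter than '^' in C, so the original unparenthesised form already
 * evaluated as (A + B) ^ (C + D); the grouping is only made explicit here.
 */
#define MX ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ \
            ((sum ^ y) + (k[(p & 3) ^ e] ^ z)))

/**
 * Modified XXTEA transform, applied to the buffer in place.
 *
 * The round count is 415 / n + 114 (reference XXTEA uses 6 + 52 / n).
 *
 * Two fixes compared with the original listing:
 *  - z was initialised from v[n - 1] before the sign of n was checked, which
 *    reads out of bounds whenever n <= 0 (every decrypt call). Each branch now
 *    reads only the element it needs, after n is known to be valid.
 *  - the encrypt branch stepped sum by +DELTA while the decrypt branch undoes
 *    steps of -DELTA, so encrypt followed by decrypt did not restore the data.
 *    Encrypt now steps by -DELTA, making the two branches exact inverses. The
 *    decrypt branch is unchanged.
 *
 * @param v  buffer of |n| words
 * @param n  word count; n > 1 encrypts, n < -1 decrypts
 * @param k  key, four words
 * @return   0 (false) when the buffer was transformed, 1 (true) when |n| < 2
 *           and nothing was done
 */
bool btea(unsigned int *v, int n, const unsigned int *k)
{
    unsigned int y, z, sum, e, p, q;

    if (n > 1) { /* encoding part */
        unsigned int words = (unsigned int)n;

        q = 415 / n + 114;
        sum = 0;
        z = v[words - 1];
        while (q-- > 0) {
            sum -= DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < words - 1; p++) {
                y = v[p + 1];
                z = v[p] += MX;
            }
            /* p == words - 1 here: the last word wraps around to v[0] */
            y = v[0];
            z = v[words - 1] += MX;
        }
        return 0;
    }

    if (n < -1) { /* decoding part */
        unsigned int words;

        n = -n;
        words = (unsigned int)n;
        q = 415 / n + 114;
        sum = -q * DELTA; /* unsigned arithmetic: value of sum in the final encrypt round */
        y = v[0];
        while (sum != 0) {
            e = (sum >> 2) & 3;
            for (p = words - 1; p > 0; p--) {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            /* p == 0 here: the first word wraps around to v[words - 1] */
            z = v[words - 1];
            y = v[0] -= MX;
            sum += DELTA;
        }
        return 0;
    }

    return 1;
}

int main(void)
{
    /* Ciphertext words the binary compares against (v6 in the write-up). */
    unsigned int v[11] = {0x480AC20C, 0xCE9037F2, 0x8C212018, 0xE92A18D,
                          0xA4035274, 0x2473AAB1, 0xA9EFDB58, 0xA52CC5C8,
                          0xE432CB51, 0xD04E9223, 0x6FD07093};
    /* Key passed to the cipher together with the input (v5 in the write-up). */
    unsigned int key[4] = {0x79696755, 0x67346F6C, 0x69231231, 0x5F674231};
    int n = 11; /* number of words to process */

    /* positive n encrypts, negative n decrypts */
    if (btea(v, -n, key)) {
        return 1;
    }

    /*
     * Dump the buffer byte by byte (44 bytes when unsigned int is 4 bytes wide).
     * Bytes come out in host memory order, so a little-endian host is presumably
     * needed to reproduce the text below -- confirm on other targets.
     */
    const char *p = (const char *)v;
    for (size_t i = 0; i < sizeof v; i++) {
        printf("%c", p[i]);
    }
    return 0;
}
// Result given by the write-up:
// flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}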