REVERSE-COMPETITION-HGAME2022-Week3

- Answer's Windows
- creakme3
- hardened
- fishman

Answer’s Windows

含有GUI的程序，ida打开，Shift+F12打开字符串窗口，发现"right"和"wrong"
windows-strings
对"right"查找交叉引用，来到sub_140002300函数
分析知道sub_140001F90是个变表base64，但是不知道变表
windows-main
起调试，在如下图所示处下断，这里是生成变表的地方
调试时修改ZF标志位使程序能够执行if中的代码
windows-debug
F7进入sub_7FF637FD1F90函数，这里qword_7FF638E52000存储的就是变表的地址

于是找到变表，最后的"a"相当于"="，起到补充作用
windows-base64
最后用脚本解变表base64即可得到flag

# -*- coding:utf-8 -*-
#base="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  原表
base=[0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64,0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,0x38, 0x39, 0x2B, 0x2F]  #原表的ascii码表示，方便进行原表变换
#对原表进行变换，不要变表时，注释掉原表变换的代码即可
#for i in range(0,10):
#    base[i],base[19-i]=base[19-i],base[i]
#base_changed是变表，需要转成字符串的形式
base_changed='!"#$%&\x27()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`'
print("Current Base:\n%s " %base_changed) #打印base_changed变表
def base64_encode(inputs):    #inputs是待编码的字符串# 将字符串转化为2进制bin_str = []for i in inputs:x = str(bin(ord(i))).replace('0b', '')bin_str.append('{:0>8}'.format(x))# 输出的字符串outputs = ""# 不够三倍数，需补齐的次数nums = 0while bin_str:# 每次取三个字符的二进制temp_list = bin_str[:3]if (len(temp_list) != 3):nums = 3 - len(temp_list)while len(temp_list) < 3:temp_list += ['0' * 8]temp_str = "".join(temp_list)# 将三个8字节的二进制转换为4个十进制temp_str_list = []for i in range(0, 4):temp_str_list.append(int(temp_str[i * 6:(i + 1) * 6], 2))if nums:temp_str_list = temp_str_list[0:4 - nums]for i in temp_str_list:outputs += base_changed[i]bin_str = bin_str[3:]outputs += nums * '='print("Encoded String:\n%s " % outputs)
def base64_decode(inputs): #inputs是base64字符串# 将字符串转化为2进制bin_str = []for i in inputs:if i != 'a':x = str(bin(base_changed.index(i))).replace('0b', '')bin_str.append('{:0>6}'.format(x))# 输出的字符串outputs = ""nums = inputs.count('a')while bin_str:temp_list = bin_str[:4]temp_str = "".join(temp_list)# 补足8位字节if (len(temp_str) % 8 != 0):temp_str = temp_str[0:-1 * nums * 2]# 将四个6字节的二进制转换为三个字符for i in range(0, int(len(temp_str) / 8)):outputs += chr(int(temp_str[i * 8:(i + 1) * 8], 2))bin_str = bin_str[4:]print("Decoded String:\n%s " % outputs)
#plain是待编码的字符串
#plain="This_is_a_base64_example"
#base64_encode(plain)
#enc是经base64编码的字符串
enc=";'>B<76\\=82@-8.@=T\"@-7ZU:8*F=X2J<G>@=W^@-8.@9D2T:49U@1aa"
base64_decode(enc)
# hgame{qt_1s_s0_1nteresting_so_1s_b4se64}

creakme3

观察第14行和第19行的代码
a的大小为178，即2*89
a中每两个元素为一组，前一个元素(下标为偶数)是要打印出的字符
后一个元素(下标为奇数)是要在第14行代码中进行比较的数
而且第14行代码要求从a中取出的值是递增的
creakme3-main
我们对每组的后一个元素(下标为奇数)进行递增排序
将每组的前一个元素(下标为偶数)按照递增排序的结果打印出来，即可得到flag

# -*- coding:utf-8 -*-
a_0="000001222223333333335889999B____adddddeefffffffgghhhhhiiijjkklmnnnoooprrrssssssstttuuww{}"
a_1=[0x4e7d,0x67bd,0x7a48,0x82a2,0x933e,0x9c18,0x5aff,0x6cd7,0xa6ca,0xbd79,0xcebd,0x324a,0x3292,0x3905,0x4291,0x5ade,0x6e9f,0xa52a,0xbe35,0xcb63,0x7f3b,0x3914,0xb2ad,0x38da,0x4e50,0x6a02,0xb10f,0x78e5,0x7ef6,0x89a3,0x8ebd,0x95e3,0x73da,0x538c,0x633b,0x9e9c,0xb78b,0xc866,0x32ae,0x7679,0x2ae7,0x4d6a,0x5708,0x6610,0xa258,0xb80c,0xc885,0x710a,0x7cf4,0x3f76,0x702b,0xa3ee,0xad50,0xbac7,0x4024,0x8a22,0xc055,0x2b52,0xc687,0x5f00,0xc417,0x6182,0x75db,0x3c61,0x4996,0x5dc1,0x2d76,0x7d17,0xa91b,0x9aed,0x45d0,0x8467,0xab5d,0x5083,0x6222,0x8d93,0x923a,0x971e,0xb4ba,0xc785,0x3558,0x86bd,0x9738,0x3710,0x9779,0x2f3f,0x44dd,0x78e1,0x9f42]
tmp=[0x4e7d,0x67bd,0x7a48,0x82a2,0x933e,0x9c18,0x5aff,0x6cd7,0xa6ca,0xbd79,0xcebd,0x324a,0x3292,0x3905,0x4291,0x5ade,0x6e9f,0xa52a,0xbe35,0xcb63,0x7f3b,0x3914,0xb2ad,0x38da,0x4e50,0x6a02,0xb10f,0x78e5,0x7ef6,0x89a3,0x8ebd,0x95e3,0x73da,0x538c,0x633b,0x9e9c,0xb78b,0xc866,0x32ae,0x7679,0x2ae7,0x4d6a,0x5708,0x6610,0xa258,0xb80c,0xc885,0x710a,0x7cf4,0x3f76,0x702b,0xa3ee,0xad50,0xbac7,0x4024,0x8a22,0xc055,0x2b52,0xc687,0x5f00,0xc417,0x6182,0x75db,0x3c61,0x4996,0x5dc1,0x2d76,0x7d17,0xa91b,0x9aed,0x45d0,0x8467,0xab5d,0x5083,0x6222,0x8d93,0x923a,0x971e,0xb4ba,0xc785,0x3558,0x86bd,0x9738,0x3710,0x9779,0x2f3f,0x44dd,0x78e1,0x9f42]
a_1.sort()#递增排序
flag=[0]*89
for i in range(len(a_1)):for j in range(len(tmp)):if a_1[i]==tmp[j]:flag[i]=ord(a_0[j])break
print("".join(chr(i) for i in flag))
# hgame{B0go_50rt_is_s0_stup1d}

hardened

apk文件，jadx打开
输入先aesEncryption，再bbbbb，最后和已知的base64字符串比较
aes-main
ida分析libenc.so
aesEncryption函数是CBC模式的AES256加密，知道key和iv
aes-aes
bbbbb->l1111lll111ll11l，变表base64
aes-base64
发现base64表不太对，对byte_19060查找交叉引用
在datadiv_decode2033151976302482259函数中发现对key，iv以及base64表都有异或变换
aes-xor
于是得到正确的key，iv和base64表

key=[0x0A, 0x15, 0x13, 0x14, 0x1F, 0x01, 0x1F, 0x0E, 0x0F, 0x12,0x0D, 0x01, 0x0C, 0x1F, 0x0B, 0x05, 0x19, 0x1F, 0x06, 0x0F,0x12, 0x1F, 0x19, 0x0F, 0x15, 0x1F, 0x14, 0x0F, 0x1F, 0x04,0x05, 0x03]
iv=[0x3A, 0x2C, 0x36, 0x1C, 0x25, 0x2A, 0x2D, 0x27, 0x1C, 0x2E,0x26, 0x62, 0x62, 0x62, 0x62, 0x62]
base=[0xB3, 0xB2, 0xB1, 0xB0, 0xB7, 0xB6, 0xB5, 0xB4, 0xBB, 0xBA,0xC2, 0xC1, 0xC0, 0xC7, 0xC6, 0xC5, 0xC4, 0xCB, 0xCA, 0xC9,0xC8, 0xCF, 0xCE, 0xCD, 0xCC, 0xD3, 0xD2, 0xD1, 0xD0, 0xD7,0xD6, 0xD5, 0xD4, 0xDB, 0xDA, 0xD9, 0xE2, 0xE1, 0xE0, 0xE7,0xE6, 0xE5, 0xE4, 0xEB, 0xEA, 0xE9, 0xE8, 0xEF, 0xEE, 0xED,0xEC, 0xF3, 0xF2, 0xF1, 0xF0, 0xF7, 0xF6, 0xF5, 0xF4, 0xFB,0xFA, 0xF9, 0xA8, 0xAC]
for i in range(len(key)):key[i]^=0x40
for i in range(len(iv)):iv[i]^=0x43
for i in range(len(base)):base[i]^=0x83
print("".join(chr(i) for i in key))
print("".join(chr(i) for i in iv))
print("".join(chr(i) for i in base))
#JUST_A_NORMAL_KEY_FOR_YOU_TO_DEC
#you_find_me!!!!!
#0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/

先解变表base64，再解AES256即可得到flag

#coding:utf-8
from Crypto.Cipher import AES
#base="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  原表
base=[0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64,0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,0x38, 0x39, 0x2B, 0x2F]  #原表的ascii码表示，方便进行原表变换
#对原表进行变换，不要变表时，注释掉原表变换的代码即可
#for i in range(0,10):#base[i],base[19-i]=base[19-i],base[i]
#base_changed是变表，需要转成字符串的形式
base_changed="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
print("Current Base:\n%s " %base_changed) #打印base_changed变表
def base64_encode(inputs):    #inputs是待编码的字符串# 将字符串转化为2进制bin_str = []for i in inputs:x = str(bin(ord(i))).replace('0b', '')bin_str.append('{:0>8}'.format(x))# 输出的字符串outputs = ""# 不够三倍数，需补齐的次数nums = 0while bin_str:# 每次取三个字符的二进制temp_list = bin_str[:3]if (len(temp_list) != 3):nums = 3 - len(temp_list)while len(temp_list) < 3:temp_list += ['0' * 8]temp_str = "".join(temp_list)# 将三个8字节的二进制转换为4个十进制temp_str_list = []for i in range(0, 4):temp_str_list.append(int(temp_str[i * 6:(i + 1) * 6], 2))if nums:temp_str_list = temp_str_list[0:4 - nums]for i in temp_str_list:outputs += base_changed[i]bin_str = bin_str[3:]outputs += nums * '='print("Encoded String:\n%s " % outputs)
def base64_decode(inputs): #inputs是base64字符串# 将字符串转化为2进制bin_str = []for i in inputs:if i != '=':x = str(bin(base_changed.index(i))).replace('0b', '')bin_str.append('{:0>6}'.format(x))# 输出的字符串outputs = ""nums = inputs.count('=')while bin_str:temp_list = bin_str[:4]temp_str = "".join(temp_list)# 补足8位字节if (len(temp_str) % 8 != 0):temp_str = temp_str[0:-1 * nums * 2]# 将四个6字节的二进制转换为三个字符for i in range(0, int(len(temp_str) / 8)):outputs += chr(int(temp_str[i * 8:(i + 1) * 8], 2))bin_str = bin_str[4:]print("Decoded String:\n%s " % outputs)return outputs
#plain是待编码的字符串
#plain="This_is_a_base64_example"
#base64_encode(plain)
#enc是经base64编码的字符串
enc="mXYxnHYp61u/5qksdDel6TgiKqcvUbBkX3xErlR4lO0aEAdU0acJY8PRSVXJxxsRR8Dq9MTJhkWLSbBvCG5gtm=="
cipher_str=base64_decode(enc)
key_str="JUST_A_NORMAL_KEY_FOR_YOU_TO_DEC"
iv_str="you_find_me!!!!!"
aes=AES.new(key_str,AES.MODE_CBC,iv_str)
print(aes.decrypt(cipher_str))
#hgame{cONGraTUl4T|0N5!N0w_yoU_C4n_eN?Oy~thE~MUsIc}

fishman

.pyd文件，相当于exe的dll，elf的so，ida打开
定位到sub_7FF9DA032380函数是对输入的check函数，整体实现的是blowfish加密算法
参考：blowfish加密算法
我们在check函数中找到密文为unk_7FF9DA034220，但是找不到密钥
通过对blowfish加密算法的学习，我们发现，其实在加密过程中，明文只与P盒和S盒做相关运算
而P盒和S盒是在明文加密前，根据密钥进行变换的
下图中，P盒和S盒实际已经根据密钥进行过变换了，所以可以直接和明文做相关运算
unk_7FF9DA035840的前18个dword就是变换后的P盒，后面就是S盒的4*256个dword
我们考虑在blowfish加密算法源码中直接将P盒和S盒替换成unk_7FF9DA035840中的值
然而静态分析得不到变换后的P盒和S盒，需要调试得到
ida先打开.pyd，在check函数中下断点，如下图所示
fishman-check
在任意一个可调试python代码的集成开发环境中起一个调试
在进程调用.pyd文件中的某函数时下断
如下图所示
fishman-pyd
现在知道该python进程id为15416，回到ida，Debugger->Attach to process，找到id为15416的进程
fishman-debug
attach成功后，ida中会断在ntdll.dll模块中，此时要点击右上角红框标注的按钮
fishman-ida
让ida处于Running状态

回到ide，单步步过，当调用fishman.check时，ida中就会断下来

此时unk_7FFA34D05840中就是变换后的P盒和S盒数据了，用脚本dump出来即可
fishman-pbox
最后使用替换P盒和S盒的blowfish源码对密文进行解密即可
blowfish_head.h

#ifndef BLOWFISHH#define BLOWFISHH
#include<stdlib.h>
#include<string.h>void blowfish_encrypt(void*, void*);
void blowfish_decrypt(void*, void*);
void getkey(char*);
unsigned long f(unsigned long);#endif

main.cpp，与密钥无关，不需要密钥

#include"blowfish_head.h"
#include<stdio.h>
//变换后的P盒
unsigned long pbx[18] =
{0x6af74079, 0xc87db4da, 0x064b77a4, 0x33a56687, 0x73924432, 0x3a78e859, 0xa0f9451e, 0x6e99ea5f, 0xcb62f79c,0xec009d50, 0x46b85709, 0x3b2bfdf6, 0xd0a0f937, 0x67c4c3e1, 0x80d02257, 0x4162d4de, 0x814dce61, 0x227bde9b};
//变换后的S盒
unsigned long sbx[4][256] =
{{ 0x857e5597, 0x326dad20, 0x2d507f8e, 0x2b80ba2c, 0xd711e661, 0x4b7e9667, 0x7a4b2509, 0x5117c0a3, 0x537791d2,0xbda0ec99, 0x9f5d600, 0x97d7453e, 0x6c3dede1, 0xefbec2ec, 0x31f20650, 0x86ea7ee1, 0x4a380c4e, 0x688500c0,0xc939e94b, 0xee64fe1f, 0xdae4a7bd, 0xafdfe274, 0xef95a497, 0xca5e8fc8, 0xa16220a, 0x9c85d82f, 0x3f411e1f,0x199cd133, 0x52ecbaa8, 0x68886557, 0xf8d4ca71, 0x729c0def, 0x5d6d4eb4, 0x550b9697, 0x77a9b569, 0xae8aacd5,0xa48c80d0, 0xb171f834, 0xd6828c5f, 0xf5219b37, 0x260e8a36, 0x9a8fbeba, 0xdf6ca01, 0x5f5ee56f, 0xc2e21a2f,0x87d75493, 0x87ef74ef, 0xfe01a2da, 0x8326e260, 0x7b3f0f, 0xc21ab19, 0x589f28be, 0x9ff0636, 0x2ac6affc, 0xb8e547d,0x91fa13e2, 0xde9a211f, 0x70b95314, 0x5879cad1, 0x8d38aa78, 0xffae559e, 0x132d25af, 0x4244c5f1, 0x7831cb8d,0x5625d8a2, 0xa99878b6, 0x44dfa664, 0x5b4e43c7, 0xfde79c18, 0xa8f89efb, 0x96a65669, 0xfa7ec977, 0x6438138b,0x63098e28, 0x7048ba4b, 0xc6f0e94, 0xabc7ae87, 0xdce4560, 0x2ee85291, 0xa7e24dd8, 0xdf0b5970, 0x3d8fcbe5,0x55b43ae4, 0x9eceee50, 0x6542e890, 0x4f70b16b, 0x778b58dc, 0xf3f830e4, 0x1b9d5867, 0x7076b41c, 0x6b8386de,0x8b148ce, 0x31c2fb7d, 0x42fe87c5, 0x108eb334, 0x7c40206, 0x2f783c90, 0xe593491f, 0x2b4ace07, 0xeba73a3c,0x44fa6586, 0x56ed2871, 0xd9b3ed4f, 0xb04d3c81, 0x93c1656c, 0xc8044fcb, 0x127ff622, 0x159d9dcf, 0x2fc79936,0x8549ee27, 0x262156cb, 0x721d3364, 0xf5a6f15e, 0x7fe8b137, 0x6cb075da, 0xfaa54cf4, 0x634519ec, 0xde79d57d,0x8b728797, 0x4b994f3e, 0x242eb5e6, 0x274f5cec, 0xc0f072e0, 0xb6928b6f, 0x8922972b, 0x2207de1e, 0xc0236ffa,0xc9dca5e5, 0x8d1286f, 0x90729fa3, 0x6a6ed134, 0x4369fae7, 0xf9ae5610, 0x13398b9e, 0xfdd59299, 0x21a3a98b,0xae6a4a80, 0x6b6e89a6, 0xce85be83, 0xda4c3800, 0x867af755, 0x26b3fb41, 0x96141cce, 0xf176999a, 0x1d844757,0xe27ce11f, 0x18638c21, 0x960ccbf2, 0xe4ccbbae, 0xaa0fab55, 0xf093bd6f, 0x4cb18fad, 0xf27853df, 0x5d5d925b,0xc389a234, 0xa9e9b90b, 0x6f06d9e4, 0xf0389646, 0xc75f5884, 0x9961dd6b, 0x44b1dc6a, 0x7ef092, 0xa4ca52a6,0x5342115d, 0x31d445bb, 0x6cb0b744, 0xd1abcf6, 0x95c6f259, 0xdf719b5d, 0xea51c785, 0xc7303253, 0x1e6a034e,0xf60989f1, 0x93f55b8d, 0xde786239, 0x9d01dfc5, 0xa4cd54ba, 0xfa60804a, 0x3da55ae7, 0x64d673a, 0x5ee1a39c,0x6daa769a, 0xec57802a, 0x7acdc0b0, 0xcdfedc6d, 0x72cb1321, 0x42d07041, 0xa45aa294, 0xdbf5b287, 0xca681d73,0x8d302710, 0x2b1ad68d, 0xc1c6521d, 0x4f40a81c, 0xf4762cb1, 0x8962117f, 0xe33e8bc2, 0xffa7db53, 0xd617f8af,0xd8b1563b, 0x1ed7d3b4, 0x9f998ca6, 0x1c32a736, 0x3513f35f, 0x7a4da8a8, 0x93f43a38, 0x6bf2eac7, 0xfe3041fd,0x8853f184, 0x81c00f3e, 0xc601a409, 0x1ceba826, 0x94bc26cd, 0xd07aaf4e, 0x46884d2, 0x5d4ec036, 0xe5587bf2,0xa3482f3f, 0xdbecc4b2, 0xe5a8e81e, 0x1287e1a3, 0x6e4ef861, 0xb4560ada, 0x5f18f3d5, 0xd9299202, 0xbab5cc00,0x18464f47, 0x58877430, 0xb4335a0a, 0x7a6e33e, 0xe62e23b4, 0x648e0251, 0xdd94b375, 0x719a409f, 0x5d45064d,0x243af927, 0xfbd3ab12, 0xdc74bb88, 0x21a563a8, 0x37b0a314, 0x5da98b1f, 0xfc4d4869, 0xbf0c7320, 0xebf308d3,0x714a3f9a, 0x6606297c, 0x28ff2689, 0xa6779947, 0xfb556d94, 0xb6413de2, 0x21519c0f, 0xb1052485, 0x69c2624b,0xde9cc548, 0xce36df75, 0x5dbfa8a7 },{ 0xaee3df14, 0x399d3136, 0x1c0b3ea1, 0xf8416210, 0x719b0d88, 0x908ce2e5, 0x623e46a2, 0xef7772ec, 0xdbc4da3a,0xe88f6e2e, 0x7fb80562, 0x1a33bfa7, 0xb972b27c, 0xfccb67ab, 0xb53bc933, 0xad99167e, 0x1831a7f0, 0x295e3c91,0x6afb6529, 0xb1d2c1eb, 0x38702ff1, 0xfb03fc16, 0xf85c29e8, 0x154bbcbf, 0xfc10c6d8, 0x1a07656, 0x9ec55090,0x52201a4a, 0x9b0ee83f, 0xe08b560a, 0xaff5a8bc, 0x35c5d6d7, 0x8d1f52f, 0x7b2becf0, 0xaf01ac97, 0x3b8700c9,0xfe56cea4, 0x1c4b14f6, 0xef86351c, 0x27a382c9, 0x28f51829, 0xcdeeee51, 0x3d73d792, 0x152c4a00, 0x7122ccea,0xbe459436, 0x624f6a81, 0xba728d6f, 0xdf7f103d, 0x7faf6a84, 0xd91174e1, 0xef9ca2f5, 0xa0675400, 0x9e0129,0x276f61d4, 0xf6e0bbb, 0x2f5e103d, 0x3d24363f, 0x36f1d769, 0xddabaa4d, 0xbd209d7b, 0x38898cda, 0x59aa0a47,0x3dc28a3b, 0x9374f915, 0x7164635e, 0xa09379f0, 0x462da24e, 0x7a6cd48d, 0xde20ce, 0xeac2f361, 0x9796cbc3,0x2cc87742, 0x2220d2f5, 0xab17e0c2, 0x16cb3b75, 0x5dc0d229, 0x7d14b8c8, 0x86ad060c, 0xfc1ac21c, 0xa25f8e37,0x23e553f1, 0xcfca2eb5, 0xda61f278, 0x7a6d0c2c, 0x10f72c33, 0xb9e7da31, 0xf0271ef1, 0xf6d8d0da, 0xccb9fb54,0x9c16adcc, 0x9c793e5d, 0x308dbae0, 0x8152f53d, 0xb8b02ea8, 0xbb7a73ef, 0x5b52b6e7, 0xda7691a1, 0x6f15166f,0x1bcf2abf, 0xed9eb801, 0xcc07f0d1, 0x30fd146a, 0xed552ed1, 0xfe280048, 0xca519936, 0xc6bb62d3, 0x78eb0ca9,0xde25bf1e, 0x377099d1, 0x9e3d9a2a, 0x58d4fdc5, 0x9ef6d4ba, 0x4c4b801c, 0x8d5c098c, 0x84cad315, 0x43b323ca,0xaff0262, 0x2b3be91f, 0xfd49761b, 0x93671206, 0x2460dd5e, 0x1328fc3, 0xa87f6e1a, 0xceebf4dc, 0x21f7d1d6,0x8dafb785, 0x1f058aa4, 0xf636282e, 0xf5d5c6a2, 0xdcb85ea1, 0xea4ce0f2, 0xb37fcdaa, 0xadb4cd12, 0xa51b34b3,0xb2aa712e, 0xa15f5bd, 0x617f127c, 0x7a5dbd16, 0x8aee5420, 0x4d0af701, 0xb2e113d9, 0xb4d09dcb, 0xd258e319,0x704ec155, 0x533c80be, 0x400c952d, 0xc0dd74a1, 0xa9e5599f, 0xada9e64, 0xa775ef10, 0x35abb495, 0x238b1eb3,0x5c8ea9e9, 0xd63ac5e, 0xecb22c6f, 0x836879b, 0xdb4958b0, 0x26606a34, 0x33fa456d, 0x91dc9940, 0xccbd103, 0x644cf9a7,0x80165230, 0xb0e45576, 0x4d28c64d, 0x8d9841cc, 0x3d42c9d1, 0x6fce26aa, 0xe5bd6421, 0xd0e1eb58, 0xfd61f403,0xdeff165, 0xd5a1bfb1, 0xb3323bbe, 0xdb641c02, 0xbfca7536, 0xb8f5820f, 0xda30db7b, 0xd76a9581, 0x61b8a87f,0x5d8410c2, 0x4b2df093, 0xc96447e9, 0xc4ba2487, 0xb24afc5a, 0x797db008, 0xc362253a, 0xc6bbe115, 0x1cc0ed71,0xabe73320, 0xc4364688, 0x5adef1c2, 0x59af22fb, 0xa9aca101, 0x4b5bac9b, 0xb121e519, 0xd8fcf69e, 0x2f0f0f89,0xef615692, 0xd9fac700, 0x6729f5e, 0x15b5965f, 0x83a0e48a, 0xd80cd549, 0xc85443c6, 0xdb051d9e, 0x8646780f,0x7e1bcd54, 0x7746aafa, 0xbc85c57a, 0x42430bc6, 0x36ab5fb6, 0x92e892ed, 0x87b8897f, 0xefcf526c, 0x6b10f264,0xe72e284, 0x6fe2966, 0x42f18a1f, 0xdff79c2a, 0x77fbe8e7, 0x942c9858, 0x637710f, 0xad12b3b8, 0xcf786ed1, 0xd7cda884,0x2cb1dcf1, 0x94f76ac0, 0xf7c4ebbe, 0x6d5591de, 0x6524ea76, 0x200d037e, 0xeb51ac71, 0x8b37601, 0xc9ac832,0x7721b2a4, 0xca23beee, 0x328c7019, 0xd27fd8c8, 0xc5be7325, 0xe9244524, 0x5b1ea918, 0x74c75201, 0x37621445,0xae75bef7, 0x174937dc, 0xf71c7cef, 0xf41d6ed3, 0x94c2d289, 0x7d68c2f0, 0xbddfcee6, 0x51d86ee8, 0x97379f95,0x4275b8c2, 0xf9b3122c },{ 0x6dbfa6dd, 0x6808c4be, 0x65fb06bd, 0xfde21a89, 0xf4c126b7, 0x438a1cc0, 0x850a843, 0x377114b2, 0x259c0fd,0x5881f166, 0x6e9fa190, 0x899a312e, 0x8001b123, 0x56d91bd5, 0x31b9a6db, 0x5a4f1940, 0x98140dee, 0x73ad8506,0x6649c267, 0x6fd7daa8, 0x682bb9e5, 0x7f9061dc, 0x27732a88, 0xa2755af7, 0x54b1b2ec, 0xc171fe6d, 0x33a31667,0x9afc41e2, 0x396678d5, 0x83cb861, 0xfc473f10, 0x575a023e, 0xfe11cafc, 0xe8ea4057, 0x1289aaa7, 0xa38ef05a,0x502c3f4a, 0xcb0928e9, 0x8d521829, 0x24c29091, 0xc07fbd37, 0x30cad78f, 0xcd8dba45, 0xc8ccbce8, 0xfdaee556,0x2a1fc86f, 0x8206edd4, 0x14c2ec89, 0xf0050d48, 0x31f5c320, 0xa5626fd9, 0x19ca606d, 0x65f46320, 0x43e58985,0xe3f777da, 0x4b9fa89e, 0xf3532d19, 0x1e63ee86, 0xa4c0f1b1, 0x56e691ed, 0xc79b5aa3, 0x1d005b01, 0x7ff86805,0xed4f0ce3, 0x167128ab, 0x96702d6b, 0x6f2cb666, 0x40d6b43d, 0x7f2e27f9, 0x25813783, 0xf06f47fe, 0xa1eb246e,0xe11c9c3f, 0x165237ab, 0xa9719981, 0xe0c072ef, 0xbc1430c8, 0x319018e0, 0x65323013, 0xa6337184, 0xe1c06cf0,0x2c99ecdc, 0xd682f79f, 0x2ebde8d2, 0xbdeca5a8, 0xb85ab458, 0xabc0be15, 0x5ed69b9d, 0x28bf53d3, 0x791d867b,0x86e6a98a, 0xba722e1c, 0x2311281a, 0xc8cce88d, 0x6c2d3743, 0xf868a752, 0xe0b86a8a, 0x70058bb9, 0xba926231,0x86a5a32c, 0x3e907ed6, 0x6f03f61e, 0xa87fbe48, 0xa09e8eaa, 0xdd78f5b, 0x622c29eb, 0x26cce112, 0x57215e0f,0xf9d9b37d, 0xc195133e, 0x703bd721, 0x27f1319b, 0xdccf0b77, 0xb73b7af4, 0xc9f75f9e, 0xf5c62fcb, 0x7293703,0xeed8b98f, 0x4a9bf102, 0x7349d5c7, 0xda6f8b23, 0x34529af2, 0x968579a9, 0x986d4e5f, 0x8d1903a2, 0x8960df2e,0x4dccb15c, 0x6a87f919, 0x8bc8e948, 0x82c8274c, 0x52f8bb80, 0xb3b5512c, 0x6b51a116, 0x16abf8e9, 0x99e48bf6,0xea03be4e, 0xa0766e91, 0x75e2c7e, 0x237be6a5, 0x8c1bd482, 0x473541f5, 0xc4af608b, 0xed686762, 0x1bf0cfc1,0x4844f0ca, 0x6a9a1980, 0x9d01dbf5, 0x10660435, 0x72fb5e04, 0xbf3de5a3, 0x21fbb319, 0xd303ed2f, 0xa30d610a,0x76ff38bb, 0x87136fca, 0xa4d11a77, 0xe6c197fd, 0x4e6bc1d1, 0xf2a87aa9, 0xcc795622, 0xb82be2b4, 0x77487ed2,0x2e7719ad, 0x142854f3, 0xe501258d, 0xb8556c95, 0x4e1a1309, 0x3d74b894, 0xfc1b626d, 0xcff955ec, 0x33bdc46f,0xed6091ef, 0x645f4f02, 0x7707e28a, 0x556f385a, 0xf8758408, 0xb06b762e, 0xa698d074, 0x46147980, 0x22668afc,0xdc1f5fa9, 0x245dc1d5, 0x32c87ded, 0xcfa4f49d, 0x734187b5, 0x700bc670, 0x97beeab3, 0x70f6ad54, 0xf0d6535d,0x76e34811, 0xb734677, 0x7ddbb9d3, 0x2bd695ab, 0xdb2daa29, 0x35c9f605, 0xfc4be706, 0x6e44a54b, 0xa96c5fbe,0x51e51ba6, 0xc4ebe8c7, 0xe103a24a, 0x842b0bac, 0xdfac2d6d, 0x1aed355d, 0xbdeafbde, 0x32338f9d, 0xaa634582,0xe152c83a, 0x84be8504, 0x46291ed, 0x7b863e96, 0xdb6776f8, 0x20f815f2, 0xa82af75d, 0xab76c0f5, 0xd550efa2,0xfd0330f1, 0x22e1fab0, 0x5f4407a3, 0x9b8e9e11, 0xeb1cadde, 0x3d104b1f, 0xc3054713, 0x982eb7fb, 0x543314da,0x13ae6d5d, 0x56594d93, 0x7af9ddb3, 0x5dbd0b3c, 0xeca553d0, 0x5f892e42, 0xdc466104, 0xf3b8fe09, 0xea63cc0e,0xe8187fa1, 0xf587d222, 0x762e3246, 0xe3134afd, 0xc8a909a3, 0x2a1b8843, 0xbcf88b37, 0x106d829d, 0xbc6cb72b,0xba700358, 0x4419c67b, 0x298e5b99, 0x53633710, 0xb4676dfb, 0x5003bfdd, 0x4b1f3fd6, 0xbff5676e, 0xfe221749,0x22769dec, 0xfa874d3f, 0xe3ab93a1, 0x7e7eac49 },{ 0xda47873d, 0xb4067196, 0x35629fff, 0x5f9ba741, 0xfc3b885c, 0x7db96275, 0x4be65d7c, 0xaac5aaff, 0xc48e069f,0xa2b51d88, 0x68efc326, 0x5dc94059, 0xf8fa7b3d, 0xc3e21cc2, 0xa619a16f, 0x46dec824, 0x399fea6, 0x8fc7db62,0x184569be, 0xc5f04731, 0x90c0dea5, 0xc180bf5f, 0xfccbd6c9, 0x49d7a598, 0x96425151, 0xe53c49fb, 0x15713840,0xcea6a8a0, 0x5c360e6b, 0x8278ef53, 0xa45ce852, 0xaf1fa60d, 0xd1d357d4, 0xcac8c677, 0x1258a65b, 0x561cc841,0xe73da602, 0x907e2447, 0xe62e297f, 0x107a743, 0xb0d19719, 0x84bb247a, 0xf8077268, 0xd5f63d60, 0xd9a141de,0x3486e6a4, 0xbe1052bf, 0x5be4fa46, 0xe792c9c8, 0xb9fbf3b0, 0xcfd36c94, 0x726aa896, 0x683cd337, 0x392a533a,0x223657a2, 0xf83da285, 0x16c1a03f, 0x68bdbcf5, 0xada3c5ab, 0x124148a8, 0xe7d2a95c, 0xd11922ac, 0x4c6899fd,0x7d8edf38, 0x118e9247, 0x15c6f2f0, 0x9056dd9f, 0x33520052, 0x7204913c, 0x3171d62d, 0x25d9ff0b, 0x8b629a57,0xc3ea9218, 0x699e2abf, 0xa9ff8e0f, 0x14dd1c3e, 0xee95bbe7, 0xa2e277c9, 0xd3966991, 0xce4fb1c6, 0x62f9c9,0x24bee229, 0xc677cc3e, 0x2163ca36, 0xbf6dd3f1, 0x7ae4222f, 0x4322f038, 0x692542df, 0x6692aca0, 0xf6d4946f,0x89154cfd, 0x9f6a7dbc, 0x104ea9f0, 0x89e3289, 0x87c95990, 0xf945a420, 0xb6a20072, 0x5b630e87, 0x848636c0,0xa48bb210, 0x4d5494bb, 0x7b7fb94f, 0xc48841b7, 0x422a2e4, 0x6d915a09, 0xcdabb5a5, 0xa36a9dd3, 0x2b321655,0xe7bd69cf, 0x8c5a8dd8, 0x74615473, 0x8c143ade, 0x6cb1ce59, 0x4396f842, 0xfccbf901, 0xf39018b0, 0x576ba9f5,0x97aeb15d, 0x6f7df74, 0x30f10bb9, 0x214789d7, 0xdf5edc71, 0xcdd4d413, 0x4e26b481, 0xa96771c4, 0xfbbf9600,0x61b03c10, 0xb41ec41b, 0x50e85e2c, 0x9ae79ae9, 0x1bffa793, 0x18402dde, 0x3a896084, 0x604aca05, 0xf0370269,0x83f6b326, 0xfb64099a, 0xabf943bf, 0xe9aa8b99, 0x54ec3adb, 0xa56b3a46, 0x71c05f89, 0x4a7f1444, 0xdf991094,0x8f5efd28, 0x9ad00ad5, 0x3cbee3c, 0xf5898fc4, 0x692ba57, 0x1928304a, 0x2978de0f, 0x64f85786, 0x62b4f525,0xda78ad05, 0xb3da431b, 0xdde89dde, 0xcc7da3d9, 0xbde46885, 0xd26c42cf, 0xa7850e7c, 0xff3b73d, 0xd60665a5,0x825b2d8c, 0xbce1ba7, 0x12be55de, 0x7cf29faa, 0x71a29eca, 0xbd067b1a, 0x2e33857, 0xf0c7e782, 0x9ac9f181,0x61d9b196, 0x288412eb, 0x756010ba, 0x20f99e06, 0x67e6cb96, 0xd1efb6, 0x1a4dfffb, 0x9d097c31, 0x6890b138,0xa162f385, 0x5038a02a, 0xdcca2edc, 0xd68af382, 0xed5c9bb, 0xe88cf6c4, 0x4c031e98, 0xca08127b, 0xc67a831f,0x306fb3f6, 0x9d7315c5, 0x2c72ae76, 0xdd3b3ecc, 0x2ab71490, 0x6e79ef13, 0xe6aa6316, 0x3729bfbc, 0xa13c9bea,0xa4fa53c, 0xdbafeec6, 0x57a11cc2, 0x8f1be1ba, 0x542a4d3b, 0x8f9c90c4, 0xa2b3ad9f, 0x8951b50, 0xda0641dd,0xd7cdf19b, 0xebe79e9b, 0x7d6ae548, 0x2ae7eb6f, 0x3ebefb7f, 0xb9cf555d, 0x22b46357, 0x963e79b5, 0x81729e6f,0xa0657b30, 0x297d0ea1, 0x2d722676, 0xd7c263c7, 0x8fd31545, 0x74b4d545, 0xc9ddb768, 0xd7af1a95, 0x3b41452d,0xeaa84874, 0x3094af86, 0xc71461f6, 0x8cd49c9b, 0x9d6f96b1, 0x9b45bb4c, 0x58742714, 0x29b19a6a, 0xa85bddc6,0xb1e0cf54, 0xb55e81d4, 0xcb219b85, 0xcea74b66, 0xd28a041e, 0xe28c4803, 0x490de006, 0x19bb91b1, 0x14d67500,0x80243406, 0x1ed8b3e, 0xef5636b3, 0x956f13bd, 0x9ae34304, 0xaea37a2c, 0xc90fe0b9, 0x2301fb8f, 0x55716d77,0xc50297f7, 0x3cabc6a4, 0xa0764bb0, 0xcf38a2a2 } 
};/*P盒和S盒根据密钥进行变换因为我们直接替换成变换后的P盒和S盒，所以不需要调用
*/
void getkey(char *keytext)
{int i = -1, j = 0;unsigned long key[18];while (keytext[++i]);while (i<72) keytext[i++] = 0;memcpy(key, keytext, 72);for (i = 0; i<18; i++) pbx[i] ^= key[i];key[0] = key[1] = 0;for (i = 0; i<18; i += 2){blowfish_encrypt(key, key);memcpy(&pbx[i], key, 8);}for (i = 0; i<4; i++){for (j = 0; j<256; j += 2){blowfish_encrypt(key, key);memcpy(&sbx[i][j], key, 8);}}
}void blowfish_encrypt(void *protext, void *ciptext)
{int i = 0;unsigned long x[2], temp;memcpy(x, protext, 8);for (i = 0; i<16; i++){x[0] ^= pbx[i];x[1] ^= f(x[0]);temp = x[1];x[1] = x[0];x[0] = temp;}temp = x[1];x[1] = x[0];x[0] = temp;x[0] ^= pbx[17];x[1] ^= pbx[16];memcpy(ciptext, x, 8);printf("0x%x,0x%x\n", x[0], x[1]);
}void blowfish_decrypt(void *protext, void *ciptext)
{int i = 0;unsigned long x[2], temp;memcpy(x, ciptext, 8);for (i = 17; i >= 2; i--){x[0] ^= pbx[i];x[1] ^= f(x[0]);temp = x[1];x[1] = x[0];x[0] = temp;}temp = x[1];x[1] = x[0];x[0] = temp;x[0] ^= pbx[0];x[1] ^= pbx[1];memcpy(protext, x, 8);printf("0x%x,0x%x\n", x[0], x[1]);
}unsigned long f(unsigned long x)
{unsigned long a, b, c, d;a = (x & 0xff000000) >> 24;b = (x & 0x00ff0000) >> 16;c = (x & 0x0000ff00) >> 8;d = (x & 0x000000ff) >> 0;return(((sbx[0][a] + sbx[1][b]) ^ sbx[2][c]) + sbx[3][d]);
}int main()
{char data[] = "abcdefgh";char cipher[]={ 0xBF, 0x4E, 0x6F, 0x54, 0x7B, 0x93, 0xED, 0xB4 };//0x6d616768,0x30447b65//0x7E, 0xA0, 0xD2, 0x82, 0xDD, 0xEF, 0xD3, 0x13->0x7530795f,0x3465725f//0x0F, 0xAE, 0x09, 0x22, 0x61, 0xDF, 0x4E, 0x59->0x5f563131,0x336b3131//0x2C, 0x78, 0x33, 0xB9, 0x32, 0xE5, 0x07, 0x1C->0x7456395f,0x7d6e6f68//blowfish_encrypt(data, cipher);blowfish_decrypt(data, cipher);
}

将明文转为字符串即为flag

flag=[0x6d616768,0x30447b65,0x7530795f,0x3465725f,0x5f563131,0x336b3131,0x7456395f,0x7d6e6f68]
flag_s=""
for i in flag:for j in range(4):flag_s+=chr((i>>8*j)&0xff)
print(flag_s)
#hgame{D0_y0u_re411V_11k3_9Vthon}