TEA系列概述:TEA算法是一种分组密码算法,由剑桥大学计算机实验室的David Wheeler和Roger Needham于1994年发明。它使用64位的明文分组和128位的密钥进行加密,通过不断增加的Delta(黄金分割率)值作为变化,使得每轮的加密过程不同。TEA算法的迭代次数可以改变,建议的迭代次数为32轮,尽管算法理论上可以进行64轮迭代。TEA算法采用Feistel分组加密框架,尽管设计者认为32轮已经足够,但64轮的理论存在也是为了提供更高的安全性。
TEA算法的特点在于其简单性和效率,通常只需要很少的代码就可以实现。它的设计目的是为了提供一个易于描述和执行的块密码算法,因此在安全领域中,TEA算法因其简单性和效率而被广泛关注。然而,TEA算法随后被发现存在缺陷,为了解决这些问题,设计者提出了一个升级版本——XTEA,它采用了与TEA相似的简单运算,但通过改变密钥的混合方式来提高安全性,尽管这样做会降低加密速度。
TEA算法的继任者还包括了XXTEA版本,它在1998年发布,进一步提高了TEA算法的安全性。XXTEA通过改进加密过程中的密钥管理和数据处理方式,增强了算法的整体安全性。
在CTF中比赛TEA和XTEA是常见的算法。
TEA 加密
TEA算法介绍:
TEA 采用与 DES 算法类似的 Feistel 结构,迭代的每次循环使用加法和移位操作,对明文和密钥进行扩散和混乱,实现明文的非线性变换。TEA 密钥长度和迭代次数都是 DES 的两倍,抗“试错法”攻击的强度不低于 DES 算法。算法以32bits 的字为运算单位,而不是耗费计算能力的逐位运算。算法没有采用 DES 那样的转换矩阵,它安全、高效、占用存储空间少,非常适合在嵌入式系统中应用。
1.初始化
首先,将128位的密钥划分成四个32位的子密钥$[k_0, k_1, k_2, k_3]$,并将明文块$[v_0, v_1]$分成两个32位的子块$[v_0, v_1]$。然后,初始化变量$sum$和$delta$,其中$sum$的初始值为0,$delta$的值为固定的常数0x9E3779B9。
void xtea_encipher(unsigned int num_rounds, uint32_t v[2], const uint32_t key[4]) {
uint32_t sum = 0;
uint32_t delta = 0x9E3779B9;
uint32_t k[4];
memcpy(k, key, sizeof(k));
uint32_t v0 = v[0];
uint32_t v1 = v[1];
2.迭代加密
接下来,对于每个明文块$[v_0, v_1]$,循环执行加密操作$num_rounds$次,每次加密操作中,都使用密钥的四个子密钥$[k_0, k_1, k_2, k_3]$对明文块$[v_0, v_1]$进行加密,加密结果保存在$v$数组中。
for (unsigned int i = 0; i < num_rounds; i++) {
v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
sum += delta;
v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
}
3.输出密文
最后,将加密结果$v$保存在输出数组中。
v[0] = v0;
v[1] = v1;
}
完整加密
#include <stdint.h>
#include <string.h>
void xtea_encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
uint32_t sum = 0;
uint32_t delta = 0x9E3779B9;
uint32_t k[4];
memcpy(k, key, sizeof(k));
uint32_t v0 = v[0];
uint32_t v1 = v[1];
for (unsigned int i = 0; i < num_rounds; i++) {
v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
sum += delta;
v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
}
v[0] = v0;
v[1] = v1;
}
XTEA 加密
XTEA是TEA的升级版:增加了更多的密钥表,移位和异或操作等等
#include<stdio.h>
#include<stdint.h>
void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]){
unsigned int i;
uint32_t v0=v[0],v1=v[1],sum=0,delta=0x9E3779B9;
for(i=0;i<num_rounds;i++){
v0+=(((v1<<4)^(v1>>5))+v1)^(sum+key[sum&3]);
sum+=delta;
v1+=(((v0<<4)^(v0>>5))+v0)^(sum+key[(sum>>11)&3]);
}
v[0]=v0;v[1]=v1;
}
void decipher(unsigned int num_rounds,uint32_t v[2],uint32_t const key[4]){
unsigned int i;
uint32_t v0=v[0],v1=v[1],delta=0x9E3779B9,sum=delta*num_rounds;
for(i=0;i<num_rounds;i++){
v1-=(((v0<<4)^(v0>>5))+v0)^(sum+key[(sum>>11)&3]);
sum-=delta;
v0-=(((v1<<4)^(v1>>5))+v1)^(sum+key[sum&3]);
}
v[0]=v0;v[1]=v1;
}
int main(){
uint32_t v[2]={1,2};
uint32_t const k[4]={2,2,3,4};
unsigned int r=32;//加密轮数
printf("加密前原始数据:%u %un",v[0],v[1]);
encipher(r,v,k);
printf("加密后原始数据:%u %un",v[0],v[1]);
decipher(r,v,k);
printf("解密后原始数据:%u %un",v[0],v[1]);
return 0;
}
XXTEA 加密
XXTEA是XTEA的升级版,XXTEA是一个非平衡Feistel网络分组密码,在可变长度块上运行,这些块是32位大小的任意倍数(最小64位),使用128位密钥, 是目前TEA系列中最安全的算法,但性能较上两种有所降低。
#include<stdio.h>
#include<stdint.h>
#define DELTA 0x933779b9
#define MX (((z>>5^y<<2)+(y>>3^z<<4))^((sum^y)+(key[(p&3)^e]^z)))
void btea(uint32_t *v,int n,uint32_t const key[4])
{
uint32_t y,z,sum;
unsigned p,rounds,e;
if(n>1)
{
rounds=6+52/n;
sum=0;
z=v[n-1];
do
{
sum+=DELTA;
e=(sum>>2)&3;
for(p=0;p<n-1;p++)
{
y=v;
z=v+=MX;
}
y=v[0];
z=v[n-1]+=MX;
}
while(--rounds);
}
else if(n<-1)
{
n=-n;
rounds=6+52/n;
sum=rounds*DELTA;
y=v[0];
do
{
e=(sum>>2)&3;
for(p=n-1;p>0;p--)
{
z=v[p-1];
y=v-=MX;
}
z=v[n-1];
y=v[0]-=MX;
sum-=DELTA;
}
while(--rounds);
}
}
int main()
{
uint32_t v[2]={1,2};
uint32_t const k[4]={2,2,3,4};
int n=2;
printf("加密前原始数据:%u %un",v[0],v[1]);
btea(v,n,k);
printf("加密后数据:%u %un",v[0],v[1]);
btea(v,-n,k);
printf("解密后数据:%u %un",v[0],v[1]);
return 0;
}
例题
2019RedHat(红帽杯)-xx
ida打开
加密逻辑与过程
获取输入的部分
最后一个异或的逻辑,相当于从v20[3]开始,每一位都会和前面的几个数据循环异或,范围就是range(i//3),逆的时候从后往前算,总体的逻辑差不多是这样,输入的密钥是&v30,这个地址指向的内容是输入的前4位+后面都是0,长度为16字节,跟进加密算法,总体就是置换混淆到异或的结果
data = [0xCE, 0xBC, 0x40, 0x6B, 0x7C, 0x3A, 0x95, 0xC0, 0xEF, 0x9B,
0x20, 0x20, 0x91, 0xF7, 0x02, 0x35, 0x23, 0x18, 0x02, 0xC8,
0xE7, 0x56, 0x56, 0xFA ]
dec = ''
for i in range(7,-1,-1):
enc = ''
for j in range(3):
temp = data[i*3 + j]
for n in range(i):
temp ^= data[n]
enc += chr(temp)
dec = enc + dec
num = [2,0,3,1,6,4,7,5,10,8,11,9,14,12,15,13,18,16,19,17,22,20,23,21]
enc = [0] * 24
encflag = []
for i in range(24):
enc[num[i]] = dec[i]
for j in range(len(enc)):
encflag.append(ord(enc[j]))
print(encflag)
t = [int.from_bytes(encflag[i:i+4],byteorder='little') for i in range(0,len(encflag),4)]
# print(t)
v = []
for i in t:
v.append(hex(i))
# print(v)
temp = [0x40cea5bc, 0xe7b2b2f4, 0x129d12a9, 0x5bc810ae, 0x1d06d73d, 0xdcf870dc]
flag = b''
from ctypes import *
import libnum
def MX(z, y, sum1, k, p, e):
return c_uint32(((z.value>>5^y.value<<2)+(y.value>>3^z.value<<4))^((sum1.value^y.value)+(k[(p&3)^e.value]^z.value)))
def btea(v,k,n,delta):
if n>1:
sum1=c_uint32(0)
z=c_uint32(v[n-1])
rounds=6+52//n
e=c_uint32(0)
while rounds>0:
sum1.value+=delta
e.value=((sum1.value>>2)&3)#e要32位
for p in range(n-1):
y=c_uint32(v)
#v=c_uint32(v
+c_uint32((((z.value>>5^y.value<<2)+(y.value>>3^z.value<<4))^((sum1.value^y.value)+(k[(p&3)^e.value]^z.value)))).value).value
v= c_uint32(v
+ MX(z,y,sum1,k,p,e).value).value
z.value=v
y=c_uint32(v[0])
#v[n-1]=c_uint32(v[n-1]+c_uint32((((z.value>>5^y.value<<2)+(y.value>>3^z.value<<4))^((sum1.value^y.value)+(k[((n-1)&3)^e.value]^z.value)))).value).value
v[n-1] = c_uint32(v[n-1] + MX(z,y,sum1,k,n-1,e).value).value
z.value=v[n-1]
rounds-=1
else:
sum1=c_uint32(0)
n=-n
rounds=6+52//n
sum1.value=rounds*delta
y=c_uint32(v[0])
e=c_uint32(0)
while rounds>0:
e.value=((sum1.value>>2)&3)#e要32位
for p in range(n-1, 0, -1):
z=c_uint32(v[p-1])
#y=c_uint32(v
-c_uint32((((z.value>>5^y.value<<2)+(y.value>>3^z.value<<4))^((sum1.value^y.value)+(k[(p&3)^e.value]^z.value)))).value).value
v= c_uint32(v
- MX(z,y,sum1,k,p,e).value).value
y.value=v
z=c_uint32(v[n-1])
#v[n-1]=c_uint32(v[n-1]-c_uint32((((z.value>>5^y.value<<2)+(y.value>>3^z.value<<4))^((sum1.value^y.value)+(k[((n-1)&3)^e.value]^z.value)))).value).value
v[0] = c_uint32(v[0] - MX(z,y,sum1,k,0,e).value).value
y.value=v[0]
sum1.value-=delta
rounds-=1
return v
key = ''.join(format(ord(char), 'x') for char in reversed(['f', 'l', 'a', 'g']))
# print(key)
k = [0x67616c66,0x0,0x0,0x0]
if __name__ == '__main__':
a = temp
k = [0x67616c66,0x0,0x0,0x0]
delta = 0x9e3779b9
n = 6
res = btea(a,k,-n,delta)
for i in res:
flag += libnum.n2s(i)[::-1]
print("解密后数据:",flag)
# b'flag{CXX_and_++tea}x13'
[NCTF 2021]狗狗的秘密
输入长度是42。然后创造了新线程,进入线程开始地址'StartAddress'。
对off_405014交叉索引
看一下sub_403000,在SMC的代码区
进入sub_4011F0函数是个xtea加密
接下来我们反调试patch掉,直接执行if的子句
对sub_4011C0函数也反调试
在sub_403000处下个断点,动态调试。进入sub_403000。把那些数据按u未定义,再按c改为汇编代码
最后修改end address到此sub_403000函数的最后位置
f5反编译
void __cdecl sub_2C3000(const char *flag)
{
signed int v1; // [esp+0h] [ebp-98h]
unsigned int v2; // [esp+10h] [ebp-88h]
signed int v3; // [esp+1Ch] [ebp-7Ch]
int v4; // [esp+2Ch] [ebp-6Ch]
int v5; // [esp+2Ch] [ebp-6Ch]
char v6; // [esp+32h] [ebp-66h]
signed int Size; // [esp+34h] [ebp-64h]
unsigned int v8; // [esp+38h] [ebp-60h]
int k; // [esp+38h] [ebp-60h]
unsigned __int8 *v10; // [esp+3Ch] [ebp-5Ch]
int i; // [esp+40h] [ebp-58h]
signed int j; // [esp+40h] [ebp-58h]
signed int l; // [esp+40h] [ebp-58h]
signed int m; // [esp+40h] [ebp-58h]
signed int n; // [esp+40h] [ebp-58h]
char v16[62]; // [esp+44h] [ebp-54h]
int v17; // [esp+82h] [ebp-16h]
int v18; // [esp+86h] [ebp-12h]
int v19; // [esp+8Ah] [ebp-Eh]
int v20; // [esp+8Eh] [ebp-Ah]
__int16 v21; // [esp+92h] [ebp-6h]
v2 = strlen(flag);
Size = 0x92 * v2 / 0x64 + 1;
v3 = 0;
v10 = (unsigned __int8 *)malloc(Size);
v16[0] = 82;
v16[1] = -61;
v16[2] = 26;
v16[3] = -32;
v16[4] = 22;
v16[5] = 93;
v16[6] = 94;
v16[7] = -30;
v16[8] = 103;
v16[9] = 31;
v16[10] = 31;
v16[11] = 6;
v16[12] = 6;
v16[13] = 31;
v16[14] = 23;
v16[15] = 6;
v16[16] = 15;
v16[17] = -7;
v16[18] = 6;
v16[19] = 103;
v16[20] = 88;
v16[21] = -78;
v16[22] = -30;
v16[23] = -116;
v16[24] = 15;
v16[25] = 42;
v16[26] = 6;
v16[27] = -119;
v16[28] = -49;
v16[29] = 42;
v16[30] = 6;
v16[31] = 31;
v16[32] = -104;
v16[33] = 26;
v16[34] = 62;
v16[35] = 23;
v16[36] = 103;
v16[37] = 31;
v16[38] = -9;
v16[39] = 58;
v16[40] = 68;
v16[41] = -61;
v16[42] = 22;
v16[43] = 51;
v16[44] = 105;
v16[45] = 26;
v16[46] = 117;
v16[47] = 22;
v16[48] = 62;
v16[49] = 23;
v16[50] = -43;
v16[51] = 105;
v16[52] = 122;
v16[53] = 27;
v16[54] = 68;
v16[55] = 68;
v16[56] = 62;
v16[57] = 103;
v16[58] = -9;
v16[59] = -119;
v16[60] = 103;
v16[61] = -61;
v17 = 0;
v18 = 0;
v19 = 0;
v20 = 0;
v21 = 0;
memset(v10, 0, Size);
v8 = 0;
for ( i = 0; i < 256; ++i )
{
v6 = byte_2C5018[i];
byte_2C5018[i] = byte_2C5018[(i + *((unsigned __int8 *)&dword_2C5168 + i % 4)) % 256];
byte_2C5018[(i + *((unsigned __int8 *)&dword_2C5168 + i % 4)) % 256] = v6;
}
while ( v8 < strlen(flag) )
{
v4 = flag[v8];
for ( j = 0x92 * v2 / 0x64; ; --j )
{
v5 = v4 + (v10[j] << 8);
v10[j] = v5 % 47; //47进制
v4 = v5 / 47;
if ( j < v3 )
v3 = j;
if ( !v4 && j <= v3 )
break;
}
++v8;
}
for ( k = 0; !v10[k]; ++k )
;
for ( l = 0; l < Size; ++l )
v10[l] = byte_2C5118[v10[k++]]; #关键
while ( l < Size )
v10[l++] = 0;
v1 = strlen((const char *)v10);
for ( m = 0; m < v1; ++m )
v10[m] ^= byte_2C5018[v10[m]]; #关键
for ( n = 0; n < v1; ++n )
{
if ( v10[n] != (unsigned __int8)v16[n] ) //比较
{
sub_2C1510("Wrong!n", v1);
exit(0);
}
}
sub_2C1510("Right!n", v1);
}
已知v10数组已知,并且是int8类型,从0-256爆破,然后在看他在byte_2C5118中的位置就可以求出47进制形式
#byte_F5018
key1=[0x21, 0x43, 0x65, 0x87, 0x09, 0x21, 0x43, 0x65, 0xA2, 0x9B,
0xF4, 0xDF, 0xAC, 0x7C, 0xA1, 0xC6, 0x16, 0xD0, 0x0F, 0xDD,
0xDC, 0x73, 0xC5, 0x6B, 0xD1, 0x96, 0x47, 0xC2, 0x26, 0x67,
0x4E, 0x41, 0x82, 0x20, 0x56, 0x9A, 0x6E, 0x33, 0x92, 0x88,
0x29, 0xB5, 0xB4, 0x71, 0xA9, 0xCE, 0xC3, 0x34, 0x50, 0x59,
0xBF, 0x2D, 0x57, 0x22, 0xA6, 0x30, 0x04, 0xB2, 0xCD, 0x36,
0xD5, 0x68, 0x4D, 0x5B, 0x45, 0x9E, 0x85, 0xCF, 0x9D, 0xCC,
0x61, 0x78, 0x32, 0x76, 0x31, 0xE3, 0x80, 0xAD, 0x39, 0x4F,
0xFA, 0x72, 0x83, 0x4C, 0x86, 0x60, 0xB7, 0xD7, 0x63, 0x0C,
0x44, 0x35, 0xB3, 0x7B, 0x19, 0xD4, 0x69, 0x08, 0x0B, 0x1F,
0x3D, 0x11, 0x79, 0xD3, 0xEE, 0x93, 0x42, 0xDE, 0x23, 0x3B,
0x5D, 0x8D, 0xA5, 0x77, 0x5F, 0x58, 0xDB, 0x97, 0xF6, 0x7A,
0x18, 0x52, 0x15, 0x74, 0x25, 0x62, 0x2C, 0x05, 0xE8, 0x0D,
0x98, 0x2A, 0x43, 0xE2, 0xEF, 0x48, 0x87, 0x49, 0x1C, 0xCA,
0x2B, 0xA7, 0x8A, 0x09, 0x81, 0xE7, 0x53, 0xAA, 0xFF, 0x6F,
0x8E, 0x91, 0xF1, 0xF0, 0xA4, 0x46, 0x3A, 0x7D, 0x54, 0xEB,
0x2F, 0xC1, 0xC0, 0x0E, 0xBD, 0xE1, 0x6C, 0x64, 0xBE, 0xE4,
0x02, 0x3C, 0x5A, 0xA8, 0x9F, 0x37, 0xAF, 0xA0, 0x13, 0xED,
0x1B, 0xEC, 0x8B, 0x3E, 0x7E, 0x27, 0x99, 0x75, 0xAB, 0xFE,
0xD9, 0x3F, 0xF3, 0xEA, 0x70, 0xF7, 0x95, 0xBA, 0x1D, 0x40,
0xB0, 0xF9, 0xE5, 0xF8, 0x06, 0xBC, 0xB6, 0x03, 0xC9, 0x10,
0x9C, 0x2E, 0x89, 0x5C, 0x7F, 0xB1, 0x1A, 0xD6, 0x90, 0xAE,
0xDA, 0xE6, 0x5E, 0xB9, 0x84, 0xE9, 0x55, 0xBB, 0xC7, 0x0A,
0xE0, 0x66, 0xF2, 0xD8, 0xCB, 0x00, 0x12, 0xB8, 0x17, 0x94,
0x6A, 0x4A, 0x01, 0x24, 0x14, 0x51, 0x07, 0x65, 0x21, 0xC8,
0x38, 0xFD, 0x8F, 0xC4, 0xF5, 0xFC]
#byte_F5118
key2=[ 0xA7, 0x1C, 0x7E, 0xAF, 0xD9, 0xC2, 0xC0, 0xBE, 0x1F, 0x45,
0x9A, 0x85, 0x26, 0xE3, 0x87, 0xC3, 0x21, 0xE0, 0x95, 0x10,
0x71, 0x70, 0x02, 0x75, 0x35, 0xA5, 0x1D, 0x0D, 0x2F, 0xEE,
0x25, 0x7B, 0xB5, 0x82, 0x66, 0x8D, 0xDB, 0x53, 0x3A, 0x29,
0xD4, 0x43, 0x99, 0x97, 0x9D, 0xE8, 0x49, 0x00]
v10=[82, 195, 26, 224, 22, 93, 94, 226, 103, 31, 31, 6, 6, 31, 23, 6, 15, 249, 6, 103, 88, 178, 226, 140, 15, 42, 6, 137, 207, 42, 6, 31, 152, 26, 62, 23, 103, 31, 247, 58, 68, 195, 22, 51, 105, 26, 117, 22, 62, 23, 213, 105, 122, 27, 68, 68, 62, 103, 247, 137, 103, 195]
for c in v10:
for i in range(256):
if c==key1[i]^i:
#print(i)
if i in key2:
print(key2.index(i),end=' ')
print(' ')
会得到很多解,一个一个试
import Libnum
yu=[0,2,0,45,44,30,40,8,23,11,37,34,43,43,37,24,19,4,29,19,22,13,5,23,41,4,31,35,43
,37,3,33,10,24,22,37,38,1,25,0,30,6,42,45,36,30,10,24,21,42,26,28,25,38,9,11]
n =0
for i in range(Len(yu)):
n *= 47
n += yu[i]
print(libnum.n2s(n))
#NCTF{ADF0E239-D911-3781-7E40-A575A19E5835}
原文始发于微信公众号(火炬木攻防实验室):TEA密码与逆向工程
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论