---
lang: ja-jp
breaks: true
---

Lost Decryption
===

## 問題概要

### ジャンル
binary

### 点数
200 points

### 問題文
Lost Decryption
I created my own cipher and encrypted the very important file.
However, I lost the decryption program because of file system error, so now I cannot read the file.
Please help me.
lost_decryption.zip

### フラグ
???

### 挑戦者
tkmru

## 解法

## 議論

```
$ ./cipher
./cipher: error while loading shared libraries: libdecrypt.so: cannot open shared object file: No such file or directory
```

libencrypt.soはあるけどlibdecrypt.soはない。
libencrypt頑張って読んでdecryptすればよさそう。

sub_700()つらい
残り時間で読むのきつい

```c=
/*
 * Decompiler pseudo-code for sub_700 as pasted by the author. The names are
 * machine registers (r12, rbx, rax, ...), not C variables.
 *
 * Two inputs are loaded into r12 (arg0) and rbx (arg1), an outer mixing loop
 * runs 5 times, and the final r12 is returned.
 *
 * NOTE(review): the signature says int, but the constants below are 64 bits
 * wide, so the real operand width is presumably 64 bits. Confirm against the
 * disassembly.
 * NOTE(review): the long expressions are printed without full
 * parenthesisation. Do not assume the decompiler's output follows C operator
 * precedence; check each step against the disassembly before reimplementing.
 */
int sub_700(int arg0, int arg1) {
    /* stack[] stores as emitted by the decompiler; none of these slots is
       read back anywhere in this listing. */
    stack[2047] = 0xfa94b1238c6dd663;
    stack[2046] = r14;
    stack[2045] = 0x6ed0153c8f6d2b11;
    stack[2044] = r12;
    stack[2043] = 0x5;
    stack[2042] = rbx;
    r12 = arg0;
    rbx = arg1; // author's note: 0x9104f95de694dc50 goes here (the caller listing below passes it as the second argument)
    counter = 0x5; /* outer loop runs 5 times */
    rsp = rsp - 0x8 - 0x8 - 0x8 - 0x8 - 0x8 - 0x8 - 0x8;
    do {
        /* Mixing stage: the term `rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317`
           recurs in the rax, rsi and rbx assignments that follow. */
        rax = (((r12 << 0x39) + r12 << 0x4) - r12 ^ r12) + rbx ^ ((((r12 << 0x39) + r12 << 0x4) - r12 ^ r12) + rbx) * 0x8 ^ rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ ((((r12 << 0x39) + r12 << 0x4) - r12 ^ r12) + rbx ^ ((((r12 << 0x39) + r12 << 0x4) - r12 ^ r12) + rbx) * 0x8) + 0x6ed0153c8f6d2b11;
        rsi = (rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ (rax ^ rax >> 0x11 & 0xb78bc70454e32323) - rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317) >> 0x1 ^ (rax ^ rax >> 0x11 & 0xb78bc70454e32323) - rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317;
        rbx = rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ (rax ^ rax >> 0x11 & 0xb78bc70454e32323) - rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ rbx * 0xfa94b1238c6dd663 + 0x2f3942d23a31a317 ^ rsi + rsi;
        /* Shift-and-XOR chain: right and left shifts by 2 through 7
           (the *0x4 and *0x8 factors are left shifts by 2 and 3). */
        rax = (rbx >> 0x2 ^ rsi) * 0x4 ^ rbx ^ (rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3) * 0x8;
        rdx = ((rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3) << 0x4 ^ rax ^ (rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3 ^ ((rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3) << 0x4 ^ rax) >> 0x5) << 0x5) >> 0x6 ^ rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3 ^ ((rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3) << 0x4 ^ rax) >> 0x5;
        rax = rdx << 0x6 ^ (rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3) << 0x4 ^ rax ^ (rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3 ^ ((rax >> 0x4 ^ rbx >> 0x2 ^ rsi ^ ((rbx >> 0x2 ^ rsi) * 0x4 ^ rbx) >> 0x3) << 0x4 ^ rax) >> 0x5) << 0x5;
        r12 = rax >> 0x7 ^ rdx;
        rbx = rax ^ (rax >> 0x7 ^ rdx) << 0x7;
        /* Read with C precedence, rbx was just set to rax ^ (... << 0x7),
           so this test is equivalent to rbx != 0. */
        if (rax != (rax >> 0x7 ^ rdx) << 0x7) {
            r12 = r12 * rbx;
        }
        /* Byte-wise pass over rbx: bit offsets 0, 8, ..., 0x38. Each byte is
           passed to sub_5e0 and the low byte of the result is XORed into r12
           at the same offset.
           sub_5e0 is not shown; presumably a byte substitution. TODO confirm. */
        r14 = 0x0;
        do {
            rax = sub_5e0(rbx >> r14 & 0xff);
            rcx = r14;
            r14 = r14 + 0x8;
            /* NOTE(review): sign_extend_32 suggests the shift result is a
               32-bit value widened to 64 bits. If so, offsets >= 0x20 do not
               behave like a plain 64-bit shift, and bit 31 propagates into
               the upper half. Confirm in the disassembly; a reimplementation
               must reproduce this exactly. */
            r12 = r12 ^ sign_extend_32((rax & 0xff) << rcx);
        } while (r14 != 0x40);
        counter--;
    } while (counter != 0x0);
    return r12;
}
```

```c=
/* Caller fragment: the loop body runs 14 times (counter = 0xe).
   ENCRYPT looks like a decompiler placeholder rather than a real symbol;
   the actual arguments need to be recovered from the disassembly. */
counter = 0xe;
r13 = arg_1;
do {
    /* var_0 is only ever combined with sub_700's result by XOR here. */
    var_0 = var_0 ^ sub_700(ENCRYPT, ENCRYPT);
    /* The return value of this second call is not used in this listing. */
    sub_700(ENCRYPT, 0x9104f95de694dc50);
    /* sub_880 is not shown. It is called on rbp and then r13 each round;
       what it updates determines whether the rounds can be replayed in
       reverse order. TODO confirm. */
    sub_880(rbp);
    sub_880(r13);
    counter--;
} while (counter != 0x0);
```

xor多いし、ちょっと変更すればdecryptにそのまま使えるのではという気持ち