写了逆向方向两个题5mc,df5

5mc

拖进ida,32位,后面有一段比较冗长但又难以理解的代码,实际作用是在初始化后续的加密段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
  sub_7FF67C8E1020("flag:", argv, envp);
  sub_7FF67C8E1080("%s", Buf1);
  n32_2 = -1LL;
  do
    ++n32_2;
  while ( Buf1[n32_2] );
  if ( n32_2 == 32 )
  {
    srand(0x1BF52u);
    box = box;
    n256 = 0;
    v9 = off_7FF67C905070;
    box_1 = box;
    v11 = off_7FF67C905078;
    v12 = off_7FF67C905080;
    do
      *box_1++ = n256++;
    while ( n256 < 256 );
    n512 = 512LL;
    do
    {
      v14 = rand();
      v15 = rand();
      v16 = box[v14];
      box[v14] = box[v15];
      box[v15] = v16;
      --n512;
    }
    while ( n512 );
    n32 = 0;
    v18 = v9;
    do
      *v18++ = n32++;
    while ( n32 < 32 );
    n32_1 = 32LL;
    do
    {
      v20 = rand() % 32;
      v21 = rand() % 32;
      v22 = v9[v20];
      v9[v20] = v9[v21];
      v9[v21] = v22;
      --n32_1;
    }
    while ( n32_1 );
    for ( i = 0LL; i < 32; ++i )
      v11[i] = rand();
    for ( j = 0LL; j < 32; ++j )
      v12[j] = rand();
    n17 = 0;
    v26 = 0LL;
    do
    {
      v27 = VirtualAlloc(0LL, 0xD2uLL, MEM_COMMIT, PAGE_READWRITE);
      lpAddress[v26] = v27;
      if ( !v27 )
        return -1;
      v28 = v43[v26];
      ++n17;
      ++v26;
      *v27 = *v28;
      v27[1] = v28[1];
      v27[2] = v28[2];
      v27[3] = v28[3];
      v27[4] = v28[4];
      v27[5] = v28[5];
      v27[6] = v28[6];
      v29 = v28[7];
      v28 += 8;
      v27[7] = v29;
      v27[8] = *v28;
      v27[9] = v28[1];
      v27[10] = v28[2];
      v27[11] = v28[3];
      v27[12] = v28[4];
      *(v27 + 104) = *(v28 + 40);
    }
    while ( n17 < 17 );
    lpAddress_1 = lpAddress[0];
    for ( k = 0LL; k < 16; ++k )
    {
      for ( m = 0LL; m < 17; ++m )
      {
        if ( m != k + 1 )
        {
          v33 = lpAddress[m];
          n192 = 0LL;
          v35 = lpAddress[k + 1];
          if ( v33 <= (v35 + 209) && &v33[13].m128i_i8[1] >= v35 )
            goto LABEL_37;
          v36 = v33 + 2;
          do
          {
            v37 = _mm_loadu_si128(v36 - 2);
            v36 += 4;
            v38 = _mm_loadu_si128(&v35[n192 + 32]);
            v36[-6] = _mm_xor_si128(_mm_loadu_si128(&v35[n192]), v37);
            v36[-5] = _mm_xor_si128(_mm_loadu_si128(&v35[n192 + 16]), _mm_loadu_si128(v36 - 5));
            v39 = _mm_loadu_si128(&v35[n192 + 48]);
            n192 += 64LL;
            v36[-4] = _mm_xor_si128(v38, _mm_loadu_si128(v36 - 4));
            v36[-3] = _mm_xor_si128(v39, _mm_loadu_si128(v36 - 3));
          }
          while ( n192 < 192 );
          if ( n192 < 210 )
          {
LABEL_37:
            do
            {
              v33->m128i_i8[n192] ^= v35[n192];
              ++n192;
            }
            while ( n192 < 210 );
          }
        }
      }
      memset(lpAddress[k + 1], 0, 0xD2uLL);
      VirtualProtect(lpAddress_1, 0xD2uLL, PAGE_EXECUTE_READ, flOldProtect);
      (lpAddress_1)(Buf1, &box);
      VirtualProtect(lpAddress_1, 0xD2uLL, PAGE_READWRITE, flOldProtect);
    }
    v40 = memcmp(Buf1, &Buf2_, 0x20uLL);
    right_n = "right\n";
    if ( v40 )
      right_n = "wrong\n";
    sub_7FF67C8E1020(right_n, "wrong\n", envp_1);
    return 0;
  }
  else
  {
    sub_7FF67C8E1020("wrong\n", argv_1, envp_2);
    return 0;
  }
}

这里是加密主要逻辑,对明文的加密段存储在lpAddress中,并且不是一成不变的,这里利用了SSE来进行对加密段的异或,看似复杂,实际上只是实现了同一段代码,经过不同种的异或最终做到不同的加密方式

还好是一个可以动调的程序,所以只需关注下面的(v30)(Buf1, &box);

16种加密,每四个一轮,每轮中前两种加密相同,后两种都比较相似,耐心即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
unsigned char box1[256] = {
    0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B, 0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7,
    0x3D, 0x18, 0x1E, 0x61, 0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F, 0xDA, 0xF4,
    0xDE, 0xCA, 0x56, 0x92, 0x75, 0x3B, 0x62, 0x45, 0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3,
    0xD2, 0x44, 0xA1, 0x4A, 0x58, 0xB1, 0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF, 0x50, 0xC3, 0xDC, 0xEA,
    0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51, 0xE3, 0xC1, 0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8,
    0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9, 0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97,
    0x4F, 0xD4, 0xBB, 0x23, 0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B, 0x19, 0xCD, 0xC4, 0x08,
    0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05, 0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76, 0xBF, 0x60,
    0xE7, 0x24, 0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2, 0x9C, 0x99, 0xF6, 0x2D,
    0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03, 0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F,
    0x46, 0xE9, 0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2, 0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53,
    0x83, 0x4D, 0xB2, 0x10, 0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27, 0xBE, 0xD5,
    0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94, 0xAB, 0x8A, 0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD,
    0x22, 0x4E, 0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32, 0xA4, 0x16, 0xFE, 0x5B, 0x13, 0xDD, 0xC0, 0x9A,
    0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49, 0xE6, 0x9F, 0xF1, 0xC5, 0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D,
    0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8, 0x59, 0x98, 0x09, 0x80, 0xE2, 0xC7
};
unsigned char box2[32] = {
    0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06, 0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05,
    0x0E, 0x03, 0x12, 0x04, 0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B, 0x17, 0x0A
};
unsigned char box3[32] = {
    0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13, 0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF,
    0x18, 0x4F, 0x26, 0x18, 0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9, 0x9E, 0xC4
};
unsigned char box4[32] = {
    0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41, 0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8,
    0x1E, 0xBA, 0x6A, 0xBE, 0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C, 0xE2, 0x43
};
unsigned char sbox1[256] = { 0 };
void getsbox1() {
    for (int i = 0; i < 256; i++)
    {
        sbox1[box1[i]] = i;
    }
}
void decrpty(unsigned char* flag, int length) {
    int i, j;
    char v2[32];
    for (j = 0; j <= 31; ++j)
        v2[j] = flag[box2[j]];
    for (i = 0; i <= 31; ++i)
        flag[i] = v2[box2[i]];

    for (i = 0; i < length; i++)
    {
        flag[i] = sbox1[flag[i]];
    }
}
int main() {
    // 生成 box1 的逆查表
    getsbox1();
    // 初始加密后的 flag,与加密程序中保持一致
    unsigned char flag[32] = {
        0x5B, 0x2D, 0xE9, 0x66, 0xED, 0x39, 0x90, 0x23, 0xAF, 0xDA, 0xEB, 0x2E, 0xD1, 0x0D, 0xBB, 0xBD,
        0x57, 0x52, 0x02, 0xB0, 0xBA, 0x9D, 0x52, 0xFA, 0x67, 0xEE, 0xA3, 0x85, 0xA9, 0x84, 0xE2, 0x6F
    };    int length = 32;
    int i, j;

    for (i = 0; i <= 31; ++i)
    {

        flag[i] = (flag[i] << 7) | (flag[i] >> 1);
        flag[i] = (box3[i] ^ flag[i]) - box4[i];
    }
    for (i = 0; i <= 31; ++i)
    {
        flag[i] = (flag[i] << 6) | (flag[i] >> 2);
        flag[i] = box3[i] ^ (flag[i] - box4[i]);
    }
    decrpty(flag, length);

    for (i = 0; i <= 31; ++i)
    {

        flag[i] = (flag[i] << 3) | (flag[i] >> 5);
        flag[i] = (box3[i] ^ flag[i]) - box4[i];
    }
    for (i = 0; i <= 31; ++i)
    {
        flag[i] = (flag[i] << 5) | (flag[i] >> 3);
        flag[i] = box3[i] ^ (flag[i] - box4[i]);
    }
    decrpty(flag, length);

    for (i = 0; i <= 31; ++i)
    {

        flag[i] = (flag[i] << 4) | (flag[i] >> 4);
        flag[i] = (box3[i] ^ flag[i]) - box4[i];
    }
    for (i = 0; i <= 31; ++i)
    {
        flag[i] = (flag[i] << 2) | (flag[i] >> 6);
        flag[i] = box3[i] ^ (flag[i] - box4[i]);
    }
    decrpty(flag, length);
    for (i = 0; i <= 31; ++i)
    {

        flag[i] = (flag[i] << 1) | (flag[i] >> 7);
        flag[i] = (box3[i] ^ flag[i]) - box4[i];
    }
    for (i = 0; i <= 31; ++i)
    {
        flag[i] = (flag[i] << 5) | (flag[i] >> 3);
        flag[i] = box3[i] ^ (flag[i] - box4[i]);
    }
    decrpty(flag, length);
    for (int i = 0; i < 32; i++)
    {
        printf("0x%x,", flag[i]);
    }
    printf("\n");


    for (int i = 0; i < 32; i++)
    {
        printf("%c", flag[i]);
    }
    printf("\n");
    return 0;
}//flag{Master_of_5mc_XoR_aDD_r0r!}

df5

这道题难在解密实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdi
  const char *v4; // rdx
  __int64 v5; // r8
  __int64 len; // rax
  const char *v7; // rcx
  _BYTE *ppbox1; // rsi
  int v9; // eax
  _BYTE *ppbox2; // r14
  _BYTE *pppbox1; // rcx
  _BYTE *ppbox3; // r15
  _BYTE *ppbox4; // r12
  __int64 v14; // rbp
  unsigned __int8 v15; // bl
  unsigned __int8 v16; // al
  char v17; // r8
  int v18; // eax
  _BYTE *v19; // rcx
  __int64 v20; // rsi
  unsigned __int8 v21; // bl
  unsigned __int8 v22; // al
  char v23; // r8
  __int64 i; // rbx
  __int64 j; // rbx
  int v26; // eax
  __int64 v28[4]; // [rsp+28h] [rbp-70h]
  char Buf1[40]; // [rsp+48h] [rbp-50h] BYREF

  v3 = 0i64;
  v28[0] = sub_7FF6C66410E0;
  v28[1] = sub_7FF6C66412A0;
  v28[2] = sub_7FF6C6641610;
  v28[3] = sub_7FF6C66416B0;
  sub_7FF6C6641020("flag:", argv, envp);
  scnaf("%s", Buf1);
  len = -1i64;
  do
    ++len;
  while ( Buf1[len] );
  if ( len == 32 )
  {
    srand(0x1BF52u);
    ppbox1 = pbox1;
    v9 = 0;
    ppbox2 = pbox2;
    pppbox1 = pbox1;
    ppbox3 = pbox3;
    ppbox4 = pbox4;
    do
      *pppbox1++ = v9++;                        // 造盒
    while ( v9 < 256 );
    v14 = 512i64;
    do
    {
      v15 = rand();
      v16 = rand();
      v17 = ppbox1[v15];
      ppbox1[v15] = ppbox1[v16];                // 打乱盒
      ppbox1[v16] = v17;
      --v14;
    }
    while ( v14 );
    v18 = 0;
    v19 = ppbox2;
    do
      *v19++ = v18++;
    while ( v18 < 32 );
    v20 = 32i64;
    do
    {
      v21 = rand() % 32;
      v22 = rand() % 32;
      v23 = ppbox2[v21];
      ppbox2[v21] = ppbox2[v22];                // 打乱box2
      ppbox2[v22] = v23;
      --v20;
    }
    while ( v20 );
    for ( i = 0i64; i < 32; ++i )
      ppbox3[i] = rand();
    for ( j = 0i64; j < 32; ++j )
      ppbox4[j] = rand();
    do
      (v28[Buf1[v3++] & 3])(Buf1, &pbox1);
    while ( v3 < 32 );
    v26 = memcmp(Buf1, &unk_7FF6C6665AD0, 0x20ui64);
    v7 = "right\n";
    v4 = "wrong\n";
    if ( v26 )
      v7 = "wrong\n";
  }
  else
  {
    v7 = "wrong\n";
  }
  sub_7FF6C6641020(v7, v4, v5);
  return 0;
}

可以看到,也是四种加密方式,不同的是加密逻辑是根据输入的每一位&3,形成的结果进行加密,32轮,如此一来解密时就需要知道上一轮经过什么加密,我先对当前轮对应的明文元素称之为,加密种数,我的想法是,先将密文四种都尝试解密,解密后的加密种数&3,查看是否结果与它所经过的加密一致

但同时有新的问题,如果它的解密结果刚好一致呢?所以要采取回溯法,就像走迷宫一样,这条路走不通,就回退换路,实现我选用递归

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>


unsigned char box3[32] = {
    0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13, 0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF,
    0x18, 0x4F, 0x26, 0x18, 0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9, 0x9E, 0xC4
};
unsigned char box4[32] = {
    0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41, 0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8,
    0x1E, 0xBA, 0x6A, 0xBE, 0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C, 0xE2, 0x43
};
unsigned char box2[32] = {
    0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06, 0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05,
    0x0E, 0x03, 0x12, 0x04, 0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B, 0x17, 0x0A
};
unsigned char box1[256] = {
    0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B, 0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7,
    0x3D, 0x18, 0x1E, 0x61, 0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F, 0xDA, 0xF4,
    0xDE, 0xCA, 0x56, 0x92, 0x75, 0x3B, 0x62, 0x45, 0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3,
    0xD2, 0x44, 0xA1, 0x4A, 0x58, 0xB1, 0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF, 0x50, 0xC3, 0xDC, 0xEA,
    0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51, 0xE3, 0xC1, 0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8,
    0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9, 0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97,
    0x4F, 0xD4, 0xBB, 0x23, 0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B, 0x19, 0xCD, 0xC4, 0x08,
    0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05, 0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76, 0xBF, 0x60,
    0xE7, 0x24, 0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2, 0x9C, 0x99, 0xF6, 0x2D,
    0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03, 0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F,
    0x46, 0xE9, 0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2, 0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53,
    0x83, 0x4D, 0xB2, 0x10, 0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27, 0xBE, 0xD5,
    0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94, 0xAB, 0x8A, 0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD,
    0x22, 0x4E, 0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32, 0xA4, 0x16, 0xFE, 0x5B, 0x13, 0xDD, 0xC0, 0x9A,
    0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49, 0xE6, 0x9F, 0xF1, 0xC5, 0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D,
    0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8, 0x59, 0x98, 0x09, 0x80, 0xE2, 0xC7
};
unsigned char sbox1[256];
void initsbox1() {
    for (int i = 0; i < 256; i++)
    {
        sbox1[box1[i]] = i;
    }
}
char ror(unsigned char a, int i) {
    return (a >> i) | (a << (8 - i));
}
void decrpty0(unsigned char* flag) {
    for (int i = 0; i < 32; i++)
    {
        flag[i] = sbox1[flag[i]];
    }
}
void decrpty1(unsigned char* flag) {
    char v2[32];
    for (int i = 0;i < 32;i++)
        v2[i] = flag[box2[i]];
    for (int i = 0;i < 32;i++)
        flag[i] = v2[box2[i]];
}
void decrpty2(unsigned char* flag) {
    for (int i = 0; i < 32; i++) {
        flag[i] -= box4[i];
        flag[i] ^= box3[i];
    }
}
void decrpty3(unsigned char* flag) {
    for (int i = 0;i < 32;i++) {
        flag[i] = ror(flag[i], 5);
    }
}
void decrpty(char* flag, int now) {
    if (now < 0) {
        if (!strncmp(flag, "flag", 4)) {
            printf("%s", flag);
        }
        return;
    }
    for (int i = 0; i < 4; i++)
    {
        unsigned char tryflag[33];
        memcpy(tryflag, flag, 33);
        switch (i) {
        case 0:decrpty0(tryflag);break;
        case 1:decrpty1(tryflag);break;
        case 2:decrpty2(tryflag);break;
        case 3:decrpty3(tryflag);break;
        }
        if ((tryflag[now] & 3) == i) {
            decrpty((char*)tryflag, now - 1);
        }
    }
}
int main() {
    char flag[] = {
        0x65, 0x3E, 0x43, 0xB8, 0xBA, 0xDB, 0xF6, 0x88, 0x25, 0x1B, 0x28, 0xC7, 0xC0, 0x54, 0xA6, 0x4A,
        0x90, 0x37, 0xBC, 0x29, 0x41, 0xAA, 0x28, 0xDB, 0x9A, 0x59, 0x63, 0x9E, 0x4B, 0xCF, 0x2E, 0x41,
        0
    };
    initsbox1();
    decrpty(flag, 31);
    //flag{Ea5y_enCrypt_And_decrYpt!!}
    return 0;
}