[RE] uniapp - cew

xp0int Posted on Sep 19 2021

解压出apps\__UNI__14D1880\www\app-service.js
主要逻辑在这
![enter image description here](https://leanote.com/api/file/getImage?fileId=614350fdab64417e140849f7)
f\["encrypt"\](c)调用类似chacha加密的函数，依葫芦画瓢解密即可

```
iv = [0, 0, 0, 0, 0, 0, 0, 74, 0, 0, 0, 0]
key = [_ for _ in range(32)]              
def _get32(t, e):
    return t[e] ^ t[e+1] << 8 ^ t[e+2] << 16 ^ t[e+3] << 24

n = 1
_rounds = 20
_sigma = [1634760805, 857760878, 2036477234, 1797285236]
_param = [_sigma[0], _sigma[1], _sigma[2], _sigma[3], _get32(key, 0), _get32(key, 4), _get32(key, 8), _get32(key, 12), _get32(key, 16), _get32(key, 20), _get32(key, 24), _get32(key, 28), n, _get32(iv, 0), _get32(iv, 4), _get32(iv, 8)]
_keystream = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
_byteCounter = 0

def _rotl(num, e):
    return (num << e | num >> 32 - e) & 0xffffffff

def _quarterround(t, e, n, r, o):
    print(t)
    t[e] += t[n]
    t[e] &= 0xffffffff
    t[o] = _rotl(t[o] ^ t[e], 16)
    t[r] += t[o]
    t[r] &= 0xffffffff
    t[n] = _rotl(t[n] ^ t[r], 12)
    t[e] += t[n]
    t[e] &= 0xffffffff
    t[o] = _rotl(t[o] ^ t[e], 8)
    t[r] += t[o]
    t[r] &= 0xffffffff
    t[n] = _rotl(t[n] ^ t[r], 7)
    t[e] >>= 0
    t[n] >>= 0
    t[r] >>= 0
    t[o] >>= 0

return t

def encrypt(t):
    return _update(t)

def decrypt(t):
    return _update(t)

def _chacha():
    n = 0
    t = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    for i in range(16):
        t[i] = _param[i]

for i in range(0, _rounds, 2):
        t = _quarterround(t, 0, 4, 8, 12)
        t = _quarterround(t, 1, 5, 9, 13)
        t = _quarterround(t, 2, 6, 10, 14)
        t = _quarterround(t, 3, 7, 11, 15) 
        t = _quarterround(t, 0, 5, 10, 15) 
        t = _quarterround(t, 1, 6, 11, 12)
        t = _quarterround(t, 2, 7, 8, 13)
        t = _quarterround(t, 3, 4, 9, 14)
    
    for e in range(16):
        t[e] += _param[e]
        _keystream[n] = 255 & t[e]
        n += 1 
        _keystream[n] = t[e] >> 8 & 255
        n += 1 
        _keystream[n] = t[e] >> 16 & 255
        n += 1 
        _keystream[n] = t[e] >> 24 & 255
        n += 1 
    
    print(_keystream)
    return _keystream

key = _chacha()
cmp = [34, 69, 86, 242, 93, 72, 134, 226, 42, 138, 112, 56, 189, 53, 77, 178, 223, 76, 78, 221, 63, 40, 86, 231, 121, 29, 154, 189, 204, 243, 205, 44, 141, 100, 13, 164, 35, 123]
cmp = [102 ^ cmp[_] ^ key[_] for _ in range(len(cmp))]
print(bytes(cmp))
```
FLAG:flag{59ec211c0695979db6ca4674fd2a9aa7}

打赏还是打残，这是个问题