[Reverse]crypt(rc4)

题目下载链接:crypt

动态调试

首先我们在这两处下断点



按f9进入动态调试,我们需要输入22位数据(flag长度为22位)

进入这个窗口后我们选中22行按tab进入汇编界面

可以发现0x14000131B处出现了异或,也就是第22行代码执行的位置。RC4是流密码,密钥流只由密钥决定、与输入内容无关,所以我们只需要把每次参与异或的v9(密钥流字节)记录下来,然后与0x22和密文异或就能还原出flag。我们继续按f8,当rip运行到
file

该处时我们将鼠标放到rdx上可以看到里面的数值也就是此刻v9的数值
file

反复操作22次我们可以得到如下数据

0xda,0xa9,0x73,0x1A,0xFE,0x4D,0xED,0x12,0x1E,0x66,0x5C,0x6D,0x8C,0x3C,0x96,0x49,0xFD,0x74,0xDF,0x43,0xDA,0x74

exp

#include<iostream>
#include<string>
using namespace std;

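// Ciphertext bytes the challenge binary compares against (22 bytes, one per flag character).
// Deliberately not named `data`: with the file's `using namespace std;` an unqualified `data`
// is ambiguous with std::data when the file is built as C++17 or later.
static const unsigned char kCiphertext[] = {
    0x9E, 0xE7, 0x30, 0x5F, 0xA7, 0x01, 0xA6, 0x53, 0x59, 0x1B, 0x0A,
    0x20, 0xF1, 0x73, 0xD1, 0x0E, 0xAB, 0x09, 0x84, 0x0E, 0x8D, 0x2B};

// RC4 keystream bytes read from rdx at the XOR instruction, one per input position.
static const unsigned char kKeystream[] = {
    0xda, 0xa9, 0x73, 0x1A, 0xFE, 0x4D, 0xED, 0x12, 0x1E, 0x66, 0x5C,
    0x6D, 0x8C, 0x3C, 0x96, 0x49, 0xFD, 0x74, 0xDF, 0x43, 0xDA, 0x74};

// Constant the binary XORs in on top of the RC4 keystream.
static const unsigned char kXorMask = 0x22;

// The loop indexes both tables with the same counter, so a mismatch would read out of bounds.
static_assert(sizeof(kCiphertext) == sizeof(kKeystream),
              "ciphertext and keystream must have the same length");

// Recovers the flag: plaintext[i] = ciphertext[i] ^ keystream[i] ^ 0x22.
int main()
{
    std::string flag;
    flag.reserve(sizeof(kCiphertext));
    // Bound comes from the table itself instead of a hard-coded 22.
    for (std::size_t i = 0; i < sizeof(kCiphertext); ++i)
    {
        flag += static_cast<char>(kCiphertext[i] ^ kKeystream[i] ^ kXorMask);
    }
    std::cout << flag;
    return 0;
}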

传统rc4(不调试,直接按反编译出的RC4算法写解密脚本)

exp

#include<stdio.h>
#include<windows.h>
#include<cstring>
using namespace std;

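// Buffer that main() decrypts in place: 22 ciphertext bytes followed by two zero bytes.
// Despite the name this is not the RC4 key; main() passes Str to the key schedule and
// this array to the XOR routine.
// Written as char literals because values above 0x7F in a braced `char` initializer are a
// narrowing conversion from int, which C++11 and later reject where char is signed.
char key[] =
{
  '\x9E', '\xE7', '\x30', '\x5F', '\xA7', '\x01', '\xA6', '\x53', '\x59', '\x1B',
  '\x0A', '\x20', '\xF1', '\x73', '\xD1', '\x0E', '\xAB', '\x09', '\x84', '\x0E',
  '\x8D', '\x2B', '\x00', '\x00'
};
// RC4 key string handed to the key schedule (sub_140001120) by main().
char Str[]="12345678abcdefghijklmnopqrspxyz";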
// RC4 key schedule (KSA) as recovered from the decompiler.
//   a1: state block; a1[0] and a1[1] are reset to 0 and the 256 entries starting at
//       a1 + 2 are filled with the key-dependent permutation.
//   a2: key bytes.
//   a3: key length; the key position wraps back to 0 once it reaches a3.
// Returns the number of mixing rounds performed, which is always 256.
__int64 __fastcall sub_140001120(DWORD *a1, char *a2, int a3)
{
  a1[0] = 0;
  a1[1] = 0;
  DWORD *sbox = a1 + 2;

  // Start from the identity permutation 0..255.
  int n = 0;
  while ( n < 256 )
  {
    sbox[n] = n;
    ++n;
  }

  __int64 rounds = 0;
  int keyPos = 0;   // index into the key, wraps at a3
  int swapIdx = 0;  // running "j" index, kept in 0..255 by the byte cast
  for ( int idx = 0; idx < 256; ++idx )
  {
    int cur = sbox[idx];
    swapIdx = (unsigned __int8)(*(BYTE *)(a2 + keyPos) + cur + swapIdx);
    // Swap sbox[idx] and sbox[swapIdx].
    sbox[idx] = sbox[swapIdx];
    sbox[swapIdx] = cur;
    keyPos = keyPos + 1;
    if ( keyPos >= a3 )
      keyPos = 0;
    rounds = (unsigned int)(idx + 1);
  }
  return rounds;
}
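// RC4 keystream generation (PRGA) as recovered from the decompiler: XORs a3 bytes at a2
// in place with the keystream.
//   a1: state block prepared by the key schedule; a1[0] and a1[1] hold the two running
//       indices and are written back on exit, a1 + 2 is the 256-entry permutation.
//   a2: buffer to encrypt or decrypt in place.
//   a3: number of bytes to process; nothing is touched when a3 <= 0.
// Returns 0. The value carries no meaning and the caller ignores it; the original listing
// had no return statement at all, which is undefined behaviour for a non-void function.
DWORD sub_140001240(DWORD *a1, char* a2, int a3)
{
  int i; // [rsp+0h] [rbp-28h]
  int v5; // [rsp+4h] [rbp-24h]
  int v6; // [rsp+8h] [rbp-20h]
  int v7; // [rsp+Ch] [rbp-1Ch]
  int v8; // [rsp+10h] [rbp-18h]
  DWORD *v9; // [rsp+18h] [rbp-10h]

  v5 = *a1;
  v6 = a1[1];
  v9 = a1 + 2;
  for ( i = 0; i < a3; ++i )
  {
    // Advance both indices modulo 256 (the byte casts do the wrap-around).
    v5 = (unsigned __int8)(v5 + 1);
    v7 = v9[v5];
    v6 = (unsigned __int8)(v7 + v6);
    v8 = v9[v6];
    // Swap the two permutation entries.
    v9[v5] = v8;
    v9[v6] = v7;
    // Keystream byte is the entry indexed by the sum of the two swapped values.
    *(BYTE *)(a2 + i) ^= LOBYTE(v9[(unsigned __int8)(v8 + v7)]);
  }
  // Persist the indices so a later call continues the same keystream.
  *a1 = v5;
  a1[1] = v6;
  return 0;
}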
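int i;  // unused file-scope counter kept from the original listing; the loop below uses its own index
// Decrypts the ciphertext held in `key`: undo the extra XOR with 34 (0x22), then run RC4
// keyed with Str over the buffer and print the result.
int main()
{
    // The ciphertext is binary data, so its length is fixed at 22 (the flag length) rather
    // than measured with strlen(): strlen() stops at the first zero byte, and re-evaluating
    // it while the loop rewrites the buffer would shorten the range if a byte equalled 0x22.
    const int cipherLen = 22;

    // RC4 state: two index slots followed by the 256-entry permutation. A stack array
    // replaces the unchecked, never-freed malloc(0x408*sizeof(v9)), whose size multiplied
    // by the pointer size and so allocated more than the state needs.
    DWORD state[2 + 256];

    sub_140001120(state, Str, (int)strlen(Str));
    for (int idx = 0; idx < cipherLen; ++idx)
    {
        key[idx] ^= 34;
    }
    sub_140001240(state, key, cipherLen);
    // Print exactly cipherLen bytes instead of relying on a terminating zero.
    printf("%.*s", cipherLen, key);
    return 0;
}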

flag

flag{nice_to_meet_you}
