题目下载链接:crypt
动态调试
首先我们在这两处下断点
按f9进入动态调试,我们需要输入22位数据(flag长度为22位)
进入这个窗口后我们选中22行按tab进入汇编界面
可以发现0x14000131B处出现了异或,也就是执行22行代码的位置,我们只需要把所有异或的v9储存下来然后与0x22和密文异或就行了。我们继续按f8当rip运行到
该处时我们将鼠标放到rdx上可以看到里面的数值也就是此刻v9的数值
反复操作22次我们可以得到如下数据
0xda,0xa9,0x73,0x1A,0xFE,0x4D,0xED,0x12,0x1E,0x66,0x5C,0x6D,0x8C,0x3C,0x96,0x49,0xFD,0x74,0xDF,0x43,0xDA,0x74
exp
#include<iostream>
#include<string>
using namespace std;
int data[]={0x9E,0xE7,0x30,0x5F,0xA7,0x01,0xA6,0x53,0x59,0x1B,0x0A,0x20,0xF1,0x73,0xD1,0x0E,0xAB,0x09,0x84,0x0E,0x8D, 0x2B};
int tmp[]={0xda,0xa9,0x73,0x1A,0xFE,0x4D,0xED,0x12,0x1E,0x66,0x5C,0x6D,0x8C,0x3C,0x96,0x49,0xFD,0x74,0xDF,0x43,0xDA,0x74};
string flag;
int main ()
{
for(int i = 0 ; i < 22 ; i++ )
{
flag+=(char)(data[i]^tmp[i]^0x22);
}
cout<<flag;
}
传统rc4
exp
#include<stdio.h>
#include<windows.h>
#include<cstring>
using namespace std;
char key[] =
{
0x9E, 0xE7, 0x30, 0x5F, 0xA7, 0x01, 0xA6, 0x53, 0x59, 0x1B,
0x0A, 0x20, 0xF1, 0x73, 0xD1, 0x0E, 0xAB, 0x09, 0x84, 0x0E,
0x8D, 0x2B, 0x00, 0x00
};
char Str[]="12345678abcdefghijklmnopqrspxyz";
__int64 __fastcall sub_140001120(DWORD *a1, char *a2, int a3)
{
__int64 result; // rax
int i; // [rsp+0h] [rbp-28h]
int j; // [rsp+0h] [rbp-28h]
int v6; // [rsp+4h] [rbp-24h]
int v7; // [rsp+8h] [rbp-20h]
int v8; // [rsp+Ch] [rbp-1Ch]
DWORD *v9; // [rsp+10h] [rbp-18h]
*a1 = 0;
a1[1] = 0;
v9 = a1 + 2;
for ( i = 0; i < 256; ++i )
v9[i] = i;
v6 = 0;
result = 0;
v7 = 0;
for ( j = 0; j < 256; ++j )
{
v8 = v9[j];
v7 = (unsigned __int8)(*(BYTE *)(a2 + v6) + v8 + v7);
v9[j] = v9[v7];
v9[v7] = v8;
if ( ++v6 >= a3 )
v6 = 0;
result = (unsigned int)(j + 1);
}
return result;
}
DWORD sub_140001240(DWORD *a1, char* a2, int a3)
{
DWORD *result; // rax
int i; // [rsp+0h] [rbp-28h]
int v5; // [rsp+4h] [rbp-24h]
int v6; // [rsp+8h] [rbp-20h]
int v7; // [rsp+Ch] [rbp-1Ch]
int v8; // [rsp+10h] [rbp-18h]
DWORD *v9; // [rsp+18h] [rbp-10h]
v5 = *a1;
v6 = a1[1];
v9 = a1 + 2;
for ( i = 0; i < a3; ++i )
{
v5 = (unsigned __int8)(v5 + 1);
v7 = v9[v5];
v6 = (unsigned __int8)(v7 + v6);
v8 = v9[v6];
v9[v5] = v8;
v9[v6] = v7;
*(BYTE *)(a2 + i) ^= LOBYTE(v9[(unsigned __int8)(v8 + v7)]);
}
*a1 = v5;
result = a1;
a1[1] = v6;
}
int i;
int main()
{
DWORD *v9;
v9=(DWORD *)malloc(0x408*sizeof(v9));
sub_140001120(v9,Str,strlen(Str));
for(int i = 0 ; i < strlen(key);i ++ )
{
key[i]^=34;
}
sub_140001240(v9,key,strlen(key));
printf("%s",key);
}
flag
flag{nice_to_meet_you}