The binary is a 32-bit PE. Opening it in IDA shows, as the title says, a lot of junk instructions, but only two patterns of them.

In the junk pattern above, ebx is saved first, then xor ebx,ebx sets ebx to 0, so the jz that follows always jumps to 401219; the instructions at the arrow can therefore be NOPed out.

The call above jumps to 40135e, so the return address pushed at [esp] is the address of the instruction after the call, 40135d. add [esp],8 turns it into 40135d+8=401365, and ret then sets eip to 401365. Re-identify the code there by hand and NOP the instructions at the arrow.

Press P to create the function, and the decompiled main is obtained.
After the flag is entered, the program calls the function at 401030, then runs a loop of XORs, and enters 40128f for the comparison.
401030 is RC4 encryption, but the shift (the step of i in the keystream loop), the key, and the index used when XORing with the ciphertext have been changed.


The original key is Hello_Ctfers!!!, which is 15 bytes long, but the length passed into the function is 16, so a \x00 must be appended to the key.
RC4 ciphertext bytes lie in the range 0-255, but the given ciphertext values are larger than 255, so they must be masked with &0xff.
exp
# RC4 (modified variant used by the binary)
def rc4(key, ciphertext):
    # KSA: standard, key is indexed modulo the 16-byte padded length
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % 16]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
    # PRGA: i advances by 3 and j gets an extra +1 each round
    i = 0
    j = 0
    keystream = []
    for _ in range(len(ciphertext)):
        i = (i + 3) % 256
        j = (j + sbox[i] + 1) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        k = sbox[(sbox[i] + sbox[j]) % 256]
        keystream.append(k)
    # Decrypt the ciphertext; mask to a byte because the stored values exceed 255
    plaintext = []
    for i in range(len(ciphertext)):
        m = (ciphertext[i] ^ keystream[i]) & 0xff
        plaintext.append(m)
    print(plaintext)
    return ''.join([chr(p) for p in plaintext])

key_arr = []
v16 = [4026531853, 4026531904, 268435366, 268435439, 4026531962, 4026531961, 4026531924, 4026531967, 268435397, 4026531887, 4026531906, 268435389, 268435428, 268435348, 268435348, 268435343, 4026531878, 4026531850, 268435386, 268435336, 4026531856, 4026531967, 268435443, 268435365, 7, 75, 50]
key = "Hello_Ctfers!!!"
for x in key:
    key_arr.append(ord(x))
# Pad the 15-byte key with \x00 to the 16 bytes the binary actually uses
key_arr.append(0)
plaintext = rc4(key_arr, v16)
print(plaintext)
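The exp above hard-codes the two changes found in 401030. The following is an added example, not the writeup's own exp: a parameterised RC4 in which the step of i and the extra constant added to j are arguments, so that the same function, with the standard values (1, 0), can be checked against a published RC4 test vector before it is trusted on the challenge data. The key, the ciphertext array v16, and the 16-byte key length are taken from the writeup; the function and test names are my own.

```python
# Added example (not the writeup's exp): RC4 with the two PRGA knobs that
# the writeup found modified in 401030 exposed as parameters.
#   i_step  - how far i advances each keystream round (standard RC4: 1, binary: 3)
#   j_extra - constant added to j each round          (standard RC4: 0, binary: 1)
# The KSA is unchanged; the key is cycled over its full (padded) length.

def rc4_variant(key: bytes, data: bytes, i_step: int = 1, j_extra: int = 0) -> bytes:
    """RC4 with a configurable PRGA index update; (1, 0) is plain RC4."""
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % len(key)]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + i_step) % 256
        j = (j + sbox[i] + j_extra) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        k = sbox[(sbox[i] + sbox[j]) % 256]
        # Mask to one byte: the binary stores each ciphertext value in a
        # 32-bit slot whose upper bits are not part of the RC4 output.
        out.append((c ^ k) & 0xFF)
    return bytes(out)


def standard_rc4_selftest() -> bool:
    """Known-answer test from the public RC4 test vectors (key 'Key', text 'Plaintext')."""
    return rc4_variant(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def decrypt_challenge() -> bytes:
    """Apply the (3, 1) variant to the writeup's data; returns the recovered bytes."""
    # 15-byte key from the writeup, padded with NUL to the 16 bytes the binary indexes
    key = b"Hello_Ctfers!!!" + b"\x00"
    # Ciphertext array v16 from the writeup (27 values, each wider than a byte)
    v16 = [4026531853, 4026531904, 268435366, 268435439, 4026531962, 4026531961,
           4026531924, 4026531967, 268435397, 4026531887, 4026531906, 268435389,
           268435428, 268435348, 268435348, 268435343, 4026531878, 4026531850,
           268435386, 268435336, 4026531856, 4026531967, 268435443, 268435365,
           7, 75, 50]
    # Masking before the XOR gives the same bytes as masking after it
    return rc4_variant(key, bytes(c & 0xFF for c in v16), i_step=3, j_extra=1)


if __name__ == "__main__":
    assert standard_rc4_selftest(), "reference RC4 does not match the test vector"
    print(decrypt_challenge())
```

Running the self-test first is the point: if the reference parameters fail the known vector, the reimplementation (not the binary) is wrong, and any "flag" the variant produces would be noise. Because the variant is still a stream cipher keyed by XOR, encrypting and decrypting with the same (key, i_step, j_extra) must round-trip, which is a second cheap check on the parameterisation.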