下载得到py文件
import base64,urllib.parse
key = "HereIsFlagggg"
flag = "xxxxxxxxxxxxxxxxxxx"
s_box = list(range(256))
j = 0
for i in range(256):# 初始化
j = (j + s_box[i] + ord(key[i % len(key)])) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
res = []
i = j = 0
for s in flag: # 开始加密
i = (i + 1) % 256
j = (j + s_box[i]) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
t = (s_box[i] + s_box[j]) % 256
k = s_box[t]
res.append(chr(ord(s) ^ k))
cipher = "".join(res) # 转换格式
crypt = (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8')) # base64了
enc = str(base64.b64decode(crypt),'utf-8') # base64解了
enc = urllib.parse.quote(enc) # url 编码
print(enc)
# enc = %C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA
分析一下就是给了key,然后rc4加密了,最后在用url编码,中间的base64 en来de去是迷惑的
代码最后也给了enc
写个脚本
import base64,urllib.parse
key = "HereIsFlagggg"
enc = "%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA"
enc = urllib.parse.unquote(enc) # url 先转过来
s_box = list(range(256))
j = 0
# 两个for循环在做rc4,不用改
for i in range(256):
j = (j + s_box[i] + ord(key[i % len(key)])) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
res = []
i = j = 0
for s in enc:
i = (i + 1) % 256
j = (j + s_box[i]) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
t = (s_box[i] + s_box[j]) % 256
k = s_box[t]
res.append(chr(ord(s) ^ k))
print(res)
cipher = "".join(res) # 去一下逗号和空格
print(cipher) # 输出
# NSSCTF{REAL_EZ_RC4}
总结:就是代码逆向
知识点: rc4 url编码 python utf-8,base64,url等语法的使用
import base64,urllib.parse
先引入这个库函数
enc = urllib.parse.quote(enc)
这个函数把enc变成url编码
enc = urllib.parse.unquote(enc)
把url编码变回去
cipher = "".join(res)
这句是消除res里面的逗号空格,比如:res
是一个包含了 ['A', 'B', 'C']
的列表,那么 "".join(res)
的结果就是 'ABC'
crypt = (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))
enc = str(base64.b64decode(crypt),'utf-8')
这个又encode又decode整的花里胡哨,其实没变到,注意utf-8语句的使用