fishnet
upx壳,被魔改了。 动调定位的逻辑
一直f7,循环就跳过。然后程序跑起来了
搜字符串
交叉引用
发现有花指令,全patch掉
然后就可以正常f5看了
发现是RC4,但是有改动
enc=[0x39, 0x9C, 0xD0, 0x4E ,0x75, 0xF7, 0xE5, 0x92, 0x35, 0x3A, 0xC9, 0xF4, 0xD8, 0x38, 0x1D, 0xB4,0x34, 0xAF, 0x95, 0xFD,0x0C, 0x3B, 0x6F, 0x21,0xFE, 0x2D, 0x3C, 0x09,0x73, 0xE4, 0x25, 0xD5,0xD1, 0x7D, 0x23, 0xF8,0x37, 0xCA]
a=[0]*256
key="fishnet"
for i in range(256):
a[i]=i
v6 = 0
for j in range(256):
v6=(ord(key[j%len(key)])+v6+a[j])%256
v3 = a[j]
a[j] = a[v6]^v3
a[v6] ^= v3
v7 = 0
v8 = 0
for k in range(len(enc)):
v8 = (v8 + 1) % 256
v7 = (v7 + a[v8]) % 256
temp = a[v8]
a[v8] = a[v7]
a[v7] = temp
enc[k] -= a[(a[v7] + a[v8]) % 256]
enc[k]&=0xff
print(bytes(enc))#b'flag{7fb7801bc65a0a9364ae4c633e25574d}'
polenta
xxtea加密
这里会看高位是0还是1,0就会触发异常,我们的sum会进行异或
#include<string.h>
#include<stdio.h>
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
#include <stdint.h>
void decrypto_xtea(uint32_t* v, int n, uint32_t key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
int irr_key[] = { 0x9e3779b9,0x35e99631,0xd4210fea,0x7bdfece0,0x139003da,0xb1c77d93,0x4679920f,0xe4b10bc8,0x82e88581,0x28989a79,0xc6d01432 };
rounds = 6 + 52 / n;
y = v[0];
do
{
sum = irr_key[rounds - 1];
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--)
{
z = v[p - 1];
y = v[p] -= MX;
}
z = v[n - 1];
y = v[0] -= MX;
} while (--rounds);
}
int main()
{
char enc[] = { 0x91, 0xB8, 0x43, 0x9E, 0xF1, 0xEA, 0x37, 0xA9, 0x84, 0x6C,0xC4, 0xDD, 0xDA, 0xDF, 0x3D, 0x71, 0x3E, 0x2E, 0x07, 0xE0,0xC1, 0x42, 0xAD, 0xC8, 0xED, 0xAC, 0x9F, 0xA7, 0x4E, 0xAE,0x1D, 0x95, 0x88, 0xAB, 0xD0, 0xE7, 0x6D, 0x46, 0x65, 0x13 ,0 };
uint32_t xxtea_key[] = { 0x12345678, 0x90ABCDEF, 0xDEADBEEF, 0x87654321 };
decrypto_xtea((uint32_t*)enc, 10, xxtea_key);
for (int i = 0; i < 40; i++)
{
putchar(enc[i]);
}
return 0;
}
Mobile
so文件比对,base64直接解