首先是简单的花指令和反调试,就不细说了;把代码逆出来之后,可以看出是RC4加密:
然后就是本题最大的坑点,一如既往地贯彻落实了脑筋急转弯的风格:这里我按四位密钥爆破完了,其实密钥是五位。
五位我写了个程序开了0xff个线程,还是没有在我等得及的时间内爆破完。
=0=
源程序的原意是:给定一个四位的密钥,用它解密后得到的是一个错误的字符串。
实际上它的本意是:把这四个给定的密钥字节和另外一位需要爆破的字节放在一起,在爆破的同时再做全排列=0=
实在是醉了=0=
见代码,一清二楚:
# -*- coding:utf-8 -*-
from threading import Thread
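def rc4(data, key):
    """Run RC4 over *data* with *key* and return the result as text.

    RC4 is symmetric, so the same call both encrypts and decrypts.

    Args:
        data: input as a ``str`` (each character is converted to one value
            with ``ord``) or an iterable of ints.
        key: key as a ``str`` or a non-empty iterable of ints.

    Returns:
        The output as a plain string when every output value lies in the
        visible-ASCII range 0x21..0x7e; otherwise the output rendered as
        upper-case hex, two digits per value.  Empty *data* yields ``""``.

    Raises:
        ValueError: if *key* is empty (the key schedule would otherwise
            fail with an opaque ZeroDivisionError).

    Note:
        RC4 is a broken stream cipher.  It is implemented here only to
        mirror the algorithm recovered from the challenge binary and must
        not be used to protect real data.
    """
    # isinstance() instead of comparing type objects, so str subclasses are
    # handled as text too; anything else is treated as a sequence of ints.
    if isinstance(data, str):
        data_bytes = [ord(ch) for ch in data]
    else:
        data_bytes = list(data)
    if isinstance(key, str):
        key_bytes = [ord(ch) for ch in key]
    else:
        key_bytes = list(key)
    if not key_bytes:
        raise ValueError("rc4 key must not be empty")

    # Key-scheduling: permute the 256-entry state under control of the key.
    box = list(range(256))
    key_len = len(key_bytes)
    j = 0
    for i in range(256):
        j = (j + box[i] + key_bytes[i % key_len]) % 256
        box[i], box[j] = box[j], box[i]

    # Keystream generation: one keystream value XORed into each input value.
    i = 0
    j = 0
    out = []
    for value in data_bytes:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(value ^ box[(box[i] + box[j]) % 256])

    # Space (0x20) and control characters count as "not printable" here, so
    # any output containing them is reported as hex instead of text.
    if all(0x21 <= value <= 0x7e for value in out):
        return "".join(chr(value) for value in out)
    return "".join("{0:02X}".format(value) for value in out)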
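def run(key_1):
    """Try every 5-byte key built from the four known bytes plus *key_1*.

    The four fixed values 0x40, 0x33, 0x21, 0x46 are the key bytes given by
    the challenge; *key_1* is the guess for the missing fifth byte.  Every
    5-tuple drawn from those five values (5**5 = 3125 keys, repetition
    allowed, which includes all permutations) is used to RC4-decrypt the
    fixed ciphertext.  Each result containing the marker "XDCT" is printed
    together with the key that produced it.

    Args:
        key_1: candidate value (int) for the unknown key byte.
    """
    # Local import: the module header only imports threading.Thread.
    import itertools

    ciphertext = "\x86\x0d\xcd\x27\xce\x09\x25\x64\x5f\x7d\xcd\x03\xa8\x1e\x14\x18\x4c\xe9\x6d\x24\x04\x43\x54\xc7\x67\xaa\x05\x38\x7d\xa4\xa1\xd5\xfc\x59"

    # An earlier attempt (kept in the original listing as a disabled block)
    # brute-forced key bytes 2..5 independently over range(0x21, 0x7e) for
    # each key_1, i.e. 93**4 (about 7.5e7) RC4 runs per thread.  Per the
    # author's note it ran for several days without producing a result,
    # which is why the search below is restricted to the known bytes.
    candidates = [0x40, 0x33, 0x21, 0x46, key_1]

    # product(..., repeat=5) visits keys in the same order as five nested
    # loops over `candidates`, with the last position varying fastest.
    for key in itertools.product(candidates, repeat=5):
        temp = rc4(ciphertext, list(key))
        # rc4() returns hex when the plaintext is not fully printable, and
        # hex digits never contain "XDCT", so only readable hits match.
        if "XDCT" in temp:
            # One pre-formatted string gives the same space-separated line
            # on Python 2 and Python 3.
            print(" ".join([hex(value) for value in key] + [temp]))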
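if __name__ == '__main__':
    # One worker per candidate value of the unknown key byte, covering the
    # visible-ASCII range 0x21..0x7e that rc4() treats as printable.  The
    # upper bound is 0x7f because range() excludes its end value; the
    # original range(0x21, 0x7e) never tried 0x7e ('~').
    # NOTE(review): on a standard CPython build the GIL keeps these threads
    # from running the pure-Python RC4 loops in parallel, so the threads
    # mainly structure the search rather than speed it up.
    for key_1 in range(0x21, 0x7f):
        worker = Thread(target=run, args=(key_1,))
        # Threads are non-daemon, so the interpreter waits for all of them
        # before exiting even though they are never joined explicitly.
        worker.start()

    # Answer recorded by the author: key = [0x58, 0x40, 0x33, 0x21, 0x46].
    # The original listing kept a disabled snippet that decrypted the
    # ciphertext from run() with this key via rc4() and printed the result.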