H&NCTF2024-Re-Baby_OBVBS(VBS代码混淆)

拜读wp:

  1. 2024 H&NCTF WriteUP-CSDN博客
  2. https://www.52pojie.cn/thread-1924143-1-1.html

涉及到的知识点:
RC4流密码
hashcat工具的使用
解释性语言代码混淆

题目原代码:

代码被混淆了,直接把 Execute 改成输出语句(写到文件)就可以得到混淆前的源码了~
解混淆代码(代码太长,这里不贴完整版,expression 的其余部分请自行从题目中补全):

' First deobfuscation stage.
' The sample rebuilds its real script as one long string (`expression`,
' assembled from Chr() arithmetic) and hands it to Execute. Here the
' Execute call is replaced by writing the string to decode.txt, so the
' next layer can be read instead of run. The Chr() chain on the next
' line is elided ("......") by the author; copy it in full from the sample.
Dim expression
expression = Chr((37 + 64))......0)) & Chr((47 - 7)) & Chr((51 * 2.03921568627451)) & Chr((163 - 74)) & Chr((159 - 83)) & Chr((106 + 11)) & Chr((77 - 36))

' Output file, created in the current working directory.
Dim outputFilePath
outputFilePath = "decode.txt"

' True = overwrite an existing decode.txt.
Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine(expression)

outputFile.Close

成功解出混淆发现还有一个base64混淆:
继续用 VBS 解这一层混淆:思路同上,把解码得到的代码直接输出到文件即可!

' Decodes a Base64 string to text via two COM objects: an MSXML element
' typed as bin.base64 yields the raw bytes, and an ADODB.Stream re-reads
' those bytes as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim domDoc, b64Node, binStream
    Set domDoc = CreateObject("MSXML2.DOMDocument")
    Set b64Node = domDoc.createElement("tmp")
    b64Node.dataType = "bin.base64"
    b64Node.text = base64EncodedString
    Set binStream = CreateObject("ADODB.Stream")
    binStream.Type = 1 ' adTypeBinary: accept the decoded bytes
    binStream.Open
    binStream.Write b64Node.nodeTypedValue
    binStream.Position = 0
    binStream.Type = 2 ' adTypeText: re-read the same bytes as text
    binStream.Charset = "utf-8"
    Base64Decode = binStream.ReadText
    binStream.Close
End Function

' Second deobfuscation stage: the four Base64 chunks recovered from
' decode.txt (the literals are truncated by the author; paste the full
' values from that file).
nbbt="RnVuY3R.....24="

NFqt="RnVuY3Rpb24gT...dGlvbg=="

NsFw="RnVuY3Rpb24gRW5Dcn...5jdGlvbg=="

hYLu="bXNnYm94ICJEbyB5b3Uga25vdyBWQlNjcmlwdD8iDQptc2dib3ggIlZCU2NyaXB0ICgiIk1pY3Jvc29mdCBWaXN1YWwgQmFzaWMgU2NyaXB0aW5nIEV..."


' Every chunk is decoded and written, CR/LF separated, to decode1.txt
' (overwritten if present) instead of being executed.
Dim outputFilePath
outputFilePath = "decode1.txt"

Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine Join(Array(Base64Decode(nbbt), Base64Decode(NFqt), Base64Decode(NsFw), Base64Decode(hYLu)), vbCr & vbLf)

outputFile.Close

最后的解密结果是这个:

' Base64 -> text helper carried inside the challenge itself. An MSXML
' element typed bin.base64 does the decoding; an ADODB.Stream then
' re-reads the bytes as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim xmlDoc, b64Element, byteStream
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set b64Element = xmlDoc.createElement("tmp")
    b64Element.dataType = "bin.base64"
    b64Element.text = base64EncodedString
    Set byteStream = CreateObject("ADODB.Stream")
    With byteStream
        .Type = 1 ' adTypeBinary: accept the raw decoded bytes
        .Open
        .Write b64Element.nodeTypedValue
        .Position = 0
        .Type = 2 ' adTypeText: re-read the same bytes as text
        .Charset = "utf-8"
        Base64Decode = .ReadText
        .Close
    End With
End Function

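' RC4 key scheduling (KSA): returns the 256-entry state permutation for strPwd.
' The array is declared with upper bound 256, so it has 257 slots; only
' box(0..255) are filled and the trailing slot stays Empty. That shape is
' kept unchanged because EnCrypt consumes the array exactly as returned here.
' Note: an empty strPwd makes "i Mod Len(strPwd)" divide by zero.
' Changes from the decoded original: the loop index i is declared locally
' (it used to leak into script scope) and the unused variable b is dropped.
Function Initialize(strPwd)
    Dim box(256)
    Dim tempSwap
    Dim a
    Dim i

    ' Start from the identity permutation.
    For i = 0 To 255
        box(i) = i
    Next

    ' Mix the key in; the key byte is taken cyclically (Mid is 1-based).
    a = 0
    For i = 0 To 255
        a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
        tempSwap = box(i)
        box(i) = box(a)
        box(a) = tempSwap
    Next

    Initialize = box
End Function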
' MD5 of strToHash, computed by shelling out to certutil: the input is
' written in clear text to a file in the temporary folder (GetSpecialFolder(2)),
' hashed, and the file deleted. The digest is returned as the hex string
' certutil prints, with the spaces between bytes removed. The msgbox call
' shows certutil's raw output and looks like a debugging aid.
Function Myfunc(strToHash)
    Dim scratchPath, hashCmd, fs, wsh, cmdOutput, outputLines
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set wsh = CreateObject("WScript.Shell")
    scratchPath = fs.GetSpecialFolder(2).Path & "\" & fs.GetTempName
    fs.CreateTextFile(scratchPath).Write(strToHash)
    hashCmd = "certutil -hashfile " & scratchPath & " MD5"
    cmdOutput = wsh.Exec(hashCmd).StdOut.ReadAll
    msgbox cmdOutput
    fs.DeleteFile scratchPath
    ' Line index 1 is taken: certutil's first line is a header and the digest follows.
    outputLines = Split(Trim(cmdOutput), vbCrLf)
    Myfunc = Replace(outputLines(1), " ", "")
End Function
' RC4 keystream generation (PRGA) over strData using the permutation from
' Initialize. Each character code is XORed with one keystream byte and
' emitted as two lowercase hex digits. VBScript passes the array by
' reference, so the caller's box is left in the advanced state.
Function EnCrypt(box, strData)
    Dim idx, keyByte, i, j, swap, hexOut
    hexOut = ""
    For idx = 1 To Len(strData)
        ' i and j start as Empty, which arithmetic treats as 0.
        i = (i + 1) Mod 256
        j = (j + box(i)) Mod 256
        swap = box(i)
        box(i) = box(j)
        box(j) = swap
        keyByte = box((box(i) + box(j)) Mod 256)
        hexOut = hexOut & LCase(Right("0" & Hex(Asc(Mid(strData, idx, 1)) Xor keyByte), 2))
    Next
    EnCrypt = hexOut
End Function
' Decoded challenge entry point.
' eAqi: expected RC4 output (hex) of the flag; ANtg: MD5 of the 6-character key.
eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"

' Stage 1: the key is accepted only if it is 6 characters and its MD5 matches ANtg.
key = InputBox("Enter the key:", "CTF Challenge")
' NOTE(review): InputBox returns a zero-length string on Cancel; whether
' comparing that string with False catches it is not verified here.
If key = False Then WScript.Quit
If Len(key) <> 6 Then
    WScript.Echo "wrong key length!"
    WScript.Quit
End If
If Myfunc(key) <> ANtg Then
    WScript.Echo "Wrong key!Try again!"
    WScript.Quit
End If
WScript.Echo "You get the key!Move to next challenge."

' Stage 2: a 44-character flag, RC4-encrypted under the key, must hex-match eAqi.
userInput = InputBox("Enter the flag:", "CTF Challenge")
If userInput = False Then WScript.Quit
If Len(userInput) <> 44 Then
    WScript.Echo "wrong!"
    WScript.Quit
End If
box = Initialize(key)
encryptedInput = EnCrypt(box, userInput)

If encryptedInput <> eAqi Then
    MsgBox "Wrong flag. Try again."
Else
    MsgBox "Congratulations! You have learned VBS!"
End If

WScript.Echo "bye!"

发现主要逻辑:

  1. 首先输入的 key 作为 RC4 的密钥,但我们只知道 key 的 MD5 值(ANtg)以及 key 长度为 6
  2. 输入的 flag 必须是 44 个字节,用该 key 做 RC4 加密后的十六进制结果与 eAqi 比较,以判断 flag 是否正确

由于 key 的长度已知(6 位),可以直接用 Kali 自带的 hashcat 对这个 MD5 做掩码爆破来恢复 key(哈希不可逆,这里是暴力枚举而不是“解密”)!
使用方法:https://blog.csdn.net/smli_ng/article/details/106111493

baacc7ffa8232d28f814bb14c428798b:H&NKEY                   
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: baacc7ffa8232d28f814bb14c428798b
Time.Started.....: Thu May 16 00:49:03 2024 (2 mins, 11 secs)
Time.Estimated...: Thu May 16 00:51:14 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?a?a?a?a?a?a [6]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   128.9 MH/s (1.78ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 15483021312/735091890625 (2.11%)
Rejected.........: 0/15483021312 (0.00%)
Restore.Point....: 1714176/81450625 (2.10%)
Restore.Sub.#1...: Salt:0 Amplifier:6016-6144 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: 6W{t ! -> QjDLEY
Hardware.Mon.#1..: Util: 92%

Started: Thu May 16 00:48:31 2024
Stopped: Thu May 16 00:51:16 2024

爆破出 key 之后,接下来就用 Python 脚本做 RC4 解密得到 flag 了!

from Crypto.Cipher import ARC4

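def rc4_decrypt(key, encrypt_data):
    """Decrypt (or encrypt -- RC4 is symmetric) ``encrypt_data`` with RC4 under ``key``.

    Pure-Python RC4 (key scheduling + keystream generation), so the script no
    longer needs the third-party ``Crypto`` package. The keystream matches the
    VBS ``Initialize``/``EnCrypt`` pair, which is why the recovered key works here.
    RC4 is a legacy cipher; it is used only because the challenge uses it.

    Args:
        key: the RC4 key as ``bytes`` (a ``str`` is encoded as UTF-8);
            1..256 bytes long.
        encrypt_data: the ciphertext bytes (eAqi after ``bytes.fromhex``).

    Returns:
        The plaintext as ``bytes``.

    Raises:
        ValueError: if ``key`` is empty or longer than 256 bytes.
    """
    if isinstance(key, str):
        key = key.encode("utf-8")
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes long")

    # Key scheduling: permute the identity box under the (cyclically repeated) key.
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]

    # Keystream generation: one keystream byte per input byte, XORed in.
    out = bytearray()
    i = j = 0
    for byte in bytes(encrypt_data):
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(byte ^ box[(box[i] + box[j]) % 256])
    return bytes(out)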

# Example usage: the ciphertext is eAqi from the decoded VBS, the key is the
# value hashcat recovered for ANtg.
encrypt_data = bytes.fromhex(
    "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
)
key = b'H&NKEY'

decrypted_data = rc4_decrypt(key, encrypt_data)
print(decrypted_data.decode())