The binary is UPX-packed, so unpack it first:
./upx -d encode
After unpacking, none of the functions have names.
Infer what each function does from its code, then hover over the function and press N to rename it.
Go into sub_8048AC2. Having read enough Base64 implementations, this is recognisable at a glance as Base64 encoding. The blue a0123456789Abcd is the alphabet; double-click it to get the custom alphabet 0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ (a permutation of the standard alphabet, so a stock Base64 decoder will not decode this output without remapping).
Next, go into sub_8048E24, which is an RC4 encryption.
Inside it, sub_8048CC2(v9, a3, a4);
initialises the S-box from the key (the RC4 KSA).
From if ( !strcmp(&v5[18], v6) )
we know the RC4-encrypted string must equal E8D8BD91871A010E560F53F4889682F961420AF2AB08FED7ACFD5E00.
In the call sub_8048E24(&v5[18], v4, v5, v3);
v5[18] is the data being encrypted, v4 its length, v5 the key and v3 the key length.
strcpy(v5, "Flag{This_a_Flag}");
so the key v5 is Flag{This_a_Flag}.
Decrypt the RC4 layer:
key0 = b'Flag{This_a_Flag}'  # RC4 key
c = bytes.fromhex('E8D8BD91871A010E560F53F4889682F961420AF2AB08FED7ACFD5E00')  # value compared by strcmp
# KSA: initialise the S-box (v9) using the key repeated to 256 bytes (v8)
v9 = [i for i in range(256)]
v8 = (key0 * 50)[:256]
j = 0
for i in range(256):
    j = (v9[i] + j + v8[i]) % 256
    v9[i], v9[j] = v9[j], v9[i]
# PRGA: generate one keystream byte (tab) per ciphertext byte
tab = [0] * 28
i, j = 0, 0
for t in range(28):
    i = (i + 1) % 256
    j = (v9[i] + j) % 256
    v9[i], v9[j] = v9[j], v9[i]
    tab[t] = v9[(v9[i] + v9[j]) % 256]
# RC4 is symmetric: XORing the keystream back recovers the pre-RC4 data
c = [tab[i] ^ v for i, v in enumerate(c)]
print(c)
#[35, 21, 37, 83, 8, 26, 89, 56, 18, 106, 57, 49, 39, 91, 11, 19, 19, 8, 92, 51, 11, 53, 97, 1, 81, 31, 16, 92]
This gives v5[18] as it was after the XOR step.
XOR it back with the same key:
c = [35, 21, 37, 83, 8, 26, 89, 56, 18, 106, 57, 49, 39, 91, 11, 19, 19, 8, 92, 51, 11, 53, 97, 1, 81, 31, 16, 92]
key = 'Flag{This_a_Flag}'
d = []  # key as byte values
e = []  # XOR result
for i in range(len(key)):
    d.append(ord(key[i]))
print(d)
for i in range(len(c)):
    e.append(c[i] ^ d[i % len(d)])  # repeating-key XOR, key index wraps at 17
    print(chr(e[i]), end='')
#eyD4sN1Qa5Xna7jtnN0RlN5i8lO=
Finally, Base64-decode with the custom alphabet to get the flag:
BJD{0v0_Y0u_g07_1T!}
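The three steps above (RC4, repeating-key XOR, custom-alphabet Base64) collected into one script, as an added example that is not part of the original writeup. It also runs the forward direction the binary performs (encode, XOR, RC4) and checks that the recovered flag reproduces the compared hex string, which is the check worth doing before submitting. Function names are mine; the only assumption beyond the writeup is that sub_8048CC2 is a textbook KSA that indexes the key as key[i % len(key)], which is what the (key0 * 50)[:256] schedule above also does.

```python
import base64

# Values recovered from the binary in the writeup above
CUSTOM_ALPHABET = b"0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
RC4_KEY = b"Flag{This_a_Flag}"  # strcpy(v5, "Flag{This_a_Flag}")
TARGET_HEX = "E8D8BD91871A010E560F53F4889682F961420AF2AB08FED7ACFD5E00"  # strcmp target


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA (assumed to match sub_8048CC2: key[i % len(key)])
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA, one keystream byte per data byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key index wraps at len(key), its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64decode(data: bytes) -> bytes:
    """Decode Base64 that uses the binary's alphabet by remapping it onto the
    standard one first. This only works because the custom alphabet is a
    permutation of the standard 64 characters."""
    table = bytes.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
    return base64.b64decode(data.translate(table))


def custom_b64encode(data: bytes) -> bytes:
    """Inverse of custom_b64decode: standard encode, then remap the alphabet."""
    table = bytes.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
    return base64.b64encode(data).translate(table)


def recover_flag(target_hex: str = TARGET_HEX, key: bytes = RC4_KEY) -> bytes:
    """Undo the layers in reverse order: RC4 -> XOR -> custom Base64."""
    ciphertext = bytes.fromhex(target_hex)
    xored = rc4(key, ciphertext)          # the [35, 21, ...] buffer
    encoded = xor_with_key(xored, key)    # "eyD4sN1Qa5Xna7jtnN0RlN5i8lO="
    return custom_b64decode(encoded)


def encode_flag(flag: bytes, key: bytes = RC4_KEY) -> str:
    """Forward direction as the binary computes it; the result is what strcmp sees."""
    return rc4(key, xor_with_key(custom_b64encode(flag), key)).hex().upper()


if __name__ == "__main__":
    flag = recover_flag()
    print(flag.decode())
    # Re-encrypt and confirm the binary would accept this input
    assert encode_flag(flag) == TARGET_HEX
```

Everything needed to invert the check (the RC4 key, the XOR key and the alphabet) is hard-coded in the binary, so the three layers add no secrecy over a plain strcmp; that is why the whole thing falls to static analysis without ever running the program.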
I don't know why my IDA plugin FindCrypt fails to recognise the Base64 and RC4 encryption.