A beginner-friendly reverse-engineering challenge built on a variant of RC4 and a variant of Base64
Running the binary, it looks like an ordinary string-comparison challenge.
Opening it in IDA, a few suspicious functions stand out.
Start with sub_401760: its body is just two simple for loops. The logic closely matches the RC4 key-scheduling (initialisation) routine, so the function can be renamed RC4_INIT.
Next, sub_40188D. Compared side by side with an RC4 encryption routine, it is RC4 encryption with one small difference at the XOR step: the index into the S-box is offset by 24.
Finally, sub_401530. The first thing to notice is a suspicious string.
The algorithm itself is a base64-like encoding; comparing its logic with a C implementation of base64 confirms this. The suspicious string is the base64 alphabet, only a modified one. The difference from real base64 is that sub_401711 shifts that alphabet: it rotates the table left by 24 positions.
With each function analysed, the logic of the main function becomes clear.
The program first encrypts the input with the variant RC4, then encodes the result with the variant base64, and compares the output against the ciphertext B4QrGVzkpZVeHssap5HEgWfSQQ0zmMAA.
So we can write the script.
Complete EXP (adapted from the standard Base64 script in an earlier post of mine; if you are interested in Base64 variants, see https://blog.csdn.net/weixin_43884935/article/details/101022672)
#coding:utf-8
import re

def RC4_INIT(key):
    # Key-scheduling algorithm (KSA): identical to stock RC4
    key = list(key)
    for i in range(len(key)):
        key[i] = ord(key[i])
    k = [0 for i in range(256)]
    s = [0 for i in range(256)]
    j = 0
    length = len(key)
    for i in range(256):
        s[i] = i
        k[i] = key[i % length]
    for i in range(256):
        j = (j + s[i] + k[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def RC4_DECRYPTE(Data, key):
    # PRGA; XOR is its own inverse, so the same routine encrypts and decrypts
    Data = list(Data)
    for i in range(len(Data)):
        Data[i] = ord(Data[i])
    s = RC4_INIT(key)
    i = j = t = 0
    length = len(Data)
    for k in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j] + 24) % 256  # differs from standard RC4: the S-box index is offset by 24
        Data[k] = Data[k] ^ s[t]
    return Data

def base64_encode(s, dictionary):
    r = ""
    p = ""
    c = len(s) % 3
    if (c > 0):
        for i in range(c, 3):
            p += '='
            s += "\0"
    for c in range(0, len(s), 3):
        n = (ord(s[c]) << 16) + (ord(s[c+1]) << 8) + (ord(s[c+2]))
        n = [(n >> 18) & 0x3F, (n >> 12) & 0x3F, (n >> 6) & 0x3F, n & 0x3F]
        r += dictionary[n[0]] + dictionary[n[1]] + dictionary[n[2]] + dictionary[n[3]]
    return r[0:len(r) - len(p)] + p

def base64_decode(s, dictionary):
    base64inv = {}
    for i in range(len(dictionary)):
        base64inv[dictionary[i]] = i
    s = s.replace("\n", "")
    # re.escape keeps alphabet characters such as '+' or '-' safe inside the character class
    if not re.match(r"^([{alphabet}]{{4}})*([{alphabet}]{{3}}=|[{alphabet}]{{2}}==)?$".format(alphabet=re.escape(dictionary)), s):
        raise ValueError("Invalid input: {}".format(s))
    if len(s) == 0:
        return ""
    p = "" if (s[-1] != "=") else "AA" if (len(s) > 1 and s[-2] == "=") else "A"
    r = ""
    s = s[0:len(s) - len(p)] + p
    for c in range(0, len(s), 4):
        n = (base64inv[s[c]] << 18) + (base64inv[s[c+1]] << 12) + (base64inv[s[c+2]] << 6) + base64inv[s[c+3]]
        r += chr((n >> 16) & 255) + chr((n >> 8) & 255) + chr(n & 255)
    return r[0:len(r) - len(p)]

def test_base64():
    # Sanity check of the codec against the standard library, using the standard alphabet
    import base64
    import string
    import random
    dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    def random_string(length):
        return ''.join(random.choice(string.ascii_letters) for m in range(length))
    for i in range(100):
        s = random_string(i)
        encoded = base64_encode(s, dictionary)
        assert(encoded == base64.b64encode(s.encode()).decode())
        assert(s == base64_decode(encoded, dictionary))

if __name__ == "__main__":
    dictionary = 'Mq/J0tTI1RkSimKFwnczo2VXpPshL4_UgjH6DEG39yr+aOYWCfBeN5lb8v7QdxZuA'  # alphabet after the left rotation
    Data = base64_decode("B4QrGVzkpZVeHssap5HEgWfSQQ0zmMAA", dictionary)
    key = 'Please input the flag:\n'
    flag = RC4_DECRYPTE(Data, key)
    for i in flag:
        print(chr(i), end='')
    print()
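As an added example (not the author's script or the challenge's code), the two modified primitives from the analysis above as reusable functions, each taking the modification as a parameter so the stock and variant behaviour can be compared directly, plus a round trip that applies them in the order the binary does. Assumptions: the standard base64 alphabet stands in for the scrambled string in the binary, since only the rotation step of sub_401711 is demonstrated; the plaintext and the checks are constructed, and the key string is the one from the writeup.

```python
# Constructed stand-in for the scrambled alphabet in the binary (assumption)
STD_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def rotate_table(table, shift=24):
    """sub_401711's step: rotate the alphabet left, so index 0 becomes the old index 24."""
    shift %= len(table)
    return table[shift:] + table[:shift]

def rc4_keystream(key, n, offset=0):
    """First n keystream bytes; offset=24 is the sub_40188D variant, 0 is stock RC4."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA, unchanged in the variant
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = [], 0, 0
    for _ in range(n):                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j] + offset) & 0xFF])  # the one modified line
    return out

def rc4_xor(data, key, offset=24):
    # XOR with the keystream is its own inverse: one function encrypts and decrypts
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, len(data), offset)))

def b64_encode(data, table):
    pad = (-len(data)) % 3
    out = []
    for k in range(0, len(data), 3):
        n = int.from_bytes(data[k:k + 3].ljust(3, b"\0"), "big")
        out.append("".join(table[(n >> sh) & 0x3F] for sh in (18, 12, 6, 0)))
    enc = "".join(out)
    return enc[:len(enc) - pad] + "=" * pad

def b64_decode(text, table):
    inv = {c: i for i, c in enumerate(table[:64])}
    pad = len(text) - len(text.rstrip("="))
    text = text.rstrip("=") + table[0] * pad      # table[0] is the zero digit
    out = bytearray()
    for k in range(0, len(text), 4):
        n = 0
        for c in text[k:k + 4]:
            n = (n << 6) | inv[c]
        out += n.to_bytes(3, "big")
    return bytes(out[:len(out) - pad])

def roundtrip(plaintext, key, table):
    """Encrypt and encode as the binary does, then undo it; returns (encoded, recovered)."""
    enc = b64_encode(rc4_xor(plaintext, key), table)
    return enc, rc4_xor(b64_decode(enc, table), key)
```

Because s is a permutation, s[x + 24] never equals s[x], so the variant keystream differs from stock RC4 from the very first byte; this is why a stock RC4 decryption of the challenge data produces garbage.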
Challenge download
Link: https://pan.baidu.com/s/1uE49L77x5V2trS_Vopxqag
Extraction code: vnuo