从文件中追踪流得到 ELF 文件，是 RC4 加密，解密后得到一个 fake flag。
/*
 * RC4 PRGA as recovered by the decompiler: walks the byte permutation at a1
 * and XORs the generated keystream over a2 in place.
 *
 * a1: base address of the permutation table (S-box). Every index is reduced
 *     with an (unsigned __int8) cast, so only a1[0..255] is ever touched.
 * a2: buffer that is transformed in place (a2[k] ^= keystream[k]).
 * a3: number of bytes to process.
 * Returns the last keystream byte produced.
 * NOTE(review): when a3 == 0 the loop is skipped and `result` is never
 *     written, so the returned value is indeterminate (decompiler artifact;
 *     callers should not rely on it).
 *
 * Both counters start at 0 on every call (LOBYTE(v4) = 0, LOBYTE(v5) = 0),
 * i.e. the routine expects a1 to hold a freshly key-scheduled state.
 */
__int64 __fastcall sub_1360(__int64 a1, _BYTE *a2, __int64 a3)
{
_BYTE *v3; // r10 -- one past the end of a2
unsigned int v4; // er9 -- RC4 'j'
unsigned int v5; // er8 -- RC4 'i'
char *v6; // rax -- &S[i]
char v7; // dl -- S[i] as read before the swap
char *v8; // rcx -- &S[j]
__int64 result; // rax -- current keystream byte
if ( a3 )
{
v3 = &a2[a3]; // end pointer for the do/while below
LOBYTE(v4) = 0;
LOBYTE(v5) = 0;
do
{
v5 = (unsigned __int8)(v5 + 1); // i = (i + 1) mod 256
v6 = (char *)(a1 + v5);
v7 = *v6;
v4 = (unsigned __int8)(*v6 + v4); // j = (j + S[i]) mod 256
v8 = (char *)(a1 + v4);
*v6 = *v8; // swap S[i] and S[j]
*v8 = v7;
// after the swap *v6 holds the old S[j] and v7 the old S[i],
// so this reads S[(S[i] + S[j]) mod 256] -- the RC4 output byte
result = *(unsigned __int8 *)(a1 + (unsigned __int8)(*v6 + v7));
*a2++ ^= result;
}
while ( v3 != a2 );
}
return result;
}
只是文件中不止一个密钥和密文（密文的位置通过向前偏移确定）。前面一段密文不变而密钥变化，其中一大段重复出现同一个密钥，可以确定这就是正确的密钥；后面密钥不变而密文开始变化，并且每次多对一个字符，因此取最后一个密文来解密。
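#key = b'ThisIsKEEEY'
#key = b'Th1sTruEK3Y'
#key = b'Th1sIsKEEEY'
#key = b'Th1sTrKEEEY'
#key = b'Th1sTruEEEY'
#key = b'Th1sTruEKEY'
key = b'Th1sTruEK3Y'


def rc4_ksa(key):
    """RC4 key scheduling: build the 256-byte permutation from `key`.

    This is the state that the decompiled routine sub_1360 receives as a1.

    key: non-empty bytes-like object; it is repeated cyclically over 256 bytes.
    Returns a list of 256 ints (a permutation of 0..255).
    Raises ValueError if key is empty.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(S, data):
    """RC4 PRGA + XOR, the Python counterpart of sub_1360(a1, a2, a3).

    S: permutation from rc4_ksa; it is copied, so the caller's state is left
       untouched (sub_1360 swaps in place on a1).
    data: bytes-like input (RC4 is symmetric, so this both encrypts and decrypts).
    Returns the XORed result as bytes (empty input -> b'').

    i and j are reduced mod 256 with & 0xff, exactly like the
    (unsigned __int8) casts in the decompilation.  The earlier form of this
    script indexed a1[i+1] without the mask, which raises IndexError for
    inputs of 256 bytes or more.
    """
    S = list(S)
    out = bytearray(data)
    i = j = 0
    for k in range(len(out)):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out[k] ^= S[(S[i] + S[j]) & 0xff]
    return bytes(out)


if __name__ == "__main__":
    a1 = rc4_ksa(key)
    # The ciphertexts change from dump to dump, each one having one more
    # correct character than the previous; take the last one.
    with open(key + b'.5dat', 'rb') as f:
        a2 = f.read()
    print(rc4_crypt(a1, a2))
#ctfshow{IDAPro_Pc4p_1ntErestIIIIn9}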