HGAME 2022, Reverse: fake shell
Download the attachment:
As usual, drop it into exeinfope to check the file information:
As usual, run it in a virtual machine and look at the main output:
Combined with the hint in the challenge name, you can see this really is a fake shell: it just dispatches the commands through a few simple if branches.
As usual, open it in IDA64 and look at the pseudocode; there is a main function, so start with main:
Follow the RC4 encryption function mentioned above (the telltale sign is the 256-byte array):
So just set a breakpoint, extract the ciphertext that is being compared, and decrypt it. But decrypting with the key "happyhg4me!" did not work; after reading a more experienced player's notes, I used the hotkey 'X' to view the cross-references of that string and found that it seems to be modified partway through:
So with the new key it decrypts correctly:
#include <stdio.h>

/* KSA: build the 256-byte state permutation from the key */
void rc4_init(unsigned char* s, const unsigned char* key, unsigned long Len_k)
{
    int i = 0, j = 0;
    unsigned char k[256] = { 0 };   /* unsigned, so key bytes >= 0x80 cannot drive j negative */
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++) {
        s[i] = i;
        k[i] = key[i % Len_k];
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}

/* PRGA + XOR; RC4 is symmetric, so the same routine encrypts and decrypts */
void rc4_crypt(unsigned char* Data, unsigned long Len_D, const unsigned char* key, unsigned long Len_k)
{
    unsigned char s[256];
    rc4_init(s, key, Len_k);
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k < Len_D; k++) {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] = Data[k] ^ s[t];
    }
}

int main(void)
{
    /* key: the value actually in the buffer when RC4 runs, not the literal seen in the binary */
    unsigned char key[] = "w0wy0ugot1t";
    unsigned long key_len = sizeof(key) - 1;
    /* ciphertext extracted at the comparison breakpoint */
    unsigned char data[] = {182, 148, 250, 143, 61, 95, 178, 224, 234, 15, 210, 102, 152, 108, 157, 231, 27, 8, 64, 113, 197, 190, 111, 109, 124, 123, 9, 141, 168, 189, 243, 246};
    /* decrypt in place */
    rc4_crypt(data, sizeof(data), key, key_len);
    for (unsigned long i = 0; i < sizeof(data); i++) {
        printf("%c", data[i]);
    }
    printf("\n");
    return 0;
}
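The situation above, where the key literal visible in the binary is overwritten before the cipher actually runs, is common enough that it is worth having a solve script that tries every key you have observed and keeps the one that yields readable output. The following is an added example, not code from the write-up or the challenge: it implements RC4 in Python, checks the implementation against a published RC4 test vector, and then runs the candidate-key check on a constructed ciphertext. The decoy and real key strings are the two from the write-up; the sample plaintext is made up for this example, since the write-up does not show the decrypted flag.

```python
"""Added example (not from the original write-up): RC4 plus a candidate-key
check for the case where the key literal seen in the binary is overwritten
before the cipher is called."""
from string import printable

# Constructed sample values for this example.
DECOY_KEY = b"happyhg4me!"   # literal visible in the binary (from the write-up)
REAL_KEY = b"w0wy0ugot1t"    # value actually in the buffer at call time (from the write-up)
SAMPLE_PLAINTEXT = b"example{this_is_a_constructed_sample_flag}"  # constructed, not the real flag


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: the 256-entry permutation that marks RC4 in a disassembly."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    """PRGA + XOR. RC4 is symmetric, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def plausible_plaintext(data: bytes) -> bool:
    """Cheap sanity check: a correct key gives printable ASCII, a wrong key gives noise."""
    return all(chr(b) in printable for b in data)


def find_candidate_keys(ciphertext: bytes, keys: list[bytes]) -> dict[bytes, bytes]:
    """Try every observed key and keep those whose output looks like text."""
    hits = {}
    for key in keys:
        pt = rc4_crypt(ciphertext, key)
        if plausible_plaintext(pt):
            hits[key] = pt
    return hits


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3
    assert rc4_crypt(b"Plaintext", b"Key") == bytes.fromhex("BBF316E8D940AF0AD3")
    ct = rc4_crypt(SAMPLE_PLAINTEXT, REAL_KEY)
    for key, pt in find_candidate_keys(ct, [DECOY_KEY, REAL_KEY]).items():
        print(key.decode(), "->", pt.decode())
```

In a real solve you would paste the ciphertext bytes extracted at the breakpoint into `ct` and list every key string you saw in the binary, at the static literal and at each cross-reference that writes to it; the one that decrypts to readable text is the one the program actually used.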
Solved!
Salute!