有壳：区段名字节 55 50 58 即 ASCII 的 "UPX"，用 010 Editor 把 vmp 改回 upx
ctrl+f2,查找main函数
点第三个
Ctrl+x交叉引用
把花指令改成 90（x86 的 NOP）
一共三处
找到 db 处按 C 转成代码
找到函数起始处按 P 创建函数，按 F5 反编译
SMC（自修改代码）用 IDAPython 脚本解开
from ida_bytes import *

# IDAPython snippet, run inside IDA on the open database: undo the SMC layer
# by XOR-ing each of the 170 bytes starting at 0x401890 with 0x66 and writing
# the result back so the disassembler sees the real code.
addr = 0x00401890
SMC_LENGTH = 170
SMC_XOR_KEY = 0x66

for offset in range(SMC_LENGTH):
    ea = addr + offset
    patch_byte(ea, get_wide_byte(ea) ^ SMC_XOR_KEY)
c+p进入主函数
sub_401940 = printf
sub_401990 = scanf
sub_4016B0 为加密函数，点进去
分别是换表的base64加密,rc4,xtea
找 RC4 和 XTEA 的 key，发现是随机数；交叉引用找到 TLS1 和 TLS2
用 IDAPython 把 unk_404000 处的数据读出来
from ida_bytes import *
from idaapi import *

# IDAPython snippet: dump the 64-byte blob at unk_404000 as 16 dwords (in the
# database's byte order) so it can be pasted into the uint32_t enc[] array of
# the XTEA decrypter below.
addr = 0x00404000
DWORD_COUNT = 64 // 4

data = [get_dword(addr + 4 * k) for k in range(DWORD_COUNT)]
print(data)
[3036486489, 3653154923, 3598177203, 408905200, 1396350368, 645614189, 1318861428, 3625534240, 3046501746, 1445070236, 2433841867, 213678751, 3463276874, 699118653, 845347425, 3058494644]
xtea:
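#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/*
 * XTEA stage of the solver: decrypt the 64-byte blob dumped from unk_404000
 * with the key the binary derives from rand() after srand(0x1919810), then
 * print the resulting bytes (they are the RC4 ciphertext for the next step)
 * followed by the RC4 key drawn from the same rand() stream.
 *
 * NOTE(review): the key schedule is whatever rand() this program links
 * against. It only reproduces the target's keys if both use the same CRT
 * rand() implementation (the target's CRT is not shown in these notes);
 * confirm the printed RC4_key against the value observed in the debugger
 * before trusting the decrypted bytes.
 */

#define XTEA_DELTA  0x9E3779B9u
#define XTEA_ROUNDS 0x64   /* 100 rounds, as in the target (stock XTEA uses 32) */
#define ENC_WORDS   16     /* 64 bytes of ciphertext = 8 XTEA blocks */

/* Decrypt ENC_WORDS uint32 words in place with a 128-bit (4-word) key. */
void XTEA_decrypt(uint32_t *enc, uint32_t *XTEA_key);

int main(void)
{
    uint8_t RC4_key[16];
    uint8_t key_bytes[16];        /* XTEA key exactly as the rand() byte stream */
    uint32_t XTEA_key[4];         /* same 16 bytes viewed as 4 words */
    uint32_t enc[ENC_WORDS] = {
        3036486489, 3653154923, 3598177203, 408905200,
        1396350368, 645614189, 1318861428, 3625534240,
        3046501746, 1445070236, 2433841867, 213678751,
        3463276874, 699118653, 845347425, 3058494644
    };

    /* Both keys are interleaved draws from one rand() stream:
     * RC4 byte first, then XTEA byte, 16 times. Order must be preserved. */
    srand(0x1919810u);
    for (int i = 0; i < 16; ++i) {
        RC4_key[i]   = (uint8_t)(rand() % 255);
        key_bytes[i] = (uint8_t)(rand() % 255);
    }
    /* memcpy instead of casting the byte array to uint32_t*: same bytes,
     * same in-memory word order, but no alignment/aliasing violation. */
    memcpy(XTEA_key, key_bytes, sizeof XTEA_key);

    XTEA_decrypt(enc, XTEA_key);

    /* Emit the plaintext in memory order; a byte-typed view of the word
     * array is permitted by the aliasing rules. */
    const uint8_t *plain = (const uint8_t *)enc;
    for (size_t i = 0; i < sizeof enc; i++) {
        printf("%d, ", plain[i]);
    }
    putchar('\n');

    /* The RC4 key is 16 bytes, so print it in its own loop rather than
     * inside the 64-iteration loop above (which would read past the array). */
    printf("RC4_key = ");
    for (size_t i = 0; i < sizeof RC4_key; i++) {
        printf("%d, ", RC4_key[i]);
    }
    putchar('\n');
    return 0;
}

void XTEA_decrypt(uint32_t *enc, uint32_t *XTEA_key)
{
    for (int i = 0; i < ENC_WORDS; i += 2) {
        uint32_t v0 = enc[i];
        uint32_t v1 = enc[i + 1];
        /* sum starts at delta*rounds; the product wraps mod 2^32 on purpose. */
        uint32_t sum = XTEA_DELTA * XTEA_ROUNDS;

        for (int r = 0; r < XTEA_ROUNDS; ++r) {
            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + XTEA_key[(sum >> 11) & 3]);
            sum -= XTEA_DELTA;
            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + XTEA_key[sum & 3]);
        }
        enc[i] = v0;
        enc[i + 1] = v1;
    }
}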
enc=[188, 237, 0, 123, 134, 244, 22, 147, 149, 249, 135, 220, 103, 168, 162, 127, 77, 226, 98, 159, 123, 52, 174, 233, 69, 3, 126, 53, 66, 208, 139, 112, 240, 251, 46, 199, 221, 233, 185, 115, 227, 204, 26, 117, 173, 220, 253, 20, 168, 200, 69, 22, 49, 110, 42, 8, 44, 15, 29, 159, 7, 186, 213, 239]
RC4_key = [118, 137, 51, 73, 25, 19, 195, 199, 173, 216, 228, 104, 252, 72, 4, 188]
rc4:
def rc4_decrypt(ciphertext, key):
    """Return RC4(ciphertext) under *key* as bytes.

    RC4 is symmetric, so this routine encrypts as well. ``ciphertext`` is any
    iterable of byte values; ``key`` is an indexable sequence of byte values
    (here the 16 ints drawn from rand() in the XTEA step).
    """
    # Key-scheduling: permute the 0..255 identity table by the repeating key.
    sbox = list(range(256))
    swap_at = 0
    key_len = len(key)
    for pos in range(256):
        swap_at = (swap_at + sbox[pos] + key[pos % key_len]) % 256
        sbox[pos], sbox[swap_at] = sbox[swap_at], sbox[pos]

    # Pseudo-random generation: one keystream byte per consumed input byte.
    def keystream():
        a = b = 0
        while True:
            a = (a + 1) % 256
            b = (b + sbox[a]) % 256
            sbox[a], sbox[b] = sbox[b], sbox[a]
            yield sbox[(sbox[a] + sbox[b]) % 256]

    return bytes(c ^ k for c, k in zip(ciphertext, keystream()))


# Output of the XTEA stage (the decrypted 64 bytes) and the RC4 key from the
# same rand() stream.
enc = [188, 237, 0, 123, 134, 244, 22, 147, 149, 249, 135, 220, 103, 168, 162, 127, 77, 226, 98, 159, 123, 52, 174, 233, 69, 3, 126, 53, 66, 208, 139, 112, 240, 251, 46, 199, 221, 233, 185, 115, 227, 204, 26, 117, 173, 220, 253, 20, 168, 200, 69, 22, 49, 110, 42, 8, 44, 15, 29, 159, 7, 186, 213, 239]
RC4_key = [118, 137, 51, 73, 25, 19, 195, 199, 173, 216, 228, 104, 252, 72, 4, 188]

decrypted_data = rc4_decrypt(enc, RC4_key)
print(decrypted_data)
b'C+vFCnHRGPghbmyQMXvFMRNd7fNCG8jcU+jcbnjRJTj2GTCOGUvgtOS0CTge7fNs'
base64:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Exchange the characters stored at two table positions. */
void swap(char *a, char *b);

/*
 * Reproduce the custom Base64 alphabet: start from the standard table, seed
 * rand() with 0x114514 and apply 100 random position swaps, then print it.
 * NOTE(review): the result depends on the rand() of the CRT this is linked
 * against; it reproduces the target's table only if both use the same CRT.
 */
int main(void)
{
    char base64table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const int swaps = 100;

    srand(0x114514u);
    for (int n = 0; n < swaps; ++n) {
        int first = rand() % 64;     /* draw order matters: first, then second */
        int second = rand() % 64;
        swap(&base64table[first], &base64table[second]);
    }
    printf("%s\n", base64table);
    return 0;
}

void swap(char *a, char *b)
{
    char held = *a;
    *a = *b;
    *b = held;
}
4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9
import base64

# Final stage: the RC4 output is Base64 over the shuffled alphabet recovered
# above. Map each custom-alphabet character back to the standard one, then
# use the stock decoder (64 chars, no padding -> 48 bytes).
text1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
text2 = '4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9'
enc = 'C+vFCnHRGPghbmyQMXvFMRNd7fNCG8jcU+jcbnjRJTj2GTCOGUvgtOS0CTge7fNs'

custom_to_standard = str.maketrans(text2, text1)
standard_b64 = enc.translate(custom_to_standard)
decoded_bytes = base64.b64decode(standard_b64)
print(decoded_bytes.decode("utf-8"))
- 将自定义 Base64 编码字符集中的字符映射到标准 Base64 编码字符集。
- 将自定义 Base64 编码字符串转换为标准 Base64 编码字符串。
- 对标准 Base64 编码字符串进行解码,得到原始的字节数据。
- flag{C0ngr@tulat1on!Y0u_Re_suCces3fu1Ly_Signln!}