HardSignin _ 入土为安的第十二天

简介: HardSignin _ 入土为安的第十二天

有壳  55 50 58   用010 把vmp改成upx

ctrl+f2,查找main函数

点第三个

Ctrl+x交叉引用

把花指令改了90

一共三处

找db按c

找函数按p封装,按f5反编译函数

smc 用pythonida绕一下

from ida_bytes import *
addr = 0x00401890
for i in range(170):
    patch_byte(addr + i,get_wide_byte(addr + i)^0x66)

c+p进入主函数

sub 401940=printf

sub_401990=scanf

sub 4016B0为加密函数,点进去

分别是换表的base64加密,rc4,xtea

找rc4还有xtea的key,发现是随机数 交叉索引找到TLS1和TLS2

pythonida 得到答案unk_404000

from ida_bytes import *
from idaapi import *
addr=0x00404000
data=[]
for i in range(64//4):
    data.append(get_dword(addr+i*4))
print(data)

[3036486489, 3653154923, 3598177203, 408905200, 1396350368, 645614189, 1318861428, 3625534240, 3046501746, 1445070236, 2433841867, 213678751, 3463276874, 699118653, 845347425, 3058494644]

xtea:

#include<stdio.h>
#include<stdlib.h>
#include<stdint.h>
#include<string.h>
 
void XTEA_decrypt(uint32_t* enc, uint32_t* key);
 
int main() {
    uint8_t RC4_key[16] = { 0 };
    char XTEA_key[16] = { 0 };
    uint32_t enc[] = { 3036486489, 3653154923, 3598177203, 408905200, 1396350368, 645614189, 1318861428, 3625534240, 3046501746, 1445070236, 2433841867, 213678751, 3463276874, 699118653, 845347425, 3058494644 };
    srand(0x1919810u);
    for (int i = 0; ; ++i){
        if (i >= 16)
            break;
        RC4_key[i] = rand() % 255;
        XTEA_key[i] = rand() % 255;
    }
    XTEA_decrypt(enc, (uint32_t*)XTEA_key);//指针强转
    uint8_t* temp = (uint8_t*)enc;
    for (int i = 0; i < 64; i++) {
        printf("%d, ", temp[i]);
        //printf("%d, ", RC4_key[i]);
    }
    return 0;
}
void XTEA_decrypt(uint32_t* enc, uint32_t* XTEA_key) {
    uint32_t v7, v6, v5;
    for (int i = 0; i < 16; i += 2){
        v7 = enc[i];
        v6 = enc[i + 1];
        v5 = 0x9E3779B9 * 0x64;
        for (int j = 0; j < 0x64; ++j)
        {
            v6 -= (XTEA_key[(v5 >> 11) & 3] + v5) ^ (v7 + ((v7 >> 5) ^ (16 * v7)));
            v5 -= 0x9E3779B9;
            v7 -= (XTEA_key[v5 & 3] + v5) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));
        }
        enc[i] = v7;
        enc[i + 1] = v6;
    }
}

enc=[188, 237, 0, 123, 134, 244, 22, 147, 149, 249, 135, 220, 103, 168, 162, 127, 77, 226, 98, 159, 123, 52, 174, 233, 69, 3, 126, 53, 66, 208, 139, 112, 240, 251, 46, 199, 221, 233, 185, 115, 227, 204, 26, 117, 173, 220, 253, 20, 168, 200, 69, 22, 49, 110, 42, 8, 44, 15, 29, 159, 7, 186, 213, 239]

RC4_key = [118, 137, 51, 73, 25, 19, 195, 199, 173, 216, 228, 104, 252, 72, 4, 188]

rc4:

def rc4_decrypt(ciphertext, key):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
 
    i = j = 0
    plaintext = []
    for byte in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        plaintext.append(byte ^ k)
 
    return bytes(plaintext)
enc = [188, 237, 0, 123, 134, 244, 22, 147, 149, 249, 135, 220, 103, 168, 162, 127, 77, 226, 98, 159, 123, 52, 174, 233,
       69, 3, 126, 53, 66, 208, 139, 112, 240, 251, 46, 199, 221, 233, 185, 115, 227, 204, 26, 117, 173, 220, 253, 20,
       168, 200, 69, 22, 49, 110, 42, 8, 44, 15, 29, 159, 7, 186, 213, 239]
RC4_key = [118, 137, 51, 73, 25, 19, 195, 199, 173, 216, 228, 104, 252, 72, 4, 188]
 
decrypted_data = rc4_decrypt(enc, RC4_key)
print(decrypted_data)

b'C+vFCnHRGPghbmyQMXvFMRNd7fNCG8jcU+jcbnjRJTj2GTCOGUvgtOS0CTge7fNs'

base64:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
 
void swap(char* a, char* b) {
    char temp = *a;
    *a = *b;
    *b = temp;
}
 
int main() {
    char base64table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    int v6, v4;
    srand(0x114514u);
    for (int i = 0; i < 100; ++i) {
        v6 = rand() % 64;
        v4 = rand() % 64;
        swap(&base64table[v6], &base64table[v4]);
    }
    printf("%s\n", base64table);
    return 0;
}

4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9

import base64
text1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
text2 = '4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9'
enc = 'C+vFCnHRGPghbmyQMXvFMRNd7fNCG8jcU+jcbnjRJTj2GTCOGUvgtOS0CTge7fNs'
 
decoded_bytes = base64.b64decode(enc.translate(str.maketrans(text2, text1)))
 
print(decoded_bytes.decode("utf-8"))
  • 将自定义 Base64 编码字符集中的字符映射到标准 Base64 编码字符集。
  • 将自定义 Base64 编码字符串转换为标准 Base64 编码字符串。
  • 对标准 Base64 编码字符串进行解码,得到原始的字节数据。



  • flag{C0ngr@tulat1on!Y0u_Re_suCces3fu1Ly_Signln!}
目录
相关文章
星际争霸之小霸王之小蜜蜂(十六)--狂奔的花猫
星际争霸之小霸王之小蜜蜂(十六)--狂奔的花猫
|
4月前
|
人工智能
notsequence 入土为安的第七天
notsequence 入土为安的第七天
33 1
|
4月前
|
安全
babystack2.0-入土为安的第十六天
babystack2.0-入土为安的第十六天
43 0
|
4月前
deedeedee 入土为安的第六天
deedeedee 入土为安的第六天
31 0
|
4月前
|
算法
[MoeCTF 2022]Art 入土为安的第四天
[MoeCTF 2022]Art 入土为安的第四天
44 1
|
4月前
|
数据安全/隐私保护
DosSnake-入土为安第八天
DosSnake-入土为安第八天
39 0
|
4月前
|
Python
re4-unvm-me 入土为安的第六天
re4-unvm-me 入土为安的第六天
50 0
|
4月前
|
Python
[MoeCTF 2022]EquationPy-入土为安的第十九天
[MoeCTF 2022]EquationPy-入土为安的第十九天
48 0
|
4月前
signin-入土为安的第十九天
signin-入土为安的第十九天
51 0
|
4月前
[MoeCTF 2022]ezTea-入土为安的第十九天
[MoeCTF 2022]ezTea-入土为安的第十九天
46 0