Ransomware
Tracing the strings
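The string is obfuscated: the code XORs it with 0x1F and then compares the result against another string. Decryption script:

    # XOR every character of the obfuscated string with 0x1F
    enc = "DH~mqqvqxB^||zll@Jq~jkwpmvez{"
    flag = ""
    for ch in enc:
        flag += chr(ord(ch) ^ 0x1F)
    print(flag)  # [Warnning]Access_Unauthorized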
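The 0x1F key above was read from the disassembly. As an added example (not part of the original write-up), the script below locates the same string without knowing the key: a single-byte XOR leaves the XOR of adjacent bytes unchanged, so a known plaintext fragment can be matched on those deltas. The crib `b"Access"`, the zero-byte padding around the sample and all function names are assumptions.

```python
# Added example: key-independent search for a single-byte-XOR-obfuscated string.
# SAMPLE_BLOB is constructed: the obfuscated string from the write-up, padded
# with zero bytes that stand in for the surrounding binary data.
OBFUSCATED = b"DH~mqqvqxB^||zll@Jq~jkwpmvez{"
SAMPLE_BLOB = b"\x00" * 4 + OBFUSCATED + b"\x00" * 4


def deltas(data: bytes) -> bytes:
    """XOR of each byte with its successor; a one-byte XOR key cancels out."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def find_xor_crib(blob: bytes, crib: bytes):
    """Return [(key, offset)] for each place `crib` occurs under a one-byte XOR key."""
    if len(crib) < 2:
        raise ValueError("crib must be at least 2 bytes long")
    blob_d, crib_d = deltas(blob), deltas(crib)
    hits = []
    pos = blob_d.find(crib_d)
    while pos != -1:
        # Equal deltas mean blob[pos + i] == crib[i] ^ key for one constant key.
        hits.append((blob[pos] ^ crib[0], pos))
        pos = blob_d.find(crib_d, pos + 1)
    return hits


def is_printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def decode_run(blob: bytes, key: int, offset: int) -> str:
    """Decode with `key`, then widen from `offset` to the enclosing printable run."""
    dec = bytes(b ^ key for b in blob)
    start = end = offset
    while start > 0 and is_printable(dec[start - 1]):
        start -= 1
    while end < len(dec) and is_printable(dec[end]):
        end += 1
    return dec[start:end].decode("ascii")


def recover_strings(blob: bytes, crib: bytes):
    """Recover (key, full string) for every crib hit in the blob."""
    return [(key, decode_run(blob, key, off)) for key, off in find_xor_crib(blob, crib)]


if __name__ == "__main__":
    for key, text in recover_strings(SAMPLE_BLOB, b"Access"):
        print(f"key=0x{key:02X} -> {text}")
```

A key of 0x00 in the result means the crib is present unobfuscated.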
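Following the cross-references upward leads to a function that calls this one.
The decrypted string turns out to be the key.
Follow these functions.
This reveals the RC4 initialization function.
The challenge is a piece of ransomware that encrypted a file; the other file supplied with the challenge is the decrypted one.
Open it in 010 Editor.
Extract the ciphertext.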

    def rc4_decrypt(key, ciphertext):
        # Key-scheduling algorithm (KSA): permute S using the key
        S = list(range(256))
        j = 0
        out = []
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) % 256
            S[i], S[j] = S[j], S[i]
        # Pseudo-random generation (PRGA): XOR the keystream with the ciphertext
        i = j = 0
        for k in range(len(ciphertext)):
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            out.append(ciphertext[k] ^ S[(S[i] + S[j]) % 256])
        return bytes(out)

    # Key recovered from the XOR-obfuscated string above
    key = b'[Warnning]Access_Unauthorized'
    ciphertext = b'\xC3\x82\xA3\x25\xF6\x4C\x36\x3B\x59\xCC\xC4\xE9\xF1\xB5\x32\x18\xB1\x96\xAE\xBF\x08\x35'
    plaintext = rc4_decrypt(key, ciphertext)
    print(plaintext)