• BUUCTF reverse wp 71 - 75


    [NPUCTF2020]你好sao啊

    在这里插入图片描述

    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      __int64 v3; // rax
      __int64 v4; // rdx
      __int64 v5; // rax
      size_t v6; // rax
      __int64 v7; // rax
      __int64 v8; // rdx
      __int64 v9; // rax
      __int64 v11; // rdx
      __int64 v12; // rax
      char *s1; // [rsp+8h] [rbp-68h]
      char s2[8]; // [rsp+10h] [rbp-60h] BYREF
      __int64 v15; // [rsp+18h] [rbp-58h]
      __int64 v16; // [rsp+20h] [rbp-50h]
      __int64 v17; // [rsp+28h] [rbp-48h]
      char v18; // [rsp+30h] [rbp-40h]
      char s[40]; // [rsp+40h] [rbp-30h] BYREF
      unsigned __int64 v20; // [rsp+68h] [rbp-8h]
    
      v20 = __readfsqword(0x28u);
      v3 = std::operator<<<std::char_traits<char>>(&std::cout, "Welcome To Reverier-Encode Program!", envp);
      std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
      v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Input Your flag:", v4);
      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
      *(_QWORD *)s2 = 0xFD370FEB59C9B9ELL;
      v15 = 0xDEAB7F029C4FD1B2LL;
      v16 = 0xFACD9D40E7636559LL;
      v17 = 4LL;
      v18 = 0;
      __isoc99_scanf("%33s", s);
      s1 = (char *)RxEncode(s, 33);
      if ( strlen(s) == 32 )
      {
        if ( !strcmp(s1, s2) )
          v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Congratulations!", v11);
        else
          v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!", v11);
        std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
        return 0;
      }
      else
      {
        v6 = strlen(s);
        v7 = std::ostream::operator<<(&std::cout, v6);
        std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
        v9 = std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!", v8);
        std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
        return 0;
      }
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51

    在这里插入图片描述

    估计是base64, 但是仔细读一下RxEncode函数, 发现是b64解码函数, 拿工具编码一下

    void *__fastcall RxEncode(const char *a1, int a2)
    {
      int v3; // [rsp+18h] [rbp-38h]
      int v4; // [rsp+1Ch] [rbp-34h]
      int v5; // [rsp+20h] [rbp-30h]
      int v6; // [rsp+24h] [rbp-2Ch]
      int v7; // [rsp+28h] [rbp-28h]
      int v8; // [rsp+28h] [rbp-28h]
      int i; // [rsp+2Ch] [rbp-24h]
      _BYTE *v10; // [rsp+30h] [rbp-20h]
      void *s; // [rsp+38h] [rbp-18h]
    
      v3 = 3 * (a2 / 4);
      v4 = 0;
      v5 = 0;
      if ( a1[a2 - 1] == 61 )
        v4 = 1;
      if ( a1[a2 - 2] == 61 )
        ++v4;
      if ( a1[a2 - 3] == 61 )
        ++v4;
      if ( v4 == 3 )
      {
        v3 += 2;
      }
      else if ( v4 <= 3 )
      {
        if ( v4 == 2 )
        {
          v3 += 3;
        }
        else if ( v4 )
        {
          if ( v4 == 1 )
            v3 += 4;
        }
        else
        {
          v3 += 4;
        }
      }
      s = malloc(v3);
      if ( s )
      {
        memset(s, 0, v3);
        v10 = s;
        while ( v5 < a2 - v4 )
        {
          v6 = 0;
          v7 = 0;
          while ( v6 <= 3 && v5 < a2 - v4 )
          {
            v7 = (v7 << 6) | (char)find_pos(a1[v5]);
            ++v6;
            ++v5;
          }
          v8 = v7 << (6 * (4 - v6));
          for ( i = 0; i <= 2 && i != v6; ++i )
            *v10++ = v8 >> (8 * (2 - i));
        }
        *v10 = 0;
        return s;
      }
      else
      {
        puts("No enough memory.");
        return 0LL;
      }
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69

    在这里插入图片描述

    [安洵杯 2019]crackMe

    在这里插入图片描述

    int __cdecl __noreturn main_0(int argc, const char **argv, const char **envp)
    {
      int (__cdecl *v3)(int); // [esp-4h] [ebp-D0h]
    
      printf("please Input the flag:\n");
      scanf_s("%s", &input);
      MessageBoxW(0, L"Exception", L"Warning", 0);
      v3 = sub_41100F;
      MEMORY[0] = 1;
      sub_411136(HIWORD(v3));
    }
    
    void __noreturn sub_4132E0()
    {
      if ( !j_strcmp(Str1, Str2) )
        printf("right\n");
      else
        printf("wrong\n");
      system("pause");
      exit(0);
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21

    静态代码的逻辑找不到线索, 动调一下, 进入下面这个函数, 大小写互换
    在这里插入图片描述

    输入flag之后, 会进入exception处理, 这里会被AddVectoredExceptionHandlerhook, 然后调用handler执行, 点进去

    int __stdcall Handler_0(_DWORD **a1)
    {
      char v2[20]; // [esp+D0h] [ebp-18h] BYREF
    
      if ( **a1 == -1073741819 )
      {
        qmemcpy(v2, "where_are_u_now?", 16);
        sub_951172(&unk_95A218, v2);
        SetUnhandledExceptionFilter(TopLevelExceptionFilter);
      }
      return 0;
    }
    
    int __cdecl sub_951F50(int a1, unsigned int *a2)
    {
      int result; // eax
      unsigned int v3; // [esp+D0h] [ebp-B8h]
      unsigned int v4; // [esp+DCh] [ebp-ACh]
      unsigned int v5; // [esp+E0h] [ebp-A8h]
      unsigned int v6; // [esp+E4h] [ebp-A4h]
      int v7[35]; // [esp+E8h] [ebp-A0h]
      unsigned int v8; // [esp+174h] [ebp-14h]
      unsigned int v9; // [esp+178h] [ebp-10h]
      unsigned int v10; // [esp+17Ch] [ebp-Ch]
      unsigned int v11; // [esp+180h] [ebp-8h]
    
      v3 = 0;
      v8 = _byteswap_ulong(*a2);
      v9 = _byteswap_ulong(a2[1]);
      v10 = _byteswap_ulong(a2[2]);
      v11 = _byteswap_ulong(a2[3]);
      v4 = v8 ^ 0xA3B1BAC6;
      v5 = dword_957A68[1] ^ v9;
      v6 = dword_957A68[2] ^ v10;
      result = 12;
      v7[0] = dword_957A68[3] ^ v11;
      while ( v3 < 0x20 )
      {
        v7[v3 + 1] = *(&v4 + v3) ^ sub_9514E0(dword_957A78[v3] ^ v7[v3] ^ v7[v3 - 1] ^ *(&v5 + v3));
        *(_DWORD *)(a1 + 4 * v3) = v7[v3 + 1];
        result = ++v3;
      }
      return result;
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44

    跟进去发现逻辑看不懂, 试用findcrypt找下一下是否有密码函数
    在这里插入图片描述

    发现SM4特征值, 猜测sub_951F50SM4加密, 密钥是where_are_u_now?, 继续跟TopLevelExceptionFilter

    int __cdecl sub_952C30(_DWORD *a1)
    {
      int result; // eax
      char v2; // [esp+D3h] [ebp-11h]
      size_t i; // [esp+DCh] [ebp-8h]
    
      result = (int)a1;
      if ( *(_DWORD *)*a1 == 0xC0000005 )
      {
        for ( i = 0; i < j_strlen(Str2); i += 2 )   // process str2
        {
          v2 = Str2[i];
          Str2[i] = Str2[i + 1];
          Str2[i + 1] = v2;
        }
        Str1 = (char *)sub_95126C(byte_95A180);     // process str1 
        *(_DWORD *)(a1[1] + 176) = *(_DWORD *)(*a1 + 20);
        *(_DWORD *)(a1[1] + 164) = *(_DWORD *)(*a1 + 24);
        *(_DWORD *)(a1[1] + 172) = *(_DWORD *)(*a1 + 28);
        *(_DWORD *)(a1[1] + 168) = *(_DWORD *)(*a1 + 32);
        *(_DWORD *)(a1[1] + 156) = *(_DWORD *)(*a1 + 36);
        *(_DWORD *)(a1[1] + 160) = *(_DWORD *)(*a1 + 40);
        *(_DWORD *)(a1[1] + 184) = checkfunc;
        return -1;
      }
      return result;
    }
    
    _BYTE *__cdecl sub_953090(char *Str)
    {
      int k; // [esp+E4h] [ebp-5Ch]
      int v3; // [esp+F0h] [ebp-50h]
      int j; // [esp+FCh] [ebp-44h]
      int v5; // [esp+108h] [ebp-38h]
      signed int i; // [esp+114h] [ebp-2Ch]
      _BYTE *v7; // [esp+120h] [ebp-20h]
      signed int v8; // [esp+12Ch] [ebp-14h]
      int v9; // [esp+138h] [ebp-8h]
    
      v5 = 0;
      v8 = j_strlen(Str);
      if ( v8 % 3 )
        v9 = 4 * (v8 / 3) + 4;
      else
        v9 = 4 * (v8 / 3);
      v7 = malloc(__CFADD__(v9, 1) ? -1 : v9 + 1);
      v7[v9] = 0;
      for ( i = 0; i < v8; i += 3 )
      {
        v3 = 0;
        for ( j = 0; j < 3; ++j )
          v3 |= (unsigned __int8)Str[j + i] << (8 * (2 - j));
        for ( k = 0; k < 4; ++k )
        {
          if ( k >= 4 - (i + 3 - v8) && i + 3 > v8 )
            v7[v5] = 33;
          else
            v7[v5] = BASE64_table_95A080[sub_9510FF((v3 >> (6 * (3 - k))) & 0x3F)];
          ++v5;
        }
      }
      return v7;
    }
    
    int __cdecl sub_952760(int a1)
    {
      return (a1 + 24) % 64;
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68

    Str2经过奇偶位交换后得到, Str1是经过类似base64编码处理, 跟进去发现sub_952760会进行变表, 猜测是变表base64
    最后Str1和Str2进行比较, 逆向思路: Str2处理后, 经过变表base64解码, 然后SM4解密

    import base64
    from pysm4 import decrypt
    
    
    def b64_change_decode(encodestr):
        changebase64 = "yzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/abcdefghijklmnopqrstuvwx"
        originbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    
        trans_encodestr = encodestr.translate(str.maketrans(changebase64,originbase64))
        res = base64.b64decode(trans_encodestr)
        return res
    
    
    Str2 = [
        0x31, 0x55, 0x54, 0x41, 0x4F, 0x49, 0x6B, 0x70, 0x79, 0x4F, 
        0x53, 0x57, 0x47, 0x76, 0x2F, 0x6D, 0x4F, 0x59, 0x46, 0x59, 
        0x34, 0x52, 0x21, 0x21
    ]
    
    Str2_exc = [0 for _ in range(len(Str2))]
    
    for i in range(0, len(Str2), 2):
        Str2_exc[i] = chr(Str2[i + 1]) 
        Str2_exc[i + 1] = chr(Str2[i])
        
    Str2 = ''.join(Str2_exc)
    print(Str2)
    
    tmp_flag = b64_change_decode(Str2[:len(Str2) - 2] + '==')
    mid_flag = int.from_bytes(tmp_flag, byteorder='big')
    print(tmp_flag, hex(mid_flag))
    
    key = 'where_are_u_now?'
    key_tmp = key.encode('utf-8')
    key_int = int.from_bytes(key_tmp, byteorder='big')
    print(hex(key_int))
    
    decrypt_flag = decrypt(mid_flag, key_int)
    flag = bytes.fromhex(hex(decrypt_flag)[2:]).decode()
    # {{ stands for /, }} stands for /
    print('flag{{{}}}'.format(flag))
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41

    [WUSTCTF2020]funnyre

    在这里插入图片描述

    无法反编译, 直接读汇编, 这里需要从命令行输入参数
    在这里插入图片描述

    接下来是头尾的单字节比较, 要求前5个字符是flag{,第38个字符是}, 中间32位字节分别 xor 和 add N个硬编码数据, 如下面的操作, 即对32个字节进行xor操作之后, 再add操作
    在这里插入图片描述
    在这里插入图片描述

    最后和验证数组进行比较
    在这里插入图片描述

    这些操作可以叠加起来看作是只有一次xor和add, 所以有checklist可以直接爆破

    checklist = [
        217,  44,  39, 214, 216,  42, 218,  45, 215,  44, 
        220, 225, 219,  44, 217, 221,  39,  45,  42, 220, 
        219,  44, 225,  41, 218, 218,  44, 218,  42, 217, 
        41,  42
    ]
    
    def add(xx, kk):
        return [(x+kk) & 0xFF for x in xx]
    
    
    def xor(xx, kk):
        return [x ^ kk for x in xx]
    
    
    def check(xx):
        for x in xx:
            if x < ord('0') or (x > ord('9') and x < ord('a')) or x > ord('f'):
                return False
        return True
    
    
    if __name__ == '__main__':
        for k1 in range(0x100):
            tmp_add = add(checklist, k1)
            for k2 in range(0x100):
                tmp_xor = xor(tmp_add, k2)
                if check(tmp_xor):
                    print(bytes(tmp_xor))
                    print(k1, k2)
    
    '''
    b'1dc20f6e3d497d15cef47d9a66d6f1af'
    42 50
    b'1dc20f6e3d497d15cef47d9a66d6f1af'
    74 18
    b'1dc20f6e3d497d15cef47d9a66d6f1af'
    170 178
    b'1dc20f6e3d497d15cef47d9a66d6f1af'
    '''
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40

    [WMCTF2020]easy_re

    在这里插入图片描述

    直接逆找不到线索, 搜索一下 perlapp 逆向找到一个帖子

    在这里插入图片描述

    perl打包的exe需要找到解压函数, 动态调试, 断点到这个函数之后可以定位到关键代码, 这个解压函数会带有特征字符串script

    在这里插入图片描述

    rax就是解压函数的返回值, 点进去就发现解压出来的flag

    在这里插入图片描述

    [GUET-CTF2019]encrypt

    在这里插入图片描述

    __int64 __fastcall main(int a1, char **a2, char **a3)
    {
      unsigned int v3; // eax
      unsigned int length; // eax
      char v6[4]; // [rsp+4h] [rbp-93Ch] BYREF
      int i; // [rsp+8h] [rbp-938h]
      int v8; // [rsp+Ch] [rbp-934h]
      char v9[1040]; // [rsp+10h] [rbp-930h] BYREF
      char v10[16]; // [rsp+420h] [rbp-520h] BYREF
      char input[256]; // [rsp+430h] [rbp-510h] BYREF
      char encrypt[1032]; // [rsp+530h] [rbp-410h] BYREF
      unsigned __int64 v13; // [rsp+938h] [rbp-8h]
    
      v13 = __readfsqword(0x28u);
      v10[0] = 16;
      v10[1] = 32;
      v10[2] = 48;
      v10[3] = 48;
      v10[4] = 32;
      v10[5] = 32;
      v10[6] = 16;
      v10[7] = 64;
      memset(input, 0, sizeof(input));
      v8 = strlen(input);
      memset(encrypt, 0, 0x400uLL);
      printf("please input your flag:");
      scanf("%s", input);
      memset(v9, 0, 0x408uLL);
      func1(v9, v10, 8LL);
      v3 = strlen(input);
      func2(v9, input, v3);
      length = strlen(input);
      func3(input, length, encrypt, v6);
      for ( i = 0; i <= 50; ++i )
      {
        if ( encrypt[i] != checklist[i] )
        {
          puts("Wrong");
          return 0LL;
        }
      }
      puts("Good");
      return 0LL;
    }
    
    bool __fastcall sub_4006B6(_DWORD *a1, __int64 a2, int a3)
    {
      bool result; // al
      int i; // [rsp+1Ch] [rbp-18h]
      int j; // [rsp+1Ch] [rbp-18h]
      int v6; // [rsp+20h] [rbp-14h]
      int v7; // [rsp+24h] [rbp-10h]
      int v8; // [rsp+28h] [rbp-Ch]
      _DWORD *v9; // [rsp+2Ch] [rbp-8h]
    
      *a1 = 0;
      a1[1] = 0;
      v9 = a1 + 2;
      for ( i = 0; i <= 255; ++i )
        v9[i] = i;
      v7 = 0;
      result = 0;
      LOBYTE(v6) = 0;
      for ( j = 0; j <= 255; ++j )
      {
        v8 = v9[j];
        v6 = (unsigned __int8)(v6 + v8 + *(_BYTE *)(v7 + a2));
        v9[j] = v9[v6];
        v9[v6] = v8;
        result = ++v7 >= a3;
        if ( v7 >= a3 )
          v7 = 0;
      }
      return result;
    }
    
    _DWORD *__fastcall func2(_DWORD *a1, __int64 input, int a3)
    {
      _DWORD *result; // rax
      int i; // [rsp+18h] [rbp-1Ch]
      int v5; // [rsp+1Ch] [rbp-18h]
      int v6; // [rsp+20h] [rbp-14h]
      int v7; // [rsp+24h] [rbp-10h]
      int v8; // [rsp+28h] [rbp-Ch]
      _DWORD *v9; // [rsp+2Ch] [rbp-8h]
    
      v5 = *a1;
      v6 = a1[1];
      v9 = a1 + 2;
      for ( i = 0; i < a3; ++i )
      {
        v5 = (unsigned __int8)(v5 + 1);
        v7 = v9[v5];
        v6 = (unsigned __int8)(v6 + v7);
        v8 = v9[v6];
        v9[v5] = v8;
        v9[v6] = v7;
        *(_BYTE *)(i + input) ^= LOBYTE(v9[(unsigned __int8)(v7 + v8)]);
      }
      *a1 = v5;
      result = a1;
      a1[1] = v6;
      return result;
    }
    
    _DWORD *__fastcall func3(__int64 input, int length, const char *encrypt, _DWORD *a4)
    {
      int v4; // eax
      int v5; // eax
      unsigned __int8 v6; // al
      int v7; // eax
      unsigned __int8 v8; // al
      int v9; // eax
      int v10; // edx
      _DWORD *result; // rax
      char v13; // [rsp+2Dh] [rbp-13h]
      unsigned __int8 v14; // [rsp+2Eh] [rbp-12h]
      unsigned __int8 v15; // [rsp+2Fh] [rbp-11h]
      int v16; // [rsp+30h] [rbp-10h]
      int i; // [rsp+34h] [rbp-Ch]
    
      v16 = 0;
      i = 0;
      while ( i < length )
      {
        v4 = i++;
        v13 = *(_BYTE *)(v4 + input);
        if ( i >= length )
        {
          v6 = 0;
        }
        else
        {
          v5 = i++;
          v6 = *(_BYTE *)(v5 + input);
        }
        v14 = v6;
        if ( i >= length )
        {
          v8 = 0;
        }
        else
        {
          v7 = i++;
          v8 = *(_BYTE *)(v7 + input);
        }
        v15 = v8;
        encrypt[v16] = ((v13 >> 2) & 0x3F) + '=';
        encrypt[v16 + 1] = ((((int)v14 >> 4) | (16 * v13)) & 0x3F) + '=';
        encrypt[v16 + 2] = ((((int)v8 >> 6) | (4 * v14)) & 0x3F) + '=';
        v9 = v16 + 3;
        v16 += 4;
        encrypt[v9] = (v15 & 0x3F) + '=';
      }
      if ( length % 3 == 1 )
      {
        encrypt[--v16] = '=';
      }
      else if ( length % 3 != 2 )
      {
        goto LABEL_15;
      }
      encrypt[v16 - 1] = 61;
    LABEL_15:
      v10 = strlen(encrypt);
      result = a4;
      *a4 = v10;
      return result;
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    • 79
    • 80
    • 81
    • 82
    • 83
    • 84
    • 85
    • 86
    • 87
    • 88
    • 89
    • 90
    • 91
    • 92
    • 93
    • 94
    • 95
    • 96
    • 97
    • 98
    • 99
    • 100
    • 101
    • 102
    • 103
    • 104
    • 105
    • 106
    • 107
    • 108
    • 109
    • 110
    • 111
    • 112
    • 113
    • 114
    • 115
    • 116
    • 117
    • 118
    • 119
    • 120
    • 121
    • 122
    • 123
    • 124
    • 125
    • 126
    • 127
    • 128
    • 129
    • 130
    • 131
    • 132
    • 133
    • 134
    • 135
    • 136
    • 137
    • 138
    • 139
    • 140
    • 141
    • 142
    • 143
    • 144
    • 145
    • 146
    • 147
    • 148
    • 149
    • 150
    • 151
    • 152
    • 153
    • 154
    • 155
    • 156
    • 157
    • 158
    • 159
    • 160
    • 161
    • 162
    • 163
    • 164
    • 165
    • 166
    • 167
    • 168
    • 169

    RC4加密, 动调拿xor数组, 写逆

    #include 
    
    
    int data0[258] = {
        0x00, 0x00, 0xB0, 0x31, 0x75, 0x70, 0xF8, 0xDF,
        0x07, 0x3C, 0x78, 0x71, 0x50, 0x29, 0x2C, 0x16,
        0x69, 0x12, 0xC8, 0x2B, 0x3B, 0x7F, 0xB2, 0xE7,
        0x4B, 0x68, 0x8C, 0xC5, 0xA6, 0x15, 0x03, 0x58,
        0x47, 0x04, 0x13, 0x8D, 0x87, 0x26, 0x09, 0xED,
        0x17, 0x8A, 0xC2, 0xF2, 0x43, 0xC0, 0xAC, 0x59,
        0x97, 0xF5, 0x3F, 0x67, 0x5E, 0x39, 0x86, 0xD5,
        0x72, 0x61, 0xDA, 0xF7, 0x01, 0x05, 0x8B, 0xC3,
        0xB1, 0x77, 0xAF, 0x1D, 0x30, 0xC6, 0x45, 0x0E,
        0x5F, 0xEE, 0xAE, 0xF0, 0x28, 0xCE, 0xCD, 0xA7,
        0x9B, 0x2A, 0x19, 0x48, 0x08, 0x44, 0x20, 0xFE,
        0x6D, 0xB5, 0x2E, 0x6A, 0xF1, 0x34, 0xBC, 0x1E,
        0x3E, 0xCC, 0x41, 0x92, 0xD8, 0xBD, 0xA5, 0xE8,
        0x4D, 0x0A, 0x49, 0x0D, 0xA2, 0xFA, 0x62, 0x74,
        0xD4, 0x83, 0x96, 0x94, 0x3D, 0xCB, 0x18, 0x63,
        0x99, 0x46, 0xCA, 0xB7, 0x8E, 0xCF, 0xFB, 0xA3,
        0x6C, 0x7E, 0x51, 0x27, 0x60, 0x9A, 0x11, 0xF3,
        0x5C, 0x6E, 0xBA, 0x42, 0x76, 0x2F, 0xEF, 0xBF,
        0x21, 0xAA, 0xE4, 0xD6, 0x1B, 0x55, 0x7D, 0xBE,
        0xEA, 0xD3, 0x10, 0xF4, 0xC7, 0x4A, 0x23, 0x79,
        0x84, 0xA4, 0x1C, 0xAB, 0x14, 0xDB, 0x4C, 0x3A,
        0xB8, 0x52, 0xEC, 0x37, 0x38, 0xB6, 0xD2, 0xA0,
        0x5A, 0x5B, 0x98, 0x66, 0x54, 0x9E, 0x4E, 0x4F,
        0xB4, 0xC4, 0xC9, 0xD0, 0x25, 0x9C, 0x80, 0xDE,
        0x2D, 0x06, 0x22, 0x0B, 0x91, 0x6B, 0x9F, 0xF6,
        0xE6, 0xE2, 0xC1, 0x0F, 0x93, 0x90, 0x7B, 0x9D,
        0x8F, 0xDD, 0xE5, 0x65, 0x35, 0xAD, 0xA9, 0xDC,
        0x82, 0xBB, 0x00, 0x53, 0xD1, 0xA8, 0x33, 0xE9,
        0x40, 0x1A, 0xFF, 0xA1, 0x95, 0x36, 0xD9, 0xEB,
        0x89, 0xE3, 0x7C, 0x73, 0x85, 0x88, 0x7A, 0xE0,
        0xFD, 0x64, 0x0C, 0x57, 0x32, 0xB3, 0xB9, 0x1F,
        0xD7, 0xFC, 0x81, 0xE1, 0x02, 0xF9, 0x5D, 0x56,
        0x6F, 0x24 
    };
        
    unsigned char checklist[52] = {
    	0x5a, 0x60, 0x54, 0x7A, 0x7A, 0x54, 0x72, 0x44, 0x7C, 0x66, 0x51, 0x50, 0x5B, 0x5F, 0x56, 0x56, 
    	0x4C, 0x7C, 0x79, 0x6E, 0x65, 0x55, 0x52, 0x79, 0x55, 0x6D, 0x46, 0x6B, 0x6C, 0x56, 0x4A, 0x67, 
    	0x4C, 0x61, 0x73, 0x4A, 0x72, 0x6F, 0x5A, 0x70, 0x48, 0x52, 0x78, 0x49, 0x55, 0x6C, 0x48, 0x5C, 
    	0x76, 0x5A, 0x45, 0x3D
    };
    
    void exchange(unsigned char*flag, int len) {
        int v7, v8,i,v3,v4;
        v7 = data0[0];
        v8 = data0[1];
        int* v9 = data0 + 2;
        for (i = 0; i < len; ++i) {
            v7 = (unsigned char)(v7 + 1);
            v3 = v9[v7];
            v8 = (unsigned char)(v8 + v3);
            v4 = v9[v8];
            v9[v7] = v4;
            v9[v8] = v3;
            flag[i] ^= v9[(unsigned char)(v3 + v4)];
        }
    }
    
    int main() {
        unsigned char flag[40] = { 0 };
        int i = 0,j = 0;
        for (i = 0; i < 52; i++)
            checklist[i] -= 61;
            
        for (i = 0, j = 0; i < 52; i += 4, j += 3) {
            flag[j] = checklist[i] << 2 | checklist[i + 1] >> 4;
            flag[j + 1] = (checklist[i + 1] & 0xF) << 4 | checklist[i + 2] >> 2;
            flag[j + 2] = (checklist[i + 2] & 0xF) << 6 | checklist[i + 3];
        }
        
        exchange(flag, 39);
        flag[38] = 0;
        printf("%s\n", (char*)flag);
        return 0;
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    • 79
  • 相关阅读:
    安全漏洞扫描工具
    C语言求该二维数组的最大值
    Windows环境下下载安装Elasticsearch和Kibana
    Android开发笔记——快速入门(从入门ACT到Fragment放肆)
    计算机组成原理(2)--进位计数制、BCD码,有符号数和无符号数、浮点数
    函数执行上下文
    2023年亚太杯数学建模思路 - 复盘:校园消费行为分析
    cefsharp 最新稳定版104.4.240 (chromium-104.0.5112.102)
    【Java基础】注释、关键字、常量及数据类型
    【OpenCV】Mat矩阵解析 Mat类赋值,单/双/三通道 Mat赋值
  • 原文地址:https://blog.csdn.net/qq_33976344/article/details/133241919