有壳:用 010 Editor 把 vmp 改成 upx(即 55 50 58,"UPX" 的十六进制)
Ctrl+F2,查找 main 函数
点第三个
Ctrl+X 查看交叉引用
把花指令改成 90(NOP)
一共三处
找到 db 数据处按 C 转成代码
找到函数后按 P 创建函数,再按 F5 反编译
SMC(自修改代码)用 IDAPython 处理一下(把被 XOR 过的代码还原)
from ida_bytes import *

# Undo the self-modifying-code layer inside the IDB: the target presumably
# XORs this 170-byte stretch with 0x66 before executing it, so applying the
# same XOR to the database bytes lets the disassembler/decompiler see the
# real instructions.
addr = 0x00401890
SMC_LEN = 170
SMC_XOR = 0x66

for off in range(SMC_LEN):
    ea = addr + off
    patch_byte(ea, get_wide_byte(ea) ^ SMC_XOR)
按 C 再按 P 进入主函数
sub_401940 = printf
sub_401990 = scanf
sub_4016B0 为加密函数,点进去
依次是换表的 Base64 编码、RC4、XTEA,解密时按相反顺序(XTEA → RC4 → Base64)
找 RC4 和 XTEA 的 key,发现是随机数;交叉引用找到 TLS1 和 TLS2
用 IDAPython 把 unk_404000 处的数据(密文)导出
from ida_bytes import *
from idaapi import *

# Dump the 64-byte ciphertext at unk_404000 as 16 dwords (get_dword follows
# the database's endianness); this is the list pasted into enc[] of the C
# decryptor.
addr = 0x00404000
DWORD_COUNT = 64 // 4

data = [get_dword(addr + 4 * k) for k in range(DWORD_COUNT)]
print(data)
[3036486489, 3653154923, 3598177203, 408905200, 1396350368, 645614189, 1318861428, 3625534240, 3046501746, 1445070236, 2433841867, 213678751, 3463276874, 699118653, 845347425, 3058494644]
xtea:
#include<stdio.h>
#include<stdlib.h>
#include<stdint.h>
#include<string.h>
void XTEA_decrypt(uint32_t* enc, uint32_t* key);
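int main() {
    /* Both keys are re-derived from the same seeded rand() stream the target
       uses.  rand() is CRT-specific: build this with the same C runtime as the
       target binary (presumably MSVC), otherwise the key bytes will differ. */
    uint8_t RC4_key[16] = { 0 };
    /* Backed by a uint32_t array so XTEA_decrypt can read four key words
       without an unaligned / strict-aliasing cast from a char buffer. */
    uint32_t XTEA_key_words[4] = { 0 };
    uint8_t* XTEA_key = (uint8_t*)XTEA_key_words;
    /* Ciphertext dumped from unk_404000 (16 dwords). */
    uint32_t enc[] = { 3036486489, 3653154923, 3598177203, 408905200, 1396350368, 645614189, 1318861428, 3625534240, 3046501746, 1445070236, 2433841867, 213678751, 3463276874, 699118653, 845347425, 3058494644 };

    srand(0x1919810u);
    /* One byte for each key per iteration; keep the two rand() calls in this
       order, since the stream is shared between the keys. */
    for (int i = 0; i < 16; ++i) {
        RC4_key[i] = (uint8_t)(rand() % 255);
        XTEA_key[i] = (uint8_t)(rand() % 255);
    }

    XTEA_decrypt(enc, XTEA_key_words);

    /* Print the decrypted buffer byte by byte; this is the RC4 stage's input. */
    const uint8_t* bytes = (const uint8_t*)enc;
    for (size_t i = 0; i < sizeof enc; i++) {
        printf("%d, ", bytes[i]);
    }
    /* Uncomment to also dump RC4_key for the next stage. */
    /* for (int i = 0; i < 16; i++) printf("%d, ", RC4_key[i]); */
    return 0;
}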
/*
 * Decrypt 16 uint32_t words (8 XTEA blocks) in place with a 128-bit key.
 *
 * Standard XTEA decryption, with two parameters recovered from the target:
 * 0x64 (100) rounds instead of the usual 32, and the key consumed as four
 * uint32_t words.  sum starts at delta * rounds and is walked back to 0,
 * exactly undoing the forward schedule.
 *
 * enc:      pointer to exactly 16 uint32_t (the caller's 64-byte buffer)
 * XTEA_key: pointer to 4 uint32_t key words
 */
void XTEA_decrypt(uint32_t* enc, uint32_t* XTEA_key) {
    const uint32_t delta = 0x9E3779B9u;
    const int rounds = 0x64;

    for (int blk = 0; blk < 16; blk += 2) {
        uint32_t v0 = enc[blk];
        uint32_t v1 = enc[blk + 1];
        uint32_t sum = delta * (uint32_t)rounds;
        int r = rounds;

        while (r-- > 0) {
            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + XTEA_key[(sum >> 11) & 3]);
            sum -= delta;
            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + XTEA_key[sum & 3]);
        }

        enc[blk] = v0;
        enc[blk + 1] = v1;
    }
}
enc=[188, 237, 0, 123, 134, 244, 22, 147, 149, 249, 135, 220, 103, 168, 162, 127, 77, 226, 98, 159, 123, 52, 174, 233, 69, 3, 126, 53, 66, 208, 139, 112, 240, 251, 46, 199, 221, 233, 185, 115, 227, 204, 26, 117, 173, 220, 253, 20, 168, 200, 69, 22, 49, 110, 42, 8, 44, 15, 29, 159, 7, 186, 213, 239]
RC4_key = [118, 137, 51, 73, 25, 19, 195, 199, 173, 216, 228, 104, 252, 72, 4, 188]
rc4:
def rc4_decrypt(ciphertext, key):
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i]
i = j = 0
plaintext = []
for byte in ciphertext:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
k = S[(S[i] + S[j]) % 256]
plaintext.append(byte ^ k)
return bytes(plaintext)
# Ciphertext as printed by the XTEA stage above (64 bytes) ...
enc = [
    188, 237, 0, 123, 134, 244, 22, 147, 149, 249, 135, 220, 103, 168, 162, 127,
    77, 226, 98, 159, 123, 52, 174, 233, 69, 3, 126, 53, 66, 208, 139, 112,
    240, 251, 46, 199, 221, 233, 185, 115, 227, 204, 26, 117, 173, 220, 253, 20,
    168, 200, 69, 22, 49, 110, 42, 8, 44, 15, 29, 159, 7, 186, 213, 239,
]
# ... and the 16-byte RC4 key recovered from the same seeded rand() stream.
RC4_key = [118, 137, 51, 73, 25, 19, 195, 199, 173, 216, 228, 104, 252, 72, 4, 188]

# Expected to yield the custom-alphabet Base64 text consumed by the next stage.
decrypted_data = rc4_decrypt(enc, RC4_key)
print(decrypted_data)
b'C+vFCnHRGPghbmyQMXvFMRNd7fNCG8jcU+jcbnjRJTj2GTCOGUvgtOS0CTge7fNs'
base64:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
/* Exchange the chars at a and b in place; a == b is a harmless no-op. */
void swap(char* a, char* b) {
    char held = *b;
    *b = *a;
    *a = held;
}
int main() {
    /* Start from the standard alphabet and replay the target's seeded shuffle:
       100 random swaps after srand(0x114514).  Build against the same C runtime
       as the target (presumably MSVC) or rand() yields a different table. */
    char base64table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    srand(0x114514u);

    int remaining = 100;
    while (remaining-- > 0) {
        int a = rand() % 64;
        int b = rand() % 64;   /* second draw; the order of the two calls matters */
        swap(&base64table[a], &base64table[b]);
    }

    /* The printed string is the custom alphabet fed to the translate() step. */
    printf("%s\n", base64table);
    return 0;
}
4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9
import base64

# Standard Base64 alphabet vs. the shuffled one printed by the C program above.
text1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
text2 = '4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9'
# Output of the RC4 stage: Base64 text over the custom alphabet.
enc = 'C+vFCnHRGPghbmyQMXvFMRNd7fNCG8jcU+jcbnjRJTj2GTCOGUvgtOS0CTge7fNs'

# Map every custom-alphabet character back to its standard counterpart; a
# plain b64decode then recovers the original bytes.
to_standard = str.maketrans(text2, text1)
standard_b64 = enc.translate(to_standard)
decoded_bytes = base64.b64decode(standard_b64)
print(decoded_bytes.decode("utf-8"))
- 将自定义 Base64 编码字符集中的字符映射到标准 Base64 编码字符集。
- 将自定义 Base64 编码字符串转换为标准 Base64 编码字符串。
- 对标准 Base64 编码字符串进行解码,得到原始的字节数据。
- flag{C0ngr@tulat1on!Y0u_Re_suCces3fu1Ly_Signln!}