摘要:逆向分题变异,关键点是密钥盒的生成过程被魔改了。原理参考之前的博客基本流程初始循环填充,计算密钥盒,但是不是标准的算法。用的密钥盒修复得到最后的投石机思路是通过爆破得到个的值。一开始一直不对的原因是大端小端填充的问题。
变异RC4,关键点是密钥盒S的生成过程被魔改了。RC4原理参考之前的博客
1.初始循环填充key,key=“tallmewhy”
2.计算密钥盒S,但是不是标准的RC4算法。可以通过dump的方法将密钥和提取
3.ebp+ecx+var_534中是密文
由于不想看魔改的S盒生成算法,所以在S盒生成完成的地方下断点,dump S盒填充就可以了。
#include #include struct rc4_state{ int x, y, m[256];}rc4_state;void rc4_setup( struct rc4_state *s, unsigned char *key, int length );void rc4_crypt( struct rc4_state *s, unsigned char *data, int length );void rc4_setup( struct rc4_state *s, unsigned char *key, int length ){ int i, j, k, *m, a; s->x = 0; s->y = 0; m = s->m; for( i = 0; i < 256; i++ ) { m[i] = i; } j = k = 0; for( i = 0; i < 256; i++ ) { a = m[i]; j = (unsigned char) ( j + a + key[k] ); m[i] = m[j]; m[j] = a; if( ++k >= length ) k = 0; }}void rc4_crypt( struct rc4_state *s, unsigned char *data, int length ){ int i, x, y, *m, a, b; x = s->x; y = s->y; m = s->m; for( i = 0; i < length; i++ ) { x = (unsigned char) ( x + 1 ); a = m[x]; y = (unsigned char) ( y + a ); m[x] = b = m[y]; m[y] = a; data[i] ^= m[(unsigned char) ( a + b )]; } s->x = x; s->y = y;}int main(){ struct rc4_state rc4_ctx; char* key = "tallmewhy"; unsigned char content[256] = "aaaabbbbccccffffdd"; unsigned char encrpyt[256] = { 0xF5,0x8C,0x8D,0xE4,0x9F,0xA5,0x28,0x65,0x30,0xF4,0xEB,0xD3,0x24,0xA9,0x91,0x1A, 0x6F,0xD4,0x6A,0xD7,0x0B,0x8D,0xE8,0xB8,0x83,0x4A,0x5A,0x6E,0xBE,0xCB,0xF4,0x4B, 0x99,0xD6,0xE6,0x54,0x7A,0x4F,0x50,0x14,0xE5,0xEC,0x76,0x00,0x20,0xC9,0xD1,0x00 }; unsigned char mtrix[256] = { 0x74,0x1B,0xD8,0xAC,0x9E,0xB5,0x0B,0x7A,0xFB,0x10,0x8A,0xAB,0x3A,0x72,0x15,0x19 ,0x5B,0x18,0x00,0x67,0xE7,0xAA,0x75,0x24,0xB1,0xF4,0xE3,0x89,0x49,0x9F,0x84,0xB5 ,0x10,0xD2,0x5C,0x67,0x2A,0x6D,0xCA,0x4A,0x52,0x89,0x4A,0x6A,0x46,0xC5,0x76,0x6D ,0x8A,0xCE,0xE2,0x8C,0x60,0x36,0x06,0xF6,0x0B,0x61,0x39,0xCF,0x62,0xDD,0x7A,0x47 ,0xA8,0x95,0x43,0x12,0x41,0xF3,0xFE,0x7F,0x56,0x20,0x0E,0xD3,0x04,0x94,0xB3,0xBA ,0xA0,0xA1,0x3F,0xFA,0x30,0xBC,0xF7,0x53,0xF1,0xC5,0x42,0xF5,0x62,0xA1,0x2F,0x64 ,0x91,0xAF,0x44,0x92,0xD8,0x03,0xFA,0x1E,0xA0,0xC7,0xC0,0x71,0x85,0xD0,0xAA,0x6F ,0x05,0x02,0x17,0x47,0xF3,0x30,0x32,0x6B,0xB8,0x04,0x5E,0x83,0xA7,0xA6,0xEB,0x0F ,0xF0,0x2B,0x8E,0xC8,0x08,0x06,0x8B,0xB1,0xF5,0xEA,0xB6,0x2C,0x16,0x38,0x8F,0x99 ,0x95,0x4B,0xF4,0x25,0x94,0x68,0x5B,0x35,0xB4,0x58,0xF9,0x79,0x59,0xCB,0x00,0x0A ,0x7E,0x87,0xDF,0xEE,0x93,0xAB,0xC8,0xD4,0xA4,0x24,0xBA,0x98,0x44,0x2E,0x69,0x03 ,0x5D,0x77,0xFE,0xD1,0xD7,0xCA,0xEC,0x3E,0xF6,0xAD,0xDB,0x0C,0xD9,0x2D,0x36,0x45 ,0xE0,0x23,0xC6,0x77,0x92,0x29,0xE2,0x26,0x09,0x9B,0xED,0x63,0x57,0x78,0xFC,0x79 ,0x54,0x3B,0x1A,0x7B,0x2B,0x22,0x80,0x3A,0xE4,0xCC,0x7B,0xBF,0xDE,0x7F,0x68,0x51 ,0xAD,0x3D,0x65,0xDA,0x6E,0x1D,0xBF,0xD6,0xF8,0xDE,0x99,0xDC,0xB0,0x78,0xB9,0x85 ,0x26,0x1F,0x23,0xE8,0x16,0x28,0xA7,0x66,0xBB,0x4B,0xE1,0xB6,0xE5,0xB7,0xA9,0xD1 }; memset(&rc4_ctx,0,sizeof(rc4_state)); rc4_setup(&rc4_ctx,key,strlen(key)); for(int i=0;i<256;i++)//用dump的密钥盒S修复 { rc4_ctx.m[i]=mtrix[i]; } rc4_crypt(&rc4_ctx,encrpyt,strlen(encrpyt)); printf("%s/n"); printf("/n");}
得到最后的flag:flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}
思路是通过爆破得到4个int32的值。一开始一直不对的原因是大端小端填充的问题。
flag的格式为flag{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
之后将char2hex进行转换
给了几个double的限制条件,爆破一下就好了
#include int main(){ for(unsigned long long int i=0;i<0xffffffff;i++) { unsigned long long int tmp = i<<32; double tmp2 = *(double*)(&tmp); double v4 = 149.2 * tmp2 + tmp2 * (-27.6) * tmp2 - 129.0; double v2 = tmp2 * (-39.6) * tmp2 + (59.2) * tmp2 + (37.8); double v1 = tmp2 * (-39.6) * tmp2 + (59.2) * tmp2 + (37.8); if( v4>-0.00003 && v4<0.00003) { printf("v4:%p/n",i); } if(v2>-0.00002 && v2<0.00002) { printf("v2:%p/n",i); } if(v1>-0.00003 && v1<0.00003) { printf("v1:%p/n",i); } } return 0;}
output
v4:0x3ff14a45v1:0x3fffa458v4:0x40114cf8v1:0xbfdee41dv2:0xbfdee41ev1:0xbfdee41ev1:0xbfdee41f
遍历一下或者根据前面的限制条件得到最后的flag
flag{f84c1140-454a-f1f3-1ee4-debf1de4debf}
没做出来,球球师傅教教我
文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。
转载请注明本文地址:https://www.ucloud.cn/yun/121596.html
摘要:安全的战队经常参与各大比赛,了解赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。欢迎各位大佬小白入驻,大家一起打,一起进步。有意向的师傅请联系邮箱带上自己的简历,简历内容包括自己的学习方向,学习经历等 ...
摘要:当后端程序通过不正确的正则表达式比如将之后到为止的字符内容,也就是,认为是访问请求的地址时对上述的内容进行解析的时候,很有可能会认为访问的为,而实际上这个所请求的内容都是上的内容。 ...
摘要:苟,都可以苟只要我做的够快我就不会被刷掉体验很好,下次还来注更新目录签到签到我的木头啊我的木头啊一封信一封信有手就行有手就行杂项签到杂项签到打卡第一天打卡第一天见字 苟,都可以苟 只要我osint做的够快我就不会被刷掉.jpg 体验很好,下次还来( 注:tao2更新 目录 1、web w...
摘要:昨天的比赛又一次见识到了大师傅们多么厉害,疯狂上分,可怜如我,只做出了四个杂项。暑假这三个月都没有做题,明年就要专升本了,所以一直在看高数英语嗐,高中贪玩儿的后果。 ...
摘要:美亚杯一年比一年难了,加上个人赛检材容器密码一开始出现了大的问题,把人心态搞崩了。填空题阿力士的对话中,阿力士曾要求工地主管支付多少个请以阿拉伯数字回答分如图个比特币。 目录 前言 VTM iPhone6部分 主管计算机部分 路由器部分 Alex win部分 FTP部分 前...
阅读 919·2021-09-30 09:46
阅读 3343·2021-09-07 09:59
阅读 762·2021-09-07 09:58
阅读 1304·2021-09-07 09:58
阅读 2669·2021-09-04 16:40
阅读 2333·2019-08-30 15:55
阅读 2276·2019-08-30 15:54
阅读 1201·2019-08-30 15:52