Reverse1

Approach:

64-bit ELF

image-20241110155524669.png

IDA analysis

image-20241110160145828.png

Analyze these functions

The init function initializes a table, which is immediately recognizable as RC4 encryption

image-20241110160217367.png

Next, look at crypt1 and crypt2: they are modified RC4

image-20241110160408630.png

The before_main function encrypts the key; the secret key it uses is keykey

image-20241110162211876.png

The after_main function uses the encrypted key as the secret key to encrypt the flag

image-20241110162622396.png

exp:

# Modified RC4 keystream pass: XORs each input byte with the keystream byte.
def crypt1(s,key, key_len):
    v5 = 0
    v6 = 0
    res = []
    for i in range(key_len):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        v4 = s[v5]
        s[v5] = s[v6]
        s[v6] = v4
        res.append(key[i] ^ (s[(s[v5] + s[v6]) %256]))
    return res

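# Modified RC4 pass used to recover the flag: the keystream byte is added to
# each input byte rather than XORed; the caller reduces each result mod 256.
def crypt2(s,enc,enc_len):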
    v5 = 0
    v6 = 0
    res = []
    for i in range(enc_len):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        v4 = s[v5]
        s[v5] = s[v6]
        s[v6] = v4
        res.append(enc[i] + s[(s[v5] + s[v6])%256])
    return res

# RC4 key scheduling: fill s with 0..255, then permute it in place using the key.
def init(s,key,key_len):
    v8 = [0]*258
    for i in range(256):
        s[i] = i
        v8[i] = key[i % key_len]
    v6 =0
    for j in range(256):
        v6 = (v8[j] + v6 + s[j]) % 256
        v4 = s[j]
        s[j] = s[v6]
        s[v6] = v4

s = [0]*256
key1 = [ord(b) for b in "keykey"]
key = [ord(b) for b in "ban_debug!"]
init(s,key1,len(key1))

res = crypt1(s,key,len(key))
print(res)
s2 = [0]*256
# The encrypted key (res) is the key for the second table; init works in place and returns nothing.
init(s2, res,len(res))

enc = [0x4E, 0x47, 0x38, 0x47, 0x62, 0x0A, 0x79, 0x6A, 0x03, 0x66, 
  0xC0, 0x69, 0x8D, 0x1C, 0x84, 0x0F, 0x54, 0x4A, 0x3B, 0x08, 
  0xE3, 0x30, 0x4F, 0xB9, 0x6C, 0xAB, 0x36, 0x24, 0x52, 0x81, 
  0xCF]
flag = crypt2(s2,enc,len(enc))

for i in flag:
    print(chr(i%256),end="")

    
'''
Output:
[105, 13, 90, 178, 64, 234, 25, 63, 47, 106]
flag{1237-12938-9372-1923-4u92}
'''
    

Reverse2

Approach:

The binary is packed with UPX; view it in hex to check whether the UPX signature has been modified

image-20241110164828280.png

Change these three ABC back to UPX and the binary can be unpacked

image-20241110164949354.png

Analyze the code in IDA

A ciphertext is visible in the main function

image-20241110165204829.png

Further down there is obvious Base64 encoding; look at the a9876543210zyxw array

image-20241110165249211.png

Base64 with a swapped table

image-20241110165347969.png

exp:

CyberChef solves it in one go

image-20241110165557240.png
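
What the CyberChef recipe does with a swapped Base64 table, as an added Python example that is not part of the original writeup. The table and sample plaintext below are constructed for illustration; they are not the values from the binary, which appear only in the screenshots.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def check_table(table):
    """A usable table is 64 distinct characters and does not contain '='."""
    if len(table) != 64 or len(set(table)) != 64 or "=" in table:
        raise ValueError("table must be 64 distinct characters without '='")


def decode_custom(ciphertext, table):
    """Map each character from the custom table to the standard one, then decode."""
    check_table(table)
    body = ciphertext.strip().rstrip("=")
    unknown = set(body) - set(table)
    if unknown:
        # A wrong or partly recovered table shows up here instead of as garbage output.
        raise ValueError(f"characters not in table: {sorted(unknown)}")
    body = body.translate(str.maketrans(table, STD))
    body += "=" * (-len(body) % 4)  # restore padding the program may have dropped
    return base64.b64decode(body)


def encode_custom(data, table):
    """Inverse direction, used to check a recovered table against a known input."""
    check_table(table)
    return base64.b64encode(data).decode().translate(str.maketrans(STD, table))


# Constructed sample values (assumptions for the demo, not taken from the challenge).
SAMPLE_TABLE = STD[13:] + STD[:13]
SAMPLE_PLAINTEXT = b"flag{constructed}"

if __name__ == "__main__":
    enc = encode_custom(SAMPLE_PLAINTEXT, SAMPLE_TABLE)
    print(enc)
    print(decode_custom(enc, SAMPLE_TABLE))
```

To use it on the challenge, pass the ciphertext from main and the 64-character table read from the a9876543210zyxw array.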