BUU–BabyAlgorithm

分析

首先用工具查壳看是否有壳image-20220404205707257

发现这是个64位无壳的文件,于是用IDA进行静态分析

image-20220404205827920

如果要得到 flag，就要使数组 v7 与数组 v8 相等

sub_400874函数调用了v7我们进入sub_400874函数看它在干嘛image-20220404210032697

image-20220404210121959

进入 sub_40067A，发现这是一个用密钥初始化并打乱 S 盒（即 RC4 的密钥调度，为后面生成密钥流做准备）的函数，然后看看 sub_400646 函数在干嘛image-20220404210237569

这里是交换的意思然后退出去看看sub_400753函数在干嘛

image-20220404210322470

这是进行了加密运算,也就是说我们可以从这里得到flag

flag 就是用密文异或密钥流得到的明文（RC4 的加密和解密是同一个异或操作，所以用同样的密钥再运行一遍即可解密）

脚本

#include<stdio.h>
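/*
 * RC4 key-scheduling algorithm (KSA).
 *
 * Fills s[0..255] with the identity permutation and then scrambles it
 * under the key; the resulting state is what rc4_crypt uses to produce the
 * keystream.
 *
 * s      - caller-provided 256-byte state array (written)
 * key    - key bytes, read cyclically to fill 256 positions
 * Len_k  - key length in bytes
 *
 * Fix vs. the earlier version: the expanded key is kept in an
 * `unsigned char` array. With plain `char` a key byte >= 0x80 becomes
 * negative on platforms where char is signed, so j could go negative and
 * index s[] out of bounds. An empty key would also divide by zero in
 * `i % Len_k`; it now simply leaves the identity permutation in s.
 */
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k)
{
    unsigned char k[256];
    unsigned char tmp;
    int i, j = 0;

    for (i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
    }
    if (Len_k == 0) {
        /* nothing to mix in; avoid i % 0 */
        return;
    }
    for (i = 0; i < 256; i++) {
        k[i] = key[i % Len_k];
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}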
/*
 * RC4 encrypt / decrypt in place (PRGA + XOR).
 *
 * Data   - buffer that is XORed with the keystream; overwritten
 * Len_D  - number of bytes in Data to process
 * key    - key bytes handed to rc4_init
 * Len_k  - key length in bytes
 *
 * Because the operation is a plain XOR with the keystream, calling this on
 * the ciphertext with the same key recovers the plaintext, which is how the
 * script below recovers the flag.
 */
void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k)
{
    unsigned char sbox[256];
    unsigned char x = 0, y = 0;   /* 8-bit indices: wrap-around replaces "% 256" */
    unsigned long pos;

    rc4_init(sbox, key, Len_k);

    for (pos = 0; pos < Len_D; pos++) {
        unsigned char swap;

        x++;
        y += sbox[x];
        swap = sbox[x];
        sbox[x] = sbox[y];
        sbox[y] = swap;
        /* keystream byte for this position */
        Data[pos] ^= sbox[(unsigned char)(sbox[x] + sbox[y])];
    }
}
/*
 * Decrypts the ciphertext extracted from the challenge binary with the
 * hard-coded RC4 key and writes the recovered flag bytes to stdout.
 */
int main()
{
    /* key as found in the binary; sizeof includes the NUL, so subtract it */
    unsigned char key[] = "Nu1Lctf233";
    unsigned long key_len = sizeof(key) - 1;

    /* ciphertext (v8) pulled from the binary */
    unsigned char cipher[] = {
        0xC6, 0x21, 0xCA, 0xBF, 0x51, 0x43, 0x37, 0x31, 0x75, 0xE4,
        0x8E, 0xC0, 0x54, 0x6F, 0x8F, 0xEE, 0xF8, 0x5A, 0xA2, 0xC1,
        0xEB, 0xA5, 0x34, 0x6D, 0x71, 0x55, 0x08, 0x07, 0xB2, 0xA8,
        0x2F, 0xF4, 0x51, 0x8E, 0x0C, 0xCC, 0x33, 0x53, 0x31, 0x00,
        0x40, 0xD6, 0xCA, 0xEC, 0xD4 };
    unsigned long cipher_len = sizeof(cipher);

    /* RC4 is symmetric: running the same operation again decrypts in place */
    rc4_crypt(cipher, cipher_len, key, key_len);

    /* raw bytes, exactly as produced (one of them is 0x00) */
    fwrite(cipher, 1, cipher_len, stdout);
    putchar('\n');
    return 0;
}

总结:

RC4 算法的步骤（注意：RC4 已被证明存在严重弱点，实际开发中不应再使用，这里只是为了逆向分析）：

1.先初始化s盒,也就是给出s[256]的初始化

2.用密钥对初始化后的 S 盒进行打乱（密钥调度，KSA），得到后面生成密钥流所需的状态，处理方法

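/*
 * RC4 key scheduling (KSA): build the identity permutation in s and
 * scramble it with the key. The scrambled s is the state the keystream
 * generator (rc4_crypt below) walks.
 *
 * s    - 256-byte state array, written
 * key  - key bytes, repeated cyclically over 256 positions
 * Len  - key length in bytes
 *
 * The expanded key is stored as `unsigned char`: with plain `char`, key
 * bytes >= 0x80 are negative where char is signed, which can drive j below
 * zero and index s[] out of bounds. A zero-length key would make `i % Len`
 * divide by zero, so it is treated as "no key material" and s stays the
 * identity permutation.
 */
void rc4_init(unsigned char*s,unsigned char*key, unsigned long Len)
{
    unsigned char k[256];
    unsigned char tmp;
    int i, j = 0;

    for (i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
    }
    if (Len == 0) {
        return;  /* avoid i % 0 */
    }
    for (i = 0; i < 256; i++) {
        k[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];       /* swap s[i] and s[j] */
        s[i] = s[j];
        s[j] = tmp;
    }
}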

3.然后由打乱后的 S 盒逐字节生成密钥流（PRGA），与明文异或得到密文；解密时对密文做完全相同的操作即可

/*
 * RC4 keystream generation (PRGA) plus XOR, applied in place.
 *
 * s    - state array already scrambled by rc4_init; updated as bytes are produced
 * Data - buffer XORed with the keystream (plaintext -> ciphertext, or back)
 * Len  - number of bytes to process
 */
void rc4_crypt(unsigned char*s,unsigned char*Data,unsigned long Len)
{
    unsigned char x = 0, y = 0;   /* 8-bit indices wrap, so no explicit "% 256" */
    unsigned long pos = 0;

    while (pos < Len) {
        unsigned char swap;

        x++;
        y += s[x];
        swap = s[x];          /* swap s[x] and s[y] */
        s[x] = s[y];
        s[y] = swap;
        Data[pos] ^= s[(unsigned char)(s[x] + s[y])];
        pos++;
    }
}