HDCTF enc

分析

进入IDA发现三个函数

image-20230425211602197

先进入第一个函数sub_411523

image-20230425211647677

一个简单的tea加密

key

image-20230425211722605

加密内容

image-20230425211811895

Tea解密脚本

#include <stdio.h>
#include <stdint.h> // 使用uint32_t数据类型需要包含此头文件
#include <string.h>
#include<iostream>
using namespace std;
// TEA block decryption (32 rounds, 128-bit key) — the inverse of the
// routine the write-up identifies as sub_411523. v holds the two 32-bit
// ciphertext words and is overwritten in place with the plaintext; k
// points at the four 32-bit key words.
void tea_decrypt(uint32_t *v, uint32_t *k) {
    const uint32_t delta = 0x9e3779b9;
    // Decryption starts from the sum the encryptor reaches after 32 rounds
    // (32 * delta mod 2^32 == 0xC6EF3720) and walks it back to zero.
    uint32_t sum = 0xC6EF3720;
    uint32_t left = v[0];
    uint32_t right = v[1];

    for (int round = 0; round < 32; ++round) {
        right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
        left  -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        sum -= delta;
    }

    v[0] = left;
    v[1] = right;
}

int main() {
    // Key words and ciphertext words as read out of the binary in IDA.
    uint32_t key[] = {0x12, 0x34, 0x56, 0x78};
    uint32_t enc[2] = {0x60FCDEF7, 0x236DBEC};

    tea_decrypt(enc, key);

    // Only the first recovered word is needed by the next stage (the SMC key).
    cout << enc[0];
    return 0;
}
//3

得到3,然后看第二个函数sub_4113DE

第二个函数是把刚刚得到的3当做参数输入了进去

image-20230425212141617

看到数据段,知道是SMC加密

加密部分

image-20230425212217021

发现这里就是将加密段与3进行了简单的异或处理

找到加密段(shift+F7)

image-20230425212453146

然后去用IDAPython写脚本

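from idc_bc695 import *

# SMC stage: at run time sub_4113DE XORs a code region with the value the
# TEA stage produced (3). Undo that in the database so the real code can be
# disassembled. The region bounds are the ones seen in IDA; the byte count
# is derived from them instead of being repeated as a magic number.
start = 0x0041D000
end = 0x0041E600  # end - start == 0x1600 == 5632 bytes
smc_key = 3

for addr in range(start, end):
    PatchByte(addr, Byte(addr) ^ smc_key)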

得到新的函数部分

image-20230425212647986

发现这是一个RC4的加密,直接写解密脚本

RC4脚本

#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;

// 32 bytes copied out of the binary in IDA. main() below does not reference
// this array; it is kept as the write-up had it.
unsigned char ida_chars[] = {
    0xd4, 0x16, 0x87, 0xd6, 0x54, 0x68, 0xbc, 0x02,
    0x15, 0x6d, 0x30, 0x08, 0x4b, 0x61, 0x4c, 0x5e,
    0x42, 0xfd, 0x55, 0x61, 0xb9, 0x27, 0x6f, 0xf5,
    0xb6, 0x86, 0x23, 0xa9, 0xef, 0x1c, 0x04, 0x9f
};
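// The pasted listing had lost the space before ULONG, which silently defined a
// type named "longULONG" of type unsigned int. Restore the intended alias.
// (Nothing below uses it.)
typedef unsigned long ULONG;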

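/* RC4 key scheduling (KSA): fills s with the 256-byte permutation derived
 * from key[0..Len). Fixes two issues in the original:
 *  - the key copy used a plain char array, so key bytes >= 0x80 became
 *    negative, j went negative and s[j] indexed outside the box;
 *  - Len == 0 divided by zero in key[i % Len]; the box is now left as the
 *    identity permutation in that case.
 * key is only read, so it is const. */
void rc4_init(unsigned char*s, const unsigned char*key, unsigned long Len)
{
    unsigned char k[256] = { 0 };   // key repeated to 256 bytes
    int i, j;

    for (i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
    }
    if (Len == 0) {
        return;
    }
    for (i = 0; i < 256; i++) {
        k[i] = key[i % Len];
    }
    for (i = 0, j = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;
        // swap s[i] and s[j]
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}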

/* RC4 keystream generation (PRGA) applied in place: XORs Len bytes of Data
 * with the keystream drawn from the scheduled S-box s, advancing s as a side
 * effect. Encryption and decryption are the same call. RC4 is a legacy
 * cipher; this routine exists only to recover the challenge data. */
void rc4_crypt(unsigned char*s, unsigned char*Data, unsigned long Len)
{
    int x = 0, y = 0;
    for (unsigned long pos = 0; pos < Len; pos++) {
        x = (x + 1) % 256;
        y = (y + s[x]) % 256;
        // swap s[x] and s[y]
        unsigned char t = s[x];
        s[x] = s[y];
        s[y] = t;
        Data[pos] ^= s[(s[x] + s[y]) % 256];
    }
}

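/* Recovers the flag: schedules RC4 with the key found in the binary, dumps
 * the S-box, then decrypts the ciphertext lifted from the de-obfuscated
 * (post-SMC) function. Changes from the original: strlen() is printed with
 * %zu instead of %d (size_t with %d is a format mismatch), the dead s2 copy
 * and commented-out second pass are gone, and the redundant cast of pData
 * is dropped. Output text is otherwise unchanged. */
int main()
{
    unsigned char s[256] = { 0 };              // S-box
    char key[256] = { "you_are_master" };
    // Ciphertext bytes copied from the RC4 routine revealed after the SMC patch.
    unsigned char pData[512] = {
        0xf, 0x94, 0xae, 0xf2, 0xc0, 0x57, 0xc2, 0xe0, 0x9a, 0x45,
        0x37, 0x50, 0xf5, 0xa0, 0x5e, 0xcb, 0x2c, 0x16, 0x28, 0x29,
        0xfe, 0xff, 0x33, 0x46, 0xe, 0x57, 0x82, 0x22, 0x52, 0x26,
        0x2b, 0x6e, 0xe4, 0x82, 0x24
    };
    const unsigned long len = 35;              // number of ciphertext bytes above
    size_t key_len = strlen(key);
    int i;

    printf("pData=%s\n", pData);
    printf("key=%s,length=%zu\n\n", key, key_len);
    rc4_init(s, (unsigned char*)key, key_len);
    printf("完成对S[i]的初始化,如下:\n\n");
    for (i = 0; i < 256; i++) {
        printf("%02X", s[i]);
        if (i && (i + 1) % 16 == 0) {
            putchar('\n');
        }
    }
    printf("\n\n");

    rc4_crypt(s, pData, len);                  // RC4 is symmetric: this decrypts

    printf("现在解密:\n\n");
    // pData[len] is still 0 from the initializer, so %s stops after the plaintext.
    printf("pData=%s\n\n", pData);
    return 0;
}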
//HDCTF{y0u_ar3_rc4_t3a_smc_m4ster!!}