DASCTF babyre

Analysis

First, open the binary in IDA.

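The content in the parentheses is the binary resource COD; this resource is later XOR-decrypted in sub_140001087.

Next, extract the COD resource with Resource Hacker (I had only used it once before and did not think of it while working on the challenge /(ㄒoㄒ)/~~).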

After extracting it, look at the function sub_140001087.

Decoding directly with IDAPython ran into a problem here, so I cross-referenced the data at F000 and found that another piece of code also uses this data.

Then debug the program dynamically to get the correct XOR key.

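Then write a script to dump the content we need.

# Read the COD resource extracted with Resource Hacker
with open("COD101.bin", "rb") as fh:
    f = fh.read()
# 4-byte repeating XOR key recovered by dynamic debugging
key = [0x18, 0x57, 0x68, 0x64]
arr = []
for i, j in enumerate(f):
    arr.append(key[i % 4] ^ j)
# Write the decrypted code out for analysis
with open("dump", "wb") as out:
    out.write(bytes(arr))

The dumped code contains a lot of junk instructions. After removing them, the % 0x100 (that is, % 256) shows that this is a modified RC4 (when writing the final script, take care to reverse the last three lines correctly).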

These are the key bytes.

The ciphertext can then be recovered from the part of the original program that checks whether the input is correct.

Decryption script

#include <stdio.h>

int size1 = 0x100;

int main()
{
    /* Ciphertext taken from the program's comparison routine */
    unsigned char enc[44] = {
        0xF7, 0x2E, 0x34, 0xF0, 0x72, 0xCF, 0x5E, 0x0A, 0xBB, 0xEC,
        0xB1, 0x2B, 0x70, 0x88, 0x88, 0xED, 0x46, 0x38, 0xDB, 0xDA,
        0x6C, 0xBD, 0xD4, 0x06, 0x77, 0xF2, 0xCF, 0x56, 0x88, 0xC6,
        0x31, 0xD2, 0xB7, 0x5A, 0xC1, 0x42, 0xB0, 0xF4, 0x48, 0x37,
        0xF5, 0x2C, 0xF5, 0x58};
    unsigned char sbox[257] = { 0 };
    unsigned int i, j, k;
    int tmp;
    char key[] = { 93, 66, 98, 41, 3, 54, 71, 65, 21, 54 };
    /* enc has no NUL terminator, so take the length from the array size */
    int len = sizeof(enc);

    for (i = 0; i < size1; i++) {
        sbox[i] = i;
    }

    /* Modified key scheduling: j is doubled on every step */
    j = k = 0;
    for (i = 0; i < size1; i++) {
        tmp = sbox[i];
        j = (2 * j + tmp + key[k]) % size1;
        sbox[i] = sbox[j];
        sbox[j] = tmp;
        if (++k >= 10)
            k = 0;
    }

    /* Modified keystream generation and decryption */
    j = k = 0;
    int R;
    for (i = 0; i < len; i++) {
        j = (j + k) % size1;
        k = (k + sbox[j]) % size1;

        tmp = sbox[j];
        sbox[j] = sbox[k];
        sbox[k] = tmp;

        R = sbox[(sbox[j] + sbox[k] + k) % size1];
        /* Inverse of the encryption: subtract i % 13 first, then XOR */
        enc[i] -= (i % 13);
        enc[i] ^= R;
    }
    /* Print exactly len bytes; the buffer is not NUL-terminated */
    printf("%.*s", len, enc);
    return 0;
}
//DASCTF{03446c2c-dff7-11ed-9285-54e1ad98d649}
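
The modified RC4 above, as an added Python example (not the author's script) that marks each deviation from standard RC4 and shows why the last steps must be undone in reverse order. The key and ciphertext are the ones from this write-up; the `encrypt` direction is an assumption, reconstructed as the inverse of the decryption script.

```python
# Added example: Python port of the write-up's modified RC4 (not the author's script).
KEY = bytes([93, 66, 98, 41, 3, 54, 71, 65, 21, 54])  # key bytes from the write-up
ENC = bytes([  # ciphertext from the write-up
    0xF7, 0x2E, 0x34, 0xF0, 0x72, 0xCF, 0x5E, 0x0A, 0xBB, 0xEC,
    0xB1, 0x2B, 0x70, 0x88, 0x88, 0xED, 0x46, 0x38, 0xDB, 0xDA,
    0x6C, 0xBD, 0xD4, 0x06, 0x77, 0xF2, 0xCF, 0x56, 0x88, 0xC6,
    0x31, 0xD2, 0xB7, 0x5A, 0xC1, 0x42, 0xB0, 0xF4, 0x48, 0x37,
    0xF5, 0x2C, 0xF5, 0x58,
])


def keystream(key, n):
    """Generate n keystream bytes with the challenge's RC4 variant."""
    s = list(range(256))
    j = 0
    for i in range(256):
        # Standard RC4 uses j = j + S[i] + key[...]; this variant doubles j first.
        j = (2 * j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    j = k = 0
    out = []
    for _ in range(n):
        # Standard RC4 increments one index by 1; here j advances by k and k by S[j].
        j = (j + k) % 256
        k = (k + s[j]) % 256
        s[j], s[k] = s[k], s[j]
        # The output index carries an extra "+ k" compared with standard RC4.
        out.append(s[(s[j] + s[k] + k) % 256])
    return out


def encrypt(plain, key=KEY):
    # Assumed forward direction: XOR with the keystream, then add i % 13.
    ks = keystream(key, len(plain))
    return bytes(((p ^ r) + i % 13) & 0xFF for i, (p, r) in enumerate(zip(plain, ks)))


def decrypt(cipher, key=KEY):
    # Inverse order: subtract i % 13 first, then XOR with the keystream.
    ks = keystream(key, len(cipher))
    return bytes(((c - i % 13) & 0xFF) ^ r for i, (c, r) in enumerate(zip(cipher, ks)))


if __name__ == "__main__":
    print(decrypt(ENC))
```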