首页 > 其他分享 >几道rust逆向

几道rust逆向

时间:2023-03-14 23:12:10浏览次数:50  
标签:逆向 return mm si128 几道 key v8 input rust

以前做了一两次rs题,唯一感觉就是这是什么大粪语言

今天好好练一下,两个简单题和一个又臭又长的题

checkin-rs

用来入门rust逆向感觉挺不错的

首先得找main函数

但是这玩意不是main,在汇编里

这里的checkin_rs4main才是真正的main函数

main里的v0存了42个数据,很像enflag

中间都是一些报错处理,然后下面是重点

thread::spawn是创建线程,然后thread::JoinHandle是将线程加入处理队列

mpsc::Receiver就是主线程用于接收子线程数据的,mpsc是Multiple Producer Single Consumer,简单来说就是多个线程发送数据,然后单个线程接收数据

ref: https://skyao.io/learning-rust/std/sync/mpsc.html

v14那里就是输出Failed和Congratulation

大概理一下,main里面创建了子线程,用v12承接该线程返回的布尔数值,并根据该布尔值判断flag的正误

现在关键在于这几把线程在哪找

上面的参考网站里有一句话

Sender 或 SyncSender 用于向 Receiver 发送数据。

我们在函数中找一下Sender

drop那俩函数是释放内存用的,真正的sender是mpsc::Sender函数,我们对它交叉引用一下就能找到调用它的子线程了。其函数名是std::sys_common::backtrace::__rust_begin_short_backtrace::hff8c1f96768f50f6

这里面的逻辑比较简单,除开一大坨报错检查之外,其逻辑就是将输入的flag翻转,随后进行异或加密然后比对。

(中间还有一个将flag截断并延长的操作,但是好像没啥用?)

这里在进行翻转操作

这里对flag进行了flag[i] ^ i的加密,随后与最开始v0处的数据进行了比对

这里就是Sender的位置,发送了最后的比较数据

那么分析完成,写出exp即可

#include <stdio.h>
unsigned char ida_chars[] =
{
        0x7D, 0x20, 0x23, 0x22, 0x25, 0x24, 0x68, 0x72, 0x6E, 0x56,
        0x79, 0x62, 0x53, 0x79, 0x7D, 0x7A, 0x62, 0x4E, 0x7C, 0x7A,
        0x7F, 0x76, 0x73, 0x7F, 0x7B, 0x46, 0x7F, 0x68, 0x6E, 0x78,
        0x68, 0x7A, 'R', '~', '[', 'P', 'E', '@', ']', 'L', 'F', '\\', 'Z', 'H', 'I', '^'
};
int main() 
{
    for (int i = 45; i >= 0; --i) printf("%c", ida_chars[i] ^ i);
    return 0;
}

secpunk{easy_reverse_checkin_rust_is_fun!!!!!}

easy_rs

有点牛的题

这一部分是检查flag长度是否为64

注意这里的StrSearcher

汇编中发现其加载了unk数组,里面存放的是字符'-',结合下方

初步判断该flag格式是64字节,并且其中含有8个'-'

同时,调试的时候发现86行的函数内会将flag分成8个8字节的块,我们猜测flag格式是0123456-1234567-2345678-3456789-4567890-5678901-6789012-7890123均匀划分的

(最终这个题的密文是2055字节,并且很良心地把密文输出了一下,这也可以发现必须是这样均匀划分才能做到密文是2055字节)

主要加密流程在函数easy_rs::mix::_$u7b$$u7b$closure$u7d$$u7d$::hf56f2cf042c7aa74中,动调可以发现:加密分成了六个部分

并且其顺序为:transform128 -> transform228 -> transform_base28 -> transform_anti28 -> transform_shift28 -> transform_base28 -> transform_anti28 -> transform_rev28

每一轮mix函数都将8位flag放进去加密,一共执行了8轮mix,每一轮mix中又执行了5轮transform函数链。

我们将每一部分函数分开来看

transform128

参数中a2是key, a3是input

动调可以发现该函数的唯一作用就是将input与key异或

下面的do..while永远不会执行

除此之外,在动调过程中会发现key值在不断地改变

在这里下断点,ecx内存储的是当前key值,我们会发现这个key值每五轮改变一次,是[0, 1, 2, 3 ,4, 5, 6, 7],也就是说,每一次执行mix函数该值都会改变

用python翻译一下就是

transform128_key = [0, 1, 2, 3, 4, 5, 6, 7]

def transform128(input, key):
    temp = b''
    for i in input:
        temp += pack('B', i ^ key)
    return temp

transform228

这个函数比较恶心,在每一轮mix中它的五次执行都有不同的控制流和key。key是[0xa, 0xb, 0x8, 0x9, 0xe, 0xf, 0xc, 0xd],控制流如下

轮1

执行了do..while_1和do..while_2(上面是1下面是2)

轮2

仅执行了do..while_2

轮3

执行了si128_if ,就是这个的if部分

轮4

执行了si128_if和do..while_2

轮5

执行了si128_else和do..while_2

在si128_if之前有一个比较难分析的地方:这个key被shuffle_epi32函数后到底变成了什么

在汇编中可以看见被存进了浮点数寄存器xmm0中,我们写个idapython提取一下

import idaapi


def convert2hex(m): # b'\x12\x32' -> 0x3412
    s = 0
    for i in range(len(m) - 1, -1, -1):
        s += m[i]
        s *= 0x100
    return hex(s)

def convert2hex_space(m): # b'\x12\x32' -> 12 34
    s = ''
    for i in range(len(m)):
        s += hex(m[i])[2:].rjust(2, '0') + ' '
    return s

def start(regs):
    for i in regs:
        b_rax = idaapi.get_reg_val(i)
        hex_rax = convert2hex(b_rax)
        hexspace_rax = convert2hex_space(b_rax)
        print(i + ' -> : ')
        print("\t bytes view: ", end="")
        print(b_rax)
        print("\t hex view: ", end="")
        print(hex_rax)
        print("\t hex view with space: ", end="")
        print(hexspace_rax)

regs = ["xmm0",
]
start(regs)

可以看见,是把key转换成bytes类型后复制了16份

依旧用python翻译一下整个函数,为了写exp方便一点,这里我们将函数拆成五个if来写。

有点多

def long2bytes(n):
    res = []
    while (n):
        res.append(n % 0x100)
        n //= 0x100
    return bytes(res)

def _mm_xor_si128(a, b):
    return bytes([x ^ y for x, y in zip(a, b)])

def _mm_add_epi8(a, b):
    return bytes([x + y for x, y in zip(a, b)])

def _mm_and_si128(a, b):
    return bytes([x & y for x, y in zip(a, b)])

transform228_key = [0xa, 0xb, 0x8, 0x9, 0xe, 0xf, 0xc, 0xd]
def transform228(input, key, round):
    length = len(input)
    v8 = []
    a2 = 0
    if round == 1:
        for i in range(3):
            v8.append(input[i] ^ (key + (a2 & 1)))
            a2 += 1

        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)

        v8.append(v31 ^ input[3])
        v8.append(v32 ^ input[4])
        v8.append(v31 ^ input[5])
        v8.append(v32 ^ input[6])
        return bytes(v8)

    elif round == 2:
        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)

        for i in range(0, 16, 4):
            v8.append(v31 ^ input[i])
            v8.append(v32 ^ input[i + 1])
            v8.append(v31 ^ input[i + 2])
            v8.append(v32 ^ input[i + 3])
        return bytes(v8)

    elif round == 3:
        v8 = b''
        v11 = pack('B', key) * 16
        si128 = long2bytes(0x1000100010001000100010001000100)

        v23 = _mm_add_epi8(v11, si128)
        v24 = _mm_xor_si128(input[0:16], v23)
        v25 = _mm_xor_si128(v23, input[16:32])
        v8 += v24
        v8 += v25
        return v8

    elif round == 4:
        v8 = b''
        v11 = pack('B', key) * 16
        si128 = long2bytes(0x1000100010001000100010001000100)
        v23 = _mm_add_epi8(v11, si128)
        v24 = _mm_xor_si128(input[0:16], v23)
        v25 = _mm_xor_si128(v23, input[16:32])
        v8 += v24
        v8 += v25

        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)
        for i in range(32, 56, 4):
            v8 += pack('B', v31 ^ input[i])
            v8 += pack('B', v32 ^ input[i + 1])
            v8 += pack('B', v31 ^ input[i + 2])
            v8 += pack('B', v32 ^ input[i + 3])
        return v8
    elif round == 5:
        v8 = b''
        v11 = pack('B', key) * 16
        v14 = long2bytes(0xF0E0D0C0B0A09080706050403020100)
        v16 = long2bytes(0x1010101010101010101010101010101)
        v17 = long2bytes(0x40404040404040404040404040404040)

        v19 = _mm_add_epi8(_mm_and_si128(v14, v16), v11)
        val_0 = _mm_xor_si128(input[0:16], v19)
        val_1 = _mm_xor_si128(input[16:32], v19)
        val_2 = _mm_xor_si128(input[32:48], v19)
        val_3 = _mm_xor_si128(input[48:64], v19)

        si128 = _mm_and_si128(v14, v16)
        v23 = _mm_add_epi8(v11, si128)
        v24 = _mm_xor_si128(input[64:80], v23)
        v25 = _mm_xor_si128(input[80:96], v23)

        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)
        v8 += val_0 + val_1 + val_2 + val_3 + v24 + v25
        for i in range(96, 104, 4):
            v8 += pack('B', v31 ^ input[i])
            v8 += pack('B', v32 ^ input[i + 1])
            v8 += pack('B', v31 ^ input[i + 2])
            v8 += pack('B', v32 ^ input[i + 3])
        return v8

transform_base28

这个比较简单,一轮mix会执行两次,第一次是换表base64,第二次是不换表base64

def transform_base28(input, round):
    orig_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    new_table = '+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    if round & 1 == 1:
        dic = str.maketrans(orig_table, new_table)
        return ((str(base64.b64encode(input)).translate(dic))[2:-1]).encode()
    else:
        return base64.b64encode(input)

transform_anti28

这里有异或加密以及一步反动调

正常做的时候会发现最后一步异或很不对劲,最终会发现这里有一步反调试

当procfs::process::Process::status::hcb60ea34dc13cf4b检测到调试器后,anti_debug处的eax的值会变成一个常数,而我们把这个函数nop掉后,该eax的值会变成0

这个函数的原型可以参考官方文档

https://docs.rs/procfs/latest/procfs/process/struct.Process.html

pub fn status(&self) -> ProcResult<Status>

Return the Status for this process, based on the /proc/[pid]/status file.

按照官方文档的说法,这里会获取进程的全部信息,那么应该是通过这种方法检测到了调试器,并将相应的值赋了上去,以形成反调试对我们的算法分析产生干扰。

那么现在这个函数的流程就很简单了

transform_anti28_key = [0x29, 0xc5]
def transform_anti28(input, key):
    anti_debug = 0
    v6 = b''
    for i in range(len(input)):
        if i & 1 != 0:
            v8 = input[i] ^ (key + 1)
        else:
            v11 = input[i] ^ key
            v8 = anti_debug ^ v11

        v6 += pack("B", v8)
    return v6

但是nop完好像调试的时候就会报错,可能小小的出了个锅emm。。

transform_shift28

评价是没用

transform_rev28

这个很简单,就是翻转字符串

解密脚本非常好写,我们发现除了base64以外的加密都是单字节异或,那直接反着跑一次就行了,base64把encode改成decode就行

from struct import *
import base64

transform128_key = [0, 1, 2, 3, 4, 5, 6, 7]

def transform128(input, key):
    temp = b''
    for i in input:
        temp += pack('B', i ^ key)
    return temp

def long2bytes(n):
    res = []
    while (n):
        res.append(n % 0x100)
        n //= 0x100
    return bytes(res)

def _mm_xor_si128(a, b):
    return bytes([x ^ y for x, y in zip(a, b)])

def _mm_add_epi8(a, b):
    return bytes([x + y for x, y in zip(a, b)])

def _mm_and_si128(a, b):
    return bytes([x & y for x, y in zip(a, b)])

transform228_key = [0xa, 0xb, 0x8, 0x9, 0xe, 0xf, 0xc, 0xd]
def transform228(input, key, round):
    length = len(input)
    v8 = []
    a2 = 0
    if round == 1:
        for i in range(3):
            v8.append(input[i] ^ (key + (a2 & 1)))
            a2 += 1

        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)

        v8.append(v31 ^ input[3])
        v8.append(v32 ^ input[4])
        v8.append(v31 ^ input[5])
        v8.append(v32 ^ input[6])
        return bytes(v8)

    elif round == 2:
        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)

        for i in range(0, 16, 4):
            v8.append(v31 ^ input[i])
            v8.append(v32 ^ input[i + 1])
            v8.append(v31 ^ input[i + 2])
            v8.append(v32 ^ input[i + 3])
        return bytes(v8)

    elif round == 3:
        v8 = b''
        v11 = pack('B', key) * 16
        si128 = long2bytes(0x1000100010001000100010001000100)

        v23 = _mm_add_epi8(v11, si128)
        v24 = _mm_xor_si128(input[0:16], v23)
        v25 = _mm_xor_si128(v23, input[16:32])
        v8 += v24
        v8 += v25
        return v8

    elif round == 4:
        v8 = b''
        v11 = pack('B', key) * 16
        si128 = long2bytes(0x1000100010001000100010001000100)
        v23 = _mm_add_epi8(v11, si128)
        v24 = _mm_xor_si128(input[0:16], v23)
        v25 = _mm_xor_si128(v23, input[16:32])
        v8 += v24
        v8 += v25

        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)
        for i in range(32, 60, 4):
            v8 += pack('B', v31 ^ input[i])
            v8 += pack('B', v32 ^ input[i + 1])
            v8 += pack('B', v31 ^ input[i + 2])
            v8 += pack('B', v32 ^ input[i + 3])
        return v8
    elif round == 5:
        v8 = b''
        v11 = pack('B', key) * 16
        v14 = long2bytes(0xF0E0D0C0B0A09080706050403020100)
        v16 = long2bytes(0x1010101010101010101010101010101)
        v17 = long2bytes(0x40404040404040404040404040404040)

        v19 = _mm_add_epi8(_mm_and_si128(v14, v16), v11)
        val_0 = _mm_xor_si128(input[0:16], v19)
        val_1 = _mm_xor_si128(input[16:32], v19)
        val_2 = _mm_xor_si128(input[32:48], v19)
        val_3 = _mm_xor_si128(input[48:64], v19)

        si128 = _mm_and_si128(v14, v16)
        v23 = _mm_add_epi8(v11, si128)
        v24 = _mm_xor_si128(input[64:80], v23)
        v25 = _mm_xor_si128(input[80:96], v23)

        v30 = a2 & 1
        v31 = key + v30
        v32 = key + (v30 ^ 1)
        v8 += val_0 + val_1 + val_2 + val_3 + v24 + v25
        for i in range(96, 107, 4):
            v8 += pack('B', v31 ^ input[i])
            v8 += pack('B', v32 ^ input[i + 1])
            v8 += pack('B', v31 ^ input[i + 2])
            v8 += pack('B', v32 ^ input[i + 3])
        return v8

def transform_base28(input, round):
    orig_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    new_table = '+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    if round & 1 == 1:
        dic = str.maketrans(orig_table, new_table)
        return ((base64.b64encode(input)).translate(dic)).encode()
    else:
        return base64.b64encode(input)

transform_anti28_key = [0x29, 0xc5]
def transform_anti28(input, key):
    anti_debug = 0
    v6 = b''
    for i in range(len(input)):
        if i & 1 != 0:
            v8 = input[i] ^ (key + 1)
        else:
            v11 = input[i] ^ key
            v8 = anti_debug ^ v11

        v6 += pack("B", v8)
    return v6

def transform_shift28(input):
    return input

def transform_rev28(input):
    return input[::-1]

def dec_transform_base28(input, round):
    orig_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    new_table = '+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    if round & 1 == 1:
        dic = str.maketrans(new_table, orig_table)
        return base64.b64decode(input.decode().translate(dic))
    else:
        return base64.b64decode(input)

def decrypt(data):
    flag = b''
    global transform128_key, transform228_key, transform_anti28_key
    for i in range(8):
        enflag = dec_transform_base28(data.split(b'_')[i], 0)
        for j in range(5, 0, -1):
            enflag = transform_rev28(enflag)
            enflag = transform_anti28(enflag, transform_anti28_key[1])
            enflag = dec_transform_base28(enflag, 0)
            enflag = transform_shift28(enflag)
            enflag = transform_anti28(enflag, transform_anti28_key[0])
            enflag = dec_transform_base28(enflag, 1)
            enflag = transform228(enflag, transform228_key[i], j)
            enflag = transform128(enflag, transform128_key[i])
        flag += enflag + b'-'
    return flag[:-1]


if __name__ == '__main__':
    enflag = bytes.fromhex("73494F2B67497638714A4B7668373643386132556C34767739706545736132586E494355704B4F706849434538613264686679446F344366725A7A796A3547556F6257446C344F586B5943636B4B3258676643556C493674395A794A715A47416E4B61546C4B4F50714A47327162364E674C47746B712B446736534E6A3669557459654F6C344B39725A3244672F6153675A65546E5A2B5072616144693736666E3479546A61795439704C7A725936436C364B5267717958396F3258395A4758725053456E4A536D725A53796A363258702F54306C4C61586B614F4A7159476D725053416E4B6630394A47667161366D686257556C495038726161423850614E5F684943756E5A6174674A79766837366B2F7643746C497548395A6563746169646F373332703553556B35656967506141676679746E624778717144796F594F52365A2B746E4A614C713532766B3632586E4A54326C496D74394A794F72613655673565446A6247586B354C7A76593643674975656A612B68396F3242692F5358724A2B44676F4339725A32732F4B32676F7053426B706566725A796B384B715276492B446A5A2B4D395A53787666536D6F4A53526749365439702B4E6A3553586A4B33317070794C714A532F6836365371616D2B6C3643446C4B654839494F6B725A2B7470714754673547666836756D696679716C4B79396B3643313950574E5F73494F2B67497638714A4B7668373643386132556C34767739706545736132586E49435570494750394A4B49384B3252675053556B714371393665696F6F5341725043516C3457506C4932666B4B3258676643556C4B2F3068494B4A2F4A364167356554704B4F50714A47327162364E674C47746B712B446736534672623658705032656C344B39725A322F7666615368592F306B5A7975674A65587270474E6A7679746E504C30395A4B667266574E6C4B4B726E595077396F324971617155692F53456E344774725A3253674953516E492B4F6C363648714B61636935535870344F746B614877767048707161366D686257556C495038726161423850614E5F746F4F756B597570673661766837366E2F7643546C34767739707957384936676F5965556C346D50675943387461714E674975726C72794C6B354C7974594352725053756E4A654D6A7161446B2F61516A5A4F546C342B506735654C715A4743673565446B4A79686B3565766835366A6A716D746C494F54673653786A3447417334656F6E4A61486A7079796B354F57703565546C4A6630717079586949366672492B446A627950394A47766A36326367616D726B762B506B344C706A3675556B6F69426770617471705363716F435869616D2B6C354B446C4B4F436A3675556F3757716E4B6568397047746E2F61636C3454336E374C387261616E692F574E5F73494F2B67497638714A4B7668373643386132556C34767739706545736132586E49435570494750394A4B49384B3252675053556B716578674A4B6E394A4755716643546C3457396B3443636B4B3258676643556C493674395A794A715A47416E4B61546C4B4F50714A47326836694E676247746B707A396B3562796A3669527459654F6C344B39725A324467344F6A715A4F546E6166777170796B67344F666E3479446A66476839704B4A7466656369616D726E61794C6B35794E6A3553586B6F65726A595339714A616A385A53556A592B6F6B5A4B456C4B4F6339494F6D6F4A79746B614877767048707161366D686257556C495038726161423850614E5F2F344F756E5965666736662F683453432F7644326B7261746E706545735A47417262577170346D7072705357672F616D6E34754F6F4943786B4B53686935476469725774706F6D4C39714F762F506155696679556C4B2F77717047696A49476E2F3566326C366630395A53426E36326369616D426F502B78684A4B74683447416C59656F6E4A613967365363716171516F3565426C35574567594B58694B6953736679546A66474C7149323168354758674B32726C707A7839714368384C3652693733306C3443397170324A746136433876534F6C354C306C4A654C716169556A494F746F36663039594B532F4B6963704975446E374B506735622B3950574E5F73494F2B67497638714A4B7668373643386132556C34767739706545736132586E494355704B4F706849434538613264686679446F344366725A7A796A354755366257746E49507768494B736B3632636F366D556C4B4F50725A79466E344F6D67356574677166307135667A68353658693747546A5A7941684A79556B4A4F55726F2B546F3443396736534F716665576F714B45674B6D44727161582F62366D702F79746E496D50395A65667266574E6C4B4B726E595077396F3258395A4758725053456E4A534D714A542F7461716A6C49696F6B5969446C4B4F636A3675586F344F746B614877767048707161366D686257556C495038726161423850614E5F746F4F756B597570673661766837366E2F7643546C34767739707957384936676F5965556C364B757270477A384B324E6749756F6B6247787170326E6F6661527161326570343738673661796A354F526F6147746B622F307670654A682F6567736F75446B4A79686B3565567476574E6766534F6E49434467352B696950535371496631706F6D486A714338384A4F53386F2F306C3447746C494B582F5947676F354F746C36483071354C7A394B366D6C364B726B6F36546B3433706A3536583834656570355478714A5366716F435869592B4F6C374348714A795739494F67702F53716E4B6568397047746E2F61636C3454336E374C387261616E692F574E")
    flag = decrypt(enflag)
    print(flag)

welecom-toooooo-nu1lctf-2023hah-havegoo-odluckk-seeyouu-againnn

Ferris' proxy

占坑,这个更是个重量级

标签:逆向,return,mm,si128,几道,key,v8,input,rust
From: https://www.cnblogs.com/Here-is-SG/p/17216822.html

相关文章

  • Rust的安全性和稳健型
    Rust是围绕安全性和稳健性而设计的。也就是,安全代码是不使用unsafe关键字的代码,声音代码是不会导致内存损坏或其他未定义行为的代码。“未定义行为”(UB) 在 C、C++ 和......
  • 逆向工程
    1.软件汉化(.xml .arsc .dex):mt右上角高级搜索(全局搜索)字符 ——>.xml 文件开发者助手界面资源分析——> 点击需要汉化的文本复制,在MT全局搜索同......
  • 逆向-第二次实验
    本次实验内容是odbg爆破程序我使用的程序是爱盘-最新的在线破解工具包(52pojie.cn)  网上2020年的爆破教程,用的odbg也比较老这个中文版还可以下载解压之后先路......
  • java.security.KeyStoreException: problem accessing trust store
    发送邮件,使用了ssl认证,配置了相关代如下: 相同的配置在本地能发送邮件,在测试环境发送出现了下面的异常: 网上找了一些解决办法,说是把\jre\lib\security下的两个jar包......
  • Rust 3
    https://www.jetbrains.com.cn/rust/https://yew.rs/zh-Hans/docs/getting-started/introductionrustuptargetaddwasm32-unknown-unknown#notethatthismightta......
  • Rust 2
    ThisisthesourcecodeofthetraditionalHelloWorldprogram.//Thisisacomment,andisignoredbythecompiler.//Youcantestthiscodebyclickingthe......
  • Rust 1
    curl--proto'=https'--tlsv1.2-sSfhttps://sh.rustup.rs|shRustisamodernsystemsprogramminglanguagefocusingonsafety,speed,andconcurrency.Itac......
  • js逆向——小红书请求头参数X-s逆向(附源码)
    今天搞了一波web端小红书请求头参数X-s的逆向,给大伙分享一下逆向思路。逆向网站:https://www.xiaohongshu.com/explore。界面如下:  这是逆向参数:  通过全局搜索,发......
  • 【质因数分解算法详解】C/Java/Go/Python/JS/Dart/Swift/Rust等不同语言实现
    关于质因数分解算法的不同语言实现,通过实例来看不同语言的差异什么是质因数算法?即任意一个合数可以分解为多个质数相乘。例如:20=2*2*545=3*3*5210=2*......
  • 《渗透测试》算法分析&传输加密&数据格式&密文存储&代码混淆&逆向保护 2023 day8
           1数据在传输的时候为什么要进行编码   安全测试的时候往往会对url等地方进行修改、构造数据。数据传输的时候被编码的话,如果不按照对应编码......