0x01 关于rc4

rc4简介

rc4的维基

具体实现

step1 rc4_init()

void rc4_init(unsigned char* s_box,unsigned char* key)
{
	int i=0,j=0;
	char k[256];
	int len=strlen(key);
	
	for(i=0;i<256;i++){
	//以256填充s盒
	s[i]=i;
	
	//使用key循环填充k
	k[i]=key[i%len];
	}
	//打乱s盒
	for(i=0;i<len;i++){
	j=(j+s_box[i]+k[i]);
	swap(s_box[i],s_box[j]);
	}
}

step3 rc4_crypt()

void rc4_crypt(unsigned char* s_box,char* data)
{
	int i=0,j=0;
	int result=0;
	int len=strlen(data);
	
	for(int k=0;k<len;k++){
	i=(i+1)%256;
	j=(j+s_box[i])%256;
	swap(s_box[i],s_box[j]);
	result=(s_box[i]+s_box[j])%256;
	data[k]^=s_box[i];
	}
}

0x02 rc4解密

rc4解密关键在于key的选取，只要有正确的key和密文，编写脚本再跑一遍密文即可

0x03 关于题目

关于密文

IDA的问题，没有识别出v8和v9，buf1数组共四个数据

关于key

追踪key

检查交叉，发现是假key

xor解密

key="fenkey?"
key=list(key)
key1=[10, 12, 26, 8, 17, 31, 30]
for i in range(len(key)):
    key[i]=chr(ord(key[i])^key1[i])
for i in range(0,len(key)):
    print(key[i],end="")
//litctf!

0x03 EXP

#include "string"
#include <cstring>
using namespace std;
long long buf[4];
unsigned char v10[256];
unsigned char v11[256];

void rc4_init()
{
    char key[]="litctf!";
    unsigned int a3= strlen(key);
    for (int i = 0; i < 256; ++i) {
        v10[i]=i;
        v11[i]=key[i%a3];
    }
    int j=0;
    for (int i = 0; i < 256; ++i)
    {
        j=(j+v10[i]+v11[i])%256;
        swap(v10[i],v10[j]);
    }
}

void rc4_crypt(char* flag) {
    int i = 0, j = 0;
    int result;
    unsigned long len= strlen(flag);
    for (int k = 0; k < len; ++k) {
        i = (i + 1) % 256;
        j = (j+v10[i])%256;
        swap(v10[i], v10[j]);
        result = (v10[i]+v10[j])%256;
        flag[k]^=v10[result];
    }
}

int main() {
    buf[0]=0x606EA290DC7CB2D5;
    buf[1]=0x3190B05971E41306;
    buf[2]=0xD71DC7B2;
    buf[3]=0x7F;
    rc4_init();
    rc4_crypt((char*) buf);
    printf("%s",buf);
    return 0;
}
//LitCTF{rc4_love_nice 少个“}”,O.o?