NewStar re ezencrypt wp
Open it in jadx.
Find the encryption routine and click into it.
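The input is first AES-encrypted with title as the key, then Base64-encoded, then passed to doEncCheck. We could not find the source of doEncCheck.
The official writeup mentions:
The native tag means the function is written in C, and its body is in the .so file. Learned something new.
Open it in IDA.
It is RC4. RC4 is a stream cipher and is essentially an XOR with a keystream, so running RC4 once more decrypts: a^b=c, c^b=a
The code is as follows: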
key = 'meow'
k = [ord(key[i]) for i in range(len(key))]
# Encrypted target bytes
flag = [
    0xC2, 0x6C, 0x73, 0xF4, 0x3A, 0x45, 0x0E, 0xBA, 0x47, 0x81,
    0x2A, 0x26, 0xF6, 0x79, 0x60, 0x78, 0xB3, 0x64, 0x6D, 0xDC,
    0xC9, 0x04, 0x32, 0x3B, 0x9F, 0x32, 0x95, 0x60, 0xEE, 0x82,
    0x97, 0xE7, 0xCA, 0x3D, 0xAA, 0x95, 0x76, 0xC5, 0x9B, 0x1D,
    0x89, 0xDB, 0x98, 0x5D
]
sbox = [i for i in range(256)]

def init_sbox():
    # RC4 key scheduling (KSA): shuffle the S-box using the key
    v2 = 0
    v3 = 0
    for i in range(256):
        v1 = sbox[i] % 256
        v3 = (k[v2] + v1 + v3) % 256
        sbox[i] = sbox[v3]
        sbox[v3] = v1
        v2 += 1
        if v2 >= len(k):
            v2 = 0

init_sbox()

def encc():
    # RC4 keystream generation (PRGA), XORed into flag in place
    v6 = 0
    v5 = 0
    for i in range(len(flag)):
        v6 = (v6 + 1) % 256
        v5 = (sbox[v6] + v5) % 256
        sbox[v5], sbox[v6] = sbox[v6], sbox[v5]
        flag[i] ^= sbox[(sbox[v5] + sbox[v6]) % 256]

encc()

# Final layer: XOR with the repeating key, then print the result
for i in range(len(flag)):
    flag[i] ^= k[i % 4]
    print(chr(flag[i]), end='')
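Before moving on to the AES step, it helps to confirm two things: that the routine really is standard RC4 (checked against the well-known "Key" test vector), and that the native layer's output is valid Base64. The following is an added example, not code from the original post or the challenge; the function names and the sample input are constructed for illustration, and the RC4-then-XOR order mirrors the script above.

```python
import base64
import binascii

KEY = b"meow"  # key used in the script above

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def native_layer(data: bytes, key: bytes) -> bytes:
    """RC4 plus XOR with the repeating key. Both steps are XORs,
    so the order does not matter and the function is its own inverse."""
    ks = rc4_keystream(key, len(data))
    return bytes(b ^ ks[i] ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_base64(data: bytes) -> bool:
    """The Java layer Base64-encodes before the native check, so a
    correctly peeled native layer must decode as strict Base64."""
    try:
        base64.b64decode(data, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

# Constructed sample standing in for the Base64 text the Java layer produces.
SAMPLE = base64.b64encode(b"constructed sample block")

if __name__ == "__main__":
    # Published RC4 test vector: key "Key" gives keystream eb9f7781b734ca72a7...
    print(rc4_keystream(b"Key", 9).hex())
    blob = native_layer(SAMPLE, KEY)       # what the native check would see
    recovered = native_layer(blob, KEY)    # applying it again undoes it
    print(recovered == SAMPLE, looks_like_base64(recovered))
```

If the recovered bytes fail the Base64 check, the key or the decompiled routine was read wrong, and there is no point feeding the result to the AES step.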
https://cyberchef.org/
On this site, first Base64-decode and then AES-decrypt. Note that the parameters must match those in the decompiled code, such as Mode, UTF8, etc.
This gives the flag.
From: https://blog.csdn.net/LH1013886337/article/details/143250905