NewStar re ezencrypt wp

NewStar re ezencrypt wp

jadx打开

[外链图片转存中…(img-qiKfNETY-1729913193217)]

发现加密，点进去

[外链图片转存中…(img-q5cEWSnD-1729913193218)]

发现先AES加密，key是title，然后Base64编码，让母后doEncCheck，我们没找到doEncCHeck的源码

官解提到

有 native 标签说明函数是 C 语言编写的，主体在 so 文件。涨知识

ida打开

是个RC4算法，RC4加密是个流加密算法，本质时异或，因此在执行一次RC4就能解密，a^b=c c^ b=a

代码如下：

key = 'meow'

k = [ord(key[i]) for i in range(len(key))]

flag = [
  0xC2, 0x6C, 0x73, 0xF4, 0x3A, 0x45, 0x0E, 0xBA, 0x47, 0x81,
  0x2A, 0x26, 0xF6, 0x79, 0x60, 0x78, 0xB3, 0x64, 0x6D, 0xDC,
  0xC9, 0x04, 0x32, 0x3B, 0x9F, 0x32, 0x95, 0x60, 0xEE, 0x82,
  0x97, 0xE7, 0xCA, 0x3D, 0xAA, 0x95, 0x76, 0xC5, 0x9B, 0x1D,
  0x89, 0xDB, 0x98, 0x5D
]

sbox = [i for i in range(256)]

def init_sbox():
  v2 = 0
  v3 = 0
  for i in range(256):
    v1 = sbox[i] % 256
    v3 = (k[v2] + v1 + v3) % 256
    sbox[i] = sbox[v3]
    sbox[v3] = v1
    v2 += 1
    if v2 >= len(k):
      v2 = 0

init_sbox()

def encc():
  v6 = 0
  v5 = 0
  for i in range(len(flag)):
    v6 = (v6 + 1) % 256
    v5 = (sbox[v6] + v5) % 256
    sbox[v5], sbox[v6] = sbox[v6], sbox[v5]
    flag[i] ^= sbox[(sbox[v5] + sbox[v6]) % 256]

encc()

for i in range(len(flag)):
  flag[i] ^= k[i % 4]
  print(chr(flag[i]), end='')

https://cyberchef.org/

在这个网站先Base64解码在解密，注意几个参数要跟反编译的参数一样，比如Mode，UTF8等

[外链图片转存中…(img-5ccYTzza-1729913193218)]

几个参数要跟反编译的参数一样，比如Mode，UTF8等

[外链图片转存中…(img-5ccYTzza-1729913193218)]

得到flag