美亚柏科2017

Author Avatar
Xzhah 1月 19, 2018
  • 在其它设备中阅读本文章

这次美(公)亚(费)柏(旅)科(游)还是好玩,近距离接触到了蓝莲花大哥和天枢大哥(大哥们真的很友好),仰望

先说总结

中文flag秀得我头晕,很多师傅当时貌似都吃了编码的亏,我也。。。
这是一个魔改rc4和魔改base64,把你输入的字符串加密后写入一个txt文档,要求写的内容是Itl9qnxD/IJhoarL,除了正常逆向之外,其实还可以不解释爆破。

魔改rc4

直接上图吧
1.png
2.png
初始化完成后就是对明文的加密
3.png

魔改base64

就是把base64的表替换成AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789+/

解决脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import base64
b64='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
vb64='AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789/+'
Dst=[0xA0,0x1A,0x04,0x68,0x23,0xBF,0x21,0x0D,0x14,0x47,0x26,0x56,0x42,0x41,0x0B,0xDC,0x5D,0x52,0x9C,0x61,0x58,0xA7,0xF5,0x31,0xB9,0xC9,0x5E,0xEE,0xA2,0x81,0x48,0x7B,0xD2,0xE1,0x8E,0x50,0x3C,0x72,0x4B,0x07,0x57,0xF6,0x99,0x59,0x6A,0x5A,0xD8,0x8B,0x27,0xEB,0x1B,0x54,0xC7,0x46,0x89,0xA6,0xB8,0xC6,0x9D,0xFA,0x91,0x70,0x7E,0x6D,0x92,0x10,0x08,0x4D,0xA3,0xCF,0x7C,0xF9,0x2B,0x2D,0xB6,0xDD,0x3F,0x69,0x43,0x63,0xA8,0x17,0xF7,0x1D,0x35,0xF1,0x3D,0x84,0x0E,0x86,0x03,0xAD,0x33,0x53,0x2C,0xE6,0x05,0x83,0x65,0x34,0x5B,0x20,0x9F,0xC5,0x3E,0x38,0x62,0x12,0x71,0xE2,0x7D,0x37,0xA1,0x15,0x40,0x4C,0xB2,0xBD,0xB5,0x3B,0xE3,0x00,0x67,0x32,0xAF,0xE5,0x6B,0xF2,0xFC,0xAC,0x18,0x75,0x3A,0xD0,0xA5,0x19,0xF8,0xBE,0xEF,0xA9,0x4E,0xEC,0x2E,0xD6,0xC0,0x49,0xDE,0xF4,0x9A,0x0F,0x24,0xF0,0xCC,0xA4,0xBC,0xE9,0xB0,0xDF,0x1C,0x97,0x6F,0x87,0xB3,0x90,0x66,0x25,0x29,0xE8,0x51,0x85,0xAB,0xAA,0x00,0xFE,0x80,0xB7,0x94,0xD7,0xBA,0x2A,0xB1,0x0A,0x01,0x4F,0x95,0xD1,0x22,0xE7,0x09,0x1E,0xB4,0x78,0x8F,0x8D,0xD3,0xD5,0x5F,0x6E,0x36,0x93,0x98,0xDA,0x88,0x64,0x13,0xE4,0x77,0x30,0x44,0xED,0x11,0xD9,0xE0,0xDB,0xBB,0xC4,0x2F,0x28,0x55,0xCA,0x8A,0xCB,0x9B,0xC1,0x7F,0x8C,0xCE,0xC3,0x0C,0x39,0xD4,0xF3,0xC8,0xFF,0xFD,0x73,0x79,0x16,0x1F,0xEA,0x76,0xC2,0x74,0x82,0x96,0x6C,0x60,0x4A,0xFB,0x02,0x06,0x45,0xCD,0xAE,0x9E,0x7A]
def cb64(s):
tmp=''
for i in s:
tmp+=b64[vb64.index(i)]
tmp=base64.b64decode(tmp)
return(tmp)
def crc4(s):
v4=0
v5=0
ans=''
for i in s:
v7=(v4+1)%256
v8=(Dst[v7]+v5)%256
Dst[v7]^=Dst[v8]
Dst[v8]^=Dst[v7]
Dst[v7]^=Dst[v8]
v9=(Dst[v7]+Dst[v8])%256
v4=v7+1
v5=v8+1
v6=i^Dst[v9]
ans+=chr(v6)
print(hex(v6))
return(ans)
key='Itl9qnxD/IJhoarL'
key=cb64(key)
key=crc4(key)

结果
4.png

flag

5.png

然后不解释爆破也可以,以下是爆破结果
flag.png