exec
用赛博厨手动解base,拿到混淆源码
# Alias table from the obfuscated challenge source. Every short name is a
# plain builtin (d=len, G=list, g=range, s=next, R=bytes, o=input, Y=print);
# `a` is only the always-true loop guard of the keystream generator l().
a=True
d=len
G=list
g=range
s=next
R=bytes
o=input
Y=print
def l(S):
    """RC4 PRGA: yield an endless keystream from the scheduled state S.

    S is the 256-entry permutation list built in N(); it is permuted in
    place on every step. The loop condition `a` is the module-level True
    defined above, so the generator never terminates on its own.
    """
    i=0
    j=0
    while a:
        i=(i+1)%256
        j=(j+S[i])%256
        S[i],S[j]=S[j],S[i]
        K=S[(S[i]+S[j])%256]
        yield K
def N(key,O):
    """RC4 variant used by the check: encrypt/decrypt O under key.

    The first loop is the textbook RC4 key schedule (KSA). The combining
    step `k^s(z)+2` parses as `k ^ (keystream + 2)` because + binds tighter
    than ^, so each keystream byte is offset by 2 before the XOR; XOR is its
    own inverse, so the same call decrypts. A keystream byte of 0xFE/0xFF
    gives a value >= 256 and R(n) (bytes) raises ValueError; an empty key
    raises ZeroDivisionError at key[i%I].
    """
    I=d(key)
    S=G(g(256))
    j=0
    for i in g(256):
        j=(j+S[i]+key[i%I])%256
        S[i],S[j]=S[j],S[i]
    z=l(S)
    n=[]
    for k in O:
        # keystream byte + 2, then XOR (precedence: + before ^)
        n.append(k^s(z)+2)
    return R(n)
def E(s,parts_num):
    """Split s into parts_num consecutive slices; the first Q%parts_num
    slices are one unit longer so that they concatenate back to s.

    NOTE(review): Q counts characters of s.decode(), but the slices are
    taken by byte index, so the two agree only for ASCII input (and a
    non-UTF-8 s raises UnicodeDecodeError before splitting).
    """
    Q=d(s.decode())
    S=Q//parts_num
    u=Q%parts_num
    W=[]
    j=0
    for i in g(parts_num):
        T=j+S
        # hand out the remainder one unit at a time to the leading slices
        if u>0:
            T+=1
            u-=1
        W.append(s[j:T])
        j=T
    return W
if __name__=='__main__':
    # The flag is read as bytes; each half is encrypted separately and the
    # hex of both halves is compared against two fixed strings.
    L=o('input the flag: >>> ').encode()
    # Even byte length, so E(L,2) yields two equal halves for ASCII input.
    # (assert is stripped under -O; it is validation here, not a check.)
    assert d(L)%2==0,'flag length should be even'
    # Hard-coded key: the expected ciphertext is decryptable with nothing
    # more than this constant and the two hex strings below.
    t=b'v3ry_s3cr3t_p@ssw0rd'
    O=E(L,2)
    U=[]
    for i in O:
        U.append(N(t,i).hex())
    # NOTE(review): as printed here the two hex strings are 76 and 66 digits
    # long (38 + 33 = 71 bytes); two halves produced by E differ in length by
    # at most one, so no input can satisfy this comparison as listed. Verify
    # the strings against the original file before relying on them.
    if U==['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60','2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
        Y('Congratulations! You got the flag!')
    else:
        Y('Wrong flag!')
rc4直接秒了
exp
# Obfuscation aliases carried over from the challenge listing so the exploit
# stays a drop-in replacement for it; each name is bound to its builtin.
a = True
d, G, g, s, R, o, Y = len, list, range, next, bytes, input, print
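def l(S: list[int]):
    """RC4 PRGA: yield keystream bytes forever from the scheduled state S.

    Args:
        S: the 256-entry permutation produced by the key schedule. It is
           permuted in place on every step, so do not reuse it elsewhere.

    Yields:
        int: the next keystream byte (0..255).
    """
    i = j = 0
    # `while True` replaces the obfuscation's `while a` (a module global
    # that is always True), so the generator no longer depends on it.
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]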
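def N(key: bytes, O: bytes) -> bytes:
    """Apply the challenge's RC4 variant to O under `key` (symmetric).

    The key schedule (KSA) is textbook RC4. The only deviation is the
    combining step, which XORs each byte with (keystream + 2): the original
    `k ^ next(z) + 2` parses that way because + binds tighter than ^. XOR
    is an involution, so calling N on ciphertext recovers the plaintext.
    The PRGA is inlined so this routine can be lifted on its own.

    Args:
        key: non-empty key bytes.
        O: bytes to encrypt or decrypt.

    Returns:
        bytes of the same length as O.

    Raises:
        ValueError: if key is empty, or if a keystream byte is 0xFE/0xFF
            (keystream + 2 then exceeds 255 and bytes() rejects it; this
            is inherited from the challenge and kept so output matches).
    """
    if not key:
        raise ValueError("key must be non-empty")
    key_len = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]

    def prga():
        # Standard RC4 output loop over the scheduled state S.
        i = j = 0
        while True:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            yield S[(S[i] + S[j]) % 256]

    ks = prga()
    # keystream byte + 2, then XOR (precedence of the original expression)
    return bytes(k ^ (next(ks) + 2) for k in O)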
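def E(s: bytes, parts_num: int) -> list[bytes]:
    """Split s into parts_num consecutive chunks as evenly as possible.

    The first len(s) % parts_num chunks are one byte longer than the rest,
    so the chunks concatenate back to s. Length is measured in bytes; the
    original used len(s.decode()), which disagrees with byte slicing for
    any non-ASCII input and raises on non-UTF-8 bytes.

    Args:
        s: the data to split.
        parts_num: number of chunks, must be >= 1.

    Returns:
        list of parts_num byte strings (some may be empty when s is short).

    Raises:
        ValueError: if parts_num < 1.
    """
    if parts_num < 1:
        raise ValueError("parts_num must be >= 1")
    base, extra = divmod(len(s), parts_num)
    parts = []
    start = 0
    for idx in range(parts_num):
        # the first `extra` chunks absorb the remainder, one byte each
        end = start + base + (1 if idx < extra else 0)
        parts.append(s[start:end])
        start = end
    return parts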
if __name__ == '__main__':
    # Key and the two expected ciphertext halves, both lifted from the
    # challenge source. The cipher is XOR-based, so running the same routine
    # over each half decrypts it; printing with end="" glues the halves back
    # together as the flag.
    t = b'v3ry_s3cr3t_p@ssw0rd'
    enc=['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60','2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']
    for half in map(bytes.fromhex, enc):
        print(N(t, half).decode(), end="")
joyVBS
去混淆脚本
import ast
import operator
import re
import sys
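# Operators accepted inside chr(...): plain integer arithmetic only, so a
# crafted .vbs file cannot run code through the expression evaluator (the
# original handed the captured text to eval()).
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
# VBScript identifiers are case-insensitive, so Chr( / CHR( must match too.
# The capture is non-greedy: a nested ")" inside chr(...) truncates it
# (behaviour inherited from the original pattern).
_CHR_CALL = re.compile(r'chr\((.*?)\)', re.IGNORECASE)


def _eval_arith(expr: str):
    """Evaluate a numeric expression made only of literals and + - * // %.

    Raises ValueError for anything else (names, calls, attributes, ...) and
    SyntaxError for text that is not a Python expression. VBS `^` (power)
    is not supported; eval() would have silently treated it as XOR.
    """

    def walk(node: ast.AST):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported expression element: {type(node).__name__}")

    return walk(ast.parse(expr, mode="eval").body)


def deobfuscate_vbs_from_file(file_path):
    """Recover the text hidden in chr(<expr>) calls of an obfuscated VBS file.

    Every chr(...) argument found on each line is evaluated as integer
    arithmetic and, when it lies in 0..255, appended as a character.
    Arguments that fail to evaluate are reported on stdout and skipped.

    Args:
        file_path: path of the .vbs file to read (text mode, default encoding).

    Returns:
        str: the recovered characters in file order.

    Raises:
        OSError: if the file cannot be opened.
    """
    chars = []
    with open(file_path, 'r') as file:
        for line in file:
            for match in _CHR_CALL.findall(line):
                # VBS "/" becomes Python "//" (as in the original) so the
                # result stays an int that chr() accepts.
                expr = match.replace("/", "//")
                try:
                    char_value = _eval_arith(expr)
                    if 0 <= char_value <= 255:
                        chars.append(chr(char_value))
                except Exception as e:
                    # best effort: report and keep going, like the original
                    print(f"Error evaluating expression '{expr}': {e}")
    return ''.join(chars)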
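# Input path: the first command-line argument when given, otherwise the
# challenge file next to this script (the original hard-coded value).
file_path = sys.argv[1] if len(sys.argv) > 1 else 'chall.vbs'
# Print the recovered script so it can be read or redirected to a file.
result = deobfuscate_vbs_from_file(file_path)
print(result)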
去混淆后
' Four banner dialogs, then the flag prompt.
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
flag = InputBox("Enter the FLAG:", "Hack for fun")
' Expected flag, Base64-encoded and then Caesar-shifted; the check at the
' bottom reverses both steps with Caesar(..., 26-qwfe) and Base64Decode.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"
' 14, so the Caesar offset used below is 26 - 14 = 12.
qwfe = 9+2+2+1
' Decode a Base64 string to text. MSXML's "bin.base64" data type turns the
' element text into a byte array (nodeTypedValue); the bytes are written to
' an ADODB binary stream, which is then switched to text mode and read back
' as UTF-8.
Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64"
    elem.text = base64EncodedString
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function
' Shift every ASCII letter of str forward by offset positions (mod 26),
' keeping its case; every other character (digits, "+", "/", "=") is copied
' unchanged. Applied to a Base64 string this only touches the letters.
Function Caesar(str,offset)
    Dim length,char,i
    Caesar = ""
    length = Len(str)
    For i = 1 To length
        char = Mid(str,i,1)
        If char >= "A" And char <= "Z" Then
            char = Asc("A") + (Asc(char) - Asc("A") + offset) Mod 26
            Caesar = Caesar & Chr(char)
        ElseIf char >= "a" And char <= "z" Then
            char = Asc("a") + (Asc(char) - Asc("a") + offset) Mod 26
            Caesar = Caesar & Chr(char)
        Else
            Caesar = Caesar & char
        End If
    Next
End Function
' The expected flag is not hashed: the right-hand side depends only on the
' two constants above, so evaluating it yields the flag directly.
If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Congratulations! Correct FLAG!"
Else
    MsgBox "Wrong flag."
End If
明文对比,直接输出flag
' Solver's patch: the Else branch now displays the computed expected value
' instead of "Wrong flag.", so running the script with any input pops the flag.
If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Congratulations! Correct FLAG!"
Else
    MsgBox Base64Decode(Caesar(wefbuwiue, 26-qwfe))
End If
VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!
Rafflesia
看似tea,但魔改
提取enc
from idaapi import*
# IDAPython: dump the 32 bytes at .data 0x404000..0x40401F as a comma-separated
# hex list (pasted into the C exploit below).
for addr in range(0x404000, 0x40401F + 1):
    print(hex(get_byte(addr)), end=",")
#0xf8,0x63,0x20,0xea,0x52,0xf2,0x66,0x8f,0xef,0x72,0x2a,0x90,0x74,0xda,0x1f,0x41,0x4d,0xd,0x59,0x19,0x17,0x43,0xe7,0xca,0x3f,0xf,0x87,0x63,0x61,0xae,0x53,0xd7,
修改key
key
delta是随机数
exp
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
uint32_t r_box[5][33]; /* per-block round "delta" table; only [0..3][0..31] is ever filled (get_rand_box) or read (decrypt, main) */
/* Fill r_box from the C runtime's rand() seeded with 0, then dump it.
 * Each row takes 32 consecutive rand() values stored back to front
 * (slot 31 first, slot 0 last), so decrypt() can walk the row in
 * ascending order. rand() sequences differ between C runtimes, so this
 * presumably has to be built with the same runtime as the target binary
 * to reproduce its table. */
void get_rand_box() {
    srand(0);
    for (int row = 0; row < 4; ++row) {
        for (int slot = 31; slot >= 0; --slot) {
            r_box[row][slot] = rand();
        }
    }
    /* debug dump: one row per line */
    for (int row = 0; row < 4; ++row) {
        for (int slot = 0; slot < 32; ++slot) {
            printf("%x ", r_box[row][slot]);
        }
        printf("\n");
    }
}
/* Sum of the 32 entries in row `index` of r_box (wrapping mod 2^32).
 * decrypt() uses it as the starting value of `sum`, i.e. presumably the
 * value the forward cipher reaches after adding all 32 round deltas. */
uint32_t box_sum(int index) {
    const uint32_t *row = r_box[index];
    uint32_t total = 0;
    for (int slot = 32; slot-- > 0;)
        total += row[slot];
    return total;
}
/* Reference TEA encryption (fixed delta 0x9e3779b9, 32 rounds), kept for
 * comparison with the modified cipher; main() does not call it.
 * v: 8-byte block as two words, updated in place. k: 128-bit key as four words. */
void encrypt(uint32_t* v, uint32_t* k) {
    const uint32_t delta = 0x9e3779b9;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    uint32_t y = v[0], z = v[1], sum = 0;
    for (uint32_t round = 0; round < 32; ++round) {
        sum += delta;
        y += ((z << 4) + k0) ^ (z + sum) ^ ((z >> 5) + k1);
        z += ((y << 4) + k2) ^ (y + sum) ^ ((y >> 5) + k3);
    }
    v[0] = y;
    v[1] = z;
}
/* Inverse of the challenge's modified TEA for one 8-byte block `v` (two
 * words, updated in place) under the 4-word key `k`. Unlike TEA the round
 * constant is not a fixed delta: `sum` starts at box_sum(index), the total
 * of the 32 random values in r_box[index], and one table entry is removed
 * per round, walking the row upwards (get_rand_box stored it reversed for
 * exactly this). The two Feistel halves are undone in reverse order. */
void decrypt(uint32_t* v, uint32_t* k, int index) {
    const uint32_t *deltas = r_box[index];
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    uint32_t y = v[0], z = v[1];
    uint32_t sum = box_sum(index);
    for (int round = 0; round < 32; ++round) {
        z -= ((y << 4) + k2) ^ (y + sum) ^ ((y >> 5) + k3);
        y -= ((z << 4) + k0) ^ (z + sum) ^ ((z >> 5) + k1);
        sum -= deltas[round];
    }
    v[0] = y;
    v[1] = z;
}
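int main(void)
{
    get_rand_box();
    /* The 32 ciphertext bytes dumped from .data at 0x404000 (IDA snippet
     * above). The array has one extra slot, zero-initialised, so the buffer
     * is NUL-terminated: the original `char enc[]` held exactly 32 bytes and
     * printf("%s") read past its end. unsigned char also avoids the
     * implementation-defined narrowing of values > 127 into `char`. */
    unsigned char enc[33] = { 0xf8,0x63,0x20,0xea,0x52,0xf2,0x66,0x8f,0xef,0x72,0x2a,0x90,0x74,0xda,0x1f,0x41,0x4d,0xd,0x59,0x19,0x17,0x43,0xe7,0xca,0x3f,0xf,0x87,0x63,0x61,0xae,0x53,0xd7 };
    uint32_t k[4] = { 2,2,3,3 };
    uint32_t block[2];
    for (int i = 0; i < 4; ++i) {
        /* memcpy instead of casting the byte buffer to uint32_t*: the same
         * host-endian reinterpretation without the alignment/aliasing UB. */
        memcpy(block, enc + 8 * i, sizeof block);
        decrypt(block, k, i);
        memcpy(enc + 8 * i, block, sizeof block);
    }
    printf("%s", enc);
    return 0;
}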
Rafflesia
改ZF过反调试
表是改过的
HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0
打断点拿到enc
H@^jHwpsH)[jH{M/\tBBK_|-O{W.iJZ7\)|~zaB^H+Lwv{SS|-j@\_[Y
换表base64+异或