本文为看雪论坛优秀文章
看雪论坛作者ID:newu
前言
-
反调试 -
花指令 -
chacha20加密 -
rc4加密
静态分析
初步函数流程的分析
加花函数的分析与还原
chacha20算法的分析
经过一番搜索,才知道这个加密函数是chacha20加密,找到了这个算法的C代码实现,https://github.com/shiffthq/chacha20,算法大致先进行初始化,矩阵置换,然后再是轮函数,最后生成了密钥流,以下是被调用加/解密函数接口:
void ChaCha20XOR(uint8_t key[32], uint32_t counter, uint8_t nonce[12], uint8_t *in, uint8_t *out, int inlen) {int i, j;uint32_t s[16];uint8_t block[64];//static void chacha20_init_state(uint32_t s[16], uint8_t key[32], uint32_t counter, uint8_t nonce[12])chacha20_init_state(s, key, counter, nonce);for (i = 0; i < inlen; i += 64) {//static void chacha20_block(uint32_t in[16], uint8_t out[64], int num_rounds)chacha20_block(s, block, 20);s[12]++;for (j = i; j < i + 64; j++) {if (j >= inlen) {break;}out[j] = in[j] ^ block[j - i];}}}
注:我们使用的话,将github源码下载下来,把cpp和h文件导入即可;ChaCha20是一种流密码,可以将其理解为对称加密算法。
RC4算法
分析随机数生成序列
写wp代码
void get_flag(unsigned char* mykey, int v0, int pid){unsigned char s[256] = { 0 };unsigned char key[12] = "Encrypted!!";char hexData[48] = {0xFC, 0xD4, 0x19, 0x74, 0x51, 0x67, 0xED, 0x4B, 0x9C, 0x48, 0xC6, 0x5F, 0x9B, 0x5D, 0xB4, 0xF0,0x44, 0x02, 0xAF, 0xAC, 0x66, 0x01, 0x06, 0xA5, 0xBE, 0xBC, 0xD0, 0x77, 0x29, 0x64, 0x8D, 0x5E,0x41, 0xD4, 0x77, 0x31, 0x40, 0xB4, 0x92, 0x22, 0xF9, 0x9F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; //flag.enc字节序列int enc_len = strlen(hexData);rc4_init(s, key, strlen((const char *)key));rc4_crypt(s, (uint8_t *)hexData, enc_len);ChaCha20XOR((uint8_t *)mykey, 1, key, (uint8_t *)hexData, strlen(hexData));if (hexData[0] == 'f' && hexData[1] == 'l' && hexData[2] == 'a') { //判定前三个字母是fla输出即可printf("timestamp:%d,pid:%d ", v0, pid);for (int i = 0; i < 48; i++){printf("%c", hexData[i]);}printf("n");exit(0);}}int main() {unsigned char mykey[32];int timestamp;DWORD Seed;timestamp = 1662973302; // time(0); 2022-09-12 17:01:42for (int pid = 1; pid < 9000; pid++){for (timestamp = 1662909722; timestamp <= 1662973302; timestamp++) { //最坑的点在这里,时间戳要从出题时间点开始算起Seed = timestamp ^ pid;srand(Seed);for (int i = 0; i < 32; ++i)mykey[i] = (unsigned __int16)rand() >> 8;get_flag(mykey, timestamp, pid); //传入timestamp和pid纯属好奇}}printf("endn");return 0;}
小结
参考
rc4参考:
https://ctf-wiki.org/reverse/identify-encode-encryption/introduction/#rc4
chacha20参考:
https://github.com/shiffthq/chacha20
ChaCha20-Poly1305算法:
https://segmentfault.com/a/1190000040082539
看雪ID:newu
https://bbs.pediy.com/user-home-592531.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
原文始发于微信公众号(看雪学苑):一道简单Chacha20_RC4算法CTF题目
