羊城杯 2021 (Yangcheng Cup) - babysmc writeup


An exe, obfuscated with SMC. Debugging it dynamically down to the main function shows the logic: the input is taken three characters at a time, each group goes through a series of shifts and masks, the results are used as indices into a fixed S-box, and each group of three is turned into four output characters. Since the string the output is compared against is known, the input can be recovered by brute force.

s = [0xE4, 0xC4, 0xE7, 0xC7, 0xE6, 0xC6, 0xE1, 0xC1, 0xE0, 0xC0,
     0xE3, 0xC3, 0xE2, 0xC2, 0xED, 0xCD, 0xEC, 0xCC, 0xEF, 0xCF,
     0xEE, 0xCE, 0xE9, 0xC9, 0xE8, 0xC8, 0xEB, 0xCB, 0xEA, 0xCA,
     0xF5, 0xD5, 0xF4, 0xD4, 0xF7, 0xD7, 0xF6, 0xD6, 0xF1, 0xD1,
     0xF0, 0xD0, 0xF3, 0xD3, 0xF2, 0xD2, 0xFD, 0xDD, 0xFC, 0xDC,
     0xFF, 0xDF, 0x95, 0x9C, 0x9D, 0x92, 0x93, 0x90, 0x91, 0x96,
     0x97, 0x94, 0x8A, 0x8E]  # 64-entry S-box dumped from the binary
# the string the program compares the transformed input against (56 bytes = 14 groups of 4)
data = "H>oQn6aqLr{DH6odhdm0dMe`MBo?lRglHtGPOdobDlknejmGI|ghDb<4"

def shl(c, b):
    # 8-bit logical shift left
    return (c << b) & 0xff

def sar(c, b):
    # 8-bit arithmetic shift right: the sign bit is replicated, as in the binary
    temp = bin(c)[2:].rjust(8, '0')
    if temp[0] == '0':
        return (c >> b) & 0xff
    for _ in range(b):
        temp = '1' + temp[:7]
    return int(temp, 2)

def encode3(i, j, z):
    # the transform recovered from the main function: three input bytes -> four output bytes
    a1 = s[sar(i, 2) % len(s)] ^ 0xa6
    a2 = s[(sar(j, 4) | shl(i & 3, 4)) % len(s)] ^ 0xa3
    a3 = s[(shl(j & 0xf, 2) | sar(z, 6)) % len(s)] ^ 0xa9
    a4 = s[(z & 0x3f) % len(s)] ^ 0xac
    return a1, a2, a3, a4

def crack(want):
    # brute-force the printable triple whose four output bytes equal `want`
    for i in range(32, 126):
        for j in range(32, 126):
            for z in range(32, 126):
                if encode3(i, j, z) == want:
                    return chr(i) + chr(j) + chr(z)
    # no triple matches: the final group holds only two characters, so the third
    # input byte is absent. Treat it as 0 and compare the first three outputs;
    # a3 still depends on the low nibble of j, so checking it keeps j unambiguous.
    for i in range(32, 126):
        for j in range(32, 126):
            if encode3(i, j, 0)[:3] == want[:3]:
                return chr(i) + chr(j)
    return "?"

flag = ""
for count in range(0, len(data), 4):
    want = tuple(ord(c) for c in data[count:count + 4])
    flag += crack(want)
print(flag)

The last three characters could not be brute-forced; it turned out there were not three of them, only two. I was stuck on that for a long time....
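The reason the last group only yields two characters becomes obvious once the index expressions are read as a whole: `i>>2`, `((i&3)<<4)|(j>>4)`, `((j&0xf)<<2)|(z>>6)` and `z&0x3f` are exactly base64's split of three bytes into four 6-bit values, so the routine is base64 with a custom 64-entry alphabet (the S-box) and a per-position XOR, and the trailing `4` in the comparison string plays the role of a pad. The following is an added example, not the writeup's script: it inverts the transform with one table lookup per byte instead of brute force, treats an output byte with no preimage in the S-box as padding (an assumption, stated in the code), and uses plain shifts because the inputs are printable ASCII, for which the binary's arithmetic right shift equals a logical one. The names `S`, `XOR_KEYS`, `TARGET`, `encode_block`, `encode` and `decode` are mine; the constants are the writeup's.

```python
# Added example, not the writeup's own script: direct inversion of the babysmc
# transform. The four S-box indices the binary computes,
#   i>>2,  ((i&3)<<4)|(j>>4),  ((j&0xf)<<2)|(z>>6),  z&0x3f
# are base64's 3-byte -> four 6-bit-value split, so the routine is base64
# with a custom alphabet (S) plus a per-position XOR constant.

S = [
    0xE4, 0xC4, 0xE7, 0xC7, 0xE6, 0xC6, 0xE1, 0xC1, 0xE0, 0xC0,
    0xE3, 0xC3, 0xE2, 0xC2, 0xED, 0xCD, 0xEC, 0xCC, 0xEF, 0xCF,
    0xEE, 0xCE, 0xE9, 0xC9, 0xE8, 0xC8, 0xEB, 0xCB, 0xEA, 0xCA,
    0xF5, 0xD5, 0xF4, 0xD4, 0xF7, 0xD7, 0xF6, 0xD6, 0xF1, 0xD1,
    0xF0, 0xD0, 0xF3, 0xD3, 0xF2, 0xD2, 0xFD, 0xDD, 0xFC, 0xDC,
    0xFF, 0xDF, 0x95, 0x9C, 0x9D, 0x92, 0x93, 0x90, 0x91, 0x96,
    0x97, 0x94, 0x8A, 0x8E,
]
XOR_KEYS = (0xA6, 0xA3, 0xA9, 0xAC)  # per-position constants from the writeup
TARGET = "H>oQn6aqLr{DH6odhdm0dMe`MBo?lRglHtGPOdobDlknejmGI|ghDb<4"  # comparison string from the writeup

INV_S = {v: k for k, v in enumerate(S)}  # S-box value -> 6-bit index
assert len(INV_S) == 64  # S is a bijection on 6-bit values, so the lookup is unambiguous


def encode_block(i: int, j: int, z: int) -> bytes:
    """Forward transform for one 3-byte group, as recovered from the binary."""
    idx = (i >> 2, ((i & 3) << 4) | (j >> 4), ((j & 0xF) << 2) | (z >> 6), z & 0x3F)
    return bytes(S[k] ^ key for k, key in zip(idx, XOR_KEYS))


def encode(plain: bytes) -> bytes:
    """Encode whole 3-byte groups; how the binary pads a short final group is not on the page."""
    if len(plain) % 3:
        raise ValueError("encode() handles whole 3-byte groups only")
    return b"".join(encode_block(*plain[p:p + 3]) for p in range(0, len(plain), 3))


def decode(cipher: str) -> str:
    """Recover the input from the 4-byte output groups with one table lookup per byte."""
    if len(cipher) % 4:
        raise ValueError("ciphertext length must be a multiple of 4")
    out = bytearray()
    for p in range(0, len(cipher), 4):
        sextets = []
        for c, key in zip(cipher[p:p + 4], XOR_KEYS):
            k = INV_S.get(ord(c) ^ key)
            if k is None:
                # Assumption: a byte with no preimage in S marks padding, i.e. the
                # group carried fewer than three input bytes (the role of '=' in base64).
                break
            sextets.append(k)
        if len(sextets) < 2:
            raise ValueError("group at offset %d carries no valid data" % p)
        k0, k1 = sextets[0], sextets[1]
        k2 = sextets[2] if len(sextets) > 2 else 0
        k3 = sextets[3] if len(sextets) > 3 else 0
        out.append((k0 << 2) | (k1 >> 4))                # first byte: always present
        if len(sextets) > 2:
            out.append(((k1 & 0xF) << 4) | (k2 >> 2))    # second byte: three or more sextets
        if len(sextets) > 3:
            out.append(((k2 & 3) << 6) | k3)             # third byte: full group only
    return out.decode("ascii")


if __name__ == "__main__":
    flag = decode(TARGET)
    print(flag)
    # round trip over the whole groups confirms the inverse is exact
    assert encode(flag[:39].encode()) == TARGET[:52].encode()
```

Run as a script it prints the recovered input; the last group decodes to two characters because its fourth output byte, `'4' ^ 0xac = 0x98`, is not an S-box value, which is exactly why the three-character brute force in the writeup cannot match it.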
