LitCTF2024——ezrc4

0x01 关于rc4

rc4简介

rc4的维基

具体实现

step1 rc4_init()

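// RC4 key-scheduling (KSA): fills s_box with the identity permutation 0..255 and
// then shuffles it under control of the key.
//   s_box - caller-provided 256-byte state, overwritten
//   key   - NUL-terminated key bytes, repeated to fill all 256 positions
// An empty key is rejected (it would make i % len undefined); s_box is then left untouched.
// Fixes vs. the sketch this replaces: the state array was written as `s` instead of
// `s_box`, `j` was never reduced mod 256 (out-of-bounds index into s_box), and the
// stretched key was held in a signed char array.
void rc4_init(unsigned char* s_box,unsigned char* key)
{
	int i=0,j=0;
	unsigned char k[256];
	const int len=static_cast<int>(strlen(reinterpret_cast<const char*>(key)));
	if(len<=0){
		return;
	}

	for(i=0;i<256;i++){
		//identity permutation
		s_box[i]=static_cast<unsigned char>(i);
		//key repeated cyclically to 256 bytes
		k[i]=key[i%len];
	}
	//shuffle the state; j must stay in [0,255] because it indexes s_box
	for(i=0;i<256;i++){
		j=(j+s_box[i]+k[i])%256;
		std::swap(s_box[i],s_box[j]);
	}
}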

step2 rc4_crypt()

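// RC4 PRGA + XOR, in place. Encrypts or decrypts (same operation) the
// NUL-terminated buffer data with the state s_box produced by rc4_init().
//   s_box - 256-byte RC4 state; mutated as the keystream is generated, so the
//           state must be re-initialised before processing another message
//   data  - bytes to transform; the length comes from strlen(), so processing
//           stops at the first NUL byte
// Fix vs. the sketch this replaces: the keystream byte is s_box[(s_box[i]+s_box[j])%256]
// (the value computed into `result`), not s_box[i]; the old code computed `result`
// and then ignored it, which is not RC4.
void rc4_crypt(unsigned char* s_box,char* data)
{
	int i=0,j=0;
	int result=0;
	const int len=static_cast<int>(strlen(data));

	for(int k=0;k<len;k++){
		i=(i+1)%256;
		j=(j+s_box[i])%256;
		std::swap(s_box[i],s_box[j]);
		//index of the keystream byte
		result=(s_box[i]+s_box[j])%256;
		data[k]^=s_box[result];
	}
}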

0x02 rc4解密

rc4是对称的流密码,解密与加密是同一个操作。因此解密的关键在于key的选取:只要有正确的key和密文,编写脚本用同样的流程再跑一遍密文即可。

0x03 关于题目

关于密文

image
IDA的问题,没有识别出v8和v9,buf1数组共四个数据

关于key

image
追踪key
image

检查交叉,发现是假key
image

xor解密

# Recover the real key: the string found in the binary is XORed byte-wise
# with the constants the program applies before using it.
key = "fenkey?"
key = list(key)
key1 = [10, 12, 26, 8, 17, 31, 30]
# decode each character against its mask; `key` ends up as a list of chars
key = [chr(ord(ch) ^ mask) for ch, mask in zip(key, key1)]
print("".join(key), end="")
//litctf!

0x04 EXP

#include "string"
#include <cstdio>
#include <cstring>
#include <utility>
using namespace std;
long long buf[4];          // ciphertext as main() stores it: four 64-bit words, passed to rc4_crypt() as a byte string
unsigned char v10[256];    // RC4 state (S-box); rc4_init() fills it with 0..255 and shuffles it, rc4_crypt() swaps it further
unsigned char v11[256];    // key repeated cyclically to 256 bytes by rc4_init()

// Key-scheduling step of the EXP: rebuilds the S-box from the recovered key.
// Side effects: overwrites the globals v10 (state) and v11 (key repeated to 256 bytes).
void rc4_init()
{
    const char key[] = "litctf!";
    const size_t key_len = strlen(key);

    // Identity permutation in v10, key stretched to 256 bytes in v11.
    for (size_t idx = 0; idx < 256; ++idx) {
        v10[idx] = static_cast<unsigned char>(idx);
        v11[idx] = static_cast<unsigned char>(key[idx % key_len]);
    }

    // Shuffle the state under control of the stretched key; j stays in [0,255].
    size_t j = 0;
    for (size_t idx = 0; idx < 256; ++idx) {
        j = (j + v10[idx] + v11[idx]) % 256;
        std::swap(v10[idx], v10[j]);
    }
}

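// PRGA + XOR in place: decrypts (or encrypts, same operation) the NUL-terminated
// buffer flag with the state v10 prepared by rc4_init().
// Side effects: v10 is swapped as the keystream is produced, so a second call
// does not see the same keystream; call rc4_init() again first.
// The length comes from strlen(), so processing stops at the first NUL byte:
// the ciphertext must be laid out contiguously with no zero byte before its end.
// Change vs. the previous version: the loop index is size_t, removing the
// signed/unsigned comparison against strlen()'s result.
void rc4_crypt(char* flag) {
    int i = 0, j = 0;
    const size_t len = strlen(flag);
    for (size_t k = 0; k < len; ++k) {
        i = (i + 1) % 256;
        j = (j + v10[i]) % 256;
        std::swap(v10[i], v10[j]);
        const int result = (v10[i] + v10[j]) % 256;   // index of the keystream byte
        flag[k] ^= v10[result];
    }
}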

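// Entry point: lays the ciphertext out as a byte string and decrypts it.
// The ciphertext pieces are 8 + 8 + 4 + 1 bytes (the writeup notes IDA showed
// them as a four-entry buf1 plus unrecognised v8 and v9), which is presumably
// one 21-byte constant stored back to back. Storing them as four long longs
// puts four zero bytes after 0xD71DC7B2, so rc4_crypt()'s strlen() stops after
// 20 bytes and the final byte 0x7F is never decrypted -- which is likely the
// missing '}'. Here the pieces are copied contiguously, followed by one NUL.
int main() {
    const unsigned long long q0 = 0x606EA290DC7CB2D5ULL;
    const unsigned long long q1 = 0x3190B05971E41306ULL;
    const unsigned int d2 = 0xD71DC7B2U;
    const unsigned char b3 = 0x7F;

    // Byte order follows the host's, exactly as the original buf[] layout did.
    char ct[22] = {};
    memcpy(ct, &q0, sizeof q0);
    memcpy(ct + sizeof q0, &q1, sizeof q1);
    memcpy(ct + 2 * sizeof q0, &d2, sizeof d2);
    ct[2 * sizeof q0 + sizeof d2] = static_cast<char>(b3);

    rc4_init();
    rc4_crypt(ct);
    printf("%s", ct);
    return 0;
}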
//LitCTF{rc4_love_nice 少个“}”,O.o?