打开附件如下
勒索病毒我去上网查了一下,发现是通过加密数据,所以这个题可能和加密有关,除了勒索病毒还有一个enflag.txt打开如下
先不管这个
第一步查壳这个exe程序
无壳。
第二步用ida32位打开这个
shift+f12查看字符
有个充值成功,跟进
可以看到这个字符串 DHmqqvqxB^||zll@Jqjkwpmvez{
可以知道是异或,脚本如下
1 2 3 4 5 6
| s="DH~mqqvqxB^||zll@Jq~jkwpmvez{" key="" for c in s: key+=chr(ord(c)^0x1f) print(key)
|
[Warnning]Access_Unauthorized结合这个可以猜测这是个密钥,那个enflag是个密文,用winhex打开
0xC3,0x82,0xA3,0x25,0xF6,0x4C,
0x36,0x3B,0x59,0xCC,0xC4,0xE9,0xF1,0xB5,0x32,0x18,0xB1,
0x96,0xAe,0xBF,0x08,0x35
把这个放进data
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
| #include<stdio.h> void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k) { int i = 0, j = 0; char k[256] = { 0 }; unsigned char tmp = 0; for (i = 0; i < 256; i++) { s[i] = i; k[i] = key[i % Len_k]; } for (i = 0; i < 256; i++) { j = (j + s[i] + k[i]) % 256; tmp = s[i]; s[i] = s[j]; s[j] = tmp; } } void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k) { unsigned char s[256]; rc4_init(s, key, Len_k); int i = 0, j = 0, t = 0; unsigned long k = 0; unsigned char tmp; for (k = 0; k < Len_D; k++) { i = (i + 1) % 256; j = (j + s[i]) % 256; tmp = s[i]; s[i] = s[j]; s[j] = tmp; t = (s[i] + s[j]) % 256; Data[k] = Data[k] ^ s[t]; } } int main() { unsigned char key[] = "[Warnning]Access_Unauthorized"; unsigned long key_len = sizeof(key) - 1; unsigned char data[] = { 0xC3,0x82,0xA3,0x25,0xF6,0x4C, 0x36,0x3B,0x59,0xCC,0xC4,0xE9,0xF1,0xB5,0x32,0x18,0xB1, 0x96,0xAe,0xBF,0x08,0x35}; rc4_crypt(data, sizeof(data), key, key_len); for (int i = 0; i < sizeof(data); i++) { printf("%c", data[i]); } printf("\n"); }
|
运行如下
flag{RC4&->ENc0d3F1le}