1/13
very bad script
1.vbs解密
打开发现是这种无法阅读的代码
上网寻找别人的脚本,命名为de.vbs
Option Explicit
Function Defuscator(vbs)
Dim t
t = InStr(1, vbs, "Execute", 1)
t = Mid(vbs, t + Len("Execute"))
t = Eval(t)
Defuscator = t
End Function
Dim fso, i
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
For i = 0 To WScript.Arguments.Count - 1
Dim FileName
FileName = WScript.Arguments(i)
Dim MyFile
Set MyFile = fso.OpenTextFile(FileName, ForReading)
Dim vbs
vbs = MyFile.ReadAll
WScript.Echo Defuscator(vbs)
MyFile.Close
Next
Set fso = Nothing
命令行执行 cscript.exe de.vbs re.vbs > de_2.vbs
查看de_2.vbs
Dim userInput
userInput = InputBox("Input your flag: ", "check")
Dim key
key = "key_key_key"
Function RC4(key, input1)
Dim S(255), inputBytes(), i, j, temp, k
Dim result
result = ""
For i = 0 To 255
S(i) = i
Next
ReDim inputBytes(Len(input1) - 1)
For i = 0 To Len(input1) - 1
inputBytes(i) = Asc(Mid(input1, i + 1, 1)) Xor Asc(Mid(key, (i Mod Len(key)) + 1, 1)) //different
Next
j = 0
For i = 0 To 255
j = (j + S(i) + Asc(Mid(key, (i Mod Len(key)) + 1, 1))) Mod 256
temp = S(i)
S(i) = S(j)
S(j) = temp
Next
i = 0
j = 0
For k = 0 To UBound(inputBytes)
i = (i + 1) Mod 256
j = (j + S(i)) Mod 256
temp = S(i)
S(i) = S(j)
S(j) = temp
keystreamByte = S((S(i) + S(j)) Mod 256)
encryptedByte = inputBytes(k) Xor keystreamByte Xor 32 //different
result = result & Right("0" & Hex(encryptedByte), 2)
Next
RC4 = result
End Function
Dim encryptedFlag
encryptedFlag = RC4(key, userInput)
Dim fso, file, fileContent
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("flag", 1)
fileContent = file.ReadAll
file.Close
If encryptedFlag = fileContent Then
MsgBox "right", vbInformation, "Result"
Else
MsgBox "wrong", vbCritical, "Result"
End If
应该是个和RC4有关的加密,但是使用在线工具解码为乱码,手动写一份逆向代码吧
2.逆向代码书写
首先这个RC4显然经过魔改,和常见RC4对比之后发现,文中标记different两处便是不同之处,
def rc4_decrypt(key, encrypted_hex):
# 将密钥转换为字节序列
key = [ord(k) for k in key]
# 将十六进制字符串转为字节列表
encrypted_bytes = [int(encrypted_hex[i:i+2], 16) for i in range(0, len(encrypted_hex), 2)]
# 初始化S盒
S = list(range(256))
# 初始化密钥调度算法(KSA)
j = 0
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i]
# Pseudo-Random Generation Algorithm (PRGA)
i = j = 0
decrypted_bytes = []
for byte in encrypted_bytes:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
keystream_byte = S[(S[i] + S[j]) % 256]
# 逆向加密过程,先与 32 异或再与密钥流字节异或
decrypted_byte = byte ^ keystream_byte ^ 32 //魔改第一处
decrypted_bytes.append(decrypted_byte)
# 恢复原始输入数据
decrypted_string = ''.join(chr(decrypted_bytes[i] ^ key[i % len(key)]) for i in range(len(decrypted_bytes))) //魔改第二处
return decrypted_string
# 示例使用
key = "key_key_key"
encrypted_hex = "E675C3733653B0AFC6F42118F246E98245AC829FF740A316B8761D272FCDC5980511B63EE28238528B391D39177BD95544A0DE54" # 放入你需要解密的十六进制字符串
decrypted_flag = rc4_decrypt(key, encrypted_hex)
print("Decrypted flag:", decrypted_flag)