打开附件如下
勒索病毒我去上网查了一下,发现是通过加密数据,所以这个题可能和加密有关,除了勒索病毒还有一个enflag.txt打开如下
先不管这个
第一步查壳这个exe程序
无壳。
第二步用ida32位打开这个
shift+f12查看字符
有个充值成功,跟进
可以看到这个字符串 DHmqqvqxB^||zll@Jqjkwpmvez{
可以知道是异或,脚本如下
s="DH~mqqvqxB^||zll@Jq~jkwpmvez{"
key=""
for c in s:key+=chr(ord(c)^0x1f)
print(key)
#[Warnning]Access_Unauthorized
[Warnning]Access_Unauthorized结合这个可以猜测这是个密钥,那个enflag是个密文,用winhex打开
0xC3,0x82,0xA3,0x25,0xF6,0x4C,
0x36,0x3B,0x59,0xCC,0xC4,0xE9,0xF1,0xB5,0x32,0x18,0xB1,
0x96,0xAe,0xBF,0x08,0x35
把这个放进data
#include<stdio.h>
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k) //初始化函数
{int i = 0, j = 0;char k[256] = { 0 };unsigned char tmp = 0;for (i = 0; i < 256; i++) {s[i] = i;k[i] = key[i % Len_k];}for (i = 0; i < 256; i++) {j = (j + s[i] + k[i]) % 256;tmp = s[i];s[i] = s[j];s[j] = tmp;}
}
void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k) //加解密
{unsigned char s[256];rc4_init(s, key, Len_k);int i = 0, j = 0, t = 0;unsigned long k = 0;unsigned char tmp;for (k = 0; k < Len_D; k++) {i = (i + 1) % 256;j = (j + s[i]) % 256;tmp = s[i];s[i] = s[j];s[j] = tmp;t = (s[i] + s[j]) % 256;Data[k] = Data[k] ^ s[t];}
}
int main()
{unsigned char key[] = "[Warnning]Access_Unauthorized";unsigned long key_len = sizeof(key) - 1;unsigned char data[] = { 0xC3,0x82,0xA3,0x25,0xF6,0x4C,0x36,0x3B,0x59,0xCC,0xC4,0xE9,0xF1,0xB5,0x32,0x18,0xB1,0x96,0xAe,0xBF,0x08,0x35};rc4_crypt(data, sizeof(data), key, key_len);for (int i = 0; i < sizeof(data); i++){printf("%c", data[i]);}printf("\n");
}运行如下
flag{RC4&->ENc0d3F1le}
