ezrc4
Análisis en IDA muestra un cifrado RC4 modificado. El texto cifrado y la clave se almacenan en little-endian. La función de cifrado incluye una operación XOR adicional con 0x66 sobre cada byte del keystream. Script de descifrado:
#include <stdio.h>
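/*
 * RC4 key-scheduling (KSA): fills s_box with the identity permutation
 * and then swaps entries driven by the key bytes.
 *
 * s_box   - 256-byte output state
 * key     - key bytes, repeated cyclically up to 256 bytes
 * key_len - length of key in bytes; must be > 0, otherwise key[i % key_len]
 *           divides by zero
 */
void init_rc4(unsigned char* s_box, unsigned char* key, unsigned long key_len) {
    unsigned char k[256];
    for (int i = 0; i < 256; i++) {
        s_box[i] = (unsigned char)i;
        k[i] = key[i % key_len];
    }
    int j = 0;
    for (int i = 0; i < 256; i++) {
        j = (j + s_box[i] + k[i]) % 256;
        unsigned char temp = s_box[i];
        s_box[i] = s_box[j];
        s_box[j] = temp;
    }
}

/*
 * In-place decryption for the modified RC4 found in the binary: a standard
 * PRGA keystream where every keystream byte is additionally XORed with 0x66
 * before being applied to the data.
 *
 * data     - ciphertext in, plaintext out (modified in place)
 * data_len - number of bytes in data (0 is fine: nothing is touched)
 * key      - key bytes handed to init_rc4
 * key_len  - length of key in bytes; must be > 0
 *
 * XOR is an involution, so the same routine also encrypts.  RC4 is kept
 * here only because the target uses it; it is not a cipher for new designs.
 */
void decrypt_rc4(unsigned char* data, unsigned long data_len, unsigned char* key, unsigned long key_len) {
    unsigned char s[256];
    init_rc4(s, key, key_len);
    int i = 0, j = 0;
    for (unsigned long k = 0; k < data_len; k++) {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        /* 'temp' was never declared in the original listing (compile error). */
        unsigned char temp = s[i];
        s[i] = s[j];
        s[j] = temp;
        int t = (s[i] + s[j]) % 256;
        /* keystream byte, then the extra 0x66 applied by the target's cipher */
        data[k] ^= s[t] ^ 0x66;
    }
}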
/* Decrypts the 21-byte blob recovered from the binary with the key
 * "FenKey!!" and writes the recovered bytes to stdout as-is. */
int main() {
    unsigned char key[] = "FenKey!!";
    unsigned char encrypted[] = {
        0x21,0xAB,0x3F,0x42,0x65,0x8F,0x3C,0x5B,
        0x0C,0x17,0x05,0x6E,0x84,0xE7,0x1A,0x69,
        0xC3,0x77,0x70,0x1F,0x11
    };
    const unsigned long len = sizeof encrypted / sizeof encrypted[0];
    /* sizeof key counts the terminating NUL; it is not part of the key */
    decrypt_rc4(encrypted, len, key, sizeof key - 1);
    fwrite(encrypted, 1, len, stdout);
    return 0;
}
xor
Operaciones XOR con claves rotativas basadas en posición:
#include <stdio.h>
/* Recovers the string hidden by a position-dependent XOR: byte idx is
 * XORed with 0x90, 0x21 or 0x31 depending on idx mod 3, and printed. */
int main() {
    static const unsigned char keys[3] = {0x90, 0x21, 0x31};
    unsigned char data[] = {
        0xC3,0x69,0x72,0xC4,0x67,0x4A,0xE8,0x11,
        0x43,0xCF,0x6F,0xA,0xF3,0x44,0x6E,0xF8,
        0x59,0x49,0xE8,0x4E,0x5E,0xE2,0x53,0x43,
        0xB1,0x5C
    };
    const size_t count = sizeof data / sizeof data[0];   /* 26 bytes */
    for (size_t idx = 0; idx < count; idx++) {
        data[idx] ^= keys[idx % 3];
        putchar(data[idx]);
    }
    return 0;
}
EzDBG
Análisis con WinDbg e IDA. Datos cifrados:
#include <stdio.h>
/* The dumped values are plaintext XOR 0x66 (one int per character);
 * undo the XOR and print each character. */
int main() {
    static const int encrypted[] = {
        0x35,0x2E,0x25,0x32,0x20,0x1D,0x3,0x5E,0x7,0x56,
        0,0x3,0x57,0x57,0x53,0x50,0,0x54,7,0,7,7,0,3,
        0x50,2,0x51,0x5E,0x5E,3,0x5F,2,0x56,3,0x57,0,
        0x50,0x50,0x1B
    };
    const size_t count = sizeof encrypted / sizeof encrypted[0];   /* 39 */
    for (size_t i = 0; i < count; i++) {
        putchar(encrypted[i] ^ 0x66);
    }
    return 0;
}
GameGame
Solución mediante calculadora de Sudoku: 468912723481342575971422657913948591537428763345261
cancanneed
Hookeo dinámico en Android usando Frida:
// Forces MainActivity.check(...) to report success whatever its argument,
// so the app's own validation is bypassed at runtime.  Note: if check()
// has more than one overload Frida rejects a bare `.implementation`
// assignment and the overload has to be selected first with
// `.overload(<param types>)`.
Java.perform(() => {
    const mainActivity = Java.use("com.example.test.MainActivity");
    mainActivity.check.implementation = function (arg) {
        // Original logic is never invoked; 1 is the value the writeup
        // returns as "accepted".
        return 1;
    };
});
babytea
Descifrado de algoritmo XTEA modificado:
#include <stdint.h>
#include <stdio.h>
/*
 * Decrypts one 64-bit block with the modified XTEA recovered from the
 * binary.  Differences from stock XTEA as they appear in the code:
 *   - delta is 0x61C88747 rather than 0x9E3779B9 (note it is not simply
 *     the two's-complement negation of 0x9E3779B9, which would be
 *     0x61C88647);
 *   - the starting sum carries an extra constant 0x8DDE2E40;
 *   - the per-round updates add into v0/v1 rather than subtracting, so
 *     the matching encryptor presumably subtracts.
 *
 * rounds - number of Feistel rounds (the binary uses 64)
 * v      - in: ciphertext words; out: plaintext words (in place)
 * key    - 128-bit key as four 32-bit words
 */
void decode(uint32_t rounds, uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x61C88747u;
    uint32_t sum = delta * rounds + 0x8DDE2E40u;
    uint32_t a = v[0];
    uint32_t b = v[1];
    for (; rounds > 0; rounds--) {
        a += (((b << 4) ^ (b >> 5)) + b) ^ (sum + key[sum & 3]) ^ b;
        sum -= delta;
        b += (((a << 4) ^ (a >> 5)) + a) ^ (sum + key[(sum >> 11) & 3]) ^ a;
    }
    v[0] = a;
    v[1] = b;
}
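/* Decrypts the five 64-bit ciphertext blocks dumped from the binary with
 * the key {1,1,2,3} and writes the plaintext bytes to stdout.  Like the
 * original listing, this relies on a little-endian host so that the word
 * bytes come out in the order they were stored. */
int main() {
    uint32_t enc_data[] = {0x18C2E339,0xE9550982,0x108A30F7,0x018430DD,
                           0xD5DE57B0,0xD43E0740,0xF42FDDE4,0x968886E8,
                           0xE5D77B79,0x685D758F};
    const uint32_t secret[4] = {1, 1, 2, 3};
    const size_t words = sizeof enc_data / sizeof enc_data[0];   /* 10 */
    for (size_t i = 0; i + 1 < words; i += 2) {
        uint32_t block[2] = {enc_data[i], enc_data[i + 1]};
        decode(64, block, secret);
        /* A block is exactly 8 bytes.  The original printed it with
         * printf("%.8s%.8s", &block[0], &block[1]): the first conversion
         * already covers both words, and the second reads up to 8 bytes
         * from the 4-byte block[1], i.e. past the end of the array — an
         * out-of-bounds read that also duplicated output.  Write the raw
         * bytes with an explicit length instead (and no NUL dependence). */
        fwrite(block, 1, sizeof block, stdout);
    }
    return 0;
}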
Loader
Dump de clases dinámicas usando frida-dexdump. Generación de cadena pseudoaleatoria:
import java.util.Random;
public class FlagGenerator {
private static final String CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
public static String createString(int seed, int length) {
Random rand = new Random(seed);
StringBuilder sb = new StringBuilder(length);
for (int i = 0; i < length; i++) {
sb.append(CHARS.charAt(rand.nextInt(CHARS.length())));
}
return sb.toString();
}
}
遮遮掩掩?CCRC!
Descifrado de texto mediante fuerza bruta CRC32 y decodificación con cifrado especial.
拜师之旅
Análisis de chunks IDAT en PNG con TweakPNG.
Schneider
Extracción de contraseña desde archivo .vxdz con EcoStruxure Operator Terminal Expert.