normal11

这题目和以往的不太一样,虽然同为elf文件

但是 main 函数里的加密代码是不会被执行的

v13此处是恒为0的

回去main函数检查一下

一般main函数调用之前会先调用init,最后用fini收尾

linux编程之main()函数启动过程【转】 - sky-heaven - 博客园 (cnblogs.com)

用二进制方式打开文件,可以发现两个elf文件头


把里面的文件提取出来重新编译,得到一个新的文件

encrypt处有个smc自解密,下图是快速patch法

用 idapython 脚本逆掉;ida 7.5 和 7.6 对旧版 API PatchByte/Byte 不兼容,需要先 from idc_bc695 import 一下

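from idc_bc695 import *  # legacy names (PatchByte/Byte) on IDA 7.5/7.6

# Undo the SMC self-decryption in encrypt(): starting 20 bytes past `addr`,
# each of the 310 code bytes is XORed with its loop index.
addr = 0x0000000000000AF0
for i in range(310):
    ea = addr + i + 20
    # i runs past 255, so reduce the XOR result to a byte before patching
    PatchByte(ea, (Byte(ea) ^ i) & 0xFF)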

对着函数 u 取无符号,p修复就好了

解出完整加密

再写个提取数据的小脚本

# Collect the 27 immediate bytes encrypt() stores, read 7 bytes apart
# starting at addr (presumably one store instruction per byte — verify in IDA).
addr = 0x0000000000000B46
end = addr + 7 * 27
arr = []
while addr < end:
    arr.append(get_wide_byte(addr))
    addr += 7

print(arr)

看到对 256 取模的运算,一眼就能认出是 rc4 加密

用下之前的rc4脚本

#include<stdio.h>
#include<string.h>
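/* Was `unsigned longULONG` (missing space), which silently declared a type
 * named longULONG aliasing unsigned int. The alias is unused below. */
typedef unsigned long ULONG;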

/*初始化函数*/
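/*
 * Key scheduling (KSA): fill s with the identity permutation 0..255, then
 * shuffle it under the key so that s becomes a key-dependent permutation.
 *
 * s    - 256-byte state array written by this function (caller-owned)
 * key  - key bytes, read only; repeated cyclically to cover all 256 slots
 * Len  - key length in bytes. 0 leaves s as the identity permutation
 *        instead of evaluating `i % Len` with a zero divisor.
 */
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    /* The expanded key must be unsigned: with plain `char`, a key byte
     * >= 0x80 makes k[i] negative, drives j negative, and s[j] is then an
     * out-of-bounds write. */
    unsigned char k[256] = { 0 };
    unsigned int j = 0;

    for (unsigned int i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
        if (Len != 0) {
            k[i] = key[i % Len];
        }
    }
    if (Len == 0) {
        return;
    }
    for (unsigned int i = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;
        /* swap s[i] and s[j] */
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}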

/*加解密*/
/*
 * Keystream generation (PRGA) fused with the XOR: advances the state s and
 * XORs each of the Len bytes of Data in place. Encryption and decryption are
 * the same operation. s must come from rc4_init and is modified here, so
 * copy it first if the fresh key state is needed again (main() does that).
 * RC4 is reproduced only to reverse the challenge binary; it is not a cipher
 * to build new designs on.
 */
void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
    unsigned int x = 0;
    unsigned int y = 0;

    for (unsigned long pos = 0; pos < Len; pos++) {
        x = (x + 1) & 0xFF;
        y = (y + s[x]) & 0xFF;
        /* swap s[x] and s[y] */
        unsigned char swap = s[x];
        s[x] = s[y];
        s[y] = swap;
        Data[pos] ^= s[(s[x] + s[y]) & 0xFF];
    }
}

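/*
 * Decrypt the ciphertext recovered from the binary with the hard-coded key
 * and print the result.
 */
int main(void)
{
    unsigned char s[256] = { 0 };
    unsigned char s2[256] = { 0 };
    char key[] = "hgame!@#";
    /* Ciphertext bytes pulled out of the binary with the IDAPython snippet
     * above. Kept as unsigned bytes with an explicit length: several values
     * exceed 127, and a 0x00 byte would have cut strlen() short. */
    unsigned char pData[] = {
        67, 36, 229, 161, 197, 29, 114, 210, 40, 239, 190, 234, 165, 151,
        68, 96, 217, 15, 44, 111, 94, 38, 179, 10, 252, 212, 179
    };
    unsigned long len = sizeof pData;

    rc4_init(s, (unsigned char*)key, strlen(key));
    /* keep the fresh key state in s; work on the copy */
    memcpy(s2, s, sizeof s2);
    rc4_crypt(s2, pData, len); /* RC4 is symmetric: this decrypts */
    /* bound the output by len: the plaintext is not NUL-terminated */
    printf("answer= %.*s\n\n", (int)len, pData);
    return 0;
}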