勒索病毒.exe
在这里插入图片描述
打开IDA_main函数里的返回值main_0:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
__CheckForDebuggerJustMyCode(&unk_40B027);
  Str = 0;
  memset(v19, 0, sizeof(v19));
  Str1 = 0;
  memset(v17, 0, sizeof(v17));
  memset(v15, 0, 0x100u);
  memset(v14, 0, 0x100u);
  v11 = 1;
  do
  {
    sub_401037("**************************我的Flag出了什么问题??**************************\n", v4);
    sub_401037("您的一些重要数据被我们加密了,就算您叫破喉咙来也没有办法恢复。\n", v5);
    sub_401037("**************************那有没有恢复的方法呢??**************************\n", v6);
    sub_401037(asc_406CA8, v7);
    sub_401037("做出你的选择:\n", v8);
    sub_401037("1.充钱\n2.退出\n", v9);
    sub_401073("%d", (char)v10);
    if ( v10[0] == 1 )
    {
      v13 = fopen("flag.txt", "r");
      if ( !v13 )
      {
        sub_401037("打开源文件失败!\n", v4);
        getchar();
        exit(0);
      }
      v12 = fopen("enflag.txt", "w");
      if ( !v12 )
      {
        sub_401037("找不到加密文件!\n", v4);
        getchar();
        exit(0);
      }
      sub_401037("\n请输入您的密钥:", v4);
      sub_401073("%s", (char)&Str);

发现关键函数sub_401A70

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
char __cdecl sub_401A70(char *Str, char *Str1)
{
  char v3; // [esp+0h] [ebp-E4h]
  signed int i; // [esp+D0h] [ebp-14h]
  signed int v5; // [esp+DCh] [ebp-8h]

  __CheckForDebuggerJustMyCode(&unk_40B027);
  v5 = strlen(Str);
  for ( i = 0; i < v5; ++i )
    Str1[i] += Str[i] ^ 0x1F;
  if ( !strcmp(Str1, "DH~mqqvqxB^||zll@Jq~jkwpmvez{") )
    sub_401037("充值成功.\n", v3);
  else
    sub_401037("Error!\n", v3);
  return *Str1;
}

写脚本:

1
2
3
4
5
str='DH~mqqvqxB^||zll@Jq~jkwpmvez{'
flag=''
for i in str:
    flag+=chr(ord(i)^31)
print(flag)

运行

1
[Warnning]Access_Unauthorized

运行发现不是flag,然后在IDA中发现了另一个函数sub_4015E0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
__CheckForDebuggerJustMyCode(&unk_40B027);
 v7 = 0;
 v6 = 0;
 for ( i = fgetc(Stream); ; i = fgetc(Stream) )
 {
   result = i;
   if ( i == -1 )
     break;
   v7 = (v7 + 1) % 256;//i=(i+1)%256;
   v6 = (v6 + *(unsigned __int8 *)(v7 + a1)) % 256;// j=(j+s[i])%256;
   v4 = *(_BYTE *)(v7 + a1);//  tmp=s[i];
   *(_BYTE *)(v7 + a1) = *(_BYTE *)(v6 + a1);// s[i]=s[j];//交换s[x]和s[y]
   *(_BYTE *)(v6 + a1) = v4;// s[j]=tmp;
   fputc(*(_BYTE *)((*(unsigned __int8 *)(v6 + a1) + *(unsigned __int8 *)(v7 + a1)) % 256 + a1) ^ i, a3);// t=(s[i]+s[j])%256;
 }
 return result;

看起来很像RC4,对照一下百度上的RC4:基本一模一样
在这里插入图片描述
然后根据百度上的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
//程序开始
#include<stdio.h>
#include<string.h>
typedef unsigned longULONG;
 
/*初始化函数*/
void rc4_init(unsigned char*s, unsigned char*key, unsigned long Len)
{
    int i = 0, j = 0;
    char k[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i<256; i++)
    {
        s[i] = i;
        k[i] = key[i%Len];
    }
    for (i = 0; i<256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];//交换s[i]和s[j]
        s[j] = tmp;
    }
}
 
/*加解密*/
void rc4_crypt(unsigned char*s, unsigned char*Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k<Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];//交换s[x]和s[y]
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}
 
int main()
{
    unsigned char s[256] = { 0 }, s2[256] = { 0 };//S-box
    char key[256] = { "justfortest" };
    char pData[512] = "这是一个用来加密的数据Data";
    unsigned long len = strlen(pData);
    int i;
 
    printf("pData=%s\n", pData);
    printf("key=%s,length=%d\n\n", key, strlen(key));
    rc4_init(s, (unsigned char*)key, strlen(key));//已经完成了初始化
    printf("完成对S[i]的初始化,如下:\n\n");
    for (i = 0; i<256; i++)
    {
        printf("%02X", s[i]);
        if (i && (i + 1) % 16 == 0)putchar('\n');
    }
    printf("\n\n");
    for (i = 0; i<256; i++)//用s2[i]暂时保留经过初始化的s[i],很重要的!!!
    {
        s2[i] = s[i];
    }
    printf("已经初始化,现在加密:\n\n");
    rc4_crypt(s, (unsigned char*)pData, len);//加密
    printf("pData=%s\n\n", pData);
    printf("已经加密,现在解密:\n\n");
    //rc4_init(s,(unsignedchar*)key,strlen(key));//初始化密钥
    rc4_crypt(s2, (unsigned char*)pData, len);//解密
    printf("pData=%s\n\n", pData);
    return 0;
}

在main函数的地方做适当修改:

1
2
3
4
5
6
7
8
9
10
int main()
{
    unsigned char s[256] = { 0 }, s2[256] = { 0 };//S-box
    char key[256] = { "[Warnning]Access_Unauthorized" };
    char pData[512] = { 0xC3,0x82,0xA3,0x25,0xF6,0x4C,
	0x36,0x3B,0x59,0xCC,0xC4,0xE9,0xF1,0xB5,0x32,0x18,0xB1,
	0x96,0xAe,0xBF,0x08,0x35};
    unsigned long len = strlen(pData);
    int i;

运行
在这里插入图片描述
得到flag

1
pData=flag{RC4&->ENc0d3F1le}