Core Decryption was another one of those painful problems. Though not hard, it's hard to find what direction you need to take. First off, you can't just run GDB with the core file. You have to compile the cryptor.c with gcc -m32 -g cryptor.c -o cryptor, we compile it in 32 bit mode with debugging symbols ON. This is the key to getting the core dump running. Running the core file and binary through GDB with the following commands:

root@neuron:~$ gdb cryptor core.26474
(gdb) bt
#0  0x08048564 in swap (sbox=0xffffd17c "", i=-11652, j=16) at cryptor.c:7
#1  0x08048719 in crypt (inf=0x0, keyf=0xffffd17c, outf=0xf7ffda5c) at cryptor.c:42
#2  0x08048894 in main (argc=4, argv=0xffffd374) at cryptor.c:67
(gdb) f 1
#1  0x08048719 in crypt (inf=0x0, keyf=0xffffd17c, outf=0xf7ffda5c) at cryptor.c:42
42 tmp ^= next_prg(sbox,&i,&j);
(gdb) info locals
sbox = "\000\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377"
i = 0
j = -135168078
key = "\305\344L\004\273/\\\020\272u\033×L\334", 
tmp = 247 '\367'

So we see that there is a key variable here. At first, we wondered what to do with it, what did "incomplete sequence" mean? We decided to ignore it, because if you refer back to the code, you know that the key will be 16 bytes long. We took the key, turned into hex so Python wouldn't have any trouble with it, and we got our result.

import random, base64
def crypt(data, key):
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)
with open('ENCRYPTED', 'rb') as f:
        content = f.read()
print crypt(content, 'c5e44c04bb2f5c10ba751bc3974cdcdc'.decode('hex'))

The message, decrypted with RC4, was:

Well, assuming you're able to actually keep the secret keyfile safe, this is a legitimate way to encrypt files!
Your key is: astronomy_ceremony_times

给英文不好的同学:

Flag:

温馨提示: 此处内容需要评论本文后刷新才能查看,支付2元即可直接查看所有Flag。

小广告:关于获取西普实验吧所有Flag请点击这里查看索引

查看所有Flag文章需要输入密码,需要获取文章密码的童鞋请扫描下面微信或支付宝二维码捐助至少2元(老哥,捐多捐少是个缘分)之后发送支付凭证号联系我获取,Flag大全地址:Flag大全

新功能:捐款的小伙伴请联系我把自己的注册邮箱加入网站白名单,可以免回复看到本站所有Flag

PS:本站不是实验吧的官方站点,纯粹是个人博客,收取Flag费用仅是维持服务器费用,做站不易,且行窃珍惜!

微信二维码:
支付宝二维码: