re部分模板(持续更新)

• xor
• 解矩形方阵
• 使用前序中序求后续遍历-使用中序后序求前序遍历
  • 使用前序中序求后续遍历
  • 使用中序后序求前序遍历
• 网鼎杯signal
• 爆破脚本（SoulLike）
• 将数据(0FD370FEB59C9B9Eh)转化为可识别字符串
• angr符号执行
• DES算法在CBC模式下解密一个Base64编码的字符串
• tea的解密脚本
• xxtea的解密脚本
• rc4解密脚本
  • c语言
  • python
• base64无表魔改解码脚本
• mfc事件处理时(写个程序向MFC程序发送这个消息)
• base64换码表的解题代码
• 先用base64解密，再用rc4解密
• Fuck混淆解码脚本
• IDA的get_wide_dword的使用
• mov混淆的ida脚本
• 两个EzJar.class文件，手工切出解压

xor

#XOR脚本
# 定义原始数据
data = [
    0x7E, # '~'
    0x7A, # 'z'
    0x6D, # 'm'
    0x7F,
    0x42, # 'B'
    0x7F,
    0x08,
    0x09,
    0x4E, # 'N'
    0x0A,
    0x4B, # 'K'
    0x44, # 'D'
    0x00  # 假设以0x00结尾
]

# XOR 操作数
xor_value = 0x39

# 执行异或操作
result = [byte ^ xor_value for byte in data]

# 将结果转换为字符串，不可打印的字符用点号表示
def to_printable_string(byte_list):
    return ''.join(chr(b) if 32 <= b <= 126 else '.' for b in byte_list)

# 输出结果
print("原始数据:", [hex(b) for b in data])
print("XOR 后的数据:", [hex(b) for b in result])
print("XOR 后的字符串:", to_printable_string(result))

解矩形方阵

第一种：

from z3 import *

v1,v2,v3,v4,v5,v6,v7,v8,v9,v11 = Ints('v1 v2 v3 v4 v5 v6 v7 v8 v9 v11')
s = Solver()
s.add(-85 * v9 + 58 * v8 + 97 * v6 + v7 + -45 * v5 + 84 * v4 + 95 * v2 - 20 * v1 + 12 * v3 == 12613)
s.add(30 * v11 + -70 * v9 + -122 * v6 + -81 * v7 + -66 * v5 + -115 * v4 + -41 * v3 + -86 * v1 - 15 * v2 - 30 * v8 == -54400)
s.add(-103 * v11 + 120 * v8 + 108 * v7 + 48 * v4 + -89 * v3 + 78 * v1 - 41 * v2 + 31 * v5 - (v6 * 64) - 120 * v9 == -10283)
s.add(71 * v6 + (v7 * 128) + 99 * v5 + -111 * v3 + 85 * v1 + 79 * v2 - 30 * v4 - 119 * v8 + 48 * v9 - 16 * v11 == 22855)
s.add(5 * v11 + 23 * v9 + 122 * v8 + -19 * v6 + 99 * v7 + -117 * v5 + -69 * v3 + 22 * v1 - 98 * v2 + 10 * v4 == -2944)
s.add(-54 * v11 + -23 * v8 + -82 * v3 + -85 * v2 + 124 * v1 - 11 * v4 - 8 * v5 - 60 * v7 + 95 * v6 + 100 * v9 == -2222)
s.add(-83 * v11 + -111 * v7 + -57 * v2 + 41 * v1 + 73 * v3 - 18 * v4 + 26 * v5 + 16 * v6 + 77 * v8 - 63 * v9 == -13258)
s.add(81 * v11 + -48 * v9 + 66 * v8 + -104 * v6 + -121 * v7 + 95 * v5 + 85 * v4 + 60 * v3 + -85 * v2 + 80 * v1 == -1559)
s.add(101 * v11 + -85 * v9 + 7 * v6 + 117 * v7 + -83 * v5 + -101 * v4 + 90 * v3 + -28 * v1 + 18 * v2 - v8 == 6308)
s.add(99 * v11 + -28 * v9 + 5 * v8 + 93 * v6 + -18 * v7 + -127 * v5 + 6 * v4 + -9 * v3 + -93 * v1 + 58 * v2 == -1697)
check = s.check()
print(check)
model = s.model()
print(model）

第二种：

from z3 import *

# Initialize the solver
solver = Solver()

# Create 14 BitVecs for each character in the input string, assuming ASCII encoding (8 bits per character)
input_chars = [BitVec(f'c{i}', 8) for i in range(14)]

# Ensure that all characters are valid ASCII characters
for char in input_chars:
    solver.add(And(char >= 0, char <= 127))

# XOR adjacent characters and store results in code
code = [input_chars[i] ^ input_chars[i + 1] for i in range(13)] + [input_chars[13]]

# Extract variables a1 to a14 as described in the problem statement
a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14 = [code[i] for i in [2, 1, 0, 3, 4, 5, 6, 7, 9, 8, 10, 11, 12, 13]]

# Define the constraints as provided in the original code
constraints = [
    ((((a1 * 88 + a2 * 67 + a3 * 65 - a4 * 5) + a5 * 43 + a6 * 89 + a7 * 25 + a8 * 13 - a9 * 36) + a10 * 15 + a11 * 11 + a12 * 47 - a13 * 60) + a14 * 29 == 22748),
    ((((a1 * 89 + a2 * 7 + a3 * 12 - a4 * 25) + a5 * 41 + a6 * 23 + a7 * 20 - a8 * 66) + a9 * 31 + a10 * 8 + a11 * 2 - a12 * 41 - a13 * 39) + a14 * 17 == 7258),
    ((((a1 * 28 + a2 * 35 + a3 * 16 - a4 * 65) + a5 * 53 + a6 * 39 + a7 * 27 + a8 * 15 - a9 * 33) + a10 * 13 + a11 * 101 + a12 * 90 - a13 * 34) + a14 * 23 == 26190),
    ((((a1 * 23 + a2 * 34 + a3 * 35 - a4 * 59) + a5 * 49 + a6 * 81 + a7 * 25 + (a8 << 7) - a9 * 32) + a10 * 75 + a11 * 81 + a12 * 47 - a13 * 60) + a14 * 29 == 37136),
    (((a1 * 38 + a2 * 97 + a3 * 35 - a4 * 52) + a5 * 42 + a6 * 79 + a7 * 90 + a8 * 23 - a9 * 36) + a10 * 57 + a11 * 81 + a12 * 42 - a13 * 62 - a14 * 11 == 27915),
    ((((a1 * 22 + a2 * 27 + a3 * 35 - a4 * 45) + a5 * 47 + a6 * 49 + a7 * 29 + a8 * 18 - a9 * 26) + a10 * 35 + a11 * 41 + a12 * 40 - a13 * 61) + a14 * 28 == 17298),
    ((((a1 * 12 + a2 * 45 + a3 * 35 - a4 * 9 - a5 * 42) + a6 * 86 + a7 * 23 + a8 * 85 - a9 * 47) + a10 * 34 + a11 * 76 + a12 * 43 - a13 * 44) + a14 * 65 == 19875),
    (((a1 * 79 + a2 * 62 + a3 * 35 - a4 * 85) + a5 * 33 + a6 * 79 + a7 * 86 + a8 * 14 - a9 * 30) + a10 * 25 + a11 * 11 + a12 * 57 - a13 * 50 - a14 * 9 == 22784),
    ((((a1 * 8 + a2 * 6 + a3 * 64 - a4 * 85) + a5 * 73 + a6 * 29 + a7 * 2 + a8 * 23 - a9 * 36) + a10 * 5 + a11 * 2 + a12 * 47 - a13 * 64) + a14 * 27 == 9710),
    (((((a1 * 67 - a2 * 68) + a3 * 68 - a4 * 51 - a5 * 43) + a6 * 81 + a7 * 22 - a8 * 12 - a9 * 38) + a10 * 75 + a11 * 41 + a12 * 27 - a13 * 52) + a14 * 31 == 13376),
    ((((a1 * 85 + a2 * 63 + a3 * 5 - a4 * 51) + a5 * 44 + a6 * 36 + a7 * 28 + a8 * 15 - a9 * 6) + a10 * 45 + a11 * 31 + a12 * 7 - a13 * 67) + a14 * 78 == 24065),
    ((((a1 * 47 + a2 * 64 + a3 * 66 - a4 * 5) + a5 * 43 + a6 * 112 + a7 * 25 + a8 * 13 - a9 * 35) + a10 * 95 + a11 * 21 + a12 * 43 - a13 * 61) + a14 * 20 == 27687),
    (((a1 * 89 + a2 * 67 + a3 * 85 - a4 * 25) + a5 * 49 + a6 * 89 + a7 * 23 + a8 * 56 - a9 * 92) + a10 * 14 + a11 * 89 + a12 * 47 - a13 * 61 - a14 * 29 == 29250),
    (((a1 * 95 + a2 * 34 + a3 * 62 - a4 * 9 - a5 * 43) + a6 * 83 + a7 * 25 + a8 * 12 - a9 * 36) + a10 * 16 + a11 * 51 + a12 * 47 - a13 * 60 - a14 * 24 == 15317)
]

# Add all constraints to the solver
for constraint in constraints:
    solver.add(constraint)

# Check if there is a solution
if solver.check() == sat:
    model = solver.model()
    # Convert the solution back into a string
    solution = ''.join([chr(model.evaluate(input_chars[i]).as_long()) for i in range(14)])
    print('Solution:', solution)
else:
    print("No solution found")

第三种：

# -*- coding:utf-8 -*-

from z3 import *

l = [Int("l%d"%i) for i in range(0x2a)]

s = Solver()
for i in l:
    s.add(i>0)
    s.add(i<255)
..............(s.add());
if s.check() == sat:
    m = s.model()
    for i in range(0x2a):
        print (chr(int("%s"%(m[l[i]]))),end="")

使用前序中序求后续遍历-使用中序后序求前序遍历

使用前序中序求后续遍历

# encoding: utf-8
class TreeNode:
    def __init__(self, x):
        self.val = x
        self.left = None
        self.right = None
class Solution:
    # 返回构造的TreeNode根节点
    def reConstructBinaryTree(self, pre, tin):
        if len(pre)==0:
            return None
        root=TreeNode(pre[0])
        TinIndex=tin.index(pre[0])
        root.left=self.reConstructBinaryTree(pre[1:TinIndex+1], tin[0:TinIndex])
        root.right=self.reConstructBinaryTree(pre[TinIndex+1:], tin[TinIndex+1:])
        return root
    def PostTraversal(self,root):  #后序遍历
        if root != None:
            self.PostTraversal(root.left)
            self.PostTraversal(root.right)
            print(root.val)
pre=[1,2,4,7,3,5,6,8]
tin=[4,7,2,1,5,3,8,6]
S=Solution()
root=S.reConstructBinaryTree(pre,tin)
S.PostTraversal(root)

使用中序后序求前序遍历

class TreeNode:
    def __init__(self,x):
        self.val=x
        self.left=None
        self.right=None

class Solution:
    def reConstructBinaryTree(self,post,tin):
        if len(post)==0:
            return None
        root=TreeNode(post[-1])
        TinIndex=tin.index(post[-1])
        root.left=self.reConstructBinaryTree(post[0:TinIndex],tin[0:TinIndex])
        root.right=self.reConstructBinaryTree(post[TinIndex:len(post)-1],tin[TinIndex+1:])
        return root
    
    def PreTraversal(self,root):
        if root !=None:
            print(root.val，end="")
            self.PreTraversal(root.left)
            self.PreTraversal(root.right)

post =[7,4,2,5,8,6,3,1]
tin  =[4,7,2,1,5,3,8,6]
pre  =[1,2,4,7,3,5,6,8]

S=Solution()
root=S.reConstructBinaryTree(post,tin)
S.PreTraversal(root)

网鼎杯signal

a1=[]
v4=[10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 255, 255, 255, 7, 49, 7, 241, 255, 255, 255, 7, 40, 7, 132, 255, 255, 255, 7, 193, 255, 255, 255, 7, 30, 7, 122]
for i in range(0,len(v4)):
          if v4[i]==7:
                    a1.append(v4[i+1])
#print(a1)

a1 = [34, 63, 52, 50, 114, 51, 24, 167, 49, 241, 40, 132, 193, 30, 122]
a1.reverse()
v4.reverse()

v9 = 0
us = 0
v5 = 0
flag = []
for i in range(0, len(v4)):
    if i == len(v4) - 1:
        flag.append(us)

    if v4[i] == 1 and v4[i - 1] != 1:
        v5 = a1[v9]
        v9 += 1
        flag.append(us)

    if v4[i] == 2:
        if (v4[i + 1] != 3 and v4[i + 1] != 4 and v4[i + 1] != 5):
            us = v5 - v4[i - 1]
            # print(us,v5,a[i-1])

    if v4[i] == 3:
        if (v4[i + 1] != 2 and v4[i + 1] != 4 and v4[i + 1] != 5):
            us = v5 + v4[i - 1]  # LOBYTE是al有8位，参与运算的5、33、32是全值，所以LOBYTE可省略

    if v4[i] == 4:
        if (v4[i + 1] != 3 and v4[i + 1] != 2 and v4[i + 1] != 5):
            us = v5 ^ v4[i - 1]

    if v4[i] == 5:
        if (v4[i + 1] != 3 and v4[i + 1] != 4 and v4[i + 1] != 2):
            us = int(v5 / v4[i - 1])
    if v4[i] == 8:
        v5 = us

    if v4[i] == 11:
        us = v5 + 1

    if v4[i] == 12:
        us = v5 - 1
        # print("12:",us)

flag.reverse()
out = ''
for j in flag:
    out += chr(j)
print("flag{" + out + "}")

爆破脚本（SoulLike）

from pwn import *
 
T = ['\x00', '\x01', '\x02', '\x03', '\x04', '\x05', '\x06', '\x07', '\x08', '\t', '\n', '\x0b', '\x0c', '\r', '\x0e', '\x0f', '\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17', '\x18', '\x19', '\x1a', '\x1b', '\x1c', '\x1d', '\x1e', '\x1f', ' ', '!', '"', '#', '$', '%', '&', "'", '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';', '<', '=', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~', '\x7f']
 
a = 'actf{'
b = 0
pty = 1
while 1:
    if b == 12:
        break
    for i in T:
        io = process('./SoulLike')     
        flag = a + i
        flag = flag.ljust(17,'@')
        flag += '}'
        success(flag)
        io.sendline(flag)      
        io.recvuntil('#')      
        if b < 9 :
            n = int(io.recv(1)) 
        else:
            n = int(io.recv(2))
        io.close()              
        if n == b + 1:          
            a = a + i
            b = b + 1
            break

将数据(0FD370FEB59C9B9Eh)转化为可识别字符串

#include <iostream>
#include <cstring>

int main() {
    unsigned long long s[] = {
        0xFD370FEB59C9B9E,
        0xDEAB7F029C4FD1B2,
        0xFACD9D40E7636559,
        0x4,
        0x0
    };


    for (int i = 0; i < 25; i++) {
        int c = (int) * ((unsigned char *) (s) + i);
        std::cout << "\\x" << std::hex << c;
    }
    std::cout << std::endl;

    return 0;
}

angr符号执行

import angr
import claripy

p = angr.Project('D:\\桌面\\attachment1', load_options={"auto_load_libs": False})
f = p.factory
state = f.entry_state(addr=0x400605)  # 设置state开始运行时的地址
flag = claripy.BVS('flag', 8 * 32)  # 要求的内容有32个，用BVS转成二进制给flag变量
state.memory.store(0x603055 + 0x300 + 5, flag)  # 因为程序没有输入，所以直接把字符串设置到内存
state.regs.rdx = 0x603055 + 0x300
state.regs.rdi = 0x603055 + 0x300 + 5  # 然后设置两个寄存器

sm = p.factory.simulation_manager(state)  # 准备从state开始遍历路径

print("ready")

sm.explore(find=0x401DAE)  # 遍历到成功的地址

if sm.found:
    print("sucess")
    x = sm.found[0].solver.eval(flag, cast_to=bytes)
    print(x)
else:
    print('error')

DES算法在CBC模式下解密一个Base64编码的字符串

from Crypto.Cipher import DES
import base64

d_flag = b'1Tsy0ZGotyMinSpxqYzVBWnfMdUcqCMLu0MA+22Jnp+MNwLHvYuFToxRQr0c+ONZc6Q7L0EAmzbycqobZHh4H23U4WDTNmmXwusW4E+SZjygsntGkO2sGA=='
key = b'1\x002\x003\x004\x00'

generator = DES.new(key, DES.MODE_CBC, iv=key)
flag = generator.decrypt(base64.b64decode(d_flag))
print(flag.decode('utf-16'))

tea的解密脚本

#include <stdint.h>
#include <stdio.h>
void tea_dec(uint32_t* v, uint32_t* k) {
    uint32_t v0 = v[0], v1 = v[1];  // v0、v1分别是密文的左、右半部分
    uint32_t delta = 1166789954;    //作为sum每次累加的变化值，题目中往往会修改此值
    uint32_t sum = 64 * delta; 
	int i;     //题目中的tea加密轮数为64轮，因此解密时要做出对应的修改，最终sum是64倍的delta
    for (i = 0; i < 64; i++) {  // tea加密进行64轮
        //根据加密时的顺序颠倒下面3行的顺序，将加法改为减法（异或部分都是整体，不用管），就是逆向解密过程
        v1 -= (v0 + sum + 20) ^ ((v0 << 6) + k[2]) ^ ((v0 >> 9) + k[3]) ^ 0x10;
        v0 -= (v1 + sum + 11) ^ ((v1 << 6) + k[0]) ^ ((v1 >> 9) + k[1]) ^ 0x20;
        sum -= delta;
    }
    // 解密后的内容要还给v数组
    v[0] = v0;
    v[1] = v1;
}

xxtea的解密脚本

import struct
import sys

_DELTA = 0x9E3779B9


def _long2str(v, w):
    n = (len(v) - 1) << 2
    if w:
        m = v[-1]
        if (m < n - 3) or (m > n): return b''  # 返回空字节串
        n = m
    s = struct.pack('<%iL' % len(v), *v)
    return s[0:n] if w else s


def _str2long(s, w):
    n = len(s)
    m = (4 - (n & 3) & 3) + n
    # 确保s是字节串
    if isinstance(s, str):
        s = s.encode('utf-8')  # 如果s是str类型，则转换为字节串
    s = s.ljust(m, b'\0')  # 使用字节串填充
    v = list(struct.unpack('<%iL' % (m >> 2), s))
    if w: v.append(n)
    return v


def encrypt(s, key):
    if not s: return b''  # 如果输入为空，则返回空字节串
    v = _str2long(s, True)
    k = _str2long(key.ljust(16, '\0').encode('utf-8'), False)  # 确保密钥也是字节串
    n = len(v) - 1
    z = v[n]
    y = v[0]
    sum = 0
    q = 6 + 52 // (n + 1)
    while q > 0:
        sum = (sum + _DELTA) & 0xffffffff
        e = sum >> 2 & 3
        for p in range(n):
            y = v[p + 1]
            v[p] = (v[p] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
            z = v[p]
        y = v[0]
        v[n] = (v[n] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[n & 3 ^ e] ^ z))) & 0xffffffff
        z = v[n]
        q -= 1
    return _long2str(v, False)


def decrypt(s, key):
    if not s: return b''  # 如果输入为空，则返回空字节串
    v = _str2long(s, False)
    k = _str2long(key.ljust(16, '\0').encode('utf-8'), False)  # 确保密钥也是字节串
    n = len(v) - 1
    z = v[n]
    y = v[0]
    q = 6 + 52 // (n + 1)
    sum = (q * _DELTA) & 0xffffffff
    while sum != 0:
        e = sum >> 2 & 3
        for p in range(n, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))) & 0xffffffff
            y = v[p]
        z = v[n]
        v[0] = (v[0] - ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[0 & 3 ^ e] ^ z))) & 0xffffffff
        y = v[0]
        sum = (sum - _DELTA) & 0xffffffff
    return _long2str(v, True)


# Convert hex string to bytes
dec = 'bca5ce40f4b2b2e7a9129d12ae10c85b3dd7061ddc70f8dc'
if sys.version_info[0] >= 3:
    dec_bytes = bytes.fromhex(dec)
else:
    import binascii
    dec_bytes = binascii.unhexlify(dec)

key = 'flag'
dec2 = decrypt(dec_bytes, key)
print(len(dec2))
try:
    print(dec2.decode('utf-8', errors='replace'))  # 尝试将结果解码为UTF-8字符串，如果失败则替换不可解码的字符
except UnicodeDecodeError:
    print("Failed to decode the decrypted bytes as UTF-8.")

rc4解密脚本

c语言

#include <stdio.h>
#include <string.h>
#include <stdint.h>

// 初始化S盒
void RC4_init(uint8_t S[256], const uint8_t *key, int keylen) {
	int i;
    for ( i = 0; i < 256; ++i) {
        S[i] = i;
    }
    int j = 0;
    for (i = 0; i < 256; ++i) {
        j = (j + S[i] + key[i % keylen]) % 256;
        // 交换S[i]和S[j]
        uint8_t temp = S[i];
        S[i] = S[j];
        S[j] = temp;
    }
}

// 解密（RC4加密和解密过程相同）
void RC4_decrypt(const uint8_t *key, int keylen, uint8_t *data, int datalen) {
    uint8_t S[256];
    RC4_init(S, key, keylen);

    int i = 0, j = 0;
    int n;
    for ( n = 0; n < datalen; ++n) {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        // 交换S[i]和S[j]
        uint8_t temp = S[i];
        S[i] = S[j];
        S[j] = temp;

        uint8_t t = (S[i] + S[j]) % 256;
        data[n] ^= S[t];
    }
}

int main() {
    // 定义密钥为一个字节数组，而不是字符串
    const uint8_t key[] = {0x10, 0x20, 0x30, 0x30, 0x20, 0x20, 0x10, 0x40};  // 替换为你的密钥
    int keylen = sizeof(key) / sizeof(key[0]);

    // 示例加密数据
    const uint8_t encrypted_data[] = {
        0x76, 0x35, 0xFD, 0xF5, 0x7D, 0x47, 0xFE, 0x95,
        0x13, 0x7A, 0x26, 0x59, 0x3F, 0xFF, 0x31, 0xA1,
        0x85, 0x7C, 0x63, 0x02, 0x6E, 0xBD, 0x93, 0x6A,
        0x3E, 0x4D, 0x8D, 0xD7, 0x27, 0x73, 0x2D, 0x5E,
        0xCC, 0x62, 0xF2, 0xDF, 0xE5, 0xD2, 0x00
    };
    int encrypted_data_len = sizeof(encrypted_data) / sizeof(encrypted_data[0]);

    // 创建一个副本用于解密，并留出空间给字符串终止符
    uint8_t decrypted_data[encrypted_data_len + 1];
    memcpy(decrypted_data, encrypted_data, encrypted_data_len);
    decrypted_data[encrypted_data_len] = '\0'; // 添加字符串终止符

    // 执行解密操作
    RC4_decrypt(key, keylen, decrypted_data, encrypted_data_len);

    // 输出解密后的数据（以十六进制格式）
    printf("Decrypted data in hex: ");
    int i;
    for(i = 0; i < encrypted_data_len; i++) {
        printf("%02X ", decrypted_data[i]);
    }
    printf("\n");

    // 输出解密后的数据（以字符串格式），仅当解密后是有效文本时才这么做
    printf("Decrypted data as string: %s\n", decrypted_data);

    return 0;
}

rc4解密脚本：（python）
1.
from Crypto.Cipher import ARC4
import base64

def rc4_decrypt(data, key):
# 解密前先进行Base64解码
data = base64.b64decode(data)
# 将密钥转换为字节
key = bytes(key, encoding='utf-8')
# 创建ARC4解密对象
enc = ARC4.new(key)
# 解密数据
res = enc.decrypt(data)
# 将解密后的数据转换为字符串
res = str(res, 'utf-8')
return res

if __name__ == "__main__":
# 加密后的数据
encrypted_data = '加密后的数据'
# 解密密钥
key = '123456'
# 解密数据
decrypted_data = rc4_decrypt(encrypted_data, key)
print('解密后:', decrypted_data)

python

from Crypto.Cipher import ARC4

def decrypt_rc4(key, ciphertext):
    cipher = ARC4.new(key)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext

# 示例用法
if __name__ == "__main__":
    # 替换为你的密钥和要解密的密文
    key = b'your-encryption-key'
    encrypted_data = b'your-encrypted-data'

    decrypted_data = decrypt_rc4(key, encrypted_data)
    print("Decrypted data:", decrypted_data)

3.
from Crypto.Cipher import ARC4
import binascii


def decrypt_rc4(key, ciphertext):
    cipher = ARC4.new(key)
    # 确保ciphertext是bytes类型
    if isinstance(ciphertext, list):
        ciphertext = bytes(ciphertext)  # 将整数列表转换为bytes类型
    plaintext = cipher.decrypt(ciphertext)
    return plaintext


# 示例用法
if __name__ == "__main__":
    # 替换为你的密钥和要解密的密文
    key = b'[Warnning]Access_Unauthorized'
    encrypted_data = [0xC3, 0x82, 0xA3, 0x25, 0xF6, 0x4C, 0x36, 0x3B, 0x59, 0xCC, 0xC4, 0xE9, 0xF1, 0xB5, 0x32, 0x18,
                      0xB1, 0x96, 0xAE, 0xBF, 0x08, 0x35]

    decrypted_data = decrypt_rc4(key, encrypted_data)
    print("Decrypted data in hex: ", binascii.hexlify(decrypted_data).decode())

    try:
        # 如果你知道解密后的数据是文本，则可以尝试这样打印
        print("Decrypted data as string: ", decrypted_data.decode('utf-8'))
    except UnicodeDecodeError:
        print("Decrypted data is not valid UTF-8 text.")

base64无表魔改解码脚本

data=[0x5a, 0x60, 0x54, 0x7A, 0x7A, 0x54, 0x72, 0x44,0x7C, 0x66, 0x51, 0x50, 0x5B, 0x5F, 0x56, 0x56,0x4C, 0x7C, 0x79, 0x6E, 0x65, 0x55, 0x52, 0x79,0x55, 0x6D, 0x46, 0x6B, 0x6C, 0x56, 0x4A, 0x67,0x4C, 0x61, 0x73, 0x4A, 0x72, 0x6F, 0x5A, 0x70,0x48, 0x52, 0x78, 0x49, 0x55, 0x6C, 0x48, 0x5C,0x76, 0x5A, 0x45, 0x3D]
flag=''
for i in range(0,len(data),4):
    flag+=hex((((data[i]-0x3D)&0x3F)<<2)|(((data[i+1]-0x3D)&0x30)>>4))+','
    flag+=hex((((data[i+1]-0x3D)&0x0F)<<4)|(((data[i+2]-0x3D)&0x3C)>>2))+','
    flag+=hex(((data[i+3]-0x3D)&0x3F)|((data[i+2]-0x3D)&0x03)<<6)+','
print(flag)

mfc事件处理时(写个程序向MFC程序发送这个消息)

#include<Windows.h>
#include<stdio.h>
int main()
{
	HWND h = FindWindowA(NULL, "Flag就在控件里");
	if (h)
	{
		SendMessage(h, 0x0464, 0, 0);
		printf("success");
	}
	else printf("failure");
}

base64换码表的解题代码

from base64 import b64decode 
miwen="_r-+_Cl5;vgq_pdme7#7eC0="
key1=list("@,.1fgvw#`/2ehux$~\"3dity%_;4cjsz^+{5bkrA&=}6alqB*-[70mpC()]89noD")	
base64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
secret=""
for i in miwen:
	k=key1.index(i)
	secret+=base64[k]
print(secret)
print(len(secret))
print(b64decode(secret))

2.
import base64
import string

str1 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"

string1 = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

print (base64.b64decode(str1.translate(str.maketrans(string1,string2))))

先用base64解密，再用rc4解密

import base64
from Crypto.Cipher import ARC4


def rc4_decrypt(key, data):
    cipher = ARC4.new(key)
    return cipher.decrypt(data)


def decode_base64_and_rc4(base64_data, key):
    # 确保Base64字符串长度是4的倍数，添加必要的填充
    missing_padding = len(base64_data) % 4
    if missing_padding:
        base64_data += '=' * (4 - missing_padding)

    try:
        # 解码Base64编码的数据
        decoded_data = base64.b64decode(base64_data)
        # 使用RC4解密
        decrypted_data = rc4_decrypt(key, decoded_data)
        return decrypted_data
    except (base64.binascii.Error, Exception) as e:
        print(f"An error occurred during decoding or decrypting: {e}")
        return None


if __name__ == "__main__":
    # 示例Base64编码的RC4加密数据（你需要替换为你自己的数据）
    base64_encrypted_data = "HcWAX+cMWAaxnh09eD+FdqaXiQ/ijIRVxlvEVgK78rpxoxbBeKYhpwSWKQ"
    # RC4加密使用的密钥（你需要替换为你自己的密钥）
    encryption_key = "flag{123321321123badbeef012}".encode('utf-8')  # 转换为字节类型

    # 解码并解密数据
    result = decode_base64_and_rc4(base64_encrypted_data, encryption_key)

    if result is not None:
        try:
            # 尝试解码为UTF-8字符串，并打印结果
            print("Decrypted data:", result.decode('utf-8'))
        except UnicodeDecodeError:
            # 如果解密后的内容不是有效的UTF-8编码，则以十六进制格式打印原始字节
            print("Decrypted data (hex):", result.hex())

Fuck混淆解码脚本：

<script>
function deEquation(str) {
  for (let i = 0; i <= 1; i++) {
  str = str.replace(/l\[(\D*?)](\+l|-l|==)/g, (m, a, b) => 'l[' + eval(a) + ']' + b);
  }
  str = str.replace(/==(\D*?)&&/g, (m, a) => '==' + eval(a) + '&&');
  return str;
}
s="..........";
ss=deEquation(s);
document.write(ss);
</script>

IDA的get_wide_dword的使用

第一种:

import idaapi

addr = 0x6020c0
list1 = []

# 计算元素数量
num_elements = (0x60213c - addr) // 4  # 使用整数除法

for i in range(num_elements):
    value = idaapi.get_wide_dword(addr + 4*i)
    list1.append(value)

print(list1)

第二种：

from ida_bytes import get_wide_dword

addr = 0x435dc0
list1 = [get_wide_dword(addr + 4 * i) for i in range(14)]
print(list1)

addr2 = 0x435df8
list2 = [get_wide_dword(addr2 + 4 * i) for i in range(14)]
print(list2)

addr3 = 0x435e30
list3 = [get_wide_dword(addr3 + 4 * i) for i in range(14)]
print(list3)

mov混淆的ida脚本

import idaapi
import ida_bytes

def find_flag(start, end):
    flag = ""
    current = start
    
    while current < end:
        byte = ida_bytes.get_byte(current)
        
        if ((48 <= byte <= 57) or  # '0'-'9'
            (65 <= byte <= 90) or  # 'A'-'Z'
            (97 <= byte <= 122) or # 'a'-'z'
            byte in [33, 64, 35, 123, 125, 39, 42, 38, 95]):  # '!', '@', '#', '{', '}', '\'', '*', '&', '_'
            

            if (ida_bytes.get_byte(current + 1) == 0 and 
                ida_bytes.get_byte(current + 2) == 0 and 
                ida_bytes.get_byte(current + 3) == 0):
                flag += chr(byte)
        

        current += 1

    return flag


start_address = 0x80487c4
end_address = 0x8060B38


flag = find_flag(start_address, end_address)
print(f"Found flag: {flag}")

两个EzJar.class文件，手工切出解压

import zlib
inflator = zlib.decompressobj(-zlib.MAX_WBITS)
f=open('"D:\\桌面\\attachment\\EzJar\\EzJar.class\\EzJar.java"','rb')
f.seek(659)
a=f.read(3248)
f.close()
x = inflator.decompress(a)
f=open('EzJar.class','wb')
f.write(x)
f.close()