Preface
Key points
Python
RC4 decryption
Challenge
Downloading the attachment gives the following Python source code:
import base64, urllib.parse

key = "HereIsFlagggg"
flag = "xxxxxxxxxxxxxxxxxxx"

# RC4 key scheduling: shuffle s_box under control of key
s_box = list(range(256))
j = 0
for i in range(256):
    j = (j + s_box[i] + ord(key[i % len(key)])) % 256
    s_box[i], s_box[j] = s_box[j], s_box[i]

# RC4 keystream generation: XOR each character of flag with one keystream byte
res = []
i = j = 0
for s in flag:
    i = (i + 1) % 256
    j = (j + s_box[i]) % 256
    s_box[i], s_box[j] = s_box[j], s_box[i]
    t = (s_box[i] + s_box[j]) % 256
    k = s_box[t]
    res.append(chr(ord(s) ^ k))

cipher = "".join(res)
# base64-encode and immediately decode again: the string is unchanged
crypt = (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))
enc = str(base64.b64decode(crypt), 'utf-8')
enc = urllib.parse.quote(enc)
print(enc)
# enc = %C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA
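The two for loops are the process of RC4-encrypting flag, with key as the key.
After RC4 encryption, flag is base64-encoded and then decoded again (which leaves it unchanged), and finally URL-encoded to give enc.
Approach
Background
Python join() method
Joins the elements of a sequence with the specified separator string to produce a new string.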
symbol = "-"
seq = ("a", "b", "c")  # sequence of strings
print(symbol.join(seq))
# a-b-c
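Python urllib.parse.quote() method
URL-encodes a string.
To decode, use urllib.parse.unquote().
Steps
URL-decode enc, then run RC4 encryption over it again (which decrypts it).
The flag is recovered one character at a time.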
import urllib.parse

key = "HereIsFlagggg"
enc = '%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA'
flag = ""

# Undo the URL encoding to get the RC4 ciphertext back as a string
crypt = urllib.parse.unquote(enc)

# RC4 key scheduling, identical to the challenge source
s_box = list(range(256))
j = 0
for i in range(256):
    j = (j + s_box[i] + ord(key[i % len(key)])) % 256
    s_box[i], s_box[j] = s_box[j], s_box[i]

# Same keystream, same XOR: encrypting the ciphertext again decrypts it
i = j = 0
for s in crypt:
    i = (i + 1) % 256
    j = (j + s_box[i]) % 256
    s_box[i], s_box[j] = s_box[j], s_box[i]
    t = (s_box[i] + s_box[j]) % 256
    k = s_box[t]
    flag += chr(ord(s) ^ k)

print(flag)
# NSSCTF{REAL_EZ_RC4}
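The same solution split into reusable functions, as an added example that is not part of the original write-up: it separates the RC4 keystream from the encoding layer and shows why cipher bytes of 0x80 and above appear as %C2/%C3 pairs in enc. The function names rc4_keystream, rc4_xor, encode and decode are hypothetical, and the code assumes every character has a code point below 256.

```python
import urllib.parse

KEY = "HereIsFlagggg"  # key from the challenge source
ENC = "%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Run the RC4 key schedule over key, then return n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: key-dependent shuffle of the S-box
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):  # PRGA: one keystream byte per input byte
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: both are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def encode(key: str, plaintext: str) -> str:
    """Challenge pipeline: RC4, one code point per cipher byte, URL-quote."""
    ct = rc4_xor(key.encode("latin-1"), plaintext.encode("latin-1"))
    # quote() UTF-8-encodes the string first, so a cipher byte >= 0x80
    # (code point U+0080..U+00FF) appears in enc as a %C2%xx or %C3%xx pair.
    return urllib.parse.quote(ct.decode("latin-1"))


def decode(key: str, enc: str) -> str:
    """Inverse: unquote (UTF-8), map code points back to bytes, RC4 again."""
    ct = urllib.parse.unquote(enc).encode("latin-1")
    return rc4_xor(key.encode("latin-1"), ct).decode("latin-1")


if __name__ == "__main__":
    print(decode(KEY, ENC))
    sample = "constructed sample: caf\xe9"  # constructed, has a byte >= 0x80
    print(encode(KEY, sample), decode(KEY, encode(KEY, sample)) == sample)
```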
Summary
Learned how to decrypt RC4.