Background: while capturing packets I often find that the payload has been encrypted into a mix of upper- and lower-case letters with some '+' and '/' characters, followed by two '=' signs, which often makes people mistake it for plain base64 encoding. (I regret not paying more attention in the cryptography course at university.) I only came to know this encryption scheme by chance while studying the code of an AV-evading webshell (免殺馬) found on GitHub; the gap between people in this industry is not a small one.
Introduction: RC4 is a simple algorithm and runs fast. Its key length is variable, from 1 to 256 bytes (8 to 2048 bits). With the technology available today, brute-force key search is no longer practical at a key length of 128 bits, so it can be expected that RC4's key space will keep resisting brute-force key search for a long time to come. In fact, no effective attack on RC4 with a 128-bit key has been found so far.
Main text
========================================
Ciphertext of the following form:
This was encountered by chance in a packet capture; I do not know what the plaintext is, and even now I am not entirely certain that it really is this cipher. Below, the encryption and decryption process is implemented in Python. Many languages could be used, and although the core code is unchanged, parts of the code have been modified; the relevant part of that webshell code is taken out here to implement encryption and decryption.
Encryption code (Python 2):
import hashlib, base64

date = "username=admin,password=admin,111111111111,fsdfsanfjaaaa,aaaaa111=aaaaaa,111aaaaa111,2424,fffffffaaaaaaaaaaaaaaaaabbCCSSSSSSSSSSSSSAAAAAAAAAAAGGGGGGGGGGGGsd11111,dDAASFASDFS,1111,2222222222222,55555555555,1fasdfasfsddfdsadfdsfdssdcd"

def rc4(text, key):
    # The RC4 key is the 32-character hex MD5 digest of the password, not the password itself
    key = hashlib.md5(key).hexdigest()
    result = ''
    key_len = len(key)
    # Key-scheduling algorithm (KSA): permute the 256-entry state box with the key
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + ord(key[i % key_len])) % 256
        box[i], box[j] = box[j], box[i]
    # Pseudo-random generation (PRGA): XOR each plaintext byte with one keystream byte
    i = j = 0
    for element in text:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        k = chr(ord(element) ^ box[(box[i] + box[j]) % 256])
        result += k
    # Base64-encode the raw ciphertext; this is where the trailing '=' padding comes from
    result = base64.b64encode(result)
    return result

key = "abcd7788"
a = rc4(date, key)
print a
Decryption code (Python 2):
import hashlib, base64

def rc4(text, key):
    # Same key derivation as on the encryption side
    key = hashlib.md5(key).hexdigest()
    # Undo the base64 wrapping first to recover the raw ciphertext bytes
    text = base64.b64decode(text)
    result = ''
    key_len = len(key)
    # KSA: identical to encryption, so the same keystream is produced
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + ord(key[i % key_len])) % 256
        box[i], box[j] = box[j], box[i]
    # PRGA: XOR is its own inverse, so the same loop decrypts
    i = j = 0
    for element in text:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        k = chr(ord(element) ^ box[(box[i] + box[j]) % 256])
        result += k
    return result
Combining the two pieces of code, and checking after the encrypt/decrypt round trip whether the plaintext matches, gives the following:
# -*- coding: utf-8 -*-
import hashlib, base64

date = "username=admin,password=admin,111111111111,fsdfsanfjaaaa,aaaaa111=aaaaaa,111aaaaa111,2424,fffffffaaaaaaaaaaaaaaaaabbCCSSSSSSSSSSSSSAAAAAAAAAAAGGGGGGGGGGGGsd11111,dDAASFASDFS,1111,2222222222222,55555555555,1fasdfasfsddfdsadfdsfdssdcd"

def rc4(text, key):
    # Encrypt: MD5 hex digest of the password as RC4 key, then base64 the result
    key = hashlib.md5(key).hexdigest()
    result = ''
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + ord(key[i % key_len])) % 256
        box[i], box[j] = box[j], box[i]
    i = j = 0
    for element in text:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        k = chr(ord(element) ^ box[(box[i] + box[j]) % 256])
        result += k
    result = base64.b64encode(result)
    return result

key = "abcd7788"
a = rc4(date, key)

def rc4_jie(text, key):
    # Decrypt (jie = 解): base64-decode, then run the identical RC4 keystream over the bytes
    key = hashlib.md5(key).hexdigest()
    text = base64.b64decode(text)
    result = ''
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + ord(key[i % key_len])) % 256
        box[i], box[j] = box[j], box[i]
    i = j = 0
    for element in text:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        k = chr(ord(element) ^ box[(box[i] + box[j]) % 256])
        result += k
    return result

b = rc4_jie(a, key)
# The round trip succeeds only if the decrypted text equals the original plaintext
if date == b:
    print "success"
    print date
    print a
    print b
else:
    print "fail"
Run screenshot:
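As an added example that is not part of the original post, here is a Python 3 port of the same scheme (the Python 2 code above will not run under Python 3): raw RC4 checked against published test vectors, the post's MD5-hexdigest key derivation plus base64 wrapping, and a defender-side helper that tests whether a candidate key turns a captured token into printable text. The helper names (`derive_key`, `try_password`) and the sample password and plaintext are my own assumptions.

```python
import base64
import hashlib
import string


def rc4(key, data):
    """Raw RC4 (KSA + PRGA) over bytes; XOR makes it its own inverse."""
    box = list(range(256))
    j = 0
    key_len = len(key)
    for i in range(256):                      # key-scheduling algorithm
        j = (j + box[i] + key[i % key_len]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(byte ^ box[(box[i] + box[j]) % 256])
    return bytes(out)


def derive_key(password):
    # As in the post: the 32-character hex MD5 digest of the password is the
    # RC4 key (32 ASCII bytes), not the raw 16-byte digest and not the password.
    return hashlib.md5(password.encode()).hexdigest().encode("ascii")


def encrypt(password, plaintext):
    # RC4 then base64; the trailing '=' padding is base64, not part of the cipher
    return base64.b64encode(rc4(derive_key(password), plaintext.encode())).decode("ascii")


def decrypt(password, token):
    return rc4(derive_key(password), base64.b64decode(token))


def try_password(token, password, printable_ratio=0.95):
    """Decrypt a captured token with a candidate password; return the text if
    the result looks like plaintext (mostly printable), else None."""
    try:
        raw = decrypt(password, token)
    except ValueError:                        # malformed base64 (binascii.Error)
        return None
    if not raw:
        return None
    printable = sum(1 for b in raw if chr(b) in string.printable)
    return raw.decode("utf-8", "replace") if printable / len(raw) >= printable_ratio else None
```

With the wrong password the output is pseudo-random bytes, so the printable-ratio check rejects it, while a correct guess returns the recovered plaintext.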