背景:在抓包过程中经常发现数据包被加密了,被加密成大小写字母混杂着些‘+,/’这种。然后后面还有两个==号,经常让人误以为仅仅是base64加密。(后悔大学没好好听密码学这门课)。在一次偶然间对GitHub上找的免杀马代码学习的时候才认识了这个加密方式,在这个行业之间人与人的差距不是一点半点。
介绍:RC4算法的特点是算法简单,执行速度快。并且密钥长度是可变的,可变范围为1-256字节(8-2048比特),在现在技术支持的前提下,当密钥长度为128比特时,用暴力法搜索密钥已经不太可行,所以能够预见RC4的密钥范围任然能够在今后相当长的时间里抵御暴力搜索密钥的攻击。实际上,现在也没有找到对于128bit密钥长度的RC4加密算法的有效攻击方法。
正文开始
========================================
形如以下这种格式的
ySo7K1EC+OcYZ1EVu5DOxhU0gyDHzKW99O+iv02Gcbf/xxxJPbTkoW0GmAYEOPUuHXtR8APvmc1JEA5gixASLF/qphCZ64BxfO/2Qlw933WvLpKBhU4E6Z+r+jNz2Sw8MBOVKUzlqSm9BTUIdDw9i554fXwMkoqar9qbbCllfQMGI+s6Slo75+x4gBBsmfvJwwKF8RSUc/bXHbQQgfywcMSWMDrJ7aGSVXrNCUyXJy+Me9fpyrjw2+j6In9rVNfbaljKWsF9jro9HJXCdLc0eB0VDt3OSzqYY5gcQngE7n8qtVP9UAbaXCb2v8OzZ51wLC3OknMl1fIKC5VTVAFZj8jviS3ihLrP19/wiUuuvkEkf3oOqf9RSZe8VFXDAeKdclrN9S9yt5bJ0MxnlXgqb+aGWrBURVE3RBsaJXOHW4szqG+/YkkX4YuZzL9yMof7Tk9uIAq4D12880ptuwcugT+gJOpt62HPl5DEiseqR2yOURHUEpZGqtcjcWadwNf+9jl5Q==
这是某次抓包中随机遇到的,具体明文是啥也不知道。即使到目前为止也不是很确定就是这种加密 。下面就使用python对这个加解密过程进行实现。可使用的语言很多,但是核心代码没变,部分代码有改动,这里就这个免杀代码里的部分拿出来进行加解密的实现。
加密代码(python2):
import hashlib, base64
date = "username=admin,password=admin,111111111111,fsdfsanfjaaaa,aaaaa111=aaaaaa,111aaaaa111,2424,fffffffaaaaaaaaaaaaaaaaabbCCSSSSSSSSSSSSSAAAAAAAAAAAGGGGGGGGGGGGsd11111,dDAASFASDFS,1111,2222222222222,55555555555,1fasdfasfsddfdsadfdsfdssdcd"
def rc4(text, key):
key = hashlib.md5(key).hexdigest()
result = ''
key_len = len(key)
box = list(range(256))
j = 0
for i in range(256):
j = (j + box[i] + ord(key[i%key_len]))%256
box[i],box[j] = box[j],box[i]
i = j = 0
for element in text:
i = (i+1)%256
j = (j+box[i])%256
box[i],box[j] = box[j],box[i]
k = chr(ord(element) ^ box[(box[i]+box[j])%256])
result += k
result = base64.b64encode(result)
return result
key = "abcd7788"
a = rc4(date,key)
print a
解密代码如下(python2):
import hashlib, base64
def rc4(text, key):
key = hashlib.md5(key).hexdigest()
text = base64.b64decode(text)
result = ''
key_len = len(key)
box = list(range(256))
j = 0
for i in range(256):
j = (j + box[i] + ord(key[i%key_len]))%256
box[i],box[j] = box[j],box[i]
i = j = 0
for element in text:
i = (i+1)%256
j = (j+box[i])%256
box[i],box[j] = box[j],box[i]
k = chr(ord(element) ^ box[(box[i]+box[j])%256])
result += k
return result
将两处代码进行整合,加解密过程结束后判断明文是否一致,代码如下:
# -*- coding: utf-8 -*-
import hashlib, base64
date = "username=admin,password=admin,111111111111,fsdfsanfjaaaa,aaaaa111=aaaaaa,111aaaaa111,2424,fffffffaaaaaaaaaaaaaaaaabbCCSSSSSSSSSSSSSAAAAAAAAAAAGGGGGGGGGGGGsd11111,dDAASFASDFS,1111,2222222222222,55555555555,1fasdfasfsddfdsadfdsfdssdcd"
def rc4(text, key):
key = hashlib.md5(key).hexdigest()
result = ''
key_len = len(key)
box = list(range(256))
j = 0
for i in range(256):
j = (j + box[i] + ord(key[i%key_len]))%256
box[i],box[j] = box[j],box[i]
i = j = 0
for element in text:
i = (i+1)%256
j = (j+box[i])%256
box[i],box[j] = box[j],box[i]
k = chr(ord(element) ^ box[(box[i]+box[j])%256])
result += k
result = base64.b64encode(result)
return result
key = "abcd7788"
a = rc4(date,key)
def rc4_jie(text, key):
key = hashlib.md5(key).hexdigest()
text = base64.b64decode(text)
result = ''
key_len = len(key)
box = list(range(256))
j = 0
for i in range(256):
j = (j + box[i] + ord(key[i%key_len]))%256
box[i],box[j] = box[j],box[i]
i = j = 0
for element in text:
i = (i+1)%256
j = (j+box[i])%256
box[i],box[j] = box[j],box[i]
k = chr(ord(element) ^ box[(box[i]+box[j])%256])
result += k
return result
b = rc4_jie(a,key)
if date == b:
print "success"
print date
print a
print b
else:
print "fail"
运行截图如下:
图片.png