作者:八卦男1002_426 | 来源:互联网 | 2024-12-24 09:26
篇首语:本文由编程笔记#小编为大家整理,主要介绍了2020 BJDCTF Re encode相关的知识,希望对你有一定的参考价值。 鏍囩锛?a href='http://www.mamicode.c
篇首语:本文由编程笔记#小编为大家整理,主要介绍了2020 BJDCTF Re encode相关的知识,希望对你有一定的参考价值。
鏍囩锛?a href='http://www.mamicode.com/so/1/imp' title='imp'>imp range utf-8 娴嬭瘯 瑙傚療 col 鑾峰彇 base cdecl
娴嬭瘯鏂囦欢锛?a href="https://www.lanzous.com/i9la55a" target="_blank">https://www.lanzous.com/i9la55a
鍑嗗
鑾峰彇淇℃伅锛?/p>
IDA鍒嗘瀽
UPX鑴卞3鍚庯紝IDA鎵撳紑
int sub_804887C()
{
int v0; // eax
int result; // eax
int v2; // ecx
unsigned int v3; // et1
unsigned int i; // [esp+Ch] [ebp-FCh]
unsigned int v5; // [esp+10h] [ebp-F8h]
unsigned int v6; // [esp+14h] [ebp-F4h]
int v7; // [esp+1Ah] [ebp-EEh]
int v8; // [esp+1Eh] [ebp-EAh]
int v9; // [esp+22h] [ebp-E6h]
int v10; // [esp+26h] [ebp-E2h]
__int16 v11; // [esp+2Ah] [ebp-DEh]
char v12[30]; // [esp+2Ch] [ebp-DCh]
int v13; // [esp+4Ah] [ebp-BEh]
int v14; // [esp+4Eh] [ebp-BAh]
int v15; // [esp+52h] [ebp-B6h]
int v16; // [esp+56h] [ebp-B2h]
int v17; // [esp+5Ah] [ebp-AEh]
int v18; // [esp+5Eh] [ebp-AAh]
int v19; // [esp+62h] [ebp-A6h]
int v20; // [esp+66h] [ebp-A2h]
int v21; // [esp+6Ah] [ebp-9Eh]
int v22; // [esp+6Eh] [ebp-9Ah]
int v23; // [esp+72h] [ebp-96h]
int v24; // [esp+76h] [ebp-92h]
__int16 v25; // [esp+7Ah] [ebp-8Eh]
char v26; // [esp+7Ch] [ebp-8Ch]
unsigned int v27; // [esp+FCh] [ebp-Ch]
v27 = __readgsdword(0x14u);
v7 = 鈥?/span>galF鈥?/span>;
v8 = 鈥?/span>ihT{鈥?/span>;
v9 = 鈥?/span>_a_s鈥?/span>;
v10 = 鈥?/span>galF鈥?/span>;
v11 = 鈥?/span>}鈥?/span>;
v5 = strlen(&v7);
v13 = 鈥?/span>8D8E鈥?/span>;
v14 = 鈥?/span>19DB鈥?/span>;
v15 = 鈥?/span>A178鈥?/span>;
v16 = 鈥?/span>65E1鈥?/span>;
v17 = 鈥?/span>F35F鈥?/span>;
v18 = 鈥?/span>9884鈥?/span>;
v19 = 鈥?/span>F286鈥?/span>;
v20 = 鈥?/span>4169鈥?/span>;
v21 = 鈥?/span>2FA2鈥?/span>;
v22 = 鈥?/span>F8BA鈥?/span>;
v23 = 鈥?/span>A7DE鈥?/span>;
v24 = 鈥?/span>5DFC鈥?/span>;
v25 = 鈥?/span>E鈥?/span>;
printf("Please input your flag:");
read(0, &v26, 256);
if ( strlen(&v26) != 21 )
exit(0);
v0 = sub_8048AC2((int)&v26);
strcpy((int)v12, v0);
v6 = length(v12);
for ( i = 0; i // 寮傛垨鎿嶄綔
v12[i] ^= *((_BYTE *)&v7 + i % v5);
sub_8048E24(v12, v6, &v7, v5);
if ( !strcmp(v12, &v13) )
exit(0);
printf("right!");
result = 0;
v3 = __readgsdword(0x14u);
v2 = v3 ^ v27;
if ( v3 != v27 )
sub_806FA00(v2);
return result;
}
寰堝鏈煡鍑芥暟锛屾垜浠兘澶熺寽鍑烘槸浠€涔堝嚱鏁帮紝鍦ㄤ唬鐮佷腑宸叉敼銆?/p>
浠g爜鍒嗘瀽
鍦ㄤ唬鐮佷腑锛屾湁涓ゅ鍑芥暟鎴戜滑涓嶆竻妤氫綔鐢ㄣ€傜涓€澶?/p>
v0 = sub_8048AC2((int)&v26);
鍑芥暟浼犲叆鍙傛暟鏄垜浠緭鍏ョ殑瀛楃涓诧紝鎵撳紑鍑芥暟鍚?/p>
int __cdecl sub_8048AC2(int a1)
{
int v2; // [esp+8h] [ebp-20h]
int v3; // [esp+Ch] [ebp-1Ch]
int v4; // [esp+10h] [ebp-18h]
int v5; // [esp+18h] [ebp-10h]
int v6; // [esp+1Ch] [ebp-Ch]
v5 = length(a1);
if ( v5 % 3 )
v2 = 4 * (v5 / 3 + 1);
else
v2 = 4 * (v5 / 3);
v6 = sub_80597A0(v2 + 1);
*(_BYTE *)(v2 + v6) = 0;
v3 = 0;
v4 = 0;
while ( v2 - 2 > v3 )
{
*(_BYTE *)(v6 + v3) = a0123456789Abcd[(unsigned __int8)(*(_BYTE *)(v4 + a1) >> 2)];
*(_BYTE *)(v6 + v3 + 1) = a0123456789Abcd[16 * (*(_BYTE *)(v4 + a1) & 3) | (unsigned __int8)(*(_BYTE *)(v4 + 1 + a1) >> 4)];
*(_BYTE *)(v6 + v3 + 2) = a0123456789Abcd[4 * (*(_BYTE *)(v4 + 1 + a1) & 0xF) | (unsigned __int8)(*(_BYTE *)(v4 + 2 + a1) >> 6)];
*(_BYTE *)(v6 + v3 + 3) = a0123456789Abcd[*(_BYTE *)(v4 + 2 + a1) & 0x3F];
v4 += 3;
v3 += 4;
}
if ( v5 % 3 == 1 )
{
*(_BYTE *)(v3 - 2 + v6) = 61;
*(_BYTE *)(v3 - 1 + v6) = 61;
}
else if ( v5 % 3 == 2 )
{
*(_BYTE *)(v3 - 1 + v6) = 61;
}
return v6;
}
.rodata:080BB9A8 a0123456789Abcd db 鈥?/span>0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ鈥?/span>,0
閫氳繃瑙傚療锛岃繖搴旇鏄竴涓彉琛ㄧ殑Base64鍔犲瘑
绗簩澶?/p>
sub_8048E24((int)v10, v4, (int)&v5, v3)
unsigned int __cdecl sub_8048E24(int a1, unsigned int a2, int a3, int a4)
{
char v4; // ST2B_1
unsigned int result; // eax
unsigned int v6; // et1
int v7; // [esp+1Ch] [ebp-11Ch]
int v8; // [esp+20h] [ebp-118h]
unsigned int i; // [esp+24h] [ebp-114h]
char v10[256]; // [esp+2Ch] [ebp-10Ch]
unsigned int v11; // [esp+12Ch] [ebp-Ch]
v11 = __readgsdword(0x14u);
sub_8048CC2((int)v10, a3, a4);
LOBYTE(v7) = 0;
LOBYTE(v8) = 0;
for ( i = 0; i i )
{
v7 = (unsigned __int8)(v7 + 1);
v8 = (unsigned __int8)(v10[v7] + v8);
v4 = v10[v7];
v10[v7] = v10[v8];
v10[v8] = v4;
*(_BYTE *)(a1 + i) ^= v10[(unsigned __int8)(v10[v7] + v10[v8])];
}
v6 = __readgsdword(0x14u);
result = v6 ^ v11;
if ( v6 != v11 )
sub_806FA00();
return result;
}
杩欏簲璇ユ槸涓€涓猂C4鍔犲瘑鍑芥暟锛?nbsp;sub_8048CC2((int)v10, a3, a4);鍑芥暟鏄垵濮嬪寲鍑芥暟
鎬濊矾
杩欐牱鏁翠釜浠g爜鐨勬€濊矾灏卞緢鏄庢櫚浜嗭紝瀵硅緭鍏ュ瓧绗︿覆杩涜base64鍔犲瘑鍚庯紝鍐嶈繘琛屽紓鎴栨搷浣滐紝鏈€鍚庤繘琛孯C4鍔犲瘑(Key = "Flag{This_a_Flag}")锛屽苟涓?E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E"姣旇緝
瑙e瘑
瑙e瘑缃戠珯锛?/p>
http://tool.chacuo.net/cryptrc4
http://ctf.ssleye.com/rc4.html
http://tools.jb51.net/password/rc4_encode
https://gchq.github.io/CyberChef/
寰楀埌瑙e瘑鐨勫瓧绗︿覆锛?3152553081a5938126a3931275b0b1313085c330b356101511f105c
# -*- coding:utf-8 -*-
from base64 import b64decode
key = 鈥?/span>Flag{This_a_Flag}鈥?/span>
decode_byte = 鈥?/span>23152553081a5938126a3931275b0b1313085c330b356101511f105c鈥?/span>
encode_base64 = 鈥樷€?/span>
lists = []
for i in range(len(decode_byte)//2):
lists.append(int(decode_byte[i*2:(i+1)*2],16))
# for i in range(0,len(decode_byte),2):
# lists.append(int(decode_byte[i:i+2],16))
print (lists)
for i in range(len(lists)):
encode_base64 += chr(lists[i] ^ ord(key[i%len(key)]))
t = 鈥?/span>0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=鈥?/span>
table = 鈥?/span>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=鈥?/span>
table = str.maketrans(t, table)
flag = b64decode(encode_base64.translate(table))
print(flag)
get flag!
BJD{0v0_Y0u_g07_1T!}
E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E