热门标签 | HotTags
当前位置:  开发笔记 > 编程语言 > 正文

开发笔记:2020BJDCTFReencode

篇首语:本文由编程笔记#小编为大家整理,主要介绍了2020 BJDCTF Re encode相关的知识,希望对你有一定的参考价值。 鏍囩锛?a href='http://www.mamicode.c

篇首语:本文由编程笔记#小编为大家整理,主要介绍了2020 BJDCTF Re encode相关的知识,希望对你有一定的参考价值。


鏍囩锛?a href='http://www.mamicode.com/so/1/imp' title='imp'>imp   range   utf-8   娴嬭瘯   瑙傚療   col   鑾峰彇   base   cdecl   

娴嬭瘯鏂囦欢锛?a href="https://www.lanzous.com/i9la55a" target="_blank">https://www.lanzous.com/i9la55a

 


鍑嗗

鎶€鏈浘鐗? src=

鑾峰彇淇℃伅锛?/p>


  • 32浣嶆枃浠?/li>
  • UPX澹?/li>

 


IDA鍒嗘瀽

UPX鑴卞3鍚庯紝IDA鎵撳紑


int sub_804887C()
{
int v0; // eax
int result; // eax
int v2; // ecx
unsigned int v3; // et1
unsigned int i; // [esp+Ch] [ebp-FCh]
unsigned int v5; // [esp+10h] [ebp-F8h]
unsigned int v6; // [esp+14h] [ebp-F4h]
int v7; // [esp+1Ah] [ebp-EEh]
int v8; // [esp+1Eh] [ebp-EAh]
int v9; // [esp+22h] [ebp-E6h]
int v10; // [esp+26h] [ebp-E2h]
__int16 v11; // [esp+2Ah] [ebp-DEh]
char v12[30]; // [esp+2Ch] [ebp-DCh]
int v13; // [esp+4Ah] [ebp-BEh]
int v14; // [esp+4Eh] [ebp-BAh]
int v15; // [esp+52h] [ebp-B6h]
int v16; // [esp+56h] [ebp-B2h]
int v17; // [esp+5Ah] [ebp-AEh]
int v18; // [esp+5Eh] [ebp-AAh]
int v19; // [esp+62h] [ebp-A6h]
int v20; // [esp+66h] [ebp-A2h]
int v21; // [esp+6Ah] [ebp-9Eh]
int v22; // [esp+6Eh] [ebp-9Ah]
int v23; // [esp+72h] [ebp-96h]
int v24; // [esp+76h] [ebp-92h]
__int16 v25; // [esp+7Ah] [ebp-8Eh]
char v26; // [esp+7Ch] [ebp-8Ch]
unsigned int v27; // [esp+FCh] [ebp-Ch]

v27
= __readgsdword(0x14u);
v7
= 鈥?/span>galF鈥?/span>;
v8
= 鈥?/span>ihT{鈥?/span>;
v9
= 鈥?/span>_a_s鈥?/span>;
v10
= 鈥?/span>galF鈥?/span>;
v11
= 鈥?/span>}鈥?/span>;
v5
= strlen(&v7);
v13
= 鈥?/span>8D8E鈥?/span>;
v14
= 鈥?/span>19DB鈥?/span>;
v15
= 鈥?/span>A178鈥?/span>;
v16
= 鈥?/span>65E1鈥?/span>;
v17
= 鈥?/span>F35F鈥?/span>;
v18
= 鈥?/span>9884鈥?/span>;
v19
= 鈥?/span>F286鈥?/span>;
v20
= 鈥?/span>4169鈥?/span>;
v21
= 鈥?/span>2FA2鈥?/span>;
v22
= 鈥?/span>F8BA鈥?/span>;
v23
= 鈥?/span>A7DE鈥?/span>;
v24
= 鈥?/span>5DFC鈥?/span>;
v25
= 鈥?/span>E鈥?/span>;
printf(
"Please input your flag:");
read(
0, &v26, 256);
if ( strlen(&v26) != 21 )
exit(
0);
v0
= sub_8048AC2((int)&v26);
strcpy((
int)v12, v0);
v6
= length(v12);
for ( i = 0; i //
寮傛垨鎿嶄綔
v12[i] ^= *((_BYTE *)&v7 + i % v5);
sub_8048E24(v12, v6,
&v7, v5);
if ( !strcmp(v12, &v13) )
exit(
0);
printf(
"right!");
result
= 0;
v3
= __readgsdword(0x14u);
v2
= v3 ^ v27;
if ( v3 != v27 )
sub_806FA00(v2);
return result;
}

寰堝鏈煡鍑芥暟锛屾垜浠兘澶熺寽鍑烘槸浠€涔堝嚱鏁帮紝鍦ㄤ唬鐮佷腑宸叉敼銆?/p>

 


浠g爜鍒嗘瀽

鍦ㄤ唬鐮佷腑锛屾湁涓ゅ鍑芥暟鎴戜滑涓嶆竻妤氫綔鐢ㄣ€傜涓€澶?/p>

v0 = sub_8048AC2((int)&v26);


鍑芥暟浼犲叆鍙傛暟鏄垜浠緭鍏ョ殑瀛楃涓诧紝鎵撳紑鍑芥暟鍚?/p>

int __cdecl sub_8048AC2(int a1)
{
int v2; // [esp+8h] [ebp-20h]
int v3; // [esp+Ch] [ebp-1Ch]
int v4; // [esp+10h] [ebp-18h]
int v5; // [esp+18h] [ebp-10h]
int v6; // [esp+1Ch] [ebp-Ch]

v5
= length(a1);
if ( v5 % 3 )
v2
= 4 * (v5 / 3 + 1);
else
v2
= 4 * (v5 / 3);
v6
= sub_80597A0(v2 + 1);
*(_BYTE *)(v2 + v6) = 0;
v3
= 0;
v4
= 0;
while ( v2 - 2 > v3 )
{
*(_BYTE *)(v6 + v3) = a0123456789Abcd[(unsigned __int8)(*(_BYTE *)(v4 + a1) >> 2)];
*(_BYTE *)(v6 + v3 + 1) = a0123456789Abcd[16 * (*(_BYTE *)(v4 + a1) & 3) | (unsigned __int8)(*(_BYTE *)(v4 + 1 + a1) >> 4)];
*(_BYTE *)(v6 + v3 + 2) = a0123456789Abcd[4 * (*(_BYTE *)(v4 + 1 + a1) & 0xF) | (unsigned __int8)(*(_BYTE *)(v4 + 2 + a1) >> 6)];
*(_BYTE *)(v6 + v3 + 3) = a0123456789Abcd[*(_BYTE *)(v4 + 2 + a1) & 0x3F];
v4
+= 3;
v3
+= 4;
}
if ( v5 % 3 == 1 )
{
*(_BYTE *)(v3 - 2 + v6) = 61;
*(_BYTE *)(v3 - 1 + v6) = 61;
}
else if ( v5 % 3 == 2 )
{
*(_BYTE *)(v3 - 1 + v6) = 61;
}
return v6;
}


.rodata:080BB9A8 a0123456789Abcd db 鈥?/span>0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ鈥?/span>,0

閫氳繃瑙傚療锛岃繖搴旇鏄竴涓彉琛ㄧ殑Base64鍔犲瘑

 

绗簩澶?/p>

  sub_8048E24((int)v10, v4, (int)&v5, v3)



unsigned int __cdecl sub_8048E24(int a1, unsigned int a2, int a3, int a4)
{
char v4; // ST2B_1
unsigned int result; // eax
unsigned int v6; // et1
int v7; // [esp+1Ch] [ebp-11Ch]
int v8; // [esp+20h] [ebp-118h]
unsigned int i; // [esp+24h] [ebp-114h]
char v10[256]; // [esp+2Ch] [ebp-10Ch]
unsigned int v11; // [esp+12Ch] [ebp-Ch]

v11
= __readgsdword(0x14u);
sub_8048CC2((
int)v10, a3, a4);
LOBYTE(v7)
= 0;
LOBYTE(v8)
= 0;
for ( i = 0; i i )
{
v7 = (unsigned __int8)(v7 + 1);
v8
= (unsigned __int8)(v10[v7] + v8);
v4
= v10[v7];
v10[v7]
= v10[v8];
v10[v8]
= v4;
*(_BYTE *)(a1 + i) ^= v10[(unsigned __int8)(v10[v7] + v10[v8])];
}
v6
= __readgsdword(0x14u);
result
= v6 ^ v11;
if ( v6 != v11 )
sub_806FA00();
return result;
}

杩欏簲璇ユ槸涓€涓猂C4鍔犲瘑鍑芥暟锛?nbsp;sub_8048CC2((int)v10, a3, a4);鍑芥暟鏄垵濮嬪寲鍑芥暟

 


鎬濊矾

杩欐牱鏁翠釜浠g爜鐨勬€濊矾灏卞緢鏄庢櫚浜嗭紝瀵硅緭鍏ュ瓧绗︿覆杩涜base64鍔犲瘑鍚庯紝鍐嶈繘琛屽紓鎴栨搷浣滐紝鏈€鍚庤繘琛孯C4鍔犲瘑(Key = "Flag{This_a_Flag}")锛屽苟涓?E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E"姣旇緝

 


瑙e瘑

瑙e瘑缃戠珯锛?/p>

http://tool.chacuo.net/cryptrc4

http://ctf.ssleye.com/rc4.html

http://tools.jb51.net/password/rc4_encode

https://gchq.github.io/CyberChef/

寰楀埌瑙e瘑鐨勫瓧绗︿覆锛?3152553081a5938126a3931275b0b1313085c330b356101511f105c


# -*- coding:utf-8 -*-
from base64 import b64decode
key
= 鈥?/span>Flag{This_a_Flag}鈥?/span>
decode_byte
= 鈥?/span>23152553081a5938126a3931275b0b1313085c330b356101511f105c鈥?/span>
encode_base64
= 鈥樷€?/span>
lists
= []
for i in range(len(decode_byte)//2):
lists.append(int(decode_byte[i
*2:(i+1)*2],16))
# for i in range(0,len(decode_byte),2):
#
lists.append(int(decode_byte[i:i+2],16))
print (lists)
for i in range(len(lists)):
encode_base64
+= chr(lists[i] ^ ord(key[i%len(key)]))
t
= 鈥?/span>0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=鈥?/span>
table
= 鈥?/span>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=鈥?/span>
table
= str.maketrans(t, table)
flag
= b64decode(encode_base64.translate(table))
print(flag)

 


get flag!

BJD{0v0_Y0u_g07_1T!}


 

 

 

E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E

推荐阅读
author-avatar
八卦男1002_426
这个家伙很懒,什么也没留下!
PHP1.CN | 中国最专业的PHP中文社区 | DevBox开发工具箱 | json解析格式化 |PHP资讯 | PHP教程 | 数据库技术 | 服务器技术 | 前端开发技术 | PHP框架 | 开发工具 | 在线工具
Copyright © 1998 - 2020 PHP1.CN. All Rights Reserved | 京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有