[羊城杯 2020]easyre
题目:[羊城杯 2020]easyre
64位无壳程序
![[羊城杯 2020]easyre_第1张图片](http://img.e-com-net.com/image/info8/70c6a8162eb74dcb8164d8a3a1b9d444.jpg)
ida64打开查看伪代码:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // eax
int v4; // eax
int v5; // eax
int result; // eax
char Str[48]; // [rsp+20h] [rbp-60h] BYREF
char Str1[64]; // [rsp+50h] [rbp-30h] BYREF
char v9[64]; // [rsp+90h] [rbp+10h] BYREF
char v10[64]; // [rsp+D0h] [rbp+50h] BYREF
char Str2[60]; // [rsp+110h] [rbp+90h] BYREF
int v12; // [rsp+14Ch] [rbp+CCh] BYREF
_main(argc, argv, envp);
strcpy(Str2, "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG");
puts("Hello, please input your flag and I will tell you whether it is right or not.");
scanf("%38s", Str); //长度38
if ( strlen(Str) != 38
|| (v3 = strlen(Str), encode_one(Str, v3, v10, &v12))
|| (v4 = strlen(v10), encode_two(v10, v4, v9, &v12))
|| (v5 = strlen(v9), encode_three(v9, v5, Str1, &v12))
|| strcmp(Str1, Str2) ) //3次加密
{
printf("Something wrong. Keep going.");
result = 0;
}
else
{
puts("you are right!");
result = 0;
}
return result;
}
可以看出我们要输入长度为38的字符串,对输入的字符串要进行三次加密再跟
"EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG"
比对。
下面来分析三个加密函数:
encode_one
第一个显然是个base64,alphabet是码表。
__int64 __fastcall encode_one(const char *a1, int a2, char *a3, int *a4)
{
int v5; // esi
int v6; // esi
int v7; // esi
int v8; // [rsp+34h] [rbp-1Ch]
int v9; // [rsp+38h] [rbp-18h]
int v11; // [rsp+48h] [rbp-8h]
int i; // [rsp+4Ch] [rbp-4h]
unsigned __int8 *v13; // [rsp+70h] [rbp+20h]
v13 = a1;
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
v11 = 0;
if ( a2 % 3 )
v11 = 3 - a2 % 3;
v9 = a2 + v11;
v8 = 8 * (a2 + v11) / 6;
for ( i = 0; i < v9; i += 3 )
{
*a3 = alphabet[*v13 >> 2];
if ( a2 + v11 - 3 == i && v11 )
{
if ( v11 == 1 )
{
v5 = cmove_bits(*v13, 6u, 2u);
a3[1] = alphabet[v5 + cmove_bits(v13[1], 0, 4u)];
a3[2] = alphabet[cmove_bits(v13[1], 4u, 2u)];
a3[3] = '=';
}
else if ( v11 == 2 )
{
a3[1] = alphabet[cmove_bits(*v13, 6u, 2u)];
a3[2] = '=';
a3[3] = '=';
}
}
else
{
v6 = cmove_bits(*v13, 6u, 2u);
a3[1] = alphabet[v6 + cmove_bits(v13[1], 0, 4u)];
v7 = cmove_bits(v13[1], 4u, 2u);
a3[2] = alphabet[v7 + cmove_bits(v13[2], 0, 6u)];
a3[3] = alphabet[v13[2] & 0x3F];
}
a3 += 4;
v13 += 3;
}
if ( a4 )
*a4 = v8;
return 0i64;
}
encode_two
无非是把编码后的字符串以13个为一组顺序换一下。。
__int64 __fastcall encode_two(const char *a1, int a2, char *a3, int *a4)
{
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
strncpy(a3, a1 + 26, 0xDui64);
strncpy(a3 + 13, a1, 0xDui64);
strncpy(a3 + 26, a1 + 39, 0xDui64);
strncpy(a3 + 39, a1 + 13, 0xDui64);
return 0i64;
}
encode_three
很经典的凯撒密码。。。
__int64 __fastcall encode_three(const char *a1, int a2, char *a3, int *a4)
{
char v5; // [rsp+Fh] [rbp-11h]
int i; // [rsp+14h] [rbp-Ch]
const char *v8; // [rsp+30h] [rbp+10h]
v8 = a1;
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
for ( i = 0; i < a2; ++i )
{
v5 = *v8;
if ( *v8 <= 64 || v5 > 90 )
{
if ( v5 <= 96 || v5 > 122 )
{
if ( v5 <= 47 || v5 > 57 )
*a3 = v5;
else
*a3 = (v5 - 48 + 3) % 10 + 48;
}
else
{
*a3 = (v5 - 97 + 3) % 26 + 97;
}
}
else
{
*a3 = (v5 - 65 + 3) % 26 + 65;
}
++a3;
++v8;
}
return 0i64;
}
EXP
根据三个加密函数我写了个exp:
import base64
data='EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG'
data1=''
for i in data:
if ord(i)>=48 and ord(i)<=57:
data1 += chr((ord(i)-3-48)%10+48)
elif ord(i)>=65 and ord(i)<=90:
data1 += chr((ord(i)-3-65)%26+65)
elif ord(i)>=97 and ord(i)<=122:
data1 += chr((ord(i)-3-97)%26+97)
else:
data1 += i
flag = data1[13:26] + data1[39:] + data1[:13] + data1[26:39]
print(base64.b64decode(flag))
有博主用爆破的方式我们可以参考一下:
from base64 import b64encode, b64decode
aim = "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG"
p = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567890+/="
count = len(aim)
print(count)
# 38位
flag = ""
# 从encode3开始爆破
tmp = ‘‘
for i in range(count):
print(i)
for j in p:
if ord(j) <= 0x40 or ord(j) > 0x5a:
if ord(j) <= 0x60 or ord(j) > 0x7a:
if ord(j) <= 0x2f or ord(j) > 0x39:
t = j
else:
t = chr((ord(j)-48+3)%10 + 48)
else:
t = chr((ord(j)-97+3)%26 + 97)
else:
t = chr((ord(j)-65+3)%26 + 65)
if t == aim[i]:
tmp += j
print(tmp)
break
print(tmp)
# BjYjM2Mjk4NzMR1dIVHs2NzJjY0MTEzM2VhMn0=zQ3NzhhMzhlOD
# encode2
_tmp = tmp[13:26] + tmp[39:] + tmp[:13] + tmp[26:39]
print(b64decode(_tmp))
得到flag:
![[羊城杯 2020]easyre_第2张图片](http://img.e-com-net.com/image/info8/b0dfba3e3269485ca3cce95cd6bfe667.jpg)
flag{
672cc4778a38e80cb362987341133ea2}