BUUCTF Reverse/[羊城杯 2020]easyre
![BUUCTF Reverse/[羊城杯 2020]easyre_第1张图片](http://img.e-com-net.com/image/info8/6d485e1a1db844ffb4545b9db6bbfe4e.jpg)
查看信息,无壳,64位程序
![BUUCTF Reverse/[羊城杯 2020]easyre_第2张图片](http://img.e-com-net.com/image/info8/71e67f30df3a4f738a19069acd2ee8ef.jpg)
IDA打开分析代码,又是一个字符串比较的问题,输入flag,对flag加密三次,flag的长度为38
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // eax
int v4; // eax
int v5; // eax
char flag[48]; // [rsp+20h] [rbp-60h] BYREF
char flag_encode_3[64]; // [rsp+50h] [rbp-30h] BYREF
char flag_encode_2[64]; // [rsp+90h] [rbp+10h] BYREF
char flag_encode_1[64]; // [rsp+D0h] [rbp+50h] BYREF
char Str2[60]; // [rsp+110h] [rbp+90h] BYREF
int v12; // [rsp+14Ch] [rbp+CCh] BYREF
_main();
strcpy(Str2, "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG");
puts("Hello, please input your flag and I will tell you whether it is right or not.");
scanf("%38s", flag);
if ( strlen(flag) != 38
|| (v3 = strlen(flag), (unsigned int)encode_one(flag, v3, flag_encode_1, &v12))
|| (v4 = strlen(flag_encode_1), (unsigned int)encode_two(flag_encode_1, v4, flag_encode_2, &v12))
|| (v5 = strlen(flag_encode_2), (unsigned int)encode_three(flag_encode_2, v5, flag_encode_3, &v12))
|| strcmp(flag_encode_3, Str2) )
{
printf("Something wrong. Keep going.");
return 0;
}
else
{
puts("you are right!");
return 0;
}
}
三个加密函数从后往前分析
第三个加密函数对第二次加密得到的字符串进行了一个移位变化
__int64 __fastcall encode_three(const char *a1, int a2, char *a3, int *a4)
{
char v5; // [rsp+Fh] [rbp-11h]
int i; // [rsp+14h] [rbp-Ch]
const char *v8; // [rsp+30h] [rbp+10h]
v8 = a1;
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
for ( i = 0; i < a2; ++i )
{
v5 = *v8;
if ( *v8 <= 64 || v5 > 90 )
{
if ( v5 <= 96 || v5 > 122 )
{
if ( v5 <= 47 || v5 > 57 )
*a3 = v5;
else
*a3 = (v5 - 48 + 3) % 10 + 48;
}
else
{
*a3 = (v5 - 97 + 3) % 26 + 97;
}
}
else
{
*a3 = (v5 - 65 + 3) % 26 + 65;
}
++a3;
++v8;
}
return 0i64;
}
写个爆破脚本,得到第二次加密的字符串
for i in range(len(Str2)):
for j in range(33,127,1):
k = 0
if(j <= 64) or (j > 90):
if( j <= 96 ) or (j > 122):
if(j <= 47 ) or (j > 57):
k = j
else:
k = (j - 48 + 3) % 10 + 48
else:
k = (j - 97 + 3) % 26 + 97
else:
k = (j - 65 + 3) % 26 + 65
if ord(Str2[i]) == k: #字符转ascii码
flag_encode_2.append(chr(j))
break
第二个加密函数将第一次加密得到的字符串打乱
__int64 __fastcall encode_two(const char *a1, int a2, char *a3, int *a4)
{
if ( !a1 || !a2 ) // 打乱顺序
return 0xFFFFFFFFi64;
strncpy(a3, a1 + 26, 13ui64); // 拷贝13位数
strncpy(a3 + 13, a1, 13ui64);
strncpy(a3 + 26, a1 + 39, 13ui64);
strncpy(a3 + 39, a1 + 13, 13ui64);
return 0i64;
}
按原样逆回去,得到第一次加密的字符串
flag_encode_1 = flag_encode_2[13:26] + flag_encode_2[39:] + flag_encode_2[0:13] + flag_encode_2[26:39]
第一个加密函数是一个base64加密
base表:
‘ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/A’
__int64 __fastcall encode_one(const char *a1, int a2, char *a3, int *a4)
{
int v5; // esi
int v6; // esi
int v7; // esi
int v8; // [rsp+34h] [rbp-1Ch]
int v9; // [rsp+38h] [rbp-18h]
int v11; // [rsp+48h] [rbp-8h]
int i; // [rsp+4Ch] [rbp-4h]
unsigned __int8 *v13; // [rsp+70h] [rbp+20h]
v13 = (unsigned __int8 *)a1;
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
v11 = 0;
if ( a2 % 3 ) // a2 = 38
v11 = 3 - a2 % 3; // v11 = 1
v9 = a2 + v11; // v9 = 39
v8 = 8 * (a2 + v11) / 6;
for ( i = 0; i < v9; i += 3 )
{
*a3 = BASE64_table_405080[(char)*v13 >> 2];
if ( a2 + v11 - 3 == i && v11 ) // 最后补位
{
if ( v11 == 1 )
{
v5 = (char)cmove_bits(*v13, 6, 2);
a3[1] = BASE64_table_405080[v5 + (char)cmove_bits(v13[1], 0, 4)];
a3[2] = BASE64_table_405080[(char)cmove_bits(v13[1], 4, 2)];
a3[3] = 61;
}
else if ( v11 == 2 )
{
a3[1] = BASE64_table_405080[(char)cmove_bits(*v13, 6, 2)];
a3[2] = 61;
a3[3] = 61;
}
}
else
{
v6 = (char)cmove_bits(*v13, 6, 2);
a3[1] = BASE64_table_405080[v6 + (char)cmove_bits(v13[1], 0, 4)];
v7 = (char)cmove_bits(v13[1], 4, 2);
a3[2] = BASE64_table_405080[v7 + (char)cmove_bits(v13[2], 0, 6)];
a3[3] = BASE64_table_405080[v13[2] & 0x3F];
}
a3 += 4;
v13 += 3;
}
if ( a4 )
*a4 = v8;
return 0i64;
}
依旧是写个爆破脚本爆破
def cmove_bits(a1,a2,a3):
return (((a1 << a2) % 2 ** 8) >> a3) % 128
def decode_1():
#base64表
flag = []
base64_table = list('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/A')
for i in range(0,len(Str2),4): #4位4位解密
if i != (len(Str2) - 4):
#print(1)
for j1 in range(32,127): #爆破第一位
if flag_encode_1[i] == base64_table[j1 >> 2]:
v6 = cmove_bits(j1,6,2)
for j2 in range(32,127): #爆破第二位
if flag_encode_1[i + 1] == base64_table[v6 + cmove_bits(j2,0,4)]:
v7 = cmove_bits(j2,4,2)
for j3 in range(32,127): #爆破第三位
if (flag_encode_1[i + 2] == base64_table[v7 + cmove_bits(j3,0,6)]) and (flag_encode_1[i + 3] == base64_table[j3 & 0x3F]):
flag.append(chr(j1))
flag.append(chr(j2))
flag.append(chr(j3))
else: #最后四位
for j1 in range(32,127): #爆破第一位
if flag_encode_1[i] == base64_table[j1 >> 2]:
v5 = cmove_bits(j1,6,2)
for j2 in range(32,127): #爆破第二位
if flag_encode_1[i + 1] == base64_table[v5 + cmove_bits(j2,0,4)]:
for j3 in range(32,127): #爆破第三位
if flag_encode_1[i + 2] == base64_table[cmove_bits(j2,4,2)]:
flag.append(chr(j1))
flag.append(chr(j2))
flag.append(chr(j3))
return flag
完整代码
Str2 = list("EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG")
flag = []
flag_encode_1 = []
flag_encode_2 = []
def decode_3():
for i in range(len(Str2)):
for j in range(33,127,1):
k = 0
if(j <= 64) or (j > 90):
if( j <= 96 ) or (j > 122):
if(j <= 47 ) or (j > 57):
k = j
else:
k = (j - 48 + 3) % 10 + 48
else:
k = (j - 97 + 3) % 26 + 97
else:
k = (j - 65 + 3) % 26 + 65
if ord(Str2[i]) == k: #字符转ascii码
flag_encode_2.append(chr(j))
break
return flag_encode_2
def decode_2():
flag_encode_1 = flag_encode_2[13:26] + flag_encode_2[39:] + flag_encode_2[0:13] + flag_encode_2[26:39]
return flag_encode_1
def cmove_bits(a1,a2,a3):
return (((a1 << a2) % 2 ** 8) >> a3) % 128
def decode_1():
#base64表
flag = []
base64_table = list('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/A')
for i in range(0,len(Str2),4): #4位4位解密
if i != (len(Str2) - 4):
#print(1)
for j1 in range(32,127): #爆破第一位
if flag_encode_1[i] == base64_table[j1 >> 2]:
v6 = cmove_bits(j1,6,2)
for j2 in range(32,127): #爆破第二位
if flag_encode_1[i + 1] == base64_table[v6 + cmove_bits(j2,0,4)]:
v7 = cmove_bits(j2,4,2)
for j3 in range(32,127): #爆破第三位
if (flag_encode_1[i + 2] == base64_table[v7 + cmove_bits(j3,0,6)]) and (flag_encode_1[i + 3] == base64_table[j3 & 0x3F]):
flag.append(chr(j1))
flag.append(chr(j2))
flag.append(chr(j3))
else: #最后四位
for j1 in range(32,127): #爆破第一位
if flag_encode_1[i] == base64_table[j1 >> 2]:
v5 = cmove_bits(j1,6,2)
for j2 in range(32,127): #爆破第二位
if flag_encode_1[i + 1] == base64_table[v5 + cmove_bits(j2,0,4)]:
for j3 in range(32,127): #爆破第三位
if flag_encode_1[i + 2] == base64_table[cmove_bits(j2,4,2)]:
flag.append(chr(j1))
flag.append(chr(j2))
flag.append(chr(j3))
return flag
print("Str2 = ",Str2)
flag_encode_2 = decode_3()
print("flag_encode_2 = ",flag_encode_2)
flag_encode_1 = decode_2()
print("flag_encode_1 = ",flag_encode_1)
flag = decode_1()
print("flag = ",flag)
for i in flag:
print(i,end='')
输出结果
Str2 = ['E', 'm', 'B', 'm', 'P', '5', 'P', 'm', 'n', '7', 'Q', 'c', 'P', 'U', '4', 'g', 'L', 'Y', 'K', 'v', '5', 'Q', 'c', 'M', 'm', 'B', '3', 'P', 'W', 'H', 'c', 'P', '5', 'Y', 'k', 'P', 'q', '3', '=', 'c', 'T', '6', 'Q', 'c', 'k', 'k', 'P', 'c', 'k', 'o', 'R', 'G']
flag_encode_2 = ['B', 'j', 'Y', 'j', 'M', '2', 'M', 'j', 'k', '4', 'N', 'z', 'M', 'R', '1', 'd', 'I', 'V', 'H', 's', '2', 'N', 'z', 'J', 'j', 'Y', '0', 'M', 'T', 'E', 'z', 'M', '2', 'V', 'h', 'M', 'n', '0', '=', 'z', 'Q', '3', 'N', 'z', 'h', 'h', 'M', 'z', 'h', 'l', 'O', 'D']
flag_encode_1 = ['R', '1', 'd', 'I', 'V', 'H', 's', '2', 'N', 'z', 'J', 'j', 'Y', 'z', 'Q', '3', 'N', 'z', 'h', 'h', 'M', 'z', 'h', 'l', 'O', 'D', 'B', 'j', 'Y', 'j', 'M', '2', 'M', 'j', 'k', '4', 'N', 'z', 'M', '0', 'M', 'T', 'E', 'z', 'M', '2', 'V', 'h', 'M', 'n', '0', '=']
flag = ['G', 'W', 'H', 'T', '{', '6', '7', '2', 'c', 'c', '4', '7', '7', '8', 'a', '3', '8', 'e', '8', '0', 'c', 'b', '3', '6', '2', '9', '8', '7', '3', '4', '1', '1', '3', '3', 'e', 'a', '2', '}', '
']
GWHT{672cc4778a38e80cb362987341133ea2}
得到最终flag为 :flag{672cc4778a38e80cb362987341133ea2}