2020 BJDCTF Re encode


测试文件:https://www.lanzous.com/i9la55a

 

准备

鎶€鏈浘鐗? src=

获取信息:

  • 32位文件
  • UPX壳

 

IDA分析

UPX脱壳后,IDA打开

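// Flag-check routine as shown by IDA after UPX unpacking. The names strlen,
// strcpy, strcmp, length, printf, read and exit were assigned by the analyst
// (the article says unknown functions were renamed by guessing), so treat
// them as hypotheses rather than recovered symbols.
//
// Flow: read input -> require length 21 -> sub_8048AC2 (custom-alphabet
// Base64) -> XOR with the repeating key -> sub_8048E24 (RC4 keystream XOR
// with the same key) -> compare with the constant stored in v13..v25.
//
// Returns 0 after printing "right!"; both rejection paths call exit(0).
int sub_804887C()
{
  int v0; // eax
  int result; // eax
  int v2; // ecx
  unsigned int v3; // et1
  unsigned int i; // [esp+Ch] [ebp-FCh]
  unsigned int v5; // [esp+10h] [ebp-F8h]
  unsigned int v6; // [esp+14h] [ebp-F4h]
  int v7; // [esp+1Ah] [ebp-EEh]
  int v8; // [esp+1Eh] [ebp-EAh]
  int v9; // [esp+22h] [ebp-E6h]
  int v10; // [esp+26h] [ebp-E2h]
  __int16 v11; // [esp+2Ah] [ebp-DEh]
  char v12[30]; // [esp+2Ch] [ebp-DCh]
  int v13; // [esp+4Ah] [ebp-BEh]
  int v14; // [esp+4Eh] [ebp-BAh]
  int v15; // [esp+52h] [ebp-B6h]
  int v16; // [esp+56h] [ebp-B2h]
  int v17; // [esp+5Ah] [ebp-AEh]
  int v18; // [esp+5Eh] [ebp-AAh]
  int v19; // [esp+62h] [ebp-A6h]
  int v20; // [esp+66h] [ebp-A2h]
  int v21; // [esp+6Ah] [ebp-9Eh]
  int v22; // [esp+6Eh] [ebp-9Ah]
  int v23; // [esp+72h] [ebp-96h]
  int v24; // [esp+76h] [ebp-92h]
  __int16 v25; // [esp+7Ah] [ebp-8Eh]
  char v26; // [esp+7Ch] [ebp-8Ch]
  unsigned int v27; // [esp+FCh] [ebp-Ch]

  // Stack-protector canary: saved here, re-read and compared before returning.
  v27 = __readgsdword(0x14u);

  // v7..v11 are contiguous on the stack (offsets 1Ah..2Bh). IDA prints each
  // 4-byte store as a multi-character constant, so the bytes in memory read
  // "Flag{This_a_Flag}". v11 is a 16-bit store of '}', whose high byte is the
  // terminating NUL. This string is the hard-coded key for both later stages.
  v7 = 'galF';
  v8 = 'ihT{';
  v9 = '_a_s';
  v10 = 'galF';
  v11 = '}';
  v5 = strlen(&v7);                             // key length (17 for the string above)

  // v13..v25 are likewise contiguous and spell the 49-character comparison
  // target "E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E" in memory.
  v13 = '8D8E';
  v14 = '19DB';
  v15 = 'A178';
  v16 = '65E1';
  v17 = 'F35F';
  v18 = '9884';
  v19 = 'F286';
  v20 = '4169';
  v21 = '2FA2';
  v22 = 'F8BA';
  v23 = 'A7DE';
  v24 = '5DFC';
  v25 = 'E';
  printf("Please input your flag:");

  // NOTE(review): per the stack annotations the input buffer v26 starts at
  // ebp-8Ch and the canary copy v27 sits at ebp-Ch, i.e. 0x80 bytes later,
  // yet up to 256 bytes are accepted. Input longer than the buffer overruns
  // it; the canary comparison at the end is the only check shown here.
  // read() also does not NUL-terminate, so the strlen() below depends on
  // whatever bytes follow the input on the stack.
  read(0, &v26, 256);
  if ( strlen(&v26) != 21 )
    exit(0);

  // Stage 1: custom-alphabet Base64 of the input, returned in a new buffer.
  // v12 holds 30 bytes; for 21 input bytes sub_8048AC2 computes 28 output
  // characters plus a terminator, so this copy fits only because of the
  // length gate above.
  v0 = sub_8048AC2((int)&v26);
  strcpy((int)v12, v0);
  v6 = length(v12);

  // Stage 2: XOR every encoded byte with the key, repeating the key cyclically.
  for ( i = 0; i < v6; ++i )                    // XOR step
    v12[i] ^= *((_BYTE *)&v7 + i % v5);

  // Stage 3: RC4 keystream XOR over v12 in place, keyed with the same string.
  sub_8048E24(v12, v6, &v7, v5);

  // NOTE(review): as decompiled, a zero result exits and any other result
  // reaches "right!". With real strcmp semantics that would reject a match,
  // so either the guessed name is wrong or the condition was mis-rendered.
  // Confirm against the disassembly before relying on it.
  if ( !strcmp(v12, &v13) )
    exit(0);
  printf("right!");
  result = 0;

  // Canary check; sub_806FA00 is presumably the stack-smashing failure handler.
  v3 = __readgsdword(0x14u);
  v2 = v3 ^ v27;
  if ( v3 != v27 )
    sub_806FA00(v2);
  return result;
}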

寰堝鏈煡鍑芥暟锛屾垜浠兘澶熺寽鍑烘槸浠€涔堝嚱鏁帮紝鍦ㄤ唬鐮佷腑宸叉敼銆?/p>

 

代码分析

在代码中,有两处函数我们不清楚作用。第一处

// Excerpt from sub_804887C: the first unknown helper is called on the raw
// input buffer (v26); its return value is what gets copied into v12.
v0 = sub_8048AC2((int)&v26);

函数传入参数是我们输入的字符串,打开函数后

// Base64-style encoder that indexes the table a0123456789Abcd instead of the
// standard alphabet. The bit layout is standard Base64 (3 input bytes ->
// 4 six-bit indices, '=' padding); only the symbol order differs, so this is
// an encoding step, not encryption.
//
// a1 is the address of the input string, passed as an int by the decompiler.
// Returns the address of a newly obtained, NUL-terminated output buffer.
int __cdecl sub_8048AC2(int a1)
{
  int v2; // [esp+8h] [ebp-20h]   encoded length, always a multiple of 4
  int v3; // [esp+Ch] [ebp-1Ch]   write offset into the output
  int v4; // [esp+10h] [ebp-18h]  read offset into the input
  int v5; // [esp+18h] [ebp-10h]  input length
  int v6; // [esp+1Ch] [ebp-Ch]   output buffer address

  // `length` is an analyst-assigned name; presumably strlen - confirm.
  v5 = length(a1);
  // Output size is 4 * ceil(v5 / 3).
  if ( v5 % 3 )
    v2 = 4 * (v5 / 3 + 1);
  else
    v2 = 4 * (v5 / 3);
  // sub_80597A0 presumably allocates v2 + 1 bytes (malloc-like) - confirm.
  // NOTE(review): the result is written through on the next line without
  // any check for failure.
  v6 = sub_80597A0(v2 + 1);
  *(_BYTE *)(v2 + v6) = 0;
  v3 = 0;
  v4 = 0;
  // Each pass consumes 3 input bytes and emits 4 table characters.
  // NOTE(review): when v5 is not a multiple of 3 the last pass still reads
  // a1[v4 + 1] and a1[v4 + 2], which lie at or beyond the end of the input.
  // The characters derived only from those bytes are overwritten with '='
  // below, but the reads themselves still happen.
  while ( v2 - 2 > v3 )
  {
    // top 6 bits of byte 0
    *(_BYTE *)(v6 + v3) = a0123456789Abcd[(unsigned __int8)(*(_BYTE *)(v4 + a1) >> 2)];
    // low 2 bits of byte 0, high 4 bits of byte 1
    *(_BYTE *)(v6 + v3 + 1) = a0123456789Abcd[16 * (*(_BYTE *)(v4 + a1) & 3) | (unsigned __int8)(*(_BYTE *)(v4 + 1 + a1) >> 4)];
    // low 4 bits of byte 1, high 2 bits of byte 2
    *(_BYTE *)(v6 + v3 + 2) = a0123456789Abcd[4 * (*(_BYTE *)(v4 + 1 + a1) & 0xF) | (unsigned __int8)(*(_BYTE *)(v4 + 2 + a1) >> 6)];
    // low 6 bits of byte 2
    *(_BYTE *)(v6 + v3 + 3) = a0123456789Abcd[*(_BYTE *)(v4 + 2 + a1) & 0x3F];
    v4 += 3;
    v3 += 4;
  }
  // Padding: 61 is ASCII '='. One leftover input byte -> "==", two -> "=".
  if ( v5 % 3 == 1 )
  {
    *(_BYTE *)(v3 - 2 + v6) = 61;
    *(_BYTE *)(v3 - 1 + v6) = 61;
  }
  else if ( v5 % 3 == 2 )
  {
    *(_BYTE *)(v3 - 1 + v6) = 61;
  }
  return v6;
}
.rodata:080BB9A8 a0123456789Abcd db '0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',0

通过观察,这应该是一个变表的Base64加密

 

绗簩澶?/p>

  // Call-site excerpt. The variable numbering here differs from the
  // sub_804887C listing earlier on the page, where the same call reads
  // sub_8048E24(v12, v6, &v7, v5): data buffer, data length, key, key length.
  sub_8048E24((int)v10, v4, (int)&v5, v3)

// RC4 keystream generation applied in place: XORs a2 bytes at address a1 with
// a keystream derived from the key at a3 (length a4). Because the operation
// is a plain XOR with the keystream, running the same routine with the same
// key reverses it.
//
// The value returned is only the canary XOR left in eax; the caller shown on
// this page ignores it.
unsigned int __cdecl sub_8048E24(int a1, unsigned int a2, int a3, int a4)
{
  char v4; // ST2B_1
  unsigned int result; // eax
  unsigned int v6; // et1
  int v7; // [esp+1Ch] [ebp-11Ch]   index i, kept to 8 bits
  int v8; // [esp+20h] [ebp-118h]   index j, kept to 8 bits
  unsigned int i; // [esp+24h] [ebp-114h]
  char v10[256]; // [esp+2Ch] [ebp-10Ch]   256-byte permutation state
  unsigned int v11; // [esp+12Ch] [ebp-Ch]

  // Stack-protector canary, checked again before returning.
  v11 = __readgsdword(0x14u);
  // Fills the state from the key; per the article this is the initialisation
  // routine (presumably the RC4 key schedule - its body is not shown here).
  sub_8048CC2((int)v10, a3, a4);
  LOBYTE(v7) = 0;
  LOBYTE(v8) = 0;
  for ( i = 0; i < a2; ++i )
  {
    // i = (i + 1) mod 256; j = (j + S[i]) mod 256
    v7 = (unsigned __int8)(v7 + 1);
    v8 = (unsigned __int8)(v10[v7] + v8);
    // swap S[i] and S[j]
    v4 = v10[v7];
    v10[v7] = v10[v8];
    v10[v8] = v4;
    // keystream byte S[(S[i] + S[j]) mod 256] is XORed into the data
    *(_BYTE *)(a1 + i) ^= v10[(unsigned __int8)(v10[v7] + v10[v8])];
  }
  v6 = __readgsdword(0x14u);
  result = v6 ^ v11;
  // sub_806FA00 is presumably the stack-smashing failure handler.
  if ( v6 != v11 )
    sub_806FA00();
  return result;
}

这应该是一个RC4加密函数,sub_8048CC2((int)v10, a3, a4);函数是初始化函数

 

思路

这样整个代码的思路就很明晰了,对输入字符串进行base64加密后,再进行异或操作,最后进行RC4加密(Key = "Flag{This_a_Flag}"),并与"E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E"比较

 

解密

解密网站:

http://tool.chacuo.net/cryptrc4

http://ctf.ssleye.com/rc4.html

http://tools.jb51.net/password/rc4_encode

https://gchq.github.io/CyberChef/

得到解密的字符串:23152553081a5938126a3931275b0b1313085c330b356101511f105c

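# -*- coding:utf-8 -*-
"""Undo the last two layers of the check: repeating-key XOR, then the
custom-alphabet Base64. The input is the hex string obtained from the RC4
decryption step, which was done separately before running this script."""

from base64 import b64decode

# Hard-coded key recovered from the binary; it is used for the XOR layer here
# and was also the RC4 key.
key = 'Flag{This_a_Flag}'
# RC4-decrypted bytes, as hex.
decode_byte = '23152553081a5938126a3931275b0b1313085c330b356101511f105c'

# Hex string -> list of byte values (two hex digits per byte).
lists = list(bytes.fromhex(decode_byte))
print(lists)

# Remove the XOR layer; the key repeats cyclically over the data.
encode_base64 = ''.join(
    chr(value ^ ord(key[index % len(key)])) for index, value in enumerate(lists)
)

# Map the binary's alphabet onto the standard Base64 alphabet so the stdlib
# decoder can be used. '=' maps to itself so padding survives the translation.
t = '0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ='
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
table = str.maketrans(t, table)
flag = b64decode(encode_base64.translate(table))
print(flag)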

 

get flag!

BJD{0v0_Y0u_g07_1T!}

 

 

 

E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E
