沒有信息
丟進IDA
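/*
 * Hex-Rays pseudocode of the crackme's main routine (IDA output, not
 * compilable C).  It zeroes Dest, prompts for the flag, passes the input
 * through sub_4110BE, adds each character's index to the result, and compares
 * that against the constant Str2.
 *
 * The page's extraction dropped '+' characters and decoded "%20" to a space.
 * The "++i"/"++j", the "+=" and the "%20s" format below are restored on that
 * basis; the "+=" is the step the solve script undoes by subtracting the index.
 *
 * Referenced in the write-up as "line 24": the sub_4110BE call.
 */
__int64 __cdecl main_0()
{
  int v0; // eax
  const char *v1; // eax
  size_t v2; // eax
  int v3; // edx
  __int64 v4; // ST08_8
  signed int j; // [esp+DCh] [ebp-ACh]
  signed int i; // [esp+E8h] [ebp-A0h]
  signed int v8; // [esp+E8h] [ebp-A0h]
  char Dest[108]; // [esp+F4h] [ebp-94h]
  char Str; // [esp+160h] [ebp-28h]
  char v11; // [esp+17Ch] [ebp-Ch]

  /* Clear the first 100 bytes of Dest; the range check is compiler-inserted. */
  for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure();
    Dest[i] = 0;
  }
  /* sub_41132F / sub_411375 are presumably printf / scanf wrappers. */
  sub_41132F("please enter the flag:");
  /* The page prints " s"; "%20s" is assumed, which would keep the read
   * inside the 28 bytes between Str (ebp-28h) and v11 (ebp-Ch). */
  sub_411375("%20s", &Str);
  v0 = j_strlen(&Str);
  /* Listing line 24: transform the input (base64 encoding, see sub_411AB0).
   * NOTE(review): the callee returns 0 on failure and the result is used
   * unchecked by strncpy; the returned buffer is not freed in this routine. */
  v1 = (const char *)sub_4110BE((int)&Str, v0, (int)&v11);
  /* Copies at most 0x28 bytes; Dest stays NUL-terminated only because it was
   * zeroed above, since strncpy does not terminate on truncation. */
  strncpy(Dest, v1, 0x28u);
  v8 = j_strlen(Dest);
  /* Second transform: add each character's index to it. */
  for ( j = 0; j < v8; ++j )
    Dest[j] += j;
  v2 = j_strlen(Dest);
  /* NOTE(review): the compare length comes from the transformed input, not
   * from Str2, so a transformed prefix of Str2 also compares equal. */
  if ( !strncmp(Dest, Str2, v2) )
    sub_41132F("rigth flag!\n");
  else
    sub_41132F("wrong flag!\n");
  HIDWORD(v4) = v3;
  LODWORD(v4) = 0;
  return v4;
}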
首先找到的信息就是Str2,Str2中存儲的是flag變換后的字符串
.data:0041A034 ; char Str2[]
.data:0041A034 Str2 db 'e3nifIH9b_C@n@dH',0 ; DATA XREF: _main_0+142↑o
第24行(對 sub_4110BE 的調用)就是在對原str進行操作
然后用strncpy把變換后的返回值(最多0x28字節)複製到Dest
進入第24行調用的函數(sub_4110BE,反編譯后顯示為 sub_411AB0)
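/*
 * Hex-Rays pseudocode of the transform called from main_0 (IDA output, not
 * compilable C).  It encodes a2 bytes at a1 three at a time into four
 * characters taken from the table aAbcdefghijklmn, using index 64 of that
 * table as padding, which matches base64 encoding.
 *
 * a1: input bytes; a2: input length; a3: receives the computed output size.
 * Returns a malloc'd, NUL-terminated string, or 0 when a1 is null, a2 is 0,
 * or malloc fails.  The caller owns the returned buffer.
 *
 * The page's extraction dropped '+' characters; the "++", "+ 1" and
 * "Dst + v" forms below are restored on that basis.
 */
void *__cdecl sub_411AB0(char *a1, unsigned int a2, int *a3)
{
  int v4; // STE0_4
  int v5; // STE0_4
  int v6; // STE0_4
  int v7; // [esp+D4h] [ebp-38h]
  signed int i; // [esp+E0h] [ebp-2Ch]
  unsigned int v9; // [esp+ECh] [ebp-20h]
  int v10; // [esp+ECh] [ebp-20h]
  signed int v11; // [esp+ECh] [ebp-20h]
  void *Dst; // [esp+F8h] [ebp-14h]
  char *v13; // [esp+104h] [ebp-8h]

  if ( !a1 || !a2 )
    return 0;
  /* NOTE(review): the rounding test is on (a2 / 3) % 3, not a2 % 3.  For some
   * lengths (a2 = 1, 2 or 10, for example) v10 is then smaller than the
   * 4 * ceil(a2 / 3) characters the loop writes, so as listed the writes run
   * past the allocation.  4 * ((a2 + 2) / 3) would cover every length.
   * *a3 is likewise not always the number of characters produced. */
  v9 = a2 / 3;
  if ( (signed int)(a2 / 3) % 3 )
    ++v9;
  v10 = 4 * v9;
  *a3 = v10;
  Dst = malloc(v10 + 1);
  if ( !Dst )
    return 0;
  j_memset(Dst, 0, v10 + 1);
  v13 = a1;                                     /* read cursor */
  v11 = a2;                                     /* bytes left to encode */
  v7 = 0;                                       /* write offset into Dst */
  while ( v11 > 0 )
  {
    /* byte_41A144 is a global 3-byte scratch group, cleared so that a short
     * final group contributes zero bits. */
    byte_41A144[2] = 0;
    byte_41A144[1] = 0;
    byte_41A144[0] = 0;
    for ( i = 0; i < 3 && v11 >= 1; ++i )
    {
      byte_41A144[i] = *v13;
      --v11;
      ++v13;
    }
    if ( !i )
      break;
    /* i is the number of input bytes in this group; each case emits four
     * characters, using table index 64 for the unused positions. */
    switch ( i )
    {
      case 1:
        *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
        v4 = v7 + 1;
        *((_BYTE *)Dst + v4++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
        *((_BYTE *)Dst + v4++) = aAbcdefghijklmn[64];
        *((_BYTE *)Dst + v4) = aAbcdefghijklmn[64];
        v7 = v4 + 1;
        break;
      case 2:
        *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
        v5 = v7 + 1;
        *((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
        *((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
        *((_BYTE *)Dst + v5) = aAbcdefghijklmn[64];
        v7 = v5 + 1;
        break;
      case 3:
        *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
        v6 = v7 + 1;
        *((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
        *((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
        *((_BYTE *)Dst + v6) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
        v7 = v6 + 1;
        break;
    }
  }
  *((_BYTE *)Dst + v7) = 0;
  return Dst;
}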
在該函數的后半部分,Dst經過aAbcdefghijklmn[]數組的變換,打開此處
.rdata:00417B30 aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
.rdata:00417B30                                         ; DATA XREF: .text:004117E8↑o
.rdata:00417B30                                         ; .text:00411827↑o ...
.rdata:00417B30                 db 0
.rdata:00417B72                 align 4
從'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='可知,這個函數應該是base64的編碼函數(base64只是編碼而不是加密,不需要密鑰)。main中還把編碼結果的每個字符加上了它的下標,因此先把Str2的每個字符減去下標,再做base64解碼即可。
解題腳本如下:
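import base64

# Str2 as stored in the binary's .data section: the expected flag after both
# transforms (base64 encoding, then adding each character's index).
str1 = 'e3nifIH9b_C@n@dH'
x = ''
flag = ''

# Undo the per-index addition done in main_0.  The characters must be
# accumulated with += so that x holds the whole base64 string, not just the
# last character.
for j in range(0, len(str1)):
    x += chr(ord(str1[j]) - j)

# What remains is plain base64; decode it and print the flag as text.
flag = base64.b64decode(x)
flag = flag.decode('ASCII')
print(flag)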
詳情參考:https://www.cnblogs.com/Mayfly-nymph/p/11465643.html
來源:https://www.icode9.com/content-4-657151.html