[原创]消失的岛屿WP
发表于: 2019-6-19 10:49 2741
主函数内容
/*
 * Decompiler pseudo-code for the challenge's main(), kept verbatim.
 * Flow as shown: read a serial, check its length, pass it to base64_encode(),
 * and compare the encoded text against a fixed string.
 * Variable types are the decompiler's guesses and are not all consistent
 * with how the variables are used below.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3;
  uint8_t bindata;  // NOTE(review): typed as a single byte here but used as a string buffer below;
                    // presumably a stack array whose size the decompiler did not recover
  const char *v6;
  char *v7;

  __main();
  printf("please enter Serial:");
  scanf(" %s", &bindata);// read the serial; "%s" carries no field width, so the read is not bounded
  if ( strlen((const char *)&bindata) > 0x31 )// length check: longer than 0x31 (49) characters
    puts("error");  // only prints; execution continues, and the check runs after the read has already happened
  v7 = (char *)calloc(1u, 0x400u);  // zero-filled 0x400-byte output buffer; the result is not NULL-checked
  v3 = strlen((const char *)&bindata);
  base64_encode(&bindata, v7, v3);// suspected Base64 encoding of the serial into v7
  v6 = "!NGV%,$h1f4S3%2P(hkQ94==";  // assigned but not read anywhere in this listing
  if ( !strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7) )  // the encoded serial must equal this fixed string
    puts("Success");
  else
    puts("Please Try Again");
  free(v7);
  system("pause");
  return 0;
}
!strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7)
/*
 * Decompiler pseudo-code for the challenge's main(), kept verbatim.
 * Flow as shown: read a serial, check its length, pass it to base64_encode(),
 * and compare the encoded text against a fixed string.
 * Variable types are the decompiler's guesses and are not all consistent
 * with how the variables are used below.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3;
  uint8_t bindata;  // NOTE(review): typed as a single byte here but used as a string buffer below;
                    // presumably a stack array whose size the decompiler did not recover
  const char *v6;
  char *v7;

  __main();
  printf("please enter Serial:");
  scanf(" %s", &bindata);// read the serial; "%s" carries no field width, so the read is not bounded
  if ( strlen((const char *)&bindata) > 0x31 )// length check: longer than 0x31 (49) characters
    puts("error");  // only prints; execution continues, and the check runs after the read has already happened
  v7 = (char *)calloc(1u, 0x400u);  // zero-filled 0x400-byte output buffer; the result is not NULL-checked
  v3 = strlen((const char *)&bindata);
  base64_encode(&bindata, v7, v3);// suspected Base64 encoding of the serial into v7
  v6 = "!NGV%,$h1f4S3%2P(hkQ94==";  // assigned but not read anywhere in this listing
  if ( !strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7) )  // the encoded serial must equal this fixed string
    puts("Success");
  else
    puts("Please Try Again");
  free(v7);
  system("pause");
  return 0;
}
!strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7)
!strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7)
很明显,程序先读入serial,再进行长度判断(长度大于0x31时只输出“error”,并不会退出,后面的流程照常执行)。
之后serial被传入base64_encode函数,变换后的结果再与字符串“!NGV%,$h1f4S3%2P(hkQ94==”比较。
但是,标准base64编码的输出里显然不会出现“!”“%”这类字符,所以这个base64函数很可能是一个变种实现。
跟进base64_encode分析,发现了charEncrypt函数,其代码如下:
/*
 * Decompiler pseudo-code, kept verbatim: looks up aTuvwxtulmnopqr[data] and
 * returns a substituted character for it.
 * NOTE(review): `data` is presumably the 6-bit Base64 index and
 * aTuvwxtulmnopqr the program's 64-character table; neither is shown here.
 */
char __cdecl charEncrypt(int data)
{
  int dataa;

  dataa = aTuvwxtulmnopqr[data];      // table lookup; `data` is not range-checked in this function
  if ( dataa > 64 && dataa <= 90 )    // 'A'..'Z'
    return -101 - dataa;              // narrowed to char on return; with an 8-bit char 'A' (65) becomes 90 ('Z'),
                                      // so the uppercase letters come out reversed
  if ( dataa > 96 && dataa <= 122 )   // 'a'..'z'
    return dataa - 64;                // 'a' (97) -> 33 ('!')
  if ( dataa > 47 && dataa <= 57 )    // '0'..'9'
    return dataa + 50;                // '0' (48) -> 98 ('b')
  if ( dataa == 43 )                  // '+'
    return 119;                       // 'w'
  if ( dataa == 47 )                  // '/'
    dataa = 121;                      // 'y'
  return dataa;                       // any other table value is returned unchanged
}
很明显,这个函数把base64原有的字符表逐个字符做了替换。
而其他代码的确是标准base64.
把这段变换逻辑抄下来,对原字符表逐个字符跑一遍,就能得到新的字符表。
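#include <stdio.h>
#include <string.h>

/*
 * Per-character substitution copied from the decompiled charEncrypt():
 *   'A'..'Z' -> reversed uppercase ('A' <-> 'Z'); 155 - c equals the
 *               original -101 - c after narrowing to an 8-bit char
 *   'a'..'z' -> c - 64
 *   '0'..'9' -> c + 50
 *   '+' -> 'w' (119), '/' -> 'y' (121)
 * Any other character is returned unchanged.
 */
static char map_alphabet_char(char c)
{
    if (c >= 'A' && c <= 'Z')
        return (char)(155 - c);
    if (c >= 'a' && c <= 'z')
        return (char)(c - 64);
    if (c >= '0' && c <= '9')
        return (char)(c + 50);
    if (c == '+')
        return 'w';
    if (c == '/')
        return 'y';
    return c;
}

/*
 * Prints the substituted Base64 alphabet.
 * The loop is bounded by the table's real length and the result is
 * NUL-terminated; iterating a fixed 100 times would read past the end of
 * the 64-character table and print an unterminated buffer.
 */
int main(void)
{
    /* Source table as given in the write-up (presumably aTuvwxtulmnopqr from the binary). */
    static const char data[] = "tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/";
    char str[sizeof data];
    size_t n = strlen(data);

    for (size_t i = 0; i < n; i++)
        str[i] = map_alphabet_char(data[i]);
    str[n] = '\0';

    printf("%s", str);
    return 0;
}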
新的字符表为“45678GF,-./0123iBA!"#$%&'()*j9:bcdefghEDC+ZYXWVUTSRQPONMLKJIHkwy”
把新的字符表代入base64解码程序,对密文“!NGV%,$h1f4S3%2P(hkQ94==”进行解码,即可还原出serial。
参考代码如下
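#include <stdio.h>
#include <string.h>

int base64_decode(const char *base64, unsigned char *bindata);

/* Substituted Base64 alphabet: position k holds the character emitted for 6-bit value k. */
const char *base64char = "45678GF,-./0123iBA!\"#$%&'()*j9:bcdefghEDC+ZYXWVUTSRQPONMLKJIHkwy";

/* Returns the 6-bit value of c in base64char, or -1 if c is not in the alphabet. */
static int alphabet_index(char c)
{
    for (int k = 0; k < 64; k++) {
        if (base64char[k] == c)
            return k;
    }
    return -1;
}

/* Decodes the fixed ciphertext from the challenge and prints the recovered serial. */
int main()
{
    char base64[1000] = "!NGV%,$h1f4S3%2P(hkQ94==";
    unsigned char data[1000] = {0};

    int n = base64_decode(base64, data);
    if (n < 0) {
        fprintf(stderr, "invalid input\n");
        return 1;
    }
    /* Print exactly the decoded bytes rather than relying on a trailing NUL. */
    printf("%.*s\n", n, (const char *)data);
    return 0;
}

/*
 * Decodes a NUL-terminated string in the substituted alphabet into bindata.
 *
 * base64  - input text; its length must be a multiple of 4, with '=' padding
 * bindata - output buffer; the caller must provide at least
 *           3 * strlen(base64) / 4 bytes, since no size is passed in
 *
 * Returns the number of bytes written, or -1 when the length is not a
 * multiple of 4 or a character is outside the alphabet. Checking the length
 * first keeps the i+1..i+3 reads inside the string, and rejecting unknown
 * characters avoids silently decoding them as 0xFF.
 */
int base64_decode(const char *base64, unsigned char *bindata)
{
    size_t len = strlen(base64);
    int j = 0;

    if (len % 4 != 0)
        return -1;

    for (size_t i = 0; i < len; i += 4) {
        int v0 = alphabet_index(base64[i]);
        int v1 = alphabet_index(base64[i + 1]);
        if (v0 < 0 || v1 < 0)
            return -1;
        bindata[j++] = (unsigned char)(((v0 << 2) & 0xFC) | ((v1 >> 4) & 0x03));

        if (base64[i + 2] == '=')
            break;
        int v2 = alphabet_index(base64[i + 2]);
        if (v2 < 0)
            return -1;
        bindata[j++] = (unsigned char)(((v1 << 4) & 0xF0) | ((v2 >> 2) & 0x0F));

        if (base64[i + 3] == '=')
            break;
        int v3 = alphabet_index(base64[i + 3]);
        if (v3 < 0)
            return -1;
        /* Only the low two bits of v2 survive the shift, hence the 0xC0 mask. */
        bindata[j++] = (unsigned char)(((v2 << 6) & 0xC0) | (v3 & 0x3F));
    }

    return j;
}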
/*
 * Decompiler pseudo-code, kept verbatim: looks up aTuvwxtulmnopqr[data] and
 * returns a substituted character for it.
 * NOTE(review): `data` is presumably the 6-bit Base64 index and
 * aTuvwxtulmnopqr the program's 64-character table; neither is shown here.
 */
char __cdecl charEncrypt(int data)
{
  int dataa;

  dataa = aTuvwxtulmnopqr[data];      // table lookup; `data` is not range-checked in this function
  if ( dataa > 64 && dataa <= 90 )    // 'A'..'Z'
    return -101 - dataa;              // narrowed to char on return; with an 8-bit char 'A' (65) becomes 90 ('Z'),
                                      // so the uppercase letters come out reversed
  if ( dataa > 96 && dataa <= 122 )   // 'a'..'z'
    return dataa - 64;                // 'a' (97) -> 33 ('!')
  if ( dataa > 47 && dataa <= 57 )    // '0'..'9'
    return dataa + 50;                // '0' (48) -> 98 ('b')
  if ( dataa == 43 )                  // '+'
    return 119;                       // 'w'
  if ( dataa == 47 )                  // '/'
    dataa = 121;                      // 'y'
  return dataa;                       // any other table value is returned unchanged
}
很明显这段函数是把base64原有的字符表给变换了。
而其他代码的确是标准base64.