[原创]第六题:消失的岛屿
2019-6-21 21:10 2370
程序流程:
/*
 * Decompiled entry point of the crackme (decompiler output, reproduced as-is).
 * Reads a serial from stdin, encodes it with base64_encode() and compares the
 * encoded text against a constant string; prints "Success" on a match and
 * "Please Try Again" otherwise. Always returns 0.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  // NOTE(review): declared as a single byte but used below as the string
  // buffer for scanf/strlen; presumably a stack array that the decompiler
  // typed as a scalar (the next local sits at ebp-8h) -- confirm in the
  // disassembly.
  uint8_t bindata; // [esp+11h] [ebp-3Fh]
  const char *v6; // [esp+48h] [ebp-8h]
  char *v7; // [esp+4Ch] [ebp-4h]
  __main();
  printf("please enter Serial:");
  // "%s" carries no field width, so the number of bytes written is bounded
  // only by the input; a width matching the real buffer size would cap it.
  scanf(" %s", &bindata);
  // The length check runs after the write has already happened and only
  // prints "error": there is no return, so execution continues regardless.
  if ( strlen((const char *)&bindata) > 0x31 )
    puts("error");
  // 0x400-byte zero-filled output buffer; the result is not checked for NULL.
  v7 = (char *)calloc(1u, 0x400u);
  v3 = strlen((const char *)&bindata);
  base64_encode(&bindata, v7, v3);
  // v6 is assigned but never read; the comparison uses the literal directly.
  v6 = "!NGV%,$h1f4S3%2P(hkQ94==";
  if ( !strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7) )
    puts("Success");
  else
    puts("Please Try Again");
  free(v7);
  system("pause");
  return 0;
}
关键函数base64_encode():编码流程与标准base64相同,但每个6位值都交给charEncrypt()查表,而使用的编码表已被替换。
/*
 * Base64-style encoder recovered from the crackme.
 *
 * Walks bindata three bytes at a time and emits four output characters per
 * group, following the usual base64 bit layout, except that every 6-bit value
 * is turned into a character by charEncrypt() instead of by the standard
 * alphabet. A trailing group of one or two bytes is padded with '='.
 *
 * bindata   - input bytes
 * base64    - output buffer; receives the encoded text plus a NUL terminator.
 *             No size is passed in, so the caller has to provide room for
 *             four characters per started 3-byte group plus the terminator.
 * binlength - number of input bytes
 *
 * Returns the number of characters written, not counting the terminator.
 */
int __cdecl base64_encode(const uint8_t *bindata, char *base64, int binlength)
{
    int out = 0;

    for (int in = 0; in < binlength; in += 3) {
        uint8_t carry;

        /* Top six bits of the first byte. */
        base64[out++] = charEncrypt((bindata[in] >> 2) & 0x3F);
        /* Low two bits of the first byte, moved into bits 5..4. */
        carry = 16 * bindata[in] & 0x30;

        if (in + 1 >= binlength) {
            /* Only one byte left in this group: two padding characters. */
            base64[out++] = charEncrypt(carry);
            base64[out++] = '=';
            base64[out++] = '=';
            break;
        }

        base64[out++] = charEncrypt((bindata[in + 1] >> 4) | carry);
        /* Low four bits of the second byte, moved into bits 5..2. */
        carry = 4 * bindata[in + 1] & 0x3C;

        if (in + 2 >= binlength) {
            /* Two bytes left in this group: one padding character. */
            base64[out++] = charEncrypt(carry);
            base64[out++] = '=';
            break;
        }

        base64[out++] = charEncrypt((bindata[in + 2] >> 6) | carry);
        base64[out++] = charEncrypt(bindata[in + 2] & 0x3F);
    }

    base64[out] = 0;
    return out;
}
并在charEncrypt()函数内对结果进行了替换
/*
 * Maps a 6-bit value to the output character used by base64_encode().
 *
 * The value first indexes the binary's alphabet table (aTuvwxtulmnopqr); the
 * character found there is then substituted once more:
 *   'A'..'Z' -> 155 - c   (the range reversed: 'A' <-> 'Z')
 *   'a'..'z' -> c - 64    (33..58, i.e. '!'..':')
 *   '0'..'9' -> c + 50    (98..107, i.e. 'b'..'k')
 *   '+'      -> 'w'
 *   '/'      -> 'y'
 * Any other character is returned unchanged.
 *
 * data is used as the table index without a range check; the calls visible in
 * base64_encode() pass values in the range 0..63.
 */
char __cdecl charEncrypt(int data)
{
    int sym = aTuvwxtulmnopqr[data];

    if (sym >= 'A' && sym <= 'Z')   /* upper-case letter */
        return 155 - sym;
    if (sym >= 'a' && sym <= 'z')   /* lower-case letter */
        return sym - 64;
    if (sym >= '0' && sym <= '9')   /* digit */
        return sym + 50;
    if (sym == '+')
        return 'w';
    if (sym == '/')
        return 'y';
    return sym;
}
编写脚本解码:
# KanXue2019ctf_st
def strencode(mchar):
    """Undo the character substitution that charEncrypt() applies.

    Takes one character of the encoded serial and returns the code point
    (an int) of the alphabet character it was substituted for:

    * 'A'..'Z' is mirrored back (155 - c)
    * 33..58 ('!'..':') returns to 'a'..'z' (+64)
    * 98..107 ('b'..'k') returns to '0'..'9' (-50)
    * 'w' becomes '+', 'y' becomes '/'

    Any other character, including the '=' padding, comes back unchanged.
    """
    code = ord(mchar)
    if 65 <= code <= 90:
        return 155 - code
    if 33 <= code <= 58:
        return code + 64
    if 98 <= code <= 107:
        return code - 50
    if code == 119:
        return 43
    if code == 121:
        return 47
    return code
import base64
import binascii

# Constant that the crackme's main() compares the encoded serial against.
mb = '!NGV%,$h1f4S3%2P(hkQ94=='

# Stage 1: reverse the charEncrypt() substitution one character at a time,
# which yields text written in the binary's custom base64 alphabet.
x = ''.join(chr(strencode(tem)) for tem in mb)
# print(x)

# Custom alphabet used by the binary and the standard alphabet, aligned
# position by position; '=' is included so padding maps to itself.
mg_base = "tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/="
std_base = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
de_base = x
print('<-魔改base64 加密结果->', de_base)
print('<-魔改base64 表->', mg_base)
print('<-标准base64 表->', std_base)

# Stage 2: swap every character for the one at the same index in the standard
# alphabet. index() raises ValueError for a character outside the custom table.
change = ''.join(std_base[mg_base.index(ch)] for ch in de_base)
print('魔改结果转换到标准结果-->', change)

# Stage 3: what is left is ordinary base64.
bstr = base64.b64decode(change)
print('base64解码-->', bstr.decode())
结果:KanXue2019ctf_st