-
-
[原创]2019 Q2 第六题 消失的岛屿 分析
-
2019-6-23 19:20
3602
-
0x1 程序分析
main函数:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // eax
uint8_t bindata; // [esp+11h] [ebp-3Fh]
const char *v6; // [esp+48h] [ebp-8h]
char *v7; // [esp+4Ch] [ebp-4h]
__main();
printf("please enter Serial:");
scanf(" %s", &bindata);
if ( strlen((const char *)&bindata) > 0x31 )
puts("error");
v7 = (char *)calloc(1u, 0x400u);
v3 = strlen((const char *)&bindata);
base64_encode(&bindata, v7, v3);
v6 = "!NGV%,$h1f4S3%2P(hkQ94==";
if ( !strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7) )
puts("Success");
else
puts("Please Try Again");
free(v7);
system("pause");
return 0;
}
看起来像是改过的base64:
改过的编码表:
tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/
字符变形:
char __cdecl charEncrypt(int data)
{
int dataa; // [esp+18h] [ebp+8h]
dataa = aTuvwxtulmnopqr[data];
if ( dataa > 64 && dataa <= 90 )
return -101 - dataa;
if ( dataa > 96 && dataa <= 122 )
return dataa - 64;
if ( dataa > 47 && dataa <= 57 )
return dataa + 50;
if ( dataa == 43 )
return 119;
if ( dataa == 47 )
dataa = 121;
return dataa;
}
0x2 解决
"""
base64实现
"""
import base64
import string
# base 字符集
base64_charset = 'tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/'
def encode(origin_bytes):
"""
将bytes类型编码为base64
:param origin_bytes:需要编码的bytes
:return:base64字符串
"""
# 将每一位bytes转换为二进制字符串
base64_bytes = ['{:0>8}'.format(str(bin(b)).replace('0b', '')) for b in origin_bytes]
resp = ''
nums = len(base64_bytes) // 3
remain = len(base64_bytes) % 3
integral_part = base64_bytes[0:3 * nums]
while integral_part:
# 取三个字节,以每6比特,转换为4个整数
tmp_unit = ''.join(integral_part[0:3])
tmp_unit = [int(tmp_unit[x: x + 6], 2) for x in [0, 6, 12, 18]]
# 取对应base64字符
resp += ''.join([base64_charset[i] for i in tmp_unit])
integral_part = integral_part[3:]
if remain:
# 补齐三个字节,每个字节补充 0000 0000
remain_part = ''.join(base64_bytes[3 * nums:]) + (3 - remain) * '0' * 8
# 取三个字节,以每6比特,转换为4个整数
# 剩余1字节可构造2个base64字符,补充==;剩余2字节可构造3个base64字符,补充=
tmp_unit = [int(remain_part[x: x + 6], 2) for x in [0, 6, 12, 18]][:remain + 1]
resp += ''.join([base64_charset[i] for i in tmp_unit]) + (3 - remain) * '='
return resp
def decode(base64_str):
# 对每一个base64字符取下标索引,并转换为6为二进制字符串
base64_bytes = ['{:0>6}'.format(str(bin(base64_charset.index(s))).replace('0b', '')) for s in base64_str if
s != '=']
resp = bytearray()
nums = len(base64_bytes) // 4
remain = len(base64_bytes) % 4
integral_part = base64_bytes[0:4 * nums]
while integral_part:
# 取4个6位base64字符,作为3个字节
tmp_unit = ''.join(integral_part[0:4])
tmp_unit = [int(tmp_unit[x: x + 8], 2) for x in [0, 8, 16]]
for i in tmp_unit:
resp.append(i)
integral_part = integral_part[4:]
if remain:
remain_part = ''.join(base64_bytes[nums * 4:])
tmp_unit = [int(remain_part[i * 8:(i + 1) * 8], 2) for i in range(remain - 1)]
for i in tmp_unit:
resp.append(i)
return resp
def valid_base64_str(b_str):
"""
验证是否为合法base64字符串
:param b_str: 待验证的base64字符串
:return:是否合法
"""
if len(b_str) % 4:
return False
for m in b_str:
if m not in base64_charset:
return False
return True
target = '!NGV%,$h1f4S3%2P(hkQ94=='
target2 = ''
if __name__ == '__main__':
for c in target:
if ord(c)>=65 and ord(c)<=91:
ch = chr(155-ord(c))
elif ord(c)>=32 and ord(c)<=58:
ch = chr(64+ord(c))
elif ord(c)>=97 and ord(c)<=107:
ch = chr(ord(c)-50)
elif ord(c)==119:
ch = ord(43)
elif ord(c)==121:
ch = ord(47)
else:
ch = c
target2 += ch
print(target2)
print(decode(target2))
运行得key:KanXue2019ctf_st
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法