-
-
[原创]看雪2019-Q2-第六题-WP
-
2019-6-24 10:50
-
0x00 首先还是运行程序
0x01 分析
1.丢入ida,F5查看main函数源码
可以发现关键,将输入的sn进行base64编码,然后与字符串"!NGV%,$h1f4S3%2P(hkQ94=="比对,如果正确返回success
根据字符串后缀“==”可以看出像是base64编码后的字符串,但是有“!”,"%",“(”等字符,可以猜测字符串编码表可能有改动
2. shift + F12 查看字符串
可以找到一个类似编码表的字符串,通过查看调用,可以马上找到编码表位置
可以发现在_charEncrypt函数里
也可以从base64_encode函数里根据函数名提示发现编码表函数 charEncrypt
3.charEncrypt函数,这里对base64的编码做了变形转换
写个脚本跑一跑,得到变形后的编码表:
#!/usr/bin/python str1 = 'tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/' str2 = '' for i in str1: x = ord(i) if x == 43: str2 = str2 + chr(119) elif x == 47: str2 = str2 + chr(121) elif x > 47 and x <= 57: str2 = str2 + chr(x + 50) elif x > 96 and x <= 122: str2 = str2 + chr(x - 64) elif x > 64 and x <= 90: str2 = str2 + chr(155 - x) print(str2) #45678GF,-./0123iBA!"#$%&'()*j9:bcdefghEDC+ZYXWVUTSRQPONMLKJIHkwy
接下来根据编码表对
"!NGV%,$h1f4S3%2P(hkQ94=="
字符串进行解码就可以了
4.base64解码:
解法一:
本来自己前两天自己写了个python的base64脚本,但是出问题了,这里用表姐的C语言脚本
链接地址:https://bbs.pediy.com/thread-251117.htm
用的VS2017版,改动了下
#include <iostream>
//const char base_table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const char base_table[] = "45678GF,-./0123iBA!\"#$%&'()*j9:bcdefghEDC+ZYXWVUTSRQPONMLKJIHkwy";
//转义字符\对引号进行转义
static int myEncode(const uint8_t *bindata, char *base64, int binlength)
{
int i, j;
uint8_t current;
/*每次处理三个字符*/
for (i = 0, j = 0; i < binlength; i += 3) {
/*前6个bit 首先右移两位*/
current = (bindata[i] >> 2);
current &= (uint8_t)0x3F;
base64[j++] = base_table[(int)current];
/*第一个字节的最后两个二进制位*/
current = ((uint8_t)(bindata[i] << 4)) & ((uint8_t)0x30);
if (i + 1 >= binlength) {
base64[j++] = base_table[(int)current];
base64[j++] = '=';
base64[j++] = '=';
break;
}
/*9~12bit, 并连接7~8bit*/
current |= ((uint8_t)(bindata[i + 1] >> 4)) & ((uint8_t)0x0F);
base64[j++] = base_table[(int)current];
/*13~16bit*/
current = ((uint8_t)(bindata[i + 1] << 2)) & ((uint8_t)0x3C);
/*就此结尾*/
if (i + 2 >= binlength) {
base64[j++] = base_table[(int)current];
base64[j++] = '=';
break;
}
/*17~18bit, 并连接13~16bit*/
current |= ((uint8_t)(bindata[i + 2] >> 6)) & ((uint8_t)0x03);
base64[j++] = base_table[(int)current];
/*19~24bit*/
current = ((uint8_t)bindata[i + 2]) & ((uint8_t)0x3F);
base64[j++] = base_table[(int)current];
}
base64[j] = '\0';
return j;
}
static int base64_decode(const uint8_t *bindata, char *base64, int binlength)
{
int i, j;
uint8_t current;
//4个字母为一组一起处理
int mybindata[4];
for (i = 0, j = 0; i < binlength; i += 4) {
for (int h = 0; h < 64; h++)
{
if (bindata[i] == base_table[h])
{
mybindata[0] = h;
break;
}
}
for (int h = 0; h < 64; h++)
{
if (bindata[i + 1] == base_table[h])
{
mybindata[1] = h;
break;
}
}
for (int h = 0; h < 64; h++)
{
if (bindata[i + 2] == base_table[h])
{
mybindata[2] = h;
break;
}
}
for (int h = 0; h < 64; h++)
{
if (bindata[i + 3] == base_table[h])
{
mybindata[3] = h;
break;
}
}
current = (mybindata[0] << 2);
current |= ((uint8_t)(mybindata[1] >> 4)) & ((uint8_t)0x03);
base64[j++] = (char)current;
current = (mybindata[1] << 4);
current |= ((uint8_t)(mybindata[2] >> 2)) & ((uint8_t)0x0F);
base64[j++] = (char)current;
current = (mybindata[2] << 6);
current |= ((uint8_t)(mybindata[3]));
base64[j++] = (char)current;
}
if (bindata[binlength - 2] == '=')
{
base64[j - 1] = ' ';
base64[j - 2] = ' ';
base64[j - 2] = '\0';
return j;
}
if (bindata[binlength - 1] == '=')
{
base64[j - 1] = ' ';
base64[j - 1] = '\0';
return j;
}
base64[j] = '\0';
return j;
}
int main(int argc, char **argv)
{
/*
char *str = (char*)"Guy1";
printf("input: %s \n", str);
char *base64_str = (char*)calloc(1, 1024);
myEncode((const uint8_t*)str, base64_str, strlen(str));
printf("encode base64: %s \n", base64_str);
char *debase64_str = (char*)calloc(1, 1024);
base64_decode((const uint8_t*)base64_str, debase64_str, strlen(base64_str));
printf("decode base64: %s \n", debase64_str);
*/
char *str2 = (char*)"!NGV%,$h1f4S3%2P(hkQ94==";
printf("INPUT:%s \n", str2);
char *debase64_str = (char*)calloc(1, 1024);
base64_decode((const uint8_t*)str2, debase64_str, strlen(str2));
printf("decode base64: %s \n", debase64_str);
getchar();
free(debase64_str);
//free(base64_str);
getchar();
return 0;
}结果获得:
解法二:
在线web:
https://gchq.github.io/CyberChef/#recipe=From_Base64('0-9A-Za-z%2B/%3D',true)&input=SHRMdg
看雪表哥发的工具:https://tools.pediy.com/win/cryptography.htm
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
|
|
|---|---|
