[原创]看雪2019-Q2-第六题-WP
2019-6-24 10:50 2637
0x00 首先还是运行程序
0x01 分析
1.丢入ida,F5查看main函数源码
可以发现关键,将输入的sn进行base64编码,然后与字符串"!NGV%,$h1f4S3%2P(hkQ94=="比对,如果正确返回success
根据字符串后缀“==”可以看出像是base64编码后的字符串,但是有“!”,"%",“(”等字符,可以猜测字符串编码表可能有改动
2. shift + F12 查看字符串
可以找到一个类似编码表的字符串,通过查看调用,可以马上找到编码表位置
可以发现在_charEncrypt函数里
也可以从base64_encode函数里根据函数名提示发现编码表函数 charEncrypt
3.charEncrypt函数,这里对base64的编码做了变形转换
写个脚本跑一跑,得到变形后的编码表:
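#!/usr/bin/python
# Rebuild the challenge's Base64 alphabet by applying the per-character
# substitution described for charEncrypt to the table-like string found in
# the binary's string list.

# Table string as it appears in the binary, before the substitution.
str1 = 'tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/'


def _map_char(ch):
    """Return the substituted alphabet character for one table entry.

    Raises ValueError for a character outside the ranges the substitution
    covers. Silently skipping it would shorten the table and shift every
    later index, which yields a wrong decode with no visible error.
    """
    code = ord(ch)
    if code == 43:              # '+'
        return chr(119)         # 'w'
    if code == 47:              # '/'
        return chr(121)         # 'y'
    if 47 < code <= 57:         # '0'..'9'
        return chr(code + 50)
    if 96 < code <= 122:        # 'a'..'z'
        return chr(code - 64)
    if 64 < code <= 90:         # 'A'..'Z'
        return chr(155 - code)
    raise ValueError('no substitution rule for character %r' % ch)


str2 = ''.join(_map_char(ch) for ch in str1)

# A usable Base64 alphabet has exactly 64 distinct symbols; anything else
# means the table or the substitution rules were transcribed incorrectly.
if len(str2) != 64 or len(set(str2)) != 64:
    raise ValueError('derived alphabet is not 64 distinct symbols')

print(str2)
# Expected output:
# 45678GF,-./0123iBA!"#$%&'()*j9:bcdefghEDC+ZYXWVUTSRQPONMLKJIHkwy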
接下来根据编码表对
"!NGV%,$h1f4S3%2P(hkQ94=="
字符串进行解码就可以了
4.base64解码:
解法一:
本来前两天自己写了个python的base64脚本,但是出问题了,这里用表姐的C语言脚本
链接地址:https://bbs.pediy.com/thread-251117.htm
用的VS2017版,改动了下
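#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>

// Standard Base64 alphabet, kept for reference:
//const char base_table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Substituted alphabet used by the challenge; the embedded '"' is escaped with a backslash.
const char base_table[] = "45678GF,-./0123iBA!\"#$%&'()*j9:bcdefghEDC+ZYXWVUTSRQPONMLKJIHkwy";

/**
 * Encode binlength bytes from bindata as Base64 text using base_table.
 *
 * @param bindata   raw input bytes
 * @param base64    output buffer; the function cannot check its size, so the
 *                  caller must provide at least 4 * ((binlength + 2) / 3) + 1 bytes
 * @param binlength number of input bytes
 * @return number of characters written, not counting the terminating NUL
 */
static int myEncode(const uint8_t *bindata, char *base64, int binlength)
{
    int i, j;
    uint8_t current;

    /* Consume three input bytes per iteration. */
    for (i = 0, j = 0; i < binlength; i += 3) {
        /* Top six bits of the first byte. */
        current = (bindata[i] >> 2);
        current &= (uint8_t)0x3F;
        base64[j++] = base_table[(int)current];

        /* Low two bits of the first byte, moved to the top of the next sextet. */
        current = ((uint8_t)(bindata[i] << 4)) & ((uint8_t)0x30);
        if (i + 1 >= binlength) {
            /* Only one byte left: emit it and pad with "==". */
            base64[j++] = base_table[(int)current];
            base64[j++] = '=';
            base64[j++] = '=';
            break;
        }

        /* Join with the top four bits of the second byte. */
        current |= ((uint8_t)(bindata[i + 1] >> 4)) & ((uint8_t)0x0F);
        base64[j++] = base_table[(int)current];

        /* Low four bits of the second byte. */
        current = ((uint8_t)(bindata[i + 1] << 2)) & ((uint8_t)0x3C);
        if (i + 2 >= binlength) {
            /* Only two bytes left: emit them and pad with "=". */
            base64[j++] = base_table[(int)current];
            base64[j++] = '=';
            break;
        }

        /* Join with the top two bits of the third byte. */
        current |= ((uint8_t)(bindata[i + 2] >> 6)) & ((uint8_t)0x03);
        base64[j++] = base_table[(int)current];

        /* Low six bits of the third byte. */
        current = ((uint8_t)bindata[i + 2]) & ((uint8_t)0x3F);
        base64[j++] = base_table[(int)current];
    }
    base64[j] = '\0';
    return j;
}

/* Return the 6-bit value of one encoded character, or -1 if it is not in base_table. */
static int table_index(uint8_t c)
{
    for (int h = 0; h < 64; h++) {
        if (c == (uint8_t)base_table[h]) {
            return h;
        }
    }
    return -1;
}

/**
 * Decode Base64 text that was encoded with base_table.
 *
 * Despite the parameter names, bindata is the ENCODED input and base64 is the
 * DECODED output; the names are kept so existing calls stay valid.
 *
 * The input is validated before it is used: the length must be a multiple of
 * four, '=' padding is accepted only at the end of the final group, and every
 * other character must be in base_table. The earlier version looked up the
 * '=' characters in the table, found nothing, and reused stale or
 * uninitialized sextets; it also read past the input when the length was not
 * a multiple of four and read before it when the length was zero.
 *
 * @param bindata   encoded characters (need not be NUL-terminated)
 * @param base64    output buffer; the function cannot check its size, so the
 *                  caller must provide at least (binlength / 4) * 3 + 1 bytes
 * @param binlength number of encoded characters
 * @return number of decoded bytes (excluding the terminating NUL), or -1 on
 *         malformed input, in which case the output is set to an empty string.
 *         The earlier version returned the count including padding bytes.
 */
static int base64_decode(const uint8_t *bindata, char *base64, int binlength)
{
    if (bindata == NULL || base64 == NULL) {
        return -1;
    }
    if (binlength < 0 || binlength % 4 != 0) {
        base64[0] = '\0';
        return -1;
    }

    int j = 0;
    for (int i = 0; i < binlength; i += 4) {
        /* Padding is only meaningful in the final group. */
        int pad = 0;
        if (i + 4 == binlength && bindata[i + 3] == '=') {
            pad = (bindata[i + 2] == '=') ? 2 : 1;
        }

        int sextet[4] = {0, 0, 0, 0};
        for (int k = 0; k < 4 - pad; k++) {
            sextet[k] = table_index(bindata[i + k]);
            if (sextet[k] < 0) {
                /* Unknown character: refuse rather than decode garbage. */
                base64[0] = '\0';
                return -1;
            }
        }

        base64[j++] = (char)(uint8_t)((sextet[0] << 2) | (sextet[1] >> 4));
        if (pad < 2) {
            base64[j++] = (char)(uint8_t)(((sextet[1] & 0x0F) << 4) | (sextet[2] >> 2));
        }
        if (pad < 1) {
            base64[j++] = (char)(uint8_t)(((sextet[2] & 0x03) << 6) | sextet[3]);
        }
    }

    base64[j] = '\0';
    return j;
}

/**
 * Decode the comparison string from the challenge with the substituted
 * alphabet and print the result.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /*
    Round-trip self-test for the encoder/decoder pair:

    char *str = (char*)"Guy1";
    printf("input: %s \n", str);
    char *base64_str = (char*)calloc(1, 1024);
    myEncode((const uint8_t*)str, base64_str, strlen(str));
    printf("encode base64: %s \n", base64_str);
    char *debase64_str = (char*)calloc(1, 1024);
    base64_decode((const uint8_t*)base64_str, debase64_str, strlen(base64_str));
    printf("decode base64: %s \n", debase64_str);
    */

    const char *str2 = "!NGV%,$h1f4S3%2P(hkQ94==";
    printf("INPUT:%s \n", str2);

    /* 1024 bytes is far more than the (len / 4) * 3 + 1 the decoder needs here. */
    char *debase64_str = (char *)calloc(1, 1024);
    if (debase64_str == NULL) {
        fprintf(stderr, "out of memory\n");
        return 1;
    }

    if (base64_decode((const uint8_t *)str2, debase64_str, (int)strlen(str2)) < 0) {
        fprintf(stderr, "input is not valid for this alphabet\n");
        free(debase64_str);
        return 1;
    }
    printf("decode base64: %s \n", debase64_str);

    getchar();   /* keep the console window open */
    free(debase64_str);
    //free(base64_str);
    getchar();
    return 0;
}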
结果获得:KanXue2019ctf_st
解法二:
在线web(链接里的字母表和输入只是示例,使用时要换成上面得到的变形编码表和待解码的字符串):
https://gchq.github.io/CyberChef/#recipe=From_Base64('0-9A-Za-z%2B/%3D',true)&input=SHRMdg
看雪表哥发的工具:https://tools.pediy.com/win/cryptography.htm