-
-
[原创]第六题:消失的岛屿
-
2019-6-26 16:01
5155
-
第六题:消失的岛屿
main函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // eax
uint8_t bindata; // [esp+11h] [ebp-3Fh]
const char *v6; // [esp+48h] [ebp-8h]
char *v7; // [esp+4Ch] [ebp-4h]
__main();
printf("please enter Serial:");
scanf(" %s", &bindata);
if ( strlen((const char *)&bindata) > 0x31 )
puts("error");
v7 = (char *)calloc(1u, 0x400u);
v3 = strlen((const char *)&bindata);
base64_encode(&bindata, v7, v3);
v6 = "!NGV%,$h1f4S3%2P(hkQ94==";
if ( !strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7) )
puts("Success");
else
puts("Please Try Again");
free(v7);
system("pause");
return 0;
}
逻辑非常简单,将输入base64_encode之后与常量比较,看一眼base64_encode
没什么问题,很base64,进入charEncrypt
char __cdecl charEncrypt(int data)
{
int dataa; // [esp+18h] [ebp+8h]
dataa = aTuvwxtulmnopqr[data];
if ( dataa > 0x40 && dataa <= 0x5A )
return 0x9B - dataa;
if ( dataa > 0x60 && dataa <= 0x7A )
return dataa - 0x40;
if ( dataa > 0x2F && dataa <= 0x39 )
return dataa + 0x32;
if ( dataa == 0x2B )
return 0x77;
if ( dataa == 0x2F )
dataa = 0x79;
return dataa;
}
拿到table 'tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/'
看到table还经过了简单的变换,直接复制出来然后解base64就搞定了
import string
import base64
def fun(dataa):
if dataa > 0x40 and dataa <= 0x5A:
dataa = 0x9B - dataa
elif dataa > 0x60 and dataa <= 0x7A:
dataa = dataa - 0x40
elif dataa > 0x2F and dataa <= 0x39:
dataa = dataa + 0x32
elif dataa == 0x2B:
dataa = 0x77
elif dataa == 0x2F:
dataa = 0x79
return dataa
base64_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
data = 'tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/'
table = ''
cipher_text = '!NGV%,$h1f4S3%2P(hkQ94=='
for i in data:
table += chr(fun(ord(i)))
print table
key = base64.b64decode(cipher_text.translate(string.maketrans(table,base64_table)))
print key
KanXue2019ctf_st
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
