32位下由C++编译的EXE文件,无壳。
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // edx
unsigned int v4; // ecx
__m128i v5; // xmm1
unsigned int v6; // esi
const __m128i *v7; // eax
__m128i v8; // xmm0
int v9; // eax
char v11; // [esp+0h] [ebp-CCh]
char v12; // [esp+1h] [ebp-CBh]
char v13; // [esp+64h] [ebp-68h]
char v14; // [esp+65h] [ebp-67h]
unsigned int v15; // [esp+C8h] [ebp-4h]
printf("please input your flah:");
v11 = 0;
memset(&v12, 0, 0x63u);
scanf("%s", &v11);
v13 = 0;
memset(&v14, 0, 0x63u);
sub_401000(&v15, &v13, (unsigned __int8 *)&v11, strlen(&v11));
v3 = v15; //v3=32
v4 = 0;
if ( v15 )
{
if ( v15 >= 0x10 )
{
v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);
v6 = v15 - (v15 & 0xF);
v7 = (const __m128i *)&v13;
do
{
v8 = _mm_loadu_si128(v7);
v4 += 16;
++v7;
_mm_storeu_si128((__m128i *)&v7[-1], _mm_xor_si128(v8, v5));
}
while ( v4 < v6 );
}
for ( ; v4 < v3; ++v4 )
*(&v13 + v4) ^= 0x25u;//v4<32,v13[i]=v13[i]^0x25
}
v9 = strcmp(&v13, "you_know_how_to_remove_junk_code");//strlen(v13)=32
if ( v9 )
v9 = -(v9 < 0) | 1;
if ( v9 )
printf("wrong\n");
else
printf("correct\n");
system("pause");
return 0;
}
signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *a3, unsigned int a4)
{//a2=0,a3=输入的字符串,a4=字符串长度
int v4; // ebx
unsigned int v5; // eax
int v6; // ecx
unsigned __int8 *v7; // edi
int v8; // edx
bool v9; // zf
unsigned __int8 v10; // cl
char v11; // cl
_BYTE *v12; // esi
unsigned int v13; // ecx
int v14; // ebx
unsigned __int8 v15; // cl
char v16; // dl
_BYTE *v18; // [esp+Ch] [ebp-Ch]
unsigned int *v19; // [esp+10h] [ebp-8h]
int v20; // [esp+14h] [ebp-4h]
unsigned int v21; // [esp+14h] [ebp-4h]
int i; // [esp+24h] [ebp+Ch]
v4 = 0;
v18 = a2;
v5 = 0;
v6 = 0;
v19 = a1;
v20 = 0;
if ( !a4 )//长度
return 0;
v7 = a3;//输入的字符串
do
{
v8 = 0;
v9 = v5 == a4;
if ( v5 < a4 )
{
do
{
if ( a3[v5] != 32 )//a3[i]不是空格就退出循环
break;
++v5;
++v8;//v8算字符串中有多少个空格
}
while ( v5 < a4 );
v9 = v5 == a4;
}
if ( v9 )
break;
if ( a4 - v5 >= 2 && a3[v5] == 13 && a3[v5 + 1] == 10 || (v10 = a3[v5], v10 == 10) )
{
v6 = v20;
}
else
{
if ( v8 )
return -44;
if ( v10 == 61 && (unsigned int)++v4 > 2 )
return -44;
if ( v10 > 0x7Fu )
return -44;
v11 = byte_414E40[v10];
if ( v11 == 127 || (unsigned __int8)v11 < 0x40u && v4 )
return -44;
v6 = v20++ + 1;
}
++v5;
}
while ( v5 < a4 );
if ( !v6 )
return 0;
v12 = v18;
v13 = ((unsigned int)(6 * v6 + 7) >> 3) - v4;
if ( v18 && *v19 >= v13 )
{
v21 = 3;
v14 = 0;
for ( i = 0; v5; --v5 )
{
v15 = *v7;
if ( *v7 != 13 && v15 != 10 && v15 != 32 )
{
v16 = byte_414E40[v15];
v21 -= v16 == 64;
v14 = v16 & 0x3F | (v14 << 6);
if ( ++i == 4 )
{
i = 0;
if ( v21 )
*v12++ = BYTE2(v14);
if ( v21 > 1 )
*v12++ = BYTE1(v14);
if ( v21 > 2 )
*v12++ = v14;
}
}
++v7;
}
*v19 = v12 - v18;
return 0;
}
*v19 = v13;
return -42;
}
看不懂啊…看wp说sub_401000()是base64解密算法。也就是说这个程序是将字符串拿去base64解密后再与0x25异或。
char n[33]="you_know_how_to_remove_junk_code";
int flag[33];
int i;
for(i=0; i<32; i++)
{
flag[i] = n[i] ^ 0x25;
printf("%c",(char)flag[i]);
}
//\JPzNKJRzMJRzQJzW@HJS@zOPKNzFJA@
拿去base64加密得
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=