Windows_Reverse2
要求输入code
用查壳工具查壳，发现是ASPack壳，再进行脱壳。
再用IDA打开，查看main函数：
/*
 * Decompiled entry point (IDA pseudocode, names as IDA assigned them).
 * Flow: read a code string, validate it with sub_4011F0, transform it with
 * sub_401240 into the v8 region, wrap the result in "DDCTF{...}" and compare
 * it with the string stored in the binary as aDdctfReverse.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Buffer; // [esp+8h] [ebp-C04h] BYREF
char v5[1023]; // [esp+9h] [ebp-C03h] BYREF
char v6; // [esp+408h] [ebp-804h] BYREF
char v7[1023]; // [esp+409h] [ebp-803h] BYREF
char v8; // [esp+808h] [ebp-404h] BYREF
char v9[1023]; // [esp+809h] [ebp-403h] BYREF
/* Buffer/v5, v6/v7 and v8/v9 are each one contiguous 1024-byte stack region;
 * IDA split the first byte off from the remaining 1023. */
v6 = 0;
memset(v7, 0, sizeof(v7));
v8 = 0;
memset(v9, 0, sizeof(v9));
printf("input code:");
/* "%s" carries no width limit: input longer than 1023 bytes overruns the
 * v6/v7 region of the stack frame, and the validator below only runs after
 * the read has completed. */
scanf("%s", &v6);
/* The decompiler shows no argument here, yet the sub_4011F0 fragment below
 * indexes a1[] — the buffer is presumably passed in a register; confirm in
 * the disassembly. Non-zero return means the input passed validation. */
if ( !(unsigned __int8)sub_4011F0() )
{
printf("invalid input\n");
exit(0);
}
/* Per the fragments below, sub_401240 packs hex digit pairs into bytes and
 * hands them to sub_401000, which emits base64 text; that text presumably
 * ends up in the v8/v9 region — confirm against the disassembly. */
sub_401240(&v8);
Buffer = 0;
memset(v5, 0, sizeof(v5));
/* Also unbounded: Buffer/v5 is 1024 bytes, so the safety of this write
 * depends entirely on how much sub_401240 left in v8. */
sprintf(&Buffer, "DDCTF{%s}", &v8);
if ( !strcmp(&Buffer, aDdctfReverse) )
printf("You've got it !!! %s\n", &Buffer);
else
printf("Something wrong. Try again...\n");
return 0;
}
查看sub_4011F0()
输入字符要在0-9以及A-F之间，且长度为偶数（非零）
if ( v1 && v1 % 2 != 1 )
{
v3 = 0;
if ( v1 <= 0 )
return 1;
while ( 1 )
{
v4 = a1[v3];
if ( (v4 < '0' || v4 > '9') && (v4 < 'A' || v4 > 'F') )
break;
if ( ++v3 >= v2 )
return 1;
}
查看sub_401240
：将十六进制字符两两转为相应的字节，最后 return sub_401000
if ( v2 > 0 )
{
v4 = v9;
do
{
v5 = a1[v3];
if ( (unsigned __int8)(v5 - '0') > 9u )
{
if ( (unsigned __int8)(v5 - 'A') <= 5u )
v9 = v5 - '7';
}
else
{
v9 = a1[v3] - '0';
}
v6 = a1[v3 + 1];
if ( (unsigned __int8)(v6 - '0') > 9u )
{
if ( (unsigned __int8)(v6 - 'A') <= 5u )
v4 = v6 - '7';
}
else
{
v4 = a1[v3 + 1] - '0';
}
v7 = (unsigned int)v3 >> 1;
v3 += 2;
*(&v10 + v7) = v4 | (16 * v9);
}
while ( v3 < v2 );
}
return sub_401000(v2 / 2, (void *)a2);
}
sub_401000
:
if ( a1 )
{
do
{
*(&v14 + v5) = *v4;
v6 = v15;
++v5;
--v3;
++v4;
if ( v5 == 3 )
{
LOBYTE(v17) = v14 >> 2;
BYTE1(v17) = (v15 >> 4) + 16 * (v14 & 3);
BYTE2(v17) = (v16 >> 6) + 4 * (v15 & 0xF);
HIBYTE(v17) = v16 & 63;
for ( i = 0; i < 4; ++i )
__Y__basic_string_DU__char_trai(v19, (unsigned __int8)byte_403020[*((unsigned __int8 *)&v17 + i)] ^ 0x76);
v5 = 0;
}
}
while ( v3 );
if ( v5 )
{
if ( v5 < 3 )
{
memset(&v14 + v5, 0, 3 - v5);
v6 = v15;
}
BYTE1(v17) = (v6 >> 4) + 16 * (v14 & 3);
LOBYTE(v17) = v14 >> 2;
BYTE2(v17) = (v16 >> 6) + 4 * (v6 & 0xF);
v8 = 0;
for ( HIBYTE(v17) = v16 & 0x3F; v8 < v5 + 1; ++v8 )
__Y__basic_string_DU__char_trai(v19, (unsigned __int8)byte_403020[*((unsigned __int8 *)&v17 + v8)] ^ 0x76);
if ( v5 < 3 )
{
v9 = 3 - v5;
do
{
__Y__basic_string_DU__char_trai(v19, 61);
--v9;
}
while ( v9 );
}
}
}
前半段将byte_403020与0x76做异或处理：
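# byte_403020 as dumped from the binary: 64 bytes.
a=[0x37,0x34,0x35,0x32,0x33,0x30,0x31,0x3E,0x3F,0x3C,0x3D,0x3A,0x3B,0x38,0x39,0x26,
0x27,0x24,0x25,0x22,0x23,0x20,0x21,0x2E,0x2F,0x2C,0x17,0x14,0x15,0x12,0x13,0x10,
0x11,0x1E,0x1F,0x1C,0x1D,0x1A,0x1B,0x18,0x19,0x06,0x07,0x04,0x05,0x02,0x03,0x00,
0x01,0x0E,0x0F,0x0C,0x46,0x47,0x44,0x45,0x42,0x43,0x40,0x41,0x4E,0x4F,0x5D,0x59]
# sub_401000 appends byte_403020[index] ^ 0x76, so XOR-ing every dumped entry
# with 0x76 recovers the alphabet the encoder actually emits. Build it as one
# string instead of overwriting a throwaway variable per character.
table = ''.join(chr(x ^ 0x76) for x in a)
# No trailing newline: the 64 characters are shown as a single row.
print(table, end='')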
运行结果和base64的编码表一样
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
那么第三层就是base64编码，解题时做base64解码
import base64
# The binary compares base64 text against its stored flag body, so the code
# it accepts is the hex spelling of the bytes that encode to that text.
encoded = 'reverse+'
decoded = base64.b64decode(encoded)   # undo the base64 layer
s = decoded.hex().upper()             # bytes -> uppercase hex digits (0-9, A-F)
print(s)
ADEBDEAEC7BE