查看信息,无壳,64位程序
IDA打开分析代码,又是一个字符串比较的问题,输入flag,对flag加密三次,flag的长度为38
int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* Challenge entry point: read a flag of exactly 38 characters, push it
     * through three transforms (encode_one -> encode_two -> encode_three) and
     * compare the final buffer with the hard-coded target string. Both
     * outcomes return 0; only the printed message differs.
     *
     * The work buffers are never cleared. encode_three (visible below) writes
     * exactly its input length and appends no '\0', so the strlen()/strcmp()
     * calls on the intermediate buffers depend on whatever the stack already
     * holds past the written bytes -- TODO confirm whether encode_one and
     * encode_two terminate their output (not visible here).
     */
    char flag[48];            /* [rsp+20h]; "%38s" stores at most 38 chars + '\0' */
    char flag_encode_3[64];   /* [rsp+50h]; output of encode_three, compared to Str2 */
    char flag_encode_2[64];   /* [rsp+90h]; output of encode_two */
    char flag_encode_1[64];   /* [rsp+D0h]; output of encode_one */
    char Str2[60];            /* [rsp+110h]; 52-char target + '\0' fits */
    int v12;                  /* [rsp+14Ch]; passed by address to every encoder, meaning not visible here */

    _main();
    strcpy(Str2, "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG");
    puts("Hello, please input your flag and I will tell you whether it is right or not.");
    scanf("%38s", flag);

    /* Same short-circuit order as the original single condition: a later
     * stage runs only if every earlier one succeeded. An encoder fails when
     * the low 32 bits of its return value are non-zero. The strlen() results
     * are narrowed to int exactly as the decompiled temporaries v3..v5 were. */
    int ok = strlen(flag) == 38;
    if (ok)
        ok = (unsigned int)encode_one(flag, (int)strlen(flag), flag_encode_1, &v12) == 0;
    if (ok)
        ok = (unsigned int)encode_two(flag_encode_1, (int)strlen(flag_encode_1), flag_encode_2, &v12) == 0;
    if (ok)
        ok = (unsigned int)encode_three(flag_encode_2, (int)strlen(flag_encode_2), flag_encode_3, &v12) == 0;
    if (ok)
        ok = strcmp(flag_encode_3, Str2) == 0;

    if (ok)
        puts("you are right!");
    else
        printf("Something wrong. Keep going.");   /* no trailing newline in the binary */
    return 0;
}
三个加密函数从后往前分析
第三个加密函数对第二次加密得到的字符串进行了一个移位变化
__int64 __fastcall encode_three(const char *a1, int a2, char *a3, int *a4)
{
    /* Third (last) transform: a Caesar-style shift by +3 applied per byte,
     * wrapping inside each class -- 'A'-'Z', 'a'-'z' and '0'-'9'. Any other
     * byte value (punctuation such as '=', and, when char is signed, anything
     * >= 0x80) is copied through unchanged.
     *
     * a1, a2: input bytes and their count; exactly a2 bytes are read, so a1
     *         needs no terminator. A negative a2 passes the guard and the
     *         loop then writes nothing.
     * a3:     output buffer; exactly a2 bytes are written and no '\0' is
     *         appended, so the caller must size a3 >= a2 and terminate it
     *         itself if it wants a C string (main calls strcmp() on it).
     * a4:     not used by this function.
     * Returns 0 on success, or 0xFFFFFFFF (as a 64-bit value, not -1) when
     * a1 is NULL or a2 is 0; main truncates that to unsigned int, so any
     * non-zero value is treated as failure.
     */
    if (!a1 || a2 == 0)
        return 0xFFFFFFFFLL;

    for (int idx = 0; idx < a2; ++idx) {
        char c = a1[idx];
        char shifted;
        if (c >= 'A' && c <= 'Z')
            shifted = (char)((c - 'A' + 3) % 26 + 'A');
        else if (c >= 'a' && c <= 'z')
            shifted = (char)((c - 'a' + 3) % 26 + 'a');
        else if (c >= '0' && c <= '9')
            shifted = (char)((c - '0' + 3) % 10 + '0');
        else
            shifted = c;   /* not alphanumeric: pass through */
        a3[idx] = shifted;
    }
    return 0LL;
}
写个爆破脚本,得到第二次加密的字符串
for i in range(len(Str2)):
for j in range(33,127,1):
k = 0
if(j <= 64) or (j > 90):
if( j <= 96 ) or (j > 122):
if(j <= 47 ) or (j > 57):
k = j
else:
k = (j - 48 + 3) % 10 + 48
else:
k = (j