32位无壳
运行就是一个输入框(
有点奇的字符串
盲猜base和他的新密码表
main函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Buffer; // [esp+0h] [ebp-94h]
char *v5; // [esp+80h] [ebp-14h]
char *v6; // [esp+84h] [ebp-10h]
HANDLE v7; // [esp+88h] [ebp-Ch]
HANDLE hFile; // [esp+8Ch] [ebp-8h]
DWORD NumberOfBytesWritten; // [esp+90h] [ebp-4h]
hFile = GetStdHandle(0xFFFFFFF5);
v7 = GetStdHandle(0xFFFFFFF6);
v6 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q";
WriteFile(hFile, "Enter password:\r\n", 0x12u, &NumberOfBytesWritten, 0);
ReadFile(v7, &Buffer, 0x80u, &NumberOfBytesWritten, 0);
v5 = sub_401260((int)&Buffer, NumberOfBytesWritten - 2);
if ( !strcmp(v5, v6) )
WriteFile(hFile, "Correct!\r\n", 0xBu, &NumberOfBytesWritten, 0);
else
WriteFile(hFile, "Wrong password\r\n", 0x11u, &NumberOfBytesWritten, 0);
return 0;
}
跟进sub_401260()
_BYTE *__cdecl sub_401260(int a1, unsigned int a2)
{
unsigned int v3; // ST24_4
int v4; // ST2C_4
int v5; // [esp+Ch] [ebp-24h]
int v6; // [esp+10h] [ebp-20h]
int v7; // [esp+14h] [ebp-1Ch]
int i; // [esp+1Ch] [ebp-14h]
_BYTE *v9; // [esp+24h] [ebp-Ch]
int v10; // [esp+28h] [ebp-8h]
unsigned int v11; // [esp+2Ch] [ebp-4h]
v9 = malloc(4 * ((a2 + 2) / 3) + 1);
if ( !v9 )
return 0;
v11 = 0;
v10 = 0;
while ( v11 < a2 )
{
if ( v11 >= a2 )
v7 = 0;
else
v7 = *(unsigned __int8 *)(v11++ + a1);
if ( v11 >= a2 )
v6 = 0;
else
v6 = *(unsigned __int8 *)(v11++ + a1);
if ( v11 >= a2 )
v5 = 0;
else
v5 = *(unsigned __int8 *)(v11++ + a1);
v3 = v5 + (v7 << 16) + (v6 << 8);
v9[v10] = byte_413000[(v3 >> 18) & 0x3F];
v4 = v10 + 1;
v9[v4++] = byte_413000[(v3 >> 12) & 0x3F];
v9[v4++] = byte_413000[(v3 >> 6) & 0x3F];
v9[v4] = byte_413000[v5 & 0x3F];
v10 = v4 + 1;
}
for ( i = 0; i < dword_413040[a2 % 3]; ++i )
v9[4 * ((a2 + 2) / 3) - i - 1] = 61;
v9[4 * ((a2 + 2) / 3)] = 0;
return v9;
}
byte_413000就是上面截的密码表
上老伙计
import base64
import string
str1 = 'x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q'
string1 = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"
#更改后的密码表
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
print(base64.b64decode(str1.translate(str.maketrans(string1,string2))))
flag{sh00ting_phish_in_a_barrel@flare-on.com}