xctf之ReverseMe-120
题目传送门:这里
主要:base64
wp:
下载,看到是exe文件,去查壳,发现无壳,是Vc++编写的,用IDA查看了一下代码。
发现要到达"correct"就得通过v9,v9是通过字符串"you_know_how_to_remove_junk_code"比较得到,寻找v13,发现for循环中:*(&v13 + v4) ^= 0x25u,与0x25u经过了多次的异或操作,猜测应该是对一串字符串逐字符进行异或。再向上看:
看到一个关键函数:sub_401000,好像对v13进行了一些操作,而且与我们输入的字符有关。进入:
/*
 * sub_401000 -- two-pass base64 decoder (IDA decompiler output).
 *
 * Calling convention is IDA's __usercall: a1 arrives in EDX, a2 in ECX,
 * a3/a4 on the stack, result in EAX.
 *
 *   a1  in: capacity of the output buffer a2; out: bytes written on success,
 *           or the required size when the buffer is too small / a2 is NULL.
 *   a2  output buffer; NULL turns the call into a size query.
 *   a3  encoded input bytes.
 *   a4  length of a3 in bytes.
 *
 * Returns 0 on success (also for empty / whitespace-only input),
 *   4294967252 (0xFFFFFFD4, i.e. -44 as a signed 32-bit value) on an
 *   invalid character, and
 *   4294967254 (0xFFFFFFD6, i.e. -42) when the output buffer is too small.
 *
 * Pass 1 validates every byte and counts the encoded characters, so that
 * the output length (v13) is known and checked against *a1 BEFORE pass 2
 * writes anything into a2 -- that size check is the only thing bounding
 * the writes through v12.
 *
 * NOTE(review): the structure and the two error codes look like
 * mbedtls_base64_decode, with byte_414E40 playing the role of its decode
 * table (64 = '=' padding, 127 = invalid) -- confirm against the binary.
 */
signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *a3, unsigned int a4)
{
    int v4; // ebx   -- number of '=' padding characters seen in pass 1
    unsigned int v5; // eax   -- read index into a3 (pass 1), then bytes consumed (pass 2)
    int v6; // ecx   -- copy of the valid-character count at loop exit
    unsigned __int8 *v7; // edi   -- read cursor into a3 during pass 2
    int v8; // edx   -- spaces skipped before the current character
    bool v9; // zf   -- emulated zero flag: "v5 == a4" (end of input)
    unsigned __int8 v10; // cl   -- current input byte (pass 1)
    char v11; // cl   -- decode-table value of v10
    _BYTE *v12; // esi   -- write cursor into the output buffer
    unsigned int v13; // ecx   -- computed decoded length
    int v14; // ebx   -- 24-bit accumulator of four 6-bit groups
    unsigned __int8 v15; // cl   -- current input byte (pass 2)
    char v16; // dl   -- decode-table value of v15
    _BYTE *v18; // [esp+Ch] [ebp-Ch]   -- saved a2
    unsigned int *v19; // [esp+10h] [ebp-8h]   -- saved a1
    int v20; // [esp+14h] [ebp-4h]   -- running count of valid characters
    unsigned int v21; // [esp+14h] [ebp-4h]   -- bytes to emit per 4-char group (3 minus padding)
    int i; // [esp+24h] [ebp+Ch]   -- characters accumulated in v14 so far
    v4 = 0;
    v18 = a2;
    v5 = 0;
    v6 = 0;
    v19 = a1;
    v20 = 0;
    /* Empty input decodes to nothing. */
    if ( !a4 )
        return 0;
    v7 = a3;
    /* ---- pass 1: validate and count ---- */
    do
    {
        v8 = 0;
        v9 = v5 == a4;
        if ( v5 < a4 )
        {
            /* Skip a run of spaces, remembering how many were skipped. */
            do
            {
                if ( a3[v5] != 32 )
                    break;
                ++v5;
                ++v8;
            }
            while ( v5 < a4 );
            v9 = v5 == a4;
        }
        if ( v9 )
            break;
        /* CR LF or bare LF is a line break: counts nothing, resets nothing.
           Note v10 is only assigned when the CR-LF test fails (short-circuit). */
        if ( a4 - v5 >= 2 && a3[v5] == 13 && a3[v5 + 1] == 10 || (v10 = a3[v5], v10 == 10) )
        {
            v6 = v20;
        }
        else
        {
            /* Spaces are only allowed before a line break, not inside the data. */
            if ( v8 )
                return 4294967252;
            /* '=' (61): at most two padding characters. */
            if ( v10 == 61 && (unsigned int)++v4 > 2 )
                return 4294967252;
            /* Non-ASCII byte: not in the table. */
            if ( v10 > 0x7Fu )
                return 4294967252;
            v11 = byte_414E40[v10];
            /* 127 marks an invalid character; a data character (< 64)
               after padding has started is also rejected. */
            if ( v11 == 127 || (unsigned __int8)v11 < 0x40u && v4 )
                return 4294967252;
            v6 = v20++ + 1;
        }
        ++v5;
    }
    while ( v5 < a4 );
    /* Only whitespace / line breaks seen: nothing to decode. */
    if ( !v6 )
        return 0;
    v12 = v18;
    /* Decoded size: ceil(6 * chars / 8) minus one byte per '=' padding. */
    v13 = ((unsigned int)(6 * v6 + 7) >> 3) - v4;
    if ( v18 && *v19 >= v13 )
    {
        /* ---- pass 2: decode the v5 bytes consumed above ---- */
        v21 = 3;
        v14 = 0;
        for ( i = 0; v5; --v5 )
        {
            v15 = *v7;
            /* Whitespace was already accepted by pass 1; just skip it. */
            if ( *v7 != 13 && v15 != 10 && v15 != 32 )
            {
                v16 = byte_414E40[v15];
                /* Each padding character (table value 64) drops one output byte. */
                v21 -= v16 == 64;
                v14 = v16 & 0x3F | (v14 << 6);
                if ( ++i == 4 )
                {
                    i = 0;
                    /* BYTE2/BYTE1 are IDA macros selecting bytes 2 and 1 of v14,
                       i.e. bits 16..23 and 8..15; the third store takes bits 0..7. */
                    if ( v21 )
                        *v12++ = BYTE2(v14);
                    if ( v21 > 1 )
                        *v12++ = BYTE1(v14);
                    if ( v21 > 2 )
                        *v12++ = v14;
                }
            }
            ++v7;
        }
        /* Report the number of bytes actually written. */
        *v19 = v12 - v18;
        return 0;
    }
    /* Buffer absent or too small: report the required size instead. */
    *v19 = v13;
    return 4294967254;
}
看到的是一大串奇奇怪怪的代码(???),完全看不懂。去找了一下dalao们的wp,说查看到byte_414E40这个数组:
显然这是base64((╯‵□′)╯︵┻━┻完全不知道)。知道这个是base64以后,代码:
import base64
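TARGET = 'you_know_how_to_remove_junk_code'
XOR_KEY = 0x25


def solve(target: str, key: int = XOR_KEY) -> str:
    """Build the flag that the binary accepts for ``target``.

    The binary base64-decodes the user input and XORs every byte with
    ``key`` before comparing against ``target``, so the accepted input is
    the base64 encoding of ``target`` XORed with ``key``.

    Args:
        target: the plaintext the binary compares against.
        key: the single-byte XOR key applied to every character.

    Returns:
        The base64 text as a ``str`` (an empty ``target`` gives ``''``).
    """
    plain = ''.join(chr(ord(ch) ^ key) for ch in target)
    # b64encode returns bytes on Python 3; decode so it can be joined to str.
    return base64.b64encode(plain.encode('utf-8')).decode('ascii')


s = TARGET
flag = solve(s)
# Fix: the original concatenated str with the bytes returned by b64encode,
# which raises TypeError on Python 3.
print('flag=' + flag)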
得到flag:XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=
ps:还得多看看base64,最好是自己写一下代码,并反汇编一下。