ida进入主函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // edx
unsigned int v4; // ecx
__m128i v5; // xmm1
unsigned int v6; // esi
const __m128i *v7; // eax
__m128i v8; // xmm0
int v9; // eax
char v11; // [esp+0h] [ebp-CCh] BYREF
char v12[99]; // [esp+1h] [ebp-CBh] BYREF
char v13; // [esp+64h] [ebp-68h] BYREF
char v14[99]; // [esp+65h] [ebp-67h] BYREF
unsigned int v15; // [esp+C8h] [ebp-4h]
printf("please input your flah:");
v11 = 0;
memset(v12, 0, sizeof(v12));
scanf("%s", &v11);
v13 = 0;
memset(v14, 0, sizeof(v14));
sub_401000(&v11, strlen(&v11));
v3 = v15;
v4 = 0;
if ( v15 )
{
if ( v15 >= 0x10 )
{
v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);
v6 = v15 - (v15 & 0xF);
v7 = (const __m128i *)&v13;
do
{
v8 = _mm_loadu_si128(v7);
v4 += 16;
++v7;
v7[-1] = _mm_xor_si128(v8, v5);
}
while ( v4 < v6 );
}
for ( ; v4 < v3; ++v4 )
*(&v13 + v4) ^= 0x25u;
}
v9 = strcmp(&v13, "you_know_how_to_remove_junk_code");
if ( v9 )
v9 = v9 < 0 ? -1 : 1;
if ( v9 )
printf("wrong\n");
else
printf("correct\n");
system("pause");
return 0;
}
这函数可看出是base64加密
int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *a3, unsigned int a4)
{
int v4; // ebx
unsigned int v5; // eax
int v6; // ecx
unsigned __int8 *v7; // edi
int v8; // edx
bool v9; // zf
unsigned __int8 v10; // cl
char v11; // cl
_BYTE *v12; // esi
unsigned int v13; // ecx
int v14; // ebx
unsigned __int8 v15; // cl
char v16; // dl
int v20; // [esp+14h] [ebp-4h]
unsigned int v21; // [esp+14h] [ebp-4h]
int i; // [esp+24h] [ebp+Ch]
v4 = 0;
v5 = 0;
v6 = 0;
v20 = 0;
if ( !a4 )
return 0;
v7 = a3;
do
{
v8 = 0;
v9 = v5 == a4;
if ( v5 < a4 )
{
do
{
if ( a3[v5] != 32 )
break;
++v5;
++v8;
}
while ( v5 < a4 );
v9 = v5 == a4;
}
if ( v9 )
break;
if ( a4 - v5 >= 2 && a3[v5] == 13 && a3[v5 + 1] == 10 || (v10 = a3[v5], v10 == 10) )
{
v6 = v20;
}
else
{
if ( v8 )
return -44;
if ( v10 == 61 && (unsigned int)++v4 > 2 )
return -44;
if ( v10 > 0x7Fu )
return -44;
v11 = byte_414E40[v10];
if ( v11 == 127 || (unsigned __int8)v11 < 0x40u && v4 )
return -44;
v6 = ++v20;
}
++v5;
}
while ( v5 < a4 );
if ( !v6 )
return 0;
v12 = a2;
v13 = ((unsigned int)(6 * v6 + 7) >> 3) - v4;
if ( a2 && *a1 >= v13 )
{
v21 = 3;
v14 = 0;
for ( i = 0; v5; --v5 )
{
v15 = *v7;
if ( *v7 != 13 && v15 != 10 && v15 != 32 )
{
v16 = byte_414E40[v15];
v21 -= v16 == 64;
v14 = v16 & 0x3F | (v14 << 6);
if ( ++i == 4 ) //每四位进行一次处理,每个字节查一表获得对应字节,每四个字节变成三个字节输出
{
i = 0;
if ( v21 )
*v12++ = BYTE2(v14);
if ( v21 > 1 )
*v12++ = BYTE1(v14);
if ( v21 > 2 )
*v12++ = v14;
}
}
++v7;
}
*a1 = v12 - a2;
return 0;
}
*a1 = v13;
return -42;
}
这里本来不熟悉,一查得知是base64解密。不得不拍拍脑袋。结合main函数里最后的处理,将you_know_how_to_remove_junk_code与0x25进行异或之后,再进行base64加密即可得到flag。
这里关键是想要个人总结一下对base64特征的识别。
总结
base64正向加密,每三个字节处理变成四个字节,生成一个长字节,再从这个长字节中查四次表生成对应的四个字符。反过来就是先将4个字符进行查表转化成四个字节,然后再四变三。具体的细节就不讨论了,特征应该是如此。对于base系列加密解密,查表与字节变换是核心,非常简单,以后应该留心不能再识别不出来了。
python脚本
import base64
s = 'you_know_how_to_remove_junk_code'
tmp = ''
for i in range(len(s)):
tmp += chr(ord(s[i]) ^ 0x25)
print(tmp)
print(base64.b64encode(tmp.encode('utf-8')))
\JPzNKJRzMJRzQJzW@HJS@zOPKNzFJA@
b'XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA='