[FlareOn3]Challenge1
Start
直接F5:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Buffer; // [esp+0h] [ebp-94h]
char *v5; // [esp+80h] [ebp-14h]
char *v6; // [esp+84h] [ebp-10h]
HANDLE v7; // [esp+88h] [ebp-Ch]
HANDLE hFile; // [esp+8Ch] [ebp-8h]
DWORD NumberOfBytesWritten; // [esp+90h] [ebp-4h]
hFile = GetStdHandle(0xFFFFFFF5);
v7 = GetStdHandle(0xFFFFFFF6);
v6 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q";
WriteFile(hFile, "Enter password:\r\n", 0x12u, &NumberOfBytesWritten, 0);
ReadFile(v7, &Buffer, 0x80u, &NumberOfBytesWritten, 0);
v5 = (char *)sub_401260(&Buffer, NumberOfBytesWritten - 2);
if ( !strcmp(v5, v6) )
WriteFile(hFile, "Correct!\r\n", 0xBu, &NumberOfBytesWritten, 0);
else
WriteFile(hFile, "Wrong password\r\n", 0x11u, &NumberOfBytesWritten, 0);
return 0;
}
流程清晰明了,flag
放在Buffer
中,调用sub_401260
函数对flag
进行加密,最后与v6
对比。
sub_401260:
_BYTE *__cdecl sub_401260(int a1, unsigned int a2)
{
unsigned int v3; // ST24_4
int v4; // ST2C_4
int v5; // [esp+Ch] [ebp-24h]
int v6; // [esp+10h] [ebp-20h]
int v7; // [esp+14h] [ebp-1Ch]
int i; // [esp+1Ch] [ebp-14h]
_BYTE *v9; // [esp+24h] [ebp-Ch]
int v10; // [esp+28h] [ebp-8h]
unsigned int v11; // [esp+2Ch] [ebp-4h]
v9 = malloc(4 * ((a2 + 2) / 3) + 1);
if ( !v9 )
return 0;
v11 = 0;
v10 = 0;
while ( v11 < a2 )
{
if ( v11 >= a2 )
v7 = 0;
else
v7 = *(unsigned __int8 *)(v11++ + a1);
if ( v11 >= a2 )
v6 = 0;
else
v6 = *(unsigned __int8 *)(v11++ + a1);
if ( v11 >= a2 )
v5 = 0;
else
v5 = *(unsigned __int8 *)(v11++ + a1);
v3 = v5 + (v7 << 16) + (v6 << 8);
v9[v10] = byte_413000[(v3 >> 18) & 0x3F];
v4 = v10 + 1;
v9[v4++] = byte_413000[(v3 >> 12) & 0x3F];
v9[v4++] = byte_413000[(v3 >> 6) & 0x3F];
v9[v4] = byte_413000[v5 & 0x3F];
v10 = v4 + 1;
}
for ( i = 0; i < dword_413040[a2 % 3]; ++i )
v9[4 * ((a2 + 2) / 3) - i - 1] = 61;
v9[4 * ((a2 + 2) / 3)] = 0;
return v9;
}
return v9
说明加密后的结果为v9
,看到while
循环中的v9
时通过byte_413000
得到.
byte_413000
:
这串熟悉的字符串,然后看到for循环:
for ( i = 0; i < dword_413040[a2 % 3]; ++i )
v9[4 * ((a2 + 2) / 3) - i - 1] = 61;
如果不能被三整除,就在末尾添加61
-> =
再结合最终的结果v6
-> x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
这不就是base64编码嘛。
直接用现成的脚本:
base编码脚本可以自定义码表
这里按照IDA中的顺序修改一下码表,然后解密即可拿到flag:
2021年1月14日更新:
利用maketrans和translate:
import base64
enc = 'x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q'
intab = 'ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/'
outtab = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
transtab = str.maketrans(intab,outtab)
enc = enc.translate(transtab)
print(base64.b64decode(enc).decode())