Double-clicking the program makes it throw an error and exit straight away. I took a look at the dynamic anti-debugging but didn't get past it, so it's straight to static analysis.
Open it in IDA: there isn't much in main. Searching for the string please Input the flag: leads to the key function sub_411930.
sub_411370 writes into memory; stepping into sub_411BD0 shows it swapping the case of the base64 alphabet string, and a popup reports that the injection succeeded. A Baidu search shows that AddVectoredExceptionHandler is related to exception handling.
Following the handler leads to sub_4120C0, which copies the SM4 key into the data region unk_41C268. Cross-references lead to sub_412040 (select the region, create a function, then decompile), where the SM4 tables are recognizable, which confirms SM4 (I had seen it before in the Anheng April CTF). SetUnhandledExceptionFilter, again per Baidu, is also an exception-handling function; following it into sub_411DB0, the target string is transformed, the base64 alphabet has its first 32 and last 32 characters swapped before the base64 decode, and sub_412450 compares the result against the target characters.
In summary: the input is first encrypted with SM4, then base64-encoded with an alphabet that has been transformed twice (case swapped, then first 32 and last 32 characters swapped), and finally compared against the target string, which itself undergoes one transformation.
from base64 import b64decode

# base64 alphabet substitution
str_base = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
Str_ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
strbase = []
for i in range(64):
    strbase.append(ord(str_base[i]))
print(strbase)
# first transformation: swap upper and lower case, digits and +/ untouched
for i in range(64):
    if strbase[i] <= 122 and strbase[i] >= 97:
        strbase[i] = strbase[i] - 32
    elif strbase[i] <= 90 and strbase[i] >= 65:
        strbase[i] = strbase[i] + 32
strbase0 = ''
strbase0 = ''.join(map(chr, strbase))
print(strbase0)
# second transformation: rotate by 32, i.e. swap the first 32 and last 32 characters
strbase1 = ''
for i in strbase0:
    strbase1 += strbase0[(strbase0.find(i) + 32) % len(strbase0)]
print(strbase1)
# target string transformation
str_target = 'N25IKJBC5IyHav8+ZA3aqm!!'
strtarget = []
for i in range(len(str_target)):
    strtarget.append(ord(str_target[i]))
# undo the swap of each pair of adjacent characters
for i in range(0, len(strtarget), 2):
    v2 = strtarget[i]
    strtarget[i] = strtarget[i + 1]
    strtarget[i + 1] = v2
print(''.join(map(chr, strtarget)))
strtarget0 = ''.join(map(chr, strtarget))
# map every character from the custom alphabet back to the standard one; '!' is the padding character
strtarget1 = ''
for i in range(len(strtarget0)):
    if strtarget0[i] == '!':
        strtarget1 += '='
    else:
        strtarget1 += Str_[strbase1.find(strtarget0[i])]
print(strtarget1)
jieguo = b64decode(strtarget1)  # base64 decode
print(jieguo)
# bytes.hex() gives two digits per byte; the earlier hex(b)[2:] dropped leading zeros
# (0x0c -> 'c'), which is why the dumped ciphertext was shorter than 32 hex digits
jieguo0 = jieguo.hex()
print('加密内容的16进制' + jieguo0)
str_sm4 = b'Thisisinsteresth'
str_sm40 = str_sm4.hex()
print('sm4的秘钥16进制' + str_sm40)
# 加密内容的16进制5870990c4f3b099078d6079ce93817b3
# sm4的秘钥16进制546869736973696e7374657265737468
SM4 decryption:
from pysm4 import decrypt

en = 0x5870990c4f3b099078d6079ce93817b3
key = 0x546869736973696e7374657265737468
de = decrypt(en, key)
print('%032x' % de)  # zero-padded so a leading 0x00 byte is not lost
# 446f796f754b6e6f7756454853454821
Converting the resulting hex to a string gives the flag:
DoyouKnowVEHSEH!
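The whole chain described above (custom base64 alphabet, pairwise swap of the target, base64 decode, SM4 decrypt) as one stand-alone solver. This is an added example, not the author's script: instead of the pysm4 package it carries its own SM4 block cipher written from the public GB/T 32907-2016 specification (S-box, FK and CK constants), so the recovery can be checked offline in Python 3 without extra dependencies. The target string and the key are the ones taken from the binary in the writeup; `TARGET`, `KEY` and all function names are this example's own.

```python
from base64 import b64decode

STD = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
TARGET = 'N25IKJBC5IyHav8+ZA3aqm!!'   # comparison string from the binary (see writeup)
KEY = b'Thisisinsteresth'              # SM4 key from unk_41C268 (see writeup)

# --- SM4 primitives (GB/T 32907-2016) -----------------------------------
SBOX = bytes.fromhex(
    'd690e9fecce13db716b614c228fb2c05' '2b679a762abe04c3aa44132649860699'
    '9c4250f491ef987a33540b43edcfac62' 'e4b31ca9c908e89580df94fa758f3fa6'
    '4707a7fcf37317ba83593c19e6854fa8' '686b81b27164da8bf8eb0f4b70569d35'
    '1e240e5e6358d1a225227c3b01217887' 'd40046579fd327524c3602e7a0c4c89e'
    'eabf8ad240c738b5a3f7f2cef96115a1' 'e0ae5da49b341a55ad933230f58cb1e3'
    '1df6e22e8266ca60c02923ab0d534e6f' 'd5db3745defd8e2f03ff6a726d6c5b51'
    '8d1baf92bbddbc7f11d95c411f105ad8' '0ac13188a5cd7bbd2d74d012b8e5b4b0'
    '8969974a0c96777e65b9f109c56ec684' '18f07dec3adc4d2079ee5f3ed7cb3948')
assert len(SBOX) == 256 and len(set(SBOX)) == 256   # must be a permutation
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# CK[i] is the 4-byte word whose byte j equals (4*i + j) * 7 mod 256
CK = [int.from_bytes(bytes((4 * i + j) * 7 % 256 for j in range(4)), 'big')
      for i in range(32)]
MASK32 = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def tau(x):
    """Byte-wise S-box substitution on a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, 'big')), 'big')


def t_enc(x):
    """Round function T = L(tau(x))."""
    b = tau(x)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)


def t_key(x):
    """Key-schedule function T' = L'(tau(x))."""
    b = tau(x)
    return b ^ rotl(b, 13) ^ rotl(b, 23)


def round_keys(key):
    k = [int.from_bytes(key[4 * i:4 * i + 4], 'big') ^ FK[i] for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]


def sm4_block(block, rk):
    """32 Feistel-like rounds; decryption is the same with rk reversed."""
    x = [int.from_bytes(block[4 * i:4 * i + 4], 'big') for i in range(4)]
    for i in range(32):
        x.append(x[i] ^ t_enc(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return b''.join(w.to_bytes(4, 'big') for w in x[35:31:-1])


def sm4_encrypt_block(block, key):
    return sm4_block(block, round_keys(key))


def sm4_decrypt_block(block, key):
    return sm4_block(block, round_keys(key)[::-1])


def sm4_known_answer_ok():
    """Standard test vector: encrypting the key 0123...3210 under itself."""
    k = bytes.fromhex('0123456789abcdeffedcba9876543210')
    return sm4_encrypt_block(k, k) == bytes.fromhex('681edf34d206965e86b3e94f536e4246')


# --- the challenge's base64 layer ---------------------------------------
def custom_alphabet():
    swapped = STD.swapcase()            # 1st transformation: case swap
    return swapped[32:] + swapped[:32]  # 2nd: swap the two 32-character halves


def recover_ciphertext(target):
    """Undo the pairwise swap, translate to the standard alphabet, decode."""
    chars = list(target)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    alphabet = custom_alphabet()
    std = ''.join('=' if c == '!' else STD[alphabet.index(c)] for c in chars)
    return b64decode(std)


def solve(target=TARGET, key=KEY):
    return sm4_decrypt_block(recover_ciphertext(target), key)


if __name__ == '__main__':
    ct = recover_ciphertext(TARGET)
    print('ciphertext:', ct.hex())
    print('flag      :', solve().decode())
```

`recover_ciphertext` reproduces the 32-digit value `5870990c4f3b099078d6079ce93817b3` directly, and `sm4_known_answer_ok` lets you confirm the hand-written cipher against the specification's test vector before trusting its output on the challenge data.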
Attachment:
https://wwx.lanzoux.com/iyqONjxmckb
Password: 6o3n