无壳直接扔到ida里面观察源码
int __cdecl sub_4017F0(int a1)
{
int result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h] BYREF
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0;
while ( *(a1 + 4 * v4) < 62 && *(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(a1 + 4 * v4)];
++v4;
}
Str1[v4] = 0;
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
result = sub_401770();
else
result = sub_4017B0();
return result;
}
双击aAbcdefghiabcde看到储存的字符串
rdata:00403580 aAbcdefghiabcde db 'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ',0
这里最重要的是while这个循环函数,这里的a1是后面的加密函数返回得到的一个数组,所以循环*(a1+4*v4)是指针,a1记录的是数组第一个元素的位置,因为a1是int类型,所以4v4的意思是在数组里每次向后面去一个元素,所以这个循环的意思就是在aAbcdefghiabcde储存的字符串里找到a1储存的数组里对应数字位置的元素,这里就可以写脚本算出对应的数组
s1='KanXueCTF2019JustForhappy'
s2='abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ'
flag1=[]
flag2=[]
a=0
for i in range(len(s1)):
for j in range(len(s2)):
if s1[i]==s2[j]:
flag1.append(j)
print(flag1)
#flag1=[19, 0, 27, 59, 44, 4, 11, 55, 14, 30, 28, 29, 37, 18, 44, 42, 43, 14, 38, 41, 7, 0, 39, 39, 48]
int __thiscall sub_401890(CWnd *this)
{
CWnd *v1; // eax
int v2; // eax
struct CString *v4; // [esp-4h] [ebp-C4h]
int v5[26]; // [esp+4Ch] [ebp-74h] BYREF
int i; // [esp+B4h] [ebp-Ch]
char *Str; // [esp+B8h] [ebp-8h]
CWnd *v8; // [esp+BCh] [ebp-4h]
v8 = this;
v4 = (this + 100);
v1 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v1, v4);
v2 = sub_401A30(v8 + 25);
Str = CString::GetBuffer((v8 + 100), v2);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v8, &byte_4035DC, 0, 0);
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > 57 || Str[i] < 48 )
{
if ( Str[i] > 122 || Str[i] < 97 )
{
if ( Str[i] > 90 || Str[i] < 65 )
sub_4017B0();
else
v5[i] = Str[i] - 29;
}
else
{
v5[i] = Str[i] - 87;
}
}
else
{
v5[i] = Str[i] - 48;
}
}
return sub_4017F0(v5);#把修改后的数组结果作为参数赋给后面密文对照函数
}逆向写代码写脚本得到处理前的字符串
这里是用来加密输入元素的函数,我们之前算出了加密后的正确数组,所以可以写代码计算出我们所需正确的字符串
flag1=[19, 0, 27, 59, 44, 4, 11, 55, 14, 30, 28, 29, 37, 18, 44, 42, 43, 14, 38, 41, 7, 0, 39, 39, 48]
flag2=''
v5=0
for a in flag1:
if a>=0 and a<=9:
v5=a+48
elif a>=10 and a<=35:
v5=a+87
elif a>=36 and a<61:
v5=a+29
flag2+=chr(v5)
print(flag2)
#j0rXI4bTeustBiIGHeCF70DDM