ISCC2022-Bob’s Code
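Packer check: 32-bit, not packed.
Load the binary into IDA for static analysis.
sub_4116C7, sub_411389, sub_411023, sub_4116E0
These functions look suspicious.
sub_4116C7:
Base64-encodes its input and checks whether a4 is 0 to decide whether the padding character appended after encoding is '.' or '='.
sub_411389:
A Base64 variant; the algorithm inside the for loop transforms the Base64 alphabet.
sub_411023:
This function is called twice, with different arguments each time.
Its main job is to insert a character a3 at position a2 and shift every character after it back by one.
sub_4116E0:
Rotates upper- and lower-case letters forward by 2.
From this analysis we can write the script: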
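#include <cstring>
#include <iostream>
using namespace std;

int main()
{
    // Rotate upper- and lower-case letters back by 2 (inverse of sub_4116E0)
    char str[] = ".W1BqthGbfhJWdG5BBGW1u.iXVojNqXbGyX1tEu1p5oZpqtMRbVYzyV1fkoF0.";
    char str1[63];  // 62 characters plus the terminating NUL
    for (int i = 0; i < 62; i++)
    {
        if (str[i] >= 'A' && str[i] <= 'Z')
        {
            str[i] = (str[i] - 65 - 2 + 26) % 26 + 65;
        }
        else if (str[i] >= 'a' && str[i] <= 'z')
        {
            str[i] = (str[i] - 97 - 2 + 26) % 26 + 97;
        }
    }
    // Undo the two sub_411023 calls, which were made with different arguments
    for (int j = 0; j < 63; j++)    // copy the string including its NUL
    {
        str1[j] = str[j];
    }
    for (int k = 22; k < 62; k++)   // drop the character inserted at index 22
    {
        str1[k] = str[k + 1];
    }
    for (int k = 0; k < 62; k++)    // drop the character inserted at index 0
    {
        str1[k] = str1[k + 1];
    }
    // Convert the Base64 variant back to regular Base64
    char Destination[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    char Source[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    char v12;
    for (int i = 5; i < 19; ++i)    // rebuild the variant alphabet in Destination
    {
        v12 = Destination[i];
        Destination[i] = Source[i + 26];
        Destination[i + 26] = v12;
    }
    for (size_t i = 0; i < strlen(str1); i++)
    {
        // Characters outside the alphabet (the trailing '.') print nothing
        for (size_t j = 0; j < sizeof(Source) - 1; j++)
        {
            if (str1[i] == Destination[j])
                cout << Source[j];
        }
    }
    cout << endl;
    return 0;
}
// Yields U1ZORFEzdFhUbE5ZZEU1SGVTMHlOVzEwV1RCS1N5MXNORkpzTWxwT1dIMD0= (the code does not handle the trailing equals sign; this does not affect solving the challenge)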
Decode the result as Base64 twice with a tool to get the flag:
ISCC{WNSXtNGy-25mtY0JK-l4Rl2ZNX}
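
The whole solve as one Python script, added here as an example and not part of the original write-up: it repeats the steps of the C++ script above, also turns the '.' padding back into '=', and does the two Base64 decodes in code instead of in an external tool. The function names are this example's own; the ciphertext, the removal indices 22 and 0, and the alphabet are taken from the script above.

```python
import base64
import string

# Values copied from the write-up's script; all function names are this example's own.
CIPHERTEXT = ".W1BqthGbfhJWdG5BBGW1u.iXVojNqXbGyX1tEu1p5oZpqtMRbVYzyV1fkoF0."
SOURCE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"

def variant_alphabet() -> str:
    """Alphabet after the swap loop: indices 5..18 trade places with 31..44."""
    table = list(SOURCE)
    for i in range(5, 19):
        table[i], table[i + 26] = table[i + 26], table[i]
    return "".join(table)

def rotate_letters(text: str, shift: int) -> str:
    """Rotate A-Z and a-z by `shift`, leaving every other character alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)

def remove_inserted(text: str, positions=(22, 0)) -> str:
    """Delete the two inserted characters, higher index first."""
    for pos in positions:
        text = text[:pos] + text[pos + 1:]
    return text

def to_standard_base64(cipher: str) -> str:
    """Undo rotation, insertion and alphabet swap; turn '.' padding into '='."""
    body = remove_inserted(rotate_letters(cipher, -2))
    stripped = body.rstrip(".")
    padding = "=" * (len(body) - len(stripped))
    return stripped.translate(str.maketrans(variant_alphabet(), SOURCE)) + padding

def recover_flag(cipher: str = CIPHERTEXT) -> str:
    outer = to_standard_base64(cipher)
    inner = base64.urlsafe_b64decode(outer)  # SOURCE ends in "-_"
    return base64.b64decode(inner).decode("ascii")

if __name__ == "__main__":
    print(to_standard_base64(CIPHERTEXT))
    print(recover_flag())
```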