首页
论坛
专栏
课程

[原创] 看雪CTF2019Q2第六题消失的岛屿解题过程

2019-6-17 18:53 358

[原创] 看雪CTF2019Q2第六题消失的岛屿解题过程

2019-6-17 18:53
358

运行一下这个程序,发现就是要求输入序列号。

在IDA中分析一下可以发现是用的变形base64算法,base64表被换过了,并且从base64表中取元素也是另一套方法。


直接改的网上找到一个base64的源代码(https://www.twblogs.net/a/5cd3ff75bd9eee67a77f284d),改过的代码如下。

#include <stdio.h>
#include <string.h>

char charDecrypt(int data)
{
    if (0x9b - data > 0x40 && 0x9b - data <= 0x5A)
    {
        if (0x9b - data == 0x41)
            return 42;
        if (0x9b - data == 0x42)
            return 43;
        if (0x9b - data == 0x43)
            return 44;
        if (0x9b - data == 0x44)
            return 45;
        if (0x9b - data == 0x45)
            return 46;
        if (0x9b - data == 0x46)
            return 47;
        if (0x9b - data == 0x47)
            return 48;
        if (0x9b - data == 0x48)
            return 49;
        if (0x9b - data == 0x49)
            return 50;
        if (0x9b - data == 0x4A)
            return 51;
        if (0x9b - data == 0x4B)
            return 52;
        if (0x9b - data == 0x4C)
            return 53;
        if (0x9b - data == 0x4D)
            return 54;
        if (0x9b - data == 0x4E)
            return 55;
        if (0x9b - data == 0x4F)
            return 56;
        if (0x9b - data == 0x50)
            return 57;
        if (0x9b - data == 0x51)
            return 58;
        if (0x9b - data == 0x52)
            return 59;
        if (0x9b - data == 0x53)
            return 60;
        if (0x9b - data == 0x54)
            return 5;
        if (0x9b - data == 0x55)
            return 6;
        if (0x9b - data == 0x56)
            return 38;
        if (0x9b - data == 0x57)
            return 39;
        if (0x9b - data == 0x58)
            return 40;
        if (0x9b - data == 0x59)
            return 16;
        if (0x9b - data == 0x5A)
            return 17;
    }
    if (data + 0x40 > 0x60 && data + 0x40 <= 0x7A)
    {
        if (data + 0x40 == 0x61)
            return 18;
        if (data + 0x40 == 0x62)
            return 19;
        if (data + 0x40 == 0x63)
            return 20;
        if (data + 0x40 == 0x64)
            return 21;
        if (data + 0x40 == 0x65)
            return 22;
        if (data + 0x40 == 0x66)
            return 23;
        if (data + 0x40 == 0x67)
            return 24;
        if (data + 0x40 == 0x68)
            return 25;
        if (data + 0x40 == 0x69)
            return 26;
        if (data + 0x40 == 0x6A)
            return 27;
        if (data + 0x40 == 0x6B)
            return 41;
        if (data + 0x40 == 0x6C)
            return 7;
        if (data + 0x40 == 0x6D)
            return 8;
        if (data + 0x40 == 0x6E)
            return 9;
        if (data + 0x40 == 0x6F)
            return 10;
        if (data + 0x40 == 0x70)
            return 11;
        if (data + 0x40 == 0x71)
            return 12;
        if (data + 0x40 == 0x72)
            return 13;
        if (data + 0x40 == 0x73)
            return 14;
        if (data + 0x40 == 0x74)
            return 0;
        if (data + 0x40 == 0x75)
            return 1;
        if (data + 0x40 == 0x76)
            return 2;
        if (data + 0x40 == 0x77)
            return 3;
        if (data + 0x40 == 0x78)
            return 4;
        if (data + 0x40 == 0x79)
            return 29;
        if (data + 0x40 == 0x7A)
            return 30;
    }
    if (data - 0x32 > 0x2f && data - 0x32 <= 0x39)
    {
        if (data - 0x32 == 0x30)
            return 31;
        if (data - 0x32 == 0x31)
            return 32;
        if (data - 0x32 == 0x32)
            return 33;
        if (data - 0x32 == 0x33)
            return 34;
        if (data - 0x32 == 0x34)
            return 35;
        if (data - 0x32 == 0x35)
            return 36;
        if (data - 0x32 == 0x36)
            return 37;
        if (data - 0x32 == 0x37)
            return 15;
        if (data - 0x32 == 0x38)
            return 28;
        if (data - 0x32 == 0x39)
            return 61;
    }
    if (data == 0x77)
        return 62;
    if (data == 0x79)
        return 63;
}

int base64_decode(const char* base64, unsigned char* dedata)
{
    int i = 0, j = 0;
    int trans[4] = { 0, 0, 0, 0 };
    for (; base64[i] != '\0'; i += 4) 
    {
        trans[0] = charDecrypt(base64[i]);
        trans[1] = charDecrypt(base64[i + 1]);
        dedata[j++] = ((trans[0] << 2) & 0xfc) | ((trans[1] >> 4) & 0x03);
        if (base64[i + 2] == '=') 
        {
            continue;
        }
        else 
        {
            trans[2] = charDecrypt(base64[i + 2]);
        }
        dedata[j++] = ((trans[1] << 4) & 0xf0) | ((trans[2] >> 2) & 0x0f);
        if (base64[i + 3] == '=') 
        {
            continue;
        }
        else {
            trans[3] = charDecrypt(base64[i + 3]);
        }
        dedata[j++] = ((trans[2] << 6) & 0xc0) | (trans[3] & 0x3f);
    }
    dedata[j] = '\0';
    return 0;
}

int main()
{
    char base64[128] = "!NGV%,$h1f4S3%2P(hkQ94==";
    char dedata[128];
    base64_decode(base64, (unsigned char*)dedata);
    printf("解码:%s", dedata);
    getchar();
    getchar();
    return 0;
}

运行结果如下。



[公告]安全服务和外包项目请将项目需求发到看雪企服平台:https://qifu.kanxue.com

最后于 2019-6-17 19:23 被houjingyi编辑 ,原因:
最新回复 (0)
游客
登录 | 注册 方可回帖
返回