首页
论坛
专栏
课程

[原创]2019 Q2 第六题 消失的岛屿 分析

2019-6-23 19:20 1335

[原创]2019 Q2 第六题 消失的岛屿 分析

2019-6-23 19:20
1335

0x1 程序分析

main函数:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  uint8_t bindata; // [esp+11h] [ebp-3Fh]
  const char *v6; // [esp+48h] [ebp-8h]
  char *v7; // [esp+4Ch] [ebp-4h]

  __main();
  printf("please enter Serial:");
  scanf(" %s", &bindata);
  if ( strlen((const char *)&bindata) > 0x31 )
    puts("error");
  v7 = (char *)calloc(1u, 0x400u);
  v3 = strlen((const char *)&bindata);
  base64_encode(&bindata, v7, v3);
  v6 = "!NGV%,$h1f4S3%2P(hkQ94==";
  if ( !strcmp("!NGV%,$h1f4S3%2P(hkQ94==", v7) )
    puts("Success");
  else
    puts("Please Try Again");
  free(v7);
  system("pause");
  return 0;
}

看起来像是改过的base64:
改过的编码表:

tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/

字符变形:

char __cdecl charEncrypt(int data)
{
  int dataa; // [esp+18h] [ebp+8h]

  dataa = aTuvwxtulmnopqr[data];
  if ( dataa > 64 && dataa <= 90 )
    return -101 - dataa;
  if ( dataa > 96 && dataa <= 122 )
    return dataa - 64;
  if ( dataa > 47 && dataa <= 57 )
    return dataa + 50;
  if ( dataa == 43 )
    return 119;
  if ( dataa == 47 )
    dataa = 121;
  return dataa;
}

0x2 解决

"""
base64实现
"""

import base64
import string

# base 字符集

base64_charset = 'tuvwxTUlmnopqrs7YZabcdefghij8yz0123456VWXkABCDEFGHIJKLMNOPQRS9+/'


def encode(origin_bytes):
    """
    将bytes类型编码为base64
    :param origin_bytes:需要编码的bytes
    :return:base64字符串
    """

    # 将每一位bytes转换为二进制字符串
    base64_bytes = ['{:0>8}'.format(str(bin(b)).replace('0b', '')) for b in origin_bytes]

    resp = ''
    nums = len(base64_bytes) // 3
    remain = len(base64_bytes) % 3

    integral_part = base64_bytes[0:3 * nums]
    while integral_part:
        # 取三个字节,以每6比特,转换为4个整数
        tmp_unit = ''.join(integral_part[0:3])
        tmp_unit = [int(tmp_unit[x: x + 6], 2) for x in [0, 6, 12, 18]]
        # 取对应base64字符
        resp += ''.join([base64_charset[i] for i in tmp_unit])
        integral_part = integral_part[3:]

    if remain:
        # 补齐三个字节,每个字节补充 0000 0000
        remain_part = ''.join(base64_bytes[3 * nums:]) + (3 - remain) * '0' * 8
        # 取三个字节,以每6比特,转换为4个整数
        # 剩余1字节可构造2个base64字符,补充==;剩余2字节可构造3个base64字符,补充=
        tmp_unit = [int(remain_part[x: x + 6], 2) for x in [0, 6, 12, 18]][:remain + 1]
        resp += ''.join([base64_charset[i] for i in tmp_unit]) + (3 - remain) * '='

    return resp


def decode(base64_str):
    # 对每一个base64字符取下标索引,并转换为6为二进制字符串
    base64_bytes = ['{:0>6}'.format(str(bin(base64_charset.index(s))).replace('0b', '')) for s in base64_str if
                    s != '=']
    resp = bytearray()
    nums = len(base64_bytes) // 4
    remain = len(base64_bytes) % 4
    integral_part = base64_bytes[0:4 * nums]

    while integral_part:
        # 取4个6位base64字符,作为3个字节
        tmp_unit = ''.join(integral_part[0:4])
        tmp_unit = [int(tmp_unit[x: x + 8], 2) for x in [0, 8, 16]]
        for i in tmp_unit:
            resp.append(i)
        integral_part = integral_part[4:]

    if remain:
        remain_part = ''.join(base64_bytes[nums * 4:])
        tmp_unit = [int(remain_part[i * 8:(i + 1) * 8], 2) for i in range(remain - 1)]
        for i in tmp_unit:
            resp.append(i)

    return resp


def valid_base64_str(b_str):
    """
    验证是否为合法base64字符串
    :param b_str: 待验证的base64字符串
    :return:是否合法
    """
    if len(b_str) % 4:
        return False

    for m in b_str:
        if m not in base64_charset:
            return False
    return True


target = '!NGV%,$h1f4S3%2P(hkQ94=='
target2 = ''

if __name__ == '__main__':
    for c in target:
        if ord(c)>=65 and ord(c)<=91:
            ch = chr(155-ord(c))
        elif ord(c)>=32 and ord(c)<=58:
            ch = chr(64+ord(c))
        elif ord(c)>=97 and ord(c)<=107:
            ch = chr(ord(c)-50)
        elif ord(c)==119:
            ch = ord(43)
        elif ord(c)==121:
            ch = ord(47)
        else:
            ch = c
        target2 += ch
    print(target2)
    print(decode(target2))

运行得key:KanXue2019ctf_st



[公告][征集寄语] 看雪20周年年会 | 感恩有你,一路同行

最新回复 (1)
htg 2 2019-6-25 06:34
2
0
收藏了
游客
登录 | 注册 方可回帖
返回