526互联

BUUCTF Reverse/[NPUCTF2020]你好sao啊

发布时间 2023-09-22 18:26:22作者: 这就是强者的世界么

里面就一个加密函数,分析后发现这是一段变表的base解密,将四个字符替换成三个字符

点击查看代码 
void *__fastcall RxEncode(const char *a1, int a2)
{
  int v3; // [rsp+18h] [rbp-38h]
  int v4; // [rsp+1Ch] [rbp-34h]
  int v5; // [rsp+20h] [rbp-30h]
  int v6; // [rsp+24h] [rbp-2Ch]
  int v7; // [rsp+28h] [rbp-28h]
  int v8; // [rsp+28h] [rbp-28h]
  int i; // [rsp+2Ch] [rbp-24h]
  _BYTE *v10; // [rsp+30h] [rbp-20h]
  void *s; // [rsp+38h] [rbp-18h]

  v3 = 3 * (a2 / 4);
  v4 = 0;
  v5 = 0;
  if ( a1[a2 - 1] == 61 )
    v4 = 1;
  if ( a1[a2 - 2] == 61 )
    ++v4;
  if ( a1[a2 - 3] == 61 )
    ++v4;
  if ( v4 == 3 )
  {
    v3 += 2;
  }
  else if ( v4 <= 3 )
  {
    if ( v4 == 2 )
    {
      v3 += 3;
    }
    else if ( v4 )
    {
      if ( v4 == 1 )
        v3 += 4;
    }
    else
    {
      v3 += 4;
    }
  }
  s = malloc(v3);
  if ( s )
  {
    memset(s, 0, v3);
    v10 = s;
    while ( v5 < a2 - v4 )
    {
      v6 = 0;
      v7 = 0;
      while ( v6 <= 3 && v5 < a2 - v4 )
      {
        v7 = (v7 << 6) | (char)find_pos(a1[v5]);
        ++v6;
        ++v5;
      }
      v8 = v7 << (6 * (4 - v6));
      for ( i = 0; i <= 2 && i != v6; ++i )
        *v10++ = v8 >> (8 * (2 - i));
    }
    *v10 = 0;
    return s;
  }
  else
  {
    puts("No enough memory.");
    return 0LL;
  }
}

base表: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/="

写个爆破脚本来爆破

s = [  0x9E, 0x9B, 0x9C, 0xB5, 0xFE, 0x70, 0xD3, 0x0F, 0xB2, 0xD1, 
  0x4F, 0x9C, 0x02, 0x7F, 0xAB, 0xDE, 0x59, 0x65, 0x63, 0xE7, 
  0x40, 0x9D, 0xCD, 0xFA]
flag = []

base = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/='
v5 = 0

for i in range(0,24,3):
    v7 = 0
    for j1 in range(len(base)):
        tmp = 0
        v8 = (v7 << 6) | j1
        for j2 in range(len(base)):
            v9 = (v8 << 6) | j2
            for j3 in range(len(base)):
                v10 = (v9 << 6) | j3
                for j4 in range(len(base)):
                    v11 = (v10 << 6) | j4
                    #print(v10)
                    if (s[i] == (v11 >> 16) % 256 ) and (s[i + 1] == (v11 >> 8) % 256 ) and (s[i + 2] == v11 % 256):
                        flag.append(j1)
                        flag.append(j2)
                        flag.append(j3)
                        flag.append(j4)
               
                        print(i,"{}{}{}{}".format(base[j1],base[j2],base[j3],base[j4]))
                       
print(flag)
print(len(flag))

由于这个爆破的结果有几个都满足条件所以我都输出出来了,爆破结果:

0 npuc
3 tf{w
6 0w+y
9 0U+c
12 An+r
12 =n+r
15 3lll
18 Y+c=
18 Y+dA
18 Y+d=
21 nc3}
[39, 41, 46, 28, 45, 31, 57, 48, 52, 48, 62, 50, 52, 20, 62, 28, 0, 39, 62, 43, 64, 39, 62, 43, 55, 37, 37, 37, 24, 62, 28, 64, 24, 62, 29, 0, 24, 62, 29, 64, 39, 28, 55, 58]
44

尝试拼了下前面几段,猜测中间应该是没有等于号(‘=’)的,肯定是拿加号(‘+’)拼接

最终flag:npuctf{w0w+y0U+cAn+r3lllY+dAnc3}