BUUCTF RE reverse3

BUUCTF RE reverse3

下载链接 reverse3

解题步骤

  1. 拖进EXEInforPE查壳,无壳

    BUUCTF RE reverse3

  2. 拖进IDA,直接shift+f12查看字符串,发现关键语句

    BUUCTF RE reverse3

  3. 右键进入代码区

    BUUCTF RE reverse3

  4. f5转换为伪代码

    BUUCTF RE reverse3

    BUUCTF RE reverse3

  5. 分析代码,发现就是将输入的语句用sub_4110BE函数加密后再进行一个for循环变换,直接进入sub_4110BE

    BUUCTF RE reverse3

  6. 进入sub_411AB0,发现是3位加密成四位,盲猜base64加密

    BUUCTF RE reverse3

    加密函数:

    `while ( v11 > 0 )
    {
    byte_41A144[2] = 0;
    byte_41A144[1] = 0;
    byte_41A144[0] = 0;
    for ( i = 0; i < 3 && v11 >= 1; ++i )
    {
    byte_41A144[i] = *v13;
    --v11;
    ++v13;
    }
    if ( !i )
    break;
    switch ( i )
    {
    case 1:
    *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
    v4 = v7 + 1;
    *((_BYTE *)Dst + v4++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
    *((_BYTE *)Dst + v4++) = aAbcdefghijklmn[64];
    *((_BYTE *)Dst + v4) = aAbcdefghijklmn[64];
    v7 = v4 + 1;
    break;
    case 2:
    *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
    v5 = v7 + 1;
    *((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
    *((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
    *((_BYTE *)Dst + v5) = aAbcdefghijklmn[64];
    v7 = v5 + 1;
    break;
    case 3:
    *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
    v6 = v7 + 1;
    *((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
    *((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
    *((_BYTE *)Dst + v6) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
    v7 = v6 + 1;
    break;
    }
    }
    *((_BYTE *)Dst + v7) = 0;

  7. 查看str2,e3nifIH9b_C@n@dH

    BUUCTF RE reverse3

  8. 编写python脚本,跑出flag{{i_l0ve_you}}

    脚本代码:

    `import base64

    s = "e3nifIH9b_C@n@dH"

    x = ""

    for i in range(0,len(s)):

    x += chr(ord(s[i]) - i)

    print(base64.b64decode(x))`

    BUUCTF RE reverse3

总结

算是目前为止做到的最难的题了,其实前面的步骤都差不多,主要是这个文件的函数名都很怪,我刚开始把加密函数当作一般的字符串函数来处理了,但是一直出不来flag,后面才发现那是一个自定义函数,用来加密的,然后又是加密函数看了半天,最后才猜的是base64加密。这道题相当于是reverse和crypto结合了,还需要有一定的c语言基础。

上一篇:buuctf web easy md5


下一篇:BUUCTF RE 内涵的软件 WP