【逆向分析】BUUCTF 逆向题目 reverse3
2023-12-1 00:0:36 Author: 利刃信安攻防实验室(查看原文) 阅读量:7 收藏

题目地址:

https://buuoj.cn/challenges#reverse3

https://files.buuoj.cn/files/aa4f6c7e8d5171d520b95420ee570e79/a9d22a0e-928d-4bb4-8525-e38c9481469e.rar

首先,查壳

信息:     文件名: H://BUUCTF/reverse3/reverse_3.exe    大小: 39424(38.50 KiB)    操作系统: Windows(Vista)    架构: I386    模式: 32    类型: 控制台    字节序: LE

使用IDA32打开

F5

Str2赋值e3nifIH9b_C@n@dH

根据代码分析,用户输入flag后,程序先对输入进行处理(从下文的解题流程可知是base64编码),把结果赋值给Destination,然后Destination中的每一位字符对应的ascii码数值加上本身对应的下标,最后结果是e3nifIH9b_C@n@dH。

e3nifIH9b_C@n@dH —> 一个for循环减法(每一位减去自身下标) —> base64解码(base64只是编码,不是加密,不需要密钥) —> flag

import base64
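# Value the binary compares the transformed input against (Str2 in the
# decompiled code shown by IDA).
Str2 = 'e3nifIH9b_C@n@dH'

# The program added each character's index to its code point, so subtracting
# the index again recovers the base64 text.
key = ''.join(chr(ord(ch) - i) for i, ch in enumerate(Str2))

# validate=True makes b64decode raise on characters outside the base64
# alphabet instead of silently discarding them, so a wrong index transform is
# reported as an error rather than decoding to garbage.
decoded = base64.b64decode(key, validate=True)

# Decode the bytes explicitly rather than slicing the b'...' repr, which only
# gives the right text when no byte needs escaping.
flag = 'flag' + decoded.decode('ascii')
print(flag)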

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
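/* Standard base64 alphabet; a character's index in this table is its 6-bit value. */
const char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Return the 6-bit value of a base64 character, or -1 if it is not in the alphabet. */
static int base64_value(char c)
{
    /* strchr() also matches the terminating NUL of the table, so reject it first. */
    if (c == '\0') {
        return -1;
    }
    const char *pos = strchr(base64_chars, c);
    return pos != NULL ? (int)(pos - base64_chars) : -1;
}

/**
 * Decode a NUL-terminated base64 string.
 *
 * @param input       base64 text; its length must be a multiple of 4 and it
 *                    may end in one or two '=' padding characters.
 * @param output      receives a malloc'd buffer holding the decoded bytes plus
 *                    a terminating NUL; the caller frees it.
 * @param output_len  receives the number of decoded bytes (NUL not counted).
 *
 * Invalid length, a character outside the alphabet, or allocation failure
 * prints a message to stderr and terminates the process with EXIT_FAILURE.
 */
void base64_decode(const char *input, unsigned char **output, size_t *output_len)
{
    size_t input_len = strlen(input);

    if (input_len % 4 != 0) {
        fprintf(stderr, "Invalid base64 input length\n");
        exit(EXIT_FAILURE);
    }

    /* Trailing '=' marks bytes that are absent from the final group.
     * input_len is a non-zero multiple of 4 here, so index input_len - 2 is valid. */
    size_t pad = 0;
    if (input_len > 0 && input[input_len - 1] == '=') {
        pad = (input[input_len - 2] == '=') ? 2 : 1;
    }
    size_t data_len = input_len - pad;

    *output_len = 3 * (input_len / 4) - pad;
    *output = malloc(*output_len + 1);
    if (*output == NULL) {
        fprintf(stderr, "Out of memory\n");
        exit(EXIT_FAILURE);
    }

    size_t j = 0;
    for (size_t i = 0; i < input_len; i += 4) {
        unsigned int triple = 0;

        for (size_t k = 0; k < 4; ++k) {
            int value = 0; /* padding positions contribute zero bits */

            if (i + k < data_len) {
                /* Without this check an unknown character makes strchr()
                 * return NULL and the index arithmetic is undefined. */
                value = base64_value(input[i + k]);
                if (value < 0) {
                    fprintf(stderr, "Invalid base64 character\n");
                    free(*output);
                    *output = NULL;
                    exit(EXIT_FAILURE);
                }
            }
            triple = (triple << 6) | (unsigned int)value;
        }

        /* Emit only the bytes that really exist; a padded final group is short. */
        if (j < *output_len) {
            (*output)[j++] = (unsigned char)((triple >> 16) & 0xFF);
        }
        if (j < *output_len) {
            (*output)[j++] = (unsigned char)((triple >> 8) & 0xFF);
        }
        if (j < *output_len) {
            (*output)[j++] = (unsigned char)(triple & 0xFF);
        }
    }

    (*output)[j] = '\0';
}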
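/*
 * Recover the flag: undo the per-index shift applied to the comparison
 * string, base64-decode the result, and print it behind the "flag" prefix.
 */
int main(void)
{
    /* Value the binary compares against: base64 text in which every
     * character was shifted up by its own index. */
    char base64_str[] = "e3nifIH9b_C@n@dH";
    const size_t encoded_len = sizeof base64_str - 1; /* exclude the NUL */

    /* Subtract each character's index to get the plain base64 text back.
     * The length comes from the array, not a hard-coded 16. */
    for (size_t i = 0; i < encoded_len; ++i) {
        base64_str[i] = (char)(base64_str[i] - (int)i);
    }

    /* base64_decode allocates the output buffer; it is freed below. */
    unsigned char *decoded_str = NULL;
    size_t decoded_len = 0;
    base64_decode(base64_str, &decoded_str, &decoded_len);

    /* Bounded formatting instead of strcpy/strcat, so decoded data longer
     * than the buffer is reported rather than written past its end. */
    char result[128];
    int written = snprintf(result, sizeof result, "flag%s", (char *)decoded_str);
    if (written < 0 || (size_t)written >= sizeof result) {
        fprintf(stderr, "Decoded output does not fit in result buffer\n");
        free(decoded_str);
        return EXIT_FAILURE;
    }

    printf("Final Result: %s\n", result);

    free(decoded_str);
    return 0;
}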


文章来源: http://mp.weixin.qq.com/s?__biz=MzU1Mjk3MDY1OA==&mid=2247508309&idx=2&sn=ef39c59b76c2e5fd8a06e2b8c8b8295d&chksm=fbfb1198cc8c988e9e423cad9e62767d231b75ce48d9f5097accce6f525c5e359f04ee156e85&scene=0&xtrack=1#rd