无壳64位exe 运行还是老样子
查看字符串，发现一个疑似 base64 的串，先放在这里；跟进主函数
/*
 * main: reads one 38-character flag candidate, pushes it through
 * encode_one -> encode_two -> encode_three and compares the result with
 * the constant Str2.  This is decompiler (IDA) output; the local types
 * and sizes are the decompiler's reconstruction, not the original source.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3;
int v4;
int v5;
int result;
/* NOTE(review): Str, Str1, v9, v10 and Str2[8] are shown as 1-byte / 8-byte
 * locals but receive 38..52-byte strings below; presumably they are the
 * starts of larger adjacent stack buffers whose sizes the decompiler did
 * not recover -- confirm in the stack-frame view before reading the
 * strcpy/scanf calls below as overflows. */
char Str;
char Str1;
char v9;
char v10;
char Str2[8];
int v12;   /* receives encode_one's output length; not read afterwards */
_main();
/* target string: 52 characters, the padded-base64 length of 38 input bytes */
strcpy(Str2, "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG");
puts("Hello, please input your flag and I will tell you whether it is right or not.");
/* %38s caps the read at 38 bytes plus terminator; shorter input is
 * rejected by the strlen check that follows */
scanf("%38s", &Str);
/* each encode_* returns 0 on success and 0xFFFFFFFF for NULL/empty input,
 * hence the (unsigned int) truncation before the == 0 tests.  The strlen
 * calls on the intermediate buffers rely on terminators that none of the
 * encode_* listings write -- presumably the frame is zeroed; unconfirmed. */
if ( strlen(&Str) == 38
&& (v3 = strlen(&Str), (unsigned int)encode_one(&Str, v3, &v10, &v12) == 0)   /* base64 over custom alphabet */
&& (v4 = strlen(&v10), (unsigned int)encode_two(&v10, v4, &v9, &v12) == 0)    /* 13-byte block shuffle */
&& (v5 = strlen(&v9), (unsigned int)encode_three(&v9, v5, &Str1, &v12) == 0)  /* Caesar +3 on letters and digits */
&& !strcmp(&Str1, Str2) )
{
puts("you are right!");
result = 0;
}
else
{
printf("Something wrong. Keep going.");
result = 0;   /* exit status is 0 on both paths; only the message differs */
}
return result;
}
一个输入,三个加密函数,逐步分析
encode_one
/*
 * encode_one: base64-style encoder over the custom table `alphabet`.
 *   a1, a2 : input bytes and their length
 *   a3     : output buffer, 4 characters per 3 input bytes, '=' (61) padding
 *   a4     : if non-NULL, receives the number of output characters
 * Returns 0 on success, 0xFFFFFFFF if a1 is NULL or a2 is 0.
 * `alphabet` and `cmove_bits` are defined outside this listing; cmove_bits
 * presumably extracts a bit field (value, shift, width) -- not confirmed.
 * No terminator is written to a3.
 */
__int64 __fastcall encode_one(const char *a1, int a2, char *a3, int *a4)
{
int v5;
int v6;
int v7;
int v8;
int v9;
char *v10;
int v11;
int i;
unsigned __int8 *v13;
int v14;
int *v15;
v13 = (unsigned __int8 *)a1;
v14 = a2;
v15 = a4;
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
v11 = 0;
/* v11 = bytes needed to pad a2 up to a multiple of 3 (0, 1 or 2) */
if ( a2 % 3 )
v11 = 3 - a2 % 3;
v9 = a2 + v11;            /* padded input length; loop bound */
v8 = 8 * (a2 + v11) / 6;  /* output length: 4 characters per 3 input bytes */
v10 = a3;
for ( i = 0; i < v9; i += 3 )
{
/* NOTE(review): *v13 is an unsigned byte cast to (signed) char before the
 * arithmetic shift, so an input byte >= 0x80 produces a negative index
 * into alphabet (out-of-bounds read).  The remaining lookups go through
 * cmove_bits, whose value range is not visible here. */
*v10 = alphabet[(char)*v13 >> 2];
/* last group (i == v9 - 3) and it needs padding */
if ( v14 + v11 - 3 == i && v11 )
{
if ( v11 == 1 )   /* two real bytes remain: only v13[0], v13[1] are read */
{
v5 = (char)cmove_bits(*v13, 6u, 2u);
v10[1] = alphabet[v5 + (char)cmove_bits(v13[1], 0, 4u)];
v10[2] = alphabet[(char)cmove_bits(v13[1], 4u, 2u)];
v10[3] = 61;
}
else if ( v11 == 2 )   /* one real byte remains: only v13[0] is read */
{
v10[1] = alphabet[(char)cmove_bits(*v13, 6u, 2u)];
v10[2] = 61;
v10[3] = 61;
}
}
else   /* full 3-byte group */
{
v6 = (char)cmove_bits(*v13, 6u, 2u);
v10[1] = alphabet[v6 + (char)cmove_bits(v13[1], 0, 4u)];
v7 = (char)cmove_bits(v13[1], 4u, 2u);
v10[2] = alphabet[v7 + (char)cmove_bits(v13[2], 0, 6u)];
v10[3] = alphabet[v13[2] & 0x3F];
}
v10 += 4;
v13 += 3;
}
if ( v15 )
*v15 = v8;
return 0i64;
}
alphabet 就是密码表（encode_one 中 v10 = a3，即编码结果写入 a3）
encode_two
/*
 * encode_two: permutes four 13-byte blocks of a1 into a3.
 *   output block 0 <- input block 2, 1 <- 0, 2 <- 3, 3 <- 1
 * a2 is only tested for zero: the function always reads 52 bytes of a1 and
 * writes 52 bytes of a3, regardless of the length passed, and writes no
 * terminator (strncpy with a source block that holds no NUL copies exactly
 * 13 bytes).  a4 is unused.
 * Returns 0 on success, 0xFFFFFFFF if a1 is NULL or a2 is 0.
 */
long long encode_two(const char *a1, int a2, char *a3, int *a4)
{
    enum { BLOCK = 13 };
    /* source offset feeding output block k, in the same order as the
     * original four copies */
    static const int src_off[4] = { 2 * BLOCK, 0, 3 * BLOCK, BLOCK };
    (void)a4;
    if (a1 == NULL || a2 == 0)
        return 0xFFFFFFFFLL;
    for (int k = 0; k < 4; ++k)
        strncpy(a3 + k * BLOCK, a1 + src_off[k], BLOCK);
    return 0;
}
encode_three
/*
 * encode_three: Caesar shift by +3, byte by byte, of a1[0..a2) into a3.
 * 'A'-'Z' and 'a'-'z' rotate within their 26-letter range, '0'-'9' rotate
 * within the ten digits, every other byte is copied unchanged.  Exactly a2
 * bytes are written and no terminator is appended.  a4 is unused.
 * Returns 0 on success, 0xFFFFFFFF if a1 is NULL or a2 is 0.
 */
long long encode_three(const char *a1, int a2, char *a3, int *a4)
{
    (void)a4;
    if (a1 == NULL || a2 == 0)
        return 0xFFFFFFFFLL;
    const char *in = a1;
    char *out = a3;
    for (int k = 0; k < a2; ++k, ++in, ++out) {
        char c = *in;   /* plain char, as in the binary: bytes >= 0x80 fall into the copy case on signed-char targets */
        if (c >= 'A' && c <= 'Z')
            *out = (char)((c - 'A' + 3) % 26 + 'A');
        else if (c >= 'a' && c <= 'z')
            *out = (char)((c - 'a' + 3) % 26 + 'a');
        else if (c >= '0' && c <= '9')
            *out = (char)((c - '0' + 3) % 10 + '0');
        else
            *out = c;
    }
    return 0;
}
偏移为3的凯撒密码
凯撒解密不带数字玩,就自己写一个 (好像手动减三会比写脚本方便点)
import base64
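def _unshift_digits(s: str) -> str:
    """Undo the digit step of encode_three.

    encode_three replaced every decimal digit d with (d + 3) % 10, so the
    inverse is (d - 3) % 10.  The modulo matters: a plain ``int(d) - 3``
    turns '0', '1', '2' into the two-character strings '-3', '-2', '-1'
    and corrupts the block offsets used below.  Letters are returned
    unchanged because they were already shifted back by hand.
    """
    return ''.join(str((int(ch) - 3) % 10) if '0' <= ch <= '9' else ch
                   for ch in s)


# Str2 from main, with the Caesar shift on the letters already undone by hand.
Str1 = _unshift_digits('BjYjM5Mjk7NzMR4dIVHs5NzJjY3MTEzM5VhMn3=zQ6NzhhMzhlOD')
# Inverse of encode_two's 13-byte block permutation: its output blocks
# 0,1,2,3 were taken from input blocks 2,0,3,1, so the input is
# out[1] + out[3] + out[0] + out[2].
flag = Str1[13:26] + Str1[39:] + Str1[:13] + Str1[26:39]
# NOTE(review): encode_one indexes a custom `alphabet`; b64decode assumes the
# standard table, so translate through the real alphabet first if it differs.
print(base64.b64decode(flag))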
flag{672cc4778a38e80cb362987341133ea2}