32位无壳
拖入32位ida
查看字符串
可能会用到base64编码
查看main函数的伪代码
// IDA/Hex-Rays pseudocode for the crackme's main routine (not compilable C).
// Flow: zero Dest, prompt, read the candidate flag into Str, encode it with
// sub_4110BE, copy the result into Dest, add each byte's index to it, and
// compare against the constant Str2.
// NOTE(review): sub_41132F / sub_411375 look like printf / scanf thunks,
// judging only by their arguments - confirm in the disassembly.
__int64 __usercall main_0@<edx:eax>(int a1@<ebx>, int a2@<edi>, int a3@<esi>)
{
int v3; // eax
const char *v4; // eax
size_t v5; // eax
int v6; // edx
__int64 v7; // ST08_8
signed int j; // [esp+DCh] [ebp-ACh]
signed int i; // [esp+E8h] [ebp-A0h]
signed int v11; // [esp+E8h] [ebp-A0h]
char Dest[108]; // [esp+F4h] [ebp-94h]
// NOTE(review): typed as a single char, but the stack offsets leave 0x1C bytes
// between Str (ebp-28h) and v14 (ebp-0Ch), so this is presumably a small
// input buffer that the decompiler did not type as an array - confirm.
char Str; // [esp+160h] [ebp-28h]
char v14; // [esp+17Ch] [ebp-Ch]
for ( i = 0; i < 100; ++i )
{
// This range check can never fire here because the loop already bounds
// i below 100 (0x64); presumably compiler-inserted.
if ( (unsigned int)i >= 0x64 )
j____report_rangecheckfailure(a1, a2, a3);
Dest[i] = 0;
}
// Zero-initialise the first 100 bytes of Dest.
sub_41132F("please enter the flag:");
sub_411375((int)"%20s", (unsigned int)&Str);
// Read at most 20 characters into Str; the width in "%20s" is what bounds
// the write (assuming scanf semantics - see note above).
v3 = j_strlen(&Str);
// Length of the input.
v4 = (const char *)sub_4110BE((int)&Str, v3, (int)&v14);
// sub_4110BE encodes the input (Base64-style; this is an encoding, not
// encryption). The role of the third argument is not visible in this listing.
strncpy(Dest, v4, 0x28u);
// Copy at most 40 (0x28) bytes of the encoded string v4 into Dest. strncpy
// does not terminate on truncation, but bytes 40..99 of Dest were zeroed
// above, so Dest stays NUL-terminated.
v11 = j_strlen(Dest);
// Length of the encoded string in Dest.
for ( j = 0; j < v11; ++j )
Dest[j] += j;
// Add its own index to every byte of Dest.
v5 = j_strlen(Dest);
// The compare length is strlen(Dest), not the length of Str2, so this is a
// prefix comparison: only the first v5 bytes of Str2 are checked. A strict
// check would also require both lengths to be equal.
if ( !strncmp(Dest, Str2, v5) )
// Per the write-up author, Str2 is 'e3nifIH9b_C@n@dH'.
sub_41132F("rigth flag!\n");
else
sub_41132F("wrong flag!\n");
// v6 is never assigned in this listing; the two halves below appear to be the
// decompiler's rendering of the edx:eax return pair, with eax = 0.
HIDWORD(v7) = v6;
LODWORD(v7) = 0;
return v7;
}
跟进sub_4110BE函数
// Excerpt from inside sub_4110BE (Hex-Rays pseudocode); the function header,
// local declarations and the setup of Dst, v7, v11 and v13 are outside this
// excerpt. As used here: v11 counts input bytes still to consume, v13 is the
// input cursor, v7 is the write index into Dst.
// The loop is a Base64-style encoder: it takes up to 3 input bytes per pass and
// emits 4 table characters, using aAbcdefghijklmn[64] as filler for short
// groups. The table contents are not shown in this listing - presumably the
// standard alphabet with '=' at index 64; confirm against the data segment.
// NOTE(review): no bound on v7 is checked in this excerpt, so Dst must have
// been sized for 4 output bytes per 3 input bytes plus the terminator before
// this point - TODO confirm where Dst is allocated.
while ( v11 > 0 )
{
// Clear the 3-byte group buffer so missing bytes of a short final group
// read as zero. byte_41A144 is named like a global by IDA, which would make
// this routine non-reentrant - confirm.
byte_41A144[2] = 0;
byte_41A144[1] = 0;
byte_41A144[0] = 0;
// Pull up to three bytes from the input; i ends up as the group size.
for ( i = 0; i < 3 && v11 >= 1; ++i )
{
byte_41A144[i] = *v13;
--v11;
++v13;
}
// Cannot trigger: the while guard ensures at least one byte is consumed.
if ( !i )
break;
switch ( i )
{
// One input byte: two data characters, then two filler characters.
case 1:
*((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
v4 = v7 + 1;
*((_BYTE *)Dst + v4++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
*((_BYTE *)Dst + v4++) = aAbcdefghijklmn[64];
*((_BYTE *)Dst + v4) = aAbcdefghijklmn[64];
v7 = v4 + 1;
break;
// Two input bytes: three data characters, then one filler character.
case 2:
*((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
v5 = v7 + 1;
*((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
*((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
*((_BYTE *)Dst + v5) = aAbcdefghijklmn[64];
v7 = v5 + 1;
break;
// Full group: the 24 input bits are split into four 6-bit table indices
// (top 6 of byte 0; low 2 of byte 0 + top 4 of byte 1; low 4 of byte 1 +
// top 2 of byte 2; low 6 of byte 2).
case 3:
*((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
v6 = v7 + 1;
*((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
*((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
*((_BYTE *)Dst + v6) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
v7 = v6 + 1;
break;
}
}
// NUL-terminate the encoded string and hand the buffer back to the caller.
*((_BYTE *)Dst + v7) = 0;
return Dst;
}
以及aAbcdefghijklmn的值
有点难看
先还原Str2：每个字符减去其下标，抵消main函数里Dest[j] += j的变换
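# Undo the per-index shift that main_0 applies (Dest[j] += j) before it
# compares the encoded input with Str2.
a = "e3nifIH9b_C@n@dH"  # Str2, the constant the program compares against

# Subtract each character's index to recover the Base64-encoded text.
# (The listing's loop body had lost its indentation and would not parse.)
b = "".join(chr(ord(ch) - i) for i, ch in enumerate(a))
print(b)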
得到e2lfbDB2ZV95b3V9
然后根据编码表aAbcdefghijklmn和字符串窗口的提示，尝试base64解码（base64是编码而非加密）
得到{i_l0ve_you}