记录一次有趣的逆向题
查壳
无壳 32 c语言
逆向
原逆向
简单分析后
先看base64 是否换表
(base64加密算法有个坑
确实换表了
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
分析这条语句
v7[i] += LOBYTE(key_table[((unsigned __int16)(((_WORD)i + 1) << 8) - Str[i]) >> 8]);
发现本质是
v7[i] += key_table[i];
Str[i]并未实质参加运算
原因:char型为8位
1<<8 = 100000000(2进制)减去任意一个char = 0xxxxxxxx >>8 = 0
v7[i] = Str[key_table[i]];
这个其实很简单 就是个字典 不过多赘述
enc = [0xcb,0x4b,0x5f,0xe4,0x6b,0xa5,0xd0,0x62,0x54,0xc3,0xaa,0x4d,0xc5,0x7d,0x60,0xb9,0x53,0x6b,0xd6,0x4f,0x79,0xe9,0x33,0x70,0xbc,0x67,0x1e,0xef,0x49,0x66,0xc5,0x52,0x77,0xf5,0x47,0x5f,0x00,0x81]
# cyberchef yyds
key_table = [0x00000019, 0x0000000D, 0x00000004, 0x00000000, 0x00000002, 0x0000001F, 0x00000020, 0x00000003, 0x00000013, 0x00000011, 0x00000025, 0x00000001, 0x00000012, 0x00000010, 0x0000000E, 0x0000000A, 0x00000023, 0x00000018, 0x00000021, 0x00000014, 0x00000024, 0x00000006, 0x00000007, 0x00000017, 0x00000008, 0x00000009, 0x00000005, 0x0000000B, 0x0000000C, 0x0000000F, 0x00000015, 0x00000022, 0x0000001E, 0x00000016, 0x0000001D, 0x0000001A, 0x0000001C, 0x0000001B]
dic = {}
flag=''
for i in range(38):
enc[i]-=key_table[i]
for j in range(38):
dic.setdefault(key_table[j],j)
dec = dict(sorted(dic.items(), key=lambda v: v[0]))
for k in range(38):
flag+=chr(enc[dec[k]])
print(flag)
报错 原因 有一个是负的
(如果天真的 把负的+128/256 会发现 flag 乱码
这个时候就要留意之前的坑了
发现用表时有偏移
(不要问我怎么看出来的 去补习base64算法吧
对于小白来说 会有疑问 “这是不是还得重写base64解密啊”
其实不用 本质还是换表
GHIJKLMNOPQRSTUVWXYZ0123456789+/abcdefghijklmnopqrstuvwxyzABCDEF
能看出来这个和上面的有什么区别吧
重新cyberchef解密
enc = [0x49,0x43,0x7f,0x66,0x63,0x85,0x52,0x6a,0x74,0x41,0xa2,0x6d,0x47,0x75,0x40,0x3b,0x5b,0x4b,0x54,0x47,0x59,0x6b,0x3b,0x50,0x3e,0x6f,0x3e,0x6d,0x41,0x46,0x47,0x5a,0x57,0x77,0x4f,0x7f,0x82,0x89]
key_table = [0x00000019, 0x0000000D, 0x00000004, 0x00000000, 0x00000002, 0x0000001F, 0x00000020, 0x00000003, 0x00000013, 0x00000011, 0x00000025, 0x00000001, 0x00000012, 0x00000010, 0x0000000E, 0x0000000A, 0x00000023, 0x00000018, 0x00000021, 0x00000014, 0x00000024, 0x00000006, 0x00000007, 0x00000017, 0x00000008, 0x00000009, 0x00000005, 0x0000000B, 0x0000000C, 0x0000000F, 0x00000015, 0x00000022, 0x0000001E, 0x00000016, 0x0000001D, 0x0000001A, 0x0000001C, 0x0000001B]
dic = {}
flag=''
for i in range(38):
enc[i]-=key_table[i]
for j in range(38):
dic.setdefault(key_table[j],j)
dec = dict(sorted(dic.items(), key=lambda v: v[0]))
for k in range(38):
flag+=chr(enc[dec[k]])
print(flag)
总结
三个坑
1.v7[i] += LOBYTE(key_table[((unsigned __int16)(((_WORD)i + 1) << 8) - Str[i]) >> 8]);考察基本类型
2.常规base64换表
3.非常规base64换表