题目地址:
https://buuoj.cn/challenges#reverse3
https://files.buuoj.cn/files/aa4f6c7e8d5171d520b95420ee570e79/a9d22a0e-928d-4bb4-8525-e38c9481469e.rar
首先,查壳
信息:
文件名: H://BUUCTF/reverse3/reverse_3.exe
大小: 39424(38.50 KiB)
操作系统: Windows(Vista)
架构: I386
模式: 32 位
类型: 控制台
字节序: LE
使用IDA32打开
F5
Str2赋值e3nifIH9b_C@n@dH
根据代码分析,用户输入flag后(从下面的逆向流程可知,输入先经过base64编码),结果被赋值给Destination,然后Destination中每一位字符的ascii码数值加上该字符自身的下标,最后得到的结果应等于Str2,即e3nifIH9b_C@n@dH。
e3nifIH9b_C@n@dH —> 一个for循环减法(每一位减去自身下标) —> base64解码(base64只是编码,不是加密) —> flag
import base64
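# Comparison target recovered from the decompiled binary (the Str2 constant).
Str2 = 'e3nifIH9b_C@n@dH'

# The program adds each character's index to its code point, so subtracting
# the index again restores the base64 text it derived from the user's input.
key = ''.join(chr(ord(ch) - i) for i, ch in enumerate(Str2))

# Base64 is an encoding, not encryption: together with the fixed per-index
# offset, the whole check is reversible from the constant embedded in the
# binary. validate=True rejects characters outside the alphabet instead of
# silently dropping them, so a wrong offset fails loudly.
decoded = base64.b64decode(key, validate=True)

# Raw bytes repr, kept so the decoded value can be inspected as-is.
print('flag' + str(decoded))
# Decode the bytes explicitly rather than slicing the "b'...'" repr text,
# which would break as soon as the repr contained an escape sequence.
print('flag' + decoded.decode('ascii'))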
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
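/* Standard base64 alphabet; a character's index in this table is its 6-bit value. */
const char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Map one base64 character to its 6-bit value, or return -1 if it is not in the alphabet. */
static int base64_sextet(char c) {
    const char *pos;

    /* strchr() also matches the terminating NUL of the table, so reject it here. */
    if (c == '\0') {
        return -1;
    }
    pos = strchr(base64_chars, c);
    return pos != NULL ? (int)(pos - base64_chars) : -1;
}

/*
 * Decode the NUL-terminated base64 string `input`.
 *
 * On success *output points to a malloc()ed buffer holding the decoded bytes
 * followed by a NUL terminator, and *output_len is the number of decoded bytes
 * (terminator excluded). The caller owns the buffer and must free() it.
 *
 * The input length must be a multiple of 4; up to two trailing '=' padding
 * characters are accepted. On a bad length, a character outside the alphabet,
 * or allocation failure, a message is written to stderr and the process exits
 * with EXIT_FAILURE.
 */
void base64_decode(const char *input, unsigned char **output, size_t *output_len) {
    size_t input_len = strlen(input);
    size_t padding = 0;
    size_t i, j = 0;

    if (input_len % 4 != 0) {
        fprintf(stderr, "Invalid base64 input length\n");
        exit(EXIT_FAILURE);
    }

    /* A non-empty input has at least 4 characters here, so index input_len - 2 is valid. */
    if (input_len > 0 && input[input_len - 1] == '=') {
        padding = (input[input_len - 2] == '=') ? 2 : 1;
    }

    *output_len = 3 * (input_len / 4) - padding;
    *output = (unsigned char *)malloc(*output_len + 1);
    if (*output == NULL) {
        fprintf(stderr, "Out of memory\n");
        exit(EXIT_FAILURE);
    }

    for (i = 0; i < input_len; i += 4) {
        unsigned int sextets[4];
        unsigned int triple;
        size_t k;

        for (k = 0; k < 4; ++k) {
            char c = input[i + k];
            int value;

            /* '=' is only legal in the trailing padding positions of the last quantum. */
            if (c == '=' && i + 4 == input_len && k + padding >= 4) {
                value = 0;
            } else {
                value = base64_sextet(c);
            }
            if (value < 0) {
                /* Without this check an unknown character would index from a NULL strchr() result. */
                fprintf(stderr, "Invalid base64 character\n");
                free(*output);
                *output = NULL;
                exit(EXIT_FAILURE);
            }
            sextets[k] = (unsigned int)value;
        }

        triple = (sextets[0] << 18) | (sextets[1] << 12) | (sextets[2] << 6) | sextets[3];

        /* Padding shortens the final quantum, so never write past output_len. */
        if (j < *output_len) {
            (*output)[j++] = (unsigned char)((triple >> 16) & 0xFF);
        }
        if (j < *output_len) {
            (*output)[j++] = (unsigned char)((triple >> 8) & 0xFF);
        }
        if (j < *output_len) {
            (*output)[j++] = (unsigned char)(triple & 0xFF);
        }
    }
    (*output)[j] = '\0';
}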
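/*
 * Reverse the check described in the write-up: undo the per-index offset on
 * the constant recovered from the binary, base64-decode the result, and print
 * it with the "flag" prefix.
 */
int main(void) {
    /* Comparison target taken from the binary (Str2): the offset base64 text, not decoded data. */
    char base64_str[] = "e3nifIH9b_C@n@dH";
    /* Derive the length from the string instead of hard-coding 16. */
    size_t len = strlen(base64_str);
    size_t i;
    unsigned char *decoded_str = NULL;
    size_t decoded_len = 0;
    char result[128];

    /* Undo the transform: the program added each character's index to it. */
    for (i = 0; i < len; ++i) {
        base64_str[i] = (char)(base64_str[i] - (int)i);
    }

    /* Decode the restored base64 text; base64_decode exits on invalid input. */
    base64_decode(base64_str, &decoded_str, &decoded_len);

    /* snprintf bounds the write to result[], unlike the strcpy/strcat pair it replaces. */
    snprintf(result, sizeof(result), "flag%.*s", (int)decoded_len, (char *)decoded_str);

    printf("Final Result: %s\n", result);

    /* base64_decode hands ownership of the buffer to the caller. */
    free(decoded_str);
    return 0;
}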