ctf-re-羊城2020_easyre
代码解读
main
将输入的str依次进行三次不同的加密,每次加密传入的参数为
(src,len(src),result,const)
三次加密后的结果作为str1,与str2进行比对
其中
- str1 38个字符大小
- str2的值为(32个字符;注意:下面这串字符实际长度为52,与注册机输出的长度一致):
EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG
encode_one
标准表的base64,没有变表
encode_two
本质上是对base64后的结果进行位置交换:按每13个字符一段分成4段(共52个字符),再调换各段的位置
/*
 * encode_two - second stage: reorder the Base64 text in four 13-byte segments.
 *
 *   a1  input text (the Base64 output of the first stage)
 *   a2  input length; only tested for zero, never used as a bound
 *   a3  output buffer that receives the reordered text
 *   a4  not referenced in this function
 *
 * Returns 0 on success, 0xFFFFFFFF when a1 is NULL or a2 is 0.
 *
 * Segment mapping (13 bytes each):
 *   out[ 0..12] = in[26..38]
 *   out[13..25] = in[ 0..12]
 *   out[26..38] = in[39..51]
 *   out[39..51] = in[13..25]
 *
 * NOTE(review): the offsets are fixed and a2 is not consulted, so the routine
 * assumes at least 52 bytes of input and 52 bytes of output space; no NUL
 * terminator is written after out[51] - presumably the caller zeroes a3, confirm.
 */
__int64 __fastcall encode_two(const char *a1, int a2, char *a3, int *a4)
{
  const char *in = a1;
  char *out = a3;

  if ( a1 == 0 || a2 == 0 )
    return 0xFFFFFFFFi64;

  strncpy(out, in + 26, 13);        /* third segment moves to the front   */
  strncpy(out + 13, in, 13);        /* first segment becomes the second   */
  strncpy(out + 26, in + 39, 13);   /* fourth segment becomes the third   */
  strncpy(out + 39, in + 13, 13);   /* second segment moves to the end    */
  return 0i64;
}
encode_three
其中关键的:
- 大写字母:
*v7 = (v5 - 65 + 3) % 26 + 65
- 小写字母:
*v7 = (v5 - 97 + 3) % 26 + 97
- 0-9 数字:
*v7 = (v5 - 48 + 3) % 10 + 48
这几个转换本质上都是移位为3的凯撒密码:大写字母、小写字母、数字各自在自己的字符集内循环移位,其余字符原样保留。以数字为例,48是字符'0'的字符码
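/*
 * encode_three - third stage: per-character shift-by-3 substitution.
 *
 *   a1  input text
 *   a2  number of bytes to process
 *   a3  output buffer; exactly a2 bytes are written, no NUL terminator is added
 *   a4  not referenced in this function
 *
 * Returns 0 on success, 0xFFFFFFFF when a1 is NULL or a2 is 0.
 *
 * Each character class rotates inside its own alphabet:
 *   'A'..'Z' -> (c - 65 + 3) % 26 + 65
 *   'a'..'z' -> (c - 97 + 3) % 26 + 97
 *   '0'..'9' -> (c - 48 + 3) % 10 + 48
 * Every other byte (for example '=', '+', '/') is copied unchanged.
 *
 * The listing as pasted carried a stray '-' after one closing brace, which
 * made it syntactically invalid; it is removed here. The nested range tests
 * are flattened into an else-if chain with the same outcome per character.
 */
__int64 __fastcall encode_three(const char *a1, int a2, char *a3, int *a4)
{
  const char *in;
  char *out;
  char ch;
  int i;

  if ( !a1 || !a2 )
    return 0xFFFFFFFFi64;

  in = a1;
  out = a3;
  for ( i = 0; i < a2; ++i )
  {
    ch = *in;
    if ( ch > 64 && ch <= 90 )
      *out = (ch - 65 + 3) % 26 + 65;   /* upper-case letter */
    else if ( ch > 96 && ch <= 122 )
      *out = (ch - 97 + 3) % 26 + 97;   /* lower-case letter */
    else if ( ch > 47 && ch <= 57 )
      *out = (ch - 48 + 3) % 10 + 48;   /* decimal digit */
    else
      *out = ch;                        /* anything else passes through */
    ++out;
    ++in;
  }
  return 0i64;
}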
注册机
import base64
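# Target string the program compares the triple-encoded input against.
result = 'EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG'
dic_big = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
dic_sma = dic_big.lower()
dic_num = '0123456789'
# Standard Base64 alphabet; '+' and '/' are not touched by the third stage.
dic = dic_big + dic_sma + dic_num + '+/'

# Stage 3 inverse: each class (upper, lower, digit) was rotated forward by 3
# inside its own alphabet, so map every rotated character back to its source.
# Characters outside the three classes ('=', '+', '/') are left as they are.
# A translation table replaces the per-character search over the alphabet.
plain = dic_big + dic_sma + dic_num
shifted = ''.join(a[3:] + a[:3] for a in (dic_big, dic_sma, dic_num))
de_thre = result.translate(str.maketrans(shifted, plain))
# Length matches: BjYjM2Mjk4NzMR1dIVHs2NzJjY0MTEzM2VhMn0=zQ3NzhhMzhlOD 52
print(de_thre, len(de_thre))

# Stage 2 inverse: encode_two built its output from source segments
# [26:39], [0:13], [39:52], [13:26]; put the four 13-char segments back.
de_two = de_thre[13:26] + de_thre[39:52] + de_thre[0:13] + de_thre[26:39]
# R1dIVHs2NzJjYzQ3NzhhMzhlODBjYjM2Mjk4NzM0MTEzM2VhMn0= 52
print(de_two, len(de_two))

# Stage 1 inverse: plain Base64 with the standard alphabet.
de_one = base64.b64decode(de_two)

# Round-trip check: re-apply the three stages to the recovered input and make
# sure it reproduces the target, so a mistake in any inverse step is caught.
enc_one = base64.b64encode(de_one).decode('ascii')
enc_two = enc_one[26:39] + enc_one[0:13] + enc_one[39:52] + enc_one[13:26]
enc_three = enc_two.translate(str.maketrans(plain, shifted))
if enc_three != result:
    raise ValueError('re-encoding the recovered input does not match the target')

# GWHT{672cc4778a38e80cb362987341133ea2}
print(de_one)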