骑麦兜看落日

[WriteUp]巅峰极客

2018/07/21

Reverse


Simple Base-N


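Challenge information

Wrap the answer in flag{}.


Program analysis

The challenge hint suggests this is a base-encoding problem, so we need to work out which member of the base family is used.


Solution process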

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  int v5; // eax
  const char *v6; // edx

  sub_401590(std::cout, "please input your flag:");
  sub_4017D0(std::cin);
  if ( (signed int)strlen(input) >= 10 )
  {
    change(input);
    v3 = strcmp(input, "guvf_vf_n_snxr_synt");
    if ( v3 )
      v3 = -(v3 < 0) | 1;
    if ( !v3 )
    {
      sub_401590(std::cout, "try a little bit harder!\n");
      return 0;
    }
    table();
    base32((int)&input[1], strlen(input));
    v5 = strcmp(keystr, "weNTDk5LZsNRHk6cVogqTZmFy2NRP7X4ZHLTBZwg");
    if ( v5 )
      v5 = -(v5 < 0) | 1;
    v6 = "Congratulations!!!\n";
    if ( v5 )
      v6 = "soooooooooorry\n";
    sub_401590(std::cout, v6);
    system("pause");
  }
  return 0;
}

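Open the program in IDA and press F5 to decompile it.

It starts with a function change(), which performs a simple transformation on the input. The correspondence between characters after and before the transformation is: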

abcdefghijklmnopqrstuvwxyz
nopqrstuvwxyzabcdefghijklm

ABCDEFGHIJKLMNOPQRSTUVWXYZ
NOPQRSTUVWXYZABCDEFGHIJKLM

Next, strcmp() is called to compare the strings. We apply the inverse of change() to the comparison string:

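#!/usr/bin/env python

# change() mapping: position i holds the image of chr(0x61 + i)
string = 'nopqrstuvwxyzabcdefghijklm'
# constant that main() passes to strcmp()
key = 'guvf_vf_n_snxr_synt'
dec = ''

for x in key:
    x = ord(x)
    # only lowercase letters are mapped; '_' passes through unchanged
    if(x>=0x61 and x <=0x7A):
        x = ord(string[x-0x61])
    dec += chr(x)
print(dec)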

Output:

this_is_a_fake_flag
[Finished in 0.1s]

……

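Further down is the table() function, which scrambles the alphabet (lookup table) used for base32 encoding. The mapping between the alphabet before and after scrambling is: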

ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
aBcDeFgHiJkLmNoPqRsTuVwXyZ567234

After that, base32() is called to base32-encode the input.

The encoded string is then compared with weNTDk5LZsNRHk6cVogqTZmFy2NRP7X4ZHLTBZwg.


Decryption algorithm

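#!/usr/bin/env python3
# Python 3 is required: the second loop iterates over bytes as integers.

import base64

# uppercase alphabet shifted by 13 places
string = 'NOPQRSTUVWXYZABCDEFGHIJKLM'
# constant that main() compares the encoded input against
key = 'weNTDk5LZsNRHk6cVogqTZmFy2NRP7X4ZHLTBZwg'
enc = ''
flag = ''

# Step 1: map every symbol back to the standard base32 alphabet
for x in key:
    x = ord(x)
    if(x>0x60):
        # lowercase letter -> shifted uppercase letter
        x = string[x-0x61]
    elif(x>0x40):
        # uppercase letter -> shifted uppercase letter
        x = string[x-0x41]
    else:
        # digits: 5,6,7 -> 2,3,4 and 2,3,4 -> 5,6,7
        if(x>0x34):
            x = chr(x-0x3)
        else:
            x = chr(x+0x3)
    enc += x

# Step 2: standard base32 decode (returns bytes)
enc = base64.b32decode(enc)

# Step 3: undo change() on the decoded bytes, keeping the case of each letter
for x in enc:
    if(x>0x40 and x<0x5B):
        x = string[x-0x41]
    elif(x>0x60 and x<0x7B):
        x = chr(ord(string[x-0x61])+0x20)
    else:
        x = chr(x)
    flag += x

print(flag)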
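
The two steps above (the letter shift in change(), which is ROT13, and base32 over the table() alphabet) as one round trip, added here as an example and not part of the original write-up: it decodes the strcmp() constant with a base32 decoder that accepts any 32-symbol alphabet, then re-encodes the result the way main() is described to and compares it with the constant. The names rot13, b32_encode, b32_decode, check, recover and ALPHABET are this example's own; ALPHABET (the table() output with its letters rotated by 13) is an assumption inferred from the solver script's letter mapping, not a value stated in the post.

```python
import codecs

# table() output as listed in the write-up (image of the standard alphabet).
TABLE = "aBcDeFgHiJkLmNoPqRsTuVwXyZ567234"
# Assumption: the solver script also shifts every letter by 13 before the
# standard decode, so the alphabet in effect has its letters rotated by 13.
ALPHABET = TABLE[13:26] + TABLE[:13] + TABLE[26:]
TARGET = "weNTDk5LZsNRHk6cVogqTZmFy2NRP7X4ZHLTBZwg"  # strcmp() constant in main()

def rot13(text):
    return codecs.encode(text, "rot13")

def b32_encode(data, alphabet):
    """Unpadded base32 over an arbitrary 32-symbol alphabet."""
    acc = bits = 0
    out = []
    for byte in data:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            out.append(alphabet[(acc >> bits) & 31])
    if bits:  # left-align the final partial group
        out.append(alphabet[(acc << (5 - bits)) & 31])
    return "".join(out)

def b32_decode(text, alphabet):
    index = {c: i for i, c in enumerate(alphabet)}
    acc = bits = 0
    out = bytearray()
    for ch in text:
        if ch not in index:
            raise ValueError("symbol %r is not in the alphabet" % ch)
        acc, bits = (acc << 5) | index[ch], bits + 5
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out)

def check(candidate):
    """Forward direction as described for main(): ROT13, custom base32, compare."""
    return b32_encode(rot13(candidate).encode(), ALPHABET) == TARGET

def recover():
    """Inverse direction: custom base32 decode, then undo ROT13."""
    return rot13(b32_decode(TARGET, ALPHABET).decode())

if __name__ == "__main__":
    print(recover(), check(recover()))
```

Because check() reproduces the constant byte for byte, including letter case, a True result confirms the inferred alphabet as well as the recovered string.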

Related material
