攻防世界 reverse 进阶 12 ReverseMe-120

程序流程很清晰

 1 int __cdecl main(int argc, const char **argv, const char **envp)
 2 {
 3   unsigned int v3; // edx
 4   unsigned int i; // ecx
 5   __m128i v5; // xmm1
 6   unsigned int v6; // esi
 7   const __m128i *v7; // eax
 8   __m128i v8; // xmm0
 9   int v9; // eax
10   char sc; // [esp+0h] [ebp-CCh]
11   char str; // [esp+1h] [ebp-CBh]
12   char s_; // [esp+64h] [ebp-68h]
13   char v14; // [esp+65h] [ebp-67h]
14   unsigned int de_s_len; // [esp+C8h] [ebp-4h]
15 
16   printf("please input your flah:");
17   sc = 0;
18   memset(&str, 0, 0x63u);
19   scanf("%s", &sc);
20   s_ = 0;
21   memset(&v14, 0, 0x63u);
22   sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));// base64解码
23   v3 = de_s_len;                                // 解码后长度
24   i = 0;
25   if ( de_s_len )
26   {
27     if ( de_s_len >= 0x10 )
28     {
29       v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);
30       v6 = de_s_len - (de_s_len & 0xF);
31       v7 = (const __m128i *)&s_;
32       do
33       {
34         v8 = _mm_loadu_si128(v7);
35         i += 16;
36         ++v7;
37         _mm_storeu_si128((__m128i *)&v7[-1], _mm_xor_si128(v8, v5));
38       }
39       while ( i < v6 );
40     }
41     for ( ; i < v3; ++i )
42       *(&s_ + i) ^= 0x25u;                      // 异或
43   }
44   v9 = strcmp(&s_, "you_know_how_to_remove_junk_code");
45   if ( v9 )
46     v9 = -(v9 < 0) | 1;
47   if ( v9 )
48     printf("wrong\n");
49   else
50     printf("correct\n");
51   system("pause");
52   return 0;
53 }

关键比较

strcmp(&s_, "you_know_how_to_remove_junk_code")向上跟踪,发现sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));

进入函数分析可以发现是base64解码

  1 signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *sc, unsigned int size)
  2 {
  3   int j; // ebx
  4   unsigned int k; // eax
  5   int v6; // ecx
  6   unsigned __int8 *v7; // edi
  7   int v8; // edx
  8   bool v9; // zf
  9   unsigned __int8 v10; // cl
 10   char v11; // cl
 11   _BYTE *v12; // esi
 12   unsigned int v13; // ecx
 13   int v14; // ebx
 14   unsigned __int8 v15; // cl
 15   char v16; // dl
 16   _BYTE *v18; // [esp+Ch] [ebp-Ch]
 17   unsigned int *v19; // [esp+10h] [ebp-8h]
 18   int v20; // [esp+14h] [ebp-4h]
 19   unsigned int v21; // [esp+14h] [ebp-4h]
 20   int sizea; // [esp+24h] [ebp+Ch]
 21 
 22   j = 0;
 23   v18 = a2;
 24   k = 0;
 25   v6 = 0;
 26   v19 = a1;
 27   v20 = 0;
 28   if ( !size )
 29     return 0;
 30   v7 = sc;
 31   do
 32   {
 33     v8 = 0;
 34     v9 = k == size;
 35     if ( k < size )
 36     {
 37       do
 38       {
 39         if ( sc[k] != ' ' )
 40           break;
 41         ++k;                                    // 不含空格
 42         ++v8;
 43       }
 44       while ( k < size );
 45       v9 = k == size;
 46     }
 47     if ( v9 )
 48       break;
 49     if ( size - k >= 2 && sc[k] == '\r' && sc[k + 1] == '\n' || (v10 = sc[k], v10 == '\n') )
 50     {
 51       v6 = v20;
 52     }
 53     else
 54     {
 55       if ( v8 )
 56         return 0xFFFFFFD4;
 57       if ( v10 == '=' && (unsigned int)++j > 2 )
 58         return 0xFFFFFFD4;
 59       if ( v10 > 0x7Fu )
 60         return 0xFFFFFFD4;
 61       v11 = byte_414E40[v10];
 62       if ( v11 == 0x7F || (unsigned __int8)v11 < '@' && j )
 63         return 0xFFFFFFD4;
 64       v6 = v20++ + 1;
 65     }
 66     ++k;
 67   }
 68   while ( k < size );
 69   if ( !v6 )
 70     return 0;
 71   v12 = v18;
 72   v13 = ((unsigned int)(6 * v6 + 7) >> 3) - j;
 73   if ( v18 && *v19 >= v13 )
 74   {
 75     v21 = 3;
 76     v14 = 0;
 77     for ( sizea = 0; k; --k )
 78     {
 79       v15 = *v7;
 80       if ( *v7 != '\r' && v15 != '\n' && v15 != ' ' )
 81       {
 82         v16 = byte_414E40[v15];                 // 关键处理
 83         v21 -= v16 == '@';
 84         v14 = v16 & 0x3F | (v14 << 6);
 85         if ( ++sizea == 4 )
 86         {
 87           sizea = 0;
 88           if ( v21 )
 89             *v12++ = BYTE2(v14);
 90           if ( v21 > 1 )
 91             *v12++ = BYTE1(v14);
 92           if ( v21 > 2 )
 93             *v12++ = v14;
 94         }
 95       }
 96       ++v7;
 97     }
 98     *v19 = v12 - v18;
 99     return 0;
100   }
101   *v19 = v13;
102   return -42;
103 }
View Code

识别base64解码函数是这题主要的考点,之后的操作就很简单

流程:

base64解码-->异或-->strcmp(&s_, "you_know_how_to_remove_junk_code")

1 import base64
2 
3 s = 'you_know_how_to_remove_junk_code'
4 tmp = ''
5 for i in range(len(s)):
6     tmp += chr(ord(s[i]) ^ 0x25)
7 print(base64.b64encode(tmp.encode('utf-8')))
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=

 

 


posted @ 2019-09-02 16:54  DirWangK  阅读(647)  评论(0编辑  收藏  举报