程序流程很清晰
/*
 * Hex-Rays pseudocode of the crackme's main(): read a string, base64-decode it
 * with sub_401000, XOR every decoded byte with 0x25, and strcmp the result
 * against a fixed target string.
 *
 * Reviewer notes (grounded in the listing below):
 *  - sc/str together form a 100-byte stack buffer (1 byte + 0x63 zeroed), but
 *    scanf("%s") has no width limit, so input longer than 99 characters
 *    overruns it. s_/v14 is the 100-byte decode output buffer right above it.
 *  - de_s_len is never assigned before the call; sub_401000 reads *a1 as the
 *    output capacity before writing the decoded length, so as decompiled the
 *    capacity check depends on stack garbage. TODO confirm this is not a
 *    decompiler artifact.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    unsigned int v3; // edx
    unsigned int i; // ecx
    __m128i v5; // xmm1
    unsigned int v6; // esi
    const __m128i *v7; // eax
    __m128i v8; // xmm0
    int v9; // eax
    char sc; // [esp+0h] [ebp-CCh]   first byte of the 100-byte input buffer
    char str; // [esp+1h] [ebp-CBh]  remaining 0x63 bytes of the input buffer
    char s_; // [esp+64h] [ebp-68h]  first byte of the 100-byte decode buffer
    char v14; // [esp+65h] [ebp-67h] remaining 0x63 bytes of the decode buffer
    unsigned int de_s_len; // [esp+C8h] [ebp-4h]  in: capacity (uninitialised here), out: decoded length

    printf("please input your flah:");
    sc = 0;
    memset(&str, 0, 0x63u);
    // Unbounded read into a 100-byte buffer: no field width on %s.
    scanf("%s", &sc);
    s_ = 0;
    memset(&v14, 0, 0x63u);
    // base64 decode: sc -> s_, decoded length returned through de_s_len.
    sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));
    v3 = de_s_len; // decoded length (written by sub_401000 on success)
    i = 0;
    if ( de_s_len )
    {
        if ( de_s_len >= 0x10 )
        {
            // Vectorised XOR: 16 bytes at a time against the constant at
            // xmmword_414F20. Presumably sixteen 0x25 bytes, matching the
            // scalar tail below — TODO confirm in the data segment.
            v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);
            v6 = de_s_len - (de_s_len & 0xF); // length rounded down to a multiple of 16
            v7 = (const __m128i *)&s_;
            do
            {
                v8 = _mm_loadu_si128(v7);
                i += 16;
                ++v7;
                _mm_storeu_si128((__m128i *)&v7[-1], _mm_xor_si128(v8, v5));
            }
            while ( i < v6 );
        }
        // Scalar tail: XOR the remaining (< 16) bytes with 0x25.
        for ( ; i < v3; ++i )
            *(&s_ + i) ^= 0x25u;
    }
    v9 = strcmp(&s_, "you_know_how_to_remove_junk_code");
    // Normalises a non-zero strcmp result to -1/+1; only zero-ness is used.
    if ( v9 )
        v9 = -(v9 < 0) | 1;
    if ( v9 )
        printf("wrong ");
    else
        printf("correct ");
    system("pause");
    return 0;
}
关键比较
从 strcmp(&s_, "you_know_how_to_remove_junk_code") 向上回溯,发现 sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));
进入函数分析可以发现是base64解码
/*
 * Hex-Rays pseudocode of the base64 decoder called from main().
 *
 * Contract as visible here:
 *  - sc/size: input text and its length.
 *  - a2: output buffer; if NULL the function only reports the needed size.
 *  - a1: on entry *a1 is read as the output capacity; on success *a1 receives
 *    the number of bytes written, on the too-small path it receives the
 *    required size. The caller must initialise *a1.
 *  - byte_414E40: 256-entry decode table; 0x7F marks an invalid character,
 *    '@' (64) marks the '=' padding entry, values below '@' are data symbols.
 *  - Returns 0 on success, 0xFFFFFFD4 (-44) on an invalid character and -42
 *    when the output buffer is too small. The structure and these two error
 *    codes match mbedtls_base64_decode (-0x2C / -0x2A) — TODO confirm against
 *    the binary.
 *
 * NOTE(review): the page shows several distinct whitespace checks all as ' '
 * (e.g. the two-character test on sc[k], sc[k+1] and the three-way test in
 * the second loop). These are most likely CR/LF literals mangled by the
 * rendering; treat every ' ' below as "some line-break/space character".
 */
signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *sc, unsigned int size)
{
    int j; // ebx            count of '=' padding characters seen
    unsigned int k; // eax   input index
    int v6; // ecx           count of data symbols (excluding skipped whitespace)
    unsigned __int8 *v7; // edi
    int v8; // edx           spaces skipped before the current symbol
    bool v9; // zf
    unsigned __int8 v10; // cl
    char v11; // cl
    _BYTE *v12; // esi       output write pointer
    unsigned int v13; // ecx required output size
    int v14; // ebx          24-bit accumulator of four 6-bit symbols
    unsigned __int8 v15; // cl
    char v16; // dl
    _BYTE *v18; // [esp+Ch] [ebp-Ch]
    unsigned int *v19; // [esp+10h] [ebp-8h]
    int v20; // [esp+14h] [ebp-4h]
    unsigned int v21; // [esp+14h] [ebp-4h]  bytes to emit per 4-symbol group (3 minus padding)
    int sizea; // [esp+24h] [ebp+Ch]         symbols accumulated in the current group

    j = 0;
    v18 = a2;
    k = 0;
    v6 = 0;
    v19 = a1;
    v20 = 0;
    if ( !size )
        return 0;
    v7 = sc;
    // Pass 1: validate the input and count data symbols / padding.
    do
    {
        v8 = 0;
        v9 = k == size;
        if ( k < size )
        {
            do
            {
                if ( sc[k] != ' ' )
                    break;
                ++k; // skip leading spaces
                ++v8;
            }
            while ( k < size );
            v9 = k == size;
        }
        if ( v9 )
            break; // trailing spaces are accepted
        if ( size - k >= 2 && sc[k] == ' ' && sc[k + 1] == ' ' || (v10 = sc[k], v10 == ' ') )
        {
            v6 = v20; // line break: nothing counted
        }
        else
        {
            if ( v8 )
                return 0xFFFFFFD4; // space inside a line is rejected
            if ( v10 == '=' && (unsigned int)++j > 2 )
                return 0xFFFFFFD4; // more than two '=' rejected
            if ( v10 > 0x7Fu )
                return 0xFFFFFFD4; // non-ASCII byte rejected before the table lookup
            v11 = byte_414E40[v10];
            if ( v11 == 0x7F || (unsigned __int8)v11 < '@' && j )
                return 0xFFFFFFD4; // invalid symbol, or a data symbol after padding
            v6 = v20++ + 1;
        }
        ++k;
    }
    while ( k < size );
    if ( !v6 )
        return 0;
    v12 = v18;
    // Required output bytes: 6 bits per symbol rounded up, minus padding.
    v13 = ((unsigned int)(6 * v6 + 7) >> 3) - j;
    if ( v18 && *v19 >= v13 )
    {
        v21 = 3;
        v14 = 0;
        // Pass 2: decode the k bytes accepted above, four symbols per 3 output bytes.
        for ( sizea = 0; k; --k )
        {
            v15 = *v7;
            if ( *v7 != ' ' && v15 != ' ' && v15 != ' ' )
            {
                v16 = byte_414E40[v15]; // table lookup: 6-bit value, or '@' for '='
                v21 -= v16 == '@'; // each '=' drops one output byte from this group
                v14 = v16 & 0x3F | (v14 << 6);
                if ( ++sizea == 4 )
                {
                    sizea = 0;
                    if ( v21 )
                        *v12++ = BYTE2(v14);
                    if ( v21 > 1 )
                        *v12++ = BYTE1(v14);
                    if ( v21 > 2 )
                        *v12++ = v14;
                }
            }
            ++v7;
        }
        *v19 = v12 - v18; // bytes actually written
        return 0;
    }
    *v19 = v13; // report the required size
    return -42;
}
识别base64解码函数是这题主要的考点,之后的操作就很简单
流程:
base64解码-->异或-->strcmp(&s_, "you_know_how_to_remove_junk_code")
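import base64

# XOR key applied to every decoded byte before the strcmp in main().
XOR_KEY = 0x25

s = 'you_know_how_to_remove_junk_code'


def encode_flag(plain: str, key: int = XOR_KEY) -> bytes:
    """Return the base64 text that the binary decodes and XORs into ``plain``.

    Inverts the check in main(): base64-decode -> XOR each byte with ``key``
    -> strcmp against ``plain``. XOR is its own inverse, so the accepted
    input is base64(plain XOR key).

    The XOR is applied to the UTF-8 *bytes*, not to ``chr``/``ord`` code
    points as the original one-liner did: a code point whose XOR result is
    >= 0x80 would be re-encoded by ``.encode('utf-8')`` into two bytes and
    corrupt the payload. For the all-ASCII target string both agree.

    Args:
        plain: the string main() compares the decoded, XORed input against.
        key: single-byte XOR key, 0..255.

    Returns:
        The base64-encoded flag as bytes; ``b''`` when ``plain`` is empty.

    Raises:
        ValueError: if ``key`` is outside 0..255 (raised by ``bytes()``).
    """
    xored = bytes(b ^ key for b in plain.encode('utf-8'))
    return base64.b64encode(xored)


# Decode to text so the printed value is the bare flag, not a b'...' repr.
print(encode_flag(s).decode('ascii'))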
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=