2020 BJDCTF Re encode

测试文件：https://www.lanzous.com/i9la55a

准备

获取信息：

• 32位文件
• UPX壳

IDA分析

UPX脱壳后，IDA打开

int sub_804887C()
{
  int v0; // eax
  int result; // eax
  int v2; // ecx
  unsigned int v3; // et1
  unsigned int i; // [esp+Ch] [ebp-FCh]
  unsigned int v5; // [esp+10h] [ebp-F8h]
  unsigned int v6; // [esp+14h] [ebp-F4h]
  int v7; // [esp+1Ah] [ebp-EEh]
  int v8; // [esp+1Eh] [ebp-EAh]
  int v9; // [esp+22h] [ebp-E6h]
  int v10; // [esp+26h] [ebp-E2h]
  __int16 v11; // [esp+2Ah] [ebp-DEh]
  char v12[30]; // [esp+2Ch] [ebp-DCh]
  int v13; // [esp+4Ah] [ebp-BEh]
  int v14; // [esp+4Eh] [ebp-BAh]
  int v15; // [esp+52h] [ebp-B6h]
  int v16; // [esp+56h] [ebp-B2h]
  int v17; // [esp+5Ah] [ebp-AEh]
  int v18; // [esp+5Eh] [ebp-AAh]
  int v19; // [esp+62h] [ebp-A6h]
  int v20; // [esp+66h] [ebp-A2h]
  int v21; // [esp+6Ah] [ebp-9Eh]
  int v22; // [esp+6Eh] [ebp-9Ah]
  int v23; // [esp+72h] [ebp-96h]
  int v24; // [esp+76h] [ebp-92h]
  __int16 v25; // [esp+7Ah] [ebp-8Eh]
  char v26; // [esp+7Ch] [ebp-8Ch]
  unsigned int v27; // [esp+FCh] [ebp-Ch]

  v27 = __readgsdword(0x14u);
  v7 = 'galF';
  v8 = 'ihT{';
  v9 = '_a_s';
  v10 = 'galF';
  v11 = '}';
  v5 = strlen(&v7);
  v13 = '8D8E';
  v14 = '19DB';
  v15 = 'A178';
  v16 = '65E1';
  v17 = 'F35F';
  v18 = '9884';
  v19 = 'F286';
  v20 = '4169';
  v21 = '2FA2';
  v22 = 'F8BA';
  v23 = 'A7DE';
  v24 = '5DFC';
  v25 = 'E';
  printf("Please input your flag:");
  read(0, &v26, 256);
  if ( strlen(&v26) != 21 )
    exit(0);
  v0 = sub_8048AC2((int)&v26);
  strcpy((int)v12, v0);
  v6 = length(v12);
  for ( i = 0; i < v6; ++i )                    // 异或操作
    v12[i] ^= *((_BYTE *)&v7 + i % v5);
  sub_8048E24(v12, v6, &v7, v5);
  if ( !strcmp(v12, &v13) )
    exit(0);
  printf("right!");
  result = 0;
  v3 = __readgsdword(0x14u);
  v2 = v3 ^ v27;
  if ( v3 != v27 )
    sub_806FA00(v2);
  return result;
}

很多未知函数，我们能够猜出是什么函数，在代码中已改。

代码分析

在代码中，有两处函数我们不清楚作用。第一处

v0 = sub_8048AC2((int)&v26);

函数传入参数是我们输入的字符串，打开函数后

int __cdecl sub_8048AC2(int a1)
{
  int v2; // [esp+8h] [ebp-20h]
  int v3; // [esp+Ch] [ebp-1Ch]
  int v4; // [esp+10h] [ebp-18h]
  int v5; // [esp+18h] [ebp-10h]
  int v6; // [esp+1Ch] [ebp-Ch]

  v5 = length(a1);
  if ( v5 % 3 )
    v2 = 4 * (v5 / 3 + 1);
  else
    v2 = 4 * (v5 / 3);
  v6 = sub_80597A0(v2 + 1);
  *(_BYTE *)(v2 + v6) = 0;
  v3 = 0;
  v4 = 0;
  while ( v2 - 2 > v3 )
  {
    *(_BYTE *)(v6 + v3) = a0123456789Abcd[(unsigned __int8)(*(_BYTE *)(v4 + a1) >> 2)];
    *(_BYTE *)(v6 + v3 + 1) = a0123456789Abcd[16 * (*(_BYTE *)(v4 + a1) & 3) | (unsigned __int8)(*(_BYTE *)(v4 + 1 + a1) >> 4)];
    *(_BYTE *)(v6 + v3 + 2) = a0123456789Abcd[4 * (*(_BYTE *)(v4 + 1 + a1) & 0xF) | (unsigned __int8)(*(_BYTE *)(v4 + 2 + a1) >> 6)];
    *(_BYTE *)(v6 + v3 + 3) = a0123456789Abcd[*(_BYTE *)(v4 + 2 + a1) & 0x3F];
    v4 += 3;
    v3 += 4;
  }
  if ( v5 % 3 == 1 )
  {
    *(_BYTE *)(v3 - 2 + v6) = 61;
    *(_BYTE *)(v3 - 1 + v6) = 61;
  }
  else if ( v5 % 3 == 2 )
  {
    *(_BYTE *)(v3 - 1 + v6) = 61;
  }
  return v6;
}

.rodata:080BB9A8 a0123456789Abcd db '0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',0

通过观察，这应该是一个变表的Base64加密

第二处

  sub_8048E24((int)v10, v4, (int)&v5, v3)

unsigned int __cdecl sub_8048E24(int a1, unsigned int a2, int a3, int a4)
{
  char v4; // ST2B_1
  unsigned int result; // eax
  unsigned int v6; // et1
  int v7; // [esp+1Ch] [ebp-11Ch]
  int v8; // [esp+20h] [ebp-118h]
  unsigned int i; // [esp+24h] [ebp-114h]
  char v10[256]; // [esp+2Ch] [ebp-10Ch]
  unsigned int v11; // [esp+12Ch] [ebp-Ch]

  v11 = __readgsdword(0x14u);
  sub_8048CC2((int)v10, a3, a4);
  LOBYTE(v7) = 0;
  LOBYTE(v8) = 0;
  for ( i = 0; i < a2; ++i )
  {
    v7 = (unsigned __int8)(v7 + 1);
    v8 = (unsigned __int8)(v10[v7] + v8);
    v4 = v10[v7];
    v10[v7] = v10[v8];
    v10[v8] = v4;
    *(_BYTE *)(a1 + i) ^= v10[(unsigned __int8)(v10[v7] + v10[v8])];
  }
  v6 = __readgsdword(0x14u);
  result = v6 ^ v11;
  if ( v6 != v11 )
    sub_806FA00();
  return result;
}

这应该是一个RC4加密函数， sub_8048CC2((int)v10, a3, a4);函数是初始化函数

思路

这样整个代码的思路就很明晰了，对输入字符串进行base64加密后，再进行异或操作，最后进行RC4加密(Key = "Flag{This_a_Flag}")，并与"E8D8BD91871A1E56F53F4889682F96142AF2AB8FED7ACFD5E"比较

解密

解密网站：

http://tool.chacuo.net/cryptrc4

http://ctf.ssleye.com/rc4.html

http://tools.jb51.net/password/rc4_encode

https://gchq.github.io/CyberChef/

得到解密的字符串：23152553081a5938126a3931275b0b1313085c330b356101511f105c

# -*- coding:utf-8 -*-

from base64 import b64decode

key = 'Flag{This_a_Flag}'
decode_byte = '23152553081a5938126a3931275b0b1313085c330b356101511f105c'

encode_base64 = ''
lists = []

for i in range(len(decode_byte)//2):
    lists.append(int(decode_byte[i*2:(i+1)*2],16))
# for i in range(0,len(decode_byte),2):
#     lists.append(int(decode_byte[i:i+2],16))

print (lists)
for i in range(len(lists)):
    encode_base64 += chr(lists[i] ^ ord(key[i%len(key)]))

t = '0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ='
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
table = str.maketrans(t, table)
flag = b64decode(encode_base64.translate(table))
print(flag)

get flag!

BJD{0v0_Y0u_g07_1T!}