2020-11-22 d60a3e994fdffc152f49af90218427ac 99+ 4 m 0.6 k0 visits

moectf2020 write up for RxEncode

前言

很难很难很难很难的一道逆向题QAQ非新手友好向QAQQQ

不敢想象后面的easyC++有多难Or2

逻辑分析

拖入IDA中进行分析：

程序里头s2 + v15 + v16的地址是连在一起的，整体应当是一个被IDA解析成碎片的字符串

分析主函数逻辑可知程序会将我们输入的flag经过RxEncode()函数处理后与前面的那个字符串进行比对

核心函数：RxEncode()

接下来分析RxEncode()

一堆看不懂的操作QAQ

不过我们可以发现其用到了一个find_pos()函数，里面有一个类似base64码表的东西

大胆猜测RxEncode()应当是一个换表base64解码（decode）函数！

所以说这个起名方式…

写一个换表base64程序就能够得到flag啦~

解码程序

#include <iostream>
#include <cstdlib>
#include <cstring>

using namespace std;

char key_form[100] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/=";

char * encode(char * str);

int main(void)
{
    //initialize the encoded flag
    char decoded_flag[100];
    long long *ptr = static_cast<long long*>((void*)decoded_flag);
    *ptr = 0x4AD158FEB59C879ALL;
    *(ptr + 1) = 0xCBEBFDFA6CED0BFELL;
    *(ptr + 2) = 0x7A47A38E43A334E8LL;
    *(ptr + 3) = 0x0000000000000000LL;
    *(ptr + 4) = 0;
    char * flag;

    //decode the flag
    flag = encode(decoded_flag);
    cout << "flag: " << flag << endl;s

    //return 0 to the system
    return 0;
}

char * encode(char * str)
{
    int len = strlen(str);
    int bins_used = 0;
    int index = 0;
    char * flag = static_cast<char*>(malloc(0x80));

    for(int i=0;str[i];)
    {
        if(bins_used == 0)
        {
            unsigned char ch = str[i];
            ch >>= 2;
            flag[index++] = ch;
            //flag[index++] = (str[i] >> 2);
            bins_used = 6;
        }
        else if (bins_used == 6)
        {
            unsigned char ch1 = str[i];ch1 <<= 6;ch1 >>= 2;
            unsigned char ch2 = str[i+1];ch2 >>= 4;
            flag[index++] = ch1+ ch2;
            //flag[index++] = (((str[i] << 6) >> 2) + (str[i+1] >> 4));
            bins_used = 4;
            i++;
        }
        else if (bins_used == 4)
        {
            unsigned char ch1 = str[i];ch1 <<= 4;ch1 >>= 2;
            unsigned char ch2 = str[i+1];ch2 >>= 6;
            flag[index++] = ch1+ ch2;
            //flag[index++] = ((str[i] << 4) >> 2) + (str[i+1] >> 6);
            bins_used = 2;
            i++;
        }
        else if(bins_used == 2)
        {
            unsigned char ch = str[i];
            ch <<= 2;
            ch >>= 2;
            flag[index++] = ch;
            //flag[index++] = ((str[i] << 2) >> 2);
            bins_used = 0;
            i++;
        }
    }
    flag[index] = '\0';

    for(int i=0;i<index;i++)
    {
        flag[i] = key_form[flag[i]];
    }

    return flag;
}

得到flag

1	moectf{Y0Ur+C+1s+v3ry+g0o0OOo0d}

后面才发现python有好多可以用的库…好气啊…

不过我也不会python T T..

以及还需要注意大小端序（wsm倒着存啊…以前的程序员思路好奇怪欸…）
1
2
3
4
5
6
7
8
from base64 import *
from string import *

decoded_flag = b'\x9A\x87\x9C\xB5\xFE\x58\xD1\x4A\xFE\x0B\xED\x6C\xFA\xFD\xEB\xCB\xE8\x34\xA3\x43\x8E\xA3\x47\x7A'

flag = b64encode(decoded_flag).decode().translate(str.maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/"))

print(flag)

moectf2020 write up for RxEncode

http://meteorpursuer.github.io/2020/11/22/moectf2020 write up for RxEncode/

Author

MeteorPursuer

Posted on

2020-11-22

Updated on

2020-11-22

moectf2020 write up for RxEncode

前言

逻辑分析

核心函数：RxEncode()

解码程序

Author

Posted on

Updated on

Licensed under

Like this article? Support the author with

Links

Latest Comment

Recents

Categories

Archives

Tags

Subscribe for updates