文章目錄

• • 拖進(jìn)ida
  • RxEncode(&s, 33)
  • strcmp
  • 分析過(guò)程
  • • 腳本

拖進(jìn)ida

找到關(guān)鍵函數(shù)RxEncode(&s, 33)

RxEncode(&s, 33)

void *__fastcall RxEncode(const char *a1, int a2) {void *result; // raxint v3; // [rsp+18h] [rbp-38h]signed int v4; // [rsp+1Ch] [rbp-34h]int v5; // [rsp+20h] [rbp-30h]signed int v6; // [rsp+24h] [rbp-2Ch]int v7; // [rsp+28h] [rbp-28h]int v8; // [rsp+28h] [rbp-28h]signed int i; // [rsp+2Ch] [rbp-24h]_BYTE *v10; // [rsp+30h] [rbp-20h]void *s; // [rsp+38h] [rbp-18h]v3 = 3 * (a2 / 4);v4 = 0;v5 = 0;if ( a1[a2 - 1] == '=' )v4 = 1;if ( a1[a2 - 2] == '=' )++v4;if ( a1[a2 - 3] == '=' )++v4;if ( v4 == 3 ){v3 += 2;}else if ( v4 <= 3 ){if ( v4 == 2 ){v3 += 3;}else if ( v4 <= 2 ){if ( v4 ){if ( v4 == 1 )v3 += 4;}else{v3 += 4;}}}s = malloc(v3);if ( s ){memset(s, 0, v3);v10 = s;while ( v5 < a2 - v4 ){v6 = 0;v7 = 0;while ( v6 <= 3 && v5 < a2 - v4 ){v7 = (v7 << 6) | (char)find_pos(a1[v5]);++v6;++v5;}v8 = v7 << 6 * (4 - v6);for ( i = 0; i <= 2 && i != v6; ++i )*v10++ = v8 >> 8 * (2 - i);}*v10 = 0;result = s;}else{puts("No enough memory.");result = 0LL;}return result; }

看到了find_pos函數(shù)

strcmp

strcmp(s1, s2) unsigned char s2[] = {0x9E, 0x9B, 0x9C, 0xB5, 0xFE, 0x70, 0xD3, 0x0F, 0xB2, 0xD1, 0x4F, 0x9C, 0x02, 0x7F, 0xAB, 0xDE, 0x59, 0x65, 0x63, 0xE7, 0x40, 0x9D, 0xCD, 0xFA };

分析過(guò)程

一眼看上去，有點(diǎn)像關(guān)于base64的一些操作，仔細(xì)一看不是（以為又可以動(dòng)用工具進(jìn)行一系列操作。。）然后看了一下大佬的wp，他們直接玩爆破。。。。。

腳本

table="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/=" c="9E9B9C B5FE70 D30FB2 D14F9C 027FAB DE5965 63E740 9DCDFA" c=c.split() for i in range(len(c)):c[i]=eval("0x"+c[i])print(c) for x in c:t=0for i in range(len(table)):for j in range(len(table)):for k in range(len(table)):for l in range(len(table)):t=(0<<6)|it=(t<<6)|jt=(t<<6)|kt=(t<<6)|lif(t==x):print(table[i]+table[j]+table[k]+table[l])

把帶有=的刪掉，剩下的拼接起來(lái)就是flag

npuctf{w0w+y0U+cAn+r3lllY+dAnc3}

總結(jié)

以上是生活随笔為你收集整理的[NPUCTF2020]你好sao啊的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。