Contents

  • baby.bc
    • Compilation
    • IDA analysis
    • RC4
      • Initialization
      • Encryption
    • Modified Base64
    • Result array
    • Decryption code:
  • Summary

baby.bc

Compilation

llc chall.bc -o chall.s


Then, when turning the .s (assembly) file into an executable, compilation produced the following errors:

 gcc -c chall.s -o hello

The errors:

chall.s: Assembler messages:
chall.s:4: Error: unknown pseudo-op: `.def'
chall.s:5: Error: unknown pseudo-op: `.scl'
chall.s:6: Error: Missing symbol name in directive
chall.s:7: Error: unknown pseudo-op: `.endef'
chall.s:8: Error: expected symbol name
chall.s:9: Error: expected symbol name
chall.s:11: Error: unknown pseudo-op: `.def'
chall.s:12: Error: unknown pseudo-op: `.scl'
chall.s:13: Error: Missing symbol name in directive
chall.s:13: Error: unrecognized symbol type "32"
chall.s:14: Error: unknown pseudo-op: `.endef'
chall.s:30: Error: register save offset not a multiple of 8
chall.s:105: Error: unknown pseudo-op: `.def'
chall.s:106: Error: unknown pseudo-op: `.scl'
chall.s:107: Error: Missing symbol name in directive
chall.s:107: Error: unrecognized symbol type "32"
chall.s:108: Error: unknown pseudo-op: `.endef'
chall.s:122: Error: register save offset not a multiple of 8
chall.s:196: Error: unknown pseudo-op: `.def'
chall.s:197: Error: unknown pseudo-op: `.scl'
chall.s:198: Error: Missing symbol name in directive
chall.s:198: Error: unrecognized symbol type "32"
chall.s:199: Error: unknown pseudo-op: `.endef'
chall.s:331: Error: unknown pseudo-op: `.def'
chall.s:332: Error: unknown pseudo-op: `.scl'
chall.s:333: Error: Missing symbol name in directive
chall.s:333: Error: unrecognized symbol type "32"
chall.s:334: Error: unknown pseudo-op: `.endef'
chall.s:350: Error: register save offset not a multiple of 8
chall.s:352: Error: register save offset not a multiple of 8
chall.s:483: Fatal error: bad .section directive: want a,w,x,M,S,G,T in string

This is what the LLVM on Windows produced, so I set up LLVM on Linux instead.
Compiling there gives an ELF file; drag it into IDA to look at it.
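The directives GNU as rejected above (.def, .scl, .endef, and the .section flags) are COFF (Windows object format) pseudo-ops, which is why assembly emitted by a Windows llc does not assemble on Linux. An added example, not part of the original write-up: a small POSIX shell helper that lowers the bitcode with an explicit ELF target triple and refuses to assemble a .s file that still carries COFF-only directives. It assumes llc and gcc are on PATH; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes llc and gcc on PATH;
# the function names below are my own.

# Succeed if an assembly file contains COFF-only pseudo-ops: the .def/.scl/.endef
# triplets seen in the error output, plus .seh_* unwind directives.
has_coff_directives() {
    grep -Eq '^[[:space:]]*\.(def|scl|endef|seh_)' "$1"
}

# Lower bitcode to ELF assembly by naming the target triple explicitly (this
# overrides whatever triple the module records), check the output, then
# assemble and link it. Usage: build_from_bitcode chall.bc chall
build_from_bitcode() {
    bc="$1"
    out="$2"
    llc -mtriple=x86_64-pc-linux-gnu "$bc" -o "$out.s" || return 1
    if has_coff_directives "$out.s"; then
        echo "$out.s still contains COFF directives; check the target triple" >&2
        return 1
    fi
    gcc "$out.s" -o "$out"
}
```

The check is deliberately run before gcc so the failure message points at the real cause (wrong object format) rather than at a wall of "unknown pseudo-op" lines.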

IDA analysis

RC4

Key

unsigned char ida_chars[] =
{0x11, 0x45, 0x14, 0x61, 0x76, 0x61, 0x6C, 0x6F, 0x6E, 0x2C, 0x79, 0x79, 0x64, 0x73
};

Initialization

__int64 __fastcall func_114514(__int64 a1, __int64 a2, int a3)
{
  int s[257]; // [rsp+0h] [rbp-430h] BYREF
  unsigned int v5; // [rsp+404h] [rbp-2Ch]
  __int64 v6; // [rsp+408h] [rbp-28h]
  int v7; // [rsp+410h] [rbp-20h]
  int v8; // [rsp+414h] [rbp-1Ch]
  __int64 v9; // [rsp+418h] [rbp-18h]
  int v10; // [rsp+424h] [rbp-Ch]
  int i; // [rsp+428h] [rbp-8h]
  int j; // [rsp+42Ch] [rbp-4h]

  v9 = a1;
  v6 = a2;
  v7 = a3;
  v10 = 0;
  memset(s, 0, 0x400uLL);
  for ( i = 0; i < 256; ++i )
  {
    *(_DWORD *)(v9 + 4LL * i) = i;              // initialise the v9 array (state vector S)
    s[i] = *(unsigned __int8 *)(v6 + i % v7);   // fill the s array (temporary vector T) from the dest array
  }
  for ( j = 0; j < 256; ++j )
  {
    v10 = (unsigned __int8)(LOBYTE(s[j]) + *(_BYTE *)(v9 + 4LL * j) + v10); // add S[j], T[j] and v10, keep the low byte; v10 is then used as an index
    v8 = *(_DWORD *)(v9 + 4LL * j);             // v8 is a temporary
    *(_DWORD *)(v9 + 4LL * j) = *(_DWORD *)(v9 + 4LL * v10);
    *(_DWORD *)(v9 + 4LL * v10) = v8;
  }
  return v5;
}

Encryption

__int64 __fastcall func_1919810(__int64 a1, __int64 a2, int a3)
{
  unsigned int v4; // [rsp+0h] [rbp-2Ch]
  int i; // [rsp+1Ch] [rbp-10h]
  int v6; // [rsp+20h] [rbp-Ch]
  int v7; // [rsp+24h] [rbp-8h]
  unsigned __int8 v8; // [rsp+2Bh] [rbp-1h]

  v7 = 0;
  LOBYTE(v6) = 0;
  for ( i = 0; i < a3; ++i )
  {
    v7 = (v7 + 1) % 256;
    v6 = (unsigned __int8)(*(_BYTE *)(a1 + 4LL * v7) + v6);
    v8 = *(_DWORD *)(a1 + 4LL * v7);
    *(_DWORD *)(a1 + 4LL * v7) = *(_DWORD *)(a1 + 4LL * v6);
    *(_DWORD *)(a1 + 4LL * v6) = v8;
    *(_BYTE *)(a2 + i) ^= *(_BYTE *)(a1 + 4LL * (unsigned __int8)(*(_BYTE *)(a1 + 4LL * v6) + *(_BYTE *)(a1 + 4LL * v7)));
  }
  return v4;
}

Modified Base64

What kind of variant is this? It computes the index directly and then works with the index by subtraction (that is, it never uses the index to look up a value in the Base64 table).

__int64 __fastcall HSencode(__int64 a1, int a2, __int64 a3)
{
  unsigned int v4; // [rsp+0h] [rbp-28h]
  int v5; // [rsp+4h] [rbp-24h]
  int v6; // [rsp+20h] [rbp-8h]
  int v7; // [rsp+24h] [rbp-4h]

  if ( a2 % 3 )
    v5 = 4 * (a2 / 3 + 1);
  else
    v5 = 4 * (a2 / 3);
  v7 = 0;
  v6 = 0;
  while ( v7 < v5 - 2 )
  {
    *(_BYTE *)(a3 + v7) = (((int)*(unsigned __int8 *)(a1 + v6) >> 2) & 0x3F) + 0x3D;
    *(_BYTE *)(a3 + v7 + 1) = (((int)*(unsigned __int8 *)(a1 + v6 + 1) >> 4) & 0xF | (16 * (*(_BYTE *)(a1 + v6) & 3))) + 61;
    *(_BYTE *)(a3 + v7 + 2) = (((int)*(unsigned __int8 *)(a1 + v6 + 2) >> 6) & 3 | (4 * (*(_BYTE *)(a1 + v6 + 1) & 0xF))) + 61;
    *(_BYTE *)(a3 + v7 + 3) = (*(_BYTE *)(a1 + v6 + 2) & 0x3F) + 61;
    v6 += 3;
    v7 += 4;
  }
  if ( a2 % 3 == 1 )
  {
    *(_BYTE *)(a3 + v7 - 2) = '=';
  }
  else if ( a2 % 3 != 2 )
  {
    return v4;
  }
  *(_BYTE *)(a3 + v7 - 1) = '=';
  return v4;
}

Result array

unsigned char bytes_114514[] =
{
  0x40, 0x42, 0x64, 0x78, 0x52, 0x54, 0x62, 0x52, 0x42, 0x62, 0x6A, 0x49, 0x56, 0x66,
  0x60, 0x50, 0x45, 0x79, 0x71, 0x65, 0x5E, 0x5C, 0x5E, 0x5C, 0x7C, 0x63, 0x63, 0x7C,
  0x4A, 0x52, 0x75, 0x62, 0x61, 0x47, 0x4C, 0x79, 0x74, 0x48, 0x65, 0x52, 0x49, 0x40,
  0x6A, 0x67, 0x4E, 0x65, 0x67, 0x48, 0x55, 0x5B, 0x4D, 0x79, 0x79, 0x5D, 0x3D, 0x3D
};

We need to subtract 0x3D from each result byte, use that as an index into the Base64 alphabet, Base64-decode the resulting string, and then RC4-decrypt the bytes.
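The three steps just described (undo the +0x3D index arithmetic, Base64-decode, RC4-decrypt), together with the RC4 routines from the Initialization and Encryption sections, as one added Python script. This is not the write-up's own solve code: it embeds the key and result array shown on this page, the function names (rc4, hs_decode_to_base64, hs_encode, solve) are my own, and it re-encodes the recovered RC4 ciphertext with a reimplementation of HSencode's forward direction to confirm the decoder really is the inverse of what the binary does.

```python
# Added example, not the write-up's own script: HSencode output -> Base64 ->
# RC4 plaintext, with the decoder checked by re-encoding the result.
import base64
from typing import Tuple

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
OFFSET = 0x3D  # HSencode adds this to every 6-bit index instead of indexing B64

# ida_chars (the key) and bytes_114514 (the result array) as shown above.
KEY = bytes([0x11, 0x45, 0x14, 0x61, 0x76, 0x61, 0x6C, 0x6F,
             0x6E, 0x2C, 0x79, 0x79, 0x64, 0x73])
RESULT = bytes([
    0x40, 0x42, 0x64, 0x78, 0x52, 0x54, 0x62, 0x52, 0x42, 0x62, 0x6A, 0x49,
    0x56, 0x66, 0x60, 0x50, 0x45, 0x79, 0x71, 0x65, 0x5E, 0x5C, 0x5E, 0x5C,
    0x7C, 0x63, 0x63, 0x7C, 0x4A, 0x52, 0x75, 0x62, 0x61, 0x47, 0x4C, 0x79,
    0x74, 0x48, 0x65, 0x52, 0x49, 0x40, 0x6A, 0x67, 0x4E, 0x65, 0x67, 0x48,
    0x55, 0x5B, 0x4D, 0x79, 0x79, 0x5D, 0x3D, 0x3D,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). func_114514/func_1919810 keep S in a 256-entry
    int array but only ever use the low byte of each entry, so this matches."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA, as in func_114514
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for c in data:  # PRGA, as in func_1919810 (XOR is its own inverse)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hs_decode_to_base64(enc: bytes) -> str:
    """Map HSencode output back to a standard Base64 string.
    Caveat: 0x3D is both the literal '=' pad and the encoding of index 0 ('A'),
    so only the trailing run of 0x3D is treated as padding."""
    body = enc.rstrip(b"\x3d")
    if any(b < OFFSET or b - OFFSET > 63 for b in body):
        raise ValueError("byte outside the HSencode range")
    return "".join(B64[b - OFFSET] for b in body) + "=" * (len(enc) - len(body))


def hs_encode(data: bytes) -> bytes:
    """Forward direction of HSencode: Base64 index + 0x3D, '=' kept as 0x3D."""
    return bytes(OFFSET if ch == "=" else B64.index(ch) + OFFSET
                 for ch in base64.b64encode(data).decode())


def solve(enc: bytes = RESULT, key: bytes = KEY) -> Tuple[str, bytes, bytes]:
    """Return (Base64 string, RC4 ciphertext, plaintext) for the result array."""
    b64 = hs_decode_to_base64(enc)
    ct = base64.b64decode(b64)
    return b64, ct, rc4(key, ct)


if __name__ == "__main__":
    b64, ct, pt = solve()
    print(b64)          # the string the write-up's first loop prints
    print(ct.hex())     # the 40 bytes the write-up feeds to rc4_crypt
    print(pt)
```

The trailing-0x3D rule is safe here because the plaintext is 40 bytes and 40 % 3 == 1, so HSencode always writes exactly two '=' bytes; on an input whose Base64 form legitimately ends in 'A' the decoder would need the original length to tell pad from data.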

Decryption code:

#include <iostream>
#include <cstring>
using namespace std;

void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    int i = 0, j = 0;
    unsigned char k[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++)
    {
        s[i] = i;
        k[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j]; // swap s[i] and s[j]
        s[j] = tmp;
    }
}

void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k < Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j]; // swap s[i] and s[j]
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

int main()
{
    const char base[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    unsigned char ida_charsa[] =
    {
        0x40, 0x42, 0x64, 0x78, 0x52, 0x54, 0x62, 0x52, 0x42, 0x62,
        0x6A, 0x49, 0x56, 0x66, 0x60, 0x50, 0x45, 0x79, 0x71, 0x65,
        0x5E, 0x5C, 0x5E, 0x5C, 0x7C, 0x63, 0x63, 0x7C, 0x4A, 0x52,
        0x75, 0x62, 0x61, 0x47, 0x4C, 0x79, 0x74, 0x48, 0x65, 0x52,
        0x49, 0x40, 0x6A, 0x67, 0x4E, 0x65, 0x67, 0x48, 0x55, 0x5B,
        0x4D, 0x79, 0x79, 0x5D
    };
    // subtract 0x3D from each byte and use it as an index into the Base64 table
    for (int i = 0; i < 54; i++) {
        char c = base[ida_charsa[i] - 0x3D];
        cout << c;
    }
    // Base64-decoding the string printed above gives these 40 bytes
    unsigned char ida_chars[] =
    {
        0x0C, 0x59, 0xFB, 0x55, 0x79, 0x55, 0x16, 0x5B, 0x4C, 0x66,
        0x98, 0xD3, 0x23, 0xCD, 0x28, 0x85, 0xF8, 0x5F, 0xFE, 0x69,
        0xBF, 0x35, 0x5E, 0x25, 0x90, 0xA3, 0xFC, 0xDC, 0xBA, 0x15,
        0x30, 0x3B, 0x6A, 0x46, 0x8A, 0x8B, 0x61, 0xE4, 0x3C, 0xF2
    };
    char key[256] = { 0x11, 0x45, 0x14, 0x61, 0x76, 0x61, 0x6C, 0x6F, 0x6E, 0x2C,
                      0x79, 0x79, 0x64, 0x73 };
    unsigned char s[256] = { 0 }, s2[256] = { 0 };
    rc4_init(s, (unsigned char*)key, strlen(key));
    for (int i = 0; i < 256; i++) // keep a copy of the initialised s[i] in s2[i]; this matters!
    {
        s2[i] = s[i];
    }
    cout << endl;
    rc4_crypt(s2, (unsigned char*)ida_chars, 40);
    for (int i = 0; i < 40; i++) {
        cout << char(ida_chars[i]);
    }
}

Base64 string printed by the first loop:

DFn7VXlVFltMZpjTI80ohfhf/mm/NV4lkKP83LoVMDtqRoqLYeQ88g

Summary

  1. RC4
  2. Modified Base64
  3. LLVM on a Linux system
