easyre

Base64 编码函数 encode_one 的反编译代码(Base64 是编码,不是加密)

// Decompiler output for a Base64-style encoder: turns a2 input bytes at a1 into
// 4-character groups written to a3, looking each character up in `alphabet`.
// Returns 0 on success and 0xFFFFFFFF when a1 is NULL or a2 is 0; when a4 is
// non-NULL it receives the number of characters produced.
// `alphabet` and cmove_bits() are defined outside this listing. Whether the
// output is standard Base64 depends on the table contents, so check the table
// before relying on a stock decoder.
// NOTE(review): a3 has no size parameter and no terminating NUL is written
// here, so the caller has to supply at least v8 bytes and terminate the string.
__int64 __fastcall encode_one(char *a1, int a2, char *a3, int *a4)
{
  int v5; // esi
  int v6; // esi
  int v7; // esi
  int v8; // [rsp+34h] [rbp-1Ch]
  int v9; // [rsp+38h] [rbp-18h]
  int v11; // [rsp+48h] [rbp-8h]
  int i; // [rsp+4Ch] [rbp-4h]
  unsigned __int8 *v13; // [rsp+70h] [rbp+20h]

  v13 = (unsigned __int8 *)a1;
  if ( !a1 || !a2 )
    return 0xFFFFFFFFi64;
  // v11 = number of bytes missing to make the input length a multiple of 3.
  v11 = 0;
  if ( a2 % 3 )
    v11 = 3 - a2 % 3;
  // v9 = padded input length, v8 = output length (4 characters per 3 bytes).
  v9 = a2 + v11;
  v8 = 8 * (a2 + v11) / 6;
  for ( i = 0; i < v9; i += 3 )
  {
    // First output character: the first input byte shifted right by two.
    // NOTE(review): the (char) cast is signed as decompiled; for input bytes
    // >= 0x80 the index would be negative if char is signed here - confirm
    // against the disassembly.
    *a3 = alphabet[(char)*v13 >> 2];
    // True only for the last group, and only when padding is needed.
    if ( a2 + v11 - 3 == i && v11 )
    {
      if ( v11 == 1 )
      {
        // Two real input bytes left: three table characters, then one '='.
        // cmove_bits() is opaque here; from how its results are summed it
        // presumably isolates and repositions a bit field - TODO confirm.
        v5 = (char)cmove_bits(*v13, 6u, 2u);
        a3[1] = alphabet[v5 + (char)cmove_bits(v13[1], 0, 4u)];
        a3[2] = alphabet[(char)cmove_bits(v13[1], 4u, 2u)];
        a3[3] = 61; // ASCII '='
      }
      else if ( v11 == 2 )
      {
        // One real input byte left: two table characters, then "==".
        a3[1] = alphabet[(char)cmove_bits(*v13, 6u, 2u)];
        a3[2] = 61;
        a3[3] = 61;
      }
    }
    else
    {
      // Full 3-byte group: four table characters, no padding.
      v6 = (char)cmove_bits(*v13, 6u, 2u);
      a3[1] = alphabet[v6 + (char)cmove_bits(v13[1], 0, 4u)];
      v7 = (char)cmove_bits(v13[1], 4u, 2u);
      a3[2] = alphabet[v7 + (char)cmove_bits(v13[2], 0, 6u)];
      a3[3] = alphabet[v13[2] & 0x3F];
    }
    // Advance one output group (4 chars) and one input group (3 bytes).
    a3 += 4;
    v13 += 3;
  }
  if ( a4 )
    *a4 = v8;
  return 0i64;
}

404

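import base64
import urllib.parse

key = "HereIsFlagggg"
flag = "xxxxxxxxxxxxxxxxxxx"  # placeholder shipped with the challenge source


def rc4_xor(key, text):
    """XOR *text* with the RC4 keystream derived from *key*.

    Both arguments are strings; every character is treated as its code point.
    RC4 is symmetric, so the same call encrypts and decrypts.

    Raises:
        ValueError: if *key* is empty (the key schedule indexes key modulo
            its length).
    """
    if not key:
        raise ValueError("key must not be empty")

    # Key-scheduling algorithm: permute 0..255 under control of the key.
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]

    # Keystream generation: one keystream byte per input character.
    out = []
    i = j = 0
    for ch in text:
        i = (i + 1) % 256
        j = (j + s_box[i]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
        k = s_box[(s_box[i] + s_box[j]) % 256]
        out.append(chr(ord(ch) ^ k))
    return "".join(out)


cipher = rc4_xor(key, flag)
# The Base64 encode is undone by the decode on the next line, so enc equals
# cipher before quoting; the only transformations that matter are RC4 and the
# URL quoting.
crypt = base64.b64encode(cipher.encode('utf-8')).decode('utf-8')
enc = base64.b64decode(crypt).decode('utf-8')
# quote() percent-encodes the UTF-8 bytes, which is why code points >= 0x80
# show up as two-byte %C2xx / %C3xx sequences in the published value.
enc = urllib.parse.quote(enc)
print(enc)
# enc = %C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA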

1717937134032-d68b3536-93ff-4c10-87b0-c751d06e5e85.png

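import base64
import urllib.parse

key = "HereIsFlagggg"
enc = "%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA"
# unquote() decodes the percent-escapes as UTF-8, giving back one character
# per ciphertext byte (code points 0..255).
enc = urllib.parse.unquote(enc)


def rc4_xor(key, text):
    """XOR *text* with the RC4 keystream derived from *key*.

    Both arguments are strings; every character is treated as its code point.
    RC4 is symmetric, so running the encryption routine over the ciphertext
    with the same key returns the plaintext.

    Raises:
        ValueError: if *key* is empty (the key schedule indexes key modulo
            its length).
    """
    if not key:
        raise ValueError("key must not be empty")

    # Key-scheduling algorithm: permute 0..255 under control of the key.
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]

    # Keystream generation: one keystream byte per input character.
    out = []
    i = j = 0
    for ch in text:
        i = (i + 1) % 256
        j = (j + s_box[i]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
        k = s_box[(s_box[i] + s_box[j]) % 256]
        out.append(chr(ord(ch) ^ k))
    return "".join(out)


cipher = rc4_xor(key, enc)
print(cipher)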

405 简单逆向

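flag = 'xxxxxxxxxxxxxxxxxxxxx'  # placeholder shipped with the challenge source
s = 'wesyvbniazxchjko1973652048@$+-&*<>'


def encode(text, table=s):
    """Encode *text* as two table characters per input character.

    Each code point is split into quotient and remainder modulo 17; both are
    offset by the character's position and used as indexes into *table*
    (the second one counted from the end of the table).
    """
    size = len(table)
    pieces = []
    for i, ch in enumerate(text):
        s1, s2 = divmod(ord(ch), 17)
        # Unary minus applies before %, so the second index is
        # (-(s2 + i + 1)) mod size, always a valid non-negative index.
        pieces.append(table[(s1 + i) % size] + table[(-(s2 + i + 1)) % size])
    return ''.join(pieces)


result = encode(flag)
print(result)
# result = 'v0b9n1nkajz@j0c4jjo3oi1h1i937b395i5y5e0e$i'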
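s = 'wesyvbniazxchjko1973652048@$+-&*<>'
result = 'v0b9n1nkajz@j0c4jjo3oi1h1i937b395i5y5e0e$i'


def decode(encoded, table=s):
    """Invert the two-characters-per-byte table encoding.

    Every pair of characters in *encoded* stands for one flag character:
    the first carries ord(c) // 17, the second ord(c) % 17, each offset by
    the character's position. Pairs that do not map back to a printable
    ASCII code (32..127) are skipped.

    Raises:
        ValueError: if a character of *encoded* is not in *table*.
    """
    size = len(table)
    chars = []
    for i in range(len(encoded) // 2):
        # each pair of characters encodes one flag character
        char1 = encoded[2 * i]
        char2 = encoded[2 * i + 1]

        # Undo table[(s1 + i) % size]; reducing modulo size keeps this
        # correct once s1 + i has wrapped around the table.
        s1 = (table.index(char1) - i) % size
        # Undo table[(-(s2 + i + 1)) % size].
        s2 = (-(table.index(char2) + i + 1)) % size
        code = 17 * s1 + s2
        if s2 < 17 and 32 <= code < 128:
            chars.append(chr(code))
    return ''.join(chars)


flag = decode(result)
print(flag)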

445

1717917201454-ae1d224f-b664-4a0d-9ec5-7aa8aa6d5cea.png

查壳发现是 64 位程序,用 64 位 IDA 打开

1717917171822-b04d7864-bdcf-4d04-b852-4e230b6eacff.png

观察主要函数是一个循环,编写逆向脚本

注意,因为a为执行过后的字符串,所以要修改判断的范围,

if ( (Str[i] <= 96 || Str[i] > 98) && (Str[i] <= 64 || Str[i] > 66) )

要改成if ((ord(char) <= 94 or ord(char) > 96) and (ord(char) <= 62 or ord(char) > 64)):

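# Transformed string recovered from the binary.
a = "ylqq]aycqyp{"

# Undo the per-character shift: add 2 unless the code falls in one of the two
# small windows, in which case subtract 24.
# NOTE(review): the windows used here (95-96 and 63-64) are the forward
# check's windows moved down by two. No character of this ciphertext falls in
# them, so every character takes the +2 path. If the forward routine adds 24
# to a/b/A/B (inferred from this script; the branch bodies of the binary are
# not shown), their images are y/z/Y/Z, and 'y' then has two possible
# preimages, '{' and 'a' - confirm against the disassembly.
decoded = ''
for char in a:
    code = ord(char)
    in_window = (94 < code <= 96) or (62 < code <= 64)
    char = chr(code - 24) if in_window else chr(code + 2)
    decoded += char
print(decoded, end='')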

得到{nss_c{es{r}

1717917305894-9f2ff6d7-171f-4c8f-acb3-cfd4d8d294bf.png

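**提交这个 flag 并不成功。看了评论区才知道,程序里的 a 和 { 会得到同一个密文字符:从上面的解密脚本反推,正向变换应是对 a、b、A、B 加 24、其余字符减 2,于是 'a'(97)+24 与 '{'(123)-2 都得到 'y'(121),解密时无法区分。把花括号内部多出来的 { 换回 a,flag 就是:NSSCTF{nss_caesar}**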

1416

1721443980982-eaaa5ee9-dfba-4997-86c1-224994b7226b.png

看到明文和三个加密函数

第一个是base64加密

第二个是字符串顺序打乱

第三个是自定义加密

1721444087788-ca6aecf2-1811-4fa9-9712-834ba3952f38.png

// Decompiler output for a Base64-style encoder: turns a2 input bytes at a1 into
// 4-character groups written to a3, looking each character up in `alphabet`.
// Returns 0 on success and 0xFFFFFFFF when a1 is NULL or a2 is 0; when a4 is
// non-NULL it receives the number of characters produced.
// `alphabet` and cmove_bits() are defined outside this listing. Whether the
// output is standard Base64 depends on the table contents, so check the table
// before relying on a stock decoder.
// NOTE(review): a3 has no size parameter and no terminating NUL is written
// here, so the caller has to supply at least v8 bytes and terminate the string.
__int64 __fastcall encode_one(char *a1, int a2, char *a3, int *a4)
{
  int v5; // esi
  int v6; // esi
  int v7; // esi
  int v8; // [rsp+34h] [rbp-1Ch]
  int v9; // [rsp+38h] [rbp-18h]
  int v11; // [rsp+48h] [rbp-8h]
  int i; // [rsp+4Ch] [rbp-4h]
  unsigned __int8 *v13; // [rsp+70h] [rbp+20h]

  v13 = (unsigned __int8 *)a1;
  if ( !a1 || !a2 )
    return 0xFFFFFFFFi64;
  // v11 = number of bytes missing to make the input length a multiple of 3.
  v11 = 0;
  if ( a2 % 3 )
    v11 = 3 - a2 % 3;
  // v9 = padded input length, v8 = output length (4 characters per 3 bytes).
  v9 = a2 + v11;
  v8 = 8 * (a2 + v11) / 6;
  for ( i = 0; i < v9; i += 3 )
  {
    // First output character: the first input byte shifted right by two.
    // NOTE(review): the (char) cast is signed as decompiled; for input bytes
    // >= 0x80 the index would be negative if char is signed here - confirm
    // against the disassembly.
    *a3 = alphabet[(char)*v13 >> 2];
    // True only for the last group, and only when padding is needed.
    if ( a2 + v11 - 3 == i && v11 )
    {
      if ( v11 == 1 )
      {
        // Two real input bytes left: three table characters, then one '='.
        // cmove_bits() is opaque here; from how its results are summed it
        // presumably isolates and repositions a bit field - TODO confirm.
        v5 = (char)cmove_bits(*v13, 6u, 2u);
        a3[1] = alphabet[v5 + (char)cmove_bits(v13[1], 0, 4u)];
        a3[2] = alphabet[(char)cmove_bits(v13[1], 4u, 2u)];
        a3[3] = 61; // ASCII '='
      }
      else if ( v11 == 2 )
      {
        // One real input byte left: two table characters, then "==".
        a3[1] = alphabet[(char)cmove_bits(*v13, 6u, 2u)];
        a3[2] = 61;
        a3[3] = 61;
      }
    }
    else
    {
      // Full 3-byte group: four table characters, no padding.
      v6 = (char)cmove_bits(*v13, 6u, 2u);
      a3[1] = alphabet[v6 + (char)cmove_bits(v13[1], 0, 4u)];
      v7 = (char)cmove_bits(v13[1], 4u, 2u);
      a3[2] = alphabet[v7 + (char)cmove_bits(v13[2], 0, 6u)];
      a3[3] = alphabet[v13[2] & 0x3F];
    }
    // Advance one output group (4 chars) and one input group (3 bytes).
    a3 += 4;
    v13 += 3;
  }
  if ( a4 )
    *a4 = v8;
  return 0i64;
}

切割字符串然后拼接,反过来拼接就行

flag+=tmp[13:26]+tmp[39:52]+tmp[0:13]+tmp[26:39]

第一个参数的变化可以得知每次截取的长度为13,第二个参数即为原来str的起始位置

1721444242795-467870c3-f283-4c0b-928a-a362eaeca2a6.png

1721444293768-1f348d88-1f78-4382-811c-5bb40cdd2690.png

修改一下看会轻松的多

1721444484321-cf89244e-2daf-422b-a3ed-89e71fefe60e.png

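import base64

# Final transformed string taken from the binary.
a = 'EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG'


def unshift(ch):
    """Undo the shift-by-3 substitution for one character.

    Uppercase letters rotate back by 3 within A-Z, codes 95..122 rotate back
    by 3 relative to 'a', digits rotate back by 3 within 0-9, and everything
    else (such as '=') is returned unchanged.
    """
    code = ord(ch)
    if 64 < code <= 90:
        return chr((code - 65 - 3) % 26 + 65)
    # NOTE(review): the lower bound is 94, so '_' (95) and '`' (96) are
    # handled as if they were lowercase letters; the input above contains
    # neither - confirm the bound against the binary.
    if 94 < code <= 122:
        return chr((code - 97 - 3) % 26 + 97)
    if 47 < code <= 57:
        return chr((code - 48 - 3) % 10 + 48)
    return ch


# Step 1: undo the substitution.
tmp = ''.join(unshift(ch) for ch in a)
print(tmp)
# Step 2: undo the shuffle of the four 13-character chunks.
flag = tmp[13:26] + tmp[39:52] + tmp[:13] + tmp[26:39]
# Step 3: what is left is Base64 text.
print(base64.b64decode(flag))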

encode

发现加密函数
所以是需要找到密文即可解出flag。
可以看出密文就是dword_404000。在该内存空间中找,找到100个数据即为密文。
根据加密逻辑,可以看出每两个数据为一组:前一个是 ASCII 码的低 4 位,后一个是 ASCII 码的高 4 位,编写脚本解出

1721460339801-09eef6d1-3520-4ef4-9bb8-c010024c0d86.png

1721460396040-f629698d-b0ed-4069-8137-831fca288b0f.png

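# The 100 values dumped from dword_404000: nibble pairs followed by zero padding.
a = [
    8, 6, 7, 6, 1, 6, 13, 6, 5, 6, 11, 7, 5, 6, 14, 6, 3, 6, 15, 6, 4, 6,
    5, 6, 15, 5, 9, 6, 3, 7, 15, 5, 5, 6, 1, 6, 3, 7, 9, 7, 15, 5, 6, 6,
    15, 6, 2, 7, 15, 5, 1, 6, 15, 5, 2, 7, 5, 6, 6, 7, 5, 6, 2, 7, 3, 7,
    5, 6, 15, 5, 5, 6, 14, 6, 7, 6, 9, 6, 14, 6, 5, 6, 5, 6, 2, 7, 13, 7,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
]
b = ''
# Each pair is (low nibble, high nibble) of one ASCII code.
for i in range(0, len(a) - 1, 2):
    low = a[i] & 0xF
    high = a[i + 1] & 0xF
    if low == 0 and high == 0:
        # Zero padding after the data: stop instead of appending NUL characters.
        break
    b += chr((high << 4) | low)
print(b)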

exp2

根据加密逻辑,可以看出每两个数据为一组:前一个是 ASCII 码的低 4 位,后一个是 ASCII 码的高 4 位,编写脚本解出

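# The non-zero part of the dumped table: (low nibble, high nibble) pairs.
a = [
    8, 6, 7, 6, 1, 6, 13, 6, 5, 6, 11, 7, 5, 6, 14,
    6, 3, 6, 15, 6, 4, 6, 5, 6, 15, 5, 9, 6, 3, 7, 15, 5, 5,
    6, 1, 6, 3, 7, 9, 7, 15, 5, 6, 6, 15,
    6, 2, 7, 15, 5, 1, 6, 15, 5, 2, 7, 5, 6, 6, 7, 5,
    6, 2, 7, 3, 7, 5, 6, 15, 5, 5, 6, 14, 6, 7, 6, 9, 6, 14,
    6, 5, 6, 5, 6, 2, 7, 13, 7,
]
res = ""
# The pair count comes from the table length rather than a hard-coded 44,
# so a longer or shorter dump cannot index past the end of the list.
for i in range(len(a) // 2):
    c1 = a[2 * i]      # low 4 bits of the character code
    c2 = a[2 * i + 1]  # high 4 bits of the character code
    res += chr(c2 * 16 + c1)
print(res)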

更新: 2025-06-29 18:49:19
原文: https://www.yuque.com/chaye-apqbl/vsc85q/firbpo49ggcotccz

