Windows_Reverse2
要求输入code
在这里插入图片描述
查壳工具查壳,ASPack再进行脱壳
在这里插入图片描述
再IDA打开查看main函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Buffer; // [esp+8h] [ebp-C04h] BYREF
  char v5[1023]; // [esp+9h] [ebp-C03h] BYREF
  char v6; // [esp+408h] [ebp-804h] BYREF
  char v7[1023]; // [esp+409h] [ebp-803h] BYREF
  char v8; // [esp+808h] [ebp-404h] BYREF
  char v9[1023]; // [esp+809h] [ebp-403h] BYREF

  v6 = 0;
  memset(v7, 0, sizeof(v7));
  v8 = 0;
  memset(v9, 0, sizeof(v9));
  printf("input code:");
  scanf("%s", &v6);
  if ( !(unsigned __int8)sub_4011F0() )
  {
    printf("invalid input\n");
    exit(0);
  }
  sub_401240(&v8);
  Buffer = 0;
  memset(v5, 0, sizeof(v5));
  sprintf(&Buffer, "DDCTF{%s}", &v8);
  if ( !strcmp(&Buffer, aDdctfReverse) )
    printf("You've got it !!! %s\n", &Buffer);
  else
    printf("Something wrong. Try again...\n");
  return 0;
}

查看sub_4011F0()输入字符要在0-9以及A-F之间

1
2
3
4
5
6
7
8
9
10
11
12
13
if ( v1 && v1 % 2 != 1 )
 {
   v3 = 0;
   if ( v1 <= 0 )
     return 1;
   while ( 1 )
   {
     v4 = a1[v3];
     if ( (v4 < '0' || v4 > '9') && (v4 < 'A' || v4 > 'F') )
       break;
     if ( ++v3 >= v2 )
       return 1;
   }

查看sub_401240:将字符转为相应的数字,最后有个return sub_401000

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
if ( v2 > 0 )
  {
    v4 = v9;
    do
    {
      v5 = a1[v3];
      if ( (unsigned __int8)(v5 - '0') > 9u )
      {
        if ( (unsigned __int8)(v5 - 'A') <= 5u )
          v9 = v5 - '7';
      }
      else
      {
        v9 = a1[v3] - '0';
      }
      v6 = a1[v3 + 1];
      if ( (unsigned __int8)(v6 - '0') > 9u )
      {
        if ( (unsigned __int8)(v6 - 'A') <= 5u )
          v4 = v6 - '7';
      }
      else
      {
        v4 = a1[v3 + 1] - '0';
      }
      v7 = (unsigned int)v3 >> 1;
      v3 += 2;
      *(&v10 + v7) = v4 | (16 * v9);
    }
    while ( v3 < v2 );
  }
  return sub_401000(v2 / 2, (void *)a2);
}

sub_401000

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
if ( a1 )
 {
   do
   {
     *(&v14 + v5) = *v4;
     v6 = v15;
     ++v5;
     --v3;
     ++v4;
     if ( v5 == 3 )
     {
       LOBYTE(v17) = v14 >> 2;
       BYTE1(v17) = (v15 >> 4) + 16 * (v14 & 3);
       BYTE2(v17) = (v16 >> 6) + 4 * (v15 & 0xF);
       HIBYTE(v17) = v16 & 63;
       for ( i = 0; i < 4; ++i )
         __Y__basic_string_DU__char_trai(v19, (unsigned __int8)byte_403020[*((unsigned __int8 *)&v17 + i)] ^ 0x76);
       v5 = 0;
     }
   }
   while ( v3 );
   if ( v5 )
   {
     if ( v5 < 3 )
     {
       memset(&v14 + v5, 0, 3 - v5);
       v6 = v15;
     }
     BYTE1(v17) = (v6 >> 4) + 16 * (v14 & 3);
     LOBYTE(v17) = v14 >> 2;
     BYTE2(v17) = (v16 >> 6) + 4 * (v6 & 0xF);
     v8 = 0;
     for ( HIBYTE(v17) = v16 & 0x3F; v8 < v5 + 1; ++v8 )
       __Y__basic_string_DU__char_trai(v19, (unsigned __int8)byte_403020[*((unsigned __int8 *)&v17 + v8)] ^ 0x76);
     if ( v5 < 3 )
     {
       v9 = 3 - v5;
       do
       {
         __Y__basic_string_DU__char_trai(v19, 61);
         --v9;
       }
       while ( v9 );
     }
   }
 }

前半段将byte_403020异或处理:

1
2
3
4
5
6
7
8
9
a=[0x37,0x34,0x35,0x32,0x33,0x30,0x31,0x3E,0x3F,0x3C,0x3D,0x3A,0x3B,0x38,0x39,0x26,
0x27,0x24,0x25,0x22,0x23,0x20,0x21,0x2E,0x2F,0x2C,0x17,0x14,0x15,0x12,0x13,0x10,
0x11,0x1E,0x1F,0x1C,0x1D,0x1A,0x1B,0x18,0x19,0x06,0x07,0x04,0x05,0x02,0x03,0x00,
0x01,0x0E,0x0F,0x0C,0x46,0x47,0x44,0x45,0x42,0x43,0x40,0x41,0x4E,0x4F,0x5D,0x59]
b=[]
for i in range(len(a)):
   b=chr(a[i]^0x76)
   print(b,end='')

运行结果和base64的编码表一样

1
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

那么第三层就是base64解密

1
2
3
4
5
import base64
s='reverse+'
s=base64.b64decode(s) #base64解码
s=s.hex().upper() #十六进制转换
print(s)
1
ADEBDEAEC7BE