MoeCTF 2021Re部分------baby_bc
文章目錄
- baby.bc
- 編譯
- ida分析
- Rc4
- 初始化
- 加密
- Base64變形
- 結果數組
- 解密代碼:
- 總結
baby.bc
編譯
llc chall.bc -o chall.s
接著要把 .s(匯編代碼)編譯成可執行程序,但在編譯的時候出現了如下報錯:
報錯如下:
chall.s: Assembler messages:
chall.s:4: Error: unknown pseudo-op: `.def'
chall.s:5: Error: unknown pseudo-op: `.scl'
chall.s:6: Error: Missing symbol name in directive
chall.s:7: Error: unknown pseudo-op: `.endef'
chall.s:8: Error: expected symbol name
chall.s:9: Error: expected symbol name
chall.s:11: Error: unknown pseudo-op: `.def'
chall.s:12: Error: unknown pseudo-op: `.scl'
chall.s:13: Error: Missing symbol name in directive
chall.s:13: Error: unrecognized symbol type "32"
chall.s:14: Error: unknown pseudo-op: `.endef'
chall.s:30: Error: register save offset not a multiple of 8
chall.s:105: Error: unknown pseudo-op: `.def'
chall.s:106: Error: unknown pseudo-op: `.scl'
chall.s:107: Error: Missing symbol name in directive
chall.s:107: Error: unrecognized symbol type "32"
chall.s:108: Error: unknown pseudo-op: `.endef'
chall.s:122: Error: register save offset not a multiple of 8
chall.s:196: Error: unknown pseudo-op: `.def'
chall.s:197: Error: unknown pseudo-op: `.scl'
chall.s:198: Error: Missing symbol name in directive
chall.s:198: Error: unrecognized symbol type "32"
chall.s:199: Error: unknown pseudo-op: `.endef'
chall.s:331: Error: unknown pseudo-op: `.def'
chall.s:332: Error: unknown pseudo-op: `.scl'
chall.s:333: Error: Missing symbol name in directive
chall.s:333: Error: unrecognized symbol type "32"
chall.s:334: Error: unknown pseudo-op: `.endef'
chall.s:350: Error: register save offset not a multiple of 8
chall.s:352: Error: register save offset not a multiple of 8
chall.s:483: Fatal error: bad .section directive: want a,w,x,M,S,G,T in string
使用 Windows 下的 LLVM 結果成這樣:`.def`、`.scl`、`.endef` 是 COFF(Windows 目標)的匯編偽指令,應該是 llc 生成了面向 Windows 的匯編,而面向 ELF 的匯編器不認識這些偽指令。所以的話,還是配了一下 Linux 下的 LLVM。
編譯之后成為elf文件,拖進ida查看
ida分析
Rc4
秘鑰
/* RC4 key bytes as listed by the author: 14 bytes in total.
 * The first three bytes read as the hex digits "114514"; the remaining
 * eleven are the ASCII text "avalon,yyds". */
unsigned char ida_chars[] = {0x11, 0x45, 0x14, 0x61, 0x76, 0x61, 0x6C, 0x6F, 0x6E, 0x2C, 0x79, 0x79, 0x64, 0x73 };
初始化
/*
 * RC4 key scheduling (KSA), shown as IDA decompiler output.
 *
 *   a1 - state table S; every entry is accessed as a _DWORD at a1 + 4*index,
 *        so the 256 state values are stored 4 bytes apart.
 *   a2 - key bytes.
 *   a3 - key length, used as the modulus in `i % v7`.
 *
 * v5 is returned but never assigned anywhere in this listing, so the return
 * value carries no information here (presumably the original function had no
 * return value - confirm against the disassembly).
 */
_int64 __fastcall func_114514(__int64 a1, __int64 a2, int a3) {
    int s[257]; // [rsp+0h] [rbp-430h] BYREF
    unsigned int v5; // [rsp+404h] [rbp-2Ch]
    __int64 v6; // [rsp+408h] [rbp-28h]
    int v7; // [rsp+410h] [rbp-20h]
    int v8; // [rsp+414h] [rbp-1Ch]
    __int64 v9; // [rsp+418h] [rbp-18h]
    int v10; // [rsp+424h] [rbp-Ch]
    int i; // [rsp+428h] [rbp-8h]
    int j; // [rsp+42Ch] [rbp-4h]
    v9 = a1;
    v6 = a2;
    v7 = a3;
    v10 = 0;
    // Clears 0x400 bytes = 256 ints; s[256] is not cleared, and the loops below never read it.
    memset(s, 0, 0x400uLL);
    for ( i = 0; i < 256; ++i ){
        *(_DWORD *)(v9 + 4LL * i) = i; // initialise the v9 array (state vector S) to the identity 0..255
        s[i] = *(unsigned __int8 *)(v6 + i % v7); // fill s (temporary vector T) from the key, repeating it every v7 bytes (the author's note calls the key buffer "dest")
    }
    for ( j = 0; j < 256; ++j ){
        v10 = (unsigned __int8)(LOBYTE(s[j]) + *(_BYTE *)(v9 + 4LL * j) + v10);// v10 = low 8 bits of (T[j] + S[j] + v10); v10 is then used as the index to swap with
        v8 = *(_DWORD *)(v9 + 4LL * j); // v8 is the swap temporary
        *(_DWORD *)(v9 + 4LL * j) = *(_DWORD *)(v9 + 4LL * v10);
        *(_DWORD *)(v9 + 4LL * v10) = v8;
    }
    return v5; }
加密
/*
 * RC4 keystream generation and XOR (PRGA), shown as IDA decompiler output.
 *
 *   a1 - state table S produced by the key scheduling; entries are read and
 *        written as _DWORDs at a1 + 4*index.
 *   a2 - data buffer, XORed in place one byte per iteration.
 *   a3 - number of bytes to process.
 *
 * The loop is the usual RC4 step with no visible modification: advance v7,
 * add S[v7] into v6, swap S[v7] and S[v6], then XOR the data byte with
 * S[(S[v6] + S[v7]) & 0xFF]. Because the data is only XORed with the
 * keystream, running the same routine with the same key undoes it.
 *
 * v4 is returned but never assigned in this listing, so the return value
 * carries no information here.
 */
_int64 __fastcall func_1919810(__int64 a1, __int64 a2, int a3) {
    unsigned int v4; // [rsp+0h] [rbp-2Ch]
    int i; // [rsp+1Ch] [rbp-10h]
    int v6; // [rsp+20h] [rbp-Ch]
    int v7; // [rsp+24h] [rbp-8h]
    unsigned __int8 v8; // [rsp+2Bh] [rbp-1h]
    v7 = 0;
    // Only the low byte is cleared here; the first loop iteration assigns the whole of v6 from an 8-bit value.
    LOBYTE(v6) = 0;
    for ( i = 0; i < a3; ++i ){
        v7 = (v7 + 1) % 256;
        v6 = (unsigned __int8)(*(_BYTE *)(a1 + 4LL * v7) + v6);
        // v8 is a single byte, so the swapped value is written back truncated to 8 bits.
        v8 = *(_DWORD *)(a1 + 4LL * v7);
        *(_DWORD *)(a1 + 4LL * v7) = *(_DWORD *)(a1 + 4LL * v6);
        *(_DWORD *)(a1 + 4LL * v6) = v8;
        // Keystream byte = S[(S[v6] + S[v7]) & 0xFF], XORed into the data in place.
        *(_BYTE *)(a2 + i) ^= *(_BYTE *)(a1 + 4LL * (unsigned __int8)(*(_BYTE *)(a1 + 4LL * v6) + *(_BYTE *)(a1 + 4LL * v7)));
    }
    return v4; }
Base64變形
這個變形是屬于什么變形呢,它直接算出 6 位的下標,然后把下標加上 0x3D(61)作為輸出字節(也就是說沒有拿著下標去找base64數組取值);解碼的時候反過來對結果做減法(減去 0x3D)就能得到下標
/*
 * Modified Base64 encoder, shown as IDA decompiler output.
 *
 *   a1 - input bytes.
 *   a2 - input length.
 *   a3 - output buffer.
 *
 * The 6-bit groups are formed exactly as in Base64, but instead of looking
 * each index up in an alphabet the code adds 0x3D (61) to it, so output
 * bytes range over 0x3D..0x7C. The padding byte '=' is also 0x3D, which is
 * the same value as an encoded index 0; only its position at the end of the
 * output tells the two apart.
 *
 * v4 is returned but never assigned in this listing, so the return value
 * carries no information here.
 */
_int64 __fastcall HSencode(__int64 a1, int a2, __int64 a3) {
    unsigned int v4; // [rsp+0h] [rbp-28h]
    int v5; // [rsp+4h] [rbp-24h]
    int v6; // [rsp+20h] [rbp-8h]
    int v7; // [rsp+24h] [rbp-4h]
    // v5 = encoded length: 4 output bytes per started group of 3 input bytes.
    if ( a2 % 3 )
        v5 = 4 * (a2 / 3 + 1);
    else
        v5 = 4 * (a2 / 3);
    v7 = 0;
    v6 = 0;
    // When a2 is not a multiple of 3, the last pass reads a1[v6 + 1] and/or
    // a1[v6 + 2] beyond the a2 input bytes; the affected output positions are
    // overwritten (fully or in part) by the '=' padding below.
    while ( v7 < v5 - 2 ){
        *(_BYTE *)(a3 + v7) = (((int)*(unsigned __int8 *)(a1 + v6) >> 2) & 0x3F) + 0x3D;
        *(_BYTE *)(a3 + v7 + 1) = (((int)*(unsigned __int8 *)(a1 + v6 + 1) >> 4) & 0xF | (16 * (*(_BYTE *)(a1 + v6) & 3)))+ 61;
        *(_BYTE *)(a3 + v7 + 2) = (((int)*(unsigned __int8 *)(a1 + v6 + 2) >> 6) & 3 | (4 * (*(_BYTE *)(a1 + v6 + 1) & 0xF)))+ 61;
        *(_BYTE *)(a3 + v7 + 3) = (*(_BYTE *)(a1 + v6 + 2) & 0x3F) + 61;
        v6 += 3;
        v7 += 4;
    }
    // One leftover input byte: two '=' are written (positions v7-2 and v7-1).
    if ( a2 % 3 == 1 ){
        *(_BYTE *)(a3 + v7 - 2) = '=';
    }
    // No leftover bytes: no padding, return immediately.
    else if ( a2 % 3 != 2 ){
        return v4;
    }
    // Reached for a remainder of 1 or 2: the final output byte becomes '='.
    *(_BYTE *)(a3 + v7 - 1) = '=';
    return v4; }
結果數組
/* Result array from the binary: 56 bytes. Every value lies in 0x3D..0x7C,
 * matching the "index + 0x3D" encoding of HSencode; the last two bytes are
 * 0x3D, i.e. the '=' padding.
 * NOTE(review): presumably this is the buffer the program compares the
 * encoded input against - the comparison itself is not shown here. */
unsigned char bytes_114514[] = {0x40, 0x42, 0x64, 0x78, 0x52, 0x54, 0x62, 0x52, 0x42, 0x62, 0x6A, 0x49, 0x56, 0x66, 0x60, 0x50, 0x45, 0x79, 0x71, 0x65, 0x5E, 0x5C, 0x5E, 0x5C, 0x7C, 0x63, 0x63, 0x7C, 0x4A, 0x52, 0x75, 0x62, 0x61, 0x47, 0x4C, 0x79, 0x74, 0x48, 0x65, 0x52, 0x49, 0x40, 0x6A, 0x67, 0x4E, 0x65, 0x67, 0x48, 0x55, 0x5B, 0x4D, 0x79, 0x79, 0x5D, 0x3D, 0x3D };
我們需要把結果減去0x3D,然后拿著下標取出base64數據,然后進行base64解碼,緊接著再進行RC4解密
解密代碼:
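#include <cstddef>
#include <iostream>
#ifdef _WIN32
#include <Windows.h> // kept from the original listing; nothing below depends on it
#endif
using namespace std;

/**
 * RC4 key scheduling: fill s[0..255] with the permutation derived from key.
 *
 * @param s    state table, 256 bytes, overwritten.
 * @param key  key bytes.
 * @param Len  number of key bytes; must be non-zero (it is used as a modulus).
 */
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    // The expanded key must be unsigned: with plain char (signed on most
    // compilers) any key byte >= 0x80 would make j negative and index s[]
    // out of bounds.
    unsigned char k[256] = { 0 };
    int j = 0;

    for (int i = 0; i < 256; i++)
    {
        s[i] = (unsigned char)i;
        k[i] = key[i % Len];
    }
    for (int i = 0; i < 256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        // swap s[i] and s[j]
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}

/**
 * RC4 keystream generation: XOR Len bytes of Data in place with the stream.
 *
 * The state table is modified while the stream is produced, so it has to be
 * re-initialised with rc4_init before every independent message. Encryption
 * and decryption are the same operation.
 *
 * @param s     state table prepared by rc4_init, 256 bytes, modified.
 * @param Data  buffer to transform in place.
 * @param Len   number of bytes in Data.
 */
void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
    int i = 0, j = 0;

    for (unsigned long k = 0; k < Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        // swap s[i] and s[j]
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        int t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

/**
 * Solver: undo the "+0x3D" step to get ordinary Base64 text, then RC4-decrypt
 * the Base64-decoded bytes with the key taken from the binary.
 */
int main()
{
    const char base[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

    // Result array from the binary without its two trailing 0x3D ('=')
    // padding bytes: 54 encoded values.
    unsigned char ida_charsa[] =
    {
        0x40, 0x42, 0x64, 0x78, 0x52, 0x54, 0x62, 0x52, 0x42, 0x62,
        0x6A, 0x49, 0x56, 0x66, 0x60, 0x50, 0x45, 0x79, 0x71, 0x65,
        0x5E, 0x5C, 0x5E, 0x5C, 0x7C, 0x63, 0x63, 0x7C, 0x4A, 0x52,
        0x75, 0x62, 0x61, 0x47, 0x4C, 0x79, 0x74, 0x48, 0x65, 0x52,
        0x49, 0x40, 0x6A, 0x67, 0x4E, 0x65, 0x67, 0x48, 0x55, 0x5B,
        0x4D, 0x79, 0x79, 0x5D
    };

    // Each value minus 0x3D is a Base64 index; print the matching alphabet
    // character. This loop prints:
    //   DFn7VXlVFltMZpjTI80ohfhf/mm/NV4lkKP83LoVMDtqRoqLYeQ88g
    for (size_t i = 0; i < sizeof ida_charsa; i++)
    {
        cout << base[ida_charsa[i] - 0x3D];
    }

    // The Base64 text above decoded to raw bytes (40 bytes); the decoding
    // was done outside this program and the result pasted in.
    unsigned char ida_chars[] =
    {
        0x0C,0x59,0xFB,0x55,0x79,0x55,0x16,0x5B,0x4C,0x66,
        0x98,0xD3,0x23,0xCD,0x28,0x85,0xF8,0x5F,0xFE,0x69,
        0xBF,0x35,0x5E,0x25,0x90,0xA3,0xFC,0xDC,0xBA,0x15,
        0x30,0x3B,0x6A,0x46,0x8A,0x8B,0x61,0xE4,0x3C,0xF2
    };

    // RC4 key from the binary. The length comes from sizeof rather than
    // strlen, so a key containing a 0x00 byte would not be cut short.
    unsigned char key[] =
    {
        0x11, 0x45, 0x14, 0x61, 0x76, 0x61, 0x6C, 0x6F, 0x6E, 0x2C,
        0x79, 0x79, 0x64, 0x73
    };

    unsigned char s[256] = { 0 };
    rc4_init(s, key, sizeof key);

    cout << endl;
    rc4_crypt(s, ida_chars, sizeof ida_chars);
    for (size_t i = 0; i < sizeof ida_chars; i++)
    {
        cout << char(ida_chars[i]);
    }
    return 0;
}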
總結