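When looking at a raw binary dump, is there any tool that can help identify and decode base64 strings contained in it? Essentially "strings", but base64-aware.
Tool for finding base64 strings in a binary dump
Reverse engineering
Tools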
2021-06-18 00:30:30
1 Answer
Using PowerShell
C:\>type bana.txt
bXkgZmlyc3Qgc3RyaW5nCm15IHNlY29uZCBzdHJpbmcKbXkgdGhpcmQgc3RyaW5nZ2cgb2sh
CiJIZWxsbyBXb3JsZCI=
C:\>powershell -c "gc .\bana.txt | Select-String -Pattern ".*" |% { [text.encoding]::ASCII.GetString([convert]::FromBase64String($_)) }"
my first string
my second string
my third stringgg ok!
"Hello World"
If the file contains a unicode-encoded base64 string, change the encoding to utf-8
C:\>cat unibana.txt
■b X k g Z m l y c 3 Q g c 3 R y a W 5 n C m 1 5 I H N l Y 2 9 u Z C B z d H J
b m c K b X k g d G h p c m Q g c 3 R y a W 5 n Z 2 c g b 2 s h
C i J I Z W x s b y B X b 3 J s Z C I =
C:\>powershell -c "gc .\bana.txt | Select-String -Pattern ".*" |% { [text.encoding]::utf8.GetString([convert]::FromBase64String($_)) }"
my first string
my second string
my third stringgg ok!
"Hello World"
C:\>ls -l *ban*
-rw-rw-rw- 1 Admin 0 96 2015-10-02 12:23 bana.txt
-rw-rw-rw- 1 Admin 0 194 2015-10-02 12:27 unibana.txt
If a string is not a valid base64 string, this throws an invalid format exception and continues decoding the rest of the file
C:\>cat bana.txt
bXkgZmlyc3Qgc3RyaW5nCm15IHNlY29uZCBzdHJpbmcKbXkgdGhpcmQgc3RyaW5nZ2cgb2sh
CiJIZWxsbyBXb3JsZCI=
yakku
bakku
bXkgZmlyc3Qgc3RyaW5nCm15IHNlY29uZCBzdHJpbmcKbXkgdGhpcmQgc3RyaW5nZ2cgb2sh
CiJIZWxsbyBXb3JsZCI=
C:\>powershell -c "gc .\bana.txt | Select-String -Pattern ".*" |% { [text.encoding]::ASCII.GetString([convert]::FromBase64String($_)) }"
my first string
my second string
my third stringgg ok!
"Hello World"
Exception calling "FromBase64String" with "1" argument(s): "Invalid length for
a Base-64 char array."
At line:1 char:108
+ gc .\bana.txt | Select-String -Pattern .* |% { [text.encoding]::ASCII.GetStri
ng([convert]::FromBase64String <<<< ($_)) }
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "FromBase64String" with "1" argument(s): "Invalid length for
a Base-64 char array."
At line:1 char:108
+ gc .\bana.txt | Select-String -Pattern .* |% { [text.encoding]::ASCII.GetStri
ng([convert]::FromBase64String <<<< ($_)) }
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
my first string
my second string
my third stringgg ok!
"Hello World"
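Edit, in reply to Thomas Weller's comment:
Do you have a test suite for me to test, or to abuse the test case foo.txt below, to break the assumptions made in the reply?
IMHO a string is a sequence of characters, interspersed with carriage returns and/or carriage return + line feed, and terminated by a null. If its length is a multiple of 4 and it contains the same subset of characters that base64 strings use, a normal string and a base64 string cannot be distinguished from one another.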
PS C:\> xxd -g 1 .\foo.txt
0000000: 75 0d 62 58 6b 67 0d 62 58 6b 67 0d 0a 62 58 6b u.bXkg.bXkg..bXk
0000010: 67 75 0d 0a 62 58 6b 67 75 0d 62 58 6b 67 0d 62 gu..bXkgu.bXkg.b
0000020: 58 6b 67 62 58 6b 67 0d 62 58 6b 67 62 58 6b 67 XkgbXkg.bXkgbXkg
PS C:\> cat .\foo.txt
u
bXkg
bXkg
bXkgu
bXkgu
bXkg
bXkgbXkg
bXkgbXkg
PS C:\> strings.exe -q -n 1 .\foo.txt
u
bXkg
bXkg
bXkgu
bXkgu
bXkg
bXkgbXkg
bXkgbXkg
PS C:\> cat .\decodeb64strings.ps1
$ErrorActionPreference="silentlycontinue"
select-string -Path $args[0] -Pattern ".*" |%{$out=[text.encoding]::Ascii.getstring([convert]::FromBase64String($_.Line));if($?){$out}else{$_}}
PS C:\>
PS C:\> .\decodeb64strings.ps1 .\foo.txt
foo.txt:1:u
my
my
foo.txt:4:bXkgu
foo.txt:5:bXkgu
my
my my
my my
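
The answer's script decodes a text file line by line. For a raw binary dump, as the question asks, the following added example (Python, not code from the answer) scans the bytes for runs of base64 characters, in ASCII and in UTF-16LE, and keeps only those that decode to mostly printable text. The function names, the minimum run length of 8 and the 90% printable threshold are assumptions chosen for illustration; the sample dump is constructed around the two bana.txt lines shown above.

```python
import base64
import re
import string

PRINTABLE = set(string.printable.encode("ascii"))

def _candidates(data, min_len):
    """Yield (offset, kind, run) for byte runs drawn from the base64 alphabet."""
    narrow = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    for m in narrow.finditer(data):
        yield m.start(), "ascii", m.group()
    # UTF-16LE text: each base64 character is followed by a 0x00 byte.
    wide = re.compile(rb"(?:[A-Za-z0-9+/]\x00){%d,}(?:=\x00){0,2}" % min_len)
    for m in wide.finditer(data):
        yield m.start(), "utf-16le", m.group()[::2]

def find_base64_strings(data, min_len=8, min_printable=0.9):
    """Return sorted [(offset, kind, text)] for runs that decode to mostly text."""
    hits = []
    for offset, kind, run in _candidates(data, min_len):
        body = run.rstrip(b"=")
        if len(body) % 4 == 1:           # one leftover character can never decode
            body = body[:-1]
        body += b"=" * (-len(body) % 4)  # restore padding lost to truncation
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:               # binascii.Error is a ValueError
            continue
        if not decoded:
            continue
        # Heuristic (assumption): payloads of interest are text, so drop runs
        # that merely look like base64 but decode to binary noise.
        ratio = sum(b in PRINTABLE for b in decoded) / len(decoded)
        if ratio >= min_printable:
            hits.append((offset, kind, decoded.decode("latin-1")))
    return sorted(hits)

# Constructed sample dump: junk bytes, a decoy identifier, then the two
# base64 lines from bana.txt above (the second one stored as UTF-16LE).
SAMPLE = (
    b"\x00\x01\x02kernelbase\x00\x90\x90"
    b"bXkgZmlyc3Qgc3RyaW5nCm15IHNlY29uZCBzdHJpbmcKbXkgdGhpcmQgc3RyaW5nZ2cgb2sh"
    b"\x00\xff\xfe" + "CiJIZWxsbyBXb3JsZCI=".encode("utf-16-le")
)

if __name__ == "__main__":
    for offset, kind, text in find_base64_strings(SAMPLE):
        print(f"0x{offset:04x} {kind:9} {text!r}")
```

The printable-ratio filter only reduces false positives: as the edit to the answer points out, a plain string whose length and character set fit base64 cannot be told apart from an encoded one.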