
BUUCTF_RE_[WUSTCTF2020]level3

A 64-bit ELF file.

 

Searching the strings turns up a string like this; of course, it is certainly not as simple as plain base64.

Main function:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *v3; // rax
  char v5; // [rsp+Fh] [rbp-41h]
  char v6[56]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v7; // [rsp+48h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  printf("Try my base64 program?.....\n>");
  __isoc99_scanf("%20s", v6);
  v5 = time(0LL);
  srand(v5);
  if ( (rand() & 1) != 0 )
  {
    v3 = base64_encode(v6);
    puts(v3);
    puts("Is there something wrong?");
  }
  else
  {
    puts("Sorry I think it's not prepared yet....");
    puts("And I get a strange string from my program which is different from the standard base64:");
    puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==");
    puts("What's wrong??");
  }
  return 0;
}

 

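At first, looking at its random seed, I thought it was a randomized base64 encryption,

but after trying that, I found it was not right either; it would not decode.

I found the answer through Baidu,

and picked up a new shortcut along the way:

Ctrl+X, to view the calling functions.

So it should be a modified table.

Look at which functions reference the base64_table table.

You will find O_OLookAtYou.

Follow it into the pseudo-C code: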

__int64 O_OLookAtYou()
{
  __int64 result; // rax
  char v1; // [rsp+1h] [rbp-5h]
  int i; // [rsp+2h] [rbp-4h]

  for ( i = 0; i <= 9; ++i )
  {
    v1 = base64_table[i];
    base64_table[i] = base64_table[19 - i];
    result = 19 - i;
    base64_table[result] = v1;
  }
  return result;
}

Now the table transformation is clear.

exp:

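import base64

# Standard base64 alphabet, as stored in the binary before O_OLookAtYou runs
base64_table0 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Copy the table into a list so it can be modified in place
base64_table1 = []
for i in range(len(base64_table0)):
    base64_table1.append(base64_table0[i])
base64_table2 = ''

s = 'd2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=='
# Replay the swap loop from O_OLookAtYou (i = 0..9, matching `i <= 9`)
for i in range(10):
    v1 = base64_table1[i]
    base64_table1[i] = base64_table1[19 - i]
    result = 19 - i
    base64_table1[result] = v1
# Join the list back into a string: this is the table used at run time
for i in range(len(base64_table1)):
    base64_table2 += base64_table1[i]
string1 = base64_table2
string2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Map each character from the swapped table back to the standard one, then decode
print(base64.b64decode(s.translate(str.maketrans(string1, string2))))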

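My exp is a bit convoluted: I converted the table into a list, then back into a string, and then decoded with the swapped table.

This gives the flag: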

wctf2020{Base64_is_the_start_of_reverse}
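
The table swap and decoding described above, as an added example that is not part of the original write-up: it replays the O_OLookAtYou loop to rebuild the run-time table, decodes by table index so it works for any 64-character alphabet, and re-encodes the result to confirm the recovered table reproduces the challenge string exactly. The function and constant names are hypothetical; the ciphertext is the string shown in main above.

```python
STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Ciphertext printed by the challenge binary (taken from the write-up)
CIPHERTEXT = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="

def swapped_table(table=STD, span=20):
    """Replay the O_OLookAtYou loop: mirror the first `span` characters."""
    t = list(table)
    for i in range(span // 2):  # i = 0..9 when span is 20
        t[i], t[span - 1 - i] = t[span - 1 - i], t[i]
    return "".join(t)

def check_table(table):
    if len(table) != 64 or len(set(table)) != 64 or "=" in table:
        raise ValueError("alphabet must be 64 distinct characters without '='")

def decode(text, table):
    """Decode base64 text that was produced with an arbitrary alphabet."""
    check_table(table)
    body = text.rstrip("=")
    if len(text) % 4 or len(text) - len(body) > 2:
        raise ValueError("bad length or padding")
    index = {c: i for i, c in enumerate(table)}
    acc = nbits = 0
    out = bytearray()
    for c in body:
        if c not in index:
            raise ValueError(f"{c!r} is not in the alphabet")
        acc = (acc << 6) | index[c]
        nbits += 6
        if nbits >= 8:  # a full byte is available
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)

def encode(data, table):
    """Encode bytes with an arbitrary alphabet (used for the round-trip check)."""
    check_table(table)
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [table[(n >> shift) & 63] for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:len(chunk) + 1]) + "=" * (3 - len(chunk)))
    return "".join(out)

if __name__ == "__main__":
    table = swapped_table()
    plain = decode(CIPHERTEXT, table)
    print(table, plain, encode(plain, table) == CIPHERTEXT)
```

If the round-trip comparison fails, the recovered table or the swap range is wrong, even when the decoded bytes look plausible.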