BUUCTF_RE_[WUSTCTF2020]level3
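阿新 • Published: 2022-05-06
A 64-bit ELF file.
Searching the strings turns up a string like this. Of course, it is certainly not as simple as decoding it directly as Base64.
Main function: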
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *v3; // rax
  char v5; // [rsp+Fh] [rbp-41h]
  char v6[56]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v7; // [rsp+48h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  printf("Try my base64 program?.....\n>");
  __isoc99_scanf("%20s", v6);
  v5 = time(0LL);
  srand(v5);
  if ( (rand() & 1) != 0 )
  {
    v3 = base64_encode(v6);
    puts(v3);
    puts("Is there something wrong?");
  }
  else
  {
    puts("Sorry I think it's not prepared yet....");
    puts("And I get a strange string from my program which is different from the standard base64:");
    puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==");
    puts("What's wrong??");
  }
  return 0;
}
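At first, looking at its random seed, I thought it was some kind of randomized Base64 encryption.
After trying that, I found it was not right either, and I could not decode the string.
A Baidu search gave me the answer,
and I picked up a new shortcut along the way:
Ctrl+X, to view the calling functions.
So it had to be a modified table.
Look at the functions that reference base64_table
and you will find O_OLookAtYou.
Follow it into the decompiled C code: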
__int64 O_OLookAtYou()
{
  __int64 result; // rax
  char v1; // [rsp+1h] [rbp-5h]
  int i; // [rsp+2h] [rbp-4h]

  for ( i = 0; i <= 9; ++i )
  {
    v1 = base64_table[i];
    base64_table[i] = base64_table[19 - i];
    result = 19 - i;
    base64_table[result] = v1;
  }
  return result;
}
With that, the table transformation is clear: the first 20 entries of the table are reversed.
exp:
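import base64

# Standard Base64 alphabet
base64_table0 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Copy the alphabet into a list so individual entries can be swapped
base64_table1 = []
for i in range(len(base64_table0)):
    base64_table1.append(base64_table0[i])
base64_table2 = ''
# String printed by the binary
s = 'd2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=='
# Same swaps as O_OLookAtYou; the C loop runs while i <= 9, so 10 iterations
for i in range(10):
    v1 = base64_table1[i]
    base64_table1[i] = base64_table1[19 - i]
    result = 19 - i
    base64_table1[result] = v1
# Join the list back into a string
for i in range(len(base64_table1)):
    base64_table2 += base64_table1[i]
string1 = base64_table2
string2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Map the modified alphabet back to the standard one, then decode normally
print(base64.b64decode(s.translate(str.maketrans(string1, string2))))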
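My exp is a bit complicated: I converted the table into an array, then converted it back into a string, and then swapped the table to decode.
That gives the flag: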
wctf2020{Base64_is_the_start_of_reverse}
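
A way to confirm the recovered table, as an added example that is not part of the original post: decode with the swapped alphabet directly, then re-encode the result and compare it with the string the binary prints. The helper names `swapped_table`, `decode` and `encode` are made up for this example.

```python
STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# String printed by the challenge binary (copied from main above).
CIPHERTEXT = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="


def swapped_table(table=STD):
    """Apply the swaps from O_OLookAtYou: entry i <-> entry 19 - i, i = 0..9."""
    t = list(table)
    for i in range(10):
        t[i], t[19 - i] = t[19 - i], t[i]
    return "".join(t)


def decode(text, table):
    """Base64-decode text, using table as the 64-character alphabet."""
    index = {ch: n for n, ch in enumerate(table)}
    bits, nbits, out = 0, 0, bytearray()
    for ch in text.rstrip("="):
        bits = (bits << 6) | index[ch]  # KeyError: character not in table
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1    # keep only the bits not yet emitted
    return bytes(out)


def encode(data, table):
    """Base64-encode data, using table as the 64-character alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        quad = [table[(n >> s) & 63] for s in (18, 12, 6, 0)]
        out.append("".join(quad[:len(chunk) + 1]) + "=" * (3 - len(chunk)))
    return "".join(out)


if __name__ == "__main__":
    table = swapped_table()
    plain = decode(CIPHERTEXT, table)
    print(table)
    print(plain)
    # True only if the table matches the one the binary encoded with
    print(encode(plain, table) == CIPHERTEXT)
```

If the table were wrong for any character that appears in the string, the decoded bytes would not be readable text, which is the quickest sign that a transform was missed.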