buuctf re [WUSTCTF2020]level3
int __cdecl main(int argc, const char **argv, const char **envp)
{
const char *v3; // rax
char v5; // [rsp+Fh] [rbp-41h]
char v6[56]; // [rsp+10h] [rbp-40h] BYREF
unsigned __int64 v7; // [rsp+48h] [rbp-8h]
v7 = __readfsqword(0x28u);
printf("Try my base64 program?.....\n>");
__isoc99_scanf("%20s", v6);
v5 = time(0LL);
srand(v5);
if ( (rand() & 1) != 0 )
{
v3 = (const char *)base64_encode(v6);
puts(v3);
puts("Is there something wrong?");
}
else
{
puts("Sorry I think it's not prepared yet....");
puts("And I get a strange string from my program which is different from the standard base64:");
puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==");
puts("What's wrong??");
}
return 0;
}
输出里 puts是base加密 然后根据printf("Try my base64 program?.....\n>");看出是base64
但直接按照base64脚本解密是错误的
于是查看base64_encode 发现其中的tabe表一直在被调用
查看都是谁在调用
查看到有一个函数进入
__int64 O_OLookAtYou()
{
__int64 result; // rax
char v1; // [rsp+1h] [rbp-5h]
int i; // [rsp+2h] [rbp-4h]
for ( i = 0; i <= 9; ++i )
{
v1 = base64_table[i];
base64_table[i] = base64_table[19 - i];
result = 19 - i;
base64_table[result] = v1;
}
return result;
}
base64_table[i] = base64_table[19 - i];
跑一下发现是A-T调换顺序
#include
#include
using namespace std;
int main()
{
char base64_table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
char flag[]="d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==";
char v0;
int result;
for (int i=0;i<=9;i++)
{
v0=base64_table[i];
base64_table[i] = base64_table[19 - i];
result = 19 - i;
base64_table[result] = v0;
}
for (int i=0;i<=63;i++)
{
cout<='A'&&flag[i]<='T')
{
flag[i]=(19-(flag[i]-'A')+'A');
}
cout< flag{Base64_is_the_start_of_reverse}