BUUCTF_RE_[WUSTCTF2020]level3
64位ELF文件
查字符串找到这么个字符串,当然,肯定没那么简单就直接base64
主函数:
int __cdecl main(int argc, const char **argv, const char **envp) { char *v3; // rax char v5; // [rsp+Fh] [rbp-41h] char v6[56]; // [rsp+10h] [rbp-40h] BYREF unsigned __int64 v7; // [rsp+48h] [rbp-8h] v7 = __readfsqword(0x28u); printf("Try my base64 program?.....\n>"); __isoc99_scanf("%20s", v6); v5 = time(0LL); srand(v5); if ( (rand() & 1) != 0 ) { v3 = base64_encode(v6); puts(v3); puts("Is there something wrong?"); } else { puts("Sorry I think it's not prepared yet...."); puts("And I get a strange string from my program which is different from the standard base64:"); puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="); puts("What's wrong??"); } return 0; }
一开始我看着它的随机种子,以为是随机base64加密,
然后尝试之后,发现也不对,解不出来
百度得知
然后得到一个新的快捷键
Ctrl+x,查看调用函数
然后就该是变表了
查看base64_table表的函数调用
你会发现O_OLookAtYou
跟进汇编C代码
__int64 O_OLookAtYou() { __int64 result; // rax char v1; // [rsp+1h] [rbp-5h] int i; // [rsp+2h] [rbp-4h] for ( i = 0; i <= 9; ++i ) { v1 = base64_table[i]; base64_table[i] = base64_table[19 - i]; result = 19 - i; base64_table[result] = v1; } return result; }
然后这个变换表就很清楚了
exp:
import base64 import string base64_table0 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' base64_table1=[] for i in range(len(base64_table0)): base64_table1.append(base64_table0[i]) base64_table2='' s='d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==' for i in range(9): v1=base64_table1[i] base64_table1[i]=base64_table1[19-i] result=19-i base64_table1[result]=v1 for i in range(len(base64_table1)): base64_table2+=base64_table1[i] string1=base64_table2 string2='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' print(base64.b64decode(s.translate(str.maketrans(string1,string2))))
我的exp有点复杂,我把那个表转换成了数组,让后再转换成字符串,再换表解密
得到flag
wctf2020{Base64_is_the_start_of_reverse}