- 思路
- 脚本
这道题还是一个变了编码表的base64,查壳,是无壳的64位的一个可执行文件
之后拖入ida中进行查看,直接就是把main函数显示出来的。
之后看main函数的内容。
// Hex-Rays pseudocode of main(): reads up to 20 characters of input, then,
// depending on the low bit of rand(), either encodes the input with
// base64_encode() and prints it, or prints a fixed string that the program
// itself describes as "different from the standard base64".
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v3; // ST0F_1
char *v4; // rax
// NOTE(review): the decompiler typed v6 as a single char, but it is used as the
// input buffer; the stack offsets (rbp-40h up to v7 at rbp-8h) suggest 0x38 bytes.
char v6; // [rsp+10h] [rbp-40h]
unsigned __int64 v7; // [rsp+48h] [rbp-8h]
// Reads the qword at fs:0x28; on x86-64 Linux this is normally the
// stack-protector canary (the matching check is not shown in this listing).
v7 = __readfsqword(0x28u);
// NOTE(review): the "n>" below is presumably "\n>" with the backslash lost
// when the page was extracted -- confirm against the binary's strings.
printf("Try my base64 program?.....n>", argv, envp);
// The field width limits the read to 20 characters plus the terminating NUL.
__isoc99_scanf("%20s", &v6);
// The time value is truncated to a char before it is used as the seed; only
// the low bit of the first rand() result decides which branch runs.
v3 = time(0LL);
srand(v3);
if ( rand() & 1 )
{
// base64_encode() writes its output back into the v6 buffer and returns it.
// 20 input characters produce 28 output characters, which fits the buffer
// size inferred above.
v4 = base64_encode(&v6);
puts(v4);
puts("Is there something wrong?");
}
else
{
puts("Sorry I think it's not prepared yet....");
puts("And I get a strange string from my program which is different from the standard base64:");
// This constant is the ciphertext the write-up decodes.
puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==");
puts("What's wrong??");
}
return 0;
}
这里就是输出了一堆字符串,其中有一个看起来像base64编码的字符串;上面还调用了base64_encode,进去一看,确实是base64的编码方式(base64是编码,不是加密)。
// Hex-Rays pseudocode of base64_encode(): encodes the NUL-terminated string a1
// using the lookup table `base` (a global defined outside this listing),
// copies the result back over a1 with strcpy() and returns a1.
//
// NOTE(review): there is no length parameter. The output is longer than the
// input (4 symbols per 3 input bytes), strlen(a1) is never checked against the
// 56-byte src, and strcpy() writes the longer result into the caller's buffer.
// Within this listing the only bound is the "%20s" in main().
char *__fastcall base64_encode(char *a1)
{
int v1; // eax
int v2; // eax
int v3; // ST24_4
int v4; // eax
int v5; // eax
char *v6; // rax
int v7; // eax
int v8; // ST24_4
int v9; // eax
int v11; // [rsp+1Ch] [rbp-54h]
int v12; // [rsp+20h] [rbp-50h]
int v13; // [rsp+24h] [rbp-4Ch]
int v14; // [rsp+28h] [rbp-48h]
int v15; // [rsp+2Ch] [rbp-44h]
char src[56]; // [rsp+30h] [rbp-40h]
unsigned __int64 v17; // [rsp+68h] [rbp-8h]
// Reads the qword at fs:0x28; normally the stack-protector canary on x86-64 Linux.
v17 = __readfsqword(0x28u);
v1 = strlen(a1);
// v15 = number of leftover input bytes (0, 1 or 2); v14 = number of full 3-byte groups.
v15 = v1 % 3;
v14 = v1 / 3;
// Only the first 0x30 (48) of src's 56 bytes are zeroed.
memset(src, 0, 0x30uLL);
// v13 = write index into src, v11 = group counter, v12 = read index into a1.
v13 = 0;
v11 = 0;
v12 = 0;
while ( v11 < v14 )
{
// Each iteration consumes 3 input bytes and emits 4 table symbols.
// NOTE(review): the shifts operate on `char` values; if char is signed (the
// usual case on x86-64), an input byte >= 0x80 would give a negative index
// into base. An implementation working on unsigned char avoids that.
v2 = v13;
v3 = v13 + 1;
src[v2] = base[(char)(a1[v12] >> 2)];
v4 = v3++;
src[v4] = base[16 * (a1[v12] & 3) | (char)(a1[v12 + 1] >> 4)];
src[v3] = base[4 * (a1[v12 + 1] & 0xF) | (char)(a1[v12 + 2] >> 6)];
v5 = v3 + 1;
v13 = v3 + 2;
src[v5] = base[a1[v12 + 2] & 0x3F];
v12 += 3;
++v11;
}
if ( v15 == 1 )
{
// One leftover byte: two symbols, then "==" padding.
src[v13] = base[(char)(a1[v12] >> 2)];
src[v13 + 1] = base[16 * (a1[v12] & 3)];
v6 = &src[strlen(src)];
// 15677 == 0x3D3D, i.e. the two bytes '=' '=' stored as one 16-bit write.
*(_WORD *)v6 = 15677;
v6[2] = 0;
}
else if ( v15 == 2 )
{
// Two leftover bytes: three symbols, then a single '=' (61).
v7 = v13;
v8 = v13 + 1;
src[v7] = base[(char)(a1[v12] >> 2)];
v9 = v8++;
src[v9] = base[16 * (a1[v12] & 3) | (char)(a1[v12 + 1] >> 4)];
src[v8] = base[4 * (a1[v12 + 1] & 0xF)];
src[v8 + 1] = 61;
// No explicit terminator is written here; termination relies on the bytes
// zeroed by the memset above.
}
// Overwrites the caller's input with the (longer) encoded text.
strcpy(a1, src);
return a1;
}
之后也没什么了,但是一解码,发现是乱码,说明这里还有我没注意到的信息。在函数列表中发现有一个O_OLookAtYou,进去看看,发现它对base编码表做了变换,这里才是根源。注意main里并没有直接调用它,可以通过交叉引用确认它是在什么时候被执行的。
// Hex-Rays pseudocode of O_OLookAtYou(): swaps base[i] with base[19 - i] for
// i = 0..9, which reverses the first 20 entries of the global table `base`
// in place (the table itself is defined outside this listing). The remaining
// entries are left untouched.
// NOTE(review): main() as listed does not call this function; presumably it
// runs before main -- confirm via cross-references in the disassembler.
__int64 O_OLookAtYou()
{
char v0; // ST03_1
__int64 result; // rax
signed int i; // [rsp+2h] [rbp-4h]
for ( i = 0; i <= 9; ++i )
{
// Classic three-step swap using v0 as the temporary.
v0 = base[i];
base[i] = base[19 - i];
result = 19 - i;
base[result] = v0;
}
// After the last iteration (i == 9) result holds 10; the value is just a
// leftover of the index computation.
return result;
}
之后对应开始写脚本
脚本直接照搬O_OLookAtYou()中的函数,直接算出来变码之后的编码是多少。
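#include <stdio.h>

/*
 * Recomputes the encoding table the challenge binary uses: start from the
 * standard base64 alphabet and apply the same swap loop as O_OLookAtYou()
 * (exchange base[i] with base[19 - i] for i = 0..9), then print the result.
 *
 * The loop body is kept exactly as copied from the decompiler output; only
 * the header name, the "\n" escape and the non-standard __int64 type were
 * repaired so the file builds with a standard C compiler.
 */
int main(void)
{
    char v0;
    int result;
    int i;
    /* 64 alphabet symbols plus the terminating NUL. */
    char base[65] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    for (i = 0; i <= 9; ++i) {
        v0 = base[i];
        base[i] = base[19 - i];
        result = 19 - i;
        base[result] = v0;
    }
    printf("%s\n", base);
    return 0;
}
// Output: TSRQPONMLKJIHGFEDCBAUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/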
算出来变码是TSRQPONMLKJIHGFEDCBAUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,之后利用python进行下一步,base64解码。
import base64
# Ciphertext that the challenge binary prints in its "else" branch.
str_1 = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="
# Table used by the binary: the standard alphabet with its first 20 entries reversed.
str_base = "TSRQPONMLKJIHGFEDCBAUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Standard base64 alphabet.
str_zh_base = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Replace every symbol of the custom table with the standard symbol at the same
# index; '=' is in neither table, so the padding passes through unchanged.
to_standard = str.maketrans(str_base, str_zh_base)
normalized = str_1.translate(to_standard)

# Once normalized, the text is ordinary base64 and the stdlib decoder handles it.
flag = base64.b64decode(normalized)
print(flag)  # b'wctf2020{Base64_is_the_start_of_reverse}'
最后算出来的flag是wctf2020{Base64_is_the_start_of_reverse},之后用flag{}包裹即可。


