Buuctf - 羊城杯easyre 之Base64.Caeser.String 重排
首先,IDA打开mian函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
int inlen; // eax
int outdata_len; // eax
int outdata2_len; // eax
char indata[48]; // [rsp+20h] [rbp-60h] BYREF
char Str1[64]; // [rsp+50h] [rbp-30h] BYREF
char outdata2[64]; // [rsp+90h] [rbp+10h] BYREF
char outdata[64]; // [rsp+D0h] [rbp+50h] BYREF
char Str2[60]; // [rsp+110h] [rbp+90h] BYREF
int outlen; // [rsp+14Ch] [rbp+CCh] BYREF
_main(argc, argv, envp);
strcpy(Str2, "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG");
puts("Hello, please input your flag and I will tell you whether it is right or not.");
scanf("%38s", indata);
if ( strlen(indata) != 38
|| (inlen = strlen(indata), (unsigned int)base64_encode(indata, inlen, outdata, &outlen))
|| (outdata_len = strlen(outdata), (unsigned int)encode_two(outdata, outdata_len, outdata2, &outlen))
|| (outdata2_len = strlen(outdata2), (unsigned int)Caesar(outdata2, outdata2_len, Str1, &outlen))
|| strcmp(Str1, Str2) )
{
printf("Something wrong. Keep going.");
return 0;
}
else
{
puts("you are right!");
return 0;
}
}
函数逻辑还是比较清晰的 首先输入Str1,已知Str2
Str1经过三次encode
Base64加密
第一次很明显的常量表Base64_encode
它虽然简单,但是对照标准base64加密,可以告诉我们很多变量信息,比如input input_len之类的
代码:
import base64
a = "R1dIVHs2NzJjYzQ3NzhhMzhlODBjYjM2Mjk4NzM0MTEzM2VhMn0="
b = base64.b64decode(a)
for i in range(len(b)):
print(chr(b[i]),end = "")
第二次
字符串重排
这个逻辑我贴一张大佬的图
代码:
def decode_two(a3):
# 确保输入长度足够
if len(a3) < 52:
raise ValueError("Input string must be at least 52 characters long.")
# 初始化 a1 为一个长度为52的空字符串
a1 = [''] * 52
# 将 a3[13..25] 复制到 a1[0..12]
a1[0:13] = a3[13:26]
# 将 a3[39..51] 复制到 a1[13..25]
a1[13:26] = a3[39:52]
# 将 a3[0..12] 复制到 a1[26..38]
a1[26:39] = a3[0:13]
# 将 a3[26..38] 复制到 a1[39..51]
a1[39:52] = a3[26:39]
# 将列表转换回字符串
return ''.join(a1)
# 测试
if __name__ == "__main__":
# 假设编码后的字符串
encoded = "BjYjM2Mjk4NzMR1dIVHs2NzJjY0MTEzM2VhMn0=zQ3NzhhMzhlOD"
# 解码
decoded = decode_two(encoded)
# 打印结果
print("Encoded :", encoded)
print("Decoded :", decoded)
第三次
Caeser加密
__int64 __fastcall encode_three(const char *a1, int a2, char *a3, int *a4)
{
char v5; // [rsp+Fh] [rbp-11h]
int i; // [rsp+14h] [rbp-Ch]
const char *v8; // [rsp+30h] [rbp+10h]
v8 = a1;
if ( !a1 || !a2 )
return 0xFFFFFFFFi64;
for ( i = 0; i < a2; ++i )
{
v5 = *v8;
if ( *v8 <= 64 || v5 > 90 )
{
if ( v5 <= 96 || v5 > 122 )
{
if ( v5 <= 47 || v5 > 57 )
*a3 = v5;
else
*a3 = (v5 - 48 + 3) % 10 + 48; // 数字处理
}
else
{
*a3 = (v5 - 97 + 3) % 26 + 97; // 小写字母处理
}
}
else
{
*a3 = (v5 - 65 + 3) % 26 + 65; // 大写字母处理
}
++a3;
++v8;
}
return 0i64;
}
偏移量为3,其实知道了偏移量,在线加解密网站还挺好用的
代码
a = "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG"
b = ""
for i in a:
if ord(i) >= 65 and ord(i) <= 90:
b += chr((ord(i) - 65 - 3 + 26) % 26 + 65)
elif ord(i) >= 97 and ord(i) <= 122:
b += chr((ord(i) - 97 -3 + 26 ) % 26 + 97)
elif ord(i) >= 48 and ord(i) <= 57:
b += chr((ord(i) - 48 - 3 + 10) % 10 + 48)
else:
b += i
print(b)
print(len(b))
倒着执行回去即可得到flag
浙公网安备 33010602011771号