[ACTF新生赛2020]usualCrypt

这道题是魔改了base64替换表,同时在进行最后的比较的时候也有一个坑,就是大小写互换的问题。

首先程序没有任何壳,也没啥保护机制,打开就能看到主要关系代换:

程序逻辑还是比较清晰的,sub_401000就是对原始替换表的处理函数,可以动态转储出来:

然后就是明显的base64加密函数,三个一组进行替换,可以通过修改已知代码完成:

base64.cpp:

include "base64.h"

include

static const std::string base64_chars =
"ABCDEFQRSTUVWXYPGHIJKLMNOZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";

static inline bool is_base64(unsigned char c) {
return (isalnum(c) || (c == '+') || (c == '/'));
}

std::string base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len) {
std::string ret;
int i = 0;
int j = 0;
unsigned char char_array_3[3];
unsigned char char_array_4[4];

while (in_len--) {
    char_array_3[i++] = *(bytes_to_encode++);
    if (i == 3) {
        char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
        char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
        char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
        char_array_4[3] = char_array_3[2] & 0x3f;

        for (i = 0; (i < 4); i++)
            ret += base64_chars[char_array_4[i]];
        i = 0;
    }
}

if (i)
{
    for (j = i; j < 3; j++)
        char_array_3[j] = '\0';

    char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
    char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
    char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
    char_array_4[3] = char_array_3[2] & 0x3f;

    for (j = 0; (j < i + 1); j++)
        ret += base64_chars[char_array_4[j]];

    while ((i++ < 3))
        ret += '=';

}

return ret;

}

std::string base64_decode(std::string const& encoded_string) {
int in_len = encoded_string.size();
int i = 0;
int j = 0;
int in_ = 0;
unsigned char char_array_4[4], char_array_3[3];
std::string ret;

while (in_len-- && (encoded_string[in_] != '=') && is_base64(encoded_string[in_])) {
    char_array_4[i++] = encoded_string[in_]; in_++;
    if (i == 4) {
        for (i = 0; i < 4; i++)
            char_array_4[i] = base64_chars.find(char_array_4[i]);

        char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
        char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
        char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];

        for (i = 0; (i < 3); i++)
            ret += char_array_3[i];
        i = 0;
    }
}

if (i) {
    for (j = i; j < 4; j++)
        char_array_4[j] = 0;

    for (j = 0; j < 4; j++)
        char_array_4[j] = base64_chars.find(char_array_4[j]);

    char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
    char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
    char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];

    for (j = 0; (j < i - 1); j++) ret += char_array_3[j];
}

return ret;

}

base64.h:

include

std::string base64_encode(unsigned char const*, unsigned int len);
std::string base64_decode(std::string const& s);

main.h:

include "base64.h"

include

using namespace std;

int main() {
const std::string s = "jiangtao";

std::string encoded = base64_encode(reinterpret_cast<const unsigned char*>(s.c_str()), s.length());
std::string decoded = base64_decode(encoded);

std::cout << "encoded: " << encoded << std::endl;
std::cout << "decoded: " << decoded << std::endl;

std::cout << "decoded: " <<std::string(base64_decode("ZmxhZ3tiGNXlXjHfaDTzN2FfK3LycRTpc2L9")) << std::endl;

return 0;

}

注意关键判断位置虽然有一个比较字符串:

但是源程序还进行了其他操作,大小写字母互换,所以需要把里面的大小写字母处理之后再运算。

得到flag:

flag{bAse64_h2s_a_Surprise}

题目链接:https://buuoj.cn/files/7f51f14d871550406211ffe7cecd50d3/attachment.tar?token=eyJ1c2VyX2lkIjo1NTY4LCJ0ZWFtX2lkIjpudWxsLCJmaWxlX2lkIjoxNjgxfQ.Xoqaeg.QAyxvbSXoMRzS87-FdeiulJxIoY

posted @ 2020-04-06 11:06  jentle  阅读(736)  评论(0编辑  收藏  举报