Problem: [LitCTF 2023]enbase64
ida分析
/*
 * Hex-Rays pseudocode for the challenge's main(): it prompts for the flag,
 * reads it with gets(), and, only when the input is exactly 33 characters
 * long, encodes it with base64() and hands the result to basecheck().
 * Always returns 0.
 *
 * The decompiler has split three stack buffers into pairs. The stack offsets
 * in the comments below show that each pair is adjacent:
 *   v4 + v5  = 61 + 4  = 65 bytes   (64-character alphabet plus NUL)
 *   v6 + v7  = 4 + 996 = 1000 bytes (encoded output)
 *   Str + v9 = 4 + 996 = 1000 bytes (user input)
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[61]; // [esp+1Fh] [ebp-81Dh] BYREF
  char v5[4]; // [esp+5Ch] [ebp-7E0h] BYREF
  char v6[4]; // [esp+60h] [ebp-7DCh] BYREF
  char v7[996]; // [esp+64h] [ebp-7D8h] BYREF
  char Str[4]; // [esp+448h] [ebp-3F4h] BYREF
  _BYTE v9[996]; // [esp+44Ch] [ebp-3F0h] BYREF

  __main();
  // Zero the 1000-byte input buffer (Str followed by v9).
  *(_DWORD *)Str = 0;
  memset(v9, 0, sizeof(v9));
  // Zero the 1000-byte output buffer (v6 followed by v7), so the encoded text
  // stays NUL-terminated even though base64() never writes a terminator.
  *(_DWORD *)v6 = 0;
  memset(v7, 0, sizeof(v7));
  // The next three statements look like one inlined copy of the standard
  // base64 alphabet into v4..v5: first dword, trailing "9+/\0", then the middle.
  // NOTE(review): the qmemcpy pointer arithmetic is a decompiler artifact;
  // confirm the resulting table contents in a debugger.
  *(_DWORD *)v4 = *(_DWORD *)"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  strcpy(v5, "9+/");
  qmemcpy(&v4[1], &aAbcdefghijklmn[-(v4 - &v4[1])], 4 * (((v4 - &v4[1] + 65) & 0xFFFFFFFC) >> 2));
  puts("Please input flag:");
  // NOTE(review): gets() has no length bound. The strlen() test below runs only
  // after the read, so it does not limit how many bytes were written; a line
  // longer than the input buffer overruns the stack frame.
  gets(Str);
  // 33 is a multiple of 3, so base64()'s three-byte loop ends exactly on the
  // terminator and needs no '=' padding.
  if ( strlen(Str) == 33 )
  {
    // v4 is the alphabet (a1), Str the plaintext, v6 the output buffer (a3).
    base64(v4, Str, v6);
    // basecheck() is not shown here; presumably it compares the encoded text
    // in v6 against the ciphertext stored in the binary.
    basecheck(v6);
  }
  return 0;
}
发现是base64,但是直接拿basecheck() 里面的密文解密会有乱码,所以应该是自定义字母表,打开base64()函数
/*
 * Hex-Rays pseudocode for the encoder: writes the base64 encoding of Str into
 * a3, using a1 as the 64-entry alphabet after basechange() has processed it.
 *
 * a1   alphabet table, passed to basechange() first (not shown here;
 *      presumably rewrites the table in place, so the table used for lookup
 *      differs from the one main() built)
 * Str  NUL-terminated input; its length is taken with strlen()
 * a3   output buffer; receives 4 bytes per 3 input bytes, with no bounds check
 *      and no NUL terminator written
 *
 * Returns the loop counter at exit, i.e. the first multiple of 3 that is
 * >= strlen(Str).
 *
 * NOTE(review): there is no '=' padding and every iteration reads Str[i + 1]
 * and Str[i + 2] unconditionally, so the output is only a correct encoding
 * when the length is a multiple of 3. main() only calls this with length 33.
 * NOTE(review): Str is plain char; if char is signed on this target, a byte
 * >= 0x80 makes the shifted value negative and the a1[] index out of range.
 */
signed int __cdecl base64(char *a1, char *Str, char *a3)
{
  signed int result; // eax
  signed int v4; // [esp+14h] [ebp-14h]
  signed int i; // [esp+18h] [ebp-10h]
  int v6; // [esp+1Ch] [ebp-Ch]

  // The alphabet is processed before any lookup; from here on a1 holds the
  // table that is actually used for encoding.
  basechange(a1);
  v4 = strlen(Str);
  v6 = 0;
  for ( i = 0; ; i += 3 )
  {
    result = i;
    if ( i >= v4 )
      break;
    // Sextet 1: top 6 bits of byte 0.
    a3[v6] = a1[Str[i] >> 2];
    // Sextet 2: low 2 bits of byte 0, then top 4 bits of byte 1.
    a3[v6 + 1] = a1[(16 * Str[i]) & 0x30 | (Str[i + 1] >> 4)];
    // Sextet 3: low 4 bits of byte 1, then top 2 bits of byte 2.
    a3[v6 + 2] = a1[(4 * Str[i + 1]) & 0x3C | (Str[i + 2] >> 6)];
    // Sextet 4: low 6 bits of byte 2.
    a3[v6 + 3] = a1[Str[i + 2] & 0x3F];
    v6 += 4;
  }
  return result;
}
注意到base64()一开始就调用basechange(a1)把传入的字母表a1做了更改,所以我们直接在a3[v6] = a1[Str[i] >> 2]; 处打下断点(执行到这里时a1已经是更改后的字母表),然后通过动态调试获得码表
但是运行时程序直接退出了,提示缺少libgcc_s_dw2-1.dll。去DLL‑files下载一个,放在和程序相同的文件夹下就可以运行程序了。这个DLL是MinGW的GCC运行库,也可以直接从MinGW安装目录的bin文件夹里复制,来源比第三方DLL下载站更可信;第三方下载的DLL会被加载进被调试的进程,所以这类题目最好在隔离的虚拟机里调试
通过动态调试得到了字母表
gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND
然后用这个字母表代替标准base64字母表,对basecheck()里的密文解码就能得到flag了
