【2025/01/16】攻防世界、BUUCTF竞赛题目研究

SYSTEM-RAMOS · 发表于 2025-1-16 21:02:10

本帖最后由 SYSTEM-RAMOS 于 2025-1-16 21:02 编辑

1.攻防世界：csaw2013reversing2
IDA打开，将main函数反编译为C语言文件后，得到

<blockquote>int __cdecl __noreturn main(int argc, const char **argv, const char **envp)

复制代码

1.看到第16行代码，输出flag，lpMem中保存着flag值。

2.第8行代码，为lpMen申请内存空间。

3.第9行代码，为lpMem赋值。其中&unk_409B10的值为

.data:00409B10 unk_409B10 db 0BBh ; DATA XREF: _main+33↑o
.data:00409B11 db 0CCh
.data:00409B12 db 0A0h
.data:00409B13 db 0BCh
.data:00409B14 db 0DCh
.data:00409B15 db 0D1h
.data:00409B16 db 0BEh
.data:00409B17 db 0B8h
.data:00409B18 db 0CDh
.data:00409B19 db 0CFh
.data:00409B1A db 0BEh
.data:00409B1B db 0AEh
.data:00409B1C db 0D2h
.data:00409B1D db 0C4h
.data:00409B1E db 0ABh
.data:00409B1F db 82h
.data:00409B20 db 0D2h
.data:00409B21 db 0D9h
.data:00409B22 db 93h
.data:00409B23 db 0B3h
.data:00409B24 db 0D4h
.data:00409B25 db 0DEh
.data:00409B26 db 93h
.data:00409B27 db 0A9h
.data:00409B28 db 0D3h
.data:00409B29 db 0CBh
.data:00409B2A db 0B8h
.data:00409B2B db 82h
.data:00409B2C db 0D3h
.data:00409B2D db 0CBh
.data:00409B2E db 0BEh
.data:00409B2F db 0B9h
.data:00409B30 db 9Ah
.data:00409B31 db 0D7h
.data:00409B32 db 0CCh
.data:00409B33 db 0DDh

复制代码

从第13行代码我们知道，第10~15行代码在对lpMem操作，又因为 ExitProcess(0xFFFFFFFF);所以猜测，这段if结构没有执行（执行的话，就会直接退出，不会有跳出MessageBox对话框），于是使用OD对程序进行调试：

00111307 > [ DISCUZ_CODE_1181 ]nbsp; E8 531A0000 call 00112D5F
0011130C .^ E9 95FEFFFF jmp 001111A6
00111311 > 8BFF mov edi,edi
00111313 /. 55 push ebp
00111314 |. 8BEC mov ebp,esp
00111316 |. 81EC 28030000 sub esp,0x328
0011131C |. A3 589C1100 mov dword ptr ds:[0x119C58],eax
00111321 |. 890D 549C1100 mov dword ptr ds:[0x119C54],ecx
00111327 |. 8915 509C1100 mov dword ptr ds:[0x119C50],edx
0011132D |. 891D 4C9C1100 mov dword ptr ds:[0x119C4C],ebx
00111333 |. 8935 489C1100 mov dword ptr ds:[0x119C48],esi
00111339 |. 893D 449C1100 mov dword ptr ds:[0x119C44],edi
0011133F |. 66:8C15 709C1>mov word ptr ds:[0x119C70],ss
00111346 |. 66:8C0D 649C1>mov word ptr ds:[0x119C64],cs
0011134D |. 66:8C1D 409C1>mov word ptr ds:[0x119C40],ds
00111354 |. 66:8C05 3C9C1>mov word ptr ds:[0x119C3C],es
0011135B |. 66:8C25 389C1>mov word ptr ds:[0x119C38],fs
00111362 |. 66:8C2D 349C1>mov word ptr ds:[0x119C34],gs
00111369 |. 9C pushfd
0011136A |. 8F05 689C1100 pop dword ptr ds:[0x119C68]
00111370 |. 8B45 00 mov eax,dword ptr ss:[ebp]
00111373 |. A3 5C9C1100 mov dword ptr ds:[0x119C5C],eax
00111378 |. 8B45 04 mov eax,dword ptr ss:[ebp+0x4]
0011137B |. A3 609C1100 mov dword ptr ds:[0x119C60],eax
00111380 |. 8D45 08 lea eax,[arg.1]
00111383 |. A3 6C9C1100 mov dword ptr ds:[0x119C6C],eax
00111388 |. 8B85 E0FCFFFF mov eax,[local.200]
0011138E |. C705 A89B1100>mov dword ptr ds:[0x119BA8],0x10001
00111398 |. A1 609C1100 mov eax,dword ptr ds:[0x119C60]
0011139D |. A3 5C9B1100 mov dword ptr ds:[0x119B5C],eax
001113A2 |. C705 509B1100>mov dword ptr ds:[0x119B50],0xC0000409
001113AC |. C705 549B1100>mov dword ptr ds:[0x119B54],0x1
001113B6 |. A1 04901100 mov eax,dword ptr ds:[0x119004]
001113BB |. 8985 D8FCFFFF mov [local.202],eax
001113C1 |. A1 08901100 mov eax,dword ptr ds:[0x119008]
001113C6 |. 8985 DCFCFFFF mov [local.201],eax
001113CC |. FF15 14601100 call dword ptr ds:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
001113D2 |. A3 A09B1100 mov dword ptr ds:[0x119BA0],eax
001113D7 |. 6A 01 push 0x1
001113D9 |. E8 1C1A0000 call 00112DFA
001113DE |. 59 pop ecx
001113DF |. 6A 00 push 0x0 ; /pTopLevelFilter = NULL
001113E1 |. FF15 34601100 call dword ptr ds:[<&KERNEL32.SetUnhandl>; \SetUnhandledExceptionFilter
001113E7 |. 68 3C611100 push 0011613C ; /pExceptionInfo = pro3.0011613C
001113EC |. FF15 30601100 call dword ptr ds:[<&KERNEL32.UnhandledE>; \UnhandledExceptionFilter
001113F2 |. 833D A09B1100>cmp dword ptr ds:[0x119BA0],0x0
001113F9 |. 75 08 jnz X00111403
001113FB |. 6A 01 push 0x1
001113FD |. E8 F8190000 call 00112DFA
00111402 |. 59 pop ecx
00111403 |> 68 090400C0 push 0xC0000409 ; /ExitCode = C0000409 (-1073740791.)
00111408 |. FF15 2C601100 call dword ptr ds:[<&KERNEL32.GetCurrent>; |[GetCurrentProcess
0011140E |. 50 push eax ; |hProcess
0011140F |. FF15 28601100 call dword ptr ds:[<&KERNEL32.TerminateP>; \TerminateProcess
00111415 |. C9 leave
00111416 \. C3 retn

复制代码

右键查找全部字符串，找到“Flag”的位置

001110A5 . 6A 02 push 0x2 ; /Style = MB_ABORTRETRYIGNORE|MB_APPLMODAL
001110A7 . 68 20781100 push 00117820 ; |Title = "Flag"
001110AC . FF75 F4 push dword ptr ss:[ebp-0xC] ; |Text
001110AF . 6A 00 push 0x0 ; |hOwner = NULL
001110B1 . FF15 E4601100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
001110B7 . EB 14 jmp X001110CD
001110B9 > 6A 02 push 0x2 ; /Style = MB_ABORTRETRYIGNORE|MB_APPLMODAL
001110BB . 68 20781100 push 00117820 ; |Title = "Flag"
001110C0 . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; |
001110C3 . 40 inc eax ; |
001110C4 . 50 push eax ; |Text
001110C5 . 6A 00 push 0x0 ; |hOwner = NULL
001110C7 . FF15 E4601100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA

复制代码

通过设置断点调试，我们可以了解到，if结构和第1个“Flag”处没有执行。

if结构对应汇编代码：

00111083 . E8 A2FFFFFF call 0011102A
00111088 . 85C0 test eax,eax
0011108A . 75 0A jnz X00111096
0011108C . FF15 14601100 call dword ptr ds:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
00111092 . 85C0 test eax,eax
00111094 74 23 je X001110B9
00111096 > 41 inc ecx
00111097 . 41 inc ecx
00111098 . 41 inc ecx
00111099 . 41 inc ecx
0011109A . CC int3
0011109B . 8B55 F4 mov edx,dword ptr ss:[ebp-0xC]
0011109E . E8 5DFFFFFF call 00111000
001110A3 . EB 4A jmp X001110EF

复制代码

既然这个if结构中有对flag值的操作，而且还跳过了，秉承“偷鸡摸狗，必定有内幕”的侦探心理，在OD修改代码，使得程序执行if结构，再跳转到第二个MessageBox处，对代码进行修改：

00111083 . E8 A2FFFFFF call 0011102A
00111088 . 85C0 test eax,eax
0011108A . 75 0A jnz X00111096
0011108C . FF15 14601100 call dword ptr ds:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
00111092 . 85C0 test eax,eax
00111094 90 nop
00111095 90 nop
00111096 > 41 inc ecx
00111097 . 41 inc ecx
00111098 . 41 inc ecx
00111099 . 41 inc ecx
0011109A 90 nop
0011109B . 8B55 F4 mov edx,dword ptr ss:[ebp-0xC]
0011109E . E8 5DFFFFFF call 00111000
001110A3 EB 14 jmp X001110B9

复制代码

运行即可得到FLAG。
2.攻防世界：crackme
用简单的ODdump脱壳就行了。载入IDA，修改判断处的代码，直接打印出正确答案即可。

from ida_bytes import get_bytes
s = ''
data = get_bytes(0x402130, 0x402140-0x402130)
r = get_bytes(0x402150, 0x402200-0x402150)
print(len(r))
for i in range(int((len(r))/4)):
s += chr(ord(data[i % 16]) ^ ord(r[i * 4]))
print(s)

复制代码

3.攻防世界：testre反编译后，找到了一个比较字符串的函数，他还专门拆开来写。我们需要按照顺序将字符串进行拼接，得到D9cS9N9iHjMLTdA8YSMRMp，另在代码看见“58”，猜测可能是base58加密，使用工具解密后即可得到flag。

4.攻防世界：Newbie_calculations
经IDA分析后，直接修改答案处的输出代码：

#include<iostream>
#include<cstdio>
using namespace std;
int sub_401000(int a1, int a2)
{
return a1+a2;
}
int sub_401100(int a1, int a2)
{
return a1*a2;
}
int sub_401220(int a1, int a2)
{
return a1-a2;
}
int main()
{
int v3; // eax
int v4; // eax
int v5; // eax
int v6; // eax
int v7; // eax
int v8; // eax
int v9; // eax
int v10; // eax
int v11; // eax
int v12; // eax
int v13; // eax
int v14; // eax
int v15; // eax
int v16; // eax
int v17; // eax
int v18; // eax
int v19; // eax
int v20; // eax
int v21; // eax
int v22; // eax
int v23; // eax
int v24; // eax
int v25; // eax
int v26; // eax
int v27; // eax
int v28; // eax
int v29; // eax
int v30; // eax
int v31; // eax
int v32; // eax
int v33; // eax
int v34; // eax
int v35; // eax
int v36; // eax
int v37; // eax
int v38; // eax
int v39; // eax
int v40; // eax
int v41; // eax
int v42; // eax
int v43; // eax
int v44; // eax
int v45; // eax
int v46; // eax
int v47; // eax
int v48; // eax
int v49; // eax
int v50; // eax
int v51; // eax
int v52; // eax
int v53; // eax
int v54; // eax
int v55; // eax
int v56; // eax
int v57; // eax
int v58; // eax
int v59; // eax
int v60; // eax
int v61; // eax
int v62; // eax
int v63; // eax
int v64; // eax
int v65; // eax
int v66; // eax
int v67; // eax
int v68; // eax
int v69; // eax
int v70; // eax
int v71; // eax
int v72; // eax
int v73; // eax
int v74; // eax
int v75; // eax
int v76; // eax
int v77; // eax
int v78; // eax
int v79; // eax
int v80; // eax
int v81; // eax
int v82; // eax
int v83; // eax
int v84; // eax
int v85; // eax
int v86; // eax
int v87; // eax
int v88; // eax
int v89; // eax
int v90; // eax
int v91; // eax
int v92; // eax
int v93; // eax
int v94; // eax
int v95; // eax
int v96; // eax
int v97; // eax
int v98; // eax
int v99; // eax
int v100; // eax
int v101; // eax
int v102; // eax
int v103; // eax
int v104; // eax
int v105; // eax
int v106; // eax
int v107; // eax
int v108; // eax
int v109; // ST1C_4
int v110; // eax
int v111; // eax
int v112; // ST20_4
int v113; // eax
int v114; // eax
int v115; // ST20_4
int v116; // eax
signed int i; // [esp+4h] [ebp-90h]
signed int j; // [esp+8h] [ebp-8Ch]
int v120[32]; // [esp+Ch] [ebp-88h]
int v121; // [esp+8Ch] [ebp-8h]
for ( i = 0; i < 32; ++i )
v120[i] = 1;
v121 = 0;
puts("Your flag is:");
v3 = sub_401100(v120[0], 1000000000);
v4 = sub_401220(v3, 999999950);
v120[0] = sub_401100(v4, 2);
v5 = sub_401000(v120[1], 5000000);
v6 = sub_401220(v5, 6666666);
v7 = sub_401000(v6, 1666666);
v8 = sub_401000(v7, 45);
v9 = sub_401100(v8, 2);
v120[1] = sub_401000(v9, 5);
v10 = sub_401100(v120[2], 1000000000);
v11 = sub_401220(v10, 999999950);
v12 = sub_401100(v11, 2);
v120[2] = sub_401000(v12, 2);
v13 = sub_401000(v120[3], 55);
v14 = sub_401220(v13, 3);
v15 = sub_401000(v14, 4);
v120[3] = sub_401220(v15, 1);
v16 = sub_401100(v120[4], 100000000);
v17 = sub_401220(v16, 99999950);
v18 = sub_401100(v17, 2);
v120[4] = sub_401000(v18, 2);
v19 = sub_401220(v120[5], 1);
v20 = sub_401100(v19, 1000000000);
v21 = sub_401000(v20, 55);
v120[5] = sub_401220(v21, 3);
v22 = sub_401100(v120[6], 1000000);
v23 = sub_401220(v22, 999975);
v120[6] = sub_401100(v23, 4);
v24 = sub_401000(v120[7], 55);
v25 = sub_401220(v24, 33);
v26 = sub_401000(v25, 44);
v120[7] = sub_401220(v26, 11);
v27 = sub_401100(v120[8], 10);
v28 = sub_401220(v27, 5);
v29 = sub_401100(v28, 8);
v120[8] = sub_401000(v29, 9);
v30 = sub_401000(v120[9], 0);
v31 = sub_401220(v30, 0);
v32 = sub_401000(v31, 11);
v33 = sub_401220(v32, 11);
v120[9] = sub_401000(v33, 53);
v34 = sub_401000(v120[10], 49);
v35 = sub_401220(v34, 2);
v36 = sub_401000(v35, 4);
v120[10] = sub_401220(v36, 2);
v37 = sub_401100(v120[11], 1000000);
v38 = sub_401220(v37, 999999);
v39 = sub_401100(v38, 4);
v120[11] = sub_401000(v39, 50);
v40 = sub_401000(v120[12], 1);
v41 = sub_401000(v40, 1);
v42 = sub_401000(v41, 1);
v43 = sub_401000(v42, 1);
v44 = sub_401000(v43, 1);
v45 = sub_401000(v44, 1);
v46 = sub_401000(v45, 10);
v120[12] = sub_401000(v46, 32);
v47 = sub_401100(v120[13], 10);
v48 = sub_401220(v47, 5);
v49 = sub_401100(v48, 8);
v50 = sub_401000(v49, 9);
v120[13] = sub_401000(v50, 48);
v51 = sub_401220(v120[14], 1);
v52 = sub_401100(v51, -294967296);
v53 = sub_401000(v52, 55);
v120[14] = sub_401220(v53, 3);
v54 = sub_401000(v120[15], 1);
v55 = sub_401000(v54, 2);
v56 = sub_401000(v55, 3);
v57 = sub_401000(v56, 4);
v58 = sub_401000(v57, 5);
v59 = sub_401000(v58, 6);
v60 = sub_401000(v59, 7);
v120[15] = sub_401000(v60, 20);
v61 = sub_401100(v120[16], 10);
v62 = sub_401220(v61, 5);
v63 = sub_401100(v62, 8);
v64 = sub_401000(v63, 9);
v120[16] = sub_401000(v64, 48);
v65 = sub_401000(v120[17], 7);
v66 = sub_401000(v65, 6);
v67 = sub_401000(v66, 5);
v68 = sub_401000(v67, 4);
v69 = sub_401000(v68, 3);
v70 = sub_401000(v69, 2);
v71 = sub_401000(v70, 1);
v120[17] = sub_401000(v71, 20);
v72 = sub_401000(v120[18], 7);
v73 = sub_401000(v72, 2);
v74 = sub_401000(v73, 4);
v75 = sub_401000(v74, 3);
v76 = sub_401000(v75, 6);
v77 = sub_401000(v76, 5);
v78 = sub_401000(v77, 1);
v120[18] = sub_401000(v78, 20);
v79 = sub_401100(v120[19], 1000000);
v80 = sub_401220(v79, 999999);
v81 = sub_401100(v80, 4);
v82 = sub_401000(v81, 50);
v120[19] = sub_401220(v82, 1);
v83 = sub_401220(v120[20], 1);
v84 = sub_401100(v83, -294967296);
v85 = sub_401000(v84, 49);
v120[20] = sub_401220(v85, 1);
v86 = sub_401220(v120[21], 1);
v87 = sub_401100(v86, 1000000000);
v88 = sub_401000(v87, 54);
v89 = sub_401220(v88, 1);
v90 = sub_401000(v89, 1000000000);
v120[21] = sub_401220(v90, 1000000000);
v91 = sub_401000(v120[22], 49);
v92 = sub_401220(v91, 1);
v93 = sub_401000(v92, 2);
v120[22] = sub_401220(v93, 1);
v94 = sub_401100(v120[23], 10);
v95 = sub_401220(v94, 5);
v96 = sub_401100(v95, 8);
v97 = sub_401000(v96, 9);
v120[23] = sub_401000(v97, 48);
v98 = sub_401000(v120[24], 1);
v99 = sub_401000(v98, 3);
v100 = sub_401000(v99, 3);
v101 = sub_401000(v100, 3);
v102 = sub_401000(v101, 6);
v103 = sub_401000(v102, 6);
v104 = sub_401000(v103, 6);
v120[24] = sub_401000(v104, 20);
v105 = sub_401000(v120[25], 55);
v106 = sub_401220(v105, 33);
v107 = sub_401000(v106, 44);
v108 = sub_401220(v107, 11);
v120[25] = sub_401000(v108, 42);
v120[26] = sub_401000(v120[26], v120[25]);
v120[27] = sub_401000(v120[27], v120[12]);
v109 = v120[27];
v110 = sub_401220(v120[28], 1);
v111 = sub_401000(v110, v109);
v120[28] = sub_401220(v111, 1);
v112 = v120[23];
v113 = sub_401220(v120[29], 1);
v114 = sub_401100(v113, 1000000);
v120[29] = sub_401000(v114, v112);
v115 = v120[27];
v116 = sub_401000(v120[30], 1);
v120[30] = sub_401100(v116, v115);
v120[31] = sub_401000(v120[31], v120[30]);
printf("CTF{");
for ( j = 0; j < 32; ++j )
printf("%c", v120[j]);
printf("}\n");
return 0;
}

复制代码

5.攻防世界：elrond32

# import string
a=[15, 31, 4, 9, 28, 18, 66, 9, 12, 68, 13, 7, 9, 6, 45, 55, 89, 30, 0, 89, 15, 8, 28, 35, 54, 7, 85, 2, 12, 8, 65, 10, 20]
# T = 'iendagsr'
T = 'isengard'
for i in range(len(a)):
print(chr(a[i] ^ ord(T[i%len(T)])),end='')

复制代码

6.BUUCTF：[FlareOn4]IgniteMe

byte_403000=[0x0D,0x26,0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D,0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x9,0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42,0x1, 0x40, 0x4D, 0x0C, 0x2, 0x69, 0x0]
flag=""
L=len(byte_403000)-1
for i in range(len(byte_403000)):
if i==0:
byte_403000[L-i]= byte_403000[L-i]^0x4
byte_403000[L-i-1] = byte_403000[L-i-1]^byte_403000[L-i]
flag+=chr(byte_403000[L-i])
print(byte_403000)
print(flag[::-1])

复制代码

7.BUUCTF：特殊的 BASE64
反编译后，查看主函数部分代码：

int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rax
__int64 v4; // rax
std::string result; // [rsp+20h] [rbp-60h]
std::string rightFlag; // [rsp+30h] [rbp-50h]
std::string str; // [rsp+40h] [rbp-40h]
char v9; // [rsp+4Fh] [rbp-31h]
std::string v10; // [rsp+50h] [rbp-30h]
_main();
std::string::string(&str);
std::allocator<char>::allocator(&v9);
std::string::string(&rightFlag, "mTyqm7wjODkrNLcWl0eqO8K8gc1BPk1GNLgUpI==", &v9);
std::allocator<char>::~allocator(&v9);
v3 = std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, "Please input your flag!!!!");
std::ostream::operator<<(v3, refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_);
std::operator>><char,std::char_traits<char>,std::allocator<char>>(refptr__ZSt3cin, &str);
std::string::string(&v10, &str);
base64Encode(&result);
std::string::~string(&v10);
if ( std::operator==<char>(&result, &rightFlag) )
v4 = std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, "The flag is right!!!!!!!!!");
else
v4 = std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, "This is a wrong flag!!!!!!!!");
std::ostream::operator<<(v4, refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_);
std::string::~string(&result);
std::string::~string(&rightFlag);
std::string::~string(&str);
return 0;
}

复制代码

std::string __cdecl base64Encode(std::string *p_decode)
{
std::string *v1; // rdx
char *v2; // rax
int v3; // eax
int v4; // ebx
char *v5; // rax
int v6; // eax
int v7; // ebx
char *v8; // rax
int v9; // eax
_BYTE *v10; // rax
int v11; // eax
char *v12; // rax
int v13; // eax
_BYTE *v14; // rax
int v15; // eax
char *v16; // rax
int v17; // eax
int v18; // ebx
char *v19; // rax
int v20; // eax
_BYTE *v21; // rax
int v22; // eax
__int64 v24; // [rsp+0h] [rbp-80h]
char v25; // [rsp+2Fh] [rbp-51h]
int pos_0; // [rsp+30h] [rbp-50h]
int pos; // [rsp+34h] [rbp-4Ch]
int len; // [rsp+38h] [rbp-48h]
int i; // [rsp+3Ch] [rbp-44h]
std::string *p_encodeResult; // [rsp+60h] [rbp-20h]
std::string *p_decodea; // [rsp+68h] [rbp-18h]
p_encodeResult = p_decode;
p_decodea = v1;
std::allocator<char>::allocator((char *)&v24 + 47);
std::string::string(p_encodeResult, &unk_489084, &v25);
std::allocator<char>::~allocator(&v25);
len = std::string::length(p_decodea);
for ( i = 0; len / 3 > i; ++i )
{
v2 = (char *)std::string::operator[](p_decodea, 3 * i);
v3 = *(char *)std::string::operator[](&baseKey, *v2 >> 2);
std::string::operator+=(p_encodeResult);
v4 = 16 * (*(_BYTE *)std::string::operator[](p_decodea, 3 * i) & 3);
v5 = (char *)std::string::operator[](p_decodea, 3 * i + 1);
v6 = *(char *)std::string::operator[](&baseKey, v4 | (*v5 >> 4));
std::string::operator+=(p_encodeResult);
v7 = 4 * (*(_BYTE *)std::string::operator[](p_decodea, 3 * i + 1) & 0xF);
v8 = (char *)std::string::operator[](p_decodea, 3 * i + 2);
v9 = *(char *)std::string::operator[](&baseKey, v7 | (*v8 >> 6));
std::string::operator+=(p_encodeResult);
v10 = (_BYTE *)std::string::operator[](p_decodea, 3 * i + 2);
v11 = *(char *)std::string::operator[](&baseKey, *v10 & 0x3F);
std::string::operator+=(p_encodeResult);
}
if ( len % 3 == 1 )
{
pos = 3 * (len / 3);
v12 = (char *)std::string::operator[](p_decodea, 3 * (len / 3));
v13 = *(char *)std::string::operator[](&baseKey, *v12 >> 2);
std::string::operator+=(p_encodeResult);
v14 = (_BYTE *)std::string::operator[](p_decodea, pos);
v15 = *(char *)std::string::operator[](&baseKey, 16 * (*v14 & 3));
std::string::operator+=(p_encodeResult);
std::string::operator+=(p_encodeResult, "==");
}
if ( len % 3 == 2 )
{
pos_0 = 3 * (len / 3);
v16 = (char *)std::string::operator[](p_decodea, 3 * (len / 3));
v17 = *(char *)std::string::operator[](&baseKey, *v16 >> 2);
std::string::operator+=(p_encodeResult);
v18 = 16 * (*(_BYTE *)std::string::operator[](p_decodea, pos_0) & 3);
v19 = (char *)std::string::operator[](p_decodea, pos_0 + 1);
v20 = *(char *)std::string::operator[](&baseKey, v18 | (*v19 >> 4));
std::string::operator+=(p_encodeResult);
v21 = (_BYTE *)std::string::operator[](p_decodea, pos_0 + 1);
v22 = *(char *)std::string::operator[](&baseKey, 4 * (*v21 & 0xF));
std::string::operator+=(p_encodeResult);
std::string::operator+=(p_encodeResult, "=");
}
return (std::string)p_encodeResult;
}

复制代码

最后编写python脚本进行解码：

import base64
str_1 = "mTyqm7wjODkrNLcWl0eqO8K8gc1BPk1GNLgUpI=="
str_base = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0987654321/+"
str_zh_base = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
flag = base64.b64decode(str_1.translate(str.maketrans(str_base,str_zh_base)))
print(flag)#flag{Special_Base64_By_Lich}'

复制代码

8.BUUCTF：[CFI-CTF 2018]IntroToPE
反编译后发现一个字符串Q0ZJey5OZXRDI18xc19AdzNzMG0zfQ==
直接base4解码，得到密码。

android · 发表于 2025-1-17 21:27:39

谢谢楼主分享

cena · 发表于 2025-1-17 11:37:24

谢谢分享

wang1126 · 发表于 2025-1-17 09:52:11

厉害，谢谢楼主分享。

k8_ka · 发表于 2025-1-17 09:49:05

感谢分享

小灰兔 · 发表于 2025-1-17 07:23:42

感谢分享

2012sunyu4506 · 发表于 2025-1-17 00:01:19

谢谢分享，支持个。

yc2428 · 发表于 2025-1-16 23:07:01

谢谢分享

hmaaaa · 发表于 2025-1-16 22:54:41

感謝大大分享!^^ 辛苦了！

呵呵#1861 · 发表于 2025-1-16 22:51:35

谢谢分享

dhlxtynz · 发表于 2025-1-16 22:49:55

厉害！看不懂

15126222223 · 发表于 2025-1-16 22:32:31

厉害。学习了。

		自动登录	找回密码
密码			注册

[转贴] 【2025/01/16】攻防世界、BUUCTF竞赛题目研究