[GUET-CTF2019]encrypt.zip

这道题 ida 分析

sub_4006B6 函数定义了一个 buf 加密表,可以通过动态调试 dump 出对应的密码表。

base64 是换表加密。

方法

1. 先推出对应加密前的字符串

2.利用爆破 一次 得到 明文。

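# Solver for [GUET-CTF2019] encrypt. Two layers are undone in turn:
#   1. a base64 variant whose alphabet is the 64 consecutive ASCII characters
#      starting at '=' (a symbol's 6-bit value is ord(ch) - 61), and
#   2. an RC4-style keystream XOR driven by the table dumped from the binary.

# Encoded text taken from the challenge. It contains a single backslash, which
# makes it 52 characters long (13 groups of 4). Writing the backslash twice
# gives 53 characters and makes the group decoder index past the end.
c = "Z`TzzTrD|fQP[_VVL|yneURyUmFklVJgLasJroZpHRxIUlH\\vZE="


def _decode_group(group):
    """Convert four encoded characters into three byte values."""
    s0, s1, s2, s3 = [ord(ch) - 61 for ch in group]
    for value in (s0, s1, s2, s3):
        if not 0 <= value <= 63:
            raise ValueError("character outside the 64-symbol alphabet: %r" % (group,))
    return [
        ((s0 << 2) | (s1 >> 4)) & 0xff,
        ((s1 << 4) | (s2 >> 2)) & 0xff,
        ((s2 << 6) | s3) & 0xff,
    ]


if len(c) % 4:
    raise ValueError("encoded text must be a multiple of 4 characters, got %d" % len(c))

an = []
for start in range(0, len(c), 4):
    an.extend(_decode_group(c[start:start + 4]))

# Drop the bytes that only exist because of '=' padding. '=' is also the
# alphabet's zero symbol, so a trailing '=' is ambiguous in general; here the
# plaintext is 38 bytes long, so the final '=' is padding and the 39th decoded
# byte is discarded.
pad = min(len(c) - len(c.rstrip("=")), 2)
if pad:
    del an[-pad:]

# Cipher state dumped from the running binary: arr[0] and arr[1] seed the two
# stream counters, the remaining 256 entries are the permutation table.
arr = [0, 0, 176, 49, 117, 112, 248, 223, 7, 60, 120, 113, 80, 41, 44, 22, 105, 18, 200, 43, 59, 127, 178, 231, 75, 104, 140, 197, 166, 21, 3, 88, 71, 4, 19, 141, 135, 38,
9, 237, 23, 138, 194, 242, 67, 192, 172, 89, 151, 245, 63, 103, 94, 57, 134, 213, 114, 97, 218, 247, 1, 5, 139, 195, 177, 119, 175, 29, 48, 198, 69, 14, 95, 238, 174, 240, 40, 206, 205, 167, 155, 42, 25, 72, 8, 68, 32, 254, 109, 181, 46, 106, 241, 52, 188, 30, 62, 204, 65, 146, 216, 189, 165, 232, 77, 10, 73, 13, 162, 250, 98, 116, 212, 131, 150, 148, 61, 203, 24, 99, 153, 70, 202, 183, 142, 207, 251, 163, 108, 126, 81, 39, 96, 154, 17, 243, 92, 110, 186, 66, 118, 47, 239, 191, 33, 170, 228, 214, 27, 85, 125, 190, 234, 211, 16, 244, 199, 74, 35, 121, 132, 164, 28, 171, 20, 219, 76, 58, 184, 82, 236, 55, 56, 182, 210, 160, 90, 91, 152, 102, 84, 158, 78, 79, 180, 196, 201, 208, 37, 156, 128, 222, 45, 6, 34, 11, 145, 107, 159, 246, 230, 226, 193, 15, 147, 144, 123, 157, 143, 221, 229, 101, 53, 173, 169, 220, 130, 187, 0,
83, 209, 168, 51, 233, 64, 26, 255, 161, 149, 54, 217, 235, 137, 227, 124, 115, 133, 136, 122, 224, 253, 100, 12, 87, 50, 179, 185, 31, 215, 252, 129, 225, 2, 249, 93, 86, 111, 36]

flag = ""
v7 = arr[0]
v8 = arr[1]
# Work on a copy of the table at its fixed offset. Looking the base up with
# arr.index(176) on every step would point at the wrong place as soon as the
# entry at table position 0 took part in a swap.
sbox = arr[2:]
for cipher_byte in an:
    v7 = (v7 + 1) & 0xff
    v3 = sbox[v7]
    v8 = (v8 + v3) & 0xff
    v4 = sbox[v8]
    sbox[v7], sbox[v8] = v4, v3
    # XOR is its own inverse, so the plaintext byte is recovered directly
    # instead of trying every candidate below 128.
    plain = cipher_byte ^ sbox[(v3 + v4) & 0xff]
    if plain < 128:
        flag += chr(plain)

print(flag)

# Expected output: flag{e10adc3949ba59abbe56e057f20f883e}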