某次热身赛re方向wp
base64只不过换了一个表没有任何包装这个总能做了吧int __fastcall main(int argc, const char **argv, const char **envp) { int flag_len; // [rsp4h] [rbp-2Ch] char *encoded; // [rsp8h] [rbp-28h] char flag[24]; // [rsp10h] [rbp-20h] BYREF unsigned __int64 v7; // [rsp28h] [rbp-8h] v7 __readfsqword(0x28u); read(0, flag, 0x15u); flag_len strlen(flag); encoded (char *)malloc(4 * flag_len / 3 4); if ( encoded ) { base64_custom_encode((const unsigned __int8 *)flag, flag_len, encoded); if ( !strcmp(encoded, zNoHvOEJwug8z9sH0NQH0NQH0NQU) ) puts(success); else puts(fail); free(encoded); return 0; } else { fwrite(malloc failed\n, 1u, 0xEu, stderr); return 1; } }看到base64_custom_encode函数void __cdecl base64_custom_encode(const unsigned __int8 *input, int len, char *output) { int v3; // eax int v4; // eax int v5; // eax int i; // [rsp1Ch] [rbp-Ch] int j; // [rsp20h] [rbp-8h] unsigned int triple; // [rsp24h] [rbp-4h] unsigned int triplea; // [rsp24h] [rbp-4h] unsigned int tripleb; // [rsp24h] [rbp-4h] i 0; j 0; while ( len i 2 ) { triple (input[i 1] 8) | (input[i] 16) | input[i 2]; output[j] custom_b64_table[(triple 18) 0x3F]; output[j 1] custom_b64_table[(triple 12) 0x3F]; output[j 2] custom_b64_table[(triple 6) 0x3F]; v3 j 3; j 4; output[v3] custom_b64_table[triple 0x3F]; i 3; } if ( len i 1 ) { triplea input[i] 16; output[j] custom_b64_table[(input[i] 2) 0x3F]; output[j 1] custom_b64_table[(triplea 12) 0x3F]; output[j 2] 61; v4 j 3; j 4; output[v4] 61; } else if ( len i 2 ) { tripleb (input[i] 16) | (input[i 1] 8); output[j] custom_b64_table[(tripleb 18) 0x3F]; output[j 1] custom_b64_table[(tripleb 12) 0x3F]; output[j 2] custom_b64_table[(tripleb 6) 0x3F]; v5 j 3; j 4; output[v5] 61; } output[j] 0; }再看到custom_b64_table双击custom_b64_table db XYZabcdefghijklmnopqrstuvwxyz0123456789/ABCDEFGHIJKLMNOPQRSTUVW拿到自定义的base64编码表直接找在线工具http://web.chacuo.net/netbasexsdpc{rererepwnpwnpwn}或者手搓pythonSTANDARD_ALPHABET XYZabcdefghijklmnopqrstuvwxyz0123456789/ABCDEFGHIJKLMNOPQRSTUVW def encode(data: str, alphabet: str STANDARD_ALPHABET) - str: result [] for i in range(0, len(data), 3): #步长为3 chunk data[i : i 3] #三个一组 value ord(chunk[0]) 16 if len(chunk) 1: value | ord(chunk[1]) 8 if len(chunk) 2: value | ord(chunk[2]) for j in range(4): if j len(chunk) 1: result.append(alphabet[(value (18 - j * 6)) 0x3F]) else: result.append() return .join(result) def decode(data: str, alphabet: str STANDARD_ALPHABET) - str: padding data.count() data data.rstrip() result [] for i in range(0, len(data), 4): chunk data[i : i 4] value 0 for j, c in enumerate(chunk): value | alphabet.index(c) (18 - j * 6) n 4 - padding if i len(data) - 4 else 4 #判断是否为最后一组 for j in range(n - 1): result.append(chr((value (16 - j * 8)) 0xFF)) return .join(result) adecode(zNoHvOEJwug8z9sH0NQH0NQH0NQU) print(a)如果脚本或代码有看不懂的可以用以下提示词把这段代码当作我完全不会编程来解释逐行说明每行代码做了什么、为什么这样做以及整个程序的功能。用最通俗的语言不要跳过任何基础概念包括函数用法。不会吧直接给class文件还不会做吗