Str1和Str2相同的话就是正确的flag
查看sub_401360函数,看做了什么修改
_BYTE *__cdecl sub_401260(int a1, unsigned int a2) { int v3; // [esp+Ch] [ebp-24h] int v4; // [esp+10h] [ebp-20h] int v5; // [esp+14h] [ebp-1Ch] int i; // [esp+1Ch] [ebp-14h] unsigned int v7; // [esp+20h] [ebp-10h] _BYTE *v8; // [esp+24h] [ebp-Ch] int v9; // [esp+28h] [ebp-8h] int v10; // [esp+28h] [ebp-8h] unsigned int v11; // [esp+2Ch] [ebp-4h] v8 = malloc(4 * ((a2 + 2) / 3) + 1); if ( !v8 ) return 0; v11 = 0; v9 = 0; while ( v11 < a2 ) { v5 = *(unsigned __int8 *)(v11 + a1); if ( ++v11 >= a2 ) { v4 = 0; } else { v4 = *(unsigned __int8 *)(v11 + a1); ++v11; } if ( v11 >= a2 ) { v3 = 0; } else { v3 = *(unsigned __int8 *)(v11 + a1); ++v11; } v7 = v3 + (v5 << 16) + (v4 << 8); v8[v9] = byte_413000[(v7 >> 18) & 0x3F]; v10 = v9 + 1; v8[v10] = byte_413000[(v7 >> 12) & 0x3F]; v8[++v10] = byte_413000[(v7 >> 6) & 0x3F]; v8[++v10] = byte_413000[v3 & 0x3F]; v9 = v10 + 1; } for ( i = 0; i < dword_413040[a2 % 3]; ++i ) v8[4 * ((a2 + 2) / 3) - i - 1] = 61; v8[4 * ((a2 + 2) / 3)] = 0; return v8; }
观察,是一个base64加密
获取编码表
base64_data=[0x5a,0x59,0x58,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x7a,0x79,0x78,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6a,0x6b,0x6c,0x6d,0x6e,0x6f,0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x2b,0x2f] base64_table='' for i in range(len(base64_data)): base64_table+=chr(base64_data[i]) print(base64_table)
WP
import base64 str1 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q" base64_table = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/" base64_str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" decoded_str = base64.b64decode(str1.translate(str.maketrans(base64_table, base64_str))) print(decoded_str)
flag{sh00ting_phish_in_a_barrel@flare-on.com}
