BUUCTF [NPUCTF2020]芜湖

这道题是一个base64隐写，我们要先提取出所有的base加密值，然后用base隐写提取的函数，把flag提取出来，就得到了flag。

1.提取base值

本来想着用ida动调一下，应该可以提出来，结果值在堆上面，ida动调只能看到一半的base值，一点用也没有，没办法，就用pwn的pwndbg查看堆：

接下来就一直单步s运行下去，一个一个把base值提取出来，得到最终的base值：

"55y85YmN6YeN5aSN55qE6aOO5pmvLG==",
"5riQ5riQ5qih57OK5LqG57qm5a6aLO==",
"5pif56m65LiL5rWB5rWq55qE5L2gLH==",
"5LuN54S256eY5a+G55qE6Led56a7LA==",
"5rip5bqm5raI5aSx55qE556s6Ze0LH==",
"5peg5rOV6Kem5pG455qE5piO5aSpLF==",
"5rKh5pyJ5byV5Yqb55qE5LiW55WMLG==",
"5rKh5pyJ6ISa5Y2w55qE5YWJ5bm0LD==",
"6L+Y5Zyo562J552A5L2g5Ye6546wLH==",
"5pel5pel5aSc5aSc6Ieq6L2s55qE6KGM5pifLE==",
"5Yiw5aSE6YGu5ruh5Yir5Lq655qE6IOM5b2xLG==",
"6K6p6aOO5ZC55pWj5re35Lmx55qE5ZG85ZC4LG==",
"5b+r5b+r5riF6YaSfn==",
"6Z2Z6Z2Z54Wn5Lqu5Y6f5p2l55qE6Ieq5bexLL==",
"5aSp56m65rSS5ruh5b+954S255qE5YWJ5piOLE==",
"55y85Lit5Y+q6KaB57ua54OC55qE5aSp6ZmFLG==",
"5YaN6aOe6KGMIW==",
"5oiR5YuH5pWi5Zyw5oqs6LW35aS0LM==",
"55yL552A6Iyr6Iyr55qE5a6H5a6ZLH==",
"5aSa5bCR5pyq55+l55qE5pif55CDLJ==",
"5pyJ5rKh5pyJ6YCa5ZCR5pyq5p2l6Lev5Y+jLD==",
"5Lqy54ix55qE5LyZ5Ly0LB==",
"6K6p5oiR5Lus5LiA6LW354K554eDLG==",
"5YuH5rCU5ZKM5L+h5b+1LO==",
"5Zyo6YGl6L+c55qE5aSp6L65LG==",
"6ZO25rKz6L6557yYLH==",
"5pyJ5LiA54mH56We5aWH55qE5b2p6Jm55rW3LC==",
"5ZKM5oiR5LiA6LW35YaS6ZmpLB==",
"6aOe5ZCR5Y+m5LiA5Liq5LiW55WMLC==",
"5Zyo6YGl6L+c55qE5aSp6L65LB==",
"6ZO25rKz6L6557yYLC==",
"5pyJ5LiA54mH56We5aWH55qE5b2p6Jm55rW3LB==",
"5ZKM5oiR5LiA6LW35YaS6ZmpLH==",
"6aOe5ZCR5Y+m5LiA5Liq5LiW55WMLN==",
"c3VwZXIgbWFnaWMgd29ybGR+fg=="

2.找一个base64隐写的脚本：

def base64_stego(lines):alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'flag = ''temp = 0digit = 0for i in lines:if i[-1] != '=':continueelif i[-2] != '=':digit += 2temp = (temp << 2) + (alphabet.find(i[-2]) & 0x3)else:digit += 4temp = (temp << 4) + (alphabet.find(i[-3]) & 0xf)if digit == 8:digit = 0flag += chr(temp)temp = 0elif digit > 8:digit = 2flag += chr(temp >> 2)temp = temp & 0x3return flag

写个python脚本：

def base64_stego(lines):alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'flag = ''temp = 0digit = 0for i in lines:if i[-1] != '=':continueelif i[-2] != '=':digit += 2temp = (temp << 2) + (alphabet.find(i[-2]) & 0x3)else:digit += 4temp = (temp << 4) + (alphabet.find(i[-3]) & 0xf)if digit == 8:digit = 0flag += chr(temp)temp = 0elif digit > 8:digit = 2flag += chr(temp >> 2)temp = temp & 0x3return flag
a = ["55y85YmN6YeN5aSN55qE6aOO5pmvLG==",
"5riQ5riQ5qih57OK5LqG57qm5a6aLO==",
"5pif56m65LiL5rWB5rWq55qE5L2gLH==",
"5LuN54S256eY5a+G55qE6Led56a7LA==",
"5rip5bqm5raI5aSx55qE556s6Ze0LH==",
"5peg5rOV6Kem5pG455qE5piO5aSpLF==",
"5rKh5pyJ5byV5Yqb55qE5LiW55WMLG==",
"5rKh5pyJ6ISa5Y2w55qE5YWJ5bm0LD==",
"6L+Y5Zyo562J552A5L2g5Ye6546wLH==",
"5pel5pel5aSc5aSc6Ieq6L2s55qE6KGM5pifLE==",
"5Yiw5aSE6YGu5ruh5Yir5Lq655qE6IOM5b2xLG==",
"6K6p6aOO5ZC55pWj5re35Lmx55qE5ZG85ZC4LG==",
"5b+r5b+r5riF6YaSfn==",
"6Z2Z6Z2Z54Wn5Lqu5Y6f5p2l55qE6Ieq5bexLL==",
"5aSp56m65rSS5ruh5b+954S255qE5YWJ5piOLE==",
"55y85Lit5Y+q6KaB57ua54OC55qE5aSp6ZmFLG==",
"5YaN6aOe6KGMIW==",
"5oiR5YuH5pWi5Zyw5oqs6LW35aS0LM==",
"55yL552A6Iyr6Iyr55qE5a6H5a6ZLH==",
"5aSa5bCR5pyq55+l55qE5pif55CDLJ==",
"5pyJ5rKh5pyJ6YCa5ZCR5pyq5p2l6Lev5Y+jLD==",
"5Lqy54ix55qE5LyZ5Ly0LB==",
"6K6p5oiR5Lus5LiA6LW354K554eDLG==",
"5YuH5rCU5ZKM5L+h5b+1LO==",
"5Zyo6YGl6L+c55qE5aSp6L65LG==",
"6ZO25rKz6L6557yYLH==",
"5pyJ5LiA54mH56We5aWH55qE5b2p6Jm55rW3LC==",
"5ZKM5oiR5LiA6LW35YaS6ZmpLB==",
"6aOe5ZCR5Y+m5LiA5Liq5LiW55WMLC==",
"5Zyo6YGl6L+c55qE5aSp6L65LB==",
"6ZO25rKz6L6557yYLC==",
"5pyJ5LiA54mH56We5aWH55qE5b2p6Jm55rW3LB==",
"5ZKM5oiR5LiA6LW35YaS6ZmpLH==",
"6aOe5ZCR5Y+m5LiA5Liq5LiW55WMLN==",
"c3VwZXIgbWFnaWMgd29ybGR+fg=="]
print(base64_stego(a))
#npuctf{Fly1ng!!!}

得到flag:

flag{Fly1ng!!!}

BUUCTF [NPUCTF2020]芜湖相关推荐

[NPUCTF2020]芜湖（Base64隐写）
查壳: 拖进ida 异或 v2 = Oo0O((v3 >> (7 - k)) & 1, (97 >> (7 - k)) & 1) & 1 ^ 2 * v ...
BUUCTF刷题记录(7)
文章目录 web [NPUCTF2020]ezinclude [NPUCTF2020]ReadlezPHP [GXYCTF2019]BabysqliV3.0 非预期1 非预期2 预期 [NCTF201 ...
[buuctf] crypto全解——前84道（不建议直接抄flag）
buuctf crypto 1.MD5 2.Url编码 3.一眼就解密 4.看我回旋踢 5.摩丝 6.[BJDCTF 2nd]签到-y1ng 7.password 8.变异凯撒 9.Quoted-pr ...
BUUCTF Web 第二页全部Write ups
更多笔记,可以关注yym68686.top 目录 [强网杯 2019]高明的黑客 [BUUCTF 2018]Online Tool [RoarCTF 2019]Easy Java [GXYCTF201 ...
BUUCTF reverse题解汇总
本文是BUUCTF平台reverse题解的汇总题解均来自本人博客目录 Page1 Page2 Page3 Page4 Page1 easyre reverse1 reverse2 内涵的软件新年 ...
[NPUCTF2020]Mersenne twister
[NPUCTF2020]Mersenne twister 题目 cef4876036ee8b55aa59bca043725bf350a5e491debdef7ef7d63e9609a288ca1e2c ...
[watevrCTF 2019]Repyc [NPUCTF2020]BasicASM
文章目录 [watevrCTF 2019]Repyc 反编译替换后整体思路: 脚本: [NPUCTF2020]BasicASM 查看题目: 分析 `call __CheckForDebuggerJ ...
[NPUCTF2020]Baby Obfuscation [HDCTF2019]MFC
文章目录 [NPUCTF2020]Baby Obfuscation 把五个Fox分析一下 F0X1(int a, int b): 运用辗转相除法求得最大公因数(学到一个词汇:最大公约数GCD,最小公倍 ...
BUUCTF的Web真题学习整理（一）
目录 WEB1-WarmUp (任意文件包含漏洞) WEB2-高明的黑客(fuzz脚本) WEB3-easy_tornado (服务端模板注入(ssti攻击)) WEB4-Hack World(时间盲 ...

BUUCTF [NPUCTF2020]芜湖

BUUCTF [NPUCTF2020]芜湖相关推荐

最新文章

热门文章