roger 发表于 2020-4-27 11:52:37

xuenixiang_2020_re_Reverse8


# babybaseX Writeup

> 主要考察base family中的base58编码



但是给的表是打乱的具有迷惑性的`vrYenHCzNgu7FRTDbLiqtBpQZoUS3f5dKWsaM8Gm1EyVJkjw4cA6X92Pxh0OLl+/ `,在base58后加入了base64的`0OLl+/`部分,但其实并不会用到这六个字符同时在题目中也未明确出现58字样,而是通过`int base = *(pbegin+1)-*pbegin+25; `隐式给出了base,所以在写base解码的时候不能直接写出base58,而是需要测试base的值,最终得到与加密后结果`gmJNxnNCPChRefqDYSU1KZ`相同的输入,即为flag。

base58解码的writeup如下:

```shell

#include <iostream>
#include <vector>
#include <assert.h>
#include <string.h>
#include <iomanip>      // std::setw

static const char* pszBase58 = "vrYenHCzNgu7FRTDbLiqtBpQZoUS3f5dKWsaM8Gm1EyVJkjw4cA6X92Pxh0OLl+/";
bool DecodeBase58(const char* psz, std::vector<unsigned char>& vch)
{
    // Skip leading spaces.
    while (*psz && isspace(*psz))
      psz++;
    // Skip and count leading '1's.
    int zeroes = 0;
    int length = 0;
    while (*psz == '1') {
      zeroes++;
      psz++;
    }
    // Allocate enough space in big-endian base256 representation.
    int size = strlen(psz) * 733 /1000 + 1; // log(58) / log(256), rounded up.
    std::vector<unsigned char> b256(size);
    // Process the characters.
    while (*psz && !isspace(*psz)) {
      // Decode base58 character
      const char* ch = strchr(pszBase58, *psz);
      if (ch == nullptr)
            return false;
      // Apply "b256 = b256 * 58 + ch".
      int carry = ch - pszBase58;
      int i = 0;
      for (std::vector<unsigned char>::reverse_iterator it = b256.rbegin(); (carry != 0 || i < length) && (it != b256.rend()); ++it, ++i) {
            carry += 58 * (*it);
            *it = carry % 256;
            carry /= 256;
      }
      assert(carry == 0);
      length = i;
      psz++;
    }
    // Skip trailing spaces.
    while (isspace(*psz))
      psz++;
    if (*psz != 0)
      return false;
    // Skip leading zeroes in b256.
    std::vector<unsigned char>::iterator it = b256.begin() + (size - length);
    while (it != b256.end() && *it == 0)
      it++;
    vch.reserve(zeroes + (b256.end() - it));
    vch.assign(zeroes, 0x00);
    while (it != b256.end())
      vch.push_back(*(it++));
    return true;
}

bool DecodeBase58(const std::string& str, std::vector<unsigned char>& vchRet)
{
    return DecodeBase58(str.c_str(), vchRet);
}
int main(int argc, char* argv[]){
    std::string encode="gmJNxnNCPChRefqDYSU1KZ";
    std::vector<unsigned char> decode;
    DecodeBase58(encode, decode);
    std::cout<<"Decode: ";
    for(std::vector<unsigned char>::iterator iter = decode.begin(); iter != decode.end(); ++iter)
    {
      std::cout<<*iter;
    }

    std::cout<<std::endl;
    return 0;
}
```

`flag:flag{NowYouKnowBa5358}`
**** Hidden Message *****

snorlax 发表于 2021-5-10 17:11:03

用心讨论,共获提升!

Arsenal 发表于 2021-11-5 10:13:52

谢谢大佬们!!!!!!!!!

TylerJiang 发表于 2022-5-10 11:31:30

可以这样回复么
页: [1]
查看完整版本: xuenixiang_2020_re_Reverse8