BUUCTF在线评测 (buuoj.cn)

查壳是32位，ida打开，进入main函数，进入sub_401260看看

查看byte_413000存的字符串

_BYTE *__cdecl sub_401260(int a1, unsigned int a2)
{int v3; // [esp+Ch] [ebp-24h]int v4; // [esp+10h] [ebp-20h]int v5; // [esp+14h] [ebp-1Ch]int i; // [esp+1Ch] [ebp-14h]unsigned int v7; // [esp+20h] [ebp-10h]_BYTE *v8; // [esp+24h] [ebp-Ch]int v9; // [esp+28h] [ebp-8h]int v10; // [esp+28h] [ebp-8h]unsigned int v11; // [esp+2Ch] [ebp-4h]v8 = malloc(4 * ((a2 + 2) / 3) + 1);if ( !v8 )return 0;v11 = 0;v9 = 0;while ( v11 < a2 ){v5 = *(unsigned __int8 *)(v11 + a1);if ( ++v11 >= a2 ){v4 = 0;}else{v4 = *(unsigned __int8 *)(v11 + a1);++v11;}if ( v11 >= a2 ){v3 = 0;}else{v3 = *(unsigned __int8 *)(v11 + a1);++v11;}v7 = v3 + (v5 << 16) + (v4 << 8);v8[v9] = byte_413000[(v7 >> 18) & 0x3F];v10 = v9 + 1;v8[v10] = byte_413000[(v7 >> 12) & 0x3F];v8[++v10] = byte_413000[(v7 >> 6) & 0x3F];v8[++v10] = byte_413000[v3 & 0x3F];v9 = v10 + 1;}for ( i = 0; i < dword_413040[a2 % 3]; ++i )v8[4 * ((a2 + 2) / 3) - i - 1] = 61;v8[4 * ((a2 + 2) / 3)] = 0;return v8;
}

明显是base64的变表

直接shift+F12也可以看到

直接用脚本解密

import base64str0="x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"str1='ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/'
str2='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'print(base64.b64decode(str0.translate(str.maketrans(str1,str2))))#b'sh00ting_phish_in_a_barrel@flare-on.com'

本题是一个简单base64变表加密，脚本解密即可