![[buuctf.reverse] [安洵杯 2019]crackMe,第1张 [buuctf.reverse] [安洵杯 2019]crackMe,第1张](/aiimages/%5Bbuuctf.reverse%5D+%5B%E5%AE%89%E6%B4%B5%E6%9D%AF+2019%5DcrackMe.png)
走错了好远,才发现原来是sm4
在 IDA 中用 FindCrypt 插件识别加密算法,结果是 base64 和 SM4
这个变表的 base64:先将 Str2 按相邻两个字符一组互换(奇偶位交换),码表索引再循环偏移 24(即 (索引+24)%64),并且码表字母大小写互换
/*
 * Decompiled handler-style routine. When the first DWORD of the record that
 * a1[0] points to equals 0xC0000005 it
 *   1. swaps every adjacent pair of characters of the global Str2 in place,
 *   2. stores the result of sub_41126C(byte_41A180) in the global Str1,
 *   3. copies six DWORDs (offsets 20..40) from the a1[0] record into the
 *      a1[1] record and writes the address of sub_411136 at offset 184 of
 *      the a1[1] record,
 * and returns -1. For any other value it returns a1 itself, cast to int.
 *
 * NOTE(review): a1 looks like an x86 EXCEPTION_POINTERS* (a1[0] = exception
 * record, a1[1] = thread context): 0xC0000005 is the access-violation status
 * code, offsets 20..40 would be ExceptionInformation[0..5], offsets
 * 156/160/164/168/172/176 match Edi/Esi/Ebx/Edx/Ecx/Eax of the x86 CONTEXT
 * layout and 184 matches Eip, so -1 would be EXCEPTION_CONTINUE_EXECUTION and
 * execution would resume in sub_411136. Confirm by applying the structure
 * types in IDA. Where this routine is registered is not shown in this listing.
 */
int __cdecl sub_412C30(_DWORD *a1)
{
int result; // eax
char v2; // [esp+D3h] [ebp-11h]
size_t i; // [esp+DCh] [ebp-8h]
result = (int)a1;
// Act only on code 0xC0000005; everything else falls through to "return result".
if ( *(_DWORD *)*a1 == 0xC0000005 )
{
// Pairwise swap of Str2. The length is re-read on every iteration and there is
// no check that it is even: with an odd length the last swap would exchange the
// final character with the NUL terminator. The Str2 value used by the solver in
// this write-up is 24 characters long, so that case does not arise there.
for ( i = 0; i < j_strlen(Str2); i += 2 )
{
v2 = Str2[i];
Str2[i] = Str2[i + 1];
Str2[i + 1] = v2;
}
Str1 = (char *)sub_41126C(byte_41A180); // base64 (author's label; presumably a thunk to the encoder sub_413090 — confirm)
// Six DWORDs of the a1[0] record are copied into fixed offsets of the a1[1] record.
*(_DWORD *)(a1[1] + 176) = *(_DWORD *)(*a1 + 20);
*(_DWORD *)(a1[1] + 164) = *(_DWORD *)(*a1 + 24);
*(_DWORD *)(a1[1] + 172) = *(_DWORD *)(*a1 + 28);
*(_DWORD *)(a1[1] + 168) = *(_DWORD *)(*a1 + 32);
*(_DWORD *)(a1[1] + 156) = *(_DWORD *)(*a1 + 36);
*(_DWORD *)(a1[1] + 160) = *(_DWORD *)(*a1 + 40);
*(_DWORD *)(a1[1] + 184) = sub_411136; // author's note: sub_411136 is the routine that decides whether the input is correct
return -1;
}
return result;
}
/*
 * Base64-style encoder recovered by the decompiler.
 *
 * Encodes the NUL-terminated string Str three bytes at a time into four output
 * characters taken from BASE64_table_41A080, where each 6-bit value is first
 * passed through sub_4110FF before indexing the table. Missing input bytes in
 * the last group are padded with character 33 ('!') instead of '='.
 *
 * Returns a malloc'ed, NUL-terminated buffer of 4 * ceil(len / 3) characters.
 * No free of that buffer is visible in this listing.
 *
 * NOTE(review): two defects are visible in the decompiled logic itself:
 *   - the malloc result is written to (v7[v9] = 0) without a NULL check;
 *   - when the length is not a multiple of 3, the inner j-loop still reads
 *     Str[i], Str[i + 1] and Str[i + 2], i.e. the terminator and, for a
 *     remainder of 1, one byte past it.
 */
_BYTE *__cdecl sub_413090(char *Str)
{
int k; // [esp+E4h] [ebp-5Ch]
int v3; // [esp+F0h] [ebp-50h]
int j; // [esp+FCh] [ebp-44h]
int v5; // [esp+108h] [ebp-38h]
signed int i; // [esp+114h] [ebp-2Ch]
_BYTE *v7; // [esp+120h] [ebp-20h]
signed int v8; // [esp+12Ch] [ebp-14h]
int v9; // [esp+138h] [ebp-8h]
v5 = 0; // v5: write position in the output buffer
v8 = j_strlen(Str); // v8: input length
// v9: output length, four characters per (possibly partial) group of three bytes.
if ( v8 % 3 )
v9 = 4 * (v8 / 3) + 4;
else
v9 = 4 * (v8 / 3);
// __CFADD__ is the decompiler's carry test for v9 + 1; on carry the requested size becomes -1.
v7 = malloc(__CFADD__(v9, 1) ? -1 : v9 + 1);
v7[v9] = 0; // terminator is stored before any check of the allocation result
for ( i = 0; i < v8; i += 3 )
{
v3 = 0;
// Pack three input bytes into the low 24 bits of v3, first byte highest.
for ( j = 0; j < 3; ++j )
v3 |= (unsigned __int8)Str[j + i] << (8 * (2 - j));
for ( k = 0; k < 4; ++k )
{
// In a final, partial group the positions with no input bytes get the pad character.
if ( k >= 4 - (i + 3 - v8) && i + 3 > v8 )
v7[v5] = 33;
else
v7[v5] = BASE64_table_41A080[sub_4110FF((v3 >> (6 * (3 - k))) & 0x3F)]; // author's note: the 6-bit index is shifted here (sub_4110FF is presumably a thunk to sub_412760 — confirm)
++v5;
}
}
return v7;
}
/*
 * Index remap applied to each 6-bit value before the table lookup:
 * returns (a1 + 24) modulo 64, i.e. the alphabet is used with an offset of 24.
 * For the 6-bit inputs 0..63 the result stays within 0..63.
 */
int __cdecl sub_412760(int a1)
{
return (a1 + 24) % 64; // author's note: offset ("shift") of 24
}
//表的大小写互换
/*
 * Swaps the case of every ASCII letter in BASE64_table_41A080 in place, shows a
 * message box ("hooked" / "successed"), registers Handler as a vectored
 * exception handler and returns 0. None of the four parameters is used.
 *
 * Because the table is modified at run time, the bytes of BASE64_table_41A080
 * seen in the static image are not the alphabet the encoder uses once this
 * routine has run.
 *
 * NOTE(review): the four-argument __stdcall signature and the "hooked" text
 * suggest this is a replacement for a hooked four-argument API; the hook
 * installation and the body of Handler are not shown in this listing.
 */
int __stdcall sub_412AB0(int a1, int a2, int a3, int a4)
{
size_t i; // [esp+D8h] [ebp-8h]
for ( i = 0; i < j_strlen(BASE64_table_41A080); ++i )
{
// 97..122 is 'a'..'z': convert to upper case.
if ( BASE64_table_41A080[i] <= 122 && BASE64_table_41A080[i] >= 97 )
{
BASE64_table_41A080[i] -= 32;
}
// 65..90 is 'A'..'Z': convert to lower case. Digits, '+' and '/' are left alone.
else if ( BASE64_table_41A080[i] <= 90 && BASE64_table_41A080[i] >= 65 )
{
BASE64_table_41A080[i] += 32;
}
}
MessageBoxA(0, "hooked", "successed", 0);
// First argument 0: the handler is added at the end of the vectored handler list.
AddVectoredExceptionHandler(0, Handler);
return 0;
}
然后是SM4写了半天没弄出来,后来一查有对应的库pysm4
- 从 GitHub 下载 yang3yen/pysm4;国内也可以通过 gitee 镜像加速下载(使用镜像时建议核对内容与上游仓库一致)
- 修改 setup.py 第26行,给 open 加上 encoding 参数:with open('README.md', 'r', encoding='utf-8') as fp:
- python setup.py install安装
最后直接调用方法就行了
import base64
from libnum import s2n,n2s
from pysm4 import decrypt
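# SM4 key converted to an integer; decrypt() below is called with integer arguments.
sm4_key = s2n(b"where_are_u_now?")
print(hex(sm4_key))

# Undo the binary's modified base64:
#   1. swap each adjacent pair of characters of the comparison string,
#   2. the alphabet index is offset by 24 (mod 64),
#   3. the alphabet has upper and lower case swapped (standard order is A-Za-z0-9+/).
# The binary pads with '!' instead of '=', so the trailing "!!" of the original
# string is already written as "==" here.
str2 = list('1UTAOIkpyOSWGv/mOYFY4R==')
for i in range(0, len(str2), 2):
    # The loop body must be indented; without it the script does not parse.
    str2[i], str2[i + 1] = str2[i + 1], str2[i]
str2 = ''.join(str2)

# Steps 2 and 3 combined into one translation: the first string is the alphabet
# as the binary uses it (case-swapped, starting at index 24), the second is the
# standard base64 alphabet. '=' is not in the table and passes through unchanged.
biao = str.maketrans(
    "yzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/abcdefghijklmnopqrstuvwx",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
)
cipher = s2n(base64.b64decode(str2.translate(biao).encode('utf-8')))
print(hex(cipher))

# Single-block SM4 decryption of the decoded ciphertext with the key above.
print(b'flag{' + n2s(decrypt(cipher, sm4_key)) + b"}")
#flag{SM4foRExcepioN?!}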