buuctf re [WUSTCTF2020]level3

int __cdecl main(int argc, const char **argv, const char **envp)
{
  const char *v3; // rax
  char v5; // [rsp+Fh] [rbp-41h]
  char v6[56]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v7; // [rsp+48h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  printf("Try my base64 program?.....\n>");
  __isoc99_scanf("%20s", v6);
  v5 = time(0LL);
  srand(v5);
  if ( (rand() & 1) != 0 )
  {
    v3 = (const char *)base64_encode(v6);
    puts(v3);
    puts("Is there something wrong?");
  }
  else
  {
    puts("Sorry I think it's not prepared yet....");
    puts("And I get a strange string from my program which is different from the standard base64:");
    puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==");
    puts("What's wrong??");
  }
  return 0;
}

输出里 puts是base加密 然后根据printf("Try my base64 program?.....\n>");看出是base64

但直接按照base64脚本解密是错误的
于是查看base64_encode 发现其中的tabe表一直在被调用

查看都是谁在调用

查看到有一个函数进入

__int64 O_OLookAtYou()
{
  __int64 result; // rax
  char v1; // [rsp+1h] [rbp-5h]
  int i; // [rsp+2h] [rbp-4h]

  for ( i = 0; i <= 9; ++i )
  {
    v1 = base64_table[i];
    base64_table[i] = base64_table[19 - i];
    result = 19 - i;
    base64_table[result] = v1;
  }
  return result;
}

base64_table[i] = base64_table[19 - i];

跑一下发现是A-T调换顺序

#include<iostream>
#include<cstring>
using namespace std;
int main()
{
	char base64_table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	char flag[]="d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==";
	char v0;
	int result;
	for (int i=0;i<=9;i++)
	{
		v0=base64_table[i];
    base64_table[i] = base64_table[19 - i];
    result = 19 - i;
    base64_table[result] = v0;
     }
    for (int i=0;i<=63;i++)
	  {
	  	cout<<base64_table[i];
	  }
	  cout<<endl;
	  for (int i=0;i<strlen(flag);i++)
	  {
	  	if(flag[i]>='A'&&flag[i]<='T')
	  	{
	  		flag[i]=(19-(flag[i]-'A')+'A');
		  }
		cout<<flag[i];
	  }
 } 

flag{Base64_is_the_start_of_reverse}