题目

密文:uLdAuO8duojAFLEKjIgdpfGeZoELjJp9kSieuIsAjJ/LpSXDuCGduouz

泄露的密文:

···pTjMwJ9WiQHfvC+eFCFKTBpWQtmgjopgqtmPjfKfjSmdFLpeFf/Aj2ud3tN7u2+enC9+nLN8kgdWo29ZnCrOFCDdFCrOFoF=···

泄露的明文:

ashlkj!@sj1223%^&*Sd4564sd879s5d12f231a46qwjkd12J;DJjl;LjL;KJ8729128713

解题思路

Base64 符合号表替换，根据泄露明文及密文对，计算出密文正常情况下的BASE64字符串，发现部分字符未知(未知字符用&代替)。

c1_base64=ZmxhZ3sxZTNhMm&lN&0xYz&yLT&mNGYtOWIyZ&&hNGFmYW&kZj&xZTZ&

去重后发现，发现密文中只有6个字符未知其变换前对应的字符

tmp=["E","I","G","s","X","z"]

base64符号表中未使用的字符串如下  

no_equal="ACHJKPRVefnuvw156789+/"

使用爆破方式求解flag，并对flag的格式进行验证。

if(flag==0 and base64.b64decode(c2_base64_tmp)[-1]=='}' and base64.b64decode(c2_base64_tmp)[13]=='-'):

完整exp如下

```import base64

import itertools

table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

table1='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-{}'

m1="ashlkj!@sj1223%^&*Sd4564sd879s5d12f231a46qwjkd12J;DJjl;LjL;KJ8729128713"

c1="pTjMwJ9WiQHfvC+eFCFKTBpWQtmgjopgqtmPjfKfjSmdFLpeFf/Aj2ud3tN7u2+enC9+nLN8kgdWo29ZnCrOFCDdFCrOFoF="

c1_base64=base64.b64encode(m1)

c2="uLdAuO8duojAFLEKjIgdpfGeZoELjJp9kSieuIsAjJ/LpSXDuCGduouz"

c2_base64=""

for i in c2:

index=c1.find(i)

if(index==-1):

c2_base64+="&"

else:

c2_base64+=c1_base64[index]

no_equal=""

for i in table:

if(c1_base64.find(i)==-1):

no_equal+=i

tmp=[]

for i in range(len(c2_base64)):

if c2_base64[i]=="&":

tmp.append(c2[i])

tmp = list(set(tmp))

for i in itertools.permutations(no_equal, 6):

combin=i

c2_base64_tmp=""

for k in range(len(c2_base64)):

if(c2_base64[k]=='&'):

for j in range(len(tmp)):

if(c2[k]==tmp[j]):

c2_base64_tmp+=combin[j]

else:

c2_base64_tmp+=c2_base64[k]

flag=0

for m in base64.b64decode(c2_base64_tmp):

if(table1.find(m)==-1):

flag=1

if(flag==0 and base64.b64decode(c2_base64_tmp)[-1]=='}' and base64.b64decode(c2_base64_tmp)[13]=='-'):

print(base64.b64decode(c2_base64_tmp)+"\n")

```

flag存在多解现象，需手动提交（BP无法自动提交，这点很坑）