2025 NSSCTF Round27 Reverse Individual Competition Writeup

easyre

Open the attachment in IDA and locate the main function from its strings. It contains junk instructions; NOP them out.

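The encryption is just RC4. Take the encrypted form of a known input and XOR it back to recover the keystream, then XOR the keystream with the target ciphertext.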

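# Known input fed to the program: 24 'A' characters
print("A" * 24)
# Encrypted form of that known input, read out of the program
get = [0x4E, 0xE3, 0xD9, 0x7F, 0x1D, 0x0F, 0x66, 0x7C, 0xC0, 0xD1,
       0x07, 0x46, 0x29, 0x7A, 0xDC, 0x21, 0xE3, 0xAC, 0xA5, 0x5D,
       0x6D, 0x03, 0x9C, 0x3C]
# Target ciphertext (signed bytes as shown by IDA)
enc = [65, -15, -53, 125, 8, 8, 92, 105, -23, -7, 53, 88, 89, 104, -62, 18, -63, -39, -69, 47, 109, 17, -124, 0]
# keystream = known plaintext XOR its ciphertext
keystream = [(ord("A") ^ i) & 0xff for i in get]
for i in range(len(enc)):
    enc[i] ^= keystream[i]
    enc[i] &= 0xff  # fold the signed values back into 0..255
print("".join(map(chr, enc)))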
#NSSCTF{This_1S_rc4_3ASY}
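
Why the XOR trick above works, as an added example that is not part of the original writeup: RC4 is a stream cipher, so with a fixed key every input is XORed with the same keystream, and one known input/output pair reveals it. The key, probe and secret below are constructed sample values, and the function names are hypothetical.

```python
# Added example: standard RC4 plus plaintext recovery from one known pair.
# Key, probe and secret are constructed sample values, not the challenge's.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

def recover_with_known_plaintext(known_pt: bytes, known_ct: bytes,
                                 target_ct: bytes) -> bytes:
    """Recover the target plaintext without the key, given one
    plaintext/ciphertext pair produced under the same keystream."""
    if len(known_pt) != len(known_ct):
        raise ValueError("known plaintext and ciphertext differ in length")
    if len(target_ct) > len(known_ct):
        raise ValueError("known pair is too short to cover the target")
    keystream = bytes(p ^ c for p, c in zip(known_pt, known_ct))
    return bytes(c ^ k for c, k in zip(target_ct, keystream))

def demo() -> bytes:
    key = b"constructed-demo-key"          # never seen by the recovery step
    secret = b"SAMPLE{constructed_flag}"
    target_ct = rc4(key, secret)
    probe = b"A" * len(secret)             # chosen input, as in the writeup
    probe_ct = rc4(key, probe)
    return recover_with_known_plaintext(probe, probe_ct, target_ct)

if __name__ == "__main__":
    print(demo().decode())
```

The same property is why a stream-cipher key must never be reused across messages without a fresh nonce or IV.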

Ezcpp

Open the attachment in IDA and step into the encryption function.

The main encryption is XOR followed by base64; write the decryption in reverse order.

enc = [0x0e, 0x0d, 0x13, 0x0c, 0x1e, 0x31, 0x18, 0x11, 0x2d, 0x5a, 0x50, 0x2d, 0x3e, 0x52, 0x00, 0x19, 0x1c, 0x2d, 0x5b,
       0x55, 0x47, 0x12, 0x18]
key = b'harker'
# XOR each byte with the repeating key
for i in range(len(enc)):
    enc[i] ^= key[i % len(key)]
    print(chr(enc[i]), end='')
#flag{Cpp_15_V3rry_345y}

EzProcessStruct

Windows kernel reversing; the encryption is just XOR.
The challenge description says the version number is 7, so XOR the data back with 7 and then decode it.

import base64

enc = b'SkISV6U@b5Q1_6cwejUqc4Iaf5Q~ejQtNTA>'
key = 7  # version number from the challenge description
flag = []
# Undo the single-byte XOR to get the base64 text back
for i in range(len(enc)):
    # print(chr(enc[i] ^ key), end='')
    flag.append(enc[i] ^ key)
flag_bytes = bytes(flag)
decoded_flag = base64.b64decode(flag_bytes)
print(decoded_flag.decode('utf-8'))
#NSSCTF{ez_Windows_kernel!!}

ezminiprograme

WeChat mini program reversing. First unpack it with wxappUnpacker to get the JS files, then scroll toward the end of app-service.js to find the main logic.
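The code contains a lot of 256s, so it is probably RC4. Standard RC4 does not decrypt it, so it must be a modified variant. The key is NSSCTF2025 and the ciphertext is 216, 156, 159, 86, 8, 143, 254, 92, 113, 3, 228, 74, 37, 80, 146, 68, 71, 42, 137, 132, 170, 85, 13, 196, 226, 152, 120, 176, 184, 36, 195, 233, 123, 230, 89, 10, 121, 180, 5, 219
Just hand it to GPT and it can write the decryption.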

def generate_sbox(key: str):
    # Modified RC4 key schedule
    a = list(range(256))
    n = len(key)
    e = [ord(key[i % n]) for i in range(256)]
    i = 0
    for r in range(256):
        i = (i + a[r] + e[r]) % 256
        a[r], a[i] = a[i], a[r]
        # Extra step not in standard RC4: also swap the entries at r+1 and i+1
        u0, u1 = a[(i + 1) % 256], a[(r + 1) % 256]
        a[(r + 1) % 256], a[(i + 1) % 256] = u0, u1
    return a

def decrypt(ciphertext, key):
    sbox = generate_sbox(key)
    e = 0
    o = 0
    plaintext = []
    # Modified keystream generation; each keystream byte s is XORed with the ciphertext
    for i in range(len(ciphertext)):
        e = (e + sbox[o := (o + sbox[i % 256]) % 256]) % 256
        sbox[o], sbox[e] = sbox[e], sbox[o]
        s = sbox[(sbox[o] + sbox[e]) % 256]
        plaintext.append(chr(ciphertext[i] ^ s))
    return "".join(plaintext)

ciphertext = [216, 156, 159, 86, 8, 143, 254, 92, 113, 3, 228, 74, 37, 80, 146, 68, 71, 42, 137, 132, 170, 85, 13, 196, 226, 152, 120, 176, 184, 36, 195, 233, 123, 230, 89, 10, 121, 180, 5, 219]
key = "NSSCTF2025"
plaintext = decrypt(ciphertext, key)
print("Decrypted text:", plaintext)
#NSSCTF{c6e67111c1aadd1bdc4dad6d99c254e7}