NSSCTF Round#27 Basic Reverse wp

ajguthahbzzb

0x0 前言

---

由于这次题目较为简单，所以4道题的exp放在一个帖子里。

0x1 easyre

---

找到main函数后就能看到有花指令，用nop填充花指令后就能看到加密逻辑。
加密逻辑是把base64的表作为rc4的key，然后对原始数据进行加密。解密代码如下：

[Python] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

def KSA(key):     """ Key-Scheduling Algorithm (KSA) """     S = list(range(256))     j = 0     for i in range(256):         j = (j + S[i] + key[i % len(key)]) % 256         S[i], S[j] = S[j], S[i]     return S    def PRGA(S):     """ Pseudo-Random Generation Algorithm (PRGA) """     i, j = 0, 0     while True:         i = (i + 1) % 256         j = (j + S[i]) % 256         S[i], S[j] = S[j], S[i]         K = S[(S[i] + S[j]) % 256]         yield K    def RC4(key, text: bytes):     """ RC4 encryption/decryption """     S = KSA(key)     keystream = PRGA(S)     res = []     for char in text:         res.append(char ^ next(keystream))     return bytes(res)   target = bytes.fromhex("41f1cb7d08085c69e9f935585968c212c1d9bb2f6d118400") res = RC4(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", target)   print(res)

0x2 ezcpp

---

代码用c++编写，不过被去掉了符号表。分析一下代码逻辑，得到代码逻辑：

[C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

vec_init((__int64)binput); ilen = j_strlen(input); ilen_1 = ilen; v3 = (unsigned __int64)ilen * (unsigned __int128)4uLL; if ( !is_mul_ok(ilen, 4uLL) )     *(_QWORD *)&v3 = -1LL; v14 = (_DWORD *)new_arr(v3, *((__int64 *)&v3 + 1)); arr = v14; qmemcpy(key, "harker", 6); for ( j = 0; j < ilen; ++j ) {     v17 = input[j];     ilen_1 = j;     six = get_six((__int64)key);     arr[j] = (char)key[ilen_1 % six] ^ v17;     vec_set((__int64)binput, LOBYTE(arr[j])); } j_base64_enc((__int64)boutput, (__int64)binput); output = j_vec_cstr((__int64)boutput); ok_1 = j_check_res(output); v15 = arr; operator delete[](arr); if ( v15 ) {     arr = (_DWORD *)0x8123;     ilen_1 = 0x8123LL; } else {     ilen_1 = 0LL; } ok = ok_1; vec_del((__int64)boutput); vec_del((__int64)binput); return ok;

逻辑就是先异或一个数组，然后再进行base64编码。解密代码如下：

[Python] 纯文本查看 复制代码

?

1 2 3 4 5 6 7 8 9

import base64   target = "Dg0TDB4xGBEtWlAtPlIAGRwtW1VHEhg=" o1 = base64.b64decode(target) res = "" key = b"harker" for i in range(len(o1)):     res += chr(key[i % 6] ^ o1[i]) print(res)

0x3 EzProcessStruct

---

文件是windows内核驱动，程序从系统中获取了某进程的EPROCESS指针。参考以下两链接：
https://blog.csdn.net/emaste_r/article/details/8911718
https://blog.csdn.net/QQ_3094353627/article/details/124616462
得知代码

[C] 纯文本查看 复制代码

?

1	DbgPrint("%d.%d.%d", *(_DWORD *)(peb + 0xA4), *(_DWORD *)(peb + 0xA8), *(unsigned __int16 *)(peb + 0xAC));

会输出OS的Major、Minor和Build版本号。根据题目提示得知操作系统版本号为6.1.7601.17514。
然后程序的逻辑仅仅只是对用户输入进行了一个简单的异或，异或的key就是Major、Minor版本号异或值。解密代码如下：（解出来的base64码再经过解密即可得到flag）

[Python] 纯文本查看 复制代码

?

1 2 3 4 5 6 7 8

target = b"SkISV6U@b5Q1_6cwejUqc4Iaf5Q~ejQtNTA>" # for key in range(256): key = 6 ^ 1 res = [] for num in target:     res.append(num ^ key)   print(len(res), bytes(res).decode())

0x4 ezminiprograme

---

微信小程序文件，参考以下链接对__APP__.wxapkg解包：

https://blog.csdn.net/Xm3333691/article/details/120312160
解包后打开index.appservice.js文件，调整缩进即可看到加密逻辑。好像是rc4魔改，直接用rc4解密得不到结果。把源码稍微改下，把密文作为输入输进去，得到明文。

[JavaScript] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

function generateSbox(t) {   for (var a = [], n = t.length, e = [], o = 0; o < 256; o++)     a.push(o), e.push(t.charCodeAt(o % n));   for (var i = 0, r = 0; r < 256; r++) {     var s, u;     (s = [a[(i = (i + a[r] + e[r]) % 256)], a[r]]),       (a[r] = s[0]),       (a[i] = s[1]),       (u = [a[(i + 1) % 256], a[(r + 1) % 256]]),       (a[(r + 1) % 256] = u[0]),       (a[(i + 1) % 256] = u[1]);   }   return a; }   a = [     216, 156, 159, 86, 8, 143, 254, 92, 113, 3, 228, 74, 37, 80, 146,     68, 71, 42, 137, 132, 170, 85, 13, 196, 226, 152, 120, 176, 184, 36,     195, 233, 123, 230, 89, 10, 121, 180, 5, 219, ] var res = "" for (   var n = generateSbox("NSSCTF2025"), e = 0, o = 0, i = 0;   i < a.length;   i++ ) {     var r = [n[(e = (e + n[(o = (o + n[i % 256]) % 256)]) % 256)], n[o]];     (n[o] = r[0]), (n[e] = r[1]);     var s = n[(n[o] + n[e]) % 256];     res += String.fromCharCode(a[i] ^ s); } console.log(res)

wakinceng

感谢支持！

BrutusScipio

基础题吗？大神加把劲把高难题都拿下

fengbin8606

加油，虚心学习中