This post was last edited by ajguthahbzzb on 2025-3-17 09:08.
0x0 Preface
Since the challenges this time were fairly easy, the exploits for all four are collected in one post.
0x1 easyre
Once main is located, the junk (anti-disassembly) instructions are easy to spot; patching them out with NOPs exposes the encryption routine.
The routine uses the base64 alphabet as the RC4 key and RC4-encrypts the input data. Decryption code:
```python
def KSA(key):
    """ Key-Scheduling Algorithm (KSA) """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def PRGA(S):
    """ Pseudo-Random Generation Algorithm (PRGA) """
    i, j = 0, 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256]
        yield K


def RC4(key, text: bytes):
    """ RC4 encryption/decryption """
    S = KSA(key)
    keystream = PRGA(S)
    res = []
    for char in text:
        res.append(char ^ next(keystream))
    return bytes(res)


# ciphertext extracted from the binary
target = bytes.fromhex("41f1cb7d08085c69e9f935585968c212c1d9bb2f6d118400")
# the RC4 key is the standard base64 alphabet
res = RC4(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", target)
print(res)
```
0x2 ezcpp
The binary is written in C++ with the symbol table stripped. Working through the code gives the following logic (decompiler output, annotated):
```c
vec_init((__int64)binput);
ilen = j_strlen(input);
ilen_1 = ilen;
v3 = (unsigned __int64)ilen * (unsigned __int128)4uLL;
if ( !is_mul_ok(ilen, 4uLL) )
  *(_QWORD *)&v3 = -1LL;
v14 = (_DWORD *)new_arr(v3, *((__int64 *)&v3 + 1));
arr = v14;
qmemcpy(key, "harker", 6);                       // 6-byte XOR key
for ( j = 0; j < ilen; ++j )
{
  v17 = input[j];
  ilen_1 = j;
  six = get_six((__int64)key);                   // key length (6)
  arr[j] = (char)key[ilen_1 % six] ^ v17;        // repeating-key XOR
  vec_set((__int64)binput, LOBYTE(arr[j]));      // only the low byte is kept
}
j_base64_enc((__int64)boutput, (__int64)binput); // base64-encode the XORed bytes
output = j_vec_cstr((__int64)boutput);
ok_1 = j_check_res(output);                      // compare with the hard-coded target
v15 = arr;
operator delete[](arr);
if ( v15 )
{
  arr = (_DWORD *)0x8123;
  ilen_1 = 0x8123LL;
}
else
{
  ilen_1 = 0LL;
}
ok = ok_1;
vec_del((__int64)boutput);
vec_del((__int64)binput);
return ok;
```
So the logic is: XOR the input with a key array, then base64-encode the result. Decryption code:
```python
import base64

target = "Dg0TDB4xGBEtWlAtPlIAGRwtW1VHEhg="
o1 = base64.b64decode(target)
res = ""
key = b"harker"
for i in range(len(o1)):
    res += chr(key[i % 6] ^ o1[i])
print(res)
```
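As an added example (not the post's own code), here is the forward transform read off the decompilation, reimplemented next to its inverse. Reproducing the hard-coded target from the recovered input is the quickest check that the decompiled loop (the `key[j % 6]` index, the `(char)` cast and the `LOBYTE` truncation) was read correctly. The key and target are the values from the post; `check_flag` is a stand-in for `j_check_res` named here, not a function from the binary.

```python
import base64

KEY = b"harker"                              # qmemcpy(key, "harker", 6) in the decompilation
TARGET = "Dg0TDB4xGBEtWlAtPlIAGRwtW1VHEhg="  # the string j_check_res compares against


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """arr[j] = key[j % 6] ^ input[j]; the & 0xFF mirrors LOBYTE keeping only the low byte."""
    return bytes((b ^ key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def encrypt(plaintext: str) -> str:
    """Forward transform as the binary does it: repeating-key XOR, then base64."""
    return base64.b64encode(xor_repeating(plaintext.encode(), KEY)).decode()


def decrypt(encoded: str) -> str:
    """Inverse: base64-decode, then XOR with the same key (XOR is its own inverse)."""
    return xor_repeating(base64.b64decode(encoded), KEY).decode()


def check_flag(candidate: str) -> bool:
    """Stand-in for j_check_res: does this input produce the expected output string?"""
    return encrypt(candidate) == TARGET


if __name__ == "__main__":
    recovered = decrypt(TARGET)
    print(recovered, "->", check_flag(recovered))
```

Running `encrypt` over the recovered string and comparing with `TARGET` is the same test the binary performs, so a mismatch here means the decompilation was misread rather than the key being wrong.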
0x3 EzProcessStruct
The file is a Windows kernel driver; the program obtains the EPROCESS pointer of a process from the system. See the following two links:
https://blog.csdn.net/emaste_r/article/details/8911718
https://blog.csdn.net/QQ_3094353627/article/details/124616462
From them we learn that the line
```c
DbgPrint("%d.%d.%d", *(_DWORD *)(peb + 0xA4), *(_DWORD *)(peb + 0xA8), *(unsigned __int16 *)(peb + 0xAC));
```
prints the OS Major, Minor and Build numbers. From the challenge hint, the OS version is 6.1.7601.17514.
The rest of the program merely XORs the user input with a single byte, and that byte is Major ^ Minor. Decryption code (the base64 string it yields is then base64-decoded to give the flag):
```python
target = b"SkISV6U@b5Q1_6cwejUqc4Iaf5Q~ejQtNTA>"
# for key in range(256):    # fallback: brute-force the byte if the version guess is wrong
key = 6 ^ 1                  # OSMajorVersion ^ OSMinorVersion for 6.1
res = []
for num in target:
    res.append(num ^ key)
print(len(res), bytes(res).decode())
```
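The commented-out `for key in range(256)` line above is the fallback when the version-derived key is in doubt. As an added example (not the post's code), here is that brute force written out with a plausibility filter instead of eyeballing 256 outputs: a candidate key is kept only if the XOR output stays inside the base64 alphabet, decodes cleanly, and the decoded text is printable and carries the flag prefix. The ciphertext and the 6.1 version numbers come from the post; the flag format `NSSCTF{...}` is assumed from the CTF name seen in the 0x4 key, and `key_from_version`, `candidate_keys` and `recover` are names chosen here.

```python
import base64
import binascii
import string

# Ciphertext from the post (the driver's XOR output).
CIPHERTEXT = b"SkISV6U@b5Q1_6cwejUqc4Iaf5Q~ejQtNTA>"
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def key_from_version(major: int, minor: int) -> int:
    """The key the driver derives: OSMajorVersion ^ OSMinorVersion (6.1 gives 7)."""
    return major ^ minor


def candidate_keys(ciphertext: bytes):
    """Yield (key, text) for every single-byte key whose XOR output is entirely base64 alphabet."""
    for key in range(256):
        text = bytes(b ^ key for b in ciphertext).decode("ascii", errors="replace")
        if all(ch in B64_CHARS for ch in text):
            yield key, text


def recover(ciphertext: bytes, prefix: str = "NSSCTF{"):  # flag prefix is an assumption
    """Brute-force the byte key; keep keys whose base64 decodes to printable text with the prefix."""
    hits = []
    for key, text in candidate_keys(ciphertext):
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.startswith(prefix) and all(ch in PRINTABLE for ch in decoded):
            hits.append((key, decoded))
    return hits


if __name__ == "__main__":
    print("key from version 6.1:", key_from_version(6, 1))
    for key, flag in recover(CIPHERTEXT):
        print(f"key={key:#04x} flag={flag}")
```

Because base64 is deterministic per 3-byte group, the first eight output characters fix the key uniquely once a six-byte prefix is required, so the filter leaves exactly one candidate, and it agrees with the version-derived value.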
0x4 ezminiprograme
A WeChat mini-program file. Unpack __APP__.wxapkg following this link:
https://blog.csdn.net/Xm3333691/article/details/120312160
After unpacking, open index.appservice.js; once the indentation is fixed the encryption logic is plain to see. It looks like a modified RC4, and decrypting with plain RC4 does not give a result. Slightly modify the source, feed the ciphertext in as the input, and the plaintext comes out.
```javascript
function generateSbox(t) {
    for (var a = [], n = t.length, e = [], o = 0; o < 256; o++)
        a.push(o), e.push(t.charCodeAt(o % n));
    for (var i = 0, r = 0; r < 256; r++) {
        var s, u;
        (s = [a[(i = (i + a[r] + e[r]) % 256)], a[r]]),
            (a[r] = s[0]),
            (a[i] = s[1]),
            (u = [a[(i + 1) % 256], a[(r + 1) % 256]]),
            (a[(r + 1) % 256] = u[0]),
            (a[(i + 1) % 256] = u[1]);
    }
    return a;
}

// ciphertext taken from the mini-program, fed back in as the input
var a = [
    216, 156, 159, 86, 8, 143, 254, 92, 113, 3, 228, 74, 37, 80, 146,
    68, 71, 42, 137, 132, 170, 85, 13, 196, 226, 152, 120, 176, 184, 36,
    195, 233, 123, 230, 89, 10, 121, 180, 5, 219,
];
var res = "";
for (
    var n = generateSbox("NSSCTF2025"), e = 0, o = 0, i = 0;
    i < a.length;
    i++
) {
    var r = [n[(e = (e + n[(o = (o + n[i % 256]) % 256)]) % 256)], n[o]];
    (n[o] = r[0]), (n[e] = r[1]);
    var s = n[(n[o] + n[e]) % 256];
    res += String.fromCharCode(a[i] ^ s);
}
console.log(res);
```
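Both 0x1 and 0x4 come down to recognising RC4 in unfamiliar code, and the check a practitioner wants before trusting a reimplementation is a published test vector. As an added example that is not the post's code, the block below implements standard RC4, verifies it against the well-known `Key`/`Plaintext` vector, and places beside it a Python port of the mini-program's `generateSbox` and decryption loop: the key schedule additionally swaps the two neighbouring slots after each normal swap, and the output loop advances its first index by `S[i]` instead of by one, which is why plain RC4 fails on that ciphertext. Keys and ciphertexts are the values from the post; the function names (`ksa_variant`, `prga_variant`, `rc4_variant`, `decrypt_0x1`, `decrypt_0x4`) are chosen here.

```python
"""Standard RC4 with a test-vector self-check, beside the RC4 variant found in index.appservice.js."""

# Published RC4 test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3.
TEST_VECTOR = (b"Key", b"Plaintext", bytes.fromhex("bbf316e8d940af0ad3"))

# Values from the post: challenge 0x1 (key is the base64 alphabet) and challenge 0x4.
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TARGET_0X1 = bytes.fromhex("41f1cb7d08085c69e9f935585968c212c1d9bb2f6d118400")
KEY_0X4 = b"NSSCTF2025"
TARGET_0X4 = bytes([
    216, 156, 159, 86, 8, 143, 254, 92, 113, 3, 228, 74, 37, 80, 146,
    68, 71, 42, 137, 132, 170, 85, 13, 196, 226, 152, 120, 176, 184, 36,
    195, 233, 123, 230, 89, 10, 121, 180, 5, 219,
])


def ksa_standard(key: bytes) -> list:
    """Textbook key scheduling: one swap per round."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def prga_standard(S: list):
    """Textbook keystream generator: i steps by one for every output byte."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key: bytes, data: bytes) -> bytes:
    keystream = prga_standard(ksa_standard(key))
    return bytes(b ^ next(keystream) for b in data)


def ksa_variant(key: bytes) -> list:
    """Port of generateSbox(): after the normal swap, slots r+1 and j+1 are swapped as well."""
    S = list(range(256))
    j = 0
    for r in range(256):
        j = (j + S[r] + key[r % len(key)]) % 256
        S[r], S[j] = S[j], S[r]
        r1, j1 = (r + 1) % 256, (j + 1) % 256
        S[r1], S[j1] = S[j1], S[r1]          # the extra swap that breaks plain RC4
    return S


def prga_variant(S: list):
    """Port of the mini-program's loop: o += S[index] instead of o += 1, then the usual j step and swap."""
    o = e = 0
    index = 0
    while True:
        o = (o + S[index % 256]) % 256
        e = (e + S[o]) % 256
        S[o], S[e] = S[e], S[o]
        yield S[(S[o] + S[e]) % 256]
        index += 1


def rc4_variant(key: bytes, data: bytes) -> bytes:
    keystream = prga_variant(ksa_variant(key))
    return bytes(b ^ next(keystream) for b in data)


def rc4_self_test() -> bool:
    """Refuse to trust the implementation until it reproduces the published vector both ways."""
    key, plain, cipher = TEST_VECTOR
    return rc4(key, plain) == cipher and rc4(key, cipher) == plain


def is_permutation(S: list) -> bool:
    """Any valid key schedule, modified or not, must still leave a permutation of 0..255."""
    return sorted(S) == list(range(256))


def decrypt_0x1() -> bytes:
    return rc4(B64_ALPHABET, TARGET_0X1)


def decrypt_0x4() -> bytes:
    return rc4_variant(KEY_0X4, TARGET_0X4)


if __name__ == "__main__":
    assert rc4_self_test(), "standard RC4 does not match the published test vector"
    print("0x1:", decrypt_0x1())
    print("0x4 with plain RC4:  ", rc4(KEY_0X4, TARGET_0X4))
    print("0x4 with the variant:", decrypt_0x4())
```

The variant keeps the two properties that make it decryptable with the same routine: the key schedule still yields a permutation of 0..255, and the keystream never depends on the data, so applying `rc4_variant` twice returns the original bytes. Comparing the standard and variant S-boxes for the same key is the fastest way to confirm that the difference lies in the schedule and not only in the output loop.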