androgenshin

image.png

元神启动
image.png
主函数 找找
image.png
一个 RC4,一个 base64
image.png
image.png

解rc4

#include<bits/stdc++.h>
using namespace std;
// Decrypts the 64-byte blob embedded in the sample with RC4 under the
// hard-coded key and prints the result, which the write-up then uses as a
// substituted base64 alphabet. Both the key and the blob ship inside the
// binary, so anyone who can read the binary can repeat this step.
signed main() {
    // Ciphertext bytes copied out of the sample.
    const int encrypted_table[] = {
        125, 239, 101, 151, 77, 163, 163, 110, 58, 230, 186, 206, 84, 84, 189, 193,
        30, 63, 104, 178, 130, 211, 164, 94, 75, 16, 32, 33, 193, 160, 120, 47,
        30, 127, 157, 66, 163, 181, 177, 47, 0, 236, 106, 107, 144, 231, 111, 16,
        36, 34, 91, 9, 188, 81, 5, 241, 235, 3, 54, 150, 40, 119, 202, 150};
    const std::string rc4_key = "genshinimpact";

    // Key scheduling: identity permutation, with the key repeated to 256 entries.
    int state[256];
    int key_bytes[256];
    for (int n = 0; n < 256; ++n) {
        state[n] = n;
        key_bytes[n] = rc4_key[n % rc4_key.length()];
    }
    int mix = 0;
    for (int n = 0; n < 256; ++n) {
        mix = (state[n] + mix + key_bytes[n]) & 255;
        std::swap(state[n], state[mix]);
    }

    // Keystream generation; each keystream byte is XORed into the blob and
    // the plaintext character is written straight to stdout.
    int x = 0;
    int y = 0;
    for (const int cipher_byte : encrypted_table) {
        x = (x + 1) & 255;
        y = (state[x] + y) & 255;
        std::swap(state[x], state[y]);
        const int keystream = state[(state[x] + state[y]) & 255];
        std::cout << static_cast<char>(cipher_byte ^ keystream);
    }
}

得到一个表 BADCFEHGJILKNMPORQTSVUXWZYbadcfehgjilknmporqtsvuxwzy1032547698/+
开始写换表base64

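import base64  # the snippet calls base64.b64decode, so the module has to be imported

# Encoded value taken from the sample; it uses a permuted base64 alphabet.
cipher = 'YnwgY2txbE8TRyQecyE1bE8DZWMkMiRgJW1='
# Standard base64 alphabet.
ori = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Alphabet recovered by the RC4 step: the standard one with each adjacent pair swapped.
changed = 'BADCFEHGJILKNMPORQTSVUXWZYbadcfehgjilknmporqtsvuxwzy1032547698/+'
# Map every custom symbol back to its standard counterpart, then decode normally.
# '=' is in neither table, so the padding passes through translate() unchanged.
# A swapped alphabet is only an encoding change; once the table is known the
# data decodes like ordinary base64.
print(base64.b64decode(cipher.translate(str.maketrans(changed, ori))))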

flag flag{0h_RC4_w1th_Base64!!}

账户:genshinimpact
密码 flag
可以元神启动
image.png

easy_enc

image.png
str 进行了 4次循环 最终与 Buf1 开始的 29 个分别对应相等
image.png
看 v5[3]:结果被强制转换为 BYTE 类型(8 bit),相当于乘以 52 之后再 mod 256。
由于 52 和 256 不互素(gcd(52, 256) = 4),52 在模 256 下没有逆元,同一个结果可能对应多个原值,所以要通过枚举的方法来逆向。
image.png
看v5[2] 一个强转后的取反
image.png
这里给了 key str 引用到主函数 前面的mod 256
![image.png](https://s2.loli.net/2023/12/01/Wduv7X4nlbSkUYy.png)
位移转换 大写和小写的映射为小写 只做位移转换 枚举

最后exp 需要 mod 的数学方法 互质数

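# Target bytes (Buf1 in the decompilation); negative signed values are
# normalised into 0..255 by adding 256.
buf1 = [-24+256,0x80,-124+256,8,24,60,120,104,0,112,124,-108+256,-56+256,-32+256,16,-20+256,-76+256,-84+256,104,-88+256,12,28,-112+256,-52+256,84,60,20,-36+256,48]

# Recovered character codes, one per position of buf1 (0 where nothing matched).
a1 = [0]*29
key = "NewStarCTF"


def recover_char(target, key_byte):
    """Invert one byte of the transform and return the original letter.

    The forward direction, as reconstructed in the write-up, shifts a letter
    inside its own case, adds a key byte, takes the bitwise NOT and multiplies
    by 52 modulo 256. The multiplication has no modular inverse, so every
    multiplier candidate is tried.

    Args:
        target: expected byte from buf1 (0..255).
        key_byte: ordinal of the key character used at this position.

    Returns:
        The recovered character, or None when no candidate maps to a letter.
    """
    for j in range(1, 256):
        if (j * 52) % 256 != target:
            continue
        # Undo the NOT and the key addition, reduced back into one byte.
        shifted = (~j - key_byte) % 256
        # The original tests were written `j>=97 & j <= 122`; `&` binds tighter
        # than the comparisons, so they were always true. `and`-style range
        # checks are what was meant.
        if 97 <= shifted <= 122:
            for a in range(97, 122 + 1):
                if (a - 89) % 26 + 97 == shifted:
                    return chr(a)
        elif 65 <= shifted <= 90:
            for a in range(65, 90 + 1):
                if (a - 52) % 26 + 65 == shifted:
                    return chr(a)
    return None


for i in range(len(buf1)):
    ch = recover_char(buf1[i], ord(key[i % len(key)]))
    if ch is not None:
        a1[i] = ord(ch)
        print(ch, end="")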

BruteForceIsAGoodwaytoGetFlag

SMC

image.png
main 看源代码 NtCurrentPeb()->BeingDebugged 代码存在 反调试碰到这种就跑路 开玩笑
image.png
跟进去 %s 的限制

# Runs inside the disassembler's Python console (get_byte / patch_bytes come
# from that scripting environment): undoes the self-modifying-code layer by
# XOR-ing the protected bytes with a repeating 4-byte key and writing the
# result back into the database.
address1 = 0x403040  # start of the 38 encoded bytes
address2 = 0x403068  # start of the key; only offsets 0..3 are read (i & 3)
for offset in range(38):
    decoded = get_byte(address1 + offset) ^ get_byte(address2 + (offset & 3))
    # patch_bytes takes a bytes object, so wrap the single value.
    patch_bytes(address1 + offset, decoded.to_bytes(1, 'little'))

走个脚本
跟进 403040

// Decompiled check routine found at 0x403040 after the XOR patch.
// Returns 1 once 32 consecutive bytes of `input` satisfy
// (input[i] ^ 0x11) + 5 == byte_403020[i]. The listing on the page stops
// before the mismatch path and the closing brace.
char sub_403040()
{
int v0; // edx
v0 = 0;
// Keep going only while the transformed input byte equals the table entry.
while ( ((unsigned __int8)input[v0] ^ 0x11) + 5 == (unsigned__int8)byte_403020[v0] )
{
// All 32 positions matched.
if ( ++v0 >= 32 )
return 1;
}

比较条件是 (input[i] ^ 0x11) + 5 == byte_403020[i],所以逆向时先减 5,再异或 0x11

# Expected bytes the decrypted routine compares the transformed input against.
byte_403020 = [
    0x7C, 0x82, 0x75, 0x7B, 0x6F, 0x47, 0x61, 0x57,
    0x53, 0x25, 0x47, 0x53, 0x25, 0x84, 0x6A, 0x27,
    0x68, 0x27, 0x67, 0x6A, 0x7D, 0x84, 0x7B, 0x35,
    0x35, 0x48, 0x25, 0x7B, 0x7E, 0x6A, 0x33, 0x71,
]
# The check is (input ^ 0x11) + 5 == expected, so undo it in reverse order:
# subtract 5 first, then XOR with 0x11.
flag = ''.join(chr((expected - 5) ^ 0x11) for expected in byte_403020)
print(flag)

Random

image.png
直接main 断点出关键代码 直接跟着走 table 函数 存储比较函数下的 s2
image.png
image.png

#include<time.h>
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<bits/stdc++.h>
using namespace std;
// Replays the sample's seeded rand() sequence and, for each expected byte in
// s2, searches for the input byte whose table lookup produces it. For every
// position it prints the expected value in decimal followed by the first
// matching input character.
// NOTE(review): rand() sequences differ between C runtimes, so this presumably
// has to be built against the same libc family as the target - confirm.
signed main() {
    // Substitution table copied from the sample; the values match the AES S-box.
    const unsigned char Table[256] = {
        0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
        0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
        0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
        0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
        0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
        0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
        0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
        0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
        0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
        0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
        0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
        0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
        0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
        0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
        0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
        0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16};

    // Expected bytes (s2) captured at the comparison in the debugger.
    const int s2[] = {
        0xEE, 0xE6, 0xD7, 0xB2, 0x8a, 0xab, 0x13, 0x35,
        0x02, 0x7b, 0xc9, 0xb9, 0x9c, 0xba, 0xed, 0x2e,
        0xbd, 0x4f, 0xfa, 0xee, 0xc8, 0xf8, 0xe4, 0x16,
        0x82, 0x63, 0x3b, 0x98, 0xf4, 0x14, 0x30, 0x38,
        0x07, 0x36, 0x84, 0x3d, 0x0c, 0x36, 0x32, 0xea,
        0x55, 0xa6};

    // Fixed seed used by the sample, so the rand() stream can be replayed.
    std::srand(0x5377654E);

    for (int pos = 0; pos < 42; ++pos) {
        // Exactly one rand() call per output position, as in the original loop.
        const int offset = std::rand() % 255;
        for (int v3 = 0; v3 < 256; ++v3) {
            const unsigned char shifted = static_cast<unsigned char>(v3 + offset);
            // Same index expression as the decompiled code: high nibble with
            // the low nibble forced to 0xF, masked by the byte itself.
            const int index = (16 * (shifted >> 4) + 15) & shifted;
            if (s2[pos] != Table[index]) {
                continue;
            }
            std::printf("%d ", s2[pos]);
            std::printf("%c", v3);
            break;
        }
    }
    return 0;
}

petals

调试发现加花指令
image.png
image.png
此处加花 U 一下 90一下 nop 回到 1208+1 F9 一下
image.png
image.png
image.png
开始推断 v6 大概 256 异或取反长度
~(i ^ 25) & ((1<<8)-1)
for i in range(256)

from hashlib import md5

# Encoded bytes taken from the sample.
unk = [0xD0, 0xD0, 0x85, 0x85, 0x80, 0x80, 0xC5, 0x8A, 0x93, 0x89, 0x92, 0x8F, 0x87, 0x88, 0x9F, 0x8F, 0xC5, 0x84, 0xD6, 0xD1, 0xD2, 0x82, 0xD3, 0xDE, 0x87]
# Substitution table: entry i is ~(i ^ 25) truncated to 8 bits. Every byte
# value appears exactly once, so the table can be inverted by lookup.
v5 = [~(i ^ 25) & ((1 << 8) - 1) for i in range(256)]
position_of = {value: index for index, value in enumerate(v5)}
# The table index that produces each encoded byte is the original character.
flag = "".join(chr(position_of[encoded]) for encoded in unk)

# The submitted flag is the MD5 hex digest of the recovered string.
c = md5(flag.encode("utf-8"))
print(c.hexdigest())

flag{d780c9b2d2aa9d40010a753bc15770de}

PZthon

利用工具 exe 反 pyc
生成

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.9


def hello():
    """Print the ASCII-art banner, prompt for the flag and return it as a bytearray."""
    banner = '\n \n // ) ) / / // ) ) // | | / / // | | \\ / / \\ / / \n //___/ / / / // //__| | / / //__| | \\ / \\ / / \n / ____ / / / // ____ / ___ | / / / ___ | / / \\/ / \n // / / // / / // | | / / // | | / /\\ / / \n// / /___ ((____/ / // | | / /____/ / // | | / / \\ / / \n \n / / // / / || / / // / / / / /__ ___/ || / | / / // ) ) \n / / //____ || / / //____ / / / / || / | / / // / / \n / / / ____ || / / / ____ / / / / || / /||/ / // / / \n / / // ||/ / // / / / / ||/ / | / // / / \n / /____/ / //____/ / | / //____/ / / /____/ / / / | / | / ((___/ / \n'
    print(banner)
    answer = input('Please give me the flag: ')
    # A mutable byte buffer, because the caller XORs it in place.
    return bytearray(answer.encode())

# Expected bytes: the correct flag with every byte XOR-ed with 21.
enc = [
    115, 121, 116, 114, 110, 76, 37, 96, 88, 116, 113, 112,
    36, 97, 65, 125, 103, 37, 96, 114, 125, 65, 39, 112,
    70, 112, 118, 37, 123, 113, 69, 79, 82, 84, 89, 84,
    77, 76, 36, 112, 99, 112, 36, 65, 39, 116, 97, 36,
    102, 86, 37, 37, 36, 104,
]
data = hello()
# Apply the same single-byte XOR to the user's input, in place.
for index, value in enumerate(data):
    data[index] = value ^ 21
# The check is a plain comparison against a constant, so the expected input
# can be recovered by XOR-ing enc with 21 again.
if data == bytearray(enc):
    print('WOW!!')
else:
    print('I believe you can do it!')
input('To be continue...')

简单来看 是数组 异或 21

# Expected bytes lifted from the decompiled script.
enc = [
    115, 121, 116, 114, 110, 76, 37, 96, 88, 116, 113, 112,
    36, 97, 65, 125, 103, 37, 96, 114, 125, 65, 39, 112,
    70, 112, 118, 37, 123, 113, 69, 79, 82, 84, 89, 84,
    77, 76, 36, 112, 99, 112, 36, 65, 39, 116, 97, 36,
    102, 86, 37, 37, 36, 104,
]
# XOR with a constant is its own inverse, so applying 21 again restores the flag.
date = "".join(chr(value ^ 21) for value in enc)
print(date)

得flag{Y0uMade1tThr0ughT2eSec0ndPZGALAXY1eve1T2at1sC001}

C?C++?

直接 .net 中分析
image.png
解密反着写 数学不好问了一下网上的牛子 遇到瓶颈 真痛

#include<bits/stdc++.h>
#include<windows.h>
using namespace std;
// Reverses the transform recovered from the .NET decompilation: every
// addition made by the original program is subtracted again, then the
// per-index offset is undone and the 35 recovered characters are printed.
signed main() {
    const std::string text2 = "NEWSTAR";
    // Expected values copied from the decompiled program.
    int encoded[] = {68, 75, 66, 72, 99, 19, 19, 78, 83, 74,
                     91, 86, 35, 39, 77, 85, 44, 89, 47, 92,
                     49, 88, 48, 91, 88, 102, 105, 51, 76, 115,
                     -124, 125, 79, 122, -103};
    const int num = 35;

    // The five statements below touch disjoint groups of seven entries
    // (k, k+7, k+14, k+21, k+28), so the order of iteration does not matter.
    for (int k = 0; k <= 6; ++k) {
        const int key_char = text2[k];
        // The char-literal constants of the decompiled code ('\u0005', '\n',
        // '\u0004') are written as their numeric values 5, 10 and 4.
        encoded[k + 28] -= key_char / 5 + 10;
        encoded[k + 21] -= static_cast<char>(k ^ 2);
        encoded[k + 14] -= static_cast<char>(2 * k);
        encoded[k + 7] -= static_cast<char>(key_char % 5);
        // The cast to char is kept: the operand can be negative here.
        encoded[k] -= static_cast<char>(k ^ -(key_char % 4));
    }

    // Undo the per-position step: add 32 (' ') and subtract the index.
    for (int j = 0; j < num; ++j) {
        encoded[j] += 32;
        encoded[j] -= static_cast<char>(j);
    }

    for (int i = 0; i < num; ++i) {
        std::cout << static_cast<char>(encoded[i]);
    }
}