FSCTF2023-reverse复现

signin

脱壳，IDA64载入

简单替换，查看字符串找到密文

转ascll

i代替1，a代替4，s代替5，o代替0

最后flag为

FSCTF{it_is_really_obvious_to_find}

Xor

题目描述：

简单的异或题

伪代码

简单异或，赛博厨子直接一把梭

最后flag为

flag{This_is_a_easy_reverse}

EZRC4

题目描述：

听说你喜欢玩原神？

查看伪代码

rc4解密

exp：

def rc4_init(s_box, key, key_len):  # rc4初始化函数，产生s_box
    k = [0] * 256
    i = j = 0
    for i in range(256):
        s_box[i] = i
        k[i] = key[i % key_len]
    for i in range(256):
        j = (j + s_box[i] + ord(k[i])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
def rc4_crypt(s_box, data, data_len, key, key_len):  # rc4算法，由于异或运算的对合性，RC4加密解密使用同一套算法，加解密都是它
    rc4_init(s_box, key, key_len)
    i = j = 0
    for k in range(data_len):
        i = (i + 1) % 256
        j = (j + s_box[i]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
        t = (s_box[i] + s_box[j]) % 256
        data[k] ^= s_box[t]
 
if __name__ == '__main__':
    s_box = [0] * 257  # 定义存放s_box数据的列表
 
    # 此处的data即要解密的密文，需要定义成列表形式，其中的元素可以是十六进制或十进制数
    # 如果题目给出的是字符串，需要你自己先把数据处理成列表形式再套用脚本
    data = [0xEB,0xD,0x61,0x29,0xBF,0x9B,5,0x22,0xF3,0x32,0x28,0x97,0xE3,0x86,0x4D,0x2D,0x5A,0x2A,0xA3,0x55,0xAA,0xD5,0xB4,0x6C,0x8B,0x51,0xB1]
    #key一定要字符串
    key = "wanyuanshenwande"
 
    rc4_crypt(s_box, data, len(data), key, len(key))
    for i in data:
        print(chr(i), end='')

运行得到

最后flag为

flag{I_L0VE_gensh1n_Imp4ct}

MINE SWEEPER

纯签到题，查看伪代码找到flag

最后flag为

FSCTF{We1C0m3 t0 rev w0r1d!!!}

ez_pycxor

pyc反编译得到源码

得到

flag = input('plz input your flag:')
encoded_flag = []
key = 'FUTURESTARS'
ciphertxt = [
    168,
    169,
    185,
    170,
    160,
    157,
    197,
    132,
    226,
    134,
    134,
    145,
    255,
    242,
    130,
    139,
    234,
    140,
    180,
    229,
    179,
    246,
    243,
    181,
    183,
    182,
    249,
    163,
    254,
    189,
    246,
    166]
for i in range(len(flag)):
    encoded_flag.append((ord(flag[i]) ^ 168) + i)
for i in range(len(encoded_flag)):
    if i % 2 == 0:
        encoded_flag[i] ^= ord(key[i % 11])
    if i % 2 == 1:
        encoded_flag[i] ^= ord(key[i % 11])
if encoded_flag == ciphertxt:
    print('OK! You have crack it!')
    return None

写个解密脚本

exp：

ciphertxt = [
    168, 169, 185, 170, 160, 157, 197, 132, 226, 134, 
    134, 145, 255, 242, 130, 139, 234, 140, 180, 229, 
    179, 246, 243, 181, 183, 182, 249, 163, 254, 189, 
    246, 166
]

key = 'FUTURESTARS'
flag = []

for i in range(len(ciphertxt)):
    # 第一步：根据索引奇偶性使用密钥进行异或
    temp = ciphertxt[i] ^ ord(key[i % 11])
    # 第二步：减去索引值
    temp -= i
    # 第三步：与168异或得到原始字符
    flag_char = chr(temp ^ 168)
    flag.append(flag_char)

print(''.join(flag))

运行得到

最后flag为

FSCTF{8a3ccd61ab7ff9e87acb9c9d1}

Tea_apk

题目描述：

这是个apk

jadx打开apk文件

xxtea解密

最后flag为

flag{pldCiQuCBtakT4ctlsZQ}

ezcode

魔改RC4

看到base表

赛博厨子一把梭

RC4解密

exp：

def rc4_decrypt(ciphertext, key):
    # 初始化 S-box
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # 初始化变量
    i = j = 0
    plaintext = []
    y = 'FSCTF'
    # 解密过程
    for byte in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        plaintext.append(byte ^ k ^ ord(y[i % 5]))

    return bytes(plaintext)


# 示例用法
encrypted_data = [61, 46, 7, 35, 77, 216, 81, 239, 157, 242, 12, 116, 194, 208, 173, 118, 124, 183]  # 替换成你的密文
encryption_key = b'XFFTnT'  # 替换成你的密钥

decrypted_data = rc4_decrypt(encrypted_data, encryption_key)
print("Decrypted Data:", decrypted_data.decode('utf-8'))

运行得到

最后flag为

最后flag为

FSCTF{G00d_j0b!!!}

ezbroke

修复mz头、pe头、壳UPX修复再脱壳

IDA查看伪代码，VM虚拟机的题目

异或0x17

exp：

list_1 = [0x51, 0x44, 0x54, 0x43, 0x51, 0x6C, 0x4E, 0x27, 0x62, 0x37, 0x64, 0x62, 0x74, 0x74, 0x72, 0x64, 0x64, 0x71, 0x62, 0x26, 0x26, 0x6E, 0x37, 0x75, 0x65, 0x27, 0x7C, 0x24, 0x37, 0x7A, 0x6E, 0x37, 0x67, 0x65, 0x27, 0x63, 0x24, 0x74, 0x63, 0x26, 0x27, 0x79, 0x36, 0x36, 0x36, 0x6A, 0x00]

for i in list_1:
    print(chr(i^0x17),end='')

运行得到

最后flag为

FSCTF{Y0u successfu11y br0k3 my pr0t3ct10n!!!}

rrrrust!!!

动调，循环异或

exp：

res = [0x3E,0x2A,0x27,0x33,0x15,0x03,0x3D,0x77,0x25,0x64,0x03,0x67,
0x07,0x32,0x76,0x0B,0x1C,0x21,0x2B,0x32,0x19,0x23,0x5E,0x26,0x69,0x22,0x3B]
len_res = len(res)
print(len_res)
key = [0x58,0x46,0x46,0x54,0x6e,0x54]
for i in range(len_res):
    print(chr(res[i]^key[i%len(key)]),end="")

运行得到

最后flag为

flag{We1c0m3_t0_rust_w0r1d}