SWPU NSS新生赛（校外通道）

​ 逆向入门ing…

贪吃蛇

玩够60分就行，动调我还不太熟:)

babyre

字符串里 The flag is: NSSCTF{this_is_the_first_flag}

easyre

字符串里 NSSCTF{oh_you_find_it}

base64

字符串里找到TlNTQ1RGe2Jhc2VfNjRfTlRXUTRaR0ROQzdOfQ==，base64解密即可

base64-2

字符串窗口可定位码表：NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/ 逻辑都不需要看了，换表而已，脚本处理下即可：

import string
old = string.ascii_uppercase + string.ascii_lowercase + string.digits
new = 'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/'
c = 'GyAGD1ETr3AcGKNkZ19PLKAyAwEsAIELHx1nFSH2IwyGsD'
oldc = ''
for i in c:
    tmp = new.index(i)
    oldc = oldc + old[tmp]
print(oldc)

xor

c = 'LQQAVDyZMP]3q]emmf]uc{]vm]glap{rv]dnce'
for i in c:
    print(chr(ord(i)^2),end='')

android

反编译成java源码，在mian类里明文可见：NSSCTF{a_simple_Android}

upx

upx脱壳，所有位异或2得flag

c = 'LQQAVDyWRZ]3q]zmpf]uc{]vm]glap{rv]dnce'
for i in c:
    print(chr(ord(i)^2),end='')

py1

参考博客，安装了最新的pyinstxtractor，最新的uncomepyle6，然后一步步反编译得到py源码。直接可以看到flag：

# uncompyle6 version 3.8.0
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.9.5 (tags/v3.9.5:0a7dcbd, May  3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)]
# Embedded file name: re1.py
import os, time
print("Welcome to NSS,Let's play a game~ if you answer the questions you'll get flag")
time.sleep(3)
print("First, Let's look look some easy Reverse")
time.sleep(3)
print('Please answer : 2684 XOR 2486 = ?')
while True:
    scanf_0 = input()
    if scanf_0 == '970':
        print("That's right! And next...")
        break
    else:
        print('Oh,Something gose wrong,Try again?')
        continue

time.sleep(2)
print("Let's try reverse it! Please answer : 258 XOR ? = 369")
while True:
    scanf_1 = input()
    if scanf_1 == '115':
        print('good!')
        break
    else:
        print('Try again?')
        continue

time.sleep(2)
print('You know that the number can be XOR now,but how letters xor?')
time.sleep(2)
print()
print('The last level is : a XOR z = ?')
print("tips: '?' is a number.")
while True:
    scanf_2 = input()
    if scanf_2 == '27':
        print('Wow~ Great! and the flag is...')
        time.sleep(10)
        print('NSSCTF{k0nw_of_r3}')
        os.system('pause')
    else:
        print('you are close to victory, Come on!')
        continue
# okay decompiling re1.pyc

py2

类似py1恢复源码，base64解密

# uncompyle6 version 3.8.0
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.9.5 (tags/v3.9.5:0a7dcbd, May  3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)]
# Embedded file name: re2.py
import base64
print("Input 'start' to start game:")
scanf = input()
if scanf == 'start':
    exit(0)
else:
    if scanf == 'TlNTQ1RGe29oaGghXzNhc3lfcHlyZX0K':
        print(base64.b64decode('TlNTQ1RGe29oaGghXzNhc3lfcHlyZX0K'.encode('UTF-8')))
        os.system('pause')
    else:
        print("Please input 'start' to start game~")
# okay decompiling re2.pyc
# NSSCTF{ohhh!_3asy_pyre}

pypy

甚至不需要将exe反编译为pyc，直接给的pyc文件，恢复得到源码：

# uncompyle6 version 3.8.0
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.9.5 (tags/v3.9.5:0a7dcbd, May  3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)]
# Embedded file name: 1.py
# Compiled at: 2022-09-17 15:54:07
# Size of source mod 2**32: 1433 bytes


def init_S():
    global S
    for i in range(256):
        S.append(i)


def init_T():
    global Key
    global T
    Key = 'abcdefg'
    keylen = len(Key)
    for i in range(256):
        tmp = Key[(i % keylen)]
        T.append(tmp)


def swap_S():
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(T[i])) % 256
        tmp = S[i]
        S[i] = S[j]
        S[j] = tmp


def Get_KeyStream():
    global KeyStream
    global text
    txtlen = len(text)
    j, t = (0, 0)
    for i in range(txtlen):
        i = i % 256
        j = (j + S[i]) % 256
        tmp = S[i]
        S[i] = S[j]
        S[j] = tmp
        t = (S[i] + S[j]) % 256
        KeyStream.append(S[t])


def Get_code():
    res = []
    for i in range(len(text)):
        res.append(ord(text[i]) ^ KeyStream[i])

    return res


if __name__ == '__main__':
    T, S, Key = [], [], []
    PlainText, CryptoText, KeyStream = '', '', []
    text = input('please input you flag:\n')
    if not text:
        print('bad')
        exit()
    init_S()
    init_T()
    swap_S()
    Get_KeyStream()
    res = Get_code()
    print(res)
    for i, ele in enumerate(res):
        if not ele == [84, 91, 254, 48, 129, 210, 135, 132, 112, 234, 208, 15, 213, 39, 108, 253, 86, 118, 248][i]:
            print('bad')
            exit()

    print('good')
# global CryptoText ## Warning: Unused global
# global PlainText ## Warning: Unused global
# okay decompiling pyAndR.pyc

简单逆一下：

def init_S():
    global S
    for i in range(256):
        S.append(i)


def init_T():
    global Key
    global T
    Key = 'abcdefg'
    keylen = len(Key)
    for i in range(256):
        tmp = Key[(i % keylen)]
        T.append(tmp)


def swap_S():
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(T[i])) % 256
        tmp = S[i]
        S[i] = S[j]
        S[j] = tmp


def Get_KeyStream():
    global KeyStream
    global text
    txtlen = 19
    j, t = (0, 0)
    for i in range(txtlen):
        i = i % 256
        j = (j + S[i]) % 256
        tmp = S[i]
        S[i] = S[j]
        S[j] = tmp
        t = (S[i] + S[j]) % 256
        KeyStream.append(S[t])

c = [84, 91, 254, 48, 129, 210, 135, 132, 112, 234, 208, 15, 213, 39, 108, 253, 86, 118, 248]
print(len(c))
T, S, Key = [], [], []
PlainText, CryptoText, KeyStream = '', '', []
init_S()
init_T()
swap_S()
Get_KeyStream()
print(KeyStream)
for i in range(19):
    print(chr(KeyStream[i]^c[i]),end='')
# NSSCTF{this_is_rc4}

oh这就是rc4？以前没看过源码，感觉挺简单的。

android2

反编译定位到encode类：

package com.example.ilililililil;

/* loaded from: classes.dex */
public class Encoder {
    private int key = 123456789;

    public String encode(String str) {
        StringBuilder sb = new StringBuilder();
        for (char c : str.toCharArray()) {
            sb.append((char) (c ^ this.key));
        }
        return sb.toString();
    }
}

已知key做异或即可。