SYCTF2023-Reverse官方题解

01

程序逻辑:将flag异或“随机数”后得到正确flag,再直接与输入比较。

只要srand的参数确定了,一系列rand()返回值都能确定。其中flag原值可通过IDA Pro的LazyIDA一键导出(需要另行安装)。

exp:

1
2
3
4
5
6
7
8
9
10
#include <cstdlib>
#include <cstdio>
using namespace std;
char flag[]={0xa1,0x7c,0x7a,0xb2,0x13,0x68,0x28,0xe5,0x25,0x5,0xca,0x8c,0xce,0x7f,0xf3,0xaa,0x50,0x5a,0x50,0x63,0x17,0x5b,0x18,0xd7,0x51,0xae,0x14,0x87,0x7f,0x7f,0x79,0xa4,0xc4,0x24,0xa7,0x89,0xa4,0xab,0x4b,0xae,0xb8,0x06,0xdf};
int main(void){
    srand(0xDEADC0DE);
    for(int i=0;i<43;i++)
        printf("%c",flag[i]^(rand()&0xFF));
    return 0;
};

ezGo

Go语言代码阅读题,加密逻辑:flag先异或0x9C,再经过换表Base64后转十六进制。

异或解密:

1
2
3
4
enc=[0xf7,0xce,0xde,0xaf,0xf0,0xa8,0xec,0xc4,0xf4,0xa8,0xf3,0xce,0xff,0xe6,0xf3,0xd2,0xf9,0xaf,0xff,0xd6,0xfb,0xcc,0xeb,0xc8,0xfb,0xe5,0xcd,0xcd,0xf8,0xe6,0xef,0xd3,0xfe,0xf6,0xff,0xcc,0xfb,0xcd,0xa8,0xd6,0xf8,0xcc,0xf7,0xd3,0xf8,0xcd,0xff,0xcc,0xf4,0xaf,0xf8,0xaa,0xf8,0xdd,0xf7,0xce,0xea,0xfb,0xa1,0xa1]
for i in range(len(enc)):
    enc[i]^=0x9c
    print(chr(enc[i]),end='')

CyberChef脚本

1
2
From_Hex('Auto')
From_Base64('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=',true,false)

CrackSYapk

用jadx打开,发现为AES加密,其中密钥为“SYCTF2023yyds666”,密文在flag数组中。解密exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
public class exp{
    public static void main(String[]args){
        byte[] flag=new byte[]{0x4, (byte) 0xe0, (byte) 0xc7,0x4c, (byte) 0x92, (byte) 0x89,0x60,0x18, (byte) 0xe3,0x3c, (byte) 0xa0,0x75, (byte) 0xa2,0x13,0x51,0x68, (byte) 0x93, (byte) 0xd4, (byte) 0xda,0x3b,0x47,0x3e,0x0, (byte) 0x94,0x59, (byte) 0x9f, (byte) 0xd4,0x41,0xa, (byte) 0xf7, (byte) 0xdd, (byte) 0xe8, (byte) 0x80,0x37,0x3c,0x6d, (byte) 0xd9, (byte) 0xee, (byte) 0xb8, (byte) 0x80,0x6e, (byte) 0xcd,0x0, (byte) 0xbc,0x1b,0x1c,0x35,0x76};
        String key="SYCTF2023yyds666";
        byte[] decryptData=DecryptAES(key,flag);
        System.out.println(new String(decryptData));
    };
    private static byte[] DecryptAES(String key,byte[] data){
        try{
            SecretKey secretKey=new SecretKeySpec(key.getBytes(),"AES");
            Cipher cipher=Cipher.getInstance("AES/ECB/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE,secretKey);
            return cipher.doFinal(data);
        }
        catch(Exception e){
            e.printStackTrace();
        };
        return new byte[]{0};
    };
};

也可以用赛博厨子做:

1
2
3
Input:04e0c74c92896018e33ca075a213516893d4da3b473e0094599fd4410af7dde880373c6dd9eeb8806ecd00bc1b1c3576
AES_Decrypt({'option':'UTF8','string':'SYCTF2023yyds666'},{'option':'Hex','string':''},'ECB/NoPadding','Hex','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
Output:SYCTF{CE07DDE4-A771-8499-56A8-49AC9D04817F}.....