{"id":66,"date":"2025-09-03T18:28:32","date_gmt":"2025-09-03T10:28:32","guid":{"rendered":"http:\/\/www.xuanbin.top\/?p=66"},"modified":"2025-09-10T20:20:16","modified_gmt":"2025-09-10T12:20:16","slug":"nepctf2025-reverse-%e5%a4%8d%e7%8e%b0%ef%bc%88%e9%83%a8%e5%88%86%ef%bc%89","status":"publish","type":"post","link":"http:\/\/www.xuanbin.top\/index.php\/2025\/09\/03\/nepctf2025-reverse-%e5%a4%8d%e7%8e%b0%ef%bc%88%e9%83%a8%e5%88%86%ef%bc%89\/","title":{"rendered":"NepCTF2025\u2014\u2014REVERSE\u2014\u2014\u590d\u73b0\uff08\u90e8\u5206\uff09"},"content":{"rendered":"\n

\u6691\u5047\u6253\u4e86\u633a\u591a\u7ebf\u4e0a\u7684CTF\uff0cNepCTF\u7684RE\u9898\u8d28\u91cf\u4e00\u5982\u65e2\u5f80\u7684\u9ad8\u3002<\/p>\n\n\n\n

realme<\/h2>\n\n\n\n

\u901a\u8fc7\u5b57\u7b26\u4e32\u5b9a\u4f4d\u6cd5\u5b9a\u4f4d\u5230\u4e3b\u51fd\u6570\uff0c\u521d\u6b21\u5206\u6790\u53d1\u73b0\u662fRC4\u9b54\u6539\uff0c\u7f6e\u6362S\u76d2\u65f6\u5f02\u62160X66\u4e14\u6700\u540e\u7684\u5f02\u6216\u6539\u4e3a\u6a21\u9664\u3002\u540e\u7eed\u53d1\u73b0\u6709\u53cd\u8c03\u8bd5\uff0c\u8fd9\u91cc\u7ed9\u51faScyllaHide\u63d2\u4ef6dump\u548cpatch\u53cd\u8c03\u8bd5\u4e24\u79cd\u505a\u6cd5\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

ScyllaHide\u63d2\u4ef6dump<\/h3>\n\n\n\n

\u901a\u8fc7ScyllaHide\u81ea\u52a8\u8fc7\u53cd\u8c03\u8bd5\uff0c\u7ed3\u5408\u7a0b\u5e8f\u4e0d\u76f4\u63a5\u9000\u51fa\u731c\u6d4b\u6709\u81ea\u4fee\u6539\uff0c\u5728\u8f93\u51fa\u65f6dump\uff0c\u53d1\u73b0\u5b9e\u9645\u9b54\u6539\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

patch\u53cd\u8c03\u8bd5<\/h3>\n\n\n\n

\u901a\u8fc7\u6808\u56de\u6eaf\u6cd5\u5b9a\u4f4d\u5230\u7b2c\u4e00\u6b21\u53cd\u8c03\u8bd5\u5904\uff0cHOOK\u4e86scanf\u51fd\u6570\uff0c\u4fee\u6539\u4e86\u9b54\u6539RC4\u7684\u903b\u8f91\u5e76\u901a\u8fc7\u5f02\u6216\u6fc0\u6d3b\u7b2c\u4e8c\u6b21\u53cd\u8c03\u8bd5\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\u7b2c\u4e8c\u6b21\u518d\u6b21\u4fee\u6539\u9b54\u6539RC4\u903b\u8f91\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u6700\u540e\u7684\u4e24\u5904\u9b54\u6539<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
#include<iostream>\n#include<string>\n#include<string.h>\nusing namespace std;\nvoid rc4init(unsigned char K[],unsigned char key[])\n{\n    unsigned char S[256];\n    unsigned char T[256];\n    int Len=strlen((char*)(key));\n    for(int i=0;i<256;i++)\n    {\n        S[i]=i^0xCF;\n        T[i]=key[i%Len];\n    }\n    int j=0;\n    int temp=0;\n    for(int i=0;i<256;i++)\n    {\n        j=(j+S[i]+T[i])%256;\n        temp=S[i];\n        S[i]=S[j];\n        S[j]=temp^0xAD;\n    }\n    \/\/\u751f\u6210\u5bc6\u94a5\u6d41\n    int i = 0;\n    j=0;\n    int t = 0;\n    unsigned long k = 0;\n    for(int time=0;time<256;time++)\n    {\n        i=(i+1)%256;\n        j=(j+i*S[i])%256;\n        temp=S[i];\n        S[i]=S[j];\n        S[j]=temp;\n        t=(S[i]+S[j])%256;\n        K[time]=S[t];\n    }\n}\nint main()\n{\n    unsigned char K[256]={0};\n    unsigned char key[]=\"Y0u_Can't_F1nd_Me!\";\n    rc4init(K,key);\n    unsigned char flag[]={  0x50, 0x59, 0xA2, 0x94, 0x2E, 0x8E, 0x5C, 0x95, 0x79, 0x16, \n  0xE5, 0x36, 0x60, 0xC7, 0xE8, 0x06, 0x33, 0x78, 0xF0, 0xD0, \n  0x36, 0xC8, 0x73, 0x1B, 0x65, 0x40, 0xB5, 0xD4, 0xE8, 0x9C, \n  0x65, 0xF4, 0xBA, 0x62, 0xD0};\n    for(int i=0;i<sizeof(flag)\/sizeof(flag[0]);i++)\n    {\n        if(i%2==0)\n        {\n            flag[i]+=K[i];\n        }\n        else\n        {\n            flag[i]-=K[i];\n        }\n        cout<<flag[i];\n    }\n}<\/code><\/pre>\n\n\n\n
Crackme<\/h2>\n\n\n\n
\u5f85\u7eed<\/p>\n\n\n\n
qrs<\/h2>\n\n\n\n
\u5f85\u7eed<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6691\u5047\u6253\u4e86\u633a\u591a\u7ebf\u4e0a\u7684CTF\uff0cNepCTF\u7684RE\u9898\u8d28\u91cf\u4e00\u5982\u65e2\u5f80\u7684\u9ad8\u3002 realme \u901a\u8fc7\u5b57\u7b26\u4e32\u5b9a\u4f4d\u6cd5\u5b9a\u4f4d\u5230\u4e3b\u51fd\u6570\uff0c\u521d\u6b21\u5206\u6790\u53d1\u73b0\u662fRC4 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-66","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":4,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"predecessor-version":[{"id":110,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions\/110"}],"wp:attachment":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}