# TLDR Some reverse challenge was given by one of my team mate ## XOR We are given a file with no extension first i use `file` command in linux and was able to find that this is a `Mach-O 64bit` so i load it into ida in order to read pseudo code and i found out this ```= int __fastcall main(int argc, const char **argv, const char **envp) { int i; // [rsp+2Ch] [rbp-124h] char v5[264]; // [rsp+40h] [rbp-110h] BYREF __int64 v6; // [rsp+148h] [rbp-8h] memset(v5, 0, 0x100uLL); printf("Input your flag:\n"); get_line(v5, 256LL); if ( strlen(v5) != 33 ) goto LABEL_7; for ( i = 1; i < 33; ++i ) v5[i] ^= v5[i - 1]; if ( !strncmp(v5, global, 0x21uLL) ) printf("Success"); else LABEL_7: printf("Failed"); if ( __stack_chk_guard == v6 ) return 0; else return __stack_chk_fail(); } ``` So what it does it xor with the forward with the backward and store it inside backward we can take an example like this we have `abcde` as a string need to xor we take `b ^ a` and store it at `b` I also found that after xor it will try to compare with a set of data as follow ```= byte_100000F6E db 66h ; DATA XREF: __data:_global↓o __cstring:0000000100000F6F db 0Ah __cstring:0000000100000F70 db 6Bh ; k __cstring:0000000100000F71 db 0Ch __cstring:0000000100000F72 db 77h ; w __cstring:0000000100000F73 db 26h ; & __cstring:0000000100000F74 db 4Fh ; O __cstring:0000000100000F75 db 2Eh ; . __cstring:0000000100000F76 db 40h ; @ __cstring:0000000100000F77 db 11h __cstring:0000000100000F78 db 78h ; x __cstring:0000000100000F79 db 0Dh __cstring:0000000100000F7A db 5Ah ; Z __cstring:0000000100000F7B db 3Bh ; ; __cstring:0000000100000F7C db 55h ; U __cstring:0000000100000F7D db 11h __cstring:0000000100000F7E db 70h ; p __cstring:0000000100000F7F db 19h __cstring:0000000100000F80 db 46h ; F __cstring:0000000100000F81 db 1Fh __cstring:0000000100000F82 db 76h ; v __cstring:0000000100000F83 db 22h ; " __cstring:0000000100000F84 db 4Dh ; M __cstring:0000000100000F85 db 23h ; # __cstring:0000000100000F86 db 44h ; D __cstring:0000000100000F87 db 0Eh __cstring:0000000100000F88 db 67h ; g __cstring:0000000100000F89 db 6 __cstring:0000000100000F8A db 68h ; h __cstring:0000000100000F8B db 0Fh __cstring:0000000100000F8C db 47h ; G __cstring:0000000100000F8D db 32h ; 2 __cstring:0000000100000F8E db 4Fh ; O ``` I wrote a simple python code inorder to get the flag ```= data = [0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11, 0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F, 0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x6, 0x68, 0x0F, 0x47, 0x32, 0x4F] for i in range (1, len(data)): print(chr(data[i] ^ data[i - 1]), end="") ``` And we get the flag ```= Flag: flag{QianQiuWanDai_YiTongJiangHu} ``` ## Hello world A simple challenge load it into jadx then read the flag ```= Flag: flag{7631a988259a00816deda84afb29430a} ``` ## Hmm where is the snake? We are given a `.pyc` file so i use `https://decompiler.com` in order to retrive the source code and we have as follow ```= print 'Welcome to Re World!' print 'Your input1 is your flag~' l = len(input1) for i in range(l): num = ((input1[i] + i) % 128 + 128) % 128 code += num for i in range(l - 1): code[i] = code[i] ^ code[i + 1] print code code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13'] ``` To get the flag i will try to xor first then mod 128 ```= code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13'] for i in range(len(code) - 2, -1, -1): code[i] = chr(ord(code[i]) ^ ord(code[i + 1])) for i in range(len(code)): if((ord(code[i]) - i) >= 0): print(chr(ord(code[i]) - i), end="") else: print(chr(ord(code[i]) - i + 128), end="") ``` i got this `GWHT{Just_Re_1s_Ha66y!}` as a result don't know why ```= Flag: fag{Just_Re_1s_Ha66y!} ``` ## Java not in heart Well we got a `.CLASS` file so we decompile it and get the source code as follow ```= import java.util.ArrayList; import java.util.Scanner; public class Reverse { public static void main(String[] args) { Scanner s = new Scanner(System.in); System.out.println("Please input the flag ："); String str = s.next(); System.out.println("Your input is ："); System.out.println(str); char[] stringArr = str.toCharArray(); Encrypt(stringArr); } public static void Encrypt(char[] arr) { ArrayList<Integer> Resultlist = new ArrayList(); for(int i = 0; i < arr.length; ++i) { int result = arr[i] + 64 ^ 32; Resultlist.add(result); } int[] KEY = new int[]{180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65}; ArrayList<Integer> KEYList = new ArrayList(); for(int j = 0; j < KEY.length; ++j) { KEYList.add(KEY[j]); } System.out.println("Result:"); if (Resultlist.equals(KEYList)) { System.out.println("Congratulations！"); } else { System.err.println("Error！"); } } } ``` Another easy problem so i wrote a small python scrypt to solve this ```= data = [180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65] for item in data: for i in range (0, 128): if i + 64 ^ 32 == item: print(chr(i), end="") ``` In the source code we can get the flag if resultList is equals to KeyList but the resultList is gen by plus 64 and xor 32 using from 0 to len of input so the idea of my code i use a brute force to find that if from 0 to 128 if there is a number after encrypt if equal to item then it is the flag ```= Flag: flag{This_is_the_flag_!} ```