
CTF-HGame-2021

Reverse

week1

pypy

其实就是dis模块加密后的阅读了,照着文档一步步连读带猜都不难。

from typing import *
flag = '30466633346f59213b4139794520572b45514d61583151576638643a'
# Two hex digits per byte -> the raw byte string the challenge compares against.
res = bytes.fromhex(flag)
length = len(res)
# Step 1: XOR every byte with its own position.
raw = [byte ^ idx for idx, byte in enumerate(res)]
# Step 2: exchange the bytes of every (2k, 2k+1) pair.
for k in range(length // 2):
    lo, hi = 2 * k, 2 * k + 1
    raw[lo], raw[hi] = raw[hi], raw[lo]
print(''.join(chr(c) for c in raw))

helloRe

首先长度为22,每次跟一个值异或,然后值减一,跟一个字节数组对比,简单题。

key = '97 99 9C 91 9E 81 91 9D 9B 9A 9A AB 81 97 AE 80 83 8F 94 89 99 97'
# Space-separated hex bytes -> list of ints (22 entries).
key = [int(tok, 16) for tok in key.split(' ')]
print(key)
# Each of the 22 bytes is XORed with a counter that starts at 0xff and
# decreases by one per position.
flag = ''
i, d = 0, 0xff
while i < 22:
    flag += chr(key[i] ^ d)
    i, d = i + 1, d - 1
print(flag)

a_pa_cha

通过find_crypt插件是tea加密,参考博客中逆向中的常用算法,有类似tea的轮函数,但是不完全相同,所以看看xtea和xxtea,分析后是xxtea算法

image-20210212223228366

那没事了,直接解密即可。https://www.jianshu.com/p/4272e0805da3

#include <stdio.h>  
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

/*
 * XXTEA (Corrected Block TEA) in the usual reference layout.
 *
 * v   : array of 32-bit words transformed in place
 * n   : |n| is the number of words; n > 1 encodes, n < -1 decodes,
 *       anything in {-1, 0, 1} leaves v untouched
 * key : 128-bit key as four 32-bit words
 *
 * The MX macro defined above reads y, z, sum, p, e and key from this
 * function's scope, so those names are part of the algorithm.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) /* Coding Part */
    {
        rounds = 6 + 52/n;          /* fewer rounds for longer blocks */
        sum = 0;
        z = v[n-1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;     /* picks which key word MX mixes in */
            for (p=0; p<n-1; p++)
            {
                y = v[p+1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n-1] += MX;
        }
        while (--rounds);
    }
    else if (n < -1) /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52/n;
        sum = rounds*DELTA;         /* final encoding sum; walked backwards below */
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p=n-1; p>0; p--)
            {
                z = v[p-1];
                y = v[p] -= MX;
            }
            z = v[n-1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        while (--rounds);
    }
}

int main()
{
    /* Ciphertext: 35 little 32-bit words taken from the binary. */
    uint32_t v[35]= {0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674, 0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD, 0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2, 0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D, 0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F, 0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA, 0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9};
    /* 128-bit key as four 32-bit words. */
    uint32_t const k[4]= {1,2,3,4};
    /* |n| is the length of v in words; positive encrypts, negative decrypts. */
    int n = (int)(sizeof v / sizeof v[0]);
    /* Decrypt in place. */
    btea(v, -n, k);
    /* Emit the low byte of every word as one character. */
    for (int idx = 0; idx < n; idx++)
        printf("%c", v[idx]);
    return 0;
}

week2

ezApk

这道题是java层的加密,将输入的字符串进行加密,

加密函数的关键步骤为aes的cbc,key为’A_HIDDEN_KEY’的sha-256,iv为’A_HIDDEN_KEY’的md5,嘛。。基础题

image-20210211144621412

在对其进行aes加密后使用base64编码

image-20210211144206437

emm,然而只限制前16长度也行不通,好叭,下个IDEA跑一跑。

需要安装证书,见https://blog.csdn.net/dafeige8/article/details/76019911

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Security;
import java.util.Base64;
//import

/**
 * Decrypts the challenge's Base64 AES-CBC ciphertext with the key and IV
 * derived from the string "A_HIDDEN_KEY".
 */
public class decode {
    private static boolean initialized = false;

    public static void main(String[] args) {
        byte[] ciphertext = "EEB23sI1Wd9Gvhvk1sgWyQZhjilnYwCi5au1guzOaIg5dMAj9qPA7lnIyVoPSdRY".getBytes(StandardCharsets.UTF_8);
        System.out.println(Aes256Decode(ciphertext));
    }

    /**
     * Base64-decodes {@code bytes} and decrypts it with AES/CBC/PKCS7Padding.
     * Key = SHA-256("A_HIDDEN_KEY") (32 bytes, hence AES-256),
     * IV  = MD5("A_HIDDEN_KEY") (16 bytes).
     *
     * @return the UTF-8 plaintext, or {@code null} if decryption threw
     *         (the exception is printed, not propagated)
     */
    public static String Aes256Decode(byte[] bytes) {
        initialize();
        final String secret = "A_HIDDEN_KEY";
        byte[] aesKey = encrypt_with("SHA-256", secret);
        byte[] aesIv = encrypt_with("MD5", secret);
        byte[] ciphertext = Base64.getDecoder().decode(bytes);
        String plaintext = null;
        try {
            // AES in CBC mode with PKCS#7 padding from the BouncyCastle ("BC") provider.
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
            SecretKeySpec keySpec = new SecretKeySpec(aesKey, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(aesIv);
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            plaintext = new String(cipher.doFinal(ciphertext), "UTF-8");
        } catch (Exception e) {
            e.printStackTrace();
        }
        return plaintext;
    }

    /**
     * Hashes {@code arg3} (UTF-8) with the digest algorithm named by {@code arg2}.
     *
     * @return the digest, or an empty array if the algorithm is unavailable
     */
    public static byte[] encrypt_with(String arg2, String arg3) {
        try {
            MessageDigest digest = MessageDigest.getInstance(arg2);
            return digest.digest(arg3.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            return "".getBytes(StandardCharsets.UTF_8);
        }
    }

    /** Registers the BouncyCastle provider once so "BC" resolves in getInstance. */
    public static void initialize() {
        if (initialized) {
            return;
        }
        Security.addProvider(new BouncyCastleProvider());
        initialized = true;
    }
}

helloRe2

这题好像是多线程和共享内存,实际上不难,在字符串表可以看见bcrypt,是一种加密算法,首先看看password1

image-20210212112341975

将input读入后,先看长度是16,然后与4030F0做字节对比,4030F0是39383162303261336136653563306232,但是转成字节字符串后没法输入,先不管,(然而是我没转十六进制的问题),往下看新建了线程和获取共享内存啥的,还有反调。

image-20210212112547677

主要是这这里,对每一个字节异或了一下,也许之后password2会对共享内存里的这个数据进行读取,(线程间通信),那么回到头看看password2的验证,

image-20210212164518441

eax获取到了刚刚共享内存里的数据,放到了pbSecret里面,然后利用pbSecret生成key,iv是知道的,密文也是知道的,只要知道明文即可获取flag,所以唯一的疑惑只剩下key是多少,通过api的介绍,只是说明了可为给定的key创建一个密钥句柄,不妨认为这个key就是我们的pbSecret,那么试着写写程序

iv来自

image-20210212123137666

有两个encrypt函数,第一个作用如下,不用管也行。

image-20210212163542821

from Crypto.Cipher import AES

a = '39383162303261336136653563306232'
b = [chr(int(a[i*2:i*2+2], 16)) for i in range(len(a) // 2)]
# 大小端
print(''.join(reversed(b)))
# passwd1
passwd1 = ''.join(reversed(b))

key = passwd1[0]
for i in range(1,16):
truekey += chr(ord(passwd1[i]) ^ i)
key = key.encode('utf8')
print(key)
iv = bytes([x for x in range(16)])

secret_text = '7EF602D5625F4E3F65797607D9FEFEB7'
secret_text = ''.join(reversed([secret_text[i*2:i*2+2] for i in range(len(secret_text) // 2)]))
print(secret_text)
secret_text = bytes.fromhex(secret_text)
aes = AES.new(key=key, iv=iv, mode=AES.MODE_CBC)
#print(aes.decrypt(secret_text).hex())

def toStr(a):
trueb = [chr(int(a[i*2:i*2+2], 16)) for i in range(len(a) // 2)]
truereturn ''.join(b)
true
print(toStr(aes.decrypt(secret_text).hex()))

fake_debugger beta

挺简单的题不知道当时为啥没做出来。。。

image-20210218122739866

输入一段长度之后可以进入调试过程,对每位字符进行检验,第一步eax为当前位和ebx异或后的字母,ebx为参数,将a(97)和23异或之后为118,第二步即zf为1的时候,将eax与ebx比对,如果正确就进入下一步,所以第一步为127^23 = 104,即h,所以前面应当是hgame{,之后的进行爆破即可

image-20210218122829927

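from pwn import *
import re

# Candidate flag: the known prefix followed by filler characters that the
# loop below corrects one position at a time.
flag = 'hgame{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
while True:
    print(flag)
    p = remote('101.132.177.131', 9999)
    try:
        p.recvuntil('now!\n')
        p.sendline(flag)
        p.recvuntil('-----\n')
        i = 0
        # Bound check first so flag[i] is never evaluated past the end
        # (the former `or i == len(flag)` clause ran after the index and
        # could not prevent an IndexError).
        while i < len(flag) and flag[i] != '}':
            print(flag[i])
            # Two single-steps; each prints ebx, and the XOR of the two
            # values is the character expected at position i.
            p.sendline(' ')
            l = p.recvuntil('-----\n').decode('utf8')
            m1 = re.search(r'ebx: (.+?)\n', l).groups()[0]
            p.sendline(' ')
            l = p.recvuntil('-----\n').decode('utf8')
            m2 = re.search(r'ebx: (.+?)\n', l).groups()[0]
            expected = int(m1) ^ int(m2)
            if expected == ord(flag[i]):
                i += 1
            else:
                # Fix this position, then reconnect and resume from it.
                flag = flag[:i] + chr(expected) + flag[i + 1:]
                break
    finally:
        # Release the connection even when the service drops early.
        p.close()
    # Stop at the closing brace, or when every position has been confirmed.
    if i >= len(flag) or flag[i] == '}':
        print(flag)
        break

# hgame{You_Kn0w_debuGg3r}aaaaaaaaaaaaaaaaaaaaaaaaaaa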

week3

FAKE

一看就是z3题,首先将输入从rbp-40h放到了rbp-D0h,让每位有4字节的宽度 ![image-20210218170644925](/Users/zrzz/Library/Application Support/typora-user-images/image-20210218170644925.png)

不得不吐槽一下7.0和7.5的反编译,天上和地下了

![image-20210218170611189](/Users/zrzz/Library/Application Support/typora-user-images/image-20210218170611189.png)

![image-20210218170604535](/Users/zrzz/Library/Application Support/typora-user-images/image-20210218170604535.png)

解方程解出来后是FAKE_flag,仔细看函数发现这个函数存在一个异或过程,将比较代码即sub_401216替换了,但是在调试状态不会进入这个函数,所以把调试过程hook掉

image-20210219212951671

然后看到401216的代码不太好看,于是用idc脚本patch掉再重新打开静态分析,保存为.idc文件然后运行即可。

#include <idc.idc>

// Undo the in-place obfuscation of sub_401216: every byte from 0x401216
// onward is XORed with the byte at the same offset in the table at
// 0x409080, for 0x43f bytes (offsets 0..0x43e), and written back.
static main() {
    auto b_arr_addr = 0x409080;
    auto addr = 0x401216;
    auto i = 0;
    while (i <= 0x43e) {
        PatchByte(addr + i, Byte(addr + i) ^ Byte(b_arr_addr + i));
        i++;
    }
}

在 file->script file 中运行后,在 edit->patch program->apply patches to input file

重新打开后发现加密函数变成

/*
 * Decompiler output (IDA) of the de-obfuscated check routine.
 *
 * input : pointer to 36 little 32-bit ints - per the write-up above, the
 *         user input widened to one int per character.
 * returns 1 when the input passes, 0 otherwise.
 *
 * Reading input, v2 and v3 as row-major 6x6 matrices, the loops compute
 * v4 = input * v2 and accept only when v4 equals v3 element-wise.
 */
_int64 __fastcall sub_401216(__int64 input)
{
    int v2[36]; // [rsp+8h] [rbp-1D0h]
    int v3[36]; // [rsp+98h] [rbp-140h]
    int v4[38]; // [rsp+128h] [rbp-B0h] BYREF
    int m; // [rsp+1C0h] [rbp-18h]
    int l; // [rsp+1C4h] [rbp-14h]
    int k; // [rsp+1C8h] [rbp-10h]
    int j; // [rsp+1CCh] [rbp-Ch]
    int i; // [rsp+1D0h] [rbp-8h]
    unsigned int v10; // [rsp+1D4h] [rbp-4h]

    memset(v4, 0, 0x90uLL);     // 0x90 = 36 ints: the accumulator starts at zero
    // v3: expected products (row-major 6x6).
    v3[0] = 55030;
    v3[1] = 61095;
    v3[2] = 60151;
    v3[3] = 57247;
    v3[4] = 56780;
    v3[5] = 55726;
    v3[6] = 46642;
    v3[7] = 52931;
    v3[8] = 53580;
    v3[9] = 50437;
    v3[10] = 50062;
    v3[11] = 44186;
    v3[12] = 44909;
    v3[13] = 46490;
    v3[14] = 46024;
    v3[15] = 44347;
    v3[16] = 43850;
    v3[17] = 44368;
    v3[18] = 54990;
    v3[19] = 61884;
    v3[20] = 61202;
    v3[21] = 58139;
    v3[22] = 57730;
    v3[23] = 54964;
    v3[24] = 48849;
    v3[25] = 51026;
    v3[26] = 49629;
    v3[27] = 48219;
    v3[28] = 47904;
    v3[29] = 50823;
    v3[30] = 46596;
    v3[31] = 50517;
    v3[32] = 48421;
    v3[33] = 46143;
    v3[34] = 46102;
    v3[35] = 46744;
    // v2: the constant right-hand matrix (row-major 6x6); its entries are
    // the ASCII codes of the decoy string "hgame{@_FAKE_flag!-do_Y0u_know_SMC?}".
    v2[0] = 104;
    v2[1] = 103;
    v2[2] = 97;
    v2[3] = 109;
    v2[4] = 101;
    v2[5] = 123;
    v2[6] = 64;
    v2[7] = 95;
    v2[8] = 70;
    v2[9] = 65;
    v2[10] = 75;
    v2[11] = 69;
    v2[12] = 95;
    v2[13] = 102;
    v2[14] = 108;
    v2[15] = 97;
    v2[16] = 103;
    v2[17] = 33;
    v2[18] = 45;
    v2[19] = 100;
    v2[20] = 111;
    v2[21] = 95;
    v2[22] = 89;
    v2[23] = 48;
    v2[24] = 117;
    v2[25] = 95;
    v2[26] = 107;
    v2[27] = 111;
    v2[28] = 110;
    v2[29] = 119;
    v2[30] = 95;
    v2[31] = 83;
    v2[32] = 77;
    v2[33] = 67;
    v2[34] = 63;
    v2[35] = 125;
    v10 = 1;
    for ( i = 0; i <= 5; ++i )
    {
        for ( j = 0; j <= 5; ++j )
        {
            // v4[i][j] += input[i][k] * v2[k][j]: row i of input times column j of v2.
            for ( k = 0; k <= 5; ++k )
                v4[6 * i + j] += v2[6 * k + j] * *(_DWORD *)(4LL * (6 * i + k) + input);
        }
    }
    // Any mismatch clears the result; all 36 cells are always compared.
    for ( l = 0; l <= 5; ++l )
    {
        for ( m = 0; m <= 5; ++m )
        {
            if ( v4[6 * l + m] != v3[6 * l + m] )
                v10 = 0;
        }
    }
    return v10;
}

整理后发现,就是一个矩阵乘法

image-20210220170944394

所以flag * v2 = v3,flag就是 v3 * v2.I

from z3 import *
import numpy as np
v2 = [0] * 36
v3 = [0] * 36
v4 = [0] * 36

v3[0] = 55030;
v3[1] = 61095;
v3[2] = 60151;
v3[3] = 57247;
v3[4] = 56780;
v3[5] = 55726;
v3[6] = 46642;
v3[7] = 52931;
v3[8] = 53580;
v3[9] = 50437;
v3[10] = 50062;
v3[11] = 44186;
v3[12] = 44909;
v3[13] = 46490;
v3[14] = 46024;
v3[15] = 44347;
v3[16] = 43850;
v3[17] = 44368;
v3[18] = 54990;
v3[19] = 61884;
v3[20] = 61202;
v3[21] = 58139;
v3[22] = 57730;
v3[23] = 54964;
v3[24] = 48849;
v3[25] = 51026;
v3[26] = 49629;
v3[27] = 48219;
v3[28] = 47904;
v3[29] = 50823;
v3[30] = 46596;
v3[31] = 50517;
v3[32] = 48421;
v3[33] = 46143;
v3[34] = 46102;
v3[35] = 46744;
v2[0] = 104;
v2[1] = 103;
v2[2] = 97;
v2[3] = 109;
v2[4] = 101;
v2[5] = 123;
v2[6] = 64;
v2[7] = 95;
v2[8] = 70;
v2[9] = 65;
v2[10] = 75;
v2[11] = 69;
v2[12] = 95;
v2[13] = 102;
v2[14] = 108;
v2[15] = 97;
v2[16] = 103;
v2[17] = 33;
v2[18] = 45;
v2[19] = 100;
v2[20] = 111;
v2[21] = 95;
v2[22] = 89;
v2[23] = 48;
v2[24] = 117;
v2[25] = 95;
v2[26] = 107;
v2[27] = 111;
v2[28] = 110;
v2[29] = 119;
v2[30] = 95;
v2[31] = 83;
v2[32] = 77;
v2[33] = 67;
v2[34] = 63;
v2[35] = 125;

v2, v3 = np.array(v2).reshape(6,6), np.array(v3).reshape(6,6)
flag = np.matmul(v3,np.linalg.inv(v2))
flag = flag.reshape(1, -1)
flag = flag.tolist()[0]
flag = ''.join(list(map(lambda x: chr(round(x)), flag)))
print(flag)
# hgame{E@sy_Se1f-Modifying_C0oodee33}

就是得注意不能用 int 而要用 round(矩阵求逆后的结果带有浮点误差,int 会直接截断)

或者使用高斯消元

# Augmented 36x37 system: 36 unknowns plus one right-hand-side column.
datanum = [[0] * 37 for _ in range(36)]
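def gauss(a):
    """Solve an augmented linear system in place by Gauss-Jordan elimination.

    ``a`` is a list of rows, each ``len(a) + 1`` long: the first ``len(a)``
    entries are the coefficient matrix and the last one is the right-hand
    side.  The rows are reduced to the identity in place, so afterwards
    ``a[i][-1]`` holds the value of unknown ``i``.  The same list object is
    returned for convenience.

    Raises:
        ValueError: if no row at or below ``i`` has a nonzero entry in
            column ``i`` (the matrix is singular).  The previous version
            divided by zero at that point instead.
    """
    n = len(a)
    for i in range(n):
        # Pivot: when the diagonal entry is zero, swap in the first row
        # below that has a nonzero entry in this column.
        if a[i][i] == 0:
            for k in range(i + 1, n):
                if a[k][i] != 0:
                    a[k], a[i] = a[i], a[k]
                    break
            else:
                raise ValueError(f"singular matrix: no pivot in column {i}")
        # Normalise the pivot row so its diagonal entry becomes 1.
        pivot = a[i][i]
        for j in range(i, len(a[i])):
            a[i][j] = a[i][j] / pivot
        # Eliminate column i from every other row.  The multiplier is read
        # once up front, so the column update order no longer matters.
        for j in range(n):
            if j != i:
                factor = a[j][i]
                for k in range(i, len(a[i])):
                    a[j][k] = a[j][k] - factor * a[i][k]
    return a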
# Coefficient matrix of sub_401216 as a flat row-major 6x6 list; the
# entries are the ASCII codes of the decoy string.
v2 = [ord(c) for c in 'hgame{@_FAKE_flag!-do_Y0u_know_SMC?}']
# Expected products, flat row-major 6x6.
v3 = [
    55030, 61095, 60151, 57247, 56780, 55726,
    46642, 52931, 53580, 50437, 50062, 44186,
    44909, 46490, 46024, 44347, 43850, 44368,
    54990, 61884, 61202, 58139, 57730, 54964,
    48849, 51026, 49629, 48219, 47904, 50823,
    46596, 50517, 48421, 46143, 46102, 46744,
]
# Equation (i, j): sum_k x[6*i+k] * v2[6*k+j] == v3[6*i+j].  Row 6*i+j of
# the augmented system gets those six coefficients and the right-hand side
# in column 36.
for i in range(6):
    for j in range(6):
        row = datanum[6 * i + j]
        for k in range(6):
            row[6 * i + k] = v2[6 * k + j]
        row[36] = v3[6 * i + j]
res = gauss(datanum)
# After reduction each row's last column is one unknown, i.e. one character.
print(''.join(chr(round(row[36])) for row in res), end='')

gun

这道题使用了梆梆壳加密,用fridadexdump解出来,发现是使用okhttp进行了特定证书的加密传输,所以charles无法解密,找了些资料,发现可以用frida绕过pinning

https://xz.aliyun.com/t/6102

https://portswigger.net/support/configuring-an-android-device-to-work-with-burp

嗯,跑是跑起来了,但是没看到数据传输。。。准备看wp吧。

自闭。其中mainactivity开了个线程跑这个。

package com.ryen.gun;

import aj;
import ak;
import al;
import am;
import an;
import ao;
import bj;
import bk;
import bl;
import bm;
import bn;
import bo;
import cj;
import ck;
import cl;
import cm;
import cn;
import co;
import dj;
import dk;
import dl;
import dm;
import dn;
import do;
import ej;
import ek;
import el;
import em;
import en;
import eo;
import fj;
import fk;
import fl;
import fm;
import fn;
import fo;
import gj;
import gk;
import gl;
import gm;
import gn;
import go;
import hj;
import hk;
import hl;
import hm;
import hn;
import ho;
import ij;
import ik;
import il;
import im;
import in;
import io;
import jj;
import jk;
import jl;
import jm;
import jn;
import jo;
import kj;
import kk;
import kl;
import km;
import kn;
import ko;
import lj;
import lk;
import ll;
import lm;
import ln;
import mj;
import mk;
import ml;
import mm;
import mn;
import nj;
import nk;
import nl;
import nm;
import nn;
import oj;
import ok;
import ol;
import om;
import on;
import pi;
import pj;
import pk;
import pl;
import pm;
import pn;
import qi;
import qj;
import qk;
import ql;
import qm;
import qn;
import ri;
import rj;
import rk;
import rl;
import rm;
import rn;
import si;
import sj;
import sk;
import sl;
import sm;
import sn;
import ti;
import tj;
import tk;
import tl;
import tm;
import tn;
import ui;
import uj;
import uk;
import ul;
import um;
import un;
import vi;
import vj;
import vk;
import vl;
import vm;
import vn;
import wi;
import wj;
import wk;
import wl;
import wm;
import wn;
import xi;
import xj;
import xk;
import xl;
import xm;
import xn;
import yi;
import yj;
import yk;
import yl;
import ym;
import yn;
import zi;
import zj;
import zk;
import zl;
import zm;
import zn;

/**
 * Runnable that MainActivity hands to a background thread (see the note
 * above).  Every obfuscated class below is invoked via run(), not start(),
 * so they execute one after another on this single thread, in source
 * order.  The um listing further down shows the per-class pattern: one
 * request to hgame.vidar.club carrying a single character and a delay.
 */
public final class MainActivity.a implements Runnable {
    /** Singleton instance created by the static initialiser. */
    public static final MainActivity.a a;

    public static {
        MainActivity.a.a = new MainActivity.a();
    }

    @Override
    public final void run() {
        // Any exception aborts the whole sequence; it is only printed.
        try {
            new ol().run();
            new jm().run();
            new fn().run();
            new aj().run();
            new xl().run();
            new yn().run();
            new qm().run();
            new ao().run();
            new vn().run();
            new wm().run();
            new wj().run();
            new xn().run();
            new jk().run();
            new nl().run();
            new co().run();
            new um().run();
            new nn().run();
            new ll().run();
            new ul().run();
            new uj().run();
            new ln().run();
            new el().run();
            new vk().run();
            new hj().run();
            new cl().run();
            new ti().run();
            new cn().run();
            new kk().run();
            new tl().run();
            new go().run();
            new pm().run();
            new wi().run();
            new fm().run();
            new uk().run();
            new bl().run();
            new rk().run();
            new bo().run();
            new lk().run();
            new bj().run();
            new rl().run();
            new il().run();
            new ko().run();
            new yi().run();
            new pk().run();
            new gm().run();
            new dn().run();
            new km().run();
            new sm().run();
            new yk().run();
            new on().run();
            new al().run();
            new qk().run();
            new hl().run();
            new pj().run();
            new pi().run();
            new qi().run();
            new qj().run();
            new sj().run();
            new yj().run();
            new kl().run();
            new vi().run();
            new gj().run();
            new nk().run();
            new ej().run();
            new vl().run();
            new nm().run();
            new bm().run();
            new ri().run();
            new dl().run();
            new kn().run();
            new mn().run();
            new sn().run();
            new ok().run();
            new gl().run();
            new eo().run();
            new do().run();
            new xj().run();
            new zj().run();
            new fl().run();
            new dk().run();
            new fj().run();
            new im().run();
            new zk().run();
            new hm().run();
            new xm().run();
            new vm().run();
            new ij().run();
            new fo().run();
            new oj().run();
            new em().run();
            new kj().run();
            new zi().run();
            new zm().run();
            new rj().run();
            new ho().run();
            new ek().run();
            new dm().run();
            new un().run();
            new tj().run();
            new xi().run();
            new qn().run();
            new ml().run();
            new cj().run();
            new wn().run();
            new zn().run();
            new bk().run();
            new in().run();
            new jl().run();
            new hk().run();
            new jn().run();
            new an().run();
            new vj().run();
            new tm().run();
            new xk().run();
            new sl().run();
            new bn().run();
            new nj().run();
            new gn().run();
            new wk().run();
            new am().run();
            new hn().run();
            new ik().run();
            new mj().run();
            new zl().run();
            new sk().run();
            new mm().run();
            new om().run();
            new rm().run();
            new gk().run();
            new rn().run();
            new io().run();
            new tk().run();
            new en().run();
            new jo().run();
            new pn().run();
            new ym().run();
            new lj().run();
            new dj().run();
            new ql().run();
            new ck().run();
            new cm().run();
            new tn().run();
            new yl().run();
            new jj().run();
            new fk().run();
            new lm().run();
            new wl().run();
            new pl().run();
            new ak().run();
            new si().run();
            new ui().run();
            new mk().run();
        }
        catch(Exception v0) {
            v0.printStackTrace();
        }
    }
}

然后随便取一个

import java.util.ArrayList;

/**
 * One of the per-character worker classes run by MainActivity.a.
 * Decompiler output: fd, jr, b, fr, a, rq, mr, mp and ks are obfuscated
 * library helpers and are read here only by their call shape.
 */
public final class um extends Thread {
    @Override
    public void run() {
        ArrayList v0 = new ArrayList();
        // Request parameters: "bullet" -> "name" and "q" -> "value".  The
        // write-up reads the third argument ("q") as the one character this
        // class contributes to the flag.
        ArrayList v14 = fd.h("bullet", "name", "q", "value");
        b v13 = jr.k;
        // Percent-encoding of the two parameter names with the same reserved set.
        v0.add(b.a(v13, "bullet", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91));
        fr v0_1 = fd.j(v14, b.a(v13, "q", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91), v0, v14);
        // Certificate pinning for hgame.vidar.club: sha256/ SPKI pins, the
        // second one registered twice.  Presumably a server chain matching
        // none of them is rejected client-side, which is why a plain
        // intercepting proxy sees no traffic (see the note above).
        a v1 = new a();
        v1.a("hgame.vidar.club", new String[]{"sha256/ocfaPpOi8wBS01tMzoT6f+q+zF7ufbbxSe2wQUcpqXY="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        rq v1_1 = v1.b();
        // Install the pinner on the client builder.
        mr.a v2 = fd.c(v1_1, "certificatePinner");
        mp.a(v1_1, v2.q);
        v2.q = v1_1;
        // 0x8C9BL: per-class delay (the write-up sorts the characters by it).
        ((ks)fd.i("https://hgame.vidar.club", v0_1, 0x8C9BL, new mr(v2))).d();
    }
}

bullet传递了一个字符,下面的fd.i是等候时间,所以读取全部的然后按时间排序即可得到答案

from typing import *
import re
import os
# Class names in the order MainActivity.a runs them.
order = 'ol jm fn aj xl yn qm ao vn wm wj xn jk nl co um nn ll ul uj ln el vk hj cl ti cn kk tl go pm wi fm uk bl rk bo lk bj rl il ko yi pk gm dn km sm yk on al qk hl pj pi qi qj sj yj kl vi gj nk ej vl nm bm ri dl kn mn sn ok gl eo do xj zj fl dk fj im zk hm xm vm ij fo oj em kj zi zm rj ho ek dm un tj xi qn ml cj wn zn bk in jl hk jn an vj tm xk sl bn nj gn wk am hn ik mj zl sk mm om rm gk rn io tk en jo pn ym lj dj ql ck cm tn yl jj fk lm wl pl ak si ui mk'.split(' ')

# delay -> character.  NOTE: two classes with the same delay would
# overwrite each other here; the dump happened to have distinct delays.
dic = {}
src_dir = '/Users/zrzz/Downloads/com.ryen.gun'
for name in order:
    url = os.path.join(src_dir, name + '.java')
    with open(url, 'r') as f:
        content = f.read()
    # Only the classes that talk to the challenge host carry a character.
    if "hgame.vidar.club" not in content:
        continue
    # Third argument of fd.h(...) is the single character this class sends.
    a = re.search(r'fd\.h\(\"bullet\", \"name\", \"(.)\", \"value\"\);', content).groups()[0]
    # The long literal passed to fd.i(...) is the delay; it is written either
    # as hex (0x...) or as a plain decimal.
    time = re.search(r'v0_1, (.+?)L, new mr', content).groups()[0]
    time = int(time, 16) if '0x' in time else int(time)
    dic[time] = a
# Keys are unique, so sorting the (delay, char) pairs sorts by delay.
dic = sorted(dic.items())
flag = [ch for _, ch in dic]
print(''.join(flag))
# tsmyq{dQh3x_y3_nk_z4F1h3_0d_zi7I0dw}

得到的显然是凯撒加密,key=12解密得到答案hgame{rEv3l_m3_by_n4T1v3_0r_nw7W0rk}

helloRe3

根据input字符串找到函数,将0x1400c8c3e的call … pop rax进行nop,再转换成伪代码,发现18行就是加密函数。

image-20210222162640368

进到里面发现是rc4加密(%256,swap)

image-20210222162815676

啊。。找不到key

文章作者: X Mεl0n
文章链接: http://www.zrzz.site/posts/d53776fd/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 X Mεl0n | 随手记
