Reverse week1 pypy 其实就是dis模块加密后的阅读了,照着文档一步步连读带猜都不难。
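from typing import *


def decode_pypy(hex_flag: str) -> str:
    """Undo the pypy challenge's transform read out of the dis output.

    The stored constant is hex text; each decoded byte is XORed with its
    index and then every adjacent pair of bytes is swapped.

    Args:
        hex_flag: the hex string lifted from the bytecode constant.

    Returns:
        The recovered text, one ``chr`` per byte (bytes >= 0x80 map to
        Latin-1 code points, as in the original).

    Raises:
        ValueError: if ``hex_flag`` contains non-hex characters.  A trailing
        odd nibble is dropped, matching the original ``len // 2`` slicing.
    """
    # Original sliced two chars at a time and ignored a trailing odd nibble.
    res = bytes.fromhex(hex_flag[: len(hex_flag) // 2 * 2])
    raw = [byte ^ i for i, byte in enumerate(res)]
    # Swap positions (0,1), (2,3), ...; an unpaired last byte stays put.
    for i in range(0, len(raw) - 1, 2):
        raw[i], raw[i + 1] = raw[i + 1], raw[i]
    return "".join(map(chr, raw))


flag = '30466633346f59213b4139794520572b45514d61583151576638643a'
print(decode_pypy(flag))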
helloRe 首先长度为22,每次跟一个值异或,然后值减一,跟一个字节数组对比,简单题。
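def decode_hellore(cipher: list[int], start: int = 0xFF) -> str:
    """Recover helloRe's flag: byte ``i`` is ``cipher[i] ^ (start - i)``.

    The binary XORs each input byte with a counter that starts at 0xFF and
    decrements once per byte, then compares against a byte table; XOR is
    its own inverse, so applying the same sequence to the table gives the
    expected input.

    Args:
        cipher: the comparison table from the binary, as ints.
        start: counter value used for the first byte.

    Returns:
        The decoded string (empty when ``cipher`` is empty).

    Raises:
        ValueError: if a computed code point is negative (only possible when
        ``cipher`` is longer than ``start + 1`` bytes, as in the original).
    """
    return "".join(chr(c ^ (start - i)) for i, c in enumerate(cipher))


key = '97 99 9C 91 9E 81 91 9D 9B 9A 9A AB 81 97 AE 80 83 8F 94 89 99 97'
key = [int(x, 16) for x in key.split(' ')]
print(key)
# Length is taken from the table instead of the hard-coded 22.
flag = decode_hellore(key)
print(flag)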
a_pa_cha 通过find_crypt插件是tea加密,参考博客中逆向中的常用算法,有类似tea的轮函数,但是不完全相同,所以看看xtea和xxtea,分析后是xxtea算法
那没事了,直接解密即可。https://www.jianshu.com/p/4272e0805da3
#include <stdio.h>
#include <stdint.h>

#define DELTA 0x9e3779b9
/* XXTEA mixing step; reads y, z, sum, p, e and key from the enclosing scope. */
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

/*
 * Reference XXTEA ("Corrected Block TEA") - the algorithm find_crypt pointed
 * at for this challenge (the binary's round function matched XXTEA, not TEA
 * or XTEA).
 *   v:   block of |n| 32-bit words, transformed in place
 *   n:   > 1 encrypts n words, < -1 decrypts -n words, anything else is a no-op
 *   key: 128-bit key as four 32-bit words
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1)
    {
        /* Encrypt: 6 + 52/n rounds, forward sweep over the words. */
        rounds = 6 + 52 / n;
        sum = 0;
        z = v[n - 1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;   /* selects which key word MX uses this round */
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n - 1] += MX;
        }
        while (--rounds);
    }
    else if (n < -1)
    {
        /* Decrypt: same round count, words walked backwards, sum counts down
         * from its final encrypt value. */
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        while (--rounds);
    }
}

/*
 * Decrypts the 35 ciphertext words pulled from the binary under the key
 * {1,2,3,4} and prints each word as one character (%c keeps the low byte).
 */
int main()
{
    uint32_t v[35] = {
        0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674,
        0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD,
        0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2,
        0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D,
        0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F,
        0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA,
        0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9
    };
    uint32_t const k[4] = {1, 2, 3, 4};
    int n = 35;

    /* A negative word count selects btea's decrypt branch. */
    btea(v, -n, k);
    for (int i = 0; i < 35; i++)
        printf("%c", v[i]);
    return 0;
}
week2 ezApk 这道题是java层的加密,将输入的字符串进行加密,
加密函数的关键步骤为aes的cbc,key为’A_HIDDEN_KEY’的sha-256,iv为’A_HIDDEN_KEY’的md5,嘛。。基础题
在对其进行aes加密后使用base64编码
emm,然而只限制前16长度也行不通,好叭,下个IDEA跑一跑。
需要安装证书,见https://blog.csdn.net/dafeige8/article/details/76019911
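import org.bouncycastle.jce.provider.BouncyCastleProvider;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Base64;

/**
 * Inverts the APK's encryption so the stored ciphertext can be read:
 * AES/CBC with key = SHA-256("A_HIDDEN_KEY") and IV = MD5("A_HIDDEN_KEY"),
 * output Base64-encoded.
 *
 * <p>Both key and IV are derived from a string constant shipped inside the
 * app, so anyone holding the APK can recover them (which is exactly what this
 * class does).  A fixed IV also makes CBC deterministic: equal plaintexts
 * produce equal ciphertexts.
 */
public class decode {
    private static boolean initialized = false;

    public static void main(String[] args) {
        System.out.println(Aes256Decode("EEB23sI1Wd9Gvhvk1sgWyQZhjilnYwCi5au1guzOaIg5dMAj9qPA7lnIyVoPSdRY".getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Decrypts a Base64-encoded ciphertext produced by the app.
     *
     * @param bytes the Base64 text as bytes
     * @return the UTF-8 plaintext, or {@code null} when cipher setup or
     *         decryption fails (the stack trace is printed, as before)
     * @throws IllegalArgumentException if {@code bytes} is not valid Base64
     */
    public static String Aes256Decode(byte[] bytes) {
        initialize();
        String key_str = "A_HIDDEN_KEY";
        byte[] key = encrypt_with("SHA-256", key_str);   // 32 bytes -> AES-256 key
        byte[] iv = encrypt_with("MD5", key_str);        // 16 bytes -> one CBC block
        byte[] encrypt_bytes = Base64.getDecoder().decode(bytes);
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            byte[] decoded = cipher.doFinal(encrypt_bytes);
            // The Charset overload has no checked UnsupportedEncodingException,
            // unlike the "UTF-8" string form used before.
            return new String(decoded, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // Missing provider/algorithm, bad key or IV length, or a padding
            // failure (wrong key): keep the original null-on-failure contract.
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Despite its name this is a one-way hash, not an encryption: it returns
     * the digest of {@code arg3} (UTF-8) under the algorithm {@code arg2}.
     *
     * @param arg2 JCA digest name, e.g. "SHA-256" or "MD5"
     * @param arg3 text to hash
     * @return the digest bytes, or an empty array if the algorithm is unknown
     */
    public static byte[] encrypt_with(String arg2, String arg3) {
        try {
            MessageDigest v2 = MessageDigest.getInstance(arg2);
            return v2.digest(arg3.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            return new byte[0];
        }
    }

    /** Registers BouncyCastle once; the "BC" provider is requested above. */
    public static void initialize() {
        if (initialized) return;
        Security.addProvider(new BouncyCastleProvider());
        initialized = true;
    }
}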
helloRe2 这题好像是多线程和共享内存,实际上不难,在字符串表可以看见bcrypt,是一种加密算法,首先看看password1
将input读入后,先看长度是16,然后与4030F0做字节对比,4030F0是39383162303261336136653563306232,但是转成字节字符串后没法输入,先不管,(然而是我没转十六进制的问题),往下看新建了线程和获取共享内存啥的,还有反调。
主要是这这里,对每一个字节异或了一下,也许之后password2会对共享内存里的这个数据进行读取,(线程间通信),那么回到头看看password2的验证,
eax获取到了刚刚共享内存里的数据,放到了pbSecret里面,然后利用pbSecret生成key,iv是知道的,密文也是知道的,只要知道明文即可获取flag,所以唯一的疑惑只剩下key是多少,通过api的介绍,只是说明了可为给定的key创建一个密钥句柄,不妨认为这个key就是我们的pbSecret,那么试着写写程序
iv来自
有两个encrypt函数,第一个作用如下,不用管也行。
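from Crypto.Cipher import AES


def toStr(a):
    """Decode a hex string to text, one ``chr`` per byte (i.e. Latin-1).

    A trailing odd nibble is ignored, matching the original pairwise slicing.
    """
    return bytes.fromhex(a[: len(a) // 2 * 2]).decode('latin-1')


def derive_key(passwd1):
    """Rebuild the 16-byte key password1's thread leaves in shared memory.

    Mirrors the per-byte loop seen in the binary: byte 0 is kept, byte i
    (1..15) is XORed with its index.  Only the first 16 characters are used.
    """
    mixed = passwd1[0] + ''.join(
        chr(ord(c) ^ i) for i, c in enumerate(passwd1[1:16], start=1)
    )
    return mixed.encode('utf8')


# The 16 bytes compared at 4030F0, which the binary holds back-to-front.
a = '39383162303261336136653563306232'
passwd1 = toStr(a)[::-1]
print(passwd1)
key = derive_key(passwd1)
print(key)
# IV is 0x00..0x0F (see the iv source noted above).
iv = bytes(range(16))
# Ciphertext, likewise stored with reversed byte order.
secret_text = '7EF602D5625F4E3F65797607D9FEFEB7'
pairs = [secret_text[i:i + 2] for i in range(0, len(secret_text) - 1, 2)]
secret_text = ''.join(reversed(pairs))
print(secret_text)
secret_text = bytes.fromhex(secret_text)
# NOTE(review): using pbSecret directly as the AES key is the writeup's
# assumption about the key-handle API; confirm against the binary if the
# output looks wrong.
aes = AES.new(key=key, iv=iv, mode=AES.MODE_CBC)
print(toStr(aes.decrypt(secret_text).hex()))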
fake_debugger beta 挺简单的题不知道当时为啥没做出来。。。
输入一段长度之后可以进入调试过程,对每位字符进行检验,第一步eax为当前位和ebx异或后的字母,ebx为参数,将a(97)和23异或之后为118,第二步即zf为1的时候,将eax与ebx比对,如果正确就进入下一步,所以第一步为127^23 = 104,即h
,所以前面应当是hgame{
,之后的进行爆破即可
from pwn import *
import re

# Recovers the flag one position at a time from the challenge's fake
# debugger (see the analysis above): for every character the service prints
# ebx twice, and the XOR of the two values is the byte the check expects at
# that position.  Start from the known prefix and reconnect after each fix.
flag = 'hgame{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
while True:
    print(flag)
    p = remote('101.132.177.131', 9999)
    p.recvuntil('now!\n')
    p.sendline(flag)
    p.recvuntil('-----\n')
    i = 0
    # NOTE(review): `flag[i]` is evaluated first, so the `i == len(flag)`
    # clause can never be reached without an IndexError - it is dead.  The
    # loop relies on '}' being written into `flag` before the end is hit.
    while flag[i] != '}' or i == len(flag):
        print(flag[i])
        # Two single-steps per character; each dump is terminated by '-----'.
        p.sendline(' ')
        l = p.recvuntil('-----\n').decode('utf8')
        m1 = re.search(r'ebx: (.+?)\n', l).groups()[0]
        p.sendline(' ')
        l = p.recvuntil('-----\n').decode('utf8')
        m2 = re.search(r'ebx: (.+?)\n', l).groups()[0]
        if int(m1) ^ int(m2) == ord(flag[i]):
            # Current guess is right: move on to the next position.
            i += 1
        else:
            # Patch the wrong byte; the outer loop reconnects and resubmits.
            flag = list(flag)
            flag[i] = chr(int(m1) ^ int(m2))
            flag = ''.join(flag)
            break
    p.close()
    if flag[i] == '}':
        print(flag)
        break
week3 FAKE 一看就是z3题,首先将输入从rbp-40h放到了rbp-D0h,让每位有4字节的宽度
不得不吐槽一下7.0和7.5的反编译,天上和地下了


解方程解出来后是FAKE_flag,仔细看函数发现这个函数存在一个异或过程,将比较代码即sub_401216替换了,但是在调试状态不会进入这个函数,所以把调试过程hook掉
然后看到401216的代码不太好看,于是用idc脚本patch掉再重新打开静态分析,保存为.idc文件然后运行即可。
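// IDC script: un-XOR the self-modified body of sub_401216 in place so it can
// be read statically.  Per the analysis above the binary XORs the function
// bytes with a table at 0x409080 at runtime (outside the debugger); this
// applies the same transform with PatchByte.  Afterwards use
// Edit -> Patch program -> Apply patches to input file.
static main()
{
    auto b_arr_addr;
    auto addr;
    auto patch_len;
    auto i;
    auto x;

    b_arr_addr = 0x409080;   // XOR key table
    addr = 0x401216;         // start of the patched function body
    // The loop bound was lost when the page was extracted; set it to the
    // number of bytes the binary's own XOR loop covers.
    patch_len = PATCH_LEN_PLACEHOLDER;

    for (i = 0; i < patch_len; i++)
    {
        x = Byte(addr + i) ^ Byte(b_arr_addr + i);
        PatchByte(addr + i, x);
    }
}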
在file->script file中运行后,在edit->patch program->apply patchs to input file
重新打开后发现加密函数变成
/*
 * Decompiled flag check, after un-XORing the function body as above.
 * `input` points at the 36 input characters, each widened to a 32-bit int
 * (the rbp-40h -> rbp-D0h copy described earlier).  The routine reads the
 * input as a 6x6 matrix X and checks X * V2 == V3, where V2 is a constant
 * matrix and V3 the expected product.  Returns 1 on match, 0 otherwise.
 * (The page rendered the return type as `_int64`; IDA emits `__int64`.)
 */
_int64 __fastcall sub_401216(__int64 input)
{
    int v2[36];           /* constant matrix V2, row-major */
    int v3[36];           /* expected product V3, row-major */
    int v4[38];           /* accumulator for X * V2; only 36 entries are used */
    int m;
    int l;
    int k;
    int j;
    int i;
    unsigned int v10;     /* result: cleared on any mismatch */

    memset(v4, 0, 0x90uLL);   /* 0x90 = 36 * sizeof(int) */
    v3[0] = 55030;  v3[1] = 61095;  v3[2] = 60151;  v3[3] = 57247;  v3[4] = 56780;  v3[5] = 55726;
    v3[6] = 46642;  v3[7] = 52931;  v3[8] = 53580;  v3[9] = 50437;  v3[10] = 50062; v3[11] = 44186;
    v3[12] = 44909; v3[13] = 46490; v3[14] = 46024; v3[15] = 44347; v3[16] = 43850; v3[17] = 44368;
    v3[18] = 54990; v3[19] = 61884; v3[20] = 61202; v3[21] = 58139; v3[22] = 57730; v3[23] = 54964;
    v3[24] = 48849; v3[25] = 51026; v3[26] = 49629; v3[27] = 48219; v3[28] = 47904; v3[29] = 50823;
    v3[30] = 46596; v3[31] = 50517; v3[32] = 48421; v3[33] = 46143; v3[34] = 46102; v3[35] = 46744;
    /* V2 is the ASCII of "hgame{@_FAKE_flag!-do_Y0u_know_SMC?}", row by row. */
    v2[0] = 104;  v2[1] = 103;  v2[2] = 97;   v2[3] = 109;  v2[4] = 101;  v2[5] = 123;
    v2[6] = 64;   v2[7] = 95;   v2[8] = 70;   v2[9] = 65;   v2[10] = 75;  v2[11] = 69;
    v2[12] = 95;  v2[13] = 102; v2[14] = 108; v2[15] = 97;  v2[16] = 103; v2[17] = 33;
    v2[18] = 45;  v2[19] = 100; v2[20] = 111; v2[21] = 95;  v2[22] = 89;  v2[23] = 48;
    v2[24] = 117; v2[25] = 95;  v2[26] = 107; v2[27] = 111; v2[28] = 110; v2[29] = 119;
    v2[30] = 95;  v2[31] = 83;  v2[32] = 77;  v2[33] = 67;  v2[34] = 63;  v2[35] = 125;
    v10 = 1;
    /* v4[i][j] = sum over k of X[i][k] * V2[k][j], i.e. (X * V2) with X = input. */
    for ( i = 0; i <= 5; ++i )
    {
        for ( j = 0; j <= 5; ++j )
        {
            for ( k = 0; k <= 5; ++k )
                v4[6 * i + j] += v2[6 * k + j] * *(_DWORD *)(4LL * (6 * i + k) + input);
        }
    }
    /* Compare every cell against V3; a single mismatch fails the check. */
    for ( l = 0; l <= 5; ++l )
    {
        for ( m = 0; m <= 5; ++m )
        {
            if ( v4[6 * l + m] != v3[6 * l + m] )
                v10 = 0;
        }
    }
    return v10;
}
整理后发现,就是一个矩阵乘法
所以flag * v2 = v3,flag就是 v3 * v2.I
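try:
    from z3 import *  # unused by this script; kept from the original
except ImportError:
    pass
import math

import numpy as np


def recover_flag(v2, v3):
    """Solve ``X @ V2 == V3`` for X and return X's entries as characters.

    This inverts sub_401216: the check multiplies the input (as a k x k
    matrix) by the constant matrix V2 and compares against V3.

    Args:
        v2: the constant matrix, flat row-major list of k*k numbers.
        v3: the expected product, flat row-major list of k*k numbers.

    Returns:
        The k*k recovered values, rounded to the nearest int and joined as
        ``chr`` codes in row-major order ("" for empty input).

    Raises:
        ValueError: if the lengths differ or are not a perfect square.
        numpy.linalg.LinAlgError: if V2 is singular.
    """
    n = len(v2)
    if len(v3) != n:
        raise ValueError("v2 and v3 must have the same length")
    k = math.isqrt(n)
    if k * k != n:
        raise ValueError("length must be a perfect square (k*k matrix)")
    if n == 0:
        return ""
    a = np.asarray(v2, dtype=float).reshape(k, k)
    b = np.asarray(v3, dtype=float).reshape(k, k)
    # X = V3 @ inv(V2).  Solving the transposed system V2^T X^T = V3^T avoids
    # forming the inverse explicitly and is better conditioned.
    x = np.linalg.solve(a.T, b.T).T
    # Float elimination leaves values like 103.9999997; round, never truncate.
    return "".join(chr(int(round(val))) for val in x.ravel())


v2 = [
    104, 103, 97, 109, 101, 123,
    64, 95, 70, 65, 75, 69,
    95, 102, 108, 97, 103, 33,
    45, 100, 111, 95, 89, 48,
    117, 95, 107, 111, 110, 119,
    95, 83, 77, 67, 63, 125,
]
v3 = [
    55030, 61095, 60151, 57247, 56780, 55726,
    46642, 52931, 53580, 50437, 50062, 44186,
    44909, 46490, 46024, 44347, 43850, 44368,
    54990, 61884, 61202, 58139, 57730, 54964,
    48849, 51026, 49629, 48219, 47904, 50823,
    46596, 50517, 48421, 46143, 46102, 46744,
]
flag = recover_flag(v2, v3)
print(flag)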
就是得注意不能用int而要用round
或者使用高斯消元
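datanum = [[0] * 37 for _ in range(36)]


def gauss(a):
    """Reduce the augmented matrix ``a`` to reduced row-echelon form in place
    (Gauss-Jordan elimination).

    Args:
        a: list of n rows, each a list of n+1 numbers (coefficients followed
           by the right-hand side).  Modified in place.

    Returns:
        The same list object.  When the system has a unique solution, column
        n of row i holds x_i.

    Raises:
        ValueError: if no non-zero pivot exists for some column (singular
        system).  The original raised ZeroDivisionError at that point.
    """
    n = len(a)
    for col in range(n):
        # Same pivot choice as before: the first row at/below the diagonal
        # with a non-zero entry in this column (no magnitude-based pivoting).
        pivot_row = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot_row is None:
            raise ValueError(f"singular system: no pivot for column {col}")
        if pivot_row != col:
            a[col], a[pivot_row] = a[pivot_row], a[col]
        pivot = a[col][col]
        width = len(a[col])
        for j in range(col, width):
            a[col][j] = a[col][j] / pivot
        for r in range(n):
            if r == col:
                continue
            # Cache the multiplier so the column order of the update no
            # longer matters (the original walked right-to-left for this).
            factor = a[r][col]
            for k in range(col, width):
                a[r][k] = a[r][k] - factor * a[col][k]
    return a


v2 = [
    104, 103, 97, 109, 101, 123,
    64, 95, 70, 65, 75, 69,
    95, 102, 108, 97, 103, 33,
    45, 100, 111, 95, 89, 48,
    117, 95, 107, 111, 110, 119,
    95, 83, 77, 67, 63, 125,
]
v3 = [
    55030, 61095, 60151, 57247, 56780, 55726,
    46642, 52931, 53580, 50437, 50062, 44186,
    44909, 46490, 46024, 44347, 43850, 44368,
    54990, 61884, 61202, 58139, 57730, 54964,
    48849, 51026, 49629, 48219, 47904, 50823,
    46596, 50517, 48421, 46143, 46102, 46744,
]
# Equation 6*i+j reads sum_k X[i][k] * V2[k][j] = V3[i][j]; unknown X[i][k]
# lives in column 6*i+k and column 36 holds the right-hand side.
for i in range(6):
    for j in range(6):
        for k in range(6):
            datanum[6 * i + j][6 * i + k] = v2[6 * k + j]
for l in range(6):
    for m in range(6):
        datanum[6 * l + m][36] = v3[6 * l + m]
res = gauss(datanum)
# round(), not int(): elimination leaves values a hair off the integer.
print(''.join(chr(round(row[36])) for row in res), end='')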
gun 这道题使用了梆梆壳加密,用fridadexdump解出来,发现是使用okhttp进行了特定证书的加密传输,所以charles无法解密,找了些资料,发现可以用frida绕过pinning
https://xz.aliyun.com/t/6102
https://portswigger.net/support/configuring-an-android-device-to-work-with-burp
嗯,跑是跑起来了,但是没看到数据传输。。。准备看wp吧。
自闭。其中mainactivity开了个线程跑这个。
package com.ryen.gun;

// Decompiler output with obfuscated class names.  `do` and `in` are Java
// keywords, so this listing does not compile as source; it documents behaviour.
import aj; import ak; import al; import am; import an; import ao;
import bj; import bk; import bl; import bm; import bn; import bo;
import cj; import ck; import cl; import cm; import cn; import co;
import dj; import dk; import dl; import dm; import dn; import do;
import ej; import ek; import el; import em; import en; import eo;
import fj; import fk; import fl; import fm; import fn; import fo;
import gj; import gk; import gl; import gm; import gn; import go;
import hj; import hk; import hl; import hm; import hn; import ho;
import ij; import ik; import il; import im; import in; import io;
import jj; import jk; import jl; import jm; import jn; import jo;
import kj; import kk; import kl; import km; import kn; import ko;
import lj; import lk; import ll; import lm; import ln;
import mj; import mk; import ml; import mm; import mn;
import nj; import nk; import nl; import nm; import nn;
import oj; import ok; import ol; import om; import on;
import pi; import pj; import pk; import pl; import pm; import pn;
import qi; import qj; import qk; import ql; import qm; import qn;
import ri; import rj; import rk; import rl; import rm; import rn;
import si; import sj; import sk; import sl; import sm; import sn;
import ti; import tj; import tk; import tl; import tm; import tn;
import ui; import uj; import uk; import ul; import um; import un;
import vi; import vj; import vk; import vl; import vm; import vn;
import wi; import wj; import wk; import wl; import wm; import wn;
import xi; import xj; import xk; import xl; import xm; import xn;
import yi; import yj; import yk; import yl; import ym; import yn;
import zi; import zj; import zk; import zl; import zm; import zn;

/**
 * Runnable that MainActivity starts on a background thread.  It runs the 152
 * generated worker classes one after another in the fixed order below.  Each
 * worker is a Thread subclass whose run() submits one "bullet" character to
 * hgame.vidar.club (see `um` below for one of them), so this sequence is the
 * order in which the characters are sent.
 */
public final class MainActivity.a implements Runnable {
    public static final MainActivity.a a;

    public static {
        MainActivity.a.a = new MainActivity.a();
    }

    @Override
    public final void run() {
        try {
            // run() is invoked directly on each Thread object (not start()),
            // so the workers execute sequentially on this thread, in order.
            new ol().run(); new jm().run(); new fn().run(); new aj().run(); new xl().run();
            new yn().run(); new qm().run(); new ao().run(); new vn().run(); new wm().run();
            new wj().run(); new xn().run(); new jk().run(); new nl().run(); new co().run();
            new um().run(); new nn().run(); new ll().run(); new ul().run(); new uj().run();
            new ln().run(); new el().run(); new vk().run(); new hj().run(); new cl().run();
            new ti().run(); new cn().run(); new kk().run(); new tl().run(); new go().run();
            new pm().run(); new wi().run(); new fm().run(); new uk().run(); new bl().run();
            new rk().run(); new bo().run(); new lk().run(); new bj().run(); new rl().run();
            new il().run(); new ko().run(); new yi().run(); new pk().run(); new gm().run();
            new dn().run(); new km().run(); new sm().run(); new yk().run(); new on().run();
            new al().run(); new qk().run(); new hl().run(); new pj().run(); new pi().run();
            new qi().run(); new qj().run(); new sj().run(); new yj().run(); new kl().run();
            new vi().run(); new gj().run(); new nk().run(); new ej().run(); new vl().run();
            new nm().run(); new bm().run(); new ri().run(); new dl().run(); new kn().run();
            new mn().run(); new sn().run(); new ok().run(); new gl().run(); new eo().run();
            new do().run(); new xj().run(); new zj().run(); new fl().run(); new dk().run();
            new fj().run(); new im().run(); new zk().run(); new hm().run(); new xm().run();
            new vm().run(); new ij().run(); new fo().run(); new oj().run(); new em().run();
            new kj().run(); new zi().run(); new zm().run(); new rj().run(); new ho().run();
            new ek().run(); new dm().run(); new un().run(); new tj().run(); new xi().run();
            new qn().run(); new ml().run(); new cj().run(); new wn().run(); new zn().run();
            new bk().run(); new in().run(); new jl().run(); new hk().run(); new jn().run();
            new an().run(); new vj().run(); new tm().run(); new xk().run(); new sl().run();
            new bn().run(); new nj().run(); new gn().run(); new wk().run(); new am().run();
            new hn().run(); new ik().run(); new mj().run(); new zl().run(); new sk().run();
            new mm().run(); new om().run(); new rm().run(); new gk().run(); new rn().run();
            new io().run(); new tk().run(); new en().run(); new jo().run(); new pn().run();
            new ym().run(); new lj().run(); new dj().run(); new ql().run(); new ck().run();
            new cm().run(); new tn().run(); new yl().run(); new jj().run(); new fk().run();
            new lm().run(); new wl().run(); new pl().run(); new ak().run(); new si().run();
            new ui().run(); new mk().run();
        } catch (Exception v0) {
            // Any worker failure aborts the remaining sequence.
            v0.printStackTrace();
        }
    }
}
然后随便取一个
import java.util.ArrayList;

/**
 * One of the generated worker threads run in sequence by MainActivity.a.
 * It builds a request to https://hgame.vidar.club carrying a single "bullet"
 * character ("q" for this class), with an OkHttp-style certificate pinner
 * configured, and passes a per-thread numeric argument (0x8C9B here).
 * Helper names (fd, b, jr, a, rq, mr, mp, ks) are obfuscated library code.
 */
public final class um extends Thread {
    @Override
    public void run() {
        ArrayList v0 = new ArrayList();
        // Form field name/value pair: bullet = "q".
        ArrayList v14 = fd.h("bullet", "name", "q", "value");
        b v13 = jr.k;
        v0.add(b.a(v13, "bullet", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91));
        fr v0_1 = fd.j(v14, b.a(v13, "q", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91), v0, v14);
        // Certificate pinning: SPKI SHA-256 pins for hgame.vidar.club.  The
        // second and third pins are identical, so only two distinct pins are
        // in effect; a handshake whose chain matches neither is rejected.
        a v1 = new a();
        v1.a("hgame.vidar.club", new String[]{"sha256/ocfaPpOi8wBS01tMzoT6f+q+zF7ufbbxSe2wQUcpqXY="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        rq v1_1 = v1.b();
        mr.a v2 = fd.c(v1_1, "certificatePinner");
        mp.a(v1_1, v2.q);
        v2.q = v1_1;
        // 0x8C9BL differs per worker class.  Per the writeup it is a wait
        // time, which is what orders the characters; the exact semantics of
        // fd.i's third argument are not visible here - confirm in fd.i.
        ((ks)fd.i("https://hgame.vidar.club", v0_1, 0x8C9BL, new mr(v2))).d();
    }
}
bullet传递了一个字符,下面的fd.i是等候时间,所以读取全部的然后按时间排序即可得到答案
from typing import *import reimport osorder = 'ol jm fn aj xl yn qm ao vn wm wj xn jk nl co um nn ll ul uj ln el vk hj cl ti cn kk tl go pm wi fm uk bl rk bo lk bj rl il ko yi pk gm dn km sm yk on al qk hl pj pi qi qj sj yj kl vi gj nk ej vl nm bm ri dl kn mn sn ok gl eo do xj zj fl dk fj im zk hm xm vm ij fo oj em kj zi zm rj ho ek dm un tj xi qn ml cj wn zn bk in jl hk jn an vj tm xk sl bn nj gn wk am hn ik mj zl sk mm om rm gk rn io tk en jo pn ym lj dj ql ck cm tn yl jj fk lm wl pl ak si ui mk' .split(' ' ) dic = {} for i in order:trueurl = os.path.join('/Users/zrzz/Downloads/com.ryen.gun' , i + '.java' ) truewith open(url, 'r' ) as f: truetruecontent = f.read() truetrueif "hgame.vidar.club" in content: truetruetruea = re.search(r'fd\.h\(\"bullet\", \"name\", \"(.)\", \"value\"\);' , content).groups()[0 ] truetruetruetime = re.search(r'v0_1, (.+?)L, new mr' , content).groups()[0 ] truetruetrueif '0x' in time: truetruetruetruetime = int(time, 16 ) truetruetrueelse : truetruetruetruetime = int(time) truetruetruedic[time] = a dic = sorted(dic.items(), key=lambda x: x[0 ]) flag = list(map(lambda x:x[1 ], dic)) print('' .join(flag))
得到的显然是凯撒加密,key=12解密得到答案hgame{rEv3l_m3_by_n4T1v3_0r_nw7W0rk}
helloRe3 根据input字符串找到函数,将0x1400c8c3e的call … pop rax进行nop,再转换成伪代码,发现18行就是加密函数。
进到里面发现是rc4加密(%256,swap)
啊。。找不到key