CTF-HGame-2021

Reverse

week1

pypy

其实就是dis模块加密后的阅读了，照着文档一步步连读带猜都不难。

from typing import *
flag = '30466633346f59213b4139794520572b45514d61583151576638643a'
res = bytes([int(flag[i*2:i*2+2], 16) for i in range(len(flag) // 2)])
length = len(res)
raw = []
for i in range(length):
	raw.append(res[i] ^ i)
for i in range(length // 2):
	raw[i*2], raw[i*2+1] = raw[i*2+1], raw[i*2]
print(''.join(list(map(lambda i : chr(i),raw))))

helloRe

首先长度为22，每次跟一个值异或，然后值减一，跟一个字节数组对比，简单题。

key = '97 99 9C 91 9E 81 91 9D 9B 9A 9A AB 81 97 AE 80 83 8F 94 89 99 97'
key = list(map(lambda x : int(x, 16), key.split(' ')))
print(key)
flag = ''
i = 0
d = 0xff
while i < 22:
	
	flag += chr(key[i] ^ d)
	i += 1
	d -= 1
print(flag)

a_pa_cha

通过find_crypt插件是tea加密，参考博客中逆向中的常用算法，有类似tea的轮函数，但是不完全相同，所以看看xtea和xxtea，分析后是xxtea算法

那没事了，直接解密即可。https://www.jianshu.com/p/4272e0805da3

#include <stdio.h>  
#include <stdint.h>  
#define DELTA 0x9e3779b9  
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))  

void btea(uint32_t *v, int n, uint32_t const key[4])  
{  
	uint32_t y, z, sum;  
	unsigned p, rounds, e;  
	if (n > 1)            /* Coding Part */  
	{  
		rounds = 6 + 52/n;  
		sum = 0;  
		z = v[n-1];  
		do  
		{  
			sum += DELTA;  
			e = (sum >> 2) & 3;  
			for (p=0; p<n-1; p++)  
			{  
				y = v[p+1];  
				z = v[p] += MX;  
			}  
			y = v[0];  
			z = v[n-1] += MX;  
		}  
		while (--rounds);  
	}  
	else if (n < -1)      /* Decoding Part */  
	{  
		n = -n;  
		rounds = 6 + 52/n;  
		sum = rounds*DELTA;  
		y = v[0];  
		do  
		{  
			e = (sum >> 2) & 3;  
			for (p=n-1; p>0; p--)  
			{  
				z = v[p-1];  
				y = v[p] -= MX;  
			}  
			z = v[n-1];  
			y = v[0] -= MX;  
			sum -= DELTA;  
		}  
		while (--rounds);  
	}  
}  

int main()  
{  
	uint32_t v[35]= {0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674, 0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD, 0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2, 0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D, 0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F, 0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA, 0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9};  
	uint32_t const k[4]= {1,2,3,4};  
	int n= 35; //n的绝对值表示v的长度，取正表示加密，取负表示解密  
	// v为要加密的数据是两个32位无符号整数  
	// k为加密解密密钥，为4个32位无符号整数，即密钥长度为128位  
//	printf("加密前原始数据：%u %u\n",v[0],v[1]);  
//	btea(v, n, k);  
//	printf("加密后的数据：%u %u\n",v[0],v[1]);  
	btea(v, -n, k);  
//	printf("解密后的数据：%u %u\n",v[0],v[1]);  
	for (int i = 0; i < 35; i++)
		printf("%c", v[i]);
	return 0;  
}  

week2

ezApk

这道题是java层的加密，将输入的字符串进行加密，

加密函数的关键步骤为aes的cbc，key为’A_HIDDEN_KEY’的sha-256，iv为’A_HIDDEN_KEY’的md5，嘛。。基础题

在对其进行aes加密后使用base64编码

emm，然而只限制前16长度也行不通，好叭，下个IDEA跑一跑。

需要安装证书，见https://blog.csdn.net/dafeige8/article/details/76019911

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Security;
import java.util.Base64;
//import

public class decode {
    private static boolean initialized = false;
    public static void main(String[] args) {
        System.out.println(Aes256Decode("EEB23sI1Wd9Gvhvk1sgWyQZhjilnYwCi5au1guzOaIg5dMAj9qPA7lnIyVoPSdRY".getBytes(StandardCharsets.UTF_8)));
    }

    public static String Aes256Decode(byte[] bytes){
        initialize();
        String result = null;
        String key_str = "A_HIDDEN_KEY";
        byte[] key = encrypt_with("SHA-256", key_str);
        byte[] iv = encrypt_with("MD5", key_str);
        byte[] encrypt_bytes = Base64.getDecoder().decode(bytes);
        try{
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");  //算法即AES/ECB/PKCS7Padding
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); //生成加密解密需要的Key
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] decoded = cipher.doFinal(encrypt_bytes);
            result = new String(decoded, "UTF-8");
        }catch(Exception e){
            e.printStackTrace();
        }
        return result;
    }

    public static byte[] encrypt_with(String arg2, String arg3) {
        try {
            MessageDigest v2 = MessageDigest.getInstance(arg2);
            byte[] v2_1 = v2.digest(arg3.getBytes(StandardCharsets.UTF_8));
            return v2_1;
        } catch (Exception e) {
            return "".getBytes(StandardCharsets.UTF_8);
        }
    }

    public static void initialize(){

        if (initialized) return;
        Security.addProvider(new BouncyCastleProvider());
        initialized = true;
    }
}

helloRe2

这题好像是多线程和共享内存，实际上不难，在字符串表可以看见bcrypt，是一种加密算法，首先看看password1

将input读入后，先看长度是16，然后与4030F0做字节对比，4030F0是39383162303261336136653563306232，但是转成字节字符串后没法输入，先不管，(然而是我没转十六进制的问题)，往下看新建了线程和获取共享内存啥的，还有反调。

主要是这这里，对每一个字节异或了一下，也许之后password2会对共享内存里的这个数据进行读取，（线程间通信），那么回到头看看password2的验证，

eax获取到了刚刚共享内存里的数据，放到了pbSecret里面，然后利用pbSecret生成key，iv是知道的，密文也是知道的，只要知道明文即可获取flag，所以唯一的疑惑只剩下key是多少，通过api的介绍，只是说明了可为给定的key创建一个密钥句柄，不妨认为这个key就是我们的pbSecret，那么试着写写程序

iv来自

有两个encrypt函数，第一个作用如下，不用管也行。

from Crypto.Cipher import AES

a = '39383162303261336136653563306232'
b = [chr(int(a[i*2:i*2+2], 16)) for i in range(len(a) // 2)]
# 大小端
print(''.join(reversed(b)))
# passwd1
passwd1 = ''.join(reversed(b))

key = passwd1[0]
for i in range(1,16):
	key += chr(ord(passwd1[i]) ^ i)
key = key.encode('utf8')
print(key)
iv = bytes([x for x in range(16)])

secret_text = '7EF602D5625F4E3F65797607D9FEFEB7'
secret_text = ''.join(reversed([secret_text[i*2:i*2+2] for i in range(len(secret_text) // 2)]))
print(secret_text)
secret_text = bytes.fromhex(secret_text)
aes = AES.new(key=key, iv=iv, mode=AES.MODE_CBC)
#print(aes.decrypt(secret_text).hex())

def toStr(a):
	b = [chr(int(a[i*2:i*2+2], 16)) for i in range(len(a) // 2)]
	return ''.join(b)
	
print(toStr(aes.decrypt(secret_text).hex()))

fake_debugger beta

挺简单的题不知道当时为啥没做出来。。。

输入一段长度之后可以进入调试过程，对每位字符进行检验，第一步eax为当前位和ebx异或后的字母，ebx为参数，将a(97)和23异或之后为118，第二步即zf为1的时候，将eax与ebx比对，如果正确就进入下一步，所以第一步为127^23 = 104，即h，所以前面应当是hgame{，之后的进行爆破即可

from pwn import *
import re

flag = 'hgame{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
while True:
	print(flag)
	p = remote('101.132.177.131', 9999)
	p.recvuntil('now!\n')
	p.sendline(flag)
	p.recvuntil('-----\n')
	i = 0
	while flag[i] != '}' or i == len(flag):
		print(flag[i])
		p.sendline(' ')
		l = p.recvuntil('-----\n').decode('utf8')
		m1 = re.search(r'ebx: (.+?)\n', l).groups()[0]
		p.sendline(' ')
		l = p.recvuntil('-----\n').decode('utf8')
		m2 = re.search(r'ebx: (.+?)\n', l).groups()[0]
		if int(m1) ^ int(m2) == ord(flag[i]):
			i += 1
		else:
			flag = list(flag)
			flag[i] = chr(int(m1) ^ int (m2))
			flag = ''.join(flag)
			break
	p.close()
	if flag[i] == '}':
		print(flag)
		break
    
# hgame{You_Kn0w_debuGg3r}aaaaaaaaaaaaaaaaaaaaaaaaaaa

week3

FAKE

一看就是z3题，首先将输入从rbp-40h放到了rbp-D0h，让每位有4字节的宽度

不得不吐槽一下7.0和7.5的反编译，天上和地下了

解方程解出来后是FAKE_flag，仔细看函数发现这个函数存在一个异或过程，将比较代码即sub_401216替换了，但是在调试状态不会进入这个函数，所以把调试过程hook掉

然后看到401216的代码不太好看，于是用idc脚本patch掉再重新打开静态分析，保存为.idc文件然后运行即可。

#include <idc.idc>

static main() {
	auto b_arr_addr = 0x409080;
	auto addr = 0x401216;
	auto i = 0;
	for (i = 0;i <= 0x43e;i++) {
		auto x = Byte(addr + i) ^ Byte(b_arr_addr+i);
		PatchByte(addr + i, x);
	}
}

在file->script file中运行后，在edit->patch program->apply patchs to input file

重新打开后发现加密函数变成

_int64 __fastcall sub_401216(__int64 input)
{
  int v2[36]; // [rsp+8h] [rbp-1D0h]
  int v3[36]; // [rsp+98h] [rbp-140h]
  int v4[38]; // [rsp+128h] [rbp-B0h] BYREF
  int m; // [rsp+1C0h] [rbp-18h]
  int l; // [rsp+1C4h] [rbp-14h]
  int k; // [rsp+1C8h] [rbp-10h]
  int j; // [rsp+1CCh] [rbp-Ch]
  int i; // [rsp+1D0h] [rbp-8h]
  unsigned int v10; // [rsp+1D4h] [rbp-4h]

  memset(v4, 0, 0x90uLL);
  v3[0] = 55030;
  v3[1] = 61095;
  v3[2] = 60151;
  v3[3] = 57247;
  v3[4] = 56780;
  v3[5] = 55726;
  v3[6] = 46642;
  v3[7] = 52931;
  v3[8] = 53580;
  v3[9] = 50437;
  v3[10] = 50062;
  v3[11] = 44186;
  v3[12] = 44909;
  v3[13] = 46490;
  v3[14] = 46024;
  v3[15] = 44347;
  v3[16] = 43850;
  v3[17] = 44368;
  v3[18] = 54990;
  v3[19] = 61884;
  v3[20] = 61202;
  v3[21] = 58139;
  v3[22] = 57730;
  v3[23] = 54964;
  v3[24] = 48849;
  v3[25] = 51026;
  v3[26] = 49629;
  v3[27] = 48219;
  v3[28] = 47904;
  v3[29] = 50823;
  v3[30] = 46596;
  v3[31] = 50517;
  v3[32] = 48421;
  v3[33] = 46143;
  v3[34] = 46102;
  v3[35] = 46744;
  v2[0] = 104;
  v2[1] = 103;
  v2[2] = 97;
  v2[3] = 109;
  v2[4] = 101;
  v2[5] = 123;
  v2[6] = 64;
  v2[7] = 95;
  v2[8] = 70;
  v2[9] = 65;
  v2[10] = 75;
  v2[11] = 69;
  v2[12] = 95;
  v2[13] = 102;
  v2[14] = 108;
  v2[15] = 97;
  v2[16] = 103;
  v2[17] = 33;
  v2[18] = 45;
  v2[19] = 100;
  v2[20] = 111;
  v2[21] = 95;
  v2[22] = 89;
  v2[23] = 48;
  v2[24] = 117;
  v2[25] = 95;
  v2[26] = 107;
  v2[27] = 111;
  v2[28] = 110;
  v2[29] = 119;
  v2[30] = 95;
  v2[31] = 83;
  v2[32] = 77;
  v2[33] = 67;
  v2[34] = 63;
  v2[35] = 125;
  v10 = 1;
  for ( i = 0; i <= 5; ++i )
  {
    for ( j = 0; j <= 5; ++j )
    {
      for ( k = 0; k <= 5; ++k )
        v4[6 * i + j] += v2[6 * k + j] * *(_DWORD *)(4LL * (6 * i + k) + input);
    }
  }
  for ( l = 0; l <= 5; ++l )
  {
    for ( m = 0; m <= 5; ++m )
    {
      if ( v4[6 * l + m] != v3[6 * l + m] )
        v10 = 0;
    }
  }
  return v10;
}

整理后发现，就是一个矩阵乘法

所以flag * v2 = v3，flag就是 v3 * v2.I

from z3 import *
import numpy as np
v2 = [0] * 36
v3 = [0] * 36
v4 = [0] * 36

v3[0] = 55030;
v3[1] = 61095;
v3[2] = 60151;
v3[3] = 57247;
v3[4] = 56780;
v3[5] = 55726;
v3[6] = 46642;
v3[7] = 52931;
v3[8] = 53580;
v3[9] = 50437;
v3[10] = 50062;
v3[11] = 44186;
v3[12] = 44909;
v3[13] = 46490;
v3[14] = 46024;
v3[15] = 44347;
v3[16] = 43850;
v3[17] = 44368;
v3[18] = 54990;
v3[19] = 61884;
v3[20] = 61202;
v3[21] = 58139;
v3[22] = 57730;
v3[23] = 54964;
v3[24] = 48849;
v3[25] = 51026;
v3[26] = 49629;
v3[27] = 48219;
v3[28] = 47904;
v3[29] = 50823;
v3[30] = 46596;
v3[31] = 50517;
v3[32] = 48421;
v3[33] = 46143;
v3[34] = 46102;
v3[35] = 46744;
v2[0] = 104;
v2[1] = 103;
v2[2] = 97;
v2[3] = 109;
v2[4] = 101;
v2[5] = 123;
v2[6] = 64;
v2[7] = 95;
v2[8] = 70;
v2[9] = 65;
v2[10] = 75;
v2[11] = 69;
v2[12] = 95;
v2[13] = 102;
v2[14] = 108;
v2[15] = 97;
v2[16] = 103;
v2[17] = 33;
v2[18] = 45;
v2[19] = 100;
v2[20] = 111;
v2[21] = 95;
v2[22] = 89;
v2[23] = 48;
v2[24] = 117;
v2[25] = 95;
v2[26] = 107;
v2[27] = 111;
v2[28] = 110;
v2[29] = 119;
v2[30] = 95;
v2[31] = 83;
v2[32] = 77;
v2[33] = 67;
v2[34] = 63;
v2[35] = 125;

v2, v3 = np.array(v2).reshape(6,6), np.array(v3).reshape(6,6)
flag = np.matmul(v3,np.linalg.inv(v2))
flag = flag.reshape(1, -1)
flag = flag.tolist()[0]
flag = ''.join(list(map(lambda x: chr(round(x)), flag)))
print(flag)
# hgame{E@sy_Se1f-Modifying_C0oodee33}

就是得注意不能用int而要用round

或者使用高斯消元

datanum = [[0] * 37 for i in range(36) ]
def gauss(a):
    for i in range(len(a)):
        if(a[i][i]==0):
            for k in range(i+1,len(a)):
                if(a[k][i]!=0):
                    a[k],a[i]=a[i],a[k]
                    break
        tmp = a[i][i]
        for j in range(i,len(a[i])):
            a[i][j] = a[i][j] / tmp
        for j in range(len(a)):
            if j!=i:
                for k in range(len(a[i])-1,i-1,-1):
                    a[j][k] = a[j][k]-a[j][i]*a[i][k]
    return a
v2 = [0]*36
v2[0] = 104
v2[1] = 103
v2[2] = 97
v2[3] = 109
v2[4] = 101
v2[5] = 123
v2[6] = 64
v2[7] = 95
v2[8] = 70
v2[9] = 65
v2[10] = 75
v2[11] = 69
v2[12] = 95
v2[13] = 102
v2[14] = 108
v2[15] = 97
v2[16] = 103
v2[17] = 33
v2[18] = 45
v2[19] = 100
v2[20] = 111
v2[21] = 95
v2[22] = 89
v2[23] = 48
v2[24] = 117
v2[25] = 95
v2[26] = 107
v2[27] = 111
v2[28] = 110
v2[29] = 119
v2[30] = 95
v2[31] = 83
v2[32] = 77
v2[33] = 67
v2[34] = 63
v2[35] = 125   
v3 = [0] *36
v3[0] = 55030
v3[1] = 61095
v3[2] = 60151
v3[3] = 57247
v3[4] = 56780
v3[5] = 55726
v3[6] = 46642
v3[7] = 52931
v3[8] = 53580
v3[9] = 50437
v3[10] = 50062
v3[11] = 44186
v3[12] = 44909
v3[13] = 46490
v3[14] = 46024
v3[15] = 44347
v3[16] = 43850
v3[17] = 44368
v3[18] = 54990
v3[19] = 61884
v3[20] = 61202
v3[21] = 58139
v3[22] = 57730
v3[23] = 54964
v3[24] = 48849
v3[25] = 51026
v3[26] = 49629
v3[27] = 48219
v3[28] = 47904
v3[29] = 50823
v3[30] = 46596
v3[31] = 50517
v3[32] = 48421
v3[33] = 46143
v3[34] = 46102
v3[35] = 46744
for i in range(6):
    for j in range(6):
        for k in range(6):
            datanum[6*i+j][6*i+k] = v2[6*k+j]
for l in range(6):
    for m in range(6):
        datanum[6*l+m][36] = v3[6*l+m]
res = gauss(datanum)
for i in res:
    print(chr(round(i[36])),end='')

gun

这道题使用了梆梆壳加密，用fridadexdump解出来，发现是使用okhttp进行了特定证书的加密传输，所以charles无法解密，找了些资料，发现可以用frida绕过pinning

https://xz.aliyun.com/t/6102

https://portswigger.net/support/configuring-an-android-device-to-work-with-burp

嗯，跑是跑起来了，但是没看到数据传输。。。准备看wp吧。

自闭。其中mainactivity开了个线程跑这个。

package com.ryen.gun;

import aj;
import ak;
import al;
import am;
import an;
import ao;
import bj;
import bk;
import bl;
import bm;
import bn;
import bo;
import cj;
import ck;
import cl;
import cm;
import cn;
import co;
import dj;
import dk;
import dl;
import dm;
import dn;
import do;
import ej;
import ek;
import el;
import em;
import en;
import eo;
import fj;
import fk;
import fl;
import fm;
import fn;
import fo;
import gj;
import gk;
import gl;
import gm;
import gn;
import go;
import hj;
import hk;
import hl;
import hm;
import hn;
import ho;
import ij;
import ik;
import il;
import im;
import in;
import io;
import jj;
import jk;
import jl;
import jm;
import jn;
import jo;
import kj;
import kk;
import kl;
import km;
import kn;
import ko;
import lj;
import lk;
import ll;
import lm;
import ln;
import mj;
import mk;
import ml;
import mm;
import mn;
import nj;
import nk;
import nl;
import nm;
import nn;
import oj;
import ok;
import ol;
import om;
import on;
import pi;
import pj;
import pk;
import pl;
import pm;
import pn;
import qi;
import qj;
import qk;
import ql;
import qm;
import qn;
import ri;
import rj;
import rk;
import rl;
import rm;
import rn;
import si;
import sj;
import sk;
import sl;
import sm;
import sn;
import ti;
import tj;
import tk;
import tl;
import tm;
import tn;
import ui;
import uj;
import uk;
import ul;
import um;
import un;
import vi;
import vj;
import vk;
import vl;
import vm;
import vn;
import wi;
import wj;
import wk;
import wl;
import wm;
import wn;
import xi;
import xj;
import xk;
import xl;
import xm;
import xn;
import yi;
import yj;
import yk;
import yl;
import ym;
import yn;
import zi;
import zj;
import zk;
import zl;
import zm;
import zn;

public final class MainActivity.a implements Runnable {
    public static final MainActivity.a a;

    public static {
        MainActivity.a.a = new MainActivity.a();
    }

    @Override
    public final void run() {
        try {
            new ol().run();
            new jm().run();
            new fn().run();
            new aj().run();
            new xl().run();
            new yn().run();
            new qm().run();
            new ao().run();
            new vn().run();
            new wm().run();
            new wj().run();
            new xn().run();
            new jk().run();
            new nl().run();
            new co().run();
            new um().run();
            new nn().run();
            new ll().run();
            new ul().run();
            new uj().run();
            new ln().run();
            new el().run();
            new vk().run();
            new hj().run();
            new cl().run();
            new ti().run();
            new cn().run();
            new kk().run();
            new tl().run();
            new go().run();
            new pm().run();
            new wi().run();
            new fm().run();
            new uk().run();
            new bl().run();
            new rk().run();
            new bo().run();
            new lk().run();
            new bj().run();
            new rl().run();
            new il().run();
            new ko().run();
            new yi().run();
            new pk().run();
            new gm().run();
            new dn().run();
            new km().run();
            new sm().run();
            new yk().run();
            new on().run();
            new al().run();
            new qk().run();
            new hl().run();
            new pj().run();
            new pi().run();
            new qi().run();
            new qj().run();
            new sj().run();
            new yj().run();
            new kl().run();
            new vi().run();
            new gj().run();
            new nk().run();
            new ej().run();
            new vl().run();
            new nm().run();
            new bm().run();
            new ri().run();
            new dl().run();
            new kn().run();
            new mn().run();
            new sn().run();
            new ok().run();
            new gl().run();
            new eo().run();
            new do().run();
            new xj().run();
            new zj().run();
            new fl().run();
            new dk().run();
            new fj().run();
            new im().run();
            new zk().run();
            new hm().run();
            new xm().run();
            new vm().run();
            new ij().run();
            new fo().run();
            new oj().run();
            new em().run();
            new kj().run();
            new zi().run();
            new zm().run();
            new rj().run();
            new ho().run();
            new ek().run();
            new dm().run();
            new un().run();
            new tj().run();
            new xi().run();
            new qn().run();
            new ml().run();
            new cj().run();
            new wn().run();
            new zn().run();
            new bk().run();
            new in().run();
            new jl().run();
            new hk().run();
            new jn().run();
            new an().run();
            new vj().run();
            new tm().run();
            new xk().run();
            new sl().run();
            new bn().run();
            new nj().run();
            new gn().run();
            new wk().run();
            new am().run();
            new hn().run();
            new ik().run();
            new mj().run();
            new zl().run();
            new sk().run();
            new mm().run();
            new om().run();
            new rm().run();
            new gk().run();
            new rn().run();
            new io().run();
            new tk().run();
            new en().run();
            new jo().run();
            new pn().run();
            new ym().run();
            new lj().run();
            new dj().run();
            new ql().run();
            new ck().run();
            new cm().run();
            new tn().run();
            new yl().run();
            new jj().run();
            new fk().run();
            new lm().run();
            new wl().run();
            new pl().run();
            new ak().run();
            new si().run();
            new ui().run();
            new mk().run();
        }
        catch(Exception v0) {
            v0.printStackTrace();
        }
    }
}

然后随便取一个

import java.util.ArrayList;

public final class um extends Thread {
    @Override
    public void run() {
        ArrayList v0 = new ArrayList();
        ArrayList v14 = fd.h("bullet", "name", "q", "value");
        b v13 = jr.k;
        v0.add(b.a(v13, "bullet", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91));
        fr v0_1 = fd.j(v14, b.a(v13, "q", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91), v0, v14);
        a v1 = new a();
        v1.a("hgame.vidar.club", new String[]{"sha256/ocfaPpOi8wBS01tMzoT6f+q+zF7ufbbxSe2wQUcpqXY="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        rq v1_1 = v1.b();
        mr.a v2 = fd.c(v1_1, "certificatePinner");
        mp.a(v1_1, v2.q);
        v2.q = v1_1;
        ((ks)fd.i("https://hgame.vidar.club", v0_1, 0x8C9BL, new mr(v2))).d();
    }
}

bullet传递了一个字符，下面的fd.i是等候时间，所以读取全部的然后按时间排序即可得到答案

from typing import *
import re
import os
order = 'ol jm fn aj xl yn qm ao vn wm wj xn jk nl co um nn ll ul uj ln el vk hj cl ti cn kk tl go pm wi fm uk bl rk bo lk bj rl il ko yi pk gm dn km sm yk on al qk hl pj pi qi qj sj yj kl vi gj nk ej vl nm bm ri dl kn mn sn ok gl eo do xj zj fl dk fj im zk hm xm vm ij fo oj em kj zi zm rj ho ek dm un tj xi qn ml cj wn zn bk in jl hk jn an vj tm xk sl bn nj gn wk am hn ik mj zl sk mm om rm gk rn io tk en jo pn ym lj dj ql ck cm tn yl jj fk lm wl pl ak si ui mk'.split(' ')

dic = {}
for i in order:
	url = os.path.join('/Users/zrzz/Downloads/com.ryen.gun', i + '.java')
	with open(url, 'r') as f: 
		content = f.read()
		if "hgame.vidar.club" in content:
			a = re.search(r'fd\.h\(\"bullet\", \"name\", \"(.)\", \"value\"\);', content).groups()[0]
			time = re.search(r'v0_1, (.+?)L, new mr', content).groups()[0]
			if '0x' in time:
				time = int(time, 16)
			else:
				time = int(time)
			dic[time] = a
dic = sorted(dic.items(), key=lambda x: x[0])
flag = list(map(lambda x:x[1], dic))
print(''.join(flag))
# tsmyq{dQh3x_y3_nk_z4F1h3_0d_zi7I0dw}

得到的显然是凯撒加密，key=12解密得到答案hgame{rEv3l_m3_by_n4T1v3_0r_nw7W0rk}

helloRe3

根据input字符串找到函数，将0x1400c8c3e的call … pop rax进行nop，再转换成伪代码，发现18行就是加密函数。

进到里面发现是rc4加密(%256,swap)

啊。。找不到key