I had a couple of interviews these past few days, and the questions were all about either game anti-cheat or web stuff (PWN players get no respect!).
So I'm going to work through some JarvisOJ challenges and pick up Windows reversing along the way (the Jarvis problems are on the easier side, hhhh).

软件密码破解-1 (Software Password Cracking 1)

Opening the binary in IDA shows a huge pile of functions. I then searched for strings (IDA turned up nothing useful; the search was done in x32dbg while debugging) and found a "{FLAG:....}" string. Locating the corresponding spot in IDA and taking a quick look, that is the check code, at 0x281BB0.

The logic is not hard either: in the figure below, ① XORs the input string with another string, and ② compares the XOR result against a constant. That comparison is the whole check.

The string used for the XOR (call it the key) can be found in memory in x32dbg:

exp:

# b: the constant the binary compares against; a: the XOR key read from memory in x32dbg
b = [0x1b, 0x1c, 0x17, 0x46, 0xf4, 0xfd, 0x20, 0x30, 0xb7, 0x0c, 0x8e, 0x7e, 0x78, 0xde]
a = [0x28, 0x57, 0x64, 0x6b, 0x93, 0x8f, 0x65, 0x51, 0xe3, 0x53, 0xe4, 0x4e, 0x1a, 0xff]
# The check is input ^ key == b, and XOR is its own inverse, so the flag is b ^ key
print(''.join([chr(a[i] ^ b[i]) for i in range(14)]))

DD-Android Easy

As the title says. After unpacking with dex2jar, rewriting function i is all it takes:

p = [-40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101]
q = [-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70, 8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21, -126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, -128, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24]

# Java bytes are signed (-128..127); bring both tables back to the 0..255 range
# the app actually operates on, otherwise chr() fails on negative XOR results
for i in range(len(p)):
    if p[i] < 0:
        p[i] = 256 + p[i]

for i in range(len(q)):
    if q[i] < 0:
        q[i] = 256 + q[i]

# Function i is a byte-wise XOR of the two tables
a = ''
for i in range(len(p)):
    a += chr(p[i] ^ q[i])
# The flag sits in the middle of the decoded string; trim the padding on both sides
print(a[31:-35])
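Both of the challenges above reduce to the same pattern: the program computes input[i] ^ key[i] and compares it with a constant table, so the accepted input is table ^ key. The helper below is an added example (not code from the original post) that re-implements the check, inverts it, and shows with the first four entries of the DD-Android p/q arrays why the signed-to-unsigned fix-up for Java bytes is required; the table names are my own.

```python
def to_unsigned(values):
    """Normalise Java-style signed bytes (-128..127) to 0..255.
    Values already in 0..255 pass through unchanged."""
    return bytes(v & 0xFF for v in values)

def xor_check(user_input, key, expected):
    """Re-implements the binary's check: input[i] ^ key[i] == expected[i]
    at every position, with all three lengths matching."""
    u, k, e = to_unsigned(user_input), to_unsigned(key), to_unsigned(expected)
    return len(u) == len(k) == len(e) and all(x ^ y == z for x, y, z in zip(u, k, e))

def recover_input(key, expected):
    """Invert the check. XOR is its own inverse, so expected ^ key is the
    unique input the check accepts; the mask handles signed Java bytes."""
    return bytes(k ^ e for k, e in zip(to_unsigned(key), to_unsigned(expected)))

# Tables from the first challenge (compare constant b and key a in the post).
CHALLENGE1_EXPECTED = [0x1b, 0x1c, 0x17, 0x46, 0xf4, 0xfd, 0x20, 0x30,
                       0xb7, 0x0c, 0x8e, 0x7e, 0x78, 0xde]
CHALLENGE1_KEY = [0x28, 0x57, 0x64, 0x6b, 0x93, 0x8f, 0x65, 0x51,
                  0xe3, 0x53, 0xe4, 0x4e, 0x1a, 0xff]

# First four entries of the DD-Android p and q arrays, kept signed as the
# decompiler emits them; index 3 is a mixed-sign pair (66 and -71).
JAVA_SIGNED_P = [-40, -62, 107, 66]
JAVA_SIGNED_Q = [-57, -90, 53, -71]

def solve_challenge1():
    """Recover the flag and confirm it passes the reconstructed check."""
    flag = recover_input(CHALLENGE1_KEY, CHALLENGE1_EXPECTED)
    assert xor_check(flag, CHALLENGE1_KEY, CHALLENGE1_EXPECTED)
    return flag.decode("ascii")

def signed_vs_masked():
    """Why the post's 256 + p[i] fix-up is needed: XOR-ing a mixed-sign pair
    in Python yields a negative int that chr() rejects (66 ^ -71 == -5),
    while masking first gives the byte the Java code really compares (0xFB)."""
    naive = [x ^ y for x, y in zip(JAVA_SIGNED_P, JAVA_SIGNED_Q)]
    masked = list(recover_input(JAVA_SIGNED_P, JAVA_SIGNED_Q))
    return naive, masked

if __name__ == "__main__":
    print(solve_challenge1())
    print(signed_vs_masked())
```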

Smali

Use the smali tool shipped with dex2jar to convert the smali back to dex, then run dex2jar on it and you can happily read the jar. After that I rewrote the decrypt function (I have to say, writing Java is sooo much hassle -_-).

// javac 11.0.6
// openjdk 11.0.6
// build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Crackme
{
  // Ciphertext embedded in the app, base64-encoded
  private static void Crackme2()
  {
    System.out.println(GetFlag("sSNnx1UKbYrA1+MOrdtDTA=="));
  }

  private static String GetFlag(String paramString)
  {
    // Base64 of the 16-byte AES key hard-coded in the app
    String str2 = new String("cGhyYWNrICBjdGYgMjAxNg==");
    byte[] arrayOfByte = Base64.getDecoder().decode(paramString.getBytes());
    paramString = new String(Base64.getDecoder().decode(str2.getBytes()));
    return decrypt(arrayOfByte, paramString);
  }

  // Mirrors the app's decrypt(): AES-128 in ECB mode with no padding,
  // key taken directly from the decoded string bytes
  private static String decrypt(byte[] cipher, String key)
  {
    try {
      Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
      c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key.getBytes(), "AES"));
      byte[] plain = c.doFinal(cipher);
      return new String(plain);
    } catch (Exception e) {
      System.out.println("Error");
      e.printStackTrace(System.out);
      return "";
    }
  }

  public static void main(String[] args) {
    Crackme2();
  }
}

© 2018-2025 0xFFFF