Had a couple of interviews these past few days, and all I got asked about was game anti-cheat or Web stuff (PWN players get no respect!).
So let me dig up some JarvisOJ challenges to work through, and pick up some Windows reversing along the way (Jarvis's challenges are a bit easier hhhh).
软件密码破解-1 (Software Password Cracking 1)
Opening it in IDA shows a huge pile of functions. Searching for strings afterwards (IDA didn't turn up anything useful; I searched in x32dbg while debugging) found a "{FLAG:....}" string; locating the corresponding spot in IDA and taking a look, that is the check code, at 0x281BB0.
The logic isn't hard either. In the disassembly screenshot, ① XORs the input string with another string, and ② compares the XOR result against a stored constant; that comparison is the check.
The string used for the XOR (call it the key) can be found in memory in x32dbg.
exp:
# Both operands of the XOR, dumped from memory in x32dbg (14 bytes each)
b = [0x1b, 0x1c, 0x17, 0x46, 0xf4, 0xfd, 0x20, 0x30, 0xb7, 0x0c, 0x8e, 0x7e, 0x78, 0xde]
a = [0x28, 0x57, 0x64, 0x6b, 0x93, 0x8f, 0x65, 0x51, 0xe3, 0x53, 0xe4, 0x4e, 0x1a, 0xff]
# The check is input ^ key == target, so input == key ^ target
print(''.join(chr(x ^ y) for x, y in zip(a, b)))
DD-Android Easy
As the title says: unpack with dex2jar, rewrite function i, and that's it.
# The two byte[] constants from function i. Java byte literals are signed (-128..127),
# so they have to be brought back to 0..255 before XORing.
p = [-40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101]
q = [-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70, 8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21, -126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, -128, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24]
p = [x & 0xff for x in p]
q = [x & 0xff for x in q]
# Function i XORs the two arrays byte for byte
a = ''.join(chr(x ^ y) for x, y in zip(p, q))
# Only the middle of the result is the flag; the bytes around it are filler
print(a[31:-35])
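Both challenges so far come down to the same thing: the check XORs the input with a stored byte string and compares the result with a second constant, so having both constants gives the input directly. The script below is an added example, not code from the original writeup, and solves both challenges with two small extras a reverser usually wants: it normalises the signed Java byte[] literals copied out of the decompiled code, and instead of hard-coding the a[31:-35] slice it locates the longest run of printable ASCII in the XOR result. The function names are mine; the constants are the ones from the two exploits above.

```python
"""Recover the input behind an XOR check when both operands are known (added example)."""


def java_bytes(values):
    """Convert a Java-style signed byte[] literal (-128..127) to bytes (-40 -> 0xd8)."""
    return bytes(v & 0xff for v in values)


def xor_bytes(key, constant):
    """input ^ key == constant  <=>  input == key ^ constant."""
    if len(key) != len(constant):
        raise ValueError("operands must have equal length")
    return bytes(k ^ c for k, c in zip(key, constant))


def longest_printable_run(data):
    """Return (offset, text) of the longest run of printable ASCII (0x20..0x7e) in data."""
    best_start, best_len, run_start = 0, 0, None
    # A trailing non-printable sentinel closes a run that reaches the end of the data
    for i, b in enumerate(list(data) + [0]):
        if 0x20 <= b <= 0x7e:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    return best_start, bytes(data[best_start:best_start + best_len]).decode("ascii")


# Software Password Cracking 1: both operands dumped from memory in x32dbg
CRACKME1_A = bytes([0x28, 0x57, 0x64, 0x6b, 0x93, 0x8f, 0x65, 0x51, 0xe3, 0x53, 0xe4, 0x4e, 0x1a, 0xff])
CRACKME1_B = bytes([0x1b, 0x1c, 0x17, 0x46, 0xf4, 0xfd, 0x20, 0x30, 0xb7, 0x0c, 0x8e, 0x7e, 0x78, 0xde])

# DD-Android Easy: the two signed byte[] literals from function i
DD_P = [-40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101]
DD_Q = [-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70, 8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21, -126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, -128, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24]


def solve_crackme1():
    """The whole 14-byte XOR result is the flag here."""
    return xor_bytes(CRACKME1_A, CRACKME1_B).decode("ascii")


def solve_dd_android():
    """Only part of the 120-byte XOR result is the flag; find it instead of guessing the slice."""
    return longest_printable_run(xor_bytes(java_bytes(DD_P), java_bytes(DD_Q)))


if __name__ == "__main__":
    print(solve_crackme1())
    offset, flag = solve_dd_android()
    print(f"printable run at offset {offset} ({len(flag)} bytes): {flag}")
```

The printable-run search is what makes the approach reusable: when a check XORs a long buffer and only a slice of it is meaningful, the filler bytes are almost never all printable, so the flag falls out as the longest ASCII run without anyone eyeballing offsets.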
Smali
Use the smali tool shipped with dex2jar to turn the smali back into a dex, then run dex2jar on that and you can happily read the jar. Then I rewrote the decrypt function (I have to say, writing Java is way, way, way too tedious - -)
// javac 11.0.6
// openjdk 11.0.6
// build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Crackme
{
    // Entry point of the check: the ciphertext is a hard-coded Base64 constant
    private static void Crackme2()
    {
        GetFlag("sSNnx1UKbYrA1+MOrdtDTA==");
    }

    private static String GetFlag(String paramString)
    {
        // The AES key is hard-coded as well, Base64-encoded; it decodes to 16 bytes (AES-128)
        String str2 = "cGhyYWNrICBjdGYgMjAxNg==";
        byte[] arrayOfByte = Base64.getDecoder().decode(paramString);
        String key = new String(Base64.getDecoder().decode(str2));
        System.out.println(decrypt(arrayOfByte, key));
        return null;
    }

    private static String decrypt(byte[] cipher, String key)
    {
        try {
            // ECB with no padding: the 16-byte ciphertext is decrypted as a single block
            Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key.getBytes(), "AES"));
            byte[] plain = c.doFinal(cipher);
            return new String(plain);
        } catch (Exception e) {
            System.out.println("Error");
            e.printStackTrace(System.out);
            return "";
        }
    }

    public static void main(String[] args)
    {
        Crackme2();
    }
}
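The real lesson of this challenge is that the APK ships both the AES key and the ciphertext as Base64 constants and uses ECB with no padding, so anyone holding the APK can decrypt offline; no Java toolchain is needed. The block below is an added example, not the challenge's or the writeup's code: a compact pure-Python AES-128 decryptor (standard library only) that is checked against the FIPS-197 Appendix C.1 test vector before being pointed at the two constants from GetFlag()/Crackme2() above. Function names are mine.

```python
"""AES-128/ECB/NoPadding decryption in plain Python (added example, stdlib only)."""
import base64


def _xtime(a):
    """Multiply by x in GF(2^8), reducing by the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11b) & 0xff if a & 0x100 else a


def _gmul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff


def _build_sbox():
    """S-box: multiplicative inverse followed by the affine map; 0 maps to 0x63."""
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if _gmul(a, b) == 1)
    return [v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63 for v in inv]


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def _inv_shift_rows(s):
    """State is column-major (byte s[4*c + r]); row r rotates right by r positions."""
    return [s[((c - r) % 4) * 4 + r] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    """Multiply every column by the inverse MixColumns matrix {0e,0b,0d,09}."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
            _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
            _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
            _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14),
        ]
    return out


def aes128_decrypt_block(round_keys, block):
    """FIPS-197 inverse cipher for a single 16-byte block."""
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, 0, -1):
        s = _inv_shift_rows(s)
        s = [INV_SBOX[b] for b in s]
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
        s = _inv_mix_columns(s)
    s = _inv_shift_rows(s)
    s = [INV_SBOX[b] for b in s]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))


def aes128_ecb_decrypt_nopad(key, ciphertext):
    """ECB decrypts each block independently; NoPadding demands whole blocks."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    if len(ciphertext) % 16:
        raise ValueError("NoPadding: ciphertext must be a multiple of 16 bytes")
    rks = _expand_key(key)
    return b"".join(aes128_decrypt_block(rks, ciphertext[i:i + 16])
                    for i in range(0, len(ciphertext), 16))


# Constants copied from the decompiled Crackme2()/GetFlag() above
KEY = base64.b64decode("cGhyYWNrICBjdGYgMjAxNg==")         # 16 bytes -> AES-128
CIPHERTEXT = base64.b64decode("sSNnx1UKbYrA1+MOrdtDTA==")  # exactly one 16-byte block


def solve_smali():
    return aes128_ecb_decrypt_nopad(KEY, CIPHERTEXT)


if __name__ == "__main__":
    print(solve_smali())
```

The S-box is derived rather than pasted so there is nothing to mistype, and the FIPS-197 vector is the cheapest way to convince yourself the InvShiftRows indexing and the column-major state layout are right before trusting the decryptor on unknown data.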