flag{49d3c93df25caad81232130f3d2ebfad}
import java.util.*;

/**
 * CTF reversing sample: reads one token from standard input and reports whether its transformed
 * form matches a key table embedded in the class.
 *
 * <p>The check is a fixed, keyless, per-character transform compared against constants that ship
 * inside the class file. Anyone who can decompile the class can invert the table and recover the
 * expected input, so this is an obfuscation exercise and not a way to protect a secret.
 */
public class Reverse {

    /**
     * Prompts for the flag, echoes the token that was read and passes its characters to
     * {@link #Encrypt(char[])}.
     *
     * @param args ignored
     */
    public static void main(final String[] args) {
        final Scanner in = new Scanner(System.in);
        System.out.println("Please input the flag \uff1a");
        // Scanner.next() returns a single token, so the input ends at the first whitespace.
        final String token = in.next();
        System.out.println("Your input is \uff1a");
        System.out.println(token);
        Encrypt(token.toCharArray());
    }

    /**
     * Transforms every character of {@code arr} and prints whether the result equals the
     * embedded key table.
     *
     * <p>Prints {@code Result:} to standard output, followed by the success message on standard
     * output or the failure message on standard error. Inputs whose length differs from the
     * table length never match.
     *
     * @param arr characters of the candidate flag
     */
    public static void Encrypt(final char[] arr) {
        final int[] transformed = new int[arr.length];
        int pos = 0;
        for (final char c : arr) {
            // '+' binds tighter than '^' in Java, so the unparenthesised form
            // "arr[i] + '@' ^ 0x20" means (arr[i] + 64) ^ 32; the parentheses only make it visible.
            transformed[pos++] = (c + '@') ^ 0x20;
        }

        final int[] expected = {
            180, 136, 137, 147, 191, 137, 147, 191, 148,
            136, 133, 191, 134, 140, 129, 135, 191, 65
        };

        System.out.println("Result:");
        // Same outcome as comparing two List<Integer>: equal length and equal elements in order.
        if (Arrays.equals(transformed, expected)) {
            System.out.println("Congratulations\uff01");
        } else {
            System.err.println("Error\uff01");
        }
    }
}
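/**
 * Solver for the {@code Reverse} check: inverts the per-character transform over the embedded
 * key table and prints the recovered input.
 */
public class REVERSE_JAVA {

    /**
     * Decodes every key value and writes the resulting characters to standard output, with no
     * trailing newline.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        final int[] KEY = {
            180, 136, 137, 147, 191, 137, 147, 191, 148,
            136, 133, 191, 134, 140, 129, 135, 191, 65
        };

        // The unused ArrayList of the original listing is dropped; without it the class
        // compiles on its own, with no java.util import.
        final StringBuilder recovered = new StringBuilder(KEY.length);
        for (final int value : KEY) {
            // '-' binds tighter than '^', so this is (value - 64) ^ 32. Subtracting 64 leaves
            // bit 5 alone and XOR 0x20 changes only bit 5, so the two steps give the same
            // result in either order; this mirrors the forward expression (c + 64) ^ 32.
            recovered.append((char) ((value - '@') ^ 0x20));
        }
        System.out.print(recovered);
    }
}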
// Eleven values are stored before the call; read as character codes they spell "ZJSECaNH3ng".
// NOTE(review): v7..v17 are presumably consecutive 4-byte stack slots forming one array
// (sub_4010F0 indexes its first argument in 4-byte steps); the declarations are not shown, confirm.
v7 = 90;    // 'Z'
v8 = 74;    // 'J'
v9 = 83;    // 'S'
v10 = 'E';
v11 = 'C';
v12 = 'a';
v13 = 'N';
v14 = 72;   // 'H'
v15 = 51;   // '3'
v16 = 110;  // 'n'
v17 = 103;  // 'g'
// Address of v7 plus the inclusive index range 0..10, i.e. all eleven values.
sub_4010F0((int)&v7, 0, 10);
// Hex-Rays pseudocode, one statement per line.
// a1 is the base address of an array of 4-byte values (every access has the form
// *(_DWORD *)(a1 + 4 * index)); a2 and a3 are the first and last index, both inclusive.
// Sorts that range into ascending order in place: v6 is the pivot taken from the first
// element of the current range, the do/while moves values around it from both ends, the
// recursive call handles the part left of the pivot and the next pass of the for loop
// handles the part right of it. Returns a3.
int __cdecl sub_4010F0(int a1, int a2, int a3){
  int result; // eax
  int i; // esi
  int v5; // ecx
  int v6; // edx
  result = a3;
  for ( i = a2; i <= a3; a2 = i ) {
    // v5 is the byte offset of the slot that is currently free to be overwritten.
    v5 = 4 * i;
    v6 = *(_DWORD *)(4 * i + a1);
    if ( a2 < result && i < result ) {
      do {
        // Scan from the right for a value smaller than the pivot.
        if ( v6 > *(_DWORD *)(a1 + 4 * result) ) {
          if ( i >= result ) break;
          ++i;
          *(_DWORD *)(v5 + a1) = *(_DWORD *)(a1 + 4 * result);
          if ( i >= result ) break;
          // Scan from the left for a value larger than the pivot.
          while ( *(_DWORD *)(a1 + 4 * i) <= v6 ) {
            if ( ++i >= result ) goto LABEL_13;
          }
          if ( i >= result ) break;
          v5 = 4 * i;
          *(_DWORD *)(a1 + 4 * result) = *(_DWORD *)(4 * i + a1);
        }
        --result;
      } while ( i < result );
    }
LABEL_13:
    // i and result have met: this is the pivot's final position.
    *(_DWORD *)(a1 + 4 * result) = v6;
    sub_4010F0(a1, a2, i - 1);
    result = a3;
    ++i;
  }
  return result;
}
照着这个“加密”函数(实际是对数组做排序)重写一下。本来想动态调试的,结果下了断点之后,鼠标和键盘都快按坏了,这个程序还是没法交互式运行……
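#include <stdio.h>
#include <string.h>

/*
 * C port of the decompiled sub_4010F0, working on a char buffer instead of
 * an array of 4-byte values.
 *
 * Sorts a1[a2..a3] (both indexes inclusive) into ascending order in place.
 * v6 holds the pivot taken from the first element of the current range; the
 * do/while moves smaller values to its left and larger values to its right,
 * the recursive call sorts the left part and the next pass of the for loop
 * handles the right part. Returns a3.
 *
 * The indexes are not checked: the caller must pass a range that lies inside
 * the buffer.
 */
int sub_4010F0(char*a1, int a2, int a3){
  int result; /* right-hand scan index */
  int i;      /* left-hand scan index */
  int v5;     /* index of the slot that is currently free to be overwritten */
  int v6;     /* pivot value */
  result = a3;
  for ( i = a2; i <= a3; a2 = i ) {
    v5 = i;
    v6 = a1[i];
    if ( a2 < result && i < result ) {
      do {
        /* Scan from the right for a value smaller than the pivot. */
        if ( v6 > a1[result] ) {
          if ( i >= result ) break;
          ++i;
          a1[v5]= a1[result];
          if ( i >= result ) break;
          /* Scan from the left for a value larger than the pivot. */
          while ( a1[i] <= v6 ) {
            if ( ++i >= result ) goto LABEL_13;
          }
          if ( i >= result ) break;
          v5 = i;
          a1[result] = a1[i];
        }
        --result;
      } while ( i < result );
    }
    LABEL_13:
    /* i and result have met: this is the pivot's final position. */
    a1[result]= v6;
    sub_4010F0(a1, a2, i - 1);
    result = a3;
    ++i;
  }
  return result;
}

/* Prints the string taken from the binary, sorts it, and prints the result. */
int main(){
    char s[]="ZJSECaNH3ng";
    /* The newline belongs inside the format string; `s\n` outside it does not compile. */
    printf("%s\n",s);
    /* Last index derived from the string instead of the hard-coded 10. */
    sub_4010F0(s,0,(int)strlen(s)-1);
    printf("%s",s);
    return 0;
}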
运行结果(第一行是原始字符串,第二行是排序后的结果):
ZJSECaNH3ng
3CEHJNSZagn
// v4 = sub_401000 applied to the NUL-terminated bytes that start at v26.
v4 = sub_401000((int)&v26, strlen(&v26));
// Zero 0xFFFF bytes starting at v26 before the storage is reused.
// NOTE(review): the size of the buffer behind v26 is not shown on the page; confirm it is at least 0xFFFF bytes.
memset(&v26, 0, 0xFFFFu);
// Three values are written to v26, v27 and v28 (statement order as emitted by the decompiler).
// NOTE(review): presumably v26..v28 are the first three bytes of one buffer and v20..v22 are
// three consecutive input characters; the declarations are not shown, confirm.
v27 = v21;
v26 = v20;
v28 = v22;
// v5 = sub_401000 applied to the bytes now stored at v26.
v5 = sub_401000((int)&v26, strlen(&v26));
// Hex-Rays pseudocode, one statement per line.
// Encodes a2 bytes starting at address a1 into a newly allocated, NUL-terminated string and
// returns it. Each group of up to three input bytes becomes four output characters taken from
// byte_407830: 6-bit values are extracted with shifts of 18, 12, 6 and 0 and the mask 0x3F, and
// index 64 is used where a short final group has no more data. These are the markers that
// identify the routine as a Base64 encoder.
// The buffer is not freed here; presumably the caller is expected to release it (not visible on the page).
_BYTE *__cdecl sub_401000(int a1, int a2){
  int v2; // eax
  int v3; // esi
  size_t v4; // ebx
  _BYTE *v5; // eax
  _BYTE *v6; // edi
  int v7; // eax
  _BYTE *v8; // ebx
  int v9; // edi
  signed int v10; // edx
  int v11; // edi
  signed int v12; // eax
  signed int v13; // esi
  _BYTE *result; // eax
  _BYTE *v15; // [esp+Ch] [ebp-10h]
  _BYTE *v16; // [esp+10h] [ebp-Ch]
  int v17; // [esp+14h] [ebp-8h]
  int v18; // [esp+18h] [ebp-4h]
  // v2 = number of 3-byte groups, rounded up; the output needs 4 characters per group plus the NUL.
  v2 = a2 / 3;
  v3 = 0;
  if ( a2 % 3 > 0 ) ++v2;
  v4 = 4 * v2 + 1;
  v5 = malloc(v4);
  v6 = v5;
  v15 = v5;
  // Allocation failure ends the process with exit status 0.
  if ( !v5 ) exit(0);
  memset(v5, 0, v4);
  v7 = a2;
  v8 = v6;
  v16 = v6;
  if ( a2 > 0 ) {
    while ( 1 ) {
      v9 = 0;
      v10 = 0;
      v18 = 0;
      // Read up to three input bytes into v9, most significant first; v10 counts the bytes read.
      do {
        if ( v3 >= v7 ) break;
        ++v10;
        v9 = *(unsigned __int8 *)(v3++ + a1) | (v9 << 8);
      } while ( v10 < 3 );
      // '*' binds tighter than '<<': shift left by 8 * (3 - v10) bits so a short group is
      // left-aligned in 24 bits.
      v11 = v9 << 8 * (3 - v10);
      v12 = 0;
      v17 = v3;
      v13 = 18;
      // Emit four characters: positions 0..v10 carry data, the remaining positions get index 64.
      do {
        if ( v10 >= v12 ) {
          *((_BYTE *)&v18 + v12) = (v11 >> v13) & 0x3F;
          v8 = v16;
        } else {
          *((_BYTE *)&v18 + v12) = 64;
        }
        *v8++ = byte_407830[*((char *)&v18 + v12)];
        v13 -= 6;
        ++v12;
        v16 = v8;
      } while ( v13 > -6 );
      v3 = v17;
      if ( v17 >= a2 ) break;
      v7 = a2;
    }
    v6 = v15;
  }
  result = v6;
  // Terminate the output string.
  *v8 = 0;
  return result;
}
找到一个数组:
// Table lookup: the byte stored in v18 at position v12 (a 6-bit value, or 64 for padding)
// selects the output character from byte_407830.
*v8++ = byte_407830[*((char *)&v18 + v12)];
; byte_407830: 65 one-byte entries, one per line.
; Offsets 00h-3Fh hold A-Z, a-z, 0-9, '+', '/' in that order, which is the standard Base64
; alphabet; offset 40h (index 64) holds '=', the padding character.
byte_407830 db 41h ; DATA XREF: sub_401000+C0↑r
.rdata:00407831 db 42h ; B
.rdata:00407832 db 43h ; C
.rdata:00407833 db 44h ; D
.rdata:00407834 db 45h ; E
.rdata:00407835 db 46h ; F
.rdata:00407836 db 47h ; G
.rdata:00407837 db 48h ; H
.rdata:00407838 db 49h ; I
.rdata:00407839 db 4Ah ; J
.rdata:0040783A db 4Bh ; K
.rdata:0040783B db 4Ch ; L
.rdata:0040783C db 4Dh ; M
.rdata:0040783D db 4Eh ; N
.rdata:0040783E db 4Fh ; O
.rdata:0040783F db 50h ; P
.rdata:00407840 db 51h ; Q
.rdata:00407841 db 52h ; R
.rdata:00407842 db 53h ; S
.rdata:00407843 db 54h ; T
.rdata:00407844 db 55h ; U
.rdata:00407845 db 56h ; V
.rdata:00407846 db 57h ; W
.rdata:00407847 db 58h ; X
.rdata:00407848 db 59h ; Y
.rdata:00407849 db 5Ah ; Z
.rdata:0040784A db 61h ; a
.rdata:0040784B db 62h ; b
.rdata:0040784C db 63h ; c
.rdata:0040784D db 64h ; d
.rdata:0040784E db 65h ; e
.rdata:0040784F db 66h ; f
.rdata:00407850 db 67h ; g
.rdata:00407851 db 68h ; h
.rdata:00407852 db 69h ; i
.rdata:00407853 db 6Ah ; j
.rdata:00407854 db 6Bh ; k
.rdata:00407855 db 6Ch ; l
.rdata:00407856 db 6Dh ; m
.rdata:00407857 db 6Eh ; n
.rdata:00407858 db 6Fh ; o
.rdata:00407859 db 70h ; p
.rdata:0040785A db 71h ; q
.rdata:0040785B db 72h ; r
.rdata:0040785C db 73h ; s
.rdata:0040785D db 74h ; t
.rdata:0040785E db 75h ; u
.rdata:0040785F db 76h ; v
.rdata:00407860 db 77h ; w
.rdata:00407861 db 78h ; x
.rdata:00407862 db 79h ; y
.rdata:00407863 db 7Ah ; z
.rdata:00407864 db 30h ; 0
.rdata:00407865 db 31h ; 1
.rdata:00407866 db 32h ; 2
.rdata:00407867 db 33h ; 3
.rdata:00407868 db 34h ; 4
.rdata:00407869 db 35h ; 5
.rdata:0040786A db 36h ; 6
.rdata:0040786B db 37h ; 7
.rdata:0040786C db 38h ; 8
.rdata:0040786D db 39h ; 9
.rdata:0040786E db 2Bh ; +
.rdata:0040786F db 2Fh ; /
.rdata:00407870 db 3Dh ; =
这是标准的 base64,字母表顺序没有改动;再结合后面的判断条件:
// Final check from the decompiled main; the body of the if is not shown on the page.
// The first four clauses tie String, v19, v20 and v21 to v7, v11, v9 and v14 by equality or
// simple arithmetic; the last two compare the strings v4 and v5 with fixed literals.
// NOTE(review): v7..v14 are presumably read after sub_4010F0 has reordered them; confirm the order in the disassembly.
if ( String == v7 + 34 && v19 == v11 && 4 * v20 - 141 == 3 * v9 && v21 / 4 == 2 * (v14 / 9) && !strcmp(v4, "ak1w") && !strcmp(v5, "V1Ax") )
v4 和 v5 都是经过 base64 编码后的字符串,所以分别对 ak1w 和 V1Ax 进行解码即可,结果分别为 jMp 和 WP1。
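排序后的数组是 3CEHJNSZagn,代入前面的判断条件:String = v7 + 34 = '3' + 34 = 'U',v19 = v11 = 'J';4 * v20 - 141 == 3 * v9 和 v21 / 4 == 2 * (v14 / 9) 也与解码得到的 'W'、'P' 吻合。仔细观察后,把各部分拼起来,也就是
UJWP1jMp
总结:程序先给出一个字符串并对它排序,再拿两段经过 base64 编码(base64 只是编码,不是加密)的字符串做比较,最后把各部分凑起来。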