Reverse

week1

pypy

其实就是dis模块加密后的阅读了,照着文档一步步连读带猜都不难。

from typing import *
# Recovered from the pyc disassembly: the hex blob is XOR-ed with its byte
# index and then every adjacent pair of bytes is swapped.
flag = '30466633346f59213b4139794520572b45514d61583151576638643a'
res = bytes(int(flag[pos:pos + 2], 16) for pos in range(0, len(flag) // 2 * 2, 2))
length = len(res)
# Stage 1: each byte XOR its own offset.
raw = [byte ^ idx for idx, byte in enumerate(res)]
# Stage 2: swap the two bytes of every aligned pair (a trailing odd byte stays put).
for pair in range(0, length - length % 2, 2):
    raw[pair], raw[pair + 1] = raw[pair + 1], raw[pair]
print(''.join(chr(value) for value in raw))

helloRe

首先长度为22,每次跟一个值异或,然后值减一,跟一个字节数组对比,简单题。

# Recovered check: the 22 target bytes are compared against input[i] ^ (0xff - i),
# so the input is recovered by applying the same XOR to the target bytes.
key = '97 99 9C 91 9E 81 91 9D 9B 9A 9A AB 81 97 AE 80 83 8F 94 89 99 97'
key = [int(token, 16) for token in key.split(' ')]
print(key)
# The XOR value starts at 0xff and decreases by one per position.
flag = ''.join(chr(key[pos] ^ (0xff - pos)) for pos in range(22))
print(flag)

a_pa_cha

通过find_crypt插件识别出是tea类加密;参考博客中逆向常用算法的介绍,其轮函数与tea类似但不完全相同,于是再对比xtea和xxtea,分析后确定是xxtea算法

image-20210212223228366

那没事了,直接解密即可。https://www.jianshu.com/p/4272e0805da3

#include <stdio.h>  
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

/*
 * XXTEA ("Corrected Block TEA") reference routine; the round function in the
 * binary matched the MX macro above, which is how it was identified.
 *
 *   v   : n 32-bit words, transformed in place
 *   n   : |n| is the word count; n > 1 encrypts, n < -1 decrypts, and
 *         -1 <= n <= 1 leaves v untouched (neither branch is taken)
 *   key : four 32-bit words (128-bit key)
 *
 * MX refers to the locals y, z, sum, p, e and the parameter key by name, so
 * these identifiers must stay exactly as they are.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) /* Coding Part */
    {
        rounds = 6 + 52/n;   /* fewer rounds for longer blocks */
        sum = 0;
        z = v[n-1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;   /* picks the key word MX uses this round: key[(p&3)^e] */
            for (p=0; p<n-1; p++)
            {
                y = v[p+1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n-1] += MX;   /* last word mixes with v[0] (wrap-around) */
        }
        while (--rounds);
    }
    else if (n < -1) /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52/n;
        sum = rounds*DELTA;   /* start at the final sum and run the rounds backwards */
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p=n-1; p>0; p--)
            {
                z = v[p-1];
                y = v[p] -= MX;
            }
            z = v[n-1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        while (--rounds);
    }
}

/*
 * Decrypts the 35-word ciphertext dumped from the binary with the recovered
 * key and prints the low byte of every word as a character.
 */
int main()
{
    /* Ciphertext dumped from the binary: 35 32-bit words. */
    uint32_t v[35] = {0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674, 0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD, 0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2, 0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D, 0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F, 0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA, 0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9};
    /* Key recovered from the binary: four 32-bit words (128 bits). */
    uint32_t const k[4] = {1, 2, 3, 4};
    /* |n| is the number of words in v; passing -n selects decryption. */
    int n = (int)(sizeof v / sizeof v[0]);
    btea(v, -n, k);
    /* Each decrypted word carries one character in its low byte. */
    for (int i = 0; i < n; i++)
        printf("%c", v[i]);
    return 0;
}

week2

ezApk

这道题是java层的加密,将输入的字符串进行加密,

加密函数的关键步骤为aes的cbc,key为’A_HIDDEN_KEY’的sha-256,iv为’A_HIDDEN_KEY’的md5,嘛。。基础题

image-20210211144621412

在对其进行aes加密后使用base64编码

image-20210211144206437

emm,然而只限制前16长度也行不通,好叭,下个IDEA跑一跑。

需要安装证书,见https://blog.csdn.net/dafeige8/article/details/76019911

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Base64;
//import

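/**
 * Solver for ezApk: re-implements the app's decrypt path on the desktop.
 *
 * The APK encrypts with AES/CBC/PKCS7 and Base64-encodes the result; the key
 * is SHA-256("A_HIDDEN_KEY") and the IV is MD5("A_HIDDEN_KEY"). Key and IV are
 * both fixed and derived from the same constant, so the scheme is fully
 * deterministic — which is exactly what lets it be reproduced here.
 */
public class decode {
    /** Guards against registering the BouncyCastle provider more than once. */
    private static boolean initialized = false;

    /** Decrypts the ciphertext captured from the app and prints the plaintext. */
    public static void main(String[] args) {
        System.out.println(Aes256Decode("EEB23sI1Wd9Gvhvk1sgWyQZhjilnYwCi5au1guzOaIg5dMAj9qPA7lnIyVoPSdRY".getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Decrypts Base64(AES-256/CBC/PKCS7(plaintext)) as produced by the app.
     *
     * @param bytes the Base64 text of the ciphertext, as UTF-8 bytes
     * @return the plaintext decoded as UTF-8, or {@code null} when the cipher
     *         step fails (e.g. bad padding); the exception goes to stderr
     * @throws IllegalArgumentException if {@code bytes} is not valid Base64
     */
    public static String Aes256Decode(byte[] bytes) {
        initialize();
        String result = null;
        String key_str = "A_HIDDEN_KEY";
        byte[] key = encrypt_with("SHA-256", key_str); // 32 bytes -> AES-256
        byte[] iv = encrypt_with("MD5", key_str);      // 16 bytes -> one AES block
        byte[] encrypt_bytes = Base64.getDecoder().decode(bytes);
        try {
            // The mode is CBC (not ECB). "PKCS7Padding" is not accepted by the
            // JDK's default provider under that name, hence BouncyCastle ("BC").
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] decoded = cipher.doFinal(encrypt_bytes);
            // Charset constant instead of the "UTF-8" name: no checked
            // UnsupportedEncodingException to fold into the catch below.
            result = new String(decoded, StandardCharsets.UTF_8);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return result;
    }

    /**
     * Hashes {@code arg3} (UTF-8) with the named digest. The name mirrors the
     * decompiled app, which is why a hash helper is called "encrypt".
     *
     * @param arg2 JCA digest name, e.g. "SHA-256" or "MD5"
     * @param arg3 text to hash
     * @return the digest, or an empty array if the algorithm is unknown
     */
    public static byte[] encrypt_with(String arg2, String arg3) {
        try {
            MessageDigest v2 = MessageDigest.getInstance(arg2);
            return v2.digest(arg3.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // Only the lookup can fail; any other error now propagates instead
            // of silently becoming an empty (and later invalid) AES key.
            return "".getBytes(StandardCharsets.UTF_8);
        }
    }

    /** Registers BouncyCastle once so that provider "BC" resolves in getInstance. */
    public static void initialize() {
        if (initialized) return;
        Security.addProvider(new BouncyCastleProvider());
        initialized = true;
    }
}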

helloRe2

这题好像是多线程和共享内存,实际上不难,在字符串表可以看见bcrypt,是一种加密算法,首先看看password1

image-20210212112341975

将input读入后,先看长度是16,然后与4030F0做字节对比,4030F0是39383162303261336136653563306232,但是转成字节字符串后没法输入,先不管,(然而是我没转十六进制的问题),往下看新建了线程和获取共享内存啥的,还有反调。

image-20210212112547677

主要是这这里,对每一个字节异或了一下,也许之后password2会对共享内存里的这个数据进行读取,(线程间通信),那么回到头看看password2的验证,

image-20210212164518441

eax获取到了刚刚共享内存里的数据,放到了pbSecret里面,然后利用pbSecret生成key,iv是知道的,密文也是知道的,只要知道明文即可获取flag,所以唯一的疑惑只剩下key是多少,通过api的介绍,只是说明了可为给定的key创建一个密钥句柄,不妨认为这个key就是我们的pbSecret,那么试着写写程序

iv来自

image-20210212123137666

有两个encrypt函数,第一个作用如下,不用管也行。

image-20210212163542821

from Crypto.Cipher import AES

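# password1: the 16 bytes compared at 4030F0, dumped as a hex string.
a = '39383162303261336136653563306232'
b = [chr(value) for value in bytes.fromhex(a)]
# byte order: the dump is reversed before use (endianness)
print(''.join(reversed(b)))
# passwd1
passwd1 = ''.join(reversed(b))

# Per the analysis above, the thread XORs every byte of password1 with its
# index (byte 0 unchanged) and password2 uses that buffer as the AES key.
# Build it directly as bytes: going through str and .encode('utf8') would emit
# two bytes for any XOR result >= 0x80 and silently yield a key that is no
# longer 16 bytes (harmless for this input, whose bytes are all hex digits).
key = bytes(ord(ch) ^ idx for idx, ch in enumerate(passwd1[:16]))
print(key)
# IV used by the binary: the byte sequence 00 01 .. 0f.
iv = bytes(range(16))

# Ciphertext as dumped; reverse the byte order while keeping each hex pair intact.
secret_text = '7EF602D5625F4E3F65797607D9FEFEB7'
secret_text = ''.join(reversed([secret_text[pos:pos + 2] for pos in range(0, len(secret_text), 2)]))
print(secret_text)
secret_text = bytes.fromhex(secret_text)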
# CBC decryptor with the derived 16-byte key and the counting IV 00..0f.
aes = AES.new(key, AES.MODE_CBC, iv=iv)

def toStr(a):
    """Turn a hex string into the string of characters it spells.

    Every two hex digits become one chr(); a trailing odd digit is ignored.
    """
    chars = []
    for offset in range(0, len(a) // 2 * 2, 2):
        chars.append(chr(int(a[offset:offset + 2], 16)))
    return ''.join(chars)

# Decrypt, then render the plaintext bytes as characters via the hex helper.
plaintext = aes.decrypt(secret_text)
print(toStr(plaintext.hex()))

fake_debugger beta

挺简单的题不知道当时为啥没做出来。。。

image-20210218122739866

输入一段长度之后可以进入调试过程,对每位字符进行检验,第一步eax为当前位和ebx异或后的字母,ebx为参数,将a(97)和23异或之后为118,第二步即zf为1的时候,将eax与ebx比对,如果正确就进入下一步,所以第一步为127^23 = 104,即h,所以前面应当是hgame{,之后的进行爆破即可

image-20210218122829927

from pwn import *
import re

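# Start from the known prefix and pad with placeholders; each position is then
# corrected in turn from the two ebx values the "debugger" prints per step.
flag = 'hgame{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
while True:
    print(flag)
    p = remote('101.132.177.131', 9999)
    p.recvuntil('now!\n')
    p.sendline(flag)
    p.recvuntil('-----\n')
    i = 0
    # Bound check first: flag[i] would raise IndexError before the original
    # `or i == len(flag)` clause could ever be evaluated.
    while i < len(flag) and flag[i] != '}':
        print(flag[i])
        # Step once and read ebx, step again and read ebx; XOR-ing the two
        # values gives the byte the check expects at this position.
        p.sendline(' ')
        l = p.recvuntil('-----\n').decode('utf8')
        m1 = re.search(r'ebx: (.+?)\n', l).groups()[0]
        p.sendline(' ')
        l = p.recvuntil('-----\n').decode('utf8')
        m2 = re.search(r'ebx: (.+?)\n', l).groups()[0]
        expected = int(m1) ^ int(m2)
        if expected == ord(flag[i]):
            i += 1
        else:
            # Wrong guess: patch this position and restart with a fresh connection.
            flag = flag[:i] + chr(expected) + flag[i + 1:]
            break
    p.close()
    # Done when the closing brace is reached, or when every position has been
    # confirmed (otherwise the loop would reconnect forever).
    if i >= len(flag) or flag[i] == '}':
        print(flag)
        break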

# hgame{You_Kn0w_debuGg3r}aaaaaaaaaaaaaaaaaaaaaaaaaaa

week3

FAKE

一看就是z3题,首先将输入从rbp-40h放到了rbp-D0h,让每位有4字节的宽度image-20210218170644925

不得不吐槽一下7.0和7.5的反编译,天上和地下了

image-20210218170611189

image-20210218170604535

解方程解出来后是FAKE_flag,仔细看函数发现这个函数存在一个异或过程,将比较代码即sub_401216替换了,但是在调试状态不会进入这个函数,所以把调试过程hook掉

image-20210219212951671

然后看到401216的代码不太好看,于是用idc脚本patch掉再重新打开静态分析,保存为.idc文件然后运行即可。

#include <idc.idc>

// Apply the self-modifying XOR statically: the real comparison routine at
// 0x401216 is stored XOR-ed with the byte table at 0x409080, and per the
// analysis the binary only decodes it at run time when not being debugged.
// Patching the bytes in the database makes the routine readable offline.
static main() {
    auto table = 0x409080;   // XOR table the binary applies to the code
    auto target = 0x401216;  // start of the encoded sub_401216
    auto len = 0x43f;        // bytes covered: offsets 0 .. 0x43e inclusive
    auto off = 0;
    while (off < len) {
        PatchByte(target + off, Byte(target + off) ^ Byte(table + off));
        off++;
    }
}

在file->script file中运行后,在edit->patch program->apply patchs to input file

重新打开后发现加密函数变成

/*
 * Decoded (post-patch) check routine, as decompiled. `input` points at 36
 * 32-bit ints: the flag characters widened to 4 bytes each (the rbp-40h ->
 * rbp-D0h copy noted above). Treating input, v2 and v3 as row-major 6x6
 * matrices it computes v4 = input * v2 and returns 1 iff v4 == v3, else 0.
 * The v2 coefficients spell the decoy "hgame{@_FAKE_flag!-do_Y0u_know_SMC?}".
 */
_int64 __fastcall sub_401216(__int64 input)
{
    int v2[36]; // [rsp+8h] [rbp-1D0h]  coefficient matrix (decoy string)
    int v3[36]; // [rsp+98h] [rbp-140h] expected product
    int v4[38]; // [rsp+128h] [rbp-B0h] BYREF  accumulator for input * v2
    int m; // [rsp+1C0h] [rbp-18h]
    int l; // [rsp+1C4h] [rbp-14h]
    int k; // [rsp+1C8h] [rbp-10h]
    int j; // [rsp+1CCh] [rbp-Ch]
    int i; // [rsp+1D0h] [rbp-8h]
    unsigned int v10; // [rsp+1D4h] [rbp-4h]  result flag

    memset(v4, 0, 0x90uLL); /* 36 * 4 bytes */
    v3[0] = 55030;
    v3[1] = 61095;
    v3[2] = 60151;
    v3[3] = 57247;
    v3[4] = 56780;
    v3[5] = 55726;
    v3[6] = 46642;
    v3[7] = 52931;
    v3[8] = 53580;
    v3[9] = 50437;
    v3[10] = 50062;
    v3[11] = 44186;
    v3[12] = 44909;
    v3[13] = 46490;
    v3[14] = 46024;
    v3[15] = 44347;
    v3[16] = 43850;
    v3[17] = 44368;
    v3[18] = 54990;
    v3[19] = 61884;
    v3[20] = 61202;
    v3[21] = 58139;
    v3[22] = 57730;
    v3[23] = 54964;
    v3[24] = 48849;
    v3[25] = 51026;
    v3[26] = 49629;
    v3[27] = 48219;
    v3[28] = 47904;
    v3[29] = 50823;
    v3[30] = 46596;
    v3[31] = 50517;
    v3[32] = 48421;
    v3[33] = 46143;
    v3[34] = 46102;
    v3[35] = 46744;
    v2[0] = 104;
    v2[1] = 103;
    v2[2] = 97;
    v2[3] = 109;
    v2[4] = 101;
    v2[5] = 123;
    v2[6] = 64;
    v2[7] = 95;
    v2[8] = 70;
    v2[9] = 65;
    v2[10] = 75;
    v2[11] = 69;
    v2[12] = 95;
    v2[13] = 102;
    v2[14] = 108;
    v2[15] = 97;
    v2[16] = 103;
    v2[17] = 33;
    v2[18] = 45;
    v2[19] = 100;
    v2[20] = 111;
    v2[21] = 95;
    v2[22] = 89;
    v2[23] = 48;
    v2[24] = 117;
    v2[25] = 95;
    v2[26] = 107;
    v2[27] = 111;
    v2[28] = 110;
    v2[29] = 119;
    v2[30] = 95;
    v2[31] = 83;
    v2[32] = 77;
    v2[33] = 67;
    v2[34] = 63;
    v2[35] = 125;
    v10 = 1;
    /* v4[i][j] = sum over k of input[i][k] * v2[k][j]  (row-major 6x6 product) */
    for ( i = 0; i <= 5; ++i )
    {
        for ( j = 0; j <= 5; ++j )
        {
            for ( k = 0; k <= 5; ++k )
                v4[6 * i + j] += v2[6 * k + j] * *(_DWORD *)(4LL * (6 * i + k) + input);
        }
    }
    /* Any mismatch clears the result; no early exit. */
    for ( l = 0; l <= 5; ++l )
    {
        for ( m = 0; m <= 5; ++m )
        {
            if ( v4[6 * l + m] != v3[6 * l + m] )
                v10 = 0;
        }
    }
    return v10;
}

整理后发现,就是一个矩阵乘法

image-20210220170944394

所以flag * v2 = v3,flag就是 v3 * v2.I

from z3 import *
import numpy as np
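# Matrices recovered from the patched sub_401216. v2 holds the decoy string
# "hgame{@_FAKE_flag!-do_Y0u_know_SMC?}" as a 6x6 coefficient matrix and v3 is
# the expected product: the check is (flag as 6x6) @ v2 == v3.
v2 = [
    104, 103, 97, 109, 101, 123,
    64, 95, 70, 65, 75, 69,
    95, 102, 108, 97, 103, 33,
    45, 100, 111, 95, 89, 48,
    117, 95, 107, 111, 110, 119,
    95, 83, 77, 67, 63, 125,
]
v3 = [
    55030, 61095, 60151, 57247, 56780, 55726,
    46642, 52931, 53580, 50437, 50062, 44186,
    44909, 46490, 46024, 44347, 43850, 44368,
    54990, 61884, 61202, 58139, 57730, 54964,
    48849, 51026, 49629, 48219, 47904, 50823,
    46596, 50517, 48421, 46143, 46102, 46744,
]

v2, v3 = np.array(v2).reshape(6, 6), np.array(v3).reshape(6, 6)
# Solve flag @ v2 = v3 without forming the inverse: transposing gives
# v2.T @ flag.T = v3.T, which np.linalg.solve handles directly (numerically
# better than matmul with inv; for these values both round to the same chars).
flag = np.linalg.solve(v2.T, v3.T).T
# Flatten row-major and round: the solution is float, so int() would truncate
# 103.999... to 103 — round() is required, not optional.
flag = ''.join(chr(round(x)) for x in flag.ravel().tolist())
print(flag)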
# hgame{E@sy_Se1f-Modifying_C0oodee33}

就是得注意不能用int而要用round

或者使用高斯消元

# Augmented 36x37 system [A | b]: one row per equation, last column the constant.
datanum = [[0 for _ in range(37)] for _ in range(36)]
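def gauss(a):
    """Reduce the augmented matrix *a* to reduced row-echelon form in place.

    *a* is a list of rows ``[coeff_0, ..., coeff_{n-1}, rhs]`` with as many
    rows as unknowns. On return row i reads ``[0, .., 1, .., 0, x_i]``, so
    ``a[i][-1]`` is the value of unknown i. The list is mutated (rows are
    swapped and overwritten) and the same list is returned.

    Pivoting: the original swapped rows only when the diagonal entry was
    exactly 0; choosing the largest |entry| in the column (partial pivoting)
    also avoids dividing by a tiny float and keeps the result stable.

    Raises:
        ZeroDivisionError: if the system is singular (no usable pivot).
    """
    n = len(a)
    for i in range(n):
        # Partial pivoting: move the largest |entry| of column i into row i.
        pivot_row = max(range(i, n), key=lambda r: abs(a[r][i]))
        if pivot_row != i:
            a[i], a[pivot_row] = a[pivot_row], a[i]
        pivot = a[i][i]
        # Normalise the pivot row so the pivot becomes 1.
        for j in range(i, len(a[i])):
            a[i][j] = a[i][j] / pivot
        # Eliminate column i from every other row.
        for j in range(n):
            if j != i:
                factor = a[j][i]
                for k in range(len(a[i]) - 1, i - 1, -1):
                    a[j][k] = a[j][k] - factor * a[i][k]
    return a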
# Coefficient matrix from sub_401216 (row-major 6x6; it spells the decoy flag).
v2 = [
    104, 103, 97, 109, 101, 123,
    64, 95, 70, 65, 75, 69,
    95, 102, 108, 97, 103, 33,
    45, 100, 111, 95, 89, 48,
    117, 95, 107, 111, 110, 119,
    95, 83, 77, 67, 63, 125,
]
# Expected product from sub_401216 (row-major 6x6).
v3 = [
    55030, 61095, 60151, 57247, 56780, 55726,
    46642, 52931, 53580, 50437, 50062, 44186,
    44909, 46490, 46024, 44347, 43850, 44368,
    54990, 61884, 61202, 58139, 57730, 54964,
    48849, 51026, 49629, 48219, 47904, 50823,
    46596, 50517, 48421, 46143, 46102, 46744,
]
# Row 6*i+j of the system is  sum_k v2[6*k+j] * x[6*i+k] = v3[6*i+j],
# i.e. (x as 6x6) @ (v2 as 6x6) == (v3 as 6x6), matching the binary's loops.
for row in range(36):
    blk, j = divmod(row, 6)
    for k in range(6):
        datanum[row][6 * blk + k] = v2[6 * k + j]
    datanum[row][36] = v3[row]
res = gauss(datanum)
# Last column of each reduced row is one unknown; round, never truncate.
print(''.join(chr(round(row[36])) for row in res), end='')

gun

这道题使用了梆梆壳加密,用frida-dexdump脱壳后,发现是使用okhttp进行了证书固定(pinning)的加密传输,所以charles无法解密,找了些资料,发现可以用frida绕过pinning

https://xz.aliyun.com/t/6102

https://portswigger.net/support/configuring-an-android-device-to-work-with-burp

嗯,跑是跑起来了,但是没看到数据传输。。。准备看wp吧。

自闭。其中mainactivity开了个线程跑这个。

package com.ryen.gun;

import aj;
import ak;
import al;
import am;
import an;
import ao;
import bj;
import bk;
import bl;
import bm;
import bn;
import bo;
import cj;
import ck;
import cl;
import cm;
import cn;
import co;
import dj;
import dk;
import dl;
import dm;
import dn;
import do;
import ej;
import ek;
import el;
import em;
import en;
import eo;
import fj;
import fk;
import fl;
import fm;
import fn;
import fo;
import gj;
import gk;
import gl;
import gm;
import gn;
import go;
import hj;
import hk;
import hl;
import hm;
import hn;
import ho;
import ij;
import ik;
import il;
import im;
import in;
import io;
import jj;
import jk;
import jl;
import jm;
import jn;
import jo;
import kj;
import kk;
import kl;
import km;
import kn;
import ko;
import lj;
import lk;
import ll;
import lm;
import ln;
import mj;
import mk;
import ml;
import mm;
import mn;
import nj;
import nk;
import nl;
import nm;
import nn;
import oj;
import ok;
import ol;
import om;
import on;
import pi;
import pj;
import pk;
import pl;
import pm;
import pn;
import qi;
import qj;
import qk;
import ql;
import qm;
import qn;
import ri;
import rj;
import rk;
import rl;
import rm;
import rn;
import si;
import sj;
import sk;
import sl;
import sm;
import sn;
import ti;
import tj;
import tk;
import tl;
import tm;
import tn;
import ui;
import uj;
import uk;
import ul;
import um;
import un;
import vi;
import vj;
import vk;
import vl;
import vm;
import vn;
import wi;
import wj;
import wk;
import wl;
import wm;
import wn;
import xi;
import xj;
import xk;
import xl;
import xm;
import xn;
import yi;
import yj;
import yk;
import yl;
import ym;
import yn;
import zi;
import zj;
import zk;
import zl;
import zm;
import zn;

// Decompiler output: `MainActivity.a` is the decompiler's rendering of the
// inner class MainActivity$a and is not valid Java as written.
// run() drives 152 obfuscated classes in a fixed order. Each is invoked with
// .run(), not .start(), so even where the class extends Thread (as `um` below
// does) its body executes sequentially on the calling thread. This order is
// the one the solver script further down replays.
public final class MainActivity.a implements Runnable {
    // Singleton instance created in the static initializer.
    public static final MainActivity.a a;

    public static {
        MainActivity.a.a = new MainActivity.a();
    }

    @Override
    public final void run() {
        try {
            new ol().run();
            new jm().run();
            new fn().run();
            new aj().run();
            new xl().run();
            new yn().run();
            new qm().run();
            new ao().run();
            new vn().run();
            new wm().run();
            new wj().run();
            new xn().run();
            new jk().run();
            new nl().run();
            new co().run();
            new um().run();
            new nn().run();
            new ll().run();
            new ul().run();
            new uj().run();
            new ln().run();
            new el().run();
            new vk().run();
            new hj().run();
            new cl().run();
            new ti().run();
            new cn().run();
            new kk().run();
            new tl().run();
            new go().run();
            new pm().run();
            new wi().run();
            new fm().run();
            new uk().run();
            new bl().run();
            new rk().run();
            new bo().run();
            new lk().run();
            new bj().run();
            new rl().run();
            new il().run();
            new ko().run();
            new yi().run();
            new pk().run();
            new gm().run();
            new dn().run();
            new km().run();
            new sm().run();
            new yk().run();
            new on().run();
            new al().run();
            new qk().run();
            new hl().run();
            new pj().run();
            new pi().run();
            new qi().run();
            new qj().run();
            new sj().run();
            new yj().run();
            new kl().run();
            new vi().run();
            new gj().run();
            new nk().run();
            new ej().run();
            new vl().run();
            new nm().run();
            new bm().run();
            new ri().run();
            new dl().run();
            new kn().run();
            new mn().run();
            new sn().run();
            new ok().run();
            new gl().run();
            new eo().run();
            new do().run();
            new xj().run();
            new zj().run();
            new fl().run();
            new dk().run();
            new fj().run();
            new im().run();
            new zk().run();
            new hm().run();
            new xm().run();
            new vm().run();
            new ij().run();
            new fo().run();
            new oj().run();
            new em().run();
            new kj().run();
            new zi().run();
            new zm().run();
            new rj().run();
            new ho().run();
            new ek().run();
            new dm().run();
            new un().run();
            new tj().run();
            new xi().run();
            new qn().run();
            new ml().run();
            new cj().run();
            new wn().run();
            new zn().run();
            new bk().run();
            new in().run();
            new jl().run();
            new hk().run();
            new jn().run();
            new an().run();
            new vj().run();
            new tm().run();
            new xk().run();
            new sl().run();
            new bn().run();
            new nj().run();
            new gn().run();
            new wk().run();
            new am().run();
            new hn().run();
            new ik().run();
            new mj().run();
            new zl().run();
            new sk().run();
            new mm().run();
            new om().run();
            new rm().run();
            new gk().run();
            new rn().run();
            new io().run();
            new tk().run();
            new en().run();
            new jo().run();
            new pn().run();
            new ym().run();
            new lj().run();
            new dj().run();
            new ql().run();
            new ck().run();
            new cm().run();
            new tn().run();
            new yl().run();
            new jj().run();
            new fk().run();
            new lm().run();
            new wl().run();
            new pl().run();
            new ak().run();
            new si().run();
            new ui().run();
            new mk().run();
        }
        catch(Exception v0) {
            // A failure in any one step aborts all remaining steps.
            v0.printStackTrace();
        }
    }
}


然后随便取一个

import java.util.ArrayList;

// One of the 152 obfuscated steps (decompiled). It posts a one-character
// "bullet" field to https://hgame.vidar.club through an OkHttp client with
// certificate pinning installed — which is why a plain proxy cannot read the
// traffic. The third argument of fd.h(...) ("q" here) is the character this
// step contributes; the solver script's regex captures exactly that argument.
public final class um extends Thread {
    @Override
    public void run() {
        ArrayList v0 = new ArrayList();
        // Form field names/values: bullet=<one character>, q=<value>.
        ArrayList v14 = fd.h("bullet", "name", "q", "value");
        b v13 = jr.k;
        v0.add(b.a(v13, "bullet", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91));
        fr v0_1 = fd.j(v14, b.a(v13, "q", 0, 0, " \"\':;<=>@[]^`{}|/\\?#&!$(),~", false, false, true, false, null, 91), v0, v14);
        // Pin set for hgame.vidar.club: OkHttp-style "sha256/" pins; two distinct
        // values, the second one added twice.
        a v1 = new a();
        v1.a("hgame.vidar.club", new String[]{"sha256/ocfaPpOi8wBS01tMzoT6f+q+zF7ufbbxSe2wQUcpqXY="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        v1.a("hgame.vidar.club", new String[]{"sha256/GI75anSEdkuHj05mreE0Sd9jE6dVqUIzzXRHHlZBVbI="});
        rq v1_1 = v1.b();
        // Install the pinner into the client builder (field "certificatePinner").
        mr.a v2 = fd.c(v1_1, "certificatePinner");
        mp.a(v1_1, v2.q);
        v2.q = v1_1;
        // Build and execute the request; per the analysis the 0x8C9BL literal is
        // the per-step delay that fixes this character's position in the message.
        ((ks)fd.i("https://hgame.vidar.club", v0_1, 0x8C9BL, new mr(v2))).d();
    }
}


bullet传递了一个字符,下面的fd.i是等候时间,所以读取全部的然后按时间排序即可得到答案

from typing import *
import re
import os
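# Order in which MainActivity.a's run() invokes the steps (one class per
# character). Every step that talks to hgame.vidar.club sends a one-character
# "bullet" after a fixed delay, so sorting by that delay recovers the message.
order = 'ol jm fn aj xl yn qm ao vn wm wj xn jk nl co um nn ll ul uj ln el vk hj cl ti cn kk tl go pm wi fm uk bl rk bo lk bj rl il ko yi pk gm dn km sm yk on al qk hl pj pi qi qj sj yj kl vi gj nk ej vl nm bm ri dl kn mn sn ok gl eo do xj zj fl dk fj im zk hm xm vm ij fo oj em kj zi zm rj ho ek dm un tj xi qn ml cj wn zn bk in jl hk jn an vj tm xk sl bn nj gn wk am hn ik mj zl sk mm om rm gk rn io tk en jo pn ym lj dj ql ck cm tn yl jj fk lm wl pl ak si ui mk'.split(' ')

dic = {}
for i in order:
    url = os.path.join('/Users/zrzz/Downloads/com.ryen.gun', i + '.java')
    # Decompiler output is ASCII/UTF-8; pin the encoding so the parse does not
    # depend on the platform default.
    with open(url, 'r', encoding='utf-8') as f:
        content = f.read()
    if "hgame.vidar.club" not in content:
        continue
    # The third argument of fd.h(...) is the character this step contributes.
    a = re.search(r'fd\.h\(\"bullet\", \"name\", \"(.)\", \"value\"\);', content).groups()[0]
    # The long literal passed to fd.i is the delay; the decompiler emits it in
    # hex or decimal depending on the value.
    time = re.search(r'v0_1, (.+?)L, new mr', content).groups()[0]
    time = int(time, 16) if '0x' in time else int(time)
    # Two steps sharing a delay would otherwise silently overwrite each other
    # and drop a character from the result.
    if time in dic:
        raise ValueError('duplicate delay %d in %s.java' % (time, i))
    dic[time] = a
dic = sorted(dic.items(), key=lambda x: x[0])
flag = [ch for _, ch in dic]
print(''.join(flag))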
# tsmyq{dQh3x_y3_nk_z4F1h3_0d_zi7I0dw}

得到的显然是凯撒加密,key=12解密得到答案hgame{rEv3l_m3_by_n4T1v3_0r_nw7W0rk}

helloRe3

根据input字符串找到函数,将0x1400c8c3e的call … pop rax进行nop,再转换成伪代码,发现18行就是加密函数。

image-20210222162640368进到里面发现是rc4加密(%256,swap)

image-20210222162815676

啊。。找不到key