文章目錄

• • AreYouRich
  • • 分析
    • • 登錄
      • 驗(yàn)證token
      • 簡(jiǎn)單異或
    • 腳本
  • DesignEachStep
  • • 分析
    • 總結(jié)：

AreYouRich

分析

登錄

拿到這個(gè)題的時(shí)候，新手往往會(huì)把這里當(dāng)成重點(diǎn)：

比如說我。。。。老狗了。。。其實(shí)搞出用戶名和密碼啥用都沒有。。當(dāng)時(shí)一直就圍繞前面這個(gè)來思考。結(jié)果想斷篇了。這個(gè)類主要用處就是傳遞token，其它的啥用沒有

把這里找好

驗(yàn)證token

而驗(yàn)證token的話，最主要是兩個(gè)while循環(huán)（其中有個(gè)還是賦值操作。笑哭）

while(v9 < v6) {v11 = (v5[v10] & 0xFF) + (v7[v9] & 0xFF) + v11 & 0xFF;v12 = v7[v9];v7[v9] = v7[v11];v7[v11] = v12;v10 = (v10 + 1) % v5.length;++v9; while(v9 < v5_1) {v10 = v10 + 1 & 0xFF;v11 = (v7[v10] & 0xFF) + v11 & 0xFF;v12 = v7[v10];v7[v10] = v7[v11];v7[v11] = v12;if((((byte)(v7[(v7[v10] & 0xFF) + (v7[v11] & 0xFF) & 0xFF] ^ v3[v9]))) == v2[v9]) {v6 *= 2;}

這里的v3就是token，v2是已知的，v7也是已知的，都是正向，沒難度，只需要仔細(xì)看就行
找到token繼續(xù)傳下去，

簡(jiǎn)單異或

v5[v6] = ((byte)(v5[v6] ^ v10_1[v6]));

v5已知，v10_1是傳過來的token，最后得出v5就是flag，與其說考逆向，不如說考java。

腳本

v5=[15, 70, 3, 41, 1, 0x30, 35, 0x40, 58, 50, 0, 101, 100, 99, 11, 0x7B, 52, 8, 60, 0x77, 62, 0x73, 73, 17, 16] aa = b"5FQ5AaBGbqLGfYwjaRAuWGdDvyjbX5nH"; b=[81, -13, 84, -110, 72, 77, -96, 77, 0x20, -115, -75, -38, -97, 69, -64, 49, 8, -27, 56, 0x72, -68, -82, 76, -106, -34] v7=[0]*0x100 v6=0x100 for i in range(0x100):v7[i]=i v9 = 0 v10 = 0 v11 = 0 while v9<v6:v11=(aa[v10]&0xff)+(v7[v9] & 0xff)+v11 & 0xffv12=v7[v9]v7[v9]=v7[v11]v7[v11]=v12v10=(v10+1)%len(aa)v9=v9+1 a=min(len(b),len(v5)) v6 = 16 v9 = 0 v10 = 0 v11 = 0while v9 < a:v10 = v10 + 1 & 0xFFv11 = (v7[v10] & 0xFF) + v11 & 0xFFv12 = v7[v10]v7[v10] = v7[v11]v7[v11] = v12st=((v7[(v7[v10] & 0xFF) + (v7[v11] & 0xFF) & 0xFF] ^ b[v9])^v5[v9])v9=v9+1print(chr(st&0xff),end='')

y0u_h@V3_@_107_0f_m0n3y!!

DesignEachStep

分析

package com.test.designeachstep;import android.content.Context; import android.content.res.AssetManager; import android.graphics.BitmapFactory; import android.view.View$OnClickListener; import android.view.View; import android.widget.Toast; import b.b.a.a.a; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.DataInputStream; import java.io.IOException; import java.io.InputStream; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.zip.GZIPInputStream; import java.util.zip.Inflater; import javax.crypto.BadPaddingException; import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import net.jpountz.lz4.LZ4Factory; import net.jpountz.lz4.LZ4SafeDecompressor;public class MainActivity$a implements View$OnClickListener {public MainActivity$a(MainActivity arg1) {this.b = arg1;super();}public void onClick(View arg15) {Cipher v5_8; // v15是“DES”byte[] v8_1;byte[] v6_1;byte[] v4_1;String v15 = "DES";String v0 = this.b.o.getText().toString(); // 輸入值if(v0.length() != 24) { // 長(zhǎng)度必須為24Toast.makeText(this.b, "Nono, try again please", 0).show();return;}byte[] v0_1 = v0.getBytes(); // 輸入值轉(zhuǎn)為字節(jié)數(shù)組v0_1int v1 = 8;byte[] v2 = new byte[v1]; // new出一個(gè)8字節(jié)的數(shù)組AssetManager v4 = this.b.getAssets();try {DataInputStream v5 = new DataInputStream(v4.open("data.bin")); // 數(shù)據(jù)輸入流data.bin文件v4_1 = new byte[v5.available()];v5.readFully(v4_1); // v5讀取}catch(IOException v15_1) {Toast.makeText(this.b, "Get data error", 0).show();v15_1.printStackTrace();return;}System.arraycopy(v0_1, 0, v2, 0, v1); // 把輸入字符前八個(gè)放入v2中ByteArrayOutputStream v5_1 = new ByteArrayOutputStream(); // 數(shù)據(jù)輸出流ByteArrayInputStream v6 = new ByteArrayInputStream(v4_1); // data.bin文件字節(jié)輸入流int v4_2 = 2;byte[] v7 = null;try {GZIPInputStream v8 = new GZIPInputStream(((InputStream)v6)); // data.bin文件字節(jié)輸出流被加密v6_1 = new byte[0x100];while(true) {int v9 = v8.read(v6_1); // 每次從文件中讀取256字節(jié)的data.bin文件數(shù)據(jù) if(v9 < 0) {break;}v5_1.write(v6_1, 0, v9); // 然后寫到數(shù)據(jù)輸出流中}}catch(IOException ) {goto label_75;}byte[] v5_2 = v5_1.toByteArray(); // 數(shù)據(jù)流轉(zhuǎn)字節(jié)數(shù)組if(v5_2.length >= v1) { // 大于8字節(jié)v6_1 = new byte[v1];System.arraycopy(v5_2, 0, v6_1, 0, v1); // 把文件的字節(jié)數(shù)組放在開辟的8字節(jié)數(shù)組中v8_1 = new byte[v5_2.length - v1];System.arraycopy(v5_2, v1, v8_1, 0, v5_2.length - v1); // 把剩下文件的字節(jié)數(shù)組放在開辟的字節(jié)數(shù)組中if(!Arrays.equals(v6_1, v2)) { // 輸入的前八個(gè)字符等于data.bin文件中取出的前八個(gè)解密后字符goto label_75;}try {v5_8 = Cipher.getInstance(v15); // v15是“DES”v5_8.init(v4_2, a.j(v2)); // v4_2=2，把輸入的前八個(gè)字符扔進(jìn)去v5_2 = v5_8.doFinal(v8_1); // 把剩余字節(jié)數(shù)組進(jìn)行DES加密goto label_76;}catch(InvalidKeyException v5_3) {v5_3.printStackTrace();}catch(IllegalBlockSizeException v5_4) {v5_4.printStackTrace();}catch(BadPaddingException v5_5) {v5_5.printStackTrace();}catch(NoSuchPaddingException v5_6) {v5_6.printStackTrace();}catch(NoSuchAlgorithmException v5_7) {v5_7.printStackTrace();}}label_75:v5_2 = v7;label_76:if(v5_2 == null) {Toast.makeText(this.b, "The first step incorrect, try again please", 0).show();return;}System.arraycopy(v0_1, v1, v2, 0, v1); // 把輸入字符的8~15個(gè)字節(jié)放入字節(jié)數(shù)組v2中Inflater v6_2 = new Inflater();v6_2.setInput(v5_2); // data.bin后八字節(jié)經(jīng)過加密的數(shù)據(jù)ByteArrayOutputStream v8_2 = new ByteArrayOutputStream(v5_2.length);int v5_9 = 0x400;try {v5_2 = new byte[v5_9];while(!v6_2.finished()) {v8_2.write(v5_2, 0, v6_2.inflate(v5_2));}}catch(Throwable v15_2) {goto label_139;}catch(Exception v5_10) {goto label_141;}try {v8_2.close();}catch(IOException v5_11) {v5_11.printStackTrace();}v6_2.end();v5_2 = v8_2.toByteArray();if(v5_2.length < v1) { // v1=8goto label_146;}v6_1 = new byte[v1];System.arraycopy(v5_2, 0, v6_1, 0, v1); // v5_2前8個(gè)拷貝到v6_1中v8_1 = new byte[v5_2.length - v1];System.arraycopy(v5_2, v1, v8_1, 0, v5_2.length - v1); // v5_2后面全部字節(jié)拷貝到v5_2if(!Arrays.equals(v6_1, v2)) { // v2是輸入的8~15字節(jié)goto label_146;}try {v5_8 = Cipher.getInstance(v15);v5_8.init(v4_2, a.j(v2)); // 8~15字節(jié)進(jìn)行秘鑰初始化，v4_2=2v5_2 = v5_8.doFinal(v8_1); // 加密操作goto label_136;}catch(InvalidKeyException v5_3) {v5_3.printStackTrace();}catch(IllegalBlockSizeException v5_4) {v5_4.printStackTrace();}catch(BadPaddingException v5_5) {v5_5.printStackTrace();}catch(NoSuchPaddingException v5_6) {v5_6.printStackTrace();}catch(NoSuchAlgorithmException v5_7) {v5_7.printStackTrace();}v5_2 = v7;label_136: // 加密16~256數(shù)據(jù)進(jìn)行賦值byte[] v9_1 = v5_2; // 加密16~256數(shù)據(jù)進(jìn)行賦值goto label_147;try {label_141:v5_10.printStackTrace();}catch(Throwable v15_2) {goto label_139;}try {v8_2.close();}catch(IOException v5_11) {v5_11.printStackTrace();}label_146:v9_1 = v7;label_147:if(v9_1 == null) {Toast.makeText(this.b, "The first step has been taken, try again please", 0).show();return;}System.arraycopy(v0_1, 16, v2, 0, v1); // 把16~24字節(jié)數(shù)據(jù)放到v2數(shù)組中LZ4SafeDecompressor v8_3 = LZ4Factory.safeInstance().safeDecompressor();v0_1 = new byte[v9_1.length * 5]; // v9_1是加密數(shù)據(jù)v5_9 = v8_3.decompress(v9_1, 0, v9_1.length, v0_1, 0); // 把加密數(shù)據(jù)進(jìn)行l(wèi)z4進(jìn)行編碼放在數(shù)組v6_1中v6_1 = new byte[v5_9];System.arraycopy(v0_1, 0, v6_1, 0, v5_9); // 編碼數(shù)組拷貝到v6_1中if(v5_9 >= v1) {v0_1 = new byte[v1];System.arraycopy(v6_1, 0, v0_1, 0, v1); // 取出8個(gè)字節(jié)v5_9 -= v1;v8_1 = new byte[v5_9];System.arraycopy(v6_1, v1, v8_1, 0, v5_9); // 剩下的放在v8_1字節(jié)數(shù)組中if(!Arrays.equals(v0_1, v2)) { // 判斷是否相等goto label_196;}try {Cipher v15_8 = Cipher.getInstance(v15);v15_8.init(v4_2, a.j(v2)); // v2當(dāng)做keyv7 = v15_8.doFinal(v8_1); // 把剩下的進(jìn)行再次加密}catch(InvalidKeyException v15_3) {v15_3.printStackTrace();}catch(IllegalBlockSizeException v15_4) {v15_4.printStackTrace();}catch(BadPaddingException v15_5) {v15_5.printStackTrace();}catch(NoSuchPaddingException v15_6) {v15_6.printStackTrace();}catch(NoSuchAlgorithmException v15_7) {v15_7.printStackTrace();}}label_196:MainActivity v15_9 = this.b;if(v7 == null) {Toast.makeText(((Context)v15_9), "Almost succeeded, try again please", 0).show();return;}Toast.makeText(((Context)v15_9), "Each step is correct, Congs!", 0).show();this.b.p.setImageBitmap(BitmapFactory.decodeByteArray(v7, 0, v7.length)); // 進(jìn)行解碼顯示圖片return;label_139:try {v8_2.close();}catch(IOException v0_2) {v0_2.printStackTrace();}throw v15_2;} }

總結(jié)：

GZIP加密data.bin整個(gè)的文件數(shù)據(jù)1~8: 輸入的1~8等于data.bin文件經(jīng)過GZIP加密的數(shù)據(jù) v5_2=把data.bin文件8~256以輸入的1~8作為key經(jīng)過DES加密9~16: v5_2的前8個(gè)判斷是否等于輸入的9~16 v5_2后面16~256字節(jié)拷貝到v8_1 v5_2=把data.bin文件16~256以輸入的9~16作為key經(jīng)過DES加密17~24: data.bin文件16~256數(shù)據(jù)進(jìn)行LZ4編碼后放在v0_1 取出v0_1的前八個(gè)字節(jié)判斷是否和17~24相等 v7=把data.bin文件24~256以輸入的17~24作為key經(jīng)過DES加密

總結(jié)

以上是生活随笔為你收集整理的鹤城Re题目的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。