一.Babyre
程序入口处调用了一个check函数,但这个是假的检验
跟进去发现做了一些简单操作,尝试了几次但逆不出来,就到别的文件里看了看,结果发现还有一段解密
读取了enc文件,并且进行解密,替换classes.dex
将enc文件从apk中解压出来,然后解密
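package software;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

/**
 * Offline unpacker for the packed DEX described in this write-up.
 *
 * <p>Reads the {@code enc} file extracted from the APK, XORs every byte with a
 * fixed one-byte key, and writes the result as {@code classes.dex} so it can be
 * opened in a decompiler. A one-byte XOR only hides the payload from static
 * scanners; it provides no confidentiality once the key is read out of the
 * loader.
 *
 * <p>The {@code java.security} / {@code javax.crypto} imports are not used by
 * the XOR step; they are kept from the original listing and are still named in
 * the {@code throws} clause of {@link #main(String[])}.
 */
public class Activity {

    /** One-byte XOR key used by the write-up (52 decimal, 0x34). */
    private static final int XOR_KEY = 52;

    /** Default location of the packed file, as hard-coded in the original listing. */
    private static final String DEFAULT_INPUT = "C:\\Users\\Lenovo\\Desktop\\enc";

    /** Default directory that receives {@code classes.dex}. */
    private static final String DEFAULT_OUTPUT_DIR = "C:\\Users\\Lenovo\\Desktop";

    /** First four bytes of every DEX file: {@code "dex\n"}. */
    private static final byte[] DEX_MAGIC = {0x64, 0x65, 0x78, 0x0A};

    /**
     * Decodes the packed file and writes the recovered DEX.
     *
     * @param args optional overrides: {@code args[0]} is the packed input file,
     *     {@code args[1]} is the output file; with no arguments the original
     *     hard-coded desktop paths are used
     * @throws IOException declared for compatibility with the original signature;
     *     I/O failures are caught and reported inside the method
     */
    public static void main(String[] args)
            throws IOException, NoSuchAlgorithmException, NoSuchPaddingException,
                    InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        Path input = Paths.get(args.length > 0 ? args[0] : DEFAULT_INPUT);
        Path output =
                args.length > 1
                        ? Paths.get(args[1])
                        : Paths.get(
                                new File(DEFAULT_OUTPUT_DIR).getAbsolutePath()
                                        + File.separator
                                        + "classes.dex");
        try {
            // readAllBytes reads the whole file and closes it; the original sized its
            // buffer with available() and issued a single read(), which may return
            // fewer bytes than requested, and never closed the input stream.
            byte[] data = Files.readAllBytes(input);
            for (int i = 0; i < data.length; i++) {
                data[i] = (byte) (data[i] ^ XOR_KEY);
            }

            // Sanity check: a wrong key or a truncated input will not yield the DEX magic.
            if (!hasDexMagic(data)) {
                System.err.println(
                        "warning: decoded output does not start with the DEX magic; "
                                + "check the key and the input file");
            }

            // Creates the file if missing and truncates it otherwise, like the original.
            Files.write(output, data);
        } catch (IOException e) {
            // Same best-effort reporting as the original listing.
            e.printStackTrace();
        }
    }

    /** Returns true when {@code data} begins with the four-byte DEX magic. */
    private static boolean hasDexMagic(byte[] data) {
        if (data.length < DEX_MAGIC.length) {
            return false;
        }
        for (int i = 0; i < DEX_MAGIC.length; i++) {
            if (data[i] != DEX_MAGIC[i]) {
                return false;
            }
        }
        return true;
    }
}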
解密完发现是AES+base64加密,直接使用在线网站解密
二.Easyre
ida进入main函数,发现把输入分成了四部分,每部分进行相同的处理
跟进fun函数,发现是修改过的XTEA,改动了delta和sum的运算
找到key和data解密即可
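#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Decrypt one 64-bit block (two 32-bit words) in place with the XTEA-style
 * routine recovered from the challenge binary.
 *
 *   num_rounds  number of Feistel rounds to undo
 *   v           the block; v[0] and v[1] are overwritten with the plaintext
 *   key         128-bit key as four 32-bit words
 *
 * Note: 0x61C88647 == 2^32 - 0x9E3779B9, so "sum -= 0x61C88647" is
 * arithmetically the same as the textbook XTEA "sum += 0x9E3779B9"; this is
 * how decompilers commonly render the constant.
 */
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x61C88647;
    uint32_t v0 = v[0];
    uint32_t v1 = v[1];
    unsigned int i;

    /*
     * Start from the value sum holds after num_rounds encryption rounds.
     * The original listing always stepped 32 times here, which only matches
     * the loop below when num_rounds == 32. Arithmetic wraps modulo 2^32.
     */
    uint32_t sum = (uint32_t)(0u - delta * (uint32_t)num_rounds);

    for (i = 0; i < num_rounds; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum += delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }

    v[0] = v0;
    v[1] = v1;
}

/* Print a block, decrypt it in place, and print it again. */
static void decrypt_and_print(unsigned int rounds, uint32_t block[2], uint32_t const key[4]) {
    printf("解密前的数据:%" PRIx32 " %" PRIx32 "\n", block[0], block[1]);
    decipher(rounds, block, key);
    printf("解密后的数据:%" PRIx32 " %" PRIx32 "\n", block[0], block[1]);
}

int main() {
    /*
     * Ciphertext bytes as they appear in the binary; each group of four is
     * packed little-endian into one of the 32-bit words below.
     *   0x34,0x9b,0xb2,0xc0,0x6a,0xaf,0x30,0xef,
     *   0x38,0xb2,0xcc,0x98,0x95,0xf1,0xb6,0x85,
     *   0x85,0x6,0x48,0xa2,0x59,0x9b,0x3d,0xa6,
     *   0x1e,0xc7,0x91,0xf1,0x7b,0x76,0x90,0x67
     */
    uint32_t v[2] = {0xc0b29b34, 0xef30af6a};
    uint32_t v1[2] = {0x98ccb238, 0x85b6f195};
    uint32_t v2[2] = {0xa2480685, 0xa63d9b59};
    uint32_t v3[2] = {0xf191c71e, 0x6790767b};

    /* Key: four 32-bit unsigned words, i.e. 128 bits. */
    uint32_t const k[4] = {0x29, 0x4823, 0x18be, 0x6784};

    /* The recommended value for num_rounds is 32. */
    unsigned int r = 32;

    /* Each v* array is one data block: two 32-bit unsigned integers. */
    decrypt_and_print(r, v, k);
    decrypt_and_print(r, v1, k);
    decrypt_and_print(r, v2, k);
    decrypt_and_print(r, v3, k);

    /*
     * ASCII codes of the flag, hard-coded by the author. Presumably these were
     * transcribed from the decrypted words printed above; nothing in this
     * listing derives them from v..v3, so verify against that output.
     */
    uint32_t flag[32] = {0x39, 0x63, 0x33, 0x32, 0x30, 0x36, 0x61, 0x33,
                         0x39, 0x34, 0x32, 0x65, 0x30, 0x38, 0x33, 0x35,
                         0x64, 0x61, 0x62, 0x61, 0x61, 0x31, 0x38, 0x32,
                         0x31, 0x32, 0x38, 0x64, 0x36, 0x30, 0x62, 0x63};
    for (int i = 0; i < 32; i++) {
        putchar((int)flag[i]);
    }
    return 0;
}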