首页 > 其他分享 >【Android 逆向】【攻防世界】人民的名义-抓捕赵德汉1-200

【Android 逆向】【攻防世界】人民的名义-抓捕赵德汉1-200

时间:2023-03-17 12:55:06浏览次数:40  
标签:200 System len 赵德汉 new import byte password Android

1. 这一题下载下来是个jar文件,感觉很android关系不大,但还是放在了mobile这个分类下了

2. 直接java jar运行,提示需要输入密码

# java -jar 169e139f152e45d5ae634223fe53e6be.jar 
Enter password:
1234
Incorrect password
Enter password:

3. jadx 打开jar文件

public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        CheckInterface checkerObject = loadCheckerObject();
        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
        while (true) {
            System.out.println("Enter password:");
            String line = stdin.readLine();
            if (checkerObject.checkPassword(line)) {
                System.out.println("Well done, that is the correct password");
                System.exit(0);
            } else {
                System.out.println("Incorrect password");
            }
        }
    }

    private static CheckInterface loadCheckerObject() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, ClassFormatError, InstantiationException, IllegalAccessException {
        CheckPassword mycl = new CheckPassword();
        InputStream in = CheckPassword.class.getClass().getResourceAsStream("/ClassEnc");
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        byte[] bytes = new byte[512];
        while (true) {
            int len = in.read(bytes);
            if (len > -1) {
                bout.write(bytes, 0, len);
            } else {
                byte[] myClassBytesEnc = bout.toByteArray();
                in.close();
                SecretKeySpec secretKeySpec = new SecretKeySpec(hexStringToByteArray(hexKey), "AES");
                Cipher decAEScipher = Cipher.getInstance("AES");
                decAEScipher.init(2, secretKeySpec);
                byte[] myClassBytes = decAEScipher.doFinal(myClassBytesEnc);
                CheckInterface passCheckObject = (CheckInterface) mycl.defineClass(null, myClassBytes, 0, myClassBytes.length).newInstance();
                return passCheckObject;
            }
        }
    }

从这里可以看出,checkerObject 对象是通过classloader加载外部文件来获得的,外部文件还需要通过AES进行解密,那么我们只需要获得这个解密后的文件,就可以查看他的逻辑了

4 将代码复制出来,放到IDEA里运行



import java.io.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

/* renamed from: CheckPassword  reason: default package */
/* loaded from: 169e139f152e45d5ae634223fe53e6be.jar:CheckPassword.class */
public class CheckPassword extends ClassLoader {

    static String hexKey = "bb27630cf264f8567d185008c10c3f96";

    public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        CheckInterface checkerObject = loadCheckerObject();
        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
        while (true) {
            System.out.println("Enter password:");
            String line = stdin.readLine();
            if (checkerObject.checkPassword(line)) {
                System.out.println("Well done, that is the correct password");
                System.exit(0);
            } else {
                System.out.println("Incorrect password");
            }
        }
    }

    private static CheckInterface loadCheckerObject() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, ClassFormatError, InstantiationException, IllegalAccessException {
        CheckPassword mycl = new CheckPassword();
        InputStream in = CheckPassword.class.getClass().getResourceAsStream("/ClassEnc");
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        byte[] bytes = new byte[512];
        while (true) {
            int len = in.read(bytes);
            if (len > -1) {
                bout.write(bytes, 0, len);
            } else {
                byte[] myClassBytesEnc = bout.toByteArray();
                in.close();
                SecretKeySpec secretKeySpec = new SecretKeySpec(hexStringToByteArray(hexKey), "AES");
                Cipher decAEScipher = Cipher.getInstance("AES");
                decAEScipher.init(2, secretKeySpec);
                byte[] myClassBytes = decAEScipher.doFinal(myClassBytesEnc);
                writeToFile(myClassBytes);
                CheckInterface passCheckObject = (CheckInterface) mycl.defineClass(null, myClassBytes, 0, myClassBytes.length).newInstance();
                return passCheckObject;
            }
        }
    }

    private static void writeToFile(byte[] bytes) throws IOException {
        Files.write(Paths.get("./file.class"), bytes);
    }

    private static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }
}

直接得到file.class, 使用IDEA打开会自动反编译成源代码,获得了MD5后的字符串fa3733c647dca53a66cf8df953c2d539
md5解密工具 https://www.cmd5.com/ 中查询得到flag monkey99

标签:200,System,len,赵德汉,new,import,byte,password,Android
From: https://www.cnblogs.com/gradyblog/p/17226252.html

相关文章

  • 【Android 逆向】【攻防世界】APK逆向
    1.apk安装到手机,提示输入flag2.jadx打开apk定位到checkSN方法publicbooleancheckSN(StringuserName,Stringsn){if(userName!=null){try{......
  • Android轻量级数据SparseArray详解
    SparseArray是Android中特有的数据结构,他的几个重要的特点;以键值对形式进行存储,基于二分查找,因此查找的时间复杂度为0(LogN);.由于SparseArray中Key存储的是数组形式,......
  • Android Studio预览Markdown文件办法
     01、安装Markdown插件打开File>>Settings>>Plugins>>Marketplace菜单,输入Markdown搜索,点击Install安装。02、下载ChooseRuntime插件JetBrains插件市场......
  • android studio之常用基本控件的使用
    转自:(7条消息)androidstudio之常用基本控件的使用_androidstudio控件栏_PPYY3344的博客-CSDN博客在Android开发中,需要使用的控件很多,除了TextView、Button、EditText......
  • Android android:exported="true" 属性
    android:exported="true"是什么android:exported其实并不是Android12的新属性,在前面的版本也可以看见它。它是Android中的四大组件Activity,Service,Provider,Receiver四......
  • 【Android 逆向】【攻防世界】android2.0
    这是一道纯算法还原题1.apk安装到手机,提示输入flag,看来输入就是flag2.jadx打开apk查看this.button.setOnClickListener(newView.OnClickListener(){//fr......
  • Android代码静态检查(lint、Checkstyle、ktlint、Detekt)
    Android代码静态检查(lint、Checkstyle、ktlint、Detekt)在​​Android​​项目开发过程中,开发团队往往要花费大量的时间和精力发现并修改代码缺陷。静态代码分析工具能够在代......
  • 【Android 逆向】【攻防世界】基础android
    1.下载并安装apk,提示要输入密码2.apk拖入到jadx中看一下this.login.setOnClickListener(newView.OnClickListener(){//fromclass:com.example.test.ctf02.MainAc......
  • Android FBE
    参考文档:https://github.com/novelinux/android/wiki/Android-FBE前面两个章节来自上述链接,在此致以谢意!AndroidFBE简介名称:FBE,File-BasedEncryption,基于文件的加......
  • sqlserver2008 两种分页操作
    1.有唯一项字段(例如id)SELECTtop分页大小*FROM表名whereidnotin(selecttop(分页大小*(第几页-1))idfrom表名where搜索字段1='aaa'and搜索字段2='bbb'o......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99