【Android 逆向】【攻防世界】人民的名义-抓捕赵德汉1-200

android,逆向,攻防,世界,人民,名义,抓捕 · 浏览次数 : 35

小编点评

**1. 下载 jar 文件** 您可以从网上下载包含 Java 代码的 JAR 文件。请确保将文件保存为 `169e139f152e45d5ae634223fe53e6be.jar`。 **2. 解压 jar 文件** 您可以使用 Java 运行以下命令来解压 JAR 文件: ```bash jar -x 169e139f152e45d5ae634223fe53e6be.jar ``` **3. 运行代码** 解压缩后的目录中包含一个名为 `CheckPassword.class` 的 Java 类。您可以使用以下命令运行它: ```bash java -jar CheckPassword.class ``` **4. 进入程序** 程序将自动启动并允许您输入密码。正确的密码为 `1234`。 **5. 退出程序** 程序将自动退出当您输入了正确的密码后。

正文

1. 这一题下载下来是个jar文件,感觉很android关系不大,但还是放在了mobile这个分类下了

2. 直接java jar运行,提示需要输入密码

# java -jar 169e139f152e45d5ae634223fe53e6be.jar 
Enter password:
1234
Incorrect password
Enter password:

3. jadx 打开jar文件

public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        CheckInterface checkerObject = loadCheckerObject();
        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
        while (true) {
            System.out.println("Enter password:");
            String line = stdin.readLine();
            if (checkerObject.checkPassword(line)) {
                System.out.println("Well done, that is the correct password");
                System.exit(0);
            } else {
                System.out.println("Incorrect password");
            }
        }
    }

    private static CheckInterface loadCheckerObject() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, ClassFormatError, InstantiationException, IllegalAccessException {
        CheckPassword mycl = new CheckPassword();
        InputStream in = CheckPassword.class.getClass().getResourceAsStream("/ClassEnc");
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        byte[] bytes = new byte[512];
        while (true) {
            int len = in.read(bytes);
            if (len > -1) {
                bout.write(bytes, 0, len);
            } else {
                byte[] myClassBytesEnc = bout.toByteArray();
                in.close();
                SecretKeySpec secretKeySpec = new SecretKeySpec(hexStringToByteArray(hexKey), "AES");
                Cipher decAEScipher = Cipher.getInstance("AES");
                decAEScipher.init(2, secretKeySpec);
                byte[] myClassBytes = decAEScipher.doFinal(myClassBytesEnc);
                CheckInterface passCheckObject = (CheckInterface) mycl.defineClass(null, myClassBytes, 0, myClassBytes.length).newInstance();
                return passCheckObject;
            }
        }
    }

从这里可以看出,checkerObject 对象是通过classloader加载外部文件来获得的,外部文件还需要通过AES进行解密,那么我们只需要获得这个解密后的文件,就可以查看他的逻辑了

4 将代码复制出来,放到IDEA里运行



import java.io.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

/* renamed from: CheckPassword  reason: default package */
/* loaded from: 169e139f152e45d5ae634223fe53e6be.jar:CheckPassword.class */
public class CheckPassword extends ClassLoader {

    static String hexKey = "bb27630cf264f8567d185008c10c3f96";

    public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        CheckInterface checkerObject = loadCheckerObject();
        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
        while (true) {
            System.out.println("Enter password:");
            String line = stdin.readLine();
            if (checkerObject.checkPassword(line)) {
                System.out.println("Well done, that is the correct password");
                System.exit(0);
            } else {
                System.out.println("Incorrect password");
            }
        }
    }

    private static CheckInterface loadCheckerObject() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, ClassFormatError, InstantiationException, IllegalAccessException {
        CheckPassword mycl = new CheckPassword();
        InputStream in = CheckPassword.class.getClass().getResourceAsStream("/ClassEnc");
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        byte[] bytes = new byte[512];
        while (true) {
            int len = in.read(bytes);
            if (len > -1) {
                bout.write(bytes, 0, len);
            } else {
                byte[] myClassBytesEnc = bout.toByteArray();
                in.close();
                SecretKeySpec secretKeySpec = new SecretKeySpec(hexStringToByteArray(hexKey), "AES");
                Cipher decAEScipher = Cipher.getInstance("AES");
                decAEScipher.init(2, secretKeySpec);
                byte[] myClassBytes = decAEScipher.doFinal(myClassBytesEnc);
                writeToFile(myClassBytes);
                CheckInterface passCheckObject = (CheckInterface) mycl.defineClass(null, myClassBytes, 0, myClassBytes.length).newInstance();
                return passCheckObject;
            }
        }
    }

    private static void writeToFile(byte[] bytes) throws IOException {
        Files.write(Paths.get("./file.class"), bytes);
    }

    private static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }
}

直接得到file.class, 使用IDEA打开会自动反编译成源代码,获得了MD5后的字符串fa3733c647dca53a66cf8df953c2d539
md5解密工具 https://www.cmd5.com/ 中查询得到flag monkey99

与【Android 逆向】【攻防世界】人民的名义-抓捕赵德汉1-200相似的内容:

【Android 逆向】【攻防世界】人民的名义-抓捕赵德汉1-200

1. 这一题下载下来是个jar文件,感觉很android关系不大,但还是放在了mobile这个分类下了 2. 直接java jar运行,提示需要输入密码 # java -jar 169e139f152e45d5ae634223fe53e6be.jar Enter password: 1234 Inc

【Android 逆向】【攻防世界】基础android

1. 下载并安装apk,提示要输入密码 2. apk拖入到jadx中看一下 this.login.setOnClickListener(new View.OnClickListener() { // from class: com.example.test.ctf02.MainActivity.1

【Android 逆向】【攻防世界】android2.0

这是一道纯算法还原题 1. apk安装到手机,提示输入flag,看来输入就是flag 2. jadx 打开apk查看 this.button.setOnClickListener(new View.OnClickListener() { // from class: com.example.test

【Android 逆向】【攻防世界】APK逆向

1. apk安装到手机,提示输入flag 2. jadx打开apk 定位到checkSN方法 public boolean checkSN(String userName, String sn) { if (userName != null) { try { if (userName.length(

【Android 逆向】【攻防世界】ill-intentions

1. apk 安装到手机, 啥输入框都没有 2. apk拖入到jadx中看看 public class MainActivity extends Activity { @Override // android.app.Activity public void onCreate(Bundle save

【Android 逆向】【攻防世界】boomshakalaka-3

1. apk 安装到手机,是一个cocos2dx 写的打飞机的游戏 题目描述跟得分有关(题目描述: play the game, get the highest score) 2. jadx 打开apk public class FirstTest extends Cocos2dxActivity

【Android 逆向】【攻防世界】easy-apk

apk 安装到手机,随便输入点内容,提示错误 2. apk 拖入到jadx中看看 public class MainActivity extends AppCompatActivity { /* JADX INFO: Access modifiers changed from: protected

【Android 逆向】【攻防世界】app1

1. apk安装到手机, 老套路了 2. jadx打开 this.btn.setOnClickListener(new View.OnClickListener() { // from class: com.example.yaphetshan.tencentgreat.MainActivity.1

【Android 逆向】【攻防世界】app2

1. 手机安装apk,随便点击,进入到第二个页面就停了 2. jadx打开apk,发现一共有三个activity,其中第三个activity: FileDataActivity 里面有东西 public class FileDataActivity extends a { private TextV

【Android 逆向】【攻防世界】easy-so

1. apk安装到手机,随便输入点内容,提示错误 2. jadx打开apk btn.setOnClickListener(new View.OnClickListener() { // from class: com.testjava.jack.pingan2.MainActivity.1 @Ove