NEKO

Jarvis Reverse Engineering

2017/12/11

FindKey

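Link: https://pan.baidu.com/s/1nvDYbRb Password: xqm1
On Kali, the file command reports the file as python 2.7 byte-compiled,
i.e. a Python 2.7 compiled bytecode (.pyc) file. Decompile it at https://tool.lu/pyc/ to get the encryption script, then write a decryption script: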

lookup=[196,153,149,206,17,221,10,217,167,18,36,135,103,61,111,31,92,152,21,228,105,191,173,41,2,245,23,144,1,246,89,178,182,119,38,85,48,226,165,241,166,214,71,90,151,3,109,169,150,224,69,156,158,57,181,29,200,37,51,252,227,93,65,82,66,80,170,77,49,177,81,94,202,107,25,73,148,98,129,231,212,14,84,121,174,171,64,180,233,74,140,242,75,104,253,44,39,87,86,27,68,22,55,76,35,248,96,5,56,20,161,213,238,220,72,100,247,8,63,249,145,243,155,222,122,32,43,186,0,102,216,126,15,42,115,138,240,147,229,204,117,223,141,159,131,232,124,254,60,116,46,113,79,16,128,6,251,40,205,137,199,83,54,188,19,184,201,110,255,26,91,211,132,160,168,154,185,183,244,78,33,123,28,59,12,210,218,47,163,215,209,108,235,237,118,101,24,234,106,143,88,9,136,95,30,193,176,225,198,197,194,239,134,162,192,11,70,58,187,50,67,236,230,13,99,190,208,207,7,53,219,203,62,114,127,125,164,179,175,112,172,250,133,130,52,189,97,146,34,157,120,195,45,4,142,139]
pwda=[188,155,11,58,251,208,204,202,150,120,206,237,114,92,126,6,42]
pwdb=[53,222,230,35,67,248,226,216,17,209,32,2,181,200,171,60,108]

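# For each position: look up a byte, subtract the pwda value modulo 256,
# then reverse the assembled string to get the flag.
flag = ''
for i in range(17):
    flag = flag + chr((lookup[i + pwdb[i]] - pwda[i]) & 255)
print(flag[::-1])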
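
What file reports for this challenge comes from the .pyc header. The following added example (not part of the original post) parses that header to recover the interpreter version, timestamp and header size; the sample bytes are constructed for illustration and the magic-number table covers only some CPython releases.

```python
import struct

# First two header bytes (little-endian) for some CPython releases.
PYC_MAGIC = {
    62131: "2.5", 62161: "2.6", 62211: "2.7",
    3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9",
    3439: "3.10", 3495: "3.11", 3531: "3.12",
}


def parse_pyc_header(data):
    """Return (version, mtime, header_size) parsed from the start of a .pyc.

    mtime is None for hash-based .pyc files (3.7+), which carry no timestamp.
    """
    # Every CPython magic is a 16-bit number followed by "\r\n".
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a CPython .pyc header")
    magic = struct.unpack("<H", data[:2])[0]
    version = PYC_MAGIC.get(magic, "unknown (magic %d)" % magic)
    if magic >= 20000 or magic < 3200:
        size, mtime_off = 8, 4       # 1.x/2.x and 3.0-3.2: magic + mtime
    elif magic < 3390:
        size, mtime_off = 12, 4      # 3.3-3.6: magic + mtime + source size
    else:
        size, mtime_off = 16, 8      # 3.7+ releases: magic + flags + mtime + size
    if len(data) < size:
        raise ValueError("truncated .pyc header")
    # In the 16-byte layout, flag bit 0 marks a hash-based .pyc.
    hash_based = size == 16 and struct.unpack("<I", data[4:8])[0] & 1
    if hash_based:
        mtime = None
    else:
        mtime = struct.unpack("<I", data[mtime_off:mtime_off + 4])[0]
    return version, mtime, size


# Constructed sample: a Python 2.7 header followed by the start of the
# marshalled code object (type byte 'c').
SAMPLE_PY27 = b"\x03\xf3\r\n" + struct.pack("<I", 1512957674) + b"c\x00\x00\x00"

if __name__ == "__main__":
    print(parse_pyc_header(SAMPLE_PY27))
```

The returned header size is the offset at which the marshalled code object begins, which is what a decompiler needs to skip before loading the bytecode.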

Classical Crackme

Link: https://pan.baidu.com/s/1c1STsvm Password: aqdg
PEiD shows that it is a 32-bit C# program.

ILSpy.exe

Decompile the C# program with ILSpy.exe; the code below is found in it.
ILSpy.exe:
Link: https://pan.baidu.com/s/1jIzlhY2 Password: zv7d

private void ‬​‪‭‭‌‎‮‮‬‫‫‏‭‎‬‏‍‏‫‌‪‭‍‌‪‭‮(object obj, EventArgs eventArgs)
{
string s = this.‎‏‬‌​‭‭‏‫‌‭‫‌‭‏‮​‬‍‍‬‏‮‮‮.Text.ToString();
byte[] bytes = Encoding.Default.GetBytes(s);
string a = Convert.ToBase64String(bytes);
string b = "UENURntFYTV5X0RvX05ldF9DcjRjazNyfQ==";
if (a == b)
{
MessageBox.Show("注册成功!", "提示", MessageBoxButtons.OK);
}
else
{
MessageBox.Show("注册失败!", "提示", MessageBoxButtons.OK, MessageBoxIcon.Hand);
}
}

ida

Open it in IDA; the Base64 key can be found the same way.

Smali

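Link: https://pan.baidu.com/s/1crZPMY Password: vb8c
Smali2Java: Link: https://pan.baidu.com/s/1nuFdMS5 Password: o17w
If you can read smali, you can read the smali file directly. References: http://blog.csdn.net/chenrunhua/article/details/41250613
http://blog.csdn.net/qq_35078631/article/details/78222249#t7
Alternatively, use Smali2Java to decompile the smali file into a Java file.
The resulting Java code is (some variables had "" added around them, which I removed):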

/**
 * Generated by smali2java 1.0.0.558
 * Copyright (C) 2013 Hensence.com
 */

package net.bluelotus.tomorrow.easyandroid;

import android.util.Base64;
import java.io.PrintStream;
import java.security.NoSuchAlgorithmException;
import javax.crypto.NoSuchPaddingException;
import java.security.InvalidKeyException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.BadPaddingException;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.GeneralSecurityException;

public class Crackme {
    // Base64 of the AES key
    private String str2 = "cGhyYWNrICBjdGYgMjAxNg==";

    public Crackme() {
        // Base64 of the ciphertext
        GetFlag("sSNnx1UKbYrA1+MOrdtDTA==");
    }

    private String GetFlag(String p1) {
        // Flag value 0x0 is Base64.DEFAULT
        byte[] content = Base64.decode(p1.getBytes(), 0x0);
        String kk = new String(Base64.decode(str2.getBytes(), 0x0));
        System.out.println(decrypt(content, kk));
        return null;
    }

    private String decrypt(byte[] p1, String p2) {
        // Decompiler output: 0x0 here stands for a null reference
        String m = 0x0;
        try {
            byte[] keyStr = p2.getBytes();
            SecretKeySpec key = new SecretKeySpec(keyStr, "AES");
            Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
            // Mode 0x2 is Cipher.DECRYPT_MODE
            cipher.init(0x2, key);
            byte[] result = cipher.doFinal(p1);
            return m;
        } catch(NoSuchPaddingException e) {
            e.printStackTrace();
        }
        return m;
    }
}

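In other words, one string is Base64-decoded and used as the key, and AES in ECB mode is then applied with that key to the other Base64-decoded string.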

Java decryption script

import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Crackme {
    public static void main(String[] args) {
        String s1 = "sSNnx1UKbYrA1+MOrdtDTA==";  // ciphertext (Base64)
        String s2 = "cGhyYWNrICBjdGYgMjAxNg==";  // AES key (Base64)
        // java.util.Base64 is used here because sun.misc.BASE64Decoder
        // is not available in current JDKs.
        byte[] p1 = Base64.getDecoder().decode(s1);
        byte[] p2 = Base64.getDecoder().decode(s2);
        SecretKeySpec key = new SecretKeySpec(p2, "AES");
        try {
            Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
            // Same mode as the 0x2 passed to cipher.init in the decompiled code
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] result = cipher.doFinal(p1);
            for (byte i : result)
                System.out.print((char) i);
        } catch (Exception e) {
            System.out.println("error2");
        }
    }
}

Python decryption script

import base64
from Crypto.Cipher import AES

# Base64-decode the key and the ciphertext, then decrypt with AES-ECB
password = base64.b64decode('cGhyYWNrICBjdGYgMjAxNg==')
content = base64.b64decode('sSNnx1UKbYrA1+MOrdtDTA==')
handle = AES.new(password, AES.MODE_ECB)
print(handle.decrypt(content))

Original author: n3k0

Published: December 11th 2017, 10:01:14

Howl: I'm going to die without 魔夜2 to play
