當前位置：首頁 > 编程语言 > java >内容正文

java

BUUCTF 新年快乐内涵的软件 Java逆向解密刮开有奖

發布時間：2025/3/21 java 28 豆豆

生活随笔收集整理的這篇文章主要介紹了 BUUCTF 新年快乐内涵的软件 Java逆向解密刮开有奖小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

文章目錄

- 新年快樂
- 內涵的軟件
- Java逆向解密
- - 貼腳本：
- 刮開有獎
- - sub_4010F0((int)&v7, 0, 10);（加密函數）
  - sub_401000((int)&v26, strlen(&v26));
  - 核心

新年快樂

內涵的軟件

flag{49d3c93df25caad81232130f3d2ebfad}

Java逆向解密

import java.util.*;public class Reverse {public static void main(final String[] args) {final Scanner s = new Scanner(System.in);System.out.println("Please input the flag \uff1a");final String str = s.next();System.out.println("Your input is \uff1a");System.out.println(str);final char[] stringArr = str.toCharArray();Encrypt(stringArr);}public static void Encrypt(final char[] arr) {final ArrayList<Integer> Resultlist = new ArrayList<Integer>();for (int i = 0; i < arr.length; ++i) {final int result = arr[i] + '@' ^ 0x20;Resultlist.add(result);}final int[] KEY = { 180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65 };final ArrayList<Integer> KEYList = new ArrayList<Integer>();for (int j = 0; j < KEY.length; ++j) {KEYList.add(KEY[j]);}System.out.println("Result:");if (Resultlist.equals(KEYList)) {System.out.println("Congratulations\uff01");}else {System.err.println("Error\uff01");}} }

貼腳本：

public class REVERSE_JAVA {public static void main(String[] args) {final int[] KEY = { 180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65 };final ArrayList<Integer> Resultlist = new ArrayList<Integer>();for (int i = 0; i < KEY.length; ++i) {final int result = KEY[i] - '@' ^ 0x20;System.out.print((char)result);}} }

刮開有獎

sub_4010F0((int)&v7, 0, 10);（加密函數）

v7 = 90;v8 = 74;v9 = 83;v10 = 'E';v11 = 'C';v12 = 'a';v13 = 'N';v14 = 72;v15 = 51;v16 = 110;v17 = 103;sub_4010F0((int)&v7, 0, 10); int __cdecl sub_4010F0(int a1, int a2, int a3) {int result; // eaxint i; // esiint v5; // ecxint v6; // edxresult = a3;for ( i = a2; i <= a3; a2 = i ){v5 = 4 * i;v6 = *(_DWORD *)(4 * i + a1);if ( a2 < result && i < result ){do{if ( v6 > *(_DWORD *)(a1 + 4 * result) ){if ( i >= result )break;++i;*(_DWORD *)(v5 + a1) = *(_DWORD *)(a1 + 4 * result);if ( i >= result )break;while ( *(_DWORD *)(a1 + 4 * i) <= v6 ){if ( ++i >= result )goto LABEL_13;}if ( i >= result )break;v5 = 4 * i;*(_DWORD *)(a1 + 4 * result) = *(_DWORD *)(4 * i + a1);}--result;}while ( i < result );} LABEL_13:*(_DWORD *)(a1 + 4 * result) = v6;sub_4010F0(a1, a2, i - 1);result = a3;++i;}return result; }

照著加密函數寫一下，本來想動調的，結果下了斷點，鼠標和鍵盤都快搞炸了，這程序還是沒法進行交互式進行。。。。。

#include <stdio.h> #include <string.h> int sub_4010F0(char*a1, int a2, int a3) {int result; // eaxint i; // esiint v5; // ecxint v6; // edxresult = a3;for ( i = a2; i <= a3; a2 = i ){v5 = i;v6 = a1[i];if ( a2 < result && i < result ){do{if ( v6 > a1[result] ){if ( i >= result )break;++i;a1[v5]= a1[result];if ( i >= result )break;while ( a1[i] <= v6 ){if ( ++i >= result )goto LABEL_13;}if ( i >= result )break;v5 = i;a1[result] = a1[i];}--result;}while ( i < result );}LABEL_13:a1[result]= v6;sub_4010F0(a1, a2, i - 1);result = a3;++i;}return result; } int main() {char s[]="ZJSECaNH3ng";printf("%s",s\n);sub_4010F0(s,0,10);printf("%s",s);return 0; }

運行結果：

ZJSECaNH3ng 3CEHJNSZagn

sub_401000((int)&v26, strlen(&v26));

v4 = sub_401000((int)&v26, strlen(&v26));memset(&v26, 0, 0xFFFFu);v27 = v21;v26 = v20;v28 = v22;v5 = sub_401000((int)&v26, strlen(&v26)); _BYTE *__cdecl sub_401000(int a1, int a2) {int v2; // eaxint v3; // esisize_t v4; // ebx_BYTE *v5; // eax_BYTE *v6; // ediint v7; // eax_BYTE *v8; // ebxint v9; // edisigned int v10; // edxint v11; // edisigned int v12; // eaxsigned int v13; // esi_BYTE *result; // eax_BYTE *v15; // [esp+Ch] [ebp-10h]_BYTE *v16; // [esp+10h] [ebp-Ch]int v17; // [esp+14h] [ebp-8h]int v18; // [esp+18h] [ebp-4h]v2 = a2 / 3;v3 = 0;if ( a2 % 3 > 0 )++v2;v4 = 4 * v2 + 1;v5 = malloc(v4);v6 = v5;v15 = v5;if ( !v5 )exit(0);memset(v5, 0, v4);v7 = a2;v8 = v6;v16 = v6;if ( a2 > 0 ){while ( 1 ){v9 = 0;v10 = 0;v18 = 0;do{if ( v3 >= v7 )break;++v10;v9 = *(unsigned __int8 *)(v3++ + a1) | (v9 << 8);}while ( v10 < 3 );v11 = v9 << 8 * (3 - v10);v12 = 0;v17 = v3;v13 = 18;do{if ( v10 >= v12 ){*((_BYTE *)&v18 + v12) = (v11 >> v13) & 0x3F;v8 = v16;}else{*((_BYTE *)&v18 + v12) = 64;}*v8++ = byte_407830[*((char *)&v18 + v12)];v13 -= 6;++v12;v16 = v8;}while ( v13 > -6 );v3 = v17;if ( v17 >= a2 )break;v7 = a2;}v6 = v15;}result = v6;*v8 = 0;return result; }

找到一個數組：

*v8++ = byte_407830[*((char *)&v18 + v12)]; byte_407830 db 41h ; DATA XREF: sub_401000+C0↑r .rdata:00407831 db 42h ; B .rdata:00407832 db 43h ; C .rdata:00407833 db 44h ; D .rdata:00407834 db 45h ; E .rdata:00407835 db 46h ; F .rdata:00407836 db 47h ; G .rdata:00407837 db 48h ; H .rdata:00407838 db 49h ; I .rdata:00407839 db 4Ah ; J .rdata:0040783A db 4Bh ; K .rdata:0040783B db 4Ch ; L .rdata:0040783C db 4Dh ; M .rdata:0040783D db 4Eh ; N .rdata:0040783E db 4Fh ; O .rdata:0040783F db 50h ; P .rdata:00407840 db 51h ; Q .rdata:00407841 db 52h ; R .rdata:00407842 db 53h ; S .rdata:00407843 db 54h ; T .rdata:00407844 db 55h ; U .rdata:00407845 db 56h ; V .rdata:00407846 db 57h ; W .rdata:00407847 db 58h ; X .rdata:00407848 db 59h ; Y .rdata:00407849 db 5Ah ; Z .rdata:0040784A db 61h ; a .rdata:0040784B db 62h ; b .rdata:0040784C db 63h ; c .rdata:0040784D db 64h ; d .rdata:0040784E db 65h ; e .rdata:0040784F db 66h ; f .rdata:00407850 db 67h ; g .rdata:00407851 db 68h ; h .rdata:00407852 db 69h ; i .rdata:00407853 db 6Ah ; j .rdata:00407854 db 6Bh ; k .rdata:00407855 db 6Ch ; l .rdata:00407856 db 6Dh ; m .rdata:00407857 db 6Eh ; n .rdata:00407858 db 6Fh ; o .rdata:00407859 db 70h ; p .rdata:0040785A db 71h ; q .rdata:0040785B db 72h ; r .rdata:0040785C db 73h ; s .rdata:0040785D db 74h ; t .rdata:0040785E db 75h ; u .rdata:0040785F db 76h ; v .rdata:00407860 db 77h ; w .rdata:00407861 db 78h ; x .rdata:00407862 db 79h ; y .rdata:00407863 db 7Ah ; z .rdata:00407864 db 30h ; 0 .rdata:00407865 db 31h ; 1 .rdata:00407866 db 32h ; 2 .rdata:00407867 db 33h ; 3 .rdata:00407868 db 34h ; 4 .rdata:00407869 db 35h ; 5 .rdata:0040786A db 36h ; 6 .rdata:0040786B db 37h ; 7 .rdata:0040786C db 38h ; 8 .rdata:0040786D db 39h ; 9 .rdata:0040786E db 2Bh ; + .rdata:0040786F db 2Fh ; / .rdata:00407870 db 3Dh ; =

很正常的base64，順序沒變，外加后面

核心

if ( String == v7 + 34&& v19 == v11&& 4 * v20 - 141 == 3 * v9&& v21 / 4 == 2 * (v14 / 9)&& !strcmp(v4, "ak1w")&& !strcmp(v5, "V1Ax") )

v4和v5都是經過base64編碼后的字符串，所以我們分別對ak1w和V1Ax進行解碼即可，分別為jMp和WP1

仔細觀察后，也就是

UJWP1jMp

先給出一個字符串，然后有兩個經過base64加密，然后再來湊起來

《新程序員》：云原生和全面數字化實踐50位技術專家共同創作，文字、視頻、音頻交互閱讀

總結

以上是生活随笔為你收集整理的BUUCTF 新年快乐内涵的软件 Java逆向解密刮开有奖的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇：常用的IDC函数
下一篇：安洵杯——game（混淆控制流平坦化）