2022-01-07
Java逆向解密
程序员小张不小心弄丢了加密文件用的秘钥,已知还好小张曾经编写了一个秘钥验证算法,聪明的你能帮小张找到秘钥吗? 注意:得到的 flag 请包上 flag{} 提交
解压就得到一个.class文件,用Eclipse还打不开
搜了一下java反编译工具,jd-gui要下载,直接用的在线反编译网站:https://jdec.app/
得到
/* Decompiler 33ms, total 22066ms, lines 39 */
import java.util.ArrayList;
import java.util.Scanner;public class Reverse {public static void main(String[] args) {Scanner s = new Scanner(System.in);System.out.println("Please input the flag :");String str = s.next();System.out.println("Your input is :");System.out.println(str);char[] stringArr = str.toCharArray();Encrypt(stringArr);}public static void Encrypt(char[] arr) {ArrayList<Integer> Resultlist = new ArrayList();for(int i = 0; i < arr.length; ++i) {int result = arr[i] + 64 ^ 32;Resultlist.add(result);}int[] KEY = new int[]{180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65};ArrayList<Integer> KEYList = new ArrayList();for(int j = 0; j < KEY.length; ++j) {KEYList.add(KEY[j]);}System.out.println("Result:");if (Resultlist.equals(KEYList)) {System.out.println("Congratulations!");} else {System.err.println("Error!");}}
}
还是习惯用python敲
strs = [180, 136, 137, 147, 191, 137, 147, 191,148, 136, 133, 191, 134, 140, 129, 135, 191, 65]flag = ""
for i in range(0,len(strs)):flag += chr(strs[i] - ord('@') ^ 0x20)
print(flag)
运行得到
flag{This_is_the_flag_!}
RSA
import gmpy2
from Crypto.Util.number import getPrime
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from base64 import b64encodeflag = open('flag', 'r').read().strip() * 23def encrypt(p, q, e, msg):while True:n = p * qtry:phi = (p - 1)*(q - 1)pubkey = RSA.construct((int(n), int(e)))key = PKCS1_v1_5.new(pubkey)enc = b64encode(key.encrypt(msg))return encexcept:p = gmpy2.next_prime(p**2 + q**2)q = gmpy2.next_prime(2*p*q)e = gmpy2.next_prime(e**2)p = getPrime(128)
q = getPrime(128)
n = p*q
e = getPrime(64)
pubkey = RSA.construct((n, e))
with open('pubkey.pem', 'wb') as f:f.write(pubkey.exportKey())
with open('flag.enc', 'wb') as g:g.write(encrypt(p, q, e, flag.encode()))
照例先进行公钥解析
题目中n可以分解
p = 184333227921154992916659782580114145999
q = 336771668019607304680919844592337860739
n = 62078208638445817213739226854534031566665495569130972218813975279479576033261
e = 9850747023606211927
正常解,得到
并没有得到flag
重新读代码
所以需要加一个循环,等条件满足了再解密
from gmpy2 import *
from sympy import *
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from base64 import b64decodec = bytes_to_long(b64decode(open('flag.enc', 'r').read()))n = 62078208638445817213739226854534031566665495569130972218813975279479576033261
e = 9850747023606211927
p = 184333227921154992916659782580114145999
q = 336771668019607304680919844592337860739i = 1
while 1:print(i)i += 1n = q*pif n >= c:phi = (p-1)*(q-1)d = invert(e, phi)m = pow(c, int(d), int(n))print(m)print(long_to_bytes(m))breakelse:p = next_prime(p**2+q**2)q = next_prime(2*q*p)e = next_prime(e**2)
运行得到
21130430102349851344375907769720046484677029119428837396672932715876625383945370341175910951423912243330586361156136290092204002927065190841481131566459116773453246871757757823779794339114822031832596668783157803487998365708485081872049293871850576177149533382597361704504961093792908771866752876348062277434073071889312899586270935385784945924334005249552610480611289214527568844305559106603600018566929797890928176626555862695618418757613020212459322650264561053816448737905971241379935205105514666988287379360172503588707266968468214658214806734945961547412026484158466007375950994697228739953339960206763694563951938227300323961533465852374474323974466788489494540824433887252700477167031278699226560115746479722693928216633617899653625881863492322931150255129472759564345221044014212615176088745172305188187969942140845856558821840760241230906447618882995941860930345904234649300635995029078116116000398889152779488806137751516303308434626148764759017112230666143483350753359092334376383832558156392114656754542536303250262690385361910886616106355699110084413595231691655741871936117939178923936354300417492024309932830222791864588057245518070666325194802557546094107337061841277143915440240581450700287044773939297691649430945373719331434822275917092651804710270515273945123953214293242630960760591850137449965845572686404352917593436844813740451883307968101043043105036122673580071693173311173462705627667546633231350823031456126655265991555075901877279265952658394772898737872531524707773354867729527394596455488986761511453432440662729084866352234374765219975638130644553369563672920115805779997258268448569189017741605641083000677922451058711996773612461711741548934203827335498317539917264952788581712138950255481544545919749733800
b'\x01xg<_{\xf0q\x860C\xc43\x9f\xf7>[\xd7\xf5J\xdc\x85\xbd\xe1f\x0b\xea\x97)Q,\t}\xbe\xff]\x91\x12\xab\xa7R\x9azL\x0c\xf9k\xc8\x0c\xe6d&\x961y\xfc\xf3\x80\x97\xab\x08\xf5\x96\xa6*\xba]\x80\xa9vQ\xad\xc3g\xa6\xed\x94\x90\x19*\xe9\xc5!5\x0e\xeb\x91q/~\xd3\xd8\xb7\xc8\\\xd5D\xf4\xec*\x8f\xbb\x98\x87\xa5=\xeb\xe9U\xdf\x83\xa9\r\xf2D\xf1\x1a\xdfm\xb3\x97\x88"J\xfdnA\xfd(\x0f\xf3\xd7\xd3\xd4\x83\xea\x8aq\xc9\x0f9r\x1c\x17\x9f\xe6\x18\x924\x83\xfa0j.\xb6-zU\x1b\xa3\x1cp\xe1\xff\x02mu\xf9\xa8p\xb0\xe9\x0b/v\x18\xb0\xc60\xd7\'\x1b\x90g\x8cl\xb7\x10Fe\xf6\x9d7\xa2\x8c\xaa\xbfH\xeb\x90*\xef\x8e\xcfE\xa8\xed\xe1U.0\xd5j\xfcZ\xcb\xe1 V-\xf1Dyo>\xe0\xdc\x9d\x86\xf6\xd4\xc66\xf2\x94H\xb5\xb7\x9d\xe4\xf7lC\xde1\x8c\xb1\xc6\xd2\xd0\x12[4\x9dA>\xa6\x9e\xa9\x883\x90\xbci\xf3\xa7\xfdH\xceC,M\xc77\xadX\x08\xd9\x1c/s]\x8dV\xc4\xf6\x12\x8a\xec\x14\xd1\xa7\xc4\xf7\xebAp\xee&\x03\xcb\xe7\xa4\xe5QK\x19\xc8O\'#\xf9#-\xcb\xe3\xdf6\xba4\xd1\x1f\x1d\xae\xae5\xf0\xf5\xdd\x05\xd9\x91uF\x1c\xd0\x84W\x10\xb4\xbe\x94nj.\xbe`;\x99\x90\xa0\x16`\x97\x8bq\xf8&q\xc00\xaa_n3\x9c\xc4\xa4\xe6zK\x97\x08\x00\x11\xf8\xa7lAEU8#\xa7\xb0<?\xe9\xe8\xfa,\xfe\xf8\xe0x\xa1\x02\xba\xef.\xa7\xda\xd4\r\x8d\'h\x7f\x9e$\x88\x97&\xdf\xe8\xd8y\x91\x05\x1bHo\x92t\xebwn\xd3m\x9f\xcd\x7f:\x8a\r2\xe8\x8d\x04\xba1\xa1\xdc"\x9d0\xab\x16\xe9\x065 \xd9A\xcc\xac\x1d\xd8\xcb\xceN&\x84J#\xdcB3\x92\x9c\x14s\xb9\x1a\xe4\xb4\x91\x13\xf7\x08\x92\xad\x83\x80e\x95\xec\x9e\x10\x91\xc3(_\xa4\x8f\x9f\x80C\xed\x884\x90\xbe\x13<\x08\x8a\x83\xb4j\x96\xe5\x1d\xda\xcfE\x89\xe1\xf6I\xc1*\xb0v-\x85\xa4\xe2\xf6`\x1db\xc0\xa0\x9bL5\xadg\x80\xd4\tH+\xe7O)}\xa9\x1a\xca\xca\x89\xc0/)\xfbz?\xa5\x10\xacC\x83\xf9&\xa4\xe9\xe1\xaa\xf3\xfc\xde\xa1\xc4\xdb\xbc"<\xff\xe5\xb4\xda\xd3\xd3\xee\xc3\x8f\xc1\xcd\x95\xc5\x16<\x18\x94\x93\xe6h\xa9\xe8\x083+\xc8\xccC\x19\xd2p\xf2\xee\xfd84YN\xd4fj\xf2\x9c\x11t,MX\xca\x02\x16q\x9b~tT\x0c\xb7f\xe8\xee\x91F\x1a\xe7\x89j\x93Ys\x97}u+\x1c3;_\x03u\x1b\x98I\x81\xe2@\x14]\xca\xdaC\x1b\xf6\xf6V\\\xce\xe9\xf0fY\x1c\xab\xf5\xba\xa0\xf9.\xe6\xf7\xda\xf4\x12\x97N\xf1b2\xa4\xd8\\(G\xa6\xa36\xa4W\xf4%\xff\x96\xb5!J\x12\xbd\xe0\x81rc\xc8\xd6=\xa8'
发现都是\x开头的,所以换一种编码方式
得到
???
发现另一个小细节,这里的RSA是PKCS#1 v1.5的RSA
所以,换一种书写方式
from gmpy2 import *
from sympy import *
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from base64 import b64decodec = b64decode(open('flag.enc', 'r').read())n = 62078208638445817213739226854534031566665495569130972218813975279479576033261
e = 9850747023606211927
p = 184333227921154992916659782580114145999
q = 336771668019607304680919844592337860739i = 1
while 1:print(i)i += 1n = q*pif n >= bytes_to_long(c):phi = (p-1)*(q-1)d = invert(e, phi)prikey = RSA.construct((int(n), int(e), int(d)))key = PKCS1_v1_5.new(prikey)dec = key.decrypt(c, None)print(dec)breakelse:p = next_prime(p**2+q**2)q = next_prime(2*q*p)e = next_prime(e**2)
2022-01-07相关推荐
- NOI题库 python题解-2022.01.07整理(1.4-1.7)
python && C++ NOI编程题解1.4 https://blog.csdn.net/yigezzchengxuyuan/article/details/86651658 ht ...
- NOI题库 python题解-2022.01.07整理(1.1-1.3)
python && C++ NOI编程题解1.1 https://blog.csdn.net/yigezzchengxuyuan/article/details/86582640 ht ...
- STM32CubeIDE用DAP调试的超级无敌简单方法——2022.01.07
STM32CubeIDE作为ST生态中重要的一环,必然以支持自家的ST-LINK为第一要务.不过当我们手上没有ST-LINK只有其他调试器时也是可以debug和下载的,只需要做一丢丢的简单操作,下面这 ...
- 互联网の早报(2022/01/07)
更多内容,欢迎关注微信公众号"看相声也要敲代码"
- 《安富莱嵌入式周报》第247期:2022.01.03--2022.01.09
往期周报汇总地址:嵌入式周报 - uCOS & uCGUI & emWin & embOS & TouchGFX & ThreadX - 硬汉嵌入式论坛 - P ...
- 2019.01.07|区块链技术头条
2019.01.07|区块链技术头条 1.科普 | 深处的蚁穴:与 Gas 相关的三种安全问题 2.科普 | OmiseGo 将如何把 Plasma 带入寻常百姓家 3.干货 | 详解 MimbleW ...
- [Leedcode][JAVA][面试题 01.07][找规律][旋转数组]
[问题描述] [面试题 01.07. 旋转矩阵] 示例 1:给定 matrix = [[1,2,3],[4,5,6],[7,8,9] ],原地旋转输入矩阵,使其变为: [[7,4,1],[8,5,2] ...
- 洛谷 刷题 深基部分题解(python版)-2022.01.29
P5703 [深基2.例5]苹果采购(python3实现) https://blog.csdn.net/dllglvzhenfeng/article/details/122690555 P5703 [ ...
- 小学奥数 7657 连乘积末尾0的个数-2022.01.26
http://noi.openjudge.cn/math/7657/ /* 小学奥数 7657 连乘积末尾0的个数-2022.01.26 http://noi.openjudge.cn/math/76 ...
- 1168:大整数加法--2022.01.22 AC
/* 1168:大整数加法--2022.01.22 AC http://ybt.ssoier.cn:8088/problem_show.php?pid=1168c++中 cin.cin.get().c ...
最新文章
- python csv模块心得
- 【论文解读】IPM2020 | 长短期兴趣建模的图神经网络新闻推荐系统
- 看我如何基于PythonFacepp打造智能监控系统
- OpenSSL原理与实现
- Delphi MlSkin v3.9 (2019.4.15)发布啦! 它能让你的程序拥有像QQ一样多彩炫丽的外观...
- hadoop连接远程mysql_Hadoop之Hive本地与远程MySQL数据库管理模式安装手册
- 创建.config后缀文件
- 对象转为json形式
- MATLAB图像拼接算法及实现
- IDEA+Java+Servlet+JSP+Mysql实现新闻发布系统
- 宝塔Linux面板如何进入,云服务器怎么进入宝塔面板
- 美化我们的windows xp
- 五个国外在线时间管理(GTD)工具推荐
- 【电磁】基于Matlab模拟电偶极子电磁场附GUI界面
- Excel如何快速对选中区域截图?
- HyperMesh 2D网格划分
- 计算机求等级值的计算,2015年计算机一级MS OFFICE等级考试计算题
- 定义自定义字体需要css的什么规则,css3自定义字体需要什么规则 css3基本选择器...
- 什么是水务信息化规划、水务信息化规划有什么用?
- Optimus Ride选用Velodyne Lidar的开创性传感器为其自动驾驶汽车提供支持
热门文章
- 绿色计算在数据中心的应用及节能效果浅析
- 2019年Q3:全球超大规模数据中心数量增至504个
- 使用DCIM软件确保数据中心符合DCOI
- 数据中心机房空调系统的这些“套路”你知多少?
- ML:MLOps系列讲解之《端到端 ML工作流生命周期》解读
- 成功解决AttributeError: ‘Series‘ object has no attribute ‘columns‘
- ML之k-NN:k-NN实现对150朵共三种花的实例的萼片长度、宽,花瓣长、宽数据统计,根据一朵新花的四个特征来预测其种类
- mysql(mariadb)常用命令(持续更新ing)
- 决策树-特征属性选择划分
- requireJS 从概念到实战