下载下来是个压缩包,解开后得到一个源码文件,解码后是notflag;但压缩包有5k大,而解出的java文件只有1k,显然包里还有内容未解出。

用 010 Editor 打开压缩包,发现里面有两个 EzJar.class 文件,于是手工把未被解出的那一份压缩数据切出来解压。

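import sys
import zlib

# Carve one zip entry's compressed payload out of the jar by hand and inflate it.
# The write-up found two EzJar.class entries in the archive with a hex editor;
# the offset and length below are the values it read off for this specific file.
# NOTE(review): presumably they mark the start and size of the hidden entry's
# compressed data (just past its local file header) -- re-derive them from the
# header fields before reusing this script on any other archive.
DATA_OFFSET = 659
DATA_LENGTH = 3248

with open('EzJar.jar', 'rb') as jar:
    jar.seek(DATA_OFFSET)
    compressed = jar.read(DATA_LENGTH)

# A short read means the offset/length do not fit this file; inflating it would
# only produce a truncated class.
if len(compressed) != DATA_LENGTH:
    raise ValueError('short read: got %d of %d bytes' % (len(compressed), DATA_LENGTH))

# Zip entries hold a raw deflate stream (no zlib header), hence the negative wbits.
inflator = zlib.decompressobj(-zlib.MAX_WBITS)
class_bytes = inflator.decompress(compressed) + inflator.flush()

# Warn (do not abort) if the slice ended before the deflate stream did.
if not inflator.eof:
    print('warning: deflate stream did not terminate inside the carved slice',
          file=sys.stderr)

# Every Java class file starts with the magic 0xCAFEBABE; anything else means the
# slice was cut at the wrong place.
if class_bytes[:4] != b'\xca\xfe\xba\xbe':
    raise ValueError('inflated data does not start with the Java class magic')

with open('EzJar.class', 'wb') as out:
    out.write(class_bytes)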

用jd反编译得到主程序,其中l放的是数字,I放的是一堆解密出来的字符串;main把输入的flag加密并做base64编码后,与其中一个串(I[6])比较。

package defpackage;import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Scanner;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.swing.JOptionPane;/* renamed from: EzJar */
/*
 * Decompiler (JD) output of the hidden EzJar.class, reproduced as emitted.
 *
 * Two static tables drive the program:
 *   - l: an index table filled by lII(); identity mapping except l[2] == 3 and l[3] == 2.
 *   - I: a string table filled by ll(); each entry is a Base64 blob decoded at class-load
 *        time by one of three helpers (DES, Blowfish, repeating-key XOR).
 * Every key string needed to decode the table is a literal in ll(), so the table can be
 * recovered by simply running the static initialiser.
 *
 * NOTE(review): as printed this listing does not compile -- I and l are declared final
 * and null yet assigned in ll()/lII(), and lIl(int) is called with a boolean in main.
 * These look like decompiler artefacts rather than properties of the original bytecode.
 */
public class EzJar {
    // Named aliases of string-table entries; none of them is read by the code shown here.
    private static final /* synthetic */ String AC = I[l[16]];
    private static final /* synthetic */ String[] I = null;
    private static final /* synthetic */ String WA = I[l[15]];
    private static final /* synthetic */ String banner = I[l[11]];
    private static final /* synthetic */ String enc = I[l[14]];
    private static final /* synthetic */ String flag = I[l[12]];
    private static final /* synthetic */ String key = I[l[13]];
    private static final /* synthetic */ int[] l = null;

    // Order matters: the index table must exist before ll() indexes the string table with it.
    static {
        EzJar.lII();
        EzJar.ll();
    }

    /*
     * DES string decoder: the key is the first l[8] (= 8) bytes of MD5(a2), a1 is
     * Base64-decoded and then DECRYPTED -- the mode passed to init() is l[3] == 2,
     * which is the value of Cipher.DECRYPT_MODE.
     * The bare "DES" transformation leaves mode and padding to the provider default.
     * Returns null (after printing the stack trace) on any failure.
     */
    private static String I(String a1, String a2) {
        try {
            SecretKeySpec v1 = new SecretKeySpec(Arrays.copyOf(MessageDigest.getInstance("MD5").digest(a2.getBytes(StandardCharsets.UTF_8)), l[8]), "DES");
            Cipher instance = Cipher.getInstance("DES");
            instance.init(l[3], v1);
            return new String(instance.doFinal(Base64.getDecoder().decode(a1.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /*
     * XOR string decoder: a1 is Base64-decoded, then each char is XORed with the
     * chars of a2; it is a2 (the key) that is repeated cyclically via the modulo index.
     */
    private static String l(String a1, String a2) {
        String v1 = new String(Base64.getDecoder().decode(a1.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
        StringBuilder stringBuilder = new StringBuilder();
        char[] toCharArray = a2.toCharArray();
        int v2 = l[0];
        char[] toCharArray2 = v1.toCharArray();
        int length = toCharArray2.length;
        int i = l[0];
        while (EzJar.llI(i, length)) {
            stringBuilder.append((char) (toCharArray[v2 % toCharArray.length] ^ toCharArray2[i]));
            // No-op statement: the result of "".length() is discarded.
            "".length();
            v2++;
            i++;
            "".length();
            // Opaque predicate: -1 > 3 is never true, so this return is unreachable in practice.
            if ((-" ".length()) > "   ".length()) {
                return null;
            }
        }
        return String.valueOf(stringBuilder);
    }

    /*
     * Blowfish string decoder: the key is the full MD5(a2) digest, a1 is Base64-decoded
     * and then DECRYPTED (init mode l[3] == 2, the value of Cipher.DECRYPT_MODE).
     * Returns null (after printing the stack trace) on any failure.
     */
    private static String lI(String a1, String a2) {
        try {
            SecretKeySpec v1 = new SecretKeySpec(MessageDigest.getInstance("MD5").digest(a2.getBytes(StandardCharsets.UTF_8)), "Blowfish");
            Cipher instance = Cipher.getInstance("Blowfish");
            instance.init(l[3], v1);
            return new String(instance.doFinal(Base64.getDecoder().decode(a1.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
        } catch (Exception v2) {
            v2.printStackTrace();
            return null;
        }
    }

    /* Fills the index table. Note the swap: l[2] holds 3 and l[3] holds 2. */
    private static void lII() {
        l = new int[18];
        l[0] = 0;
        l[1] = 1;
        l[2] = 3;
        l[3] = 2;
        l[4] = 4;
        l[5] = 5;
        l[6] = 6;
        l[7] = 7;
        l[8] = 8;
        l[9] = 9;
        l[10] = 10;
        l[11] = 11;
        l[12] = 12;
        l[13] = 13;
        l[14] = 14;
        l[15] = 15;
        l[16] = 16;
        l[17] = 17;
    }

    /* Extracted comparison: true when i is non-zero. */
    private static boolean lIl(int i) {
        return i != 0;
    }

    /*
     * Fills the 17-entry string table. Because of the l[2]/l[3] swap, the third
     * assignment writes I[2] and the fourth writes I[3].
     */
    private static void ll() {
        I = new String[l[17]];
        I[l[0]] = EzJar.I("AQiA0bYffm9HvMlm7RnEMX/tEQAUj4Xb", "FrlAZ");
        I[l[1]] = EzJar.I("hXzZyx8IUHw=", "Esxsh");
        I[l[3]] = EzJar.l("ID8PFlEKM1kKHhIkWRUdBjFD", "gVysq");
        I[l[2]] = EzJar.I("50fO6ARqllg=", "VZbFF");
        I[l[4]] = EzJar.lI("mvXqH+/XIESPZaSG3ZbZlA==", "TuZSw");
        I[l[5]] = EzJar.l("JQ0R", "aHBFu");
        // I[6] is the value main compares the processed input against.
        I[l[6]] = EzJar.I("dMKiRQ19iTevvzL7NtVg5+ye5BywL2QaxtVANFLuC5B2/KuC+/5L6BwtCB7zpWK1XBTQr0VWC3Vt/uYEl2xmjskE0dDrCk2C", "dPxYA");
        I[l[7]] = EzJar.lI("B/MVYKSzgq8=", "phiUP");
        I[l[8]] = EzJar.I("ZtBOhuHeK3Y=", "MfnkQ");
        I[l[9]] = EzJar.lI("aPhz+GjGynRlU3Alo00QeQ==", "wWtUj");
        I[l[10]] = EzJar.l("BRQFNiRyBwQrNDcUSw==", "RfjXC");
        I[l[11]] = EzJar.I("pT10j0lChvyrNwYRFdqBzxqFp1ruTgo9", "hGcuT");
        I[l[12]] = EzJar.lI("UhBbCDk5yqaWl1uHJyS/OGmtcfVyvOOsk78/1f0MU8U3UfAf1Xf0FWNbpcKes/0HRz9SU/icRJHswW2xWjHrcFzhpsvwzqUl", "eeMoV");
        I[l[13]] = EzJar.I("s11BihYBzRBpcX9EF43utw==", "RjiXK");
        I[l[14]] = EzJar.I("wk5jH1cyKoA=", "frsxP");
        I[l[15]] = EzJar.I("Nfa0rxB8IRArMq2F4iLlLg==", "ulQWJ");
        I[l[16]] = EzJar.lI("wLcWNd0Xsbw=", "JgPGn");
    }

    /* Extracted comparison: true when i is less than i2. */
    private static boolean llI(int i, int i2) {
        return i < i2;
    }

    /*
     * Flag checker: shows a dialog, reads one whitespace-delimited token from stdin,
     * encrypts it (init mode l[1] == 1, the value of Cipher.ENCRYPT_MODE) with the
     * transformation I[3] and a key built from I[4] / I[5], Base64-encodes the result
     * and compares it with I[6]. Key, algorithm and expected ciphertext all come from
     * the string table, so the check can be inverted by decrypting I[6].
     */
    public static void main(String[] strArr) throws Exception {
        // l[2] == 3 is passed as the dialog's message-type argument.
        JOptionPane.showMessageDialog(null, I[l[0]], I[l[1]], l[2]);
        System.out.print(I[l[3]]);
        System.out.print(I[l[2]]);
        String next = new Scanner(System.in).next();
        Cipher instance = Cipher.getInstance(I[l[2]]);
        // getBytes() without a charset uses the platform default encoding.
        instance.init(l[1], new SecretKeySpec(I[l[4]].getBytes(), I[l[5]]));
        if (EzJar.lIl(I[l[6]].equals(new String(Base64.getEncoder().encode(instance.doFinal(next.getBytes())))))) {
            // Match branch.
            JOptionPane.showMessageDialog(null, I[l[7]]);
            System.out.print(I[l[8]]);
            // No-op statements left by the obfuscator/decompiler.
            "".length();
            if (null != null) {
            }
            return;
        }
        // Mismatch branch.
        JOptionPane.showMessageDialog(null, I[l[9]]);
        System.out.print(I[l[10]]);
    }
}

对main部分稍作修改,改为解密程序

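    /**
     * Solver entry point: inverts the original flag check by decrypting the expected
     * ciphertext held in the string table instead of encrypting user input.
     *
     * <p>Relies on the enclosing class's static tables {@code I} and {@code l} having been
     * filled by the static initialiser.
     *
     * @param strArr unused
     * @throws Exception if the cipher cannot be created or the decryption fails
     */
    public static void main(String[] strArr) throws Exception {
        // Debug aid from the write-up: dump every decoded string-table entry.
        // for (int i = 0; i < 17; i++) System.out.println(I[l[i]]);

        // Transformation name taken from the string table; the write-up annotates it as DES.
        Cipher instance = Cipher.getInstance(I[l[2]]);

        // Key "Ctf3r_me", algorithm "DES" (both decoded from the string table).
        // The charset is pinned so the key bytes do not depend on the platform default.
        instance.init(
                Cipher.DECRYPT_MODE,
                new SecretKeySpec(I[l[4]].getBytes(StandardCharsets.UTF_8), I[l[5]]));

        // I[6] is the Base64 ciphertext the original program compared the input against.
        byte[] plain = instance.doFinal(Base64.getDecoder().decode(I[l[6]]));
        System.out.println(new String(plain, StandardCharsets.UTF_8));

        /*
         * ciphertext  Dg/TZuRXF4+UwSZ8Dpwgw8+VOoHVl1YlPL1QRVhroCy4ptnKEcdC05iXcpLyDnuR
         * algorithm   DES
         * key         Ctf3r_me
         */
    }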

运行得到flag

C:\ctf.show.reverse\红包六\a>javac EzJar.java
C:\ctf.show.reverse\红包六\a>java EzJar
ctfshow{eb5e2541-58e6-4f8f-ae6f-5c7a6f920d73}

附,修改后的完整程序

//package defpackage;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Scanner;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.swing.JOptionPane;
/* renamed from: EzJar */
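/**
 * Solver built from the decompiled EzJar class: the string-table decoders are kept,
 * and {@code main} decrypts the expected ciphertext instead of checking user input.
 *
 * <p>The decompiled named constants (AC, WA, banner, enc, flag, key), which only aliased
 * string-table entries, are not needed here and are left out, as they were commented out
 * in the write-up. The tables are no longer {@code final} so that the fill methods can
 * assign them. No-op statements and the never-true opaque predicate emitted by the
 * decompiler are dropped; they had no effect on the result.
 *
 * <p>Everything needed to recover the flag (algorithm, key, ciphertext) is embedded in
 * the class itself, which is why the original check offers no secrecy.
 */
public class EzJar {
    /** Decoded string table, filled by {@link #fun_ll()}. */
    private static String[] I = null;

    /** Index table, filled by {@link #fun_lII()}: identity except l[2] == 3 and l[3] == 2. */
    private static int[] l = new int[18];

    // Order matters: the index table must be filled before fun_ll() indexes with it.
    static {
        EzJar.fun_lII();
        EzJar.fun_ll();
    }

    /**
     * Decodes one DES-protected table entry.
     *
     * <p>The key is the first l[8] (= 8) bytes of MD5(a2); the cipher is initialised with
     * l[3] == 2, i.e. {@code Cipher.DECRYPT_MODE}. The bare "DES" transformation leaves
     * mode and padding to the provider default.
     *
     * @param a1 Base64 text of the ciphertext
     * @param a2 string whose MD5 digest supplies the key
     * @return the decrypted text, or {@code null} if decoding fails (the stack trace is
     *     printed so one undecodable entry does not abort class initialisation)
     */
    private static String fun_I(String a1, String a2) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(a2.getBytes(StandardCharsets.UTF_8));
            SecretKeySpec keySpec = new SecretKeySpec(Arrays.copyOf(digest, l[8]), "DES");
            Cipher instance = Cipher.getInstance("DES");
            instance.init(l[3], keySpec);
            byte[] cipherText = Base64.getDecoder().decode(a1.getBytes(StandardCharsets.UTF_8));
            return new String(instance.doFinal(cipherText), StandardCharsets.UTF_8);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Decodes one XOR-protected table entry: a1 is Base64-decoded and each char is XORed
     * with the chars of a2, with a2 repeated cyclically.
     *
     * @param a1 Base64 text of the masked string
     * @param a2 repeating XOR key
     * @return the unmasked string
     */
    private static String fun_l(String a1, String a2) {
        String decoded =
                new String(Base64.getDecoder().decode(a1.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
        char[] keyChars = a2.toCharArray();
        char[] data = decoded.toCharArray();
        StringBuilder out = new StringBuilder(data.length);
        for (int i = 0; i < data.length; i++) {
            out.append((char) (keyChars[i % keyChars.length] ^ data[i]));
        }
        return out.toString();
    }

    /**
     * Decodes one Blowfish-protected table entry.
     *
     * <p>The key is the full MD5(a2) digest; the cipher is initialised with l[3] == 2,
     * i.e. {@code Cipher.DECRYPT_MODE}.
     *
     * @param a1 Base64 text of the ciphertext
     * @param a2 string whose MD5 digest supplies the key
     * @return the decrypted text, or {@code null} if decoding fails (the stack trace is
     *     printed)
     */
    private static String fun_lI(String a1, String a2) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(a2.getBytes(StandardCharsets.UTF_8));
            SecretKeySpec keySpec = new SecretKeySpec(digest, "Blowfish");
            Cipher instance = Cipher.getInstance("Blowfish");
            instance.init(l[3], keySpec);
            byte[] cipherText = Base64.getDecoder().decode(a1.getBytes(StandardCharsets.UTF_8));
            return new String(instance.doFinal(cipherText), StandardCharsets.UTF_8);
        } catch (Exception v2) {
            v2.printStackTrace();
            return null;
        }
    }

    /** Fills the index table: identity mapping, then the l[2]/l[3] swap from the original. */
    private static void fun_lII() {
        for (int i = 0; i < l.length; i++) {
            l[i] = i;
        }
        l[2] = 3;
        l[3] = 2;
    }

    /** Extracted comparison from the decompiled code (unused by the solver): i is non-zero. */
    private static boolean fun_lIl(int i) {
        return i != 0;
    }

    /**
     * Fills the 17-entry string table. Because of the l[2]/l[3] swap, the third assignment
     * writes I[2] and the fourth writes I[3].
     */
    private static void fun_ll() {
        I = new String[l[17]];
        I[l[0]] = EzJar.fun_I("AQiA0bYffm9HvMlm7RnEMX/tEQAUj4Xb", "FrlAZ");
        I[l[1]] = EzJar.fun_I("hXzZyx8IUHw=", "Esxsh");
        I[l[3]] = EzJar.fun_l("ID8PFlEKM1kKHhIkWRUdBjFD", "gVysq");
        I[l[2]] = EzJar.fun_I("50fO6ARqllg=", "VZbFF");
        I[l[4]] = EzJar.fun_lI("mvXqH+/XIESPZaSG3ZbZlA==", "TuZSw");
        I[l[5]] = EzJar.fun_l("JQ0R", "aHBFu");
        // I[6]: the Base64 ciphertext the original program compared the input against.
        I[l[6]] = EzJar.fun_I("dMKiRQ19iTevvzL7NtVg5+ye5BywL2QaxtVANFLuC5B2/KuC+/5L6BwtCB7zpWK1XBTQr0VWC3Vt/uYEl2xmjskE0dDrCk2C", "dPxYA");
        I[l[7]] = EzJar.fun_lI("B/MVYKSzgq8=", "phiUP");
        I[l[8]] = EzJar.fun_I("ZtBOhuHeK3Y=", "MfnkQ");
        I[l[9]] = EzJar.fun_lI("aPhz+GjGynRlU3Alo00QeQ==", "wWtUj");
        I[l[10]] = EzJar.fun_l("BRQFNiRyBwQrNDcUSw==", "RfjXC");
        I[l[11]] = EzJar.fun_I("pT10j0lChvyrNwYRFdqBzxqFp1ruTgo9", "hGcuT");
        I[l[12]] = EzJar.fun_lI("UhBbCDk5yqaWl1uHJyS/OGmtcfVyvOOsk78/1f0MU8U3UfAf1Xf0FWNbpcKes/0HRz9SU/icRJHswW2xWjHrcFzhpsvwzqUl", "eeMoV");
        I[l[13]] = EzJar.fun_I("s11BihYBzRBpcX9EF43utw==", "RjiXK");
        I[l[14]] = EzJar.fun_I("wk5jH1cyKoA=", "frsxP");
        I[l[15]] = EzJar.fun_I("Nfa0rxB8IRArMq2F4iLlLg==", "ulQWJ");
        I[l[16]] = EzJar.fun_lI("wLcWNd0Xsbw=", "JgPGn");
    }

    /** Extracted comparison from the decompiled code (unused by the solver): i less than i2. */
    private static boolean fun_llI(int i, int i2) {
        return i < i2;
    }

    /**
     * Decrypts the expected ciphertext I[6] with the key and algorithm taken from the
     * string table and prints the result.
     *
     * @param strArr unused
     * @throws Exception if the cipher cannot be created or the decryption fails
     */
    public static void main(String[] strArr) throws Exception {
        // Debug aid from the write-up: dump every decoded string-table entry.
        // for (int i = 0; i < 17; i++) System.out.println(I[l[i]]);

        // Transformation name taken from the string table; the write-up annotates it as DES.
        Cipher instance = Cipher.getInstance(I[l[2]]);

        // Key "Ctf3r_me", algorithm "DES". The charset is pinned so the key bytes do not
        // depend on the platform default encoding.
        instance.init(
                Cipher.DECRYPT_MODE,
                new SecretKeySpec(I[l[4]].getBytes(StandardCharsets.UTF_8), I[l[5]]));

        byte[] plain = instance.doFinal(Base64.getDecoder().decode(I[l[6]]));
        System.out.println(new String(plain, StandardCharsets.UTF_8));

        /*
         * ciphertext  Dg/TZuRXF4+UwSZ8Dpwgw8+VOoHVl1YlPL1QRVhroCy4ptnKEcdC05iXcpLyDnuR
         * algorithm   DES
         * key         Ctf3r_me
         */
    }
}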
