In the Name of the People - Arresting Zhao Dehan 1-200

Here is a simple reverse-engineering challenge to learn from; conveniently, I have recently been picking up a little Java.

Document info

Author: SwBack
Created: 2023-04-09 20:40:55
Zhihu: https://www.zhihu.com/people/back-88-87
CSDN: https://blog.csdn.net/qq_30817059
Baidu search: SwBack

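A simple reversing challenge

The download is a jar file.

Running it shows the following:

[Image 1]

Decompiling it to view the source reveals three files:

one interface file and two Java classes.

[Image 2]

Their contents are as follows:

CheckInterface

This file defines the CheckInterface interface, which declares the checkPassword method.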

package defpackage;

/* renamed from: CheckInterface */
/* loaded from: reverse.jar:CheckInterface.class */
public interface CheckInterface {
    boolean checkPassword(String str);
}

CheckPassword

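This file contains the main method.

main calls checkerObject.checkPassword(line) to decide whether the password is correct; the object it is called on comes from CheckInterface checkerObject = loadCheckerObject();

loadCheckerObject() can be seen, roughly, to work by decrypting ClassEnc.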

package defpackage;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

/* renamed from: CheckPassword */
/* loaded from: reverse.jar:CheckPassword.class */
public class CheckPassword extends ClassLoader {
    static String hexKey = "bb27630cf264f8567d185008c10c3f96";

    public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        CheckInterface checkerObject = loadCheckerObject();
        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
        while (true) {
            System.out.println("Enter password:");
            String line = stdin.readLine();
            if (checkerObject.checkPassword(line)) {
                System.out.println("Well done, that is the correct password");
                System.exit(0);
            } else {
                System.out.println("Incorrect password");
            }
        }
    }

    private static CheckInterface loadCheckerObject() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, ClassFormatError, InstantiationException, IllegalAccessException {
        CheckPassword mycl = new CheckPassword();
        InputStream in = CheckPassword.class.getClass().getResourceAsStream("/ClassEnc");
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        byte[] bytes = new byte[512];
        while (true) {
            int len = in.read(bytes);
            if (len > -1) {
                bout.write(bytes, 0, len);
            } else {
                byte[] myClassBytesEnc = bout.toByteArray();
                in.close();
                SecretKeySpec secretKeySpec = new SecretKeySpec(hexStringToByteArray(hexKey), "AES");
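                // A bare "AES" transformation resolves to AES/ECB/PKCS5Padding on the default JCE provider
                Cipher decAEScipher = Cipher.getInstance("AES");
                // 2 == Cipher.DECRYPT_MODE (the decompiler inlined the constant)
                decAEScipher.init(2, secretKeySpec);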
                byte[] myClassBytes = decAEScipher.doFinal(myClassBytesEnc);
                CheckInterface passCheckObject = (CheckInterface) mycl.defineClass(null, myClassBytes, 0, myClassBytes.length).newInstance();
                return passCheckObject;
            }
        }
    }

    private static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }
}

By this point the approach to solving it is fairly clear.

But after decompiling, there is also a third file.

CheckPass

package defpackage;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/* renamed from: CheckPass */
/* loaded from: reverse.jar:newClassName.class */
public class CheckPass implements CheckInterface {
    @Override // defpackage.CheckInterface
    public boolean checkPassword(String input) {
        MessageDigest md5Obj = null;
        try {
            md5Obj = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Hash Algorithm not supported");
            System.exit(-1);
        }
        byte[] bArr = new byte[40];
        md5Obj.update(input.getBytes(), 0, input.length());
        byte[] hashBytes = md5Obj.digest();
        return byteArrayToHexString(hashBytes).equals("fa3733c647dca53a66cf8df953c2d539");
    }

    private static String byteArrayToHexString(byte[] data) {
        int i;
        StringBuffer buf = new StringBuffer();
        for (int i2 = 0; i2 < data.length; i2++) {
            int halfbyte = (data[i2] >>> 4) & 15;
            int two_halfs = 0;
            do {
                if (halfbyte >= 0 && halfbyte <= 9) {
                    buf.append((char) (48 + halfbyte));
                } else {
                    buf.append((char) (97 + (halfbyte - 10)));
                }
                halfbyte = data[i2] & 15;
                i = two_halfs;
                two_halfs++;
            } while (i < 1);
        }
        return buf.toString();
    }
}

As can be seen directly, equals is used here to check whether the MD5 of the input string equals fa3733c647dca53a66cf8df953c2d539

We look the hash up on cmd5 and get the password monkey99.

[Image 3]

We can see that the password is accepted as correct.
[Image 4]

So the flag is monkey99
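
Why a lookup service such as cmd5 can reverse this check, and what a salted, slow hash changes, shown as an added example that is not part of the challenge or of the original write-up. The candidate list is constructed, and the function names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a public lookup table such as cmd5.
CANDIDATES = ["123456", "password", "letmein", "monkey99", "qwerty"]

def build_table(words):
    """Precompute unsalted MD5 -> plaintext, the same hashing CheckPass applies."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def make_record(password, iterations=200_000):
    """Salted, slow alternative: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])

def demo():
    table = build_table(CANDIDATES)
    # What a CheckPass-style program embeds: a bare MD5 of the password.
    unsalted = hashlib.md5(b"letmein").hexdigest()
    rec_a, rec_b = make_record("letmein"), make_record("letmein")
    return {
        # One dictionary lookup recovers the plaintext from the unsalted digest.
        "table_hit": table.get(unsalted),
        # The precomputed table has no entry for a salted, iterated digest.
        "salted_hit": table.get(rec_a["dk"].hex()),
        # Same password, different salts: the stored values differ.
        "same_password_same_record": rec_a["dk"] == rec_b["dk"],
        "verify_ok": verify("letmein", rec_a),
        "verify_bad": verify("monkey99", rec_a),
    }

if __name__ == "__main__":
    print(demo())
```
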

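When analyzing CheckPassword.java above, we said that the check is performed by decrypting ClassEnc.

Extracting the jar file directly gives the following contents:
[Image 5]

We then write a decryption script following the algorithm in CheckPassword.java; the output is exactly the contents of CheckPass.

The following is a script written by an expert, used directly: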

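from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

filename = "ClassEnc"
key = "bb27630cf264f8567d185008c10c3f96"
key_bytes = bytes.fromhex(key)

# Java's Cipher.getInstance("AES") defaults to AES/ECB/PKCS5Padding
aes = AES.new(key_bytes, AES.MODE_ECB)

with open(filename, "rb") as f:
    data = f.read()

# Strip the PKCS#5/7 padding, as Cipher.doFinal() does on the Java side
decryption_data = unpad(aes.decrypt(data), AES.block_size)

# Write (not append) so that re-running the script does not corrupt the output
with open(filename + "_decryption", "wb") as f:
    f.write(decryption_data)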

As you can see, after I ran it, the generated ClassEnc_decryption decompiles to content identical to CheckPass.
[Image 6]
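
The pattern seen here, a custom ClassLoader decrypting a class from a jar resource, can be spotted before decompiling by looking for entries that resemble block-cipher output. The following triage heuristic is an added example, not code from the challenge or the original author; the sample jar is constructed in memory, and the size and entropy thresholds are assumptions.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every valid .class file

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_entries(jar_bytes: bytes, min_size: int = 512, min_entropy: float = 7.0):
    """Return (name, size) for jar entries that look like AES ciphertext."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)
            if data.startswith(CLASS_MAGIC):
                continue  # ordinary compiled class
            # AES output is a whole number of 16-byte blocks and near-random
            if len(data) >= min_size and len(data) % 16 == 0 \
                    and entropy(data) >= min_entropy:
                hits.append((info.filename, len(data)))
    return hits

def build_sample_jar() -> bytes:
    """Constructed stand-in for reverse.jar: class stubs plus a random-looking blob."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
    stub = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Main-Class: CheckPassword\n")
        jar.writestr("CheckInterface.class", stub)
        jar.writestr("CheckPassword.class", stub)
        jar.writestr("ClassEnc", blob)
    return buf.getvalue()

if __name__ == "__main__":
    print(suspicious_entries(build_sample_jar()))
```

Compressed resources such as images or nested archives are also high-entropy, so a hit is a reason to inspect the loader code, not a verdict.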
