52pojie (吾爱破解) - LCG - LSG | Android cracking | Malware analysis | www.52pojie.cn

[CrackMe] JavaCM

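LoRyu posted on 2020-12-17 23:13
What is a CM? What is a Crackme? What is this thing? What did the original poster upload?
They are small programs released publicly for others to try to crack. The person who makes a Crackme may be a programmer who wants to test their own software protection techniques, a cracker who wants to challenge other crackers' skills, or someone learning to crack who writes small programs to crack themselves. A KeyGenMe asks others to write a keygen (serial number generator) for it, a ReverseMe asks others to reverse-engineer its algorithm, and an UnpackMe asks others to unpack it successfully. Non-technical, off-topic filler replies are prohibited in this board.

This post was last edited by LoRyu on 2020-12-18 20:59

Written in Java, launched via Easy Language (易语言); a Java environment is required.
-----------------------------------------
12/18 19:09
The previous one had a small problem, so I updated the attachment.
-----------------------------------------
12/18 20:56
The first one had AES encryption and the like, so I updated the attachment, but now an expert has solved that version, so I am putting that version back.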


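solly posted on 2020-12-18 20:44
This post was last edited by solly on 2020-12-18 20:46
LoRyu posted on 2020-12-18 20:02
Could the expert explain how this was done?

First obtain the three files CrackMe.jar, Check.class.CrackMe and Frame.class.CrackMe from the temporary directory.
Create a Java project and add CrackMe.jar to the Java build path. Using reflection, call the methods of lllllllllllllll.class to obtain cn.loryu.crackme.CrackMe and another ClassLoader, cn.loryu.crackme.a; then call the methods in cn.loryu.crackme.a to obtain cn.loryu.crackme.Frame and cn.loryu.crackme.Check. Neither of these two files is obfuscated, and the keygen posted earlier can be reversed directly from cn.loryu.crackme.Check.

Below is the source code for obtaining these 4 files:
[Java]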
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class StartCrk {
	static String basePath = "I:\\Downloads\\crack\\000\\CrackMe_java3\\";
	static String tempDir  = "F:\\temp\\";

	public static void main(String[] args) {
		// TODO Auto-generated method stub
		
		try {
			Class<?> crk = Class.forName("lllllllllllllll");
			/////
			Object obj = crk.newInstance();
			/////
			Method m = crk.getMethod("loadClass", String.class);
			m.setAccessible(true);
			Field f0 = crk.getDeclaredField("lll");  //// String[]
			f0.setAccessible(true);
			Field f1 = crk.getDeclaredField("lIIl"); ///// int[58]
			f1.setAccessible(true);
			Field f2 = crk.getDeclaredField("llI"); ///// int[34]
			f2.setAccessible(true);
			//String className1 = f0[f1[1]];
			int n1 = 58;
			//int i[] = new int[n1];
			int ii[] = (int[])f1.get(null);
//			System.out.print("int lIIl[] = {");
//			for(int j=0; j<n1; j++) {
//				System.out.print(ii[j] + ",");
//			}
//			System.out.println("}");
			int n2 = 34;
			byte ii2[] = (byte[])f2.get(null);
//			System.out.print("int llI[] = {");
//			for(int j=0; j<n2; j++) {
//				System.out.print(ii2[j] + ",");
//			}
//			System.out.println("}");
			
			//int n2 = 3;
			//String s[] = new String[n2];
			String ss[] = (String[])f0.get(null);
			
			System.out.println("0: " + ss[0]);
			System.out.println("1: " + ss[1]);
			System.out.println("2: " + ss[2]);
			
			String className = ss[ii[1]];
			System.out.println("class Name: " + className);
			
			/////
			saveClass("cn.loryu.crackme.CrackMe");
			saveClass("cn.loryu.crackme.a");
			//saveClass("cn.loryu.crackme.Check");
			//saveClass("cn.loryu.crackme.Frame");
			
			
			Object params[] = new String[1];
			params[0] = className; 
			Class<?> claz2 = (Class<?>)m.invoke(obj, params);   //// Class: cn.loryu.crackme.CrackMe
			if(claz2 != null) {
				System.out.println("load class success: " + params[0]);
				/////
				Object obj2 = (claz2).newInstance();	
				
				Method mth[] = claz2.getDeclaredMethods();
				for(int k=0; k<mth.length; k++) {
					System.out.println("method: " + mth[k]);
				}
				Field fld[] = claz2.getDeclaredFields();
				for(int k=0; k<fld.length; k++) {
					System.out.println("field: " + fld[k]);
				}
				
				Class param_type_main[] = new Class[1];
				param_type_main[0] = String[].class;		
				Object param_value_main[] = new Object[1];
				param_value_main[0] = args;
				
				//// This is where the crackme itself would be executed
				// claz2.getDeclaredMethod("main", param_type_main[0]).invoke(null, param_value_main);
				
		        long flag1 = 0x274c89061a03L;
		        long flag2 = flag1 ^ 0x2e660bfc3229L;
				
				//// field
				Field f5 = claz2.getDeclaredField("ll");  //// int[]
				f5.setAccessible(true);
				int n5 = 281;
				int ll[] = (int[])f5.get(null);
//				System.out.print("int llI[] = {");
//				for(int j=0; j<n5; j++) {
//					System.out.print(ll[j] + ",");
//				}
//				System.out.println("}");

		        //// java.lang.String cn.loryu.crackme.CrackMe.a(int,int,int)
		        Class<?> type_a[] = new Class[3];
		        type_a[0] = int.class;
		        type_a[1] = int.class;
		        type_a[2] = int.class;
		        int value_a[] = new int[3];
		        
		        value_a[0] = ll[2] + ll[3];
		        value_a[1] = ll[2] + ll[4];
		        value_a[2] = (int)flag1;
		        String cls0 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 1: " + cls0); //// java.io.tmpdir
		        
		        value_a[0] = ll[2] + ll[18];
		        value_a[1] = ll[2] + ll[19];
		        value_a[2] = (int)flag1;
		        String cls1 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 2: " + cls1); //// cn.loryu.crackme.Check

		        value_a[0] = ll[2] + ll[20];
		        value_a[1] = ll[8] + ll[21];
		        value_a[2] = (int)flag1;
		        String cls2 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 3: " + cls2); //// cn.loryu.crackme.Frame

		        value_a[0] = ll[2] + ll[5];
		        value_a[1] = ll[2] + ll[6];
		        value_a[2] = (int)flag1;
		        String cls3 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 4: " + cls3); //// Check.class.CrackMe

		        value_a[0] = ll[2] + ll[7];
		        value_a[1] = ll[8] + ll[9];
		        value_a[2] = (int)flag1;
		        String cls4 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 5: " + cls4); //// Frame.class.CrackMe

		        value_a[0] = ll[2] + ll[10];
		        value_a[1] = ll[2] + ll[11];
		        value_a[2] = (int)flag1;
		        String cls5 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 6: " + cls5); //// CBEA62C4FB252CEAAE4980645286D6FE2901C8802FC8AB89

		        value_a[0] = ll[2] + ll[12];
		        value_a[1] = ll[2] + ll[13];
		        value_a[2] = (int)flag1;
		        String cls6 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 7: " + cls6); //// 1F31F140088A5DA2BF202AE3862F206232087A15C4C2C4A1

		        value_a[0] = ll[2] + ll[14];
		        value_a[1] = ll[2] - ll[15];
		        value_a[2] = (int)flag1;
		        String cls7 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 8: " + cls7); //// cn.loryu.crackme.Check

		        value_a[0] = ll[2] + ll[16];
		        value_a[1] = ll[8] + ll[17];
		        value_a[2] = (int)flag1;
		        String cls8 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 9: " + cls8); //// cn.loryu.crackme.Frame

		        value_a[0] = ll[2] + ll[18];
		        value_a[1] = ll[2] + ll[19];
		        value_a[2] = (int)flag1;
		        String cls9 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 10: " + cls9); //// cn.loryu.crackme.Check

		        value_a[0] = ll[2] + ll[20];
		        value_a[1] = ll[8] + ll[21];
		        value_a[2] = (int)flag1;
		        String cls10 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("obj 11: " + cls10); //// cn.loryu.crackme.Frame

		        //System.out.println("obj 12: " + ll[22]); //// addListeners
		        
		        value_a[0] = ll[2] + ll[23];
		        value_a[1] = ll[8] + ll[24];
		        value_a[2] = (int)flag1;
		        String cls11 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a[0], value_a[1], value_a[2]);
		        System.out.println("method 1: " + cls11); //// addListeners
		        
		        
		        //// get classloader cn.loryu.crackme.a
		        String className_a = "cn.loryu.crackme.a";
		        //Class<?> cls_a = Class.forName(className_a);
				Object params_a[] = new String[1];
				params_a[0] = className_a; 
				Class<?> cls_a = (Class<?>)m.invoke(obj, params_a);   //// Class: cn.loryu.crackme.a
		        Object cls_a_obj = cls_a.newInstance();
				Method mth2[] = cls_a.getDeclaredMethods();
				for(int k=0; k<mth2.length; k++) {
					System.out.println("a.method: " + mth2[k]);
				}
				Field fld2[] = cls_a.getDeclaredFields();
				for(int k=0; k<fld2.length; k++) {
					System.out.println("a.field: " + fld2[k]);
				}

		        //// loadClass
//		        Class<?> cls_check = (Class<?>)cls_a.getMethod("loadClass", String.class).invoke(cls_a_obj, "cn.loryu.crackme.Check");
//		        if(cls_check != null) {
//		        	System.out.println("load class ok: " + cls_check.getName()); 
//		        } else {
//		        	System.out.println("load class failure: ");
//		        }

		        int i = (int)(flag2 >>> ll[0]);
		        long l = (flag2 << ll[1]) >>> ll[1];
				////// Check.class.CrackMe
				File a = new File(tempDir + "Check.class.CrackMe");
				byte b1[] = (byte[])cls_a.getDeclaredMethod("a", short.class, File.class, String.class, long.class).invoke(cls_a_obj, (short)i, a.getAbsoluteFile(), "CBEA62C4FB252CEAAE4980645286D6FE2901C8802FC8AB89", l);
				System.out.println("cn.loryu.crackme.Check size: " + b1.length);
				saveClass("cn.loryu.crackme.Check", b1);
				
				///// Frame.class.CrackMe
				File b = new File(tempDir + "Frame.class.CrackMe");
				byte b2[] = (byte[])cls_a.getDeclaredMethod("a", short.class, File.class, String.class, long.class).invoke(cls_a_obj, (short)i, b.getAbsoluteFile(), "1F31F140088A5DA2BF202AE3862F206232087A15C4C2C4A1", l);
				System.out.println("cn.loryu.crackme.Frame size: " + b2.length);
				saveClass("cn.loryu.crackme.Frame", b2);
				
//				System.out.print("b1 = ");
//				for(int k=0; k<b1.length; k++) {
//					System.out.print(b1[k] + ", ");
//				}
//				System.out.println("");
//				System.out.print("b2 = ");
//				for(int k=0; k<b2.length; k++) {
//					System.out.print(b2[k] + ", ");
//				}
//				System.out.println("");
				
				
			} else {
				System.out.println("load class failure: " + params[0]);
			}
			
		} catch (ClassNotFoundException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (NoSuchMethodException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (SecurityException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (NoSuchFieldException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (IllegalArgumentException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (IllegalAccessException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (InvocationTargetException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (InstantiationException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
		
	}
	
	
	public static int saveClass(String className, byte[] data) {
		String fileName = className.replace('.', File.separatorChar).concat(".class");
		
		try {
			String fullPath = basePath + fileName;
			int i = fullPath.lastIndexOf(File.separatorChar);
			String path = fullPath.substring(0, i);
			File f = new File(path);
			f.mkdirs();  /// Create directory

			FileOutputStream fos = new FileOutputStream(fullPath);
			OutputStream os = new BufferedOutputStream(fos);
			os.write(data);
			System.out.println("save " + className +".class OK");
			
			os.flush();
			os.close();
			fos.flush();
			fos.close();	
		} catch (FileNotFoundException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (IOException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}

		return data.length;
	
	}
	
	public static int saveClass(String className) {
		int size = 0;
		try {
			Class<?> crk = Class.forName("lllllllllllllll");
			/////
			//Object obj = crk.newInstance();

			Method decrypt = crk.getDeclaredMethod("lllll", String.class);
			decrypt.setAccessible(true);
			Method decode = crk.getDeclaredMethod("lllIl", byte[].class, byte[].class);
			decode.setAccessible(true);
			////
			Field f2 = crk.getDeclaredField("llI"); ///// int[34]
			f2.setAccessible(true);
			byte ii2[] = (byte[])f2.get(null);

			Object params1[] = new Object[2];
			params1[0] = className.getBytes("UTF-8");
			params1[1] = ii2;
			String s = new String((byte[])decode.invoke(null, params1));
			Object params2[] = new Object[1];
			params2[0] = s;
			byte bytes1[] = (byte[])decrypt.invoke(null, params2);
			params1[0] = bytes1;
			byte bytes2[] = (byte[])decode.invoke(null, params1);
			size = bytes2.length;
			System.out.println(className +".class length " + bytes2.length);
			
			String fileName = className.replace('.', File.separatorChar).concat(".class");
			
			String fullPath = basePath + fileName;
			int i = fullPath.lastIndexOf(File.separatorChar);
			String path = fullPath.substring(0, i);
			File f = new File(path);
			f.mkdirs();  /// Create directory
			
			FileOutputStream fos = new FileOutputStream(fullPath);
			OutputStream os = new BufferedOutputStream(fos);
			os.write(bytes2);
			System.out.println("save " + className +".class OK");
			
			os.flush();
			os.close();
			fos.flush();
			fos.close();	
		} catch (ClassNotFoundException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (IllegalAccessException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (NoSuchMethodException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (SecurityException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (IllegalArgumentException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (InvocationTargetException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (FileNotFoundException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (IOException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (NoSuchFieldException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
	
		return size;
	}

}
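
A check worth running on the byte arrays the loader returns before `saveClass` writes them to disk, shown as an added example that is not part of solly's post: it parses the class-file header (magic, version, constant pool, `this_class`) and confirms the bytes really declare the requested class. It is written in Python for offline triage of the dumped files; the function names and the constructed sample bytes are assumptions, not anything from the crackme.

```python
import struct

# Payload size after the tag byte for fixed-size constant-pool entries (JVMS 4.4).
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_header(data):
    """Return (major_version, internal_class_name); raise ValueError if invalid."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("no 0xCAFEBABE magic: bytes are not a decrypted class")
    _minor, major, cp_count = struct.unpack_from(">HHH", data, 4)
    pool, pos, idx = {}, 10, 1
    try:
        while idx < cp_count:
            tag = data[pos]
            if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
                (n,) = struct.unpack_from(">H", data, pos + 1)
                raw = data[pos + 3:pos + 3 + n]
                if len(raw) != n:
                    raise ValueError("truncated Utf8 constant")
                pool[idx] = raw.decode("utf-8", "replace")
                pos += 3 + n
            elif tag in CP_FIXED:
                if tag == 7:  # CONSTANT_Class: u2 index of its Utf8 name
                    (pool[idx],) = struct.unpack_from(">H", data, pos + 1)
                pos += 1 + CP_FIXED[tag]
                if tag in (5, 6):  # long and double occupy two pool slots
                    idx += 1
            else:
                raise ValueError(f"unknown constant-pool tag {tag} at offset {pos}")
            idx += 1
        _access, this_class = struct.unpack_from(">HH", data, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated class file") from None
    name = pool.get(pool.get(this_class))
    if not isinstance(name, str):
        raise ValueError("this_class does not resolve to a class name")
    return major, name


def matches_expected(data, dotted_name):
    """True when the dumped bytes declare the class that was requested."""
    return class_header(data)[1] == dotted_name.replace(".", "/")


def sample_class(dotted_name):
    """Constructed header-only sample (not taken from the crackme)."""
    utf = dotted_name.replace(".", "/").encode()
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 3)
            + b"\x07" + struct.pack(">H", 2)                # #1 Class -> #2
            + b"\x01" + struct.pack(">H", len(utf)) + utf   # #2 Utf8 name
            + struct.pack(">HH", 0x0021, 1))                # flags, this_class


if __name__ == "__main__":
    good = sample_class("cn.loryu.crackme.Check")
    print(class_header(good), matches_expected(good, "cn.loryu.crackme.Check"))
    try:
        class_header(bytes(32))  # stands in for still-encrypted output
    except ValueError as err:
        print("rejected:", err)
```

A `ValueError` here means the key or the decode step was wrong and the saved file would only confuse a decompiler later.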


solly posted on 2020-12-18 19:57
TestJavaCM3.0Test


[Java]
package cn.solly.crack;

public class Crack {

 public static String str01 = "rygcryJgryjgryjhrygcryJgryjHryjgrygcryJgryjJryjjrygcryJgryjJryjhrygcryJgryjhryHlrygcryJgryjHryjlrygcryJgryjJryjHrygcryJgryjHryjlrygcryJgryjhryjjrygcryJgryjhryHhrygcryJgryjjryjjrygcryJgryjkryHgrygcryJgryjjryj#rygcryJgryjgryjhrygcryJgryjHryjgrygcryJgryjJryjjrygcryJgryjJryjh";;

 public static void main(String[] args) {
	 GetIt(str01); 
 }
 
 public static void GetIt(String str)
 {
     getCheckString(str);
 }

 public static void getCheckString(String s0)
 {
     char charArray01[] = s0.toCharArray();
     for(int i = 0; i < charArray01.length; i++)
         switch(charArray01[i])
         {
         case 'r': // '\\'
             charArray01[i] = '\\';
             break;

         case 'y': // 'u'
             charArray01[i] = 'u';
             break;

         case 'l': // '1'
             charArray01[i] = '1';
             break;

         case 'k': // '2'
             charArray01[i] = '2';
             break;

         case 'j': // '3'
             charArray01[i] = '3';
             break;

         case 'h': // '4'
             charArray01[i] = '4';
             break;

         case 'g': // '5'
             charArray01[i] = '5';
             break;

         case 'H': // '6'
             charArray01[i] = '6';
             break;

         case 'J': // '7'
             charArray01[i] = '7';
             break;

         case 'K': // '8'
             charArray01[i] = '8';
             break;

         case 'L': // '9'
             charArray01[i] = '9';
             break;

         case '#': // '0'
             charArray01[i] = '0';
             break;
         }

     String s2 = String.valueOf(charArray01);
     System.out.println("SN : " +  deobfString(s2));
 }

 public static String obfString(String str)
 {
     String str01 = unicodeToString(str);
     return unicodeToString(str01);
 }

 public static String deobfString(String str)
 {
     String str01 = unicodeToString(str);
     return unicodeToString(str01);
 }

 public static String stringToUnicode(String str)
 {
     StringBuffer sb = new StringBuffer();
     char c[] = str.toCharArray();
     for(int i = 0; i < c.length; i++)
         sb.append((new StringBuilder()).append("\\u").append(Integer.toHexString(c[i])).toString());

     return sb.toString();
 }

 public static String unicodeToString(String unicode)
 {
     StringBuffer sb = new StringBuffer();
     String hex[] = unicode.split("\\\\u");
     for(int i = 1; i < hex.length; i++)
     {
         int index = Integer.parseInt(hex[i], 16);
         sb.append((char)index);
     }

     return sb.toString();
 }

}


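嘟囔嘟囔 posted on 2020-12-18 07:24
jy04468108 posted on 2020-12-18 08:45
I don't have a Java environment installed, so I can't play with this.
liaozhen posted on 2020-12-18 09:44
Too bad I don't know how to decompile a jar; otherwise just reading the source would be sweet.
云在天 posted on 2020-12-18 10:02
With AES and Blowfish encryption thrown in and nothing to go on, how are we supposed to play?
miracle_ posted on 2020-12-18 10:03
Just decompile it with jd-gui.
Light紫星 posted on 2020-12-18 11:37
Tough one: SHA-256 and then AES on top.
OP | LoRyu posted on 2020-12-18 12:23
云在天 posted on 2020-12-18 10:02
With AES and Blowfish encryption thrown in and nothing to go on, how are we supposed to play?

Sorry, the AES and other encryption is there because my obfuscator was using an earlier configuration and I turned it on by accident. I'll post a new one tonight.
HyAiXj34 posted on 2020-12-18 14:34
liaozhen posted on 2020-12-18 09:44
Too bad I don't know how to decompile a jar; otherwise just reading the source would be sweet.

If it's a jar, extract it with an archive tool, then decompile the whole project with jad to get the source code.
snolf posted on 2020-12-18 14:38
You can view the source directly with IDEA.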