神奇的人鱼
发表于 2025-10-16 14:30
本帖最后由 神奇的人鱼 于 2025-10-16 14:32 编辑
非常简单的CTF题目 快来体验一下
题目下载地址:
https://wwi.lanzoub.com/b0mc1o6sj
密码:8oiq
压缩密码:52pj
1. 先观察样本信息:
里面有一个jar文件,有点意思
2. 拖入IDA分析
原来是启动了一个java的进程
我们需要找到启动的命令行
3. x64找一下进程
就是把exe当成一个jar执行
java -jar xxx.exe
4. 分离jar
根据第一步的偏移地址直接从二进制文件中提取jar文件
5. jadx启动
定位到关键函数
6. AI启动
AI大法好,直接把源代码扔给AI,编写一个暴力破解代码:
这里需要注意一下,因为代码中使用了java特有的Integer.rotateLeft,在使用python的时候需要特殊处理
AI搞错了好几次
JAVA版本:
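import java.util.Arrays;

/**
 * Recovers the flag accepted by {@link #verifyFlag(String)}.
 *
 * <p>The verifier encrypts each input character on its own, using only the
 * character and its position, and compares the result with {@code ENC_FLAG}
 * byte by byte. Because positions never interact, every position can be
 * searched independently: the cost is (positions x candidates) trials instead
 * of an exponential search over the whole flag.
 */
public class FlagCracker {
    /** Expected output of {@link #encryptChar(char, int)} for every flag position. */
    private static final int[] ENC_FLAG = {
        87, 107, 28, 196, 205, 202, 197, 108, 158, 219, 94, 237, 119, 242, 101, 9,
        161, 166, 16, 132, 96, 104, 183, 187, 163, 103, 121, 195, 27, 193, 141, 245,
        226, 2, 177, 177, 99, 182
    };

    /** Known flag framing; only the characters between them are searched. */
    private static final String PREFIX = "flag{";
    private static final String SUFFIX = "}";

    /** Candidate characters for the unknown positions (upper-case hex digits). */
    private static final String CHAR_SET = "0123456789ABCDEF";

    /**
     * Derives the per-position key used by encryption round {@code round}.
     *
     * <p>Starts from the position index and applies {@code round * 3} steps of a
     * wrapping 32-bit multiply-add followed by a rotate-left whose distance is
     * the step number mod 32; only the low byte of the final state is returned.
     *
     * @param index flag position the key belongs to
     * @param round encryption round (1, 2 or 3 in this file)
     * @return key byte in the range 0..255
     */
    private static int dynamicKey(int index, int round) {
        int key = index;
        for (int i = 0; i < round * 3; i++) {
            key = Integer.rotateLeft((key * 22695477) + 127, i % 32);
        }
        return key & 255;
    }

    /**
     * One mixing step of the verifier: rotate-left by 4, XOR with the key,
     * multiply-add, rotate-right by 2, then keep the low byte.
     *
     * <p>All arithmetic is on 32-bit {@code int}; even an 8-bit {@code b} is
     * widened first, so the rotations move bits into and out of the high word.
     *
     * @param b   input value (callers pass a byte or a 32-bit intermediate)
     * @param key key byte from {@link #dynamicKey(int, int)}
     * @return transformed byte in the range 0..255
     */
    private static int nonLinearTransform(int b, int key) {
        return Integer.rotateRight(((Integer.rotateLeft(b, 4) ^ key) * 4919) + 66, 2) & 255;
    }

    /**
     * Encrypts one character exactly as the verifier does for position {@code index}.
     *
     * @param c     plaintext character
     * @param index position of {@code c} in the flag
     * @return the byte the verifier compares against {@code ENC_FLAG[index]}
     */
    private static int encryptChar(char c, int index) {
        int key1 = dynamicKey(index, 1);
        int tmp = c ^ key1;
        int tmp2 = nonLinearTransform(tmp, key1);
        int key2 = dynamicKey(index, 2);
        int tmp3 = Integer.rotateRight(tmp2, 3) ^ key2;
        int key3 = dynamicKey(index, 3);
        return nonLinearTransform((tmp3 + key3) & 255, key3);
    }

    /**
     * Finds the first character of {@code charSet} whose encryption at
     * {@code index} equals {@code target}.
     *
     * @param index   flag position being searched
     * @param target  expected encrypted byte for that position
     * @param charSet candidate characters, tried in order
     * @return the matching character, or {@code -1} if none matches
     */
    private static int findChar(int index, int target, String charSet) {
        for (char c : charSet.toCharArray()) {
            if (encryptChar(c, index) == target) {
                return c;
            }
        }
        return -1;
    }

    /**
     * Fills in the known prefix/suffix, searches every position in between,
     * prints the recovered flag and re-checks it with {@link #verifyFlag(String)}.
     */
    public static void main(String[] args) {
        char[] flag = new char[ENC_FLAG.length];
        PREFIX.getChars(0, PREFIX.length(), flag, 0);
        SUFFIX.getChars(0, SUFFIX.length(), flag, flag.length - SUFFIX.length());

        // Search bounds come from the framing instead of being hard-coded
        // (5..36 for this 38-byte flag), so a different ENC_FLAG length still works.
        for (int i = PREFIX.length(); i < flag.length - SUFFIX.length(); i++) {
            int c = findChar(i, ENC_FLAG[i], CHAR_SET);
            if (c < 0) {
                System.err.println("Failed to find char at position " + i);
                flag[i] = '?'; // fallback
            } else {
                flag[i] = (char) c;
            }
        }

        String result = new String(flag);
        System.out.println("Recovered flag: " + result);
        // Optional: verify
        if (verifyFlag(result)) {
            System.out.println("✅ Verification passed!");
        } else {
            System.out.println("❌ Verification failed!");
        }
    }

    /**
     * Simplified copy of the original verifier, used only for the final check.
     *
     * <p>Delegates to {@link #encryptChar(char, int)} so the check and the
     * search share one implementation of the transform and cannot drift apart.
     *
     * @param input candidate flag
     * @return {@code true} if every position encrypts to the expected byte
     */
    public static boolean verifyFlag(String input) {
        if (input == null || input.length() != ENC_FLAG.length) {
            return false;
        }
        for (int i = 0; i < input.length(); i++) {
            if (encryptChar(input.charAt(i), i) != ENC_FLAG[i]) {
                return false;
            }
        }
        return true;
    }
}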
Python版本:
# Expected output of the verifier's per-character transform, one byte per
# flag position (38 entries; brute_force_flag assumes "flag{" + 32 hex + "}").
ENC_FLAG = [
    87, 107, 28, 196, 205, 202, 197, 108,
    158, 219, 94, 237, 119, 242, 101, 9,
    161, 166, 16, 132, 96, 104, 183, 187,
    163, 103, 121, 195, 27, 193, 141, 245,
    226, 2, 177, 177, 99, 182,
]
def java_rotate_left(val, distance):
    """Rotate the low 32 bits of *val* left, like Java's Integer.rotateLeft.

    The distance is reduced modulo 32 (Java keeps only its low 5 bits) and the
    result is an unsigned 32-bit integer in 0..0xFFFFFFFF, so a negative Java
    int passed in as a negative Python int is handled by masking.
    """
    distance &= 0x1F
    bits = val & 0xFFFFFFFF
    # Bits shifted out of the top re-enter at the bottom.
    wrapped = bits >> (32 - distance)
    return ((bits << distance) & 0xFFFFFFFF) | wrapped
def java_rotate_right(val, distance):
    """Rotate the low 32 bits of *val* right, like Java's Integer.rotateRight.

    Same conventions as java_rotate_left: distance taken modulo 32, result is
    an unsigned 32-bit integer, negative inputs are masked first.
    """
    distance &= 0x1F
    bits = val & 0xFFFFFFFF
    # Bits shifted out of the bottom re-enter at the top.
    wrapped = (bits << (32 - distance)) & 0xFFFFFFFF
    return (bits >> distance) | wrapped
def dynamicKey(index, round_num):
    """Derive the key byte for flag position *index* in round *round_num*.

    Mirrors the Java dynamicKey: starting from the index, apply
    ``round_num * 3`` steps of a wrapping 32-bit multiply-add followed by a
    rotate-left by the step number mod 32, then keep the low byte. With
    ``round_num == 0`` no step runs and ``index & 0xFF`` is returned.
    """
    state = index
    for step in range(round_num * 3):
        # Java int arithmetic wraps at 32 bits.
        state = (state * 22695477 + 127) & 0xFFFFFFFF
        # Integer.rotateLeft(state, step % 32), inlined; state is already 32-bit.
        rot = step & 0x1F
        state = ((state << rot) & 0xFFFFFFFF) | (state >> (32 - rot))
    return state & 0xFF
def nonLinearTransform(b, key):
    """One mixing step of the verifier, returning a byte in 0..255.

    Mirrors the Java nonLinearTransform: rotate-left by 4, XOR with *key*,
    multiply by 4919 and add 66 (all wrapping at 32 bits), rotate-right by 2,
    keep the low byte. Java widens *b* to a 32-bit int before rotating, so an
    8-bit input still has bits moved through the high word; the rotations are
    inlined here on an explicitly masked 32-bit value.
    """
    mask = 0xFFFFFFFF
    word = b & mask
    # Integer.rotateLeft(word, 4)
    rotated = ((word << 4) | (word >> 28)) & mask
    mixed = ((rotated ^ key) * 4919 + 66) & mask
    # Integer.rotateRight(mixed, 2), then the low byte of the result
    return (((mixed >> 2) | (mixed << 30)) & mask) & 0xFF
def encryptChar(c, index):
    """Encrypt the single character *c* at flag position *index*.

    Reproduces what the verifier computes for one position: three rounds,
    each with its own dynamicKey(), so the result depends only on *c* and
    *index* and can be compared directly with ENC_FLAG[index].
    """
    round1_key = dynamicKey(index, 1)
    round2_key = dynamicKey(index, 2)
    round3_key = dynamicKey(index, 3)

    stage1 = nonLinearTransform(ord(c) ^ round1_key, round1_key)
    # Integer.rotateRight(stage1, 3) on the 32-bit widened value
    stage2 = java_rotate_right(stage1, 3) ^ round2_key
    return nonLinearTransform((stage2 + round3_key) & 0xFF, round3_key)
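def _find_char(index, target):
    """Return the first character whose encryption at *index* equals *target*.

    The hex-digit set is tried first; only if nothing matches is every
    printable ASCII character (codes 32..126) tried. Progress is printed in
    the same form for each outcome. Returns ``None`` when no candidate matches.
    """
    for c in "0123456789ABCDEF":
        if encryptChar(c, index) == target:
            print(f"位置 {index}: 找到字符 '{c}'")
            return c
    # Hex digits are printable too, so they are re-checked here; the wider
    # search only runs after the narrow one failed.
    for c_code in range(32, 127):
        ch = chr(c_code)
        if encryptChar(ch, index) == target:
            print(f"位置 {index}: 找到字符 '{ch}' (ASCII: {c_code})")
            return ch
    print(f"位置 {index}: 未找到匹配字符")
    return None


def brute_force_flag():
    """Recover the flag one position at a time and return it as a string.

    encryptChar() depends only on the character and its position, and
    verify_flag() compares positions independently, so each unknown position
    can be searched on its own: len(flag) * len(charset) trials instead of a
    search over all combinations. The known prefix "flag{" and suffix "}"
    are filled in directly; a position with no match is marked ``'?'``.
    """
    prefix = "flag{"
    suffix = "}"
    flag = [''] * len(ENC_FLAG)
    flag[:len(prefix)] = prefix
    flag[-1] = suffix
    for i, known in enumerate(flag):
        if known:  # prefix / suffix position, already fixed
            continue
        match = _find_char(i, ENC_FLAG[i])
        flag[i] = '?' if match is None else match
    return ''.join(flag)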
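def verify_flag(input_str):
    """Return True if *input_str* encrypts to ENC_FLAG at every position.

    Mirrors the verifier: ``None`` or a string of the wrong length is
    rejected, then each character is checked with encryptChar() so this
    check and the brute-force search share a single implementation of the
    transform and cannot drift apart. Stops at the first mismatch.
    """
    if input_str is None or len(input_str) != len(ENC_FLAG):
        return False
    return all(
        encryptChar(ch, i) == expected
        for i, (ch, expected) in enumerate(zip(input_str, ENC_FLAG))
    )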
if __name__ == "__main__":
    print("开始暴力破解flag...")
    result = brute_force_flag()
    print(f"\n破解结果: {result}")
    if verify_flag(result):
        print("✅ 验证通过!")
    else:
        print("❌ 验证失败!")
        # Widen the search: every position still marked '?' is retried over
        # all 256 byte values, then the flag is checked once more.
        print("\n尝试更广泛的字符集...")
        flag = list(result)
        for i, ch in enumerate(flag):
            if ch != '?':
                continue
            for c_code in range(256):
                candidate = chr(c_code)
                if encryptChar(candidate, i) == ENC_FLAG[i]:
                    flag[i] = candidate
                    print(f"位置 {i}: 找到字符 '{candidate}' (ASCII: {c_code})")
                    break
        result = ''.join(flag)
        print(f"\n最终结果: {result}")
        if verify_flag(result):
            print("✅ 最终验证通过!")
7. 结果如下: