No way, you were handed the class file directly and still can't solve it?
2026/7/6 5:04:47

Open it in jadx

    package defpackage;

    import java.nio.charset.StandardCharsets;
    import java.util.Arrays;
    import java.util.Scanner;

    /* renamed from: xor3 reason: default package */
    /* loaded from: xor3.class */
    public class xor3 {
        private static final byte[] TARGET = {17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31};

        public static void hello() {
            System.out.println("Hello, can you reverse it too");
        }

        public static void main(String[] strArr) {
            hello();
            System.out.println("please enter your flag");
            Scanner scanner = new Scanner(System.in);
            String nextLine = scanner.nextLine();
            scanner.close();
            byte[] bytes = nextLine.getBytes(StandardCharsets.ISO_8859_1);
            byte[] bArr = new byte[bytes.length];
            for (int i = 0; i < bytes.length; i++) {
                bArr[i] = (byte) (bytes[i] ^ 98);
            }
            System.out.print("your xor result is:[");
            for (int i2 = 0; i2 < bArr.length; i2++) {
                if (i2 > 0) {
                    System.out.print("");
                }
                System.out.printf("%d", Integer.valueOf(bArr[i2] & 255));
            }
            System.out.println("]");
            if (Arrays.equals(bArr, TARGET)) {
                System.out.println("Congratulations! You have successfully solved the challenge");
            } else {
                System.out.println("Sorry, you have failed the challenge");
            }
        }
    }

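As usual, I used an AI prompt to study the code

The key point is that the input is XORed with 98. Note that the bitwise AND with 255 is applied only when printing, so it does not affect the comparison

We only need to XOR TARGET = {17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31}; with 98

I ran into a small problem while using the tools

CyberChef and 随波逐流 both didn't work well at first

I sent it to an AI, which said 17 was being read as 1 and 7...

I still don't know how to change the input type to numbers instead of text....

The workaround is to convert to hexadecimal first

But then another problem came up: these two tools also misread the values when converting between bases

Switch to a different tool: https://www.rapidtables.com/convert/number/decimal-to-hex.html

Conversion result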

11 06 12 01 19 07 12 15 0C 12 15 0C 12 15 0C 12 15 0C 1F

XOR it with 62 in hexadecimal

Or just stop fiddling around and learn Python properly

    TARGET = [17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31]
    result = []
    for i in TARGET:
        result.append(chr(i ^ 98))
    print(''.join(result))
sdpc{repwnpwnpwn}

upx

Take a look at it in Exeinfo PE

Detected UPX!

Unpack it first, then load it into IDA

    int __fastcall main(int argc, const char **argv, const char **envp)
    {
      double v3; // xmm0_8
      int random_number; // [rsp+4h] [rbp-4Ch]
      _BYTE v6[56]; // [rsp+10h] [rbp-40h] BYREF
      unsigned __int64 v7; // [rsp+48h] [rbp-8h]

      v7 = __readfsqword(0x28u);
      puts("=== UPX Packed Program with Hidden Flag ===");
      puts("This program is packed with UPX for demonstration purposes.");
      puts("Try to unpack it using UPX or other unpacking tools!\n");
      useless_function("Try to unpack it using UPX or other unpacking tools!\n", argv);
      another_useless_function();
      random_number = generate_random_number();
      printf("Random number: %d\n", random_number);
      v3 = complex_calculation(100);
      printf("Complex calculation result: %.2f\n", v3);
      printf("\nEnter the flag to verify: ");
      __isoc99_scanf("%49s", v6);
      if ( (unsigned int)validate_input(v6) )
        puts("\nCongratulations! You found the correct flag!");
      else
        puts("\nIncorrect flag. Please try again.");
      return 0;
    }

The earlier part prints two random numbers as a smokescreen

The key part

    __isoc99_scanf("%49s", v6);
    if ( (unsigned int)validate_input(v6) )
      puts("\nCongratulations! You found the correct flag!");

__isoc99_scanf("%49s", v6);

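  • __isoc99_scanf is the standard version of scanf; __isoc99 is a version marker in GLIBC.

  • scanf: a C standard library function that reads user input

  • __isoc99_scanf: at compile time the program was linked against the ISO C99 version of scanf; it behaves exactly the same, only the symbol name carries a version marker

  • %49s: reads a string, limited to a length of 49, to prevent overflow

  • v6: simply a char v6[56] array that stores the flag you enter

Follow validate_input(v6) to see the logic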

    _BOOL8 __fastcall validate_input(const char *s1)
    {
      char s2[56]; // [rsp+10h] [rbp-40h] BYREF
      unsigned __int64 v3; // [rsp+48h] [rbp-8h]

      v3 = __readfsqword(0x28u);
      decrypt_flag((__int64)s2);
      return strcmp(s1, s2) == 0;
    }

v3 is the stack canary

Follow into the decrypt_flag function

    __int64 __fastcall decrypt_flag(__int64 p_s2)
    {
      __int64 result; // rax
      int i; // [rsp+10h] [rbp-8h]

      for ( i = 0; ; ++i )
      {
        result = encrypted_flag[i];
        if ( !(_BYTE)result )
          break;
        *(_BYTE *)(i + p_s2) = xor_key[i % 14] ^ encrypted_flag[i];
      }
      return result;
    }
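
The loop in decrypt_flag, mirrored in Python as an added example (not code from the original post or the challenge binary); it also re-solves xor3 by parsing the decimal array as whole numbers, which is the step the online tools got wrong. The function names are hypothetical, and SAMPLE_KEY / SAMPLE_ENC are constructed stand-ins because the real xor_key and encrypted_flag bytes are not shown on the page.

```python
import re

def parse_byte_list(text):
    """Read a pasted array body such as '17, 6, 0x12' as whole numbers.

    Every token becomes one byte, so 17 stays 17 instead of '1' and '7'.
    """
    tokens = re.findall(r"0[xX][0-9a-fA-F]+|\d+", text)
    return bytes(int(t, 16) if t[:2].lower() == "0x" else int(t) for t in tokens)

def xor_until_zero(encrypted, key):
    """Same loop shape as decrypt_flag: out[i] = key[i % len(key)] ^ enc[i],
    ending at the first zero byte of the ciphertext."""
    out = bytearray()
    for i, c in enumerate(encrypted):
        if c == 0:
            break
        out.append(c ^ key[i % len(key)])
    return bytes(out)

def xor_encrypt(plain, key):
    """Inverse helper, used only to build the constructed samples below."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain)) + b"\x00"

# TARGET exactly as it appears in the decompiled xor3 class; the key is 98.
XOR3_TARGET = "17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31"

def solve_xor3():
    # TARGET contains no zero byte, so the early stop never triggers here.
    return xor_until_zero(parse_byte_list(XOR3_TARGET), bytes([98])).decode("latin-1")

# Constructed stand-ins: the real xor_key / encrypted_flag are not on the page.
SAMPLE_KEY = b"CONSTRUCTEDKEY"  # 14 bytes, matching the i % 14 in decrypt_flag
SAMPLE_ENC = xor_encrypt(b"flag{constructed_sample}", SAMPLE_KEY)

if __name__ == "__main__":
    print(solve_xor3())
    print(xor_until_zero(SAMPLE_ENC, SAMPLE_KEY).decode())
    # Edge case: a plaintext byte equal to its key byte encrypts to 0x00,
    # so the loop stops early and the recovered string is truncated.
    print(xor_until_zero(xor_encrypt(b"flaS{x}", SAMPLE_KEY), SAMPLE_KEY))
```

To use it on the unpacked binary, replace SAMPLE_KEY and SAMPLE_ENC with the xor_key and encrypted_flag bytes exported from IDA.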
