normal15

jeb分析

找到mainactivity

进入flagcheck关键函数

肉眼可见

key和flag分别十次哈希和aes加密。

而原key已经进行过两次哈希算法,currkey使用的是原key 的三个字节,这三个字节无法溯源

只能爆破(三个字节最多只有 2^24 ≈ 1677 万种组合,穷举是可行的)

本题采用的是 AES/ECB/PKCS5Padding 的加密方式

因为这次的加密是采用java中的包来完成的,我们也就采用相应的java包来解密

(虽然说我不是很会java)

学习一下java的crypto包和这个什么

import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
import javax.crypto.Cipher; //crypto包快速入口 :https://nowjava.com/docs/java-api-11/java.base/javax/crypto/package-summary.html
import javax.crypto.CipherOutputStream;
import javax.crypto.spec.SecretKeySpec; //aeskey 生成使用
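/**
 * Solver for the "normal15" challenge: enumerates the three unknown key bytes and peels ten
 * layers of AES/ECB/PKCS5Padding off the embedded ciphertext.
 *
 * <p>For layer {@code a} (counted down from 10 to 1) the AES key is the three-byte seed hashed
 * with MD5 {@code a} times. Repeated hashing does not enlarge the key space: the seed has at
 * most 2^24 values, which is why exhaustive search is practical here. ECB also carries no IV
 * and no integrity check, so a candidate can only be judged by how its plaintext looks.
 */
public class n15decode {

    /**
     * Tries every seed in the enumerated range and prints each plaintext that passes
     * {@link #looksLikeFlag(byte[])}. The filter is loose, so false positives may be printed
     * next to the real flag.
     *
     * @param args unused
     * @throws Exception if MD5 or AES is unavailable, or the embedded hex string is malformed
     */
    public static void main(String[] args) throws Exception {
        String data = "74f0b165db8a628716b53a9d4f6405980db2f833afa1ed5eeb4304c5220bdc0b541f857a7348074b2a7775d691e71b4904026"
                + "21e8a53bad4cf7ad4fcc15f20a8066e087fc1b2ffb21c27463b5737e34738a6244e1630d8fa1bf4f38b7e71d707425c8225f240f4bd2b"
                + "03d6c2471e900b75154eb6f9dfbdf5a4eca9de5163f9b3ee82959f166924e8ad5f1d744c51416a1db89638bb4d1411aa1b1307d88c1fb5";
        // The ciphertext never changes and decrypt() does not modify its input, so decode once.
        byte[] cipherText = bytelize(data);

        // NOTE(review): bounds kept from the original listing. They never try 0x00 in any
        // position nor 0x01 in the first, so this is slightly less than the full 2^24 space.
        for (int i = 255; i > 1; i--) {
            for (int j = 255; j > 0; j--) {
                for (int k = 255; k > 0; k--) {
                    byte[] seed = {(byte) i, (byte) j, (byte) k};
                    byte[] flag = cipherText;
                    for (int a = 10; a > 0; a--) {
                        // Layer a uses MD5 applied a times to the seed.
                        byte[] roundKey = hash(seed);
                        for (int b = 0; b < a - 1; b++) {
                            roundKey = hash(roundKey);
                        }
                        flag = decrypt(flag, roundKey);
                    }
                    if (looksLikeFlag(flag)) {
                        System.out.println(new String(flag, "utf-8"));
                    }
                }
            }
        }
    }

    /**
     * Heuristic plaintext filter: the first three bytes are printable ASCII (33..126) and a
     * '{' occurs somewhere in the buffer.
     *
     * <p>Buffers shorter than three bytes are rejected instead of being indexed, because a
     * wrong key can leave {@link #decrypt(byte[], byte[])} with a truncated result.
     */
    private static boolean looksLikeFlag(byte[] candidate) {
        if (candidate.length < 3) {
            return false;
        }
        for (int p = 0; p < 3; p++) {
            if (candidate[p] <= 32 || candidate[p] >= 127) {
                return false;
            }
        }
        for (byte value : candidate) {
            if (value == '{') {
                return true;
            }
        }
        return false;
    }

    /**
     * Decrypts {@code in} with AES/ECB/PKCS5Padding under {@code key}.
     *
     * <p>The data goes through a {@link CipherOutputStream}, whose class documentation says it
     * may catch {@code BadPaddingException} and similar failures without re-throwing them. A
     * wrong key therefore tends to yield a shortened buffer rather than an exception, and a
     * returned value is not proof that the key was right.
     *
     * <p>SecretKeySpec reference:
     * https://docs.oracle.com/javase/7/docs/api/javax/crypto/spec/SecretKeySpec.html
     *
     * @param in  ciphertext bytes
     * @param key raw AES key (the 16-byte MD5 output in this program)
     * @return whatever plaintext the stream produced
     * @throws Exception if the cipher cannot be created or initialised, or on stream I/O errors
     */
    public static byte[] decrypt(byte[] in, byte[] key) throws Exception {
        SecretKeySpec aesKey = new SecretKeySpec(key, "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, aesKey);
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        // try-with-resources closes the stream (and finalises the cipher) even if write() fails.
        try (CipherOutputStream stream = new CipherOutputStream(plain, cipher)) {
            stream.write(in);
        }
        return plain.toByteArray();
    }

    /**
     * Returns the MD5 digest of {@code in}.
     *
     * <p>MD5 is used only because the analysed app derives its keys with it; it is not a
     * suitable key-derivation function for new designs.
     *
     * @param in bytes to hash
     * @return the 16-byte digest
     * @throws Exception if the MD5 algorithm is not available
     */
    public static byte[] hash(byte[] in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(in);
        return md.digest();
    }

    /**
     * Converts a hex string into the bytes it encodes.
     *
     * <p>The previous loop advanced the read index by two but stopped at half the string
     * length, so only the first half of the input was decoded and the rest of the array stayed
     * zero. Each output byte is now read from its own pair of hex digits.
     *
     * @param hex hexadecimal text with an even number of digits
     * @return the decoded bytes, {@code hex.length() / 2} of them
     * @throws IllegalArgumentException if the length is odd or a character is not a hex digit
     */
    public static byte[] bytelize(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("hex string has odd length: " + hex.length());
        }
        byte[] decoded = new byte[hex.length() / 2];
        for (int idx = 0; idx < decoded.length; idx++) {
            int start = idx * 2;
            decoded[idx] = (byte) Integer.parseInt(hex.substring(start, start + 2), 16);
        }
        return decoded;
    }
}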

这题,不是很会用java,借鉴了一下wp

flag{justrun}