测试文件:https://static2.ichunqiu.com/icq/resources/fileupload/phrackCTF/REVERSE/Crackme.smali
参考资料:https://www.cnblogs.com/lz2017/p/6917049.html
1.文件分析
使用SmaliJavaUI反编译文件,得到
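/**
 * Generated by smali2java 1.0.0.558
 * Copyright (C) 2013 Hensence.com
 */

package net.bluelotus.tomorrow.easyandroid;

import android.util.Base64;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import javax.crypto.NoSuchPaddingException;
import java.security.InvalidKeyException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.BadPaddingException;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.GeneralSecurityException;

/**
 * CTF crackme that decrypts an embedded ciphertext with an embedded AES key and prints it.
 *
 * <p>This listing is a cleaned-up form of the smali2java output. The decompiler printed
 * local variable names as quoted strings and wrote {@code String "m" = 0x0}, so the raw
 * output does not compile.
 *
 * <p>Security note: the key and the ciphertext both ship inside the class, so the
 * encryption gives no confidentiality against anyone holding the package. Both values can
 * be read by static analysis. An application that needs to protect data would keep the
 * secret off the device or in the Android Keystore, and would use an authenticated mode
 * such as {@code AES/GCM/NoPadding} rather than ECB.
 */
public class Crackme {
    /** Base64 of the AES key material; it decodes to 16 bytes, i.e. an AES-128 key. */
    private String str2 = "cGhyYWNrICBjdGYgMjAxNg==";

    /** Decrypts and prints the embedded ciphertext as a side effect of construction. */
    public Crackme() {
        GetFlag("sSNnx1UKbYrA1+MOrdtDTA==");
    }

    /**
     * Base64-decodes the ciphertext argument and the stored key, then prints the decrypted text.
     *
     * @param p1 Base64 text of the ciphertext
     * @return always {@code null}, as in the decompiled output; the plaintext is only printed
     */
    private String GetFlag(String p1) {
        // 0x0 in the decompiled output is Base64.DEFAULT.
        byte[] content = Base64.decode(p1.getBytes(StandardCharsets.UTF_8), Base64.DEFAULT);
        // The key makes a bytes -> String -> bytes round trip, which is lossless only
        // because this particular key is plain ASCII text.
        String kk = new String(
                Base64.decode(str2.getBytes(StandardCharsets.UTF_8), Base64.DEFAULT),
                StandardCharsets.UTF_8);
        System.out.println(decrypt(content, kk));
        return null;
    }

    /**
     * Decrypts one buffer with AES/ECB/NoPadding; one decoded value is the key and the
     * other is the AES-encrypted data.
     *
     * @param p1 ciphertext bytes; with NoPadding the length must be a multiple of 16
     * @param p2 key text whose bytes are used directly as the AES key
     * @return the decrypted text, or {@code null} if the cipher could not be set up or run
     */
    private String decrypt(byte[] p1, String p2) {
        String m = null;
        try {
            byte[] keyStr = p2.getBytes(StandardCharsets.UTF_8);
            SecretKeySpec key = new SecretKeySpec(keyStr, "AES");
            Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
            // 0x2 in the decompiled output is Cipher.DECRYPT_MODE.
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] result = cipher.doFinal(p1);
            // NOTE(review): the decompiled listing computes result and then returns m
            // unchanged (null). The assignment was presumably lost by smali2java; confirm
            // against Crackme.smali.
            m = new String(result, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // getInstance, init and doFinal throw several checked exceptions, all of them
            // subclasses of GeneralSecurityException; catching only
            // NoSuchPaddingException would not compile.
            e.printStackTrace();
        }
        return m;
    }
}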
2.脚本获取
由反编译结果可知:str2 经 Base64 解码后作为 AES 密钥,构造函数传入的字符串经 Base64 解码后为密文,算法为 AES/ECB/NoPadding。据此编写解密脚本:
import base64

from Crypto.Cipher import AES

# Both constants are copied verbatim from the decompiled Crackme class:
# the first is the Base64 of the AES key, the second the Base64 of the ciphertext.
aes_key = base64.b64decode("cGhyYWNrICBjdGYgMjAxNg==")
ciphertext = base64.b64decode("sSNnx1UKbYrA1+MOrdtDTA==")

# The Java code uses AES/ECB/NoPadding, so a plain ECB decrypt with no unpadding
# step reproduces it. The result is printed as raw bytes.
plaintext = AES.new(aes_key, AES.MODE_ECB).decrypt(ciphertext)
print(plaintext)
3.get flag!
PCTF{Sm4liRiver}