CyBRICS 2019 逆向 Matreshka label: Java DES

解压题目给出的压缩包,得到Code2.class和data.bin两个文件。
推测需要利用class中的逻辑解密data.bin。
使用 http://www.javadecompilers.com/ 上的Procyon反编译class文件,代码如下:

import java.io.FileOutputStream;
import java.io.FileInputStream;
import java.io.File;
//下面都是java DES涉及到的库
import javax.crypto.SecretKey;
import java.security.Key;
import javax.crypto.Cipher;
import java.security.spec.KeySpec;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.SecretKeyFactory;

// 
// Decompiled by Procyon v0.5.36
// 

class Code2
{
    /**
     * Decrypts {@code input} with single DES, keyed by the bytes of {@code s}.
     *
     * <p>The transformation string is the bare "DES", so block mode and padding are
     * the JCE provider defaults (ECB with PKCS5 padding on the stock SunJCE provider).
     * {@code s.getBytes()} uses the platform default charset, and {@link DESKeySpec}
     * only consumes the first 8 bytes of the key material.
     *
     * @param input ciphertext to decrypt
     * @param s     key text; must encode to at least 8 bytes
     * @return the recovered plaintext
     * @throws Exception if the key material is too short or the ciphertext/padding is invalid
     */
    public static byte[] decode(final byte[] input, final String s) throws Exception {
        final DESKeySpec keySpec = new DESKeySpec(s.getBytes());
        final SecretKey desKey = SecretKeyFactory.getInstance("DES").generateSecret(keySpec);
        final Cipher des = Cipher.getInstance("DES");
        // Cipher.DECRYPT_MODE is the constant 2 that the decompiler printed as a literal.
        des.init(Cipher.DECRYPT_MODE, desKey);
        return des.doFinal(input);
    }
    
    /**
     * Encrypts {@code input} with single DES, keyed by the bytes of {@code s}.
     *
     * <p>Same key derivation and provider-default transformation as {@link #decode}.
     * The only caller in this class passes the hard-coded key "matreha!".
     *
     * @param input plaintext to encrypt
     * @param s     key text; must encode to at least 8 bytes
     * @return the ciphertext
     * @throws Exception if the key material is too short or the cipher cannot be set up
     */
    public static byte[] encode(final byte[] input, final String s) throws Exception {
        final DESKeySpec keySpec = new DESKeySpec(s.getBytes());
        final SecretKey desKey = SecretKeyFactory.getInstance("DES").generateSecret(keySpec);
        final Cipher des = Cipher.getInstance("DES");
        // Cipher.ENCRYPT_MODE is the constant 1 that the decompiler printed as a literal.
        des.init(Cipher.ENCRYPT_MODE, desKey);
        return des.doFinal(input);
    }
    
    /**
     * Checks the local user name against an embedded ciphertext and, on a match,
     * decrypts data.bin into stage2.bin using that user name as the DES key.
     *
     * <p>Prints "No" and returns at the first mismatching byte.
     *
     * @param array command-line arguments (unused)
     * @throws Exception on any crypto or file I/O failure
     */
    public static void main(final String[] array) throws Exception {
        // Expected ciphertext of the intended user.name under the hard-coded key.
        // Java bytes are signed 8-bit values, which is why some entries are negative.
        final byte[] expected = { 76, -99, 37, 75, -68, 10, -52, 10, -5, 9, 92, 1, 99, -94, 105, -18 };
        // System.getProperty("user.name") is the account name of whoever runs the program
        // (on the write-up author's machine it is "PyrricVictory").
        final byte[] actual = encode(System.getProperty("user.name").getBytes(), "matreha!");
        // The loop is bounded by the expected length only, so it assumes the produced
        // ciphertext has at least that many bytes.
        int idx = 0;
        while (idx < expected.length) {
            if (expected[idx] != actual[idx]) {
                System.out.println("No");
                return;
            }
            idx++;
        }
        final File dataFile = new File("data.bin");
        final FileInputStream in = new FileInputStream(dataFile);
        final byte[] encrypted = new byte[(int) dataFile.length()];
        // Single read call; its return value (bytes actually read) is not checked.
        in.read(encrypted);
        in.close();
        // The same user name that passed the check is the decryption key for the payload.
        final byte[] stage2 = decode(encrypted, System.getProperty("user.name"));
        final FileOutputStream out = new FileOutputStream("stage2.bin");
        out.write(stage2);
        out.flush();
        out.close();
    }
}


java程序流程

首先,对当前电脑的username做key为matreha!的DES加密,将加密结果与array2逐字节比较,只要有一个字节不等就输出"No"并从main函数返回。
之后,以username为key对data.bin的数据做DES解密,把解密后的数据写入stage2.bin。

java程序静态分析

1.推出出题人的username
已知加密方式为DES,key为matreha!,密文为76, -99, 37, 75, -68, 10, -52, 10, -5, 9, 92, 1, 99, -94, 105, -18。DES是对称加密,用同一个key对这16字节密文解密,即可推出username。
2.简化代码
分析之后,我们关注的只是正确得到stage2.bin这个文件,那么我们只关注username的值,所以可将代码简化为

//新建txt保存为simplify.java

import java.io.FileOutputStream;
import java.io.FileInputStream;
import java.io.File;
//下面都是java DES涉及到的库
import javax.crypto.SecretKey;
import java.security.Key;
import javax.crypto.Cipher;
import java.security.spec.KeySpec;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.SecretKeyFactory;

// 
// Decompiled by Procyon v0.5.36
// 

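class Code2
{
    /**
     * Runs single DES over {@code input} in the given cipher mode.
     *
     * <p>The transformation string is the bare "DES", so block mode and padding are
     * the JCE provider defaults (ECB with PKCS5 padding on the stock SunJCE provider).
     * {@link DESKeySpec} only consumes the first 8 bytes of {@code keyBytes}.
     *
     * @param mode     {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @param input    data to transform
     * @param keyBytes raw key material, at least 8 bytes
     * @return the transformed data
     * @throws Exception if the key material is too short or the input/padding is invalid
     */
    private static byte[] crypt(final int mode, final byte[] input, final byte[] keyBytes) throws Exception {
        final SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(keyBytes));
        final Cipher cipher = Cipher.getInstance("DES");
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    /**
     * Decrypts {@code input} with DES, keyed by {@code s.getBytes()} (platform default charset).
     *
     * @param input ciphertext to decrypt
     * @param s     key text; must encode to at least 8 bytes
     * @return the recovered plaintext
     * @throws Exception if the key material is too short or the ciphertext/padding is invalid
     */
    public static byte[] decode(final byte[] input, final String s) throws Exception {
        return crypt(Cipher.DECRYPT_MODE, input, s.getBytes());
    }

    /**
     * Encrypts {@code input} with DES, keyed by {@code s.getBytes()} (platform default charset).
     *
     * @param input plaintext to encrypt
     * @param s     key text; must encode to at least 8 bytes
     * @return the ciphertext
     * @throws Exception if the key material is too short or the cipher cannot be set up
     */
    public static byte[] encode(final byte[] input, final String s) throws Exception {
        return crypt(Cipher.ENCRYPT_MODE, input, s.getBytes());
    }

    /**
     * Reads the whole file into memory.
     *
     * <p>A single {@code read} call may return fewer bytes than requested, so this loops
     * until the buffer is full and fails loudly if the file ends early.
     *
     * @param file file to read
     * @return the file contents
     * @throws Exception if the file cannot be opened or ends before its reported length
     */
    private static byte[] readFully(final File file) throws Exception {
        final byte[] buffer = new byte[(int) file.length()];
        try (FileInputStream in = new FileInputStream(file)) {
            int filled = 0;
            while (filled < buffer.length) {
                final int n = in.read(buffer, filled, buffer.length - filled);
                if (n < 0) {
                    throw new IllegalStateException(
                            file + " ended after " + filled + " of " + buffer.length + " bytes");
                }
                filled += n;
            }
        }
        return buffer;
    }

    /**
     * Recovers the DES key for data.bin from the embedded check value and writes the
     * decrypted payload to stage2.bin.
     *
     * <p>The original program's user.name comparison is intentionally left out: instead of
     * guessing a name that encrypts to {@code array2}, the check value is decrypted with
     * the hard-coded key.
     *
     * @param array command-line arguments (unused)
     * @throws Exception on any crypto or file I/O failure
     */
    public static void main(final String[] array) throws Exception {
        // Ciphertext the original program compares against; Java bytes are signed 8-bit,
        // which is why some entries are negative.
        final byte[] array2 = { 76, -99, 37, 75, -68, 10, -52, 10, -5, 9, 92, 1, 99, -94, 105, -18 };
        // Keep the recovered key as raw bytes. Converting it to a String and back goes
        // through the platform default charset, which can alter non-ASCII bytes.
        final byte[] userName = crypt(Cipher.DECRYPT_MODE, array2, "matreha!".getBytes());
        final byte[] decode = crypt(Cipher.DECRYPT_MODE, readFully(new File("data.bin")), userName);
        // The output is the next stage of the challenge and is written as-is, unvalidated.
        // try-with-resources closes (and thereby flushes) the stream even if the write fails.
        try (FileOutputStream fileOutputStream = new FileOutputStream("stage2.bin")) {
            fileOutputStream.write(decode);
        }
    }
}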

3.编译并运行java

cd到题目目录
javac simplify.java
java Code2
//之后同一目录下会出现一个stage2.bin

stage2.bin golang分析

pyc分析
