从main函数开始看,发现在check的时候加载了assets目录中的一个dex文件,跟进后发现加载逻辑在FileUtils里面。
主要逻辑在copyfile函数之中:对文件内容进行异或处理。注意这里以1024字节为一组进行解密,每一组的密钥下标都从头开始。
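# Recover the dex that the app ships XOR-obfuscated in its assets (saved
# locally as 'ooo') so it can be opened in a decompiler.
#
# Per the write-up, the app's copyfile routine processes the file in
# 1024-byte groups. The key index restarts at 0 for every group, and 1024 is
# not a multiple of len(key), so the chunk size used here has to match the
# app's: with any other size everything after the first group decodes wrong.
# Sanity check for the result: a correctly decoded file starts with the DEX
# magic b'dex\n'.
key = b'vn2022'
CHUNK_SIZE = 1024

# Plain 'rb'/'wb' is sufficient (the input is never written to, the output is
# never read back), and the with-block closes both handles and flushes the
# output even if the loop raises.
with open(r'ooo', 'rb') as f1, open(r'dex', 'wb') as f2:
    while True:
        s = f1.read(CHUNK_SIZE)
        if not s:
            break
        # enumerate() restarts at 0 for each chunk, which is exactly the
        # per-group key reset described above.
        f2.write(bytes(b ^ key[i % len(key)] for i, b in enumerate(s)))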
得到dex后我们用jadx打开,主要加密逻辑为xxtea。
而且程序先把字节数据按小端序转成了int,所以用下面的脚本对密钥和密文做同样的转换。
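def _pack_le32(data):
    """Pack a sequence of byte values into little-endian 32-bit words.

    Byte ``i`` lands in word ``i // 4`` at bit offset ``8 * (i % 4)``. Each
    element is masked to its low 8 bits first, so entries written as
    sign-extended 32-bit values (e.g. ``0xffffffa4``) contribute only
    ``0xa4``. The word count is derived from the input length; a trailing
    partial word is zero-padded in its high bytes.
    """
    words = [0] * ((len(data) + 3) // 4)
    for idx, value in enumerate(data):
        words[idx >> 2] |= (value & 0xFF) << ((idx & 3) << 3)
    return words


# 16-byte XXTEA key string, packed into the four 32-bit key words.
a = b'H4pPY_VNCTF!!OvO'
r = _pack_le32(a)
print(''.join(hex(w) + ',' for w in r))

# Ciphertext bytes as copied from the decompiler output; the 0xffffff..
# entries are presumably sign-extended Java bytes, hence the masking above.
c = [0x44, 0x27, 0xffffffa4, 0x6c, 0xffffffae, 0xffffffee, 0x48, 0xffffffc9,
     0x4a, 0xffffffc8, 0x26, 0x0b, 0x3c, 0x54, 0x61, 0xffffffd8,
     0x57, 0x47, 0x63, 0xffffffae, 0x78, 0x68, 0x2f, 0xffffffb9,
     0xffffffc6, 0xffffffc7, 0x00, 0x21, 0x2a, 0x26, 0xffffffd4, 0xffffffd9,
     0xffffffc4, 0x71, 0xfffffffe, 0x5c, 0xffffffb5, 0x76, 0xffffffb3, 0x32,
     0xffffff87, 0x2b, 0x20, 0xffffff96]
# 44 bytes -> 11 words; sizing from len(c) avoids an IndexError if the
# ciphertext is ever replaced by one of a different length.
enc = _pack_le32(c)
print(''.join(hex(w) + ',' for w in enc), end='')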
得到密钥和密文
再写脚本解密
#include <stdio.h>
#include <stdint.h>
#include <windows.h>
/* Per-round increment of the running sum. */
#define DELTA 0x9e3779b9
/* Mixing function; expands in place and reads the locals y, z, sum, p, e and
 * the parameter key of the enclosing function, so those names must not be
 * changed inside btea. */
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

/*
 * XXTEA over a buffer of 32-bit words, transformed in place.
 *
 *   v    buffer of |n| words; there is no bounds checking, the caller must
 *        supply at least |n| valid words
 *   n    n > 1 encrypts n words, n < -1 decrypts -n words; for n in
 *        {-1, 0, 1} the buffer is left untouched
 *   key  four 32-bit key words
 *
 * The number of rounds is 6 + 52/|n|.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    unsigned last;

    if (n > 1)
    {
        /* Encrypt: walk the buffer front to back in every round. */
        last = n - 1;
        sum = 0;
        z = v[last];
        for (rounds = 6 + 52/n; rounds != 0; rounds--)
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            p = 0;
            while (p < last)
            {
                y = v[p+1];
                v[p] += MX;
                z = v[p];
                p++;
            }
            /* p == last here: the final word wraps around to v[0]. */
            y = v[0];
            v[last] += MX;
            z = v[last];
        }
        return;
    }

    if (n < -1)
    {
        /* Decrypt: start from the final sum and undo the rounds, walking
         * the buffer back to front. */
        n = -n;
        last = n - 1;
        rounds = 6 + 52/n;
        sum = rounds*DELTA;
        y = v[0];
        while (rounds != 0)
        {
            e = (sum >> 2) & 3;
            for (p = last; p != 0; p--)
            {
                z = v[p-1];
                v[p] -= MX;
                y = v[p];
            }
            /* p == 0 here: the first word wraps around to v[last]. */
            z = v[last];
            v[0] -= MX;
            y = v[0];
            sum -= DELTA;
            rounds--;
        }
    }
}
int main() {
    /* The four key words: b"H4pPY_VNCTF!!OvO" packed little-endian, i.e. the
     * first line printed by the Python packing script. */
    uint32_t key[4] = {0x50703448, 0x4e565f59, 0x21465443, 0x4f764f21};

    /* The 11 ciphertext words from the same script, followed by one zero
     * word that serves as the string terminator after decryption. */
    uint32_t v[12] = {
        0x6ca42744, 0xc948eeae, 0x0b26c84a, 0xd861543c,
        0xae634757, 0xb92f6878, 0x2100c7c6, 0xd9d4262a,
        0x5cfe71c4, 0x32b376b5, 0x96202b87, 0
    };

    /* A negative word count selects decryption; v[11] is not touched. */
    btea(v, -11, key);

    /* The words are reinterpreted as bytes in host order, so the text only
     * comes out right on a little-endian machine. */
    fputs((const char *)v, stdout);
    return 0;
}