不会吧,直接给class文件还不会做吗
用jadx打开:

```java
package defpackage;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Scanner;

/* renamed from: xor3 reason: default package */
/* loaded from: xor3.class */
public class xor3 {
    private static final byte[] TARGET = {17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31};

    public static void hello() {
        System.out.println("Hello, can you reverse it too");
    }

    public static void main(String[] strArr) {
        hello();
        System.out.println("please enter your flag");
        Scanner scanner = new Scanner(System.in);
        String nextLine = scanner.nextLine();
        scanner.close();
        byte[] bytes = nextLine.getBytes(StandardCharsets.ISO_8859_1);
        byte[] bArr = new byte[bytes.length];
        for (int i = 0; i < bytes.length; i++) {
            bArr[i] = (byte) (bytes[i] ^ 98);
        }
        System.out.print("your xor result is:[");
        for (int i2 = 0; i2 < bArr.length; i2++) {
            if (i2 > 0) {
                System.out.print(/* separator literal lost in extraction */);
            }
            System.out.printf("%d", Integer.valueOf(bArr[i2] & 255));
        }
        System.out.println("]");
        if (Arrays.equals(bArr, TARGET)) {
            System.out.println("Congratulations! You have successfully solved the challenge");
        } else {
            System.out.println("Sorry, you have failed the challenge");
        }
    }
}
```

依旧ai提示词学习代码。

关键点在于把输入与98异或。注意255按位与是在输出时进行,不影响比较。

我们只需要把 TARGET = {17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31}; 与98异或就可以。

使用工具的过程中出现了一点问题:cyberchef和随波逐流一开始都不好用,发给ai说是把17识别成1和7了...仍不知道如何把输入的类型改为数字而不是文本....

解决方法是先转成16进制。但是问题又来了,这俩工具在转换进制的使用也会识别错误。

换一个工具:https://www.rapidtables.com/convert/number/decimal-to-hex.html

转换结果:11 06 12 01 19 07 12 15 0C 12 15 0C 12 15 0C 12 15 0C 1F,与62进行16进制异或(十六进制62即十进制98)。

或者干脆别折腾了,老老实实学python:

```python
TARGET = [17, 6, 18, 1, 25, 16, 7, 18, 21, 12, 18, 21, 12, 18, 21, 12, 31]
result = []
for i in TARGET:
    result.append(chr(i ^ 98))
print("".join(result))
```

sdpc{repwnpwnpwn}

upx

放到Exeinfo PE看一眼:Detected UPX!

先脱壳,然后放ida:

```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  double v3; // xmm0_8
  int random_number; // [rsp+4h] [rbp-4Ch]
  _BYTE v6[56]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v7; // [rsp+48h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  puts(" UPX Packed Program with Hidden Flag ");
  puts("This program is packed with UPX for demonstration purposes.");
  puts("Try to unpack it using UPX or other unpacking tools!\n");
  useless_function("Try to unpack it using UPX or other unpacking tools!\n", argv);
  another_useless_function();
  random_number = generate_random_number();
  printf("Random number: %d\n", random_number);
  v3 = complex_calculation(100);
  printf("Complex calculation result: %.2f\n", v3);
  printf("\nEnter the flag to verify: ");
  __isoc99_scanf("%49s", v6);
  if ( (unsigned int)validate_input(v6) )
    puts("\nCongratulations! You found the correct flag!");
  else
    puts("\nIncorrect flag. Please try again.");
  return 0;
}
```

前面输出的两个随机数是烟雾弹。

关键部分:

```c
__isoc99_scanf("%49s", v6);
if ( (unsigned int)validate_input(v6) )
  puts("\nCongratulations! You found the correct flag!");
```

`__isoc99_scanf("%49s", v6);`

__isoc99_scanf是scanf的标准版本,_isoc99是GLIBC里的版本标记。

- scanf — C 标准库函数,读用户输入
- __isoc99_scanf — 编译时链接到了 ISO C99 标准版本的 scanf,功能完全一样,只是符号名带版本后缀
- %49s — 读字符串,限制长度 49,防止溢出
- v6 — 就是一个 char v6[56] 数组,用来存你输入的 flag

跟进validate_input(v6)看逻辑:

```c
_BOOL8 __fastcall validate_input(const char *s1)
{
  char s2[56]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v3; // [rsp+48h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  decrypt_flag((__int64)s2);
  return strcmp(s1, s2) == 0;
}
```

v3是金丝雀。

跟进decrypt_flag函数:

__int64 __fastcall decrypt_flag(__int64 p_s2) { __int64 result; // rax int i; // [rsp10h] [rbp-8h] for ( i 0; ; i ) { result encrypted_flag[i]; if ( !(_BYTE)result ) break; *(_BYTE *)(i p_s2) xor_key[i % 14] ^ encrypted_flag[i]; } return result;