JavaCM
本帖最后由 LoRyu 于 2020-12-18 20:59 编辑
java写的,易语言启动需要有java环境
-----------------------------------------
12/18 19:09
之前那个有点小问题,更新了下附件
-----------------------------------------
12/18 20:56
一开始那个有aes加密之类的,所以更新了下附件,但是现在有大佬解出了那个版本,我还是把那个版本放回来。
本帖最后由 solly 于 2020-12-18 20:46 编辑
LoRyu 发表于 2020-12-18 20:02
大佬能说下怎么整的吗
先取得临时目录下的 CrackMe.jar、Check.class.CrackMe 和 Frame.class.CrackMe 这三个文件。
创建一个 java project,并把 CrackMe.jar 加入java build path,利用反射,调用 lllllllllllllll.class 的方法,取得 cn.loryu.crackme.CrackMe 和另一个 ClassLoader:cn.loryu.crackme.a,然后再调用 cn.loryu.crackme.a 中的方法,取得 cn.loryu.crackme.Frame 和 cn.loryu.crackme.Check,而这两个文件都没有混淆,通过 cn.loryu.crackme.Check 可直接逆得前面发的注册机。
下面是取得这4个文件的源码:
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
public class StartCrk {
// Output root: both saveClass overloads write the recovered .class files below this
// directory, one sub-folder per package segment. Hard-coded to the author's machine.
static String basePath = "I:\\Downloads\\crack\\000\\CrackMe_java3\\";
// Directory main() reads Check.class.CrackMe and Frame.class.CrackMe from. The post says
// these files are first copied out of the temp directory. Also machine-specific.
static String tempDir= "F:\\temp\\";
/**
 * Drives the obfuscated loader class {@code lllllllllllllll} (expected on the build path via
 * CrackMe.jar) through reflection. It reads the loader's static fields, uses the loader's
 * {@code loadClass} to obtain {@code cn.loryu.crackme.CrackMe} and the second class loader
 * {@code cn.loryu.crackme.a}, prints the strings returned by {@code CrackMe.a(int,int,int)},
 * and finally calls {@code a.a(short, File, String, long)} to obtain the bytes of
 * {@code Check} and {@code Frame}, which are written out with {@code saveClass}.
 *
 * NOTE(review): this listing lost its array subscripts when it was posted (see
 * {@code new String;}, {@code ss];}, {@code value_a = ll + ll;}), so it does not compile as
 * shown. The index values into {@code ll} and {@code ss} cannot be recovered from the page.
 *
 * NOTE(review): Class.forName, newInstance and Method.invoke all execute code from the
 * target jar inside this JVM with the analyst's own privileges. For a sample that is not
 * trusted, run this in a disposable, isolated environment.
 *
 * @param args only referenced by the commented-out call to CrackMe.main
 */
public static void main(String[] args) {
// TODO Auto-generated method stub
try {
// Class.forName initialises the loader class (its static initialiser runs here).
Class<?> crk = Class.forName("lllllllllllllll");
/////
// Runs the loader's no-arg constructor. NOTE(review): Class.newInstance() is deprecated
// since Java 9; getDeclaredConstructor().newInstance() is the replacement.
Object obj = crk.newInstance();
/////
Method m = crk.getMethod("loadClass", String.class);
m.setAccessible(true);
// Private static state of the loader, opened up for reading.
// NOTE(review): the trailing "int" notes on lIIl and llI do not match the casts further
// down, which read them as int[] and byte[].
Field f0 = crk.getDeclaredField("lll");//// String[]
f0.setAccessible(true);
Field f1 = crk.getDeclaredField("lIIl"); ///// int
f1.setAccessible(true);
Field f2 = crk.getDeclaredField("llI"); ///// int
f2.setAccessible(true);
//String className1 = f0];
// n1 is only referenced by the commented-out dump loop below.
int n1 = 58;
//int i[] = new int;
int ii[] = (int[])f1.get(null);
// System.out.print("int lIIl[] = {");
// for(int j=0; j<n1; j++) {
// System.out.print(ii + ",");
// }
// System.out.println("}");
// n2 is only referenced by the commented-out dump loop below.
int n2 = 34;
byte ii2[] = (byte[])f2.get(null);
// System.out.print("int llI[] = {");
// for(int j=0; j<n2; j++) {
// System.out.print(ii2 + ",");
// }
// System.out.println("}");
//int n2 = 3;
//String s[] = new String;
String ss[] = (String[])f0.get(null);
// NOTE(review): the three prints and the className assignment lost their subscripts;
// which element of lll holds the class name cannot be told from this listing.
System.out.println("0: " + ss);
System.out.println("1: " + ss);
System.out.println("2: " + ss);
String className = ss];
System.out.println("class Name: " + className);
/////
// Dump CrackMe and the second loader through the first loader's own private
// decode/decrypt methods (done in saveClass(String)).
saveClass("cn.loryu.crackme.CrackMe");
saveClass("cn.loryu.crackme.a");
//saveClass("cn.loryu.crackme.Check");
//saveClass("cn.loryu.crackme.Frame");
// Subscripts lost: presumably a one-element argument array for loadClass(String) - confirm.
Object params[] = new String;
params = className;
Class<?> claz2 = (Class<?>)m.invoke(obj, params); //// Class: cn.loryu.crackme.CrackMe
if(claz2 != null) {
System.out.println("load class success: " + params);
/////
// Instantiating CrackMe runs its constructor; obj2 itself is not used afterwards.
Object obj2 = (claz2).newInstance();
// List the declared methods and fields of CrackMe for orientation.
Method mth[] = claz2.getDeclaredMethods();
for(int k=0; k<mth.length; k++) {
System.out.println("method: " + mth);
}
Field fld[] = claz2.getDeclaredFields();
for(int k=0; k<fld.length; k++) {
System.out.println("field: " + fld);
}
// param_type_main / param_value_main are only used by the commented-out invoke below.
Class param_type_main[] = new Class;
param_type_main = String[].class;
Object param_value_main[] = new Object;
param_value_main = args;
//// this is where the crackme itself would be run
// claz2.getDeclaredMethod("main", param_type_main).invoke(null, param_value_main);
// flag2 is flag1 XOR a constant; further down it is split into the short and long
// arguments passed to a.a(...). flag1 truncated to int is the third argument of
// every CrackMe.a(int,int,int) call.
long flag1 = 0x274c89061a03L;
long flag2 = flag1 ^ 0x2e660bfc3229L;
//// field
Field f5 = claz2.getDeclaredField("ll");//// int[]
f5.setAccessible(true);
// n5 is only referenced by the commented-out dump loop below.
int n5 = 281;
int ll[] = (int[])f5.get(null);
// System.out.print("int llI[] = {");
// for(int j=0; j<n5; j++) {
// System.out.print(ll + ",");
// }
// System.out.println("}");
//// java.lang.String cn.loryu.crackme.CrackMe.a(int,int,int)
// type_a is filled in but never passed on; the calls below spell out int.class three times.
Class<?> type_a[] = new Class;
type_a = int.class;
type_a = int.class;
type_a = int.class;
// Subscripts lost: each group of three assignments presumably fills value_a[0..2] from
// entries of ll that the listing no longer shows. The trailing comment on each println
// is the string the author recorded for that call.
int value_a[] = new int;
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls0 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 1: " + cls0); //// java.io.tmpdir
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls1 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 2: " + cls1); //// cn.loryu.crackme.Check
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls2 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 3: " + cls2); //// cn.loryu.crackme.Frame
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls3 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 4: " + cls3); //// Check.class.CrackMe
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls4 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 5: " + cls4); //// Frame.class.CrackMe
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls5 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 6: " + cls5); //// CBEA62C4FB252CEAAE4980645286D6FE2901C8802FC8AB89
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls6 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 7: " + cls6); //// 1F31F140088A5DA2BF202AE3862F206232087A15C4C2C4A1
value_a = ll + ll;
value_a = ll - ll;
value_a = (int)flag1;
String cls7 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 8: " + cls7); //// cn.loryu.crackme.Check
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls8 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 9: " + cls8); //// cn.loryu.crackme.Frame
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls9 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 10: " + cls9); //// cn.loryu.crackme.Check
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls10 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("obj 11: " + cls10); //// cn.loryu.crackme.Frame
//System.out.println("obj 12: " + ll); //// addListeners
value_a = ll + ll;
value_a = ll + ll;
value_a = (int)flag1;
String cls11 = (String)claz2.getDeclaredMethod("a", int.class, int.class, int.class).invoke(null, value_a, value_a, value_a);
System.out.println("method 1: " + cls11); //// addListeners
//// get classloader cn.loryu.crackme.a
// The second loader is fetched through the first loader's loadClass and instantiated.
String className_a = "cn.loryu.crackme.a";
//Class<?> cls_a = Class.forName(className_a);
Object params_a[] = new String;
params_a = className_a;
Class<?> cls_a = (Class<?>)m.invoke(obj, params_a); //// Class: cn.loryu.crackme.a
Object cls_a_obj = cls_a.newInstance();
// List the declared methods and fields of the second loader.
Method mth2[] = cls_a.getDeclaredMethods();
for(int k=0; k<mth2.length; k++) {
System.out.println("a.method: " + mth2);
}
Field fld2[] = cls_a.getDeclaredFields();
for(int k=0; k<fld2.length; k++) {
System.out.println("a.field: " + fld2);
}
//// loadClass
// Class<?> cls_check = (Class<?>)cls_a.getMethod("loadClass", String.class).invoke(cls_a_obj, "cn.loryu.crackme.Check");
// if(cls_check != null) {
// System.out.println("load class ok: " + cls_check.getName());
// } else {
// System.out.println("load class failure: ");
// }
// Split flag2 into the short (i) and long (l) arguments of a.a(...). The shift amounts
// come from ll, with subscripts lost in this listing.
int i = (int)(flag2 >>> ll);
long l = (flag2 << ll) >>> ll;
////// Check.class.CrackMe
// a.a(short, File, String, long) is given the file from tempDir plus the hex string
// recorded as "obj 6" above; the returned bytes are saved as cn.loryu.crackme.Check.
File a = new File(tempDir + "Check.class.CrackMe");
byte b1[] = (byte[])cls_a.getDeclaredMethod("a", short.class, File.class, String.class, long.class).invoke(cls_a_obj, (short)i, a.getAbsoluteFile(), "CBEA62C4FB252CEAAE4980645286D6FE2901C8802FC8AB89", l);
System.out.println("cn.loryu.crackme.Check size: " + b1.length);
saveClass("cn.loryu.crackme.Check", b1);
///// Frame.class.CrackMe
// Same call for Frame, using the hex string recorded as "obj 7" above.
File b = new File(tempDir + "Frame.class.CrackMe");
byte b2[] = (byte[])cls_a.getDeclaredMethod("a", short.class, File.class, String.class, long.class).invoke(cls_a_obj, (short)i, b.getAbsoluteFile(), "1F31F140088A5DA2BF202AE3862F206232087A15C4C2C4A1", l);
System.out.println("cn.loryu.crackme.Frame size: " + b2.length);
saveClass("cn.loryu.crackme.Frame", b2);
// System.out.print("b1 = ");
// for(int k=0; k<b1.length; k++) {
// System.out.print(b1 + ", ");
// }
// System.out.println("");
// System.out.print("b2 = ");
// for(int k=0; k<b2.length; k++) {
// System.out.print(b2 + ", ");
// }
// System.out.println("");
} else {
System.out.println("load class failure: " + params);
}
// Every failure path below only prints the stack trace; main then returns normally.
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NoSuchMethodException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (SecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NoSuchFieldException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IllegalArgumentException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IllegalAccessException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvocationTargetException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InstantiationException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
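/**
 * Writes {@code data} to {@code basePath + <package path>/<SimpleName>.class}, creating the
 * package directories first.
 *
 * The streams are closed by try-with-resources, so a failed write no longer leaks the file
 * handle. The "OK" line is printed only after the buffered data has been flushed and the
 * file closed, where the original printed it before the flush.
 *
 * The bytes come from the program under analysis; treat the written files as untrusted
 * artifacts, to be opened in a decompiler and not loaded or executed.
 *
 * @param className fully qualified class name, e.g. {@code cn.loryu.crackme.Check}
 * @param data      raw class-file bytes to write
 * @return {@code data.length}, also when the write failed (the I/O error is only printed)
 */
public static int saveClass(String className, byte[] data) {
    String fileName = className.replace('.', File.separatorChar).concat(".class");
    File target = new File(basePath + fileName);
    File parent = target.getParentFile();
    if (parent != null) {
        parent.mkdirs(); // create the package directories
    }
    try (OutputStream os = new BufferedOutputStream(new FileOutputStream(target))) {
        os.write(data);
    } catch (IOException e) {
        // FileNotFoundException is an IOException, so one handler covers both cases.
        e.printStackTrace();
        return data.length;
    }
    System.out.println("save " + className +".class OK");
    return data.length;
}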
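/**
 * Recovers the bytes of one class by calling the loader's own private static helpers
 * ({@code lllIl(byte[], byte[])} and {@code lllll(String)} on {@code lllllllllllllll}) in the
 * same order as the posted listing, then writes the result with
 * {@link #saveClass(String, byte[])}.
 *
 * NOTE(review): the posted listing lost its array subscripts ({@code new Object;},
 * {@code params1 = ii2;}). The argument order used here is reconstructed from the
 * {@code (byte[], byte[])} and {@code (String)} signatures requested from reflection.
 * Confirm it against a working copy.
 *
 * NOTE(review): the reflective calls execute code from the target jar in this JVM.
 *
 * @param className fully qualified name of the class to recover
 * @return number of bytes recovered, or 0 when a reflective step failed (the failure is
 *         only printed)
 */
public static int saveClass(String className) {
    int size = 0;
    try {
        Class<?> crk = Class.forName("lllllllllllllll");
        Method decrypt = crk.getDeclaredMethod("lllll", String.class);
        decrypt.setAccessible(true);
        Method decode = crk.getDeclaredMethod("lllIl", byte[].class, byte[].class);
        decode.setAccessible(true);
        // Static byte[] passed as the second argument of lllIl - presumably a key or table.
        Field llIField = crk.getDeclaredField("llI");
        llIField.setAccessible(true);
        byte[] llIBytes = (byte[]) llIField.get(null);

        // Step 1: transform the class name into the string that lllll accepts.
        byte[] nameBytes = (byte[]) decode.invoke(null, className.getBytes("UTF-8"), llIBytes);
        // Platform default charset, as in the original listing.
        String s = new String(nameBytes);
        // Step 2: fetch the stored bytes for that name.
        byte[] bytes1 = (byte[]) decrypt.invoke(null, s);
        // Step 3: run the same two-argument transform over the stored bytes.
        byte[] bytes2 = (byte[]) decode.invoke(null, bytes1, llIBytes);

        size = bytes2.length;
        System.out.println(className +".class length " + bytes2.length);
        // The file writing is shared with the two-argument overload, which handles its
        // own I/O errors and prints the "save ... OK" line.
        saveClass(className, bytes2);
    } catch (ReflectiveOperationException | SecurityException | IllegalArgumentException | IOException e) {
        // IOException covers the UnsupportedEncodingException declared by getBytes("UTF-8").
        e.printStackTrace();
    }
    return size;
}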
}
TestJavaCM3.0Test
package cn.solly.crack;
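/**
 * Serial recovery for the crackme's Check class, as posted in the thread.
 *
 * The stored check string is only encoded, not encrypted. A fixed character substitution
 * turns it into text made of {@code \}{@code u}-prefixed hex escapes, and decoding those
 * escapes twice yields the serial. No key is involved, so anyone who can read the class
 * can reverse the scheme.
 *
 * Changes against the posted listing: the array subscripts that the forum markup stripped
 * ({@code charArray01[i]}, {@code c[i]}, {@code hex[i]}) are restored so the class compiles,
 * and {@link #obfString(String)} now encodes instead of duplicating
 * {@link #deobfString(String)}.
 */
public class Crack {
    /** Encoded check string taken from the crackme. */
    public static String str01 = "rygcryJgryjgryjhrygcryJgryjHryjgrygcryJgryjJryjjrygcryJgryjJryjhrygcryJgryjhryHlrygcryJgryjHryjlrygcryJgryjJryjHrygcryJgryjHryjlrygcryJgryjhryjjrygcryJgryjhryHhrygcryJgryjjryjjrygcryJgryjkryHgrygcryJgryjjryj#rygcryJgryjgryjhrygcryJgryjHryjgrygcryJgryjJryjjrygcryJgryjJryjh";

    /** Decodes {@link #str01} and prints the serial. */
    public static void main(String[] args) {
        GetIt(str01);
    }

    /** Thin wrapper kept for compatibility; forwards to {@link #getCheckString(String)}. */
    public static void GetIt(String str) {
        getCheckString(str);
    }

    /**
     * Undoes the character substitution on {@code s0}, decodes the resulting escapes twice
     * and prints the result as {@code "SN : <serial>"}.
     *
     * @param s0 encoded check string; characters outside the substitution table are kept
     */
    public static void getCheckString(String s0) {
        char[] chars = s0.toCharArray();
        for (int i = 0; i < chars.length; i++) {
            switch (chars[i]) {
                case 'r':
                    chars[i] = '\\';
                    break;
                case 'y':
                    chars[i] = 'u';
                    break;
                case 'l':
                    chars[i] = '1';
                    break;
                case 'k':
                    chars[i] = '2';
                    break;
                case 'j':
                    chars[i] = '3';
                    break;
                case 'h':
                    chars[i] = '4';
                    break;
                case 'g':
                    chars[i] = '5';
                    break;
                case 'H':
                    chars[i] = '6';
                    break;
                case 'J':
                    chars[i] = '7';
                    break;
                case 'K':
                    chars[i] = '8';
                    break;
                case 'L':
                    chars[i] = '9';
                    break;
                case '#':
                    chars[i] = '0';
                    break;
                default:
                    // Hex letters such as 'c' pass through unchanged.
                    break;
            }
        }
        String s2 = String.valueOf(chars);
        System.out.println("SN : " + deobfString(s2));
    }

    /**
     * Encodes {@code str} as two nested layers of hex escapes, the inverse of
     * {@link #deobfString(String)}. The posted version called the decoder here as well, so
     * it could never produce an encoded string.
     */
    public static String obfString(String str) {
        return stringToUnicode(stringToUnicode(str));
    }

    /** Decodes two nested layers of hex escapes. */
    public static String deobfString(String str) {
        return unicodeToString(unicodeToString(str));
    }

    /**
     * Writes every character as backslash, {@code u} and its hex code. The hex is not
     * zero-padded, so {@code 'A'} becomes {@code \}{@code u41}.
     */
    public static String stringToUnicode(String str) {
        StringBuilder sb = new StringBuilder();
        for (char ch : str.toCharArray()) {
            sb.append("\\u").append(Integer.toHexString(ch));
        }
        return sb.toString();
    }

    /**
     * Reverses {@link #stringToUnicode(String)}. Text before the first escape is ignored.
     *
     * @throws NumberFormatException if a segment after an escape prefix is not valid hex
     */
    public static String unicodeToString(String unicode) {
        StringBuilder sb = new StringBuilder();
        // The regex matches a literal backslash followed by 'u'; element 0 is the text
        // before the first escape and is skipped.
        String[] hex = unicode.split("\\\\u");
        for (int i = 1; i < hex.length; i++) {
            sb.append((char) Integer.parseInt(hex[i], 16));
        }
        return sb.toString();
    }
}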
就是密钥匙算法吗
没装Java环境,玩不了哦。
可惜不会反编译jar包,不然直接看源码岂不是美滋滋
搞个aes和blowfish加密,啥也没有怎么玩
直接jd-gui反编译一波
难搞,又是sha256又是aes的
云在天 发表于 2020-12-18 10:02
搞个aes和blowfish加密,啥也没有怎么玩
不好意思,aes那些加密是因为我的混淆器用的是之前的配置,不小心开的,今晚重新发一个
liaozhen 发表于 2020-12-18 09:44
可惜不会反编译jar包不然直接看源码岂不是美滋滋
如果是jar包,用压缩工具解压,然后用jad反编译整个工程就可以得到源代码了。
可以用idea直接看源码