def rol8(x, n): n &= 7 return ((x << n) | (x >> (8-n))) & 0xFF def ror8(x, n): n &= 7 return ((x >> n) | (x << (8-n))) & 0xFF inv7 = 183 def F(inp): s = 42 out = [] for i,x in enumerate(inp): x ^= s x= rol8(x, i&7) x = (x * 7) & 0xFF x = (x + i) & 0xFF out.append(x) s = (s + x) & 0xFF return out def Finv(out): s = 42 inp = [] for i,y in enumerate(out): x = (y - i) & 0xFF x = (x * inv7) & 0xFF x = ror8(x, i&7) x ^= s inp.append(x) s = (s + y) & 0xFF return inp ci = [233,142,138,138,183,231,201,224,184,151,183,75,59,33,211,124] W = [(b - i) & 0xFFfor i,b in enumerate(ci)] v = W for _ in range(3): # inverse of 3rounds v= Finv(v) print(v) print(bytes(v))
[0x89 'a' 'l' 'i'] // magic [batchIndex LE int] [rsaEncryptedKey 256 bytes] [fileCount LE int] [fileNameLen LE int][fileNameXorE9][offset LE int] * N [encrypted data blob] // 这部分就是 streamX_encdata.bin
# lzrr_decompress.py defrle_decode(data): out = bytearray() i = 0 while i < len(data): b = data[i] if b == 0xFF: if data[i+1] == 0xFF: out.append(0xFF); i += 2 else: count = data[i+1] + 4 val = data[i+2] out.extend([val]*count); i += 3 else: out.append(b); i += 1 returnbytes(out)
classBitReader: def__init__(self, data): self.data = data; self.bitpos = 0 defread_bit(self): b = self.data[self.bitpos>>3] bit = (b >> (7-(self.bitpos & 7))) & 1 self.bitpos += 1 return bit defread_bits(self, n): v = 0 for _ inrange(n): v = (v<<1)|self.read_bit() return v
deflzrr_decompress(blob): magic = int.from_bytes(blob[0:4],'big') assert magic == 0x4c5a5252 flags = int.from_bytes(blob[6:8],'big') orig_len = int.from_bytes(blob[8:12],'big') data = blob[16:] if flags == 15: data = rle_decode(data) br = BitReader(data) out = bytearray() whilelen(out) < orig_len: if br.read_bit() == 0: out.append(br.read_bits(8)) else: dist = br.read_bits(8) if br.read_bit()==0else br.read_bits(16) if br.read_bit()==0: l2 = br.read_bits(3) else: l2 = br.read_bits(6)+8if br.read_bit()==0else br.read_bits(8) length = l2 + 3 start = len(out)-dist for i inrange(length): out.append(out[start+i]) returnbytes(out)
defks(keyhex, n=L): out = subprocess.check_output( ['java','-classpath','extracted_classes:.','DumpKS',algo,str(n),keyhex], text=True).strip() returnbytes.fromhex(out)
s0 = ks('0000000000000000')
basis_bits = [] for i inrange(64): kb = [0]*8; kb[i//8] = 1 << (i%8) keyhex = ''.join(f'{b:02x}'for b in kb) s = ks(keyhex) b = bytes(a^b for a,b inzip(s,s0)) bits = 0 for idx, byte inenumerate(b): for bit inrange(8): if byte & (1<<bit): bits |= 1 << (idx*8+bit) basis_bits.append(bits)
trg = bytes(a^b for a,b inzip(obs, s0)) rows = [] for bit_idx inrange(L*8): coeff = 0 for i inrange(64): if (basis_bits[i] >> bit_idx) & 1: coeff |= 1<<i rhs = (trg[bit_idx//8] >> (bit_idx%8)) & 1 if coeff: rows.append([coeff, rhs])
# 高斯消元 row=0; where=[-1]*64 for col inrange(64): pivot = next((r for r inrange(row,len(rows)) if (rows[r][0]>>col)&1), None) if pivot isNone: continue rows[row], rows[pivot] = rows[pivot], rows[row] where[col]=row for r inrange(len(rows)): if r!=row and ((rows[r][0]>>col)&1): rows[r][0]^=rows[row][0]; rows[r][1]^=rows[row][1] row+=1
key_bits=[0]*64 for col inrange(64): if where[col]!=-1: key_bits[col]=rows[where[col]][1]
key_bytes=[0]*8 for i,b inenumerate(key_bits): if b: key_bytes[i//8]|=1<<(i%8) keyhex=''.join(f'{b:02x}'for b in key_bytes) print(keyhex) # a91b1bb4e8978bda
publicclassImage1Part2 { privatestaticfinalStringIMAGE_DATA="......; public static void main(String[] args) throws Exception { byte[] imageBytes = Base64.getDecoder().decode(IMAGE_DATA); try (FileOutputStream fos = new FileOutputStream("flag.jpg")) { fos.write(imageBytes); } System.out.println("Image saved to flag.jpg"); } }
从 6 个 Java 文件提取 base64 JPEG,拼接得到完整 flag.jpg
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
import base64, re from pathlib import Path from PIL import Image
# 提取各 part 的 base64 for i inrange(1,7): text = Path(f'extracted_files/flagImage/Image1Part{i}.java').read_text() b64 = re.search(r'IMAGE_DATA\\s*=\\s*\"([^\"]+)\"', text).group(1) Path(f'flag_images/part{i}.jpg').write_bytes(base64.b64decode(b64))
# 拼接成完整 flag parts=[Image.open(f'flag_images/part{i}.jpg') for i inrange(1,7)] w=sum(p.width for p in parts); h=max(p.height for p in parts) out=Image.new('RGB',(w,h)) x=0 for p in parts: out.paste(p,(x,0)); x+=p.width out.save('flag_images/flag.jpg')