第一次做Android的逆向题,比赛的前一天把so的调试环境搭好了,结果...不用调试...所有的验证逻辑都在dex文件中(Java层)。
JEB反编译
先说句题外话:JEB不能在高版本的JDK环境下运行,不然会闪退。
把apk拖入JEB中,随便浏览一遍,很容易就找到以下关键的代码:
OnClick()为处理按钮点击事件的方法:
protected void onCreate(Bundle arg2) {
super.onCreate(arg2);
this.setContentView(2131296284);
this.b();
this.n = this.findViewById(2131165242);
this.findViewById(2131165273).setOnClickListener(new View$OnClickListener() {
public void onClick(View arg3) {
try {
CrackMe.a(this.a);
}
catch(Exception ) {
this.a.n.setText(this.a.getString(2131427370));
}
}
});
}
取input[:4],input[4:6],input[6:8]转换为数字,并做了一些初步的验证,看起来像是年月日:
private void c() {
int v0 = 2131165227;
try {
String v0_1 = this.findViewById(v0).getText().toString();
this.j = 0;
this.i = 0;
this.h = 0;
int v3 = 4;
String v2 = v0_1.length() > v3 ? v0_1.substring(0, v3) : v0_1;
this.j = Integer.parseInt(v2);
if(this.j > 0 && this.j < 189) {
this.j = 0;
}
if(this.j <= 1983 || this.j >= 2007) {
this.j = 0;
}
int v4 = 6;
v2 = v0_1.length() > v4 ? v0_1.substring(v3, v4) : v0_1;
this.i = Integer.parseInt(v2);
if(this.i < 1 || this.i > 12) {
this.i = 0;
}
int v5 = 8;
if(v0_1.length() > v5) {
v0_1 = v0_1.substring(v4, v5);
}
this.h = Integer.parseInt(v0_1);
if(this.h >= 1 && this.h <= 31) {
return;
}
this.h = 0;
}
catch(Exception ) {
this.n.setText(this.getString(2131427370));
}
}
取input[8:]与预定义字符串数组做比较(小时),取相等时的索引,在一个整数数组中取数:
private int h() {
int v0 = 2131165227;
int v1 = 2131427370;
try {
String v0_1 = this.findViewById(v0).getText().toString();
v0_1 = v0_1.substring(8, v0_1.length());
int v3 = this.f;
int v4 = 0;
while(true) {
if(v4 >= this.m.length) {
break;
}
else if(v0_1.equals(this.m[v4])) {
if(v3 == 2 && (v0_1.equals(this.m[6]))) {
return 63;
}
this.k = this.a[v4];
v0 = 1;
}
else {
++v4;
continue;
}
goto label_35;
}
v0 = 0;
label_35:
if(v0 == 0) {
this.n.setText(this.getString(v1));
}
return this.k;
}
catch(Exception ) {
this.n.setText(this.getString(v1));
return 0;
}
}
转换过的年月日时作为索引中从4个数组中取数,求和:
4个预定义数组:
this.a = new int[]{16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6};
this.b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6};
this.c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5};
this.d = new int[]{7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9};
年月日转换为索引取数:
private void d() {
try {
if(this.j == 1989 || this.j == 2004) {
this.h = 31;
}
if(this.i == 1 || this.i == 4 || this.i == 5 || this.i == 7 || this.i == 10 || this.i == 11 || this.i == 12) {
this.j = 1999;
}
int v2 = 8;
int v3 = 6;
int v4 = 2;
if(this.j <= 1994 && (this.i == v4 || this.i == v3 || this.i == v2)) {
this.i = 3;
}
if(this.j >= 1996 && (this.i == v4 || this.i == v3 || this.i == v2)) {
this.i = 9;
}
if(this.j == 1995 && (this.h > this.i + v4 || this.i == this.h)) {
this.i = v3;
}
this.g = this.j;
this.f = this.i;
this.e = this.h;
}
catch(Exception ) {
this.n.setText(this.getString(2131427370));
}
}
private int e() {
try {
return this.d[(this.g - 1900) % 60];
}
catch(Exception ) {
this.n.setText(this.getString(2131427370));
return 0;
}
}
private int f() {
try {
return this.c[this.f - 1];
}
catch(Exception ) {
this.n.setText(this.getString(2131427370));
return 0;
}
}
最后的和为34:
private void a(int arg8) {
int v0 = 2131427370;
int v1 = 34;
if(arg8 <= v1) {
if(arg8 < v1) {
}
else {
try {
this.n.setText(String.format("%s%s", this.getString(2131427369), this.l[arg8]));
this.findViewById(2131165273).setEnabled(false);
return;
label_23:
this.n.setText(this.getString(v0));
}
catch(Exception ) {
this.n.setText(this.getString(v0));
}
return;
}
}
goto label_23;
}
求解
根据以上的限制条件,遍历4个数组所有的组合:
l_str = ["23to01", "01to03", "03to05", "05to07", "07to09", "09to11", "11to13", "13to15", "15to17", "17to19", "19to21", "21to23"]
l_h=[16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6]
l_d=[5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6]
l_m=[6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5]
l_y=[7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9]
year = [1984,1985,1986,1987,1988,1990,1991,1992,1993,1994,1995,1996,1997,1998,1999,2000,2001,2002,2003,2005,2006]
month = [2,3,6,8,9]
day = range(1,31)
hour = range(1,13)
for y in year:
for m in month:
for d in day:
for h in hour:
valid = 1
q = (y-1900)%60
if y<=1994 and m in [2,6,8]:
valid = 0
elif y>=1996 and m in [2,6,8]:
valid = 0
elif y==1995 and (d>m+2 or d==m):
valid = 0
elif m==2 and h==7:
valid = 0
if l_y[q] + l_m[m-1] + l_d[d-1] + l_h[h-1] ==34 and valid:
print str(y)+str(m).rjust(2,'0')+str(d).rjust(2,'0')+l_str[h-1]
结果为:
λ python F:\ctf\2018\5\5.py
1995020305to07
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
最后于 2018-12-10 06:58
被mratlatsn编辑
,原因:
