[原创]2018看雪&TSRC CTF第五题WP
2018-12-10 06:32 2553
第一次做Android的逆向题,比赛的前一天把so的调试环境搭好了,结果...不用调试...所有的验证逻辑都在dex文件中(Java层)。
JEB反编译
先说句题外话:JEB不能在高版本的JDK环境下运行,不然会闪退。
把apk拖入JEB中,随便浏览一遍,很容易就找到以下关键的代码:
onCreate()中注册的onClick()为处理按钮点击事件的方法:
/**
 * Activity entry point as recovered by the decompiler: inflates the layout, calls b(),
 * caches the result view in {@code n} and wires the click handler of the submit button.
 *
 * NOTE(review): b() and CrackMe.a(...) are not shown in this listing; CrackMe.a looks like
 * a compiler-generated accessor that starts the verification, confirm in the decompiler.
 */
protected void onCreate(Bundle arg2) {
    super.onCreate(arg2);
    this.setContentView(2131296284);
    this.b();

    // View that receives every result and failure message set in this listing.
    this.n = this.findViewById(2131165242);

    View$OnClickListener clickHandler = new View$OnClickListener() {
        public void onClick(View arg3) {
            try {
                // this.a is the anonymous class's reference to the enclosing activity.
                CrackMe.a(this.a);
            } catch (Exception ignored) {
                // Any exception raised during verification is reported as the failure string.
                this.a.n.setText(this.a.getString(2131427370));
            }
        }
    };
    this.findViewById(2131165273).setOnClickListener(clickHandler);
}
取input[:4],input[4:6],input[6:8]转换为数字,并做了一些初步的验证,看起来像是年月日:
/**
 * Reads the input field and parses its first eight characters into the fields
 * {@code j} (year, chars 0-3), {@code i} (month, chars 4-5) and {@code h} (day, chars 6-7).
 * A value outside its accepted range is reset to 0. Any exception (for example a
 * non-numeric substring) shows the failure string 2131427370 instead.
 *
 * The length comparisons are strict: when the text is not longer than the slice end,
 * the whole text is parsed in place of the slice.
 */
private void c() {
    try {
        String text = this.findViewById(2131165227).getText().toString();
        this.j = 0;
        this.i = 0;
        this.h = 0;

        // Year: only 1984..2006 survives the two checks below.
        String yearPart = text.length() > 4 ? text.substring(0, 4) : text;
        this.j = Integer.parseInt(yearPart);
        if (this.j > 0 && this.j < 189) {
            // Subsumed by the range check that follows.
            this.j = 0;
        }
        if (this.j <= 1983 || this.j >= 2007) {
            this.j = 0;
        }

        // Month: 1..12.
        String monthPart = text.length() > 6 ? text.substring(4, 6) : text;
        this.i = Integer.parseInt(monthPart);
        if (this.i < 1 || this.i > 12) {
            this.i = 0;
        }

        // Day: 1..31.
        String dayPart = text;
        if (text.length() > 8) {
            dayPart = text.substring(6, 8);
        }
        this.h = Integer.parseInt(dayPart);
        if (this.h < 1 || this.h > 31) {
            this.h = 0;
        }
    } catch (Exception ignored) {
        this.n.setText(this.getString(2131427370));
    }
}
取input[8:]与预定义字符串数组做比较(小时),取相等时的索引,在一个整数数组中取数:
/**
 * Looks up the tail of the input (everything from character 8 on) in the string table
 * {@code m} and returns the entry of {@code a} at the matching index, also storing it in
 * {@code k}.
 *
 * Special case: when the transformed month {@code f} is 2 and the tail equals {@code m[6]},
 * 63 is returned. NOTE(review): the caller that sums the four values is not shown; 63 is
 * larger than the target 34 compared in a(int), so this presumably forces a rejection.
 *
 * When nothing matches, the failure string is shown and the current (stale) value of
 * {@code k} is returned. Any exception shows the failure string and returns 0.
 */
private int h() {
    final int failureTextId = 2131427370;
    try {
        String raw = this.findViewById(2131165227).getText().toString();
        String slot = raw.substring(8, raw.length());
        int month = this.f;

        boolean matched = false;
        for (int idx = 0; idx < this.m.length; ++idx) {
            if (!slot.equals(this.m[idx])) {
                continue;
            }
            if (month == 2 && slot.equals(this.m[6])) {
                return 63;
            }
            this.k = this.a[idx];
            matched = true;
            break;
        }

        if (!matched) {
            this.n.setText(this.getString(failureTextId));
        }
        return this.k;
    } catch (Exception ignored) {
        this.n.setText(this.getString(failureTextId));
        return 0;
    }
}
转换过的年月日时作为索引,从4个数组中取数并求和:
4个预定义数组:
// Lookup tables used by the verification. Roles are taken from the methods in this listing.

// 12 entries, indexed by the position of the matched string in m (see h()).
this.a = new int[] {
    16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6
};

// 30 entries. NOTE(review): the method that reads b is not shown; presumably indexed by day - 1.
this.b = new int[] {
    5, 10, 8, 15, 16, 15, 8, 16, 8, 16,
    9, 17, 8, 17, 10, 8, 9, 18, 5, 15,
    10, 9, 8, 9, 15, 18, 7, 8, 16, 6
};

// 12 entries, indexed by transformed month - 1 (see f()).
this.c = new int[] {
    6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5
};

// 60 entries, indexed by (transformed year - 1900) % 60 (see e()).
this.d = new int[] {
    7, 7, 9, 12, 8, 7, 13, 5, 14, 5,
    9, 17, 5, 7, 12, 8, 8, 6, 19, 6,
    8, 16, 10, 6, 12, 9, 6, 7, 12, 5,
    9, 8, 7, 8, 15, 9, 16, 8, 8, 19,
    12, 6, 8, 7, 5, 15, 6, 16, 15, 7,
    9, 12, 10, 7, 15, 6, 5, 14, 14, 9
};
年月日转换为索引取数:
/**
 * Rewrites the parsed year {@code j}, month {@code i} and day {@code h} and then copies
 * them into {@code g}, {@code f} and {@code e}, the values the lookups below use.
 * The rules run in order and each one sees the result of the previous one.
 */
private void d() {
    try {
        // Years 1989 and 2004 force the day to 31.
        // NOTE(review): table b has only 30 entries; if the day lookup is b[day - 1] this
        // index is out of range. The lookup is not shown, confirm in the decompiler.
        if (this.j == 1989 || this.j == 2004) {
            this.h = 31;
        }

        // These months replace the year with 1999.
        switch (this.i) {
            case 1:
            case 4:
            case 5:
            case 7:
            case 10:
            case 11:
            case 12:
                this.j = 1999;
                break;
            default:
                break;
        }

        // Months 2, 6 and 8 are replaced depending on the year; 1995 leaves them untouched.
        boolean replaceableMonth = this.i == 2 || this.i == 6 || this.i == 8;
        if (replaceableMonth) {
            if (this.j <= 1994) {
                this.i = 3;
            } else if (this.j >= 1996) {
                this.i = 9;
            }
        }

        // For 1995 the month becomes 6 when the day is more than two above it, or equal to it.
        boolean dayFarFromMonth = this.h > this.i + 2 || this.i == this.h;
        if (this.j == 1995 && dayFarFromMonth) {
            this.i = 6;
        }

        this.g = this.j;
        this.f = this.i;
        this.e = this.h;
    } catch (Exception ignored) {
        this.n.setText(this.getString(2131427370));
    }
}

/**
 * Returns the entry of table {@code d} for the transformed year {@code g}.
 * Any exception shows the failure string and yields 0.
 */
private int e() {
    try {
        int slot = (this.g - 1900) % 60;
        return this.d[slot];
    } catch (Exception ignored) {
        this.n.setText(this.getString(2131427370));
        return 0;
    }
}

/**
 * Returns the entry of table {@code c} for the transformed month {@code f} (1-based).
 * A month of 0 gives index -1, which ends in the catch block: failure string, result 0.
 */
private int f() {
    try {
        int slot = this.f - 1;
        return this.c[slot];
    } catch (Exception ignored) {
        this.n.setText(this.getString(2131427370));
        return 0;
    }
}
最后的和为34:
/*
 * Final check of the verification, shown exactly as the decompiler emitted it
 * (the goto/label pair is decompiler output, not compilable Java).
 *
 * arg8 is compared with 34. Only arg8 == 34 reaches the success path; every other
 * value ends at label_23, which shows the failure string 2131427370.
 */
private void a(int arg8) {
    int v0 = 2131427370; // failure string resource id
    int v1 = 34;         // the only accepted value of arg8
    if(arg8 <= v1) {
        if(arg8 < v1) {
            // arg8 < 34: falls through to the goto at the end of the method.
        }
        else {
            try {
                // arg8 == 34: show string 2131427369 followed by l[arg8], then disable
                // the button 2131165273 so the check cannot be submitted again.
                this.n.setText(String.format("%s%s", this.getString(2131427369), this.l[arg8]));
                this.findViewById(2131165273).setEnabled(false);
                return;
            label_23:
                // Failure path, reached only through the goto below.
                this.n.setText(this.getString(v0));
            }
            catch(Exception ) {
                // An exception on either path also ends with the failure string.
                this.n.setText(this.getString(v0));
            }
            return;
        }
    }
    // arg8 != 34 (either smaller or larger) jumps to the failure path.
    goto label_23;
}
求解
根据以上的限制条件,遍历4个数组所有的组合:
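# Brute-force search for an input accepted by the app's Java-layer check.
# The four integer tables are the arrays a, b, c and d from the decompiled listing.
# The print call uses the parenthesised single-argument form, so the script runs
# unchanged on Python 2 and Python 3.

# Hour strings compared against input[8:].
# NOTE(review): presumably the app's this.m table; its initialiser is not shown in the listing.
l_str = ["23to01", "01to03", "03to05", "05to07", "07to09", "09to11",
         "11to13", "13to15", "15to17", "17to19", "19to21", "21to23"]

# this.a: value per hour string, same index as l_str (see h()).
l_h = [16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6]

# this.b: 30 entries. The day lookup is not shown in the listing; day - 1 is assumed.
l_d = [5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15,
       10, 9, 8, 9, 15, 18, 7, 8, 16, 6]

# this.c: value per month, index month - 1 (see f()).
l_m = [6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5]

# this.d: value per year, index (year - 1900) % 60 (see e()).
l_y = [7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6,
       8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19,
       12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9]

# c() accepts years 1984..2006; 1989 and 2004 are left out because d() forces the day to 31.
year = [1984, 1985, 1986, 1987, 1988, 1990, 1991, 1992, 1993, 1994, 1995,
        1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006]

# Months 1, 4, 5, 7, 10, 11 and 12 are left out because d() replaces the year with 1999 for them.
month = [2, 3, 6, 8, 9]

# Days 1..30, matching the 30 entries of l_d.
day = range(1, 31)

# 1-based index into l_str / l_h.
hour = range(1, 13)

TARGET_SUM = 34  # value compared in a(int)


def solve():
    """Return every candidate input whose four table values add up to TARGET_SUM.

    A combination that d() or h() would rewrite is discarded here instead of
    being followed through the rewrite. This keeps the search simple; inputs
    the app accepts only after such a rewrite are therefore not listed.
    """
    found = []
    for y in year:
        q = (y - 1900) % 60
        for m in month:
            for d in day:
                for h in hour:
                    valid = True
                    if y <= 1994 and m in (2, 6, 8):
                        valid = False  # d() would change the month to 3
                    elif y >= 1996 and m in (2, 6, 8):
                        valid = False  # d() would change the month to 9
                    elif y == 1995 and (d > m + 2 or d == m):
                        valid = False  # d() would change the month to 6
                    elif m == 2 and h == 7:
                        valid = False  # h() returns 63 for month 2 and l_str[6]
                    total = l_y[q] + l_m[m - 1] + l_d[d - 1] + l_h[h - 1]
                    if total == TARGET_SUM and valid:
                        found.append("%d%02d%02d%s" % (y, m, d, l_str[h - 1]))
    return found


if __name__ == "__main__":
    for candidate in solve():
        print(candidate)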
结果为:
λ python F:\ctf\2018\5\5.py
1995020305to07
最后于 2018-12-10 06:58
被mratlatsn编辑
,原因: